Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Custom Policy Developer Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-developer-notes.md | Azure Active Directory B2C [user flows and custom policies](user-flow-overview.m | [Force password reset](force-password-reset.md) | GA | NA | | | [Phone sign-up and sign-in](phone-authentication-user-flows.md) | GA | GA | | | [Conditional Access and Identity Protection](conditional-access-user-flow.md) | GA | GA | Not available for SAML applications |+| [Smart lockout](threat-management.md) | GA | GA | | ## OAuth 2.0 application authorization flows |
active-directory-b2c | Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/error-codes.md | The following errors can be returned by the Azure Active Directory B2C service. | `AADB2C99011` | The metadata value '{0}' has not been specified in TechnicalProfile '{1}' in policy '{2}'. | [Custom policy Technical profiles](technicalprofiles.md) | | `AADB2C99013` | The supplied grant_type [{0}] and token_type [{1}] combination is not supported. | | `AADB2C99015` | Profile '{0}' in policy '{1}' in tenant '{2}' is missing all InputClaims required for resource owner password credential flow. | [Create a resource owner policy](add-ropc-policy.md#create-a-resource-owner-policy) |+|`AADB2C99002`| User doesn't exist. Please sign up before you can sign in. | |
active-directory-b2c | Identity Provider Azure Ad B2c | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-b2c.md | zone_pivot_groups: b2c-policy-type ## Overview -This article describes how to set up a federation with another Azure AD B2C tenant. When your applications are protected with your Azure AD B2C, this allows users from other Azure AD B2C’s to login with their existing accounts. In the following diagram, users are able to sign-in to an Application protected by *Contoso*’s Azure AD B2C, with an account managed by *Fabrikam*’s Azure AD B2C tenant +This article describes how to set up a federation with another Azure AD B2C tenant. When your applications are protected with your Azure AD B2C, this allows users from other Azure AD B2C’s to login with their existing accounts. In the following diagram, users are able to sign in to an application protected by *Contoso*’s Azure AD B2C, with an account managed by *Fabrikam*’s Azure AD B2C tenant. In this case, user account must be present in *Fabrikam*’s tenant before an application protected by *Contoso*’s Azure AD B2C can attempt to sign in. ![Azure AD B2C federation with another Azure AD B2C tenant](./media/identity-provider-azure-ad-b2c/azure-ad-b2c-federation.png) |
active-directory | Auth Ssh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-ssh.md | The system includes the following components: ## Next steps -* To implement SSH with Microsoft Entra ID, see [Log in to a Linux VM by using Microsoft Entra credentials](../devices/howto-vm-sign-in-azure-ad-linux.md). +* To implement SSH with Microsoft Entra ID for your users or guest users, see [Log in to a Linux VM by using Microsoft Entra credentials](../devices/howto-vm-sign-in-azure-ad-linux.md). |
active-directory | Concept Authentication Passwordless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-passwordless.md | The following providers offer FIDO2 security keys of different form factors that | Provider | Biometric | USB | NFC | BLE | FIPS Certified | |:-|:-:|:-:|:-:|:-:|:-:| | [AuthenTrend](https://authentrend.com/about-us/#pg-35-3) | ![y] | ![y]| ![y]| ![y]| ![n] |-| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![n]| ![n]| ![n] | +| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![y]| ![n]| ![n] | | [ATOS](https://atos.net/en/solutions/cyber-security/iot-and-ot-security/smart-card-solution-cardos-for-iot) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ciright](https://www.cyberonecard.com/) | ![n] | ![n]| ![y]| ![n]| ![n] |+| [Composecure](https://www.composecure.com/arculus) | ![n] | ![n]| ![y]| ![n]| ![n] | | [Crayonic](https://www.crayonic.com/keyvault) | ![y] | ![n]| ![y]| ![y]| ![n] | | [Cryptnox](https://cryptnox.com/) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ensurity](https://www.ensurity.com/contact) | ![y] | ![y]| ![n]| ![n]| ![n] | |
active-directory | Concept Fido2 Hardware Vendor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-fido2-hardware-vendor.md | The following table lists partners who are Microsoft-compatible FIDO2 security k | Provider | Biometric | USB | NFC | BLE | FIPS Certified | |:-|:-:|:-:|:-:|:-:|:-:| | [AuthenTrend](https://authentrend.com/about-us/#pg-35-3) | ![y] | ![y]| ![y]| ![y]| ![n] |-| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![n]| ![n]| ![n] | +| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![y]| ![n]| ![n] | | [ATOS](https://atos.net/en/solutions/cyber-security/iot-and-ot-security/smart-card-solution-cardos-for-iot) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ciright](https://www.cyberonecard.com/) | ![n] | ![n]| ![y]| ![n]| ![n] |+| [Composecure](https://www.composecure.com/arculus) | ![n] | ![n]| ![y]| ![n]| ![n] | | [Crayonic](https://www.crayonic.com/keyvault) | ![y] | ![n]| ![y]| ![y]| ![n] | | [Cryptnox](https://cryptnox.com/) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ensurity](https://www.ensurity.com/contact) | ![y] | ![y]| ![n]| ![n]| ![n] | |
active-directory | Clean Up Stale Guest Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/clean-up-stale-guest-accounts.md | There are a few recommended patterns that are effective at monitoring and cleani Use the following instructions to learn how to enhance monitoring of inactive guest accounts at scale and create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment. +### License requirements + ## Monitor guest accounts at scale with inactive guest insights (Preview) [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] Use the following instructions to learn how to enhance monitoring of inactive gu 1. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date. -### License requirements --> [!NOTE] -> When you access the report for the first time, the insights in this report may not be available immediately and may take some time to generate. If you are getting an error, please follow the instructions ensuring you have Microsoft Entra ID Governance license or wait for some time to see the report generated. -> The inactive days calculation is based on the 2 parameters (last sign in date and creation date). If both of the dates are not available in the system, then we consider User state change date i.e. the date when the user state was last changed. This will give us the closest accurate inactivity duration for those special situations. - ## Create a multi-stage review for guests to self-attest continued access |
active-directory | Overview Customers Ciam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/overview-customers-ciam.md | If you've worked with Microsoft Entra ID, you're already familiar with using a M - **Extensions**: If you need to add user attributes and data from external systems, you can create custom authentication extensions for your user flows. -- **Sign-in methods**: You can enable various options for signing in to your app, including username and password, one-time passcode, and Google or Facebook identities. Learn more+- **Sign-in methods**: You can enable various options for signing in to your app, including username and password, one-time passcode, and Google or Facebook identities. - **Encryption keys**: Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords. +Learn more about [password and one-time passcode](how-to-enable-password-reset-customers.md) login, and about [Google](how-to-google-federation-customers.md) and [Facebook](how-to-facebook-federation-customers.md) federation. There are two types of user accounts you can manage in your customer tenant: |
active-directory | Hybrid Cloud To On Premises | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md | Make sure that you have the correct Client Access Licenses (CALs) or External Co - [Grant local users access to cloud apps](hybrid-on-premises-to-cloud.md) - [Microsoft Entra B2B collaboration for hybrid organizations](hybrid-organizations.md)-- For an overview of Microsoft Entra Connect, see [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md). |
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | Microsoft Entra ID (previously known as Azure AD) receives improvements on an on - Deprecated functionality - Plans for changes -> ![NOTE] +> [!NOTE] > If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md). |
active-directory | Deploy Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md | -[Microsoft Entra access reviews](access-reviews-overview.md) help your organization keep the network more secure by managing its [resource access lifecycle](identity-governance-overview.md). With access reviews, you can: +[Microsoft Entra access reviews](access-reviews-overview.md) help your organization keep the Enterprise more secure by managing its [resource access lifecycle](identity-governance-overview.md). With access reviews, you can: -* Schedule regular reviews or do ad-hoc reviews to see who has access to specific resources, such as applications and groups. +* Schedule regular reviews or do ad-hoc reviews to discover who has access to specific resources, such as applications and groups. * Track reviews for insights, compliance, or policy reasons. * Delegate reviews to specific admins, business owners, or users who can self-attest to the need for continued access. * Use the insights to efficiently determine if users should continue to have access.-Access reviews are an [Microsoft Entra ID Governance](identity-governance-overview.md) capability. The other capabilities are [entitlement management](entitlement-management-overview.md), [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md), and [terms of use](../conditional-access/terms-of-use.md). Together, they help you address these four questions: +Access reviews are an [Microsoft Entra ID Governance](identity-governance-overview.md) capability. The other capabilities are [entitlement management](entitlement-management-overview.md), [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md), lifecycle workflows, provisioning and [terms of use](../conditional-access/terms-of-use.md). Together, they help you address these four questions: * Which users should have access to which resources? * What are those users doing with that access? The following videos help you learn about access reviews: [!INCLUDE [active-directory-p2-governance-license.md](../../../includes/active-directory-p2-governance-license.md)] >[!NOTE]->Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license. +>To create a review of inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license. ## Plan the access reviews deployment project For access reviews, you'll likely include representatives from the following tea * Reviews privileged access to infrastructure and apps, including Microsoft 365 and Microsoft Entra ID. * Schedules and runs access reviews on groups that are used to maintain exception lists or IT pilot projects to maintain up-to-date access lists. * Ensures that programmatic (scripted) access to resources through service principals is governed and reviewed.+ * Automate processes like user onboarding and offboarding, access requests, and access certifications. + +* **Security teams** ensure the plan meets the security requirements of your organization and enforces Zero Trust. This team: + * Reduces risk and strengthens security + * Enforces least privilege access to resources and applications + * Uses tools to see a centralized authoritative source, of who has access to what, and for how long. * **Development teams** build and maintain applications for your organization. This team: For access reviews, you'll likely include representatives from the following tea * Reviews and approves or denies access to groups and applications for internal and external users. * Schedules and does reviews to attest continued access for employees and external identities such as business partners.+ * Need employees to have access to the apps required for their work. + * Permits departments to manage access for their users. * **Corporate governance** ensures that the organization follows internal policy and complies with regulations. This team: * Requests or schedules new access reviews. * Assesses processes and procedures for reviewing access, which includes documentation and record keeping for compliance. * Reviews results of past reviews for most critical resources.+ * Validates the right controls are in place to meet mandatory security and privacy policies. + * Requires repeatable access processes that are easy to audit and report. > [!NOTE]-> For reviews that require manual evaluations, plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality might be lost and too many or too few people might have access. +> For reviews that require manual evaluations, plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality might be lost and too many or too few people might have access. We recommend you establish clear responsibilities for the various stakeholders and departments engaged in the access reviews. All teams and individuals participating should understand their respective roles and obligations to uphold the principle of least privilege. ### Plan communications The creator of the access review decides at the time of creation who will do the * Users who self-attest to their need for continued access. * Managers review their direct reports' access to the resource. +>[!NOTE] +>When you select Resource owners or Managers, administrators designate fallback reviewers, who are contacted if the primary contact isn’t available. + When you create an access review, administrators can choose one or more reviewers. All reviewers can start and carry out a review by choosing users for continued access to a resource or removing them. ### Components of an access review External identities can be granted access to company resources. They can be: For more information, see [sample script](https://github.com/microsoft/access-reviews-samples/tree/master/ExternalIdentityUse). The script shows where external identities invited into the tenant are used. You can see an external user's group membership, role assignments, and application assignments in Microsoft Entra ID. The script won't show any assignments outside of Microsoft Entra ID, for example, direct rights assignment to SharePoint resources, without the use of groups. -When you create an access review for groups or applications, you can choose to let the reviewer focus on **Everyone with access** or **Guest users only**. By selecting **Guest users only**, reviewers are given a focused list of external identities from Microsoft Entra business to business (B2B) that have access to the resource. +When you create an access review for groups or applications, you can choose to let the reviewer focus on **All users** or **Guest users only**. By selecting **Guest users only**, reviewers are given a focused list of external identities from Microsoft Entra business to business (B2B) that have access to the resource. ![Screenshot that shows reviewing guest users.](./media/deploy-access-review/4-review-guest-users-admin-ui.png) Review the following role assignments regularly: Roles that are reviewed include permanent and eligible assignments. -In the **Reviewers** section, select one or more people to review all the users. Or you can select **Members (self)** to have the members review their own access. +In the **Reviewers** section, select one or more people to review all the users. Or you can select **Manager**, to have a manager review their employees’ access, or **Members (self)** to have the members review their own access. ![Screenshot that shows selecting reviewers.](./media/deploy-access-review/7-plan-azure-resources-reviewers-selection.png) |
active-directory | Entitlement Management Access Package Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-resources.md | For more information, see [Compare groups](/office365/admin/create-groups/compar You can have Microsoft Entra ID automatically assign users access to a Microsoft Entra enterprise application, including both SaaS applications and your organization's applications integrated with Microsoft Entra ID, when a user is assigned an access package. For applications that integrate with Microsoft Entra ID through federated single sign-on, Microsoft Entra ID issues federation tokens for users assigned to the application. -Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md). +Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md). If you're using the Microsoft Authentication Libraries, there is also a [code sample](../develop/sample-v2-code.md) for how to use app roles for access control. > [!NOTE] > If an application has multiple roles, and more than one role of that application are in an access package, then the user will receive all those application's roles. If instead you want users to only have some of the application's roles, then you will need to create multiple access packages in the catalog, with separate access packages for each of the application roles. |
active-directory | Entitlement Management Delegate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-delegate.md | - * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md). + * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson" in its manifest, you could then [include that role from the app manifest in an access package](entitlement-management-access-package-resources.md). Applications can also use security groups in scenarios where a user could have multiple application-specific roles simultaneously. * You can use roles for delegating administrative access. If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role. This article discusses how to use roles to manage aspects within Microsoft Entra entitlement management, for controlling access to the entitlement management resources. |
active-directory | Entitlement Management Verified Id Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-verified-id-settings.md | Once an access package is configured with a verified ID requirement, end-users w The requestor steps are as follows: -1. Go to [myaccess.microsoft.com](../develop/configure-app-multi-instancing.md) and sign in. +1. Go to [myaccess.microsoft.com](HTTPS://myaccess.microsoft.com) and sign in. 1. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select **Request**. |
active-directory | Identity Governance Applications Integrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-integrate.md | Next, if the application implements a provisioning protocol, then you should con | Integrated Windows Auth (IWA) | Deploy the [application proxy](../app-proxy/application-proxy.md), configure an application for [Integrated Windows authentication SSO](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md), and set firewall rules to prevent access to the application's endpoints except via the proxy.| | header-based authentication | Deploy the [application proxy](../app-proxy/application-proxy.md) and configure an application for [header-based SSO](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md) | -1. If your application has multiple roles, and relies upon Microsoft Entra ID to send a user's application-specific role as a claim of a user signing into the application, then configure those application roles in Microsoft Entra ID on your application. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest. +1. If your application has multiple roles, each user has only one role in the application, and the application relies upon Microsoft Entra ID to send a user's single application-specific role as a claim of a user signing into the application, then configure those application roles in Microsoft Entra ID on your application, and then assign each user to the application role. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest. If you're using the Microsoft Authentication Libraries, there is a [code sample](../develop/sample-v2-code.md) for how to use app roles inside your application for access control. If a user could have multiple roles simultaneously, then you may wish to implement the application to check security groups, either in the token claims or available via Microsoft Graph, instead of using application roles from the app manifest for access control. 1. If the application supports provisioning, then [configure provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of assigned users and groups from Microsoft Entra ID to that application. If this is a private or custom application, you can also select the integration that's most appropriate, based on the location and capabilities of the application. |
active-directory | Identity Governance Applications Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-prepare.md | Microsoft Entra ID Governance allows you to balance your organization's need for Organizations with compliance requirements or risk management plans have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. As part of your organization's controls for managing access, you can use Microsoft Entra features to * set up appropriate access+* provision users to applications * enforce access checks * produce reports to demonstrate how those controls are being used to meet your compliance and risk management objectives. In addition to the application access governance scenario, you can also use iden Microsoft Entra ID Governance can be integrated with many applications, using [standards](../architecture/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Microsoft Entra ID with many popular SaaS applications, on-premises applications, and applications that your organization has developed. Once you've prepared your Microsoft Entra environment, as described in the section below, the three step plan covers how to connect an application to Microsoft Entra ID and enable identity governance features to be used for that application. 1. [Define your organization's policies for governing access to the application](identity-governance-applications-define.md)-1. [Integrate the application with Microsoft Entra ID](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed +1. [Integrate the application with Microsoft Entra ID](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed. This allows authentication and user provisioning 1. [Deploy those policies](identity-governance-applications-deploy.md) for controlling single sign-on (SSO) and automating access assignments for that application <a name='prerequisites-before-configuring-azure-ad-for-identity-governance'></a> |
active-directory | Identity Governance Organizational Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-organizational-roles.md | Role-based access control (RBAC) provides a framework for classifying users and In Microsoft Entra ID, you can use role models in several ways to manage access at scale through identity governance. * You can use access packages to represent organizational roles in your organization, such as "sales representative". An access package representing that organizational role would include all the access rights that a sales representative might typically need, across multiple resources.- * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md). + * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson" in its manifest, you could then [include that role from the app manifest in an access package](entitlement-management-access-package-resources.md). Applications can also use security groups in scenarios where a user could have multiple application-specific roles simultaneously. * You can use roles for [delegating administrative access](entitlement-management-delegate.md). If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role. This article discusses how to model organizational roles, using entitlement management access packages, so you can migrate your role definitions to Microsoft Entra ID to enforce access. |
active-directory | Lifecycle Workflows Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflows-deployment.md | Communication is critical to the success of any new business process. Proactivel ### Communicate changes in accountability -Lifecycle Workflows support shifting responsibility of manual processes to business owners. Decoupling these processes from the IT department drives more accuracy and automation. This shift is a cultural change in the resource owner's accountability and responsibility. Proactively communicate this change and ensure resource owners are trained and able to use the insights to make good decisions. +Lifecycle Workflows support shifting responsibility of manual processes to business owners. Establish clear process and understanding of each team’s responsibilities. Decoupling these processes from the IT department drives more accuracy and automation. This shift is a cultural change in the resource owner's accountability and responsibility. Proactively communicate this change and ensure resource owners are trained and able to use the insights to make good decisions. The following information is important information about your organization and t |Item|Description|Documentation| |--|--|--|-|Inbound Provisioning|You have a process to create user accounts for employees in Microsoft Entra such as HR inbound, SuccessFactors, or MIM.<br><br> Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Microsoft Entra ID.|[Workday to Active Directory](../saas-apps/workday-inbound-tutorial.md)<br><br>[Workday to Microsoft Entra ID](../saas-apps/workday-inbound-tutorial.md)<br><br>[SuccessFactors to Active Directory](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)</br></br>[SuccessFactors to Microsoft Entra ID](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)<br><br>[Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect-v2.md)<br><br>[Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md)| +|Inbound Provisioning|You have a process to create user accounts for employees in Microsoft Entra such as HR inbound, SuccessFactors, or MIM.<br><br> Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Microsoft Entra ID.|[Workday to Active Directory](../saas-apps/workday-inbound-tutorial.md)<br><br>[Workday to Microsoft Entra ID](../saas-apps/workday-inbound-tutorial.md)<br><br>[SuccessFactors to Active Directory](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)</br></br>[SuccessFactors to Microsoft Entra ID](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)<br><br>[Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect-v2.md)<br><br>[Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md)<br><br>[API-driven inbound provisioning (Public preview)](../app-provisioning/inbound-provisioning-api-configure-app.md)| |Attribute synchronization|The accounts in Microsoft Entra ID have the employeeHireDate and employeeLeaveDateTime attributes populated. The values may be populated when the accounts are created from an HR system or synchronized from AD using Microsoft Entra Connect or cloud sync. You have extra attributes that are used to determine the scope such as department, populated or the ability to populate, with data.|[How to synchronize attributes for Lifecycle Workflows](how-to-lifecycle-workflow-sync-attributes.md) ## Understanding parts of a workflow The following table provides information that you need to be aware of as you cre The following is additional information you should be aware of. + - You can't enable the schedule for the Real-Time **Leaver** and **Mover** scenario. This is by design. Before building a Lifecycle Workflow in the portal, you should determine which s |Pre-Offboarding of an employee|Remove user from selected groups</br>Remove user from selected Teams| |Offboard an employee|Disable User Account</br>Remove user from all groups</br>Remove user from all Teams| |Post-Offboarding of an employee|Remove all licenses for user</br>Remove user from all Teams</br>Delete User Account|+|Real-time employee change|Run a Custom Task Extension| +|Real-time employee termination|Remove users from all Groups and Teams and delete the user account| For more information on the built-in templates, see [Lifecycle Workflow templates.](lifecycle-workflow-templates.md) Now that we've determined the scenario and the who and when, you should consider |Task|Description|Relevant Scenarios| |--|--|--|-|Add user to groups|Add user to selected groups| Joiner - Leaver| -|Add user to selected teams| Add user to Teams| Joiner - Leaver| +|Add user to groups|Add user to selected groups| Joiner - Leaver - Mover| +|Add user to selected teams| Add user to Teams| Joiner - Leaver - Mover| |Delete User Account| Delete user account in Microsoft Entra ID| Leaver| |Disable User Account| Disable user account in the directory| Joiner - Leaver| |Enable User 
Account| Enable user account in the directory| Joiner - Leaver| Now that we've determined the scenario and the who and when, you should consider |Remove all licenses of user| Remove all licenses assigned to the user| Leaver| |Remove user from all groups| Remove user from all Microsoft Entra group memberships| Leaver| |Remove user from all Teams| Remove user from all Teams memberships| Leaver|-|Remove user from selected groups| Remove user from membership of selected Microsoft Entra groups| Joiner - Leaver| -|Remove user from selected Teams| Remove user from membership of selected Teams| Joiner - Leaver| -|Run a Custom Task Extension| Run a Custom Task Extension to callout to an external system| Joiner - Leaver| +|Remove user from selected groups| Remove user from membership of selected Microsoft Entra groups| Joiner - Leaver - Mover| +|Remove user from selected Teams| Remove user from membership of selected Teams| Joiner - Leaver - Mover| +|Run a Custom Task Extension| Run a Custom Task Extension to callout to an external system| Joiner - Leaver - Mover| |Send email after user's last day| Send offboarding email to user's manager after the last day of work| Leaver| |Send email before user's last day| Send offboarding email to user's manager before the last day of work| Leaver| |Send email on user's last day| Send offboarding email to user's manager on the last day of work| Leaver| |Send Welcome Email| Send welcome email to new hire| Joiner|+|Send onboarding reminder email|Send onboarding reminder email to userΓÇÖs manager| Joiner| +|Request user access package assignment|Request user assignement to selected access packages|Joiner-Mover| +|Remove access package assignement for user|Remove user assignment from selected access packages| Leaver=Mover| +|Remove all access package assignments for user|Remove all access packages assigned to the user|Leaver| +|Cancel all pending access package assignement requests for users|Cancel all pending access package assignement 
requests for users|Leaver| For more information on tasks, see [Lifecycle Workflow tasks](lifecycle-workflow-tasks.md). |
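Review bot: the new access-package rows in the tasks table carry several typos and an inconsistent "Relevant Scenarios" format that will confuse anyone scanning the column. "assignement" is misspelled in four places ("Request user assignement to selected access packages", "Remove access package assignement for user", and twice in "Cancel all pending access package assignement requests"); "Leaver=Mover" on the "Remove access package assignement for user" row should be "Leaver - Mover", and "Joiner-Mover" on the "Request user access package assignment" row should be "Joiner - Mover" to match the "Joiner - Leaver - Mover" form used by the rows changed in the same hunk. Also worth checking: the templates table adds "Real-time employee termination | Remove users from all Groups and Teams and delete the user account", but the note immediately above says the schedule can't be enabled for the Real-Time Leaver and Mover scenarios; a one-line pointer from the template row to that restriction would save readers from trying to schedule it.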
active-directory | Concept Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/concept-attributes.md | To view the schema and verify it, follow these steps. ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | Concept How It Works | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/concept-how-it-works.md | Title: 'Microsoft Entra Connect cloud sync deep dive - how it works' + Title: 'Microsoft Entra Cloud Sync deep dive - how it works' description: This topic provides deep dive information on how cloud sync works. For more information, see [Supported topologies](plan-cloud-sync-topologies.md). ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | Custom Attribute Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/custom-attribute-mapping.md | Title: 'Microsoft Entra Connect cloud sync directory extensions and custom attribute mapping' + Title: 'Microsoft Entra Cloud Sync directory extensions and custom attribute mapping' description: This topic provides information on custom attribute mapping in cloud sync. For additional information on directory extensions see [Using directory extensio <a name='syncing-directory-extensions-for-azure-active-directory-connect-cloud-sync-'></a> -## Syncing directory extensions for Microsoft Entra Connect cloud sync +## Syncing directory extensions for Microsoft Entra Cloud Sync You can use [directory extensions](/graph/api/resources/extensionproperty?view=graph-rest-1.0&preserve-view=true) to extend the synchronization schema directory definition in Microsoft Entra ID with your own attributes. >[!Important]-> Directory extension for Microsoft Entra Connect cloud sync is only supported for applications with the identifier URI ΓÇ£api://<tenantId>/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Microsoft Entra Connect +> Directory extension for Microsoft Entra Cloud Sync is only supported for applications with the identifier URI ΓÇ£api://<tenantId>/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Microsoft Entra Connect ### Create application and service principal for directory extension For more information on extension attributes, see [Syncing extension attributes - [Understand the Microsoft Entra schema and custom expressions](concept-attributes.md) - [Microsoft Entra Connect Sync: Directory 
extensions](../connect/how-to-connect-sync-feature-directory-extensions.md)-- [Attribute mapping in Microsoft Entra Connect cloud sync](how-to-attribute-mapping.md)+- [Attribute mapping in Microsoft Entra Cloud Sync](how-to-attribute-mapping.md) |
active-directory | Exchange Hybrid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/exchange-hybrid.md | You can use MS Graph API to enable Exchange hybrid writeback. For more informat ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | How To Accidental Deletes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-accidental-deletes.md | Title: 'Microsoft Entra Connect cloud sync accidental deletes' + Title: 'Microsoft Entra Cloud Sync accidental deletes' description: This topic describes how to use the accidental delete feature to prevent deletions. -The following document describes the accidental deletion feature for Microsoft Entra Connect cloud sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to: +The following document describes the accidental deletion feature for Microsoft Entra Cloud Sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to: - configure the ability to prevent accidental deletes automatically. - Set the # of objects (threshold) beyond which the configuration takes effect If you don't want to allow the deletions, you need to do the following actions: ## Next steps -- [Microsoft Entra Connect cloud sync troubleshooting?](how-to-troubleshoot.md)-- [Microsoft Entra Connect cloud sync error codes](reference-error-codes.md)+- [Microsoft Entra Cloud Sync troubleshooting?](how-to-troubleshoot.md) +- [Microsoft Entra Cloud Sync error codes](reference-error-codes.md) |
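Review bot: the renamed Next steps link "[Microsoft Entra Cloud Sync troubleshooting?](how-to-troubleshoot.md)" keeps the stray question mark from the old line; since the link text is a title, not a question, it should be "[Microsoft Entra Cloud Sync troubleshooting](how-to-troubleshoot.md)". While touching this list, the two feature bullets above it mix capitalization ("configure the ability ..." vs "Set the # of objects ...") and "# of objects" would read better spelled out as "number of objects".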
active-directory | How To Attribute Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-attribute-mapping.md | Title: 'Attribute mapping in Microsoft Entra Connect cloud sync' + Title: 'Attribute mapping in Microsoft Entra Cloud Sync' description: This article describes how to use the cloud sync feature of Microsoft Entra Connect to map attributes. -# Attribute mapping in Microsoft Entra Connect cloud sync +# Attribute mapping in Microsoft Entra Cloud Sync You can use the cloud sync attribute mapping feature to map attributes between your on-premises user or group objects and the objects in Microsoft Entra ID. To test your attribute mapping, you can use [on-demand provisioning](how-to-on-d ## Next steps -- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) - [Writing expressions for attribute mappings](reference-expressions.md) - [How to use expression builder with cloud sync](how-to-expression-builder.md) - [Attributes synchronized to Microsoft Entra ID](../connect/reference-connect-sync-attributes-synchronized.md) |
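Review bot: the title and H1 are renamed to "Microsoft Entra Cloud Sync", but the description line directly under the title, "This article describes how to use the cloud sync feature of Microsoft Entra Connect to map attributes.", still presents cloud sync as a feature of Microsoft Entra Connect. Since the description is what search results show, it should be updated in the same hunk, for example "This article describes how to use Microsoft Entra Cloud Sync to map attributes."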
active-directory | How To Automatic Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-automatic-upgrade.md | To verify your version, right-click the executable and select properties and the To remove the agent, go to **Uninstall or change a program** and uninstall the following: - **Microsoft Entra Connect Agent Updater**-- **Microsoft Entra Connect Provisioning Agent**-- **Microsoft Entra Connect Provisioning Agent Package**+- **Microsoft Entra Provisioning Agent** +- **Microsoft Entra Provisioning Agent Package** ![Agent removal](media/how-to-automatic-upgrade/agent-3.png) ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
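Review bot: the uninstall list renames two of the three entries ("Microsoft Entra Provisioning Agent", "Microsoft Entra Provisioning Agent Package") but leaves "Microsoft Entra Connect Agent Updater" as is, and this list is meant to match the names a reader will see in Programs and Features. Please confirm against an installed agent that all three strings match the installed product names exactly (the screenshot referenced as agent-3.png should agree as well); if the updater really keeps the old name, a short remark saying so would stop readers from assuming they have a stale agent.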
active-directory | How To Cloud Sync Workbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-cloud-sync-workbook.md | To learn more about alerts, see [Azure Monitor Log Alerts](../../../azure-monito ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) - [Known limitations](how-to-prerequisites.md#known-limitations) - [Error codes](reference-error-codes.md) |
active-directory | How To Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-configure.md | Title: 'Microsoft Entra Connect cloud sync new agent configuration' + Title: 'Microsoft Entra Cloud Sync new agent configuration' description: This article describes how to install cloud sync. -# Create a new configuration for Microsoft Entra Connect cloud sync +# Create a new configuration for Microsoft Entra Cloud Sync -The following document will guide you through configuring Microsoft Entra Connect cloud sync. +The following document will guide you through configuring Microsoft Entra Cloud Sync. -The following documentation demonstrates the new guided user experience for Microsoft Entra Connect cloud sync. If you are not seeing the images below, you need to select the **Preview features** at the top. You can select this again to revert back to the old experience. +The following documentation demonstrates the new guided user experience for Microsoft Entra Cloud Sync. If you are not seeing the images below, you need to select the **Preview features** at the top. You can select this again to revert back to the old experience. :::image type="content" source="media/how-to-configure/new-ux-configure-19.png" alt-text="Screenshot of enable preview features." lightbox="media/how-to-configure/new-ux-configure-19.png"::: You can configure groups and organizational units within a configuration. 7. Once you've changed the scope, you should [restart provisioning](#restart-provisioning) to initiate an immediate synchronization of the changes. ## Attribute mapping-Microsoft Entra Connect cloud sync allows you to easily map attributes between your on-premises user/group objects and the objects in Microsoft Entra ID. +Microsoft Entra Cloud Sync allows you to easily map attributes between your on-premises user/group objects and the objects in Microsoft Entra ID. 
:::image type="content" source="media/how-to-configure/new-ux-configure-6.png" alt-text="Screenshot of map attributes icon." lightbox="media/how-to-configure/new-ux-configure-6.png"::: After saving, you should see a message telling you what you still need to do to For more information, see [attribute mapping](how-to-attribute-mapping.md). ## Directory extensions and custom attribute mapping.-Microsoft Entra Connect cloud sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md). +Microsoft Entra Cloud Sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md). ## On-demand provisioning-Microsoft Entra Connect cloud sync allows you to test configuration changes, by applying these changes to a single user or group. +Microsoft Entra Cloud Sync allows you to test configuration changes, by applying these changes to a single user or group. :::image type="content" source="media/how-to-configure/new-ux-configure-8.png" alt-text="Screenshot of test icon." lightbox="media/how-to-configure/new-ux-configure-8.png"::: To delete a configuration, follow these steps. ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
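Review bot: the title is renamed to "Microsoft Entra Cloud Sync new agent configuration", but the description line right under it still says "This article describes how to install cloud sync.", which is the wrong summary for an article about creating a configuration (installation is covered by how-to-install.md). Suggest "This article describes how to create a new configuration for Microsoft Entra Cloud Sync." Two smaller points in the same region: the heading "## Directory extensions and custom attribute mapping." ends with a period that no other heading has, and "revert back" in the preview-features paragraph is redundant ("revert" is enough).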
active-directory | How To Expression Builder | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-expression-builder.md | Title: 'Use the expression builder with Microsoft Entra Connect cloud sync' + Title: 'Use the expression builder with Microsoft Entra Cloud Sync' description: This article describes how to use the expression builder with cloud sync. |
active-directory | How To Gmsa Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-gmsa-cmdlets.md | -The purpose of this document is to describe the Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Microsoft Entra Connect cloud sync applies all permissions similar to Microsoft Entra Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install. +The purpose of this document is to describe the Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Microsoft Entra Cloud Sync applies all permissions similar to Microsoft Entra Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install. This document will cover the following cmdlets: |
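Review bot: the hunk renames "Microsoft Entra Connect cloud sync" in the second sentence but leaves "the Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets" in the first, so the paragraph now mixes the old and new product names. Elsewhere in this same change set (how-to-install-pshell.md, how-to-install.md) the agent is renamed to "Microsoft Entra Provisioning Agent"; the first sentence should use that name too, and the cmdlet article's title should be checked so that links to it from the other articles can be updated consistently.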
active-directory | How To Inbound Synch Ms Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md | Look under the 'status' section of the return object for relevant details ## Next steps -- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) - [Transformations](how-to-transformation.md) - [Microsoft Entra Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true) |
active-directory | How To Install Pshell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install-pshell.md | -# Install the Microsoft Entra Connect provisioning agent by using a CLI and PowerShell -This article shows you how to install the Microsoft Entra Connect provisioning agent by using PowerShell cmdlets. +# Install the Microsoft Entra Provisioning Agent by using a CLI and PowerShell +This article shows you how to install the Microsoft Entra Provisioning Agent by using PowerShell cmdlets. >[!NOTE]->This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Microsoft Entra Connect provisioning agent by using the wizard, see [Install the Microsoft Entra Connect provisioning agent](how-to-install.md). +>This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Microsoft Entra Provisioning Agent by using the wizard, see [Install the Microsoft Entra Provisioning Agent](how-to-install.md). ## Prerequisite -The Windows server must have TLS 1.2 enabled before you install the Microsoft Entra Connect provisioning agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in [Prerequisites for Microsoft Entra Connect cloud sync](how-to-prerequisites.md#tls-requirements). +The Windows server must have TLS 1.2 enabled before you install the Microsoft Entra Provisioning Agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in [Prerequisites for Microsoft Entra Cloud Sync](how-to-prerequisites.md#tls-requirements). >[!IMPORTANT] >The following installation instructions assume that all the [prerequisites](how-to-prerequisites.md) were met. 
<a name='install-the-azure-ad-connect-provisioning-agent-by-using-powershell-cmdlets-'></a> -## Install the Microsoft Entra Connect provisioning agent by using PowerShell cmdlets +## Install the Microsoft Entra Provisioning Agent by using PowerShell cmdlets [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] The Windows server must have TLS 1.2 enabled before you install the Microsoft En Now that you've installed the agent, you can apply more granular permissions to the gMSA. For information and step-by-step instructions on how to configure the permissions, see [Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md). ## Installing against US government cloud-By default, the Microsoft Entra Connect provisioning agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud do the following: +By default, the Microsoft Entra Provisioning Agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud do the following: - In step #8, add **ENVIRONMENTNAME=AzureUSGovernment** to the command line like the example. ``` By default, the Microsoft Entra Connect provisioning agent installs against the - [What is provisioning?](../what-is-provisioning.md) - [Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
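Review bot: two unchanged context lines in this article still use the old agent name and should be included in the rename: "see [Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md)" in the paragraph after the installation steps, and the same link text in the Next steps list. Keeping the `<a name='install-the-azure-ad-connect-provisioning-agent-by-using-powershell-cmdlets-'>` anchor above the renamed heading is correct, since the heading slug changes and existing deep links would otherwise break; the how-to-install.md hunk in this set should be checked for the same anchor treatment. Minor: "In step #8, add ENVIRONMENTNAME=AzureUSGovernment to the command line like the example." should be "as in the following example" (the example block follows).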
active-directory | How To Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install.md | Title: 'Install the Microsoft Entra Connect provisioning agent' -description: Learn how to install the Microsoft Entra Connect provisioning agent and how to configure it in the Microsoft Entra admin center. + Title: 'Install the Microsoft Entra Provisioning Agent' +description: Learn how to install the Microsoft Entra Provisioning Agent and how to configure it in the Microsoft Entra admin center. -# Install the Microsoft Entra Connect provisioning agent +# Install the Microsoft Entra Provisioning Agent -This article walks you through the installation process for the Microsoft Entra Connect provisioning agent and how to initially configure it in the Microsoft Entra admin center. +This article walks you through the installation process for the Microsoft Entra Provisioning Agent and how to initially configure it in the Microsoft Entra admin center. > [!IMPORTANT] > The following installation instructions assume that you've met all the [prerequisites](how-to-prerequisites.md). >[!NOTE]->This article deals with installing the provisioning agent by using the wizard. For information about installing the Microsoft Entra Connect provisioning agent by using a CLI, see [Install the Microsoft Entra Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md). +>This article deals with installing the provisioning agent by using the wizard. For information about installing the Microsoft Entra Provisioning Agent by using a CLI, see [Install the Microsoft Entra Provisioning Agent by using a CLI and PowerShell](how-to-install-pshell.md). 
For more information and an example, view the following video: > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR] ## Group Managed Service Accounts-A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Microsoft Entra Connect cloud sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts). +A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Microsoft Entra Cloud Sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts). ### Update an existing agent to use the gMSA To update an existing agent to use the Group Managed Service Account created dur [!INCLUDE [active-directory-cloud-sync-how-to-verify-installation](../../../../includes/active-directory-cloud-sync-how-to-verify-installation.md)] >[!IMPORTANT]-> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Microsoft Entra Connect cloud sync](how-to-configure.md). +> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Microsoft Entra Cloud Sync](how-to-configure.md). 
To use *password writeback* and enable the self-service password reset (SSPR) se 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../../roles/permissions-reference.md#hybrid-identity-administrator). 2. On the left, select **Protection**, select **Password reset**, then choose **On-premises integration**. 3. Check the option for **Enable password write back for synced users** .- 4. (optional) If Microsoft Entra Connect provisioning agents are detected, you can additionally check the option for **Write back passwords with Microsoft Entra Connect cloud sync**. + 4. (optional) If Microsoft Entra Connect provisioning agents are detected, you can additionally check the option for **Write back passwords with Microsoft Entra Cloud Sync**. 5. Check the option for **Allow users to unlock accounts without resetting their password** to *Yes*. 6. When ready, select **Save**. To use *password writeback* and enable the self-service password reset (SSPR) se Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential) ``` -For more information about using password writeback with Microsoft Entra Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md). +For more information about using password writeback with Microsoft Entra Cloud Sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md). ## Install an agent in the US government cloud -By default, the Microsoft Entra Connect provisioning agent is installed in the default Azure environment. 
If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure: +By default, the Microsoft Entra Provisioning Agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure: - Instead of selecting **Open file**, select **Start** > **Run**, and then go to the *AADConnectProvisioningAgentSetup.exe* file. In the **Run** box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment**, and then select **OK**. For information about security and FIPS, see [Microsoft Entra password hash sync ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)-- [Create a new configuration for Microsoft Entra Connect cloud sync](how-to-configure.md).+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) +- [Create a new configuration for Microsoft Entra Cloud Sync](how-to-configure.md). |
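Review bot: step 4 of the password writeback procedure renames the checkbox to "Write back passwords with Microsoft Entra Cloud Sync" but the same sentence still opens with "If Microsoft Entra Connect provisioning agents are detected", so the old and new names appear side by side; use "Microsoft Entra Provisioning Agents" there to match the H1 in this hunk. Also, the H1 changes from "Install the Microsoft Entra Connect provisioning agent" to "Install the Microsoft Entra Provisioning Agent", which changes the heading slug; unlike how-to-install-pshell.md in this set, no legacy `<a name=...>` anchor is visible here, so any existing links to the old heading should be checked. Since this is the procedure that grants the agent the ability to write passwords back to on-premises AD, the step-5 wording "Check the option for **Allow users to unlock accounts without resetting their password** to *Yes*" should say "Set the option ... to *Yes*"; a checkbox is not set to a value.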
active-directory | How To Manage Registry Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-manage-registry-options.md | -This section describes registry options that you can set to control the runtime processing behavior of the Microsoft Entra Connect provisioning agent. +This section describes registry options that you can set to control the runtime processing behavior of the Microsoft Entra Provisioning Agent. ## Configure LDAP connection timeout When performing LDAP operations on configured Active Directory domain controllers, by default, the provisioning agent uses the default connection timeout value of 30 seconds. If your domain controller takes more time to respond, then you may see the following error message in the agent log file: System.DirectoryServices.Protocols.LdapException: The operation was aborted beca LDAP search operations can take longer if the search attribute is not indexed. As a first step, if you get the above error, first check if the search/lookup attribute is [indexed](/windows/win32/ad/indexed-attributes). If the search attributes are indexed and the error persists, you can increase the LDAP connection timeout using the following steps: -1. Log on as Administrator on the Windows server running the Microsoft Entra Connect Provisioning Agent. +1. Log on as Administrator on the Windows server running the Microsoft Entra Provisioning Agent. 1. Use the *Run* menu item to open the registry editor (regedit.exe) 1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent** 1. Right-click and select "New -> String Value" LDAP search operations can take longer if the search attribute is not indexed. A 1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency. 
## Configure referral chasing-By default, the Microsoft Entra Connect provisioning agent does not chase [referrals](/windows/win32/ad/referrals). +By default, the Microsoft Entra Provisioning Agent does not chase [referrals](/windows/win32/ad/referrals). You may want to enable referral chasing, to support certain HR inbound provisioning scenarios such as: * Checking uniqueness of UPN across multiple domains * Resolving cross-domain manager references Use the following steps to turn on referral chasing: -1. Log on as Administrator on the Windows server running the Microsoft Entra Connect Provisioning Agent. +1. Log on as Administrator on the Windows server running the Microsoft Entra Provisioning Agent. 1. Use the *Run* menu item to open the registry editor (regedit.exe) 1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent** 1. Right-click and select "New -> String Value" Use the following steps to turn on referral chasing: ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
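Review bot: the two procedures rename the agent in prose but correctly leave the registry path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent" untouched, since that is the key the installed agent actually reads. Because the surrounding text now says "Microsoft Entra Provisioning Agent", a reader may assume the key name is stale; a one-line remark that the registry key keeps the legacy name, and a reminder in the PR that a later bulk rename must not touch it, would prevent a well-meant search-and-replace from silently breaking the LDAP timeout and referral-chasing settings. Minor: "does not chase referrals" and "is not indexed" could use contractions to match the rest of the doc set, and "Log on as Administrator" should say a member of the local Administrators group, since regedit changes under HKLM require elevation rather than the built-in Administrator account specifically.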
active-directory | How To Map Usertype | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-map-usertype.md | Title: 'Use map UserType with Microsoft Entra Connect cloud sync' + Title: 'Use map UserType with Microsoft Entra Cloud Sync' description: This article describes how to map the UserType attribute with cloud sync. |
active-directory | How To On Demand Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-on-demand-provision.md | Title: 'On-demand provisioning in Microsoft Entra Connect cloud sync' + Title: 'On-demand provisioning in Microsoft Entra Cloud Sync' description: This article describes how to use the cloud sync feature of Microsoft Entra Connect to test configuration changes. -# On-demand provisioning in Microsoft Entra Connect cloud sync +# On-demand provisioning in Microsoft Entra Cloud Sync You can use the cloud sync feature of Microsoft Entra Connect to test configuration changes by applying these changes to a single user. This on-demand provisioning helps you validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Microsoft Entra ID. This process enables you to trace the attribute transformation as it moves throu ## Next steps -- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)-- [Install Microsoft Entra Connect cloud sync](how-to-install.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) +- [Install Microsoft Entra Cloud Sync](how-to-install.md) |
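Review bot: the renamed Next steps link "[Install Microsoft Entra Cloud Sync](how-to-install.md)" points at an article that this same change set retitles "Install the Microsoft Entra Provisioning Agent"; the link text should match the target title so readers are not sent to a page with a different name. The description line and the opening sentence ("You can use the cloud sync feature of Microsoft Entra Connect to test configuration changes...") also still describe cloud sync as a feature of Microsoft Entra Connect and should be updated alongside the title and H1.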
active-directory | How To Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-prerequisites.md | Title: 'Prerequisites for Microsoft Entra Connect cloud sync in Microsoft Entra ID' + Title: 'Prerequisites for Microsoft Entra Cloud Sync in Microsoft Entra ID' description: This article describes the prerequisites and hardware requirements you need for cloud sync. -# Prerequisites for Microsoft Entra Connect cloud sync -This article provides guidance on how to choose and use Microsoft Entra Connect cloud sync as your identity solution. +# Prerequisites for Microsoft Entra Cloud Sync +This article provides guidance on how to choose and use Microsoft Entra Cloud Sync as your identity solution. ## Cloud provisioning agent requirements-You need the following to use Microsoft Entra Connect cloud sync: +You need the following to use Microsoft Entra Cloud Sync: -- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Connect Cloud Sync gMSA (group Managed Service Account) to run the agent service. +- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Cloud Sync gMSA (group Managed Service Account) to run the agent service. - A hybrid identity administrator account for your Microsoft Entra tenant that is not a guest user. - An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported.-- High availability refers to the Microsoft Entra Connect cloud sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Microsoft Entra Connect cloud sync can continue to function even if one agent should fail. 
Microsoft recommends having 3 active agents installed for high availability.+- High availability refers to the Microsoft Entra Cloud Sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Microsoft Entra Cloud Sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability. - On-premises firewall configurations. ## Group Managed Service Accounts-A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Microsoft Entra Connect cloud sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) +A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Microsoft Entra Cloud Sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) ### Prerequisites for gMSA: 1. The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later. 
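Review bot: the `+` line in the high-availability bullet introduces "refers to the Microsoft Entra Cloud Sync's ability", which puts a definite article in front of a product name; suggest "High availability refers to Microsoft Entra Cloud Sync's ability to operate continuously". The same bullet is also the only one in the list that is a definition rather than a prerequisite, so it would read better as a short paragraph after the list, with the prerequisite itself ("multiple active agents, Microsoft recommends 3") kept as the bullet.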
If there's a firewall between your servers and Microsoft Entra ID, configure the ## NTLM requirement -You should not enable NTLM on the Windows Server that is running the Microsoft Entra Connect Provisioning Agent and if it is enabled you should make sure you disable it. +You should not enable NTLM on the Windows Server that is running the Microsoft Entra Provisioning Agent and if it is enabled you should make sure you disable it. ## Known limitations When using OU scoping filter ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
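Review bot: the NTLM requirement `+` line keeps the original run-on ("You should not enable NTLM on the Windows Server that is running the Microsoft Entra Provisioning Agent and if it is enabled you should make sure you disable it."); since this is a hardening requirement, state it as two imperative sentences: "Don't enable NTLM on the Windows server that runs the Microsoft Entra Provisioning Agent. If it's enabled, disable it."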
active-directory | How To Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-sso.md | The following document describes how to use single sign-on with cloud sync. ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | How To Transformation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-transformation.md | Title: Microsoft Entra Connect cloud sync transformations + Title: Microsoft Entra Cloud Sync transformations description: This article describes how to use transformations to alter the default attribute mappings. For information on the syntax and examples of expressions, see [Writing expressi ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | How To Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-troubleshoot.md | Title: Microsoft Entra Connect cloud sync troubleshooting + Title: Microsoft Entra Cloud Sync troubleshooting description: This article describes how to troubleshoot problems that might arise with the cloud provisioning agent. To verify that Azure detects the agent, and that the agent is healthy, follow th ### Verify the required open ports -Verify that the Microsoft Entra Connect provisioning agent is able to communicate successfully with Azure datacenters. If there's a firewall in the path, make sure that the following ports to outbound traffic are open: +Verify that the Microsoft Entra Provisioning Agent is able to communicate successfully with Azure datacenters. If there's a firewall in the path, make sure that the following ports to outbound traffic are open: | Port number | How it's used | | -- | | However, during the name resolution, the CNAME records might contain DNS records To verify that the agent is running, follow these steps: 1. On the server with the agent installed, open **Services**. Do this by going to **Start** > **Run** > **Services.msc**.-1. Under **Services**, make sure **Microsoft Entra Connect Agent Updater** and **Microsoft Entra Connect Provisioning Agent** are there. Also confirm that their status is *Running*. +1. Under **Services**, make sure **Microsoft Entra Connect Agent Updater** and **Microsoft Entra Provisioning Agent** are there. Also confirm that their status is *Running*. ![Screenshot of local services and their status.](media/how-to-troubleshoot/troubleshoot-1.png) The following sections describe some common agent installation problems, and typ You might receive an error message that states: -*Service 'Microsoft Entra Connect Provisioning Agent' failed to start. 
Verify that you have sufficient privileges to start the system services.* +*Service 'Microsoft Entra Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.* This problem is typically caused by a group policy. The policy prevented permissions from being applied to the local NT Service sign-in account created by the installer (`NT SERVICE\AADConnectProvisioningAgent`). These permissions are required to start the service. To resolve this problem, follow these steps: 1. Sign in to the server with an administrator account. 1. Open **Services** by going to **Start** > **Run** > **Services.msc**.-1. Under **Services**, double-click **Microsoft Entra Connect Provisioning Agent**. +1. Under **Services**, double-click **Microsoft Entra Provisioning Agent**. 1. On the **Log On** tab, change **This account** to a domain admin. Then restart the service. ![Screenshot that shows options available from the log on tab.](media/how-to-troubleshoot/troubleshoot-3.png) This information provides detailed steps and where the synchronization problem i #### Microsoft Entra ID object deletion threshold -If you have an implementation topology with Microsoft Entra Connect and Microsoft Entra Connect cloud sync, both exporting to the same Microsoft Entra ID Tenant, or if you completely moved from using Microsoft Entra Connect to Microsoft Entra Connect cloud sync, you might get the following export error message when you're deleting or moving multiple objects out of the defined scope: +If you have an implementation topology with Microsoft Entra Connect and Microsoft Entra Cloud Sync, both exporting to the same Microsoft Entra ID Tenant, or if you completely moved from using Microsoft Entra Connect to Microsoft Entra Cloud Sync, you might get the following export error message when you're deleting or moving multiple objects out of the defined scope: ![Screenshot that shows the export error.](media/how-to-troubleshoot/log-4.png) -This error 
isn't related to the [Microsoft Entra Connect Cloud Sync accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md). It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra ID directory from Microsoft Entra Connect. -If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Connect cloud sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command: +This error isn't related to the [Microsoft Entra Cloud Sync accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md). It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra ID directory from Microsoft Entra Connect. +If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Cloud Sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command: ```PowerShell Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-c6b1-48a5-9ba7-28fe88f83980" |
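Review bot: the `+` lines change the string users are told to find in **Services.msc** and in the failure message to "Microsoft Entra Provisioning Agent" while leaving "Microsoft Entra Connect Agent Updater" and the installer account `NT SERVICE\AADConnectProvisioningAgent` unchanged; because readers match these display names literally, confirm that the installed agent's service display name actually reads "Microsoft Entra Provisioning Agent" before merging, otherwise the troubleshooting step sends them looking for a service that is not listed. Separately, the `Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-…"` sample uses a realistic-looking GUID; a placeholder such as `"<tenant-id>"` avoids readers pasting it as-is.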
active-directory | Migrate Azure Ad Connect To Cloud Sync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md | Title: 'Migrate Microsoft Entra Connect to Microsoft Entra Connect cloud sync| Microsoft Docs' -description: Describes steps to migrate Microsoft Entra Connect to Microsoft Entra Connect cloud sync. + Title: 'Migrate Microsoft Entra Connect to Microsoft Entra Cloud Sync| Microsoft Docs' +description: Describes steps to migrate Microsoft Entra Connect to Microsoft Entra Cloud Sync. -# Migrating from Microsoft Entra Connect to Microsoft Entra Connect cloud sync +# Migrating from Microsoft Entra Connect to Microsoft Entra Cloud Sync -Microsoft Entra Connect cloud sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. If you're currently using Microsoft Entra Connect and wish to move to cloud sync, the following document provides guidance. +Microsoft Entra Cloud Sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. If you're currently using Microsoft Entra Connect and wish to move to cloud sync, the following document provides guidance. <a name='steps-for-migrating-from-azure-ad-connect-to-cloud-sync'></a> Microsoft Entra Connect cloud sync is the future for accomplishing your hybrid i |Choose the best sync tool|Before moving to cloud sync, you should verify that cloud sync is currently the best synchronization tool for you. 
You can do this task by going through the wizard [here](https://aka.ms/EvaluateSyncOptions).| |Verify the pre-requisites for migrating|The following guidance is only for users who have installed Microsoft Entra Connect using the Express settings and aren't synchronizing devices. Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).| |Back up your Microsoft Entra Connect configuration|Before making any changes, you should back up your Microsoft Entra Connect configuration. This way, you can role-back. For more information, see [Import and export Microsoft Entra Connect configuration settings](../connect/how-to-connect-import-export-config.md).|-|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.| +|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.| |Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on.| |Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now. Before continuing, let Microsoft Entra Connect pick up the changes so that it's synchronizing them in the new OU.| |Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU. 
</br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`| |Stop the scheduler|Before creating new sync rules, you need to stop the Microsoft Entra Connect scheduler. For more information, see [how to stop the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).-|Create the custom sync rules|In the Microsoft Entra Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.| +|Create the custom sync rules|In the Microsoft Entra Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.| |Install the provisioning agent|If you haven't done so, install the provisioning agent. For more information, see [how to install the agent](how-to-install.md).| |Configure cloud sync|Once the agent is installed, you need to configure cloud sync. In the configuration, you need to create a scope to the OU that was created or identified previously. 
For more information, see [Configuring cloud sync](how-to-configure.md).| |Verify pilot users are synchronizing and being provisioned|Verify that the users are now being synchronized in the portal. You can use the PowerShell script below to get a count of the number of users that have the on-premises pilot OU in their distinguished name. This number should match the count of users in the previous step. If you create a new user in this OU, verify that it's being provisioned.| Write-Host "Total Users found:" + $counter ## More information - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)-- [Create a new configuration for Microsoft Entra Connect cloud sync](how-to-configure.md).-- [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) +- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) +- [Create a new configuration for Microsoft Entra Cloud Sync](how-to-configure.md). +- [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) `` |
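Review bot: two problems in the unchanged context of this table: "This way, you can role-back." should be "roll back", and the verification script's line `Write-Host "Total Users found:" + $counter` does not concatenate in PowerShell (the `+` and `$counter` are passed as separate positional arguments, so the output is `Total Users found: + 3` style text); suggest `Write-Host "Total Users found: $counter"`. Both are worth fixing in the same rename pass since the table is already being touched.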
active-directory | Plan Cloud Sync Topologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/plan-cloud-sync-topologies.md | Title: Microsoft Entra Connect cloud sync supported topologies and scenarios -description: Learn about various on-premises and Microsoft Entra topologies that use Microsoft Entra Connect cloud sync. + Title: Microsoft Entra Cloud Sync supported topologies and scenarios +description: Learn about various on-premises and Microsoft Entra topologies that use Microsoft Entra Cloud Sync. -# Microsoft Entra Connect cloud sync supported topologies and scenarios -This article describes various on-premises and Microsoft Entra topologies that use Microsoft Entra Connect cloud sync. This article includes only supported configurations and scenarios. +# Microsoft Entra Cloud Sync supported topologies and scenarios +This article describes various on-premises and Microsoft Entra topologies that use Microsoft Entra Cloud Sync. This article includes only supported configurations and scenarios. > [!IMPORTANT]-> Microsoft doesn't support modifying or operating Microsoft Entra Connect cloud sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Microsoft Entra Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments. +> Microsoft doesn't support modifying or operating Microsoft Entra Cloud Sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Microsoft Entra Cloud Sync. As a result, Microsoft can't provide technical support for such deployments. For more information, see the following video. 
Multiple AD forests is a common topology, with one or multiple domains, and a si ## Existing forest with Microsoft Entra Connect, new forest with cloud Provisioning ![Diagram that shows the topology for an existing forest and a new forest.](media/tutorial-existing-forest/existing-forest-new-forest-2.png) -This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Microsoft Entra Connect environment and then bringing on a new forest using Microsoft Entra Connect cloud sync. For an example of this scenario see [Tutorial: An existing forest with a single Microsoft Entra tenant](tutorial-existing-forest.md) +This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Microsoft Entra Connect environment and then bringing on a new forest using Microsoft Entra Cloud Sync. For an example of this scenario see [Tutorial: An existing forest with a single Microsoft Entra tenant](tutorial-existing-forest.md) <a name='piloting-azure-ad-connect-cloud-sync-in-an-existing-hybrid-ad-forest'></a> -## Piloting Microsoft Entra Connect cloud sync in an existing hybrid AD forest +## Piloting Microsoft Entra Cloud Sync in an existing hybrid AD forest ![Topology for a single forest and a single tenant](media/tutorial-migrate-aadc-aadccp/diagram-2.png)-The piloting scenario involves the existence of both Microsoft Entra Connect and Microsoft Entra Connect cloud sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools. +The piloting scenario involves the existence of both Microsoft Entra Connect and Microsoft Entra Cloud Sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools. 
-For an example of this scenario see [Tutorial: Pilot Microsoft Entra Connect cloud sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) +For an example of this scenario see [Tutorial: Pilot Microsoft Entra Cloud Sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) ## Merging objects from disconnected sources ### (Public Preview) This configuration is advanced and there are a few caveats to this topology: ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
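Review bot: the `+` line under "Existing forest with Microsoft Entra Connect, new forest with cloud Provisioning" carries the pre-existing garble "This scenario is topology is similar to the multi-forest scenario, however this one involves…" and the sentence ending at "(tutorial-existing-forest.md)" has no period; suggest "This topology is similar to the multi-forest scenario; however, this one involves an existing Microsoft Entra Connect environment and then brings on a new forest using Microsoft Entra Cloud Sync. For an example of this scenario, see […](tutorial-existing-forest.md)." The same missing period recurs on the piloting `+` line.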
active-directory | Reference Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-error-codes.md | Title: Microsoft Entra Connect cloud sync error codes and descriptions + Title: Microsoft Entra Cloud Sync error codes and descriptions description: reference article for cloud sync error codes -# Microsoft Entra Connect cloud sync error codes and descriptions +# Microsoft Entra Cloud Sync error codes and descriptions The following is a list of error codes and their description The following is a list of error codes and their description |HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from portal.| |HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus isn't able to send a message to the agent. 
Could be an outage in service bus, or the agent isn't responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| |AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Microsoft Entra ID is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Microsoft Entra ID is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.|-|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Microsoft Entra Connect cloud sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} doesn't exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.| +|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Microsoft Entra Cloud Sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). 
Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} doesn't exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.| |AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code doesn't indicate success: 401 (Unauthorized).<br> Azure AD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Microsoft Entra tenant credentials were exchanged for an OAuth token that has since expired."| |AzureActiveDirectoryAuthenticationFailed|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.60b943e88f234db2b887f8cb91dee87c.707be0d2-c6a9-405d-a3b9-de87761dc3ac. Additional details: We were unable to process this request at this point. 
If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: UnexpectedError.|Unknown error.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
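Review bot: the AzureActiveDirectoryInvalidCredential `+` line keeps "following the instructions at [here](./how-to-troubleshoot.md)", which reads as "at here"; the quoted error text should stay verbatim if that is what the service emits, but if this column is editorial guidance, "following the instructions in [Troubleshoot cloud sync](./how-to-troubleshoot.md)" is the accessible link-text form. Please clarify in the row which it is, since the other rows mix verbatim messages with guidance.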
active-directory | Reference Expressions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-expressions.md | Title: Microsoft Entra Connect cloud sync expressions and function reference + Title: Microsoft Entra Cloud Sync expressions and function reference description: reference Based on the user's first name, middle name and last name, you need to generate ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | Reference Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md | Title: 'AADCloudSyncTools PowerShell module for Microsoft Entra Connect cloud sync' + Title: 'AADCloudSyncTools PowerShell module for Microsoft Entra Cloud Sync' description: This article describes how to install the Microsoft Entra Connect cloud provisioning agent. -# AADCloudSyncTools PowerShell module for Microsoft Entra Connect cloud sync +# AADCloudSyncTools PowerShell module for Microsoft Entra Cloud Sync -The AADCloudSyncTools module provides a set of useful tools that can help you manage your deployments of Microsoft Entra Connect cloud sync. +The AADCloudSyncTools module provides a set of useful tools that can help you manage your deployments of Microsoft Entra Cloud Sync. ## Prerequisites Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039 ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
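Review bot: the `description:` line in this file ("This article describes how to install the Microsoft Entra Connect cloud provisioning agent.") does not describe the article, which documents the AADCloudSyncTools PowerShell module; it was left unchanged by the rename and still uses the old agent name. Suggest "This article describes the AADCloudSyncTools PowerShell module for managing Microsoft Entra Cloud Sync." so that search results and the page metadata match the title.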
active-directory | Tutorial Basic Ad Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-basic-ad-azure.md | Now you have an environment that can be used for existing tutorials and to test ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | Tutorial Existing Forest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-existing-forest.md | Title: Tutorial - Integrate an existing forest and a new forest with a single Microsoft Entra tenant using Microsoft Entra Connect cloud sync. + Title: Tutorial - Integrate an existing forest and a new forest with a single Microsoft Entra tenant using Microsoft Entra Cloud Sync. description: Learn how to add cloud sync to an existing hybrid identity environment. -![Diagram that shows the Microsoft Entra Connect cloud sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png) +![Diagram that shows the Microsoft Entra Cloud Sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png) You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works. In this scenario, there's an existing forest synced using Microsoft Entra Connec <a name='install-the-azure-ad-connect-provisioning-agent'></a> -## Install the Microsoft Entra Connect provisioning agent +## Install the Microsoft Entra Provisioning Agent If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps: If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md <a name='configure-azure-ad-connect-cloud-sync'></a> -## Configure Microsoft Entra Connect cloud sync +## Configure Microsoft Entra Cloud Sync [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] You have now successfully set up a hybrid identity environment that you can use ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | Tutorial Pilot Aadc Aadccp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-pilot-aadc-aadccp.md | Title: Tutorial - Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest + Title: Tutorial - Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced using Microsoft Entra Connect Sync. -# Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest +# Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest This tutorial walks you through how you would migrate to cloud sync for a test Active Directory forest that is already synced using Microsoft Entra Connect Sync. > [!NOTE] > This article provides information for a basic migration and you should review the [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment. -![Diagram that shows the Microsoft Entra Connect cloud sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png) +![Diagram that shows the Microsoft Entra Cloud Sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png) ## Considerations Same steps need to be followed for all object types (user, group and contact). <a name='install-the-azure-ad-connect-provisioning-agent'></a> -## Install the Microsoft Entra Connect provisioning agent +## Install the Microsoft Entra Provisioning Agent If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be CP1. 
To install the agent, follow these steps: If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md <a name='configure-azure-ad-connect-cloud-sync'></a> -## Configure Microsoft Entra Connect cloud sync +## Configure Microsoft Entra Cloud Sync Use the following steps to configure provisioning: In case the pilot doesn't work as expected, you can go back to the Microsoft Ent ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) |
active-directory | Tutorial Single Forest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-single-forest.md | -This tutorial walks you through creating a hybrid identity environment using Microsoft Entra Connect cloud sync. +This tutorial walks you through creating a hybrid identity environment using Microsoft Entra Cloud Sync. -![Diagram that shows the Microsoft Entra Connect cloud sync flow.](media/tutorial-single-forest/diagram-2.png) +![Diagram that shows the Microsoft Entra Cloud Sync flow.](media/tutorial-single-forest/diagram-2.png) You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync. You can use the environment you create in this tutorial for testing or for getti <a name='install-the-azure-ad-connect-provisioning-agent'></a> -## Install the Microsoft Entra Connect provisioning agent +## Install the Microsoft Entra Provisioning Agent If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps: If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md <a name='configure-azure-ad-connect-cloud-sync'></a> -## Configure Microsoft Entra Connect cloud sync +## Configure Microsoft Entra Cloud Sync [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] You'll now verify that the users that you had in your on-premises directory have ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png) -You've now successfully configured a hybrid identity environment using Microsoft Entra Connect cloud sync. +You've now successfully configured a hybrid identity environment using Microsoft Entra Cloud Sync. ## Next steps |
active-directory | What Is Cloud Sync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/what-is-cloud-sync.md | Title: 'What is Microsoft Entra Connect cloud sync?' -description: Describes Microsoft Entra Connect cloud sync. + Title: 'What is Microsoft Entra Cloud Sync?' +description: Describes Microsoft Entra Cloud Sync. -# What is Microsoft Entra Connect cloud sync? +# What is Microsoft Entra Cloud Sync? > [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q] -Microsoft Entra Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. However, it can be used alongside Microsoft Entra Connect Sync and it provides the following benefits: +Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. However, it can be used alongside Microsoft Entra Connect Sync and it provides the following benefits: - Support for synchronizing to a Microsoft Entra tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition (where the acquired company's AD forests are isolated from the parent company's AD forests), and companies that have historically had multiple AD forests. - Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Microsoft Entra ID, with all the sync configuration managed in the cloud. 
Microsoft Entra Connect cloud sync is a new offering from Microsoft designed to <a name='how-is-azure-ad-connect-cloud-sync-different-from-azure-ad-connect-sync'></a> -## How is Microsoft Entra Connect cloud sync different from Microsoft Entra Connect Sync? -With Microsoft Entra Connect cloud sync, provisioning from AD to Microsoft Entra ID is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Microsoft Entra ID and AD. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service. +## How is Microsoft Entra Cloud Sync different from Microsoft Entra Connect Sync? +With Microsoft Entra Cloud Sync, provisioning from AD to Microsoft Entra ID is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Microsoft Entra ID and AD. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service. <a name='azure-ad-connect-cloud-sync-video'></a> -## Microsoft Entra Connect cloud sync video -The following short video provides an excellent overview of Microsoft Entra Connect cloud sync: +## Microsoft Entra Cloud Sync video +The following short video provides an excellent overview of Microsoft Entra Cloud Sync: > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5] To determine if cloud sync is right for your organization, use the link below. 
## Comparison between Microsoft Entra Connect and cloud sync -The following table provides a comparison between Microsoft Entra Connect and Microsoft Entra Connect cloud sync: +The following table provides a comparison between Microsoft Entra Connect and Microsoft Entra Cloud Sync: | Feature | Connect sync| Cloud sync | |: |::|::| The following table provides a comparison between Microsoft Entra Connect and Mi | Support for device writeback|ΓùÅ |Customers should use [Cloud Kerberos trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune) for this moving forward| | Support for group writeback|ΓùÅ | | | Support for merging user attributes from multiple domains|ΓùÅ | |-| Active Directory Domain Services support|ΓùÅ | | +| Microsoft Entra Domain Services support|ΓùÅ | | | [Exchange hybrid writeback](exchange-hybrid.md) |ΓùÅ |ΓùÅ | | Unlimited number of objects per AD domain |ΓùÅ | | | Support for up to 150,000 objects per AD domain |ΓùÅ |ΓùÅ | |
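Review bot: renaming the comparison row from `Active Directory Domain Services support` to `Microsoft Entra Domain Services support` changes which product the row describes rather than just its name (on-premises AD DS versus the managed Entra Domain Services), so confirm the intended feature before merging, and if the row is meant to cover Entra Domain Services the Connect sync checkmark should be re-verified. Separately, the rewritten intro still says "Microsoft Entra cloud provisioning agent" while the other pages in this change use "Microsoft Entra Provisioning Agent"; align the agent name here as well.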
active-directory | Common Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/common-scenarios.md | Title: 'Common hybrid scenarios with Microsoft Entra ID' -description: This article describes the common scenarios for using Microsoft Entra Connect cloud sync and Microsoft Entra Connect. +description: This article describes the common scenarios for using Microsoft Entra Cloud Sync and Microsoft Entra Connect. documentationcenter: '' For additional information, see [Supported topologies for cloud sync](cloud-sync ## Cloud sync and connect sync in parallel-You can run cloud sync and Microsoft Entra Connect in the same forest. You can use cloud sync to manage your users and groups and use Microsoft Entra Connect for devices, for example. You may decide to do allow cloud sync to handle 80% and use Microsoft Entra Connect for some of your more obscure, 20% scenarios. The tutorial, [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](cloud-sync/tutorial-pilot-aadc-aadccp.md) shows an example of how you would run each. +You can run cloud sync and Microsoft Entra Connect in the same forest. You can use cloud sync to manage your users and groups and use Microsoft Entra Connect for devices, for example. You may decide to do allow cloud sync to handle 80% and use Microsoft Entra Connect for some of your more obscure, 20% scenarios. The tutorial, [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](cloud-sync/tutorial-pilot-aadc-aadccp.md) shows an example of how you would run each. ## Common authentication methods and scenarios |
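Review bot: the rewritten "Cloud sync and connect sync in parallel" paragraph carries over the typo "You may decide to do allow cloud sync to handle 80%"; since the line is already being touched, drop the stray "do" ("You may decide to allow cloud sync to handle 80%").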
active-directory | Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/configure.md | -After installing the Microsoft Entra Connect provisioning agent, you'll need to configure cloud sync. This configuration is done via the portal. The following table provides a list of features you can use to meet your business goals. +After installing the Microsoft Entra Provisioning Agent, you'll need to configure cloud sync. This configuration is done via the portal. The following table provides a list of features you can use to meet your business goals. |Task|Description| |--|--| |
active-directory | How To Connect Sync Whatis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-whatis.md | This topic is the home for **Microsoft Entra Connect Sync** (also called **sync The sync service consists of two components, the on-premises **Microsoft Entra Connect Sync** component and the service side in Microsoft Entra ID called **Microsoft Entra Connect Sync service**. >[!IMPORTANT]->Microsoft Entra Connect Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra Cloud provisioning agent instead of the Microsoft Entra Connect application. Microsoft Entra Cloud Sync is replacing Microsoft Entra Connect Sync, which will be retired after Cloud Sync has full functional parity with Connect sync. The remainder of this article is about AADConnect sync, but we encourage customers to review the features and advantages of Cloud Sync before deploying AADConnect sync. +>Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra Cloud provisioning agent instead of the Microsoft Entra Connect application. Microsoft Entra Cloud Sync is replacing Microsoft Entra Connect Sync, which will be retired after Cloud Sync has full functional parity with Connect sync. The remainder of this article is about AADConnect sync, but we encourage customers to review the features and advantages of Cloud Sync before deploying AADConnect sync. > >To find out if you are already eligible for Cloud Sync, please verify your requirements in [this wizard](https://admin.microsoft.com/adminportal/home?Q=setupguidance#/modernonboarding/identitywizard). > |
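Review bot: the updated IMPORTANT note is inconsistent with the rest of this rename batch: it says "Microsoft Entra Cloud provisioning agent" where other pages now use "Microsoft Entra Provisioning Agent", and it still refers to "AADConnect sync" twice and "Connect sync" once where the page's own heading uses "Microsoft Entra Connect Sync"; use one name for each product throughout the note.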
active-directory | Reference Connect Government Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-government-cloud.md | Before you deploy the Pass-through Authentication agent, verify whether a firewa > - the pass-through authentication agent > - [Microsoft Entra application proxy connector](../../app-proxy/what-is-application-proxy.md) >-> For information on URLS for the Microsoft Entra Connect Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md) for cloud sync. +> For information on URLS for the Microsoft Entra Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md) for cloud sync. |URL |How it's used| |
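Review bot: the touched line keeps "URLS" and "pre-requisites"; while renaming the agent, also change these to "URLs" and "prerequisites" to match the rest of the firewall-URL section.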
active-directory | Reference Connect Version History | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history.md | If you want all the latest features and updates, check this page and install wha To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). +## 2.2.8.0 ++### Release status +10/11/2023: Released for download ++### Functional Changes + - The attribute onPremisesObjectIdentifier has been added to the default sync rules. This attribute is required by Microsoft Entra Cloud Sync's Group Provisioning to AD feature. + - The minimum .NET runtime requirement has been increased to 4.7.1. ++### Bug Fixes + - Improvements to upgrade and auto-upgrade components. + - Fixed an issue preventing deprovisioning of group when deletions of both the group and a member belonging to a different domain are processed in the same sync cycle. + ## 2.2.1.0 ### Release status To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade] ### Bug fixes +- We fixed a bug where the new employeeLeaveDateTime attribute wasn't syncing correctly in version 2.1.19.0. Note that if the incorrect attribute was already used in a rule, then the rule must be updated with the new attribute and any objects in the Microsoft Entra connector space that have the incorrect attribute must be removed with the "Remove-ADSyncCSObject" cmdlet, and then a full sync cycle must be run. ## 2.1.19.0 To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade] ### Functional changes +- We added a new attribute 'employeeLeaveDateTime' for syncing to Microsoft Entra ID. 
To learn more about how to use this attribute to manage your users' life cycles, please refer to [this article](../../governance/how-to-lifecycle-workflow-sync-attributes.md) ### Bug fixes +- we fixed a bug where Microsoft Entra Connect Password writeback stopped with error code "SSPR_0029 ERROR_ACCESS_DENIED" ## 2.1.18.0 To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade] 8/2/2022: Released for download and autoupgrade. ### Bug fixes+- We fixed a bug where autoupgrade fails when the service account is in "UPN" format. ## 2.1.15.0 When you upgrade to this V1.6 build or any newer builds, the group membership li ### Functional changes - We added the latest versions of Microsoft Identity Manager (MIM) Connectors (1.1.1610.0). For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](../../hybrid/connect/how-to-connect-install-existing-tenant.md#hard-match-vs-soft-match). ### Bug fixes When you upgrade to this V1.6 build or any newer builds, the group membership li ### Functional changes - We added the latest versions of MIM Connectors (1.1.1610.0). 
For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](../../hybrid/connect/how-to-connect-install-existing-tenant.md#hard-match-vs-soft-match). ## 2.0.10.0 This is a bug fix release. There are no functional changes in this release. ## Next steps Learn more about how to [integrate your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md).+ |
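Review bot: the new 2.2.8.0 section uses `### Functional Changes` and `### Bug Fixes`, whereas every other version block on this page uses sentence case (`### Functional changes`, `### Bug fixes`); match the existing headings. The added 2.1.19.0 bug-fix bullet also starts lowercase ("- we fixed a bug where Microsoft Entra Connect Password writeback stopped with error code ..."), and the raised minimum of .NET runtime 4.7.1 is a new install prerequisite that readers will look for under the release status line, so consider calling it out there or in the prerequisites page rather than only under functional changes.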
active-directory | Whatis Azure Ad Connect V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md | To address this issue, we've bundled as many of these newer components into a ne <a name='consider-moving-to-azure-ad-connect-cloud-sync'></a> -## Consider moving to Microsoft Entra Connect cloud sync -Microsoft Entra Connect cloud sync is the future of synchronization for Microsoft. It replaces Microsoft Entra Connect. +## Consider moving to Microsoft Entra Cloud Sync +Microsoft Entra Cloud Sync is the future of synchronization for Microsoft. It replaces Microsoft Entra Connect. > [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q] |
active-directory | Whatis Azure Ad Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect.md | -Microsoft Entra Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. If you're evaluating how to best meet your goals, you should also consider the cloud-managed solution [Microsoft Entra Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). +Microsoft Entra Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. If you're evaluating how to best meet your goals, you should also consider the cloud-managed solution [Microsoft Entra Cloud Sync](../cloud-sync/what-is-cloud-sync.md). > [!div class="nextstepaction"] Microsoft Entra Connect is an on-premises Microsoft application that's designed <a name='consider-moving-to-azure-ad-connect-cloud-sync'></a> -## Consider moving to Microsoft Entra Connect cloud sync -Microsoft Entra Connect cloud sync is the future of synchronization for Microsoft. It will replace Microsoft Entra Connect. +## Consider moving to Microsoft Entra Cloud Sync +Microsoft Entra Cloud Sync is the future of synchronization for Microsoft. It will replace Microsoft Entra Connect. > [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q] |
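Review bot: this page's "Consider moving to Microsoft Entra Cloud Sync" section says "It will replace Microsoft Entra Connect." while the same section on whatis-azure-ad-connect-v2.md, changed in this batch, says "It replaces Microsoft Entra Connect."; pick one tense so the two pages agree on whether the replacement is current or planned.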
active-directory | Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/get-started.md | Use these tasks if you're deploying cloud sync to integrate with Active Director |--|--| |[Determine which sync tool is correct for you](https://setup.microsoft.com/azure/add-or-sync-users-to-azure-ad) |Use the wizard to determine whether cloud sync or Microsoft Entra Connect is the right tool for you.| |[Review the cloud sync prerequisites](cloud-sync/how-to-prerequisites.md)|Review the necessary prerequisites before getting started.|-|[Download and install the provisioning agent](cloud-sync/how-to-install.md)|Download and install the Microsoft Entra Connect Provisioning Agent. | +|[Download and install the provisioning agent](cloud-sync/how-to-install.md)|Download and install the Microsoft Entra Provisioning Agent. | |[Configure cloud sync](cloud-sync/how-to-configure.md)|Configure and tailor synchronization for your organization.| |[Verify users are synchronizing](cloud-sync/tutorial-single-forest.md#verify-users-are-created-and-synchronization-is-occurring)|Make sure it's working.| |
active-directory | Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/install.md | The following document provides the steps to install either cloud sync or Micros <a name='install-the-azure-ad-connect-provisioning-agent-for-cloud-sync'></a> -## Install the Microsoft Entra Connect provisioning agent for cloud sync -Cloud sync uses the Microsoft Entra Connect provisioning agent. Use the steps below to install it. +## Install the Microsoft Entra Provisioning Agent for cloud sync +Cloud sync uses the Microsoft Entra Provisioning Agent. Use the steps below to install it. [!INCLUDE [sign in](../../../includes/cloud-sync-sign-in.md)] 4. On the left, select **Agent**. 5. Select **Download on-premises agent**, and select **Accept terms & download**.- 6. Once the **Microsoft Entra Connect Provisioning Agent Package** has completed downloading, run the *AADConnectProvisioningAgentSetup.exe* installation file from your downloads folder. + 6. Once the **Microsoft Entra Provisioning Agent Package** has completed downloading, run the *AADConnectProvisioningAgentSetup.exe* installation file from your downloads folder. >[!NOTE] >When installing for the US Government Cloud use: >*AADConnectProvisioningAgentSetup.exe ENVIRONMENTNAME=AzureUSGovernment* Cloud sync uses the Microsoft Entra Connect provisioning agent. Use the steps b 7. On the splash screen, select **I agree to the license and conditions**, and then select **Install**. 8. Once the installation operation completes, the configuration wizard will launch. Select **Next** to start the configuration.- 9. On the **Select Extension** screen, select **HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Connect Cloud Sync** and click **Next**. + 9. On the **Select Extension** screen, select **HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Cloud Sync** and click **Next**. 10. Sign in with your Microsoft Entra Global Administrator account. 11. 
On the **Configure Service Account** screen, select a group Managed Service Account (gMSA). This account is used to run the agent service. To continue, select **Next**. 12. On the **Connect Active Directory** screen, if your domain name appears under **Configured domains**, skip to the next step. Otherwise, type your Active Directory domain name, and select **Add directory**. |
active-directory | On Demand Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/on-demand-provision.md | Title: 'On-demand provisioning using cloud sync' -description: This article describes how to use on-demand provisioning with Microsoft Entra Connect cloud sync. +description: This article describes how to use on-demand provisioning with Microsoft Entra Cloud Sync. documentationcenter: '' |
active-directory | Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/sso.md | -After installing the Microsoft Entra Connect provisioning agent, you will need to configure single sign-on for cloud sync. The following table provides a list of steps required for using single sign-on. +After installing the Microsoft Entra Provisioning Agent, you will need to configure single sign-on for cloud sync. The following table provides a list of steps required for using single sign-on. |Task|Description| |--|--| |
active-directory | Sync Tools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/sync-tools.md | +- **Cloud sync and the provisioning agent** - Microsoft Entra Cloud Sync is the newest offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the light-weight provisioning agent and fully configurable via through the portal. For more information, see [What is cloud sync?](cloud-sync/what-is-cloud-sync.md) and [What is the provisioning agent?](cloud-sync/what-is-provisioning-agent.md) - **Connect sync** - Microsoft Entra Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. For more information, see [What is Microsoft Entra Connect?](connect/whatis-azure-ad-connect-v2.md). |
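Review bot: the added "Cloud sync and the provisioning agent" bullet reads "It uses the light-weight provisioning agent and fully configurable via through the portal"; the sentence is missing a verb and has two prepositions, so change it to "It uses the lightweight provisioning agent and is fully configurable through the portal."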
active-directory | What Is Inter Directory Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/what-is-inter-directory-provisioning.md | Inter-directory provisioning allows us to create [hybrid identity](whatis-hybrid Microsoft Entra ID currently supports three methods for accomplishing inter-directory provisioning. These methods are: -- [Microsoft Entra Connect cloud sync](./cloud-sync/what-is-cloud-sync.md) -a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It is provides a light-weight inter -directory provisioning experience between Active Directory and Microsoft Entra ID and is configured via the portal.+- [Microsoft Entra Cloud Sync](./cloud-sync/what-is-cloud-sync.md) -a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It is provides a light-weight inter -directory provisioning experience between Active Directory and Microsoft Entra ID and is configured via the portal. - [Microsoft Entra Connect](./connect/whatis-azure-ad-connect.md) - the Microsoft tool designed to meet and accomplish your hybrid identity, including inter-directory provisioning from Active Directory to Microsoft Entra ID. |
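Review bot: the rewritten Microsoft Entra Cloud Sync bullet carries over two defects from the old line, "It is provides a light-weight inter -directory provisioning experience"; since the line is being replaced anyway, correct it to "It provides a lightweight inter-directory provisioning experience".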
active-directory | What Is Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/what-is-provisioning.md | This has been accomplished by Microsoft Entra Connect Sync, Microsoft Entra Conn ## Next steps -- [What is Microsoft Entra Connect cloud sync?](cloud-sync/what-is-cloud-sync.md)+- [What is Microsoft Entra Cloud Sync?](cloud-sync/what-is-cloud-sync.md) - [Install cloud provisioning](cloud-sync/how-to-install.md) |
active-directory | Pim Deployment Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-deployment-plan.md | PIM enables you to allow a specific set of actions at a particular scope. Key fe * Enforce **Multifactor authentication** to activate any role +* Enforce **Conditional Access policies** to activate any role (Public preview) + * Use **justification** to understand why users activate * Get **notifications** when privileged roles are activated Today, you can use PIM with: * **Azure roles** ΓÇô The role-based access control (RBAC) roles in Azure that grants access to management groups, subscriptions, resource groups, and resources. -* **PIM for Groups** ΓÇô To set up just-in-time access to member and owner role of a Microsoft Entra security group. PIM for Groups not only gives you an alternative way to set up PIM for Microsoft Entra roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection. +* **PIM for Groups** ΓÇô To set up just-in-time access to member and owner role of a Microsoft Entra security group. PIM for Groups not only gives you an alternative way to set up PIM for Microsoft Entra roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection. If the group is configured for app provisioning, activation of group membership triggers provisioning of group membership (and the user account, if it wasnΓÇÖt provisioned) to the application using the System for Cross-Domain Identity Management (SCIM) protocol. 
You can assign the following to these roles or groups: The following table shows an example test case: | Role| Expected behavior during activation| Actual results | | | | |-|Global Administrator| <li> Require MFA <br><li> Require Approval <br><li> Approver receives notification and can approve <br><li> Role expires after preset time| +|Global Administrator| <li> Require MFA <br><li> Require approval <br><li> Require Conditional Access context (Public preview) <br><li> Approver receives notification and can approve <br><li> Role expires after preset time| For both Microsoft Entra ID and Azure resource role, make sure that you have users represented who will take those roles. In addition, consider the following roles when you test PIM in your staged environment: First, ensure that all Global and Security admin roles are managed using PIM bec <a name='configure-pim-settings-for-azure-ad-roles'></a> +You can use the Privileged label to identify roles with high privileges that you can manage with PIM. Privileged label is present on [**Roles and Administrator**](../roles/privileged-roles-permissions.md?tabs=admin-center) in Microsoft Entra ID admin center. See the article, [Microsoft Entra built-in roles](../roles/permissions-reference.md) to learn more. + ### Configure PIM settings for Microsoft Entra roles [Draft and configure your PIM settings](pim-how-to-change-default-settings.md) for every privileged Microsoft Entra role that your organization uses. 
The following table shows example settings: -| Role| Require MFA| Notification| Incident ticket| Require approval| Approver| Activation duration| Perm admin | +| Role| Require MFA| Require Conditional Access| Notification| Incident ticket| Require approval| Approver| Activation duration| Perm admin | | | | | | | | | |-| Global Administrator| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other Global Administrator| 1 Hour| Emergency access accounts | -| Exchange Admin| :heavy_check_mark:| :heavy_check_mark:| :x:| :x:| None| 2 Hour| None | -| Helpdesk Admin| :x:| :x:| :heavy_check_mark:| :x:| None| 8 Hour| None | +| Global Administrator| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other Global Administrator| 1 Hour| Emergency access accounts | +| Exchange Admin| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |None| 2 Hour| None | +| Helpdesk Admin| :x: | | :x: | :heavy_check_mark: | :x: | None| 8 Hour| None | <a name='assign-and-activate-azure-ad-roles-'></a> For subscriptions or resources that arenΓÇÖt as critical, you wonΓÇÖt need to se The following table shows example settings: -| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration| +| Role| Require MFA| Notification| Require Conditional Access| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration| | | | | | | | |||-| Owner of critical subscriptions| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the subscription| 1 Hour| None| n/a| 3 months | -| User Access Administrator of less critical subscriptions| :heavy_check_mark:| :heavy_check_mark:| :x:| None| 1 Hour| None| n/a| 3 months | +| Owner of critical subscriptions| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other owners of the subscription| 1 
Hour| None| n/a| 3 months | +| User Access Administrator of less critical subscriptions| :heavy_check_mark: | :heavy_check_mark: | | :x: | None| 1 Hour| None| n/a| 3 months | ### Assign and activate Azure Resource role To manage a Microsoft Entra role-assignable group as a PIM for Groups, you must The following table shows example settings: -| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration | +| Role| Require MFA| Notification| Require Conditional Access| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration | | | | | | | | |||-| Owner| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the resource| One Hour| None| n/a| Three months | -| Member| :heavy_check_mark:| :heavy_check_mark:| :x:| None| Five Hours| None| n/a| 3 months | +| Owner| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other owners of the resource| One Hour| None| n/a| Three months | +| Member| :heavy_check_mark: | :heavy_check_mark: | | :x: | None| Five Hours| None| n/a| 3 months | ### Assign eligibility for PIM for Groups You can [assign eligibility to members or owners of the PIM for Groups.](groups-assign-member-owner.md) With just one activation, they will have access to all the linked resources. >[!NOTE] ->You can assign the group to one or more Microsoft Entra ID and Azure resource roles in the same way as you assign roles to users. A maximum of 400 role-assignable groups can be created in a single Microsoft Entra organization (tenant). +>You can assign the group to one or more Microsoft Entra ID and Azure resource roles in the same way as you assign roles to users. A maximum of 500 role-assignable groups can be created in a single Microsoft Entra organization (tenant). ![Diagram of assign eligibility for PIM for Groups.](media/pim-deployment-plan/pim-for-groups.png) |
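Review bot: in the first example table (Microsoft Entra roles) the header now has nine columns after inserting Require Conditional Access, but the unchanged separator row `| | | | | | | | |` still has the old column count, and the Helpdesk Admin row leaves the new cell empty (`| :x: | | :x: |`) where every other cell carries :heavy_check_mark: or :x:; widen the separator row and fill that cell with :x: (or whatever the intended setting is) so the table renders and the row reads unambiguously.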
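Review bot: the Azure resource role and PIM for Groups tables insert Require Conditional Access after Notification, while the Microsoft Entra roles table above places it directly after Require MFA; use one column order in all three tables. In the same two tables the User Access Administrator and Member rows leave the new cell empty (`| :heavy_check_mark: | | :x: |`) and the separator rows `| | | | | | | |||` were not widened to the new column count, so mark the empty cells explicitly and extend the separators.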
active-directory | Groups Create Eligible | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-create-eligible.md | For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr Use the [New-MgGroup](/powershell/module/microsoft.graph.groups/new-mggroup?branch=main) command to create a role-assignable group. +This example shows how to create a Security role-assignable group. ++```powershell +Connect-MgGraph -Scopes "Group.ReadWrite.All" +$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true +``` ++This example shows how to create a Microsoft 365 role-assignable group. + ```powershell Connect-MgGraph -Scopes "Group.ReadWrite.All"-$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group has Helpdesk Administrator built-in role assigned to it in Azure AD." -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true +$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled:$true -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true -GroupTypes "Unified" ``` # [Azure AD PowerShell](#tab/aad-powershell) $group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description Use the [New-AzureADMSGroup](/powershell/module/azuread/new-azureadmsgroup?branch=main) command to create a role-assignable group. ```powershell-$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." 
-MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true +$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true ``` For this type of group, `isPublic` will always be false and `isSecurityEnabled` will always be true. Add-AzureADGroupMember -ObjectId $roleAssignablegroup.Id -RefObjectId $member.Ob Use the [Create group](/graph/api/group-post-groups?branch=main) API to create a role-assignable group. +This example shows how to create a Security role-assignable group. ++```http +POST https://graph.microsoft.com/v1.0/groups +{ + "description": "Helpdesk Administrator role assigned to group", + "displayName": "Contoso_Helpdesk_Administrators", + "isAssignableToRole": true, + "mailEnabled": false, + "mailNickname": "contosohelpdeskadministrators", + "securityEnabled": true +} +``` ++This example shows how to create a Microsoft 365 role-assignable group. + ```http POST https://graph.microsoft.com/v1.0/groups {- "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.", + "description": "Helpdesk Administrator role assigned to group", "displayName": "Contoso_Helpdesk_Administrators", "groupTypes": [ "Unified" ], "isAssignableToRole": true, "mailEnabled": true,- "securityEnabled": true, "mailNickname": "contosohelpdeskadministrators",+ "securityEnabled": true, "visibility" : "Private" } ``` |
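Review bot: the Microsoft Graph PowerShell example for a Microsoft 365 role-assignable group sets no visibility, while the Microsoft Graph request body added for the same group type later in this change sends `"visibility" : "Private"`; if private visibility is required for this group type, add `-Visibility "Private"` to the New-MgGroup call (or say that the default applies) so the two tabs create the same group. The Azure AD PowerShell tab also gets only the security-group variant; either add the Microsoft 365 variant there as well or state that it is intentionally omitted.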
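Review bot: in the Microsoft 365 request body the only edit besides the description is moving `"securityEnabled": true` from above `"mailNickname"` to below it, which is a cosmetic reorder that adds diff noise; either leave the line where it was or apply the same property order (`isAssignableToRole`, `mailEnabled`, `mailNickname`, `securityEnabled`) to the new security-group body so both examples match.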
active-directory | Colloquial Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/colloquial-provisioning-tutorial.md | + + Title: 'Tutorial: Configure Colloquial for automatic user provisioning with Microsoft Entra ID' +description: Learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Colloquial. +++writer: twimmers ++ms.assetid: 8ea5fa0c-d3f1-4398-8051-9051e2df01f5 ++++ Last updated : 10/12/2023++++# Tutorial: Configure Colloquial for automatic user provisioning ++This tutorial describes the steps you need to perform in both Colloquial and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users to [Colloquial](https://www.colloquial.io) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md). ++## Supported capabilities +> [!div class="checklist"] +> * Create users in Colloquial. +> * Remove users in Colloquial when they do not require access anymore. +> * Keep user attributes synchronized between Microsoft Entra ID and Colloquial. +> * [Single sign-on](colloquial-tutorial.md) to Colloquial (recommended). ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [A Microsoft Entra tenant](../develop/quickstart-create-new-tenant.md) +* A user account in Microsoft Entra ID with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* A user account in Colloquial with Admin permissions. 
++## Step 1: Plan your provisioning deployment +* Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +* Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +* Determine what data to [map between Microsoft Entra ID and Colloquial](../app-provisioning/customize-application-attributes.md). ++## Step 2: Configure Colloquial to support provisioning with Microsoft Entra ID +Contact Colloquial support to configure Colloquial to support provisioning with Microsoft Entra ID. ++## Step 3: Add Colloquial from the Microsoft Entra application gallery ++Add Colloquial from the Microsoft Entra application gallery to start managing provisioning to Colloquial. If you have previously setup Colloquial for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4: Define who will be in scope for provisioning ++The Microsoft Entra provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. 
When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. ++## Step 5: Configure automatic user provisioning to Colloquial ++This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in Colloquial based on user assignments in Microsoft Entra ID. ++<a name='to-configure-automatic-user-provisioning-for-Colloquial-in-azure-ad'></a> ++### To configure automatic user provisioning for Colloquial in Microsoft Entra ID: ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Colloquial**. ++ ![Screenshot of the Colloquial link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Colloquial Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Colloquial. If the connection fails, ensure your Colloquial account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. 
In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Colloquial**. ++1. Review the user attributes that are synchronized from Microsoft Entra ID to Colloquial in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Colloquial for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Colloquial API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Colloquial| + ||||| + |userName|String|✓|✓ + |active|Boolean||✓ + |emails[type eq "work"].value|String||✓ + |preferredLanguage|String|| + |name.givenName|String||✓ + |name.familyName|String||✓ + |externalId|String|| + |locale|String|| + |timezone|String|| ++1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Microsoft Entra provisioning service for Colloquial, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users that you would like to provision to Colloquial by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. 
++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. ++## Step 6: Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Microsoft Entra ID?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
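Review bot: Step 5 asks the admin to enter the Colloquial Tenant URL and Secret Token, but Step 2 only says to contact Colloquial support and never states where those two values come from; add a sentence in Step 2 saying that support provides the provisioning endpoint URL and token (or wherever they are obtained) so the reader can complete Step 5. Minor wording in Step 3 and Step 6: 'previously setup Colloquial for SSO' should be 'previously set up', and 'how close it's to completion' reads better as 'how close it is to completion'.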
active-directory | Decentralized Identifier Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md | description: An overview Azure Verifiable Credentials. |
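Review bot: the description front matter reads 'An overview Azure Verifiable Credentials.', which is missing a word; since the neighbouring articles in this folder now call the product Microsoft Entra Verified ID, 'An overview of Microsoft Entra Verified ID.' would be the consistent fix.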
active-directory | Howto Verifiable Credentials Partner Au10tix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/howto-verifiable-credentials-partner-au10tix.md | -In this article, we cover the steps needed to integrate Microsoft Entra Verified ID with [AU10TIX](https://www.au10tix.com/). AU10TIX is a global leader in identity verification enabling companies to scale up their business by accelerating onboarding scenarios and ongoing verification throughout the customer lifecycle. It is an automated solution for the verification of ID documents + biometrics in 8 seconds or less. AU10TIX supports the verification of documents in over 190 countries/regions reading documents in their regional languages. +In this article, we cover the steps needed to integrate Microsoft Entra Verified ID with [AU10TIX](https://www.au10tix.com/). AU10TIX is an automated solution for the verification of ID documents + biometrics. AU10TIX supports the verification of documents in over 190 countries/regions reading documents in their regional languages. To learn more about AU10TIX and its complete set of solutions, visit https://www.au10tix.com/. Before you can continue with the steps below you need to meet the following requ - A tenant [configured](verifiable-credentials-configure-tenant.md) for Microsoft Entra Verified ID service. - If you don't have an existing tenant, you can [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - You need to have completed the onboarding process with Au10tix.- - To create a AU10TIX account, submit the form on this [page](https://www.au10tix.com/solutions/microsoft-azure-active-directory-verifiable-credentials-program/). + - To create a AU10TIX account, submit the form on this [page](https://www.au10tix.com/solutions/verifiable-credentials/). >[!IMPORTANT] |
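Review bot: the rewritten `+` line still reads 'To create a AU10TIX account'; it should be 'an AU10TIX account'. In the rewritten intro, 'ID documents + biometrics' uses a plus sign in running prose, where 'ID documents and biometrics' is clearer, and the new link to /solutions/verifiable-credentials/ should be checked once more before merge since the old partner-program URL was removed rather than redirected.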
active-directory | Idemia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/idemia.md | + + Title: Configure Verified ID by IDEMIA as your identity verification partner +description: This article shows you the steps you need to follow to configure IDEMIA as your identity verification partner ++++++ Last updated : 10/12/2023++# Customer intent: As a developer, I'm looking for information about the open standards that are supported by Microsoft Entra Verified ID. +++# Configure Verified ID by IDEMIA as your identity verification partner ++In this article, we cover the steps needed to integrate Microsoft Entra Verified ID (Verified ID) with [IDEMIA](https://www.idemia.com/). ++## Prerequisites ++Before you can continue with the steps below you need to meet the following requirements: ++- A tenant configured with Verified ID. + - If you don't have an existing tenant, you can create an Azure account for free. +- You need to have completed the onboarding process with IDEMIA. + - Register on the IDEMIA Experience Portal where you can create your own Microsoft verifiable credential application with a few steps low code integration. ++>[!IMPORTANT] +>Before you can proceed, you must have already received a URL from IDEMIA. If you have not yet received it, follow up with IDEMIA before you try the steps documented below. +++## Scenario description ++Verified ID users can have their identity verified using IDEMIA's identity document capture and verification. +The Identity proofing process is completed using biometric and document capture via the users' smartphones. Once a user submits their data, biometric and document data is extracted and verified against one another, or against an authoritative data source such as a national identity database or a trusted system of record. Counter-fraud and high-risk profile verification could also be performed for additional assurance. 
++The result is a trusted user identity that gives service providers the assurance they need to proceed with customer onboarding. +++After verification, users are issued a reusable identity credential, which expedites the onboarding process for employees, partners, and customersΓÇï. +++## Configure IDEMIA as your identity verification proofing solution ++To configure IDEMIA as your identity verification proofing solution, follow these steps: ++1. Go to Quickstart in the Azure portal and select **Verified ID**. +2. Choose select issuer. +3. Look for IDEMIA in the search/select issuers drop down. +4. Select VerifiedCredentialExpert as the credential type. +5. Select **Add** and then select review. +6. Download the request body and copy/paste the POST API request URL ++## Developer steps ++As a developer you now have the request URL and body from your tenant admin, follow these steps to update your application or website: ++1. Add the request URL and body to your application or website to request Verified IDs from your users. + >[!IMPORTANT] + >If you are using one of the sample apps, you'll need to replace the contents of the presentation_request_config.json with the request body obtained in Part 1. The sample code overwrites the trustedIssuers values with IssuerAuthority value from ```appsettings.json```. Copy the trustedIssuers value from the payload to IssuerAuthority in ```appsettings.json``` file. +2. Replace the **URL** and **api key** values with your own values. +3. [Grant permissions](verifiable-credentials-configure-tenant.md#grant-permissions-to-get-access-tokens) to your app so it can obtain an access token for the Verified ID service request service principal. ++## Test the user flow ++User flow is specific to your application or website. However, if you are using one of the sample apps follow the steps outlined as part of the sample app's documentation. 
++## Next steps ++- [Verifiable credentials admin API](admin-api.md) +- [Request Service REST API issuance specification](issuance-request-api.md) |
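Review bot: the `# Customer intent` comment says the reader is 'looking for information about the open standards that are supported by Microsoft Entra Verified ID', which does not describe this article (configuring IDEMIA as an identity verification partner) and looks copied from another page; replace it with an intent about integrating an identity verification partner. The IMPORTANT note under Developer steps refers to 'the request body obtained in Part 1', but this article has no Part 1; point it at the 'Configure IDEMIA as your identity verification proofing solution' section instead. Also, 'customersΓÇï' at the end of the 'After verification' sentence carries a stray invisible character after 'customers' that should be deleted, and the Prerequisites entries lack the links ('configured', 'create an Azure account for free') that the equivalent AU10TIX article in this same change carries.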
ai-services | Encrypt Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/encrypt-data-at-rest.md | By default, your subscription uses Microsoft-managed encryption keys. There is a There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. -You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). +You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). ### Customer-managed keys for Language Understanding To learn how to use customer-managed keys with Azure Key Vault for Azure AI serv - [Configure customer-managed keys with Key Vault for Azure AI services encryption from the Azure portal](../Encryption/cognitive-services-encryption-keys-portal.md) -Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. 
After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md). +Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md). > [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. 
If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ### Store customer-managed keys in Azure Key Vault |
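Review bot: the renamed bold reference 'Transferring a subscription between Microsoft Entra directories' still links to the fragment `#transferring-a-subscription-between-azure-ad-directories`; confirm that known-issues.md kept that anchor (or an explicit `<a name=...>` for it) after its own rename, otherwise the deep link lands at the top of the page. In unchanged context, 'Any features depended on this data will stop working' should read 'dependent on'.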
ai-services | Luis How To Collaborate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/luis-how-to-collaborate.md | After you have been added as a contributor, [sign in to the LUIS portal](how-to/ ### Users with multiple emails -If you add contributors to a LUIS app, you are specifying the exact email address. While Azure Active Directory (Azure AD) allows a single user to have more than one email account used interchangeably, LUIS requires the user to sign in with the email address specified when adding the contributor. +If you add contributors to a LUIS app, you are specifying the exact email address. While Microsoft Entra ID allows a single user to have more than one email account used interchangeably, LUIS requires the user to sign in with the email address specified when adding the contributor. <a name="owner-and-collaborators"></a> -### Azure Active Directory resources +<a name='azure-active-directory-resources'></a> -If you use [Azure Active Directory](../../active-directory/index.yml) (Azure AD) in your organization, Language Understanding (LUIS) needs permission to the information about your users' access when they want to use LUIS. The resources that LUIS requires are minimal. +### Microsoft Entra resources ++If you use [Microsoft Entra ID](../../active-directory/index.yml) (Microsoft Entra ID) in your organization, Language Understanding (LUIS) needs permission to the information about your users' access when they want to use LUIS. The resources that LUIS requires are minimal. You see the detailed description when you attempt to sign up with an account that has admin consent or does not require admin consent, such as administrator consent: You see the detailed description when you attempt to sign up with an account tha * Allows the app to see and update your data, even when you are not currently using the app. The permission is required to refresh the access token of the user. 
-### Azure Active Directory tenant user +<a name='azure-active-directory-tenant-user'></a> ++### Microsoft Entra tenant user -LUIS uses standard Azure Active Directory (Azure AD) consent flow. +LUIS uses standard Microsoft Entra consent flow. -The tenant admin should work directly with the user who needs access granted to use LUIS in the Azure AD. +The tenant admin should work directly with the user who needs access granted to use LUIS in the Microsoft Entra ID. * First, the user signs into LUIS, and sees the pop-up dialog needing admin approval. The user contacts the tenant admin before continuing. * Second, the tenant admin signs into LUIS, and sees a consent flow pop-up dialog. This is the dialog the admin needs to give permission for the user. Once the admin accepts the permission, the user is able to continue with LUIS. If the tenant admin will not sign in to LUIS, the admin can access [consent](https://account.activedirectory.windowsazure.com/r#/applications) for LUIS. On this page you can filter the list to items that include the name `LUIS`. If the tenant admin only wants certain users to use LUIS, there are a couple of possible solutions:-* Giving the "admin consent" (consent to all users of the Azure AD), but then set to "Yes" the "User assignment required" under Enterprise Application Properties, and finally assign/add only the wanted users to the Application. With this method, the Administrator is still providing "admin consent" to the App, however, it's possible to control the users that can access it. -* A second solution, is by using the [Azure AD identity and access management API in Microsoft Graph](/graph/azuread-identity-access-management-concept-overview) to provide consent to each specific user. +* Giving the "admin consent" (consent to all users of the Microsoft Entra ID), but then set to "Yes" the "User assignment required" under Enterprise Application Properties, and finally assign/add only the wanted users to the Application. 
With this method, the Administrator is still providing "admin consent" to the App, however, it's possible to control the users that can access it. +* A second solution, is by using the [Microsoft Entra identity and access management API in Microsoft Graph](/graph/azuread-identity-access-management-concept-overview) to provide consent to each specific user. -Learn more about Azure active directory users and consent: +Learn more about Microsoft Entra users and consent: * [Restrict your app](../../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md) to a set of users ## Next steps |
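Review bot: the `+` line 'If you use [Microsoft Entra ID](../../active-directory/index.yml) (Microsoft Entra ID) in your organization' repeats the product name in the parenthetical that used to hold '(Azure AD)'; drop the parenthetical. Two other rename leftovers read awkwardly: 'needs access granted to use LUIS in the Microsoft Entra ID' and 'consent to all users of the Microsoft Entra ID' should either drop 'the' or say 'the Microsoft Entra tenant'.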
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/role-based-access-control.md | -## Enable Azure Active Directory authentication +<a name='enable-azure-active-directory-authentication'></a> -To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources). +## Enable Microsoft Entra authentication ++To use Azure RBAC, you must enable Microsoft Entra authentication. You can [create a new resource with a custom subdomain](../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources). ## Add role assignment to Language Understanding Authoring resource These custom roles only apply to authoring (Language Understanding Authoring) an > [!NOTE] > * *Owner* and *Contributor* roles take priority over the custom LUIS roles.-> * Azure Active Directory (Azure AAD) is only used with custom LUIS roles. +> * Microsoft Entra ID (Azure Microsoft Entra ID) is only used with custom LUIS roles. > * If you are assigned as a *Contributor* on Azure, your role will be shown as *Owner* in LUIS portal. |
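Review bot: the note line `> * Microsoft Entra ID (Azure Microsoft Entra ID) is only used with custom LUIS roles.` is a mechanical replacement of '(Azure AAD)' that produced a meaningless parenthetical; drop it and write 'Microsoft Entra ID is only used with custom LUIS roles.'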
ai-services | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/authentication.md | Each request to an Azure AI service must include an authentication header. This * Authenticate with a [single-service](#authenticate-with-a-single-service-resource-key) or [multi-service](#authenticate-with-a-multi-service-resource-key) resource key * Authenticate with a [token](#authenticate-with-an-access-token)-* Authenticate with [Azure Active Directory (AAD)](#authenticate-with-azure-active-directory) +* Authenticate with [Microsoft Entra ID](#authenticate-with-azure-active-directory) ## Prerequisites curl -X POST 'https://api.cognitive.microsofttranslator.com/translate?api-versio --data-raw '[{ "text": "How much for the cup of coffee?" }]' | json_pp ``` -## Authenticate with Azure Active Directory +<a name='authenticate-with-azure-active-directory'></a> ++## Authenticate with Microsoft Entra ID > [!IMPORTANT]-> Azure AD authentication always needs to be used together with custom subdomain name of your Azure resource. [Regional endpoints](./cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) do not support Azure AD authentication. +> Microsoft Entra authentication always needs to be used together with custom subdomain name of your Azure resource. [Regional endpoints](./cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) do not support Microsoft Entra authentication. -In the previous sections, we showed you how to authenticate against Azure AI services using a single-service or multi-service subscription key. While these keys provide a quick and easy path to start development, they fall short in more complex scenarios that require Azure [role-based access control (Azure RBAC)](../../articles/role-based-access-control/overview.md). Let's take a look at what's required to authenticate using Azure Active Directory (Azure AD). 
+In the previous sections, we showed you how to authenticate against Azure AI services using a single-service or multi-service subscription key. While these keys provide a quick and easy path to start development, they fall short in more complex scenarios that require Azure [role-based access control (Azure RBAC)](../../articles/role-based-access-control/overview.md). Let's take a look at what's required to authenticate using Microsoft Entra ID. In the following sections, you'll use either the Azure Cloud Shell environment or the Azure CLI to create a subdomain, assign roles, and obtain a bearer token to call the Azure AI services. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI. > [!IMPORTANT]-> If your organization is doing authentication through Azure AD, you should [disable local authentication](./disable-local-auth.md) (authentication with keys) so that users in the organization must always use Azure AD. +> If your organization is doing authentication through Microsoft Entra ID, you should [disable local authentication](./disable-local-auth.md) (authentication with keys) so that users in the organization must always use Microsoft Entra ID. ### Create a resource with a custom subdomain Now that you have a custom subdomain associated with your resource, you're going > [!NOTE] > Keep in mind that Azure role assignments may take up to five minutes to propagate. -1. First, let's register an [Azure AD application](/powershell/module/Az.Resources/New-AzADApplication). +1. First, let's register an [Microsoft Entra application](/powershell/module/Az.Resources/New-AzADApplication). ```powershell-interactive $SecureStringPassword = ConvertTo-SecureString -String <YOUR_PASSWORD> -AsPlainText -Force Now that you have a custom subdomain associated with your resource, you're going You're going to need the **ApplicationId** in the next step. -2. 
Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Azure AD application. +2. Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Microsoft Entra application. ```powershell-interactive New-AzADServicePrincipal -ApplicationId <APPLICATION_ID> In this sample, a password is used to authenticate the service principal. The to $result | ConvertTo-Json ``` -Alternatively, the service principal can be authenticated with a certificate. Besides service principal, user principal is also supported by having permissions delegated through another Azure AD application. In this case, instead of passwords or certificates, users would be prompted for two-factor authentication when acquiring token. +Alternatively, the service principal can be authenticated with a certificate. Besides service principal, user principal is also supported by having permissions delegated through another Microsoft Entra application. In this case, instead of passwords or certificates, users would be prompted for two-factor authentication when acquiring token. ## Authorize access to managed identities -Azure AI services support Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../../articles/active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. +Azure AI services support Microsoft Entra authentication with [managed identities for Azure resources](../../articles/active-directory/managed-identities-azure-resources/overview.md). 
Managed identities for Azure resources can authorize access to Azure AI services resources using Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. ### Enable managed identities on a VM For more information about managed identities, see [Managed identities for Azure You can [use Azure Key Vault](./use-key-vault.md) to securely develop Azure AI services applications. Key Vault enables you to store your authentication credentials in the cloud, and reduces the chances that secrets may be accidentally leaked, because you won't store security information in your application. -Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault. +Authentication is done via Microsoft Entra ID. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault. ## See also |
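Review bot: the article in step 1 no longer agrees with the renamed noun, `1. First, let's register an [Microsoft Entra application]` should read `a [Microsoft Entra application]`. The rest of the row's renames read correctly, and the unchanged `#authenticate-with-azure-active-directory` link fragments still resolve because the change adds `<a name='authenticate-with-azure-active-directory'></a>` just above the renamed heading.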
ai-services | Cognitive Services Custom Subdomains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-custom-subdomains.md | -Azure AI services use custom subdomain names for each resource created through the [Azure portal](https://portal.azure.com), [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/), or [Azure CLI](/cli/azure/install-azure-cli). Unlike regional endpoints, which were common for all customers in a specific Azure region, custom subdomain names are unique to the resource. Custom subdomain names are required to enable features like Azure Active Directory (Azure AD) for authentication. +Azure AI services use custom subdomain names for each resource created through the [Azure portal](https://portal.azure.com), [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/), or [Azure CLI](/cli/azure/install-azure-cli). Unlike regional endpoints, which were common for all customers in a specific Azure region, custom subdomain names are unique to the resource. Custom subdomain names are required to enable features like Microsoft Entra ID for authentication. ## How does this impact existing resources? Azure AI services resources created before July 1, 2019 will use the regional endpoints for the associated service. These endpoints will work with existing and new resources. -If you'd like to migrate an existing resource to leverage custom subdomain names, so that you can enable features like Azure AD, follow these instructions: +If you'd like to migrate an existing resource to leverage custom subdomain names, so that you can enable features like Microsoft Entra ID, follow these instructions: 1. Sign in to the Azure portal and locate the Azure AI services resource that you'd like to add a custom subdomain name to. 2. In the **Overview** blade, locate and select **Generate Custom Domain Name**. |
ai-services | Cognitive Services Virtual Networks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-virtual-networks.md | -An application that accesses an Azure AI services resource when network rules are in effect requires authorization. Authorization is supported with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) credentials or with a valid API key. +An application that accesses an Azure AI services resource when network rules are in effect requires authorization. Authorization is supported with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) credentials or with a valid API key. > [!IMPORTANT] > Turning on firewall rules for your Azure AI services account blocks incoming requests for data by default. To allow requests through, one of the following conditions needs to be met: You can manage default network access rules for Azure AI services resources thro ## Grant access from a virtual network -You can configure Azure AI services resources to allow access from specific subnets only. The allowed subnets might belong to a virtual network in the same subscription or in a different subscription. The other subscription can belong to a different Azure AD tenant. +You can configure Azure AI services resources to allow access from specific subnets only. The allowed subnets might belong to a virtual network in the same subscription or in a different subscription. The other subscription can belong to a different Microsoft Entra tenant. Enable a *service endpoint* for Azure AI services within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure AI services service. For more information, see [Virtual Network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). 
Each Azure AI services resource supports up to 100 virtual network rules, which To apply a virtual network rule to an Azure AI services resource, you need the appropriate permissions for the subnets to add. The required permission is the default *Contributor* role or the *Cognitive Services Contributor* role. Required permissions can also be added to custom role definitions. -The Azure AI services resource and the virtual networks that are granted access might be in different subscriptions, including subscriptions that are part of a different Azure AD tenant. +The Azure AI services resource and the virtual networks that are granted access might be in different subscriptions, including subscriptions that are part of a different Microsoft Entra tenant. > [!NOTE]-> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure AD tenant are currently supported only through PowerShell, the Azure CLI, and the REST APIs. You can view these rules in the Azure portal, but you can't configure them. +> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently supported only through PowerShell, the Azure CLI, and the REST APIs. You can view these rules in the Azure portal, but you can't configure them. ### Configure virtual network rules To grant access to a virtual network with an existing network rule: > [!NOTE] > If a service endpoint for Azure AI services wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation. >- > Currently, only virtual networks that belong to the same Azure AD tenant are available for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or the REST APIs. 
+ > Currently, only virtual networks that belong to the same Microsoft Entra tenant are available for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or the REST APIs. 1. Select **Save** to apply your changes. To remove a virtual network or subnet rule: ``` > [!TIP]- > To add a network rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully-qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. + > To add a network rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully-qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. 1. Remove a network rule for a virtual network and subnet. To remove a virtual network or subnet rule: ``` > [!TIP]- > To add a rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully-qualified subnet ID in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. + > To add a rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully-qualified subnet ID in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. > - > You can use the `--subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Azure AD tenant. + > You can use the `--subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Microsoft Entra tenant. 1. 
Remove a network rule for a virtual network and subnet. |
ai-services | Spatial Analysis Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-web-app.md | Wait for setup to complete, and navigate to your resource in the Azure portal. G * `IotHubConnectionString` ΓÇô The connection string to your Azure IoT Hub, this can be retrieved from the keys section of your Azure IoT Hub resource ![Configure Parameters](./media/spatial-analysis/solution-app-config-page.png) -Once these 2 settings are added, select **Save**. Then select **Authentication/Authorization** in the left navigation menu, and update it with the desired level of authentication. We recommend Azure Active Directory (Azure AD) express. +Once these 2 settings are added, select **Save**. Then select **Authentication/Authorization** in the left navigation menu, and update it with the desired level of authentication. We recommend Microsoft Entra ID express. ### Test the app |
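Review bot: `We recommend Microsoft Entra ID express.` renames what the original line used as a portal option label (`Azure Active Directory (Azure AD) express` under **Authentication/Authorization**); confirm the App Service blade actually shows the new wording before changing a UI label in the docs, otherwise readers will look for an option that does not exist under that name.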
ai-services | Video Moderation Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/video-moderation-api.md | The Content Moderator's video moderation capability is available as a free publi Follow the instructions in [Create an Azure Media Services account](/azure/media-services/previous/media-services-portal-create-account) to subscribe to AMS and create an associated Azure storage account. In that storage account, create a new Blob storage container. -### Create an Azure Active Directory application +<a name='create-an-azure-active-directory-application'></a> ++### Create a Microsoft Entra application Navigate to your new AMS subscription in the Azure portal and select **API access** from the side menu. Select **Connect to Azure Media Services with service principal**. Note the value in the **REST API endpoint** field; you will need this later. -In the **Azure AD app** section, select **Create New** and name your new Azure AD application registration (for example, "VideoModADApp"). Select **Save** and wait a few minutes while the application is configured. Then, you should see your new app registration under the **Azure AD app** section of the page. +In the **Microsoft Entra app** section, select **Create New** and name your new Microsoft Entra application registration (for example, "VideoModADApp"). Select **Save** and wait a few minutes while the application is configured. Then, you should see your new app registration under the **Microsoft Entra app** section of the page. Select your app registration and click the **Manage application** button below it. Note the value in the **Application ID** field; you will need this later. Select **Settings** > **Keys**, and enter a description for a new key (such as "VideoModKey"). Select **Save**, and then notice the new key value. Copy this string and save it somewhere secure. 
-For a more thorough walkthrough of the above process, See [Get started with Azure AD authentication](/azure/media-services/previous/media-services-portal-get-started-with-aad). +For a more thorough walkthrough of the above process, See [Get started with Microsoft Entra authentication](/azure/media-services/previous/media-services-portal-get-started-with-aad). Once you've done this, you can use the video moderation media processor in two different ways. using System.Collections.Generic; ### Set up resource references -Add the following static fields to the **Program** class in _Program.cs_. These fields hold the information necessary for connecting to your AMS subscription. Fill them in with the values you got in the steps above. Note that `CLIENT_ID` is the **Application ID** value of your Azure AD app, and `CLIENT_SECRET` is the value of the "VideoModKey" that you created for that app. +Add the following static fields to the **Program** class in _Program.cs_. These fields hold the information necessary for connecting to your AMS subscription. Fill them in with the values you got in the steps above. Note that `CLIENT_ID` is the **Application ID** value of your Microsoft Entra app, and `CLIENT_SECRET` is the value of the "VideoModKey" that you created for that app. ```csharp // declare constants and globals |
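Review bot: the bolded `**Microsoft Entra app**` is a UI element name in the (previous) Azure Media Services portal page, not prose; the hunk renames it twice without evidence that the portal label changed, so verify the label or keep the UI text as displayed and rename only the surrounding prose. Separately, `For a more thorough walkthrough of the above process, See` has a capitalised `See` mid-sentence that is worth fixing while the line is being touched.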
ai-services | Encrypt Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/how-to/encrypt-data-at-rest.md | By default, your subscription uses Microsoft-managed encryption keys. There's al Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. -You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](/azure/key-vault/general/overview). +You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](/azure/key-vault/general/overview). To enable customer-managed keys, you must also enable both the **Soft Delete** and **Do Not Purge** properties on the key vault. When you disable customer-managed keys, your Azure AI services resource is then 1. Go to your Azure AI services resource, and then select **Encryption**. 2. Select **Microsoft Managed Keys** > **Save**. -When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. 
After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](/azure/active-directory/managed-identities-azure-resources/overview). +When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](/azure/active-directory/managed-identities-azure-resources/overview). > [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories). +> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. 
If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories). ## Next steps * [Content Safety overview](../overview.md) |
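Review bot: the heading reference `**Transferring a subscription between Microsoft Entra directories**` was renamed but the link fragment `#transferring-a-subscription-between-azure-ad-directories` was not; that is fine only if the target page kept its old heading or added an alias anchor, so check the target before merging, otherwise the bold text and the anchor will disagree and the deep link may break.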
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/overview.md | The maximum size for image submissions is 4 MB, and image dimensions must be bet ## Security -### Use Azure Active Directory or Managed Identity to manage access +<a name='use-azure-active-directory-or-managed-identity-to-manage-access'></a> -For enhanced security, you can use Azure Active Directory (Azure AD) or Managed Identity (MI) to manage access to your resources. +### Use Microsoft Entra ID or Managed Identity to manage access ++For enhanced security, you can use Microsoft Entra ID or Managed Identity (MI) to manage access to your resources. * Managed Identity is automatically enabled when you create a Content Safety resource.-* Azure Active Directory is supported in both API and SDK scenarios. Refer to the general AI services guideline of [Authenticating with Azure Active Directory](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory). You can also grant access to other users within your organization by assigning them the roles of **Cognitive Services Users** and **Reader**. To learn more about granting user access to Azure resources using the Azure portal, refer to the [Role-based access control guide](/azure/role-based-access-control/quickstart-assign-role-user-portal). +* Microsoft Entra ID is supported in both API and SDK scenarios. Refer to the general AI services guideline of [Authenticating with Microsoft Entra ID](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory). You can also grant access to other users within your organization by assigning them the roles of **Cognitive Services Users** and **Reader**. To learn more about granting user access to Azure resources using the Azure portal, refer to the [Role-based access control guide](/azure/role-based-access-control/quickstart-assign-role-user-portal). ### Encryption of data at rest |
ai-services | Disable Local Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/disable-local-auth.md | -Azure AI Services provides Azure Active Directory (Azure AD) authentication support for all resources. This gives organizations control to disable local authentication methods and enforce Azure AD authentication. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials. +Azure AI Services provides Microsoft Entra authentication support for all resources. This gives organizations control to disable local authentication methods and enforce Microsoft Entra authentication. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials. You can disable local authentication using the Azure policy [Cognitive Services accounts should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc). You can set it at the subscription level or resource group level to enforce the policy for a group of services. You can use PowerShell to determine whether the local authentication policy is c To enable local authentication, execute the PowerShell cmdlet **[Set-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/set-azcognitiveservicesaccount)** with the parameter `-DisableLocalAuth false`.  Allow a few minutes for the service to accept the change to allow local authentication requests. ## Next steps-- [Authenticate requests to Azure AI services](./authentication.md)+- [Authenticate requests to Azure AI services](./authentication.md) |
ai-services | Create Sas Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/create-sas-tokens.md | monikerRange: '<=doc-intel-3.1.0' [!INCLUDE [applies to v3.1, v3.0, v2.1](includes/applies-to-v3-1-v3-0-v2-1.md)] - In this article, learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account. + In this article, learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Microsoft Entra credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account. :::image type="content" source="media/sas-tokens/sas-url-token.png" alt-text="Screenshot of storage URI with SAS token appended."::: The Azure portal is a web-based console that enables you to manage your Azure su * Consider setting a longer duration period for the time you're using your storage account for Document Intelligence Service operations. * The value of the expiry time is determined by whether you're using an **Account key** or **User delegation key** **Signing method**: * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).- * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. 
For more information,*see* [Use Azure AD credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas). + * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Microsoft Entra credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas). 1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. For more information,*see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range). |
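Review bot: same anchor concern as elsewhere in this batch, the link text becomes `Use Microsoft Entra credentials to secure a SAS` while the fragment stays `#use-azure-ad-credentials-to-secure-a-sas`; confirm the target heading still resolves. The line also carries a pre-existing `information,*see*` with a missing space before `*see*`, which is worth fixing in the same change.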
ai-services | Deploy Label Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/deploy-label-tool.md | az container create \ ``` -### Connect to Azure AD for authorization +<a name='connect-to-azure-ad-for-authorization'></a> -It's recommended that you connect your web app to Azure Active Directory (Azure AD). This connection ensures that only users with valid credentials can sign in and use your web app. Follow the instructions in [Configure your App Service app](../../app-service/configure-authentication-provider-aad.md) to connect to Azure Active Directory. +### Connect to Microsoft Entra ID for authorization ++It's recommended that you connect your web app to Microsoft Entra ID. This connection ensures that only users with valid credentials can sign in and use your web app. Follow the instructions in [Configure your App Service app](../../app-service/configure-authentication-provider-aad.md) to connect to Microsoft Entra ID. ## Open source on GitHub |
ai-services | Label Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/label-tool.md | You need an Azure subscription ([create one for free](https://azure.microsoft.co > [!NOTE] >-> If your storage data is behind a VNet or firewall, you must deploy the **Document Intelligence Sample Labeling tool** behind your VNet or firewall and grant access by creating a [system-assigned managed identity](managed-identities.md "Azure managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources"). +> If your storage data is behind a VNet or firewall, you must deploy the **Document Intelligence Sample Labeling tool** behind your VNet or firewall and grant access by creating a [system-assigned managed identity](managed-identities.md "Azure managed identity is a service principal that creates a Microsoft Entra identity and specific permissions for Azure managed resources"). You use the Docker engine to run the Sample Labeling tool. Follow these steps to set up the Docker container. For a primer on Docker and container basics, see the [Docker overview](https://docs.docker.com/engine/docker-overview/). |
ai-services | Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/managed-identities.md | monikerRange: '<=doc-intel-3.1.0' [!INCLUDE [applies to v3.1, v3.0, v2.1](includes/applies-to-v3-1-v3-0-v2-1.md)] -Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources: +Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources: :::image type="content" source="media/managed-identities/rbac-flow.png" alt-text="Screenshot of managed identity flow (RBAC)."::: -* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. Unlike security keys and authentication tokens, managed identities eliminate the need for developers to manage credentials. +* You can use managed identities to grant access to any resource that supports Microsoft Entra authentication, including your own applications. Unlike security keys and authentication tokens, managed identities eliminate the need for developers to manage credentials. * To grant access to an Azure resource, assign an Azure role to a managed identity using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). |
ai-services | Try Document Intelligence Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/try-document-intelligence-studio.md | monikerRange: '>=doc-intel-3.0.0' * A [**Document Intelligence**](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [**multi-service**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource. > [!TIP]-> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md). +> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md). ## Models |
ai-services | Try Sample Label Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/try-sample-label-tool.md | You'll need the following to get started: * An Azure AI services or Document Intelligence resource. Once you have your Azure subscription, create a [single-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer), or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) Document Intelligence resource in the Azure portal to get your key and endpoint. You can use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production. > [!TIP]- > Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md). + > Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md). ## Create a Document Intelligence resource |
ai-services | Sdk Overview V3 0 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/sdk-overview-v3-0.md | There are two supported methods for authentication * Use a [Document Intelligence API key](#use-your-api-key) with AzureKeyCredential from azure.core.credentials. -* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). +* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md). #### Use your API key async function main() { -#### Use an Azure Active Directory (Azure AD) token credential +<a name='use-an-azure-active-directory-azure-ad-token-credential'></a> ++#### Use a Microsoft Entra token credential > [!NOTE]-> Regional endpoints do not support AAD authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication. +> Regional endpoints do not support Microsoft Entra authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication. Authorization is easiest using the `DefaultAzureCredential`. It provides a default token credential, based upon the running environment, capable of handling most Azure authentication scenarios. Here's how to acquire and use the [DefaultAzureCredential](/dotnet/api/azure.ide Install-Package Azure.Identity ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. 
[Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret in the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. Set the values of the client ID, tenant ID, and client secret in the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**: Here's how to acquire and use the [DefaultAzureCredential](/java/api/com.azure.i </dependency> ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. 
Create your **`DocumentAnalysisClient`** instance and **`TokenCredential`** variable: Here's how to acquire and use the [DefaultAzureCredential](/javascript/api/@azur npm install @azure/identity ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**: Here's how to acquire and use the [DefaultAzureCredential](/python/api/azure-ide pip install azure-identity ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. 
Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**: |
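Review bot: the bullet `Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential)` still links to the old heading slug; the added `<a name='use-an-azure-active-directory-azure-ad-token-credential'></a>` keeps that in-page link and any external bookmarks working, but the bullet itself could point at the new `#### Use a Microsoft Entra token credential` heading so the legacy anchor only has to serve inbound links. A second, smaller point in the same block: the .NET step reads `client secret in the Microsoft Entra application` while the Java, JavaScript and Python steps read `client secret of the Microsoft Entra application`; pick one wording across the four tabs. The note that regional endpoints do not support this authentication and that a custom subdomain is required is unchanged in substance by the rename, which is what a terminology-only commit should do.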
ai-services | Sdk Overview V3 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/sdk-overview-v3-1.md | There are two supported methods for authentication * Use a [Document Intelligence API key](#use-your-api-key) with AzureKeyCredential from azure.core.credentials. -* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). +* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md). #### Use your API key async function main() { -#### Use an Azure Active Directory (Azure AD) token credential +<a name='use-an-azure-active-directory-azure-ad-token-credential'></a> ++#### Use a Microsoft Entra token credential > [!NOTE]-> Regional endpoints do not support AAD authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication. +> Regional endpoints do not support Microsoft Entra authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication. Authorization is easiest using the `DefaultAzureCredential`. It provides a default token credential, based upon the running environment, capable of handling most Azure authentication scenarios. Here's how to acquire and use the [DefaultAzureCredential](/dotnet/api/azure.ide Install-Package Azure.Identity ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. 
[Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret in the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. Set the values of the client ID, tenant ID, and client secret in the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**: Here's how to acquire and use the [DefaultAzureCredential](/java/api/com.azure.i </dependency> ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. 
Create your **`DocumentAnalysisClient`** instance and **`TokenCredential`** variable: Here's how to acquire and use the [DefaultAzureCredential](/javascript/api/@azur npm install @azure/identity ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**: Here's how to acquire and use the [DefaultAzureCredential](/python/api/azure-ide pip install azure-identity ``` -1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). +1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal). 1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal. -1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. +1. 
Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively. 1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**: |
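Review bot: this change is line-for-line the same as the one in `sdk-overview-v3-0.md` above (same four tabs, same legacy `<a name=...>` anchor kept in front of the renamed heading, same `in`/`of` wording mismatch between the .NET step and the other three), so the same comments apply here. If the two articles are meant to stay in sync, moving this authentication section into a shared `[!INCLUDE]` file, as the managed-identities article in this change set already does for its applies-to banner, would have made this a one-file edit and removes the risk of the v3.0 and v3.1 copies drifting apart on the next rename.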
ai-services | How To Create Immersive Reader | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-create-immersive-reader.md | Title: "Create an Immersive Reader Resource" -description: This article shows you how to create a new Immersive Reader resource with a custom subdomain and then configure Azure AD in your Azure tenant. +description: This article shows you how to create a new Immersive Reader resource with a custom subdomain and then configure Microsoft Entra ID in your Azure tenant. Last updated 03/31/2023 -# Create an Immersive Reader resource and configure Azure Active Directory authentication +# Create an Immersive Reader resource and configure Microsoft Entra authentication -In this article, we provide a script that creates an Immersive Reader resource and configure Azure Active Directory (Azure AD) authentication. Each time an Immersive Reader resource is created, whether with this script or in the portal, it must also be configured with Azure AD permissions. +In this article, we provide a script that creates an Immersive Reader resource and configure Microsoft Entra authentication. Each time an Immersive Reader resource is created, whether with this script or in the portal, it must also be configured with Microsoft Entra permissions. -The script is designed to create and configure all the necessary Immersive Reader and Azure AD resources for you all in one step. However, you can also just configure Azure AD authentication for an existing Immersive Reader resource, if for instance, you happen to have already created one in the Azure portal. +The script is designed to create and configure all the necessary Immersive Reader and Microsoft Entra resources for you all in one step. However, you can also just configure Microsoft Entra authentication for an existing Immersive Reader resource, if for instance, you happen to have already created one in the Azure portal. 
-For some customers, it may be necessary to create multiple Immersive Reader resources, for development vs. production, or perhaps for multiple different regions your service is deployed in. For those cases, you can come back and use the script multiple times to create different Immersive Reader resources and get them configured with the Azure AD permissions. +For some customers, it may be necessary to create multiple Immersive Reader resources, for development vs. production, or perhaps for multiple different regions your service is deployed in. For those cases, you can come back and use the script multiple times to create different Immersive Reader resources and get them configured with the Microsoft Entra permissions. -The script is designed to be flexible. It first looks for existing Immersive Reader and Azure AD resources in your subscription, and creates them only as necessary if they don't already exist. If it's your first time creating an Immersive Reader resource, the script does everything you need. If you want to use it just to configure Azure AD for an existing Immersive Reader resource that was created in the portal, it does that too. +The script is designed to be flexible. It first looks for existing Immersive Reader and Microsoft Entra resources in your subscription, and creates them only as necessary if they don't already exist. If it's your first time creating an Immersive Reader resource, the script does everything you need. If you want to use it just to configure Microsoft Entra ID for an existing Immersive Reader resource that was created in the portal, it does that too. It can also be used to create and configure multiple Immersive Reader resources. ## Permissions -The listed **Owner** of your Azure subscription has all the required permissions to create an Immersive Reader resource and configure Azure AD authentication. 
+The listed **Owner** of your Azure subscription has all the required permissions to create an Immersive Reader resource and configure Microsoft Entra authentication. If you aren't an owner, the following scope-specific permissions are required: If you aren't an owner, the following scope-specific permissions are required: :::image type="content" source="media/contributor-role.png" alt-text="Screenshot of contributor built-in role description."::: -* **Application Developer**. You need to have at least an Application Developer role associated in Azure AD: +* **Application Developer**. You need to have at least an Application Developer role associated in Microsoft Entra ID: :::image type="content" source="media/application-developer-role.png" alt-text="{alt-text}"::: -For more information, _see_ [Azure AD built-in roles](../../active-directory/roles/permissions-reference.md#application-developer) +For more information, _see_ [Microsoft Entra built-in roles](../../active-directory/roles/permissions-reference.md#application-developer) ## Set up PowerShell environment For more information, _see_ [Azure AD built-in roles](../../active-directory/rol | ResourceLocation |Options: `australiaeast`, `brazilsouth`, `canadacentral`, `centralindia`, `centralus`, `eastasia`, `eastus`, `eastus2`, `francecentral`, `germanywestcentral`, `japaneast`, `japanwest`, `jioindiawest`, `koreacentral`, `northcentralus`, `northeurope`, `norwayeast`, `southafricanorth`, `southcentralus`, `southeastasia`, `swedencentral`, `switzerlandnorth`, `switzerlandwest`, `uaenorth`, `uksouth`, `westcentralus`, `westeurope`, `westus`, `westus2`, `westus3`. This parameter is optional if the resource already exists. | | ResourceGroupName |Resources are created in resource groups within subscriptions. Supply the name of an existing resource group. If the resource group doesn't already exist, a new one with this name is created. 
| | ResourceGroupLocation |If your resource group doesn't exist, you need to supply a location in which to create the group. To find a list of locations, run `az account list-locations`. Use the *name* property (without spaces) of the returned result. This parameter is optional if your resource group already exists. |- | AADAppDisplayName |The Azure Active Directory application display name. If an existing Azure AD application isn't found, a new one with this name is created. This parameter is optional if the Azure AD application already exists. | - | AADAppIdentifierUri |The URI for the Azure AD application. If an existing Azure AD application isn't found, a new one with this URI is created. For example, `api://MyOrganizationImmersiveReaderAADApp`. Here we're using the default Azure AD URI scheme prefix of `api://` for compatibility with the [Azure AD policy of using verified domains](../../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). | - | AADAppClientSecretExpiration |The date or datetime after which your Azure AD Application Client Secret (password) will expire (for example, '2020-12-31T11:59:59+00:00' or '2020-12-31'). This function creates a client secret for you. To manage Azure AD application client secrets after you've created this resource, visit https://portal.azure.com and go to Home -> Azure Active Directory -> App Registrations -> (your app) `[AADAppDisplayName]` -> Certificates and Secrets section -> Client Secrets section (as shown in the "Manage your Azure AD application secrets" screenshot).| + | AADAppDisplayName |The Microsoft Entra application display name. If an existing Microsoft Entra application isn't found, a new one with this name is created. This parameter is optional if the Microsoft Entra application already exists. | + | AADAppIdentifierUri |The URI for the Microsoft Entra application. 
If an existing Microsoft Entra application isn't found, a new one with this URI is created. For example, `api://MyOrganizationImmersiveReaderAADApp`. Here we're using the default Microsoft Entra URI scheme prefix of `api://` for compatibility with the [Microsoft Entra policy of using verified domains](../../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). | + | AADAppClientSecretExpiration |The date or datetime after which your Microsoft Entra Application Client Secret (password) will expire (for example, '2020-12-31T11:59:59+00:00' or '2020-12-31'). This function creates a client secret for you. To manage Microsoft Entra application client secrets after you've created this resource, visit https://portal.azure.com and go to Home -> Microsoft Entra ID -> App Registrations -> (your app) `[AADAppDisplayName]` -> Certificates and Secrets section -> Client Secrets section (as shown in the "Manage your Microsoft Entra application secrets" screenshot).| - Manage your Azure AD application secrets + Manage your Microsoft Entra application secrets ![Azure portal Certificates and Secrets blade](./media/client-secrets-blade.png) |
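Review bot: subject-verb agreement in the renamed intro sentence: `we provide a script that creates an Immersive Reader resource and configure Microsoft Entra authentication` should read `configures`, since the script is the subject of both verbs; the defect predates this commit, but the line is being rewritten anyway. Two smaller points in the same change: the paragraph on the script's flexibility says `configure Microsoft Entra ID for an existing Immersive Reader resource` while every other sentence says `configure Microsoft Entra authentication`, and the `AADAppClientSecretExpiration` row still gives `'2020-12-31T11:59:59+00:00'` and `'2020-12-31'` as its examples, which are already in the past, so a reader who copies them gets a secret that expires immediately. Leaving the script parameter names (`AADAppDisplayName`, `AADAppIdentifierUri`, `AADAppClientSecretExpiration`) untouched is the right call, since renaming them would break existing invocations of `Create-ImmersiveReaderResource`.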
ai-services | How To Multiple Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-multiple-resources.md | If you don't have an Azure subscription, create a [free account](https://azure.m ## Create the Immersive Reader resources -Follow [these instructions](./how-to-create-immersive-reader.md) to create each Immersive Reader resource. The **Create-ImmersiveReaderResource** script has `ResourceName`, `ResourceSubdomain`, and `ResourceLocation` as parameters. These should be unique for each resource being created. The remaining parameters should be the same as what you used when setting up your first Immersive Reader resource. This way, each resource can be linked to the same Azure resource group and Azure AD application. +Follow [these instructions](./how-to-create-immersive-reader.md) to create each Immersive Reader resource. The **Create-ImmersiveReaderResource** script has `ResourceName`, `ResourceSubdomain`, and `ResourceLocation` as parameters. These should be unique for each resource being created. The remaining parameters should be the same as what you used when setting up your first Immersive Reader resource. This way, each resource can be linked to the same Azure resource group and Microsoft Entra application. The example below shows how to create two resources, one in WestUS, and another in EastUS. Notice the unique values for `ResourceName`, `ResourceSubdomain`, and `ResourceLocation`. Create-ImmersiveReaderResource ## Add resources to environment configuration -In the quickstart, you created an environment configuration file that contains the `TenantId`, `ClientId`, `ClientSecret`, and `Subdomain` parameters. Since all of your resources use the same Azure AD application, we can use the same values for the `TenantId`, `ClientId`, and `ClientSecret`. The only change that needs to be made is to list each subdomain for each resource. 
+In the quickstart, you created an environment configuration file that contains the `TenantId`, `ClientId`, `ClientSecret`, and `Subdomain` parameters. Since all of your resources use the same Microsoft Entra application, we can use the same values for the `TenantId`, `ClientId`, and `ClientSecret`. The only change that needs to be made is to list each subdomain for each resource. Your new __.env__ file should now look something like the following: Be sure not to commit this file into source control, as it contains secrets that Next, we're going to modify the _routes\index.js_ file that we created to support our multiple resources. Replace its content with the following code. -As before, this code creates an API endpoint that acquires an Azure AD authentication token using your service principal password. This time, it allows the user to specify a resource location and pass it in as a query parameter. It then returns an object containing the token and the corresponding subdomain. +As before, this code creates an API endpoint that acquires a Microsoft Entra authentication token using your service principal password. This time, it allows the user to specify a resource location and pass it in as a query parameter. It then returns an object containing the token and the corresponding subdomain. ```javascript var express = require('express'); |
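Review bot: the renamed sentence `acquires a Microsoft Entra authentication token using your service principal password` uses `password` for what the preceding paragraph and the `.env` file in this same article call `ClientSecret`; saying `client secret` here keeps the terminology consistent and matches the `AZURE_CLIENT_SECRET` wording used by the SDK articles in this change set. The reminder `Be sure not to commit this file into source control, as it contains secrets` is worth keeping right next to the `.env` example, since the article now has every resource sharing the one `ClientSecret` value, so a leak of that file exposes all of the listed subdomains at once.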
ai-services | Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/reference.md | launchAsync(token: string, subdomain: string, content: Content, options?: Option | Name | Type | Description | | - | - | |-| `token` | string | The Azure AD authentication token. For more information, see [How-To Create an Immersive Reader Resource](./how-to-create-immersive-reader.md). | +| `token` | string | The Microsoft Entra authentication token. For more information, see [How-To Create an Immersive Reader Resource](./how-to-create-immersive-reader.md). | | `subdomain` | string | The custom subdomain of your Immersive Reader resource in Azure. For more information, see [How-To Create an Immersive Reader Resource](./how-to-create-immersive-reader.md). | | `content` | [Content](#content) | An object containing the content to be shown in the Immersive Reader. | | `options` | [Options](#options) | Options for configuring certain behaviors of the Immersive Reader. Optional. | |
ai-services | Security How To Update Role Assignment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/security-how-to-update-role-assignment.md | Title: "Security Advisory: Update Role Assignment for Azure Active Directory authentication permissions" + Title: "Security Advisory: Update Role Assignment for Microsoft Entra authentication permissions" description: This article will show you how to update the role assignment on existing Immersive Reader resources due to a security bug discovered in November 2021 Last updated 01/06/2022 -# Security Advisory: Update Role Assignment for Azure Active Directory authentication permissions +# Security Advisory: Update Role Assignment for Microsoft Entra authentication permissions -A security bug has been discovered with Immersive Reader Azure Active Directory (Azure AD) authentication configuration. We are advising that you change the permissions on your Immersive Reader resources as described below. +A security bug has been discovered with Immersive Reader Microsoft Entra authentication configuration. We are advising that you change the permissions on your Immersive Reader resources as described below. ## Background -A security bug was discovered that relates to Azure AD authentication for Immersive Reader. When initially creating your Immersive Reader resources and configuring them for Azure AD authentication, it is necessary to grant permissions for the Azure AD application identity to access your Immersive Reader resource. This is known as a Role Assignment. The Azure role that was previously used for permissions was the [Cognitive Services User](../../role-based-access-control/built-in-roles.md#cognitive-services-user) role. +A security bug was discovered that relates to Microsoft Entra authentication for Immersive Reader. 
When initially creating your Immersive Reader resources and configuring them for Microsoft Entra authentication, it is necessary to grant permissions for the Microsoft Entra application identity to access your Immersive Reader resource. This is known as a Role Assignment. The Azure role that was previously used for permissions was the [Cognitive Services User](../../role-based-access-control/built-in-roles.md#cognitive-services-user) role. -During a security audit, it was discovered that this Cognitive Services User role has permissions to [List Keys](/rest/api/cognitiveservices/accountmanagement/accounts/list-keys). This is slightly concerning because Immersive Reader integrations involve the use of this Azure AD access token in client web apps and browsers, and if the access token were to be stolen by a bad actor or attacker, there is a concern that this access token could be used to `list keys` of your Immersive Reader resource. If an attacker could `list keys` for your resource, then they would obtain the `Subscription Key` for your resource. The `Subscription Key` for your resource is used as an authentication mechanism and is considered a secret. If an attacker had the resource's `Subscription Key`, it would allow them to make valid and authenticated API calls to your Immersive Reader resource endpoint, which could lead to Denial of Service due to the increased usage and throttling on your endpoint. It would also allow unauthorized use of your Immersive Reader resource, which would lead to increased charges on your bill. +During a security audit, it was discovered that this Cognitive Services User role has permissions to [List Keys](/rest/api/cognitiveservices/accountmanagement/accounts/list-keys). 
This is slightly concerning because Immersive Reader integrations involve the use of this Microsoft Entra access token in client web apps and browsers, and if the access token were to be stolen by a bad actor or attacker, there is a concern that this access token could be used to `list keys` of your Immersive Reader resource. If an attacker could `list keys` for your resource, then they would obtain the `Subscription Key` for your resource. The `Subscription Key` for your resource is used as an authentication mechanism and is considered a secret. If an attacker had the resource's `Subscription Key`, it would allow them to make valid and authenticated API calls to your Immersive Reader resource endpoint, which could lead to Denial of Service due to the increased usage and throttling on your endpoint. It would also allow unauthorized use of your Immersive Reader resource, which would lead to increased charges on your bill. -In practice however, this attack or exploit is not likely to occur or may not even be possible. For Immersive Reader scenarios, customers obtain Azure AD access tokens with an audience of `https://cognitiveservices.azure.com`. In order to successfully `list keys` for your resource, the Azure AD access token would need to have an audience of `https://management.azure.com`. Generally speaking, this is not too much of a concern, since the access tokens used for Immersive Reader scenarios would not work to `list keys`, as they do not have the required audience. In order to change the audience on the access token, an attacker would have to hijack the token acquisition code and change the audience before the call is made to Azure AD to acquire the token. Again, this is not likely to be exploited because, as an Immersive Reader authentication best practice, we advise that customers create Azure AD access tokens on the web application backend, not in the client or browser. 
In those cases, since the token acquisition happens on the backend service, it's not as likely or perhaps even possible that attacker could compromise that process and change the audience. +In practice however, this attack or exploit is not likely to occur or may not even be possible. For Immersive Reader scenarios, customers obtain Microsoft Entra access tokens with an audience of `https://cognitiveservices.azure.com`. In order to successfully `list keys` for your resource, the Microsoft Entra access token would need to have an audience of `https://management.azure.com`. Generally speaking, this is not too much of a concern, since the access tokens used for Immersive Reader scenarios would not work to `list keys`, as they do not have the required audience. In order to change the audience on the access token, an attacker would have to hijack the token acquisition code and change the audience before the call is made to Microsoft Entra ID to acquire the token. Again, this is not likely to be exploited because, as an Immersive Reader authentication best practice, we advise that customers create Microsoft Entra access tokens on the web application backend, not in the client or browser. In those cases, since the token acquisition happens on the backend service, it's not as likely or perhaps even possible that attacker could compromise that process and change the audience. -The real concern comes when or if any customer were to acquire tokens from Azure AD directly in client code. We strongly advise against this, but since customers are free to implement as they see fit, it is possible that some customers are doing this. +The real concern comes when or if any customer were to acquire tokens from Microsoft Entra ID directly in client code. We strongly advise against this, but since customers are free to implement as they see fit, it is possible that some customers are doing this. 
-To mitigate the concerns about any possibility of using the Azure AD access token to `list keys`, we have created a new built-in Azure role called `Cognitive Services Immersive Reader User` that does not have the permissions to `list keys`. This new role is not a shared role for the Azure AI services platform like `Cognitive Services User` role is. This new role is specific to Immersive Reader and will only allow calls to Immersive Reader APIs. +To mitigate the concerns about any possibility of using the Microsoft Entra access token to `list keys`, we have created a new built-in Azure role called `Cognitive Services Immersive Reader User` that does not have the permissions to `list keys`. This new role is not a shared role for the Azure AI services platform like `Cognitive Services User` role is. This new role is specific to Immersive Reader and will only allow calls to Immersive Reader APIs. We are advising that ALL customers migrate to using the new `Cognitive Services Immersive Reader User` role instead of the original `Cognitive Services User` role. We have provided a script below that you can run on each of your resources to switch over the role assignment permissions. Any new Immersive Reader resources you create with our script at [How to: Create If you created and configured an Immersive Reader resource using the instructions at [How to: Create an Immersive Reader resource](./how-to-create-immersive-reader.md) prior to February 2022, it is advised that you perform the operation below to update the role assignment permissions on ALL of your Immersive Reader resources. The operation involves running a script to update the role assignment on a single resource. If you have multiple resources, run this script multiple times, once for each resource. -After you have updated the role using the script below, it is also advised that you rotate the subscription keys on your resource. 
This is in case your keys have been compromised by the exploit above, and somebody is actually using your resource with subscription key authentication without your consent. Rotating the keys will render the previous keys invalid and deny any further access. For customers using Azure AD authentication, which should be everyone per current Immersive Reader SDK implementation, rotating the keys will have no impact on the Immersive Reader service, since Azure AD access tokens are used for authentication, not the subscription key. Rotating the subscription keys is just another precaution. +After you have updated the role using the script below, it is also advised that you rotate the subscription keys on your resource. This is in case your keys have been compromised by the exploit above, and somebody is actually using your resource with subscription key authentication without your consent. Rotating the keys will render the previous keys invalid and deny any further access. For customers using Microsoft Entra authentication, which should be everyone per current Immersive Reader SDK implementation, rotating the keys will have no impact on the Immersive Reader service, since Microsoft Entra access tokens are used for authentication, not the subscription key. Rotating the subscription keys is just another precaution. You can rotate the subscription keys on the [Azure portal](https://portal.azure.com). Navigate to your resource and then to the `Keys and Endpoint` blade. At the top, there are buttons to `Regenerate Key1` and `Regenerate Key2`. |
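Review bot: The rewritten third paragraph still reads "not as likely or perhaps even possible that attacker could compromise that process"; since the rename already touches this line, add the missing article: "that an attacker could compromise that process and change the audience." The token audience URLs (`https://cognitiveservices.azure.com` and `https://management.azure.com`) are protocol values, and leaving them untouched by the Azure AD to Microsoft Entra rename is correct.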
ai-services | Tutorial Ios Picture Immersive Reader | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/tutorial-ios-picture-immersive-reader.md | If you don't have an Azure subscription, create a [free account](https://azure.m ## Prerequisites * [Xcode](https://apps.apple.com/us/app/xcode/id497799835?mt=12)-* An Immersive Reader resource configured for Azure Active Directory authentication. Follow [these instructions](./how-to-create-immersive-reader.md) to get set up. You will need some of the values created here when configuring the sample project properties. Save the output of your session into a text file for future reference. +* An Immersive Reader resource configured for Microsoft Entra authentication. Follow [these instructions](./how-to-create-immersive-reader.md) to get set up. You will need some of the values created here when configuring the sample project properties. Save the output of your session into a text file for future reference. * Usage of this sample requires an Azure subscription to the Azure AI Vision service. [Create an Azure AI Vision resource in the Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision). ## Create an Xcode project The easiest way to use the Immersive Reader SDK is via CocoaPods. To install via 6. Ensure to open the project by opening the `.xcworkspace` file and not the `.xcodeproj` file. -## Acquire an Azure AD authentication token +<a name='acquire-an-azure-ad-authentication-token'></a> -You need some values from the Azure AD authentication configuration prerequisite step above for this part. Refer back to the text file you saved of that session. +## Acquire a Microsoft Entra authentication token ++You need some values from the Microsoft Entra authentication configuration prerequisite step above for this part. Refer back to the text file you saved of that session. ````text TenantId => Azure subscription TenantId |
ai-services | Multi Region Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/custom-features/multi-region-deployment.md | The same request body to each of those different URLs serves the exact same resp ## Validations and requirements -Assigning deployment resources requires Microsoft Azure Active Directory (Azure AD) authentication. Azure AD is used to confirm you have access to the resources you are interested in assigning to your project for multi-region deployment. In the Language Studio, you can automatically [enable Azure AD authentication](https://aka.ms/rbac-language) by assigning yourself the _Cognitive Services Language Owner_ role to your original resource. To programmatically use Azure AD authentication, learn more from the [Azure AI services documentation](../../../authentication.md?source=docs&tabs=powershell&tryIt=true#authenticate-with-azure-active-directory). +Assigning deployment resources requires Microsoft Entra authentication. Microsoft Entra ID is used to confirm you have access to the resources you are interested in assigning to your project for multi-region deployment. In the Language Studio, you can automatically [enable Microsoft Entra authentication](https://aka.ms/rbac-language) by assigning yourself the _Cognitive Services Language Owner_ role to your original resource. To programmatically use Microsoft Entra authentication, learn more from the [Azure AI services documentation](../../../authentication.md?source=docs&tabs=powershell&tryIt=true#authenticate-with-azure-active-directory). Your project name and resource are used as its main identifiers. Therefore, a Language resource can only have a specific project name in each resource. Any other projects with the same name will not be deployable to that resource. |
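Review bot: The link `../../../authentication.md?source=docs&tabs=powershell&tryIt=true#authenticate-with-azure-active-directory` keeps the old heading fragment while the link text and surrounding prose are renamed to Microsoft Entra; confirm the target article still has that heading or carries a compatibility anchor such as the `<a name='...'></a>` tags added in other hunks of this batch, otherwise the fragment will silently land readers at the top of the page.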
ai-services | Encryption Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/encryption-data-at-rest.md | By default, your subscription uses Microsoft-managed encryption keys. There is a There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. -You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../../key-vault/general/overview.md). +You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../../key-vault/general/overview.md). ### Customer-managed keys for Language service To learn how to use customer-managed keys with Azure Key Vault for Azure AI serv - [Configure customer-managed keys with Key Vault for Azure AI services encryption from the Azure portal](../../encryption/cognitive-services-encryption-keys-portal.md) -Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. 
Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../../active-directory/managed-identities-azure-resources/overview.md). +Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../../active-directory/managed-identities-azure-resources/overview.md). > [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Managed identities do not currently support cross-directory scenarios. 
When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ### Store customer-managed keys in Azure Key Vault |
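Review bot: In the second IMPORTANT note the quoted heading is renamed to **Transferring a subscription between Microsoft Entra directories** but the link fragment stays `#transferring-a-subscription-between-azure-ad-directories`; keep the quoted text identical to the heading as it actually appears in the target article (readers use it to find the section), and verify the fragment still resolves there, either via the unchanged heading or a compatibility anchor.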
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/role-based-access-control.md | -## Enable Azure Active Directory authentication +<a name='enable-azure-active-directory-authentication'></a> -To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources). +## Enable Microsoft Entra authentication ++To use Azure RBAC, you must enable Microsoft Entra authentication. You can [create a new resource with a custom subdomain](../../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources). ## Add role assignment to Language resource These custom roles only apply to Language resources. > [!NOTE] > * All prebuilt capabilities are accessible to all roles > * *Owner* and *Contributor* roles take priority over the custom language roles-> * AAD is only used in case of custom Language roles +> * Microsoft Entra ID is only used in case of custom Language roles > * If you are assigned as a *Contributor* on Azure, your role will be shown as *Owner* in Language studio portal. |
ai-services | Export Import Refresh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/export-import-refresh.md | You may want to create a copy of your question answering project or related ques ## Prerequisites * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled. Remember your Azure Active Directory ID, Subscription, language resource name you selected when you created the resource. +* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled. Remember your Microsoft Entra ID, Subscription, language resource name you selected when you created the resource. ## Export a project |
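Review bot: "Remember your Microsoft Entra ID, Subscription, language resource name" changes the meaning of the prerequisite: the original "Azure Active Directory ID" was the directory (tenant) identifier the reader should note down, whereas "Microsoft Entra ID" is now the product name, so the sentence tells readers to remember a product. Suggest "Remember your Microsoft Entra tenant ID, subscription, and Language resource name".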
ai-services | Manage Knowledge Base | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/manage-knowledge-base.md | Question answering allows you to manage your projects by providing access to the ## Prerequisites > * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-> * A [Language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Azure Active Directory ID, Subscription, and language resource name you selected when you created the resource. +> * A [Language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Microsoft Entra ID, Subscription, and language resource name you selected when you created the resource. ## Create a project |
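Review bot: The prerequisite bullet now says "Remember your Microsoft Entra ID, Subscription, and language resource name"; the value the reader must record is the tenant identifier, not the product, so this rename loses the meaning of the former "Azure Active Directory ID". Suggest "Remember your Microsoft Entra tenant ID, subscription, and Language resource name".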
ai-services | Migrate Knowledge Base | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/migrate-knowledge-base.md | You may want to create copies of your projects or sources for several reasons: ## Prerequisites * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Azure Active Directory ID, Subscription, and the Language resource name you selected when you created the resource. +* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Microsoft Entra ID, Subscription, and the Language resource name you selected when you created the resource. ## Export a project There is no way to move chat logs with projects. If diagnostic logs are enabled, ## Next steps <!-- TODO: Replace Link-->- |
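Review bot: "Remember your Microsoft Entra ID, Subscription, and the Language resource name" reads as an instruction to remember the product; the intended value is the directory (tenant) ID that was meant by the former "Azure Active Directory ID". Suggest "Remember your Microsoft Entra tenant ID, subscription, and Language resource name".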
ai-services | Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/troubleshooting.md | Sharing works at the level of the language resource, that is, all projects assoc </details> <details>-<summary><b>Can you share a project with a contributor that is not in the same Azure Active Directory tenant, to modify a project?</b></summary> +<summary><b>Can you share a project with a contributor that is not in the same Microsoft Entra tenant, to modify a project?</b></summary> **Answer**: Sharing is based on Azure role-based access control (Azure Role-base access control). If you can share _any_ resource in Azure with another user, you can also share question answering. |
ai-services | Data Feeds From Different Sources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/data-feeds-from-different-sources.md | Use this article to find the settings and requirements for connecting different | Authentication types | Description | | |-| |**Basic** | You need to provide basic parameters for accessing data sources. For example, you can use a connection string or a password. Data feed admins can view these credentials. |-| **Azure managed identity** | [Managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for Azure resources is a feature of Azure Active Directory (Azure AD). It provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication.| +| **Azure managed identity** | [Managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for Azure resources is a feature of Microsoft Entra ID. It provides Azure services with an automatically managed identity in Microsoft Entra ID. You can use the identity to authenticate to any service that supports Microsoft Entra authentication.| | **Azure SQL connection string**| Store your Azure SQL connection string as a credential entity in Metrics Advisor, and use it directly each time you import metrics data. Only admins of the credential entity can view these credentials, but authorized viewers can create data feeds without needing to know details for the credentials. | | **Azure Data Lake Storage Gen2 shared key**| Store your data lake account key as a credential entity in Metrics Advisor, and use it directly each time you import metrics data. 
Only admins of the credential entity can view these credentials, but authorized viewers can create data feeds without needing to know details for the credentials.| | **Service principal**| Store your [service principal](../../active-directory/develop/app-objects-and-service-principals.md) as a credential entity in Metrics Advisor, and use it directly each time you import metrics data. Only admins of the credential entity can view the credentials, but authorized viewers can create data feeds without needing to know details for the credentials.| The following sections specify the parameters required for all authentication ty * **Basic**: See [Configure Azure Storage connection strings](../../storage/common/storage-configure-connection-string.md#configure-a-connection-string-for-an-azure-storage-account) for information on retrieving this string. Also, you can visit the Azure portal for your Azure Blob Storage resource, and find the connection string directly in **Settings** > **Access keys**. - * **Managed identity**: Managed identities for Azure resources can authorize access to blob and queue data. The feature uses Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. + * **Managed identity**: Managed identities for Azure resources can authorize access to blob and queue data. The feature uses Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. You can create a managed identity in the Azure portal for your Azure Blob Storage resource. In **Access Control (IAM)**, select **Role assignments**, and then select **Add**. A suggested role type is: **Storage Blob Data Reader**. For more details, refer to [Use managed identity to access Azure Storage](../../active-directory/managed-identities-azure-resources/tutorial-vm-windows-access-storage.md#grant-access-1). 
The following sections specify the parameters required for all authentication ty * **Connection string**: There are four authentication types for Azure Data Explorer (Kusto): basic, service principal, service principal from key vault, and managed identity. The data source in the connection string should be in the URI format (starts with "https"). You can find the URI in the Azure portal. - * **Basic**: Metrics Advisor supports accessing Azure Data Explorer (Kusto) by using Azure AD application authentication. You need to create and register an Azure AD application, and then authorize it to access an Azure Data Explorer database. For more information, see [Create an Azure AD app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app). Here's an example of connection string: + * **Basic**: Metrics Advisor supports accessing Azure Data Explorer (Kusto) by using Microsoft Entra application authentication. You need to create and register a Microsoft Entra application, and then authorize it to access an Azure Data Explorer database. For more information, see [Create a Microsoft Entra app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app). Here's an example of connection string: ``` Data Source=<URI Server>;Initial Catalog=<Database>;AAD Federated Security=True;Application Client ID=<Application Client ID>;Application Key=<Application Key>;Authority ID=<Tenant ID> The following sections specify the parameters required for all authentication ty * **Service principal**: A service principal is a concrete instance created from the application object. The service principal inherits certain properties from that application object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access. To use a service principal in Metrics Advisor: - 1. Create the Azure AD application registration. 
For more information, see [Create an Azure AD app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app). + 1. Create the Microsoft Entra application registration. For more information, see [Create a Microsoft Entra app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app). 1. Manage Azure Data Explorer database permissions. For more information, see [Manage Azure Data Explorer database permissions](/azure/data-explorer/manage-database-permissions). The following sections specify the parameters required for all authentication ty Data Source=<URI Server>;Initial Catalog=<Database> ``` - * **Managed identity**: Managed identity for Azure resources can authorize access to blob and queue data. Managed identity uses Azure AD credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. Learn how to [authorize with a managed identity](../../storage/blobs/authorize-managed-identity.md#enable-managed-identities-on-a-vm). + * **Managed identity**: Managed identity for Azure resources can authorize access to blob and queue data. Managed identity uses Microsoft Entra credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. Learn how to [authorize with a managed identity](../../storage/blobs/authorize-managed-identity.md#enable-managed-identities-on-a-vm). You can create a managed identity in the Azure portal for your Azure Data Explorer (Kusto). Select **Permissions** > **Add**. The suggested role type is: **admin / viewer**. 
The following sections specify the parameters required for all authentication ty The account name is the same as the basic authentication type. - **Step 1:** Create and register an Azure AD application, and then authorize it to access the database. For more information, see [Create an Azure AD app registration](/azure/data-explorer/provision-azure-ad-app). + **Step 1:** Create and register a Microsoft Entra application, and then authorize it to access the database. For more information, see [Create a Microsoft Entra app registration](/azure/data-explorer/provision-azure-ad-app). **Step 2:** Assign roles. The following sections specify the parameters required for all authentication ty 4. Select **+ Add**, and select **Add role assignment** from the menu. - 5. Set the **Select** field to the Azure AD application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**. + 5. Set the **Select** field to the Microsoft Entra application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**. ![Screenshot that shows the steps to assign roles.](media/datafeeds/adls-gen-2-app-reg-assign-roles.png) Azure Monitor Logs has the following authentication types: basic, service princi * **Service principal**: A service principal is a concrete instance created from the application object, and it inherits certain properties from that application object. A service principal is created in each tenant where the application is used, and it references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access. - **Step 1:** Create and register an Azure AD application, and then authorize it to access a database. For more information, see [Create an Azure AD app registration](/azure/data-explorer/provision-azure-ad-app). 
+ **Step 1:** Create and register a Microsoft Entra application, and then authorize it to access a database. For more information, see [Create a Microsoft Entra app registration](/azure/data-explorer/provision-azure-ad-app). **Step 2:** Assign roles. 1. In the Azure portal, go to the **Storage accounts** service. 2. Select **Access Control (IAM)**. 3. Select **+ Add**, and then select **Add role assignment** from the menu.- 4. Set the **Select** field to the Azure AD application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**. + 4. Set the **Select** field to the Microsoft Entra application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**. ![Screenshot that shows how to assign roles.](media/datafeeds/adls-gen-2-app-reg-assign-roles.png) Azure Monitor Logs has the following authentication types: basic, service princi Data Source=<Server>;Initial Catalog=<db-name>;User ID=<user-name>;Password=<password> ``` - * <span id='jump'>**Managed identity**</span>: Managed identity for Azure resources can authorize access to blob and queue data. It does so by using Azure AD credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. To [enable your managed entity](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md), follow these steps: + * <span id='jump'>**Managed identity**</span>: Managed identity for Azure resources can authorize access to blob and queue data. It does so by using Microsoft Entra credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. 
By using managed identity for Azure resources and Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. To [enable your managed entity](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md), follow these steps: 1. Enabling a system-assigned managed identity is a one-click experience. In the Azure portal, for your Metrics Advisor workspace, go to **Settings** > **Identity** > **System assigned**. Then set the status as **on**. ![Screenshot that shows how to set the status as on.](media/datafeeds/set-identity-status.png) - 1. Enable Azure AD authentication. In the Azure portal, for your data source, go to **Settings** > **Active Directory admin**. Select **Set admin**, and select an **Azure AD user account** to be made an administrator of the server. Then, choose **Select**. + 1. Enable Microsoft Entra authentication. In the Azure portal, for your data source, go to **Settings** > **Active Directory admin**. Select **Set admin**, and select an **Microsoft Entra user account** to be made an administrator of the server. Then, choose **Select**. ![Screenshot that shows how to set the admin.](media/datafeeds/set-admin.png) 1. Enable managed identity in Metrics Advisor. You can edit a query in the database management tool or in the Azure portal. - **Management tool**: In your database management tool, select **Active Directory - Universal with MFA support** in the authentication field. In the **User name** field, enter the name of the Azure AD account that you set as the server administrator in step 2. For example, this might be `test@contoso.com`. + **Management tool**: In your database management tool, select **Active Directory - Universal with MFA support** in the authentication field. In the **User name** field, enter the name of the Microsoft Entra account that you set as the server administrator in step 2. For example, this might be `test@contoso.com`. 
![Screenshot that shows how to set connection details.](media/datafeeds/connection-details.png) Azure Monitor Logs has the following authentication types: basic, service princi * **Service principal**: A service principal is a concrete instance created from the application object, and it inherits certain properties from that application object. A service principal is created in each tenant where the application is used, and it references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access. - **Step 1:** Create and register an Azure AD application, and then authorize it to access a database. For more information, see [Create an Azure AD app registration](/azure/data-explorer/provision-azure-ad-app). + **Step 1:** Create and register a Microsoft Entra application, and then authorize it to access a database. For more information, see [Create a Microsoft Entra app registration](/azure/data-explorer/provision-azure-ad-app). **Step 2:** Follow the steps documented previously, in [managed identity in SQL Server](#jump). |
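Review bot: the renamed "Enable Microsoft Entra authentication" step now reads "select an **Microsoft Entra user account**"; the article should be "a" ("a Microsoft Entra user account"). While this paragraph is open, the unchanged link text "To [enable your managed entity]" should read "managed identity", which is what the linked tutorial and the rest of the section describe. The remaining "Active Directory admin" blade and the "Active Directory - Universal with MFA support" option are literal portal/SSMS labels, so leaving those unrenamed is correct.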
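Review bot: in the service-principal Step 2, the role assignment is made from the **Storage accounts** > **Access Control (IAM)** blade with **Storage Blob Data Contributor**, which grants write access on the whole storage account. A data feed only needs to read blobs, so the least-privilege choice is Storage Blob Data Reader scoped to the container that holds the feed; add a sentence saying so rather than presenting Contributor at account scope as the default.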
ai-services | Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/encryption.md | Metrics Advisor supports CMK and double encryption by using BYOS (bring your own - Get Application ID of Managed Identity - Go to Azure Active Directory, and select 'Enterprise applications'. Change 'Application type' to **'Managed Identity'**, copy resource name of Metrics Advisor, and search. Then you're able to view the 'Application ID' from the query result, copy it. + Go to Microsoft Entra ID, and select 'Enterprise applications'. Change 'Application type' to **'Managed Identity'**, copy resource name of Metrics Advisor, and search. Then you're able to view the 'Application ID' from the query result, copy it. ### Step3. Grant Metrics Advisor access permission to your Azure Database for PostgreSQL |
ai-services | Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/alerts.md | A web hook is another notification channel by using an endpoint that is provided **Step1.** Enable Managed Identity in your Metrics Advisor resource -A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD, so you donΓÇÖt have to store any credentials in code. +A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Microsoft Entra ID, so you donΓÇÖt have to store any credentials in code. Go to Metrics Advisor resource in Azure portal, and select "Identity", turn it to "on" then Managed Identity is enabled. |
ai-services | Credential Entity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/credential-entity.md | Until now, the *client ID* and *client secret* of service principal are finally **Step 5: Create a service principal to store the key vault.** -1. Go to [Azure portal AAD (Azure Active Directory)](https://portal.azure.com/?trace=diagnostics&feature.customportal=false#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) and create a new registration. +1. Go to [Azure portal Microsoft Entra ID](https://portal.azure.com/?trace=diagnostics&feature.customportal=false#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) and create a new registration. ![create a new registration](../media/credential-entity/create-registration.png) |
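Review bot: the renamed link target still carries portal debugging parameters (`?trace=diagnostics&feature.customportal=false`) that aren't needed to reach the Microsoft Entra ID blade; since the link text is being rewritten anyway, point it at the plain portal URL. The step heading "Create a service principal to store the key vault" is also ambiguous (a service principal does not store a key vault); state what the registered application is used for in this procedure.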
ai-services | Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/models.md | These models can only be used with Embedding API requests. | Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) | Output dimensions | | | | | | |-| text-embedding-ada-002 (version 2) | Canada East, East US, East US2, France Central, Japan East, North Central US, South Central US, Switzerland North, UK South, West Europe | N/A |8,191 | Sep 2021 | 1536 | +| text-embedding-ada-002 (version 2) | Australia East, Canada East, East US, East US2, France Central, Japan East, North Central US, South Central US, Switzerland North, UK South, West Europe | N/A |8,191 | Sep 2021 | 1536 | | text-embedding-ada-002 (version 1) | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 | 1536 | ### DALL-E models (Preview) |
ai-services | Use Your Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/use-your-data.md | To add a new data source to your Azure OpenAI resource, you need the following A ## Document-level access control -Azure OpenAI on your data lets you restrict the documents that can be used in responses for different users with Azure Cognitive Search [security filters](/azure/search/search-security-trimming-for-azure-search-with-aad). When you enable document level access, the search results returned from Azure Cognitive Search and used to generate a response will be trimmed based on user Azure Active Directory (AD) group membership. You can only enable document-level access on existing Azure Cognitive search indexes. To enable document-level access: +Azure OpenAI on your data lets you restrict the documents that can be used in responses for different users with Azure Cognitive Search [security filters](/azure/search/search-security-trimming-for-azure-search-with-aad). When you enable document level access, the search results returned from Azure Cognitive Search and used to generate a response will be trimmed based on user Microsoft Entra group membership. You can only enable document-level access on existing Azure Cognitive search indexes. To enable document-level access: 1. Follow the steps in the [Azure Cognitive Search documentation](/azure/search/search-security-trimming-for-azure-search-with-aad) to register your application and create users and groups. 1. [Index your documents with their permitted groups](/azure/search/search-security-trimming-for-azure-search-with-aad#index-document-with-their-permitted-groups). 
Be sure that your new [security fields](/azure/search/search-security-trimming-for-azure-search#create-security-field) have the schema below: Azure OpenAI on your data lets you restrict the documents that can be used in re **Azure OpenAI Studio** -Once the Azure Cognitive Search index is connected, your responses in the studio will have document access based on the Azure AD permissions of the logged in user. +Once the Azure Cognitive Search index is connected, your responses in the studio will have document access based on the Microsoft Entra permissions of the logged in user. **Web app** -If you are using a published [web app](#using-the-web-app), you need to redeploy it to upgrade to the latest version. The latest version of the web app includes the ability to retrieve the groups of the logged in user's Azure AD account, cache it, and include the group IDs in each API request. +If you are using a published [web app](#using-the-web-app), you need to redeploy it to upgrade to the latest version. The latest version of the web app includes the ability to retrieve the groups of the logged in user's Microsoft Entra account, cache it, and include the group IDs in each API request. **API** When customizing the app, we recommend: 1. Select Microsoft as the identity provider. The default settings on this page will restrict the app to your tenant only, so you don't need to change anything else here. Then select **Add** - Now users will be asked to sign in with their Azure Active Directory account to be able to access your app. You can follow a similar process to add another identity provider if you prefer. The app doesn't use the user's login information in any other way other than verifying they are a member of your tenant. + Now users will be asked to sign in with their Microsoft Entra account to be able to access your app. You can follow a similar process to add another identity provider if you prefer. 
The app doesn't use the user's login information in any other way other than verifying they are a member of your tenant. ### Chat history When you chat with a model, providing a history of the chat will help the model * [Get started using your data with Azure OpenAI](../use-your-data-quickstart.md) * [Introduction to prompt engineering](./prompt-engineering.md)-- |
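Review bot: the web-app paragraph says the app retrieves the signed-in user's Microsoft Entra groups, caches them, and sends the group IDs with each API request, but gives no cache lifetime. Because document-level trimming is driven entirely by that cached list, a user removed from a group keeps seeing that group's documents until the cache expires; state the refresh interval (or what clears it, e.g. sign-out or redeploy) so operators can judge the revocation window. Minor: "logged in user" should be "logged-in user" in both renamed sentences.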
ai-services | Encrypt Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/encrypt-data-at-rest.md | By default, your subscription uses Microsoft-managed encryption keys. There's al Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. -You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). +You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). To request the ability to use customer-managed keys, fill out and submit the [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request. When you disable customer-managed keys, your Azure AI services resource is then 1. Go to your Azure AI services resource, and then select **Encryption**. 1. Select **Microsoft Managed Keys** > **Save**. -When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Azure AD. 
Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md). +When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md). > [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Managed identities do not currently support cross-directory scenarios. 
When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ## Next steps |
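Review bot: the second IMPORTANT note renames the cross-reference text to "Transferring a subscription between Microsoft Entra directories" but keeps the fragment `#transferring-a-subscription-between-azure-ad-directories`. If the target heading in known-issues.md was renamed in the same sweep, this fragment only resolves if that file received a compatibility anchor (the `<a name='...'></a>` pattern used in other files of this change); please verify, otherwise the link lands at the top of the page and readers miss the tenant-move caveat that can silently break customer-managed-key access.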
ai-services | Business Continuity Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/business-continuity-disaster-recovery.md | Follow these steps to configure your client to monitor errors: 4. For the primary region and any backup regions your code will need to know: - Base URI for the resource- - Regional access key or Azure Active Directory access + - Regional access key or Microsoft Entra ID access 5. Configure your code so that you monitor connectivity errors (typically connection timeouts and service unavailability errors). - Given that networks yield transient errors, for single connectivity issue occurrences, the suggestion is to retry. - For persistent connectivity issues, redirect traffic to the backup resource in the region(s) you've created. -If you have fine-tuned a model in your primary region, you will need to retrain the base model in the secondary region(s) using the same training data. And then follow the above steps. +If you have fine-tuned a model in your primary region, you will need to retrain the base model in the secondary region(s) using the same training data. And then follow the above steps. |
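Review bot: the "Regional access key or Microsoft Entra ID access" bullet asks the client to hold credentials for the primary and every backup region. With per-region keys that means distributing two or more long-lived secrets to each client; recommend Microsoft Entra authentication (a managed identity with a role assignment on each regional resource) as the preferred option so failover doesn't multiply key material, and say that per-region keys, if used, belong in a secret store rather than in configuration.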
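Review bot: the last hunk ("If you have fine-tuned a model in your primary region ...") is a whitespace-only change; the removed and added lines are identical. Drop it from the commit so the diff stays limited to the rename.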
ai-services | Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/managed-identity.md | Title: How to configure Azure OpenAI Service with managed identities -description: Provides guidance on how to set managed identity with Azure Active Directory +description: Provides guidance on how to set managed identity with Microsoft Entra ID Last updated 06/24/2022-More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your OpenAI resource using Azure Active Directory (Azure AD). +More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your OpenAI resource using Microsoft Entra ID. In the following sections, you'll use the Azure CLI to assign roles, and obtain a bearer token to call the OpenAI resource. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI. In the following sections, you'll use the Azure CLI to assign roles, and obtain - Access granted to the Azure OpenAI Service in the desired Azure subscription - Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the [Request Access to Azure OpenAI Service form](https://aka.ms/oai/access). Open an issue on this repo to contact us if you have an issue. -- [Custom subdomain names are required to enable features like Azure Active Directory (Azure AD) for authentication.](+- [Custom subdomain names are required to enable features like Microsoft Entra ID for authentication.]( ../../cognitive-services-custom-subdomains.md) - Azure CLI - [Installation Guide](/cli/azure/install-azure-cli) Assigning yourself to the "Cognitive Services User" role will allow you to use y > [!NOTE] > Role assignment change will take ~5 mins to become effective. -3. Acquire an Azure AD access token. 
Access tokens expire in one hour. you'll then need to acquire another one. +3. Acquire a Microsoft Entra access token. Access tokens expire in one hour. you'll then need to acquire another one. ```azurecli export accessToken=$(az account get-access-token --resource https://cognitiveservices.azure.com --query "accessToken" -o tsv) curl ${endpoint%/}/openai/deployments/YOUR_DEPLOYMENT_NAME/completions?api-versi ## Authorize access to managed identities -OpenAI supports Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. +OpenAI supports Microsoft Entra authentication with [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. 
## Enable managed identities on a VM Before you can use managed identities for Azure resources to authorize access to - [Azure Resource Manager client libraries](../../../active-directory/managed-identities-azure-resources/qs-configure-sdk-windows-vm.md) For more information about managed identities, see [Managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).- |
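Review bot: the description and body are rewritten for Microsoft Entra ID, but the front matter still says `Last updated 06/24/2022`; bump the date so readers can tell the article reflects the rename.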
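Review bot: the renamed step 3 keeps a lowercase sentence start: "Access tokens expire in one hour. you'll then need to acquire another one." should be "You'll then need ...". Also, Microsoft Entra access-token lifetime is not fixed at exactly one hour (the default varies between roughly 60 and 90 minutes), so "expire after about an hour" is more accurate, and the example should tell readers to read `expiresOn` from the `az account get-access-token` output rather than assume 3600 seconds.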
ai-services | Switching Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/switching-endpoints.md | openai.api_version = "2023-05-15" # subject to change </tr> </table> -### Azure Active Directory authentication +<a name='azure-active-directory-authentication'></a> ++### Microsoft Entra authentication <table> <tr> |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/overview.md | Azure OpenAI Service provides REST API access to OpenAI's powerful language mode | Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman <br> Davinci <br>**Fine-tuning is currently unavailable to new customers**.| | Price | [Available here](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) | | Virtual network support & private link support | Yes, unless using [Azure OpenAI on your data](./concepts/use-your-data.md). | -| Managed Identity| Yes, via Azure Active Directory | +| Managed Identity| Yes, via Microsoft Entra ID | | UI experience | **Azure portal** for account & resource management, <br> **Azure OpenAI Service Studio** for model exploration and fine tuning | | Model regional availability | [Model availability](./concepts/models.md) | | Content filtering | Prompts and completions are evaluated against our content policy with automated systems. High severity content will be filtered. | |
ai-services | Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/reference.md | This article provides details on the inference REST API endpoints for Azure Open ## Authentication -Azure OpenAI provides two methods for authentication. you can use either API Keys or Azure Active Directory. +Azure OpenAI provides two methods for authentication. you can use either API Keys or Microsoft Entra ID. - **API Key authentication**: For this type of authentication, all API requests must include the API Key in the ```api-key``` HTTP header. The [Quickstart](./quickstart.md) provides guidance for how to make calls with this type of authentication. -- **Azure Active Directory authentication**: You can authenticate an API call using an Azure Active Directory token. Authentication tokens are included in a request as the ```Authorization``` header. The token provided must be preceded by ```Bearer```, for example ```Bearer YOUR_AUTH_TOKEN```. You can read our how-to guide on [authenticating with Azure Active Directory](./how-to/managed-identity.md).+- **Microsoft Entra authentication**: You can authenticate an API call using a Microsoft Entra token. Authentication tokens are included in a request as the ```Authorization``` header. The token provided must be preceded by ```Bearer```, for example ```Bearer YOUR_AUTH_TOKEN```. You can read our how-to guide on [authenticating with Microsoft Entra ID](./how-to/managed-identity.md). ### REST API versioning |
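Review bot: the renamed sentence "Azure OpenAI provides two methods for authentication. you can use either API Keys or Microsoft Entra ID." still starts its second sentence lowercase; fix to "You can use ..." or join them ("two methods for authentication: API keys or Microsoft Entra ID"). Since the section lists both methods as equals, a one-line pointer that Microsoft Entra authentication is the recommended option (the security-features article in this same change calls it the most secure) would help readers choose.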
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/Concepts/role-based-access-control.md | Collaborate with other authors and editors using Azure role-based access control All permissions are controlled by the permissions placed on the QnA Maker resource. These permissions align to read, write, publish, and full access. You can allow collaboration among multiple users by [updating RBAC access](../how-to/manage-qna-maker-app.md) for QnA Maker resource. This Azure RBAC feature includes:-* Azure Active Directory (AAD) is 100% backward compatible with key-based authentication for owners and contributors. Customers can use either key-based authentication or Azure RBAC-based authentication in their requests. +* Microsoft Entra ID is 100% backward compatible with key-based authentication for owners and contributors. Customers can use either key-based authentication or Azure RBAC-based authentication in their requests. * Quickly add authors and editors to all knowledge bases in the resource because control is at the resource level, not at the knowledge base level. > [!NOTE] |
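Review bot: the renamed bullet "Microsoft Entra ID is 100% backward compatible with key-based authentication" mislabels the subject: it is Azure RBAC authorization (requests carrying Microsoft Entra tokens) that can be used alongside key-based authentication, not the identity service that is compatible with keys. Suggest "Azure RBAC (Microsoft Entra) authentication is fully backward compatible with key-based authentication for owners and contributors ..."; "fully" also reads better than "100%".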
ai-services | Add Sharepoint Datasources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/add-sharepoint-datasources.md | The request begins with a pop-up to authenticate to an Active Directory account. ![Authenticate User Account](../media/add-sharepoint-datasources/authenticate-user-account.png) -Once the QnA Maker manager selects the account, the Azure Active Directory administrator will receive a notice that they need to allow the QnA Maker app (not the QnA Maker manager) access to the SharePoint resource. The Azure Active Directory manager will need to do this for every SharePoint resource, but not every document in that resource. +Once the QnA Maker manager selects the account, the Microsoft Entra administrator will receive a notice that they need to allow the QnA Maker app (not the QnA Maker manager) access to the SharePoint resource. The Microsoft Entra manager will need to do this for every SharePoint resource, but not every document in that resource. ### Active directory The Active Directory manager (not the QnA Maker manager) needs to grant access to QnA Maker to access the SharePoint resource by selecting [this link](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=Files.Read%20Files.Read.All%20Sites.Read.All%20User.Read%20User.ReadBasic.All%20profile%20openid%20email&client_id=c2c11949-e9bb-4035-bda8-59542eb907a6&redirect_uri=https%3A%2F%2Fwww.qnamaker.ai%3A%2FCreate&state=68) to authorize the QnA Maker Portal SharePoint enterprise app to have file read permissions. 
-![Azure Active Directory manager grants permission interactively](../media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png) +![Microsoft Entra manager grants permission interactively](../media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png) <!-- The Active Directory manager must grant QnA Maker access either by application name, `QnAMakerPortalSharePoint`, or by application ID, `c2c11949-e9bb-4035-bda8-59542eb907a6`. The Active Directory manager will get a pop-up window requesting permissions to ![Grant required permissions](../media/add-sharepoint-datasources/grant-required-permissions.png) -->-### Grant access from the Azure Active Directory admin center +<a name='grant-access-from-the-azure-active-directory-admin-center'></a> ++### Grant access from the Microsoft Entra admin center 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Browse to **Microsoft Entra ID** > **Enterprise applications**. 1. Search for `QnAMakerPortalSharePoint` the select the QnA Maker app. |
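Review bot: in the renamed paragraph the same person is called "Microsoft Entra administrator" in the first sentence and "Microsoft Entra manager" in the second; use "administrator" consistently (the unchanged "Active Directory manager" further down has the same problem). Separately, the prose says the consent link grants "file read permissions", but the visible `scope` parameter requests Files.Read, Files.Read.All, Sites.Read.All, User.Read, User.ReadBasic.All, profile, openid and email; list the actual delegated scopes so the admin knows they are also consenting to read all sites and basic user profiles, not just files.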
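Review bot: in the renamed "Grant access from the Microsoft Entra admin center" steps, the unchanged line "Search for `QnAMakerPortalSharePoint` the select the QnA Maker app" has a typo ("the" should be "then"); fix it while the section is being touched. The compatibility anchor added above the heading is the right way to preserve inbound links to the old slug.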
ai-services | Manage Knowledge Bases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/manage-knowledge-bases.md | QnA Maker allows you to manage your knowledge bases by providing access to the k ## Prerequisites > * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource. +> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource. ## Create a knowledge base QnA Maker allows you to manage your knowledge bases by providing access to the k 1. On the **Create** page, skip **Step 1** if you already have your QnA Maker resource. - If you haven't created the resource yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource. + If you haven't created the resource yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource. When you are done creating the resource in the Azure portal, return to the QnA Maker portal, refresh the browser page, and continue to **Step 2**. |
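Review bot: "Remember your Microsoft Entra ID, Subscription, QnA resource name" (in both the Prerequisites note and the Create step) changes the meaning: the original "Azure Active Directory ID" was the directory/tenant identifier the portal asks for, whereas "Microsoft Entra ID" is now the product name. Use "Microsoft Entra tenant ID" (or "directory (tenant) ID").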
ai-services | Test Knowledge Base | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/test-knowledge-base.md | Use the batch testing tool when you want to: 1. Select **Create a knowledge base** from the tool bar. 1. Skip **Step 1** because you should already have a QnA Maker resource, moving on to **Step 2** to select your existing resource information:- * Azure Active Directory ID + * Microsoft Entra ID * Azure Subscription Name * Azure QnA Service Name * Language - the English language |
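Review bot: the bullet list of "existing resource information" now starts with "Microsoft Entra ID", which reads as the product rather than the value the QnA Maker portal asks for; it should be "Microsoft Entra tenant ID" to match the sibling items (subscription name, service name).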
ai-services | Create Publish Knowledge Base | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/Quickstarts/create-publish-knowledge-base.md | You can create a QnA Maker knowledge base (KB) from your own content, such as FA > [!div class="checklist"] > * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA Maker resource name you selected when you created the resource. +> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, QnA Maker resource name you selected when you created the resource. ## Create your first QnA Maker knowledge base You can create a QnA Maker knowledge base (KB) from your own content, such as FA 3. On the **Create** page, skip **Step 1** if you already have your QnA Maker resource. -If you haven't created the service yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource. +If you haven't created the service yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource. 
When you are done creating the resource in the Azure portal, return to the QnA Maker portal, refresh the browser page, and continue to **Step 2**. |
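Review bot: both renamed sentences ("Remember your Microsoft Entra ID, Subscription, QnA Maker resource name ...") lost the identifier sense of the original "Azure Active Directory ID"; write "Microsoft Entra tenant ID" so readers know to record the directory (tenant) ID, not a product name.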
ai-services | Export Knowledge Base | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/Tutorials/export-knowledge-base.md | You may want to create a copy of your knowledge base for several reasons: ## Prerequisites > * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource. +> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource. > * Set up a new [QnA Maker service](../how-to/set-up-qnamaker-service-azure.md) ## Export a knowledge base |
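Review bot: the Prerequisites bullet's "Remember your Microsoft Entra ID, Subscription, QnA resource name" should be "Microsoft Entra tenant ID": the list is of values to note down, and "Microsoft Entra ID" alone is now the name of the service.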
ai-services | Reference Private Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/reference-private-endpoint.md | Private endpoints are provided by [Azure Private Link](../../private-link/privat ## Prerequisites > [!div class="checklist"] > * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.-> * A [Text Analytics resource](https://portal.azure.com/?quickstart=true#create/Microsoft.CognitiveServicesTextAnalytics) (with Custom question answering feature) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, Text Analytics resource name you selected when you created the resource. +> * A [Text Analytics resource](https://portal.azure.com/?quickstart=true#create/Microsoft.CognitiveServicesTextAnalytics) (with Custom question answering feature) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, Text Analytics resource name you selected when you created the resource. ## Steps to enable private endpoint 1. Assign *Contributer* role to Text Analytics service in the Azure Search Service instance. This operation requires *Owner* access to the subscription. Go to Identity tab in the service resource to get the identity. |
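Review bot: same rename slip as the other QnA Maker prerequisites: "Remember your Microsoft Entra ID, Subscription, Text Analytics resource name" should say "Microsoft Entra tenant ID". In the unchanged step 1 below, "Contributer" is misspelled ("Contributor"), and "This operation requires Owner access to the subscription" overstates: creating a role assignment needs `Microsoft.Authorization/roleAssignments/write`, which Owner or User Access Administrator at the Search service scope provides, and Contributor on the Search service is broad for what the step does; say why that role is needed or name a narrower one.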
ai-services | Security Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/security-features.md | For a comprehensive list of Azure service security recommendations see the [Azur |Feature | Description | |:|:| | [Transport Layer Security (TLS)](/dotnet/framework/network-programming/tls) | All of the Azure AI services endpoints exposed over HTTP enforce the TLS 1.2 protocol. With an enforced security protocol, consumers attempting to call an Azure AI services endpoint should follow these guidelines: </br>- The client operating system (OS) needs to support TLS 1.2.</br>- The language (and platform) used to make the HTTP call need to specify TLS 1.2 as part of the request. Depending on the language and platform, specifying TLS is done either implicitly or explicitly.</br>- For .NET users, consider the [Transport Layer Security best practices](/dotnet/framework/network-programming/tls). |-| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.</br></br>By default, you authenticate your own calls to Azure AI services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use managed roles in Azure Active Directory. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md). | +| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. 
An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.</br></br>By default, you authenticate your own calls to Azure AI services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use managed roles in Microsoft Entra ID. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md). | | [Key rotation](./authentication.md)| Each Azure AI services resource has two API keys to enable secret rotation. This is a security precaution that lets you regularly change the keys that can access your service, protecting the privacy of your service in the event that a key gets leaked. To learn about this and other authentication options, see [Rotate keys](./rotate-keys.md). | | [Environment variables](cognitive-services-environment-variables.md) | Environment variables are name-value pairs that are stored within a specific development environment. You can store your credentials in this way as a more secure alternative to using hardcoded values in your code. However, if your environment is compromised, the environment variables are compromised as well, so this is not the most secure approach.</br></br> For instructions on how to use environment variables in your code, see the [Environment variables guide](cognitive-services-environment-variables.md). | | [Customer-managed keys (CMK)](./encryption/cognitive-services-encryption-keys-portal.md) | This feature is for services that store customer data at rest (longer than 48 hours). While this data is already double-encrypted on Azure servers, users can get extra security by adding another layer of encryption, with keys they manage themselves. You can link your service to Azure Key Vault and manage your data encryption keys there. 
</br></br>You need special approval to get the E0 SKU for your service, which enables CMK. Within 3-5 business days after you submit the [request form](https://aka.ms/cogsvc-cmk), you'll get an update on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once you're approved for using the E0 SKU, you'll need to create a new resource from the Azure portal and select E0 as the Pricing Tier. You won't be able to upgrade from F0 to the new E0 SKU. </br></br>Only some services can use CMK; look for your service on the [Customer-managed keys](./encryption/cognitive-services-encryption-keys-portal.md) page.| |
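Review bot: In the Authentication options row, "The most secure authentication method is to use managed roles in Microsoft Entra ID" carries over an undefined term from the `-` line; "managed roles" is not a concept the row explains, so consider naming the mechanism the linked article covers (Microsoft Entra token-based authentication, with access granted through role assignments) or dropping the adjective. Also in the unchanged context, the `</br>` tags used as line breaks throughout the table are closing tags with no opening tag; `<br>` is the valid form and renders the same.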
ai-services | Bring Your Own Storage Speech Resource Speech To Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/bring-your-own-storage-speech-resource-speech-to-text.md | Such a request returns direct Storage Account URLs to data files (without SAS or } ``` -URL of this format ensures that only Azure Active Directory identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL. +URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL. > [!WARNING] > If `sasValidityInSeconds` parameter is omitted in [Get Transcription Files](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_ListFiles) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). Such a request returns direct Storage Account URLs to data files (without SAS or } ``` -URL of this format ensures that only Azure Active Directory identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL. +URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL. 
> [!WARNING] > If `sasValidityInSeconds` parameter is omitted in [Get Base Model Logs](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Endpoints_ListBaseModelLogs) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). Such a request returns direct Storage Account URLs to data files (without SAS or } ``` -URL of this format ensures that only Azure Active Directory identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL. +URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL. > [!WARNING] > If `sasValidityInSeconds` parameter is omitted in [Get Dataset Files](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Datasets_ListFiles) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
URL of this format ensures that only Azure Active Directory identities (users, s - [Set up the Bring your own storage (BYOS) Speech resource](bring-your-own-storage-speech-resource.md) - [Batch transcription overview](batch-transcription.md) - [How to log audio and transcriptions for speech recognition](logging-audio-transcription.md)-- [Custom Speech overview](custom-speech-overview.md)+- [Custom Speech overview](custom-speech-overview.md) |
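Review bot: All three `+` lines keep the missing article from the `-` lines: "URL of this format ensures that only Microsoft Entra identities ..." should read "A URL of this format ensures ..." (or "URLs of this format ensure ..."). Since each of the three WARNING blocks says that omitting `sasValidityInSeconds` yields a user delegation SAS valid for 30 days that works even when shared key access is disabled, a sentence recommending callers pass `sasValidityInSeconds` explicitly with the shortest lifetime their workflow needs would make the security implication of the default actionable rather than only describing it.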
ai-services | Bring Your Own Storage Speech Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/bring-your-own-storage-speech-resource.md | General rule is that you need to pass this JSON string as a value of `--storage` To create a BYOS-enabled Speech resource with a REST Request to Cognitive Services API, we use [Accounts - Create](/rest/api/cognitiveservices/accountmanagement/accounts/create) request. -You need to have a means of authentication. The example in this section uses [Microsoft Azure Active Directory token](/azure/active-directory/develop/access-tokens). +You need to have a means of authentication. The example in this section uses [Microsoft Entra token](/azure/active-directory/develop/access-tokens). -This code snippet generates Azure AD token using interactive browser sign-in. It requires [Azure Identity client library](/dotnet/api/overview/azure/identity-readme): +This code snippet generates Microsoft Entra token using interactive browser sign-in. It requires [Azure Identity client library](/dotnet/api/overview/azure/identity-readme): ```csharp TokenRequestContext context = new Azure.Core.TokenRequestContext(new string[] { "https://management.azure.com/.default" }); InteractiveBrowserCredential browserCredential = new InteractiveBrowserCredential(); You need to allow access for the machine, where you run the browser using Speech ## Next steps -- [Use the Bring your own storage (BYOS) Speech resource for Speech to text](bring-your-own-storage-speech-resource-speech-to-text.md)+- [Use the Bring your own storage (BYOS) Speech resource for Speech to text](bring-your-own-storage-speech-resource-speech-to-text.md) |
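Review bot: Both `+` lines drop the article: "The example in this section uses [Microsoft Entra token]" and "This code snippet generates Microsoft Entra token" should read "uses a [Microsoft Entra token]" and "generates a Microsoft Entra token". The `-` line had the same problem with "Azure AD token", so this is a good moment to fix it.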
ai-services | Custom Commands Encryption Of Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-commands-encryption-of-data-at-rest.md | To request the ability to use customer-managed keys, fill out and submit Custome ## Customer-managed keys with Azure Key Vault -You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Speech resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). +You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Speech resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). When a new Speech resource is created and used to provision Custom Commands application - data is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Azure AI services resource. The managed identity is available only after the resource is created using the Pricing Tier required for CMK. -Enabling customer managed keys will also enable a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), a feature of Azure AD. 
Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. +Enabling customer managed keys will also enable a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. > [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. 
If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ## Configure Azure Key Vault |
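Review bot: In the unchanged IMPORTANT block, "Any features depended on this data will stop working" should be "Any features that depend on this data will stop working". The same block already states that disabling the system-assigned managed identity removes key vault access and makes customer-key-encrypted data inaccessible; it would be worth adding that re-enabling the identity does not automatically restore the key vault access policy, if that is the behaviour, or otherwise stating what recovery requires, since the warning currently leaves the reader without a path back.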
ai-services | How To Audio Content Creation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-audio-content-creation.md | To add users to a Speech resource so that they can use Audio Content Creation, d 1. Select **Access control (IAM)** on the left navigation pane. 1. Select **Add** -> **Add role assignment**. 1. On the **Role** tab on the next screen, select a role you want to add (in this case, **Owner**).-1. On the **Members** tab, enter a user's email address and select the user's name in the directory. The email address must be linked to a Microsoft account that's trusted by Azure Active Directory. Users can easily sign up for a [Microsoft account](https://account.microsoft.com/account) by using their personal email address. +1. On the **Members** tab, enter a user's email address and select the user's name in the directory. The email address must be linked to a Microsoft account that's trusted by Microsoft Entra ID. Users can easily sign up for a [Microsoft account](https://account.microsoft.com/account) by using their personal email address. 1. On the **Review + assign** tab, select **Review + assign** to assign the role. Here is what happens next: If you want to allow a user to grant access to other users, you need to assign t :::image type="content" source="media/audio-content-creation/add-role.png" alt-text="Screenshot showing the 'Owner' role on the 'Add role assignment' pane. "::: -1. In the [Azure portal](https://portal.azure.com/), select the collapsed menu at the upper left, select **Azure Active Directory**, and then select **Users**. +1. In the [Azure portal](https://portal.azure.com/), select the collapsed menu at the upper left, select **Microsoft Entra ID**, and then select **Users**. 1. Search for the user's Microsoft account, go to their detail page, and then select **Assigned roles**. 1. Select **Add assignments** > **Directory Readers**. 
If the **Add assignments** button is unavailable, it means that you don't have access. Only the global administrator of this directory can add assignments to users. |
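Review bot: The step "select a role you want to add (in this case, **Owner**)" is introduced as the way to let users use Audio Content Creation, yet the article separately distinguishes the case where a user must be able to grant access to others. Owner grants full control of the resource including the ability to assign roles, so for the plain usage case the text should point the reader to the least-privileged role that suffices and reserve Owner for the delegation case it describes later. In the `+` line, "a Microsoft account that's trusted by Microsoft Entra ID" reads oddly; "an account that exists in, or is a guest of, the Microsoft Entra tenant" is closer to what the directory lookup in the next step requires.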
ai-services | How To Configure Azure Ad Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-azure-ad-auth.md | Title: How to configure Azure Active Directory Authentication + Title: How to configure Microsoft Entra authentication -description: Learn how to authenticate using Azure Active Directory Authentication +description: Learn how to authenticate using Microsoft Entra authentication zone_pivot_groups: programming-languages-set-two ms.devlang: cpp, csharp, java, python -# Azure Active Directory Authentication with the Speech SDK +# Microsoft Entra authentication with the Speech SDK -When using the Speech SDK to access the Speech service, there are three authentication methods available: service keys, a key-based token, and Azure Active Directory (Azure AD). This article describes how to configure a Speech resource and create a Speech SDK configuration object to use Azure AD for authentication. +When using the Speech SDK to access the Speech service, there are three authentication methods available: service keys, a key-based token, and Microsoft Entra ID. This article describes how to configure a Speech resource and create a Speech SDK configuration object to use Microsoft Entra ID for authentication. -This article shows how to use Azure AD authentication with the Speech SDK. You'll learn how to: +This article shows how to use Microsoft Entra authentication with the Speech SDK. You'll learn how to: > [!div class="checklist"] > > - Create a Speech resource-> - Configure the Speech resource for Azure AD authentication -> - Get an Azure AD access token +> - Configure the Speech resource for Microsoft Entra authentication +> - Get a Microsoft Entra access token > - Create the appropriate SDK configuration object. -To learn more about Azure AD access tokens, including token lifetime, visit [Access tokens in the Microsoft identity platform](/azure/active-directory/develop/access-tokens). 
+To learn more about Microsoft Entra access tokens, including token lifetime, visit [Access tokens in the Microsoft identity platform](/azure/active-directory/develop/access-tokens). ## Create a Speech resource To create a Speech resource in the [Azure portal](https://portal.azure.com), see [Get the keys for your resource](~/articles/ai-services/multi-service-resource.md?pivots=azportal#get-the-keys-for-your-resource) -## Configure the Speech resource for Azure AD authentication +<a name='configure-the-speech-resource-for-azure-ad-authentication'></a> -To configure your Speech resource for Azure AD authentication, create a custom domain name and assign roles. +## Configure the Speech resource for Microsoft Entra authentication ++To configure your Speech resource for Microsoft Entra authentication, create a custom domain name and assign roles. ### Create a custom domain name [!INCLUDE [Custom Domain include](includes/how-to/custom-domain.md)] ### Assign roles-For Azure AD authentication with Speech resources, you need to assign either the *Cognitive Services Speech Contributor* or *Cognitive Services Speech User* role. +For Microsoft Entra authentication with Speech resources, you need to assign either the *Cognitive Services Speech Contributor* or *Cognitive Services Speech User* role. You can assign roles to the user or application using the [Azure portal](../../role-based-access-control/role-assignments-portal.md) or [PowerShell](../../role-based-access-control/role-assignments-powershell.md). -## Get an Azure AD access token +<a name='get-an-azure-ad-access-token'></a> ++## Get a Microsoft Entra access token ::: zone pivot="programming-language-csharp"-To get an Azure AD access token in C#, use the [Azure Identity Client Library](/dotnet/api/overview/azure/identity-readme). +To get a Microsoft Entra access token in C#, use the [Azure Identity Client Library](/dotnet/api/overview/azure/identity-readme). 
-Here's an example of using Azure Identity to get an Azure AD access token from an interactive browser: +Here's an example of using Azure Identity to get a Microsoft Entra access token from an interactive browser: ```c# TokenRequestContext context = new Azure.Core.TokenRequestContext(new string[] { "https://cognitiveservices.azure.com/.default" }); InteractiveBrowserCredential browserCredential = new InteractiveBrowserCredential(); The token context must be set to "https://cognitiveservices.azure.com/.default". ::: zone-end ::: zone pivot="programming-language-cpp"-To get an Azure AD access token in C++, use the [Azure Identity Client Library](https://github.com/Azure/azure-sdk-for-cpp/tree/main/sdk/identity/azure-identity). +To get a Microsoft Entra access token in C++, use the [Azure Identity Client Library](https://github.com/Azure/azure-sdk-for-cpp/tree/main/sdk/identity/azure-identity). -Here's an example of using Azure Identity to get an Azure AD access token with your tenant ID, client ID, and client secret credentials: +Here's an example of using Azure Identity to get a Microsoft Entra access token with your tenant ID, client ID, and client secret credentials: ```cpp const std::string tenantId = "Your Tenant ID"; const std::string clientId = "Your Client ID"; The token context must be set to "https://cognitiveservices.azure.com/.default". ::: zone-end ::: zone pivot="programming-language-java"-To get an Azure AD access token in Java, use the [Azure Identity Client Library](/java/api/overview/azure/identity-readme). +To get a Microsoft Entra access token in Java, use the [Azure Identity Client Library](/java/api/overview/azure/identity-readme). 
-Here's an example of using Azure Identity to get an Azure AD access token from a browser: +Here's an example of using Azure Identity to get a Microsoft Entra access token from a browser: ```java TokenRequestContext context = new TokenRequestContext(); context.addScopes("https://cognitiveservices.azure.com/.default"); The token context must be set to "https://cognitiveservices.azure.com/.default". ::: zone-end ::: zone pivot="programming-language-python"-To get an Azure AD access token in Java, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme). +To get a Microsoft Entra access token in Java, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme). -Here's an example of using Azure Identity to get an Azure AD access token from an interactive browser: +Here's an example of using Azure Identity to get a Microsoft Entra access token from an interactive browser: ```Python from azure.identity import InteractiveBrowserCredential ibc = InteractiveBrowserCredential() aadToken = ibc.get_token("https://cognitiveservices.azure.com/.default") ::: zone-end ::: zone pivot="programming-language-more"-Find samples that get an Azure AD access token in [Microsoft identity platform code samples](../../active-directory/develop/sample-v2-code.md). +Find samples that get a Microsoft Entra access token in [Microsoft identity platform code samples](../../active-directory/develop/sample-v2-code.md). For programming languages where a Microsoft identity platform client library isn't available, you can directly [request an access token](../../active-directory/develop/v2-oauth-ropc.md). ::: zone-end ## Get the Speech resource ID -You need your Speech resource ID to make SDK calls using Azure AD authentication. +You need your Speech resource ID to make SDK calls using Microsoft Entra authentication. > [!NOTE] > For Intent Recognition use your LUIS Prediction resource ID. 
$resourceId = resource.Id ## Create the Speech SDK configuration object -With an Azure AD access token, you can now create a Speech SDK configuration object. +With a Microsoft Entra access token, you can now create a Speech SDK configuration object. The method of providing the token, and the method to construct the corresponding Speech SDK ```Config``` object varies by the object you'll be using. ### SpeechRecognizer, SpeechSynthesizer, IntentRecognizer, ConversationTranscriber -For ```SpeechRecognizer```, ```SpeechSynthesizer```, ```IntentRecognizer```, ```ConversationTranscriber``` objects, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```SpeechConfig``` object. +For ```SpeechRecognizer```, ```SpeechSynthesizer```, ```IntentRecognizer```, ```ConversationTranscriber``` objects, build the authorization token from the resource ID and the Microsoft Entra access token and then use it to create a ```SpeechConfig``` object. ::: zone pivot="programming-language-csharp" ```C# speechConfig = SpeechConfig(auth_token=authorizationToken, region=region) ### TranslationRecognizer -For the ```TranslationRecognizer```, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```SpeechTranslationConfig``` object. +For the ```TranslationRecognizer```, build the authorization token from the resource ID and the Microsoft Entra access token and then use it to create a ```SpeechTranslationConfig``` object. ::: zone pivot="programming-language-csharp" ```C# translationConfig = SpeechTranslationConfig(auth_token=authorizationToken, regio ### DialogServiceConnector -For the ```DialogServiceConnection``` object, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```CustomCommandsConfig``` or a ```BotFrameworkConfig``` object. 
+For the ```DialogServiceConnection``` object, build the authorization token from the resource ID and the Microsoft Entra access token and then use it to create a ```CustomCommandsConfig``` or a ```BotFrameworkConfig``` object. ::: zone pivot="programming-language-csharp" ```C# The DialogServiceConnector is not currently supported in Python ::: zone-end ### VoiceProfileClient-To use the ```VoiceProfileClient``` with Azure AD authentication, use the custom domain name created above. +To use the ```VoiceProfileClient``` with Microsoft Entra authentication, use the custom domain name created above. ::: zone pivot="programming-language-csharp" ```C# The ```VoiceProfileClient``` isn't available with the Speech SDK for Python. ::: zone-end > [!NOTE]-> The ```ConversationTranslator``` doesn't support Azure AD authentication. +> The ```ConversationTranslator``` doesn't support Microsoft Entra authentication. |
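Review bot: In the Python zone pivot, the `+` line "To get a Microsoft Entra access token in Java, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme)" carries over the wrong language name from the `-` line; it should say "in Python". Two smaller points in the same patch: the fence languages alternate between ```c# and ```C# and use ```Python, which renders inconsistently, so pick one casing per language; and the DialogServiceConnector section heads "### DialogServiceConnector" but the `+` line refers to "the ```DialogServiceConnection``` object", so one of the two names is a typo.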
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/language-support.md | With the cross-lingual feature, you can transfer your custom neural voice model # [Pronunciation assessment](#tab/pronunciation-assessment) -The table in this section summarizes the 22 locales supported for pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). Latest update extends support from English to 21 additional languages and quality enhancements to existing features, including accuracy, fluency and miscue assessment. You should specify the language that you're learning or practicing improving pronunciation. The default language is set as `en-US`. If you know your target learning language, [set the locale](how-to-pronunciation-assessment.md#get-pronunciation-assessment-results) accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario. +The table in this section summarizes the 23 locales supported for pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). Latest update extends support from English to 22 additional languages and quality enhancements to existing features, including accuracy, fluency and miscue assessment. You should specify the language that you're learning or practicing improving pronunciation. The default language is set as `en-US`. If you know your target learning language, [set the locale](how-to-pronunciation-assessment.md#get-pronunciation-assessment-results) accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. 
If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario. [!INCLUDE [Language support include](includes/language-support/pronunciation-assessment.md)] |
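Review bot: The `+` line keeps the ungrammatical "You should specify the language that you're learning or practicing improving pronunciation" from the `-` line; suggest "Specify the language whose pronunciation you're learning or practicing." The locale counts (23 supported, 22 beyond English) are consistent with each other in the new text.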
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/role-based-access-control.md | For finer-grained resource access control, you can [add or remove roles](../../r The [roles](#roles-for-speech-resources) define what permissions you have. Authentication is required to use the Speech resource. -To authenticate with Speech resource keys, all you need is the key and region. To authenticate with an Azure AD token, the Speech resource must have a [custom subdomain](speech-services-private-link.md#create-a-custom-domain-name) and use a [private endpoint](speech-services-private-link.md#turn-on-private-endpoints). The Speech service uses custom subdomains with private endpoints only. +To authenticate with Speech resource keys, all you need is the key and region. To authenticate with a Microsoft Entra token, the Speech resource must have a [custom subdomain](speech-services-private-link.md#create-a-custom-domain-name) and use a [private endpoint](speech-services-private-link.md#turn-on-private-endpoints). The Speech service uses custom subdomains with private endpoints only. ### Speech SDK authentication -For the SDK, you configure whether to authenticate with a Speech resource key or Azure AD token. For details, see [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md). +For the SDK, you configure whether to authenticate with a Speech resource key or Microsoft Entra token. For details, see [Microsoft Entra authentication with the Speech SDK](how-to-configure-azure-ad-auth.md). ### Speech Studio authentication -Once you're signed into [Speech Studio](speech-studio-overview.md), you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Azure AD token. Speech Studio gets the key or token automatically from the Speech resource. 
If one of the assigned [roles](#roles-for-speech-resources) has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Azure AD token. +Once you're signed into [Speech Studio](speech-studio-overview.md), you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Microsoft Entra token. Speech Studio gets the key or token automatically from the Speech resource. If one of the assigned [roles](#roles-for-speech-resources) has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Microsoft Entra token. -If Speech Studio uses your Azure AD token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files. +If Speech Studio uses your Microsoft Entra token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files. | Authentication credential | Feature availability | | | | |Speech resource key|Full access limited only by the assigned role permissions.|-|Azure AD token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.| -|Azure AD token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice. 
But you can't use a Custom Speech model or Custom Neural Voice.| +|Microsoft Entra token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.| +|Microsoft Entra token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice. But you can't use a Custom Speech model or Custom Neural Voice.| ## Next steps -* [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md). +* [Microsoft Entra authentication with the Speech SDK](how-to-configure-azure-ad-auth.md). * [Speech service encryption of data at rest](speech-encryption-of-data-at-rest.md). |
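Review bot: the last row of the feature-availability table still ends with "But you can't use a Custom Speech model or Custom Neural Voice.", which reads as if the models are unusable outright; the paragraph above it is more precise ("you can't use a Custom Speech model to transcribe audio files"), so the row should name what is blocked (transcribing with the Custom Speech model, synthesizing with the Custom Neural Voice) rather than "use". While touching the Speech Studio paragraph, it is worth spelling out the consequence of "If one of the assigned roles has permission to list resource keys, Speech Studio will authenticate with the key": in that case the session is authenticated by the shared resource key and not by the signed-in user's Microsoft Entra token, which is the reason the key path gets full access in the table while the token path does not.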
ai-services | Document Translation Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/connector/document-translation-flow.md | Here are the steps to upload a file from your SharePoint site to Azure Blob Stor 1. If you're using the Azure storage step for the first time, you need to enter your storage resource authentication: -1. In the **Authentication type** field, choose **Azure AD Integrated** and then select the **Sign in** button. +1. In the **Authentication type** field, choose **Microsoft Entra integrated** and then select the **Sign in** button. :::image type="content" source="../media/connectors/storage-authentication.png" alt-text="Screenshot of Azure Blob Storage authentication window."::: -1. Choose the Azure Active Directory (Azure AD) account associated with your Azure Blob Storage and Translator resource accounts. +1. Choose the Microsoft Entra account associated with your Azure Blob Storage and Translator resource accounts. 1. After you have completed the **Azure Blob Storage** authentication, the **Create blob** step appears. Complete the fields as follows: |
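Review bot: step 1 now tells the reader to choose **Microsoft Entra integrated** in the **Authentication type** field, but that is a quoted option from the Azure Blob Storage connector's drop-down, not prose; if the connector still shows "Azure AD Integrated" the step no longer matches the screen, and the screenshot `storage-authentication.png` referenced right after it was not updated either. Confirm the label in the connector UI before renaming a quoted control, or keep the old label with the new name in parentheses until the product text changes.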
ai-services | Create Sas Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-sas-tokens.md | Last updated 07/18/2023 # Create SAS tokens for your storage containers -In this article, you learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account. +In this article, you learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Microsoft Entra credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account. :::image type="content" source="../../media/sas-url-token.png" alt-text="Screenshot of a storage url with SAS token appended."::: In this article, you learn how to create user delegation, shared access signatur > > [Managed identities](create-use-managed-identities.md) provide an alternate method for you to grant access to your storage data without the need to include SAS tokens with your HTTP requests. *See*, [Managed identities for Document Translation](create-use-managed-identities.md). >-> * You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. +> * You can use managed identities to grant access to any resource that supports Microsoft Entra authentication, including your own applications. > * Using managed identities replaces the requirement for you to include shared access signature tokens (SAS) with your source and target URLs. > * There's no added cost to use managed identities in Azure. 
Go to the [Azure portal](https://portal.azure.com/#home) and navigate to your co * Consider setting a longer duration period for the time you're using your storage account for Translator Service operations. * The value of the expiry time is determined by whether you're using an **Account key** or **User delegation key** **Signing method**: * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).- * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Azure AD credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas). + * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Microsoft Entra credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas). 1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. 
For more information,*see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range). |
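Review bot: the bullet "Consider setting a longer duration period for the time you're using your storage account for Translator Service operations" sits directly above advice to "configure an expiration policy to limit the interval and minimize compromise", and the two pull in opposite directions; reword the first to recommend an expiry that just covers the Translator operation, and make clear that the seven-day cap applies only to the **User delegation key** signing method while an **Account key** SAS has no cap unless an expiration policy is set. Minor: "best practices recommended that you configure" should be "best practice recommends that you configure", and "For more information,*see*" is missing a space before *see* in both places it appears.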
ai-services | Create Use Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-use-managed-identities.md | -Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your [source and target URLs](#post-request-body). +Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your [source and target URLs](#post-request-body). :::image type="content" source="../media/managed-identity-rbac-flow.png" alt-text="Screenshot of managed identity flow (RBAC)."::: -* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. +* You can use managed identities to grant access to any resource that supports Microsoft Entra authentication, including your own applications. * To grant access to an Azure resource, assign an Azure role to a managed identity using [Azure role-based access control (`Azure RBAC`)](../../../../role-based-access-control/overview.md). |
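Review bot: the opening definition, "Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources", is wrong in a way the rename preserves: a managed identity does not create an identity or permissions; it is a service principal whose credentials Azure manages, and its permissions come only from the role assignment the last bullet describes. Suggest: "Managed identities for Azure resources are Microsoft Entra service principals whose credentials Azure manages for you; you grant them access by assigning Azure roles."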
ai-services | Document Translation Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/quickstarts/document-translation-sdk.md | To get started, you need: You can choose one of the following options to authorize access to your Translator resource. -**✔️ Managed Identity**. A managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for an Azure managed resource. Managed identities enable you to run your Translator application without having to embed credentials in your code. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your source and target URLs. +**✔️ Managed Identity**. A managed identity is a service principal that creates a Microsoft Entra identity and specific permissions for an Azure managed resource. Managed identities enable you to run your Translator application without having to embed credentials in your code. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your source and target URLs. To learn more, *see* [Managed identities for Document Translation](../how-to-guides/create-use-managed-identities.md). |
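Review bot: the **Managed Identity** bullet repeats the faulty definition from create-use-managed-identities.md ("a service principal that creates a Microsoft Entra identity and specific permissions"); a managed identity is a platform-managed service principal and holds no permissions until a role is assigned. Because the bullet also says managed identities "replace the requirement for you to include shared access signature tokens (SAS) with your source and target URLs", it should say that the identity needs a role assignment on the storage account for that to hold; as written, a reader who drops the SAS without assigning a role gets authorization failures.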
ai-services | Encrypt Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/encrypt-data-at-rest.md | Follow these steps to enable customer-managed keys for Translator: ### Enable customer-managed keys -You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). +You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md). A new Azure AI services resource is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault. The key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Azure AI services resource. The managed identity is available as soon as the resource is created. 
To learn how to use customer-managed keys with Azure Key Vault for Azure AI serv - [Configure customer-managed keys with Key Vault for Azure AI services encryption from the Azure portal](../Encryption/cognitive-services-encryption-keys-portal.md) -Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md). +Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md). > [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. Any models that you have deployed will also be undeployed. All uploaded data will be deleted from Custom Translator. If the managed identities are re-enabled, we will not automatically redeploy the model for you. > [!IMPORTANT]-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. 
If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ### Store customer-managed keys in Azure Key Vault |
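Review bot: the second IMPORTANT note renames the quoted heading to **Transferring a subscription between Microsoft Entra directories** but keeps the fragment `#transferring-a-subscription-between-azure-ad-directories`; if known-issues.md renames its heading the same way, this link lands at the top of that page unless the target keeps an `<a name>` alias (v3-0-reference.md in this same change set shows the pattern). Also, "Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID" should hyphenate "customer-managed" and "system-assigned" to match the section heading "Enable customer-managed keys".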
ai-services | V3 0 Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-reference.md | Authorization: Bearer <Base64-access_token> An authentication token is valid for 10 minutes. The token should be reused when making multiple calls to the Translator. However, if your program makes requests to the Translator over an extended period of time, then your program must request a new access token at regular intervals (for example, every 8 minutes). -## Authentication with Azure Active Directory (Azure AD) +<a name='authentication-with-azure-active-directory-azure-ad'></a> - Translator v3.0 supports Azure AD authentication, Microsoft's cloud-based identity and access management solution. Authorization headers enable the Translator service to validate that the requesting client is authorized to use the resource and to complete the request. +## Authentication with Microsoft Entra ID ++ Translator v3.0 supports Microsoft Entra authentication, Microsoft's cloud-based identity and access management solution. Authorization headers enable the Translator service to validate that the requesting client is authorized to use the resource and to complete the request. ### **Prerequisites** -* A brief understanding of how to [**authenticate with Azure Active Directory**](../../authentication.md?tabs=powershell#authenticate-with-azure-active-directory). +* A brief understanding of how to [**authenticate with Microsoft Entra ID**](../../authentication.md?tabs=powershell#authenticate-with-azure-active-directory). * A brief understanding of how to [**authorize access to managed identities**](../../authentication.md?tabs=powershell#authorize-access-to-managed-identities). |
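Review bot: adding `<a name='authentication-with-azure-active-directory-azure-ad'></a>` before the renamed heading is the right way to keep inbound links working, and the other files in this change set that rename a heading or a quoted heading reference should do the same. Two small things in the same hunk: the paragraph " Translator v3.0 supports Microsoft Entra authentication..." keeps a stray leading space from the old line, and the prerequisites link text now says "authenticate with Microsoft Entra ID" while its fragment is still `#authenticate-with-azure-active-directory`, which only resolves if authentication.md carries the same kind of alias.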
ai-services | Use Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/use-key-vault.md | In a new instance of the **Windows PowerShell**, read the environment variable. ## Authenticate to Azure using Visual Studio -Developers using Visual Studio 2017 or later can authenticate an Azure Active Directory account through Visual Studio. This enables you to access secrets in your key vault by signing into your Azure subscription from within the IDE. +Developers using Visual Studio 2017 or later can authenticate a Microsoft Entra account through Visual Studio. This enables you to access secrets in your key vault by signing into your Azure subscription from within the IDE. To authenticate in Visual Studio, select **Tools** from the top navigation menu, and select **Options**. Navigate to the **Azure Service Authentication** option to sign in with your user name and password. Create a new folder named `keyVaultExample`. Then use your preferred code editor ### Install Key Vault and Language service packages -1. In a terminal or command prompt, navigate to your project folder and install the Azure Active Directory identity library: +1. In a terminal or command prompt, navigate to your project folder and install the Microsoft Entra identity library: ```terminal pip install azure-identity |
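Review bot: step 1 now calls `azure-identity` "the Microsoft Entra identity library", but that package is the Azure Identity client library; it obtains Microsoft Entra tokens, it is not an Entra product. Suggest "install the Azure Identity client library, which authenticates to Microsoft Entra ID:" so the description matches `pip install azure-identity`.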
ai-services | What Are Ai Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/what-are-ai-services.md | Azure AI services supports a wide range of cultural languages at the service lev ## Security -Azure AI services provides a layered security model, including [authentication](authentication.md "Authentication") with Azure Active Directory credentials, a valid resource key, and [Azure Virtual Networks](cognitive-services-virtual-networks.md "Azure Virtual Networks"). +Azure AI services provides a layered security model, including [authentication](authentication.md "Authentication") with Microsoft Entra credentials, a valid resource key, and [Azure Virtual Networks](cognitive-services-virtual-networks.md "Azure Virtual Networks"). ## Certifications and compliance |
aks | Access Control Managed Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-control-managed-azure-ad.md | Title: Cluster access control with AKS-managed Azure Active Directory integration -description: Learn how to access clusters when integrating Azure AD in your Azure Kubernetes Service (AKS) clusters. + Title: Cluster access control with AKS-managed Microsoft Entra integration +description: Learn how to access clusters when integrating Microsoft Entra ID in your Azure Kubernetes Service (AKS) clusters. Last updated 04/20/2023 -# Cluster access control with AKS-managed Azure Active Directory integration +# Cluster access control with AKS-managed Microsoft Entra integration -When you integrate Azure AD with your AKS cluster, you can use [Conditional Access][aad-conditional-access] or Privileged Identity Management (PIM) for just-in-time requests to control access to your cluster. This article shows you how to enable Conditional Access and PIM on your AKS clusters. +When you integrate Microsoft Entra ID with your AKS cluster, you can use [Conditional Access][aad-conditional-access] or Privileged Identity Management (PIM) for just-in-time requests to control access to your cluster. This article shows you how to enable Conditional Access and PIM on your AKS clusters. > [!NOTE]-> Azure AD Conditional Access and Privileged Identity Management are Azure AD Premium capabilities requiring a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide][aad-pricing]. +> Microsoft Entra Conditional Access and Privileged Identity Management are Microsoft Entra ID P1 or P2 capabilities requiring a Premium P2 SKU. For more on Microsoft Entra ID SKUs, see the [pricing guide][aad-pricing]. ## Before you begin -* See [AKS-managed Azure Active Directory integration](./managed-azure-ad.md) for an overview and setup instructions. 
+* See [AKS-managed Microsoft Entra integration](./managed-azure-ad.md) for an overview and setup instructions. -## Use Conditional Access with Azure AD and AKS +<a name='use-conditional-access-with-azure-ad-and-aks'></a> -1. In the Azure portal, go to the **Azure Active Directory** page and select **Enterprise applications**. +## Use Conditional Access with Microsoft Entra ID and AKS ++1. In the Azure portal, go to the **Microsoft Entra ID** page and select **Enterprise applications**. 2. Select **Conditional Access** > **Policies** > **New policy**. :::image type="content" source="./media/managed-aad/conditional-access-new-policy.png" alt-text="Screenshot of adding a Conditional Access policy." lightbox="./media/managed-aad/conditional-access-new-policy.png"::: 3. Enter a name for the policy, such as *aks-policy*. -4. Under **Assignments**, select **Users and groups**. Choose the users and groups you want to apply the policy to. In this example, choose the same Azure AD group that has administrator access to your cluster. +4. Under **Assignments**, select **Users and groups**. Choose the users and groups you want to apply the policy to. In this example, choose the same Microsoft Entra group that has administrator access to your cluster. :::image type="content" source="./media/managed-aad/conditional-access-users-groups.png" alt-text="Screenshot of selecting users or groups to apply the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-users-groups.png"::: -5. Under **Cloud apps or actions** > **Include**, select **Select apps**. Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service AAD Server**. +5. Under **Cloud apps or actions** > **Include**, select **Select apps**. Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service Microsoft Entra Server**. 
:::image type="content" source="./media/managed-aad/conditional-access-apps.png" alt-text="Screenshot of selecting Azure Kubernetes Service AD Server for applying the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-apps.png"::: When you integrate Azure AD with your AKS cluster, you can use [Conditional Acce kubectl get nodes ``` -4. In the Azure portal, navigate to **Azure Active Directory** and select **Enterprise applications** > **Activity** > **Sign-ins**. +4. In the Azure portal, navigate to **Microsoft Entra ID** and select **Enterprise applications** > **Activity** > **Sign-ins**. 5. Under the **Conditional Access** column you should see a status of *Success*. Select the event and then select the **Conditional Access** tab. Your Conditional Access policy will be listed. :::image type="content" source="./media/managed-aad/conditional-access-sign-in-activity.png" alt-text="Screenshot that shows failed sign-in entry due to Conditional Access policy." lightbox="./media/managed-aad/conditional-access-sign-in-activity.png"::: -## Configure just-in-time cluster access with Azure AD and AKS +<a name='configure-just-in-time-cluster-access-with-azure-ad-and-aks'></a> ++## Configure just-in-time cluster access with Microsoft Entra ID and AKS -1. In the Azure portal, go to **Azure Active Directory** and select **Properties**. +1. In the Azure portal, go to **Microsoft Entra ID** and select **Properties**. 2. Note the value listed under **Tenant ID**. It will be referenced in a later step as `<tenant-id>`. - :::image type="content" source="./media/managed-aad/jit-get-tenant-id.png" alt-text="Screenshot of the Azure portal screen for Azure Active Directory with the tenant's ID highlighted." lightbox="./media/managed-aad/jit-get-tenant-id.png"::: + :::image type="content" source="./media/managed-aad/jit-get-tenant-id.png" alt-text="Screenshot of the Azure portal screen for Microsoft Entra ID with the tenant's ID highlighted." 
lightbox="./media/managed-aad/jit-get-tenant-id.png"::: 3. Select **Groups** > **New group**. :::image type="content" source="./media/managed-aad/jit-create-new-group.png" alt-text="Screenshot of the Azure portal Active Directory groups screen with the New Group option highlighted." lightbox="./media/managed-aad/jit-create-new-group.png"::: -4. Verify the group type **Security** is selected and specify a group name, such as *myJITGroup*. Under the option **Azure AD roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**. +4. Verify the group type **Security** is selected and specify a group name, such as *myJITGroup*. Under the option **Microsoft Entra roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**. :::image type="content" source="./media/managed-aad/jit-new-group-created.png" alt-text="Screenshot of the new group creation screen in the Azure portal." lightbox="./media/managed-aad/jit-new-group-created.png"::: When you integrate Azure AD with your AKS cluster, you can use [Conditional Acce :::image type="content" source="./media/managed-aad/jit-get-object-id.png" alt-text="Screenshot of the Azure portal screen for the just-created group with the Object ID highlighted." lightbox="./media/managed-aad/jit-get-object-id.png"::: -6. Create the AKS cluster with AKS-managed Azure AD integration using the [`az aks create`][az-aks-create] command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier. +6. Create the AKS cluster with AKS-managed Microsoft Entra integration using the [`az aks create`][az-aks-create] command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier. ```azurecli-interactive az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <object-id> --aad-tenant-id <tenant-id> |
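Review bot: the NOTE now reads "Microsoft Entra Conditional Access and Privileged Identity Management are Microsoft Entra ID P1 or P2 capabilities requiring a Premium P2 SKU", which contradicts itself within one sentence (P1 or P2, then P2 required); the original "Azure AD Premium capabilities requiring a Premium P2 SKU" was at least consistent, so state the licence requirement per feature instead. Separately, step 5 renames the app to search for to **Azure Kubernetes Service Microsoft Entra Server**, while the alt text on the very next line still says "Azure Kubernetes Service AD Server"; the searchable name must be the enterprise application's actual display name in the portal, and the step and alt text should agree. Minor: in step 6, `--aad-tenant-id parameters` puts the closing backtick after "parameters" instead of after the flag.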
aks | Aks Support Help | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-support-help.md | The following table lists the tags for AKS and related | [Azure storage accounts](../storage/common/storage-account-overview.md) | [azure-storage-accounts](/answers/topics/azure-storage-accounts.html)| | [Azure Managed Identities](../active-directory/managed-identities-azure-resources/overview.md) | [azure-managed-identity](/answers/topics/azure-managed-identity.html) | | [Azure RBAC](../role-based-access-control/overview.md) | [azure-rbac](/answers/topics/azure-rbac.html)|-| [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) | [azure-active-directory](/answers/topics/azure-active-directory.html)| +| [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) | [Microsoft Entra ID](/answers/topics/azure-active-directory.html)| | [Azure Policy](../governance/policy/overview.md) | [azure-policy](/answers/topics/azure-policy.html)| | [Azure Virtual Machine Scale Sets](../virtual-machine-scale-sets/overview.md) | [virtual-machine-scale-sets](/answers/topics/123/azure-virtual-machines-scale-set.html)| | [Azure Virtual Network](../virtual-network/network-overview.md) | [azure-virtual-network](/answers/topics/azure-virtual-network.html)| |
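Review bot: the right-hand column of the tags table holds Microsoft Q&A tag slugs (`azure-managed-identity`, `azure-rbac`, `azure-policy`), but this row now shows `Microsoft Entra ID` as the tag while still linking to `/answers/topics/azure-active-directory.html`. Readers use that column to find the tag to apply, so it should stay `azure-active-directory` (the slug the link still resolves to) and only the product name in the left-hand column should change.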
aks | Azure Ad Integration Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-integration-cli.md | Title: Integrate Azure Active Directory with Azure Kubernetes Service (AKS) (legacy) -description: Learn how to use the Azure CLI to create and Azure Active Directory-enabled Azure Kubernetes Service (AKS) cluster (legacy) + Title: Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) (legacy) +description: Learn how to use the Azure CLI to create and Microsoft Entra ID-enabled Azure Kubernetes Service (AKS) cluster (legacy) Last updated 08/15/2023 -# Integrate Azure Active Directory with Azure Kubernetes Service (AKS) using the Azure CLI (legacy) +# Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) using the Azure CLI (legacy) > [!WARNING]-> The feature described in this document, Azure AD Integration (legacy) was **deprecated on June 1st, 2023**. At this time, no new clusters can be created with Azure AD Integration (legacy). All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from December 1st, 2023. +> The feature described in this document, Microsoft Entra Integration (legacy) was **deprecated on June 1st, 2023**. At this time, no new clusters can be created with Microsoft Entra Integration (legacy). All Microsoft Entra Integration (legacy) AKS clusters will be migrated to AKS-managed Microsoft Entra ID automatically starting from December 1st, 2023. >-> AKS has a new improved [AKS-managed Azure AD][managed-aad] experience that doesn't require you to manage server or client applications. If you want to migrate follow the instructions [here][managed-aad-migrate]. +> AKS has a new improved [AKS-managed Microsoft Entra ID][managed-aad] experience that doesn't require you to manage server or client applications. If you want to migrate follow the instructions [here][managed-aad-migrate]. 
-Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (AD) for user authentication. In this configuration, you can log into an AKS cluster using an Azure AD authentication token. Cluster operators can also configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. +Azure Kubernetes Service (AKS) can be configured to use Microsoft Entra ID for user authentication. In this configuration, you can log into an AKS cluster using a Microsoft Entra authentication token. Cluster operators can also configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. -This article shows you how to create the required Azure AD components, then deploy an Azure AD-enabled cluster and create a basic Kubernetes role in the AKS cluster. +This article shows you how to create the required Microsoft Entra components, then deploy a Microsoft Entra ID-enabled cluster and create a basic Kubernetes role in the AKS cluster. ## Limitations -- Azure AD can only be enabled on Kubernetes RBAC-enabled cluster.-- Azure AD legacy integration can only be enabled during cluster creation.+- Microsoft Entra ID can only be enabled on Kubernetes RBAC-enabled cluster. +- Microsoft Entra legacy integration can only be enabled during cluster creation. ## Before you begin For consistency and to help run the commands in this article, create a variable aksname="myakscluster" ``` -## Azure AD authentication overview +<a name='azure-ad-authentication-overview'></a> -Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][open-id-connect]. +## Microsoft Entra authentication overview ++Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. 
OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][open-id-connect]. From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster. For more information on Webhook token authentication, see the [webhook authentication documentation][kubernetes-webhook]. > [!NOTE]-> When configuring Azure AD for AKS authentication, two Azure AD applications are configured. This operation must be completed by an Azure tenant administrator. +> When configuring Microsoft Entra ID for AKS authentication, two Microsoft Entra applications are configured. This operation must be completed by an Azure tenant administrator. ++<a name='create-azure-ad-server-component'></a> -## Create Azure AD server component +## Create Microsoft Entra server component -To integrate with AKS, you create and use an Azure AD application that acts as an endpoint for the identity requests. The first Azure AD application you need gets Azure AD group membership for a user. +To integrate with AKS, you create and use a Microsoft Entra application that acts as an endpoint for the identity requests. The first Microsoft Entra application you need gets Microsoft Entra group membership for a user. Create the server application component using the [az ad app create][az-ad-app-create] command, then update the group membership claims using the [az ad app update][az-ad-app-update] command. 
The following example uses the *aksname* variable defined in the [Before you begin](#before-you-begin) section, and creates a variable serverApplicationSecret=$(az ad sp credential reset \ --query password -o tsv) ``` -The Azure AD service principal needs permissions to perform the following actions: +The Microsoft Entra service principal needs permissions to perform the following actions: * Read directory data * Sign in and read user profile az ad app permission add \ --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role ``` -Finally, grant the permissions assigned in the previous step for the server application using the [az ad app permission grant][az-ad-app-permission-grant] command. This step fails if the current account is not a tenant admin. You also need to add permissions for Azure AD application to request information that may otherwise require administrative consent using the [az ad app permission admin-consent][az-ad-app-permission-admin-consent]: +Finally, grant the permissions assigned in the previous step for the server application using the [az ad app permission grant][az-ad-app-permission-grant] command. This step fails if the current account is not a tenant admin. You also need to add permissions for Microsoft Entra application to request information that may otherwise require administrative consent using the [az ad app permission admin-consent][az-ad-app-permission-admin-consent]: ```azurecli-interactive az ad app permission grant --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 az ad app permission admin-consent --id $serverApplicationId ``` -## Create Azure AD client component +<a name='create-azure-ad-client-component'></a> ++## Create Microsoft Entra client component -The second Azure AD application is used when a user logs to the AKS cluster with the Kubernetes CLI (`kubectl`). 
This client application takes the authentication request from the user and verifies their credentials and permissions. Create the Azure AD app for the client component using the [az ad app create][az-ad-app-create] command: +The second Microsoft Entra application is used when a user logs to the AKS cluster with the Kubernetes CLI (`kubectl`). This client application takes the authentication request from the user and verifies their credentials and permissions. Create the Microsoft Entra app for the client component using the [az ad app create][az-ad-app-create] command: ```azurecli-interactive clientApplicationId=$(az ad app create \ az ad app permission grant --id $clientApplicationId --api $serverApplicationId ## Deploy the cluster -With the two Azure AD applications created, now create the AKS cluster itself. First, create a resource group using the [az group create][az-group-create] command. The following example creates the resource group in the *EastUS* region: +With the two Microsoft Entra applications created, now create the AKS cluster itself. First, create a resource group using the [az group create][az-group-create] command. The following example creates the resource group in the *EastUS* region: Create a resource group for the cluster: az aks create \ --aad-tenant-id $tenantId ``` -Finally, get the cluster admin credentials using the [az aks get-credentials][az-aks-get-credentials] command. In one of the following steps, you get the regular *user* cluster credentials to see the Azure AD authentication flow in action. +Finally, get the cluster admin credentials using the [az aks get-credentials][az-aks-get-credentials] command. In one of the following steps, you get the regular *user* cluster credentials to see the Microsoft Entra authentication flow in action. 
```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name $aksname --admin az aks get-credentials --resource-group myResourceGroup --name $aksname --admin ## Create Kubernetes RBAC binding -Before an Azure Active Directory account can be used with the AKS cluster, a role binding or cluster role binding needs to be created. *Roles* define the permissions to grant, and *bindings* apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization]. +Before a Microsoft Entra account can be used with the AKS cluster, a role binding or cluster role binding needs to be created. *Roles* define the permissions to grant, and *bindings* apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization]. -Get the user principal name (UPN) for the user currently logged in using the [az ad signed-in-user show][az-ad-signed-in-user-show] command. This user account is enabled for Azure AD integration in the next step. +Get the user principal name (UPN) for the user currently logged in using the [az ad signed-in-user show][az-ad-signed-in-user-show] command. This user account is enabled for Microsoft Entra integration in the next step. ```azurecli-interactive az ad signed-in-user show --query userPrincipalName -o tsv ``` > [!IMPORTANT]-> If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on the *userPrincipalName*. If the user is in a different Azure AD tenant, query for and use the *objectId* property instead. +> If the user you grant the Kubernetes RBAC binding for is in the same Microsoft Entra tenant, assign permissions based on the *userPrincipalName*. 
If the user is in a different Microsoft Entra tenant, query for and use the *objectId* property instead. Create a YAML manifest named `basic-azure-ad-binding.yaml` and paste the following contents. On the last line, replace *userPrincipalName_or_objectId* with the UPN or object ID output from the previous command: Create the ClusterRoleBinding using the [kubectl apply][kubectl-apply] command a kubectl apply -f basic-azure-ad-binding.yaml ``` -## Access cluster with Azure AD +<a name='access-cluster-with-azure-ad'></a> -Now let's test the integration of Azure AD authentication for the AKS cluster. Set the `kubectl` config context to use regular user credentials. This context passes all authentication requests back through Azure AD. +## Access cluster with Microsoft Entra ID ++Now let's test the integration of Microsoft Entra authentication for the AKS cluster. Set the `kubectl` config context to use regular user credentials. This context passes all authentication requests back through Microsoft Entra ID. ```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name $aksname --overwrite-existing Now use the [kubectl get pods][kubectl-get] command to view pods across all name kubectl get pods --all-namespaces ``` -You receive a sign in prompt to authenticate using Azure AD credentials using a web browser. After you've successfully authenticated, the `kubectl` command displays the pods in the AKS cluster, as shown in the following example output: +You receive a sign in prompt to authenticate using Microsoft Entra credentials using a web browser. 
After you've successfully authenticated, the `kubectl` command displays the pods in the AKS cluster, as shown in the following example output: ```console kubectl get pods --all-namespaces If you see an authorization error message after you've successfully signed in us error: You must be logged in to the server (Unauthorized) ``` -* You defined the appropriate object ID or UPN, depending on if the user account is in the same Azure AD tenant or not. +* You defined the appropriate object ID or UPN, depending on if the user account is in the same Microsoft Entra tenant or not. * The user is not a member of more than 200 groups. * Secret defined in the application registration for server matches the value configured using `--aad-server-app-secret` * Be sure that only one version of kubectl is installed on your machine at a time. Conflicting versions can cause issues during authorization. To install the latest version, use [az aks install-cli][az-aks-install-cli]. -## Frequently asked questions about migration from Azure Active Directory Integration to AKS-managed Azure Active Directory +<a name='frequently-asked-questions-about-migration-from-azure-active-directory-integration-to-aks-managed-azure-active-directory'></a> ++## Frequently asked questions about migration from Microsoft Entra Integration to AKS-managed Microsoft Entra ID **1. What is the plan for migration?** -Azure Active Directory Integration (legacy) will be deprecated on 1st June 2023. After this date, you won't be able to create new clusters with Azure Active Directory (legacy). We'll migrate all Azure Active Directory Integration (legacy) AKS clusters to AKS-managed Azure Active Directory automatically starting from 1st August 2023. +Microsoft Entra Integration (legacy) will be deprecated on 1st June 2023. After this date, you won't be able to create new clusters with Microsoft Entra ID (legacy). 
We'll migrate all Microsoft Entra Integration (legacy) AKS clusters to AKS-managed Microsoft Entra ID automatically starting from 1st August 2023. We send notification emails to impacted subscription admins biweekly to remind them of migration. **2. What will happen if I don't take any action?** -Your Azure Active Directory Integration (legacy) AKS clusters will continue working after 1st June 2023. We'll automatically migrate your clusters to AKS-managed Azure Active Directory starting from 1st August 2023. You may experience API server downtime during the migration. +Your Microsoft Entra Integration (legacy) AKS clusters will continue working after 1st June 2023. We'll automatically migrate your clusters to AKS-managed Microsoft Entra ID starting from 1st August 2023. You may experience API server downtime during the migration. The kubeconfig content changes after the migration. You need to merge the new credentials into the kubeconfig file using the `az aks get-credentials --resource-group <AKS resource group name> --name <AKS cluster name>`. -We recommend updating your AKS cluster to [AKS-managed Azure Active Directory][managed-aad-migrate] manually before 1st August. This way you can manage the downtime during non-business hours when it's more convenient. +We recommend updating your AKS cluster to [AKS-managed Microsoft Entra ID][managed-aad-migrate] manually before 1st August. This way you can manage the downtime during non-business hours when it's more convenient. **3. Why do I still receive the notification email after manual migration?** It takes several days for the email to send. If your cluster wasn't migrated before we initiate the email-sending process, you may still receive a notification. -**4. How can I check whether my cluster my cluster is migrated to AKS-managed Azure Active Directory?** +**4. 
How can I check whether my cluster my cluster is migrated to AKS-managed Microsoft Entra ID?** -Confirm your AKS cluster is migrated to the AKS-managed Azure Active Directory using the [`az aks show`][az-aks-show] command. +Confirm your AKS cluster is migrated to the AKS-managed Microsoft Entra ID using the [`az aks show`][az-aks-show] command. ```azurecli az aks show -g <RGName> -n <ClusterName> --query "aadProfile" ``` -If your cluster is using the AKS-managed Azure Active Directory, the output shows `managed` is `true`. For example: +If your cluster is using the AKS-managed Microsoft Entra ID, the output shows `managed` is `true`. For example: ```output { If your cluster is using the AKS-managed Azure Active Directory, the output show ## Next steps -For the complete script that contains the commands shown in this article, see the [Azure AD integration script in the AKS samples repo][complete-script]. +For the complete script that contains the commands shown in this article, see the [Microsoft Entra integration script in the AKS samples repo][complete-script]. -To use Azure AD users and groups to control access to cluster resources, see [Control access to cluster resources using Kubernetes role-based access control and Azure AD identities in AKS][azure-ad-rbac]. +To use Microsoft Entra users and groups to control access to cluster resources, see [Control access to cluster resources using Kubernetes role-based access control and Microsoft Entra identities in AKS][azure-ad-rbac]. For more information about how to secure Kubernetes clusters, see [Access and identity options for AKS)][rbac-authorization]. |
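Review bot: the deprecation FAQ renames a feature that was retired under its old name. In items 1 and 2, "Azure Active Directory Integration (legacy)" becomes "Microsoft Entra Integration (legacy)", yet the same paragraph says subscription admins are emailed biweekly about the migration, and readers who got those emails will be looking for the old name. Keep the old name at first mention, e.g. "Microsoft Entra Integration (legacy, formerly Azure Active Directory Integration)". The same hunk also keeps "will be deprecated on 1st June 2023" and "starting from 1st August 2023" in the future tense; if those dates have passed when this rename lands, reword them to the past tense rather than only swapping the product name.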
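Review bot: the rewritten prose in the deploy, get-credentials and FAQ item 4 hunks now says "Microsoft Entra" throughout, but the commands it explains still use `--aad-tenant-id`, `--aad-server-app-secret` and `--query "aadProfile"`, and the old deep-link anchors (`create-azure-ad-server-component`, `create-azure-ad-client-component`, `access-cluster-with-azure-ad`) are preserved with `<a name=...>` before each renamed heading. That is the right call for the flags and anchors, but nothing tells the reader so; add one sentence near the first command along the lines of "CLI parameters and output property names keep the `aad` prefix" so nobody tries to rename the flags to match the text.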
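Review bot: several slips are carried unchanged from the - side to the + side and should be fixed while these lines are being rewritten. In the client-component hunk, "when a user logs to the AKS cluster" should read "logs in to the AKS cluster". In the server-component hunk, "add permissions for Microsoft Entra application" needs "the" before "Microsoft Entra application". In the access hunk, "authenticate using Microsoft Entra credentials using a web browser" stacks two "using"s; "authenticate with Microsoft Entra credentials in a web browser" is cleaner. FAQ item 4 still asks "whether my cluster my cluster is migrated".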
aks | Azure Ad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-rbac.md | Title: Use Azure AD and Kubernetes RBAC for clusters + Title: Use Microsoft Entra ID and Kubernetes RBAC for clusters -description: Learn how to use Azure Active Directory group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS) +description: Learn how to use Microsoft Entra group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS) Last updated 02/13/2023 -# Use Kubernetes role-based access control with Azure Active Directory in Azure Kubernetes Service +# Use Kubernetes role-based access control with Microsoft Entra ID in Azure Kubernetes Service -Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (Azure AD) for user authentication. In this configuration, you sign in to an AKS cluster using an Azure AD authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership. +Azure Kubernetes Service (AKS) can be configured to use Microsoft Entra ID for user authentication. In this configuration, you sign in to an AKS cluster using a Microsoft Entra authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership. This article shows you how to: -* Control access using Kubernetes RBAC in an AKS cluster based on Azure AD group membership. -* Create example groups and users in Azure AD. +* Control access using Kubernetes RBAC in an AKS cluster based on Microsoft Entra group membership. +* Create example groups and users in Microsoft Entra ID. 
* Create Roles and RoleBindings in an AKS cluster to grant the appropriate permissions to create and view resources. ## Before you begin -* You have an existing AKS cluster with Azure AD integration enabled. If you need an AKS cluster with this configuration, see [Integrate Azure AD with AKS][azure-ad-aks-cli]. -* Kubernetes RBAC is enabled by default during AKS cluster creation. To upgrade your cluster with Azure AD integration and Kubernetes RBAC, [Enable Azure AD integration on your existing AKS cluster][enable-azure-ad-integration-existing-cluster]. +* You have an existing AKS cluster with Microsoft Entra integration enabled. If you need an AKS cluster with this configuration, see [Integrate Microsoft Entra ID with AKS][azure-ad-aks-cli]. +* Kubernetes RBAC is enabled by default during AKS cluster creation. To upgrade your cluster with Microsoft Entra integration and Kubernetes RBAC, [Enable Microsoft Entra integration on your existing AKS cluster][enable-azure-ad-integration-existing-cluster]. * Make sure that Azure CLI version 2.0.61 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. * If using Terraform, install [Terraform][terraform-on-azure] version 2.99.0 or later. -Use the Azure portal or Azure CLI to verify Azure AD integration with Kubernetes RBAC is enabled. +Use the Azure portal or Azure CLI to verify Microsoft Entra integration with Kubernetes RBAC is enabled. #### [Azure portal](#tab/portal) To verify using the Azure portal: * From your browser, sign in to the [Azure portal](https://portal.azure.com). * Navigate to **Kubernetes services**, and from the left-hand pane select **Cluster configuration**.-* Under the **Authentication and Authorization** section, verify the **Azure AD authentication with Kubernetes RBAC** option is selected. 
+* Under the **Authentication and Authorization** section, verify the **Microsoft Entra authentication with Kubernetes RBAC** option is selected. :::image type="content" source="./media/azure-ad-rbac/rbac-portal.png" alt-text="Example of AKS Authentication and Authorization page in Azure portal." lightbox="./media/azure-ad-rbac/rbac-portal.png"::: If it's enabled, the output shows the value for `enableAzureRbac` is `false`. -## Create demo groups in Azure AD +<a name='create-demo-groups-in-azure-ad'></a> -In this article, we'll create two user roles to show how Kubernetes RBAC and Azure AD control access to cluster resources. The following two example roles are used: +## Create demo groups in Microsoft Entra ID ++In this article, we'll create two user roles to show how Kubernetes RBAC and Microsoft Entra ID control access to cluster resources. The following two example roles are used: * **Application developer** * A user named *aksdev* that's part of the *appdev* group. * **Site reliability engineer** * A user named *akssre* that's part of the *opssre* group. -In production environments, you can use existing users and groups within an Azure AD tenant. +In production environments, you can use existing users and groups within a Microsoft Entra tenant. 1. First, get the resource ID of your AKS cluster using the [`az aks show`][az-aks-show] command. Then, assign the resource ID to a variable named *AKS_ID* so it can be referenced in other commands. In production environments, you can use existing users and groups within an Azur --query id -o tsv) ``` -2. Create the first example group in Azure AD for the application developers using the [`az ad group create`][az-ad-group-create] command. The following example creates a group named *appdev*: +2. Create the first example group in Microsoft Entra ID for the application developers using the [`az ad group create`][az-ad-group-create] command. 
The following example creates a group named *appdev*: ```azurecli-interactive APPDEV_ID=$(az ad group create --display-name appdev --mail-nickname appdev --query Id -o tsv) In production environments, you can use existing users and groups within an Azur ``` > [!TIP]-> If you receive an error such as `Principal 35bfec9328bd4d8d9b54dea6dac57b82 doesn't exist in the directory a5443dcd-cd0e-494d-a387-3039b419f0d5.`, wait a few seconds for the Azure AD group object ID to propagate through the directory then try the `az role assignment create` command again. +> If you receive an error such as `Principal 35bfec9328bd4d8d9b54dea6dac57b82 doesn't exist in the directory a5443dcd-cd0e-494d-a387-3039b419f0d5.`, wait a few seconds for the Microsoft Entra group object ID to propagate through the directory then try the `az role assignment create` command again. 4. Create a second example group for SREs named *opssre*. In production environments, you can use existing users and groups within an Azur --scope $AKS_ID ``` -## Create demo users in Azure AD +<a name='create-demo-users-in-azure-ad'></a> ++## Create demo users in Microsoft Entra ID -Now that we have two example groups created in Azure AD for our application developers and SREs, we'll create two example users. To test the Kubernetes RBAC integration at the end of the article, you'll sign in to the AKS cluster with these accounts. +Now that we have two example groups created in Microsoft Entra ID for our application developers and SREs, we'll create two example users. To test the Kubernetes RBAC integration at the end of the article, you'll sign in to the AKS cluster with these accounts. ### Set the user principal name and password for application developers echo "Please enter the secure password for application developers: " && read AAD ### Create the user accounts -1. Create the first user account in Azure AD using the [`az ad user create`][az-ad-user-create] command. 
The following example creates a user with the display name *AKS Dev* and the UPN and secure password using the values in *AAD_DEV_UPN* and *AAD_DEV_PW*: +1. Create the first user account in Microsoft Entra ID using the [`az ad user create`][az-ad-user-create] command. The following example creates a user with the display name *AKS Dev* and the UPN and secure password using the values in *AAD_DEV_UPN* and *AAD_DEV_PW*: ```azurecli-interactive AKSDEV_ID=$(az ad user create \ az ad group member add --group opssre --member-id $AKSSRE_ID ## Create AKS cluster resources for app devs -We have our Azure AD groups, users, and Azure role assignments created. Now, we'll configure the AKS cluster to allow these different groups access to specific resources. +We have our Microsoft Entra groups, users, and Azure role assignments created. Now, we'll configure the AKS cluster to allow these different groups access to specific resources. -1. Get the cluster admin credentials using the [`az aks get-credentials`][az-aks-get-credentials] command. In one of the following sections, you get the regular *user* cluster credentials to see the Azure AD authentication flow in action. +1. Get the cluster admin credentials using the [`az aks get-credentials`][az-aks-get-credentials] command. In one of the following sections, you get the regular *user* cluster credentials to see the Microsoft Entra authentication flow in action. ```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin kubectl create namespace dev > [!NOTE] > In Kubernetes, *Roles* define the permissions to grant, and *RoleBindings* apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization]. 
>-> If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on the *userPrincipalName (UPN)*. If the user is in a different Azure AD tenant, query for and use the *objectId* property instead. +> If the user you grant the Kubernetes RBAC binding for is in the same Microsoft Entra tenant, assign permissions based on the *userPrincipalName (UPN)*. If the user is in a different Microsoft Entra tenant, query for and use the *objectId* property instead. 3. Create a Role for the *dev* namespace, which grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups. Create a file named `role-dev-namespace.yaml` and paste the following YAML manifest: subjects: kubectl apply -f rolebinding-sre-namespace.yaml ``` -## Interact with cluster resources using Azure AD identities +<a name='interact-with-cluster-resources-using-azure-ad-identities'></a> ++## Interact with cluster resources using Microsoft Entra identities Now, we'll test that the expected permissions work when you create and manage resources in an AKS cluster. In these examples, we'll schedule and view pods in the user's assigned namespace, and try to schedule and view pods outside of the assigned namespace. -1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign-in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD. +1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Microsoft Entra sign-in prompts. 
Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Microsoft Entra ID. ```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --overwrite-existing Error from server (Forbidden): pods is forbidden: User "aksdev@contoso.com" cann ### Test the SRE access to the AKS cluster resources -To confirm that our Azure AD group membership and Kubernetes RBAC work correctly between different users and groups, try the previous commands when signed in as the *opssre* user. +To confirm that our Microsoft Entra group membership and Kubernetes RBAC work correctly between different users and groups, try the previous commands when signed in as the *opssre* user. 1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command that clears the previously cached authentication token for the *aksdev* user. Error from server (Forbidden): pods is forbidden: User "akssre@contoso.com" cann ## Clean up resources -In this article, you created resources in the AKS cluster and users and groups in Azure AD. To clean up all of the resources, run the following commands: +In this article, you created resources in the AKS cluster and users and groups in Microsoft Entra ID. To clean up all of the resources, run the following commands: ```azurecli-interactive # Get the admin kubeconfig context to delete the necessary cluster resources. az ad group delete --group opssre [rbac-authorization]: concepts-identity.md#kubernetes-rbac [operator-best-practices-identity]: operator-best-practices-identity.md [terraform-on-azure]: /azure/developer/terraform/overview-[enable-azure-ad-integration-existing-cluster]: managed-azure-ad.md#use-an-existing-cluster +[enable-azure-ad-integration-existing-cluster]: managed-azure-ad.md#use-an-existing-cluster |
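Review bot: the portal verification step now tells readers to look for a **Microsoft Entra authentication with Kubernetes RBAC** option, but that bold text is a UI label rather than prose, and the doc has to match what the Cluster configuration blade actually renders; confirm the label was changed in the portal before changing it here, otherwise keep the old label or give both. The final hunk replaces `[enable-azure-ad-integration-existing-cluster]: managed-azure-ad.md#use-an-existing-cluster` with an identical line, so it is a trailing-newline-only change; the link label, the `managed-azure-ad.md` target and the `<a name='create-demo-groups-in-azure-ad'>`-style anchors correctly keep `azure-ad` so existing links keep resolving.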
aks | Azure Csi Blob Storage Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-blob-storage-provision.md | This section provides guidance for cluster administrators who want to create one |volumeAttributes.MSIEndpoint | Specify the MSI endpoint. | | No || |volumeAttributes.AzureStorageSPNClientID | Specify the Azure Service Principal Name (SPN) Client ID. | | No || |volumeAttributes.AzureStorageSPNTenantID | Specify the Azure SPN Tenant ID. | | No ||-|volumeAttributes.AzureStorageAADEndpoint | Specify the Azure Active Directory (Azure AD) endpoint. | | No || +|volumeAttributes.AzureStorageAADEndpoint | Specify the Microsoft Entra endpoint. | | No || | | **Following parameters are only for feature: blobfuse read account key or SAS token from key vault** | | | | |volumeAttributes.keyVaultURL | Specify Azure Key Vault DNS name. | {vault-name}.vault.azure.net | No || |volumeAttributes.keyVaultSecretName | Specify Azure Key Vault secret name. | Existing Azure Key Vault secret name. | No || The following YAML creates a pod that uses the persistent volume or persistent v [sas-tokens]: ../storage/common/storage-sas-overview.md [azure-datalake-storage-account]: ../storage/blobs/upgrade-to-data-lake-storage-gen2-how-to.md [storage-account-private-endpoint]: ../storage/common/storage-private-endpoints.md-[manage-blob-storage]: ../storage/blobs/blob-containers-cli.md +[manage-blob-storage]: ../storage/blobs/blob-containers-cli.md |
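Review bot: the `volumeAttributes.AzureStorageAADEndpoint` row now describes the value as "the Microsoft Entra endpoint" while the attribute name itself still spells out AAD, so a reader mapping the parameter to its description loses the connection. Suggest "Specify the Microsoft Entra ID (formerly Azure AD) endpoint" so name and description still line up, and leave the attribute name alone since it is a driver parameter, not prose. The closing `[manage-blob-storage]` hunk is a trailing-newline-only change.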
aks | Azure Netapp Files Nfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-nfs.md | To instruct Astra Trident about the Azure NetApp Files subscription and where it clientSecret: rR0rUmWXfNioN1KhtHisiSAnoTherboGuskey6pU ``` -2. Create a file named `backend-anf.yaml` and copy in the following YAML. Change the `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. Use the `subscriptionID` for the Azure subscription where Azure NetApp Files is enabled. Obtain the `tenantID`, `clientID`, and `clientSecret` from an [application registration](../active-directory/develop/howto-create-service-principal-portal.md) in Azure Active Directory (AD) with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The location must be an Azure location that contains at least one delegated subnet created in a previous step. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads). +2. Create a file named `backend-anf.yaml` and copy in the following YAML. Change the `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. Use the `subscriptionID` for the Azure subscription where Azure NetApp Files is enabled. Obtain the `tenantID`, `clientID`, and `clientSecret` from an [application registration](../active-directory/develop/howto-create-service-principal-portal.md) in Microsoft Entra ID with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The location must be an Azure location that contains at least one delegated subnet created in a previous step. 
The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads). ```yaml apiVersion: trident.netapp.io/v1 |
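Review bot: the sentence "The application registration includes the Owner or Contributor role predefined by Azure" is only renamed here, but it is the security-relevant line of this hunk and it is too loose: it does not say which of the two roles the steps actually need or at what scope, and Owner additionally grants the right to manage role assignments, which a storage backend credential never needs. Name the single role the procedure relies on and the narrowest scope that works rather than offering Owner as an alternative. Also, the `clientSecret:` literal shown in the context above step 2 should be called out as a placeholder to replace, and readers should be told not to commit the manifest that carries the real value.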
aks | Azure Netapp Files Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-smb.md | A backend must be created to instruct Astra Trident about the Azure NetApp Files clientSecret: rR0rUmWXfNioN1KhtHisiSAnoTherboGuskey6pU ``` -2. Create a file named `backend-anf-smb.yaml` and copy in the following YAML. Change the `ClientID`, `clientSecret`, `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. The `tenantID`, `clientID`, and `clientSecret` can be found from an application registration in Azure Active Directory (AD) with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The Azure location must contain at least one delegated subnet. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads). +2. Create a file named `backend-anf-smb.yaml` and copy in the following YAML. Change the `ClientID`, `clientSecret`, `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. The `tenantID`, `clientID`, and `clientSecret` can be found from an application registration in Microsoft Entra ID with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The Azure location must contain at least one delegated subnet. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads). ```yaml apiVersion: trident.netapp.io/v1 |
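Review bot: the edited sentence names the field `ClientID` ("Change the `ClientID`, `clientSecret`, ...") and then, one sentence later, `clientID`; YAML keys are case-sensitive, so use the spelling that matches the manifest below (the second sentence's `clientID` looks like the intended one) in both places. While the line is open, "can be found from an application registration" reads better as "come from an application registration".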
aks | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices.md | If you're a cluster operator, work with application owners and developers to und * [Best practices for advanced scheduler features](operator-best-practices-advanced-scheduler.md) * Includes using taints and tolerations, node selectors and affinity, and inter-pod affinity and anti-affinity. * [Best practices for authentication and authorization](operator-best-practices-identity.md)- * Includes integration with Azure Active Directory, using Kubernetes role-based access control (Kubernetes RBAC), using Azure RBAC, and pod identities. + * Includes integration with Microsoft Entra ID, using Kubernetes role-based access control (Kubernetes RBAC), using Azure RBAC, and pod identities. ### Security The following conceptual articles cover some of the fundamental features and com For guidance on a creating full solutions with AKS for production, see [AKS solution guidance][aks-solution-guidance]. <!-- LINKS - internal -->-[aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?WT.mc_id=AKSDOCSPAGE +[aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?WT.mc_id=AKSDOCSPAGE |
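Review bot: the authentication-and-authorization bullet still lists "pod identities" as a best practice after the rename, while the cluster-extensions note further down this page states that pod-managed identity (preview) was deprecated on 10/24/2022 in favour of Microsoft Entra Workload ID. Since the line is being edited anyway, replace "pod identities" with "workload identity" (or drop it) so the best-practices index does not point readers at a deprecated mechanism. The `[aks-solution-guidance]` hunk at the end is a trailing-newline-only change.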
aks | Cluster Container Registry Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-container-registry-integration.md | -The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Azure Active Directory (Azure AD) **managed identity**][aad-identity] associated with the agent pool in your AKS cluster. For more information on AKS managed identities, see [Summary of managed identities][summary-msi]. +The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Microsoft Entra ID **managed identity**][aad-identity] associated with the agent pool in your AKS cluster. For more information on AKS managed identities, see [Summary of managed identities][summary-msi]. > [!IMPORTANT]-> There's a latency issue with Azure Active Directory groups when attaching ACR. If the **AcrPull** role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there may be a delay before the RBAC group takes effect. If you're running automation that requires the RBAC configuration to be complete, we recommend you use [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue. +> There's a latency issue with Microsoft Entra groups when attaching ACR. If the **AcrPull** role is granted to a Microsoft Entra group and the kubelet identity is added to the group to complete the RBAC configuration, there may be a delay before the RBAC group takes effect. If you're running automation that requires the RBAC configuration to be complete, we recommend you use [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Microsoft Entra group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Microsoft Entra group before a token is generated by kubelet, which avoids the latency issue. > [!NOTE] > This article covers automatic authentication between AKS and ACR. If you need to pull an image from a private external registry, use an [image pull secret][image-pull-secret]. |
aks | Cluster Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-extensions.md | For supported Kubernetes versions, refer to the corresponding documentation for > For new clusters created with `az aks create`, managed identity is configured by default. For existing service principal-based clusters that need to be switched over to managed identity, it can be enabled by running `az aks update` with the `--enable-managed-identity` flag. For more information, see [Use managed identity][use-managed-identity]. > [!NOTE]-> If you have enabled [Azure AD pod-managed identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it, +> If you have enabled [Microsoft Entra pod-managed identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it, > we recommend you first review [Workload identity overview][workload-identity-overview] to understand our-> recommendations and options to set up your cluster to use an Azure AD workload identity (preview). +> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview). > This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities > to federate with any external identity providers. >-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. +> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. ## Currently available extensions |
aks | Concepts Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-identity.md | Title: Concepts - Access and identity in Azure Kubernetes Services (AKS) -description: Learn about access and identity in Azure Kubernetes Service (AKS), including Azure Active Directory integration, Kubernetes role-based access control (Kubernetes RBAC), and roles and bindings. +description: Learn about access and identity in Azure Kubernetes Service (AKS), including Microsoft Entra integration, Kubernetes role-based access control (Kubernetes RBAC), and roles and bindings. Last updated 04/28/2023 -* With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure using Azure Active Directory and Azure RBAC. +* With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure using Microsoft Entra ID and Azure RBAC. Kubernetes RBAC and AKS help you secure your cluster access and provide only the minimum required permissions to developers and operators. A ClusterRole grants and applies permissions to resources across the entire clus ### RoleBindings and ClusterRoleBindings -Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a *RoleBinding*. If your AKS cluster [integrates with Azure Active Directory (Azure AD)](#azure-ad-integration), RoleBindings grant permissions to Azure AD users to perform actions within the cluster. See how in [Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities](azure-ad-rbac.md). +Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a *RoleBinding*. If your AKS cluster [integrates with Microsoft Entra ID](#azure-ad-integration), RoleBindings grant permissions to Microsoft Entra users to perform actions within the cluster. See how in [Control access to cluster resources using Kubernetes role-based access control and Microsoft Entra identities](azure-ad-rbac.md). #### RoleBindings With a ClusterRoleBinding, you bind roles to users and apply to resources across *Service accounts* are one of the primary user types in Kubernetes. The Kubernetes API holds and manages service accounts. Service account credentials are stored as Kubernetes secrets, allowing them to be used by authorized pods to communicate with the API Server. Most API requests provide an authentication token for a service account or a normal user account. -Normal user accounts allow more traditional access for human administrators or developers, not just services and processes. While Kubernetes doesn't provide an identity management solution to store regular user accounts and passwords, you can integrate external identity solutions into Kubernetes. For AKS clusters, this integrated identity solution is Azure AD. +Normal user accounts allow more traditional access for human administrators or developers, not just services and processes. While Kubernetes doesn't provide an identity management solution to store regular user accounts and passwords, you can integrate external identity solutions into Kubernetes. For AKS clusters, this integrated identity solution is Microsoft Entra ID. For more information on the identity options in Kubernetes, see [Kubernetes authentication][kubernetes-authentication]. With Azure RBAC, you can provide your users (or identities) with granular access ### Azure RBAC for Kubernetes Authorization -With the Azure RBAC integration, AKS will use a Kubernetes Authorization webhook server so you can manage Azure AD-integrated Kubernetes cluster resource permissions and assignments using Azure role definition and role assignments. +With the Azure RBAC integration, AKS will use a Kubernetes Authorization webhook server so you can manage Microsoft Entra integrated Kubernetes cluster resource permissions and assignments using Azure role definition and role assignments. ![Azure RBAC for Kubernetes authorization flow](media/concepts-identity/azure-rbac-k8s-authz-flow.png) -As shown in the above diagram, when using the Azure RBAC integration, all requests to the Kubernetes API will follow the same authentication flow as explained on the [Azure Active Directory integration section](#azure-ad-integration). +As shown in the above diagram, when using the Azure RBAC integration, all requests to the Kubernetes API will follow the same authentication flow as explained on the [Microsoft Entra integration section](#azure-ad-integration). -If the identity making the request exists in Azure AD, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Azure AD (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC. +If the identity making the request exists in Microsoft Entra ID, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Microsoft Entra ID (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC. In this scenario, you use Azure RBAC mechanisms and APIs to assign users built-in roles or create custom roles, just as you would with Kubernetes roles. AKS provides the following four built-in roles. They are similar to the [Kuberne | Azure Kubernetes Service RBAC Admin | Allows admin access, intended to be granted within a namespace. <br> Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. <br> Doesn't allow write access to resource quota or to the namespace itself. | | Azure Kubernetes Service RBAC Cluster Admin | Allows super-user access to perform any action on any resource. <br> Gives full control over every resource in the cluster and in all namespaces. | -## Azure AD integration +<a name='azure-ad-integration'></a> -Enhance your AKS cluster security with Azure AD integration. Built on decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security. +## Microsoft Entra integration -![Azure Active Directory integration with AKS clusters](media/concepts-identity/aad-integration.png) +Enhance your AKS cluster security with Microsoft Entra integration. Built on decades of enterprise identity management, Microsoft Entra ID is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Microsoft Entra ID, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security. -With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. +![Microsoft Entra integration with AKS clusters](media/concepts-identity/aad-integration.png) ++With Microsoft Entra integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. 1. To obtain a `kubectl` configuration context, a user runs the [az aks get-credentials][az-aks-get-credentials] command. -1. When a user interacts with the AKS cluster with `kubectl`, they're prompted to sign in with their Azure AD credentials. +1. When a user interacts with the AKS cluster with `kubectl`, they're prompted to sign in with their Microsoft Entra credentials. This approach provides a single source for user account management and password credentials. The user can only access the resources as defined by the cluster administrator. -Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][openid-connect]. From inside of the Kubernetes cluster, [Webhook Token Authentication][webhook-token-docs] is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster. +Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][openid-connect]. From inside of the Kubernetes cluster, [Webhook Token Authentication][webhook-token-docs] is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster. ### Webhook and API server Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps: -1. `kubectl` uses the Azure AD client application to sign in users with [OAuth 2.0 device authorization grant flow](../active-directory/develop/v2-oauth2-device-code.md). -2. Azure AD provides an access_token, id_token, and a refresh_token. +1. `kubectl` uses the Microsoft Entra client application to sign in users with [OAuth 2.0 device authorization grant flow](../active-directory/develop/v2-oauth2-device-code.md). +2. Microsoft Entra ID provides an access_token, id_token, and a refresh_token. 3. The user makes a request to `kubectl` with an access_token from `kubeconfig`. 4. `kubectl` sends the access_token to API Server. 5. The API Server is configured with the Auth WebHook Server to perform validation.-6. The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key. +6. The authentication webhook server confirms the JSON Web Token signature is valid by checking the Microsoft Entra public signing key. 7. The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API. 8. A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID. 9. The API performs an authorization decision based on the Kubernetes Role/RoleBinding. 10. Once authorized, the API server returns a response to `kubectl`. 11. `kubectl` provides feedback to the user. -Learn how to integrate AKS with Azure AD with our [AKS-managed Azure AD integration how-to guide](managed-azure-ad.md). +Learn how to integrate AKS with Microsoft Entra ID with our [AKS-managed Microsoft Entra integration how-to guide](managed-azure-ad.md). ## AKS service permissions By default Node Access is not required for AKS. The following access is needed ## Summary -View the table for a quick summary of how users can authenticate to Kubernetes when Azure AD integration is enabled. In all cases, the user's sequence of commands is: +View the table for a quick summary of how users can authenticate to Kubernetes when Microsoft Entra integration is enabled. In all cases, the user's sequence of commands is: 1. Run `az login` to authenticate to Azure. 1. Run `az aks get-credentials` to download credentials for the cluster into `.kube/config`. View the table for a quick summary of how users can authenticate to Kubernetes w In the Azure portal, you can find: * The *Role Grant* (Azure RBAC role grant) referred to in the second column is shown on the **Access Control** tab. -* The Cluster Admin Azure AD Group is shown on the **Configuration** tab. +* The Cluster Admin Microsoft Entra group is shown on the **Configuration** tab. * Also found with parameter name `--aad-admin-group-object-ids` in the Azure CLI. -| Description | Role grant required| Cluster admin Azure AD group(s) | When to use | +| Description | Role grant required| Cluster admin Microsoft Entra group(s) | When to use | | -||-|-|-| Legacy admin login using client certificate| **Azure Kubernetes Admin Role**. This role allows `az aks get-credentials` to be used with the `--admin` flag, which downloads a [legacy (non-Azure AD) cluster admin certificate](control-kubeconfig-access.md) into the user's `.kube/config`. This is the only purpose of "Azure Kubernetes Admin Role".|n/a|If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster.| -| Azure AD with manual (Cluster)RoleBindings| **Azure Kubernetes User Role**. The "User" role allows `az aks get-credentials` to be used without the `--admin` flag. (This is the only purpose of "Azure Kubernetes User Role".) The result, on an Azure AD-enabled cluster, is the download of [an empty entry](control-kubeconfig-access.md) into `.kube/config`, which triggers browser-based authentication when it's first used by `kubectl`.| User is not in any of these groups. Because the user is not in any Cluster Admin groups, their rights will be controlled entirely by any RoleBindings or ClusterRoleBindings that have been set up by cluster admins. The (Cluster)RoleBindings [nominate Azure AD users or Azure AD groups](azure-ad-rbac.md) as their `subjects`. If no such bindings have been set up, the user will not be able to excute any `kubectl` commands.|If you want fine-grained access control, and you're not using Azure RBAC for Kubernetes Authorization. Note that the user who sets up the bindings must log in by one of the other methods listed in this table.| -| Azure AD by member of admin group| Same as above|User is a member of one of the groups listed here. AKS automatically generates a ClusterRoleBinding that binds all of the listed groups to the `cluster-admin` Kubernetes role. So users in these groups can run all `kubectl` commands as `cluster-admin`.|If you want to conveniently grant users full admin rights, and are _not_ using Azure RBAC for Kubernetes authorization.| -| Azure AD with Azure RBAC for Kubernetes Authorization|Two roles: <br> First, **Azure Kubernetes User Role** (as above). <br> Second, one of the "Azure Kubernetes Service **RBAC**..." roles listed above, or your own custom alternative.|The admin roles field on the Configuration tab is irrelevant when Azure RBAC for Kubernetes Authorization is enabled.|You are using Azure RBAC for Kubernetes authorization. This approach gives you fine-grained control, without the need to set up RoleBindings or ClusterRoleBindings.| +| Legacy admin login using client certificate| **Azure Kubernetes Admin Role**. This role allows `az aks get-credentials` to be used with the `--admin` flag, which downloads a [legacy (non-Microsoft Entra) cluster admin certificate](control-kubeconfig-access.md) into the user's `.kube/config`. This is the only purpose of "Azure Kubernetes Admin Role".|n/a|If you're permanently blocked by not having access to a valid Microsoft Entra group with access to your cluster.| +| Microsoft Entra ID with manual (Cluster)RoleBindings| **Azure Kubernetes User Role**. The "User" role allows `az aks get-credentials` to be used without the `--admin` flag. (This is the only purpose of "Azure Kubernetes User Role".) The result, on a Microsoft Entra ID-enabled cluster, is the download of [an empty entry](control-kubeconfig-access.md) into `.kube/config`, which triggers browser-based authentication when it's first used by `kubectl`.| User is not in any of these groups. Because the user is not in any Cluster Admin groups, their rights will be controlled entirely by any RoleBindings or ClusterRoleBindings that have been set up by cluster admins. The (Cluster)RoleBindings [nominate Microsoft Entra users or Microsoft Entra groups](azure-ad-rbac.md) as their `subjects`. If no such bindings have been set up, the user will not be able to excute any `kubectl` commands.|If you want fine-grained access control, and you're not using Azure RBAC for Kubernetes Authorization. Note that the user who sets up the bindings must log in by one of the other methods listed in this table.| +| Microsoft Entra ID by member of admin group| Same as above|User is a member of one of the groups listed here. AKS automatically generates a ClusterRoleBinding that binds all of the listed groups to the `cluster-admin` Kubernetes role. So users in these groups can run all `kubectl` commands as `cluster-admin`.|If you want to conveniently grant users full admin rights, and are _not_ using Azure RBAC for Kubernetes authorization.| +| Microsoft Entra ID with Azure RBAC for Kubernetes Authorization|Two roles: <br> First, **Azure Kubernetes User Role** (as above). <br> Second, one of the "Azure Kubernetes Service **RBAC**..." roles listed above, or your own custom alternative.|The admin roles field on the Configuration tab is irrelevant when Azure RBAC for Kubernetes Authorization is enabled.|You are using Azure RBAC for Kubernetes authorization. This approach gives you fine-grained control, without the need to set up RoleBindings or ClusterRoleBindings.| ## Next steps -- To get started with Azure AD and Kubernetes RBAC, see [Integrate Azure Active Directory with AKS][aks-aad].+- To get started with Microsoft Entra ID and Kubernetes RBAC, see [Integrate Microsoft Entra ID with AKS][aks-aad]. - For associated best practices, see [Best practices for authentication and authorization in AKS][operator-best-practices-identity]. - To get started with Azure RBAC for Kubernetes Authorization, see [Use Azure RBAC to authorize access within the Azure Kubernetes Service (AKS) Cluster](manage-azure-rbac.md). - To get started securing your `kubeconfig` file, see [Limit access to cluster configuration file](control-kubeconfig-access.md). |
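Review bot: the rewritten `+` rows of the summary table in the concepts-identity.md change carry the spelling error "excute" forward from the `-` rows ("the user will not be able to excute any `kubectl` commands"); since the rename already rewrites those rows, correct it to "execute" in the same change. The same rows also introduce "Microsoft Entra ID-enabled cluster" while the body text earlier in the diff uses "Microsoft Entra integrated AKS clusters"; pick one form for the article.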
aks | Concepts Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-security.md | In AKS, the Kubernetes master components are part of the managed service provide By default, the Kubernetes API server uses a public IP address and a fully qualified domain name (FQDN). You can limit access to the API server endpoint using [authorized IP ranges][authorized-ip-ranges]. You can also create a fully [private cluster][private-clusters] to limit API server access to your virtual network. -You can control access to the API server using Kubernetes role-based access control (Kubernetes RBAC) and Azure RBAC. For more information, see [Azure AD integration with AKS][aks-aad]. +You can control access to the API server using Kubernetes role-based access control (Kubernetes RBAC) and Azure RBAC. For more information, see [Microsoft Entra integration with AKS][aks-aad]. ## Node security |
aks | Control Kubeconfig Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/control-kubeconfig-access.md | When you interact with an AKS cluster using the `kubectl` tool, a configuration The [`az aks get-credentials`][az-aks-get-credentials] command lets you get the access credentials for an AKS cluster and merges these credentials into the *kubeconfig* file. You can use Azure RBAC to control access to these credentials. These Azure roles let you define who can retrieve the *kubeconfig* file and what permissions they have within the cluster. -There are two Azure roles you can apply to an Azure Active Directory (Azure AD) user or group: +There are two Azure roles you can apply to a Microsoft Entra user or group: - **Azure Kubernetes Service Cluster Admin Role** There are two Azure roles you can apply to an Azure Active Directory (Azure AD) * Downloads *kubeconfig* for *clusterUser* role. > [!NOTE]-> On clusters that use Azure AD, users with the *clusterUser* role have an empty *kubeconfig* file that prompts a login. Once logged in, users have access based on their Azure AD user or group settings. Users with the *clusterAdmin* role have admin access. +> On clusters that use Microsoft Entra ID, users with the *clusterUser* role have an empty *kubeconfig* file that prompts a login. Once logged in, users have access based on their Microsoft Entra user or group settings. Users with the *clusterAdmin* role have admin access. >-> On clusters that don't use Azure AD, the *clusterUser* role has same effect of *clusterAdmin* role. +> On clusters that don't use Microsoft Entra ID, the *clusterUser* role has same effect of *clusterAdmin* role. ## Assign role permissions to a user or group -To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group using the following steps: +To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Microsoft Entra user account or group using the following steps: 1. Get the cluster resource ID using the [`az aks show`][az-aks-show] command for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. Provide your own cluster and resource group name as needed. 2. Use the [`az account show`][az-account-show] and [`az ad user show`][az-ad-user-show] commands to get your user ID. az role assignment create \ --role "Azure Kubernetes Service Cluster Admin Role" ``` -If you want to assign permissions to an Azure AD group, update the `--assignee` parameter shown in the previous example with the object ID for the *group* rather than the *user*. +If you want to assign permissions to a Microsoft Entra group, update the `--assignee` parameter shown in the previous example with the object ID for the *group* rather than the *user*. -To get the object ID for a group, use the [`az ad group show`][az-ad-group-show] command. The following command gets the object ID for the Azure AD group named *appdev*: +To get the object ID for a group, use the [`az ad group show`][az-ad-group-show] command. The following command gets the object ID for the Microsoft Entra group named *appdev*: ```azurecli-interactive az ad group show --group appdev --query objectId -o tsv ``` > [!IMPORTANT]-> In some cases, such as Azure AD guest users, the *user.name* in the account is different than the *userPrincipalName*. +> In some cases, such as Microsoft Entra guest users, the *user.name* in the account is different than the *userPrincipalName*. > > ```azurecli-interactive > $ az account show --query user.name -o tsv az ad group show --group appdev --query objectId -o tsv > user_contoso.com#EXT#@contoso.onmicrosoft.com > ``` >-> In this case, set the value of *ACCOUNT_UPN* to the *userPrincipalName* from the Azure AD user. For example, if your account *user.name* is *user\@contoso.com*, this action would look like the following example: +> In this case, set the value of *ACCOUNT_UPN* to the *userPrincipalName* from the Microsoft Entra user. For example, if your account *user.name* is *user\@contoso.com*, this action would look like the following example: > > ```azurecli-interactive > ACCOUNT_UPN=$(az ad user list --query "[?contains(otherMails,'user@contoso.com')].{UPN:userPrincipalName}" -o tsv) az role assignment delete --assignee $ACCOUNT_ID --scope $AKS_CLUSTER ## Next steps -For enhanced security on access to AKS clusters, [integrate Azure Active Directory authentication][aad-integration]. +For enhanced security on access to AKS clusters, [integrate Microsoft Entra authentication][aad-integration]. <!-- LINKS - external --> [kubectl-config-use-context]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config |
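Review bot: the rewritten NOTE line in the control-kubeconfig-access.md change keeps the grammatical slip "the *clusterUser* role has same effect of *clusterAdmin* role"; since the `+` line already touches that sentence, make it "has the same effect as the *clusterAdmin* role" in the same change.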
aks | Csi Migrate In Tree Volumes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-migrate-in-tree-volumes.md | To make this process as simple as possible, and to ensure no data loss, this art ## Before you begin * The Azure CLI version 2.37.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].-* Kubectl and cluster administrators have access to create, get, list, delete access to a PVC or PV, volume snapshot, or volume snapshot content. For an Azure Active Directory (Azure AD) RBAC enabled cluster, you're a member of the [Azure Kubernetes Service RBAC Cluster Admin][aks-rbac-cluster-admin-role] role. +* Kubectl and cluster administrators have access to create, get, list, delete access to a PVC or PV, volume snapshot, or volume snapshot content. For a Microsoft Entra RBAC enabled cluster, you're a member of the [Azure Kubernetes Service RBAC Cluster Admin][aks-rbac-cluster-admin-role] role. ## Migrate Disk volumes |
aks | Csi Secrets Store Driver | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-driver.md | A container using *subPath volume mount* won't receive secret updates when it's 2. Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command and enable the `azure-keyvault-secrets-provider` add-on. > [!NOTE]- > If you want to use Azure AD workload identity, you must also use the `--enable-oidc-issuer` and `--enable-workload-identity` parameters, such as in the following example: + > If you want to use Microsoft Entra Workload ID, you must also use the `--enable-oidc-issuer` and `--enable-workload-identity` parameters, such as in the following example: > > ```azurecli-interactive > az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-oidc-issuer --enable-workload-identity A container using *subPath volume mount* won't receive secret updates when it's The Secrets Store CSI Driver allows for the following methods to access an Azure key vault: -* An [Azure Active Directory workload identity][aad-workload-identity] +* An [Microsoft Entra Workload ID][aad-workload-identity] * A user-assigned or system-assigned managed identity Follow the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods] for your chosen method. |
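Review bot: in the access-method list of the csi-secrets-store-driver.md change, the `+` line "* An [Microsoft Entra Workload ID][aad-workload-identity]" needs the article changed to "A"; the renamed noun no longer starts with a vowel sound, so "An" reads as a leftover from the old "Azure Active Directory workload identity" wording.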
aks | Csi Secrets Store Identity Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md | The Secrets Store CSI Driver on Azure Kubernetes Service (AKS) provides various The following access methods are available: -- Azure Active Directory (Azure AD) workload identity+- Microsoft Entra Workload ID - User-assigned managed identity -## Access with an Azure AD workload identity +<a name='access-with-an-azure-ad-workload-identity'></a> -An [Azure AD workload identity][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Azure AD then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL). +## Access with a Microsoft Entra Workload ID ++An [Microsoft Entra Workload ID][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL). > [!NOTE]-> This authentication method replaces Azure AD pod-managed identity (preview). The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. +> This authentication method replaces Microsoft Entra pod-managed identity (preview). The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. ### Prerequisites Before you begin, you must have the following prerequisites: - An existing AKS cluster with `--enable-oidc-issuer` and `--enable-workload-identity` enabled. > [!NOTE]-> Azure AD workload identity is supported on both Windows and Linux clusters. +> Microsoft Entra Workload ID is supported on both Windows and Linux clusters. ### Configure workload identity Before you begin, you must have the following prerequisites: echo $AKS_OIDC_ISSUER ``` -5. Establish a federated identity credential between the Azure AD application and the service account issuer and subject. Get the object ID of the Azure AD application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace. +5. Establish a federated identity credential between the Microsoft Entra application and the service account issuer and subject. Get the object ID of the Microsoft Entra application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace. ```bash export SERVICE_ACCOUNT_NAME="workload-identity-sa" # sample name; can be changed |
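Review bot: the `+` paragraph under the renamed heading in the csi-secrets-store-identity-access.md change opens "An [Microsoft Entra Workload ID][workload-identity] is an identity that..."; the heading immediately before it was correctly changed to "Access with a Microsoft Entra Workload ID", so the body sentence should use "A" as well.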
aks | Csi Secrets Store Nginx Tls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-nginx-tls.md | Depending on your scenario, you can choose to bind the certificate to either the > [!NOTE] > - > - If not using Azure Active Directory (Azure AD) pod-managed identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME` . + > - If not using Microsoft Entra pod-managed identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME` . > > - Also, binding the SecretProviderClass to a pod is required for the Secrets Store CSI Driver to mount it and generate the Kubernetes secret. See [Sync mounted content with a Kubernetes secret][az-keyvault-mirror-as-secret] . |
aks | Csi Storage Drivers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-storage-drivers.md | The CSI storage driver support on AKS allows you to natively use: CSI storage drivers support the following scenarios: -* [Encrypted managed disks with customer-managed keys][encrypt-managed-disks-customer-managed-keys] using Azure Key Vaults stored in a different Azure Active Directory (Azure AD) tenant. +* [Encrypted managed disks with customer-managed keys][encrypt-managed-disks-customer-managed-keys] using Azure Key Vaults stored in a different Microsoft Entra tenant. * Encrypt your Azure Storage disks hosting AKS OS and application data with [customer-managed keys][azure-disk-customer-managed-keys]. ## Enable CSI storage drivers on an existing cluster |
aks | Dapr Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-overview.md | Lastly, the Dapr extension is an extension of AKS, therefore you can expect the [Learn more about migrating from Dapr OSS to the Dapr extension for AKS][dapr-migration]. -### How can I authenticate Dapr components with Azure AD using managed identities? +<a name='how-can-i-authenticate-dapr-components-with-azure-ad-using-managed-identities'></a> -- Learn how [Dapr components authenticate with Azure AD][dapr-msi].+### How can I authenticate Dapr components with Microsoft Entra ID using managed identities? ++- Learn how [Dapr components authenticate with Microsoft Entra ID][dapr-msi]. - Learn about [using managed identities with AKS][aks-msi]. ### How can I switch to using the Dapr extension if I’ve already installed Dapr via a method, such as Helm? |
aks | Developer Best Practices Pod Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/developer-best-practices-pod-security.md | This best practices article focuses on how to secure pods in AKS. You learn how > [!div class="checklist"] > * Use pod security context to limit access to processes and services or privilege escalation-> * Authenticate with other Azure resources using Azure Active Directory workload identities +> * Authenticate with other Azure resources using Microsoft Entra Workload ID > * Request and retrieve credentials from a digital vault such as Azure Key Vault You can also read the best practices for [cluster security][best-practices-cluster-security] and for [container image management][best-practices-container-image-management]. Work with your cluster operator to determine what security context settings you To limit the risk of credentials being exposed in your application code, avoid the use of fixed or shared credentials. Credentials or keys shouldn't be included directly in your code. If these credentials are exposed, the application needs to be updated and redeployed. A better approach is to give pods their own identity and way to authenticate themselves, or automatically retrieve credentials from a digital vault. -#### Use an Azure AD workload identity +<a name='use-an-azure-ad-workload-identity'></a> -A workload identity is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the [Azure SDK][azure-sdk-download] or the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL). +#### Use a Microsoft Entra Workload ID -For more information about workload identities, see [Configure an AKS cluster to use Azure AD workload identities with your applications][workload-identity-overview] +A workload identity is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library using the [Azure SDK][azure-sdk-download] or the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL). ++For more information about workload identities, see [Configure an AKS cluster to use Microsoft Entra Workload ID with your applications][workload-identity-overview] #### Use Azure Key Vault with Secrets Store CSI Driver -Using the [Azure AD workload identity][workload-identity-overview] enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. A digital vault can be used to store these secret contents. +Using the [Microsoft Entra Workload ID][workload-identity-overview] enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. A digital vault can be used to store these secret contents. When applications need a credential, they communicate with the digital vault, retrieve the latest secret contents, and then connect to the required service. Azure Key Vault can be this digital vault. The simplified workflow for retrieving a credential from Azure Key Vault using pod managed identities is shown in the following diagram: :::image type="content" source="media/developer-best-practices-pod-security/basic-key-vault.svg" alt-text="Simplified workflow for retrieving a credential from Key Vault using a pod managed identity"::: -With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using the [Azure Key Vault provider for the Secrets Store CSI Driver][aks-keyvault-csi-driver]. The Secrets Store CSI driver enables the AKS cluster to natively retrieve secret contents from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Secrets Store CSI Driver onto AKS worker nodes. You can use an Azure AD workload identity to request access to Key Vault and retrieve the secret contents needed through the Secrets Store CSI Driver. +With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using the [Azure Key Vault provider for the Secrets Store CSI Driver][aks-keyvault-csi-driver]. The Secrets Store CSI driver enables the AKS cluster to natively retrieve secret contents from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Secrets Store CSI Driver onto AKS worker nodes. You can use a Microsoft Entra Workload ID to request access to Key Vault and retrieve the secret contents needed through the Secrets Store CSI Driver. ## Next steps This article focused on how to secure your pods. To implement some of these areas, see the following articles: -* [Use Azure AD workload identities for Azure resources with AKS][workload-identity-overview] (preview) +* [Use Microsoft Entra Workload ID for Azure resources with AKS][workload-identity-overview] (preview) * [Integrate Azure Key Vault with AKS][aks-keyvault-csi-driver] <!-- EXTERNAL LINKS --> |
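Review bot: the rewritten paragraph under `#### Use a Microsoft Entra Workload ID` carries over a comma splice, "the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys"; since the line is being rewritten anyway, suggest "the AKS cluster acts as the token issuer, and Microsoft Entra ID uses OpenID Connect to discover public signing keys". The heading itself reads better without the article ("#### Use Microsoft Entra Workload ID"), matching "Authenticate with other Azure resources using Microsoft Entra Workload ID" in the checklist earlier in the same change.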
aks | Edge Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/edge-zones.md | In this section you'll learn how to deploy a Kubernetes cluster in the Edge Zone 7. On the **Access** page, configure the following options: - - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md) + - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md) - The Kubernetes role-based access control (RBAC) option is the default value to provide more fine-grained control over access to the Kubernetes resources deployed in your AKS cluster. By default, *Basic* networking is used, and [Container insights](../azure-monitor/containers/container-insights-overview.md) is enabled. After deploying your AKS cluster in an Edge Zone, learn about how you can [confi [public-mec-sign-up]: https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbRx4AG8rZKBBDoHEYyD9u_bxUMUVaSlhYMFA2RjUzSklKR0YyREZZNURTRi4u [az-aks-create]: /cli/azure/aks#az_aks_create-[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal +[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal |
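Review bot: the removed `[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal` line and the added one are byte-for-byte identical, so the only difference is presumably a missing newline at end of file; confirm that is intentional, because otherwise this hunk is noise in a rename-only change.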
aks | Intro Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md | You can create an AKS cluster using: * [Azure portal][aks-quickstart-portal] * Template-driven deployment options, like [Azure Resource Manager templates][aks-quickstart-template], [Bicep](../azure-resource-manager/bicep/overview.md), and Terraform. -When you deploy an AKS cluster, you specify the number and size of the nodes, and AKS deploys and configures the Kubernetes control plane and nodes. [Advanced networking][aks-networking], [Azure Active Directory (Azure AD) integration][aad], [monitoring][aks-monitor], and other features can be configured during the deployment process. +When you deploy an AKS cluster, you specify the number and size of the nodes, and AKS deploys and configures the Kubernetes control plane and nodes. [Advanced networking][aks-networking], [Microsoft Entra integration][aad], [monitoring][aks-monitor], and other features can be configured during the deployment process. For more information on Kubernetes basics, see [Kubernetes core concepts for AKS][concepts-clusters-workloads]. For more information on Kubernetes basics, see [Kubernetes core concepts for AKS ## Access, security, and monitoring -For improved security and management, you can integrate with [Azure AD][aad] to: +For improved security and management, you can integrate with [Microsoft Entra ID][aad] to: * Use Kubernetes role-based access control (Kubernetes RBAC). * Monitor the health of your cluster and resources. For improved security and management, you can integrate with [Azure AD][aad] to: To limit access to cluster resources, AKS supports [Kubernetes RBAC][kubernetes-rbac]. Kubernetes RBAC controls access and permissions to Kubernetes resources and namespaces. -#### Azure AD +<a name='azure-ad'></a> -You can configure an AKS cluster to integrate with Azure AD. With Azure AD integration, you can set up Kubernetes access based on existing identity and group membership. Your existing Azure AD users and groups can be provided with an integrated sign-on experience and access to AKS resources. +#### Microsoft Entra ID ++You can configure an AKS cluster to integrate with Microsoft Entra ID. With Microsoft Entra integration, you can set up Kubernetes access based on existing identity and group membership. Your existing Microsoft Entra users and groups can be provided with an integrated sign-on experience and access to AKS resources. For more information on identity, see [Access and identity options for AKS][concepts-identity]. -To secure your AKS clusters, see [Integrate Azure AD with AKS][aks-aad]. +To secure your AKS clusters, see [Integrate Microsoft Entra ID with AKS][aks-aad]. ### Integrated logging and monitoring |
aks | Kubernetes Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-portal.md | The Kubernetes resource view from the Azure portal replaces the deprecated AKS d ## Prerequisites -To view Kubernetes resources in the Azure portal, you need an AKS cluster. Any cluster is supported, but if you're using Azure Active Directory (Azure AD) integration, your cluster must use [AKS-managed Azure AD integration][aks-managed-aad]. If your cluster uses legacy Azure AD, you can upgrade your cluster in the portal or with the [Azure CLI][cli-aad-upgrade]. You can also [use the Azure portal][aks-quickstart-portal] to create a new AKS cluster. +To view Kubernetes resources in the Azure portal, you need an AKS cluster. Any cluster is supported, but if you're using Microsoft Entra integration, your cluster must use [AKS-managed Microsoft Entra integration][aks-managed-aad]. If your cluster uses legacy Microsoft Entra ID, you can upgrade your cluster in the portal or with the [Azure CLI][cli-aad-upgrade]. You can also [use the Azure portal][aks-quickstart-portal] to create a new AKS cluster. ## View Kubernetes resources This section addresses common problems and troubleshooting steps. To access the Kubernetes resources, you must have access to the AKS cluster, the Kubernetes API, and the Kubernetes objects. Ensure that you're either a cluster administrator or a user with the appropriate permissions to access the AKS cluster. For more information on cluster security, see [Access and identity options for AKS][concepts-identity]. >[!NOTE]-> The Kubernetes resource view in the Azure portal is only supported by [managed-AAD enabled clusters](managed-azure-ad.md) or non-AAD enabled clusters. If you're using a managed-AAD enabled cluster, your AAD user or identity needs to have the respective roles/role bindings to access the Kubernetes API and the permission to pull the [user `kubeconfig`](control-kubeconfig-access.md). +> The Kubernetes resource view in the Azure portal is only supported by [managed-AAD enabled clusters](managed-azure-ad.md) or non-AAD enabled clusters. If you're using a managed-AAD enabled cluster, your Microsoft Entra user or identity needs to have the respective roles/role bindings to access the Kubernetes API and the permission to pull the [user `kubeconfig`](control-kubeconfig-access.md). ### Enable resource view |
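Review bot: the rewritten `[!NOTE]` line changes "your AAD user or identity" to "your Microsoft Entra user or identity" but leaves "managed-AAD enabled clusters" and "non-AAD enabled clusters" in the same sentence; for consistency with the prerequisites paragraph in this change ("AKS-managed Microsoft Entra integration"), suggest "clusters with AKS-managed Microsoft Entra integration" and "clusters without Microsoft Entra integration".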
aks | Kubernetes Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-service-principal.md | Title: Use a service principal with Azure Kubernetes Services (AKS) -description: Learn how to create and manage an Azure Active Directory service principal with a cluster in Azure Kubernetes Service (AKS). +description: Learn how to create and manage a Microsoft Entra service principal with a cluster in Azure Kubernetes Service (AKS). Last updated 06/27/2023 -An AKS cluster requires either an [Azure Active Directory (AD) service principal][aad-service-principal] or a [managed identity][managed-identity-resources-overview] to dynamically create and manage other Azure resources, such as an Azure Load Balancer or Azure Container Registry (ACR). +An AKS cluster requires either an [Microsoft Entra service principal][aad-service-principal] or a [managed identity][managed-identity-resources-overview] to dynamically create and manage other Azure resources, such as an Azure Load Balancer or Azure Container Registry (ACR). > [!NOTE] > We recommend using managed identities to authenticate with other resources in Azure, and they're the default authentication method for your AKS cluster. For more information about using a managed identity with your cluster, see [Use a system-assigned managed identity][use-managed-identity]. This article shows you how to create and use a service principal for your AKS cl ## Before you begin -To create an Azure AD service principal, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, you need to ask your Azure AD or subscription administrator to assign the necessary permissions or pre-create a service principal for you to use with your AKS cluster. +To create a Microsoft Entra service principal, you must have permissions to register an application with your Microsoft Entra tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, you need to ask your Microsoft Entra ID or subscription administrator to assign the necessary permissions or pre-create a service principal for you to use with your AKS cluster. -If you're using a service principal from a different Azure AD tenant, there are other considerations around the permissions available when you deploy the cluster. You may not have the appropriate permissions to read and write directory information. For more information, see [What are the default user permissions in Azure Active Directory?][azure-ad-permissions] +If you're using a service principal from a different Microsoft Entra tenant, there are other considerations around the permissions available when you deploy the cluster. You may not have the appropriate permissions to read and write directory information. For more information, see [What are the default user permissions in Microsoft Entra ID?][azure-ad-permissions] ## Prerequisites If you use Virtual Kubelet to integrate with AKS and choose to run Azure Contain ### [Azure CLI](#tab/azure-cli) -When using AKS and an Azure AD service principal, consider the following: +When using AKS and a Microsoft Entra service principal, consider the following: * The service principal for Kubernetes is a part of the cluster configuration, but don't use this identity to deploy the cluster. * By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.-* Every service principal is associated with an Azure AD application. You can associate the service principal for a Kubernetes cluster with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint. +* Every service principal is associated with a Microsoft Entra application. You can associate the service principal for a Kubernetes cluster with any valid Microsoft Entra application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint. * When you specify the service principal **Client ID**, use the value of the `appId`. * On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the `/etc/kubernetes/azure.json` file. * When you delete an AKS cluster that was created using the [`az aks create`][az-aks-create] command, the service principal created isn't automatically deleted. When using AKS and an Azure AD service principal, consider the following: ### [Azure PowerShell](#tab/azure-powershell) -When using AKS and an Azure AD service principal, consider the following: +When using AKS and a Microsoft Entra service principal, consider the following: * The service principal for Kubernetes is a part of the cluster configuration, but don't use this identity to deploy the cluster. * By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.-* Every service principal is associated with an Azure AD application. You can associate the service principal for a Kubernetes cluster with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint. +* Every service principal is associated with a Microsoft Entra application. You can associate the service principal for a Kubernetes cluster with any valid Microsoft Entra application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint. * When you specify the service principal **Client ID**, use the value of the `ApplicationId`. * On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the `/etc/kubernetes/azure.json` file. * When you delete an AKS cluster that was created using the [`New-AzAksCluster`][new-azakscluster], the service principal created isn't automatically deleted. The default expiration time for the service principal credentials is one year. I ## Next steps -For more information about Azure Active Directory service principals, see [Application and service principal objects][service-principal]. +For more information about Microsoft Entra service principals, see [Application and service principal objects][service-principal]. For information on how to update the credentials, see [Update or rotate the credentials for a service principal in AKS][update-credentials]. |
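Review bot: the added line "An AKS cluster requires either an [Microsoft Entra service principal][aad-service-principal]" needs "a" rather than "an" now that the link text no longer begins with "Azure"; in the same change, "ask your Microsoft Entra ID or subscription administrator" reads more naturally as "ask your Microsoft Entra or subscription administrator", matching "a Microsoft Entra service principal" used elsewhere in the file.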
aks | Quick Kubernetes Deploy Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-portal.md | This quickstart assumes a basic understanding of Kubernetes concepts. For more i 1. On the **Node pools** page, leave the default options and then select **Next: Access**. 1. On the **Access** page, configure the following options: - - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more details about managed identities, see [What are managed identities for Azure resources?](../../active-directory/managed-identities-azure-resources/overview.md) + - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. For more details about managed identities, see [What are managed identities for Azure resources?](../../active-directory/managed-identities-azure-resources/overview.md) - The Kubernetes role-based access control (RBAC) option is the default value to provide more fine-grained control over access to the Kubernetes resources deployed in your AKS cluster. 1. Select **Next: Networking** when complete. |
aks | Tutorial Kubernetes Workload Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/tutorial-kubernetes-workload-identity.md | Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you qui * Deploy an AKS cluster using the Azure CLI with OpenID Connect (OIDC) Issuer and managed identity. * Create an Azure Key Vault and secret.-* Create an Azure Active Directory (Azure AD) workload identity and Kubernetes service account. +* Create a Microsoft Entra Workload ID and Kubernetes service account. * Configure the managed identity for token federation. * Deploy the workload and verify authentication with the workload identity. ## Before you begin * This tutorial assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts].-* If you aren't familiar with Azure AD workload identity, see the [Azure AD workload identity overview][workload-identity-overview]. +* If you aren't familiar with Microsoft Entra Workload ID, see the [Microsoft Entra Workload ID overview][workload-identity-overview]. * When you create an AKS cluster, a second resource group is automatically created to store the AKS resources. For more information, see [Why are two resource groups created with AKS?][aks-two-resource-groups] ## Prerequisites You may wish to leave these resources in place. If you no longer need these reso ## Next steps -In this tutorial, you deployed a Kubernetes cluster and deployed a simple container application to test working with an Azure AD workload identity. +In this tutorial, you deployed a Kubernetes cluster and deployed a simple container application to test working with a Microsoft Entra Workload ID. This tutorial is for introductory purposes. For guidance on a creating full solutions with AKS for production, see [AKS solution guidance][aks-solution-guidance]. |
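Review bot: the context line "For guidance on a creating full solutions with AKS for production" has a stray "a"; since this file is already being edited, suggest "For guidance on creating full solutions with AKS for production".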
aks | Manage Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-azure-rbac.md | -When you leverage [integrated authentication between Azure Active Directory (Azure AD) and AKS](managed-azure-ad.md), you can use Azure AD users, groups, or service principals as subjects in [Kubernetes role-based access control (Kubernetes RBAC)][kubernetes-rbac]. This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately. +When you leverage [integrated authentication between Microsoft Entra ID and AKS](managed-azure-ad.md), you can use Microsoft Entra users, groups, or service principals as subjects in [Kubernetes role-based access control (Kubernetes RBAC)][kubernetes-rbac]. This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately. This article covers how to use Azure RBAC for Kubernetes Authorization, which allows for the unified management and access control across Azure resources, AKS, and Kubernetes resources. For more information, see [Azure RBAC for Kubernetes Authorization][kubernetes-rbac]. This article covers how to use Azure RBAC for Kubernetes Authorization, which al * You need the Azure CLI version 2.24.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. * You need `kubectl`, with a minimum version of [1.18.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183).-* You need managed Azure AD integration enabled on your cluster before you can add Azure RBAC for Kubernetes authorization. If you need to enable managed Azure AD integration, see [Use Azure AD in AKS](managed-azure-ad.md). +* You need managed Microsoft Entra integration enabled on your cluster before you can add Azure RBAC for Kubernetes authorization. If you need to enable managed Microsoft Entra integration, see [Use Microsoft Entra ID in AKS](managed-azure-ad.md). * If you have CRDs and are making custom role definitions, the only way to cover CRDs today is to use `Microsoft.ContainerService/managedClusters/*/read`. For the remaining objects, you can use the specific API groups, such as `Microsoft.ContainerService/apps/deployments/read`. * New role assignments can take up to five minutes to propagate and be updated by the authorization server.-* Azure RBAC for Kubernetes Authorization requires that the Azure AD tenant configured for authentication is same as the tenant for the subscription that holds your AKS cluster. +* Azure RBAC for Kubernetes Authorization requires that the Microsoft Entra tenant configured for authentication is same as the tenant for the subscription that holds your AKS cluster. -## Create a new AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization +<a name='create-a-new-aks-cluster-with-managed-azure-ad-integration-and-azure-rbac-for-kubernetes-authorization'></a> ++## Create a new AKS cluster with managed Microsoft Entra integration and Azure RBAC for Kubernetes Authorization Create an Azure resource group using the [`az group create`][az-group-create] command. Create an Azure resource group using the [`az group create`][az-group-create] co az group create --name myResourceGroup --location westus2 ``` -Create an AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization using the [`az aks create`][az-aks-create] command. +Create an AKS cluster with managed Microsoft Entra integration and Azure RBAC for Kubernetes Authorization using the [`az aks create`][az-aks-create] command. ```azurecli-interactive az aks create -g myResourceGroup -n myManagedCluster --enable-aad --enable-azure-rbac |
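Review bot: the rewritten limitation "requires that the Microsoft Entra tenant configured for authentication is same as the tenant for the subscription" is missing "the" before "same"; suggest "is the same as the tenant for the subscription that holds your AKS cluster".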
aks | Manage Local Accounts Managed Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-local-accounts-managed-azure-ad.md | Title: Manage local accounts with AKS-managed Azure Active Directory integration -description: Learn how to managed local accounts when integrating Azure AD in your Azure Kubernetes Service (AKS) clusters. + Title: Manage local accounts with AKS-managed Microsoft Entra integration +description: Learn how to managed local accounts when integrating Microsoft Entra ID in your Azure Kubernetes Service (AKS) clusters. Last updated 04/20/2023 -# Manage local accounts with AKS-managed Azure Active Directory integration +# Manage local accounts with AKS-managed Microsoft Entra integration -When you deploy an AKS cluster, local accounts are enabled by default. Even when you enable RBAC or Azure AD integration, `--admin` access still exists as a non-auditable backdoor option. This article shows you how to disable local accounts on an existing cluster, create a new cluster with local accounts disabled, and re-enable local accounts on existing clusters. +When you deploy an AKS cluster, local accounts are enabled by default. Even when you enable RBAC or Microsoft Entra integration, `--admin` access still exists as a non-auditable backdoor option. This article shows you how to disable local accounts on an existing cluster, create a new cluster with local accounts disabled, and re-enable local accounts on existing clusters. ## Before you begin -* See [AKS-managed Azure Active Directory integration](./managed-azure-ad.md) for an overview and setup instructions. +* See [AKS-managed Microsoft Entra integration](./managed-azure-ad.md) for an overview and setup instructions. ## Disable local accounts You can disable local accounts using the parameter `disable-local-accounts`. The > [!NOTE] >-> * On clusters with Azure AD integration enabled, users assigned to an Azure AD administrators group specified by `aad-admin-group-object-ids` can still gain access using non-administrator credentials. On clusters without Azure AD integration enabled and `properties.disableLocalAccounts` set to `true`, any attempt to authenticate with user or admin credentials will fail. +> * On clusters with Microsoft Entra integration enabled, users assigned to a Microsoft Entra administrators group specified by `aad-admin-group-object-ids` can still gain access using non-administrator credentials. On clusters without Microsoft Entra integration enabled and `properties.disableLocalAccounts` set to `true`, any attempt to authenticate with user or admin credentials will fail. > > * After disabling local user accounts on an existing AKS cluster where users might have authenticated with local accounts, the administrator must [rotate the cluster certificates](certificate-rotation.md) to revoke certificates they might have had access to. If this is a new cluster, no action is required. You can disable local accounts using the parameter `disable-local-accounts`. The ### Disable local accounts on an existing cluster -1. Disable local accounts on an existing Azure AD integration enabled AKS cluster using the [`az aks update`][az-aks-update] command with the `disable-local-accounts` parameter. +1. Disable local accounts on an existing Microsoft Entra integration enabled AKS cluster using the [`az aks update`][az-aks-update] command with the `disable-local-accounts` parameter. ```azurecli-interactive az aks update -g <resource-group> -n <cluster-name> --disable-local-accounts |
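Review bot: the new `description:` line keeps the pre-existing typo "Learn how to managed local accounts"; since the line is being rewritten anyway, suggest "description: Learn how to manage local accounts when integrating Microsoft Entra ID in your Azure Kubernetes Service (AKS) clusters."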
aks | Managed Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/managed-azure-ad.md | Title: AKS-managed Azure Active Directory integration -description: Learn how to configure Azure AD for your Azure Kubernetes Service (AKS) clusters. + Title: AKS-managed Microsoft Entra integration +description: Learn how to configure Microsoft Entra ID for your Azure Kubernetes Service (AKS) clusters. Last updated 07/28/2023 -# AKS-managed Azure Active Directory integration +# AKS-managed Microsoft Entra integration -AKS-managed Azure Active Directory (Azure AD) integration simplifies the Azure AD integration process. Previously, you were required to create a client and server app, and the Azure AD tenant had to grant Directory Read permissions. Now, the AKS resource provider manages the client and server apps for you. +AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you were required to create a client and server app, and the Microsoft Entra tenant had to grant Directory Read permissions. Now, the AKS resource provider manages the client and server apps for you. -Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][open-id-connect]. +Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][open-id-connect]. 
-Learn more about the Azure AD integration flow in the [Azure AD documentation](concepts-identity.md#azure-ad-integration). +Learn more about the Microsoft Entra integration flow in the [Microsoft Entra documentation](concepts-identity.md#azure-ad-integration). ## Limitations -* AKS-managed Azure AD integration can't be disabled. -* Changing an AKS-managed Azure AD integrated cluster to legacy Azure AD isn't supported. -* Clusters without Kubernetes RBAC enabled aren't supported with AKS-managed Azure AD integration. +* AKS-managed Microsoft Entra integration can't be disabled. +* Changing an AKS-managed Microsoft Entra integrated cluster to legacy Microsoft Entra ID isn't supported. +* Clusters without Kubernetes RBAC enabled aren't supported with AKS-managed Microsoft Entra integration. ## Before you begin * Make sure you have Azure CLI version 2.29.0 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). * You need `kubectl` with a minimum version of [1.18.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1181) or [`kubelogin`][kubelogin]. With the Azure CLI and the Azure PowerShell module, these two commands are included and automatically managed. Meaning, they are upgraded by default and running `az aks install-cli` isn't required or recommended. If you are using an automated pipeline, you need to manage upgrading to the correct or latest version. The difference between the minor versions of Kubernetes and `kubectl` shouldn't be more than *one* version. Otherwise, you'll experience authentication issues if you don't use the correct version. * If you're using [helm](https://github.com/helm/helm), you need a minimum version of helm 3.3.-* This configuration requires you have an Azure AD group for your cluster. This group is registered as an admin group on the cluster to grant admin permissions. 
If you don't have an existing Azure AD group, you can create one using the [`az ad group create`](/cli/azure/ad/group#az_ad_group_create) command. +* This configuration requires you have a Microsoft Entra group for your cluster. This group is registered as an admin group on the cluster to grant admin permissions. If you don't have an existing Microsoft Entra group, you can create one using the [`az ad group create`](/cli/azure/ad/group#az_ad_group_create) command. > [!NOTE]-> Azure AD integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Azure AD clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Azure AD clusters, or Azure AD clusters running a version older than 1.24. +> Microsoft Entra integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Microsoft Entra ID clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Microsoft Entra clusters, or Microsoft Entra ID clusters running a version older than 1.24. > Existing downloaded `kubeconfig` continues to work. An optional query parameter **format** is included when getting clusterUser credential to overwrite the default behavior change. You can explicitly specify format to **azure** if you need to maintain the old `kubeconfig` format . 
-## Enable AKS-managed Azure AD integration on your AKS cluster +<a name='enable-aks-managed-azure-ad-integration-on-your-aks-cluster'></a> ++## Enable AKS-managed Microsoft Entra integration on your AKS cluster ### Create a new cluster Learn more about the Azure AD integration flow in the [Azure AD documentation](c az group create --name myResourceGroup --location centralus ``` -2. Create an AKS cluster and enable administration access for your Azure AD group using the [`az aks create`][az-aks-create] command. +2. Create an AKS cluster and enable administration access for your Microsoft Entra group using the [`az aks create`][az-aks-create] command. ```azurecli-interactive az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>] ``` - A successful creation of an AKS-managed Azure AD cluster has the following section in the response body: + A successful creation of an AKS-managed Microsoft Entra ID cluster has the following section in the response body: ```output "AADProfile": { Learn more about the Azure AD integration flow in the [Azure AD documentation](c ### Use an existing cluster -Enable AKS-managed Azure AD integration on your existing Kubernetes RBAC enabled cluster using the [`az aks update`][az-aks-update] command. Make sure to set your admin group to keep access on your cluster. +Enable AKS-managed Microsoft Entra integration on your existing Kubernetes RBAC enabled cluster using the [`az aks update`][az-aks-update] command. Make sure to set your admin group to keep access on your cluster. 
```azurecli-interactive az aks update -g MyResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id-1>,<id-2> [--aad-tenant-id <id>] ``` -A successful activation of an AKS-managed Azure AD cluster has the following section in the response body: +A successful activation of an AKS-managed Microsoft Entra ID cluster has the following section in the response body: ```output "AADProfile": { A successful activation of an AKS-managed Azure AD cluster has the following sec } ``` -### Upgrade a legacy Azure AD cluster to AKS-managed Azure AD integration +<a name='upgrade-a-legacy-azure-ad-cluster-to-aks-managed-azure-ad-integration'></a> ++### Upgrade a legacy Microsoft Entra ID cluster to AKS-managed Microsoft Entra integration -If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD integration using the [`az aks update`][az-aks-update] command. +If your cluster uses legacy Microsoft Entra integration, you can upgrade to AKS-managed Microsoft Entra integration using the [`az aks update`][az-aks-update] command. > [!WARNING] > Free tier clusters may experience API server downtime during the upgrade. We recommend upgrading during your nonbusiness hours. If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed az aks update -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>] ``` -A successful migration of an AKS-managed Azure AD cluster has the following section in the response body: +A successful migration of an AKS-managed Microsoft Entra ID cluster has the following section in the response body: ```output "AADProfile": { A successful migration of an AKS-managed Azure AD cluster has the following sect } ``` -## Access your AKS-managed Azure AD enabled cluster +<a name='access-your-aks-managed-azure-ad-enabled-cluster'></a> ++## Access your AKS-managed Microsoft Entra ID enabled cluster 1. 
Get the user credentials to access your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command. A successful migration of an AKS-managed Azure AD cluster has the following sect There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with `kubectl`. You can use [`kubelogin`][kubelogin] to connect to the cluster with a non-interactive service principal credential. > [!NOTE]-> Azure AD integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Azure AD clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Azure AD clusters, or Azure AD clusters running a version older than 1.24. +> Microsoft Entra integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Microsoft Entra ID clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Microsoft Entra clusters, or Microsoft Entra ID clusters running a version older than 1.24. > Existing downloaded `kubeconfig` continues to work. An optional query parameter **format** is included when getting clusterUser credential to overwrite the default behavior change. You can explicitly specify format to **azure** if you need to maintain the old `kubeconfig` format . * When getting the clusterUser credential, you can use the `format` query parameter to overwrite the default behavior. 
You can set the value to `azure` to use the original kubeconfig format: There are some non-interactive scenarios, such as continuous integration pipelin az aks get-credentials --format azure ``` -* If your Azure AD integrated cluster uses Kubernetes version 1.24 or lower, you need to manually convert the kubeconfig format. +* If your Microsoft Entra integrated cluster uses Kubernetes version 1.24 or lower, you need to manually convert the kubeconfig format. ```azurecli-interactive export KUBECONFIG=/path/to/kubeconfig There are some non-interactive scenarios, such as continuous integration pipelin > > For more information, you can refer to [Azure Kubelogin Known Issues][azure-kubelogin-known-issues]. -## Troubleshoot access issues with AKS-managed Azure AD +<a name='troubleshoot-access-issues-with-aks-managed-azure-ad'></a> ++## Troubleshoot access issues with AKS-managed Microsoft Entra ID > [!IMPORTANT]-> The steps described in this section bypass the normal Azure AD group authentication. Use them only in an emergency. +> The steps described in this section bypass the normal Microsoft Entra group authentication. Use them only in an emergency. -If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster, you can still get admin credentials to directly access the cluster. You need to have access to the [Azure Kubernetes Service Cluster Admin](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) built-in role. +If you're permanently blocked by not having access to a valid Microsoft Entra group with access to your cluster, you can still get admin credentials to directly access the cluster. You need to have access to the [Azure Kubernetes Service Cluster Admin](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) built-in role. ## Next steps -* Learn about [Azure AD integration with Kubernetes RBAC][azure-ad-rbac]. 
+* Learn about [Microsoft Entra integration with Kubernetes RBAC][azure-ad-rbac]. * Learn more about [AKS and Kubernetes identity concepts][aks-concepts-identity].-* Use [Azure Resource Manager (ARM) templates][aks-arm-template] to create AKS-managed Azure AD enabled clusters. +* Use [Azure Resource Manager (ARM) templates][aks-arm-template] to create AKS-managed Microsoft Entra ID enabled clusters. <!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters |
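Review bot: The rewritten NOTE block is internally inconsistent about the kubelogin cutoff: it says clusters "using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format", the next sentence says "Starting with Kubernetes version 1.24, the default format of the clusterUser credential ... is `exec`", and the later bullet says clusters on "1.24 or lower" must convert manually; pick one boundary and state it the same way in all three places. Also, the limitation "+* Changing an AKS-managed Microsoft Entra integrated cluster to legacy Microsoft Entra ID isn't supported" reads as if the product itself is legacy; "legacy Microsoft Entra integration" matches the phrasing the same diff uses in the upgrade section ("If your cluster uses legacy Microsoft Entra integration").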
aks | Monitor Aks Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks-reference.md | The following table lists the resource log categories you can collect for AKS. I | kube-scheduler | Logs from the scheduler. | AKSControlPlane | | cluster-autoscaler | Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster. | AKSControlPlane | | cloud-controller-manager | Logs from the cloud-node-manager component of the Kubernetes cloud controller manager.| AKSControlPlane |-| guard | Managed Azure Active Directory and Azure RBAC audits. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. | AKSControlPlane | +| guard | Managed Microsoft Entra ID and Azure RBAC audits. For managed Microsoft Entra ID, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. | AKSControlPlane | | csi-azuredisk-controller | Logs from the Azure Disk CSI storage driver. | AKSControlPlane | | csi-azurefile-controller | Logs from the Azure Files CSI storage driver. | AKSControlPlane | | csi-snapshot-controller | Logs from the Azure CSI driver snapshot controller. | AKSControlPlane | |
aks | Open Ai Secure Access Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-ai-secure-access-quickstart.md | -In this article, you learn how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Azure Active Directory (Azure AD) Workload Identity. You learn how to: +In this article, you learn how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Microsoft Entra Workload ID. You learn how to: * Enable workload identities on an AKS cluster. * Create an Azure user-assigned managed identity.-* Create an Azure AD federated credential. +* Create a Microsoft Entra ID federated credential. * Enable workload identity on a Kubernetes Pod. > [!NOTE]-> We recommend using Azure AD Workload Identity and managed identities on AKS for Azure OpenAI access because it enables a secure, passwordless authentication process for accessing Azure resources. +> We recommend using Microsoft Entra Workload ID and managed identities on AKS for Azure OpenAI access because it enables a secure, passwordless authentication process for accessing Azure resources. ## Before you begin * You need an Azure account with an active subscription. If you don't have one, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * This article builds on [Deploy an application that uses OpenAI on AKS](./open-ai-quickstart.md). You should complete that article before you begin this one.-* You need a custom domain name enabled on your Azure OpenAI account to use for Azure AD authorization. For more information, see [Custom subdomain names for Azure AI services](../ai-services/cognitive-services-custom-subdomains.md). +* You need a custom domain name enabled on your Azure OpenAI account to use for Microsoft Entra authorization. For more information, see [Custom subdomain names for Azure AI services](../ai-services/cognitive-services-custom-subdomains.md). 
[!INCLUDE [azure-cli-prepare-your-environment.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)] -## Enable Azure AD Workload Identity on an AKS cluster +<a name='enable-azure-ad-workload-identity-on-an-aks-cluster'></a> -The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled on AKS by default. You must enable them on your AKS cluster before you can use them. +## Enable Microsoft Entra Workload ID on an AKS cluster ++The Microsoft Entra Workload ID and OIDC Issuer Endpoint features aren't enabled on AKS by default. You must enable them on your AKS cluster before you can use them. 1. Set the resource group name and AKS cluster resource group name variables. The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled AKS_NAME=$(az resource list --resource-group $RG_NAME --resource-type Microsoft.ContainerService/managedClusters --query "[0].name" -o tsv) ``` -2. Enable the Azure AD Workload Identity and OIDC Issuer Endpoint features on your existing AKS cluster using the [`az aks update`][az-aks-update] command. +2. Enable the Microsoft Entra Workload ID and OIDC Issuer Endpoint features on your existing AKS cluster using the [`az aks update`][az-aks-update] command. ```azurecli-interactive az aks update \ The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled --scope $AOAI_RESOURCE_ID ``` -## Create an Azure AD federated credential +<a name='create-an-azure-ad-federated-credential'></a> ++## Create a Microsoft Entra ID federated credential 1. Set the federated credential, namespace, and service account variables. 
The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME} ``` -## Use Azure AD Workload Identity on AKS +<a name='use-azure-ad-workload-identity-on-aks'></a> -To use Azure AD Workload Identity on AKS, you need to make a few changes to the `ai-service` deployment manifest. +## Use Microsoft Entra Workload ID on AKS ++To use Microsoft Entra Workload ID on AKS, you need to make a few changes to the `ai-service` deployment manifest. ### Create a ServiceAccount To use Azure AD Workload Identity on AKS, you need to make a few changes to the EOF ``` -### Enable Azure AD Workload Identity on the Pod +<a name='enable-azure-ad-workload-identity-on-the-pod'></a> ++### Enable Microsoft Entra Workload ID on the Pod 1. Set the Azure OpenAI resource name, endpoint, and deployment name variables. To use Azure AD Workload Identity on AKS, you need to make a few changes to the ## Next steps -In this article, you learned how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Azure Active Directory (Azure AD) Workload Identity. +In this article, you learned how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Microsoft Entra Workload ID. -For more information on Azure AD Workload Identity, see [Azure AD Workload Identity](./workload-identity-overview.md). +For more information on Microsoft Entra Workload ID, see [Microsoft Entra Workload ID](./workload-identity-overview.md). <!-- Links internal --> [az-aks-update]: /cli/azure/aks#az_aks_update |
aks | Operator Best Practices Cluster Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-cluster-isolation.md | For more information about these features, see [Best practices for advanced sche *Authentication and authorization* uses: * Role-based access control (RBAC).-* Azure Active Directory (AD) integration. +* Microsoft Entra integration. * Pod identities. * Secrets in Azure Key Vault. |
aks | Operator Best Practices Cluster Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-cluster-security.md | As you manage clusters in Azure Kubernetes Service (AKS), workload and data secu This article focuses on how to secure your AKS cluster. You learn how to: > [!div class="checklist"]-> * Use Azure Active Directory and Kubernetes role-based access control (Kubernetes RBAC) to secure API server access. +> * Use Microsoft Entra ID and Kubernetes role-based access control (Kubernetes RBAC) to secure API server access. > * Secure container access to node resources. > * Upgrade an AKS cluster to the latest Kubernetes version. > * Keep nodes up to date and automatically apply security patches. You can also read the best practices for [container image management][best-pract > **Best practice guidance** >-> One of the most important ways to secure your cluster is to secure access to the Kubernetes API server. To control access to the API server, integrate Kubernetes RBAC with Azure Active Directory (Azure AD). With these controls,you secure AKS the same way that you secure access to your Azure subscriptions. +> One of the most important ways to secure your cluster is to secure access to the Kubernetes API server. To control access to the API server, integrate Kubernetes RBAC with Microsoft Entra ID. With these controls,you secure AKS the same way that you secure access to your Azure subscriptions. The Kubernetes API server provides a single connection point for requests to perform actions within a cluster. To secure and audit access to the API server, limit access and provide the lowest possible permission levels. while this approach isn't unique to Kubernetes, it's especially important when you've logically isolated your AKS cluster for multi-tenant use. -Azure AD provides an enterprise-ready identity management solution that integrates with AKS clusters. 
Since Kubernetes doesn't provide an identity management solution, you may be hard-pressed to granularly restrict access to the API server. With Azure AD-integrated clusters in AKS, you use your existing user and group accounts to authenticate users to the API server. +Microsoft Entra ID provides an enterprise-ready identity management solution that integrates with AKS clusters. Since Kubernetes doesn't provide an identity management solution, you may be hard-pressed to granularly restrict access to the API server. With Microsoft Entra integrated clusters in AKS, you use your existing user and group accounts to authenticate users to the API server. -![Azure Active Directory integration for AKS clusters](media/operator-best-practices-cluster-security/aad-integration.png) +![Microsoft Entra integration for AKS clusters](media/operator-best-practices-cluster-security/aad-integration.png) -Using Kubernetes RBAC and Azure AD-integration, you can secure the API server and provide the minimum permissions required to a scoped resource set, like a single namespace. You can grant different Azure AD users or groups different Kubernetes roles. With granular permissions, you can restrict access to the API server and provide a clear audit trail of actions performed. +Using Kubernetes RBAC and Microsoft Entra ID-integration, you can secure the API server and provide the minimum permissions required to a scoped resource set, like a single namespace. You can grant different Microsoft Entra users or groups different Kubernetes roles. With granular permissions, you can restrict access to the API server and provide a clear audit trail of actions performed. -The recommended best practice is to use *groups* to provide access to files and folders instead of individual identities. For example, use an Azure AD *group* membership to bind users to Kubernetes roles rather than individual *users*. 
As a user's group membership changes, their access permissions on the AKS cluster change accordingly. +The recommended best practice is to use *groups* to provide access to files and folders instead of individual identities. For example, use a Microsoft Entra ID *group* membership to bind users to Kubernetes roles rather than individual *users*. As a user's group membership changes, their access permissions on the AKS cluster change accordingly. -Meanwhile, let's say you bind the individual user directly to a role and their job function changes. While the Azure AD group memberships update, their permissions on the AKS cluster would not. In this scenario, the user ends up with more permissions than they require. +Meanwhile, let's say you bind the individual user directly to a role and their job function changes. While the Microsoft Entra group memberships update, their permissions on the AKS cluster would not. In this scenario, the user ends up with more permissions than they require. -For more information about Azure AD integration, Kubernetes RBAC, and Azure RBAC, see [Best practices for authentication and authorization in AKS][aks-best-practices-identity]. +For more information about Microsoft Entra integration, Kubernetes RBAC, and Azure RBAC, see [Best practices for authentication and authorization in AKS][aks-best-practices-identity]. ## Restrict access to Instance Metadata API |
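Review bot: The rewritten best-practice callout still carries the missing space in "With these controls,you secure AKS"; fix it in the + line. The same hunk also produces "Microsoft Entra ID-integration", which stacks the product suffix onto the old "Azure AD-integration" hyphenation; "Microsoft Entra integration", as used elsewhere in this diff, reads correctly.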
aks | Operator Best Practices Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-identity.md | In this article, we discuss what recommended practices a cluster operator can fo > [!div class="checklist"] >-> * Authenticate AKS cluster users with Azure Active Directory (Azure AD). +> * Authenticate AKS cluster users with Microsoft Entra ID. > * Control access to resources with Kubernetes role-based access control (Kubernetes RBAC). > * Use Azure RBAC to granularly control access to the AKS resource, the Kubernetes API at scale, and the `kubeconfig`. > * Use a [managed identity][managed-identities] to authenticate pods with other services. -## Use Azure Active Directory (Azure AD) +<a name='use-azure-active-directory-azure-ad'></a> ++## Use Microsoft Entra ID > **Best practice guidance** >-> Deploy AKS clusters with [Azure AD integration][azure-ad-integration]. Using Azure AD centralizes the identity management layer. Any change in user account or group status is automatically updated in access to the AKS cluster. Scope users or groups to the minimum permissions amount using [Roles, ClusterRoles, or Bindings](#use-kubernetes-role-based-access-control-kubernetes-rbac). +> Deploy AKS clusters with [Microsoft Entra integration][azure-ad-integration]. Using Microsoft Entra ID centralizes the identity management layer. Any change in user account or group status is automatically updated in access to the AKS cluster. Scope users or groups to the minimum permissions amount using [Roles, ClusterRoles, or Bindings](#use-kubernetes-role-based-access-control-kubernetes-rbac). -Your Kubernetes cluster developers and application owners need access to different resources. Kubernetes lacks an identity management solution for you to control the resources with which users can interact. Instead, you can integrate your cluster with an existing identity solution like Azure AD, an enterprise-ready identity management solution. 
+Your Kubernetes cluster developers and application owners need access to different resources. Kubernetes lacks an identity management solution for you to control the resources with which users can interact. Instead, you can integrate your cluster with an existing identity solution like Microsoft Entra ID, an enterprise-ready identity management solution. -With Azure AD-integrated clusters in AKS, you create *Roles* or *ClusterRoles* defining access permissions to resources. You then *bind* the roles to users or groups from Azure AD. Learn more about these Kubernetes RBAC in [the next section](#use-kubernetes-role-based-access-control-kubernetes-rbac). Azure AD integration and how you control access to resources can be seen in the following diagram: +With Microsoft Entra integrated clusters in AKS, you create *Roles* or *ClusterRoles* defining access permissions to resources. You then *bind* the roles to users or groups from Microsoft Entra ID. Learn more about these Kubernetes RBAC in [the next section](#use-kubernetes-role-based-access-control-kubernetes-rbac). Microsoft Entra integration and how you control access to resources can be seen in the following diagram: -![Cluster-level authentication for Azure Active Directory integration with AKS](media/operator-best-practices-identity/cluster-level-authentication-flow.png) +![Cluster-level authentication for Microsoft Entra integration with AKS](media/operator-best-practices-identity/cluster-level-authentication-flow.png) -1. Developer authenticates with Azure AD. -1. The Azure AD token issuance endpoint issues the access token. -1. The developer performs an action using the Azure AD token, such as `kubectl create pod`. -1. Kubernetes validates the token with Azure AD and fetches the developer's group memberships. +1. Developer authenticates with Microsoft Entra ID. +1. The Microsoft Entra token issuance endpoint issues the access token. +1. 
The developer performs an action using the Microsoft Entra token, such as `kubectl create pod`. +1. Kubernetes validates the token with Microsoft Entra ID and fetches the developer's group memberships. 1. Kubernetes RBAC and cluster policies are applied.-1. The developer's request is successful based on previous validation of Azure AD group membership and Kubernetes RBAC and policies. +1. The developer's request is successful based on previous validation of Microsoft Entra group membership and Kubernetes RBAC and policies. -To create an AKS cluster that uses Azure AD, see [Integrate Azure Active Directory with AKS][aks-aad]. +To create an AKS cluster that uses Microsoft Entra ID, see [Integrate Microsoft Entra ID with AKS][aks-aad]. ## Use Kubernetes role-based access control (Kubernetes RBAC) > **Best practice guidance** >-> Define user or group permissions to cluster resources with Kubernetes RBAC. Create roles and bindings that assign the least amount of permissions required. Integrate with Azure AD to automatically update any user status or group membership change and keep access to cluster resources current. +> Define user or group permissions to cluster resources with Kubernetes RBAC. Create roles and bindings that assign the least amount of permissions required. Integrate with Microsoft Entra ID to automatically update any user status or group membership change and keep access to cluster resources current. In Kubernetes, you provide granular access control to cluster resources. You define permissions at the cluster level, or to specific namespaces. You determine what resources can be managed and with what permissions. You then apply these roles to users or groups with a binding. For more information about *Roles*, *ClusterRoles*, and *Bindings*, see [Access and identity options for Azure Kubernetes Service (AKS)][aks-concepts-identity]. 
rules: verbs: ["*"] ``` -You then create a *RoleBinding* and bind the Azure AD user *developer1\@contoso.com* to it, as shown in the following YAML manifest: +You then create a *RoleBinding* and bind the Microsoft Entra user *developer1\@contoso.com* to it, as shown in the following YAML manifest: ```yaml kind: RoleBinding roleRef: apiGroup: rbac.authorization.k8s.io ``` -When *developer1\@contoso.com* is authenticated against the AKS cluster, they have full permissions to resources in the *finance-app* namespace. In this way, you logically separate and control access to resources. Use Kubernetes RBAC with Azure AD-integration. +When *developer1\@contoso.com* is authenticated against the AKS cluster, they have full permissions to resources in the *finance-app* namespace. In this way, you logically separate and control access to resources. Use Kubernetes RBAC with Microsoft Entra ID-integration. -To learn how to use Azure AD groups to control access to Kubernetes resources using Kubernetes RBAC, see [Control access to cluster resources using role-based access control and Azure Active Directory identities in AKS][azure-ad-rbac]. +To learn how to use Microsoft Entra groups to control access to Kubernetes resources using Kubernetes RBAC, see [Control access to cluster resources using role-based access control and Microsoft Entra identities in AKS][azure-ad-rbac]. ## Use Azure RBAC There are two levels of access needed to fully operate an AKS cluster: ## Use pod-managed identities -Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Azure AD. +Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Microsoft Entra ID. > [!NOTE] > Pod identities are intended for use with Linux pods and container images only. 
Pod-managed identities (preview) support for Windows containers is coming soon. To access other Azure resources, like Azure Cosmos DB, Key Vault, or Blob storage, the pod needs authentication credentials. You could define authentication credentials with the container image or inject them as a Kubernetes secret. Either way, you would need to manually create and assign them. Usually, these credentials are reused across pods and aren't regularly rotated. -With pod-managed identities (preview) for Azure resources, you automatically request access to services through Azure AD. Pod-managed identities is currently in preview for AKS. Refer to the [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started. +With pod-managed identities (preview) for Azure resources, you automatically request access to services through Microsoft Entra ID. Pod-managed identities is currently in preview for AKS. Refer to the [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started. > [!NOTE]-> If you have enabled [Azure AD pod-managed identity][aad-pod-identity] on your AKS cluster or are considering implementing it, +> If you have enabled [Microsoft Entra pod-managed identity][aad-pod-identity] on your AKS cluster or are considering implementing it, > we recommend you first review the [workload identity overview][workload-identity-overview] article to understand our-> recommendations and options to set up your cluster to use an Azure AD workload identity (preview). +> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview). > This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities > to federate with any external identity providers. 
>-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. +> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. -Azure Active Directory pod-managed identity (preview) supports two modes of operation: +Microsoft Entra pod-managed identity (preview) supports two modes of operation: * **Standard** mode: In this mode, the following 2 components are deployed to the AKS cluster: * [Managed Identity Controller(MIC)](https://azure.github.io/aad-pod-identity/docs/concepts/mic/): A Kubernetes controller that watches for changes to pods, [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) through the Kubernetes API Server. When it detects a relevant change, the MIC adds or deletes [AzureAssignedIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureassignedidentity/) as needed. Specifically, when a pod is scheduled, the MIC assigns the managed identity on Azure to the underlying virtual machine scale set used by the node pool during the creation phase. When all pods using the identity are deleted, it removes the identity from the virtual machine scale set of the node pool, unless the same managed identity is used by other pods. The MIC takes similar actions when AzureIdentity or AzureIdentityBinding are created or deleted. - * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node. 
It redirects requests to itself and validates if the pod has access to the identity it's requesting a token for, and fetch the token from the Azure Active Directory tenant on behalf of the application. + * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node. It redirects requests to itself and validates if the pod has access to the identity it's requesting a token for, and fetch the token from the Microsoft Entra tenant on behalf of the application. * **Managed** mode: In this mode, there's only NMI. The identity needs to be manually assigned and managed by the user. For more information, see [Pod Identity in Managed Mode](https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/). In this mode, when you use the [az aks pod-identity add](/cli/azure/aks/pod-identity#az-aks-pod-identity-add) command to add a pod identity to an Azure Kubernetes Service (AKS) cluster, it creates the [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) in the namespace specified by the `--namespace` parameter, while the AKS resource provider assigns the managed identity specified by the `--identity-resource-id` parameter to virtual machine scale set of each node pool in the AKS cluster. > [!NOTE]-> If you instead decide to install the Azure Active Directory pod-managed identity using the [AKS cluster add-on](./use-azure-ad-pod-identity.md), setup uses the `managed` mode. +> If you instead decide to install the Microsoft Entra pod-managed identity using the [AKS cluster add-on](./use-azure-ad-pod-identity.md), setup uses the `managed` mode. 
The `managed` mode provides the following advantages over the `standard`: Instead of manually defining credentials for pods, pod-managed identities reques * **The Node Management Identity (NMI) server** is a pod that runs as a DaemonSet on each node in the AKS cluster. The NMI server listens for pod requests to Azure services. * **The Azure Resource Provider** queries the Kubernetes API server and checks for an Azure identity mapping that corresponds to a pod. -When pods request a security token from Azure Active Directory to access to an Azure resource, network rules redirect the traffic to the NMI server. +When pods request a security token from Microsoft Entra ID to access to an Azure resource, network rules redirect the traffic to the NMI server. 1. The NMI server: When pods request a security token from Azure Active Directory to access to an A * Queries the Azure Resource Provider. 1. The Azure Resource Provider checks for Azure identity mappings in the AKS cluster.-1. The NMI server requests an access token from Azure AD based on the pod's identity mapping. -1. Azure AD provides access to the NMI server, which is returned to the pod. +1. The NMI server requests an access token from Microsoft Entra ID based on the pod's identity mapping. +1. Microsoft Entra ID provides access to the NMI server, which is returned to the pod. * This access token can be used by the pod to then request access to resources in Azure. In the following example, a developer creates a pod that uses a managed identity to request access to Azure SQL Database: In the following example, a developer creates a pod that uses a managed identity ![Pod identities allow a pod to automatically request access to other resources.](media/operator-best-practices-identity/pod-identities.png) 1. Cluster operator creates a service account to map identities when pods request access to resources.-1. 
The NMI server is deployed to relay any pod requests, along with the Azure Resource Provider, for access tokens to Azure AD. +1. The NMI server is deployed to relay any pod requests, along with the Azure Resource Provider, for access tokens to Microsoft Entra ID. 1. A developer deploys a pod with a managed identity that requests an access token through the NMI server. 1. The token is returned to the pod and used to access Azure SQL Database -To use Pod-managed identities, see [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md). +To use Pod-managed identities, see [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md). ## Next steps This best practices article focused on authentication and authorization for your cluster and resources. To implement some of these best practices, see the following articles: -* [Integrate Azure Active Directory with AKS][aks-aad] -* [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md) +* [Integrate Microsoft Entra ID with AKS][aks-aad] +* [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md) For more information about cluster operations in AKS, see the following best practices: |
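Review bot: in the rewritten Kubernetes RBAC sentence, "Use Kubernetes RBAC with Microsoft Entra ID-integration" carries the hyphen over from "Azure AD-integration", and it now binds "ID" to "integration"; suggest "Use Kubernetes RBAC with Microsoft Entra ID integration". The rest of that hunk (the developer1\@contoso.com RoleBinding text and the best-practice callout) reads correctly after the rename.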
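Review bot: the pod-managed identity hunks keep two grammar slips from the removed lines instead of fixing them while the lines are being touched: the NMI bullet ends "validates if the pod has access to the identity it's requesting a token for, and fetch the token from the Microsoft Entra tenant" (should be "fetches"), and the token-flow sentence reads "When pods request a security token from Microsoft Entra ID to access to an Azure resource" (drop the second "to"). The unchanged sentence "Pod-managed identities is currently in preview for AKS" has the same problem ("are") and sits inside the same paragraph that the hunk rewrites, so it could go in the same change.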
aks | Outbound Rules Control Egress | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/outbound-rules-control-egress.md | The following network and FQDN/application rules are required for an AKS cluster | **`mcr.microsoft.com`** | **`HTTPS:443`** | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images/charts (for example, coreDNS, etc.). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. | | **`*.data.mcr.microsoft.com`** | **`HTTPS:443`** | Required for MCR storage backed by the Azure content delivery network (CDN). | | **`management.azure.com`** | **`HTTPS:443`** | Required for Kubernetes operations against the Azure API. |-| **`login.microsoftonline.com`** | **`HTTPS:443`** | Required for Azure Active Directory authentication. | +| **`login.microsoftonline.com`** | **`HTTPS:443`** | Required for Microsoft Entra authentication. | | **`packages.microsoft.com`** | **`HTTPS:443`** | This address is the Microsoft packages repository used for cached *apt-get* operations. Example packages include Moby, PowerShell, and Azure CLI. | | **`acs-mirror.azureedge.net`** | **`HTTPS:443`** | This address is for the repository required to download and install required binaries like kubenet and Azure CNI. | The following network and FQDN/application rules are required for an AKS cluster | **`mcr.microsoft.com`** | **`HTTPS:443`** | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images/charts (for example, coreDNS, etc.). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. | | **`.data.mcr.microsoft.com`** | **`HTTPS:443`** | Required for MCR storage backed by the Azure Content Delivery Network (CDN). | | **`management.chinacloudapi.cn`** | **`HTTPS:443`** | Required for Kubernetes operations against the Azure API. 
|-| **`login.chinacloudapi.cn`** | **`HTTPS:443`** | Required for Azure Active Directory authentication. | +| **`login.chinacloudapi.cn`** | **`HTTPS:443`** | Required for Microsoft Entra authentication. | | **`packages.microsoft.com`** | **`HTTPS:443`** | This address is the Microsoft packages repository used for cached *apt-get* operations. Example packages include Moby, PowerShell, and Azure CLI. | | **`*.azk8s.cn`** | **`HTTPS:443`** | This address is for the repository required to download and install required binaries like kubenet and Azure CNI. | The following network and FQDN/application rules are required for an AKS cluster | **`mcr.microsoft.com`** | **`HTTPS:443`** | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images/charts (for example, coreDNS, etc.). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. | | **`*.data.mcr.microsoft.com`** | **`HTTPS:443`** | Required for MCR storage backed by the Azure content delivery network (CDN). | | **`management.usgovcloudapi.net`** | **`HTTPS:443`** | Required for Kubernetes operations against the Azure API. |-| **`login.microsoftonline.us`** | **`HTTPS:443`** | Required for Azure Active Directory authentication. | +| **`login.microsoftonline.us`** | **`HTTPS:443`** | Required for Microsoft Entra authentication. | | **`packages.microsoft.com`** | **`HTTPS:443`** | This address is the Microsoft packages repository used for cached *apt-get* operations. Example packages include Moby, PowerShell, and Azure CLI. | | **`acs-mirror.azureedge.net`** | **`HTTPS:443`** | This address is for the repository required to install required binaries like kubenet and Azure CNI. | |
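Review bot: while all three FQDN tables are being edited for the login-endpoint rename, note that the China-cloud table lists `.data.mcr.microsoft.com` without the leading `*` that the public and US Government tables use (`*.data.mcr.microsoft.com`). If that is a typo it is worth fixing in the same pass, because an egress allowlist written from this row as printed would not match the wildcard hostnames and image pulls from MCR storage would be blocked. The three renamed rows themselves are consistent: each login endpoint keeps `HTTPS:443` and the same "Required for Microsoft Entra authentication" description.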
aks | Quickstart Event Grid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quickstart-event-grid.md | Remove-AzResourceGroup -Name MyResourceGroup > [!NOTE]-> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete]. +> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete]. > > If you used a managed identity, the identity is managed by the platform and does not require removal. |
aks | Trusted Access Feature | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/trusted-access-feature.md | -This feature allows services to securely connect to AKS and Kubernetes via the Azure backend without requiring private endpoint. Instead of relying on identities with [Microsoft Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) permissions, this feature can use your system-assigned managed identity to authenticate with the managed services and applications you want to use on top of AKS. +This feature allows services to securely connect to AKS and Kubernetes via the Azure backend without requiring private endpoint. Instead of relying on identities with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) permissions, this feature can use your system-assigned managed identity to authenticate with the managed services and applications you want to use on top of AKS. Trusted Access addresses the following scenarios: This article shows you how to enable secure access from your Azure services to y ## Trusted Access feature overview -Trusted Access enables you to give explicit consent to your system-assigned MSI of allowed resources to access your AKS clusters using an Azure resource *RoleBinding*. Your Azure resources access AKS clusters through the AKS regional gateway via system-assigned managed identity authentication with the appropriate Kubernetes permissions via an Azure resource *Role*. The Trusted Access feature allows you to access AKS clusters with different configurations, including but not limited to [private clusters](private-clusters.md), [clusters with local accounts disabled](manage-local-accounts-managed-azure-ad.md#disable-local-accounts), [Azure AD clusters](azure-ad-integration-cli.md), and [authorized IP range clusters](api-server-authorized-ip-ranges.md). 
+Trusted Access enables you to give explicit consent to your system-assigned MSI of allowed resources to access your AKS clusters using an Azure resource *RoleBinding*. Your Azure resources access AKS clusters through the AKS regional gateway via system-assigned managed identity authentication with the appropriate Kubernetes permissions via an Azure resource *Role*. The Trusted Access feature allows you to access AKS clusters with different configurations, including but not limited to [private clusters](private-clusters.md), [clusters with local accounts disabled](manage-local-accounts-managed-azure-ad.md#disable-local-accounts), [Microsoft Entra ID clusters](azure-ad-integration-cli.md), and [authorized IP range clusters](api-server-authorized-ip-ranges.md). ## Prerequisites |
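Review bot: the rewritten overview sentence still says "give explicit consent to your system-assigned MSI" while the very next sentence says "system-assigned managed identity"; since this hunk is a terminology update, replacing the legacy "MSI" abbreviation here as well keeps the paragraph consistent. Minor: "without requiring private endpoint" in the first hunk is missing its article ("a private endpoint").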
aks | Tutorial Kubernetes Deploy Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-deploy-cluster.md | In previous tutorials, you created a container image and uploaded it to an ACR i AKS clusters can use [Kubernetes role-based access control (Kubernetes RBAC)][k8s-rbac], which allows you to define access to resources based on roles assigned to users. If a user is assigned multiple roles, permissions are combined. Permissions can be scoped to either a single namespace or across the whole cluster. -To learn more about AKS and Kubernetes RBAC, see [Control access to cluster resources using Kubernetes RBAC and Azure Active Directory identities in AKS][aks-k8s-rbac]. +To learn more about AKS and Kubernetes RBAC, see [Control access to cluster resources using Kubernetes RBAC and Microsoft Entra identities in AKS][aks-k8s-rbac]. ### [Azure CLI](#tab/azure-cli) |
aks | Tutorial Kubernetes Upgrade Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-upgrade-cluster.md | Delete your cluster using the following steps: > [!NOTE]-> When you delete the cluster, the Azure Active Directory (Azure AD) service principal used by the AKS cluster isn't removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete]. If you used a managed identity, the identity is managed by the platform and doesn't require that you provision or rotate any secrets. +> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster isn't removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete]. If you used a managed identity, the identity is managed by the platform and doesn't require that you provision or rotate any secrets. ## Next steps |
aks | Update Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/update-credentials.md | Title: Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster -description: Learn how update or rotate the service principal or Azure AD Application credentials for an Azure Kubernetes Service (AKS) cluster. +description: Learn how update or rotate the service principal or Microsoft Entra Application credentials for an Azure Kubernetes Service (AKS) cluster. Last updated 03/01/2023 Last updated 03/01/2023 # Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster -AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. AKS clusters [integrated with Azure Active Directory (Azure AD)][aad-integration] as an authentication provider have two more identities: the Azure AD Server App and the Azure AD Client App. This article details how to update the service principal and Azure AD credentials for an AKS cluster. +AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. AKS clusters [integrated with Microsoft Entra ID][aad-integration] as an authentication provider have two more identities: the Microsoft Entra Server App and the Microsoft Entra Client App. This article details how to update the service principal and Microsoft Entra credentials for an AKS cluster. > [!NOTE] > Alternatively, you can use a managed identity for permissions instead of a service principal. Managed identities don't require updates or rotations. 
For more information, see [Use managed identities](use-managed-identity.md). az aks update-credentials \ --client-secret "${SP_SECRET}" ``` -## Update AKS cluster with new Azure AD application credentials +<a name='update-aks-cluster-with-new-azure-ad-application-credentials'></a> -You can create new Azure AD server and client applications by following the [Azure AD integration steps][create-aad-app], or reset your existing Azure AD applications following the [same method as for service principal reset][reset-existing-service-principal-credentials]. After that, you need to update your cluster Azure AD application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables. +## Update AKS cluster with new Microsoft Entra application credentials ++You can create new Microsoft Entra server and client applications by following the [Microsoft Entra integration steps][create-aad-app], or reset your existing Microsoft Entra applications following the [same method as for service principal reset][reset-existing-service-principal-credentials]. After that, you need to update your cluster Microsoft Entra application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables. ```azurecli-interactive az aks update-credentials \ az aks update-credentials \ ## Next steps -In this article, you learned how to update or rotate service principal and Azure AD application credentials. For more information on how to use a manage identity for workloads within an AKS cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity]. +In this article, you learned how to update or rotate service principal and Microsoft Entra application credentials. For more information on how to use a manage identity for workloads within an AKS cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity]. 
<!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli |
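Review bot: two grammar errors survive in lines this change rewrites: the new description reads "Learn how update or rotate the service principal or Microsoft Entra Application credentials" (missing "to", and "Application" need not be capitalised), and the rewritten Next steps sentence reads "how to use a manage identity for workloads" (should be "managed identity"). Both are `+` lines, so they can be corrected in this change rather than a follow-up. Keeping the explicit `<a name='update-aks-cluster-with-new-azure-ad-application-credentials'></a>` anchor above the renamed heading is the right call, since existing deep links to the `--reset-aad` procedure would otherwise break.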
aks | Upgrade Windows 2019 2022 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-windows-2019-2022.md | Node Selector is the most common and recommended option for placement of Windows ## Security and authentication considerations -If you're using Group Managed Service Accounts (gMSA), you need to update the Managed Identity configuration for the new node pool. gMSA uses a secret (user account and password) so the node that runs the Windows pod can authenticate the container against Azure Active Directory (Azure AD). To access that secret on Azure Key Vault, the node uses a Managed Identity that allows the node to access the resource. Since Managed Identities are configured per node pool, and the pod now resides on a new node pool, you need to update that configuration. For more information, see [Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster](./use-group-managed-service-accounts.md). +If you're using Group Managed Service Accounts (gMSA), you need to update the Managed Identity configuration for the new node pool. gMSA uses a secret (user account and password) so the node that runs the Windows pod can authenticate the container against Microsoft Entra ID. To access that secret on Azure Key Vault, the node uses a Managed Identity that allows the node to access the resource. Since Managed Identities are configured per node pool, and the pod now resides on a new node pool, you need to update that configuration. For more information, see [Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster](./use-group-managed-service-accounts.md). The same principle applies to Managed Identities for any other pod or node pool when accessing other Azure resources. You need to update any access that Managed Identity provides to reflect the new node pool. 
To view update and sign-in activities, see [How to view Managed Identity activity](../active-directory/managed-identities-azure-resources/how-to-view-managed-identity-activity.md). |
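Review bot: check that the mechanical rename is correct in this sentence before merging. A Group Managed Service Account is a Windows Server Active Directory Domain Services feature, so the container authenticates against the AD domain the gMSA belongs to, not against Microsoft Entra ID; the original "Azure Active Directory (Azure AD)" wording was already doubtful, and replacing it with "Microsoft Entra ID" cements the wrong service. Suggest "authenticate the container against Active Directory" and keep the Key Vault and Managed Identity part of the sentence as written, since that part (the node's managed identity reading the gMSA secret from Key Vault) is what actually changes when the pod moves to a new node pool.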
aks | Use Azure Ad Pod Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-ad-pod-identity.md | Title: Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview) -description: Learn how to use Azure AD pod-managed identities in Azure Kubernetes Service (AKS) + Title: Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview) +description: Learn how to use Microsoft Entra pod-managed identities in Azure Kubernetes Service (AKS) Last updated 08/15/2023 -# Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview) +# Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview) -Azure Active Directory (Azure AD) pod-managed identities use Kubernetes primitives to associate [managed identities for Azure resources][az-managed-identities] and identities in Azure AD with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Azure AD as an identity provider. +Microsoft Entra pod-managed identities use Kubernetes primitives to associate [managed identities for Azure resources][az-managed-identities] and identities in Microsoft Entra ID with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Microsoft Entra ID as an identity provider. > [!IMPORTANT]-> We recommend you review [Azure AD workload identity][workload-identity-overview]. +> We recommend you review [Microsoft Entra Workload ID][workload-identity-overview]. > This authentication method replaces pod-managed identity (preview), which integrates with the > Kubernetes native capabilities to federate with any external identity providers on behalf of the > application. 
>-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024. +> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024. > > To disable the AKS Managed add-on, use the following command: `az feature unregister --namespace "Microsoft.ContainerService" --name "EnablePodIdentityPreview"`. az provider register --namespace Microsoft.ContainerService ## Operation mode options -Azure AD pod-managed identity supports two modes of operation: +Microsoft Entra pod-managed identity supports two modes of operation: * **Standard Mode**: In this mode, the following two components are deployed to the AKS cluster: * [Managed Identity Controller (MIC)](https://azure.github.io/aad-pod-identity/docs/concepts/mic/): An MIC is a Kubernetes controller that watches for changes to pods, [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) through the Kubernetes API Server. When it detects a relevant change, the MIC adds or deletes [AzureAssignedIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureassignedidentity/) as needed. Specifically, when a pod is scheduled, the MIC assigns the managed identity on Azure to the underlying Virtual Machine Scale Set used by the node pool during the creation phase. 
When all pods using the identity are deleted, it removes the identity from the Virtual Machine Scale Set of the node pool, unless the same managed identity is used by other pods. The MIC takes similar actions when AzureIdentity or AzureIdentityBinding are created or deleted.- * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): NMI is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Azure AD tenant on behalf of the application. + * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): NMI is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Microsoft Entra tenant on behalf of the application. * **Managed Mode**: This mode offers only NMI. When installed via the AKS cluster add-on, Azure manages creation of Kubernetes primitives (AzureIdentity and AzureIdentityBinding) and identity assignment in response to CLI commands by the user. Otherwise, if installed via Helm chart, the identity needs to be manually assigned and managed by the user. For more information, see [Pod identity in managed mode](https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/). 
-When you install the Azure AD pod-managed identity via Helm chart or YAML manifest as shown in the [Installation Guide](https://azure.github.io/aad-pod-identity/docs/getting-started/installation/), you can choose between the `standard` and `managed` mode. If you instead decide to install the Azure AD pod-managed identity using the AKS cluster add-on as shown in this article, the setup will use the `managed` mode. +When you install the Microsoft Entra pod-managed identity via Helm chart or YAML manifest as shown in the [Installation Guide](https://azure.github.io/aad-pod-identity/docs/getting-started/installation/), you can choose between the `standard` and `managed` mode. If you instead decide to install the Microsoft Entra pod-managed identity using the AKS cluster add-on as shown in this article, the setup will use the `managed` mode. ## Create an AKS cluster with Azure Container Networking Interface (CNI) az aks get-credentials --resource-group myResourceGroup --name myAKSCluster ``` > [!NOTE]-> When you enable pod-managed identity on your AKS cluster, an AzurePodIdentityException named *aks-addon-exception* is added to the *kube-system* namespace. An AzurePodIdentityException allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the NMI server. The *aks-addon-exception* allows AKS first-party addons, such as Azure AD pod-managed identity, to operate without having to manually configure an AzurePodIdentityException. Optionally, you can add, remove, and update an AzurePodIdentityException using `az aks pod-identity exception add`, `az aks pod-identity exception delete`, `az aks pod-identity exception update`, or `kubectl`. +> When you enable pod-managed identity on your AKS cluster, an AzurePodIdentityException named *aks-addon-exception* is added to the *kube-system* namespace. 
An AzurePodIdentityException allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the NMI server. The *aks-addon-exception* allows AKS first-party addons, such as Microsoft Entra pod-managed identity, to operate without having to manually configure an AzurePodIdentityException. Optionally, you can add, remove, and update an AzurePodIdentityException using `az aks pod-identity exception add`, `az aks pod-identity exception delete`, `az aks pod-identity exception update`, or `kubectl`. ## Update an existing AKS cluster with Azure CNI Update an existing AKS cluster with Azure CNI to include pod-managed identity. az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity ``` -## Using Kubenet network plugin with Azure Active Directory pod-managed identities +<a name='using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities'></a> ++## Using Kubenet network plugin with Microsoft Entra pod-managed identities > [!IMPORTANT]-> Running Azure AD pod-managed identity in a cluster with Kubenet is not a recommended configuration due to security concerns. Default Kubenet configuration fails to prevent ARP spoofing, which could be utilized by a pod to act as another pod and gain access to an identity it's not intended to have. Please follow the mitigation steps and configure policies before enabling Azure AD pod-managed identity in a cluster with Kubenet. +> Running Microsoft Entra pod-managed identity in a cluster with Kubenet is not a recommended configuration due to security concerns. Default Kubenet configuration fails to prevent ARP spoofing, which could be utilized by a pod to act as another pod and gain access to an identity it's not intended to have. Please follow the mitigation steps and configure policies before enabling Microsoft Entra pod-managed identity in a cluster with Kubenet. 
### Mitigation kubectl get azureidentitybinding -n $POD_IDENTITY_NAMESPACE ## Run a sample application -For a pod to use Azure AD pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. By default, the selector will match the name of the pod-managed identity, but it can also be set using the `--binding-selector` option when calling `az aks pod-identity add`. +For a pod to use Microsoft Entra pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. By default, the selector will match the name of the pod-managed identity, but it can also be set using the `--binding-selector` option when calling `az aks pod-identity add`. -To run a sample application using Azure AD pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription ID. +To run a sample application using Microsoft Entra pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription ID. > [!NOTE] > In the previous steps, you created the *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* variables. You can use a command such as `echo` to display the value you set for variables, for example `echo $POD_IDENTITY_NAME`. az aks update --resource-group myResourceGroup --name myAKSCluster --disable-pod ## Clean up -To remove an Azure AD pod-managed identity from your cluster, remove the sample application and the pod-managed identity from the cluster. Then remove the identity and the role assignment of cluster identity. 
+To remove a Microsoft Entra pod-managed identity from your cluster, remove the sample application and the pod-managed identity from the cluster. Then remove the identity and the role assignment of cluster identity. ```bash kubectl delete pod demo --namespace $POD_IDENTITY_NAMESPACE |
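Review bot: The sample-application paragraph in this row still reads "a selector from a *AzureIdentityBinding*" in the renamed line; since that line is being rewritten anyway, fix the article to "an *AzureIdentityBinding*".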
aks | Use Group Managed Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-group-managed-service-accounts.md | Last updated 08/30/2023 To use GMSA with AKS, you need a standard domain user credential to access the GMSA credential configured on your domain controller. To configure GMSA on your domain controller, see [Get started with Group Managed Service Accounts][gmsa-getting-started]. For the standard domain user credential, you can use an existing user or create a new one, as long as it has access to the GMSA credential. > [!IMPORTANT]-> You must use either Active Directory Domain Service or on-premises Active Directory. At this time, you can't use Azure Active Directory to configure GMSA with an AKS cluster. +> You must use either Active Directory Domain Service or on-premises Active Directory. At this time, you can't use Microsoft Entra ID to configure GMSA with an AKS cluster. ## Store the standard domain user credentials in Azure Key Vault |
aks | Use Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md | Last updated 07/31/2023 # Use a managed identity in Azure Kubernetes Service (AKS) -Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. This identity can be a *managed identity* or *service principal*. A system-assigned managed identity is automatically created when you create an AKS cluster. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources][managed-identity-resources-overview]. +Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. This identity can be a *managed identity* or *service principal*. A system-assigned managed identity is automatically created when you create an AKS cluster. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources][managed-identity-resources-overview]. AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*. 
AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable. > [!NOTE]-> If you're considering implementing [Azure AD pod-managed identity][aad-pod-identity] on your AKS cluster, we recommend you first review the [Azure AD workload identity overview][workload-identity-overview]. This authentication method replaces Azure AD pod-managed identity (preview) and is the recommended method. +> If you're considering implementing [Microsoft Entra pod-managed identity][aad-pod-identity] on your AKS cluster, we recommend you first review the [Microsoft Entra Workload ID overview][workload-identity-overview]. This authentication method replaces Microsoft Entra pod-managed identity (preview) and is the recommended method. ## Before you begin AKS doesn't automatically create a [service principal](kubernetes-service-princi ## Limitations * Tenants moving or migrating a managed identity-enabled cluster isn't supported.-* If the cluster has Azure AD pod-managed identity (`aad-pod-identity`) enabled, Node-Managed Identity (NMI) pods modify the iptables of the nodes to intercept calls to the Azure Instance Metadata (IMDS) endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI, even if the pod doesn't use `aad-pod-identity`. AzurePodIdentityException CRD can be configured to inform `aad-pod-identity` of any requests to the Metadata endpoint originating from a pod that matches labels defined in CRD should be proxied without any processing in NMI. The system pods with `kubernetes.azure.com/managedby: aks` label in *kube-system* namespace should be excluded in `aad-pod-identity` by configuring the AzurePodIdentityException CRD. - * For more information, see [Disable aad-pod-identity for a specific pod or application](./use-azure-ad-pod-identity.md#clean-up). 
+* If the cluster has Microsoft Entra pod-managed identity (`aad-pod-identity`) enabled, Node-Managed Identity (NMI) pods modify the iptables of the nodes to intercept calls to the Azure Instance Metadata (IMDS) endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI, even if the pod doesn't use `aad-pod-identity`. AzurePodIdentityException CRD can be configured to inform `aad-pod-identity` of any requests to the Metadata endpoint originating from a pod that matches labels defined in CRD should be proxied without any processing in NMI. The system pods with `kubernetes.azure.com/managedby: aks` label in *kube-system* namespace should be excluded in `aad-pod-identity` by configuring the AzurePodIdentityException CRD. + * For more information, see [Disable Microsoft Entra ID-pod-identity for a specific pod or application](./use-azure-ad-pod-identity.md#clean-up). * To configure an exception, install the [mic-exception YAML](https://github.com/Azure/aad-pod-identity/blob/master/deploy/infra/mic-exception.yaml). * AKS doesn't support the use of a system-assigned managed identity if using a custom private DNS zone. AKS uses several managed identities for built-in services and add-ons. | Add-on | Ingress application gateway | Manages required network resources. | Contributor role for node resource group | No | Add-on | omsagent | Used to send AKS metrics to Azure Monitor. | Monitoring Metrics Publisher role | No | Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI). | Contributor role for node resource group | No-| OSS project | aad-pod-identity | Enables applications to access cloud resources securely with Microsoft Azure Active Directory (Azure AD). | N/A | Steps to grant permission at [Azure AD Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md). 
+| OSS project | Microsoft Entra ID-pod-identity | Enables applications to access cloud resources securely with Microsoft Entra ID. | N/A | Steps to grant permission at [Microsoft Entra Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md). ## Enable managed identities on a new AKS cluster |
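Review bot: The mechanical rename corrupts a project identifier in two places in this row: the link text "Disable Microsoft Entra ID-pod-identity for a specific pod or application" and the table cell "| OSS project | Microsoft Entra ID-pod-identity |". `aad-pod-identity` is the name of the open-source project and its CRD, not a product name (the same bullet keeps it as `aad-pod-identity` in code font, and the link target is still use-azure-ad-pod-identity.md), so the Azure AD rename should not be applied to it. Restore the identifier in both spots, for example "| OSS project | aad-pod-identity | Enables applications to access cloud resources securely with Microsoft Entra ID. |"; the "Microsoft Entra Pod Identity Role Assignment configuration" link text is fine as it stands.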
aks | Use Oidc Issuer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-oidc-issuer.md | Last updated 07/26/2023 # Create an OpenID Connect provider on Azure Kubernetes Service (AKS) -[OpenID Connect][open-id-connect-overview] (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol issued by Azure Active Directory (Azure AD). You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications, on your Azure Kubernetes Service (AKS) cluster, by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover the API server's public signing keys. +[OpenID Connect][open-id-connect-overview] (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol issued by Microsoft Entra ID. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications, on your Azure Kubernetes Service (AKS) cluster, by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Microsoft Entra ID or other cloud provider identity and access management platform, to discover the API server's public signing keys. AKS rotates the key automatically and periodically. If you don't want to wait, you can rotate the key manually and immediately. The maximum lifetime of the token issued by the OIDC provider is one day. 
During key rotation, there is one additional key present in the discovery docume ## Next steps * See [configure creating a trust relationship between an app and an external identity provider](../active-directory/develop/workload-identity-federation-create-trust.md) to understand how a federated identity credential creates a trust relationship between an application on your cluster and an external identity provider.-* Review [Azure AD workload identity][azure-ad-workload-identity-overview] (preview). This authentication method integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application. +* Review [Microsoft Entra Workload ID][azure-ad-workload-identity-overview] (preview). This authentication method integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application. * See [Secure pod network traffic][secure-pod-network-traffic] to understand how to use the Network Policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. <!-- LINKS - external --> |
aks | Use Pod Security Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-pod-security-policies.md | It's important to understand how these default policies interact with user reque ## Create a test user in an AKS cluster -When you use the [`az aks get-credentials`][az-aks-get-credentials] command, the *admin* credentials for the AKS cluster are added to your `kubectl` config by default. The admin user bypasses the enforcement of pod security policies. If you use Azure Active Directory integration for your AKS clusters, you can sign in with the credentials of a non-admin user to see the enforcement of policies in action. +When you use the [`az aks get-credentials`][az-aks-get-credentials] command, the *admin* credentials for the AKS cluster are added to your `kubectl` config by default. The admin user bypasses the enforcement of pod security policies. If you use Microsoft Entra integration for your AKS clusters, you can sign in with the credentials of a non-admin user to see the enforcement of policies in action. 1. Create a sample namespace named *psp-aks* for test resources using the [`kubectl create namespace`][kubectl-create] command. |
aks | Virtual Nodes Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/virtual-nodes-cli.md | For more information on managed identities, see [Use managed identities](use-man The pod is assigned an internal IP address from the Azure virtual network subnet delegated for use with virtual nodes. > [!NOTE]-> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A current limitation of virtual nodes is you can't use integrated Azure AD service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`. +> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A current limitation of virtual nodes is you can't use integrated Microsoft Entra service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`. ## Test the virtual node pod |
aks | Virtual Nodes Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/virtual-nodes-portal.md | The Azure Cloud Shell is a free interactive shell you can use to run the steps i ``` > [!NOTE]-> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A limitation of virtual nodes is you can't use integrated Azure AD service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`. +> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A limitation of virtual nodes is you can't use integrated Microsoft Entra service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`. ## Test the virtual node pod |
aks | Workload Identity Deploy Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-deploy-cluster.md | Title: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workload identity -description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with an Azure AD workload identity. +description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with a Microsoft Entra Workload ID. Last updated 09/27/2023 Last updated 09/27/2023 Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this article, you will: -* Deploy an AKS cluster using the Azure CLI that includes the OpenID Connect Issuer and an Azure AD workload identity +* Deploy an AKS cluster using the Azure CLI that includes the OpenID Connect Issuer and a Microsoft Entra Workload ID * Grant access to your Azure Key Vault-* Create an Azure Active Directory (Azure AD) workload identity and Kubernetes service account +* Create a Microsoft Entra Workload ID and Kubernetes service account * Configure the managed identity for token federation. -This article assumes you have a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts]. If you aren't familiar with Azure AD workload identity, see the following [Overview][workload-identity-overview] article. +This article assumes you have a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts]. If you aren't familiar with Microsoft Entra Workload ID, see the following [Overview][workload-identity-overview] article. - This article requires version 2.47.0 or later of the Azure CLI. 
If using Azure Cloud Shell, the latest version is already installed. You can retrieve this information using the Azure CLI command: [az keyvault list ## Disable workload identity -To disable the Azure AD workload identity on the AKS cluster where it's been enabled and configured, you can run the following command: +To disable the Microsoft Entra Workload ID on the AKS cluster where it's been enabled and configured, you can run the following command: ```azurecli-interactive az aks update --resource-group myResourceGroup --name myAKSCluster --disable-workload-identity |
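Review bot: In the task list and description of this row, the rename turns the countable phrase "an Azure AD workload identity" into "a Microsoft Entra Workload ID" ("Create a Microsoft Entra Workload ID and Kubernetes service account", "configure it with a Microsoft Entra Workload ID"). Microsoft Entra Workload ID is the feature name, not something you create one of; suggest "Create a workload identity and Kubernetes service account" and "configure it with Microsoft Entra Workload ID", reserving the feature name for places where the original meant the feature, as the "Disable workload identity" paragraph already does.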
aks | Workload Identity Migrate From Pod Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-migrate-from-pod-identity.md | Last updated 07/31/2023 # Migrate from pod managed-identity to workload identity -This article focuses on migrating from a pod-managed identity to Azure Active Directory (Azure AD) workload identity for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application. +This article focuses on migrating from a pod-managed identity to Microsoft Entra Workload ID for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application. -If you aren't familiar with Azure AD workload identity, see the following [Overview][workload-identity-overview] article. +If you aren't familiar with Microsoft Entra Workload ID, see the following [Overview][workload-identity-overview] article. ## Before you begin For either scenario, you need to have the federated trust set up before you upda - [Create a managed identity](#create-a-managed-identity) credential. - Associate the managed identity with the kubernetes service account already used for the pod-managed identity or [create a new Kubernetes service account](#create-kubernetes-service-account) and then associate it with the managed identity.-- [Establish a federated trust relationship](#establish-federated-identity-credential-trust) between the managed identity and Azure AD.+- [Establish a federated trust relationship](#establish-federated-identity-credential-trust) between the managed identity and Microsoft Entra ID. 
### Migrate from latest version I0926 00:29:31.101998 1 proxy.go:129] proxy "msg"="successfully acquired t ## Remove pod-managed identity -After you've completed your testing and the application is successfully able to get a token using the proxy sidecar, you can remove the Azure AD pod-managed identity mapping for the pod from your cluster, and then remove the identity. +After you've completed your testing and the application is successfully able to get a token using the proxy sidecar, you can remove the Microsoft Entra pod-managed identity mapping for the pod from your cluster, and then remove the identity. 1. Run the [az aks pod-identity delete][az-aks-pod-identity-delete] command to remove the identity from your pod. This should only be done after all pods in the namespace using the pod-managed identity mapping have migrated to use the sidecar. After you've completed your testing and the application is successfully able to ## Next steps -This article showed you how to set up your pod to authenticate using a workload identity as a migration option. For more information about Azure AD workload identity, see the following [Overview][workload-identity-overview] article. +This article showed you how to set up your pod to authenticate using a workload identity as a migration option. For more information about Microsoft Entra Workload ID, see the following [Overview][workload-identity-overview] article. <!-- INTERNAL LINKS --> [pod-annotations]: workload-identity-overview.md#pod-annotations |
aks | Workload Identity Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-overview.md | Title: Use an Azure AD workload identity on Azure Kubernetes Service (AKS) -description: Learn about Azure Active Directory workload identity for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity. + Title: Use a Microsoft Entra Workload ID on Azure Kubernetes Service (AKS) +description: Learn about Microsoft Entra Workload ID for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity. Last updated 09/13/2023 -# Use Azure AD workload identity with Azure Kubernetes Service (AKS) +# Use Microsoft Entra Workload ID with Azure Kubernetes Service (AKS) -Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Azure Active Directory (Azure AD) application credentials or managed identities to access Azure AD protected resources, such as Azure Key Vault and Microsoft Graph. Azure AD workload identity integrates with the capabilities native to Kubernetes to federate with external identity providers. +Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Microsoft Entra application credentials or managed identities to access Microsoft Entra protected resources, such as Azure Key Vault and Microsoft Graph. Microsoft Entra Workload ID integrates with the capabilities native to Kubernetes to federate with external identity providers. -[Azure AD workload identity][azure-ad-workload-identity] uses [Service Account Token Volume Projection][service-account-token-volume-projection] enabling pods to use a Kubernetes identity (that is, a service account). A Kubernetes token is issued and [OIDC federation][oidc-federation] enables Kubernetes applications to access Azure resources securely with Azure AD based on annotated service accounts. 
+[Microsoft Entra Workload ID][azure-ad-workload-identity] uses [Service Account Token Volume Projection][service-account-token-volume-projection] enabling pods to use a Kubernetes identity (that is, a service account). A Kubernetes token is issued and [OIDC federation][oidc-federation] enables Kubernetes applications to access Azure resources securely with Microsoft Entra ID based on annotated service accounts. -Azure AD workload identity works especially well with the [Azure Identity client libraries](#azure-identity-client-libraries) and the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL) collection if you're using [application registration][azure-ad-application-registration]. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources. +Microsoft Entra Workload ID works especially well with the [Azure Identity client libraries](#azure-identity-client-libraries) and the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL) collection if you're using [application registration][azure-ad-application-registration]. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources. -This article helps you understand this new authentication feature, and reviews the options available to plan your project strategy and potential migration from Azure AD pod-managed identity. +This article helps you understand this new authentication feature, and reviews the options available to plan your project strategy and potential migration from Microsoft Entra pod-managed identity. ## Dependencies -- AKS supports Azure AD workload identities on version 1.22 and higher.+- AKS supports Microsoft Entra Workload ID on version 1.22 and higher. - The Azure CLI version 2.47.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. 
## Azure Identity client libraries The following client libraries are the **minimum** version required. | Ecosystem | Library | Image | Example | Has Windows | |--|--|-|-|-|-| .NET | [microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | `ghcr.io/azure/azure-workload-identity/msal-net:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes | -| Go | [microsoft-authentication-library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | `ghcr.io/azure/azure-workload-identity/msal-go:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes | -| Java | [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | `ghcr.io/azure/azure-workload-identity/msal-java:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No | -| JavaScript | [microsoft-authentication-library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `ghcr.io/azure/azure-workload-identity/msal-node:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No | -| Python | [microsoft-authentication-library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | `ghcr.io/azure/azure-workload-identity/msal-python:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No | +| .NET | [Microsoft Authentication Library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | `ghcr.io/azure/azure-workload-identity/msal-net:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes | +| Go | [Microsoft Authentication Library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | 
`ghcr.io/azure/azure-workload-identity/msal-go:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes | +| Java | [Microsoft Authentication Library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | `ghcr.io/azure/azure-workload-identity/msal-java:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No | +| JavaScript | [Microsoft Authentication Library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `ghcr.io/azure/azure-workload-identity/msal-node:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No | +| Python | [Microsoft Authentication Library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | `ghcr.io/azure/azure-workload-identity/msal-python:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No | ## Limitations The following client libraries are the **minimum** version required. ## How it works -In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library or the Microsoft Authentication Library. +In this security model, the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library or the Microsoft Authentication Library. 
:::image type="content" source="media/workload-identity-overview/aks-workload-identity-model.png" alt-text="Diagram of the AKS workload identity security model."::: -The following table describes the required OIDC issuer endpoints for Azure AD workload identity: +The following table describes the required OIDC issuer endpoints for Microsoft Entra Workload ID: |Endpoint |Description | ||| |`{IssuerURL}/.well-known/openid-configuration` |Also known as the OIDC discovery document. This contains the metadata about the issuer's configurations. |-|`{IssuerURL}/openid/v1/jwks` |This contains the public signing key(s) that Azure AD uses to verify the authenticity of the service account token. | +|`{IssuerURL}/openid/v1/jwks` |This contains the public signing key(s) that Microsoft Entra ID uses to verify the authenticity of the service account token. | The following diagram summarizes the authentication sequence using OpenID Connect. Similar to other webhook addons, the certificate is rotated by cluster certifica ## Service account labels and annotations -Azure AD workload identity supports the following mappings related to a service account: +Microsoft Entra Workload ID supports the following mappings related to a service account: -- One-to-one where a service account references an Azure AD object.-- Many-to-one where multiple service accounts references the same Azure AD object.-- One-to-many where a service account references multiple Azure AD objects by changing the client ID annotation. For more information, see [How to federate multiple identities with a Kubernetes service account][multiple-identities].+- One-to-one where a service account references a Microsoft Entra object. +- Many-to-one where multiple service accounts references the same Microsoft Entra object. +- One-to-many where a service account references multiple Microsoft Entra objects by changing the client ID annotation. 
For more information, see [How to federate multiple identities with a Kubernetes service account][multiple-identities]. > [!NOTE] > If the service account annotations are updated, you need to restart the pod for the changes to take effect. -If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think of a service account as an Azure Identity, except a service account is part of the core Kubernetes API, rather than a [Custom Resource Definition][custom-resource-definition] (CRD). The following describes a list of available labels and annotations that can be used to configure the behavior when exchanging the service account token for an Azure AD access token. +If you've used [Microsoft Entra pod-managed identity][use-azure-ad-pod-identity], think of a service account as an Azure Identity, except a service account is part of the core Kubernetes API, rather than a [Custom Resource Definition][custom-resource-definition] (CRD). The following describes a list of available labels and annotations that can be used to configure the behavior when exchanging the service account token for a Microsoft Entra access token. ### Service account annotations All annotations are optional. If the annotation isn't specified, the default val |Annotation |Description |Default | |--||--|-|`azure.workload.identity/client-id` |Represents the Azure AD application<br> client ID to be used with the pod. || -|`azure.workload.identity/tenant-id` |Represents the Azure tenant ID where the<br> Azure AD application is registered. |AZURE_TENANT_ID environment variable extracted<br> from `azure-wi-webhook-config` ConfigMap.| -|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the<br> projected service account token. It's an optional field that you configure to prevent downtime<br> caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. 
Azure AD tokens expire in 24 hours after they're issued. |3600<br> Supported range is 3600-86400.| +|`azure.workload.identity/client-id` |Represents the Microsoft Entra application<br> client ID to be used with the pod. || +|`azure.workload.identity/tenant-id` |Represents the Azure tenant ID where the<br> Microsoft Entra application is registered. |AZURE_TENANT_ID environment variable extracted<br> from `azure-wi-webhook-config` ConfigMap.| +|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the<br> projected service account token. It's an optional field that you configure to prevent downtime<br> caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Microsoft Entra tokens. Microsoft Entra tokens expire in 24 hours after they're issued. |3600<br> Supported range is 3600-86400.| ### Pod labels All annotations are optional. If the annotation isn't specified, the default val |Annotation |Description |Default | |--||--|-|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. | +|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Microsoft Entra tokens. Microsoft Entra tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. 
| |`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example, `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |-|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true | +|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire a Microsoft Entra token on behalf of the user with federated identity credential. |true | |`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8000 | <sup>1</sup> Takes precedence if the service account is also annotated. |
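Review bot: the rewritten mapping bullet keeps the grammar slip "multiple service accounts references the same Microsoft Entra object"; with a plural subject it should read "multiple service accounts reference the same Microsoft Entra object", worth fixing while the line is being touched. Separately, the unchanged context under "### Pod labels" still carries the lead sentence "All annotations are optional. If the annotation isn't specified, the default val..." and the table header "|Annotation |Description |Default |", copied from the annotations table even though the rows document labels such as `azure.workload.identity/skip-containers` and `azure.workload.identity/inject-proxy-sidecar`; changing them to "All labels are optional" and "Label" would stop readers from applying these as annotations and wondering why the webhook ignores them.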
analysis-services | Analysis Services Addservprinc Admins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-addservprinc-admins.md | -Before completing this task, you must have a service principal registered in Azure Active Directory. +Before completing this task, you must have a service principal registered in Microsoft Entra ID. [Create service principal - Azure portal](../active-directory/develop/howto-create-service-principal-portal.md) [Create service principal - PowerShell](../active-directory/develop/howto-authenticate-service-principal-powershell.md) |
analysis-services | Analysis Services Async Refresh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-async-refresh.md | https://westus.asazure.windows.net/servers/myserver/models/AdventureWorks/refres ## Authentication -All calls must be authenticated with a valid Azure Active Directory (OAuth 2) token in the Authorization header and must meet the following requirements: +All calls must be authenticated with a valid Microsoft Entra ID (OAuth 2) token in the Authorization header and must meet the following requirements: - The token must be either a user token or an application service principal. - The token must have the correct audience set to `https://*.asazure.windows.net`. See [Create service principal - Azure portal](../active-directory/develop/howto- ## See also [Samples](analysis-services-samples.md) -[REST API](/rest/api/analysisservices/servers) +[REST API](/rest/api/analysisservices/servers) |
analysis-services | Analysis Services Backup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-backup.md | When restoring, your backup file must be in the storage account you've configure > [!NOTE]-> If you're restoring from an on-premises server, you must remove all the domain users from the model's roles and add them back to the roles as Azure Active Directory users. +> If you're restoring from an on-premises server, you must remove all the domain users from the model's roles and add them back to the roles as Microsoft Entra users. > > |
analysis-services | Analysis Services Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-connect.md | In **Azure portal** > server > **Overview** > **Server name**, copy the entire s When connecting to Azure Analysis Services using the Tabular Object Model, use the following connection string formats: -###### Integrated Azure Active Directory authentication +<a name='integrated-azure-active-directory-authentication'></a> -Integrated authentication picks up the Azure Active Directory credential cache if available. If not, the Azure login window is shown. +###### Integrated Microsoft Entra authentication ++Integrated authentication picks up the Microsoft Entra credential cache if available. If not, the Azure login window is shown. ``` "Provider=MSOLAP;Data Source=<Azure AS instance name>;" ``` -###### Azure Active Directory authentication with username and password +<a name='azure-active-directory-authentication-with-username-and-password'></a> ++###### Microsoft Entra authentication with username and password ``` "Provider=MSOLAP;Data Source=<Azure AS instance name>;User ID=<user name>;Password=<password>;Persist Security Info=True; Impersonation Level=Impersonate;"; Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked [Connect with Excel](analysis-services-connect-excel.md) [Connect with Power BI](analysis-services-connect-pbi.md) -[Manage your server](analysis-services-manage.md) +[Manage your server](analysis-services-manage.md) |
analysis-services | Analysis Services Create Bicep File | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-bicep-file.md | This quickstart describes how to create an Analysis Services server resource in ## Prerequisites * **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.-* **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant. And, you need to be signed in to Azure with an account in that Azure Active Directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). +* **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant. And, you need to be signed in to Azure with an account in that Microsoft Entra ID. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). ## Review the Bicep file |
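Review bot: "you need to be signed in to Azure with an account in that Microsoft Entra ID" reads oddly after the rename, since Microsoft Entra ID is the service name rather than a directory instance; the preceding clause already says "associated with a Microsoft Entra tenant", so "an account in that Microsoft Entra tenant" keeps the bullet consistent with itself.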
analysis-services | Analysis Services Create Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-powershell.md | This quickstart describes using PowerShell from the command line to create an Az [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.-- **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant and you must have an account in that directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).+- **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant and you must have an account in that directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). - **Azure PowerShell**. To find the installed version, run `Get-Module -ListAvailable Az`. To install or upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). ## Import Az.AnalysisServices module |
analysis-services | Analysis Services Create Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-server.md | This quickstart describes how to create an Analysis Services server resource in ## Prerequisites * **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.-* **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant. And, you need to be signed in to Azure with an account in that Azure Active Directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). +* **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant. And, you need to be signed in to Azure with an account in that Microsoft Entra ID. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). ## Sign in to the Azure portal This quickstart describes how to create an Analysis Services server resource in * **Resource group**: Create a new resource group or select one you already have. Resource groups are designed to help you manage a collection of Azure resources. To learn more, see [resource groups](../azure-resource-manager/management/overview.md). * **Location**: This Azure datacenter location hosts the server. Choose a location nearest your largest user base. * **Pricing tier**: Select a pricing tier. If you are testing and intend to install the sample model database, select the free **D1** tier. To learn more, see [Azure Analysis Services pricing](https://azure.microsoft.com/pricing/details/analysis-services/). - * **Administrator**: By default, this will be the account you are logged in with. You can choose a different account from your Azure Active Directory. + * **Administrator**: By default, this will be the account you are logged in with. You can choose a different account from your Microsoft Entra ID. 
* **Backup Storage setting**: Optional. If you already have a [storage account](../storage/common/storage-introduction.md), you can specify it as the default for model database backup. You can also specify [backup and restore](analysis-services-backup.md) settings later. * **Storage key expiration**: Optional. Specify a storage key expiration period. |
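Review bot: two of the renamed phrases in this hunk treat "Microsoft Entra ID" as if it were a tenant: the prerequisite "signed in to Azure with an account in that Microsoft Entra ID" and the Administrator bullet "You can choose a different account from your Microsoft Entra ID". Both sentences are about the tenant the subscription is associated with, so "in that Microsoft Entra tenant" and "from your Microsoft Entra tenant" would be the accurate replacements.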
analysis-services | Analysis Services Create Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-template.md | If your environment meets the prerequisites and you're familiar with using ARM t ## Prerequisites * **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.-* **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant. And, you need to be signed in to Azure with an account in that Azure Active Directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). +* **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant. And, you need to be signed in to Azure with an account in that Microsoft Entra ID. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). ## Review the template |
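Review bot: same wording issue as the other quickstarts in this batch: "an account in that Microsoft Entra ID" should be "an account in that Microsoft Entra tenant", matching the "associated with a Microsoft Entra tenant" clause earlier in the same bullet.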
analysis-services | Analysis Services Database Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-database-users.md | -At the model database level, all users must belong to a role. Roles define users with particular permissions for the model database. Any user or security group added to a role must have an account in an Azure AD tenant in the same subscription as the server. +At the model database level, all users must belong to a role. Roles define users with particular permissions for the model database. Any user or security group added to a role must have an account in a Microsoft Entra tenant in the same subscription as the server. How you define roles is different depending on the tool you use, but the effect is the same. When adding a **service principal** use `app:appid@tenantid`. 6. Click **Members** > **Add External**. -8. In **Add External Member**, enter users or groups in your tenant Azure AD by email address. After you click OK and close Role Manager, roles and role members appear in Tabular Model Explorer. +8. In **Add External Member**, enter users or groups in your tenant Microsoft Entra ID by email address. After you click OK and close Role Manager, roles and role members appear in Tabular Model Explorer. ![Screen showing roles and users in Tabular Model Explorer.](./media/analysis-services-database-users/aas-roles-tmexplorer.png) To add roles and users to a deployed model database, you must be connected to th |**Process database**|Members can run Process and Process All operations. Cannot modify the model schema and cannot query data.| |**Read**|Members can query data (based on row filters) but cannot modify the model schema.| -4. Click **Membership**, then enter a user or group in your tenant Azure AD by email address. +4. Click **Membership**, then enter a user or group in your tenant Microsoft Entra ID by email address. 
![Screen showing Add user.](./media/analysis-services-database-users/aas-roles-adduser-ssms.png) You can run a TMSL script in the XMLA window in SSMS or by using PowerShell. Use **Sample TMSL script** -In this sample, a B2B external user and a group are added to the Analyst role with Read permissions for the SalesBI database. Both the external user and group must be in same tenant Azure AD. +In this sample, a B2B external user and a group are added to the Analyst role with Read permissions for the SalesBI database. Both the external user and group must be in same tenant Microsoft Entra ID. ``` { |
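Review bot: the mechanical replacement produced "enter users or groups in your tenant Microsoft Entra ID by email address" (step 8 and again in step 4) and "must be in same tenant Microsoft Entra ID" in the TMSL sample description; the original "tenant Azure AD" was already awkward, and the rename makes it harder to parse. Suggest "enter users or groups from your Microsoft Entra tenant by email address" and "Both the external user and group must be in the same Microsoft Entra tenant", which also restores the missing article.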
analysis-services | Analysis Services Gateway Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-gateway-install.md | To learn more about how Azure Analysis Services works with the gateway, see [Con * Install the gateway on a computer that remains on and does not go to sleep. * Do not install the gateway on a computer with a wireless only connection to your network. Performance can be diminished. * When installing the gateway, the user account you're signed in to your computer with must have Log on as service privileges. When install is complete, the On-premises data gateway service uses the NT SERVICE\PBIEgwService account to log on as a service. A different account can be specified during setup or in Services after setup is complete. Ensure Group Policy settings allow both the account you're signed in with when installing and the service account you choose have Log on as service privileges.-* Sign in to Azure with an account in Azure AD for the same [tenant](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) as the subscription you are registering the gateway in. Azure B2B (guest) accounts are not supported when installing and registering a gateway. +* Sign in to Azure with an account in Microsoft Entra ID for the same [tenant](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) as the subscription you are registering the gateway in. Azure B2B (guest) accounts are not supported when installing and registering a gateway. * If data sources are on an Azure Virtual Network (VNet), you must configure the [AlwaysUseGateway](analysis-services-vnet-gateway.md) server property. * If installing the gateway on an Azure Virtual Machine (VM), ensure optimal networking performance by configuring Accelerated networking. 
To learn more, see [Create a Windows VM with accelerated networking](../virtual-network/create-vm-accelerated-networking-powershell.md). To learn more about how Azure Analysis Services works with the gateway, see [Con ![Screenshot showing install location and license terms.](media/analysis-services-gateway-install/aas-gateway-installer-accept.png) -3. Sign in to Azure. The account must be in your tenant's Azure Active Directory. This account is used for the gateway administrator. Azure B2B (guest) accounts are not supported when installing and registering the gateway. +3. Sign in to Azure. The account must be in your tenant's Microsoft Entra ID. This account is used for the gateway administrator. Azure B2B (guest) accounts are not supported when installing and registering the gateway. ![Screenshot showing sign in to Azure.](media/analysis-services-gateway-install/aas-gateway-installer-account.png) > [!NOTE]- > If you sign in with a domain account, it's mapped to your organizational account in Azure AD. Your organizational account is used as the gateway administrator. + > If you sign in with a domain account, it's mapped to your organizational account in Microsoft Entra ID. Your organizational account is used as the gateway administrator. ## Register |
analysis-services | Analysis Services Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-gateway.md | Information provided here is specific to how Azure Analysis Services works with For Azure Analysis Services, getting setup with the gateway the first time is a four-part process: -- **Download and run setup** - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your [tenant's](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) Azure AD. Azure B2B (guest) accounts are not supported.+- **Download and run setup** - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your [tenant's](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) Microsoft Entra ID. Azure B2B (guest) accounts are not supported. - **Register your gateway** - In this step, you specify a name and recovery key for your gateway and select a region, registering your gateway with the Gateway Cloud Service. Your gateway resource can be registered in any region, but it's recommended it be in the same region as your Analysis Services servers. |
analysis-services | Analysis Services Manage Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-manage-users.md | Title: Azure Analysis Services authentication and user permissions| Microsoft Docs -description: This article describes how Azure Analysis Services uses Azure Active Directory (Azure AD) for identity management and user authentication. +description: This article describes how Azure Analysis Services uses Microsoft Entra ID for identity management and user authentication. -Azure Analysis Services uses Azure Active Directory (Azure AD) for identity management and user authentication. Any user creating, managing, or connecting to an Azure Analysis Services server must have a valid user identity in an [Azure AD tenant](../active-directory/fundamentals/active-directory-whatis.md) in the same subscription. +Azure Analysis Services uses Microsoft Entra ID for identity management and user authentication. Any user creating, managing, or connecting to an Azure Analysis Services server must have a valid user identity in an [Microsoft Entra tenant](../active-directory/fundamentals/active-directory-whatis.md) in the same subscription. -Azure Analysis Services supports [Azure AD B2B collaboration](../active-directory/external-identities/what-is-b2b.md). With B2B, users from outside an organization can be invited as guest users in an Azure AD directory. Guests can be from another Azure AD tenant directory or any valid email address. Once invited and the user accepts the invitation sent by email from Azure, the user identity is added to the tenant directory. Those identities can be added to security groups or as members of a server administrator or database role. +Azure Analysis Services supports [Microsoft Entra B2B collaboration](../active-directory/external-identities/what-is-b2b.md). With B2B, users from outside an organization can be invited as guest users in a Microsoft Entra directory. 
Guests can be from another Microsoft Entra tenant directory or any valid email address. Once invited and the user accepts the invitation sent by email from Azure, the user identity is added to the tenant directory. Those identities can be added to security groups or as members of a server administrator or database role. ![Azure Analysis Services authentication architecture](./media/analysis-services-manage-users/aas-manage-users-arch.png) Azure Analysis Services supports [Azure AD B2B collaboration](../active-director All client applications and tools use one or more of the Analysis Services [client libraries](/analysis-services/client-libraries?view=azure-analysis-services-current&preserve-view=true) (AMO, MSOLAP, ADOMD) to connect to a server. -All three client libraries support both Azure AD interactive flow, and non-interactive authentication methods. The two non-interactive methods, Active Directory Password and Active Directory Integrated Authentication methods can be used in applications utilizing AMOMD and MSOLAP. These two methods never result in pop-up dialog boxes for sign in. +All three client libraries support both Microsoft Entra interactive flow, and non-interactive authentication methods. The two non-interactive methods, Active Directory Password and Active Directory Integrated Authentication methods can be used in applications utilizing AMOMD and MSOLAP. These two methods never result in pop-up dialog boxes for sign in. Client applications like Excel and Power BI Desktop, and tools like SSMS and Analysis Services projects extension for Visual Studio install the latest versions of the client libraries with regular updates. Power BI Desktop, SSMS, and Analysis Services projects extension are updated monthly. Excel is [updated with Microsoft 365](https://support.microsoft.com/office/when-do-i-get-the-newest-features-for-microsoft-365-da36192c-58b9-4bc9-8d51-bb6eed468516). 
Microsoft 365 updates are less frequent, and some organizations use the deferred channel, meaning updates are deferred up to three months. Depending on the client application or tools you use, the type of authentication and how you sign in may be different. Each application may support different features for connecting to cloud services like Azure Analysis Services. -Power BI Desktop, Visual Studio, and SSMS support Active Directory Universal Authentication, an interactive method that also supports Azure AD Multi-Factor Authentication (MFA). Azure AD MFA helps safeguard access to data and applications while providing a simple sign in process. It delivers strong authentication with several verification options (phone call, text message, smart cards with pin, or mobile app notification). Interactive MFA with Azure AD can result in a pop-up dialog box for validation. **Universal Authentication is recommended**. +Power BI Desktop, Visual Studio, and SSMS support Active Directory Universal Authentication, an interactive method that also supports Microsoft Entra multifactor authentication (MFA). Microsoft Entra multifactor authentication helps safeguard access to data and applications while providing a simple sign in process. It delivers strong authentication with several verification options (phone call, text message, smart cards with pin, or mobile app notification). Interactive MFA with Microsoft Entra ID can result in a pop-up dialog box for validation. **Universal Authentication is recommended**. -If signing in to Azure by using a Windows account, and Universal Authentication is not selected or available (Excel), [Active Directory Federation Services (AD FS)](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs) is required. With Federation, Azure AD and Microsoft 365 users are authenticated using on-premises credentials and can access Azure resources. 
+If signing in to Azure by using a Windows account, and Universal Authentication is not selected or available (Excel), [Active Directory Federation Services (AD FS)](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs) is required. With Federation, Microsoft Entra ID and Microsoft 365 users are authenticated using on-premises credentials and can access Azure resources. ### SQL Server Management Studio (SSMS) Azure Analysis Services servers support connections from [SSMS V17.1](/sql/ssms/ * Supports Azure B2B guest users invited into the Azure AS tenant. When connecting to a server, guest users must select Active Directory Universal Authentication when connecting to the server. -* Supports Multi-Factor Authentication (MFA). Azure AD MFA helps safeguard access to data and applications with a range of verification options: phone call, text message, smart cards with pin, or mobile app notification. Interactive MFA with Azure AD can result in a pop-up dialog box for validation. +* Supports multifactor authentication (MFA). Microsoft Entra multifactor authentication helps safeguard access to data and applications with a range of verification options: phone call, text message, smart cards with pin, or mobile app notification. Interactive MFA with Microsoft Entra ID can result in a pop-up dialog box for validation. ### Visual Studio Power BI Desktop connects to Azure Analysis Services using Active Directory Univ ### Excel -Excel users can connect to a server by using a Windows account, an organization ID (email address), or an external email address. External email identities must exist in the Azure AD as a guest user. +Excel users can connect to a server by using a Windows account, an organization ID (email address), or an external email address. External email identities must exist in the Microsoft Entra ID as a guest user. ## User permissions -**Server administrators** are specific to an Azure Analysis Services server instance. 
They connect with tools like Azure portal, SSMS, and Visual Studio to perform tasks like configuring settings and managing user roles. By default, the user that creates the server is automatically added as an Analysis Services server administrator. Other administrators can be added by using Azure portal or SSMS. Server administrators must have an account in the Azure AD tenant in the same subscription. To learn more, see [Manage server administrators](analysis-services-server-admins.md). +**Server administrators** are specific to an Azure Analysis Services server instance. They connect with tools like Azure portal, SSMS, and Visual Studio to perform tasks like configuring settings and managing user roles. By default, the user that creates the server is automatically added as an Analysis Services server administrator. Other administrators can be added by using Azure portal or SSMS. Server administrators must have an account in the Microsoft Entra tenant in the same subscription. To learn more, see [Manage server administrators](analysis-services-server-admins.md). **Database users** connect to model databases by using client applications like Excel or Power BI. Users must be added to database roles. Database roles define administrator, process, or read permissions for a database. It's important to understand database users in a role with administrator permissions is different than server administrators. However, by default, server administrators are also database administrators. To learn more, see [Manage database roles and users](analysis-services-database-users.md). -**Azure resource owners**. Resource owners manage resources for an Azure subscription. Resource owners can add Azure AD user identities to Owner or Contributor Roles within a subscription by using **Access control** in Azure portal, or with Azure Resource Manager templates. +**Azure resource owners**. Resource owners manage resources for an Azure subscription. 
Resource owners can add Microsoft Entra user identities to Owner or Contributor Roles within a subscription by using **Access control** in Azure portal, or with Azure Resource Manager templates. ![Access control in Azure portal](./media/analysis-services-manage-users/aas-manage-users-rbac.png) Roles at this level apply to users or accounts that need to perform tasks that c ## Database roles - Roles defined for a tabular model are database roles. That is, the roles contain members consisting of Azure AD users and security groups that have specific permissions that define the action those members can take on a model database. A database role is created as a separate object in the database, and applies only to the database in which that role is created. + Roles defined for a tabular model are database roles. That is, the roles contain members consisting of Microsoft Entra users and security groups that have specific permissions that define the action those members can take on a model database. A database role is created as a separate object in the database, and applies only to the database in which that role is created. By default, when you create a new tabular model project, the model project does not have any roles. Roles can be defined by using the Role Manager dialog box in Visual Studio. When roles are defined during model project design, they are applied only to the model workspace database. When the model is deployed, the same roles are applied to the deployed model. After a model has been deployed, server and database administrators can manage roles and members by using SSMS. To learn more, see [Manage database roles and users](analysis-services-database-users.md). 
Roles at this level apply to users or accounts that need to perform tasks that c ## Next steps -[Manage access to resources with Azure Active Directory groups](../active-directory/fundamentals/active-directory-manage-groups.md) +[Manage access to resources with Microsoft Entra groups](../active-directory/fundamentals/active-directory-manage-groups.md) [Manage database roles and users](analysis-services-database-users.md) [Manage server administrators](analysis-services-server-admins.md) [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) |
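Review bot: the first paragraph now reads "a valid user identity in an [Microsoft Entra tenant](...)"; the article was correct for "Azure AD tenant" but needs to become "a" before "Microsoft". Later in the same hunk, the Excel section's "External email identities must exist in the Microsoft Entra ID as a guest user" should be "in the Microsoft Entra tenant as a guest user", since guest users are objects in a tenant rather than in the service.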
analysis-services | Analysis Services Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-manage.md | To get all the latest features, and the smoothest experience when connecting to **DAX Studio** – An open-source tool for DAX authoring, diagnosis, performance tuning, and analysis. Features include object browsing, integrated tracing, query execution breakdowns with detailed statistics, DAX syntax highlighting and formatting. XMLA read-only is required for query operations. To learn more, see [daxstudio.org](https://daxstudio.org/). ## Server administrators and database users-In Azure Analysis Services, there are two types of users, server administrators and database users. Both types of users must be in your Azure Active Directory and must be specified by organizational email address or UPN. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). +In Azure Analysis Services, there are two types of users, server administrators and database users. Both types of users must be in your Microsoft Entra ID and must be specified by organizational email address or UPN. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). ## Troubleshooting connection problems When connecting using SSMS, if you run into problems, you may need to clear the login cache. Nothing is cached to disc. To clear the cache, close and restart the connect process. |
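Review bot: "Both types of users must be in your Microsoft Entra ID" describes tenant membership, so "must be in your Microsoft Entra tenant" is the accurate wording and matches the "Microsoft Entra tenant in the same subscription" phrasing used in the linked Authentication and user permissions article.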
analysis-services | Analysis Services Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-overview.md | Azure Analysis Services is a fully managed platform as a service (PaaS) that pro In Azure portal, you can [create a server](analysis-services-create-server.md) within minutes. And with Azure Resource Manager [templates](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md) and PowerShell, you can create servers using a declarative template. With a single template, you can deploy server resources along with other Azure components such as storage accounts and Azure Functions. -Azure Analysis Services integrates with many Azure services enabling you to build sophisticated analytics solutions. Integration with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) provides secure, role-based access to your critical data. Integrate with [Azure Data Factory](../data-factory/introduction.md) pipelines by including an activity that loads data into the model. [Azure Automation](../automation/automation-intro.md) and [Azure Functions](../azure-functions/functions-overview.md) can be used for lightweight orchestration of models using custom code. +Azure Analysis Services integrates with many Azure services enabling you to build sophisticated analytics solutions. Integration with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) provides secure, role-based access to your critical data. Integrate with [Azure Data Factory](../data-factory/introduction.md) pipelines by including an activity that loads data into the model. [Azure Automation](../automation/automation-intro.md) and [Azure Functions](../azure-functions/functions-overview.md) can be used for lightweight orchestration of models using custom code. ## The right tier when you need it Azure Analysis Services Firewall blocks all client connections other than those ### Authentication -User authentication is handled by [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Azure Active Directory for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). +User authentication is handled by [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Microsoft Entra ID for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md). ### Data security Secure access to data sources on-premises in your organization is achieved by in ### Roles -Analysis Services uses [role-based authorization](/analysis-services/tabular-models/roles-ssas-tabular) that grants access to server and model database operations, objects, and data. All users who access a server or database do so with their Azure AD user account within an assigned role. The server administrator role is at the server resource level. By default, the account used when creating a server is automatically included in the Server Admins role. Additional user and group accounts are added by using the portal, SSMS, or PowerShell. +Analysis Services uses [role-based authorization](/analysis-services/tabular-models/roles-ssas-tabular) that grants access to server and model database operations, objects, and data. All users who access a server or database do so with their Microsoft Entra user account within an assigned role. The server administrator role is at the server resource level. By default, the account used when creating a server is automatically included in the Server Admins role. Additional user and group accounts are added by using the portal, SSMS, or PowerShell. Non-administrative users who query data are granted access through database roles. A database role is created as a separate object in the database, and applies only to the database in which that role is created. Database roles are defined by (database) Administrator, Read, and Read and Process permissions. User and group accounts are added by using SSMS or PowerShell. Tabular models at the 1400 and higher compatibility level support object-level s ### Automation through service principals -Service principals are an Azure Active Directory application resource you create within your tenant to perform unattended resource and service-level operations. Service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks like data refresh, scale up/down, and pause/resume. Permissions are assigned to service principals through role membership. To learn more, see [Automation with service principals](analysis-services-service-principal.md). +Service principals are a Microsoft Entra application resource you create within your tenant to perform unattended resource and service-level operations. Service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks like data refresh, scale up/down, and pause/resume. Permissions are assigned to service principals through role membership. To learn more, see [Automation with service principals](analysis-services-service-principal.md). ### Azure governance |
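Review bot: In the `### Authentication` hunk, "User identities must be members of the default Microsoft Entra ID for the subscription" treats Microsoft Entra ID as a container, while the sentence before it correctly uses it as the service that handles authentication; suggest "members of the default Microsoft Entra tenant for the subscription that the server is in" so the two sentences agree.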
analysis-services | Analysis Services Refresh Azure Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-refresh-azure-automation.md | The example in this article uses the [SqlServer PowerShell module](/powershell/m ## Authentication -All calls must be authenticated with a valid Azure Active Directory (OAuth 2) token. The example in this article uses a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). +All calls must be authenticated with a valid Microsoft Entra ID (OAuth 2) token. The example in this article uses a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). ## Prerequisites else ## Next steps [Samples](analysis-services-samples.md) -[REST API](/rest/api/analysisservices/servers) +[REST API](/rest/api/analysisservices/servers) |
analysis-services | Analysis Services Refresh Logic App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-refresh-logic-app.md | To learn more about using REST APIs with Azure Analysis Services, see [Asynchron ## Authentication -All calls must be authenticated with a valid Azure Active Directory (OAuth 2) token. The examples in this article will use a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). +All calls must be authenticated with a valid Microsoft Entra ID (OAuth 2) token. The examples in this article will use a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). ## Design the logic app Configure the HTTP activity as follows: |**Headers** | Content-Type, application/json <br /> <br /> ![Headers](./media/analysis-services-async-refresh-logic-app/6.png) | |**Body** | To learn more about forming the request body, see [Asynchronous refresh with the REST API - POST /refreshes](analysis-services-async-refresh.md#post-refreshes). | |**Authentication** |Active Directory OAuth |-|**Tenant** |Fill in your Azure Active Directory TenantId | +|**Tenant** |Fill in your Microsoft Entra TenantId | |**Audience** |https://*.asazure.windows.net | |**Client ID** |Enter your Service Principal Name ClientID | |**Credential Type** |Secret | Save the Logic App. ## Next steps [Samples](analysis-services-samples.md) -[REST API](/rest/api/analysisservices/servers) +[REST API](/rest/api/analysisservices/servers) |
analysis-services | Analysis Services Server Admins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-server-admins.md | -Server administrators must be a valid user, service principal, or security group in the Azure Active Directory (Azure AD) for the tenant in which the server resides. You can use **Analysis Services Admins** for your server in Azure portal, Server Properties in SSMS, PowerShell, or REST API to manage server administrators. +Server administrators must be a valid user, service principal, or security group in the Microsoft Entra ID for the tenant in which the server resides. You can use **Analysis Services Admins** for your server in Azure portal, Server Properties in SSMS, PowerShell, or REST API to manage server administrators. When adding a **security group**, use `obj:groupid@tenantid`. Service principals are not supported in security groups added to the server administrator role. If server firewall is enabled, server administrator client computer IP addresses 1. In the portal, for your server, click **Analysis Services Admins**. 2. In **\<servername> - Analysis Services Admins**, click **Add**.-3. In **Add Server Administrators**, select user accounts from your Azure AD or invite external users by email address. +3. In **Add Server Administrators**, select user accounts from your Microsoft Entra ID or invite external users by email address. ![Server Admins in Azure portal](./media/analysis-services-server-admins/aas-manage-users-admins.png) If server firewall is enabled, server administrator client computer IP addresses 1. Right-click the server > **Properties**. 2. In **Analysis Server Properties**, click **Security**.-3. Click **Add**, and then enter the email address for a user or group in your Azure AD. +3. Click **Add**, and then enter the email address for a user or group in your Microsoft Entra ID. ![Add server administrators in SSMS](./media/analysis-services-server-admins/aas-manage-users-ssms.png) |
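Review bot: "security group in the Microsoft Entra ID for the tenant in which the server resides" reads oddly in the first added line; suggest "security group in the Microsoft Entra tenant in which the server resides", which is shorter and matches the `obj:groupid@tenantid` form the next sentence already uses. The two step-3 lines ("select user accounts from your Microsoft Entra ID", "a user or group in your Microsoft Entra ID") would take the same "Microsoft Entra tenant" wording.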
analysis-services | Analysis Services Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-service-principal.md | -Service principals are an Azure Active Directory application resource you create within your tenant to perform unattended resource and service level operations. They're a unique type of *user identity* with an application ID and password or certificate. A service principal has only those permissions necessary to perform tasks defined by the roles and permissions for which it is assigned. +Service principals are a Microsoft Entra application resource you create within your tenant to perform unattended resource and service level operations. They're a unique type of *user identity* with an application ID and password or certificate. A service principal has only those permissions necessary to perform tasks defined by the roles and permissions for which it is assigned. -In Analysis Services, service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks. For example, provisioning servers, deploying models, data refresh, scale up/down, and pause/resume can all be automated by using service principals. Permissions are assigned to service principals through role membership, much like regular Azure AD UPN accounts. +In Analysis Services, service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks. For example, provisioning servers, deploying models, data refresh, scale up/down, and pause/resume can all be automated by using service principals. Permissions are assigned to service principals through role membership, much like regular Microsoft Entra UPN accounts. -Analysis Services does not support operations performed by managed identities using service principals. To learn more, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) and [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-analysis-services). +Analysis Services does not support operations performed by managed identities using service principals. To learn more, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) and [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-analysis-services). ## Create service principals |
analysis-services | Analysis Services Tutorial Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/tutorials/analysis-services-tutorial-roles.md | To learn more about user security in Azure Analysis Services, see [Authenticatio ## Prerequisites -- An Azure Active Directory in your subscription.+- A Microsoft Entra ID in your subscription. - Created an [Azure Analysis Services server](../analysis-services-create-server.md) in your subscription. - Have [server administrator](../analysis-services-server-admins.md) permissions. - [Add the adventureworks sample model](../analysis-services-create-sample-model.md) to your server. For the remaining tasks, you use SSMS to connect to and manage your server. ## Add a user account to the server administrator role -In this task, you add a user or group account from your Azure AD to the server administrator role. If specifying a security group, use `obj:groupid@tenantid`. +In this task, you add a user or group account from your Microsoft Entra ID to the server administrator role. If specifying a security group, use `obj:groupid@tenantid`. 1. In **Object Explorer**, right-click your server name, and then click **Properties**. 2. In the **Analysis Server Properties** window, click **Security** > **Add**.-3. In the **Select a User or Group** window, enter a user or group account in your Azure AD, and then click **Add**. +3. In the **Select a User or Group** window, enter a user or group account in your Microsoft Entra ID, and then click **Add**. ![Add server admin](./media/analysis-services-tutorial-roles/aas-add-server-admin.png) In this task, you add a user or group account to the Internet Sales Administrato ![New Query Editor Window](./media/analysis-services-tutorial-roles/aas-add-db-admin.png) -3. In the **XMLAQuery**, change the value for **"memberName":** to a user or group account in your Azure AD. By default, the account you're signed in with is included; however, you do not need to add your own account because you are already a server administrator. +3. In the **XMLAQuery**, change the value for **"memberName":** to a user or group account in your Microsoft Entra ID. By default, the account you're signed in with is included; however, you do not need to add your own account because you are already a server administrator. ![TMSL script in XMLA query](./media/analysis-services-tutorial-roles/aas-add-db-admin-script.png) In this task, you add a user or group account to the Internet Sales Administrato ## Add a new model database role and add a user or group -In this task, you use the [Create](/analysis-services/tmsl/create-command-tmsl) command in a TMSL script to create a new Internet Sales Global role, specify *read* permissions for the role, and add a user or group account from your Azure AD. +In this task, you use the [Create](/analysis-services/tmsl/create-command-tmsl) command in a TMSL script to create a new Internet Sales Global role, specify *read* permissions for the role, and add a user or group account from your Microsoft Entra ID. 1. In **Object Explorer**, right-click **adventureworks**, and then click **New Query** > **XMLA**. 2. Copy and paste the following TMSL script into the query editor: In this task, you use the [Create](/analysis-services/tmsl/create-command-tmsl) } ``` -3. Change `"memberName": "globalsales@adventureworks.com"` object value to a user or group account in your Azure AD. +3. Change `"memberName": "globalsales@adventureworks.com"` object value to a user or group account in your Microsoft Entra ID. 4. Press **F5**, to execute the script. ## Verify your changes When no longer needed, delete the user or group accounts and roles. To do so, us In this tutorial, you learned how to connect to your Azure AS server and explore the adventureworks sample model databases and properties in SSMS. You also learned how to use SSMS and TMSL scripts to add users or groups to existing and new roles. Now that you have user permissions configured for your server and sample model database, you and other users can connect to it by using client applications like Power BI. To learn more, continue to the next tutorial. > [!div class="nextstepaction"]-> [Tutorial: Connect with Power BI Desktop](analysis-services-tutorial-pbid.md) +> [Tutorial: Connect with Power BI Desktop](analysis-services-tutorial-pbid.md) |
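Review bot: The prerequisite "A Microsoft Entra ID in your subscription" does not work as a countable noun; suggest "A Microsoft Entra tenant in your subscription", and the same "Microsoft Entra tenant" wording for the three later steps that say "a user or group account in your Microsoft Entra ID". The `obj:groupid@tenantid` guidance and the TMSL `memberName` values are correctly left unchanged.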
api-management | Api Management Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-features.md | Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct | Feature | Consumption | Developer | Basic | Standard | Premium | | -- | -- | | -- | -- | - |-| Azure AD integration<sup>1</sup> | No | Yes | No | Yes | Yes | +| Microsoft Entra integration<sup>1</sup> | No | Yes | No | Yes | Yes | | Virtual Network (VNet) support | No | Yes | No | No | Yes | | Private endpoint support for inbound connections | No | Yes | Yes | Yes | Yes | | Multi-region deployment | No | No | No | No | Yes | Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct | [Pass-through GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes | | [Synthetic GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes | -<sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/> +<sup>1</sup> Enables the use of Microsoft Entra ID (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/> <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/> <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/> <sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/> |
api-management | Api Management Howto Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad.md | Title: Authorize access to API Management developer portal by using Azure AD + Title: Authorize access to API Management developer portal by using Microsoft Entra ID -description: Learn how to enable user sign-in to the API Management developer portal by using Azure Active Directory. +description: Learn how to enable user sign-in to the API Management developer portal by using Microsoft Entra ID. -# Authorize developer accounts by using Azure Active Directory in Azure API Management +# Authorize developer accounts by using Microsoft Entra ID in Azure API Management In this article, you'll learn how to: > [!div class="checklist"]-> * Enable access to the developer portal for users from Azure Active Directory (Azure AD). -> * Manage groups of Azure AD users by adding external groups that contain the users. +> * Enable access to the developer portal for users from Microsoft Entra ID. +> * Manage groups of Microsoft Entra users by adding external groups that contain the users. For an overview of options to secure the developer portal, see [Secure access to the API Management developer portal](secure-developer-portal-access.md). > [!IMPORTANT]-> * This article has been updated with steps to configure an Azure AD app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)). -> * If you previously configured an Azure AD app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal). +> * This article has been updated with steps to configure a Microsoft Entra app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)). 
+> * If you previously configured a Microsoft Entra app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal). ## Prerequisites For an overview of options to secure the developer portal, see [Secure access to [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)] -## Enable user sign-in using Azure AD - portal +<a name='enable-user-sign-in-using-azure-adportal'></a> -To simplify the configuration, API Management can automatically enable an Azure AD application and identity provider for users of the developer portal. Alternatively, you can manually enable the Azure AD application and identity provider. +## Enable user sign-in using Microsoft Entra ID - portal -### Automatically enable Azure AD application and identity provider +To simplify the configuration, API Management can automatically enable a Microsoft Entra application and identity provider for users of the developer portal. Alternatively, you can manually enable the Microsoft Entra application and identity provider. ++<a name='automatically-enable-azure-ad-application-and-identity-provider'></a> ++### Automatically enable Microsoft Entra application and identity provider 1. In the left menu of your API Management instance, under **Developer portal**, select **Portal overview**.-1. On the **Portal overview** page, scroll down to **Enable user sign-in with Azure Active Directory**. -1. Select **Enable Azure AD**. -1. On the **Enable Azure AD** page, select **Enable Azure AD**. +1. On the **Portal overview** page, scroll down to **Enable user sign-in with Microsoft Entra ID**. +1. Select **Enable Microsoft Entra ID**. +1. On the **Enable Microsoft Entra ID** page, select **Enable Microsoft Entra ID**. 1. Select **Close**. 
- :::image type="content" source="media/api-management-howto-aad/enable-azure-ad-portal.png" alt-text="Screenshot of enabling Azure AD in the developer portal overview page."::: + :::image type="content" source="media/api-management-howto-aad/enable-azure-ad-portal.png" alt-text="Screenshot of enabling Microsoft Entra ID in the developer portal overview page."::: -After the Azure AD provider is enabled: +After the Microsoft Entra provider is enabled: -* Users in the specified Azure AD instance can [sign into the developer portal by using an Azure AD account](#log_in_to_dev_portal). -* You can manage the Azure AD configuration on the **Developer portal** > **Identities** page in the portal. +* Users in the specified Microsoft Entra instance can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal). +* You can manage the Microsoft Entra configuration on the **Developer portal** > **Identities** page in the portal. * Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page. * Republish the developer portal after any configuration change. -### Manually enable Azure AD application and identity provider +<a name='manually-enable-azure-ad-application-and-identity-provider'></a> ++### Manually enable Microsoft Entra application and identity provider 1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**. 1. Select **+Add** from the top to open the **Add identity provider** pane to the right.-1. Under **Type**, select **Azure Active Directory** from the drop-down menu. Once selected, you'll be able to enter other necessary information. +1. Under **Type**, select **Microsoft Entra ID** from the drop-down menu. Once selected, you'll be able to enter other necessary information. * In the **Client library** dropdown, select **MSAL**. 
* To add **Client ID** and **Client secret**, see steps later in the article. 1. Save the **Redirect URL** for later. After the Azure AD provider is enabled: > [!IMPORTANT] > Update the **Client secret** before the key expires. -1. In the **Add identity provider** pane's **Allowed tenants** field, specify the Azure AD instance's domains to which you want to grant access to the API Management service instance APIs. +1. In the **Add identity provider** pane's **Allowed tenants** field, specify the Microsoft Entra instance's domains to which you want to grant access to the API Management service instance APIs. * You can separate multiple domains with newlines, spaces, or commas. > [!NOTE] > You can specify multiple domains in the **Allowed Tenants** section. A global administration must grant the application access to directory data before users can sign in from a different domain than the original app registration domain. To grant permission, the global administrator should: > 1. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, `https://contoso.portal.azure-api.net/aadadminconsent`).- > 1. Enter the domain name of the Azure AD tenant to which they want to grant access. + > 1. Enter the domain name of the Microsoft Entra tenant to which they want to grant access. > 1. Select **Submit**. 1. After you specify the desired configuration, select **Add**.-1. Republish the developer portal for the Azure AD configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**. +1. Republish the developer portal for the Microsoft Entra configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**. -After the Azure AD provider is enabled: +After the Microsoft Entra provider is enabled: -* Users in the specified Azure AD instance can [sign into the developer portal by using an Azure AD account](#log_in_to_dev_portal). 
-* You can manage the Azure AD configuration on the **Developer portal** > **Identities** page in the portal. +* Users in the specified Microsoft Entra instance can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal). +* You can manage the Microsoft Entra configuration on the **Developer portal** > **Identities** page in the portal. * Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page. * Republish the developer portal after any configuration change. ## Migrate to MSAL -If you previously configured an Azure AD app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management. +If you previously configured a Microsoft Entra app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management. -### Update Azure AD app for MSAL compatibility +<a name='update-azure-ad-app-for-msal-compatibility'></a> ++### Update Microsoft Entra app for MSAL compatibility For steps, see [Switch redirect URIs to the single-page application type](../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform). ### Update identity provider configuration 1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.-1. Select **Azure Active Directory** from the list. +1. Select **Microsoft Entra ID** from the list. 1. In the **Client library** dropdown, select **MSAL**. 1. Select **Update**. 1. [Republish your developer portal](api-management-howto-developer-portal-customize.md#publish-from-the-azure-portal). 
-## Add an external Azure AD group +<a name='add-an-external-azure-ad-group'></a> ++## Add an external Microsoft Entra group -Now that you've enabled access for users in an Azure AD tenant, you can: -* Add Azure AD groups into API Management. -* Control product visibility using Azure AD groups. +Now that you've enabled access for users in a Microsoft Entra tenant, you can: +* Add Microsoft Entra groups into API Management. +* Control product visibility using Microsoft Entra groups. 1. Navigate to the App Registration page for the application you registered in [the previous section](#enable-user-sign-in-using-azure-adportal). 1. Select **API Permissions**. 1. Add the following minimum **application** permissions for Microsoft Graph API: * `User.Read.All` application permission ΓÇô so API Management can read the userΓÇÖs group membership to perform group synchronization at the time the user logs in. - * `Group.Read.All` application permission ΓÇô so API Management can read the Azure AD groups when an administrator tries to add the group to API Management using the **Groups** blade in the portal. + * `Group.Read.All` application permission ΓÇô so API Management can read the Microsoft Entra groups when an administrator tries to add the group to API Management using the **Groups** blade in the portal. 1. Select **Grant admin consent for {tenantname}** so that you grant access for all users in this directory. -Now you can add external Azure AD groups from the **Groups** tab of your API Management instance. +Now you can add external Microsoft Entra groups from the **Groups** tab of your API Management instance. 1. Under **Developer portal** in the side menu, select **Groups**.-1. Select the **Add Azure AD group** button. +1. Select the **Add Microsoft Entra group** button. 
- :::image type="content" source="media/api-management-howto-aad/api-management-with-aad008.png" alt-text="Screenshot showing Add Azure AD group button in the portal."::: + :::image type="content" source="media/api-management-howto-aad/api-management-with-aad008.png" alt-text="Screenshot showing Add Microsoft Entra group button in the portal."::: 1. Select the **Tenant** from the drop-down. 1. Search for and select the group that you want to add. 1. Press the **Select** button. -Once you add an external Azure AD group, you can review and configure its properties: +Once you add an external Microsoft Entra group, you can review and configure its properties: 1. Select the name of the group from the **Groups** tab. 2. Edit **Name** and **Description** information for the group. -Users from the configured Azure AD instance can now: +Users from the configured Microsoft Entra instance can now: * Sign into the developer portal. * View and subscribe to any groups for which they have visibility. > [!NOTE] > Learn more about the difference between **Delegated** and **Application** permissions types in [Permissions and consent in the Microsoft identity platform](../active-directory/develop/v2-permissions-and-consent.md#permission-types) article. -## <a id="log_in_to_dev_portal"></a> Developer portal: Add Azure AD account authentication +## <a id="log_in_to_dev_portal"></a> Developer portal: Add Microsoft Entra account authentication -In the developer portal, you can sign in with Azure AD using the **Sign-in button: OAuth** widget included on the sign-in page of the default developer portal content. +In the developer portal, you can sign in with Microsoft Entra ID using the **Sign-in button: OAuth** widget included on the sign-in page of the default developer portal content. 
:::image type="content" source="media/api-management-howto-aad/developer-portal-azure-ad-signin.png" alt-text="Screenshot showing OAuth widget in developer portal."::: -Although a new account will automatically be created when a new user signs in with Azure AD, consider adding the same widget to the sign-up page. The **Sign-up form: OAuth** widget represents a form used for signing up with OAuth. +Although a new account will automatically be created when a new user signs in with Microsoft Entra ID, consider adding the same widget to the sign-up page. The **Sign-up form: OAuth** widget represents a form used for signing up with OAuth. > [!IMPORTANT]-> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the Azure AD changes to take effect. +> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the Microsoft Entra ID changes to take effect. ++<a name='legacy-developer-portal-how-to-sign-in-with-azure-ad'></a> -## Legacy developer portal: How to sign in with Azure AD +## Legacy developer portal: How to sign in with Microsoft Entra ID [!INCLUDE [api-management-portal-legacy.md](../../includes/api-management-portal-legacy.md)] -To sign into the developer portal by using an Azure AD account that you configured in the previous sections: +To sign into the developer portal by using a Microsoft Entra account that you configured in the previous sections: 1. Open a new browser window using the sign-in URL from the Active Directory application configuration. -2. Select **Azure Active Directory**. +2. Select **Microsoft Entra ID**. ![Sign-in page][api-management-dev-portal-signin] -1. Enter the credentials of one of the users in Azure AD. +1. Enter the credentials of one of the users in Microsoft Entra ID. 2. Select **Sign in**. 
![Signing in with username and password][api-management-aad-signin] Your user is now signed in to the developer portal for your API Management servi ## Next Steps -- Learn more about [Azure Active Directory and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).+- Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md). - Learn more about [MSAL](../active-directory/develop/msal-overview.md) and [migrating to MSAL](../active-directory/develop/msal-migration.md). - [Create an API Management service instance](./get-started-create-service-instance.md). - [Manage your first API](./import-and-publish.md). |
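Review bot: the renamed UI strings in this hunk, **Add Microsoft Entra group** (the Groups tab button) and **Microsoft Entra ID** (the legacy developer portal sign-in option that previously read **Azure Active Directory**), describe text rendered by the portal rather than by the article, so confirm the live portal and the legacy developer portal actually show the new labels before merging; a search-and-replace rename of a control that still reads "Azure AD" in the product sends readers looking for a button that does not exist. The added `<a name='add-an-external-azure-ad-group'></a>` and `<a name='legacy-developer-portal-how-to-sign-in-with-azure-ad'></a>` anchors correctly preserve inbound links to the renamed headings, and the `User.Read.All`/`Group.Read.All` permission bullets keep their explanations of why each application permission is needed.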
api-management | Api Management Howto Create Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-groups.md | API Management has the following immutable system groups: * **Developers** - Authenticated developer portal users fall into this group. Developers are the customers that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API. * **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance fall into this group. They can be granted certain read-only access, such as the ability to view APIs but not call them. -In addition to these system groups, administrators can create custom groups or [use external groups in associated Azure Active Directory tenants][leverage external groups in associated Azure Active Directory tenants]. Custom and external groups can be used alongside system groups in giving developers visibility and access to API products. For example, you could create one custom group for developers affiliated with a specific partner organization and allow them access to the APIs from a product containing relevant APIs only. A user can be a member of more than one group. +In addition to these system groups, administrators can create custom groups or [use external groups in associated Microsoft Entra tenants][leverage external groups in associated Azure Active Directory tenants]. Custom and external groups can be used alongside system groups in giving developers visibility and access to API products. For example, you could create one custom group for developers affiliated with a specific partner organization and allow them access to the APIs from a product containing relevant APIs only. A user can be a member of more than one group. 
This guide shows how administrators of an API Management instance can add new groups and associate them with products and developers. Now that the group is created, it can be associated with products and developers Once a product is associated with a group, developers in that group can view and subscribe to the product. > [!NOTE]-> To add Azure Active Directory groups, see [How to authorize developer accounts using Azure Active Directory in Azure API Management](api-management-howto-aad.md). +> To add Microsoft Entra groups, see [How to authorize developer accounts using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md). To remove a group from the product, click **Delete**. |
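Review bot: the link text becomes "use external groups in associated Microsoft Entra tenants" while the reference label `[leverage external groups in associated Azure Active Directory tenants]` is left as-is; this still resolves only if the reference definition elsewhere in the file keeps the old label, so either rename the label and its definition together or leave both, never just one side, and add a check that the link renders after the change.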
api-management | Api Management Howto Developer Portal Customize | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-developer-portal-customize.md | Learn more about the developer portal: - [Azure API Management developer portal overview](api-management-howto-developer-portal.md) - [Migrate to the new developer portal](developer-portal-deprecated-migration.md) from the deprecated legacy portal.-- Configure authentication to the developer portal with [usernames and passwords](developer-portal-basic-authentication.md), [Azure AD](api-management-howto-aad.md), or [Azure AD B2C](api-management-howto-aad-b2c.md).+- Configure authentication to the developer portal with [usernames and passwords](developer-portal-basic-authentication.md), [Microsoft Entra ID](api-management-howto-aad.md), or [Azure AD B2C](api-management-howto-aad-b2c.md). - Learn more about [customizing and extending](developer-portal-extend-custom-functionality.md) the functionality of the developer portal. |
api-management | Api Management Howto Integrate Internal Vnet Appgateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md | In the first setup example, all your APIs are managed only from within your virt In this article, we also expose the *developer portal* and the *management endpoint* to external audiences through the application gateway. Extra steps are needed to create a listener, probe, settings, and rules for each endpoint. All details are provided in their respective steps. -If you use Azure Active Directory or third-party authentication, enable the [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway. +If you use Microsoft Entra ID or third-party authentication, enable the [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway. > [!WARNING] > To prevent Application Gateway WAF from breaking the download of OpenAPI specifications in the developer portal, disable the firewall rule `942200 - "Detects MySQL comment-/space-obfuscated injections and backtick termination"`. |
api-management | Api Management Howto Oauth2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-oauth2.md | Title: Authorize test console of API Management developer portal using OAuth 2.0 -description: Set up OAuth 2.0 user authorization for the test console in the Azure API Management developer portal. This example uses Azure AD as an OAuth 2.0 provider. +description: Set up OAuth 2.0 user authorization for the test console in the Azure API Management developer portal. This example uses Microsoft Entra ID as an OAuth 2.0 provider. documentationcenter: '' If you haven't yet created an API Management service instance, see [Create an AP ## Scenario overview -Configuring OAuth 2.0 user authorization in API Management only enables the developer portal's test console (and the test console in the Azure portal) as a client to acquire a token from the authorization server. The configuration for each OAuth 2.0 provider is different, although the steps are similar, and the required pieces of information used to configure OAuth 2.0 in your API Management service instance are the same. This article shows an example using Azure Active Directory as an OAuth 2.0 provider. +Configuring OAuth 2.0 user authorization in API Management only enables the developer portal's test console (and the test console in the Azure portal) as a client to acquire a token from the authorization server. The configuration for each OAuth 2.0 provider is different, although the steps are similar, and the required pieces of information used to configure OAuth 2.0 in your API Management service instance are the same. This article shows an example using Microsoft Entra ID as an OAuth 2.0 provider. The following are the high level configuration steps: -1. Register an application (backend-app) in Azure AD to represent the API. +1. Register an application (backend-app) in Microsoft Entra ID to represent the API. -1. 
Register another application (client-app) in Azure AD to represent a client application that needs to call the API - in this case, the test console of the developer portal. +1. Register another application (client-app) in Microsoft Entra ID to represent a client application that needs to call the API - in this case, the test console of the developer portal. - In Azure AD, grant permissions to allow the client-app to call the backend-app. + In Microsoft Entra ID, grant permissions to allow the client-app to call the backend-app. 1. Configure the test console in the developer portal to call an API using OAuth 2.0 user authorization. This configuration supports the following OAuth flow: :::image type="content" source="media/api-management-howto-oauth2/overview-graphic-azure-ad.png" alt-text="Overview graphic to visually conceptualize the following flow."::: -1. The developer portal requests a token from Azure AD using the client-app credentials. +1. The developer portal requests a token from Microsoft Entra ID using the client-app credentials. -1. After successful validation, Azure AD issues the access/refresh token. +1. After successful validation, Microsoft Entra ID issues the access/refresh token. 1. A developer (user of the developer portal) makes an API call with the authorization header. -1. The token gets validated by using the `validate-jwt` policy in API Management by Azure AD. +1. The token gets validated by using the `validate-jwt` policy in API Management by Microsoft Entra ID. 1. Based on the validation result, the developer will receive the response in the developer portal. Throughout this tutorial you'll be asked to record key information to reference - **Backend Application (client) ID**: The GUID of the application that represents the backend API - **Backend Application Scopes**: One or more scopes you may create to access the API. 
The scope format is `api://<Backend Application (client) ID>/<Scope Name>` (for example, api://1764e900-1827-4a0b-9182-b2c1841864c2/Read) - **Client Application (client) ID**: The GUID of the application that represents the developer portal-- **Client Application Secret Value**: The GUID that serves as the secret for interaction with the client application in Azure Active Directory +- **Client Application Secret Value**: The GUID that serves as the secret for interaction with the client application in Microsoft Entra ID ## Register applications with the OAuth server You'll need to register two applications with your OAuth 2.0 provider: one represents the backend API to be protected, and a second represents the client application that calls the API - in this case, the test console of the developer portal. -The following are example steps using Azure AD as the OAuth 2.0 provider. For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md). +The following are example steps using Microsoft Entra ID as the OAuth 2.0 provider. For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md). -### Register an application in Azure AD to represent the API +<a name='register-an-application-in-azure-ad-to-represent-the-api'></a> ++### Register an application in Microsoft Entra ID to represent the API 1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**. The following are example steps using Azure AD as the OAuth 2.0 provider. For de 1. Once the scopes are created, make a note of them for use in a subsequent step. 
-### Register another application in Azure AD to represent a client application +<a name='register-another-application-in-azure-ad-to-represent-a-client-application'></a> ++### Register another application in Microsoft Entra ID to represent a client application -Register every client application that calls the API as an application in Azure AD. +Register every client application that calls the API as an application in Microsoft Entra ID. 1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**. Register every client application that calls the API as an application in Azure When the secret is created, note the key value for use in a subsequent step. You can't access the secret again in the portal. -### Grant permissions in Azure AD +<a name='grant-permissions-in-azure-ad'></a> ++### Grant permissions in Microsoft Entra ID Now that you've registered two applications to represent the API and the test console, grant permissions to allow the client-app to call the backend-app. Optionally: * Select one or more desired **Authorization grant types**. For this example, select **Authorization code** (the default). [Learn more](#authorization-grant-types) - * Enter the **Authorization endpoint URL**. You can obtain the endpoint URL from the **Endpoints** page of one of your app registrations. For a single-tenant app in Azure AD, this URL will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Azure AD tenant. + * Enter the **Authorization endpoint URL**. You can obtain the endpoint URL from the **Endpoints** page of one of your app registrations. For a single-tenant app in Microsoft Entra ID, this URL will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Microsoft Entra tenant. Using the v2 endpoint is recommended; however, API Management supports both v1 and v2 endpoints. Optionally: 1. 
Specify **Token endpoint URL**, **Client authentication methods**, **Access token sending method**, and **Default scope**. - * Enter the **Token endpoint URL**. For a single tenant app in Azure AD, it will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Azure AD tenant. Use the same endpoint version (v2 or v1) that you chose previously. + * Enter the **Token endpoint URL**. For a single tenant app in Microsoft Entra ID, it will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Microsoft Entra tenant. Use the same endpoint version (v2 or v1) that you chose previously. `https://login.microsoftonline.com/{aad-tenant}/oauth2/v2.0/token` (v2) After saving the OAuth 2.0 server configuration, configure an API or APIs to use > [!IMPORTANT] > * Configuring OAuth 2.0 user authorization settings for an API enables API Management to acquire a token from the authorization server when you use the test console in the Azure portal or developer portal. The authorization server settings are also added to the API definition and documentation. -> * For OAuth 2.0 authorization at runtime, the client app must acquire and present the token and you need to configure token validation in API Management or the backend API. For an example, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md). +> * For OAuth 2.0 authorization at runtime, the client app must acquire and present the token and you need to configure token validation in API Management or the backend API. For an example, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md). 1. Select **APIs** from the **API Management** menu on the left. 
Select the **GET Resource** operation, select **Open Console**, and then select ![Open console][api-management-open-console] -When **Authorization code** is selected, a pop-up window is displayed with the sign-in form of the OAuth 2.0 provider. In this example, the sign-in form is provided by Azure Active Directory. +When **Authorization code** is selected, a pop-up window is displayed with the sign-in form of the OAuth 2.0 provider. In this example, the sign-in form is provided by Microsoft Entra ID. > [!NOTE] > If you have pop-ups disabled, you'll be prompted to enable them by the browser. After you enable them, select **Authorization code** again and the sign-in form will be displayed. At this point you can configure the desired values for the remaining parameters, ## Next steps -For more information about using OAuth 2.0 and API Management, see [Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md). +For more information about using OAuth 2.0 and API Management, see [Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md). [api-management-oauth2-signin]: ./media/api-management-howto-oauth2/api-management-oauth2-signin.png |
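Review bot: the rewritten flow step "The token gets validated by using the `validate-jwt` policy in API Management by Microsoft Entra ID" reads as if Microsoft Entra ID performs the validation; `validate-jwt` runs inside API Management and Microsoft Entra ID is the token issuer, so consider "API Management validates the token issued by Microsoft Entra ID using the `validate-jwt` policy". The `{aad-tenant}` placeholder in the authorization and token endpoint URLs keeps its old name, which is acceptable for a placeholder because the surrounding sentence already says it is replaced with the Microsoft Entra tenant ID.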
api-management | Api Management Howto Protect Backend With Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-protect-backend-with-aad.md | Title: Protect API in API Management using OAuth 2.0 and Azure Active Directory + Title: Protect API in API Management using OAuth 2.0 and Microsoft Entra ID -description: Learn how to secure user access to an API in Azure API Management with OAuth 2.0 user authorization and Azure Active Directory. +description: Learn how to secure user access to an API in Azure API Management with OAuth 2.0 user authorization and Microsoft Entra ID. -# Protect an API in Azure API Management using OAuth 2.0 authorization with Azure Active Directory +# Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID -In this article, you'll learn high level steps to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Azure Active Directory (Azure AD)](../active-directory/develop/active-directory-v2-protocols.md). +In this article, you'll learn high level steps to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Microsoft Entra ID](../active-directory/develop/active-directory-v2-protocols.md). For a conceptual overview of API authorization, see [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md). Prior to following the steps in this article, you must have: - An API Management instance - A published API using the API Management instance-- An Azure AD tenant+- A Microsoft Entra tenant ## Overview -Follow these steps to protect an API in API Management, using OAuth 2.0 authorization with Azure AD. +Follow these steps to protect an API in API Management, using OAuth 2.0 authorization with Microsoft Entra ID. -1. 
Register an application (called *backend-app* in this article) in Azure AD to protect access to the API. +1. Register an application (called *backend-app* in this article) in Microsoft Entra ID to protect access to the API. To access the API, users or applications will acquire and present a valid OAuth token granting access to this app with each API request. 1. Configure the [validate-jwt](validate-jwt-policy.md) policy in API Management to validate the OAuth token presented in each incoming API request. Valid requests can be passed to the API. -Details about OAuth authorization flows and how to generate the required OAuth tokens are beyond the scope of this article. Typically, a separate client app is used to acquire tokens from Azure AD that authorize access to the API. For links to more information, see the [Next steps](#next-steps). +Details about OAuth authorization flows and how to generate the required OAuth tokens are beyond the scope of this article. Typically, a separate client app is used to acquire tokens from Microsoft Entra ID that authorize access to the API. For links to more information, see the [Next steps](#next-steps). -## Register an application in Azure AD to represent the API +<a name='register-an-application-in-azure-ad-to-represent-the-api'></a> -Using the Azure portal, protect an API with Azure AD by first registering an application that represents the API. +## Register an application in Microsoft Entra ID to represent the API ++Using the Azure portal, protect an API with Microsoft Entra ID by first registering an application that represents the API. For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md). For details about app registration, see [Quickstart: Configure an application to ## Authorization workflow -1. A user or application acquires a token from Azure AD with permissions that grant access to the backend-app. +1. 
A user or application acquires a token from Microsoft Entra ID with permissions that grant access to the backend-app. 1. The token is added in the Authorization header of API requests to API Management. For details about app registration, see [Quickstart: Configure an application to ## Next steps -* To learn more about how to build an application and implement OAuth 2.0, see [Azure AD code samples](../active-directory/develop/sample-v2-code.md). +* To learn more about how to build an application and implement OAuth 2.0, see [Microsoft Entra code samples](../active-directory/develop/sample-v2-code.md). * For an end-to-end example of configuring OAuth 2.0 user authorization in the API Management developer portal, see [How to authorize test console of developer portal by configuring OAuth 2.0 user authorization](api-management-howto-oauth2.md). -- Learn more about [Azure AD and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).+- Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md). - For other ways to secure your back-end service, see [Mutual certificate authentication](./api-management-howto-mutual-certificates.md).- |
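Review bot: the Next steps list mixes bullet markers after the edit (`* To learn more...`, `* For an end-to-end...`, then `- Learn more about [Microsoft Entra ID and OAuth2.0]...`, `- For other ways...`); since the `- Learn more` line is already being rewritten, switch it and the following item to `*` so the list renders as a single list. The `<a name='register-an-application-in-azure-ad-to-represent-the-api'></a>` anchor is correctly placed immediately before the renamed H2, which keeps existing deep links working.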
api-management | Api Management Howto Setup Delegation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-setup-delegation.md | var signature = digest.toString('base64'); ## Next steps - [Learn more about the developer portal.](api-management-howto-developer-portal.md)-- [Authenticate using Azure AD](api-management-howto-aad.md) or with [Azure AD B2C](api-management-howto-aad-b2c.md).+- [Authenticate using Microsoft Entra ID](api-management-howto-aad.md) or with [Azure AD B2C](api-management-howto-aad-b2c.md). - More developer portal questions? [Find answers in our FAQ](developer-portal-faq.md). [Delegating developer sign-in and sign-up]: #delegate-signin-up |
api-management | Api Management Howto Use Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-managed-service-identity.md | -This article shows you how to create a managed identity for an Azure API Management instance and how to use it to access other resources. A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). +This article shows you how to create a managed identity for an Azure API Management instance and how to use it to access other resources. A managed identity generated by Microsoft Entra ID allows your API Management instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). You can grant two types of identities to an API Management instance: You can grant two types of identities to an API Management instance: - A *user-assigned identity* is a standalone Azure resource that can be assigned to your service. The service can have multiple user-assigned identities. > [!NOTE]-> Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription is moved to a different directory. If a subscription is moved, you'll need to recreate and configure the identities. 
+> Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. They don't get updated if a subscription is moved to a different directory. If a subscription is moved, you'll need to recreate and configure the identities. ## Create a system-assigned managed identity When the instance is created, it has the following additional properties: } ``` -The `tenantId` property identifies which Azure AD tenant the identity belongs to. The `principalId` property is a unique identifier for the instance's new identity. Within Azure AD, the service principal has the same name that you gave to your API Management instance. +The `tenantId` property identifies which Microsoft Entra tenant the identity belongs to. The `principalId` property is a unique identifier for the instance's new identity. Within Microsoft Entra ID, the service principal has the same name that you gave to your API Management instance. > [!NOTE] > An API Management instance can have both system-assigned and user-assigned identities at the same time. In this case, the `type` property would be `SystemAssigned,UserAssigned`. When the service is created, it has the following additional properties: } ``` -The `principalId` property is a unique identifier for the identity that's used for Azure AD administration. The `clientId` property is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls. +The `principalId` property is a unique identifier for the identity that's used for Microsoft Entra administration. The `clientId` property is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls. > [!NOTE] > An API Management instance can have both system-assigned and user-assigned identities at the same time. In this case, the `type` property would be `SystemAssigned,UserAssigned`. 
You can configure and use a user-assigned managed identity to access an event hu You can remove a system-assigned identity by disabling the feature through the portal or the Azure Resource Manager template in the same way that it was created. User-assigned identities can be removed individually. To remove all identities, set the identity type to `"None"`. -Removing a system-assigned identity in this way will also delete it from Azure AD. System-assigned identities are also automatically removed from Azure AD when the API Management instance is deleted. +Removing a system-assigned identity in this way will also delete it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the API Management instance is deleted. To remove all identities by using the Azure Resource Manager template, update this section: |
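Review bot: "access other Microsoft Entra protected resources" drops the hyphen that "Azure AD-protected resources" carried, so "protected" no longer reads as part of the compound modifier; either hyphenate ("Microsoft Entra-protected resources") or reword to "resources protected by Microsoft Entra ID". The rest of the hunk preserves the `tenantId`, `principalId` and `clientId` property explanations unchanged apart from the rename, which is correct since those property names are emitted by the service and must not be renamed.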
api-management | Api Management Key Concepts Experiment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-key-concepts-experiment.md | API Management integrates with many complementary Azure services to create enter * [Azure Monitor](api-management-howto-use-azure-monitor.md) for logging, reporting, and alerting on management operations, systems events, and API requestsΓÇï * [Application Insights](api-management-howto-app-insights.md) for live metrics, end-to-end tracing, and troubleshooting * [Virtual networks](virtual-network-concepts.md), [private endpoints](private-endpoint.md), and [Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md) for network-level protectionΓÇï-* Azure Active Directory for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï +* Microsoft Entra ID for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï * [Event Hubs](api-management-howto-log-event-hubs.md) for streaming eventsΓÇï * Several Azure compute offerings commonly used to build and host APIs on Azure, including [Functions](import-function-app-as-api.md), [Logic Apps](import-logic-app-as-api.md), [Web Apps](import-app-service-as-api.md), [Service Fabric](how-to-configure-service-fabric-backend.md), and others.ΓÇï Groups are used to manage the visibility of products to developers. API Manageme * **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal. They can be granted certain read-only access, such as the ability to view APIs but not call them. -Administrators can also create custom groups or use external groups in an [associated Azure Active Directory tenant](api-management-howto-aad.md) to give developers visibility and access to API products. 
For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group. +Administrators can also create custom groups or use external groups in an [associated Microsoft Entra tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group. **More information**: * [How to create and use groups][How to create and use groups] |
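Review bot: the rewritten bullet "* Microsoft Entra ID for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï" keeps the trailing `ΓÇï` sequence (a mis-encoded zero-width space) that also ends the neighbouring bullets; since this line is being rewritten anyway, strip the stray characters from it, and ideally from the sibling lines in the same list, rather than carrying the encoding debris into the renamed text.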
api-management | Api Management Key Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-key-concepts.md | API Management integrates with many complementary Azure services to create enter * [Azure Monitor](api-management-howto-use-azure-monitor.md) for logging, reporting, and alerting on management operations, systems events, and API requestsΓÇï * [Application Insights](api-management-howto-app-insights.md) for live metrics, end-to-end tracing, and troubleshooting * [Virtual networks](virtual-network-concepts.md), [private endpoints](private-endpoint.md), and [Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md) for network-level protectionΓÇï-* Azure Active Directory for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï +* Microsoft Entra ID for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï * [Event Hubs](api-management-howto-log-event-hubs.md) for streaming eventsΓÇï * Several Azure compute offerings commonly used to build and host APIs on Azure, including [Functions](import-function-app-as-api.md), [Logic Apps](import-logic-app-as-api.md), [Web Apps](import-app-service-as-api.md), [Service Fabric](how-to-configure-service-fabric-backend.md), and others.ΓÇï Groups are used to manage the visibility of products to developers. API Manageme * **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal. They can be granted certain read-only access, such as the ability to view APIs but not call them. -Administrators can also create custom groups or use external groups in an [associated Azure Active Directory tenant](api-management-howto-aad.md) to give developers visibility and access to API products. 
For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group. +Administrators can also create custom groups or use external groups in an [associated Microsoft Entra tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group. **More information**: * [How to create and use groups][How to create and use groups] |
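Review bot: the rewritten bullet `+* Microsoft Entra ID for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï` still ends with the stray zero-width-space character (rendered here as `ΓÇï`) that trails several of the neighbouring bullets in this list. Since the line is being touched for the rename anyway, drop the trailing invisible character so the encoding debris is not carried forward into the new text.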
api-management | Api Management Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policies.md | More information about policies: - [Restrict caller IPs](ip-filter-policy.md) - Filters (allows/denies) calls from specific IP addresses and/or address ranges. - [Set usage quota by subscription](quota-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. - [Set usage quota by key](quota-by-key-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.-- [Validate Azure Active Directory token](validate-azure-ad-token-policy.md) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP header, query parameter, or token value.+- [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) - Enforces existence and validity of a Microsoft Entra JWT extracted from either a specified HTTP header, query parameter, or token value. - [Validate JWT](validate-jwt-policy.md) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value. - [Validate client certificate](validate-client-certificate-policy.md) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. For more information about working with policies, see: + [Tutorial: Transform and protect your API](transform-api.md) + [Set or edit policies](set-edit-policies.md) + [Policy snippets repo](https://github.com/Azure/api-management-policy-snippets) -- |
api-management | Api Management Sample Send Request | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-send-request.md | There are certain tradeoffs when using a fire-and-forget style of request. If fo The `send-request` policy enables using an external service to perform complex processing functions and return data to the API management service that can be used for further policy processing. ### Authorizing reference tokens-A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Azure Active Directory](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server. +A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server. ### Standardized introspection In the past, there has been no standardized way of verifying a reference token with an authorization server. 
However a recently proposed standard [RFC 7662](https://tools.ietf.org/html/rfc7662) was published by the IETF that defines how a resource server can verify the validity of a token. |
api-management | Api Management Template Data Model Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-template-data-model-reference.md | This topic describes the entity and type representations for common items used i |Property|Type|Description| |--|-|--| |`Properties`|string dictionary|Properties for this authentication provider.| -|`AuthenticationType`|string|The provider type. (Azure Active Directory, Facebook login, Google Account, Microsoft Account, Twitter).| +|`AuthenticationType`|string|The provider type. (Microsoft Entra ID, Facebook login, Google Account, Microsoft Account, Twitter).| |`Caption`|string|Display name of the provider.| ## <a name="Representation"></a> Representation |
api-management | Api Management Template Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-template-resources.md | The following localization options are supported: |GeneralExceptionMessage|Something is not right. It could be a temporary glitch or a bug. Please, try again.| |GeneralJsonExceptionMessage|Something is not right. It could be a temporary glitch or a bug. Please, reload the page and try again.| |ConfirmationMessageUnsavedChanges|There are some unsaved changes. Are you sure you want to cancel and discard the changes?| -|AzureActiveDirectory|Azure Active Directory| +|AzureActiveDirectory|Microsoft Entra ID| |HttpLargeRequestMessage|Http Request Body too large.| ### <a name="CommonStrings"></a> CommonStrings The following localization options are supported: |WebAuthenticationUserIsNotConfirm|Please confirm your registration before attempting to sign in.| |WebAuthenticationInvalidEmailFormatted|Email is invalid: {0}| |WebAuthenticationUserNotFound|User not found| -|WebAuthenticationTenantNotRegistered|Your account belongs to an Azure Active Directory tenant which is not authorized to access this portal.| +|WebAuthenticationTenantNotRegistered|Your account belongs to a Microsoft Entra tenant which is not authorized to access this portal.| |WebAuthenticationAuthenticationFailed|Authentication has failed.| |WebAuthenticationGooglePlusNotEnabled|Authentication has failed. 
If you authorized the application then please contact the admin to make sure that Google authentication is configured correctly.| |ValidationErrorAllowedTenantIsRequired|Allowed Tenant is required| -|ValidationErrorTenantIsNotValid|The Azure Active Directory tenant '{0}' is not valid.| -|WebAuthenticationActiveDirectoryTitle|Azure Active Directory| +|ValidationErrorTenantIsNotValid|The Microsoft Entra tenant '{0}' is not valid.| +|WebAuthenticationActiveDirectoryTitle|Microsoft Entra ID| |WebAuthenticationLoginUsingYourProvider|Log in using your {0} account| |WebAuthenticationUserLimitNotice|This service has reached the maximum number of allowed users. Please `<a href="mailto:{0}"\>contact the administrator</a\>` to upgrade their service and re-enable user registration.| |WebAuthenticationUserLimitNoticeHeader|User registration disabled| The following localization options are supported: |WebAuthenticationSignupConfirmationAlmostDone|Almost Done| |WebAuthenticationSignupConfirmationEmailSent|WeΓÇÖve sent an e-mail to {0}. Please follow the instructions inside the e-mail to activate your account. If the e-mail doesnΓÇÖt arrive within the next few minutes, please check your junk email folder.| |WebAuthenticationEmailSentNotificationMessage|Email sent successfully to {0}| -|WebAuthenticationNoAadTenantConfigured|No Azure Active Directory tenant configured for the service.| +|WebAuthenticationNoAadTenantConfigured|No Microsoft Entra tenant configured for the service.| |CheckboxLabelUserRegistrationTermsConsentRequired|I agree to the `<a data-toggle="modal" href="#" data-target="#terms"\>Terms of Use</a\>`.| |TextblockUserRegistrationTermsProvided|Please review `<a data-toggle="modal" href="#" data-target="#terms"\>Terms of Use.</a\>`| |DialogHeadingTermsOfUse|Terms of Use| |
api-management | Api Management Troubleshoot Cannot Add Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-troubleshoot-cannot-add-custom-domain.md | The API Management service does not have permission to access the key vault that To resolve this issue, follow these steps: -1. Go to the [Azure portal](https://portal.azure.com), select your API Management instance, and then select **Managed identities**. Make sure that the **Register with Azure Active Directory** option is set to **Yes**. +1. Go to the [Azure portal](https://portal.azure.com), select your API Management instance, and then select **Managed identities**. Make sure that the **Register with Microsoft Entra ID** option is set to **Yes**. ![Registering with Azure Active Director](./media/api-management-troubleshoot-cannot-add-custom-domain/register-with-aad.png) 1. In the Azure portal, open the **Key vaults** service, and select the key vault that you're trying to use for the custom domain. 1. Select **Access policies**, and check whether there is a service principal that matches the name of the API Management service instance. If there is, select the service principal, and make sure that it has the **Get** permission listed under **Secret permissions**. Learn more about API Management service: * For other ways to secure your back-end service, see [Mutual Certificate authentication](api-management-howto-mutual-certificates.md). * [Create an API Management service instance](get-started-create-service-instance.md).-* [Manage your first API](import-and-publish.md). +* [Manage your first API](import-and-publish.md). |
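Review bot: the portal option is renamed to **Register with Microsoft Entra ID**, but the screenshot alt text on the unchanged line immediately after it still reads "Registering with Azure Active Director", which has both the old product name and a typo (missing "y"). Update the alt text in the same change, for example `![Registering with Microsoft Entra ID](./media/api-management-troubleshoot-cannot-add-custom-domain/register-with-aad.png)`, so the image description matches the renamed option.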
api-management | Authentication Authorization Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-authorization-overview.md | API Management supports other client-side and service-side authentication and au > [!NOTE] > Other API Management components have separate mechanisms to secure and restrict user access:-> * For managing the API Management instance through the Azure control plane, API Management relies on Azure AD and Azure [role-based access control (RBAC)](api-management-role-based-access-control.md). +> * For managing the API Management instance through the Azure control plane, API Management relies on Microsoft Entra ID and Azure [role-based access control (RBAC)](api-management-role-based-access-control.md). > * The API Management developer portal supports [several options](secure-developer-portal-access.md) to facilitate secure user sign-up and sign-in. ## Authentication versus authorization What happens when a client app calls an API with a request that is secured using * The client (the calling app, or *bearer*) authenticates using credentials to an *identity provider*. * The client obtains a time-limited *access token* (a JSON web token, or JWT) from the identity provider's *authorization server*. - The identity provider (for example, Azure AD) is the *issuer* of the token, and the token includes an *audience claim* that authorizes access to a *resource server* (for example, to a backend API, or to the API Management gateway itself). + The identity provider (for example, Microsoft Entra ID) is the *issuer* of the token, and the token includes an *audience claim* that authorizes access to a *resource server* (for example, to a backend API, or to the API Management gateway itself). * The client calls the API and presents the access token - for example, in an Authorization header. * The *resource server* validates the access token. 
Validation is a complex process that includes a check that the *issuer* and *audience* claims contain expected values. * Based on token validation criteria, access to resources of the [backend](backends.md) API is then granted. -Depending on the type of client app and scenarios, different *authorization flows* are needed to request and manage tokens. For example, the authorization code flow and grant type are commonly used in apps that call web APIs. Learn more about [OAuth flows and application scenarios in Azure AD](../active-directory/develop/authentication-flows-app-scenarios.md). +Depending on the type of client app and scenarios, different *authorization flows* are needed to request and manage tokens. For example, the authorization code flow and grant type are commonly used in apps that call web APIs. Learn more about [OAuth flows and application scenarios in Microsoft Entra ID](../active-directory/develop/authentication-flows-app-scenarios.md). ## OAuth 2.0 authorization scenarios in API Management Depending on the type of client app and scenarios, different *authorization flow A common authorization scenario is when the calling application requests access to the backend API directly and presents an OAuth 2.0 token in an authorization header to the gateway. Azure API Management then acts as a "transparent" proxy between the caller and backend API, and passes the token through unchanged to the backend. The scope of the access token is between the calling application and backend API. -The following image shows an example where Azure AD is the authorization provider. The client app might be a single-page application (SPA). +The following image shows an example where Microsoft Entra ID is the authorization provider. The client app might be a single-page application (SPA). 
:::image type="content" source="media/authentication-authorization-overview/oauth-token-backend.svg" alt-text="Diagram showing OAuth communication where audience is the backend."::: Although the access token sent along with the HTTP request is intended for the b Example: -* [Protect an API in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md) +* [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md) > [!TIP]-> In the special case when API access is protected using Azure AD, you can configure the [validate-azure-ad-token](validate-azure-ad-token-policy.md) policy for token validation. +> In the special case when API access is protected using Microsoft Entra ID, you can configure the [validate-azure-ad-token](validate-azure-ad-token-policy.md) policy for token validation. ### Scenario 2 - Client app authorizes to API Management In this scenario, the API Management service acts on behalf of the API, and the calling application requests access to the API Management instance. The scope of the access token is between the calling application and the API Management gateway. In API Management, configure a policy ([validate-jwt](validate-jwt-policy.md) or [validate-azure-ad-token](validate-azure-ad-token-policy.md)) to validate the token before the gateway passes the request to the backend. A separate mechanism typically secures the connection between the gateway and the backend API. -In the following example, Azure AD is again the authorization provider, and mutual TLS (mTLS) authentication secures the connection between the gateway and the backend. +In the following example, Microsoft Entra ID is again the authorization provider, and mutual TLS (mTLS) authentication secures the connection between the gateway and the backend. 
:::image type="content" source="media/authentication-authorization-overview/oauth-token-gateway.svg" alt-text="Diagram showing OAuth communication where audience is the API Management gateway."::: While authorization is preferred, and OAuth 2.0 has become the dominant method o |Mechanism |Description |Considerations | ||||-|[Managed identity authentication](authentication-managed-identity-policy.md) | Authenticate to backend API with a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). | Recommended for scoped access to a protected backend resource by obtaining a token from Azure AD. | +|[Managed identity authentication](authentication-managed-identity-policy.md) | Authenticate to backend API with a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). | Recommended for scoped access to a protected backend resource by obtaining a token from Microsoft Entra ID. | |[Certificate authentication](authentication-certificate-policy.md) | Authenticate to backend API using a client certificate. | Certificate may be stored in key vault. | |[Basic authentication](authentication-basic-policy.md) | Authenticate to backend API with username and password that are passed through an Authorization header. | Discouraged if better options are available. | |
api-management | Authentication Managed Identity Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-managed-identity-policy.md | - Use the `authentication-managed-identity` policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the `Authorization` header using the `Bearer` scheme. API Management caches the token until it expires. + Use the `authentication-managed-identity` policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Microsoft Entra ID for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the `Authorization` header using the `Bearer` scheme. API Management caches the token until it expires. -Both system-assigned identity and any of the multiple user-assigned identities can be used to request a token. If `client-id` is not provided, system-assigned identity is assumed. If the `client-id` variable is provided, token is requested for that user-assigned identity from Azure Active Directory. +Both system-assigned identity and any of the multiple user-assigned identities can be used to request a token. If `client-id` is not provided, system-assigned identity is assumed. If the `client-id` variable is provided, token is requested for that user-assigned identity from Microsoft Entra ID. [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)] Both system-assigned identity and any of the multiple user-assigned identities c | Attribute | Description | Required | Default | | -- | | -- | - |-|resource|String. 
The application ID of the target web API (secured resource) in Azure Active Directory. Policy expressions are allowed. |Yes|N/A| -|client-id|String. The client ID of the user-assigned identity in Azure Active Directory. Policy expressions aren't allowed. |No|system-assigned identity| +|resource|String. The application ID of the target web API (secured resource) in Microsoft Entra ID. Policy expressions are allowed. |Yes|N/A| +|client-id|String. The client ID of the user-assigned identity in Microsoft Entra ID. Policy expressions aren't allowed. |No|system-assigned identity| |output-token-variable-name|String. Name of the context variable that will receive token value as an object of type `string`. Policy expressions aren't allowed. |No|N/A| |ignore-error|Boolean. If set to `true`, the policy pipeline continues to execute even if an access token isn't obtained.|No|`false`| |
api-management | Authorizations Configure Common Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-configure-common-providers.md | Title: Configure authorization providers - Azure API Management | Microsoft Docs -description: Learn how to configure common identity providers for authorizations in Azure API Management. Example providers are Azure Active Directory and a generic OAuth 2.0 provider. An authorization manages authorization tokens to an OAuth 2.0 backend service. +description: Learn how to configure common identity providers for authorizations in Azure API Management. Example providers are Microsoft Entra ID and a generic OAuth 2.0 provider. An authorization manages authorization tokens to an OAuth 2.0 backend service. -* Azure AD provider +* Microsoft Entra provider * Generic OAuth 2.0 provider -You add identity provider settings when configuring an authorization in your API Management instance. For a step-by-step example of configuring an Azure AD provider and authorization, see: +You add identity provider settings when configuring an authorization in your API Management instance. For a step-by-step example of configuring a Microsoft Entra provider and authorization, see: * [Create an authorization with the Microsoft Graph API](authorizations-how-to-azure-ad.md) To configure any of the supported providers in API Management, first configure a * Depending on the provider and your scenario, you might need to retrieve other settings such as authorization endpoint URLs or scopes. -## Azure AD provider +<a name='azure-ad-provider'></a> -Authorizations support the Azure AD identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols. 
+## Microsoft Entra provider ++Authorizations support the Microsoft Entra identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols. * **Supported grant types**: authorization code, client credentials > [!NOTE]-> Currently, the Azure AD authorization provider supports only the Azure AD v1.0 endpoints. +> Currently, the Microsoft Entra authorization provider supports only the Azure AD v1.0 endpoints. -### Azure AD provider settings +<a name='azure-ad-provider-settings'></a> ++### Microsoft Entra provider settings [!INCLUDE [api-management-authorization-azure-ad-provider](../../includes/api-management-authorization-azure-ad-provider.md)] Required settings for these providers differ from provider to provider but are s ## Next steps * Learn more about [authorizations](authorizations-overview.md) in API Management.-* Create an authorization for [Azure AD](authorizations-how-to-azure-ad.md) or [GitHub](authorizations-how-to-github.md). +* Create an authorization for [Microsoft Entra ID](authorizations-how-to-azure-ad.md) or [GitHub](authorizations-how-to-github.md). |
api-management | Authorizations How To Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-how-to-azure-ad.md | This article guides you through the steps required to create an [authorization]( You learn how to: > [!div class="checklist"]-> * Create an Azure AD application +> * Create a Microsoft Entra application > * Create and configure an authorization in API Management > * Configure an access policy > * Create a Microsoft Graph API in API Management and configure a policy You learn how to: ## Prerequisites -- Access to an Azure Active Directory (Azure AD) tenant where you have permissions to create an app registration and to grant admin consent for the app's permissions. [Learn more](../active-directory/roles/delegate-app-roles.md#restrict-who-can-create-applications)+- Access to a Microsoft Entra tenant where you have permissions to create an app registration and to grant admin consent for the app's permissions. [Learn more](../active-directory/roles/delegate-app-roles.md#restrict-who-can-create-applications) If you want to create your own developer tenant, you can sign up for the [Microsoft 365 Developer Program](https://developer.microsoft.com/microsoft-365/dev-program). - A running API Management instance. If you need to, [create an Azure API Management instance](get-started-create-service-instance.md). - Enable a [system-assigned managed identity](api-management-howto-use-managed-service-identity.md) for API Management in the API Management instance. -## Step 1: Create an Azure AD application +<a name='step-1-create-an-azure-ad-application'></a> -Create an Azure AD application for the API and give it the appropriate permissions for the requests that you want to call. +## Step 1: Create a Microsoft Entra application ++Create a Microsoft Entra application for the API and give it the appropriate permissions for the requests that you want to call. 1. 
Sign in to the [Azure portal](https://portal.azure.com) with an account with sufficient permissions in the tenant.-1. Under **Azure Services**, search for **Azure Active Directory**. +1. Under **Azure Services**, search for **Microsoft Entra ID**. 1. On the left menu, select **App registrations**, and then select **+ New registration**. - :::image type="content" source="media/authorizations-how-to-azure-ad/create-registration.png" alt-text="Screenshot of creating an Azure AD app registration in the portal."::: + :::image type="content" source="media/authorizations-how-to-azure-ad/create-registration.png" alt-text="Screenshot of creating a Microsoft Entra app registration in the portal."::: 1. On the **Register an application** page, enter your application registration settings: 1. In **Name**, enter a meaningful name that will be displayed to users of the app, such as *MicrosoftGraphAuth*. Create an Azure AD application for the API and give it the appropriate permissio |Settings |Value | |||- |**Provider name** | A name of your choice, such as *aad-01* | + |**Provider name** | A name of your choice, such as *Microsoft Entra ID-01* | |**Identity provider** | Select **Azure Active Directory v1** | |**Grant type** | Select **Authorization code** | |**Client id** | Paste the value you copied earlier from the app registration | |**Client secret** | Paste the value you copied earlier from the app registration | |**Resource URL** | `https://graph.microsoft.com` |- |**Tenant ID** | Optional for Azure AD identity provider. Default is *Common* | - |**Scopes** | Optional for Azure AD identity provider. Automatically configured from AD app's API permissions. | - |**Authorization name** | A name of your choice, such as *aad-auth-01* | + |**Tenant ID** | Optional for Microsoft Entra identity provider. Default is *Common* | + |**Scopes** | Optional for Microsoft Entra identity provider. Automatically configured from AD app's API permissions. 
| + |**Authorization name** | A name of your choice, such as *Microsoft Entra auth-01* | 1. After the authorization provider and authorization are created, select **Next**. -## Step 3: Authorize with Azure AD and configure an access policy +<a name='step-3-authorize-with-azure-ad-and-configure-an-access-policy'></a> ++## Step 3: Authorize with Microsoft Entra ID and configure an access policy -1. On the **Login** tab, select **Login with Azure Active Directory**. Before the authorization will work, it needs to be authorized. - :::image type="content" source="media/authorizations-how-to-azure-ad/login-azure-ad.png" alt-text="Screenshot of login with Azure AD in the portal."::: +1. On the **Login** tab, select **Login with Microsoft Entra ID**. Before the authorization will work, it needs to be authorized. + :::image type="content" source="media/authorizations-how-to-azure-ad/login-azure-ad.png" alt-text="Screenshot of login with Microsoft Entra ID in the portal."::: 1. When prompted, sign in to your organizational account. 1. On the confirmation page, select **Allow access**. The preceding policy definition consists of two parts: ## Next steps * Learn more about [access restriction policies](api-management-access-restriction-policies.md)-* Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Azure AD. +* Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Microsoft Entra ID. |
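Review bot: the rename has rewritten example resource names, not just product names: the sample **Provider name** `aad-01` becomes `Microsoft Entra ID-01` and the sample **Authorization name** `aad-auth-01` becomes `Microsoft Entra auth-01`, which are awkward identifiers with spaces for a provider or authorization name; keep short hyphenated samples such as `entra-01` and `entra-auth-01` instead. In the same table the **Identity provider** cell still selects **Azure Active Directory v1** (correct if that is the literal dropdown label) while the **Scopes** cell still says "AD app's API permissions", so the wording within the table is now mixed. Likewise, the step 3 button label **Login with Microsoft Entra ID** is a UI string; confirm it matches what the portal actually shows before renaming it, since a label that does not exist on screen will mislead readers following the steps.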
api-management | Authorizations Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-overview.md | During Step 1, you configure your authorization provider. You can choose between > With the Generic OAuth 2.0 provider, other identity providers that support the standards of [OAuth 2.0 flow](https://oauth.net/2/) can be used. > -To use an authorization provider, at least one *authorization* is required. Each authorization is a separate connection to the authorization provider. The process of configuring an authorization differs based on the configured grant type. Each authorization provider configuration only supports one grant type. For example, if you want to configure Azure AD to use both grant types, two authorization provider configurations are needed. The following table summarizes the two grant types. +To use an authorization provider, at least one *authorization* is required. Each authorization is a separate connection to the authorization provider. The process of configuring an authorization differs based on the configured grant type. Each authorization provider configuration only supports one grant type. For example, if you want to configure Microsoft Entra ID to use both grant types, two authorization provider configurations are needed. The following table summarizes the two grant types. |Grant type |Description | For authorizations based on the authorization code grant type, you must authenti #### Step 3: Access policy -You configure one or more *access policies* for each authorization. The access policies determine which [Azure AD identities](../active-directory/develop/app-objects-and-service-principals.md) can gain access to your authorizations at runtime. Authorizations currently support managed identities and service principals. +You configure one or more *access policies* for each authorization. 
The access policies determine which [Microsoft Entra identities](../active-directory/develop/app-objects-and-service-principals.md) can gain access to your authorizations at runtime. Authorizations currently support managed identities and service principals. |Identity |Description | Benefits | Considerations | |||--|-|-|Service principal | Identity whose tokens can be used to authenticate and grant access to specific Azure resources, when an organization is using Azure Active Directory (Azure AD). By using a service principal, organizations avoid creating fictitious users to manage authentication when they need to access a resource. A service principal is an Azure AD identity that represents a registered Azure AD application. | Permits more tightly scoped access to authorization. Isn't tied to specific API Management instance. Relies on Azure AD for permission enforcement. | Getting the [authorization context](get-authorization-context-policy.md) requires an Azure AD token. | -|Managed identity | Service principal of a special type that represents an Azure AD identity for an Azure service. Managed identities are tied to, and can only be used with, an Azure resource. Managed identities eliminate the need for you to manually create and manage service principals directly.<br/><br/>When a system-assigned managed identity is enabled, a service principal representing that managed identity is created in your tenant automatically and tied to your resource's lifecycle.|No credentials are needed.|Identity is tied to specific Azure infrastructure. Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions. | +|Service principal | Identity whose tokens can be used to authenticate and grant access to specific Azure resources, when an organization is using Microsoft Entra ID. By using a service principal, organizations avoid creating fictitious users to manage authentication when they need to access a resource. 
A service principal is a Microsoft Entra identity that represents a registered Microsoft Entra application. | Permits more tightly scoped access to authorization. Isn't tied to specific API Management instance. Relies on Microsoft Entra ID for permission enforcement. | Getting the [authorization context](get-authorization-context-policy.md) requires a Microsoft Entra token. | +|Managed identity | Service principal of a special type that represents a Microsoft Entra identity for an Azure service. Managed identities are tied to, and can only be used with, an Azure resource. Managed identities eliminate the need for you to manually create and manage service principals directly.<br/><br/>When a system-assigned managed identity is enabled, a service principal representing that managed identity is created in your tenant automatically and tied to your resource's lifecycle.|No credentials are needed.|Identity is tied to specific Azure infrastructure. Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions. | | Managed identity `<Your API Management instance name>` | This option corresponds to a managed identity tied to your API Management instance. | Quick selection of system-assigned managed identity for the corresponding API management instance. | Identity is tied to your API Management instance. Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions. | ## Security considerations Learn how to: - Configure [identity providers](authorizations-configure-common-providers.md) for authorizations - Configure and use an authorization for the [Microsoft Graph API](authorizations-how-to-azure-ad.md) or the [GitHub API](authorizations-how-to-github.md) - Configure [multiple authorization connections](configure-authorization-connection.md) for a provider- |
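Review bot: The identity table now carries the same consideration twice: the `Managed identity` row and the `Managed identity <Your API Management instance name>` row both end with "Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions." Since the second row is described as only a quick selection of the first, state the consideration once and have the shortcut row point to it, and while touching the text change "Contributor access to API Management instance" to "Contributor access to the API Management instance". The rename itself is consistent: "Microsoft Entra identities" in the access-policy paragraph, "Microsoft Entra identity" and "Microsoft Entra ID for permission enforcement" in the service-principal row, and "Microsoft Entra token" in its Considerations column all read correctly.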
api-management | Identity Provider Adal Retirement Sep 2025 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/identity-provider-adal-retirement-sep-2025.md | Title: Azure API Management identity providers configuration change (September 2025) | Microsoft Docs -description: Azure API Management is updating the library used for user authentication in the developer portal. If you use Azure AD or Azure AD B2C identity providers, you need to update application settings and identity provider configuration to use the Microsoft Authentication Library (MSAL). +description: Azure API Management is updating the library used for user authentication in the developer portal. If you use Microsoft Entra ID or Azure AD B2C identity providers, you need to update application settings and identity provider configuration to use the Microsoft Authentication Library (MSAL). documentationcenter: '' Last updated 09/06/2022 -# ADAL-based Azure AD or Azure AD B2C identity provider retirement (September 2025) +# ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement (September 2025) -On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). You need to migrate your Azure AD or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal. +On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). 
You need to migrate your Microsoft Entra ID or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal. -This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Azure AD or Azure AD B2C identity providers beyond 30 September, 2025. +This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Microsoft Entra ID or Azure AD B2C identity providers beyond 30 September, 2025. ## Is my service affected by this change? Your service is impacted by this change if: -* You've configured an [Azure AD](../api-management-howto-aad.md) or [Azure AD B2C](../api-management-howto-aad-b2c.md) identity provider for user account authentication using the ADAL and use the provided developer portal. +* You've configured an [Microsoft Entra ID](../api-management-howto-aad.md) or [Azure AD B2C](../api-management-howto-aad-b2c.md) identity provider for user account authentication using the ADAL and use the provided developer portal. ## What is the deadline for the change? -On 30 September, 2025, these identity providers will stop functioning. To avoid disruption of your developer portal, you need to update your Azure AD applications and identity provider configuration in Azure API Management by that date. Your developer portal might be at a security risk after Microsoft ADAL support ends in June 1, 2023. +On 30 September, 2025, these identity providers will stop functioning. To avoid disruption of your developer portal, you need to update your Microsoft Entra applications and identity provider configuration in Azure API Management by that date. 
Your developer portal might be at a security risk after Microsoft ADAL support ends in June 1, 2023. -Developer portal sign-in and sign-up with Azure AD or Azure AD B2C will stop working past 30 September, 2025 if you don't update your ADAL-based Azure AD or Azure AD B2C identity providers. This new authentication method is more secure, as it relies on the OAuth 2.0 authorization code flow with PKCE and uses an up-to-date software library. +Developer portal sign-in and sign-up with Microsoft Entra ID or Azure AD B2C will stop working past 30 September, 2025 if you don't update your ADAL-based Microsoft Entra ID or Azure AD B2C identity providers. This new authentication method is more secure, as it relies on the OAuth 2.0 authorization code flow with PKCE and uses an up-to-date software library. ## What do I need to do? -### Update Azure AD and Azure AD B2C applications for MSAL compatibility +<a name='update-azure-ad-and-azure-ad-b2c-applications-for-msal-compatibility'></a> ++### Update Microsoft Entra ID and Azure AD B2C applications for MSAL compatibility [Switch redirect URIs to the single-page application type](../../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform). Developer portal sign-in and sign-up with Azure AD or Azure AD B2C will stop wor 1. Go to the [Azure portal](https://portal.azure.com) and navigate to your Azure API Management service. 2. Select **Identities** in the menu.-3. Select **Azure Active Directory** or **Azure Active Directory B2C** from the list. +3. Select **Microsoft Entra ID** or **Azure Active Directory B2C** from the list. 4. Select **MSAL** in the **Client library** dropdown. 5. Select **Update**. 6. [Republish your developer portal](../api-management-howto-developer-portal-customize.md#publish-from-the-azure-portal). If you have questions, get answers from community experts in [Microsoft Q&A](htt 1. 
Under **Service**, select **My services**, then select **API Management Service**. 1. Under **Resource**, select the Azure resource that youΓÇÖre creating a support request for. 1. For **Problem type**, select **Authentication and Security**. -1. For **Problem subtype**, select **Azure Active Directory Authentication** or **Azure Active Directory B2C Authentication**. +1. For **Problem subtype**, select **Microsoft Entra authentication** or **Azure Active Directory B2C Authentication**. ## More information -* [Authenticate users with Azure AD](../api-management-howto-aad.md) +* [Authenticate users with Microsoft Entra ID](../api-management-howto-aad.md) * [Authenticate users with Azure AD B2C](../api-management-howto-aad-b2c.md) * [Microsoft Q&A](/answers/topics/azure-api-management.html) ## Next steps -See all [upcoming breaking changes and feature retirements](overview.md). +See all [upcoming breaking changes and feature retirements](overview.md). |
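Review bot: In the "Is my service affected by this change?" bullet, the `+` line reads "You've configured an [Microsoft Entra ID](../api-management-howto-aad.md)"; the article must become "a" now that the link text starts with a consonant sound. The unchanged sentence "Your developer portal might be at a security risk after Microsoft ADAL support ends in June 1, 2023" needs "on June 1, 2023". The added `<a name='update-azure-ad-and-azure-ad-b2c-applications-for-msal-compatibility'></a>` anchor is the right way to keep the old heading's deep links working after the heading text changed. One consistency point in the support-request steps: the subtype is renamed to "Microsoft Entra authentication" (lowercase a) next to "Azure Active Directory B2C Authentication" (capital A); both should be checked against the actual portal dropdown labels, since readers will be searching for these strings verbatim.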
api-management | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/overview.md | The following table lists all the upcoming breaking changes and feature retireme | [Deprecated (legacy) portal retirement][devportal2023] | October 31, 2023 | | [Self-hosted gateway v0/v1 retirement][shgwv0v1] | October 1, 2023 | | [stv1 platform retirement][stv12024] | August 31, 2024 |-| [ADAL-based Azure AD or Azure AD B2C identity provider retirement][msal2025] | September 30, 2025 | +| [ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement][msal2025] | September 30, 2025 | | [CAPTCHA endpoint update][captcha2025] | September 30, 2025 | <!-- Links --> |
api-management | Configure Authorization Connection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-authorization-connection.md | -You can configure multiple authorizations (also called *authorization connections*) to an authorization provider in your API Management instance. For example, if you configured Azure AD as an authorization provider, you might need to create multiple authorizations for different scenarios and users. +You can configure multiple authorizations (also called *authorization connections*) to an authorization provider in your API Management instance. For example, if you configured Microsoft Entra ID as an authorization provider, you might need to create multiple authorizations for different scenarios and users. In this article, you learn how to add an authorization connection to an existing provider, using the portal. For an overview of configuration steps, see [How to configure authorizations?](authorizations-overview.md#how-to-configure-authorizations) ## Prerequisites * An API Management instance. If you need to, [create one](get-started-create-service-instance.md).-* A configured authorization provider. For example, see the steps to create a provider for [GitHub](authorizations-how-to-github.md) or [Azure AD](authorizations-how-to-azure-ad.md). +* A configured authorization provider. For example, see the steps to create a provider for [GitHub](authorizations-how-to-github.md) or [Microsoft Entra ID](authorizations-how-to-azure-ad.md). ## Create an authorization connection - portal In this article, you learn how to add an authorization connection to an existing 1. Complete the steps for your authorization connection. 1. On the **Authorization** tab, enter an **Authorization name**. Select **Create**, then select **Next**. 1. On the **Login** tab (for authorization code grant type), complete the steps to login to the authorization provider to allow access. Select **Next**.- 1. 
On the **Access policy** tab, assign access to the Azure AD identity or identities that can use the authorization. Select **Complete**. + 1. On the **Access policy** tab, assign access to the Microsoft Entra identity or identities that can use the authorization. Select **Complete**. 1. The new connection appears in the list of authorizations, and shows a status of **Connected**. :::image type="content" source="media/configure-authorization-connection/list-authorizations.png" alt-text="Screenshot of list of authorization connections in the portal."::: To update an authorization connection: * Learn more about [configuring identity providers](authorizations-configure-common-providers.md) for authorizations. * Review [limits](authorizations-overview.md#limits) for authorization providers and authorizations.---- |
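Review bot: In the numbered procedure, the unchanged context line "complete the steps to login to the authorization provider" uses the noun "login" as a verb; it should read "log in to the authorization provider". The renamed step "assign access to the Microsoft Entra identity or identities that can use the authorization" is fine as written.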
api-management | Developer Portal Basic Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-basic-authentication.md | There are two ways to add a username and password for authentication to the deve ## Delete the username and password provider -If you've configured another identity provider for the developer portal such as [Azure AD](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md), you might want to delete the username and password provider. +If you've configured another identity provider for the developer portal such as [Microsoft Entra ID](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md), you might want to delete the username and password provider. Deleting the identity provider prevents adding users to use username and password authentication. Existing users configured for basic authentication are also prevented from signing into the developer portal. Deleting the identity provider prevents adding users to use username and passwor For steps to add other identity providers for developer sign-up to the developer portal, see: -- [Authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md)-- [Authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md)+- [Authorize developer accounts by using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md) +- [Authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md) |
api-management | Developer Portal Deprecated Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-deprecated-migration.md | When you migrate from the deprecated portal, keep in mind the following changes: - *Issues* and *Applications* aren't supported in the new developer portal. - Direct integration with Facebook, Microsoft, Twitter, and Google as identity providers isn't supported in the new developer portal. You can integrate with those providers via Azure AD B2C. - If you use delegation, change the return URL in your applications and use the [*Get Shared Access Token* API endpoint](/rest/api/apimanagement/current-ga/user/get-shared-access-token) instead of the *Generate SSO URL* endpoint.-- If you use Azure AD as an identity provider:+- If you use Microsoft Entra ID as an identity provider: - Change the return URL in your application to point to the new developer portal domain. - Modify the suffix of the return URL in your application from `/signin-aad` to `/signin`. |
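Review bot: The rename correctly leaves the literal path in "Modify the suffix of the return URL in your application from `/signin-aad` to `/signin`" untouched; that suffix is part of the registered redirect URI, which must match exactly, not a product name to be updated. It would help readers to add that the old `/signin-aad` redirect URI should be removed from the app registration once the new portal is serving traffic, since the bullet currently only says to change the suffix and a stale redirect URI tends to be forgotten.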
api-management | Developer Portal Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-faq.md | After you update the domain, you need to [republish the portal](api-management-h ## I added an identity provider and I can't see it in the portal -After you configure an identity provider (for example, Azure AD, Azure AD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget. +After you configure an identity provider (for example, Microsoft Entra ID, Azure AD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget. ## I set up delegation and the portal doesn't use it |
api-management | Front Door Api Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/front-door-api-management.md | The following are high level steps to add an endpoint for the developer portal t For more information and details about settings, see [How to configure an origin for Azure Front Door](../frontdoor/how-to-configure-origin.md#create-a-new-origin-group). > [!NOTE]-> If you've configured an [Azure AD](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md) identity provider for the developer portal, you need to update the corresponding app registration with an additional redirect URL to Front Door. In the app registration, add the URL for the developer portal endpoint configured in your Front Door profile. +> If you've configured an [Microsoft Entra ID](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md) identity provider for the developer portal, you need to update the corresponding app registration with an additional redirect URL to Front Door. In the app registration, add the URL for the developer portal endpoint configured in your Front Door profile. ## Next steps |
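Review bot: The `+` line in the NOTE reads "If you've configured an [Microsoft Entra ID](api-management-howto-aad.md)"; change "an" to "a". The instruction to add the Front Door endpoint as an additional redirect URL, rather than replacing the existing one, is right, since sign-in via the portal's own hostname still has to work alongside the Front Door endpoint.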
api-management | Get Authorization Context Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-authorization-context-policy.md | The policy fetches and stores authorization and refresh tokens from the configur | authorization-id | The authorization resource identifier. Policy expressions are allowed. | Yes | N/A | | context-variable-name | The name of the context variable to receive the [`Authorization` object](#authorization-object). Policy expressions are allowed. | Yes | N/A | | identity-type | Type of identity to check against the authorization access policy. <br> - `managed`: managed identity of the API Management service. <br> - `jwt`: JWT bearer token specified in the `identity` attribute.<br/><br/>Policy expressions are allowed. | No | `managed` |-| identity | An Azure AD JWT bearer token to check against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: `https://azure-api.net/authorization-manager` <br> - `oid`: Permission object ID <br> - `tid`: Permission tenant ID<br/><br/>Policy expressions are allowed. | No | N/A | +| identity | A Microsoft Entra JWT bearer token to check against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: `https://azure-api.net/authorization-manager` <br> - `oid`: Permission object ID <br> - `tid`: Permission tenant ID<br/><br/>Policy expressions are allowed. | No | N/A | | ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource isn't found or is in an error state): <br> - `true`: the context variable is assigned a value of null. <br> - `false`: return `500`<br/><br/>If you set the value to `false`, and the policy configuration includes an `on-error` section, the error is available in the `context.LastError` property.<br/><br/>Policy expressions are allowed. 
| No | `false` | ### Authorization object |
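Review bot: The `identity` row's expected audience `https://azure-api.net/authorization-manager` and the `oid`/`tid` claims are correctly left alone by the rename, since they are token values rather than display names. The claim descriptions "Permission object ID" and "Permission tenant ID" are opaque, though; given that the row says the token is checked "against the authorization permissions", spelling them out as the object ID and tenant ID of the identity granted in the authorization's access policy would make clear what the caller has to present.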
api-management | How To Create Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-create-workspace.md | The new workspace appears in the list on the **Workspaces** page. Select the wor After creating a workspace, assign permissions to users to manage the workspace's resources. Each workspace user must be assigned both a service-scoped workspace RBAC role and a workspace-scoped RBAC role, or granted equivalent permissions using custom roles. > [!NOTE]-> For easier management, set up Azure AD groups to assign workspace permissions to multiple users. +> For easier management, set up Microsoft Entra groups to assign workspace permissions to multiple users. > * For a list of built-in workspace roles, see [How to use role-based access control in API Management](api-management-role-based-access-control.md). The open source [Azure API Management workspaces migration tool](https://github. ## Next steps * Workspace collaborators can get started [managing APIs and other resources in their API Management workspace](api-management-in-workspace.md)- |
api-management | How To Deploy Self Hosted Gateway Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md | This article describes the steps for deploying the self-hosted gateway component ## Deploy to Kubernetes > [!TIP]-> The following steps deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using a gateway access token (authentication key). You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Azure AD](self-hosted-gateway-enable-azure-ad.md). +> The following steps deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using a gateway access token (authentication key). You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Microsoft Entra ID](self-hosted-gateway-enable-azure-ad.md). 1. Select **Gateways** under **Deployment and infrastructure**. 2. Select the self-hosted gateway resource that you want to deploy. |
api-management | How To Self Hosted Gateway On Kubernetes In Production | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md | Without a valid access token, a self-hosted gateway can't access and download co When you're automating token refresh, use [this management API operation](/rest/api/apimanagement/current-ga/gateway/generate-token) to generate a new token. For information on managing Kubernetes secrets, see the [Kubernetes website](https://kubernetes.io/docs/concepts/configuration/secret). > [!TIP]-> You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Azure AD](self-hosted-gateway-enable-azure-ad.md). +> You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Microsoft Entra ID](self-hosted-gateway-enable-azure-ad.md). ## Autoscaling |
api-management | Howto Protect Backend Frontend Azure Ad B2c | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/howto-protect-backend-frontend-azure-ad-b2c.md | For defense in depth, we then use EasyAuth to validate the token again inside th > * Creation of an Azure Functions Backend API > * Import of an Azure Functions API into Azure API Management > * Securing the API in Azure API Management-> * Calling the Azure Active Directory B2C Authorization Endpoints via the Microsoft Identity Platform Libraries (MSAL.js) +> * Calling the Azure Active Directory B2C Authorization Endpoints via the Microsoft identity platform Libraries (MSAL.js) > * Storing a HTML / Vanilla JS Single Page Application and serving it from an Azure Blob Storage Endpoint ## Prerequisites Open the Azure AD B2C blade in the portal and do the following steps. ## Build the function API -1. Switch back to your standard Azure AD tenant in the Azure portal so we can configure items in your subscription again. +1. Switch back to your standard Microsoft Entra tenant in the Azure portal so we can configure items in your subscription again. 1. Go to the Function Apps blade of the Azure portal, open your empty function app, then click 'Functions', click 'Add'. 1. In the flyout that appears, choose 'Develop in portal', under 'select a template' then choose 'HTTP trigger', under Template details name it 'hello' with authorization level 'Function', then select Add. 1. Switch to the Code + Test blade and copy-paste the sample code from below *over the existing code* that appears. Open the Azure AD B2C blade in the portal and do the following steps. 
> [!IMPORTANT] > Now your Function API is deployed and should throw 401 responses if the correct JWT isn't supplied as an Authorization: Bearer header, and should return data when a valid request is presented.- > You added additional defense-in-depth security in EasyAuth by configuring the 'Login With Azure AD' option to handle unauthenticated requests. + > You added additional defense-in-depth security in EasyAuth by configuring the 'Login With Microsoft Entra ID' option to handle unauthenticated requests. > > We still have no IP security applied, if you have a valid key and OAuth2 token, anyone can call this from anywhere - ideally we want to force all requests to come via API Management. > You'll need to add CIDR formatted blocks of addresses to the IP restrictions pan 1. Select the '$web' container from the list 1. Select https://docsupdatetracker.net/index.html blob from the list 1. Click 'Edit'-1. Update the auth values in the msal config section to match your *front-end* application you registered in B2C earlier. Use the code comments for hints on how the config values should look. +1. Update the auth values in the MSAL config section to match your *front-end* application you registered in B2C earlier. Use the code comments for hints on how the config values should look. The *authority* value needs to be in the format:- https://{b2ctenantname}.b2clogin.com/tfp/{b2ctenantname}.onmicrosoft.com}/{signupandsigninpolicyname}, if you have used our sample names and your b2c tenant is called 'contoso' then you would expect the authority to be 'https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/Frontendapp_signupandsignin'. 1. Set the api values to match your backend address (The API Base Url you recorded earlier, and the 'b2cScopes' values were recorded earlier for the *backend application*). 1. 
Click Save The steps above can be adapted and edited to allow many different uses of Azure ## Next steps -* Learn more about [Azure Active Directory and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md). +* Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md). * Check out more [videos](https://azure.microsoft.com/documentation/videos/index/?services=api-management) about API Management. * For other ways to secure your back-end service, see [Mutual Certificate authentication](api-management-howto-mutual-certificates.md). * [Create an API Management service instance](get-started-create-service-instance.md). |
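Review bot: The unchanged context line giving the authority template, `https://{b2ctenantname}.b2clogin.com/tfp/{b2ctenantname}.onmicrosoft.com}/{signupandsigninpolicyname}`, has a stray `}` after `onmicrosoft.com`; the worked value on the same line, `https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/Frontendapp_signupandsignin`, shows the intended form, and anyone who copies the template rather than the example will get an invalid authority in their MSAL config. Separately, in the tutorial's bullet list, "Microsoft identity platform Libraries (MSAL.js)" should lowercase "Libraries".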
api-management | Mitigate Owasp Api Threats | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mitigate-owasp-api-threats.md | Use API Management for user authentication and authorization: * [Client certificate](authentication-certificate-policy.md) policy - Using client certificates is more secure than basic credentials or subscription key, but it doesn't allow the flexibility provided by token-based authorization protocols such as OAuth 2.0. -* **Authorization** - API Management supports a [validate JWT](validate-jwt-policy.md) policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint. Configure the policy to check relevant token claims, audience, and expiration time. Learn more about protecting an API using [OAuth 2.0 authorization and Azure Active Directory](api-management-howto-protect-backend-with-aad.md). +* **Authorization** - API Management supports a [validate JWT](validate-jwt-policy.md) policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint. Configure the policy to check relevant token claims, audience, and expiration time. Learn more about protecting an API using [OAuth 2.0 authorization and Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md). More recommendations: More recommendations: * APIs should use TLS/SSL (transport security) to protect the credentials or tokens. Credentials and tokens should be sent in request headers and not as query parameters. -* In the API Management [developer portal](api-management-howto-developer-portal.md), configure [Azure Active Directory](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) as the identity provider to increase the account security. The developer portal uses CAPTCHA to mitigate brute force attacks. 
+* In the API Management [developer portal](api-management-howto-developer-portal.md), configure [Microsoft Entra ID](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) as the identity provider to increase the account security. The developer portal uses CAPTCHA to mitigate brute force attacks. ### Related information More information about this threat: [API7:2019 Security misconfiguration](https: * If you choose to [self-host](developer-portal-self-host.md) the developer portal, ensure there's a process in place to periodically update the self-hosted portal to the latest version. Updates for the default managed version are automatic. - * Use [Azure Active Directory (Azure AD)](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) for user sign-up and sign-in. Disable the default username and password authentication, which is less secure. + * Use [Microsoft Entra ID](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) for user sign-up and sign-in. Disable the default username and password authentication, which is less secure. * Assign [user groups](api-management-howto-create-groups.md#-associate-a-group-with-a-product) to products, to control the visibility of APIs in the portal. |
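Review bot: In the renamed developer-portal bullet, "to increase the account security" should drop the article ("to increase account security"), and "brute force attacks" should be hyphenated as "brute-force attacks" since it is used as a compound modifier. The rename of the self-host recommendation from "Azure Active Directory (Azure AD)" to "Microsoft Entra ID" is otherwise consistent with the rest of the article.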
api-management | Protect With Ddos Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/protect-with-ddos-protection.md | Enabling Azure DDoS Protection for API Management is supported only for instance > [!NOTE] > If the instance is hosted on the `stv1` platform, you must [migrate](compute-infrastructure.md#how-do-i-migrate-to-the-stv2-platform) to the `stv2` platform. * An Azure DDoS Protection [plan](../ddos-protection/manage-ddos-protection.md)- * The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Azure Active Directory tenant. + * The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Microsoft Entra tenant. * You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU (preview). See [Azure DDoS Protection SKU Comparison](../ddos-protection/ddos-protection-sku-comparison.md). > [!NOTE] |
api-management | Secure Developer Portal Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/secure-developer-portal-access.md | Title: Secure access to developer portal -description: Learn about options to secure access to the API Management developer portal, including Azure AD, Azure AD B2C, and basic authentication +description: Learn about options to secure access to the API Management developer portal, including Microsoft Entra ID, Azure AD B2C, and basic authentication API Management has a fully customizable, standalone, managed [developer portal]( For steps to enable Azure AD B2C authentication in the developer portal, see [How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md). -* **Internal users** - The preferred option when the developer portal is consumed internally is to leverage your corporate Azure AD. Azure AD provides a seamless single sign-on (SSO) experience for corporate users who need to access and discover APIs through the developer portal. +* **Internal users** - The preferred option when the developer portal is consumed internally is to leverage your corporate Microsoft Entra ID. Microsoft Entra ID provides a seamless single sign-on (SSO) experience for corporate users who need to access and discover APIs through the developer portal. - For steps to enable Azure AD authentication in the developer portal, see [How to authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md). + For steps to enable Microsoft Entra authentication in the developer portal, see [How to authorize developer accounts by using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md). 
* **Basic authentication** - A default option is to use the built-in developer portal [username and password](developer-portal-basic-authentication.md) provider, which allows developers to register directly in API Management and sign in using API Management user accounts. User sign up through this option is protected by a CAPTCHA service. If the API exposed through Azure API Management is secured with OAuth 2.0 - that To enable the test console to acquire a valid OAuth 2.0 token for API testing: -1. Add an OAuth 2.0 user authorization server to your instance. You can use any OAuth 2.0 provider, including Azure AD, Azure AD B2C, or a third-party identity provider. +1. Add an OAuth 2.0 user authorization server to your instance. You can use any OAuth 2.0 provider, including Microsoft Entra ID, Azure AD B2C, or a third-party identity provider. 2. Then, configure the API with settings for that authorization server. In the portal, configure OAuth 2.0 authorization on the API's **Settings** page > **Security** > **User authorization**. Different authentication and authorization options apply to different scenarios. ### Scenario 1 - Intranet API and applications * An API Management contributor and backend API developer wants to publish an API that is secured by OAuth 2.0. -* The API will be consumed by desktop applications whose users sign in using SSO through Azure AD. +* The API will be consumed by desktop applications whose users sign in using SSO through Microsoft Entra ID. * The desktop application developers also need to discover and test the APIs via the API Management developer portal. Key configurations: Key configurations: |Configuration |Reference | |||-| Authorize developer users of the API Management developer portal using their corporate identities and Azure AD. 
| [Authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md) | +| Authorize developer users of the API Management developer portal using their corporate identities and Microsoft Entra ID. | [Authorize developer accounts by using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md) | |Set up the test console in the developer portal to obtain a valid OAuth 2.0 token for the desktop app developers to exercise the backend API. <br/><br/>The same configuration can be used for the test console in the Azure portal, which is accessible to the API Management contributors and backend developers. <br/><br/>The token could be used in combination with an API Management subscription key. | [How to authorize test console of developer portal by configuring OAuth 2.0 user authorization](api-management-howto-oauth2.md)<br/><br/>[Subscriptions in Azure API Management](api-management-subscriptions.md) | | Validate the OAuth 2.0 token and claims when an API is called through API Management with an access token. | [Validate JWT policy](validate-jwt-policy.md) | Go a step further with this scenario by moving API Management into the network p * An API Management contributor and backend API developer wants to undertake a rapid proof-of-concept to expose a legacy API through Azure API Management. The API through API Management will be externally (internet) facing. * The API uses client certificate authentication and will be consumed by a new public-facing single-page app (SPA) being developed offshore by a partner. -* The SPA uses OAuth 2.0 with Open ID Connect (OIDC). +* The SPA uses OAuth 2.0 with OpenID Connect (OIDC). * Application developers will access the API in a test environment through the developer portal, using a test backend endpoint to accelerate frontend development. 
Key configurations: Key configurations: | Validate the OAuth 2.0 token and claims when the SPA calls API Management with an access token. In this case, the audience is API Management. | [Validate JWT policy](validate-jwt-policy.md) | | Set up API Management to use client certificate authentication to the backend. | [Secure backend services using client certificate authentication in Azure API Management](api-management-howto-mutual-certificates.md) | -Go a step further with this scenario by using the [developer portal with Azure AD authorization](api-management-howto-aad.md) and Azure AD [B2B collaboration](../active-directory/external-identities/what-is-b2b.md) to allow the delivery partners to collaborate more closely. Consider delegating access to API Management through RBAC in a development or test environment and enable SSO into the developer portal using their own corporate credentials. +Go a step further with this scenario by using the [developer portal with Microsoft Entra authorization](api-management-howto-aad.md) and Microsoft Entra [B2B collaboration](../active-directory/external-identities/what-is-b2b.md) to allow the delivery partners to collaborate more closely. Consider delegating access to API Management through RBAC in a development or test environment and enable SSO into the developer portal using their own corporate credentials. ### Scenario 3 - External API, SaaS, open to the public |
api-management | Self Hosted Gateway Enable Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-azure-ad.md | Title: Azure API Management self-hosted gateway - Azure AD authentication -description: Enable the Azure API Management self-hosted gateway to authenticate with its associated cloud-based API Management instance using Azure Active Directory authentication. + Title: Azure API Management self-hosted gateway - Microsoft Entra authentication +description: Enable the Azure API Management self-hosted gateway to authenticate with its associated cloud-based API Management instance using Microsoft Entra authentication. Last updated 05/22/2023 -# Use Azure AD authentication for the self-hosted gateway +# Use Microsoft Entra authentication for the self-hosted gateway The Azure API Management [self-hosted gateway](self-hosted-gateway-overview.md) needs connectivity with its associated cloud-based API Management instance for reporting status, checking for and applying configuration updates, and sending metrics and events. -In addition to using a gateway access token (authentication key) to connect with its cloud-based API Management instance, you can enable the self-hosted gateway to authenticate to its associated cloud instance by using an [Azure AD app](../active-directory/develop/app-objects-and-service-principals.md). With Azure AD authentication, you can configure longer expiry times for secrets and use standard steps to manage and rotate secrets in Active Directory. +In addition to using a gateway access token (authentication key) to connect with its cloud-based API Management instance, you can enable the self-hosted gateway to authenticate to its associated cloud instance by using an [Microsoft Entra app](../active-directory/develop/app-objects-and-service-principals.md). 
With Microsoft Entra authentication, you can configure longer expiry times for secrets and use standard steps to manage and rotate secrets in Active Directory. ## Scenario overview -The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create an Azure AD app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app. +The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create a Microsoft Entra app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app. -To enable Azure AD authentication, complete the following steps: +To enable Microsoft Entra authentication, complete the following steps: 1. Create two custom roles to: * Let the configuration API get access to customer's RBAC information * Grant permissions to read self-hosted gateway configuration 1. Grant RBAC access to the API Management instance's managed identity -1. Create an Azure AD app and grant it access to read the gateway configuration +1. Create a Microsoft Entra app and grant it access to read the gateway configuration 1. Deploy the gateway with new configuration options ## Prerequisites Assign the API Management Configuration API Access Validator Service Role to the ### Assign API Management Gateway Configuration Reader Role -#### Step 1: Register Azure AD app +<a name='step-1-register-azure-ad-app'></a> -Create a new Azure AD app. For steps, see [Create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This app will be used by the self-hosted gateway to authenticate to the API Management instance. +#### Step 1: Register Microsoft Entra app ++Create a new Microsoft Entra app. 
For steps, see [Create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This app will be used by the self-hosted gateway to authenticate to the API Management instance. * Generate a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret) * Take note of the following application values for use in the next section when deploying the self-hosted gateway: application (client) ID, directory (tenant) ID, and client secret Create a new Azure AD app. For steps, see [Create an Azure Active Directory appl * Scope: The API Management instance (or resource group or subscription in which it's deployed) * Role: API Management Gateway Configuration Reader Role-* Assign access to: Azure AD app +* Assign access to: Microsoft Entra app ## Deploy the self-hosted gateway -Deploy the self-hosted gateway to Kubernetes, adding Azure AD app registration settings to the `data` element of the gateways `ConfigMap`. In the following example YAML configuration file, the gateway is named *mygw* and the file is named `mygw.yaml`. +Deploy the self-hosted gateway to Kubernetes, adding Microsoft Entra app registration settings to the `data` element of the gateways `ConfigMap`. In the following example YAML configuration file, the gateway is named *mygw* and the file is named `mygw.yaml`. > [!IMPORTANT] > If you're following the existing Kubernetes [deployment guidance](how-to-deploy-self-hosted-gateway-kubernetes.md): > * Make sure to omit the step to store the default authentication key using the `kubectl create secret generic` command. -> * Substitute the following basic configuration file for the default YAML file that's generated for you in the Azure portal. The following file adds Azure AD configuration in place of configuration to use an authentication key. 
+> * Substitute the following basic configuration file for the default YAML file that's generated for you in the Azure portal. The following file adds Microsoft Entra configuration in place of configuration to use an authentication key. ```yml |
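Review bot: the added intro paragraph has an article error and an incomplete rename. "by using an [Microsoft Entra app](...)" should read "by using a [Microsoft Entra app](...)", and the sentence that follows it still says "manage and rotate secrets in Active Directory" even though every other occurrence in this hunk was changed to Microsoft Entra; suggest "manage and rotate secrets in Microsoft Entra ID" for consistency. In the deployment section, the rewritten line "adding Microsoft Entra app registration settings to the `data` element of the gateways `ConfigMap`" needs the possessive "gateway's `ConfigMap`".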
api-management | Self Hosted Gateway Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-overview.md | To operate properly, each self-hosted gateway needs outbound connectivity on por | Hostname of Azure Blob Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) | | Hostname of Azure Table Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) | | Endpoints for Azure Resource Manager | ✔️ | Optional<sup>3</sup> | Required endpoints are `management.azure.com`. |-| Endpoints for Azure Active Directory integration | ✔️ | Optional<sup>4</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. | +| Endpoints for Microsoft Entra integration | ✔️ | Optional<sup>4</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. 
| | Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](../azure-monitor/app/ip-addresses.md#outgoing-ports) | | Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) | | Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | This requirement depends on the external cache that is being used | <sup>1</sup>For an API Management instance in an internal virtual network, enable private connectivity to the v2 configuration endpoint from the location of the self-hosted gateway, for example, using a private DNS in a peered network.<br/> <sup>2</sup>Only required in v2 when API inspector or quotas are used in policies.<br/>-<sup>3</sup>Only required when using Azure AD authentication to verify RBAC permissions.<br/> -<sup>4</sup>Only required when using Azure AD authentication or Azure AD-related policies.<br/> +<sup>3</sup>Only required when using Microsoft Entra authentication to verify RBAC permissions.<br/> +<sup>4</sup>Only required when using Microsoft Entra authentication or Microsoft Entra related policies.<br/> <sup>5</sup>Only required when feature is used and requires public IP address, port, and hostname information.<br/> > [!IMPORTANT] To authenticate the connection between the self-hosted gateway and the cloud-bas |Option |Considerations | |||-| [Azure Active Directory authentication](self-hosted-gateway-enable-azure-ad.md) | Configure one or more Azure AD apps for access to gateway<br/><br/>Manage access separately per 
app<br/><br/>Configure longer expiry times for secrets in accordance with your organization's policies<br/><br/>Use standard Azure AD procedures to assign or revoke user or group permissions to app and to rotate secrets<br/><br/> | +| [Microsoft Entra authentication](self-hosted-gateway-enable-azure-ad.md) | Configure one or more Microsoft Entra apps for access to gateway<br/><br/>Manage access separately per app<br/><br/>Configure longer expiry times for secrets in accordance with your organization's policies<br/><br/>Use standard Microsoft Entra procedures to assign or revoke user or group permissions to app and to rotate secrets<br/><br/> | | Gateway access token (also called authentication key) | Token expires every 30 days at maximum and must be renewed in the containers<br/><br/>Backed by a gateway key that can be rotated independently (for example, to revoke access) <br/><br/>Regenerating gateway key invalidates all access tokens created with it | ### Connectivity failures |
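Review bot: footnote 4 in the rewritten table loses the hyphen that the original "Azure AD-related policies" had; "Microsoft Entra authentication or Microsoft Entra related policies" should be "Microsoft Entra authentication or Microsoft Entra-related policies" so the compound modifier is unambiguous.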
api-management | Self Hosted Gateway Settings Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-settings-reference.md | Here is an overview of all configuration options: | Name | Description | Required | Default | Availability | |-||-|-|-|-| gateway.name | Id of the self-hosted gateway resource. | Yes, when using Azure AD authentication | N/A | v2.3+ | +| gateway.name | Id of the self-hosted gateway resource. | Yes, when using Microsoft Entra authentication | N/A | v2.3+ | | config.service.endpoint | Configuration endpoint in Azure API Management for the self-hosted gateway. Find this value in the Azure portal under **Gateways** > **Deployment**. | Yes | N/A | v2.0+ |-| config.service.auth | Defines how the self-hosted gateway should authenticate to the Configuration API. Currently gateway token and Azure AD authentication are supported. | Yes | N/A | v2.0+ | -| config.service.auth.azureAd.tenantId | ID of the Azure AD tenant. | Yes, when using Azure AD authentication | N/A | v2.3+ | -| config.service.auth.azureAd.clientId | Client ID of the Azure AD app to authenticate with (also known as application ID). | Yes, when using Azure AD authentication | N/A | v2.3+ | -| config.service.auth.azureAd.clientSecret | Secret of the Azure AD app to authenticate with. | Yes, when using Azure AD authentication (unless certificate is specified) | N/A | v2.3+ | -| config.service.auth.azureAd.certificatePath | Path to certificate to authenticate with for the Azure AD app. | Yes, when using Azure AD authentication (unless secret is specified) | N/A | v2.3+ | -| config.service.auth.azureAd.authority | Authority URL of Azure AD. 
| No | `https://login.microsoftonline.com` | v2.3+ | -| config.service.auth.tokenAudience | Audience of token used for Azure AD authentication | No | `https://azure-api.net/configuration` | v2.3+ | +| config.service.auth | Defines how the self-hosted gateway should authenticate to the Configuration API. Currently gateway token and Microsoft Entra authentication are supported. | Yes | N/A | v2.0+ | +| config.service.auth.azureAd.tenantId | ID of the Microsoft Entra tenant. | Yes, when using Microsoft Entra authentication | N/A | v2.3+ | +| config.service.auth.azureAd.clientId | Client ID of the Microsoft Entra app to authenticate with (also known as application ID). | Yes, when using Microsoft Entra authentication | N/A | v2.3+ | +| config.service.auth.azureAd.clientSecret | Secret of the Microsoft Entra app to authenticate with. | Yes, when using Microsoft Entra authentication (unless certificate is specified) | N/A | v2.3+ | +| config.service.auth.azureAd.certificatePath | Path to certificate to authenticate with for the Microsoft Entra app. | Yes, when using Microsoft Entra authentication (unless secret is specified) | N/A | v2.3+ | +| config.service.auth.azureAd.authority | Authority URL of Microsoft Entra ID. | No | `https://login.microsoftonline.com` | v2.3+ | +| config.service.auth.tokenAudience | Audience of token used for Microsoft Entra authentication | No | `https://azure-api.net/configuration` | v2.3+ | | config.service.endpoint.disableCertificateValidation | Defines if the self-hosted gateway should validate the server-side certificate of the Configuration API. It is recommended to use certificate validation, only disable for testing purposes and with caution as it can introduce security risk. | No | `false` | v2.0+ | | config.service.integration.timeout | Defines the timeout for interacting with the Configuration API. 
| No | `00:01:40` | v2.3.5+ | The self-hosted gateway provides support for a few authentication options to int This guidance helps you provide the required information to define how to authenticate: - For gateway token-based authentication, specify an access token (authentication key) of the self-hosted gateway in the Azure portal under **Gateways** > **Deployment**.-- For Azure AD-based authentication, specify `azureAdApp` and provide the additional `config.service.auth.azureAd` authentication settings.+- For Microsoft Entra ID-based authentication, specify `azureAdApp` and provide the additional `config.service.auth.azureAd` authentication settings. ## Cross-instance discovery & synchronization |
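Review bot: the rewritten `gateway.name` row still says "Id of the self-hosted gateway resource" while the neighbouring rows added in the same hunk use "ID of the Microsoft Entra tenant" and "Client ID of the Microsoft Entra app"; since the row is being rewritten anyway, suggest capitalising to "ID" for consistency across the settings table.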
api-management | Self Hosted Gateway Support Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-support-policies.md | The following table shows Microsoft's responsibilities, shared responsibilities, |Microsoft Azure |Shared responsibilities |Customers | ||||-|▪️ **Configuration endpoint (management plane)** - The self-hosted gateway depends on a configuration endpoint that provides the configuration, APIs, hostnames, and policy information. This configuration endpoint is part of the management plane of every API Management service.<br/><br/>▪️ **Gateway container image maintenance and updates** - Bug fixes, patches, performance improvements, and new features in the self-hosted gateway [container image](self-hosted-gateway-overview.md#packaging). |▪ **Securing self-hosted gateway communication with configuration endpoint** - The communication between the self-hosted gateway and the configuration endpoint can be secured by two mechanisms: either an access token that expires automatically every 30 days and needs to be updated for the running containers; or authentication with Azure Active Directory, which doesn't require token refresh.<br/><br/> ▪ **Keeping the gateway up to date** - The customer oversees regularly updating the gateway to the latest version and latest features. And Microsoft will provide updated images with new features, bug fixes, and patches. 
| ▪ **Gateway hosting** - Deploying and operating the gateway infrastructure: virtual machines with container runtime and/or Kubernetes cluster.<br/><br/>▪ **Network configuration** - Necessary to maintain management plane connectivity and API access.<br/><br/> ▪ **Gateway SLA** - Capacity management, scaling, and uptime.<br/><br/> ▪ **Providing diagnostics data to support** - Collecting and sharing diagnostics data with support engineers.<br/><br/>▪ **Third party OSS (open-source software) software components** - Combining the self-hosted gateway with other software like Prometheus, Grafana, service meshes, container runtimes, Kubernetes distributions, and proxies are the customer's responsibility. | +|▪️ **Configuration endpoint (management plane)** - The self-hosted gateway depends on a configuration endpoint that provides the configuration, APIs, hostnames, and policy information. This configuration endpoint is part of the management plane of every API Management service.<br/><br/>▪️ **Gateway container image maintenance and updates** - Bug fixes, patches, performance improvements, and new features in the self-hosted gateway [container image](self-hosted-gateway-overview.md#packaging). |▪ **Securing self-hosted gateway communication with configuration endpoint** - The communication between the self-hosted gateway and the configuration endpoint can be secured by two mechanisms: either an access token that expires automatically every 30 days and needs to be updated for the running containers; or authentication with Microsoft Entra ID, which doesn't require token refresh.<br/><br/> ▪ **Keeping the gateway up to date** - The customer oversees regularly updating the gateway to the latest version and latest features. And Microsoft will provide updated images with new features, bug fixes, and patches. 
| ▪ **Gateway hosting** - Deploying and operating the gateway infrastructure: virtual machines with container runtime and/or Kubernetes cluster.<br/><br/>▪ **Network configuration** - Necessary to maintain management plane connectivity and API access.<br/><br/> ▪ **Gateway SLA** - Capacity management, scaling, and uptime.<br/><br/> ▪ **Providing diagnostics data to support** - Collecting and sharing diagnostics data with support engineers.<br/><br/>▪ **Third party OSS (open-source software) software components** - Combining the self-hosted gateway with other software like Prometheus, Grafana, service meshes, container runtimes, Kubernetes distributions, and proxies are the customer's responsibility. | ## Self-hosted gateway container image support coverage |
api-management | Soft Delete | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/soft-delete.md | You **can't** reuse the name of an API Management instance in a new deployment: * While the instance is soft-deleted. -* In a subscription other than the one used to deploy the original instance, even after the original instance has been permanently deleted (purged) from Azure. This restriction applies whether the new subscription used is in the same or a different Azure Active Directory tenant. The restriction is in effect for several days or longer after deletion, depending on the subscription type. +* In a subscription other than the one used to deploy the original instance, even after the original instance has been permanently deleted (purged) from Azure. This restriction applies whether the new subscription used is in the same or a different Microsoft Entra tenant. The restriction is in effect for several days or longer after deletion, depending on the subscription type. - This restriction is because Azure reserves the service host name to a customer's tenant for a reservation period to prevent the threat of subdomain takeover with dangling DNS entries. For more information, see [Prevent dangling DNS entries and avoid subdomain takeover](/azure/security/fundamentals/subdomain-takeover). To see all dangling DNS entries for subscriptions in an Azure AD tenant, see [Identify dangling DNS entries](/azure/security/fundamentals/subdomain-takeover#identify-dangling-dns-entries). + This restriction is because Azure reserves the service host name to a customer's tenant for a reservation period to prevent the threat of subdomain takeover with dangling DNS entries. For more information, see [Prevent dangling DNS entries and avoid subdomain takeover](/azure/security/fundamentals/subdomain-takeover). 
To see all dangling DNS entries for subscriptions in a Microsoft Entra tenant, see [Identify dangling DNS entries](/azure/security/fundamentals/subdomain-takeover#identify-dangling-dns-entries). ## Next steps |
api-management | Sql Data Source Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/sql-data-source-policy.md | The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request |Element|Description|Required| |-|--|--|-| [connection-string](#connection-string-attributes) | Specifies the Azure SQL connection string. The connection string uses either SQL authentication (username and password) or Azure AD authentication if an API Management managed identity is configured. | Yes | +| [connection-string](#connection-string-attributes) | Specifies the Azure SQL connection string. The connection string uses either SQL authentication (username and password) or Microsoft Entra authentication if an API Management managed identity is configured. | Yes | | [include-fragment](include-fragment-policy.md) | Inserts a policy fragment in the policy definition. If there are multiple fragments, then add additional `include-fragment` elements. | No | | [authentication-certificate](authentication-certificate-policy.md) | Authenticates using a client certificate in the resolver's SQL request. | No | The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request ## Configure managed identity integration with Azure SQL -You can configure an API Management system-assigned managed identity for access to Azure SQL instead of configuring SQL authentication with username and password. For background, see [Configure and manage Azure AD authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure). +You can configure an API Management system-assigned managed identity for access to Azure SQL instead of configuring SQL authentication with username and password. For background, see [Configure and manage Microsoft Entra authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure). 
### Prerequisites * Enable a system-assigned [managed identity](api-management-howto-use-managed-service-identity.md) in your API Management instance. -### Enable Azure AD access +<a name='enable-azure-ad-access'></a> -Enable Azure Active Directory authentication to SQL Database by assigning an Azure AD user as the admin of the server. +### Enable Microsoft Entra ID access ++Enable Microsoft Entra authentication to SQL Database by assigning a Microsoft Entra user as the admin of the server. 1. In the [portal](https://portal.azure.com), go to your Azure SQL server. -1. Select **Azure Active Directory**. +1. Select **Microsoft Entra ID**. 1. Select **Set admin** and select yourself or a group to which you belong. 1. Select **Save**. The following example resolves a GraphQL mutation using a T-SQL INSERT statement * [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies) |
api-management | Validate Azure Ad Token Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-azure-ad-token-policy.md | Last updated 12/08/2022 -# Validate Azure Active Directory token +# Validate Microsoft Entra token -The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Azure Active Directory service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable. +The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable. > [!NOTE] > To validate a JWT that was provided by another identity provider, API Management also provides the generic [`validate-jwt`](validate-jwt-policy.md) policy. The `validate-azure-ad-token` policy enforces the existence and validity of a JS | Attribute | Description | Required | Default | | - | | -- | |-| tenant-id | Tenant ID or URL of the Azure Active Directory service. Policy expressons are allowed.| Yes | N/A | +| tenant-id | Tenant ID or URL of the Microsoft Entra service. Policy expressons are allowed.| Yes | N/A | | header-name | The name of the HTTP header holding the token. Policy expressions are allowed. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | `Authorization` | | query-parameter-name | The name of the query parameter holding the token. Policy expressions are allowed. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A | | token-value | Expression returning a string containing the token. 
You must not return `Bearer` as part of the token value. Policy expressions are allowed. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A | The `validate-azure-ad-token` policy enforces the existence and validity of a JS ### Usage notes -* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Azure AD authentication by applying the `validate-azure-ad-token` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control. +* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Microsoft Entra authentication by applying the `validate-azure-ad-token` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control. * When using a custom header (`header-name`), the header value cannot be prefixed with `Bearer ` and should be removed. ## Examples ### Simple token validation -The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Azure AD tenant ID and client application ID are provided using named values. +The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Microsoft Entra tenant ID and client application ID are provided using named values. ```xml <validate-azure-ad-token tenant-id="{{aad-tenant-id}}"> The following policy is the minimal form of the `validate-azure-ad-token` policy ### Validate that audience and claim are correct -The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. 
The hostname is provided using a policy expression, and the Azure AD tenant ID and client application ID are provided using named values. The decoded JWT is provided in the `jwt` variable after validation. +The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The hostname is provided using a policy expression, and the Microsoft Entra tenant ID and client application ID are provided using named values. The decoded JWT is provided in the `jwt` variable after validation. For more details on optional claims, read [Provide optional claims to your app](../active-directory/develop/active-directory-optional-claims.md). For more details on optional claims, read [Provide optional claims to your app]( [!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]- |
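Review bot: the rewritten `tenant-id` attribute row carries the original typo forward ("Policy expressons are allowed."); since that line is already being touched for the rename, correct it to "Policy expressions are allowed." in the same commit. The same row also says "the Microsoft Entra service" while the sibling validate-jwt change uses "Microsoft Entra ID"; pick one form for the product name across the two policy pages.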
api-management | Validate Jwt Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-jwt-policy.md | -> To validate a JWT that was provided by the Azure Active Directory service, API Management also provides the [`validate-azure-ad-token`](validate-azure-ad-token-policy.md) policy. +> To validate a JWT that was provided by the Microsoft Entra service, API Management also provides the [`validate-azure-ad-token`](validate-azure-ad-token-policy.md) policy. [!INCLUDE [api-management-policy-form-alert](../../includes/api-management-policy-form-alert.md)] The `validate-jwt` policy enforces existence and validity of a supported JSON we | Element | Description | Required | | - | -- | -- |-| openid-config |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice. <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. 
<br/><br/>For Azure Active Directory use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- (v2) `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/> - (v2 multitenant) ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- (v1) `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/><br/> substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. | No | +| openid-config |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice. <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Microsoft Entra ID use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- (v2) `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/> - (v2 multitenant) ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- (v1) `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/><br/> substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. 
| No | | issuer-signing-keys | A list of Base64-encoded security keys, in [`key`](#key-attributes) subelements, used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or one succeeds (useful for token rollover). <br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To validate an RS256 signed token, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the RS256 signing key-in Base64url-encoded format. | No | | decryption-keys | A list of Base64-encoded keys, in [`key`](#key-attributes) subelements, used to decrypt the tokens. If multiple security keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To decrypt an RS256 signed token, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management. | No | | audiences | A list of acceptable audience claims, in `audience` subelements, that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified. | No | The `validate-jwt` policy enforces existence and validity of a supported JSON we * **RS256** - the key may be provided either via an OpenID configuration endpoint, or by providing the ID of an uploaded certificate (in PFX format) that contains the public key, or the modulus-exponent pair of the public key. * The policy supports tokens encrypted with symmetric keys using the following encryption algorithms: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512. 
* To configure the policy with one or more OpenID configuration endpoints for use with a self-hosted gateway, the OpenID configuration endpoints URLs must also be reachable by the cloud gateway.-* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Azure AD authentication by applying the `validate-jwt` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control. +* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Microsoft Entra authentication by applying the `validate-jwt` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control. * When using a custom header (`header-name`), the header value cannot be prefixed with `Bearer ` and should be removed. The `validate-jwt` policy enforces existence and validity of a supported JSON we </validate-jwt> ``` -### Azure Active Directory token validation +<a name='azure-active-directory-token-validation'></a> ++### Microsoft Entra token validation ```xml <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid."> |
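Review bot: the rewritten `openid-config` row keeps a leading space inside the code span for the multitenant metadata URL (` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`), which a reader copying the value will paste into the policy; drop the space while the line is being edited. The same row still reads "security key-in Base64url-encoded format" (issuer-signing-keys), where the hyphen should be a space.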
api-management | Virtual Network Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-reference.md | When an API Management service instance is hosted in a VNet, the ports in the fo | * / [80], 443 | Inbound | TCP | Internet / VirtualNetwork | **Client communication to API Management** | External only | | * / 3443 | Inbound | TCP | ApiManagement / VirtualNetwork | **Management endpoint for Azure portal and PowerShell** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / Storage | **Dependency on Azure Storage** | External & Internal |-| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal | +| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Microsoft Entra ID](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / AzureConnectors | [Authorizations](authorizations-overview.md) dependency (optional) | External & Internal | | * / 1433 | Outbound | TCP | VirtualNetwork / Sql | **Access to Azure SQL endpoints** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / AzureKeyVault | **Access to Azure Key Vault** | External & Internal | When an API Management service instance is hosted in a VNet, the ports in the fo | * / [80], 443 | Inbound | TCP | Internet / VirtualNetwork | **Client communication to API Management** | External only | | * / 3443 | Inbound | TCP | ApiManagement / VirtualNetwork | **Management endpoint for Azure portal and PowerShell** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / Storage | **Dependency on Azure Storage** | External & Internal |-| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | 
External & Internal | +| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Microsoft Entra ID](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / AzureKeyVault | Access to Azure Key Vault for [named values](api-management-howto-properties.md) integration (optional) | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / AzureConnectors | [Authorizations](authorizations-overview.md) dependency (optional) | External & Internal | | * / 1433 | Outbound | TCP | VirtualNetwork / Sql | **Access to Azure SQL endpoints** | External & Internal | To enable TLS/SSL certificate chain building and validation, the API Management Outbound access on port `53` is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management. -## Azure Active Directory integration +<a name='azure-active-directory-integration'></a> -To operate properly, the API Management service needs outbound connectivity on port 443 to the following endpoints associated with Azure Active Directory: `<region>.login.microsoft.com` and `login.microsoftonline.com`. +## Microsoft Entra integration ++To operate properly, the API Management service needs outbound connectivity on port 443 to the following endpoints associated with Microsoft Entra ID: `<region>.login.microsoft.com` and `login.microsoftonline.com`. ## Metrics and health monitoring |
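Review bot: the two firewall rows rename only the link text while the service tag column correctly stays `AzureActiveDirectory`; add a short sentence in the Microsoft Entra integration section saying that the NSG service tag name is unchanged by the rebrand, so readers do not go looking for a "MicrosoftEntra" tag when writing rules for the port 443 outbound dependency.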
api-management | Visualize Using Managed Grafana Dashboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/visualize-using-managed-grafana-dashboard.md | You can use [Azure Managed Grafana](../managed-grafana/index.yml) to visualize A * The Managed Grafana instance must be in the same subscription as the API Management instance. - * When created, the Grafana workspace is automatically assigned an Azure Active Directory managed identity, which is assigned the Monitor Reader role on the subscription. This gives you immediate access to Azure Monitor from the new Grafana workspace without needing to set permissions manually. Learn more about [configuring data sources](../managed-grafan) for Managed Grafana. + * When created, the Grafana workspace is automatically assigned a Microsoft Entra managed identity, which is assigned the Monitor Reader role on the subscription. This gives you immediate access to Azure Monitor from the new Grafana workspace without needing to set permissions manually. Learn more about [configuring data sources](../managed-grafan) for Managed Grafana. ## Import API Management dashboard Review the default visualizations on the dashboard, which will appear similar to * For more information about managing your Grafana dashboard, see the [Grafana docs](https://grafana.com/docs/grafana/v9.0/dashboards/). * Easily pin log queries and charts from the Azure portal to your Managed Grafana dashboard. For more information, see [Monitor your Azure services in Grafana](../azure-monitor/visualize/grafana-plugin.md#pin-charts-from-the-azure-portal-to-azure-managed-grafana).---- |
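Review bot: the rewritten bullet keeps the link target `(../managed-grafan)`, which has no file name or anchor and looks truncated; verify the target resolves before merging, since it is the only pointer to the data source configuration that grants the Monitor Reader identity its access.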
api-management | Workspaces Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/workspaces-overview.md | Azure RBAC is used to configure workspace collaborators' permissions to read and Workspace members must be assigned both a service-scoped role and a workspace-scoped role, or granted equivalent permissions using custom roles. The service-scoped role enables referencing service-level resources from workspace-level resources. For example, publish an API from a workspace with a service-level product, assign a service-level tag to an API, or organize a user into a workspace-level group to control API and product visibility. > [!NOTE]-> For easier management, set up Azure AD groups to assign workspace permissions to multiple users. +> For easier management, set up Microsoft Entra groups to assign workspace permissions to multiple users. > ## Workspaces and other API Management features All resources in an API Management service need to have unique names, even if th ## Next steps -* [Create a workspace](how-to-create-workspace.md) +* [Create a workspace](how-to-create-workspace.md) |
app-service | Configure Authentication Api Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-api-version.md | There are two versions of the management API for App Service authentication. The > [!WARNING] > Migration to V2 will disable management of the App Service Authentication/Authorization feature for your application through some clients, such as its existing experience in the Azure portal, Azure CLI, and Azure PowerShell. This cannot be reversed. -The V2 API doesn't support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it uses the converged [Microsoft identity platform](../active-directory/develop/v2-overview.md) to sign-in users with both Azure AD and personal Microsoft accounts. When switching to the V2 API, the V1 Azure Active Directory (Azure AD) configuration is used to configure the Microsoft identity platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but you should move to the newer Microsoft Identity Platform model. See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more. +The V2 API doesn't support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it uses the converged [Microsoft identity platform](../active-directory/develop/v2-overview.md) to sign-in users with both Microsoft Entra ID and personal Microsoft accounts. When switching to the V2 API, the V1 Microsoft Entra configuration is used to configure the Microsoft identity platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but you should move to the newer Microsoft identity platform model. 
See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more. The automated migration process will move provider secrets into application settings and then convert the rest of the configuration into the new format. To use the automatic migration: The following steps will allow you to manually migrate the application to the V2 In the resulting JSON payload, make note of the secret value used for each provider you've configured: - * Azure AD: `clientSecret` + * Microsoft Entra ID: `clientSecret` * Google: `googleClientSecret` * Facebook: `facebookAppSecret` * Twitter: `twitterConsumerSecret` The following steps will allow you to manually migrate the application to the V2 1. Add a property to `authsettings.json` that points to the application setting name you created earlier for each provider: - * Azure AD: `clientSecretSettingName` + * Microsoft Entra ID: `clientSecretSettingName` * Google: `googleClientSecretSettingName` * Facebook: `facebookAppSecretSettingName` * Twitter: `twitterConsumerSecretSettingName` * Microsoft Account: `microsoftAccountClientSecretSettingName` - An example file after this operation might look similar to the following, in this case only configured for Azure AD: + An example file after this operation might look similar to the following, in this case only configured for Microsoft Entra ID: ```json { You've now migrated the app to store identity provider secrets as application se #### Support for Microsoft Account provider registrations -If your existing configuration contains a Microsoft Account provider and doesn't contain an Azure AD provider, you can switch the configuration over to the Azure AD provider and then perform the migration. To do this: +If your existing configuration contains a Microsoft Account provider and doesn't contain a Microsoft Entra provider, you can switch the configuration over to the Microsoft Entra provider and then perform the migration. 
To do this: 1. Go to [**App registrations**](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal and find the registration associated with your Microsoft Account provider. It may be under the "Applications from personal account" heading. 1. Navigate to the "Authentication" page for the registration. Under "Redirect URIs", you should see an entry ending in `/.auth/login/microsoftaccount/callback`. Copy this URI. 1. Add a new URI that matches the one you just copied, except instead have it end in `/.auth/login/aad/callback`. This will allow the registration to be used by the App Service Authentication / Authorization configuration. 1. Navigate to the App Service Authentication / Authorization configuration for your app. 1. Collect the configuration for the Microsoft Account provider.-1. Configure the Azure AD provider using the "Advanced" management mode, supplying the client ID and client secret values you collected in the previous step. For the Issuer URL, use Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with your **Directory (tenant) ID**. +1. Configure the Microsoft Entra provider using the "Advanced" management mode, supplying the client ID and client secret values you collected in the previous step. For the Issuer URL, use Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with your **Directory (tenant) ID**. 1. 
Once you've saved the configuration, test the login flow by navigating in your browser to the `/.auth/login/aad` endpoint on your site and complete the sign-in flow.-1. At this point, you've successfully copied the configuration over, but the existing Microsoft Account provider configuration remains. Before you remove it, make sure that all parts of your app reference the Azure AD provider through login links, etc. Verify that all parts of your app work as expected. -1. Once you've validated that things work against the Azure AD provider, you may remove the Microsoft Account provider configuration. +1. At this point, you've successfully copied the configuration over, but the existing Microsoft Account provider configuration remains. Before you remove it, make sure that all parts of your app reference the Microsoft Entra provider through login links, etc. Verify that all parts of your app work as expected. +1. Once you've validated that things work against the Microsoft Entra provider, you may remove the Microsoft Account provider configuration. > [!WARNING]-> It is possible to converge the two registrations by modifying the [supported account types](../active-directory/develop/supported-accounts-validation.md) for the Azure AD app registration. However, this would force a new consent prompt for Microsoft Account users, and those users' identity claims may be different in structure, `sub` notably changing values since a new App ID is being used. This approach is not recommended unless thoroughly understood. You should instead wait for support for the two registrations in the V2 API surface. +> It is possible to converge the two registrations by modifying the [supported account types](../active-directory/develop/supported-accounts-validation.md) for the Microsoft Entra app registration. 
However, this would force a new consent prompt for Microsoft Account users, and those users' identity claims may be different in structure, `sub` notably changing values since a new App ID is being used. This approach is not recommended unless thoroughly understood. You should instead wait for support for the two registrations in the V2 API surface. #### Switching to V2 |
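Review bot: the rewritten step for configuring the Microsoft Entra provider carries forward the doubled word "use Use `<authentication-endpoint>/<tenant-id>/v2.0`"; drop one "use". The rewritten overview paragraph also keeps "to sign-in users", which should be "to sign in users" (verb, not the noun form).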
app-service | Configure Authentication Customize Sign In Out | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-customize-sign-in-out.md | Users can initiate a sign-out by sending a `GET` request to the app's `/.auth/lo - Clears authentication cookies from the current session. - Deletes the current user's tokens from the token store.-- For Azure Active Directory and Google, performs a server-side sign-out on the identity provider.+- For Microsoft Entra ID and Google, performs a server-side sign-out on the identity provider. Here's a simple sign-out link in a webpage: az webapp config appsettings set --name <app_name> --resource-group <group_name> ## Limit the domain of sign-in accounts -Both Microsoft Account and Azure Active Directory lets you sign in from multiple domains. For example, Microsoft Account allows _outlook.com_, _live.com_, and _hotmail.com_ accounts. Azure AD allows any number of custom domains for the sign-in accounts. However, you may want to accelerate your users straight to your own branded Azure AD sign-in page (such as `contoso.com`). To suggest the domain name of the sign-in accounts, follow these steps. +Both Microsoft Account and Microsoft Entra ID lets you sign in from multiple domains. For example, Microsoft Account allows _outlook.com_, _live.com_, and _hotmail.com_ accounts. Microsoft Entra ID allows any number of custom domains for the sign-in accounts. However, you may want to accelerate your users straight to your own branded Microsoft Entra sign-in page (such as `contoso.com`). To suggest the domain name of the sign-in accounts, follow these steps. 1. In [https://resources.azure.com](https://resources.azure.com), At the top of the page, select **Read/Write**. 2. 
In the left browser, navigate to **subscriptions** > **_\<subscription-name_** > **resourceGroups** > **_\<resource-group-name>_** > **providers** > **Microsoft.Web** > **sites** > **_\<app-name>_** > **config** > **authsettingsV2**. For any Windows app, you can define authorization behavior of the IIS web server The identity provider may provide certain turn-key authorization. For example: -- For [Azure App Service](configure-authentication-provider-aad.md), you can [manage enterprise-level access](../active-directory/manage-apps/what-is-access-management.md) directly in Azure AD. For instructions, see [How to remove a user's access to an application](../active-directory/manage-apps/methods-for-removing-user-access.md).+- For [Azure App Service](configure-authentication-provider-aad.md), you can [manage enterprise-level access](../active-directory/manage-apps/what-is-access-management.md) directly in Microsoft Entra ID. For instructions, see [How to remove a user's access to an application](../active-directory/manage-apps/methods-for-removing-user-access.md). - For [Google](configure-authentication-provider-google.md), Google API projects that belong to an [organization](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations) can be configured to allow access only to users in your organization (see [Google's **Setting up OAuth 2.0** support page](https://support.google.com/cloud/answer/6158849?hl=en)). ### Application level |
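Review bot: the rewritten sentence "Both Microsoft Account and Microsoft Entra ID lets you sign in from multiple domains" has a plural subject, so "lets" should be "let". In the unchanged step 2 context, the path segment `**_\<subscription-name_**` is missing its closing `>` compared with the neighbouring `**_\<resource-group-name>_**` and `**_\<app-name>_**`.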
app-service | Configure Authentication Oauth Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-oauth-tokens.md | From your server code, the provider-specific tokens are injected into the reques | Provider | Header names | |-|-|-| Azure Active Directory | `X-MS-TOKEN-AAD-ID-TOKEN` <br/> `X-MS-TOKEN-AAD-ACCESS-TOKEN` <br/> `X-MS-TOKEN-AAD-EXPIRES-ON` <br/> `X-MS-TOKEN-AAD-REFRESH-TOKEN` | +| Microsoft Entra ID | `X-MS-TOKEN-AAD-ID-TOKEN` <br/> `X-MS-TOKEN-AAD-ACCESS-TOKEN` <br/> `X-MS-TOKEN-AAD-EXPIRES-ON` <br/> `X-MS-TOKEN-AAD-REFRESH-TOKEN` | | Facebook Token | `X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN` <br/> `X-MS-TOKEN-FACEBOOK-EXPIRES-ON` | | Google | `X-MS-TOKEN-GOOGLE-ID-TOKEN` <br/> `X-MS-TOKEN-GOOGLE-ACCESS-TOKEN` <br/> `X-MS-TOKEN-GOOGLE-EXPIRES-ON` <br/> `X-MS-TOKEN-GOOGLE-REFRESH-TOKEN` | | Twitter | `X-MS-TOKEN-TWITTER-ACCESS-TOKEN` <br/> `X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET` | |
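Review bot: the table row changes only the display name while the header names keep the `X-MS-TOKEN-AAD-*` prefix; add a one-line note under the table that these header names are stable identifiers unaffected by the rename, so application code that reads `X-MS-TOKEN-AAD-ACCESS-TOKEN` is not "corrected" to a header that App Service never injects.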
app-service | Configure Authentication Provider Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-provider-aad.md | Title: Configure Azure AD authentication -description: Learn how to configure Azure Active Directory authentication as an identity provider for your App Service or Azure Functions app. + Title: Configure Microsoft Entra authentication +description: Learn how to configure Microsoft Entra authentication as an identity provider for your App Service or Azure Functions app. ms.assetid: 6ec6a46c-bce4-47aa-b8a3-e133baef22eb Last updated 01/31/2023-# Configure your App Service or Azure Functions app to use Azure AD sign-in +# Configure your App Service or Azure Functions app to use Microsoft Entra sign-in Select another authentication provider to jump to it. [!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)] -This article shows you how to configure authentication for Azure App Service or Azure Functions so that your app signs in users with the [Microsoft identity platform](../active-directory/develop/v2-overview.md) (Azure AD) as the authentication provider. +This article shows you how to configure authentication for Azure App Service or Azure Functions so that your app signs in users with the [Microsoft identity platform](../active-directory/develop/v2-overview.md) (Microsoft Entra ID) as the authentication provider. The App Service Authentication feature can automatically create an app registration with the Microsoft identity platform. You can also use a registration that you or a directory admin creates separately. The App Service Authentication feature can automatically create an app registrat - [Use an existing registration created separately](#advanced) > [!NOTE]-> The option to create a new registration automatically isn't available for government clouds or when using [Azure Active Directory for customers (Preview)]. 
Instead, [define a registration separately](#advanced). +> The option to create a new registration automatically isn't available for government clouds or when using [Microsoft Entra ID for customers (Preview)]. Instead, [define a registration separately](#advanced). ## <a name="express"> </a> Option 1: Create a new app registration automatically -Use this option unless you need to create an app registration separately. You can customize the app registration in Azure AD once it's created. +Use this option unless you need to create an app registration separately. You can customize the app registration in Microsoft Entra ID once it's created. 1. Sign in to the [Azure portal] and navigate to your app. 1. Select **Authentication** in the menu on the left. Select **Add identity provider**. Use this option unless you need to create an app registration separately. You ca You're now ready to use the Microsoft identity platform for authentication in your app. The provider will be listed on the **Authentication** screen. From there, you can edit or delete this provider configuration. -For an example of configuring Azure AD sign-in for a web app that accesses Azure Storage and Microsoft Graph, see [this tutorial](scenario-secure-app-authentication-app-service.md). +For an example of configuring Microsoft Entra sign-in for a web app that accesses Azure Storage and Microsoft Graph, see [this tutorial](scenario-secure-app-authentication-app-service.md). ## <a name="advanced"> </a>Option 2: Use an existing registration created separately You can configure App Service authentication to use an existing app registration. 
The following situations are the most common cases to use an existing app registration: -- Your account doesn't have permissions to create app registrations in your Azure AD tenant.-- You want to use an app registration from a different Azure AD tenant than the one your app is in.+- Your account doesn't have permissions to create app registrations in your Microsoft Entra tenant. +- You want to use an app registration from a different Microsoft Entra tenant than the one your app is in. - The option to create a new registration isn't available for government clouds. -#### <a name="register"> </a>Step 1: Create an app registration in Azure AD for your App Service app +#### <a name="register"> </a>Step 1: Create an app registration in Microsoft Entra ID for your App Service app During creation of the app registration, collect the following information which you'll need later when you configure the authentication in the App Service app: The instructions for creating an app registration depend on if you're using [a w To register the app, perform the following steps: -1. Sign in to the [Azure portal], search for and select **App Services**, and then select your app. Note your app's **URL**. You'll use it to configure your Azure Active Directory app registration. +1. Sign in to the [Azure portal], search for and select **App Services**, and then select your app. Note your app's **URL**. You'll use it to configure your Microsoft Entra app registration. 1. Navigate to your tenant in the portal: # [Workforce tenant](#tab/workforce-tenant) - From the portal menu, select **Azure Active Directory**. If the tenant you're using is different from the one you use to configure the App Service application, you'll need to [change directories][Switch your directory] first. + From the portal menu, select **Microsoft Entra ID**. 
If the tenant you're using is different from the one you use to configure the App Service application, you'll need to [change directories][Switch your directory] first. # [Customer tenant (Preview)](#tab/customer-tenant) To register the app, perform the following steps: > [!TIP] > Because you're working in two tenant contexts (the tenant for your subscription and the customer tenant), you may want to open the Azure portal in two separate tabs of your web browser. Each can be signed into a different tenant. - 1. From the portal menu, select **Azure Active Directory**. + 1. From the portal menu, select **Microsoft Entra ID**. To register the app, perform the following steps: -#### <a name="secrets"> </a>Step 2: Enable Azure Active Directory in your App Service app +#### <a name="secrets"> </a>Step 2: Enable Microsoft Entra ID in your App Service app 1. Sign in to the [Azure portal] and navigate to your app. 1. From the left navigation, select **Authentication** > **Add identity provider** > **Microsoft**. To register the app, perform the following steps: |-|-| |Application (client) ID| Use the **Application (client) ID** of the app registration. | |Client Secret| Use the client secret you generated in the app registration. With a client secret, hybrid flow is used and the App Service will return access and refresh tokens. When the client secret isn't set, implicit flow is used and only an ID token is returned. These tokens are sent by the provider and stored in the App Service authentication token store.|- |Issuer URL| Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the **authentication endpoint** you determined in the previous step for your tenant type and cloud environment, also replacing *\<tenant-id>* with the **Directory (tenant) ID** in which the app registration was created. For applications that use Azure AD v1, omit `/v2.0` in the URL. 
<br/><br/> This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. Any configuration other than a tenant-specific endpoint will be treated as multi-tenant. In multi-tenant configurations, no validation of the issuer or tenant ID is performed by the system, and these checks should be fully handled in [your app's authorization logic](#authorize-requests).| + |Issuer URL| Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the **authentication endpoint** you determined in the previous step for your tenant type and cloud environment, also replacing *\<tenant-id>* with the **Directory (tenant) ID** in which the app registration was created. For applications that use Azure AD v1, omit `/v2.0` in the URL. <br/><br/> This value is used to redirect users to the correct Microsoft Entra tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. Any configuration other than a tenant-specific endpoint will be treated as multi-tenant. In multi-tenant configurations, no validation of the issuer or tenant ID is performed by the system, and these checks should be fully handled in [your app's authorization logic](#authorize-requests).| |Allowed Token Audiences| This field is optional. The configured **Application (client) ID** is *always* implicitly considered to be an allowed audience. If your application represents an API that will be called by other clients, you should also add the **Application ID URI** that you configured on the app registration. There's a limit of 500 characters total across the list of allowed audiences.| The client secret will be stored as a slot-sticky [application setting] named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. 
You can update that setting later to use [Key Vault references](./app-service-key-vault-references.md) if you wish to manage the secret in Azure Key Vault. You can also work directly with the underlying access token from the injected `x ### Use a built-in authorization policy -The created app registration authenticates incoming requests for your Azure AD tenant. By default, it also lets anyone within the tenant to access the application, which is fine for many applications. However, some applications need to restrict access further by making authorization decisions. Your application code is often the best place to handle custom authorization logic. However, for common scenarios, the Microsoft identity platform provides built-in checks that you can use to limit access. +The created app registration authenticates incoming requests for your Microsoft Entra tenant. By default, it also lets anyone within the tenant to access the application, which is fine for many applications. However, some applications need to restrict access further by making authorization decisions. Your application code is often the best place to handle custom authorization logic. However, for common scenarios, the Microsoft identity platform provides built-in checks that you can use to limit access. This section shows how to enable built-in checks using the [App Service authentication V2 API](./configure-authentication-api-version.md). Currently, the only way to configure these built-in checks is via [Azure Resource Manager templates](/azure/templates/microsoft.web/sites/config-authsettingsv2) or the [REST API](/rest/api/appservice/web-apps/update-auth-settings-v2). 
-Within the API object, the Azure Active Directory identity provider configuration has a `validation` section that can include a `defaultAuthorizationPolicy` object as in the following structure: +Within the API object, the Microsoft Entra identity provider configuration has a `validation` section that can include a `defaultAuthorizationPolicy` object as in the following structure: ```json { Within the API object, the Azure Active Directory identity provider configuratio | Property | Description | ||-| | `defaultAuthorizationPolicy` | A grouping of requirements that must be met in order to access the app. Access is granted based on a logical `AND` over each of its configured properties. When `allowedApplications` and `allowedPrincipals` are both configured, the incoming request must satisfy both requirements in order to be accepted. |-| `allowedApplications` | An allowlist of string application **client IDs** representing the client resource that is calling into the app. When this property is configured as a nonempty array, only tokens obtained by an application specified in the list will be accepted.<br/><br/>This policy evaluates the `appid` or `azp` claim of the incoming token, which must be an access token. See the [Microsoft Identity Platform claims reference]. | +| `allowedApplications` | An allowlist of string application **client IDs** representing the client resource that is calling into the app. When this property is configured as a nonempty array, only tokens obtained by an application specified in the list will be accepted.<br/><br/>This policy evaluates the `appid` or `azp` claim of the incoming token, which must be an access token. See the [Microsoft identity platform claims reference]. | | `allowedPrincipals` | A grouping of checks that determine if the principal represented by the incoming request may access the app. Satisfaction of `allowedPrincipals` is based on a logical `OR` over its configured properties. 
|-| `identities` (under `allowedPrincipals`) | An allowlist of string **object IDs** representing users or applications that have access. When this property is configured as a nonempty array, the `allowedPrincipals` requirement can be satisfied if the user or application represented by the request is specified in the list.<br/><br/>This policy evaluates the `oid` claim of the incoming token. See the [Microsoft Identity Platform claims reference]. | +| `identities` (under `allowedPrincipals`) | An allowlist of string **object IDs** representing users or applications that have access. When this property is configured as a nonempty array, the `allowedPrincipals` requirement can be satisfied if the user or application represented by the request is specified in the list.<br/><br/>This policy evaluates the `oid` claim of the incoming token. See the [Microsoft identity platform claims reference]. | Additionally, some checks can be configured through an [application setting], regardless of the API version being used. The `WEBSITE_AUTH_AAD_ALLOWED_TENANTS` application setting can be configured with a comma-separated list of up to 10 tenant IDs (e.g., "559a2f9c-c6f2-4d31-b8d6-5ad1a13f8330,5693f64a-3ad5-4be7-b846-e9d1141bcebc") to require that the incoming token is from one of the specified tenants, as specified by the `tid` claim. The `WEBSITE_AUTH_AAD_REQUIRE_CLIENT_SERVICE_PRINCIPAL` application setting can be configured to "true" or "1" to require the incoming token to include an `oid` claim. This setting is ignored and treated as true if `allowedPrincipals.identities` has been configured (since the `oid` claim is checked against this provided list of identities). Requests that fail these built-in checks are given an HTTP `403 Forbidden` respo ## Configure client apps to access your App Service -In the prior sections, you registered your App Service or Azure Function to authenticate users. 
This section explains how to register native clients or daemon apps in Azure AD so that they can request access to APIs exposed by your App Service on behalf of users or themselves, such as in an N-tier architecture. Completing the steps in this section isn't required if you only wish to authenticate users. +In the prior sections, you registered your App Service or Azure Function to authenticate users. This section explains how to register native clients or daemon apps in Microsoft Entra ID so that they can request access to APIs exposed by your App Service on behalf of users or themselves, such as in an N-tier architecture. Completing the steps in this section isn't required if you only wish to authenticate users. ### Native client application You can register native clients to request access your App Service app's APIs on behalf of a signed in user. -1. From the portal menu, select **Azure Active Directory**. +1. From the portal menu, select **Microsoft Entra ID**. 1. From the left navigation, select **App registrations** > **New registration**. 1. In the **Register an application** page, enter a **Name** for your app registration. 1. In **Redirect URI**, select **Public client (mobile & desktop)** and type the URL `<app-url>/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. You can register native clients to request access your App Service app's APIs on > [!NOTE] > For a Microsoft Store application, use the [package SID](/previous-versions/azure/app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library#package-sid) as the URI instead. 1. From the left navigation, select **API permissions** > **Add a permission** > **My APIs**.-1. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Azure AD for your App Service app](#register). +1. 
Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Microsoft Entra ID for your App Service app](#register). 1. Under **Delegated permissions**, select **user_impersonation**, and then select **Add permissions**. You have now configured a native client application that can request access your App Service app on behalf of a user. You have now configured a native client application that can request access your In an N-tier architecture, your client application can acquire a token to call an App Service or Function app on behalf of the client app itself (not on behalf of a user). This scenario is useful for non-interactive daemon applications that perform tasks without a logged in user. It uses the standard OAuth 2.0 [client credentials](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) grant. -1. From the portal menu, select **Azure Active Directory**. +1. From the portal menu, select **Microsoft Entra ID**. 1. From the left navigation, select **App registrations** > **New registration**. 1. In the **Register an application** page, enter a **Name** for your app registration. 1. For a daemon application, you don't need a Redirect URI so you can keep that empty. In an N-tier architecture, your client application can acquire a token to call a You can now [request an access token using the client ID and client secret](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#first-case-access-token-request-with-a-shared-secret) by setting the `resource` parameter to the **Application ID URI** of the target app. 
The resulting access token can then be presented to the target app using the standard [OAuth 2.0 Authorization header](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#use-a-token), and App Service authentication will validate and use the token as usual to now indicate that the caller (an application in this case, not a user) is authenticated. -At present, this allows _any_ client application in your Azure AD tenant to request an access token and authenticate to the target app. If you also want to enforce _authorization_ to allow only certain client applications, you must perform some extra configuration. +At present, this allows _any_ client application in your Microsoft Entra tenant to request an access token and authenticate to the target app. If you also want to enforce _authorization_ to allow only certain client applications, you must perform some extra configuration. 1. [Define an App Role](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md) in the manifest of the app registration representing the App Service or Function app you want to protect. 1. On the app registration representing the client that needs to be authorized, select **API permissions** > **Add a permission** > **My APIs**. You have now configured a daemon client application that can access your App Ser Regardless of the configuration you use to set up authentication, the following best practices will keep your tenant and applications more secure: -- Configure each App Service app with its own app registration in Azure AD.+- Configure each App Service app with its own app registration in Microsoft Entra ID. - Give each App Service app its own permissions and consent. - Avoid permission sharing between environments by using separate app registrations for separate deployment slots. When you're testing new code, this practice can help prevent issues from affecting the production app. 
### Migrate to the Microsoft Graph -Some older apps may also have been set up with a dependency on the [deprecated Azure AD Graph][aad-graph], which is scheduled for full retirement. For example, your app code may have called Azure AD graph to check group membership as part of an authorization filter in a middleware pipeline. Apps should move to the [Microsoft Graph](/graph/overview) by following the [guidance provided by Azure AD as part of the Azure AD Graph deprecation process][aad-graph]. In following those instructions, you may need to make some changes to your configuration of App Service authentication. Once you have added Microsoft Graph permissions to your app registration, you can: +Some older apps may also have been set up with a dependency on the [deprecated Azure AD Graph][aad-graph], which is scheduled for full retirement. For example, your app code may have called Azure AD Graph to check group membership as part of an authorization filter in a middleware pipeline. Apps should move to the [Microsoft Graph](/graph/overview) by following the [guidance provided by Microsoft Entra ID as part of the Azure AD Graph deprecation process][aad-graph]. In following those instructions, you may need to make some changes to your configuration of App Service authentication. Once you have added Microsoft Graph permissions to your app registration, you can: -1. Update the **Issuer URL** to include the "/v2.0" suffix if it doesn't already. See [Enable Azure Active Directory in your App Service app](#-step-2-enable-azure-active-directory-in-your-app-service-app) for general expectations around this value. +1. Update the **Issuer URL** to include the "/v2.0" suffix if it doesn't already. 1. Remove requests for Azure AD Graph permissions from your sign-in configuration. 
The properties to change depend on [which version of the management API you're using](./configure-authentication-api-version.md): - If you're using the V1 API (`/authsettings`), this would be in the `additionalLoginParams` array. - If you're using the V2 API (`/authsettingsV2`), this would be in the `loginParameters` array. Some older apps may also have been set up with a dependency on the [deprecated A You would also need to update the configuration to request the new Microsoft Graph permissions you set up for the application registration. You can use the [.default scope](../active-directory/develop/scopes-oidc.md#the-default-scope) to simplify this setup in many cases. To do so, add a new sign-in parameter `scope=openid profile email https://graph.microsoft.com/.default`. -With these changes, when App Service Authentication attempts to sign in, it will no longer request permissions to the Azure AD Graph, and instead it will get a token for the Microsoft Graph. Any use of that token from your application code would also need to be updated, as per the [guidance provided by Azure AD][aad-graph]. +With these changes, when App Service Authentication attempts to sign in, it will no longer request permissions to the Azure AD Graph, and instead it will get a token for the Microsoft Graph. Any use of that token from your application code would also need to be updated, as per the [guidance provided by Microsoft Entra ID][aad-graph]. 
[aad-graph]: /graph/migrate-azure-ad-graph-overview With these changes, when App Service Authentication attempts to sign in, it will [Azure Active Directory for customers (Preview)]: ../active-directory/external-identities/customers/overview-customers-ciam.md [Switch your directory]: ../azure-portal/set-preferences.md#switch-and-manage-directories [Create a sign-up and sign-in user flow]: ../active-directory/external-identities/customers/how-to-user-flow-sign-up-sign-in-customers.md-[Add your application to the user flow]: ../active-directory/external-identities/customers/how-to-user-flow-add-application.md +[Add your application to the user flow]: ../active-directory/external-identities/customers/how-to-user-flow-add-application.md |
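Review bot: the "Migrate to the Microsoft Graph" hunk drops a cross-reference instead of repairing it. The removed line ended with "See [Enable Azure Active Directory in your App Service app](#-step-2-enable-azure-active-directory-in-your-app-service-app) for general expectations around this value.", and the replacement keeps only "Update the **Issuer URL** to include the "/v2.0" suffix if it doesn't already." Renaming the Step 2 heading to "Enable Microsoft Entra ID in your App Service app" does invalidate the old generated anchor, but that heading already carries an explicit `<a name="secrets"> </a>` anchor in the same patch, so the pointer can be preserved as "See [Enable Microsoft Entra ID in your App Service app](#secrets) for general expectations around this value." Losing the link matters here because the Step 2 Issuer URL row is where the page explains that anything other than a tenant-specific endpoint is treated as multi-tenant with no issuer or tenant ID validation, which is exactly the check a reader changing the Issuer URL during the Graph migration needs to see.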
app-service | Configure Authentication Provider Microsoft | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-provider-microsoft.md | -This topic shows you how to configure Azure App Service or Azure Functions to use AAD to support personal Microsoft account logins. +This topic shows you how to configure Azure App Service or Azure Functions to use Microsoft Entra ID to support personal Microsoft account logins. > [!IMPORTANT]-> While the Microsoft Account provider is still supported, it is recommended that apps instead use the [Microsoft Identity Platform provider (Azure AD)](./configure-authentication-provider-aad.md). The Microsoft Identity Platform offers support for both organizational accounts and personal Microsoft accounts. +> While the Microsoft Account provider is still supported, it is recommended that apps instead use the [Microsoft identity platform provider (Microsoft Entra ID)](./configure-authentication-provider-aad.md). The Microsoft identity platform offers support for both organizational accounts and personal Microsoft accounts. ## <a name="register-microsoft-account"> </a>Register your app with Microsoft Account 1. Go to [**App registrations**](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal. If needed, sign in with your Microsoft account. 1. Select **New registration**, then enter an application name.-1. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)** +1. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)** 1. In **Redirect URIs**, select **Web**, and then enter `https://<app-domain-name>/.auth/login/aad/callback`. Replace *\<app-domain-name>* with the domain name of your app. 
For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. Be sure to use the HTTPS scheme in the URL. 1. Select **Register**. This topic shows you how to configure Azure App Service or Azure Functions to us 1. Go to your application in the [Azure portal]. 1. Select **Settings** > **Authentication / Authorization**, and make sure that **App Service Authentication** is **On**.-1. Under **Authentication Providers**, select **Azure Active Directory**. Select **Advanced** under **Management mode**. Paste in the Application (client) ID and client secret that you obtained earlier. Use **`https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0`** for the **Issuer Url** field. +1. Under **Authentication Providers**, select **Microsoft Entra ID**. Select **Advanced** under **Management mode**. Paste in the Application (client) ID and client secret that you obtained earlier. Use **`https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0`** for the **Issuer Url** field. 1. Select **OK**. App Service provides authentication, but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code. -1. (Optional) To restrict access to Microsoft account users, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated requests to use AAD for authentication. Note that because you have configured your **Issuer Url** to use the Microsoft Account tenant, only personal accounts will successfully authenticate. +1. (Optional) To restrict access to Microsoft account users, set **Action to take when request is not authenticated** to **Log in with Microsoft Entra ID**. When you set this functionality, your app requires all requests to be authenticated. 
It also redirects all unauthenticated requests to use Microsoft Entra ID for authentication. Note that because you have configured your **Issuer Url** to use the Microsoft Account tenant, only personal accounts will successfully authenticate. > [!CAUTION] > Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred so that the app manually starts authentication itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow). |
app-service | Configure Language Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-java.md | Java applications running in App Service have the same set of [security best pra ### Authenticate users (Easy Auth) -Set up app authentication in the Azure portal with the **Authentication and Authorization** option. From there, you can enable authentication using Azure Active Directory or social sign-ins like Facebook, Google, or GitHub. Azure portal configuration only works when configuring a single authentication provider. For more information, see [Configure your App Service app to use Azure Active Directory sign-in](configure-authentication-provider-aad.md) and the related articles for other identity providers. If you need to enable multiple sign-in providers, follow the instructions in the [customize sign-ins and sign-outs](configure-authentication-customize-sign-in-out.md) article. +Set up app authentication in the Azure portal with the **Authentication and Authorization** option. From there, you can enable authentication using Microsoft Entra ID or social sign-ins like Facebook, Google, or GitHub. Azure portal configuration only works when configuring a single authentication provider. For more information, see [Configure your App Service app to use Microsoft Entra sign-in](configure-authentication-provider-aad.md) and the related articles for other identity providers. If you need to enable multiple sign-in providers, follow the instructions in the [customize sign-ins and sign-outs](configure-authentication-customize-sign-in-out.md) article. #### Java SE -Spring Boot developers can use the [Azure Active Directory Spring Boot starter](/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory) to secure applications using familiar Spring Security annotations and APIs. Be sure to increase the maximum header size in your *application.properties* file. 
We suggest a value of `16384`. +Spring Boot developers can use the [Microsoft Entra Spring Boot starter](/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory) to secure applications using familiar Spring Security annotations and APIs. Be sure to increase the maximum header size in your *application.properties* file. We suggest a value of `16384`. #### Tomcat |
app-service | Deploy Authentication Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-authentication-types.md | Azure App Service lets you deploy your web application code and configuration by |Deployment method|Authentication  |Reference Documents | |:-|:-|:-|-|Azure CLI |Azure AD authentication | In Azure CLI, version 2.48.1 or higher, the following commands have been modified to use Azure AD authentication if basic authentication is turned off for your web app or function app:<br/>- [az webapp up](/cli/azure/webapp#az-webapp-up)<br/>- [az webapp deploy](/cli/azure/webapp#az-webapp-deploy)<br/>- [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip)<br/>- [az webapp log deployment show](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-show)<br/>- [az webapp log deployment list](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-list)<br/>- [az webapp log download](/cli/azure/webapp/log#az-webapp-log-download)<br/>- [az webapp log tail](/cli/azure/webapp/log#az-webapp-log-tail)<br/>- [az webapp browse](/cli/azure/webapp#az-webapp-browse)<br/>- [az webapp create-remote-connection](/cli/azure/webapp#az-webapp-create-remote-connection)<br/>- [az webapp ssh](/cli/azure/webapp#az-webapp-ssh)<br/>- [az functionapp deploy](/cli/azure/functionapp#az-functionapp-deploy)<br/>- [az functionapp log deployment list](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-list)<br/>- [az functionapp log deployment show](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-show)<br/>- [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az-functionapp-deployment-source-config-zip)<br/>For more information, see [az appservice](/cli/azure/appservice) and [az webapp](/cli/azure/webapp). 
| -|Azure PowerShell |Azure AD authentication | In Azure PowerShell, version 9.7.1 or above, Azure AD authentication is available for App Service. For more information, see [PowerShell samples for Azure App Service](samples-powershell.md). | -|SCM/Kudu/OneDeploy REST endpoint |Basic authentication, Azure AD authentication |[Deploy files to App Service](deploy-zip.md) | -|Kudu UI |Basic authentication, Azure AD authentication |[Deploy files to App Service](deploy-zip.md)| +|Azure CLI |Microsoft Entra authentication | In Azure CLI, version 2.48.1 or higher, the following commands have been modified to use Microsoft Entra authentication if basic authentication is turned off for your web app or function app:<br/>- [az webapp up](/cli/azure/webapp#az-webapp-up)<br/>- [az webapp deploy](/cli/azure/webapp#az-webapp-deploy)<br/>- [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip)<br/>- [az webapp log deployment show](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-show)<br/>- [az webapp log deployment list](/cli/azure/webapp/log/deployment#az-webapp-log-deployment-list)<br/>- [az webapp log download](/cli/azure/webapp/log#az-webapp-log-download)<br/>- [az webapp log tail](/cli/azure/webapp/log#az-webapp-log-tail)<br/>- [az webapp browse](/cli/azure/webapp#az-webapp-browse)<br/>- [az webapp create-remote-connection](/cli/azure/webapp#az-webapp-create-remote-connection)<br/>- [az webapp ssh](/cli/azure/webapp#az-webapp-ssh)<br/>- [az functionapp deploy](/cli/azure/functionapp#az-functionapp-deploy)<br/>- [az functionapp log deployment list](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-list)<br/>- [az functionapp log deployment show](/cli/azure/functionapp/log/deployment#az-functionapp-log-deployment-show)<br/>- [az functionapp deployment source config-zip](/cli/azure/functionapp/deployment/source#az-functionapp-deployment-source-config-zip)<br/>For more information, see [az 
appservice](/cli/azure/appservice) and [az webapp](/cli/azure/webapp). | +|Azure PowerShell |Microsoft Entra authentication | In Azure PowerShell, version 9.7.1 or above, Microsoft Entra authentication is available for App Service. For more information, see [PowerShell samples for Azure App Service](samples-powershell.md). | +|SCM/Kudu/OneDeploy REST endpoint |Basic authentication, Microsoft Entra authentication |[Deploy files to App Service](deploy-zip.md) | +|Kudu UI |Basic authentication, Microsoft Entra authentication |[Deploy files to App Service](deploy-zip.md)| |FTP\FTPS |Basic authentication |[Deploy your app to Azure App Service using FTP/S](deploy-ftp.md) | |Visual Studio |Basic authentication  |[Quickstart: Deploy an ASP.NET web app](quickstart-dotnetcore.md)<br/>[Develop and deploy WebJobs using Visual Studio](webjobs-dotnet-deploy-vs.md)<br/>[Troubleshoot an app in Azure App Service using Visual Studio](troubleshoot-dotnet-visual-studio.md)<br/>[GitHub Actions integration in Visual Studio](/visualstudio/azure/overview-github-actions)<br/>[Deploy your application to Azure using GitHub Actions workflows created by Visual Studio](/visualstudio/deployment/azure-deployment-using-github-actions) |-|Visual Studio Code|Azure AD authentication |[Quickstart: Deploy an ASP.NET web app](quickstart-dotnetcore.md)<br/> [Working with GitHub in VS Code](https://code.visualstudio.com/docs/sourcecontrol/github) | +|Visual Studio Code|Microsoft Entra authentication |[Quickstart: Deploy an ASP.NET web app](quickstart-dotnetcore.md)<br/> [Working with GitHub in VS Code](https://code.visualstudio.com/docs/sourcecontrol/github) | |GitHub with GitHub Actions |Publish profile, service principal, OpenID Connect |[Deploy to App Service using GitHub Actions](deploy-github-actions.md) | |GitHub with App Service build service as build engine|Publish profile |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | |GitHub with Azure Pipelines as build 
engine|Publish profile, Azure DevOps service connection |[Deploy to App Service using Azure Pipelines](deploy-azure-pipelines.md) | Azure App Service lets you deploy your web application code and configuration by |Bitbucket |Publish profile |[Continuous deployment to Azure App Service](deploy-continuous-deployment.md) | |Local Git |Publish profile |[Local Git deployment to Azure App Service](deploy-local-git.md) | |External Git repository|Publish profile |[Setting up continuous deployment using manual steps](https://github.com/projectkudu/kudu/wiki/Continuous-deployment#setting-up-continuous-deployment-using-manual-steps) |-|Run directly from an uploaded ZIP file |Azure AD authentication |[Run your app in Azure App Service directly from a ZIP package](deploy-run-package.md) | +|Run directly from an uploaded ZIP file |Microsoft Entra authentication |[Run your app in Azure App Service directly from a ZIP package](deploy-run-package.md) | |Run directly from external URL |Storage account key, managed identity |[Run from external URL instead](deploy-run-package.md#run-from-external-url-instead) |-|Azure Web app plugin for Maven (Java) |Azure AD authentication |[Quickstart: Create a Java app on Azure App Service](quickstart-java.md)| -|Azure WebApp Plugin for Gradle (Java) |Azure AD authentication |[Configure a Java app for Azure App Service](configure-language-java.md)| +|Azure Web app plugin for Maven (Java) |Microsoft Entra authentication |[Quickstart: Create a Java app on Azure App Service](quickstart-java.md)| +|Azure WebApp Plugin for Gradle (Java) |Microsoft Entra authentication |[Configure a Java app for Azure App Service](configure-language-java.md)| |Webhooks |Publish profile |[Web hooks](https://github.com/projectkudu/kudu/wiki/Web-hooks) | |App Service migration assistant |Basic authentication |[Azure App Service migration tools](https://azure.microsoft.com/products/app-service/migration-tools/) | |App Service migration assistant for PowerShell scripts |Basic 
authentication |[Azure App Service migration tools](https://azure.microsoft.com/products/app-service/migration-tools/) |-|Azure Migrate App Service discovery/assessment/migration |Azure AD authentication |[Tutorial: Assess ASP.NET web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md)<br/>[Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md) | +|Azure Migrate App Service discovery/assessment/migration |Microsoft Entra authentication |[Tutorial: Assess ASP.NET web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md)<br/>[Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md) | |
app-service | Deploy Azure Pipelines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-azure-pipelines.md | Use [Azure Pipelines](/azure/devops/pipelines/) to automatically deploy your web YAML pipelines are defined using a YAML file in your repository. A step is the smallest building block of a pipeline and can be a script or task (prepackaged script). [Learn about the key concepts and components that make up a pipeline](/azure/devops/pipelines/get-started/key-pipelines-concepts). -You'll use the [Azure Web App task](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app) to deploy to Azure App Service in your pipeline. For more complicated scenarios such as needing to use XML parameters in your deploy, you can use the [Azure App Service Deploy task](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app). +You'll use the [Azure Web App task](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app) to deploy to Azure App Service in your pipeline. For more complicated scenarios such as needing to use XML parameters in your deploy, you can use the [Azure App Service Deploy task](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment). ## Prerequisites |
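Review bot: confirm that `/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment` resolves. The `-` line pointed both the Azure Web App task and the Azure App Service Deploy task at the same `azure-rm-web-app` page, so the "more complicated scenarios such as needing to use XML parameters" sentence sent readers back to the task they had just been told to use; the `+` line is the real fix in this commit, and a mistyped slug would reintroduce the duplicate link.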
app-service | Deploy Ci Cd Custom Container | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-ci-cd-custom-container.md | You can customize the GitHub Actions build provider in the following ways: - Customize the workflow file after it's generated in your GitHub repository. For more information, see [Workflow syntax for GitHub Actions](https://docs.github.com/actions/reference/workflow-syntax-for-github-actions). Just make sure that the workflow ends with the [Azure/webapps-deploy](https://github.com/Azure/webapps-deploy) action to trigger an app restart. - If the selected branch is protected, you can still preview the workflow file without saving the configuration, then add it and the required GitHub secrets into your repository manually. This method doesn't give you the log integration with the Azure portal.-- Instead of a publishing profile, deploy using a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) in Azure Active Directory.+- Instead of a publishing profile, deploy using a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) in Microsoft Entra ID. #### Authenticate with a service principal |
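Review bot: the action is written `Azure/webapps-deploy` here but `azure/webapps-deploy` in the same bullet of deploy-continuous-deployment.md, which this commit also touches; GitHub resolves both, but the two articles should use one casing. This article also gives a reason the workflow must end with that action ("to trigger an app restart") that the other article omits; if the restart is the actual requirement, state it in both places.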
app-service | Deploy Configure Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-configure-credentials.md | Invoke-AzResourceAction -ResourceGroupName <group-name> -ResourceType Microsoft. ## Disable basic authentication -Some organizations need to meet security requirements and would rather disable access via FTP or WebDeploy. This way, the organization's members can only access its App Services through APIs that are controlled by Azure Active Directory (Azure AD). +Some organizations need to meet security requirements and would rather disable access via FTP or WebDeploy. This way, the organization's members can only access its App Services through APIs that are controlled by Microsoft Entra ID. ### FTP |
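Review bot: the rewritten sentence still describes the outcome only in terms of FTP and WebDeploy, while the heading is "Disable basic authentication" and the subsections that follow (starting with `### FTP`) switch each publishing endpoint off separately. Add a clause saying basic authentication is disabled per endpoint, so a reader does not expect the FTP step alone to leave "only APIs that are controlled by Microsoft Entra ID" reachable.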
app-service | Deploy Continuous Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-continuous-deployment.md | You can customize the GitHub Actions build provider in these ways: - Customize the workflow file after it's generated in your GitHub repository. For more information, see [Workflow syntax for GitHub Actions](https://docs.github.com/actions/reference/workflow-syntax-for-github-actions). Just make sure that the workflow deploys to App Service with the [azure/webapps-deploy](https://github.com/Azure/webapps-deploy) action. - If the selected branch is protected, you can still preview the workflow file without saving the configuration and then manually add it into your repository. This method doesn't give you log integration with the Azure portal.-- Instead of using a publishing profile, deploy by using a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) in Azure Active Directory.+- Instead of using a publishing profile, deploy by using a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) in Microsoft Entra ID. #### Authenticate by using a service principal |
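Review bot: "deploy by using a service principal" is the security-relevant option in this list, but the bullet gives no reason to prefer it over the publishing profile, so readers have nothing to decide on. One clause on what changes (the credential's scope under Azure RBAC and how it is revoked) would make the recommendation actionable; the heading `#### Authenticate by using a service principal` that follows is the natural place to expand it.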
app-service | Networking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/networking.md | The normal app access ports inbound are as follows: You can set route tables without restriction. You can tunnel all of the outbound application traffic from your App Service Environment to an egress firewall device, such as Azure Firewall. In this scenario, the only thing you have to worry about is your application dependencies. -Application dependencies include endpoints that your app needs during runtime. Besides APIs and services the app is calling, dependencies could also be derived endpoints like certificate revocation list (CRL) check endpoints and identity/authentication endpoint, for example Azure Active Directory. If you're using [continuous deployment in App Service](../deploy-continuous-deployment.md), you might also need to allow endpoints depending on type and language. Specifically for [Linux continuous deployment](https://github.com/microsoft/Oryx/blob/main/doc/hosts/appservice.md#network-dependencies), you need to allow `oryx-cdn.microsoft.io:443`. +Application dependencies include endpoints that your app needs during runtime. Besides APIs and services the app is calling, dependencies could also be derived endpoints like certificate revocation list (CRL) check endpoints and identity/authentication endpoint, for example Microsoft Entra ID. If you're using [continuous deployment in App Service](../deploy-continuous-deployment.md), you might also need to allow endpoints depending on type and language. Specifically for [Linux continuous deployment](https://github.com/microsoft/Oryx/blob/main/doc/hosts/appservice.md#network-dependencies), you need to allow `oryx-cdn.microsoft.io:443`. You can put your web application firewall devices, such as Azure Application Gateway, in front of inbound traffic. Doing so allows you to expose specific apps on that App Service Environment. |
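Review bot: in the `+` line, "identity/authentication endpoint, for example Microsoft Entra ID" mixes number and category: the earlier items in the sentence are plural ("CRL check endpoints") and Microsoft Entra ID is a service, not an endpoint. Suggest "identity/authentication endpoints, for example those of Microsoft Entra ID". The `oryx-cdn.microsoft.io:443` allow-list item is unchanged and correct for the Linux build path.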
app-service | Identity Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/identity-scenarios.md | If you have a web app or an API running in Azure App Service, you can restrict a ## Authentication solutions - **Azure App Service built-in authentication** - Allows you to sign users in and access data by writing minimal or no code in your web app, RESTful API, or mobile back end. ItΓÇÖs built directly into the platform and doesnΓÇÖt require any particular language, library, security expertise, or even any code to use.-- **Microsoft Authentication Library (MSAL)** - Enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. Available for multiple supported platforms and frameworks, these are general purpose libraries that can be used in various hosted environments. Developers can also integrate with multiple sign-in providers, like Azure AD, Facebook, Google, Twitter.-- **Microsoft.Identity.Web** - A higher-level library wrapping MSAL.NET, it provides a set of ASP.NET Core abstractions that simplify adding authentication support to web apps and web APIs integrating with the Microsoft identity platform. It provides a single-surface API convenience layer that ties together ASP.NET Core, its authentication middleware, and MSAL.NET. This library can be used in apps in various hosted environments. You can integrate with multiple sign-in providers, like Azure AD, Facebook, Google, Twitter.+- **Microsoft Authentication Library (MSAL)** - Enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. Available for multiple supported platforms and frameworks, these are general purpose libraries that can be used in various hosted environments. Developers can also integrate with multiple sign-in providers, like Microsoft Entra ID, Facebook, Google, Twitter. 
+- **Microsoft.Identity.Web** - A higher-level library wrapping MSAL.NET, it provides a set of ASP.NET Core abstractions that simplify adding authentication support to web apps and web APIs integrating with the Microsoft identity platform. It provides a single-surface API convenience layer that ties together ASP.NET Core, its authentication middleware, and MSAL.NET. This library can be used in apps in various hosted environments. You can integrate with multiple sign-in providers, like Microsoft Entra ID, Facebook, Google, Twitter. ## Scenario recommendations |
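Review bot: both `+` lines keep the claim that MSAL and Microsoft.Identity.Web "integrate with multiple sign-in providers, like Microsoft Entra ID, Facebook, Google, Twitter", yet the same bullet says MSAL acquires tokens "from the Microsoft identity platform". As written it reads as if the library talks to Facebook or Google directly; if the intent is social identities federated through the Microsoft identity platform (or Azure AD B2C), say that, otherwise drop the social providers from these two bullets and leave them on the App Service built-in authentication bullet above, where they apply.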
app-service | Manage Create Arc Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/manage-create-arc-environment.md | The [custom location](../azure-arc/kubernetes/custom-locations.md) in Azure is u <!-- --kubeconfig ~/.kube/config # needed for non-Azure --> > [!NOTE]- > If you experience issues creating a custom location on your cluster, you may need to [enable the custom location feature on your cluster](../azure-arc/kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster). This is required if logged into the CLI using a Service Principal or if you are logged in with an Azure Active Directory user with restricted permissions on the cluster resource. + > If you experience issues creating a custom location on your cluster, you may need to [enable the custom location feature on your cluster](../azure-arc/kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster). This is required if logged into the CLI using a Service Principal or if you are logged in with a Microsoft Entra user with restricted permissions on the cluster resource. > 3. Validate that the custom location is successfully created with the following command. The output should show the `provisioningState` property as `Succeeded`. If not, run it again after a minute. |
app-service | Overview Authentication Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-authentication-authorization.md | Implementing a secure solution for authentication (signing-in users) and authori - Azure App Service allows you to integrate a variety of auth capabilities into your web app or API without implementing them yourself. - ItΓÇÖs built directly into the platform and doesnΓÇÖt require any particular language, SDK, security expertise, or even any code to utilize.-- You can integrate with multiple login providers. For example, Azure AD, Facebook, Google, Twitter.+- You can integrate with multiple login providers. For example, Microsoft Entra ID, Facebook, Google, Twitter. Your app might need to support more complex scenarios such as Visual Studio integration or incremental consent. There are several different authentication solutions available to support these scenarios. To learn more, read [Identity scenarios](identity-scenarios.md). 
App Service uses [federated identity](https://en.wikipedia.org/wiki/Federated_id | Provider | Sign-in endpoint | How-To guidance | | - | - | - |-| [Microsoft identity platform](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [App Service Microsoft Identity Platform login](configure-authentication-provider-aad.md) | +| [Microsoft identity platform](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [App Service Microsoft identity platform login](configure-authentication-provider-aad.md) | | [Facebook](https://developers.facebook.com/docs/facebook-login) | `/.auth/login/facebook` | [App Service Facebook login](configure-authentication-provider-facebook.md) | | [Google](https://developers.google.com/identity/choose-auth) | `/.auth/login/google` | [App Service Google login](configure-authentication-provider-google.md) | | [Twitter](https://developer.twitter.com/en/docs/basics/authentication) | `/.auth/login/twitter` | [App Service Twitter login](configure-authentication-provider-twitter.md) | With this option, you don't need to write any authentication code in your app. F > Restricting access in this way applies to all calls to your app, which may not be desirable for apps wanting a publicly available home page, as in many single-page applications. > [!NOTE]-> When using the Microsoft identity provider for users in your organization, the default behavior is that any user in your Azure AD tenant can request a token for your application. You can [configure the application in Azure AD](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md) if you want to restrict access to your app to a defined set of users. App Service also offers some [basic built-in authorization checks](.\configure-authentication-provider-aad.md#authorize-requests) which can help with some validations. 
To learn more about authorization in the Microsoft identity platform, see [Microsoft identity platform authorization basics](../active-directory/develop/authorization-basics.md). +> When using the Microsoft identity provider for users in your organization, the default behavior is that any user in your Microsoft Entra tenant can request a token for your application. You can [configure the application in Microsoft Entra ID](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md) if you want to restrict access to your app to a defined set of users. App Service also offers some [basic built-in authorization checks](.\configure-authentication-provider-aad.md#authorize-requests) which can help with some validations. To learn more about authorization in the Microsoft identity platform, see [Microsoft identity platform authorization basics](../active-directory/develop/authorization-basics.md). ### Token store When using Azure App Service with Easy Auth behind Azure Front Door or other rev ## More resources -- [How-To: Configure your App Service or Azure Functions app to use Azure AD login](configure-authentication-provider-aad.md)+- [How-To: Configure your App Service or Azure Functions app to use Microsoft Entra login](configure-authentication-provider-aad.md) - [Customize sign-ins and sign-outs](configure-authentication-customize-sign-in-out.md) <!- - [Work with OAuth tokens and sessions](configure-authentication-oauth-tokens.md) |
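Review bot: the relative link `.\configure-authentication-provider-aad.md#authorize-requests` inside the NOTE uses a backslash while every other link in the hunk uses forward slashes; markdown link paths need `/`. This matters more than usual here because the NOTE is the only place the default-allow behaviour ("any user in your Microsoft Entra tenant can request a token for your application") is stated, and the link to the built-in authorization checks is the reader's route to closing it.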
app-service | Overview Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-managed-identity.md | This article shows you how to create a managed identity for App Service and Azur [!INCLUDE [app-service-managed-identities](../../includes/app-service-managed-identities.md)] -The managed identity configuration is specific to the slot. To configure a managed identity for a deployment slot in the portal, navigate to the slot first. To find the managed identity for your web app or deployment slot in your Azure Active Directory tenant from the Azure portal, search for it directly from the **Overview** page of your tenant. Usually, the slot name is similar to `<app-name>/slots/<slot-name>`. +The managed identity configuration is specific to the slot. To configure a managed identity for a deployment slot in the portal, navigate to the slot first. To find the managed identity for your web app or deployment slot in your Microsoft Entra tenant from the Azure portal, search for it directly from the **Overview** page of your tenant. Usually, the slot name is similar to `<app-name>/slots/<slot-name>`. ## Add a system-assigned identity When the site is created, it has the following additional properties: } ``` -The tenantId property identifies what Azure AD tenant the identity belongs to. The principalId is a unique identifier for the application's new identity. Within Azure AD, the service principal has the same name that you gave to your App Service or Azure Functions instance. +The tenantId property identifies what Microsoft Entra tenant the identity belongs to. The principalId is a unique identifier for the application's new identity. Within Microsoft Entra ID, the service principal has the same name that you gave to your App Service or Azure Functions instance. 
If you need to reference these properties in a later stage in the template, you can do so via the [`reference()` template function](../azure-resource-manager/templates/template-functions-resource.md#reference) with the `'Full'` flag, as in this example: When the site is created, it has the following additional properties: } ``` -The principalId is a unique identifier for the identity that's used for Azure AD administration. The clientId is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls. +The principalId is a unique identifier for the identity that's used for Microsoft Entra administration. The clientId is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls. -- ## Configure target resource -You may need to configure the target resource to allow access from your app or function. For example, if you [request a token](#connect-to-azure-services-in-app-code) to access Key Vault, you must also add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database. To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +You may need to configure the target resource to allow access from your app or function. For example, if you [request a token](#connect-to-azure-services-in-app-code) to access Key Vault, you must also add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database. 
To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). > [!IMPORTANT] > The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh. ## Connect to Azure services in app code -With its managed identity, an app can obtain tokens for Azure resources that are protected by Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application. +With its managed identity, an app can obtain tokens for Azure resources that are protected by Microsoft Entra ID, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application. App Service and Azure Functions provide an internally accessible [REST endpoint](#rest-endpoint-reference) for token retrieval. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint and simplifies the development experience. Connecting to other Azure services is as simple as adding a credential object to the service-specific client. 
Content-Type: application/json } ``` -This response is the same as the [response for the Azure AD service-to-service access token request](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#successful-response). To access Key Vault, you will then add the value of `access_token` to a client connection with the vault. +This response is the same as the [response for the Microsoft Entra service-to-service access token request](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#successful-response). To access Key Vault, you will then add the value of `access_token` to a client connection with the vault. # [.NET](#tab/dotnet) $accessToken = $tokenResponse.access_token For more information on the REST endpoint, see [REST endpoint reference](#rest-endpoint-reference). ## <a name="remove"></a>Remove an identity -When you remove a system-assigned identity, it's deleted from Azure Active Directory. System-assigned identities are also automatically removed from Azure Active Directory when you delete the app resource itself. +When you remove a system-assigned identity, it's deleted from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when you delete the app resource itself. # [Azure portal](#tab/portal) The **IDENTITY_ENDPOINT** is a local URL from which your app can request tokens. > | Parameter name | In | Description | > |-|--|--|-> | resource | Query | The Azure AD resource URI of the resource for which a token should be obtained. This could be one of the [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI. | +> | resource | Query | The Microsoft Entra resource URI of the resource for which a token should be obtained. 
This could be one of the [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI. | > | api-version | Query | The version of the token API to be used. Use `2019-08-01`. | > | X-IDENTITY-HEADER | Header | The value of the IDENTITY_HEADER environment variable. This header is used to help mitigate server-side request forgery (SSRF) attacks. | > | client_id | Query | (Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. | |
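Review bot: the link text is renamed to "Azure services that support Microsoft Entra authentication" in two places, but the fragment is still `#azure-services-that-support-azure-ad-authentication`. If the target article's heading is renamed by the same sweep, the auto-generated anchor changes and both links land at the top of the page; either keep an explicit anchor on the target heading or update the fragment together with the text. The rest of the hunk (24-hour token cache caveat, `X-IDENTITY-HEADER` SSRF mitigation, `api-version` `2019-08-01`) is unchanged.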
app-service | Overview Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-security.md | For App Service on Windows, you can also restrict IP addresses dynamically by co Azure App Service provides turn-key authentication and authorization of users or client apps. When enabled, it can sign in users and client apps with little or no application code. You may implement your own authentication and authorization solution, or allow App Service to handle it for you instead. The authentication and authorization module handles web requests before handing them off to your application code, and it denies unauthorized requests before they reach your code. -App Service authentication and authorization support multiple authentication providers, including Azure Active Directory, Microsoft accounts, Facebook, Google, and Twitter. For more information, see [Authentication and authorization in Azure App Service](overview-authentication-authorization.md). +App Service authentication and authorization support multiple authentication providers, including Microsoft Entra ID, Microsoft accounts, Facebook, Google, and Twitter. For more information, see [Authentication and authorization in Azure App Service](overview-authentication-authorization.md). ## Service-to-service authentication When authenticating against a back-end service, App Service provides two different mechanisms depending on your need: - **Service identity** - Sign in to the remote resource using the identity of the app itself. App Service lets you easily create a [managed identity](overview-managed-identity.md), which you can use to authenticate with other services, such as [Azure SQL Database](/azure/sql-database/) or [Azure Key Vault](../key-vault/index.yml). 
For an end-to-end tutorial of this approach, see [Secure Azure SQL Database connection from App Service using a managed identity](tutorial-connect-msi-sql-database.md).-- **On-behalf-of (OBO)** - Make delegated access to remote resources on behalf of the user. With Azure Active Directory as the authentication provider, your App Service app can perform delegated sign-in to a remote service, such as [Microsoft Graph](/graph/overview) or a remote API app in App Service. For an end-to-end tutorial of this approach, see [Authenticate and authorize users end-to-end in Azure App Service](tutorial-auth-aad.md).+- **On-behalf-of (OBO)** - Make delegated access to remote resources on behalf of the user. With Microsoft Entra ID as the authentication provider, your App Service app can perform delegated sign-in to a remote service, such as [Microsoft Graph](/graph/overview) or a remote API app in App Service. For an end-to-end tutorial of this approach, see [Authenticate and authorize users end-to-end in Azure App Service](tutorial-auth-aad.md). ## Connectivity to remote resources Except for the **Isolated** pricing tier, all tiers run your apps on the shared For web workloads, we highly recommend utilizing [Azure DDoS protection](../ddos-protection/ddos-protection-overview.md) and a [web application firewall](../web-application-firewall/overview.md) to safeguard against emerging DDoS attacks. Another option is to deploy [Azure Front Door](../frontdoor/web-application-firewall.md) along with a web application firewall. Azure Front Door offers platform-level [protection against network-level DDoS attacks](../frontdoor/front-door-ddos.md). -For more information, see [Introduction to Azure App Service Environments](environment/intro.md). +For more information, see [Introduction to Azure App Service Environments](environment/intro.md). |
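Review bot: the final `-`/`+` pair ("For more information, see [Introduction to Azure App Service Environments](environment/intro.md).") is identical text, so that part of the change is whitespace-only, presumably a trailing space; fine to keep, but confirm it removes rather than adds one. The rename in the OBO bullet is correct and the tutorial link still points at `tutorial-auth-aad.md`, which this commit also edits.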
app-service | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview.md | Azure App Service is a fully managed platform as a service (PaaS) offering for d * **Global scale with high availability** - Scale [up](manage-scale-up.md) or [out](../azure-monitor/autoscale/autoscale-get-started.md) manually or automatically. Host your apps anywhere in Microsoft's global datacenter infrastructure, and the App Service [SLA](https://azure.microsoft.com/support/legal/sla/app-service/) promises high availability. * **Connections to SaaS platforms and on-premises data** - Choose from [many hundreds of connectors](/connectors/connector-reference/connector-reference-logicapps-connectors) for enterprise systems (such as SAP), SaaS services (such as Salesforce), and internet services (such as Facebook). Access on-premises data using [Hybrid Connections](app-service-hybrid-connections.md) and [Azure Virtual Networks](./overview-vnet-integration.md). * **Security and compliance** - App Service is [ISO, SOC, and PCI compliant](https://www.microsoft.com/trust-center). Create [IP address restrictions](app-service-ip-restrictions.md) and [managed service identities](overview-managed-identity.md). [Prevent subdomain takeovers](reference-dangling-subdomain-prevention.md).-* **Authentication** - [Authenticate users](overview-authentication-authorization.md) using the built-in authentication component. Authenticate users with [Azure Active Directory](configure-authentication-provider-aad.md), [Google](configure-authentication-provider-google.md), [Facebook](configure-authentication-provider-facebook.md), [Twitter](configure-authentication-provider-twitter.md), or [Microsoft account](configure-authentication-provider-microsoft.md). +* **Authentication** - [Authenticate users](overview-authentication-authorization.md) using the built-in authentication component. 
Authenticate users with [Microsoft Entra ID](configure-authentication-provider-aad.md), [Google](configure-authentication-provider-google.md), [Facebook](configure-authentication-provider-facebook.md), [Twitter](configure-authentication-provider-twitter.md), or [Microsoft account](configure-authentication-provider-microsoft.md). * **Application templates** - Choose from an extensive list of application templates in the [Azure Marketplace](https://azure.microsoft.com/marketplace/), such as WordPress, Joomla, and Drupal. * **Visual Studio and Visual Studio Code integration** - Dedicated tools in Visual Studio and Visual Studio Code streamline the work of creating, deploying, and debugging. * **Java tools integration** - Develop and deploy to Azure without leaving your favorite development tools, such as Maven, Gradle, Visual Studio Code, IntelliJ, and Eclipse. |
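Review bot: the same bullet list still says "[managed service identities](overview-managed-identity.md)" in the Security and compliance item, an older name for the feature the linked article calls managed identity; since this commit is the terminology sweep for the article, update that link text in the same change.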
app-service | Resources Kudu | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/resources-kudu.md | It also provides other features, such as: - Allows access with [REST API](https://github.com/projectkudu/kudu/wiki/REST-API). ## RBAC permissions required to access Kudu-To access Kudu in the browser with Azure Active Directory authentication, you need to be a member of a built-in or custom role. +To access Kudu in the browser with Microsoft Entra authentication, you need to be a member of a built-in or custom role. - If using a built-in role, you must be a member of Website Contributor, Contributor, or Owner. - If using a custom role, you need the resource provider operation: `Microsoft.Web/sites/publish/Action`. To access Kudu in the browser with Azure Active Directory authentication, you ne ## More Resources Kudu is an [open source project](https://github.com/projectkudu/kudu), and has its documentation at [Kudu Wiki](https://github.com/projectkudu/kudu/wiki).- |
app-service | Scenario Secure App Access Microsoft Graph As User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-microsoft-graph-as-user.md | public class Startup ### appsettings.json -*AzureAd* specifies the configuration for the Microsoft.Identity.Web library. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Applications** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Azure AD overview page for your tenant. +*AzureAd* specifies the configuration for the Microsoft.Identity.Web library. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Applications** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Microsoft Entra overview page for your tenant. *Graph* specifies the Microsoft Graph endpoint and the initial scopes needed by the app. |
app-service | Scenario Secure App Access Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scenario-secure-app-access-storage.md | To see this code as part of a sample application, see the [sample on GitHub](htt ### Install client library packages -Install the [Blob Storage NuGet package](https://www.nuget.org/packages/Azure.Storage.Blobs/) to work with Blob Storage and the [Azure Identity client library for .NET NuGet package](https://www.nuget.org/packages/Azure.Identity/) to authenticate with Azure AD credentials. Install the client libraries by using the .NET Core command-line interface or the Package Manager Console in Visual Studio. +Install the [Blob Storage NuGet package](https://www.nuget.org/packages/Azure.Storage.Blobs/) to work with Blob Storage and the [Azure Identity client library for .NET NuGet package](https://www.nuget.org/packages/Azure.Identity/) to authenticate with Microsoft Entra credentials. Install the client libraries by using the .NET Core command-line interface or the Package Manager Console in Visual Studio. #### .NET Core command-line |
app-service | Tutorial Auth Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-auth-aad.md | -# Requires non-internal subscription - internal subscriptions doesn't provide permission to correctly configure AAD apps +# Requires non-internal subscription - internal subscriptions doesn't provide permission to correctly configure Microsoft Entra apps # Tutorial: Authenticate and authorize users end-to-end in Azure App Service In the tutorial, you learn: > [!div class="checklist"] > * Enable built-in authentication and authorization > * Secure apps against unauthenticated requests-> * Use Azure Active Directory as the identity provider +> * Use Microsoft Entra ID as the identity provider > * Access a remote app on behalf of the signed-in user > * Secure service-to-service calls with token authentication > * Use access tokens from server code Browse to the frontend app and return the _fake_ profile from the backend. This ## 5. Configure authentication -In this step, you enable authentication and authorization for the two web apps. This tutorial uses Azure Active Directory as the identity provider. +In this step, you enable authentication and authorization for the two web apps. This tutorial uses Microsoft Entra ID as the identity provider. You also configure the frontend app to: You also configure the frontend app to: - Configure App Service to return a usable token - Use the token in your code. -For more information, see [Configure Azure Active Directory authentication for your App Services application](configure-authentication-provider-aad.md). +For more information, see [Configure Microsoft Entra authentication for your App Services application](configure-authentication-provider-aad.md). ### Enable authentication and authorization for backend app For more information, see [Configure Azure Active Directory authentication for y 1. 
In your backend app's left menu, select **Authentication**, and then select **Add identity provider**. -1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Azure AD identities. +1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Microsoft Entra identities. 1. Accept the default settings and select **Add**. :::image type="content" source="./media/tutorial-auth-aad/configure-auth-back-end.png" alt-text="Screenshot of the backend app's left menu showing Authentication/Authorization selected and settings selected in the right menu."::: -1. The **Authentication** page opens. Copy the **Client ID** of the Azure AD application to a notepad. You need this value later. +1. The **Authentication** page opens. Copy the **Client ID** of the Microsoft Entra application to a notepad. You need this value later. - :::image type="content" source="./media/tutorial-auth-aad/get-application-id-back-end.png" alt-text="Screenshot of the Azure Active Directory Settings window showing the Azure AD App, and the Azure AD Applications window showing the Client ID to copy."::: + :::image type="content" source="./media/tutorial-auth-aad/get-application-id-back-end.png" alt-text="Screenshot of the Microsoft Entra Settings window showing the Microsoft Entra App, and the Microsoft Entra Applications window showing the Client ID to copy."::: If you stop here, you have a self-contained app that's already secured by the App Service authentication and authorization. The remaining sections show you how to secure a multi-app solution by "flowing" the authenticated user from the frontend to the backend. If you stop here, you have a self-contained app that's already secured by the Ap 1. In your backend app's left menu, select **Authentication**, and then select **Add identity provider**. -1. 
In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Azure AD identities. +1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Microsoft Entra identities. 1. Accept the default settings and select **Add**. :::image type="content" source="./media/tutorial-auth-aad/configure-auth-back-end.png" alt-text="Screenshot of the backend app's left menu showing Authentication/Authorization selected and settings selected in the right menu."::: -1. The **Authentication** page opens. Copy the **Client ID** of the Azure AD application to a notepad. You need this value later. +1. The **Authentication** page opens. Copy the **Client ID** of the Microsoft Entra application to a notepad. You need this value later. - :::image type="content" source="./media/tutorial-auth-aad/get-application-id-back-end.png" alt-text="Screenshot of the Azure Active Directory Settings window showing the Azure AD App, and the Azure AD Applications window showing the Client ID to copy."::: + :::image type="content" source="./media/tutorial-auth-aad/get-application-id-back-end.png" alt-text="Screenshot of the Microsoft Entra Settings window showing the Microsoft Entra App, and the Microsoft Entra Applications window showing the Client ID to copy."::: ### Grant frontend app access to backend What you learned: > [!div class="checklist"] > * Enable built-in authentication and authorization > * Secure apps against unauthenticated requests-> * Use Azure Active Directory as the identity provider +> * Use Microsoft Entra ID as the identity provider > * Access a remote app on behalf of the signed-in user > * Secure service-to-service calls with token authentication > * Use access tokens from server code |
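Review bot: the second step block in this row (the one after "If you stop here ... from the frontend to the backend" and before "### Grant frontend app access to backend") still reads "In your backend app's left menu" and reuses `configure-auth-back-end.png` and `get-application-id-back-end.png`. If this block is the frontend-app procedure, change the wording to "frontend app" and point at frontend screenshots; if it is an accidental copy of the backend steps, remove it, because as written the reader enables authentication on the backend twice and never on the frontend.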
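Review bot: the alt-text rewrite in the `+ :::image ... get-application-id-back-end.png` lines now says "Screenshot of the Microsoft Entra Settings window" while the image files themselves are unchanged. Alt text should describe what the captured screenshot shows; either re-capture the portal screenshots under the new branding or keep the alt text matching the UI as captured, otherwise screen-reader users are told the image contains text it does not.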
app-service | Tutorial Connect App Access Sql Database As User Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-access-sql-database-as-user-dotnet.md | Title: 'Tutorial - Web app accesses SQL Database as the user' -description: Secure database connectivity with Azure Active Directory authentication from .NET web app, using the signed-in user. Learn how to apply it to other Azure services. +description: Secure database connectivity with Microsoft Entra authentication from .NET web app, using the signed-in user. Learn how to apply it to other Azure services. Last updated 04/21/2023 # Tutorial: Connect an App Service app to SQL Database on behalf of the signed-in user -This tutorial shows you how to enable [built-in authentication](overview-authentication-authorization.md) in an [App Service](overview.md) app using the Azure Active Directory authentication provider, then extend it by connecting it to a back-end Azure SQL Database by impersonating the signed-in user (also known as the [on-behalf-of flow](../active-directory/develop/v2-oauth2-on-behalf-of-flow.md)). This is a more advanced connectivity approach to [Tutorial: Access data with managed identity](tutorial-connect-msi-sql-database.md) and has the following advantages in enterprise scenarios: +This tutorial shows you how to enable [built-in authentication](overview-authentication-authorization.md) in an [App Service](overview.md) app using the Microsoft Entra authentication provider, then extend it by connecting it to a back-end Azure SQL Database by impersonating the signed-in user (also known as the [on-behalf-of flow](../active-directory/develop/v2-oauth2-on-behalf-of-flow.md)). 
This is a more advanced connectivity approach to [Tutorial: Access data with managed identity](tutorial-connect-msi-sql-database.md) and has the following advantages in enterprise scenarios: - Eliminates connection secrets to back-end services, just like the managed identity approach. - Gives the back-end database (or any other Azure service) more control over who or how much to grant access to its data and functionality. - Lets the app tailor its data presentation to the signed-in user. -In this tutorial, you add Azure Active Directory authentication to the sample web app you deployed in one of the following tutorials: +In this tutorial, you add Microsoft Entra authentication to the sample web app you deployed in one of the following tutorials: - [Tutorial: Build an ASP.NET app in Azure with Azure SQL Database](app-service-web-tutorial-dotnet-sqldatabase.md) - [Tutorial: Build an ASP.NET Core and Azure SQL Database app in Azure App Service](tutorial-dotnetcore-sqldb-app.md) What you will learn: > * Enable built-in authentication for Azure SQL Database > * Disable other authentication options in Azure SQL Database > * Enable App Service authentication-> * Use Azure Active Directory as the identity provider -> * Access Azure SQL Database on behalf of the signed-in Azure AD user +> * Use Microsoft Entra ID as the identity provider +> * Access Azure SQL Database on behalf of the signed-in Microsoft Entra user > [!NOTE]->Azure AD authentication is _different_ from [Integrated Windows authentication](/previous-versions/windows/it-pro/windows-server-2003/cc758557(v=ws.10)) in on-premises Active Directory (AD DS). AD DS and Azure AD use completely different authentication protocols. For more information, see [Azure AD Domain Services documentation](../active-directory-domain-services/index.yml). 
+>Microsoft Entra authentication is _different_ from [Integrated Windows authentication](/previous-versions/windows/it-pro/windows-server-2003/cc758557(v=ws.10)) in on-premises Active Directory (AD DS). AD DS and Microsoft Entra ID use completely different authentication protocols. For more information, see [Microsoft Entra Domain Services documentation](../active-directory-domain-services/index.yml). [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] Prepare your environment for the Azure CLI. [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/cloud-shell-try-it-no-header.md)] -## 1. Configure database server with Azure AD authentication +<a name='1-configure-database-server-with-azure-ad-authentication'></a> -First, enable Azure Active Directory authentication to SQL Database by assigning an Azure AD user as the admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). +## 1. Configure database server with Microsoft Entra authentication -1. If your Azure AD tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md). +First, enable Microsoft Entra authentication to SQL Database by assigning a Microsoft Entra user as the admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Microsoft Entra ID. 
For more information on allowed Microsoft Entra users, see [Microsoft Entra features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). -1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az_ad_user_list) and replace *\<user-principal-name>*. The result is saved to a variable. +1. If your Microsoft Entra tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Microsoft Entra ID](../active-directory/fundamentals/add-users-azure-active-directory.md). ++1. Find the object ID of the Microsoft Entra user using the [`az ad user list`](/cli/azure/ad/user#az_ad_user_list) and replace *\<user-principal-name>*. The result is saved to a variable. ```azurecli-interactive azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query [].id --output tsv) ``` > [!TIP]- > To see the list of all user principal names in Azure AD, run `az ad user list --query [].userPrincipalName`. + > To see the list of all user principal names in Microsoft Entra ID, run `az ad user list --query [].userPrincipalName`. > -1. Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix). +1. Add this Microsoft Entra user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az_sql_server_ad_admin_create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix). 
```azurecli-interactive az sql server ad-admin create --resource-group <group-name> --server-name <server-name> --display-name ADMIN --object-id $azureaduser First, enable Azure Active Directory authentication to SQL Database by assigning az sql server ad-only-auth enable --resource-group <group-name> --server-name <server-name> ``` -For more information on adding an Active Directory admin, see [Provision Azure AD admin (SQL Database)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database). +For more information on adding an Active Directory admin, see [Provision Microsoft Entra admin (SQL Database)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database). ## 2. Enable user authentication for your app -You enable authentication with Azure Active Directory as the identity provider. For more information, see [Configure Azure Active Directory authentication for your App Services application](configure-authentication-provider-aad.md). +You enable authentication with Microsoft Entra ID as the identity provider. For more information, see [Configure Microsoft Entra authentication for your App Services application](configure-authentication-provider-aad.md). 1. In the [Azure portal](https://portal.azure.com) menu, select **Resource groups** or search for and select *Resource groups* from any page. You enable authentication with Azure Active Directory as the identity provider. 1. In your app's left menu, select **Authentication**, and then select **Add identity provider**. -1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Azure AD identities. +1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Microsoft Entra identities. 1. Accept the default settings and select **Add**. You enable authentication with Azure Active Directory as the identity provider. ## 3. 
Configure user impersonation to SQL Database -Currently, your Azure app connects to SQL Database uses SQL authentication (username and password) managed as app settings. In this step, you give the app permissions to access SQL Database on behalf of the signed-in Azure AD user. +Currently, your Azure app connects to SQL Database uses SQL authentication (username and password) managed as app settings. In this step, you give the app permissions to access SQL Database on behalf of the signed-in Microsoft Entra user. 1. In the **Authentication** page for the app, select your app name under **Identity provider**. This app registration was automatically generated for you. Select **API permissions** in the left menu. Currently, your Azure app connects to SQL Database uses SQL authentication (user ## 4. Configure App Service to return a usable access token -The app registration in Azure Active Directory now has the required permissions to connect to SQL Database by impersonating the signed-in user. Next, you configure your App Service app to give you a usable access token. +The app registration in Microsoft Entra ID now has the required permissions to connect to SQL Database by impersonating the signed-in user. Next, you configure your App Service app to give you a usable access token. In the Cloud Shell, run the following commands on the app to add the `scope` parameter to the authentication setting `identityProviders.azureActiveDirectory.login.loginParameters`. public MyDatabaseContext (DbContextOptions<MyDatabaseContext> options, IHttpCont -- -When the new webpage shows your to-do list, your app is connecting to the database on behalf of the signed-in Azure AD user. +When the new webpage shows your to-do list, your app is connecting to the database on behalf of the signed-in Microsoft Entra user. ![Azure app after Code First Migration](./media/app-service-web-tutorial-dotnet-sqldatabase/this-one-is-done.png) This command may take a minute to run. 
## Frequently asked questions - [Why do I get a `Login failed for user '<token-identified principal>'.` error?](#why-do-i-get-a-login-failed-for-user-token-identified-principal-error)-- [How do I add other Azure AD users or groups in Azure SQL Database?](#how-do-i-add-other-azure-ad-users-or-groups-in-azure-sql-database)+- [How do I add other Microsoft Entra users or groups in Azure SQL Database?](#how-do-i-add-other-azure-ad-users-or-groups-in-azure-sql-database) - [How do I debug locally when using App Service authentication?](#how-do-i-debug-locally-when-using-app-service-authentication) - [What happens when access tokens expire?](#what-happens-when-access-tokens-expire) This command may take a minute to run. The most common causes of this error are: - You're running the code locally, and there's no valid token in the `X-MS-TOKEN-AAD-ACCESS-TOKEN` request header. See [How do I debug locally when using App Service authentication?](#how-do-i-debug-locally-when-using-app-service-authentication).-- Azure AD authentication isn't configured on your SQL Database.-- The signed-in user isn't permitted to connect to the database. See [How do I add other Azure AD users or groups in Azure SQL Database?](#how-do-i-add-other-azure-ad-users-or-groups-in-azure-sql-database).+- Microsoft Entra authentication isn't configured on your SQL Database. +- The signed-in user isn't permitted to connect to the database. See [How do I add other Microsoft Entra users or groups in Azure SQL Database?](#how-do-i-add-other-azure-ad-users-or-groups-in-azure-sql-database). ++<a name='how-do-i-add-other-azure-ad-users-or-groups-in-azure-sql-database'></a> -#### How do I add other Azure AD users or groups in Azure SQL Database? +#### How do I add other Microsoft Entra users or groups in Azure SQL Database? 1. 
Connect to your database server, such as with [sqlcmd](/azure/azure-sql/database/authentication-aad-configure#sqlcmd) or [SSMS](/azure/azure-sql/database/authentication-aad-configure#connect-to-the-database-using-ssms-or-ssdt).-1. [Create contained users mapped to Azure AD identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) in SQL Database documentation. +1. [Create contained users mapped to Microsoft Entra identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) in SQL Database documentation. - The following Transact-SQL example adds an Azure AD identity to SQL Server and gives it some database roles: + The following Transact-SQL example adds a Microsoft Entra identity to SQL Server and gives it some database roles: ```sql CREATE USER [<user-or-group-name>] FROM EXTERNAL PROVIDER; What you learned: > * Enable built-in authentication for Azure SQL Database > * Disable other authentication options in Azure SQL Database > * Enable App Service authentication-> * Use Azure Active Directory as the identity provider -> * Access Azure SQL Database on behalf of the signed-in Azure AD user +> * Use Microsoft Entra ID as the identity provider +> * Access Azure SQL Database on behalf of the signed-in Microsoft Entra user > [!div class="nextstepaction"] > [Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md) |
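Review bot: in the `+1. Find the object ID ...` step, `azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query [].id --output tsv)` silently yields an empty variable when the UPN is mistyped, and the following `az sql server ad-admin create ... --object-id $azureaduser` then fails with an error that does not name the cause. Add a one-line check such as `[ -n "$azureaduser" ] || echo "user not found"` before the admin step. The same hunk also mixes names: "Add this Microsoft Entra user as an Active Directory admin" and "For more information on adding an Active Directory admin" should say "Microsoft Entra admin" (the literal command `az sql server ad-admin create` is fine as is).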
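Review bot: the FAQ hunk ("How do I add other Microsoft Entra users or groups in Azure SQL Database?") is the only place that shows the least-privilege path, `CREATE USER [<user-or-group-name>] FROM EXTERNAL PROVIDER;` followed by role grants, while step 1 makes the signed-in user the server's Entra admin. Add a sentence in step 1 or section 3 saying that the admin assignment is for setup only and that application users should be added as contained users with database roles per this FAQ, so readers do not ship the tutorial with every end user needing admin. Also the unchanged context line "Currently, your Azure app connects to SQL Database uses SQL authentication" should read "connects to SQL Database using SQL authentication".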
app-service | Tutorial Connect App App Graph Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-app-app-graph-javascript.md | -# Requires non-internal subscription - internal subscriptions doesn't provide permission to correctly configure AAD apps +# Requires non-internal subscription - internal subscriptions doesn't provide permission to correctly configure Microsoft Entra apps # Tutorial: Flow authentication from App Service through back-end API to Microsoft Graph This tutorial doesn't: In the previous tutorial, when the user signed in to the frontend app, a pop-up displayed asking for user consent. -In this tutorial, in order to read user profile from Microsoft Graph, the back-end app needs to exchange the signed-in user's [access token](../active-directory/develop/access-tokens.md) for a new access token with the required permissions for Microsoft Graph. Because the user isn't directly connected to the backend app, they can't access the consent screen interactively. You must work around this by configuring the back-end app's app registration in Azure AD to [grant admin consent](../active-directory/manage-apps/grant-admin-consent.md?pivots=portal). This is a setting change typically done by an Active Directory administrator. +In this tutorial, in order to read user profile from Microsoft Graph, the back-end app needs to exchange the signed-in user's [access token](../active-directory/develop/access-tokens.md) for a new access token with the required permissions for Microsoft Graph. Because the user isn't directly connected to the backend app, they can't access the consent screen interactively. You must work around this by configuring the back-end app's app registration in Microsoft Entra ID to [grant admin consent](../active-directory/manage-apps/grant-admin-consent.md?pivots=portal). This is a setting change typically done by an Active Directory administrator. 1. 
Open the Azure portal and search for your research for the backend App Service. 1. Find the **Settings -> Authentication** section. In this tutorial, in order to read user profile from Microsoft Graph, the back-e ## 2. Install npm packages -In the previous tutorial, the backend app didn't need any npm packages for authentication because the only authentication was provided by configuring the identity provider in the Azure portal. In this tutorial, the signed-in user's access token for the back-end API must be exchanged for an access token with Microsoft Graph in its scope. This exchange is completed with two libraries because this exchange doesn't use App Service authentication anymore, but Azure Active Directory and MSAL.js directly. +In the previous tutorial, the backend app didn't need any npm packages for authentication because the only authentication was provided by configuring the identity provider in the Azure portal. In this tutorial, the signed-in user's access token for the back-end API must be exchanged for an access token with Microsoft Graph in its scope. This exchange is completed with two libraries because this exchange doesn't use App Service authentication anymore, but Microsoft Entra ID and MSAL.js directly. -* [@azure/msal-node](https://www.npmjs.com/package/@azure/msal-node) - exchange token +* [@azure/MSAL-node](https://www.npmjs.com/package/@azure/msal-node) - exchange token * [@microsoft/microsoft-graph-client](https://www.npmjs.com/package/@microsoft/microsoft-graph-client) - connect to Microsoft Graph 1. Open the Azure Cloud Shell and change into the sample directory's backend app: |
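Review bot: the `+* [@azure/MSAL-node](https://www.npmjs.com/package/@azure/msal-node)` line changes the case of the package name; npm package names are lowercase and case-sensitive, the URL still reads `msal-node`, and `npm install @azure/MSAL-node` does not resolve, so this looks like an over-eager find-and-replace and should be reverted to `@azure/msal-node`. In the same file, the `+` paragraph on admin consent still ends "typically done by an Active Directory administrator", which is the old name the commit is otherwise replacing, and the unchanged context line "search for your research for the backend App Service" should read "search for the backend App Service".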
app-service | Tutorial Python Postgresql App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-python-postgresql-app.md | Title: 'Tutorial: Deploy a Python Django or Flask web app with PostgreSQL' description: Create a Python Django or Flask web app with a PostgreSQL database and deploy it to Azure. The tutorial uses either the Django or Flask framework and the app is hosted on Azure App Service on Linux. ms.devlang: python Previously updated : 02/28/2023 Last updated : 10/31/2023 +zone_pivot_groups: app-service-portal-azd # Deploy a Python (Django or Flask) web app with PostgreSQL in Azure +### [Flask](#tab/flask) ++> [!TIP] +> With [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed, you can skip to the end of the tutorial by running the following commands in an empty working directory: +> +> ```bash +> azd auth login +> azd init --template msdocs-flask-postgresql-sample-app +> azd up +> ``` ++### [Django](#tab/django) ++> [!TIP] +> With [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed, you can skip to the end of the tutorial by running the following commands in an empty working directory: +> +> ```bash +> azd auth login +> azd init --template msdocs-django-postgresql-sample-app +> azd up +> ``` ++-- + In this tutorial, you'll deploy a data-driven Python web app (**[Django](https://www.djangoproject.com/)** or **[Flask](https://flask.palletsprojects.com/)**) to **[Azure App Service](./overview.md#app-service-on-linux)** with the **[Azure Database for PostgreSQL](../postgresql/index.yml)** relational database service. Azure App Service supports [Python](https://www.python.org/downloads/) in a Linux server environment. 
:::image type="content" border="False" source="./media/tutorial-python-postgresql-app/python-postgresql-app-architecture-240px.png" lightbox="./media/tutorial-python-postgresql-app/python-postgresql-app-architecture.png" alt-text="An architecture diagram showing an App Service with a PostgreSQL database in Azure."::: In this tutorial, you'll deploy a data-driven Python web app (**[Django](https:/ Sample Python applications using the Flask and Django framework are provided to help you follow along with this tutorial. To deploy them without running them locally, skip this part. -To run the application locally, make sure you have [Python 3.7 or higher](https://www.python.org/downloads/) and [PostgreSQL](https://www.postgresql.org/download/) installed locally. Then, download or clone the app: +To run the application locally, make sure you have [Python 3.7 or higher](https://www.python.org/downloads/) and [PostgreSQL](https://www.postgresql.org/download/) installed locally. Then, download or clone the app and go to the application folder: ### [Flask](#tab/flask) ```bash-git clone https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app.git +git clone git clone https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app +cd msdocs-flask-postgresql-sample-app ``` ### [Django](#tab/django) ```bash git clone https://github.com/Azure-Samples/msdocs-django-postgresql-sample-app.git-``` ---Go to the application folder: --### [Flask](#tab/flask) --```bash -cd msdocs-python-flask-webapp-quickstart -``` --### [Django](#tab/django) --```bash cd msdocs-django-postgresql-sample-app ``` python manage.py runserver ## 1. Create App Service and PostgreSQL ++### [Flask](#tab/flask) ++```bash +git clone https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app.git +``` ++### [Django](#tab/django) ++```bash +git clone https://github.com/Azure-Samples/msdocs-django-postgresql-sample-app.git +``` ++-- ++ In this step, you create the Azure resources. 
The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Database for PostgreSQL. For the creation process, you'll specify: * The **Name** for the web app. It's the name used as part of the DNS name for your webapp in the form of `https://<app-name>.azurewebsites.net`. When you're finished, you can delete all of the resources from your Azure subscr :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-clean-up-resources-3.png" alt-text="A screenshot of the confirmation dialog for deleting a resource group in the Azure portal." lightbox="./media/tutorial-python-postgresql-app/azure-portal-clean-up-resources-3.png":::: :::column-end::: :::row-end:::++In this tutorial, you'll deploy a data-driven Python web app (**[Django](https://www.djangoproject.com/)** or **[Flask](https://flask.palletsprojects.com/)**) to **[Azure App Service](./overview.md#app-service-on-linux)** with the **[Azure Database for PostgreSQL](../postgresql/index.yml)** relational database service. Azure App Service supports [Python](https://www.python.org/downloads/) in a Linux server environment. +++**To complete this tutorial, you'll need:** ++* An Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/python). +* [Git](https://git-scm.com/downloads) installed locally. +* [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed locally. +* Knowledge of Python with Flask development or [Python with Django development](/training/paths/django-create-data-driven-websites/). ++> [!NOTE] +> If you want, you can follow the steps using the [Azure Cloud Shell](https://shell.azure.com). It has all tools you need to follow this tutorial. ++## Sample application ++A sample Python application using the Flask framework is provided to help you follow along with this tutorial. 
To deploy it without running it locally, skip this part. ++> [!NOTE] +> To run the sample application locally, you need [Python 3.7 or higher](https://www.python.org/downloads/) and [PostgreSQL](https://www.postgresql.org/download/) installed locally. ++Clone the sample repository's `starter-no-infra` branch and change to the repository root. ++```bash +git clone -b starter-no-infra https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app +cd msdocs-flask-postgresql-sample-app +``` ++Create an *.env* file as shown below using the *.env.sample* file as a guide. Set the values of `DBNAME`, `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. ++``` +DBNAME=<database name> +DBHOST=<database-hostname> +DBUSER=<db-user-name> +DBPASS=<db-password> +``` ++Create a virtual environment for the app. +++Run the sample. ++```bash +# Install dependencies +pip install -r requirements.txt +# Run database migrations +flask db upgrade +# Run the app at http://127.0.0.1:5000 +flask run +``` ++## 1. Create Azure resources and deploy a sample app ++In this step, you create the Azure resources and deploy a sample app to App Service on Linux. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Database for PostgreSQL. ++1. If you haven't already, clone the sample repository's `starter-no-infra` branch in a local terminal. ++ ```bash + git clone -b starter-no-infra https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app + cd msdocs-flask-postgresql-sample-app + ``` ++ This cloned branch is your starting point. It contains a simple data-drive Flask application. ++1. From the repository root, run `azd init`. 
++ ```bash + azd init --template python-app-service-postgresql-infra + ``` ++ This azd template contains files (*azure.yaml* and the *infra* directory) that will generate a secure-by-default architecture with the following Azure resources: ++ - **Resource group** → The container for all the created resources. + - **App Service plan** → Defines the compute resources for App Service. A Linux plan in the *B1* tier is specified. + - **App Service** → Represents your app and runs in the App Service plan. + - **Virtual network** → Integrated with the App Service app and isolates back-end network traffic. + - **Azure Database for PostgreSQL flexible server** → Accessible only from within the virtual network. A database and a user are created for you on the server. + - **Private DNS zone** → Enables DNS resolution of the PostgreSQL server in the virtual network. + - **Log Analytics workspace** → Acts as the target container for your app to ship its logs, where you can also query the logs. ++1. When prompted, give the following answers: + + |Question |Answer | + ||| + |The current directory is not empty. Would you like to initialize a project here in '\<your-directory>'? | **Y** | + |What would you like to do with these files? | **Keep my existing files unchanged** | + |Enter a new environment name | Type a unique name. The azd template uses this name as part of the DNS name of your web app in Azure (`<app-name>.azurewebsites.net`). Alphanumeric characters and hyphens are allowed. | ++1. Run the `azd up` command to provision the necessary Azure resources and deploy the app code. If you are not already signed-in to Azure, the browser will launch and ask you to sign-in. The `azd up` command will also prompt you to select the desired subscription and location to deploy to. ++ ```bash + azd up + ``` ++ The `azd up` command might take a few minutes to complete. It also compiles and deploys your application code, but you'll modify your code later to work with App Service. 
While it's running, the command provides messages about the provisioning and deployment process, including a link to the deployment in Azure. When it finishes, the command also displays a link to the deploy application. + +## 2. Use the database connection string ++The azd template you use generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings) and outputs the them to the terminal for your convenience. App settings are one way to keep connection secrets out of your code repository. ++1. In the azd output, find the app settings and find the `AZURE_POSTGRESQL_CONNECTIONSTRING`. To keep secrets safe, only the setting names are displayed. They look like this in the azd output: ++ <pre> + App Service app has the following settings: + + - AZURE_POSTGRESQL_CONNECTIONSTRING + - FLASK_DEBUG + - SCM_DO_BUILD_DURING_DEPLOYMENT + - SECRET_KEY + </pre> ++1. `AZURE_POSTGRESQL_CONNECTIONSTRING` contains the connection string to the Postgres database in Azure, and you can use it in your code to connect to it. Open *azureproject/production.py*, uncomment the following lines, and save the file: ++ ```python + conn_str = os.environ['AZURE_POSTGRESQL_CONNECTIONSTRING'] + conn_str_params = {pair.split('=')[0]: pair.split('=')[1] for pair in conn_str.split(' ')} + + DATABASE_URI = 'postgresql+psycopg2://{dbuser}:{dbpass}@{dbhost}/{dbname}'.format( + dbuser=conn_str_params['user'], + dbpass=conn_str_params['password'], + dbhost=conn_str_params['host'], + dbname=conn_str_params['dbname'] + ) + ``` ++ Your application code is now configured to connect to the PostgreSQL database in Azure. If you want, open `app.py` and see how the `DATABASE_URI` environment variable is used. ++2. In the terminal, run `azd deploy` + + ```bash + azd deploy + ``` ++## 4. 
Generate database schema ++With the PostgreSQL database protected by the virtual network, the easiest way to run [Flask database migrations](https://flask-migrate.readthedocs.io/en/latest/) is in an SSH session with the App Service container. ++1. In the azd output, find the URL for the SSH session and navigate to it in the browser. It looks like this in the output: ++ <pre> + Open SSH session to App Service container at: https://<app-name>.scm.azurewebsites.net/webssh/host + </pre> ++1. In the SSH terminal, run `flask db upgrade`. If it succeeds, App Service is [connecting successfully to the database](#i-get-an-error-when-running-database-migrations). ++ :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-generate-db-schema-flask-2.png" alt-text="A screenshot showing the commands to run in the SSH shell and their output (Flask)." lightbox="./media/tutorial-python-postgresql-app/azure-portal-generate-db-schema-flask-2.png"::: ++ > [!NOTE] + > Only changes to files in `/home` can persist beyond app restarts. Changes outside of `/home` aren't persisted. + > + +## 5. Browse to the app ++1. In the azd output, find the URL of your app and navigate to it in the browser. The URL looks like this in the AZD output: ++ <pre> + Deploying services (azd deploy) + + (Γ£ô) Done: Deploying service web + - Endpoint: https://<app-name>.azurewebsites.net/ + </pre> ++2. Add a few restaurants to the list. ++ :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-browse-app-2.png" alt-text="A screenshot of the Flask web app with PostgreSQL running in Azure showing restaurants and restaurant reviews." lightbox="./media/tutorial-python-postgresql-app/azure-portal-browse-app-2.png"::: ++ Congratulations, you're running a web app in Azure App Service, with secure connectivity to Azure Database for PostgreSQL. ++## 6. 
Stream diagnostic logs ++Azure App Service can capture console logs to help you diagnose issues with your application. For convenience, the azd template has already [enabled logging to the local file system](troubleshoot-diagnostic-logs.md#enable-application-logging-linuxcontainer) as well as [shipping them to a Log Analytics workspace](troubleshoot-diagnostic-logs.md#send-logs-to-azure-monitor). ++The sample app includes `print()` statements to demonstrate this capability as shown in the following snippet. +++- In the azd output, find the link to stream App Service logs and navigate to it in the browser. The link looks like this in the azd output: ++ <pre> + Stream App Service logs at: https://portal.azure.com/#@/resource/subscriptions/<subscription-guid>/resourceGroups/<group-name>/providers/Microsoft.Web/sites/<app-name>/logStream + </pre> ++Learn more about logging in Python apps in the series on [setting up Azure Monitor for your Python application](/azure/azure-monitor/app/opencensus-python). ++## 7. Clean up resources ++To delete all Azure resources in the current deployment environment, run `azd down`. ++```bash +azd down +``` ## Troubleshooting -Listed below are issues you may encounter while trying to work through this tutorial and steps to resolve them. +Listed below are issues you might encounter while trying to work through this tutorial and steps to resolve them. #### I can't connect to the SSH session -If you can't connect to the SSH session, then the app itself has failed to start. Check the [diagnostic logs](#6-stream-diagnostic-logs) for details. For example, if you see an error like `KeyError: 'AZURE_POSTGRESQL_CONNECTIONSTRING'`, it may mean that the environment variable is missing (you may have removed the app setting). +If you can't connect to the SSH session, then the app itself has failed to start. Check the [diagnostic logs](#6-stream-diagnostic-logs) for details. 
For example, if you see an error like `KeyError: 'AZURE_POSTGRESQL_CONNECTIONSTRING'`, it might mean that the environment variable is missing (you might have removed the app setting). #### I get an error when running database migrations The [Django sample application](https://github.com/Azure-Samples/msdocs-django-p :::code language="python" source="~/msdocs-django-postgresql-sample-app/azureproject/production.py" range="25-26"::: For more information, see [Production settings for Django apps](configure-language-python.md#production-settings-for-django-apps).+ ## Next steps |
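Review bot: the section headings in this tutorial jump from `## 2. Use the database connection string` to `## 4. Generate database schema`, so either a section 3 is missing or sections 4 through 7 (and the `#6-stream-diagnostic-logs` anchor used in the troubleshooting text) need renumbering. In the *production.py* snippet the reader is told to uncomment, `pair.split('=')[1]` silently drops everything after a second `=` and splitting the connection string on spaces breaks on any quoted value containing a space, so a password containing either character produces a wrong `DATABASE_URI`; using `pair.split('=', 1)` and stating the expected key=value format would make the sample robust. The troubleshooting entry "I get an error when running database migrations" points at the Django sample repository and Django production settings even though this is the Flask tutorial. Smaller points in the added lines: "outputs the them", "data-drive Flask application", "a link to the deploy application", "signed-in"/"sign-in" used as verbs, and "Create a virtual environment for the app." is followed by no command.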
application-gateway | Key Vault Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/key-vault-certs.md | When you're using a restricted Key Vault, use the following steps to configure A > [!TIP] > Steps 1-3 are not required if your Key Vault has a Private Endpoint enabled. The application gateway can access the Key Vault using the private IP address. -> [!Note] +> [!IMPORTANT] > If using Private Endpoints to access Key Vault, you must link the privatelink.vaultcore.azure.net private DNS zone, containing the corresponding record to the referenced Key Vault, to the virtual network containing Application Gateway. Custom DNS servers may continue to be used on the virtual network instead of the Azure DNS provided resolvers, however the private dns zone will need to remain linked to the virtual network as well. 1. In the Azure portal, in your Key Vault, select **Networking**. |
attestation | Azure Tpm Vbs Attestation Usage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/azure-tpm-vbs-attestation-usage.md | This is the first step for any attestation to be performed. Setting up an endpoi Here's how you can set up an attestation endpoint using Portal -1 Prerequisite: Access to the Microsoft Azure Active Directory(Azure AD) tenant and subscription under which you want to create the attestation endpoint. -Learn more about setting up an [Azure AD tenant](../active-directory/develop/quickstart-create-new-tenant.md). +1 Prerequisite: Access to the Microsoft Entra tenant and subscription under which you want to create the attestation endpoint. +Learn more about setting up an [Microsoft Entra tenant](../active-directory/develop/quickstart-create-new-tenant.md). 2 Create an endpoint under the desired resource group, with the desired name. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5azcU] Sample policies can be found in the [policy section](tpm-attestation-sample-poli ### Client setup: A client to communicate with the attestation service endpoint needs to ensure it's following the protocol as described in the [protocol documentation](virtualization-based-security-protocol.md). Use the [Attestation Client NuGet](https://www.nuget.org/packages/Microsoft.Attestation.Client) to ease the integration. -1 Prerequisite: An Azure AD identity is needed to access the TPM endpoint. -Learn more [Azure AD identity tokens](../active-directory/develop/v2-overview.md). +1 Prerequisite: a Microsoft Entra identity is needed to access the TPM endpoint. +Learn more [Microsoft Entra identity tokens](../active-directory/develop/v2-overview.md). 2 Add Attestation Reader Role to the identity that will be need for authentication against the endpoint. 
Azure i > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRi] Using the Open ID [metadata endpoint](/rest/api/attestation/metadata-configurati ## Next steps - [Set up Azure Attestation using PowerShell](quickstart-powershell.md) - [Attest an SGX enclave using code samples](/samples/browse/?expanded=azure&terms=attestation)-- [Learn more about policy](policy-reference.md)+- [Learn more about policy](policy-reference.md) |
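Review bot: in the added prerequisite line, "an [Microsoft Entra tenant]" should read "a Microsoft Entra tenant", and "Add Attestation Reader Role to the identity that will be need for authentication" should read "that will be needed for authentication". The step markers "1 Prerequisite:" and "2 Create an endpoint" are bare digits with no period, so they do not form a numbered list in Markdown; use `1.` and `2.` list syntax so the steps render as a list.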
attestation | Basic Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/basic-concepts.md | See [examples of an attestation policy](policy-examples.md) An attestation policy is what ultimately determines if an attestation token will be issued by Azure Attestation. Policy also determines the claims to be generated in the attestation token. It is thus of utmost importance that the policy evaluated by the service is in fact the policy written by the administrator and it has not been tampered or modified by external entities. -Trust model defines the authorization model of attestation provider to define and update policy. Two models are supported ΓÇô one based on Azure AD authorization and one based on possession of customer-managed cryptographic keys (referred as isolated model). Isolated model will enable Azure Attestation to ensure that the customer-submitted policy is not tampered. +Trust model defines the authorization model of attestation provider to define and update policy. Two models are supported ΓÇô one based on Microsoft Entra authorization and one based on possession of customer-managed cryptographic keys (referred as isolated model). Isolated model will enable Azure Attestation to ensure that the customer-submitted policy is not tampered. In isolated model, administrator creates an attestation provider specifying a set of trusted signing X.509 certificates in a file. The administrator can then add a signed policy to the attestation provider. While processing the attestation request, Azure Attestation will validate the signature of the policy using the public key represented by either the ΓÇ£jwkΓÇ¥ or the ΓÇ£x5cΓÇ¥ parameter in the header. Azure Attestation will also verify if public key in the request header is in the list of trusted signing certificates associated with the attestation provider. In this way, the relying party (Azure Attestation) can trust a policy signed using the X.509 certificates it knows about. |
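Review bot: the rewritten sentence keeps two grammar slips from the original: "referred as isolated model" should be "referred to as the isolated model", and "is not tampered" should be "has not been tampered with". In the next paragraph the parameter names "jwk" and "x5c" are wrapped in curly quotes that came through as mojibake (ΓÇ£ ΓÇ¥); formatting them as code (`jwk`, `x5c`) avoids the encoding problem and makes clear they are JOSE header parameters.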
attestation | Quickstart Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/quickstart-powershell.md | New-AzResourceGroup -Name $attestationResourceGroup -Location $location ``` > [!NOTE]- > Once an attestation provider is created in this resource group, an Azure AD user must have **Attestation Contributor** role on the provider to perform operations like policy configuration/ policy signer certificates management. These permissions can also be inherited with roles such as **Owner** (wildcard permissions)/ **Contributor** (wildcard permissions) on the subscription/ resource group. + > Once an attestation provider is created in this resource group, a Microsoft Entra user must have **Attestation Contributor** role on the provider to perform operations like policy configuration/ policy signer certificates management. These permissions can also be inherited with roles such as **Owner** (wildcard permissions)/ **Contributor** (wildcard permissions) on the subscription/ resource group. ## Create and manage an attestation provider Remove-AzAttestationProvider -Name $attestationProvider -ResourceGroupName $atte ## Policy management -In order to manage policies, an Azure AD user requires the following permissions for "Actions": +In order to manage policies, a Microsoft Entra user requires the following permissions for "Actions": - Microsoft.Attestation/attestationProviders/attestation/read - Microsoft.Attestation/attestationProviders/attestation/write - Microsoft.Attestation/attestationProviders/attestation/delete - To perform these actions, an Azure AD user must have **Attestation Contributor** role on the attestation provider. These permissions can also be inherited with roles such as **Owner** (wildcard permissions)/ **Contributor** (wildcard permissions) on the subscription/ resource group. + To perform these actions, a Microsoft Entra user must have **Attestation Contributor** role on the attestation provider. 
These permissions can also be inherited with roles such as **Owner** (wildcard permissions)/ **Contributor** (wildcard permissions) on the subscription/ resource group. -In order to read policies, an Azure AD user requires the following permission for "Actions": +In order to read policies, a Microsoft Entra user requires the following permission for "Actions": - Microsoft.Attestation/attestationProviders/attestation/read - To perform this action, an Azure AD user must have **Attestation Reader** role on the attestation provider. The read permissions can also be inherited with roles such as **Reader** (wildcard permissions) on the subscription/ resource group. + To perform this action, a Microsoft Entra user must have **Attestation Reader** role on the attestation provider. The read permissions can also be inherited with roles such as **Reader** (wildcard permissions) on the subscription/ resource group. These PowerShell cmdlets provide policy management for an attestation provider (one TEE at a time). |
attestation | Troubleshoot Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/troubleshoot-guide.md | At line:1 char:1 **Troubleshooting steps** -In order to manage policies, an Azure AD user requires the following permissions for "Actions": +In order to manage policies, a Microsoft Entra user requires the following permissions for "Actions": - Microsoft.Attestation/attestationProviders/attestation/read - Microsoft.Attestation/attestationProviders/attestation/write - Microsoft.Attestation/attestationProviders/attestation/delete - To perform these actions, an Azure AD user must have "Attestation Contributor" role on the attestation provider. These permissions can also be inherited with roles such as "Owner" (wildcard permissions), "Contributor" (wildcard permissions) on the subscription/ resource group. + To perform these actions, a Microsoft Entra user must have "Attestation Contributor" role on the attestation provider. These permissions can also be inherited with roles such as "Owner" (wildcard permissions), "Contributor" (wildcard permissions) on the subscription/ resource group. -In order to read policies, an Azure AD user requires the following permission for "Actions": +In order to read policies, a Microsoft Entra user requires the following permission for "Actions": - Microsoft.Attestation/attestationProviders/attestation/read - To perform this action, an Azure AD user must have "Attestation Reader" role on the attestation provider. Read permissions are also part of roles such as "Reader" (wildcard permissions) on the subscription/ resource group. + To perform this action, a Microsoft Entra user must have "Attestation Reader" role on the attestation provider. Read permissions are also part of roles such as "Reader" (wildcard permissions) on the subscription/ resource group. To verify the roles in PowerShell, run the below steps: |
attestation | Workflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/workflow.md | Here are the general steps in a typical SGX enclave attestation workflow (using ![SGX enclave validation flow](./media/sgx-validation-flow.png) > [!Note]-> When you send attestation requests in the [2018-09-01-preview](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/attestation/data-plane/Microsoft.Attestation/stable/2018-09-01-preview) API version, the client needs to send evidence to Azure Attestation along with the Azure AD access token. +> When you send attestation requests in the [2018-09-01-preview](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/attestation/data-plane/Microsoft.Attestation/stable/2018-09-01-preview) API version, the client needs to send evidence to Azure Attestation along with the Microsoft Entra access token. ## Trusted Platform Module (TPM) enclave validation work flow Here are the general steps in a typical TPM enclave attestation workflow (using Azure Attestation): 1. On device/platform boot, various boot loaders and boot services measure events backed by TPM and securely store them as TCG logs. Client collects the TCG logs from the device and TPM quote, which acts evidence for attestation.-2. The client authenticates to Azure AD and obtains an access token. -3. The client has an URI, which refers to an instance of Azure Attestation. The client sends the evidence and the Azure Active Directory (Azure AD) access token to Azure Attestation. Exact information submitted to the provider depends on the platform. +2. The client authenticates to Microsoft Entra ID and obtains an access token. +3. The client has an URI, which refers to an instance of Azure Attestation. The client sends the evidence and the Microsoft Entra access token to Azure Attestation. Exact information submitted to the provider depends on the platform. 4. 
Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client. The communication between the client and attestation service is dictated by the Azure attestation TPM protocol. 5. The client then sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the platform's trustworthiness. |
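Review bot: in step 3 of the TPM workflow, "The client has an URI" should be "a URI", and in step 1 "which acts evidence for attestation" should be "which acts as evidence for attestation". Step 4 writes "the Azure attestation TPM protocol" while the rest of the list uses "Azure Attestation"; the product name should be capitalized consistently.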
automation | Add User Assigned Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/add-user-assigned-identity.md | If you don't have an Azure subscription, create a [free account](https://azure.m - The latest version of Azure Account modules. Currently this is 2.2.8. (See [Az.Accounts](https://www.powershellgallery.com/packages/Az.Accounts/) for details about this version.) -- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the user-assigned managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Azure AD tenant.+- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the user-assigned managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Microsoft Entra tenant. - To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../role-based-access-control/built-in-roles.md#owner). Perform the following steps. ## Assign a role to a user-assigned managed identity -An Automation account can use its user-assigned managed identity to obtain tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens don't represent any specific user of the application. Instead, they represent the application that is accessing the resource. In this case, for example, the token represents an Automation account. +An Automation account can use its user-assigned managed identity to obtain tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. 
These tokens don't represent any specific user of the application. Instead, they represent the application that is accessing the resource. In this case, for example, the token represents an Automation account. Before you can use your user-assigned managed identity for authentication, set up access for that identity on the Azure resource where you plan to use the identity. To complete this task, assign the appropriate role to that identity on the target Azure resource. |
automation | Automation Create Standalone Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-create-standalone-account.md | With this account created for you, you can quickly start building and deploying To create or update an Automation account, and to complete the tasks described in this article, you must have the following privileges and permissions: -To create an Automation account, your Azure AD user account must be added to a role with permissions equivalent to the Owner role for `Microsoft.Automation` resources. For more information, see [Role-Based Access Control in Azure Automation](automation-role-based-access-control.md). +To create an Automation account, your Microsoft Entra user account must be added to a role with permissions equivalent to the Owner role for `Microsoft.Automation` resources. For more information, see [Role-Based Access Control in Azure Automation](automation-role-based-access-control.md). ## Create a new Automation account in the Azure portal The following table describes the fields on the **Advanced** tab. | **Field** | **Required**<br> **or**<br> **optional** |**Description** | ||||-|System-assigned |Optional |An Azure Active Directory identity that is tied to the lifecycle of the Automation account. | +|System-assigned |Optional |A Microsoft Entra identity that is tied to the lifecycle of the Automation account. | |User-assigned |Optional |A managed identity represented as a standalone Azure resource that is managed separately from the resources that use it.| You can chose to enable managed identities later, and the Automation account is created without one. To enable a managed identity after the account is created, see [Enable managed identity](enable-managed-identity-for-automation.md). If you select both options, for the user-assigned identity, select the **Add user assigned identities** option. 
On the **Select user assigned managed identity** page, select a subscription and add one or more user-assigned identities created in that subscription to assign to the Automation account. |
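Review bot: the unchanged line "You can chose to enable managed identities later" has a typo ("chose" should be "choose"); since the table above it is being edited anyway, it is worth fixing in the same change.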
automation | Automation Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-disaster-recovery.md | You can use these scripts for migration of Automation account assets from the ac - Az.Resources version 6.0.0 - Az.Automation version 1.7.3 - Az.Storage version 4.6.0 -1. Ensure that both the source and destination Automation accounts should belong to the same Azure Active Directory tenant. +1. Ensure that both the source and destination Automation accounts should belong to the same Microsoft Entra tenant. ### Create and execute the runbook You can use the[PowerShell script](https://github.com/azureautomation/Migrate-automation-account-assets-from-one-region-to-another) or [PowerShell workflow](https://github.com/azureautomation/Migrate-automation-account-assets-from-one-region-to-another-PwshWorkflow/tree/main) runbook or import from the Runbook gallery and execute it to enable migration of assets from one Automation account to another. Type[] | True | Array consisting of all the types of assets that need to be migr ## Next steps -- Learn more about [regions that support availability zones](../availability-zones/az-region.md).+- Learn more about [regions that support availability zones](../availability-zones/az-region.md). |
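Review bot: the rewritten prerequisite "Ensure that both the source and destination Automation accounts should belong to the same Microsoft Entra tenant" keeps a redundant "should" after "Ensure that"; "Ensure that both ... Automation accounts belong to the same Microsoft Entra tenant" reads correctly. The following paragraph is missing a space in "You can use the[PowerShell script]".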
automation | Automation Hybrid Runbook Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-hybrid-runbook-worker.md | The extension-based Hybrid Runbook Worker only supports the user Hybrid Runbook The extension-based approach greatly simplifies the installation and management of the User Hybrid Runbook Worker, removing the complexity of working with the agent-based approach. Here are some key benefits: - **Seamless onboarding** ΓÇô The Agent-based approach for onboarding Hybrid Runbook worker is dependent on the Log Analytics agent, which is a multi-step, time-consuming, and error-prone process. The extension-based approach is no longer dependent on the Log Analytics agent. - **Ease of Manageability** ΓÇô It offers native integration with ARM identity for Hybrid Runbook Worker and provides the flexibility for governance at scale through policies and templates.-- **Azure Active Directory based authentication** ΓÇô It uses a VM system-assigned managed identities provided by Azure Active Directory. This centralizes control and management of identities and resource credentials.+- **Microsoft Entra ID based authentication** ΓÇô It uses a VM system-assigned managed identities provided by Microsoft Entra ID. This centralizes control and management of identities and resource credentials. - **Unified experience** ΓÇô It offers an identical experience for managing Azure and off-Azure Arc-enabled machines. - **Multiple onboarding channels** ΓÇô You can choose to onboard and manage extension-based workers through the Azure portal, PowerShell cmdlets, Bicep, ARM templates, REST API and Azure CLI. You can also install the extension on an existing Azure VM or Arc-enabled server within the Azure portal experience of that machine through the Extensions blade. - **Default Automatic upgrade** ΓÇô It offers Automatic upgrade of minor versions by default, significantly reducing the manageability of staying updated on the latest version. 
We recommend enabling Automatic upgrades to take advantage of any security or feature updates without the manual overhead. You can also opt out of automatic upgrades at any time. Any major version upgrades are currently not supported and should be managed manually. |
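Review bot: the rewritten bullet "It uses a VM system-assigned managed identities provided by Microsoft Entra ID" mixes singular and plural; "It uses the VM's system-assigned managed identity provided by Microsoft Entra ID" is the intended reading. In the last bullet, "significantly reducing the manageability of staying updated on the latest version" says the opposite of what the surrounding sentence means ("without the manual overhead"); "reducing the management overhead of staying on the latest version" carries the intended sense.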
automation | Automation Managed Identity Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-managed-identity-faq.md | Automation Run As accounts will not be supported after **30 September 2023**. Co ## What is a managed identity?-Applications use managed identities in Azure AD when they're connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without managing credentials, secrets, certificates, or keys. +Applications use managed identities in Microsoft Entra ID when they're connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without managing credentials, secrets, certificates, or keys. -For more information about managed identities in Azure AD, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). ## What can I do with a managed identity in Automation accounts? -An Azure Automation managed identity from Azure AD allows your runbook to access other Azure AD-protected resources easily. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. +An Azure Automation managed identity from Microsoft Entra ID allows your runbook to access other Microsoft Entra protected resources easily. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. Key benefits are:-- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.+- You can use managed identities to authenticate to any Azure service that supports Microsoft Entra authentication. 
- Managed identities eliminate the overhead associated with managing Run As accounts in your runbook code. You can access resources via a managed identity of an Automation account from a runbook without worrying about creating the service principal, Run As certificate, Run As connection, and so on. - You don't have to renew the certificate that the Automation Run As account uses. ## Are managed identities more secure than a Run As account?-A Run As account creates an Azure AD app that's used to manage the resources within the subscription through a certificate that has contributor access at the subscription level by default. A malicious user could use this certificate to perform a privileged operation against resources in the subscription, leading to potential vulnerabilities. +A Run As account creates a Microsoft Entra app that's used to manage the resources within the subscription through a certificate that has contributor access at the subscription level by default. A malicious user could use this certificate to perform a privileged operation against resources in the subscription, leading to potential vulnerabilities. -Run As accounts also have a management overhead that involves creating a service principal, Run As certificate, Run As connection, certificate renewal, and so on. Managed identities eliminate this overhead by providing a secure method for users to authenticate and access resources that support Azure AD authentication without worrying about any certificate or credential management. +Run As accounts also have a management overhead that involves creating a service principal, Run As certificate, Run As connection, certificate renewal, and so on. Managed identities eliminate this overhead by providing a secure method for users to authenticate and access resources that support Microsoft Entra authentication without worrying about any certificate or credential management. ## Can a managed identity be used for both cloud and hybrid jobs? 
Azure Automation supports [system-assigned managed identities](./automation-security-overview.md#managed-identities) for both cloud and hybrid jobs. Currently, Azure Automation [user-assigned managed identities](./automation-security-overview.md) can be used for cloud jobs only and can't be used for jobs that run on a hybrid worker. |
automation | Automation Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-role-based-access-control.md | You can create [Azure custom roles](../role-based-access-control/custom-roles.md ## Update Management permissions -Update Management can be used to assess and schedule update deployments to machines in multiple subscriptions in the same Azure Active Directory (Azure AD) tenant, or across tenants using Azure Lighthouse. The following table lists the permissions needed to manage update deployments. +Update Management can be used to assess and schedule update deployments to machines in multiple subscriptions in the same Microsoft Entra tenant, or across tenants using Azure Lighthouse. The following table lists the permissions needed to manage update deployments. |**Resource** |**Role** |**Scope** | |||| You can remove the access permission for a user who isn't managing the Automatio You can also configure role-based access to an Automation account using the following [Azure PowerShell cmdlets](../role-based-access-control/role-assignments-powershell.md): -[Get-AzRoleDefinition](/powershell/module/Az.Resources/Get-AzRoleDefinition) lists all Azure roles that are available in Azure Active Directory. You can use this cmdlet with the `Name` parameter to list all the actions that a specific role can perform. +[Get-AzRoleDefinition](/powershell/module/Az.Resources/Get-AzRoleDefinition) lists all Azure roles that are available in Microsoft Entra ID. You can use this cmdlet with the `Name` parameter to list all the actions that a specific role can perform. ```azurepowershell-interactive Get-AzRoleDefinition -Name 'Automation Operator' |
automation | Automation Secure Asset Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-secure-asset-encryption.md | Before enabling customer-managed keys for an Automation account, you must ensure - An [Azure Key Vault](../key-vault/general/basic-concepts.md) with the **Soft Delete** and **Do Not Purge** properties enabled. These properties are required to allow for recovery of keys if there's accidental deletion. - Only RSA keys are supported with Azure Automation encryption. For more information about keys, see [About Azure Key Vault keys, secrets, and certificates](../key-vault/general/about-keys-secrets-certificates.md).-- The Automation account and the key vault can be in different subscriptions but need to be in the same Azure Active Directory tenant.+- The Automation account and the key vault can be in different subscriptions but need to be in the same Microsoft Entra tenant. - When using PowerShell, verify the [Azure Az PowerShell module](/powershell/azure/new-azureps-module-az) is installed. To install or upgrade, see [How to install the Azure Az PowerShell module](/powershell/azure/install-azure-powershell). ## Generate and assign a new system-assigned identity for an Automation account |
automation | Automation Security Guidelines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-security-guidelines.md | This section guides you in configuring your Automation account securely. 1. Limit the number of highly privileged roles such as Automation Contributor to reduce the potential for breach by a compromised owner. -1. Use [Azure AD Privileged Identity Management](../active-directory/roles/security-planning.md#use-azure-ad-privileged-identity-management) to protect the privileged accounts from malicious cyber-attacks to increase your visibility into their use through reports and alerts. +1. Use [Microsoft Entra Privileged Identity Management](../active-directory/roles/security-planning.md#use-azure-ad-privileged-identity-management) to protect the privileged accounts from malicious cyber-attacks to increase your visibility into their use through reports and alerts. ### Securing Hybrid Runbook worker role -1. Install Hybrid workers using the [Hybrid Runbook Worker VM extension](./extension-based-hybrid-runbook-worker-install.md?tabs=windows), that doesn't have any dependency on the Log Analytics agent. We recommend this platform as it leverages Azure AD based authentication. +1. Install Hybrid workers using the [Hybrid Runbook Worker VM extension](./extension-based-hybrid-runbook-worker-install.md?tabs=windows), that doesn't have any dependency on the Log Analytics agent. We recommend this platform as it leverages Microsoft Entra ID based authentication. [Hybrid Runbook Worker](./automation-hrw-run-runbooks.md) feature of Azure Automation allows you to execute runbooks directly on the machine hosting the role in Azure or non-Azure machine to execute Automation jobs in the local environment. 
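Review bot: the `+` PIM line, "to protect the privileged accounts from malicious cyber-attacks to increase your visibility into their use", fuses two purposes into one clause; read as "to protect privileged accounts and to increase your visibility into their use through reports and alerts". The link fragment `#use-azure-ad-privileged-identity-management` is kept as-is, which is only correct if the renamed target heading retains its old anchor, as the Security Overview row on this page does with `<a name='azure-ad-permissions'></a>`; worth confirming for this target too.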
- Use only high privilege users or [Hybrid worker custom roles](./extension-based-hybrid-runbook-worker-install.md?tabs=windows) for users responsible for managing operations such as registering or unregistering Hybrid workers and hybrid groups and executing runbooks against Hybrid runbook worker groups. - The same user would also require VM contributor access on the machine hosting Hybrid worker role. Since the VM contributor is a high privilege role, ensure only a limited right set of users have access to manage Hybrid works, thereby reducing the potential for breach by a compromised owner. This section guides you in configuring your Automation account securely. ### Authentication certificate and identities -1. For runbook authentication, we recommend that you use [Managed identities](./automation-security-overview.md#managed-identities) instead of Run As accounts. The Run As accounts are an administrative overhead and we plan to deprecate them. A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more information about managed identities in Azure Automation, see [Managed identities for Azure Automation](./automation-security-overview.md#managed-identities) +1. For runbook authentication, we recommend that you use [Managed identities](./automation-security-overview.md#managed-identities) instead of Run As accounts. The Run As accounts are an administrative overhead and we plan to deprecate them. A managed identity from Microsoft Entra ID allows your runbook to easily access other Microsoft Entra protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. 
For more information about managed identities in Azure Automation, see [Managed identities for Azure Automation](./automation-security-overview.md#managed-identities) You can authenticate an Automation account using two types of managed identities: - **System-assigned identity** is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned identity. This section guides you in configuring your Automation account securely. Follow the [Managed identity best practice recommendations](../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#choosing-system-or-user-assigned-managed-identities) for more details. -1. Rotate the [Azure Automation keys](./automation-create-standalone-account.md?tabs=azureportal#manage-automation-account-keys) periodically. The key regeneration prevents future DSC or hybrid worker node registrations from using previous keys. We recommend to use the [Extension based hybrid workers](./automation-hybrid-runbook-worker.md) that use Azure AD authentication instead of Automation keys. Azure AD centralizes the control and management of identities and resource credentials. +1. Rotate the [Azure Automation keys](./automation-create-standalone-account.md?tabs=azureportal#manage-automation-account-keys) periodically. The key regeneration prevents future DSC or hybrid worker node registrations from using previous keys. We recommend to use the [Extension based hybrid workers](./automation-hybrid-runbook-worker.md) that use Microsoft Entra authentication instead of Automation keys. Microsoft Entra ID centralizes the control and management of identities and resource credentials. ### Data security 1. Secure the assets in Azure Automation including credentials, certificates, connections and encrypted variables. These assets are protected in Azure Automation using multiple levels of encryption. By default, data is encrypted with Microsoft-managed keys. 
For additional control over encryption keys, you can supply customer-managed keys to use for encryption of Automation assets. These keys must be present in Azure Key Vault for Automation service to be able to access the keys. See [Encryption of secure assets using customer-managed keys](./automation-secure-asset-encryption.md). Review the Azure Policy recommendations for Azure Automation and act as appropri * To learn how to use Azure role-based access control (Azure RBAC), see [Manage role permissions and security in Azure Automation](./automation-role-based-access-control.md). * For information on how Azure protects your privacy and secures your data, see [Azure Automation data security](./automation-managing-data.md).-* To learn about configuring the Automation account to use encryption, see [Encryption of secure assets in Azure Automation](./automation-secure-asset-encryption.md). +* To learn about configuring the Automation account to use encryption, see [Encryption of secure assets in Azure Automation](./automation-secure-asset-encryption.md). |
automation | Automation Security Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-security-overview.md | An Azure Automation account is different from your Microsoft account or accounts The Automation resources for each Automation account are associated with a single Azure region, but the account can manage all the resources in your Azure subscription. The main reason to create Automation accounts in different regions is if you have policies that require data and resources to be isolated to a specific region. -All tasks that you create against resources using Azure Resource Manager and the PowerShell cmdlets in Azure Automation must authenticate to Azure using Azure Active Directory (Azure AD) organizational identity credential-based authentication. +All tasks that you create against resources using Azure Resource Manager and the PowerShell cmdlets in Azure Automation must authenticate to Azure using Microsoft Entra organizational identity credential-based authentication. ## Managed identities -A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +A managed identity from Microsoft Entra ID allows your runbook to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). 
Managed identities are the recommended way to authenticate in your runbooks, and is the default authentication method for your Automation account. You need the `Microsoft.Authorization/*/Write` permission. This permission is ob To learn more about classic subscription permissions, see [Azure classic subscription administrators](../role-based-access-control/classic-administrators.md#add-a-co-administrator). -### Azure AD permissions +<a name='azure-ad-permissions'></a> -To renew the service principal, you need to be a member of one of the following Azure AD built-in roles: +### Microsoft Entra permissions ++To renew the service principal, you need to be a member of one of the following Microsoft Entra built-in roles: - [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) - [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) -Membership can be assigned to **ALL** users in the tenant at the directory level, which is the default behavior. You can grant membership to either role at the directory level. For more information, see [Who has permission to add applications to my Azure AD instance?](../active-directory/develop/how-applications-are-added.md#who-has-permission-to-add-applications-to-my-azure-ad-instance). +Membership can be assigned to **ALL** users in the tenant at the directory level, which is the default behavior. You can grant membership to either role at the directory level. For more information, see [Who has permission to add applications to my Microsoft Entra instance?](../active-directory/develop/how-applications-are-added.md#who-has-permission-to-add-applications-to-my-azure-ad-instance). 
### Automation account permissions To learn more about the Azure Resource Manager and Classic deployment models, se ## Role-based access control -Role-based access control is available with Azure Resource Manager to grant permitted actions to an Azure AD user account and Run As account, and authenticate the service principal. Read [Role-based access control in Azure Automation article](automation-role-based-access-control.md) for further information to help develop your model for managing Automation permissions. +Role-based access control is available with Azure Resource Manager to grant permitted actions to a Microsoft Entra user account and Run As account, and authenticate the service principal. Read [Role-based access control in Azure Automation article](automation-role-based-access-control.md) for further information to help develop your model for managing Automation permissions. If you have strict security controls for permission assignment in resource groups, you need to assign the Run As account membership to the **Contributor** role in the resource group. |
automation | Automation Solution Vm Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-solution-vm-management.md | The following are limitations with the current feature: You must have certain permissions to enable VMs for the Start/Stop VMs during off-hours feature. The permissions are different depending on whether the feature uses a pre-created Automation account and Log Analytics workspace or creates a new account and workspace. -You don't need to configure permissions if you're a Contributor on the subscription and a Global Administrator in your Azure Active Directory (AD) tenant. If you don't have these rights or need to configure a custom role, make sure that you have the permissions described below. +You don't need to configure permissions if you're a Contributor on the subscription and a Global Administrator in your Microsoft Entra tenant. If you don't have these rights or need to configure a custom role, make sure that you have the permissions described below. ### Permissions for pre-existing Automation account and Log Analytics workspace |
automation | Automation Use Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-use-azure-ad.md | Title: Use Azure AD in Azure Automation to authenticate to Azure -description: This article tells how to use Azure AD within Azure Automation as the provider for authentication to Azure. + Title: Use Microsoft Entra ID in Azure Automation to authenticate to Azure +description: This article tells how to use Microsoft Entra ID within Azure Automation as the provider for authentication to Azure. Last updated 05/26/2023 -# Use Azure AD to authenticate to Azure +# Use Microsoft Entra ID to authenticate to Azure -The [Azure Active Directory (AD)](../active-directory/fundamentals/active-directory-whatis.md) service enables a number of administrative tasks, such as user management, domain management, and single sign-on configuration. This article describes how to use Azure AD within Azure Automation as the provider for authentication to Azure. +The [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) service enables a number of administrative tasks, such as user management, domain management, and single sign-on configuration. This article describes how to use Microsoft Entra ID within Azure Automation as the provider for authentication to Azure. -## Install Azure AD modules +<a name='install-azure-ad-modules'></a> -You can enable Azure AD through the following PowerShell modules: +## Install Microsoft Entra modules -* Azure Active Directory PowerShell for Graph (AzureRM and Az modules). Azure Automation ships with the AzureRM module and its recent upgrade, the Az module. Functionality includes non-interactive authentication to Azure using Azure AD user (OrgId) credential-based authentication. See [Azure AD 2.0.2.76](https://www.powershellgallery.com/packages/AzureAD/2.0.2.76). 
+You can enable Microsoft Entra ID through the following PowerShell modules: -* Microsoft Azure Active Directory for Windows PowerShell (MSOnline module). This module enables interactions with Microsoft Online, including Microsoft 365. +* Azure Active Directory PowerShell for Graph (AzureRM and Az modules). Azure Automation ships with the AzureRM module and its recent upgrade, the Az module. Functionality includes non-interactive authentication to Azure using Microsoft Entra user (OrgId) credential-based authentication. See [Microsoft Entra ID 2.0.2.76](https://www.powershellgallery.com/packages/AzureAD/2.0.2.76). ++* Microsoft Entra ID for Windows PowerShell (MSOnline module). This module enables interactions with Microsoft Online, including Microsoft 365. >[!NOTE] >PowerShell Core does not support the MSOnline module. To use the module cmdlets, you must run them from Windows PowerShell. You're encouraged to use the newer Azure Active Directory PowerShell for Graph modules instead of the MSOnline module. ### Preinstallation -Before installing the Azure AD modules on your computer: +Before installing the Microsoft Entra modules on your computer: * Uninstall any previous versions of the AzureRM/Az module and the MSOnline module. Before installing the Azure AD modules on your computer: 3. Run Windows PowerShell as an administrator to create an elevated Windows PowerShell command prompt. -4. Deploy Azure Active Directory from [MSOnline 1.0](https://www.powershellgallery.com/packages/MSOnline/1.0). +4. Deploy Microsoft Entra ID from [MSOnline 1.0](https://www.powershellgallery.com/packages/MSOnline/1.0). 5. If you're prompted to install the NuGet provider, type Y and press ENTER. Azure Automation uses the [PSCredential](/dotnet/api/system.management.automatio You must assign an administrator for the Azure subscription. This person has the role of Owner for the subscription scope. 
See [Role-based access control in Azure Automation](automation-role-based-access-control.md). -## Change the Azure AD user's password +<a name='change-the-azure-ad-users-password'></a> ++## Change the Microsoft Entra user's password -To change the Azure AD user's password: +To change the Microsoft Entra user's password: 1. Log out of Azure. -2. Have the administrator log in to Azure as the Azure AD user just created, using the full user name (including the domain) and a temporary password. +2. Have the administrator log in to Azure as the Microsoft Entra user just created, using the full user name (including the domain) and a temporary password. 3. Ask the administrator to change the password when prompted. ## Configure Azure Automation to manage the Azure subscription -For Azure Automation to communicate with Azure AD, you must retrieve the credentials associated with the Azure connection to Azure AD. Examples of these credentials are tenant ID, subscription ID, and the like. For more about the connection between Azure and Azure AD, see [Connect your organization to Azure Active Directory](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). +For Azure Automation to communicate with Microsoft Entra ID, you must retrieve the credentials associated with the Azure connection to Microsoft Entra ID. Examples of these credentials are tenant ID, subscription ID, and the like. For more about the connection between Azure and Microsoft Entra ID, see [Connect your organization to Microsoft Entra ID](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). ## Create a credential asset -With the Azure credentials for Azure AD available, it's time to create an Azure Automation credential asset to securely store the Azure AD credentials so that runbooks and Desire State Configuration (DSC) scripts can access them. You can do this using either the Azure portal or PowerShell cmdlets. 
+With the Azure credentials for Microsoft Entra available, it's time to create an Azure Automation credential asset to securely store the Microsoft Entra credentials so that runbooks and Desire State Configuration (DSC) scripts can access them. You can do this using either the Azure portal or PowerShell cmdlets. ### Create the credential asset in Azure portal |
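Review bot: the rename in the module list rewrote product and package names that are still literally "Azure Active Directory" on the PowerShell Gallery: the `+` bullet now links "[Microsoft Entra ID 2.0.2.76](https://www.powershellgallery.com/packages/AzureAD/2.0.2.76)" although the package is `AzureAD`, and "Microsoft Entra ID for Windows PowerShell (MSOnline module)" renames the MSOnline module's product name, while the unchanged NOTE still says "Azure Active Directory PowerShell for Graph modules", so the text now disagrees with itself; keep module and package names as published (for example "AzureAD module 2.0.2.76") and apply the Entra name only to the service. Same in step 4, "Deploy Microsoft Entra ID from MSOnline 1.0": what is installed is the MSOnline module, not the directory service. Separately, the `+` line under "Configure Azure Automation to manage the Azure subscription" still calls the tenant ID and subscription ID "credentials"; they are identifiers, and the only secret this article stores is a Microsoft Entra user password in a credential asset, which the Security Guidelines row above recommends replacing with a managed identity; a pointer to that recommendation belongs near "Create a credential asset".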
automation | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/overview.md | Machines connected to the Log Analytics workspace use the [Log Analytics agent]( > [!NOTE] > Change Tracking and Inventory requires linking a Log Analytics workspace to your Automation account. For a definitive list of supported regions, see [Azure Workspace mappings](../how-to/region-mappings.md). The region mappings don't affect the ability to manage VMs in a separate region from your Automation account. -As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Azure Lighthouse allows you to perform operations at scale across several Azure Active Directory (Azure AD) tenants at once, making management tasks like Change Tracking and Inventory more efficient across those tenants you're responsible for. Change Tracking and Inventory can manage machines in multiple subscriptions in the same tenant, or across tenants using [Azure delegated resource management](../../lighthouse/concepts/architecture.md). +As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Azure Lighthouse allows you to perform operations at scale across several Microsoft Entra tenants at once, making management tasks like Change Tracking and Inventory more efficient across those tenants you're responsible for. Change Tracking and Inventory can manage machines in multiple subscriptions in the same tenant, or across tenants using [Azure delegated resource management](../../lighthouse/concepts/architecture.md). ## Current limitations |
automation | Context Switching | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/context-switching.md | Context switching is when the context in one process changes the context in a di |Account | The user name or service principal used to authenticate communications with Azure.| |Environment | Represents the Azure global or one of the national Azure clouds, such as Azure Government. You can also specify a hybrid cloud platform, like Azure Stack.| |Subscription | Represents the Azure subscription that contains the resources you want to manage.|-|Tenant | A dedicated and trusted instance of Azure Active Directory that represents a single organization.| +|Tenant | A dedicated and trusted instance of Microsoft Entra ID that represents a single organization.| |Credentials | The information used by Azure to verify your identity and confirm your authorization to access resources in Azure.| When an account signs on that can access several subscriptions, any of those subscriptions may be added to the user's context. To guarantee the correct subscription, you must declare it when connecting. For example, use `Add-AzAccount -Credential $Cred -subscription 'cd4dxxxx-xxxx-xxxx-xxxx-xxxxxxxx9749'`. However, issues can arise when your runbooks managing one subscription runs in the same sandbox process as your other runbooks managing resources in another subscription from the same Automation account. Changes to the context made by one runbook can affect your other runbooks using the default context. As the context includes information, such as the credentials to use and the subscription to target, cmdlets could target the wrong subscription resulting in `not found` or permissions errors. This issue is known as **Context Switching**. |
automation | Delete Run As Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/delete-run-as-account.md | Run As accounts in Azure Automation provide authentication for managing resource To configure or update or delete a Run As account and a Classic Run As accounts, you must either be: -- An owner of the Azure AD Application for the Run As Account+- An owner of the Microsoft Entra Application for the Run As Account (or) -- A member in one of the following Azure AD roles+- A member in one of the following Microsoft Entra roles - Application Administrator - Cloud Application Administrator - Global Administrator To configure or update or delete a Run As account and a Classic Run As accounts, 5. While the account is being deleted, you can track the progress under **Notifications** from the menu. Run As accounts can't be restored after deletion. > [!NOTE]-> We recommend that you delete the Run As account from Automation account portal. Alternatively, you can delete the Service principal from the **Azure Active Directory** portal > **App registrations** > search and select your Automation account name and in the **Overview** page, select **Delete**. +> We recommend that you delete the Run As account from Automation account portal. Alternatively, you can delete the Service principal from the **Microsoft Entra ID** portal > **App registrations** > search and select your Automation account name and in the **Overview** page, select **Delete**. ## Next steps - [Use system-assigned managed identity](enable-managed-identity-for-automation.md).-- [Use user-assigned managed identity](add-user-assigned-identity.md).+- [Use user-assigned managed identity](add-user-assigned-identity.md). |
automation | Disable Local Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/disable-local-authentication.md | -Azure Automation provides Microsoft Azure Active Directory (Azure AD) authentication support for all Automation service public endpoints. This critical security enhancement removes certificate dependencies and gives organizations control to disable local authentication methods. This feature provides you with seamless integration when centralized control and management of identities and resource credentials through Azure AD is required. +Azure Automation provides Microsoft Entra authentication support for all Automation service public endpoints. This critical security enhancement removes certificate dependencies and gives organizations control to disable local authentication methods. This feature provides you with seamless integration when centralized control and management of identities and resource credentials through Microsoft Entra ID is required. -Azure Automation provides an optional feature to "Disable local authentication" at the Automation account level using the Azure policy [Configure Azure Automation account to disable local authentication](../automation/policy-reference.md#azure-automation). By default, this flag is set to false at the account, so you can use both local authentication and Azure AD authentication. If you choose to disable local authentication, then the Automation service only accepts Azure AD based authentication. +Azure Automation provides an optional feature to "Disable local authentication" at the Automation account level using the Azure policy [Configure Azure Automation account to disable local authentication](../automation/policy-reference.md#azure-automation). By default, this flag is set to false at the account, so you can use both local authentication and Microsoft Entra authentication. 
If you choose to disable local authentication, then the Automation service only accepts Microsoft Entra ID based authentication. In the Azure portal, you may receive a warning message on the landing page for the selected Automation account if authentication is disabled. To confirm if the local authentication policy is enabled, use the PowerShell cmdlet [Get-AzAutomationAccount](/powershell/module/az.automation/get-azautomationaccount) and check property `DisableLocalAuth`. A value of `true` means local authentication is disabled. The following table describes the behaviors or features that are prevented from |Scenario | Alternative | |||-|Starting a runbook using a webhook. | Start a runbook job using Azure Resource Manager template, which uses Azure AD authentication. | +|Starting a runbook using a webhook. | Start a runbook job using Azure Resource Manager template, which uses Microsoft Entra authentication. | |Using Automation Desired State Configuration.| Use [Azure Policy Guest configuration](../governance/machine-configuration/overview.md).  | |Using agent-based Hybrid Runbook Workers.| Use [extension-based Hybrid Runbook Workers (Preview)](./extension-based-hybrid-runbook-worker-install.md).| |Using Automation Update management |Use [Update Manager (preview)](../update-center/overview.md) ## Next steps-- [Azure Automation account authentication overview](./automation-security-overview.md)+- [Azure Automation account authentication overview](./automation-security-overview.md) |
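Review bot: the `+` webhook row should read "using an Azure Resource Manager template". In the surrounding lines, "To confirm if the local authentication policy is enabled ... A value of `true` means local authentication is disabled" mixes "policy enabled" with "authentication disabled"; since the property is `DisableLocalAuth`, say "To confirm whether local authentication is disabled ... `true` means it is disabled", and make the warning sentence "if local authentication is disabled" rather than "if authentication is disabled", which reads as though all authentication were off.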
automation | Enable Managed Identity For Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/enable-managed-identity-for-automation.md | If you don't have an Azure subscription, create a [free account](https://azure.m - The latest version of Az PowerShell modules Az.Accounts, Az.Resources, Az.Automation, Az.KeyVault. -- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Azure AD tenant.+- An Azure resource that you want to access from your Automation runbook. This resource needs to have a role defined for the managed identity, which helps the Automation runbook authenticate access to the resource. To add roles, you need to be an owner for the resource in the corresponding Microsoft Entra tenant. - If you want to execute hybrid jobs using a managed identity, update the agent-based Hybrid Runbook Worker to the latest version. There is no minimum version requirement for extension-based Hybrid Runbook Worker, and all the versions would work. The minimum required versions for the agent-based Hybrid Worker are: Once enabled, the following properties will be assigned to the system-assigned m |Property (JSON) | Value | Description| |-|--||-| principalid | \<principal-ID\> | The Globally Unique Identifier (GUID) of the service principal object for the system-assigned managed identity that represents your Automation account in the Azure AD tenant. This GUID sometimes appears as an "object ID" or objectID. | -| tenantid | \<Azure-AD-tenant-ID\> | The Globally Unique Identifier (GUID) that represents the Azure AD tenant where the Automation account is now a member. Inside the Azure AD tenant, the service principal has the same name as the Automation account. 
| +| principalid | \<principal-ID\> | The Globally Unique Identifier (GUID) of the service principal object for the system-assigned managed identity that represents your Automation account in the Microsoft Entra tenant. This GUID sometimes appears as an "object ID" or objectID. | +| tenantid | \<Azure-AD-tenant-ID\> | The Globally Unique Identifier (GUID) that represents the Microsoft Entra tenant where the Automation account is now a member. Inside the Microsoft Entra tenant, the service principal has the same name as the Automation account. | You can enable a system-assigned managed identity for an Azure Automation account using the Azure portal, PowerShell, the Azure REST API, or ARM template. For the examples involving PowerShell, first sign in to Azure interactively using the [Connect-AzAccount](/powershell/module/Az.Accounts/Connect-AzAccount) cmdlet and follow the instructions. Perform the following steps: :::image type="content" source="media/managed-identity/managed-identity-on.png" alt-text="Enabling system-assigned identity in Azure portal."::: - Your Automation account can now use the system-assigned identity, which is registered with Azure Active Directory (Azure AD) and is represented by an object ID. + Your Automation account can now use the system-assigned identity, which is registered with Microsoft Entra ID and is represented by an object ID. :::image type="content" source="media/managed-identity/managed-identity-object-id.png" alt-text="Managed identity object ID."::: Perform the following steps. ## Assign role to a system-assigned managed identity -An Automation account can use its system-assigned managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens don't represent any specific user of the application. Instead, they represent the application that's accessing the resource. In this case, for example, the token represents an Automation account. 
+An Automation account can use its system-assigned managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens don't represent any specific user of the application. Instead, they represent the application that's accessing the resource. In this case, for example, the token represents an Automation account. Before you can use your system-assigned managed identity for authentication, set up access for that identity on the Azure resource where you plan to use the identity. To complete this task, assign the appropriate role to that identity on the target Azure resource. print(response.text) ### Using system-assigned managed identity to Access SQL Database -For details on provisioning access to an Azure SQL database, see [Provision Azure AD admin (SQL Database)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database). +For details on provisioning access to an Azure SQL database, see [Provision Microsoft Entra admin (SQL Database)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database). ```powershell $queryParameter = "?resource=https://database.windows.net/" |
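Review bot: the prerequisites bullet conflates Azure RBAC with the tenant: the `+` line says "you need to be an owner for the resource in the corresponding Microsoft Entra tenant", but assigning a role to the managed identity is an Azure RBAC operation (`Microsoft.Authorization/roleAssignments/write`) that the Owner or User Access Administrator role grants at the scope of the target resource, not anything held at tenant level; suggest "you need the Owner or User Access Administrator role on the target resource (or a parent scope)". Separately, the `tenantid` row of the properties table renames the description but keeps the placeholder `\<Azure-AD-tenant-ID\>` in the `+` line; rename the placeholder as well so it matches the `\<principal-ID\>` style and the new wording. The SQL snippet's `?resource=https://database.windows.net/` is the correct audience for Azure SQL and needs no change.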
automation | Powershell Runbook Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/learn/powershell-runbook-managed-identity.md | -This tutorial walks you through creating a [PowerShell runbook](../automation-runbook-types.md#powershell-runbooks) in Azure Automation that uses a [managed identity](../automation-security-overview.md#managed-identities), rather than the Run As account to interact with resources. PowerShell runbooks are based on Windows PowerShell. A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources. +This tutorial walks you through creating a [PowerShell runbook](../automation-runbook-types.md#powershell-runbooks) in Azure Automation that uses a [managed identity](../automation-security-overview.md#managed-identities), rather than the Run As account to interact with resources. PowerShell runbooks are based on Windows PowerShell. A managed identity from Microsoft Entra ID allows your runbook to easily access other Microsoft Entra protected resources. In this tutorial, you learn how to: |
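Review bot: hyphenation in the `+` line: "other Microsoft Entra protected resources" should read "other Microsoft Entra-protected resources", otherwise the sentence parses as "Entra protected resources". The same sentence still frames the Run As account as the live alternative ("rather than the Run As account"); since the other changes in this batch describe managed identity as the default and Run As accounts as a renewal burden to migrate away from, consider "rather than a (deprecated) Run As account" so new readers are not steered towards it.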
automation | Manage Office 365 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-office-365.md | -You can use Azure Automation for management of Office 365 subscription services, for products such as Microsoft Word and Microsoft Outlook. Interactions with Office 365 are enabled by [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). See [Use Azure AD in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). +You can use Azure Automation for management of Office 365 subscription services, for products such as Microsoft Word and Microsoft Outlook. Interactions with Office 365 are enabled by [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). See [Use Microsoft Entra ID in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). ## Prerequisites You need the following to manage Office 365 subscription services in Azure Autom * An Azure subscription. See [Subscription decision guide](/azure/cloud-adoption-framework/decision-guides/subscriptions/). * An Automation object in Azure to hold the user account credentials and runbooks. See [An introduction to Azure Automation](./automation-intro.md).-* Azure AD. See [Use Azure AD in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). +* Microsoft Entra ID. See [Use Microsoft Entra ID in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). * An Office 365 tenant, with an account. See [Set up your Office 365 tenant](/sharepoint/dev/spfx/set-up-your-developer-tenant). ## Install the MSOnline and MSOnlineExt modules -Use of Office 365 within Azure Automation requires Microsoft Azure Active Directory for Windows PowerShell (`MSOnline` module). You'll also need the module [`MSOnlineExt`](https://www.powershellgallery.com/packages/MSOnlineExt/1.0.35), which simplifies Azure AD management in single- and multi-tenant environments. 
Install the modules as described in [Use Azure AD in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). +Use of Office 365 within Azure Automation requires Microsoft Entra ID for Windows PowerShell (`MSOnline` module). You'll also need the module [`MSOnlineExt`](https://www.powershellgallery.com/packages/MSOnlineExt/1.0.35), which simplifies Microsoft Entra management in single- and multi-tenant environments. Install the modules as described in [Use Microsoft Entra ID in Azure Automation to authenticate to Azure](automation-use-azure-ad.md). >[!NOTE]->To use MSOnline PowerShell, you must be a member of Azure AD. Guest users can't use the module. +>To use MSOnline PowerShell, you must be a member of Microsoft Entra ID. Guest users can't use the module. ## Create an Azure Automation account It's optional to create a credential asset for the Office 365 administrative use To run Office 365 subscription services, you need an Office 365 service account with permissions to do what you want. You can use one global administrator account, one account per service, or have one function or script to execute. In any case, the service account requires a complex and secure password. See [Set up Office 365 for business](/microsoft-365/admin/setup/setup). -## Connect to the Azure AD online service +<a name='connect-to-the-azure-ad-online-service'></a> ++## Connect to the Microsoft Entra online service >[!NOTE] >To use the MSOnline module cmdlets, you must run them from Windows PowerShell. PowerShell Core does not support these cmdlets. -You can use the MSOnline module to connect to Azure AD from the Office 365 subscription. The connection uses an Office 365 user name and password or uses multi-factor authentication (MFA). You can connect using the Azure portal or a Windows PowerShell command prompt (does not have to be elevated). +You can use the MSOnline module to connect to Microsoft Entra ID from the Office 365 subscription. 
The connection uses an Office 365 user name and password or uses multi-factor authentication (MFA). You can connect using the Azure portal or a Windows PowerShell command prompt (does not have to be elevated). A PowerShell example is shown below. The [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential) cmdlet prompts for credentials and stores them in the `Msolcred` variable. Then the [Connect-MsolService](/powershell/module/msonline/connect-msolservice) cmdlet uses the credentials to connect to the Azure directory online service. If you want to connect to a specific Azure environment, use the `AzureEnvironment` parameter. Connect-MsolService -Credential $MsolCred -AzureEnvironment "AzureCloud" If you don't receive any errors, you've connected successfully. A quick test is to run an Office 365 cmdlet, for example, `Get-MsolUser`, and see the results. If you receive errors, note that a common problem is an incorrect password. >[!NOTE]->You can also use the AzureRM module or the Az module to connect to Azure AD from the Office 365 subscription. The main connection cmdlet is [Connect-AzureAD](/powershell/module/azuread/connect-azuread). This cmdlet supports the `AzureEnvironmentName` parameter for specific Office 365 environments. +>You can also use the AzureRM module or the Az module to connect to Microsoft Entra ID from the Office 365 subscription. The main connection cmdlet is [Connect-AzureAD](/powershell/module/azuread/connect-azuread). This cmdlet supports the `AzureEnvironmentName` parameter for specific Office 365 environments. ## Create a PowerShell runbook from an existing script |
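Review bot: the module is misnamed in the install section's `+` line: "Microsoft Entra ID for Windows PowerShell (`MSOnline` module)" is not a product name; the module that ships `Connect-MsolService` is the Azure Active Directory (MSOnline) PowerShell module, and it is deprecated in favour of the Microsoft Graph PowerShell SDK, so keep the real module name and add a deprecation notice rather than rebranding it. The note under "Connect to the Microsoft Entra online service" is wrong in a way the rename did not touch: `Connect-AzureAD` belongs to the AzureAD module, not to AzureRM or Az (and AzureRM is itself retired), so that sentence should name the AzureAD module or, better, `Connect-MgGraph`. Two smaller points: "you must be a member of Microsoft Entra ID" should read "a member of the Microsoft Entra tenant", and the statement that the connection "uses multi-factor authentication (MFA)" does not hold for a runbook, which cannot answer an interactive MFA prompt when it passes a stored `PSCredential` to `Connect-MsolService -Credential`; a credential asset used this way has to be an account without MFA, which is worth saying explicitly because it is the main reason to prefer a managed identity over the "complex and secure password" the prerequisites recommend.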
automation | Manage Sql Server In Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/manage-sql-server-in-automation.md | Azure Automation can also issue T-SQL (Transact SQL) commands against the SQL se To run the commands against the database, you need to do the following: - Ensure that Automation account has a system-assigned managed identity. - Provide the appropriate permissions to the Automation managed identity.-- Configure the SQL server to utilize Azure Active Directory authentication.+- Configure the SQL server to utilize Microsoft Entra authentication. - Create a user on the SQL server that maps to the Automation account managed identity. - Create a runbook to connect and execute the commands. - (Optional) If the SQL server is protected by a firewall, create a Hybrid Runbook Worker (HRW), install the SQL modules on that server, and add the HRW IP address to the allowlist on the firewall. To allow access from the Automation system managed identity to the Azure SQL dat 1. Configure the SQL server for Active Directory authentication by using these steps: 1. Go to [Azure portal](https://portal.azure.com) home page and select **SQL servers**.- 1. In the **SQL server** page, under **Settings**, select **Azure Active Directory**. + 1. In the **SQL server** page, under **Settings**, select **Microsoft Entra ID**. 1. Select **Set admin** to configure SQL server for AD authentication. 1. Add authentication on the SQL side by using these steps: When you use a Hybrid worker, the modules that your runbook uses, must be instal * For details of credential use, see [Manage credentials in Azure Automation](shared-resources/credentials.md). * For information about modules, see [Manage modules in Azure Automation](shared-resources/modules.md). * If you need to start a runbook, see [Start a runbook in Azure Automation](start-runbooks.md).-* For PowerShell details, see [PowerShell Docs](/powershell/scripting/overview). 
+* For PowerShell details, see [PowerShell Docs](/powershell/scripting/overview). |
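Review bot: the rename is incomplete in the numbered steps: the `+` line changes the portal blade to "select **Microsoft Entra ID**", but the surrounding context still reads "Configure the SQL server for Active Directory authentication" and "Set admin to configure SQL server for AD authentication"; unqualified "Active Directory" reads as on-premises AD DS, so change both to "Microsoft Entra authentication" to match the bullet list above it. In the same list, the step "Create a user on the SQL server that maps to the Automation account managed identity" should say the contained database user is created from the external provider and that its name must match the Automation account name, since that is the name the managed identity's service principal carries in the tenant (as the enable-managed-identity article in this batch states).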
automation | Migrate Existing Agent Based Hybrid Worker To Extension Based Workers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/migrate-existing-agent-based-hybrid-worker-to-extension-based-workers.md | The purpose of the Extension-based approach is to simplify the installation and - **Ease of Manageability** – It offers native integration with Azure Resource Manager (ARM) identity for Hybrid Runbook Worker and provides the flexibility for governance at scale through policies and templates. -- **Azure Active Directory based authentication** – It uses a VM system-assigned managed identities provided by Azure Active Directory. This centralizes control and management of identities and resource credentials. +- **Microsoft Entra ID based authentication** – It uses a VM system-assigned managed identities provided by Microsoft Entra ID. This centralizes control and management of identities and resource credentials. - **Unified experience** – It offers an identical experience for managing Azure and off-Azure Arc-enabled machines. |
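Review bot: grammar in the second bullet's `+` line: "It uses a VM system-assigned managed identities" mixes singular and plural; make it "It uses the VM's system-assigned managed identity, provided by Microsoft Entra ID". "Microsoft Entra ID based authentication" also wants a hyphen ("Microsoft Entra ID-based authentication") to read as one modifier, matching the bold lead-ins of the neighbouring bullets.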
automation | Migrate Run As Accounts Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/migrate-run-as-accounts-managed-identity.md | -Run As accounts in Azure Automation provide authentication for managing resources deployed through Azure Resource Manager or the classic deployment model. Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate is generated. The certificate is valid for one month. Renewing the certificate every month before it expires keeps the Automation account working but adds overhead. +Run As accounts in Azure Automation provide authentication for managing resources deployed through Azure Resource Manager or the classic deployment model. Whenever a Run As account is created, a Microsoft Entra application is registered, and a self-signed certificate is generated. The certificate is valid for one month. Renewing the certificate every month before it expires keeps the Automation account working but adds overhead. You can now configure Automation accounts to use a [managed identity](automation-security-overview.md#managed-identities), which is the default option when you create an Automation account. With this feature, an Automation account can authenticate to Azure resources without the need to exchange any credentials. A managed identity removes the overhead of renewing the certificate or managing the service principal. |
automation | Create Azure Automation Account Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/quickstarts/create-azure-automation-account-portal.md | The following table describes the fields on the **Advanced** tab. | **Field** | **Required**<br> **or**<br> **optional** |**Description** | ||||-|System-assigned |Optional |An Azure Active Directory identity that is tied to the lifecycle of the Automation account. | +|System-assigned |Optional |A Microsoft Entra identity that is tied to the lifecycle of the Automation account. | |User-assigned |Optional |A managed identity represented as a standalone Azure resource that is managed separately from the resources that use it.| You can choose to enable managed identities later, and the Automation account is created without one. To enable a managed identity after the account is created, see [Enable managed identity](enable-managed-identity.md). If you select both options, for the user-assigned identity, select the **Add user assigned identities** option. On the **Select user assigned managed identity** page, select a subscription and add one or more user-assigned identities created in that subscription to assign to the Automation account. |
automation | Enable Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/quickstarts/enable-managed-identity.md | This Quickstart shows you how to enable managed identities for an Azure Automati 1. Set the system-assigned **Status** option to **On** and then press **Save**. When you're prompted to confirm, select **Yes**. - Your Automation account can now use the system-assigned identity, that is registered with Azure Active Directory (Azure AD) and is represented by an object ID. + Your Automation account can now use the system-assigned identity, that is registered with Microsoft Entra ID and is represented by an object ID. :::image type="content" source="media/enable-managed-identity/system-assigned-object-id.png" alt-text="Managed identity object ID."::: If you no longer need the system-assigned managed identity enabled for your Auto In this Quickstart, you enabled managed identities for an Azure Automation account. To use your Automation account with managed identities to execute a runbook, see. > [!div class="nextstepaction"]-> [Tutorial: Create Automation PowerShell runbook using managed identity](../learn/powershell-runbook-managed-identity.md) +> [Tutorial: Create Automation PowerShell runbook using managed identity](../learn/powershell-runbook-managed-identity.md) |
automation | Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/shared-resources/credentials.md | You can add an activity for the internal `Get-AutomationPSCredential` cmdlet to ![Add credential cmdlet to canvas](../media/credentials/credential-add-canvas.png) -The following image shows an example of using a credential in a graphical runbook. In this case, the credential provides authentication for a runbook to Azure resources, as described in [Use Azure AD in Azure Automation to authenticate to Azure](../automation-use-azure-ad.md). The first activity retrieves the credential that has access to the Azure subscription. The account connection activity then uses this credential to provide authentication for any activities that come after it. A [pipeline link](../automation-graphical-authoring-intro.md#use-links-for-workflow) is used here since `Get-AutomationPSCredential` is expecting a single object. +The following image shows an example of using a credential in a graphical runbook. In this case, the credential provides authentication for a runbook to Azure resources, as described in [Use Microsoft Entra ID in Azure Automation to authenticate to Azure](../automation-use-azure-ad.md). The first activity retrieves the credential that has access to the Azure subscription. The account connection activity then uses this credential to provide authentication for any activities that come after it. A [pipeline link](../automation-graphical-authoring-intro.md#use-links-for-workflow) is used here since `Get-AutomationPSCredential` is expecting a single object. ![Credential workflow with pipeline link example](../media/credentials/get-credential.png) |
automation | Hybrid Runbook Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/hybrid-runbook-worker.md | The connection to Active Directory Federation Services (AD FS) on the server can #### Resolution -You can resolve the issue for the Orchestrator sandbox by migrating your script to use the Azure Active Directory modules instead of the MSOnline module for PowerShell cmdlets. For more information, see [Migrating from Orchestrator to Azure Automation (Beta)](../automation-orchestrator-migration.md). +You can resolve the issue for the Orchestrator sandbox by migrating your script to use the Microsoft Entra modules instead of the MSOnline module for PowerShell cmdlets. For more information, see [Migrating from Orchestrator to Azure Automation (Beta)](../automation-orchestrator-migration.md). ΓÇïIf you want to continue to use the MSOnline module cmdlets, change your script to use [Invoke-Command](/powershell/module/microsoft.powershell.core/invoke-command). Specify values for the `ComputerName` and `Credential` parameters. |
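Review bot: the `+` line in the resolution introduces a module name that does not exist: "the Microsoft Entra modules" is a rebranding of "the Azure Active Directory modules", which meant the AzureAD PowerShell module, and both AzureAD and MSOnline are deprecated in favour of the Microsoft Graph PowerShell SDK; name the module the migration should actually target (Microsoft Graph PowerShell) instead of a generic brand, otherwise readers cannot act on the advice. The context line that follows begins with a stray `ΓÇï` (a mis-encoded zero-width space) before "If you want to continue"; drop it.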
automation | Runbooks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/runbooks.md | To determine what's wrong, follow these steps: Connect-AzAccount -Credential $Cred ``` -1. If your authentication fails locally, you haven't set up your Azure Active Directory (Azure AD) credentials properly. To get the Azure AD account set up correctly, see the article [Authenticate to Azure using Azure Active Directory](../automation-use-azure-ad.md). +1. If your authentication fails locally, you haven't set up your Microsoft Entra credentials properly. To get the Microsoft Entra account set up correctly, see the article [Authenticate to Azure using Microsoft Entra ID](../automation-use-azure-ad.md). 1. If the error appears to be transient, try adding retry logic to your authentication routine to make authenticating more robust. The subscription named <subscription name> cannot be found. This error can occur if: * The subscription name isn't valid.-* The Azure AD user who's trying to get the subscription details isn't configured as an administrator of the subscription. +* The Microsoft Entra user who's trying to get the subscription details isn't configured as an administrator of the subscription. * The cmdlet isn't available. * Context switching occurred. Add-AzureAccount: AADSTS50079: Strong authentication enrollment (proof-up) is re ### Cause -If you have multifactor authentication on your Azure account, you can't use an Azure Active Directory user to authenticate to Azure. Instead, you need to use a certificate or a service principal to authenticate. +If you have multifactor authentication on your Azure account, you can't use a Microsoft Entra user to authenticate to Azure. Instead, you need to use a certificate or a service principal to authenticate. ### Resolution This error occurs because of one of the following issues: * **Module incompatible.** Module dependencies might not be correct. 
In this case, your runbook typically returns a `Command not found` or `Cannot bind parameter` message. -* **No authentication with Active Directory for sandbox.** Your runbook attempted to call an executable or subprocess that runs in an Azure sandbox. Configuring runbooks to authenticate with Azure AD by using the Azure Active Directory Authentication Library (ADAL) isn't supported. +* **No authentication with Active Directory for sandbox.** Your runbook attempted to call an executable or subprocess that runs in an Azure sandbox. Configuring runbooks to authenticate with Microsoft Entra ID by using the Azure Active Directory Authentication Library (ADAL) isn't supported. ### Resolution This error occurs because of one of the following issues: * **Module incompatible.** Update your Azure modules by following the steps in [How to update Azure PowerShell modules in Azure Automation](../automation-update-azure-modules.md). -* **No authentication with Active Directory for sandbox.** When you authenticate to Azure AD with a runbook, ensure that the Azure AD module is available in your Automation account. Be sure to grant the Run As account the necessary permissions to perform the tasks that the runbook automates. +* **No authentication with Active Directory for sandbox.** When you authenticate to Microsoft Entra ID with a runbook, ensure that the Azure AD module is available in your Automation account. Be sure to grant the Run As account the necessary permissions to perform the tasks that the runbook automates. If your runbook can't call an executable or subprocess running in an Azure sandbox, use the runbook on a [Hybrid Runbook Worker](../automation-hrw-run-runbooks.md). Hybrid workers aren't limited by the memory and network limits that Azure sandboxes have. |
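Review bot: the rename leaves the fourth resolution bullet inconsistent with itself: the `+` line now reads "When you authenticate to Microsoft Entra ID with a runbook, ensure that the Azure AD module is available", which looks like a missed rename but is in fact the module's real name; spell it out as "the AzureAD PowerShell module" (and note that it is deprecated) so readers do not go looking for a module called Microsoft Entra ID. The same bullet and the "Cause" under the `AADSTS50079` error still tell readers to grant permissions to the Run As account and to fall back to a certificate or service principal; since the other changes in this batch move Automation to managed identities, the resolution should point to the managed identity first, because the MFA enrolment error is a user-account problem that a managed identity never encounters.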
automation | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/update-management/overview.md | -As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Update Management can be used to assess and schedule update deployments to machines in multiple subscriptions in the same Azure Active Directory (Azure AD) tenant, or across tenants using Azure Lighthouse. +As a service provider, you may have onboarded multiple customer tenants to [Azure Lighthouse](../../lighthouse/overview.md). Update Management can be used to assess and schedule update deployments to machines in multiple subscriptions in the same Microsoft Entra tenant, or across tenants using Azure Lighthouse. Microsoft offers other capabilities to help you manage updates for your Azure VMs or Azure virtual machine scale sets that you should consider as part of your overall update management strategy. |
automation | Query Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/update-management/query-logs.md | A record with a type of `Update` is created that represents updates available an | Property | Description | |-|-|-| TenantId| Unique identifier representing your organization's instance of Azure Active Directory. | +| TenantId| Unique identifier representing your organization's instance of Microsoft Entra ID. | | SourceSystem | The source system for the record. The value is `OperationsManager`. | | TimeGenerated | Date and time of record creation. | | SourceComputerId | Unique identifier representing the source computer. | A record with a type of `UpdateRunProgress` is created that provides update depl | Property | Description | |-|-|-| TenantId | Unique identifier representing your organization's instance of Azure Active Directory.| +| TenantId | Unique identifier representing your organization's instance of Microsoft Entra ID.| | SourceSystem | Source system for the record. The value is `OperationsManager`. | | TimeGenerated | Date and time of record creation. | | MG | Unique identifier for the management group or Log Analytics workspace. | A record with a type of `UpdateSummary` is created that provides update summary | Property | Description | |-|-|-| TenantId| Unique identifier representing your organization's instance of Azure Active Directory.| +| TenantId| Unique identifier representing your organization's instance of Microsoft Entra ID.| | SourceSystem | Source system for the record. The value is `OpsManager`. | | TimeGenerated | Date and time of record creation. | | MG | Unique identifier for the management group or Log Analytics workspace. | |
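Review bot: the rename carries an existing inaccuracy into all three `+` lines: in Azure Monitor Logs the `TenantId` column of a record holds the Log Analytics workspace ID, not the Microsoft Entra tenant ID, so "Unique identifier representing your organization's instance of Microsoft Entra ID" is wrong for `Update`, `UpdateRunProgress` and `UpdateSummary` alike; suggest "The ID of the Log Analytics workspace the record was written to", which also agrees with the `MG` row's description of the workspace identifier in the same tables.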
azure-app-configuration | Concept Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-customer-managed-keys.md | Azure App Configuration [encrypts sensitive information at rest](../security/fun ## Overview -Azure App Configuration encrypts sensitive information at rest by using a 256-bit AES encryption key provided by Microsoft. Every App Configuration instance has its own encryption key managed by the service and used to encrypt sensitive information. Sensitive information includes the values found in key-value pairs. When the customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Azure Active Directory. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key. The wrapped encryption key is then stored, and the unwrapped encryption key is cached within App Configuration for one hour. Every hour, the App Configuration refreshes the unwrapped version of the App Configuration instance's encryption key. This process ensures availability under normal operating conditions. +Azure App Configuration encrypts sensitive information at rest by using a 256-bit AES encryption key provided by Microsoft. Every App Configuration instance has its own encryption key managed by the service and used to encrypt sensitive information. Sensitive information includes the values found in key-value pairs. When the customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Microsoft Entra ID. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key. The wrapped encryption key is then stored, and the unwrapped encryption key is cached within App Configuration for one hour. 
Every hour, the App Configuration refreshes the unwrapped version of the App Configuration instance's encryption key. This process ensures availability under normal operating conditions. > [!IMPORTANT] > If the identity assigned to the App Configuration instance is no longer authorized to unwrap the instance's encryption key, or if the managed key is permanently deleted, then it will no longer be possible to decrypt sensitive information stored in the App Configuration instance. By using Azure Key Vault's [soft delete](../key-vault/general/soft-delete-overview.md) function, you mitigate the chance of accidentally deleting your encryption key. |
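Review bot: the overview should state the operational consequence of the cache it describes: the `+` line says the unwrapped key is cached for one hour and refreshed every hour, which means that revoking the managed identity's unwrap permission in Key Vault does not cut off access to stored data until the next hourly refresh fails, so readers who revoke or disable the key as an incident-response step need to know it can take up to an hour to take effect. Suggest one sentence after "This process ensures availability under normal operating conditions" to that effect, and in the IMPORTANT note name the Key Vault key permission (unwrap) that the identity must keep, since "no longer authorized to unwrap" is the condition the note hinges on.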
azure-app-configuration | Concept Enable Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-enable-rbac.md | Title: Authorize access to Azure App Configuration using Azure Active Directory + Title: Authorize access to Azure App Configuration using Microsoft Entra ID description: Enable Azure RBAC to authorize access to your Azure App Configuration instance -# Authorize access to Azure App Configuration using Azure Active Directory -Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Azure Active Directory (Azure AD) to authorize requests to App Configuration instances. Azure AD allows you to use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. A security principal may be a user, a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md). To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md). +# Authorize access to Azure App Configuration using Microsoft Entra ID +Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Microsoft Entra ID to authorize requests to App Configuration instances. Microsoft Entra ID allows you to use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. A security principal may be a user, a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md). To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md). ## Overview-Requests made by a security principal to access an App Configuration resource must be authorized. 
With Azure AD, access to a resource is a two-step process: -1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Azure Active Directory tenant ID to which the service principal belongs. +Requests made by a security principal to access an App Configuration resource must be authorized. With Microsoft Entra ID, access to a resource is a two-step process: +1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Microsoft Entra tenant ID to which the service principal belongs. 2. The token is passed as part of a request to the App Configuration service to authorize access to the specified resource. -The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Azure App Configuration, see [Authenticate access to Azure App Configuration resources with Azure Active Directory and managed identities for Azure Resources](howto-integrate-azure-managed-service-identity.md). +The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. 
To learn how to authenticate requests made by a managed identity to Azure App Configuration, see [Authenticate access to Azure App Configuration resources with Microsoft Entra ID and managed identities for Azure Resources](howto-integrate-azure-managed-service-identity.md). The authorization step requires that one or more Azure roles be assigned to the security principal. Azure App Configuration provides Azure roles that encompass sets of permissions for App Configuration resources. The roles that are assigned to a security principal determine the permissions provided to the principal. For more information about Azure roles, see [Azure built-in roles for Azure App Configuration](#azure-built-in-roles-for-azure-app-configuration). ## Assign Azure roles for access rights-Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). +Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). -When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access is scoped to the App Configuration resource. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access is scoped to the App Configuration resource. A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). 
## Azure built-in roles for Azure App Configuration-Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Azure AD: +Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Microsoft Entra ID: - **App Configuration Data Owner**: Use this role to give read/write/delete access to App Configuration data. This does not grant access to the App Configuration resource. - **App Configuration Data Reader**: Use this role to give read access to App Configuration data. This does not grant access to the App Configuration resource.-- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role does not grant direct access to the data using Azure AD. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see [authorization](quickstart-resource-manager.md#authorization).+- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role does not grant direct access to the data using Microsoft Entra ID. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see [authorization](quickstart-resource-manager.md#authorization). - **Reader**: Use this role to give read access to the App Configuration resource. This does not grant access to the resource's access keys, nor to the data stored in App Configuration. > [!NOTE] |
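Review bot: the first `+` line keeps the sentence "The resource name to request a token is `https://login.microsoftonline.com/{tenantID}`", which conflates the token authority with the resource (audience). The rest-api-authentication-azure-ad change in this same set describes `https://login.microsoftonline.com/{tenantId}` as the authority and `https://azconfig.io` as the audience. Since the line is already being touched for the rename, suggest "The authority used to request a token is `https://login.microsoftonline.com/{tenantID}` ... ; the token audience is `https://azconfig.io`".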
azure-app-configuration | Concept Snapshots | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/concept-snapshots.md | As snapshots are immutable entities, snapshots can only be created and archived. ## Requirements for snapshot operations -The following sections detail the permissions required to perform snapshot related operations with Azure AD and HMAC authentication. +The following sections detail the permissions required to perform snapshot related operations with Microsoft Entra ID and HMAC authentication. ### Create a snapshot -To create a snapshot in stores using Azure Active Directory (Azure AD) authentication, the following permissions are required. The App Configuration Data Owner role already has these permissions. +To create a snapshot in stores using Microsoft Entra authentication, the following permissions are required. The App Configuration Data Owner role already has these permissions. - `Microsoft.AppConfiguration/configurationStores/keyvalues/read` - `Microsoft.AppConfiguration/configurationStores/snapshots/write` To archive and/or recover a snapshot using HMAC authentication, a read-write acc ### Archive and recover a snapshot -To archive and/or recover a snapshot using Azure AD authentication, the following permission is needed. The App Configuration Data Owner role already has this permission. +To archive and/or recover a snapshot using Microsoft Entra authentication, the following permission is needed. The App Configuration Data Owner role already has this permission. - `Microsoft.AppConfiguration/configurationStores/snapshots/archive/action` To archive and/or recover a snapshot using HMAC authentication, a read-write access key must be used. ### Read and list snapshots -To list all snapshots, or get all the key-values in an individual snapshot by name the following permission is needed for stores utilizing Azure AD authentication. 
The built-in Data Owner and Data Reader roles already have this permission. +To list all snapshots, or get all the key-values in an individual snapshot by name the following permission is needed for stores utilizing Microsoft Entra authentication. The built-in Data Owner and Data Reader roles already have this permission. - `Microsoft.AppConfiguration/configurationStores/snapshots/read` For stores that use HMAC authentication, both the "read snapshot" operation (to read the key-values from a snapshot) and the "list snapshots" operation can be performed using either the read-write access keys or the read-only access keys. |
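Review bot: the `+` lines carry over two small wording issues from the `-` lines: "snapshot related operations" should be hyphenated ("snapshot-related operations"), and "get all the key-values in an individual snapshot by name the following permission is needed" needs a comma after "by name".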
azure-app-configuration | Howto Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-best-practices.md | configBuilder.AddAzureAppConfiguration(options => { ## References to external data -App Configuration is designed to store any configuration data that you would normally save in configuration files or environment variables. However, some types of data may be better suited to reside in other sources. For example, store secrets in Key Vault, files in Azure Storage, membership information in Azure AD groups, or customer lists in a database. +App Configuration is designed to store any configuration data that you would normally save in configuration files or environment variables. However, some types of data may be better suited to reside in other sources. For example, store secrets in Key Vault, files in Azure Storage, membership information in Microsoft Entra groups, or customer lists in a database. You can still take advantage of App Configuration by saving a reference to external data in a key-value. You can [use content type](./concept-key-value.md#use-content-type) to differentiate each data source. When your application reads a reference, it loads the actual data from the referenced source, assuming it has the necessary permission to the source. If you change the location of your external data, you only need to update the reference in App Configuration instead of updating and redeploying your entire application. The App Configuration [Key Vault reference](use-key-vault-references-dotnet-core To access an App Configuration store, you can use its connection string, which is available in the Azure portal. Because connection strings contain credential information, they're considered secrets. These secrets need to be stored in Azure Key Vault, and your code must authenticate to Key Vault to retrieve them. -A better option is to use the managed identities feature in Azure Active Directory. 
With managed identities, you need only the App Configuration endpoint URL to bootstrap access to your App Configuration store. You can embed the URL in your application code (for example, in the *appsettings.json* file). See [Use managed identities to access App Configuration](howto-integrate-azure-managed-service-identity.md) for details. +A better option is to use the managed identities feature in Microsoft Entra ID. With managed identities, you need only the App Configuration endpoint URL to bootstrap access to your App Configuration store. You can embed the URL in your application code (for example, in the *appsettings.json* file). See [Use managed identities to access App Configuration](howto-integrate-azure-managed-service-identity.md) for details. ## App Service or Azure Functions access to App Configuration |
azure-app-configuration | Howto Create Snapshots | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-create-snapshots.md | In your App Configuration store, go to **Operations** > **Configuration explorer ## Create a snapshot > [!IMPORTANT]- > You may see any error "You are not authorized to view this configuration store data" when you switch to the Snapshots blade in the Azure portal if you opt to use Azure AD authentication in the Configuration explorer or the Feature manager blades. This is a known issue in the Azure portal, and we are working on addressing it. It doesn't affect any scenarios other than the Azure Portal regarding accessing snapshots with Azure AD authentication. + > You may see any error "You are not authorized to view this configuration store data" when you switch to the Snapshots blade in the Azure portal if you opt to use Microsoft Entra authentication in the Configuration explorer or the Feature manager blades. This is a known issue in the Azure portal, and we are working on addressing it. It doesn't affect any scenarios other than the Azure Portal regarding accessing snapshots with Microsoft Entra authentication. As a temporary workaround, you can switch to using Access keys authentication from either the Configuration explorer or the Feature manager blades. You should then see the Snapshot blade displayed properly, assuming you have permission for the access keys. |
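Review bot: the `+` line keeps the typo "You may see any error" from the `-` line; suggest "You may see an error". The same line also mixes "Azure portal" and "Azure Portal"; the rest of this change set (for example "Assign Azure roles using the Azure portal") uses lowercase "portal".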
azure-app-configuration | Howto Disable Access Key Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-disable-access-key-authentication.md | Last updated 5/14/2021 # Disable access key authentication for an Azure App Configuration instance -Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials, or by using an access key. Of these two types of authentication schemes, Azure AD provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Azure AD to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. +Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Microsoft Entra credentials, or by using an access key. Of these two types of authentication schemes, Microsoft Entra ID provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. -When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Azure AD will succeed. For more information about using Azure AD, see [Authorize access to Azure App Configuration using Azure Active Directory](./concept-enable-rbac.md). +When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. 
Only requests that are authenticated using Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concept-enable-rbac.md). ## Disable access key authentication Disabling access key authentication will delete all access keys. If any running applications are using access keys for authentication they will begin to fail once access key authentication is disabled. Enabling access key authentication again will generate a new set of access keys and any applications attempting to use the old access keys will still fail. > [!WARNING]-> If any clients are currently accessing data in your Azure App Configuration resource with access keys, then Microsoft recommends that you migrate those clients to [Azure AD](./concept-enable-rbac.md) before disabling access key authentication. +> If any clients are currently accessing data in your Azure App Configuration resource with access keys, then Microsoft recommends that you migrate those clients to [Microsoft Entra ID](./concept-enable-rbac.md) before disabling access key authentication. > Additionally, it is recommended to read the [limitations](#limitations) section below to verify the limitations won't affect the intended usage of the resource. # [Azure portal](#tab/portal) To modify the state of access key authentication for an Azure App Configuration - The Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role - The Azure Resource Manager [Contributor](../role-based-access-control/built-in-roles.md#contributor) role -These roles do not provide access to data in an Azure App Configuration resource via Azure Active Directory (Azure AD). However, they include the **Microsoft.AppConfiguration/configurationStores/listKeys/action** action permission, which grants access to the resource's access keys. With this permission, a user can use the access keys to access all the data in the resource. 
+These roles do not provide access to data in an Azure App Configuration resource via Microsoft Entra ID. However, they include the **Microsoft.AppConfiguration/configurationStores/listKeys/action** action permission, which grants access to the resource's access keys. With this permission, a user can use the access keys to access all the data in the resource. Role assignments must be scoped to the level of the Azure App Configuration resource or higher to permit a user to allow or disallow access key authentication for the resource. For more information about role scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md). Be careful to restrict assignment of these roles only to those who require the ability to create an App Configuration resource or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage App Configuration resources. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role. 
The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage App Configuration resources. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ## Limitations When access key authentication is disabled, the capability to read/write key-val ## Next steps - [Use customer-managed keys to encrypt your App Configuration data](concept-customer-managed-keys.md)-- [Using private endpoints for Azure App Configuration](concept-private-endpoint.md)+- [Using private endpoints for Azure App Configuration](concept-private-endpoint.md) |
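Review bot: the article's `Last updated 5/14/2021` metadata, visible in the first context line, is not updated even though body text changes in several places; bump the date so readers can tell the Microsoft Entra wording is current.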
azure-app-configuration | Howto Geo Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-geo-replication.md | Each replica you create has its dedicated endpoint. If your application resides When geo-replication is enabled, and if one replica isn't accessible, you can let your application failover to another replica for improved resiliency. App Configuration provider libraries have built-in failover support by accepting multiple replica endpoints. You can provide a list of your replica endpoints in the order of the most preferred to the least preferred endpoint. When the current endpoint isn't accessible, the provider library will fail over to a less preferred endpoint, but it will try to connect to the more preferred endpoints from time to time. When a more preferred endpoint becomes available, it will switch to it for future requests. -Assuming you have an application using Azure App Configuration, you can update it as the following sample code to take advantage of the failover feature. You can either provide a list of endpoints for Azure Active Directory (Azure AD) authentication or a list of connection strings for access key-based authentication. +Assuming you have an application using Azure App Configuration, you can update it as the following sample code to take advantage of the failover feature. You can either provide a list of endpoints for Microsoft Entra authentication or a list of connection strings for access key-based authentication. ### [.NET](#tab/dotnet) Edit the call to the `AddAzureAppConfiguration` method, which is often found in the `program.cs` file of your application. -**Connect with Azure AD** +**Connect with Microsoft Entra ID** ```csharp configurationBuilder.AddAzureAppConfiguration(options => configurationBuilder.AddAzureAppConfiguration(options => Edit the `endpoints` or `connection-strings` properties in the `bootstrap.properties` file of your application. 
-**Connect with Azure AD** +**Connect with Microsoft Entra ID** ```properties spring.cloud.azure.appconfiguration.stores[0].endpoints[0]="<first-replica-endpoint>" |
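Review bot: the unchanged context line "which is often found in the `program.cs` file of your application" should use `Program.cs`, as the quickstart-aspnet-core-app change in this set does; the case matters on case-sensitive file systems. In the `+` line, "you can update it as the following sample code" reads better as "you can update it as shown in the following sample code".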
azure-app-configuration | Howto Integrate Azure Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-integrate-azure-managed-service-identity.md | zone_pivot_groups: appconfig-provider # Use managed identities to access App Configuration -Azure Active Directory [managed identities](../active-directory/managed-identities-azure-resources/overview.md) simplify secrets management for your cloud application. With a managed identity, your code can use the service principal created for the Azure service it runs on. You use a managed identity instead of a separate credential stored in Azure Key Vault or a local connection string. +Microsoft Entra [managed identities](../active-directory/managed-identities-azure-resources/overview.md) simplify secrets management for your cloud application. With a managed identity, your code can use the service principal created for the Azure service it runs on. You use a managed identity instead of a separate credential stored in Azure Key Vault or a local connection string. Azure App Configuration and its .NET, .NET Framework, and Java Spring client libraries have managed identity support built into them. Although you aren't required to use it, the managed identity eliminates the need for an access token that contains secrets. Your code can access the App Configuration store using only the service endpoint. You can embed this URL in your code directly without exposing any secret. |
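Review bot: the unchanged context sentence "the managed identity eliminates the need for an access token that contains secrets" is inaccurate. A managed identity still obtains a Microsoft Entra access token at runtime (the concept-enable-rbac change in this set describes that two-step flow); what it removes is the stored credential, that is, the connection string or access key. Suggest "eliminates the need for a stored credential such as a connection string".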
azure-app-configuration | Overview Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/overview-managed-identity.md | -This topic shows you how to create a managed identity for Azure App Configuration. A managed identity from Azure Active Directory (Azure AD) allows Azure App Configuration to easily access other Azure AD protected resources. The identity is managed by the Azure platform. It does not require you to provision or rotate any secrets. For more about managed identities in Azure AD, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +This topic shows you how to create a managed identity for Azure App Configuration. A managed identity from Microsoft Entra ID allows Azure App Configuration to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform. It does not require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Your application can be granted two types of identities: The following steps will walk you through creating a user-assigned identity and ## Removing an identity -A system-assigned identity can be removed by disabling the feature by using the [az appconfig identity remove](/cli/azure/appconfig/identity#az-appconfig-identity-remove) command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way will also delete it from Azure AD. System-assigned identities are also automatically removed from Azure AD when the app resource is deleted. +A system-assigned identity can be removed by disabling the feature by using the [az appconfig identity remove](/cli/azure/appconfig/identity#az-appconfig-identity-remove) command in the Azure CLI. 
User-assigned identities can be removed individually. Removing a system-assigned identity in this way will also delete it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the app resource is deleted. ## Next steps |
azure-app-configuration | Quickstart Aspnet Core App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-aspnet-core-app.md | dotnet new webapp --output TestAppConfig --framework netcoreapp3.1 > [!TIP] > Some shells will truncate the connection string unless it's enclosed in quotes. Ensure that the output of the `dotnet user-secrets list` command shows the entire connection string. If it doesn't, rerun the command, enclosing the connection string in quotes. - Secret Manager stores the secret outside of your project tree, which helps prevent the accidental sharing of secrets within source code. It's used only to test the web app locally. When the app is deployed to Azure like [App Service](../app-service/overview.md), use the *Connection strings*, *Application settings* or environment variables to store the connection string. Alternatively, to avoid connection strings all together, you can [connect to App Configuration using managed identities](./howto-integrate-azure-managed-service-identity.md) or your other [Azure AD identities](./concept-enable-rbac.md). + Secret Manager stores the secret outside of your project tree, which helps prevent the accidental sharing of secrets within source code. It's used only to test the web app locally. When the app is deployed to Azure like [App Service](../app-service/overview.md), use the *Connection strings*, *Application settings* or environment variables to store the connection string. Alternatively, to avoid connection strings all together, you can [connect to App Configuration using managed identities](./howto-integrate-azure-managed-service-identity.md) or your other [Microsoft Entra identities](./concept-enable-rbac.md). 1. Open *Program.cs* and add Azure App Configuration as an extra configuration source by calling the `AddAzureAppConfiguration` method. |
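Review bot: "to avoid connection strings all together" in the `+` line should be "altogether" (carried over from the `-` line). "When the app is deployed to Azure like [App Service]" would read better as "deployed to an Azure service such as [App Service]".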
azure-app-configuration | Rest Api Authentication Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/rest-api-authentication-azure-ad.md | Title: Azure Active Directory REST API - authentication -description: Use Azure Active Directory to authenticate to Azure App Configuration by using the REST API + Title: Microsoft Entra REST API - authentication +description: Use Microsoft Entra ID to authenticate to Azure App Configuration by using the REST API -# Azure Active Directory authentication +# Microsoft Entra authentication -You can authenticate HTTP requests by using the `Bearer` authentication scheme with a token acquired from Azure Active Directory (Azure AD). You must transmit these requests over Transport Layer Security (TLS). +You can authenticate HTTP requests by using the `Bearer` authentication scheme with a token acquired from Microsoft Entra ID. You must transmit these requests over Transport Layer Security (TLS). ## Prerequisites -You must assign the principal that's used to request an Azure AD token to one of the applicable [Azure App Configuration roles](./rest-api-authorization-azure-ad.md). +You must assign the principal that's used to request a Microsoft Entra token to one of the applicable [Azure App Configuration roles](./rest-api-authorization-azure-ad.md). Provide each request with all HTTP headers required for authentication. Here's the minimum requirement: Host: {myconfig}.azconfig.io Authorization: Bearer {{AadToken}} ``` -## Azure AD token acquisition +<a name='azure-ad-token-acquisition'></a> -Before acquiring an Azure AD token, you must identify what user you want to authenticate as, what audience you're requesting the token for, and what Azure AD endpoint (authority) to use. 
+## Microsoft Entra token acquisition ++Before acquiring a Microsoft Entra token, you must identify what user you want to authenticate as, what audience you're requesting the token for, and what Microsoft Entra endpoint (authority) to use. ### Audience -Request the Azure AD token with a proper audience. For Azure App Configuration use the following audience. The audience can also be referred to as the *resource* that the token is being requested for. +Request the Microsoft Entra token with a proper audience. For Azure App Configuration use the following audience. The audience can also be referred to as the *resource* that the token is being requested for. `https://azconfig.io` -### Azure AD authority +<a name='azure-ad-authority'></a> ++### Microsoft Entra authority -The Azure AD authority is the endpoint you use for acquiring an Azure AD token. It's in the form of `https://login.microsoftonline.com/{tenantId}`. The `{tenantId}` segment refers to the Azure AD tenant ID to which the user or application who is trying to authenticate belongs. +The Microsoft Entra authority is the endpoint you use for acquiring a Microsoft Entra token. It's in the form of `https://login.microsoftonline.com/{tenantId}`. The `{tenantId}` segment refers to the Microsoft Entra tenant ID to which the user or application who is trying to authenticate belongs. ### Authentication libraries -Microsoft Authentication Library (MSAL) helps to simplify the process of acquiring an Azure AD token. Azure builds these libraries for multiple languages. For more information, see the [documentation](../active-directory/develop/msal-overview.md). +Microsoft Authentication Library (MSAL) helps to simplify the process of acquiring a Microsoft Entra token. Azure builds these libraries for multiple languages. For more information, see the [documentation](../active-directory/develop/msal-overview.md). 
## Errors HTTP/1.1 401 Unauthorized WWW-Authenticate: HMAC-SHA256, Bearer error="invalid_token", error_description="Authorization token failed validation" ``` -**Reason:** The Azure AD token isn't valid. +**Reason:** The Microsoft Entra token isn't valid. -**Solution:** Acquire an Azure AD token from the Azure AD authority, and ensure that you've used the proper audience. +**Solution:** Acquire a Microsoft Entra token from the Microsoft Entra authority, and ensure that you've used the proper audience. ```http HTTP/1.1 401 Unauthorized WWW-Authenticate: HMAC-SHA256, Bearer error="invalid_token", error_description="The access token is from the wrong issuer. It must match the AD tenant associated with the subscription to which the configuration store belongs. If you just transferred your subscription and see this error message, please try back later." ``` -**Reason:** The Azure AD token isn't valid. +**Reason:** The Microsoft Entra token isn't valid. -**Solution:** Acquire an Azure AD token from the Azure AD authority. Ensure that the Azure AD tenant is the one associated with the subscription to which the configuration store belongs. This error can appear if the principal belongs to more than one Azure AD tenant. +**Solution:** Acquire a Microsoft Entra token from the Microsoft Entra authority. Ensure that the Microsoft Entra tenant is the one associated with the subscription to which the configuration store belongs. This error can appear if the principal belongs to more than one Microsoft Entra tenant. |
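Review bot: the new title "Microsoft Entra REST API - authentication" names the wrong API; the page documents authenticating to the Azure App Configuration REST API, and the companion authorization page in this set is titled "Azure App Configuration REST API - Microsoft Entra authorization". Suggest "Azure App Configuration REST API - Microsoft Entra authentication" for consistency. The `WWW-Authenticate` response text that still says "AD tenant" is server output and correctly stays as-is.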
azure-app-configuration | Rest Api Authentication Index | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/rest-api-authentication-index.md | - + Title: Azure App Configuration REST API - Authentication description: Reference pages for authentication using the Azure App Configuration REST API All HTTP requests must be authenticated. The following authentication schemes ar [HMAC authentication](./rest-api-authentication-hmac.md) uses a randomly generated secret to sign request payloads. Details on how requests using this authentication method are authorized can be found in the [HMAC authorization](./rest-api-authorization-hmac.md) section. -## Azure Active Directory +<a name='azure-active-directory'></a> ++## Microsoft Entra ID -[Azure Active Directory (Azure AD) authentication](../active-directory/authentication/overview-authentication.md) utilizes a bearer token that is obtained from Azure Active Directory to authenticate requests. Details on how requests using this authentication method are authorized can be found in the [Azure AD authorization](./rest-api-authorization-azure-ad.md) section. +[Microsoft Entra authentication](../active-directory/authentication/overview-authentication.md) utilizes a bearer token that is obtained from Microsoft Entra ID to authenticate requests. Details on how requests using this authentication method are authorized can be found in the [Microsoft Entra authorization](./rest-api-authorization-azure-ad.md) section. |
azure-app-configuration | Rest Api Authorization Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/rest-api-authorization-azure-ad.md | Title: Azure App Configuration REST API - Azure Active Directory authorization -description: Use Azure Active Directory for authorization against Azure App Configuration by using the REST API + Title: Azure App Configuration REST API - Microsoft Entra authorization +description: Use Microsoft Entra ID for authorization against Azure App Configuration by using the REST API -# Azure Active Directory authorization - REST API reference +# Microsoft Entra authorization - REST API reference -When you use Azure Active Directory (Azure AD) authentication, authorization is handled by role-based access control (RBAC). RBAC requires users to be assigned to roles in order to grant access to resources. Each role contains a set of actions that users assigned to the role are able to perform. +When you use Microsoft Entra authentication, authorization is handled by role-based access control (RBAC). RBAC requires users to be assigned to roles in order to grant access to resources. Each role contains a set of actions that users assigned to the role are able to perform. ## Roles HTTP/1.1 403 Forbidden ## Managing role assignments -You can manage role assignments by using [Azure RBAC procedures](../role-based-access-control/overview.md) that are standard across all Azure services. You can do this through the Azure CLI, PowerShell, and the Azure portal. For more information, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). +You can manage role assignments by using [Azure RBAC procedures](../role-based-access-control/overview.md) that are standard across all Azure services. You can do this through the Azure CLI, PowerShell, and the Azure portal. 
For more information, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). |
azure-app-configuration | Rest Api Authorization Index | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/rest-api-authorization-index.md | - + Title: Azure App Configuration REST API - Authorization description: Reference pages for authorization using the Azure App Configuration REST API Authorization refers to the procedure used to determine the permissions that a c The [authorization model](./rest-api-authorization-hmac.md) model associated with HMAC authentication splits permissions into read-only or read-write. See the [HMAC authorization](./rest-api-authorization-hmac.md) page for details. -## Azure Active Directory +<a name='azure-active-directory'></a> ++## Microsoft Entra ID -The [authorization model](./rest-api-authorization-azure-ad.md) associated with Azure Active Directory (Azure AD) authentication uses Azure RBAC to control permissions. See the [Azure AD authorization](./rest-api-authorization-azure-ad.md) page for details. +The [authorization model](./rest-api-authorization-azure-ad.md) associated with Microsoft Entra authentication uses Azure RBAC to control permissions. See the [Microsoft Entra authorization](./rest-api-authorization-azure-ad.md) page for details. |
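Review bot: the unchanged context line "The [authorization model](./rest-api-authorization-hmac.md) model associated with HMAC authentication" has a doubled "model"; since the file is being edited anyway, drop the second one.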
azure-app-configuration | Rest Api Fiddler | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/rest-api-fiddler.md | - Title: Azure Active Directory REST API - Test Using Fiddler++ Title: Microsoft Entra REST API - Test Using Fiddler description: Use Fiddler to test the Azure App Configuration REST API |
azure-app-configuration | Rest Api Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/rest-api-postman.md | - Title: Azure Active Directory REST API - Test by using Postman++ Title: Microsoft Entra REST API - Test by using Postman description: Use Postman to test the Azure App Configuration REST API |
azure-arc | Automated Integration Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/automated-integration-testing.md | export ARC_DATASERVICES_WHL_OVERRIDE="https://azurearcdatacli.blob.core.windows. ``` The CLI version to Blob URL mapping can be found [here](https://azcliextensionsync.blob.core.windows.net/index1/index.json). -##### 3. `CUSTOM_LOCATION_OID` - Custom Locations Object ID from your specific Azure AD Tenant +<a name='3-custom_location_oidcustom-locations-object-id-from-your-specific-azure-ad-tenant'></a> ++##### 3. `CUSTOM_LOCATION_OID` - Custom Locations Object ID from your specific Microsoft Entra tenant > Mandatory: this is required for Connected Cluster Custom Location creation. -The following steps are sourced from [Enable custom locations on your cluster](../kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster) to retrieve the unique Custom Location Object ID for your Azure AD tenant. +The following steps are sourced from [Enable custom locations on your cluster](../kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster) to retrieve the unique Custom Location Object ID for your Microsoft Entra tenant. -There are two approaches to obtaining the `CUSTOM_LOCATION_OID` for your Azure AD tenant. +There are two approaches to obtaining the `CUSTOM_LOCATION_OID` for your Microsoft Entra tenant. 1. Via Azure CLI: There are two approaches to obtaining the `CUSTOM_LOCATION_OID` for your Azure A ![A screenshot of a PowerShell terminal that shows `az ad sp show --id <>`.](media/automated-integration-testing/custom-location-oid-cli.png) -2. Via Azure portal - navigate to your Azure Active Directory blade, and search for `Custom Locations RP`: +2. Via Azure portal - navigate to your Microsoft Entra blade, and search for `Custom Locations RP`: ![A screenshot of the custom locations RP.](media/automated-integration-testing/custom-location-oid-portal.png) |
azure-arc | Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/connectivity.md | The connectivity mode provides you the flexibility to choose how much data is se Importantly, if the Azure Arc-enabled data services are directly connected to Azure, then users can use [Azure Resource Manager APIs](/rest/api/resources/), the Azure CLI, and the Azure portal to operate the Azure Arc data services. The experience in directly connected mode is much like how you would use any other Azure service with provisioning/de-provisioning, scaling, configuring, and so on all in the Azure portal. If the Azure Arc-enabled data services are indirectly connected to Azure, then the Azure portal is a read-only view. You can see the inventory of SQL managed instances and PostgreSQL servers that you have deployed and the details about them, but you cannot take action on them in the Azure portal. In the indirectly connected mode, all actions must be taken locally using Azure Data Studio, the appropriate CLI, or Kubernetes native tools like kubectl. -Additionally, Azure Active Directory and Azure Role-Based Access Control can be used in the directly connected mode only because there is a dependency on a continuous and direct connection to Azure to provide this functionality. +Additionally, Microsoft Entra ID and Azure Role-Based Access Control can be used in the directly connected mode only because there is a dependency on a continuous and direct connection to Azure to provide this functionality. Some Azure-attached services are only available when they can be directly reached such as Container Insights, and backup to blob storage. 
Some Azure-attached services are only available when they can be directly reache |**Automatic upgrades and patching**|Supported<br/>The data controller must either have direct access to the Microsoft Container Registry (MCR) or the container images need to be pulled from MCR and pushed to a local, private container registry that the data controller has access to.|Supported| |**Automatic backup and restore**|Supported<br/>Automatic local backup and restore.|Supported<br/>In addition to automated local backup and restore, you can _optionally_ send backups to Azure blob storage for long-term, off-site retention.| |**Monitoring**|Supported<br/>Local monitoring using Grafana and Kibana dashboards.|Supported<br/>In addition to local monitoring dashboards, you can _optionally_ send monitoring data and logs to Azure Monitor for at-scale monitoring of multiple sites in one place. |-|**Authentication**|Use local username/password for data controller and dashboard authentication. Use SQL and Postgres logins or Active Directory (AD is not currently supported) for connectivity to database instances. Use Kubernetes authentication providers for authentication to the Kubernetes API.|In addition to or instead of the authentication methods for the indirectly connected mode, you can _optionally_ use Azure Active Directory.| -|**Role-based access control (RBAC)**|Use Kubernetes RBAC on Kubernetes API. Use SQL and Postgres RBAC for database instances.|You can use Azure Active Directory and Azure RBAC.| +|**Authentication**|Use local username/password for data controller and dashboard authentication. Use SQL and Postgres logins or Active Directory (AD is not currently supported) for connectivity to database instances. 
Use Kubernetes authentication providers for authentication to the Kubernetes API.|In addition to or instead of the authentication methods for the indirectly connected mode, you can _optionally_ use Microsoft Entra ID.| +|**Role-based access control (RBAC)**|Use Kubernetes RBAC on Kubernetes API. Use SQL and Postgres RBAC for database instances.|You can use Microsoft Entra ID and Azure RBAC.| ## Connectivity requirements Some Azure-attached services are only available when they can be directly reache |**Billing telemetry data**|Customer environment -> Azure|Required|No|Indirect or direct|Utilization of database instances must be sent to Azure for billing purposes. | |**Monitoring data and logs**|Customer environment -> Azure|Optional|Maybe depending on data volume (see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/))|Indirect or direct|You may want to send the locally collected monitoring data and logs to Azure Monitor for aggregating data across multiple environments into one place and also to use Azure Monitor services like alerts, using the data in Azure Machine Learning, etc.| |**Azure Role-based Access Control (Azure RBAC)**|Customer environment -> Azure -> Customer Environment|Optional|No|Direct only|If you want to use Azure RBAC, then connectivity must be established with Azure at all times. If you donΓÇÖt want to use Azure RBAC then local Kubernetes RBAC can be used.|-|**Azure Active Directory (AAD) (Future)**|Customer environment -> Azure -> Customer environment|Optional|Maybe, but you may already be paying for Azure AD|Direct only|If you want to use Azure AD for authentication, then connectivity must be established with Azure at all times. If you donΓÇÖt want to use Azure AD for authentication, you can use Active Directory Federation Services (ADFS) over Active Directory. 
**Pending availability in directly connected mode**| +|**Microsoft Entra ID (Future)**|Customer environment -> Azure -> Customer environment|Optional|Maybe, but you may already be paying for Microsoft Entra ID|Direct only|If you want to use Microsoft Entra ID for authentication, then connectivity must be established with Azure at all times. If you donΓÇÖt want to use Microsoft Entra ID for authentication, you can use Active Directory Federation Services (ADFS) over Active Directory. **Pending availability in directly connected mode**| |**Backup and restore**|Customer environment -> Customer environment|Required|No|Direct or indirect|The backup and restore service can be configured to point to local storage classes. | |**Azure backup - long term retention (Future)**| Customer environment -> Azure | Optional| Yes for Azure storage | Direct only |You may want to send backups that are taken locally to Azure Backup for long-term, off-site retention of backups and bring them back to the local environment for restore. | |**Provisioning and configuration changes from Azure portal**|Customer environment -> Azure -> Customer environment|Optional|No|Direct only|Provisioning and configuration changes can be done locally using Azure Data Studio or the appropriate CLI. In directly connected mode, you will also be able to provision and make configuration changes from the Azure portal.| Some Azure-attached services are only available when they can be directly reache ## Additional network requirements -In addition, resource bridge (preview) requires [Arc-enabled Kubernetes endpoints](../network-requirements-consolidated.md#azure-arc-enabled-kubernetes-endpoints). +In addition, resource bridge (preview) requires [Arc-enabled Kubernetes endpoints](../network-requirements-consolidated.md#azure-arc-enabled-kubernetes-endpoints). |
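Review bot: the renamed "Microsoft Entra ID (Future)" row keeps the "(Future)" label and the closing "**Pending availability in directly connected mode**" sentence, while the Authentication row changed earlier in this same patch says you can "_optionally_ use Microsoft Entra ID" in directly connected mode; the two statements contradict each other, so either drop "(Future)" and the pending-availability sentence here or qualify the Authentication row. While touching this row, the ADFS fallback sentence still reads `donΓÇÖt` (a mis-encoded apostrophe, also present in the Azure RBAC row above it) and should be `don't`.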
azure-arc | Managed Instance Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/managed-instance-features.md | Azure Arc-enabled SQL Managed Instance share a common code base with the latest | Contained databases | Yes | | Encryption for backups | Yes | | SQL Server Authentication | Yes |-| Azure Active Directory Authentication | No | +| Microsoft Entra authentication | No | | Windows Authentication | Yes | ## <a name="RDBMSM"></a> RDBMS Manageability |
azure-arc | Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/azure-rbac.md | description: "Use Azure RBAC for authorization checks on Azure Arc-enabled Kuber # Use Azure RBAC on Azure Arc-enabled Kubernetes clusters (preview) -Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. By using this feature, you can use Azure Active Directory (Azure AD) and role assignments in Azure to control authorization checks on the cluster. Azure role assignments let you granularly control which users can read, write, and delete Kubernetes objects such as deployment, pod, and service. +Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. By using this feature, you can use Microsoft Entra ID and role assignments in Azure to control authorization checks on the cluster. Azure role assignments let you granularly control which users can read, write, and delete Kubernetes objects such as deployment, pod, and service. For a conceptual overview of this feature, see [Azure RBAC on Azure Arc-enabled Kubernetes](conceptual-azure-rbac.md). For a conceptual overview of this feature, see [Azure RBAC on Azure Arc-enabled > [!NOTE] > You can't set up this feature for Red Hat OpenShift, or for managed Kubernetes offerings of cloud providers like Elastic Kubernetes Service or Google Kubernetes Engine where the user doesn't have access to the API server of the cluster. For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](../../aks/manage-azure-rbac.md) and doesn't require the AKS cluster to be connected to Azure Arc. 
For AKS on Azure Stack HCI, see [Use Azure RBAC for AKS hybrid clusters (preview)](/azure/aks/hybrid/azure-rbac-aks-hybrid). -## Set up Azure AD applications +<a name='set-up-azure-ad-applications'></a> ++## Set up Microsoft Entra applications ### [Azure CLI >= v2.3.7](#tab/AzureCLI) #### Create a server application -1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`. +1. Create a new Microsoft Entra application and get its `appId` value. This value is used in later steps as `serverApplicationId`. ```azurecli CLUSTER_NAME="<name-of-arc-connected-cluster>" For a conceptual overview of this feature, see [Azure RBAC on Azure Arc-enabled #### Create a client application -1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `clientApplicationId`. +1. Create a new Microsoft Entra application and get its `appId` value. This value is used in later steps as `clientApplicationId`. ```azurecli CLIENT_UNIQUE_SUFFIX="<identifier_suffix>" For a conceptual overview of this feature, see [Azure RBAC on Azure Arc-enabled #### Create a server application -1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`. +1. Create a new Microsoft Entra application and get its `appId` value. This value is used in later steps as `serverApplicationId`. ```azurecli CLUSTER_NAME="<name-of-arc-connected-cluster>" For a conceptual overview of this feature, see [Azure RBAC on Azure Arc-enabled #### Create a client application -1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `clientApplicationId`. +1. Create a new Microsoft Entra application and get its `appId` value. This value is used in later steps as `clientApplicationId`. 
```azurecli CLIENT_UNIQUE_SUFFIX="<identifier_suffix>" Using a shared kubeconfig requires slightly different steps depending on your Ku sudo chmod +x /usr/local/bin/kubelogin ``` -5. [Convert](https://azure.github.io/kubelogin/cli/convert-kubeconfig.html) the kubelogin to use the appropriate [login mode](https://azure.github.io/kubelogin/concepts/login-modes.html). For example, for [device code login](https://azure.github.io/kubelogin/concepts/login-modes/devicecode.html) with an Azure Active Directory user, the commands would be as follows: +5. [Convert](https://azure.github.io/kubelogin/cli/convert-kubeconfig.html) the kubelogin to use the appropriate [login mode](https://azure.github.io/kubelogin/concepts/login-modes.html). For example, for [device code login](https://azure.github.io/kubelogin/concepts/login-modes/devicecode.html) with a Microsoft Entra user, the commands would be as follows: ```bash export KUBECONFIG=/path/to/kubeconfig Using a shared kubeconfig requires slightly different steps depending on your Ku An administrator needs to create a new role assignment that authorizes this user to have access on the resource. -## Use Conditional Access with Azure AD +<a name='use-conditional-access-with-azure-ad'></a> ++## Use Conditional Access with Microsoft Entra ID -When you're integrating Azure AD with your Azure Arc-enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster. +When you're integrating Microsoft Entra ID with your Azure Arc-enabled Kubernetes cluster, you can also use [Conditional Access](../../active-directory/conditional-access/overview.md) to control access to your cluster. > [!NOTE]-> [Azure AD Conditional Access](../../active-directory/conditional-access/overview.md) is an Azure AD Premium capability. +> [Microsoft Entra Conditional Access](../../active-directory/conditional-access/overview.md) is a Microsoft Entra ID P2 capability. 
To create an example Conditional Access policy to use with the cluster: -1. At the top of the Azure portal, search for and select **Azure Active Directory**. -1. On the menu for Azure Active Directory on the left side, select **Enterprise applications**. +1. At the top of the Azure portal, search for and select **Microsoft Entra ID**. +1. On the menu for Microsoft Entra ID on the left side, select **Enterprise applications**. 1. On the menu for enterprise applications on the left side, select **Conditional Access**. 1. On the menu for Conditional Access on the left side, select **Policies** > **New policy**. To create an example Conditional Access policy to use with the cluster: 1. Enter a name for the policy, such as **arc-k8s-policy**. -1. Select **Users and groups**. Under **Include**, choose **Select users and groups**. Then choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administrative access to your cluster. +1. Select **Users and groups**. Under **Include**, choose **Select users and groups**. Then choose the users and groups where you want to apply the policy. For this example, choose the same Microsoft Entra group that has administrative access to your cluster. :::image type="content" source="media/azure-rbac/conditional-access-users-groups.png" alt-text="Screenshot that shows selecting users or groups to apply the Conditional Access policy." lightbox="media/azure-rbac/conditional-access-users-groups.png"::: Access the cluster again. For example, run the `kubectl get nodes` command to vi kubectl get nodes ``` -Follow the instructions to sign in again. An error message states that you're successfully logged in, but your admin requires the device that's requesting access to be managed by Azure AD in order to access the resource. Follow these steps: +Follow the instructions to sign in again. 
An error message states that you're successfully logged in, but your admin requires the device that's requesting access to be managed by Microsoft Entra ID in order to access the resource. Follow these steps: -1. In the Azure portal, go to **Azure Active Directory**. +1. In the Azure portal, go to **Microsoft Entra ID**. 1. Select **Enterprise applications**. Then under **Activity**, select **Sign-ins**. 1. An entry at the top shows **Failed** for **Status** and **Success** for **Conditional Access**. Select the entry, and then select **Conditional Access** in **Details**. Notice that your Conditional Access policy is listed. :::image type="content" source="media/azure-rbac/conditional-access-sign-in-activity.png" alt-text="Screenshot showing a failed sign-in entry in the Azure portal." lightbox="media/azure-rbac/conditional-access-sign-in-activity.png"::: -## Configure just-in-time cluster access with Azure AD +<a name='configure-just-in-time-cluster-access-with-azure-ad'></a> ++## Configure just-in-time cluster access with Microsoft Entra ID Another option for cluster access control is to use [Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) for just-in-time requests. >[!NOTE]-> [Azure AD PIM](../../active-directory/privileged-identity-management/pim-configure.md) is an Azure AD Premium capability that requires a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide](https://azure.microsoft.com/pricing/details/active-directory/). +> [Microsoft Entra PIM](../../active-directory/privileged-identity-management/pim-configure.md) is a Microsoft Entra ID P2 capability. For more on Microsoft Entra ID SKUs, see the [pricing guide](https://azure.microsoft.com/pricing/details/active-directory/). To configure just-in-time access requests for your cluster, complete the following steps: -1. At the top of the Azure portal, search for and select **Azure Active Directory**. +1. 
At the top of the Azure portal, search for and select **Microsoft Entra ID**. 1. Take note of the tenant ID. For the rest of these instructions, we'll refer to that ID as `<tenant-id>`. - :::image type="content" source="media/azure-rbac/jit-get-tenant-id.png" alt-text="Screenshot showing Azure Active Directory details in the Azure portal." lightbox="media/azure-rbac/jit-get-tenant-id.png"::: + :::image type="content" source="media/azure-rbac/jit-get-tenant-id.png" alt-text="Screenshot showing Microsoft Entra ID details in the Azure portal." lightbox="media/azure-rbac/jit-get-tenant-id.png"::: -1. On the menu for Azure Active Directory on the left side, under **Manage**, select **Groups** > **New group**. +1. On the menu for Microsoft Entra ID on the left side, under **Manage**, select **Groups** > **New group**. -1. Make sure that **Security** is selected for **Group type**. Enter a group name, such as **myJITGroup**. Under **Azure AD Roles can be assigned to this group (Preview)**, select **Yes**. Finally, select **Create**. +1. Make sure that **Security** is selected for **Group type**. Enter a group name, such as **myJITGroup**. Under **Microsoft Entra roles can be assigned to this group (Preview)**, select **Yes**. Finally, select **Create**. :::image type="content" source="media/azure-rbac/jit-new-group-created.png" alt-text="Screenshot showing details for the new group in the Azure portal." lightbox="media/azure-rbac/jit-new-group-created.png"::: |
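Review bot: the Conditional Access note changes "an Azure AD Premium capability" to "a Microsoft Entra ID P2 capability", which narrows the licensing claim rather than just renaming the product; Conditional Access is licensed from the P1 tier, and only the PIM note later in this patch genuinely requires P2 (the original PIM note already said "requires a Premium P2 SKU"). Suggest "a Microsoft Entra ID P1 capability" for the Conditional Access note, or keep an unqualified "Microsoft Entra ID premium capability", and link the same pricing guide the PIM note links so readers can check the tier.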
azure-arc | Cluster Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/cluster-connect.md | Title: "Use cluster connect to securely connect to Azure Arc-enabled Kubernetes clusters." Previously updated : 08/30/2023 Last updated : 10/12/2023 -description: "With cluster connect, you can securely connect to Azure Arc-enabled Kubernetes clusters without requiring any inbound port to be enabled on the firewall." +description: "With cluster connect, you can securely connect to Azure Arc-enabled Kubernetes clusters from anywhere without requiring any inbound port to be enabled on the firewall." # Use cluster connect to securely connect to Azure Arc-enabled Kubernetes clusters -With cluster connect, you can securely connect to Azure Arc-enabled Kubernetes clusters without requiring any inbound port to be enabled on the firewall. +With cluster connect, you can securely connect to Azure Arc-enabled Kubernetes clusters from anywhere without requiring any inbound port to be enabled on the firewall. Access to the `apiserver` of the Azure Arc-enabled Kubernetes cluster enables the following scenarios: Before you begin, review the [conceptual overview of the cluster connect feature [!INCLUDE [arc-region-note](../includes/arc-region-note.md)] -## Azure Active Directory authentication option +## Set up authentication -### [Azure CLI](#tab/azure-cli) +On the existing Arc-enabled cluster, create the ClusterRoleBinding with either Microsoft Entra authentication, or a service account token. ++<a name='azure-active-directory-authentication-option'></a> ++### Microsoft Entra authentication option -1. Get the `objectId` associated with your Azure Active Directory (Azure AD) entity. +#### [Azure CLI](#tab/azure-cli) - - For an Azure AD user account: +1. Get the `objectId` associated with your Microsoft Entra entity. 
++ - For a Microsoft Entra user account: ```azurecli AAD_ENTITY_OBJECT_ID=$(az ad signed-in-user show --query id -o tsv) ``` - - For an Azure AD application: + - For a Microsoft Entra application: ```azurecli AAD_ENTITY_OBJECT_ID=$(az ad sp show --id <id> --query id -o tsv) Before you begin, review the [conceptual overview of the cluster connect feature 1. Authorize the entity with appropriate permissions. - - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Azure AD entity (service principal or user) that needs to access this cluster. Example: + - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Microsoft Entra entity (service principal or user) that needs to access this cluster. Example: ```console kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --user=$AAD_ENTITY_OBJECT_ID ``` - - If you are using Azure RBAC for authorization checks on the cluster, you can create an Azure role assignment mapped to the Azure AD entity. Example: + - If you are using Azure RBAC for authorization checks on the cluster, you can create an Azure role assignment mapped to the Microsoft Entra entity. Example: ```azurecli az role assignment create --role "Azure Arc Kubernetes Viewer" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER az role assignment create --role "Azure Arc Enabled Kubernetes Cluster User Role" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER ``` -### [Azure PowerShell](#tab/azure-powershell) +#### [Azure PowerShell](#tab/azure-powershell) -1. Get the `objectId` associated with your Azure Active Directory (Azure AD) entity. +1. 
Get the `objectId` associated with your Microsoft Entra entity. - - For an Azure AD user account: + - For a Microsoft Entra user account: ```azurepowershell $AAD_ENTITY_OBJECT_ID = (az ad signed-in-user show --query id -o tsv) ``` - - For an Azure AD application: + - For a Microsoft Entra application: ```azurepowershell $AAD_ENTITY_OBJECT_ID = (az ad sp show --id <id> --query objectId -o tsv) Before you begin, review the [conceptual overview of the cluster connect feature 1. Authorize the entity with appropriate permissions. - - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Azure AD entity (service principal or user) that needs to access this cluster. Example: + - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Microsoft Entra entity (service principal or user) that needs to access this cluster. Example: ```console kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --user=$AAD_ENTITY_OBJECT_ID ``` - - If you are using [Azure RBAC for authorization checks](azure-rbac.md) on the cluster, you can create an Azure role assignment mapped to the Azure AD entity. Example: + - If you are using [Azure RBAC for authorization checks](azure-rbac.md) on the cluster, you can create an Azure role assignment mapped to the Microsoft Entra entity. 
Example: ```azurecli az role assignment create --role "Azure Arc Kubernetes Viewer" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER+ az role assignment create --role "Azure Arc Enabled Kubernetes Cluster User Role" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER ``` -## Service account token authentication option +### Service account token authentication option -### [Azure CLI](#tab/azure-cli) +#### [Azure CLI](#tab/azure-cli) 1. With the `kubeconfig` file pointing to the `apiserver` of your Kubernetes cluster, run this command to create a service account. This example creates the service account in the default namespace, but you can substitute any other namespace for `default`. Before you begin, review the [conceptual overview of the cluster connect feature echo $TOKEN ``` -### [Azure PowerShell](#tab/azure-powershell) +#### [Azure PowerShell](#tab/azure-powershell) 1. With the `kubeconfig` file pointing to the `apiserver` of your Kubernetes cluster, run this command to create a service account. This example creates the service account in the default namespace, but you can substitute any other namespace for `default`. Before you begin, review the [conceptual overview of the cluster connect feature -## Access your cluster +## Access your cluster from a client device ++Now you can access the cluster from a different client. Run the following steps on another client device. -1. Set up the cluster connect `kubeconfig` needed to access your cluster based on the authentication option used: +1. Sign in using either Microsoft Entra authentication or service account token authentication. - - If using Azure AD authentication, after logging into Azure CLI using the Azure AD entity of interest, get the Cluster Connect `kubeconfig` needed to communicate with the cluster from anywhere (from even outside the firewall surrounding the cluster): +1. 
Get the cluster connect `kubeconfig` needed to communicate with the cluster from anywhere (from even outside the firewall surrounding the cluster), based on the authentication option used: ++ - If using Microsoft Entra authentication: ```azurecli az connectedk8s proxy -n $CLUSTER_NAME -g $RESOURCE_GROUP ``` - - If using service account authentication, get the cluster connect `kubeconfig` needed to communicate with the cluster from anywhere: + - If using service account token authentication: ```azurecli az connectedk8s proxy -n $CLUSTER_NAME -g $RESOURCE_GROUP --token $TOKEN ``` -1. Use `kubectl` to send requests to the cluster: + > [!NOTE] + > This command will open the proxy and block the current shell. - ```console - kubectl get pods +1. In a different shell session, use `kubectl` to send requests to the cluster: ++ ```powershell + kubectl get pods -A ``` You should now see a response from the cluster containing the list of all pods under the `default` namespace. Use `az connectedk8s show` to check your Arc-enabled Kubernetes agent version. ### [Agent version < 1.11.7](#tab/agent-version) -When making requests to the Kubernetes cluster, if the Azure AD entity used is a part of more than 200 groups, you may see the following error: +When making requests to the Kubernetes cluster, if the Microsoft Entra entity used is a part of more than 200 groups, you may see the following error: `You must be logged in to the server (Error:Error while retrieving group info. Error:Overage claim (users with more than 200 group membership) is currently not supported.` This is a known limitation. 
To get past this error: ### [Agent version >= 1.11.7](#tab/agent-version-latest) -When making requests to the Kubernetes cluster, if the Azure AD service principal used is a part of more than 200 groups, you may see the following error: +When making requests to the Kubernetes cluster, if the Microsoft Entra service principal used is a part of more than 200 groups, you may see the following error: `Overage claim (users with more than 200 group membership) for SPN is currently not supported. For troubleshooting, please refer to aka.ms/overageclaimtroubleshoot` This is a known limitation. To get past this error: ## Next steps -- Set up [Azure AD RBAC](azure-rbac.md) on your clusters.+- Set up [Microsoft Entra RBAC](azure-rbac.md) on your clusters. - Deploy and manage [cluster extensions](extensions.md). |
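Review bot: in the "Azure PowerShell" tab under the Microsoft Entra authentication option, the application case still reads `$AAD_ENTITY_OBJECT_ID = (az ad sp show --id <id> --query objectId -o tsv)`, while the Azure CLI tab for the same step uses `--query id`. Since Azure CLI 2.37.0 moved the `az ad` commands to Microsoft Graph, the service principal JSON carries an `id` property and no `objectId`, so the `objectId` query returns an empty string and the later `kubectl create clusterrolebinding ... --user=$AAD_ENTITY_OBJECT_ID` and `az role assignment create --assignee $AAD_ENTITY_OBJECT_ID` would run with an empty identity. Align it with the CLI tab as `--query id`. Separately, that tab's fences are labelled `azurepowershell` but the commands are `az` CLI; either relabel them `azurecli` or use the Az module equivalent `(Get-AzADServicePrincipal -ApplicationId <id>).Id`.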
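Review bot: the kubectl step in "Access your cluster from a client device" changes the command to `kubectl get pods -A`, but the unchanged sentence right after it still says the response contains "the list of all pods under the `default` namespace"; with `-A` the output spans every namespace, so either drop `-A` or reword the sentence to "all pods in all namespaces". The fence for that block also switches from `console` to `powershell`, while every other block in the section is `azurecli` or `console`; `console` fits a command that is the same in any shell, and the new note that the proxy "will open the proxy and block the current shell" is a useful addition that the `console` label does not need to change.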
azure-arc | Conceptual Agent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-agent-overview.md | The following high-level steps are involved in [connecting a Kubernetes cluster | `deployment.apps/extension-manager` | Installs and manages lifecycle of extension Helm charts. | | `deployment.apps/kube-aad-proxy` | Used for authentication of requests sent to the cluster using cluster connect. | | `deployment.apps/clusterconnect-agent` | Reverse proxy agent that enables the cluster connect feature to provide access to `apiserver` of the cluster. Optional component deployed only if the [cluster connect](conceptual-cluster-connect.md) feature is enabled. |- | `deployment.apps/guard` | Authentication and authorization webhook server used for Azure Active Directory (Azure AD) RBAC. Optional component deployed only if [Azure RBAC](conceptual-azure-rbac.md) is enabled on the cluster. | + | `deployment.apps/guard` | Authentication and authorization webhook server used for Microsoft Entra RBAC. Optional component deployed only if [Azure RBAC](conceptual-azure-rbac.md) is enabled on the cluster. | 1. Once all the Azure Arc-enabled Kubernetes agent pods are in `Running` state, verify that your cluster is connected to Azure Arc. You should see: |
azure-arc | Conceptual Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-azure-rbac.md | description: "This article provides a conceptual overview of the Azure RBAC capa # Azure RBAC on Azure Arc-enabled Kubernetes clusters (preview) -Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. With Azure RBAC, you can use Azure Active Directory (Azure AD) and role assignments in Azure to control authorization checks on the cluster. This allows the benefits of Azure role assignments, such as activity logs showing all Azure RBAC changes to an Azure resource, to be used with your Azure Arc-enabled Kubernetes cluster. +Kubernetes [ClusterRoleBinding and RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) object types help to define authorization in Kubernetes natively. With Azure RBAC, you can use Microsoft Entra ID and role assignments in Azure to control authorization checks on the cluster. This allows the benefits of Azure role assignments, such as activity logs showing all Azure RBAC changes to an Azure resource, to be used with your Azure Arc-enabled Kubernetes cluster. [!INCLUDE [preview features note](./includes/preview/preview-callout.md)] In order to route all authorization access checks to the authorization service i The `apiserver` of the cluster is configured to use [webhook token authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication) and [webhook authorization](https://kubernetes.io/docs/reference/access-authn-authz/webhook/) so that `TokenAccessReview` and `SubjectAccessReview` requests are routed to the guard webhook server. 
The `TokenAccessReview` and `SubjectAccessReview` requests are triggered by requests for Kubernetes resources sent to the `apiserver`. -Guard then makes a `checkAccess` call on the authorization service in Azure to see if the requesting Azure AD entity has access to the resource of concern. +Guard then makes a `checkAccess` call on the authorization service in Azure to see if the requesting Microsoft Entra entity has access to the resource of concern. If that entity has a role that permits this access, an `allowed` response is sent from the authorization service to guard. Guard, in turn, sends an `allowed` response to the `apiserver`, enabling the calling entity to access the requested Kubernetes resource. |
azure-arc | Conceptual Cluster Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-cluster-connect.md | When a user sends a request using this `kubeconfig` file: 1. The Azure Arc proxy maps the endpoint receiving the request to the Azure Arc service. 1. The Azure Arc service then forwards the request to the `clusterconnect-agent` running on the cluster.-1. The `clusterconnect-agent` passes on the request to the `kube-aad-proxy` component, which performs Azure Active Directory (Azure AD) authentication on the calling entity. -1. After Azure AD authentication, `kube-aad-proxy` uses Kubernetes [user impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) to forward the request to the cluster's `apiserver`. +1. The `clusterconnect-agent` passes on the request to the `kube-aad-proxy` component, which performs Microsoft Entra authentication on the calling entity. +1. After Microsoft Entra authentication, `kube-aad-proxy` uses Kubernetes [user impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) to forward the request to the cluster's `apiserver`. ## Next steps |
azure-arc | Conceptual Custom Locations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/conceptual-custom-locations.md | You can visualize custom locations as an abstraction layer on top of Azure Arc-e ## Architecture -When the admin [enables the custom locations feature on the cluster](custom-locations.md), a ClusterRoleBinding is created on the cluster, authorizing the Azure AD application used by the custom locations resource provider. Once authorized, the custom locations resource provider can create ClusterRoleBindings or RoleBindings needed by other Azure resource providers to create custom resources on this cluster. The cluster extensions installed on the cluster determine the list of resource providers to authorize. +When the admin [enables the custom locations feature on the cluster](custom-locations.md), a ClusterRoleBinding is created on the cluster, authorizing the Microsoft Entra application used by the custom locations resource provider. Once authorized, the custom locations resource provider can create ClusterRoleBindings or RoleBindings needed by other Azure resource providers to create custom resources on this cluster. The cluster extensions installed on the cluster determine the list of resource providers to authorize. [ ![Use custom locations](./media/conceptual-custom-locations-usage.png) ](./media/conceptual-custom-locations-usage.png#lightbox) |
azure-arc | Custom Locations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/custom-locations.md | In this article, you learn how to: ## Enable custom locations on your cluster -If you are signed in to Azure CLI as an Azure Active Directory (Azure AD) user, to enable this feature on your cluster, execute the following command: +If you are signed in to Azure CLI as a Microsoft Entra user, to enable this feature on your cluster, execute the following command: ```azurecli az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features cluster-connect custom-locations Unable to fetch oid of 'custom-locations' app. Proceeding without enabling the f This is because a service principal doesn't have permissions to get information about the application used by the Azure Arc service. To avoid this error, complete the following steps: -1. Sign in to Azure CLI using your user account. Fetch the `objectId` or `id` of the Azure AD application used by Azure Arc service. The command you use depends on your version of Azure CLI. +1. Sign in to Azure CLI using your user account. Fetch the `objectId` or `id` of the Microsoft Entra application used by Azure Arc service. The command you use depends on your version of Azure CLI. If you're using an Azure CLI version lower than 2.37.0, use the following command: |
azure-arc | Identity Access Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/identity-access-overview.md | Cluster connect is required if you want to use [custom locations](conceptual-cus For more information, see [Use cluster connect to securely connect to Azure Arc-enabled Kubernetes clusters](cluster-connect.md). -### Azure AD and Azure RBAC without cluster connect +<a name='azure-ad-and-azure-rbac-without-cluster-connect'></a> -If you don't want to use cluster connect, you can authenticate and authorize users so they can access the connected cluster by using [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) and [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview). Using [Azure RBAC on Azure Arc-enabled Kubernetes (preview)](conceptual-azure-rbac.md) lets you control the access that's granted to users in your tenant, managing access directly from Azure using familiar Azure identity and access features. You can also configure roles at the subscription or resource group scope, letting them roll out to all connected clusters within that scope. +### Microsoft Entra ID and Azure RBAC without cluster connect ++If you don't want to use cluster connect, you can authenticate and authorize users so they can access the connected cluster by using [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) and [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview). Using [Azure RBAC on Azure Arc-enabled Kubernetes (preview)](conceptual-azure-rbac.md) lets you control the access that's granted to users in your tenant, managing access directly from Azure using familiar Azure identity and access features. You can also configure roles at the subscription or resource group scope, letting them roll out to all connected clusters within that scope. 
Azure RBAC supports [conditional access](azure-rbac.md#use-conditional-access-with-azure-ad), allowing you to enable [just-in-time cluster access](azure-rbac.md#configure-just-in-time-cluster-access-with-azure-ad) or limit access to approved clients or devices. -Azure RBAC also supports a [direct mode of communication](azure-rbac.md#use-a-shared-kubeconfig-file), using Azure AD identities to access connected clusters directly from within the datacenter, rather than requiring all connections to go through Azure. +Azure RBAC also supports a [direct mode of communication](azure-rbac.md#use-a-shared-kubeconfig-file), using Microsoft Entra identities to access connected clusters directly from within the datacenter, rather than requiring all connections to go through Azure. Azure RBAC on Arc-enabled Kubernetes is currently in public preview. For more information, see [Use Azure RBAC on Azure Arc-enabled Kubernetes clusters (preview)](azure-rbac.md). Azure RBAC on Arc-enabled Kubernetes is currently in public preview. For more in Authentication is the process of verifying a user's identity. There are two options for authenticating to an Arc-enabled Kubernetes cluster: cluster connect and Azure RBAC. -### Azure AD authentication +<a name='azure-ad-authentication'></a> ++### Microsoft Entra authentication -The [Azure RBAC on Arc-enabled Kubernetes](conceptual-azure-rbac.md) feature (currently in public preview) lets you use [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) to allow users in your Azure tenant to access your connected Kubernetes clusters. +The [Azure RBAC on Arc-enabled Kubernetes](conceptual-azure-rbac.md) feature (currently in public preview) lets you use [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) to allow users in your Azure tenant to access your connected Kubernetes clusters. -You can also use Azure Active Directory authentication with cluster connect. 
For more information, see [Azure Active Directory authentication option](cluster-connect.md#azure-active-directory-authentication-option). +You can also use Microsoft Entra authentication with cluster connect. For more information, see [Microsoft Entra authentication option](cluster-connect.md#microsoft-entra-authentication-option). ### Service token authentication For more information, see [Service account token authentication option](cluster- Authorization grants an authenticated user the permission to perform specified actions. With Azure Arc-enabled Kubernetes, there are two authorization options, both of which use role-based access control (RBAC): -- [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) uses Azure AD and Azure Resource Manager to provide fine-grained access management to Azure resources. This allows the benefits of Azure role assignments, such as activity logs tracking all changes made, to be used with your Azure Arc-enabled Kubernetes clusters.+- [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) uses Microsoft Entra ID and Azure Resource Manager to provide fine-grained access management to Azure resources. This allows the benefits of Azure role assignments, such as activity logs tracking all changes made, to be used with your Azure Arc-enabled Kubernetes clusters. - [Kubernetes role-based access control (Kubernetes RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) lets you dynamically configure policies through the Kubernetes API so that users, groups, and service accounts only have access to specific cluster resources. While Kubernetes RBAC works only on Kubernetes resources within your cluster, Azure RBAC works on resources across your Azure subscription. 
### Azure RBAC authorization -[Azure role-based access control (RBAC)](../../role-based-access-control/overview.md) is an authorization system built on Azure Resource Manager and Azure AD that provides fine-grained access management of Azure resources. With Azure RBAC, role definitions outline the permissions to be applied. You assign these roles to users or groups via a role assignment for a particular scope. The scope can be across the entire subscription or limited to a resource group or to an individual resource such as a Kubernetes cluster. +[Azure role-based access control (RBAC)](../../role-based-access-control/overview.md) is an authorization system built on Azure Resource Manager and Microsoft Entra ID that provides fine-grained access management of Azure resources. With Azure RBAC, role definitions outline the permissions to be applied. You assign these roles to users or groups via a role assignment for a particular scope. The scope can be across the entire subscription or limited to a resource group or to an individual resource such as a Kubernetes cluster. -If you're using Azure AD authentication without cluster connect, then Azure RBAC authorization is your only option for authorization. +If you're using Microsoft Entra authentication without cluster connect, then Azure RBAC authorization is your only option for authorization. -If you're using cluster connect with Azure AD authentication, you have the option to use Azure RBAC for connectivity to the `apiserver` of the cluster. For more information, see [Azure Active Directory authentication option](cluster-connect.md#azure-active-directory-authentication-option). +If you're using cluster connect with Microsoft Entra authentication, you have the option to use Azure RBAC for connectivity to the `apiserver` of the cluster. For more information, see [Microsoft Entra authentication option](cluster-connect.md#azure-active-directory-authentication-option). 
### Kubernetes RBAC authorization If you're using cluster connect with Azure AD authentication, you have the optio If you're using cluster connect with the [service account token authentication option](cluster-connect.md#service-account-token-authentication-option), you must use Kubernetes RBAC to provide connectivity to the `apiserver` of the cluster. This connectivity doesn't require any inbound port to be enabled on the firewall. A reverse proxy agent running on the cluster can securely start a session with the Azure Arc service in an outbound manner. -If you're using [cluster connect with Azure AD authentication](cluster-connect.md#azure-active-directory-authentication-option), you also have the option to use Kubernetes RBAC instead of Azure RBAC. +If you're using [cluster connect with Microsoft Entra authentication](cluster-connect.md#azure-active-directory-authentication-option), you also have the option to use Kubernetes RBAC instead of Azure RBAC. ## Next steps -- Learn more about [Azure Azure AD](/azure/active-directory/fundamentals/active-directory-whatis) and [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview).+- Learn more about [Azure Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) and [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview). - Learn about [cluster connect access to Azure Arc-enabled Kubernetes clusters](conceptual-cluster-connect.md). - Learn about [Azure RBAC on Azure Arc-enabled Kubernetes (preview)](conceptual-azure-rbac.md) - Learn about [access and identity options for Azure Kubernetes Service (AKS) clusters](../../aks/concepts-identity.md). |
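Review bot: the link fragments in this row disagree after the rename: the `+` line in the authentication section points to `cluster-connect.md#microsoft-entra-authentication-option`, while the `+` lines in the Azure RBAC authorization and Kubernetes RBAC authorization sections still point to `cluster-connect.md#azure-active-directory-authentication-option`. Only one of these can resolve unless cluster-connect.md carries an `<a name=...>` alias like the ones added elsewhere in this change; pick one fragment and use it in all three links.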
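Review bot: the Next steps bullet keeps the stray word from the original typo: `- Learn more about [Azure Microsoft Entra ID](...)` replaces "Azure Azure AD" but leaves the leading "Azure" in place. Suggest `- Learn more about [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) and [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview).`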
azure-arc | Kubernetes Resource View | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/kubernetes-resource-view.md | The Azure portal includes a Kubernetes resource view for easy access to the Kube - An account that can authenticate to the cluster and access the resources in the portal: - - If using [Azure RBAC](azure-rbac.md), ensure that the Azure Active Directory (Azure AD) account that will access the portal has a role that lets it authenticate to the cluster, such as [Azure Arc Kubernetes Viewer](/azure/role-based-access-control/built-in-roles): + - If using [Azure RBAC](azure-rbac.md), ensure that the Microsoft Entra account that will access the portal has a role that lets it authenticate to the cluster, such as [Azure Arc Kubernetes Viewer](/azure/role-based-access-control/built-in-roles): ```azurecli az role assignment create --role "Azure Arc Kubernetes Viewer" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER |
azure-arc | Private Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/private-link.md | Consider these current limitations when planning your Private Link setup. * You can associate at most one Azure Arc Private Link Scope with a virtual network. * An Azure Arc-enabled Kubernetes cluster can only connect to one Azure Arc Private Link Scope. * All on-premises Kubernetes clusters need to use the same private endpoint by resolving the correct private endpoint information (FQDN record name and private IP address) using the same DNS forwarder. For more information, see [Azure Private Endpoint DNS configuration](../../private-link/private-endpoint-dns.md). The Azure Arc-enabled Kubernetes cluster, Azure Arc Private Link Scope, and virtual network must be in the same Azure region. The Private Endpoint and the virtual network must also be in the same Azure region, but this region can be different from that of your Azure Arc Private Link Scope and Arc-enabled Kubernetes cluster.-* Traffic to Azure Active Directory, Azure Resource Manager and Microsoft Container Registry service tags must be allowed through your on-premises network firewall during the preview. +* Traffic to Microsoft Entra ID, Azure Resource Manager and Microsoft Container Registry service tags must be allowed through your on-premises network firewall during the preview. * Other Azure services that you will use, for example Azure Monitor, requires their own private endpoints in your virtual network. > [!NOTE] To connect your Kubernetes cluster to Azure Arc over a private link, you need to 1. Establish a connection between your on-premises network and an Azure virtual network using a [site-to-site VPN](../../vpn-gateway/tutorial-site-to-site-portal.md) or [ExpressRoute](../../expressroute/expressroute-howto-linkvnet-arm.md) circuit. 1. 
Deploy an Azure Arc Private Link Scope, which controls which Kubernetes clusters can communicate with Azure Arc over private endpoints and associate it with your Azure virtual network using a private endpoint. 1. Update the DNS configuration on your local network to resolve the private endpoint addresses.-1. Configure your local firewall to allow access to Azure Active Directory, Azure Resource Manager and Microsoft Container Registry. +1. Configure your local firewall to allow access to Microsoft Entra ID, Azure Resource Manager and Microsoft Container Registry. 1. Associate the Azure Arc-enabled Kubernetes clusters with the Azure Arc Private Link Scope. 1. Optionally, deploy private endpoints for other Azure services your Azure Arc-enabled Kubernetes cluster is managed by, such as Azure Monitor. The rest of this document assumes you have already set up your ExpressRoute circuit or site-to-site VPN connection. ## Network configuration -Azure Arc-enabled Kubernetes integrates with several Azure services to bring cloud management and governance to your hybrid Kubernetes clusters. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints. You also need to allow access to Microsoft Container Registry (and AzureFrontDoor.FirstParty as a precursor for Microsoft Container Registry) to pull images & Helm charts to enable services like Azure Monitor, as well as for initial setup of Azure Arc agents on the Kubernetes clusters. +Azure Arc-enabled Kubernetes integrates with several Azure services to bring cloud management and governance to your hybrid Kubernetes clusters. 
Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Microsoft Entra ID and Azure Resource Manager over the internet until these services offer private endpoints. You also need to allow access to Microsoft Container Registry (and AzureFrontDoor.FirstParty as a precursor for Microsoft Container Registry) to pull images & Helm charts to enable services like Azure Monitor, as well as for initial setup of Azure Arc agents on the Kubernetes clusters. There are two ways you can achieve this: -* If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, Azure Front Door and Microsoft Container Registry using [service tags](../../virtual-network/service-tags-overview.md). The NSG rules should look like the following: +* If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID, Azure Resource Manager, Azure Front Door and Microsoft Container Registry using [service tags](../../virtual-network/service-tags-overview.md). 
The NSG rules should look like the following: - | Setting | Azure AD rule | Azure Resource Manager rule | AzureFrontDoorFirstParty rule | Microsoft Container Registry rule | + | Setting | Microsoft Entra ID rule | Azure Resource Manager rule | AzureFrontDoorFirstParty rule | Microsoft Container Registry rule | |-|||| | Source | Virtual Network | Virtual Network | Virtual Network | Virtual Network | Source Port ranges | * | * | * | * There are two ways you can achieve this: | Priority | 150 (must be lower than any rules that block internet access) | 151 (must be lower than any rules that block internet access) | 152 (must be lower than any rules that block internet access) | 153 (must be lower than any rules that block internet access) | | Name | AllowAADOutboundAccess | AllowAzOutboundAccess | AllowAzureFrontDoorFirstPartyAccess | AllowMCROutboundAccess -* Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, and Microsoft Container Registry, and inbound & outbound access to AzureFrontDoor.FirstParty using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Azure AD, Azure Resource Manager, AzureFrontDoor.FirstParty, and Microsoft Container Registry and is updated monthly to reflect any changes. Azure Active Directory's service tag is AzureActiveDirectory, Azure Resource Manager's service tag is AzureResourceManager, Microsoft Container Registry's service tag is MicrosoftContainerRegistry, and Azure Front Door's service tag is AzureFrontDoor.FirstParty. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules. +* Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID, Azure Resource Manager, and Microsoft Container Registry, and inbound & outbound access to AzureFrontDoor.FirstParty using the downloadable service tag files. 
The JSON file contains all the public IP address ranges used by Microsoft Entra ID, Azure Resource Manager, AzureFrontDoor.FirstParty, and Microsoft Container Registry and is updated monthly to reflect any changes. Microsoft Entra service tag is AzureActiveDirectory, Azure Resource Manager's service tag is AzureResourceManager, Microsoft Container Registry's service tag is MicrosoftContainerRegistry, and Azure Front Door's service tag is AzureFrontDoor.FirstParty. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules. ## Create an Azure Arc Private Link Scope If you run into problems, the following suggestions may help: nslookup dp.kubernetesconfiguration.azure.com ``` -* If you are having trouble onboarding your Kubernetes cluster, confirm that youΓÇÖve added the Azure Active Directory, Azure Resource Manager, AzureFrontDoor.FirstParty and Microsoft Container Registry service tags to your local network firewall. +* If you are having trouble onboarding your Kubernetes cluster, confirm that youΓÇÖve added the Microsoft Entra ID, Azure Resource Manager, AzureFrontDoor.FirstParty and Microsoft Container Registry service tags to your local network firewall. ## Next steps |
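Review bot: the possessive was dropped in the service-tag sentence: "Microsoft Entra service tag is AzureActiveDirectory" now sits beside "Azure Resource Manager's service tag is AzureResourceManager". Suggest "Microsoft Entra ID's service tag is AzureActiveDirectory" so the product name and the tag name stay clearly separated; readers need the exact tag string when they look it up in the downloadable service tag file.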
azure-arc | System Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/system-requirements.md | For Azure PowerShell: > [!NOTE] > When you deploy the Azure Arc agents to a cluster, Helm v. 3.6.3 will be installed in the `.azure` folder of the deployment machine. This [Helm 3](https://helm.sh/docs/) installation is only used for Azure Arc, and it doesn't remove or change any previously installed versions of Helm on the machine. -## Azure AD identity requirements +<a name='azure-ad-identity-requirements'></a> -To connect your cluster to Azure Arc, you must have an Azure AD identity (user or service principal) which can be used to log in to [Azure CLI](/cli/azure/authenticate-azure-cli) or [Azure PowerShell](/powershell/azure/authenticate-azureps) and connect your cluster to Azure Arc. +## Microsoft Entra identity requirements ++To connect your cluster to Azure Arc, you must have a Microsoft Entra identity (user or service principal) which can be used to log in to [Azure CLI](/cli/azure/authenticate-azure-cli) or [Azure PowerShell](/powershell/azure/authenticate-azureps) and connect your cluster to Azure Arc. This identity must have 'Read' and 'Write' permissions on the Azure Arc-enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`). If connecting the cluster to an existing resource group (rather than a new one created by this identity), the identity must have 'Read' permission for that resource group. |
azure-arc | Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/troubleshooting.md | If you receive this error, it indicates that the service timed out while provisi If you receive an overage claim, review the following factors in order: -1. Are you using a service principal that is part of more than 200 Azure AD groups? If yes, then you must create and use another service principal that isn't a member of more than 200 groups, or remove the original service principal from some of its groups and try again. +1. Are you using a service principal that is part of more than 200 Microsoft Entra groups? If yes, then you must create and use another service principal that isn't a member of more than 200 groups, or remove the original service principal from some of its groups and try again. 1. Have you configured outbound proxy environment? If so, make sure that the endpoint `https://<region>.obo.arc.azure.com:8084/` is allowed for outbound traffic. Some other aspects to consider: With these actions accomplished, you can either [recreate a flux configuration](./tutorial-use-gitops-flux2.md), which installs the flux extension automatically, or you can reinstall the flux extension manually. -### Flux v2 - Installing the `microsoft.flux` extension in a cluster with Azure AD Pod Identity enabled +<a name='flux-v2installing-the-microsoftflux-extension-in-a-cluster-with-azure-ad-pod-identity-enabled'></a> -If you attempt to install the Flux extension in a cluster that has Azure Active Directory (Azure AD) Pod Identity enabled, an error may occur in the extension-agent pod. +### Flux v2 - Installing the `microsoft.flux` extension in a cluster with Microsoft Entra Pod Identity enabled ++If you attempt to install the Flux extension in a cluster that has Microsoft Entra Pod Identity enabled, an error may occur in the extension-agent pod. 
```console {"Message":"2021/12/02 10:24:56 Error: in getting auth header : error {adal: Refresh request failed. Status Code = '404'. Response body: no azure identity found for request clientID <REDACTED>\n}","LogType":"ConfigAgentTrace","LogLevel":"Information","Environment":"prod","Role":"ClusterConfigAgent","Location":"westeurope","ArmId":"/subscriptions/<REDACTED>/resourceGroups/<REDACTED>/providers/Microsoft.Kubernetes/managedclusters/<REDACTED>","CorrelationId":"","AgentName":"FluxConfigAgent","AgentVersion":"0.4.2","AgentTimestamp":"2021/12/02 10:24:56"} The extension status also returns as "Failed". The extension-agent pod is trying to get its token from IMDS on the cluster in order to talk to the extension service in Azure, but the token request is intercepted by the [pod identity](../../aks/use-azure-ad-pod-identity.md)). -You can fix this issue by upgrading to the latest version of the `microsoft.flux` extension. For version 1.6.1 or earlier, the workaround is to create an `AzurePodIdentityException` that tells Azure AD Pod Identity to ignore the token requests from flux-extension pods. +You can fix this issue by upgrading to the latest version of the `microsoft.flux` extension. For version 1.6.1 or earlier, the workaround is to create an `AzurePodIdentityException` that tells Microsoft Entra Pod Identity to ignore the token requests from flux-extension pods. ```console apiVersion: aadpodidentity.k8s.io/v1 Unable to fetch oid of 'custom-locations' app. Proceeding without enabling the f This warning occurs when you use a service principal to log into Azure. The service principal doesn't have permissions to get information of the application used by Azure Arc service. To avoid this error, execute the following steps: -1. Sign in into Azure CLI using your user account. Fetch the Object ID of the Azure AD application used by Azure Arc service: +1. Sign in into Azure CLI using your user account. 
Fetch the Object ID of the Microsoft Entra application used by Azure Arc service: ```azurecli az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query objectId -o tsv |
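Review bot: the heading and body now say "Microsoft Entra Pod Identity", but the unchanged lines around them still identify the feature by its old name: the link target `../../aks/use-azure-ad-pod-identity.md` and the manifest `apiVersion: aadpodidentity.k8s.io/v1` for the `AzurePodIdentityException`. Confirm the product name was meant to change here; if it was not, keep "Azure AD Pod Identity" in the prose so readers can match it to the CRD group and the linked article. The `<a name=...>` alias added above the heading correctly preserves the old anchor.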
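Review bot: "Sign in into Azure CLI using your user account." in the `+` line of the custom-locations step keeps the original's doubled preposition; suggest "Sign in to Azure CLI using your user account." The unchanged command below it also still hard-codes `--query objectId`, while the same step in custom-locations.md earlier in this change set says to fetch `objectId` or `id` depending on the Azure CLI version (older or newer than 2.37.0); worth aligning the two articles in the same pass.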
azure-arc | Conceptual Custom Locations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/platform/conceptual-custom-locations.md | On Arc-enabled Kubernetes clusters, a custom location represents an abstraction ## Architecture for Arc-enabled Kubernetes -When an administrator enables the custom locations feature on a cluster, a ClusterRoleBinding is created, authorizing the Azure AD application used by the Custom Locations Resource Provider (RP). Once authorized, Custom Locations RP can create ClusterRoleBindings or RoleBindings needed by other Azure RPs to create custom resources on this cluster. The cluster extensions installed on the cluster determines the list of RPs to authorize. +When an administrator enables the custom locations feature on a cluster, a ClusterRoleBinding is created, authorizing the Microsoft Entra application used by the Custom Locations Resource Provider (RP). Once authorized, Custom Locations RP can create ClusterRoleBindings or RoleBindings needed by other Azure RPs to create custom resources on this cluster. The cluster extensions installed on the cluster determines the list of RPs to authorize. [ ![Use custom locations](../kubernetes/media/conceptual-custom-locations-usage.png) ](../kubernetes/media/conceptual-custom-locations-usage.png#lightbox) |
azure-arc | Security Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/security-overview.md | This article describes the security configuration and considerations you should ## Using a managed identity -By default, an Azure Active Directory system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure. +By default, a Microsoft Entra system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure. ## Identity and access control |
azure-arc | Agent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/agent-overview.md | Installing the Connected Machine agent for Window applies the following system-w | Service name | Display name | Process name | Description | |--|--|--|-|- | himds | Azure Hybrid Instance Metadata Service | himds | Synchronizes metadata with Azure and hosts a local REST API for extensions and applications to access the metadata and request Azure Active Directory managed identity tokens | + | himds | Azure Hybrid Instance Metadata Service | himds | Synchronizes metadata with Azure and hosts a local REST API for extensions and applications to access the metadata and request Microsoft Entra managed identity tokens | | GCArcService | Guest configuration Arc Service | gc_service | Audits and enforces Azure guest configuration policies on the machine. | | ExtensionService | Guest configuration Extension Service | gc_service | Installs, updates, and manages extensions on the machine. | Installing the Connected Machine agent for Window applies the following system-w | Security group name | Description | ||-|- | Hybrid agent extension applications | Members of this security group can request Azure Active Directory tokens for the system-assigned managed identity | + | Hybrid agent extension applications | Members of this security group can request Microsoft Entra tokens for the system-assigned managed identity | * Agent installation creates the following environmental variables The agent requests the following metadata information from Azure: * Resource location (region) * Virtual machine ID * Tags-* Azure Active Directory managed identity certificate +* Microsoft Entra managed identity certificate * Guest configuration policy assignments * Extension requests - install, update, and delete. |
azure-arc | Azcmagent Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/azcmagent-connect.md | To authenticate with a service principal, provide the service principal's applic ### Access token -Access tokens can also be used for non-interactive authentication, but are short-lived and typically used by automation solutions onboarding several servers over a short period of time. You can get an access token with [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) or any other Azure Active Directory client. +Access tokens can also be used for non-interactive authentication, but are short-lived and typically used by automation solutions onboarding several servers over a short period of time. You can get an access token with [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) or any other Microsoft Entra client. To authenticate with an access token, use the `--access-token [token]` flag. If the account you're logging in with and the subscription where you're registering the server aren't in the same tenant, you must also provide the tenant ID for the subscription with `--tenant-id [tenant]`. To authenticate with an access token, use the `--access-token [token]` flag. If `--access-token` -Specifies the Azure Active Directory access token used to create the Azure Arc-enabled server resource in Azure. For more information, see [authentication options](#authentication-options). +Specifies the Microsoft Entra access token used to create the Azure Arc-enabled server resource in Azure. For more information, see [authentication options](#authentication-options). `--automanage-profile` The tenant ID for the subscription where you want to create the Azure Arc-enable `--use-device-code` -Generate an Azure Active Directory device login code that can be entered in a web browser on another computer to authenticate the agent with Azure. 
For more information, see [authentication options](#authentication-options). +Generate a Microsoft Entra device login code that can be entered in a web browser on another computer to authenticate the agent with Azure. For more information, see [authentication options](#authentication-options). [!INCLUDE [common-flags](includes/azcmagent-common-flags.md)] |
azure-arc | Azcmagent Disconnect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/azcmagent-disconnect.md | To authenticate with a service principal, provide the service principal's applic ### Access token -Access tokens can also be used for non-interactive authentication, but are short-lived and typically used by automation solutions operating on several servers over a short period of time. You can get an access token with [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) or any other Azure Active Directory client. +Access tokens can also be used for non-interactive authentication, but are short-lived and typically used by automation solutions operating on several servers over a short period of time. You can get an access token with [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) or any other Microsoft Entra client. To authenticate with an access token, use the `--access-token [token]` flag. To authenticate with an access token, use the `--access-token [token]` flag. `--access-token` -Specifies the Azure Active Directory access token used to create the Azure Arc-enabled server resource in Azure. For more information, see [authentication options](#authentication-options). +Specifies the Microsoft Entra access token used to create the Azure Arc-enabled server resource in Azure. For more information, see [authentication options](#authentication-options). `-f`, `--force-local-only` Specifies the service principal secret. Must be used with the `--service-princip `--use-device-code` -Generate an Azure Active Directory device login code that can be entered in a web browser on another computer to authenticate the agent with Azure. For more information, see [authentication options](#authentication-options). +Generate a Microsoft Entra device login code that can be entered in a web browser on another computer to authenticate the agent with Azure. 
For more information, see [authentication options](#authentication-options). [!INCLUDE [common-flags](includes/azcmagent-common-flags.md)] |
azure-arc | Deliver Extended Security Updates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/deliver-extended-security-updates.md | Title: Deliver Extended Security Updates for Windows Server 2012 description: Learn how to deliver Extended Security Updates for Windows Server 2012. Previously updated : 10/05/2023 Last updated : 10/09/2023 If any problems occur during the enablement process, see [Troubleshoot delivery ## Additional scenarios -There are several scenarios in which you may be eligible to receive Extended Security Updates patches at no additional cost. Three of these scenarios supported by Azure Arc include the following: +There are some scenarios in which you may be eligible to receive Extended Security Updates patches at no additional cost. Two of these scenarios supported by Azure Arc include the following: -- Dev/Test-- Visual Studio-- Disaster Recovery+- Dev/Test (Visual Studio) +- Disaster Recovery (Entitled benefit DR instances from Software Assurance or subscription only) To qualify for these scenarios, you must have: 1. Provisioned and activated a WS2012 Arc ESU License intended to be linked to regular Azure Arc-enabled servers running in production environments (i.e., normally billed ESU scenarios) -1. Onboarded your Windows Server 2012 and Windows Server 2012 R2 machines to Azure Arc-enabled servers for the purpose of Dev/Test, association with Visual Studio subscriptions, or Disaster Recovery +1. Onboarded your Windows Server 2012 and Windows Server 2012 R2 machines to Azure Arc-enabled servers for the purpose of Dev/Test with Visual Studio subscriptions or Disaster Recovery To enroll Azure Arc-enabled servers eligible for ESUs at no additional cost, follow these steps to tag and link: -1. Tag both the WS2012 Arc ESU License and the Azure Arc-enabled server with one of the following three name-value pairs, corresponding to the appropriate exception: +1. 
Tag both the WS2012 Arc ESU License and the Azure Arc-enabled server with one of the following name-value pairs, corresponding to the appropriate exception: - 1. Name: “ESU Usage”; Value: “WS2012 DEV TEST” - 1. Name: “ESU Usage”; Value: “WS2012 VISUAL STUDIO” + 1. Name: “ESU Usage”; Value: “WS2012 VISUAL STUDIO DEV TEST” 1. Name: “ESU Usage”; Value: “WS2012 DISASTER RECOVERY” In the case that you're using the ESU License for multiple exception scenarios, mark the license with the tag: Name: “ESU Usage”; Value: “WS2012 MULTIPURPOSE” |
azure-arc | Manage Agent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/manage-agent.md | You do not need to restart any services when reconfiguring the proxy settings wi ### Proxy bypass for private endpoints -Starting with agent version 1.15, you can also specify services which should **not** use the specified proxy server. This can help with split-network designs and private endpoint scenarios where you want Azure Active Directory and Azure Resource Manager traffic to go through your proxy server to public endpoints but want Azure Arc traffic to skip the proxy and communicate with a private IP address on your network. +Starting with agent version 1.15, you can also specify services which should **not** use the specified proxy server. This can help with split-network designs and private endpoint scenarios where you want Microsoft Entra ID and Azure Resource Manager traffic to go through your proxy server to public endpoints but want Azure Arc traffic to skip the proxy and communicate with a private IP address on your network. The proxy bypass feature does not require you to enter specific URLs to bypass. Instead, you provide the name of the service(s) that should not use the proxy server. The location parameter refers to the Azure region of the Arc Server(s). The proxy bypass feature does not require you to enter specific URLs to bypass. 
| `ARM` | `management.azure.com` | | `Arc` | `his.arc.azure.com`, `guestconfiguration.azure.com` , `san-af-<location>-prod.azurewebsites.net`| -To send Azure Active Directory and Azure Resource Manager traffic through a proxy server but skip the proxy for Azure Arc traffic, run the following command: +To send Microsoft Entra ID and Azure Resource Manager traffic through a proxy server but skip the proxy for Azure Arc traffic, run the following command: ```bash azcmagent config set proxy.url "http://ProxyServerFQDN:port" If you're already using environment variables to configure the proxy server for * Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring. * Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.-- |
azure-arc | Manage Vm Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/manage-vm-extensions.md | To learn about the Azure Connected Machine agent package and details about the E > [!NOTE] > The Desired State Configuration VM extension is no longer available for Azure Arc-enabled servers. Alternatively, we recommend [migrating to machine configuration](../../governance/machine-configuration/migrate-from-azure-automation.md) or using the Custom Script Extension to manage the post-deployment configuration of your server. -Arc-enabled servers support moving machines with one or more VM extensions installed between resource groups or another Azure subscription without experiencing any impact to their configuration. The source and destination subscriptions must exist within the same [Azure Active Directory tenant](../../active-directory/develop/quickstart-create-new-tenant.md). This support is enabled starting with the Connected Machine agent version **1.8.21197.005**. For more information about moving resources and considerations before proceeding, see [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md). +Arc-enabled servers support moving machines with one or more VM extensions installed between resource groups or another Azure subscription without experiencing any impact to their configuration. The source and destination subscriptions must exist within the same [Microsoft Entra tenant](../../active-directory/develop/quickstart-create-new-tenant.md). This support is enabled starting with the Connected Machine agent version **1.8.21197.005**. For more information about moving resources and considerations before proceeding, see [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md). ### Windows extensions |
azure-arc | Managed Identity Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/managed-identity-authentication.md | Last updated 11/08/2021 # Authenticate against Azure resources with Azure Arc-enabled servers -Applications or processes running directly on an Azure Arc-enabled servers can use managed identities to access other Azure resources that support Azure Active Directory-based authentication. An application can obtain an [access token](../../active-directory/develop/developer-glossary.md#access-token) representing its identity, which is system-assigned for Azure Arc-enabled servers, and use it as a 'bearer' token to authenticate itself to another service. +Applications or processes running directly on an Azure Arc-enabled servers can use managed identities to access other Azure resources that support Microsoft Entra ID-based authentication. An application can obtain an [access token](../../active-directory/develop/developer-glossary.md#access-token) representing its identity, which is system-assigned for Azure Arc-enabled servers, and use it as a 'bearer' token to authenticate itself to another service. Refer to the [managed identity overview](../../active-directory/managed-identities-azure-resources/overview.md) documentation for a detailed description of managed identities, and understand the distinction between system-assigned and user-assigned identities. -In this article, we show you how a server can use a system-assigned managed identity to access Azure [Key Vault](../../key-vault/general/overview.md). Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Azure Active Directory (AD). For example, TLS/SSL certificates used by your IIS web servers can be stored in Azure Key Vault, and securely deploy the certificates to Windows or Linux servers outside of Azure. 
+In this article, we show you how a server can use a system-assigned managed identity to access Azure [Key Vault](../../key-vault/general/overview.md). Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Microsoft Entra ID. For example, TLS/SSL certificates used by your IIS web servers can be stored in Azure Key Vault, and securely deploy the certificates to Windows or Linux servers outside of Azure. ## Security overview While onboarding your server to Azure Arc-enabled servers, several actions are p - Azure Resource Manager receives a request to enable the system-assigned managed identity on the Azure Arc-enabled server. -- Azure Resource Manager creates a service principal in Azure AD for the identity of the server. The service principal is created in the Azure AD tenant that's trusted by the subscription.+- Azure Resource Manager creates a service principal in Microsoft Entra ID for the identity of the server. The service principal is created in the Microsoft Entra tenant that's trusted by the subscription. - Azure Resource Manager configures the identity on the server by updating the Azure Instance Metadata Service (IMDS) identity endpoint for [Windows](../../virtual-machines/windows/instance-metadata-service.md) or [Linux](../../virtual-machines/linux/instance-metadata-service.md) with the service principal client ID and certificate. The endpoint is a REST endpoint accessible only from within the server using a well-known, non-routable IP address. This service provides a subset of metadata information about the Azure Arc-enabled server to help manage and configure it. |
azure-arc | Onboard Dsc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-dsc.md | Configuration documents (MOF files) can be applied to the machine using the `Sta The following are the parameters you pass to the PowerShell script to use. -- `TenantId`: The unique identifier (GUID) that represents your dedicated instance of Azure AD.+- `TenantId`: The unique identifier (GUID) that represents your dedicated instance of Microsoft Entra ID. - `SubscriptionId`: The subscription ID (GUID) of your Azure subscription that you want the machines in. |
azure-arc | Onboard Group Policy Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-group-policy-powershell.md | The Group Policy Object, which is used to onboard Azure Arc-enabled servers, req ## Apply the Group Policy Object -On the Group Policy Management Console (GPMC), right-click on the desired Organizational Unit and link the GPO named **[MSFT] Azure Arc Servers (datetime)**. This is the Group Policy Object which has the Scheduled Task to onboard the machines. After 10 or 20 minutes, the Group Policy Object will be replicated to the respective domain controllers. Learn more about [creating and managing group policy in Azure AD Domain Services](../../active-directory-domain-services/manage-group-policy.md). +On the Group Policy Management Console (GPMC), right-click on the desired Organizational Unit and link the GPO named **[MSFT] Azure Arc Servers (datetime)**. This is the Group Policy Object which has the Scheduled Task to onboard the machines. After 10 or 20 minutes, the Group Policy Object will be replicated to the respective domain controllers. Learn more about [creating and managing group policy in Microsoft Entra Domain Services](../../active-directory-domain-services/manage-group-policy.md). After you have successfully installed the agent and configured it to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the servers in your Organizational Unit have successfully connected. View your machines in the [Azure portal](https://aka.ms/hybridmachineportal). |
azure-arc | Onboard Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-service-principal.md | -One method to connect the machines to Azure Arc-enabled servers is to use an Azure Active Directory [service principal](../../active-directory/develop/app-objects-and-service-principals.md). This service principal method can be used instead of your privileged identity to [interactively connect the machine](onboard-portal.md). This service principal is a special limited management identity that has only the minimum permission necessary to connect machines to Azure using the `azcmagent` command. This method is safer than using a higher privileged account like a Tenant Administrator and follows our access control security best practices. **The service principal is used only during onboarding; it is not used for any other purpose.** +One method to connect the machines to Azure Arc-enabled servers is to use a Microsoft Entra [service principal](../../active-directory/develop/app-objects-and-service-principals.md). This service principal method can be used instead of your privileged identity to [interactively connect the machine](onboard-portal.md). This service principal is a special limited management identity that has only the minimum permission necessary to connect machines to Azure using the `azcmagent` command. This method is safer than using a higher privileged account like a Tenant Administrator and follows our access control security best practices. **The service principal is used only during onboarding; it is not used for any other purpose.** Before you start connecting your machines, review the following requirements: If you don't have an Azure subscription, create a [free account](https://azure.m You can create a service principal in the Azure portal or by using Azure PowerShell. > [!NOTE]-> To create a service principal, your Azure Active Directory tenant needs to allow users to register applications. 
If it does not, your account must be a member of the **Application Administrator** or **Cloud Application Administrator** administrative role. See [Delegate app registration permissions in Azure Active Directory](../../active-directory/roles/delegate-app-roles.md) for more information about tenant-level requirements. To assign Arc-enabled server roles, your account must be a member of the **Owner** or **User Access Administrator** role in the subscription that you want to use for onboarding. +> To create a service principal, your Microsoft Entra tenant needs to allow users to register applications. If it does not, your account must be a member of the **Application Administrator** or **Cloud Application Administrator** administrative role. See [Delegate app registration permissions in Microsoft Entra ID](../../active-directory/roles/delegate-app-roles.md) for more information about tenant-level requirements. To assign Arc-enabled server roles, your account must be a member of the **Owner** or **User Access Administrator** role in the subscription that you want to use for onboarding. ### Azure portal The following are the settings that you configure the `azcmagent` command to use - `service-principal-id` : The unique identifier (GUID) that represents the application ID of the service principal. - `service-principal-secret` | The service principal password.-- `tenant-id` : The unique identifier (GUID) that represents your dedicated instance of Azure AD.+- `tenant-id` : The unique identifier (GUID) that represents your dedicated instance of Microsoft Entra ID. - `subscription-id` : The subscription ID (GUID) of your Azure subscription that you want the machines in. - `resource-group` : The resource group name where you want your connected machines to belong to. - `location` : See [supported Azure regions](overview.md#supported-regions). This location can be the same or different, as the resource group's location. |
azure-arc | Onboard Update Management Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-update-management-machines.md | -You can enable Azure Arc-enabled servers for one or more of your Windows or Linux virtual machines or physical servers hosted on-premises or other cloud environment that are managed with Azure Automation Update Management. This onboarding process automates the download and installation of the [Connected Machine agent](agent-overview.md). To connect the machines to Azure Arc-enabled servers, an Azure Active Directory [service principal](../../active-directory/develop/app-objects-and-service-principals.md) is used instead of your privileged identity to [interactively connect](onboard-portal.md) the machine. This service principal is created automatically as part of the onboarding process for these machines. +You can enable Azure Arc-enabled servers for one or more of your Windows or Linux virtual machines or physical servers hosted on-premises or other cloud environment that are managed with Azure Automation Update Management. This onboarding process automates the download and installation of the [Connected Machine agent](agent-overview.md). To connect the machines to Azure Arc-enabled servers, a Microsoft Entra [service principal](../../active-directory/develop/app-objects-and-service-principals.md) is used instead of your privileged identity to [interactively connect](onboard-portal.md) the machine. This service principal is created automatically as part of the onboarding process for these machines. Before you get started, be sure to review the [prerequisites](prerequisites.md) and verify that your subscription and resources meet the requirements. For information about supported regions and other related considerations, see [supported Azure regions](overview.md#supported-regions). 
After the agent is installed and configured to connect to Azure Arc-enabled serv - Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring. -- Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verify the machine is reporting to the expected Log Analytics workspace, enable monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.+- Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verify the machine is reporting to the expected Log Analytics workspace, enable monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and much more. |
azure-arc | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/prerequisites.md | You'll need the following Azure built-in roles for different aspects of managing There are no limits to the number of Azure Arc-enabled servers you can register in any single resource group, subscription or tenant. -Each Azure Arc-enabled server is associated with an Azure Active Directory object and counts against your directory quota. See [Azure AD service limits and restrictions](../../active-directory/enterprise-users/directory-service-limits-restrictions.md) for information about the maximum number of objects you can have in an Azure AD directory. +Each Azure Arc-enabled server is associated with a Microsoft Entra object and counts against your directory quota. See [Microsoft Entra service limits and restrictions](../../active-directory/enterprise-users/directory-service-limits-restrictions.md) for information about the maximum number of objects you can have in a Microsoft Entra directory. ## Azure resource providers |
azure-arc | Private Link Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/private-link-security.md | The Azure Arc-enabled servers Private Link Scope object has a number of limits y - An Azure Arc-enabled machine or server resource can only connect to one Azure Arc-enabled servers Private Link Scope. - All on-premises machines need to use the same private endpoint by resolving the correct private endpoint information (FQDN record name and private IP address) using the same DNS forwarder. For more information, see [Azure Private Endpoint DNS configuration](../../private-link/private-endpoint-dns.md) - The Azure Arc-enabled server and Azure Arc Private Link Scope must be in the same Azure region. The Private Endpoint and the virtual network must also be in the same Azure region, but this region can be different from that of your Azure Arc Private Link Scope and Arc-enabled server.-- Network traffic to Azure Active Directory and Azure Resource Manager does not traverse the Azure Arc Private Link Scope and will continue to use your default network route to the internet. You can optionally [configure a resource management private link](../../azure-resource-manager/management/create-private-link-access-portal.md) to send Azure Resource Manager traffic to a private endpoint.+- Network traffic to Microsoft Entra ID and Azure Resource Manager does not traverse the Azure Arc Private Link Scope and will continue to use your default network route to the internet. You can optionally [configure a resource management private link](../../azure-resource-manager/management/create-private-link-access-portal.md) to send Azure Resource Manager traffic to a private endpoint. - Other Azure services that you will use, for example Azure Monitor, requires their own private endpoints in your virtual network. - Remote access to the server using Windows Admin Center or SSH is not supported over private link at this time. 
To connect your server to Azure Arc over a private link, you need to configure y 1. Update the DNS configuration on your local network to resolve the private endpoint addresses. -1. Configure your local firewall to allow access to Azure Active Directory and Azure Resource Manager. +1. Configure your local firewall to allow access to Microsoft Entra ID and Azure Resource Manager. 1. Associate the machines or servers registered with Azure Arc-enabled servers with the private link scope. This article assumes you have already set up your ExpressRoute circuit or site-t ## Network configuration -Azure Arc-enabled servers integrate with several Azure services to bring cloud management and governance to your hybrid machines or servers. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints. +Azure Arc-enabled servers integrate with several Azure services to bring cloud management and governance to your hybrid machines or servers. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Microsoft Entra ID and Azure Resource Manager over the internet until these services offer private endpoints. There are two ways you can achieve this: -- If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD and Azure using [service tags](../../virtual-network/service-tags-overview.md). 
The NSG rules should look like the following:+- If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID and Azure using [service tags](../../virtual-network/service-tags-overview.md). The NSG rules should look like the following: - |Setting |Azure AD rule | Azure rule | + |Setting |Microsoft Entra ID rule | Azure rule | |--|--|--| |Source |Virtual network |Virtual network | |Source port ranges |* |* | There are two ways you can achieve this: |Priority |150 (must be lower than any rules that block internet access) |151 (must be lower than any rules that block internet access) | |Name |AllowAADOutboundAccess |AllowAzOutboundAccess | -- Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD and Azure using the downloadable service tag files. The [JSON file](https://www.microsoft.com/en-us/download/details.aspx?id=56519) contains all the public IP address ranges used by Azure AD and Azure and is updated monthly to reflect any changes. Azure ADs service tag is `AzureActiveDirectory` and Azure's service tag is `AzureResourceManager`. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules.+- Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID and Azure using the downloadable service tag files. The [JSON file](https://www.microsoft.com/en-us/download/details.aspx?id=56519) contains all the public IP address ranges used by Microsoft Entra ID and Azure and is updated monthly to reflect any changes. Azure ADs service tag is `AzureActiveDirectory` and Azure's service tag is `AzureResourceManager`. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules. 
See the visual diagram under the section [How it works](#how-it-works) for the network traffic flows. The Windows agent can be downloaded from [https://aka.ms/AzureConnectedMachineAg The script will return status messages letting you know if onboarding was successful after it completes. > [!TIP]-> Network traffic from the Azure Connected Machine agent to Azure Active Directory and Azure Resource Manager will continue to use public endpoints. If your server needs to communicate through a proxy server to reach these endpoints, [configure the agent with the proxy server URL](manage-agent.md#update-or-remove-proxy-settings) before connecting it to Azure. You may also need to [configure a proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) for the Azure Arc services if your private endpoint is not accessible from your proxy server. +> Network traffic from the Azure Connected Machine agent to Microsoft Entra ID and Azure Resource Manager will continue to use public endpoints. If your server needs to communicate through a proxy server to reach these endpoints, [configure the agent with the proxy server URL](manage-agent.md#update-or-remove-proxy-settings) before connecting it to Azure. You may also need to [configure a proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) for the Azure Arc services if your private endpoint is not accessible from your proxy server. ### Configure an existing Azure Arc-enabled server It may take up to 15 minutes for the Private Link Scope to accept connections fr nslookup agentserviceapi.guestconfiguration.azure.com ``` -1. If you are having trouble onboarding a machine or server, confirm that you've added the Azure Active Directory and Azure Resource Manager service tags to your local network firewall. The agent needs to communicate with these services over the internet until private endpoints are available for these services. +1. 
If you are having trouble onboarding a machine or server, confirm that you've added the Microsoft Entra ID and Azure Resource Manager service tags to your local network firewall. The agent needs to communicate with these services over the internet until private endpoints are available for these services. ## Next steps |
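Review bot: In the second "Configure the firewall on your local network" bullet, the sentence "Azure ADs service tag is `AzureActiveDirectory`" was left untouched, so the rewritten paragraph now mixes "Microsoft Entra ID" with "Azure ADs" (which is also missing its apostrophe). Suggest "The Microsoft Entra ID service tag is `AzureActiveDirectory`", keeping the tag value itself as-is because that is the literal service-tag name; the NSG rule name `AllowAADOutboundAccess` in the table above can likewise stay, since it is an identifier rather than prose.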
azure-arc | Security Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/security-overview.md | Each Azure Arc-enabled server has a managed identity as part of a resource group Users and applications granted [contributor](../../role-based-access-control/built-in-roles.md#contributor) or administrator role access to the resource can make changes to the resource, including deploying or deleting [extensions](manage-vm-extensions.md) on the machine. Extensions can include arbitrary scripts that run in a privileged context, so consider any contributor on the Azure resource to be an indirect administrator of the server. -The **Azure Connected Machine Onboarding** role is available for at-scale onboarding, and is only able to read or create new Azure Arc-enabled servers in Azure. It cannot be used to delete servers already registered or manage extensions. As a best practice, we recommend only assigning this role to the Azure Active Directory (Azure AD) service principal used to onboard machines at scale. +The **Azure Connected Machine Onboarding** role is available for at-scale onboarding, and is only able to read or create new Azure Arc-enabled servers in Azure. It cannot be used to delete servers already registered or manage extensions. As a best practice, we recommend only assigning this role to the Microsoft Entra service principal used to onboard machines at scale. Users as a member of the **Azure Connected Machine Resource Administrator** role can read, modify, reonboard, and delete a machine. This role is designed to support management of Azure Arc-enabled servers, but not other resources in the resource group or subscription. To manage the Azure Connected Machine agent (azcmagent) on Windows, your user ac The Azure Connected Machine agent is composed of three services, which run on your machine. -* The Hybrid Instance Metadata Service (himds) service is responsible for all core functionality of Arc. 
This includes sending heartbeats to Azure, exposing a local instance metadata service for other apps to learn about the machineΓÇÖs Azure resource ID, and retrieve Azure AD tokens to authenticate to other Azure services. This service runs as an unprivileged virtual service account (NT SERVICE\\himds) on Windows, and as the **himds** user on Linux. The virtual service account requires the Log on as a Service right on Windows. +* The Hybrid Instance Metadata Service (himds) service is responsible for all core functionality of Arc. This includes sending heartbeats to Azure, exposing a local instance metadata service for other apps to learn about the machineΓÇÖs Azure resource ID, and retrieve Microsoft Entra tokens to authenticate to other Azure services. This service runs as an unprivileged virtual service account (NT SERVICE\\himds) on Windows, and as the **himds** user on Linux. The virtual service account requires the Log on as a Service right on Windows. * The Guest Configuration service (GCService) is responsible for evaluating Azure Policy on the machine. azcmagent config set config.mode full ## Using a managed identity with Azure Arc-enabled servers -By default, the Azure Active Directory system assigned identity used by Arc can only be used to update the status of the Azure Arc-enabled server in Azure. For example, the *last seen* heartbeat status. You can optionally assign other roles to the identity if an application on your server uses the system assigned identity to access other Azure services. To learn more about configuring a system-assigned managed identity to access Azure resources, see [Authenticate against Azure resources with Azure Arc-enabled servers](managed-identity-authentication.md). +By default, the Microsoft Entra system assigned identity used by Arc can only be used to update the status of the Azure Arc-enabled server in Azure. For example, the *last seen* heartbeat status. 
You can optionally assign other roles to the identity if an application on your server uses the system assigned identity to access other Azure services. To learn more about configuring a system-assigned managed identity to access Azure resources, see [Authenticate against Azure resources with Azure Arc-enabled servers](managed-identity-authentication.md). -While the Hybrid Instance Metadata Service can be accessed by any application running on the machine, only authorized applications can request an Azure AD token for the system assigned identity. On the first attempt to access the token URI, the service will generate a randomly generated cryptographic blob in a location on the file system that only trusted callers can read. The caller must then read the file (proving it has appropriate permission) and retry the request with the file contents in the authorization header to successfully retrieve an Azure AD token. +While the Hybrid Instance Metadata Service can be accessed by any application running on the machine, only authorized applications can request a Microsoft Entra token for the system assigned identity. On the first attempt to access the token URI, the service will generate a randomly generated cryptographic blob in a location on the file system that only trusted callers can read. The caller must then read the file (proving it has appropriate permission) and retry the request with the file contents in the authorization header to successfully retrieve a Microsoft Entra token. * On Windows, the caller must be a member of the local **Administrators** group or the **Hybrid Agent Extension Applications** group to read the blob. The Azure Connected Machine agent uses public key authentication to communicate * Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review [Connected Machine agent overview](agent-overview.md) to understand requirements, technical details about the agent, and deployment methods. 
-* Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring. +* Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring. |
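Review bot: In the himds bullet, "and retrieve Microsoft Entra tokens" breaks the parallelism of the list it belongs to ("sending heartbeats to Azure, exposing a local instance metadata service ..., and retrieve ..."); since the line is being edited anyway, change it to "and retrieving Microsoft Entra tokens to authenticate to other Azure services".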
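Review bot: In the "While the Hybrid Instance Metadata Service can be accessed ..." paragraph, "the service will generate a randomly generated cryptographic blob" is redundant; suggest "the service generates a random cryptographic blob in a location on the file system that only trusted callers can read". The same hunk and the one above it also alternate between "system assigned identity" and "system-assigned managed identity"; pick the hyphenated form throughout.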
azure-arc | Ssh Arc Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/ssh-arc-overview.md | To enable this functionality, ensure the following: - Ensure the Arc-enabled server has the "sshd" service enabled. For Linux machines `openssh-server` can be installed via a package manager and needs to be enabled. SSHD needs to be [enabled on Windows](/windows-server/administration/openssh/openssh_install_firstuse). - Ensure you have the Owner or Contributer role assigned. -Authenticating with Azure AD credentials has additional requirements: +Authenticating with Microsoft Entra credentials has additional requirements: - `aadsshlogin` and `aadsshlogin-selinux` (as appropriate) must be installed on the Arc-enabled server. These packages are installed with the `Azure AD based SSH Login ΓÇô Azure Arc` VM extension. - Configure role assignments for the VM. Two Azure roles are used to authorize VM login: - **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges. - **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges. - An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to Azure AD login to the VM over SSH. There's an intentional (and audited) separation between the set of people who control virtual machines and the set of people who can access virtual machines. + An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to Microsoft Entra login to the VM over SSH. There's an intentional (and audited) separation between the set of people who control virtual machines and the set of people who can access virtual machines. 
> [!NOTE] > The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshoot-limits.md) per subscription. |
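Review bot: The unchanged context line immediately above the "Authenticating with Microsoft Entra credentials" hunk reads "Ensure you have the Owner or Contributer role assigned", while the same hunk later spells it correctly ("Owner or Contributor role"); fix the typo while the file is open. Note also that the extension name `Azure AD based SSH Login ΓÇô Azure Arc` is intentionally left in code font here; the troubleshooting article changed in this same batch renames it in prose, so the two articles should agree on how the extension is referred to.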
azure-arc | Ssh Arc Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/ssh-arc-troubleshoot.md | This issue occurs when the current user doesn't have the proper role assignment - `Request for Azure Relay Information Failed: (AuthorizationFailed) The client '\<user name\>' with object id '\<ID\>' does not have authorization to perform action 'Microsoft.HybridConnectivity/endpoints/listCredentials/action' over scope '/subscriptions/\<Subscription ID\>/resourceGroups/\<Resource Group\>/providers/Microsoft.HybridCompute/machines/\<Machine Name\>/providers/Microsoft.HybridConnectivity/endpoints/default' or the scope is invalid. If access was recently granted, please refresh your credentials.` Resolution:-- Ensure that you have the Virtual Machine Local user Login role on the resource you're connecting to. If using Azure AD login, ensure you have the Virtual Machine User Login or the Virtual Machine Administrator Login roles and that the Azure AD SSH Login extension is installed on the Arc-Enabled Server.+- Ensure that you have the Virtual Machine Local user Login role on the resource you're connecting to. If using Microsoft Entra login, ensure you have the Virtual Machine User Login or the Virtual Machine Administrator Login roles and that the Microsoft Entra SSH Login extension is installed on the Arc-Enabled Server. ### HybridConnectivity RP not registered Resolution: - Learn about SSH access to [Azure Arc-enabled servers](ssh-arc-overview.md). - Learn about troubleshooting [agent connection issues](troubleshoot-agent-onboard.md).- |
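Review bot: In the Resolution hunk, "the Microsoft Entra SSH Login extension" renames the extension in prose, but the ssh-arc-overview.md change in this same batch still gives its name as `Azure AD based SSH Login ΓÇô Azure Arc`; either keep the extension's actual display name in code font or change both articles together so readers can find the extension in the portal. In the same line, "Virtual Machine Local user Login role" should be "Virtual Machine Local User Login role" to match the capitalization of the other role names ("Virtual Machine User Login", "Virtual Machine Administrator Login").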
azure-arc | Troubleshoot Agent Onboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/troubleshoot-agent-onboard.md | Use the following table to identify and resolve issues when configuring the Azur | AZCM0019 | The path to the configuration file is incorrect | Ensure the path to the configuration file is correct and try again. | | AZCM0023 | The value provided for a parameter (argument) is invalid | Review the error message for more specific information. Refer to the syntax of the command (`azcmagent <command> --help`) for valid values or expected format for the arguments. | | AZCM0026 | There is an error in network configuration or some critical services are temporarily unavailable | Check if the required endpoints are reachable (for example, hostnames are resolvable, endpoints aren't blocked). If the network is configured for Private Link Scope, a Private Link Scope resource ID must be provided for onboarding using the `--private-link-scope` parameter. |-| AZCM0041 | The credentials supplied are invalid | For device logins, verify that the user account specified has access to the tenant and subscription where the server resource will be created<sup>[1](#footnote3)</sup>.<br> For service principal logins, check the client ID and secret for correctness, the expiration date of the secret<sup>[2](#footnote4)</sup>, and that the service principal is from the same tenant where the server resource will be created<sup>[1](#footnote3)</sup>.<br> <a name="footnote3"></a><sup>1</sup>See [How to find your Azure Active Directory tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).<br> <a name="footnote4"></a><sup>2</sup>In Azure portal, open Azure Active Directory and select the App registration blade. Select the application to be used and the Certificates and secrets within it. Check whether the expiration data has passed. If it has, create new credentials with sufficient roles and try again. 
See [Connected Machine agent prerequisites-required permissions](prerequisites.md#required-permissions). | +| AZCM0041 | The credentials supplied are invalid | For device logins, verify that the user account specified has access to the tenant and subscription where the server resource will be created<sup>[1](#footnote3)</sup>.<br> For service principal logins, check the client ID and secret for correctness, the expiration date of the secret<sup>[2](#footnote4)</sup>, and that the service principal is from the same tenant where the server resource will be created<sup>[1](#footnote3)</sup>.<br> <a name="footnote3"></a><sup>1</sup>See [How to find your Microsoft Entra tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).<br> <a name="footnote4"></a><sup>2</sup>In Azure portal, open Microsoft Entra ID and select the App registration blade. Select the application to be used and the Certificates and secrets within it. Check whether the expiration data has passed. If it has, create new credentials with sufficient roles and try again. See [Connected Machine agent prerequisites-required permissions](prerequisites.md#required-permissions). | | AZCM0042 | Creation of the Azure Arc-enabled server resource failed | Review the error message in the output to identify the cause of the failure to create resource and the suggested remediation. For permission issues, see [Connected Machine agent prerequisites-required permissions](prerequisites.md#required-permissions) for more information. | | AZCM0043 | Deletion of the Azure Arc-enabled server resource failed | Verify that the user/service principal specified has permissions to delete Azure Arc-enabled server/resources in the specified group ΓÇö see [Connected Machine agent prerequisites-required permissions](prerequisites.md#required-permissions).<br> If the resource no longer exists in Azure, use the `--force-local-only` flag to proceed. 
| | AZCM0044 | A resource with the same name already exists | Specify a different name for the `--resource-name` parameter or delete the existing Azure Arc-enabled server in Azure and try again. | Use the following table to identify and resolve issues when configuring the Azur | AZCM0067 | The machine is already connected to Azure | Run `azcmagent disconnect` to remove the current connection, then try again. | | AZCM0068 | Subscription name was provided, and an error occurred while looking up the corresponding subscription GUID. | Retry the command with the subscription GUID instead of subscription name. | | AZCM0061<br>AZCM0064<br>AZCM0065<br>AZCM0066<br>AZCM0070<br> | The agent service isn't responding or unavailable | Verify the command is run in an elevated user context (administrator/root). Ensure that the HIMDS service is running (start or restart HIMDS as needed) then try the command again. |-| AZCM0081 | An error occurred while downloading the Azure Active Directory managed identity certificate | If this message is encountered while attempting to connect the server to Azure, the agent won't be able to communicate with the Azure Arc service. Delete the resource in Azure and try connecting again. | +| AZCM0081 | An error occurred while downloading the Microsoft Entra managed identity certificate | If this message is encountered while attempting to connect the server to Azure, the agent won't be able to communicate with the Azure Arc service. Delete the resource in Azure and try connecting again. | | AZCM0101 | The command wasn't parsed successfully | Run `azcmagent <command> --help` to review the command syntax. | | AZCM0102 | An error occurred while retrieving the computer hostname | Retry the command and specify a resource name (with parameter --resource-name or ΓÇôn). Use only alphanumeric characters, hyphens and/or underscores; note that resource name can't end with a hyphen or underscore. 
| | AZCM0103 | An error occurred while generating RSA keys | Contact Microsoft Support for assistance. |-| AZCM0105 | An error occurred while downloading the Azure Active Directory managed identify certificate | Delete the resource created in Azure and try again. | +| AZCM0105 | An error occurred while downloading the Microsoft Entra ID managed identify certificate | Delete the resource created in Azure and try again. | | AZCM0147-<br>AZCM0152 | An error occurred while installing Azcmagent on Windows | Review the error message in the output for more specific information. | | AZCM0127-<br>AZCM0146 | An error occurred while installing Azcmagent on Linux | Review the error message in the output for more specific information. | |
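Review bot: In the AZCM0041 hunk, footnote 2 says "Check whether the expiration data has passed"; this should be "expiration date", and since the line is already being rewritten for the Entra rename it is the right moment to fix it.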
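Review bot: In the AZCM0105 hunk, "managed identify certificate" is a typo carried over from the removed line; it should be "managed identity certificate", as the AZCM0081 row already has it. The two rows are also now inconsistent with each other ("Microsoft Entra managed identity certificate" in AZCM0081 versus "Microsoft Entra ID managed identify certificate" in AZCM0105); use one form for both.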
azure-arc | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/overview.md | By using Arc-enabled VMware vSphere's capabilities to discover your VMware estat ## Set up self-service access for your teams to use vSphere resources using Azure Arc -Arc-enabled VMware vSphere extends Azure's control plane (Azure Resource Manager) to VMware vSphere infrastructure. This enables you to use Azure AD-based identity management, granular Azure RBAC, and ARM templates to help your app teams and developers get self-service access to provision and manage VMs on VMware vSphere environment, providing greater agility. +Arc-enabled VMware vSphere extends Azure's control plane (Azure Resource Manager) to VMware vSphere infrastructure. This enables you to use Microsoft Entra ID-based identity management, granular Azure RBAC, and ARM templates to help your app teams and developers get self-service access to provision and manage VMs on VMware vSphere environment, providing greater agility. 1. Virtualized Infrastructure Administrators/Cloud Administrators can connect a vCenter instance to Azure. |
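Review bot: In the rewritten paragraph, "provision and manage VMs on VMware vSphere environment" is missing an article; suggest "provision and manage VMs in a VMware vSphere environment". Otherwise the rename reads fine.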
azure-arc | Setup And Manage Self Service Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/setup-and-manage-self-service-access.md | You must assign this role on individual resource pool (or cluster or host), netw 6. Select **Azure Arc VMware Private Cloud User** role and select **Next**. -7. Select **Select members** and search for the Azure Active Directory (Azure AD) user or group that you want to provide access. +7. Select **Select members** and search for the Microsoft Entra user or group that you want to provide access. -8. Select the Azure AD user or group name. Repeat this for each user or group to which you want to grant this permission. +8. Select the Microsoft Entra user or group name. Repeat this for each user or group to which you want to grant this permission. 9. Select **Review + assign** to complete the role assignment. The **Azure Arc VMware VM Contributor** role is a built-in role that provides pe 5. Select **Azure Arc VMware VM Contributor** role and select **Next**. -6. Select the option **Select members**, and search for the Azure Active Directory (Azure AD) user or group that you want to provide access. +6. Select the option **Select members**, and search for the Microsoft Entra user or group that you want to provide access. -8. Select the Azure AD user or group name. Repeat this for each user or group to which you want to grant this permission. +8. Select the Microsoft Entra user or group name. Repeat this for each user or group to which you want to grant this permission. 9. Select on **Review + assign** to complete the role assignment. |
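Review bot: In the second procedure (the **Azure Arc VMware VM Contributor** role), the step numbering jumps from "+6. Select the option **Select members**" to "+8. Select the Microsoft Entra user or group name" with no step 7; since both lines are being edited, renumber them to 6 and 7 (or 7 and 8 to match the first procedure). In the same region, "9. Select on **Review + assign**" should read "Select **Review + assign**", as it does in the first procedure, and "that you want to provide access" reads better as "to whom you want to grant access".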
azure-arc | Support Matrix For Arc Enabled Vmware Vsphere | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/vmware-vsphere/support-matrix-for-arc-enabled-vmware-vsphere.md | The following firewall URL exceptions are needed for the Azure Arc agents: | `aka.ms` | Used to resolve the download script during installation | | `packages.microsoft.com` | Used to download the Linux installation package | | `download.microsoft.com` | Used to download the Windows installation package |-| `login.windows.net` | Azure Active Directory | -| `login.microsoftonline.com` | Azure Active Directory | -| `pas.windows.net` | Azure Active Directory | +| `login.windows.net` | Microsoft Entra ID | +| `login.microsoftonline.com` | Microsoft Entra ID | +| `pas.windows.net` | Microsoft Entra ID | | `management.azure.com` | Azure Resource Manager - to create or delete the Arc server resource | | `*.his.arc.azure.com` | Metadata and hybrid identity services | | `*.guestconfiguration.azure.com` | Extension management and guest configuration services | |
azure-cache-for-redis | Cache Azure Active Directory For Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-azure-active-directory-for-authentication.md | Title: Use Azure Active Directory for cache authentication + Title: Use Microsoft Entra ID for cache authentication -description: Learn how to use Azure Active Directory with Azure Cache for Redis. +description: Learn how to use Microsoft Entra ID with Azure Cache for Redis. -# Use Azure Active Directory for cache authentication +# Use Microsoft Entra ID for cache authentication Azure Cache for Redis offers two methods to authenticate to your cache instance: - [access key](cache-configure.md#access-keys) -- [Azure Active Directory token](/azure/active-directory/develop/access-tokens)+- [Microsoft Entra token](/azure/active-directory/develop/access-tokens) -Although access key authentication is simple, it comes with a set of challenges around security and password management. In this article, you learn how to use an Azure Active Directory (Azure AD) token for cache authentication. +Although access key authentication is simple, it comes with a set of challenges around security and password management. In this article, you learn how to use a Microsoft Entra token for cache authentication. -Azure Cache for Redis offers a password-free authentication mechanism by integrating with [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis). This integration also includes [role-based access control](/azure/role-based-access-control/) functionality provided through [access control lists (ACLs)](https://redis.io/docs/management/security/acl/) supported in open source Redis. +Azure Cache for Redis offers a password-free authentication mechanism by integrating with [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis). 
This integration also includes [role-based access control](/azure/role-based-access-control/) functionality provided through [access control lists (ACLs)](https://redis.io/docs/management/security/acl/) supported in open source Redis. -To use the ACL integration, your client application must assume the identity of an Azure Active Directory entity, like service principal or managed identity, and connect to your cache. In this article, you learn how to use your service principal or managed identity to connect to your cache, and how to grant your connection predefined permissions based on the Azure AD artifact being used for the connection. +To use the ACL integration, your client application must assume the identity of a Microsoft Entra entity, like service principal or managed identity, and connect to your cache. In this article, you learn how to use your service principal or managed identity to connect to your cache, and how to grant your connection predefined permissions based on the Microsoft Entra artifact being used for the connection. 
## Scope of availability To use the ACL integration, your client application must assume the identity of ## Prerequisites and limitations -- To enable Azure AD token-based authentication for your Azure Cache for Redis instance, at least one Redis user must be configured under the **Data Access Policy** setting in the Resource menu.-- Azure AD-based authentication is supported for SSL connections and TLS 1.2 only.-- Azure AD-based authentication isn't supported on Azure Cache for Redis instances that run Redis version 4.-- Azure AD-based authentication isn't supported on Azure Cache for Redis instances that [depend on Cloud Services](./cache-faq.yml#caches-with-a-dependency-on-cloud-services--classic).-- Azure AD based authentication isn't supported in the Enterprise tiers of Azure Cache for Redis Enterprise.+- To enable Microsoft Entra token-based authentication for your Azure Cache for Redis instance, at least one Redis user must be configured under the **Data Access Policy** setting in the Resource menu. +- Microsoft Entra ID-based authentication is supported for SSL connections and TLS 1.2 only. +- Microsoft Entra ID-based authentication isn't supported on Azure Cache for Redis instances that run Redis version 4. +- Microsoft Entra ID-based authentication isn't supported on Azure Cache for Redis instances that [depend on Cloud Services](./cache-faq.yml#caches-with-a-dependency-on-cloud-services--classic). +- Microsoft Entra ID based authentication isn't supported in the Enterprise tiers of Azure Cache for Redis Enterprise. - Some Redis commands are blocked. For a full list of blocked commands, see [Redis commands not supported in Azure Cache for Redis](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis). > [!IMPORTANT]-> Once a connection is established using Azure AD token, client applications must periodically refresh Azure AD token before expiry, and send an `AUTH` command to Redis server to avoid disruption of connections. 
For more information, see [Configure your Redis client to use Azure Active Directory](#configure-your-redis-client-to-use-azure-active-directory). +> Once a connection is established using Microsoft Entra token, client applications must periodically refresh Microsoft Entra token before expiry, and send an `AUTH` command to Redis server to avoid disruption of connections. For more information, see [Configure your Redis client to use Microsoft Entra ID](#configure-your-redis-client-to-use-azure-active-directory). -## Enable Azure AD token based authentication on your cache +<a name='enable-azure-ad-token-based-authentication-on-your-cache'></a> -1. In the Azure portal, select the Azure Cache for Redis instance where you'd like to configure Azure AD token-based authentication. +## Enable Microsoft Entra token based authentication on your cache ++1. In the Azure portal, select the Azure Cache for Redis instance where you'd like to configure Microsoft Entra token-based authentication. 1. Select **(PREVIEW) Data Access Configuration** from the Resource menu. To use the ACL integration, your client application must assume the identity of 1. From the Resource menu, select **Advanced settings**. -1. Check the box labeled **(PREVIEW) Enable Azure AD Authorization** and select **OK**. Then, select **Save**. +1. Check the box labeled **(PREVIEW) Enable Microsoft Entra Authorization** and select **OK**. Then, select **Save**. - :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-azure-ad-access-authorization.png" alt-text="Screenshot of Azure AD access authorization."::: + :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-azure-ad-access-authorization.png" alt-text="Screenshot of Microsoft Entra ID access authorization."::: 1. A dialog box displays a popup notifying you that upgrading is permanent and might cause a brief connection blip. 
Select **Yes.** > [!IMPORTANT] > Once the enable operation is complete, the nodes in your cache instance reboots to load the new configuration. We recommend performing this operation during your maintenance window or outside your peak business hours. The operation can take up to 30 minutes. -## Configure your Redis client to use Azure Active Directory +<a name='configure-your-redis-client-to-use-azure-active-directory'></a> ++## Configure your Redis client to use Microsoft Entra ID -Because most Azure Cache for Redis clients assume that a password/access key is used for authentication, you likely need to update your client workflow to support authentication using Azure AD. In this section, you learn how to configure your client applications to connect to Azure Cache for Redis using an Azure AD token. +Because most Azure Cache for Redis clients assume that a password/access key is used for authentication, you likely need to update your client workflow to support authentication using Microsoft Entra ID. In this section, you learn how to configure your client applications to connect to Azure Cache for Redis using a Microsoft Entra token. -### Azure AD Client Workflow +<a name='azure-ad-client-workflow'></a> -1. Configure your client application to acquire an Azure AD token for scope `acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default` using the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview). +### Microsoft Entra Client Workflow ++1. Configure your client application to acquire a Microsoft Entra token for scope `acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default` using the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview). 
<!-- (ADD code snippet) --> Because most Azure Cache for Redis clients assume that a password/access key is - `UserName` = Object ID of your managed identity or service principal - - `Password` = Azure AD token that you acquired using MSAL + - `Password` = Microsoft Entra token that you acquired using MSAL <!-- (ADD code snippet) --> -1. Ensure that your client executes a Redis [AUTH command](https://redis.io/commands/auth/) automatically before your Azure AD token expires using: +1. Ensure that your client executes a Redis [AUTH command](https://redis.io/commands/auth/) automatically before your Microsoft Entra token expires using: - `UserName` = Object ID of your managed identity or service principal - - `Password` = Azure AD token refreshed periodically + - `Password` = Microsoft Entra token refreshed periodically <!-- (ADD code snippet) --> ### Client library support -The library [`Microsoft.Azure.StackExchangeRedis`](https://www.nuget.org/packages/Microsoft.Azure.StackExchangeRedis) is an extension of `StackExchange.Redis` that enables you to use Azure Active Directory to authenticate connections from a Redis client application to an Azure Cache for Redis. The extension manages the authentication token, including proactively refreshing tokens before they expire to maintain persistent Redis connections over multiple days. +The library [`Microsoft.Azure.StackExchangeRedis`](https://www.nuget.org/packages/Microsoft.Azure.StackExchangeRedis) is an extension of `StackExchange.Redis` that enables you to use Microsoft Entra ID to authenticate connections from a Redis client application to an Azure Cache for Redis. The extension manages the authentication token, including proactively refreshing tokens before they expire to maintain persistent Redis connections over multiple days. 
-This [code sample](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) demonstrates how to use the `Microsoft.Azure.StackExchangeRedis` NuGet package to connect to your Azure Cache for Redis instance using Azure Active Directory. +This [code sample](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) demonstrates how to use the `Microsoft.Azure.StackExchangeRedis` NuGet package to connect to your Azure Cache for Redis instance using Microsoft Entra ID. -The following table includes links to code samples, which demonstrate how to connect to your Azure Cache for Redis instance using an Azure AD token. A wide variety of client libraries are included in multiple languages. +The following table includes links to code samples, which demonstrate how to connect to your Azure Cache for Redis instance using a Microsoft Entra token. A wide variety of client libraries are included in multiple languages. | **Client library** | **Language** | **Link to sample code**| |-|-|-| The following table includes links to code samples, which demonstrate how to con | ioredis | Node.js | [ioredis code sample](https://aka.ms/redis/aad/sample-code/js-ioredis) | | node-redis | Node.js | [node-redis code sample](https://aka.ms/redis/aad/sample-code/js-noderedis) | -### Best practices for Azure AD authentication +<a name='best-practices-for-azure-ad-authentication'></a> ++### Best practices for Microsoft Entra authentication - Configure private links or firewall rules to protect your cache from a Denial of Service attack. -- Ensure that your client application sends a new Azure AD token at least 3 minutes before token expiry to avoid connection disruption.+- Ensure that your client application sends a new Microsoft Entra token at least 3 minutes before token expiry to avoid connection disruption. 
- When calling the Redis server `AUTH` command periodically, consider adding a jitter so that the `AUTH` commands are staggered, and your Redis server doesn't receive lot of `AUTH` commands at the same time. |
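Review bot: The three `<!-- (ADD code snippet) -->` placeholders in the Microsoft Entra Client Workflow steps survive this rename untouched, so the section still ships with no code showing how the acquired token is passed as `Password` or how `AUTH` is re-sent before expiry; either resolve them in this change or track them so the renamed section isn't published with empty steps. Two small wording fixes while in the area: "the nodes in your cache instance reboots" should be "reboot", and "doesn't receive lot of `AUTH` commands" needs "a lot of". The added `<a name='configure-your-redis-client-to-use-azure-active-directory'></a>` anchors are the right way to keep existing deep links working after the heading text changes.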
azure-cache-for-redis | Cache Configure Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-configure-role-based-access-control.md | -Azure Cache for Redis now integrates this ACL functionality with Azure Active Directory (Azure AD) to allow you to configure your Data Access Policies for your application's service principal and managed identity. +Azure Cache for Redis now integrates this ACL functionality with Microsoft Entra ID to allow you to configure your Data Access Policies for your application's service principal and managed identity. Azure Cache for Redis offers three built-in access policies: _Owner_, _Contributor_, and _Reader_. If the built-in access policies don't satisfy your data protection and isolation requirements, you can create and use your own custom data access policy as described in [Configure custom data access policy](#configure-a-custom-data-access-policy-for-your-application). Azure Cache for Redis offers three built-in access policies: _Owner_, _Contribut - Redis ACL and Data Access Policies aren't supported on Azure Cache for Redis instances that run Redis version 4. - Redis ACL and Data Access Policies aren't supported on Azure Cache for Redis instances that depend on [Cloud Services](cache-faq.yml#caches-with-a-dependency-on-cloud-services--classic).-- Azure AD authentication and authorization are supported for SSL connections only.+- Microsoft Entra authentication and authorization are supported for SSL connections only. - Some Redis commands are [blocked](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis). ## Permissions for your data access policy The following list contains some examples of permission strings for various scen ## Configure a custom data access policy for your application -1. In the Azure portal, select the Azure Cache for Redis instance that you want to configure Azure AD token based authentication for. +1. 
In the Azure portal, select the Azure Cache for Redis instance that you want to configure Microsoft Entra token based authentication for. 1. From the Resource menu, select **(PREVIEW) Data Access configuration**. The following list contains some examples of permission strings for various scen 1. From the Resource menu, select **Advanced settings**. -1. If not checked already, Check the box labeled **(PREVIEW) Enable Azure AD Authorization** and select **OK**. Then, select **Save**. +1. If not checked already, Check the box labeled **(PREVIEW) Enable Microsoft Entra Authorization** and select **OK**. Then, select **Save**. - :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-azure-ad-access-authorization.png" alt-text="Screenshot of Azure AD access authorization."::: + :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-azure-ad-access-authorization.png" alt-text="Screenshot of Microsoft Entra ID access authorization."::: 1. A dialog box displays a popup notifying you that upgrading is permanent and might cause a brief connection blip. Select **Yes.** > [!IMPORTANT] > Once the enable operation is complete, the nodes in your cache instance reboots to load the new configuration. We recommend performing this operation during your maintenance window or outside your peak business hours. The operation can take up to 30 minutes. -## Configure your Redis client to use Azure Active Directory +<a name='configure-your-redis-client-to-use-azure-active-directory'></a> ++## Configure your Redis client to use Microsoft Entra ID Now that you have configured Redis User and Data access policy for configuring role based access control, you need to update your client workflow to support authenticating using a specific user/password. 
To learn how to configure you client application to connect to your cache instance as a specific Redis User, see [Configure your Redis client to use Azure AD.](cache-azure-active-directory-for-authentication.md#configure-your-redis-client-to-use-azure-active-directory) ## Next steps -- [Use Azure Active Directory for cache authentication](cache-azure-active-directory-for-authentication.md)+- [Use Microsoft Entra ID for cache authentication](cache-azure-active-directory-for-authentication.md) |
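Review bot: The rename is incomplete in the unchanged line "see [Configure your Redis client to use Azure AD.](cache-azure-active-directory-for-authentication.md#configure-your-redis-client-to-use-azure-active-directory)": the link text still says "Azure AD" while every heading around it now says Microsoft Entra ID, and the fragment only continues to resolve because the companion change adds the `<a name=...>` compatibility anchor. Suggest updating the link text to "Configure your Redis client to use Microsoft Entra ID" in the same change, and fixing "configure you client application" to "your". Also, in the Advanced settings step, "If not checked already, Check the box" should lowercase "check".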
azure-cache-for-redis | Cache How To Geo Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-geo-replication.md | Be sure to check the following items: - If youΓÇÖre using a firewall in either cache, make sure that the firewall settings are similar so you have no connection issues. - Make sure both caches are using the same port and TLS/SSL settings-- The geo-primary and geo-secondary caches have different access keys. If a failover is triggered, make sure your application can update the access key it's using to match the new geo-primary. Or, use [Azure Active Directory tokens for cache authentication](cache-azure-active-directory-for-authentication.md), which allow you to use the same authentication credential for both the geo-primary and the geo-secondary cache. +- The geo-primary and geo-secondary caches have different access keys. If a failover is triggered, make sure your application can update the access key it's using to match the new geo-primary. Or, use [Microsoft Entra tokens for cache authentication](cache-azure-active-directory-for-authentication.md), which allow you to use the same authentication credential for both the geo-primary and the geo-secondary cache. ### Failover with minimal data loss Geo-failover events can introduce data inconsistencies during the transition, es There's no need to run the CLIENT UNPAUSE command as the new geo-primary does retain the client pause. >[!NOTE]->Using [Azure Active Directory based authentication](cache-azure-active-directory-for-authentication.md) for your cache is recommended in geo-failover scenarios because it removes the difficulty of managing different access keys for the geo-primary and the geo-secondary cache. 
+>Using [Microsoft Entra ID based authentication](cache-azure-active-directory-for-authentication.md) for your cache is recommended in geo-failover scenarios because it removes the difficulty of managing different access keys for the geo-primary and the geo-secondary cache. > ## Remove a geo-replication link |
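Review bot: "Microsoft Entra ID based authentication" in the NOTE should be hyphenated as "Microsoft Entra ID-based authentication", since it is a compound modifier. The substantive guidance is sound: recommending Entra tokens here removes the key-rotation step an application would otherwise have to perform at failover, because, as the checklist above says, the geo-primary and geo-secondary caches have different access keys but accept the same token.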
azure-cache-for-redis | Cache How To Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-monitor.md | In contrast, for clustered caches, we recommend using the metrics with the suffi - The amount of data written to the cache in Megabytes per second (MB/s) during the specified reporting interval. This value is derived from the network interface cards that support the virtual machine that hosts the cache and isn't Redis specific. This value corresponds to the network bandwidth of data sent to the cache from the client. - Connected Clients - The number of client connections to the cache during the specified reporting interval. This number maps to `connected_clients` from the Redis INFO command. Once the [connection limit](cache-configure.md#default-redis-server-configuration) is reached, later attempts to connect to the cache fail. Even if there are no active client applications, there may still be a few instances of connected clients because of internal processes and connections.-- Connected Clients Using AAD Token (preview)- - The number of client connections to the cache authenticated using Azure AD token during the specified reporting interval. +- Connected Clients Using Microsoft Entra Token (preview) + - The number of client connections to the cache authenticated using Microsoft Entra token during the specified reporting interval. - Connections Created Per Second - The number of instantaneous connections created per second on the cache via port 6379 or 6380 (SSL). This metric can help identify whether clients are frequently disconnecting and reconnecting, which can cause higher CPU usage and Redis Server Load. This metric isn't available in Enterprise or Enterprise Flash tier caches. 
- Connections Closed Per Second In contrast, for clustered caches, we recommend using the metrics with the suffi - **RDB** ΓÇô when there's an issue related to RDB persistence - **Import** ΓÇô when there's an issue related to Import RDB - **Export** ΓÇô when there's an issue related to Export RDB- - **AADAuthenticationFailure** (preview) - when there's an authentication failure using Azure AD Access token - - **AADTokenExpired** (preview) - when an Azure AD access token used for authentication is not renewed and it expires. + - **AADAuthenticationFailure** (preview) - when there's an authentication failure using Microsoft Entra access token + - **AADTokenExpired** (preview) - when a Microsoft Entra access token used for authentication is not renewed and it expires. - Evicted Keys - The number of items evicted from the cache during the specified reporting interval because of the `maxmemory` limit. - This number maps to `evicted_keys` from the Redis INFO command. |
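Review bot: Confirm that the metric display name in the portal has actually changed before renaming "Connected Clients Using AAD Token (preview)" to "Connected Clients Using Microsoft Entra Token (preview)" in the metrics list; readers look these names up in the Metrics blade, and a doc name that doesn't match the portal string is worse than the old one. The same hunk correctly leaves the error-category identifiers `AADAuthenticationFailure` and `AADTokenExpired` as they are, which is right because they are emitted values rather than display text; a one-line remark that the AAD prefix in those identifiers is expected would save readers the confusion. Minor: "authenticated using Microsoft Entra token" needs "a".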
azure-cache-for-redis | Cache How To Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-version.md | Last updated 06/02/2023 In this article, you'll learn how to configure the Redis software version to be used with your cache instance. Azure Cache for Redis offers the latest major version of Redis and at least one previous version. It will update these versions regularly as newer Redis software is released. You can choose between the two available versions. Keep in mind that your cache will be upgraded to the next version automatically if the version it's using currently is no longer supported. > [!NOTE]-> At this time, Redis 6 does not directly support Access Control Lists (ACL) but ACLs can be setup through [Active AD](cache-configure-role-based-access-control.md). For more information, seee to [Use Azure Active Directory for cache authentication](cache-azure-active-directory-for-authentication.md) +> At this time, Redis 6 does not directly support Access Control Lists (ACL) but ACLs can be setup through [Active AD](cache-configure-role-based-access-control.md). For more information, seee to [Use Microsoft Entra ID for cache authentication](cache-azure-active-directory-for-authentication.md) > Presently, Redis 6 does not support geo-replication between a Redis 4 cache and Redis 6 cache. > |
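Review bot: This hunk renames only the second link in the NOTE while leaving the first one as "[Active AD](cache-configure-role-based-access-control.md)" and keeping the "seee to" typo in the same sentence; suggest changing that link text to "Microsoft Entra ID", "seee to" to "see", and "can be setup" to "can be set up" in one pass rather than leaving a half-renamed NOTE block.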
azure-cache-for-redis | Cache Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-managed-identity.md | -[Managed identities](../active-directory/managed-identities-azure-resources/overview.md) are a common tool used in Azure to help developers minimize the burden of managing secrets and sign-in information. Managed identities are useful when Azure services connect to each other. Instead of managing authorization between each service, [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) can be used to provide a managed identity that makes the authentication process more streamlined and secure. +[Managed identities](../active-directory/managed-identities-azure-resources/overview.md) are a common tool used in Azure to help developers minimize the burden of managing secrets and sign-in information. Managed identities are useful when Azure services connect to each other. Instead of managing authorization between each service, [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) can be used to provide a managed identity that makes the authentication process more streamlined and secure. ## Use managed identity with storage accounts Managed identity for storage isn't supported on caches that have a dependency on :::image type="content" source="media/cache-managed-identity/identity-save.png" alt-text="Screenshot showing System Assigned selected and Status is on."::: -1. A dialog pops up saying that your cache will be registered with Azure Active Directory and that it can be granted permissions to access resources protected by Azure AD. Select **Yes**. +1. A dialog pops up saying that your cache will be registered with Microsoft Entra ID and that it can be granted permissions to access resources protected by Microsoft Entra ID. Select **Yes**. 
:::image type="content" source="media/cache-managed-identity/identity-dialog.png" alt-text="Screenshot asking if you want to enable managed identity."::: 1. You see an **Object (principal) ID**, indicating that the identity has been assigned. |
azure-cache-for-redis | Cache Tutorial Write Behind | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-tutorial-write-behind.md | This example uses the portal: :::image type="content" source="media/cache-tutorial-write-behind/cache-create-sql.png" alt-text="Screenshot of creating an Azure SQL resource."::: -1. Select **Use SQL authentication** and enter an admin sign-in and password. Be sure to remember these credentials or write them down. When you're deploying a server in production, use Azure Active Directory (Azure AD) authentication instead. +1. Select **Use SQL authentication** and enter an admin sign-in and password. Be sure to remember these credentials or write them down. When you're deploying a server in production, use Microsoft Entra authentication instead. :::image type="content" source="media/cache-tutorial-write-behind/cache-sql-authentication.png" alt-text="Screenshot of the authentication information for an Azure SQL resource."::: |
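Review bot: "Be sure to remember these credentials or write them down" in the SQL authentication step reads as an invitation to keep the admin password on a sticky note; since the same sentence already points to Microsoft Entra authentication for production, suggest rewording it to store the credentials in a password manager or Azure Key Vault for the duration of the tutorial rather than "write them down".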
azure-functions | Durable Functions Configure Durable Functions With Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-configure-durable-functions-with-credentials.md | Title: "Configure Durable Functions with Azure Active Directory" + Title: "Configure Durable Functions with Microsoft Entra ID" description: Configure Durable Functions with Managed Identity Credentials and Client Secret Credentials. Last updated 02/01/2023 -# Configure Durable Functions with Azure Active Directory +# Configure Durable Functions with Microsoft Entra ID -[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) is a cloud-based identity and access management service. Identity-based connections allow Durable Functions to make authorized requests against Azure AD protected resources, like an Azure Storage account, without the need to manage secrets manually. Using the default Azure storage provider, Durable Functions needs to authenticate against an Azure storage account. In this article, we show how to configure a Durable Functions app to utilize two kinds of Identity-based connections: **managed identity credentials** and **client secret credentials**. +[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) (Microsoft Entra ID) is a cloud-based identity and access management service. Identity-based connections allow Durable Functions to make authorized requests against Microsoft Entra protected resources, like an Azure Storage account, without the need to manage secrets manually. Using the default Azure storage provider, Durable Functions needs to authenticate against an Azure storage account. In this article, we show how to configure a Durable Functions app to utilize two kinds of Identity-based connections: **managed identity credentials** and **client secret credentials**. 
## Configure your app to use managed identity (recommended) -A [managed identity](../../app-service/overview-managed-identity.md) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. Managed identity is supported in [Durable Functions extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask) versions **2.7.0** and greater. +A [managed identity](../../app-service/overview-managed-identity.md) allows your app to easily access other Microsoft Entra protected resources such as Azure Key Vault. Managed identity is supported in [Durable Functions extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask) versions **2.7.0** and greater. > [!NOTE] > Strictly speaking, a managed identity is only available to apps when executing on Azure. When configured to use identity-based connections, a locally executing app will utilize your **developer credentials** to authenticate with Azure resources. Then, when deployed on Azure, it will utilize your managed identity configuration instead. Navigate to your Azure function appΓÇÖs **Configuration** page and perform the f * If **user-assigned identity** should be used, then add the following app settings values in your app configuration: * **AzureWebJobsStorage__credential**: managedidentity - * **AzureWebJobsStorage__clientId**: (This is a GUID value that you obtain from the Azure AD portal) + * **AzureWebJobsStorage__clientId**: (This is a GUID value that you obtain from the Microsoft Entra admin center) ![Screenshot of user identity client id.](media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-03.png) Navigate to your Azure function appΓÇÖs **Configuration** page and perform the f ## Configure your app to use client secret credentials -Registering a client application in Azure Active Directory (Azure AD) is another way you can configure access to an Azure service. 
In the following steps, you will learn how to use client secret credentials for authentication to your Azure Storage account. This method can be used by function apps both locally and on Azure. However, client secret credential is **less recommended** than managed identity as it's more complicated to configure and manage and it requires sharing a secret credential with the Azure Functions service. +Registering a client application in Microsoft Entra ID is another way you can configure access to an Azure service. In the following steps, you will learn how to use client secret credentials for authentication to your Azure Storage account. This method can be used by function apps both locally and on Azure. However, client secret credential is **less recommended** than managed identity as it's more complicated to configure and manage and it requires sharing a secret credential with the Azure Functions service. ### Prerequisites In particular, this quickstart assumes that you have already: * Created a Durable Functions project on your local machine or in the Azure portal. -### Register a client application on Azure Active Directory -1. Register a client application under Azure Active Directory in the Azure portal according to [these instructions](../../healthcare-apis/register-application.md). +<a name='register-a-client-application-on-azure-active-directory'></a> ++### Register a client application on Microsoft Entra ID +1. Register a client application under Microsoft Entra ID in the Azure portal according to [these instructions](../../healthcare-apis/register-application.md). 2. Create a client secret for your client application. In your registered application: To run and test in Azure, specify the followings in your Azure function appΓÇÖs ![Screenshot of endpoint sample.](media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-02.png) 3. 
Add a client secret credential by specifying the following values: - * **AzureWebJobsStorage__clientId**: (this is a GUID value found in the Azure AD application page) + * **AzureWebJobsStorage__clientId**: (this is a GUID value found in the Microsoft Entra application page) - * **AzureWebJobsStorage__ClientSecret**: (this is the secret value generated in the Azure AD portal in a previous step) + * **AzureWebJobsStorage__ClientSecret**: (this is the secret value generated in the Microsoft Entra admin center in a previous step) - * **AzureWebJobsStorage__tenantId**: (this is the tenant ID that the Azure AD application is registered in) + * **AzureWebJobsStorage__tenantId**: (this is the tenant ID that the Microsoft Entra application is registered in) The client ID and tenant ID values can be found on your client applicationΓÇÖs overview page. The client secret value is the one that was carefully saved in the previous step. It will not be available after the page is refreshed. ![Screenshot of application's overview page.](media/durable-functions-configure-df-with-credentials/durable-functions-client-secret-scenario-04.png)- |
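Review bot: The rename produces a redundant parenthetical in the intro: "[Microsoft Entra ID](...) (Microsoft Entra ID) is a cloud-based identity..."; the old "(Azure AD)" defined an abbreviation, the new one just repeats the link text, so drop it. Separately, the app-setting names in the client-secret step are inconsistently cased: `AzureWebJobsStorage__clientId` and `AzureWebJobsStorage__tenantId` are lowerCamel but `AzureWebJobsStorage__ClientSecret` is PascalCase; verify which casing the extension documents and use it for all three so readers copying the names don't have to guess.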
azure-functions | Durable Functions Http Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-http-features.md | The "call HTTP" API can automatically implement the client side of the polling c ### Managed identities -Durable Functions natively supports calls to APIs that accept Azure Active Directory (Azure AD) tokens for authorization. This support uses [Azure managed identities](../../active-directory/managed-identities-azure-resources/overview.md) to acquire these tokens. +Durable Functions natively supports calls to APIs that accept Microsoft Entra tokens for authorization. This support uses [Azure managed identities](../../active-directory/managed-identities-azure-resources/overview.md) to acquire these tokens. The following code is an example of an orchestrator function. The function makes authenticated calls to restart a virtual machine by using the Azure Resource Manager [virtual machines REST API](/rest/api/compute/virtualmachines). This feature isn't available in Java. -In the previous example, the `tokenSource` parameter is configured to acquire Azure AD tokens for [Azure Resource Manager](../../azure-resource-manager/management/overview.md). The tokens are identified by the resource URI `https://management.core.windows.net/.default`. The example assumes that the current function app either is running locally or was deployed as a function app with a managed identity. The local identity or the managed identity is assumed to have permission to manage VMs in the specified resource group `myRG`. +In the previous example, the `tokenSource` parameter is configured to acquire Microsoft Entra tokens for [Azure Resource Manager](../../azure-resource-manager/management/overview.md). The tokens are identified by the resource URI `https://management.core.windows.net/.default`. 
The example assumes that the current function app either is running locally or was deployed as a function app with a managed identity. The local identity or the managed identity is assumed to have permission to manage VMs in the specified resource group `myRG`. At runtime, the configured token source automatically returns an OAuth 2.0 access token. The source then adds the token as a bearer token to the Authorization header of the outgoing request. This model is an improvement over manually adding authorization headers to HTTP requests for the following reasons: At runtime, the configured token source automatically returns an OAuth 2.0 acces You can find a more complete example in the [precompiled C# RestartVMs sample](https://github.com/Azure/azure-functions-durable-extension/blob/dev/samples/precompiled/RestartVMs.cs). -Managed identities aren't limited to Azure resource management. You can use managed identities to access any API that accepts Azure AD bearer tokens, including Azure services from Microsoft and web apps from partners. A partner's web app can even be another function app. For a list of Azure services from Microsoft that support authentication with Azure AD, see [Azure services that support Azure AD authentication](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +Managed identities aren't limited to Azure resource management. You can use managed identities to access any API that accepts Microsoft Entra bearer tokens, including Azure services from Microsoft and web apps from partners. A partner's web app can even be another function app. For a list of Azure services from Microsoft that support authentication with Microsoft Entra ID, see [Azure services that support Microsoft Entra authentication](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). 
### Limitations |
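Review bot: The last hunk changes the link text to "Azure services that support Microsoft Entra authentication" but keeps the fragment `#azure-services-that-support-azure-ad-authentication`; check that the target article either still has that heading or gained a compatibility `<a name>` anchor in its own rename, since other files in this change add such anchors when heading text changes, and a stale fragment silently drops the reader at the top of the page.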
azure-functions | Durable Functions Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-overview.md | Content-Type: application/json Because the Durable Functions runtime manages state for you, you don't need to implement your own status-tracking mechanism. -The Durable Functions extension exposes built-in HTTP APIs that manage long-running orchestrations. You can alternatively implement this pattern yourself by using your own function triggers (such as HTTP, a queue, or Azure Event Hubs) and the [durable client binding](durable-functions-bindings.md#orchestration-client). For example, you might use a queue message to trigger termination. Or, you might use an HTTP trigger that's protected by an Azure Active Directory authentication policy instead of the built-in HTTP APIs that use a generated key for authentication. +The Durable Functions extension exposes built-in HTTP APIs that manage long-running orchestrations. You can alternatively implement this pattern yourself by using your own function triggers (such as HTTP, a queue, or Azure Event Hubs) and the [durable client binding](durable-functions-bindings.md#orchestration-client). For example, you might use a queue message to trigger termination. Or, you might use an HTTP trigger that's protected by a Microsoft Entra authentication policy instead of the built-in HTTP APIs that use a generated key for authentication. For more information, see the [HTTP features](durable-functions-http-features.md) article, which explains how you can expose asynchronous, long-running processes over HTTP using the Durable Functions extension. |
azure-functions | Durable Functions Storage Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/durable/durable-functions-storage-providers.md | If the configured value is both an exact match for a single setting and a prefix ##### Identity-based connections -If you are using [version 2.7.0 or higher of the extension](https://github.com/Azure/azure-functions-durable-extension/releases/tag/v2.7.0) and the Azure storage provider, instead of using a connection string with a secret, you can have the app use an [Azure Active Directory identity](../../active-directory/fundamentals/active-directory-whatis.md). To do this, you would define settings under a common prefix which maps to the `connectionName` property in the trigger and binding configuration. +If you are using [version 2.7.0 or higher of the extension](https://github.com/Azure/azure-functions-durable-extension/releases/tag/v2.7.0) and the Azure storage provider, instead of using a connection string with a secret, you can have the app use an [Microsoft Entra identity](../../active-directory/fundamentals/active-directory-whatis.md). To do this, you would define settings under a common prefix which maps to the `connectionName` property in the trigger and binding configuration. To use an identity-based connection for Durable Functions, configure the following app settings: |
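Review bot: "an [Microsoft Entra identity]" introduces an article error; "an Azure Active Directory identity" was right because of the vowel, so the replacement should read "a [Microsoft Entra identity](../../active-directory/fundamentals/active-directory-whatis.md)".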
azure-functions | Functions Bindings Azure Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-azure-sql.md | For [SQL trigger](functions-bindings-azure-sql-trigger.md) functionality, use a Azure SQL bindings for Azure Functions have a required property for the connection string on all bindings and triggers. These pass the connection string to the Microsoft.Data.SqlClient library and supports the connection string as defined in the [SqlClient ConnectionString documentation](/dotnet/api/microsoft.data.sqlclient.sqlconnection.connectionstring?view=sqlclient-dotnet-core-5.0&preserve-view=true#Microsoft_Data_SqlClient_SqlConnection_ConnectionString). Notable keywords include: -- `Authentication` allows a function to connect to Azure SQL with Azure Active Directory, including [Active Directory Managed Identity](./functions-identity-access-azure-sql-with-managed-identity.md)+- `Authentication` allows a function to connect to Azure SQL with Microsoft Entra ID, including [Active Directory Managed Identity](./functions-identity-access-azure-sql-with-managed-identity.md) - `Command Timeout` allows a function to wait for specified amount of time in seconds before terminating a query (default 30 seconds) - `ConnectRetryCount` allows a function to automatically make additional reconnection attempts, especially applicable to Azure SQL Database serverless tier (default 1) - `Pooling` allows a function to reuse connections to the database, which can improve performance (default `true`). Additional settings for connection pooling include `Connection Lifetime`, `Max Pool Size`, and `Min Pool Size`. Learn more about connection pooling in the [ADO.NET documentation](/sql/connect/ado-net/sql-server-connection-pooling) |
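Review bot: The hunk renames the `Authentication` keyword description to Microsoft Entra ID but keeps the link text "[Active Directory Managed Identity]"; suggest "Microsoft Entra managed identity" for consistency with the rest of the change. Also, in the unchanged sentence above it, "These pass the connection string ... and supports" should be "support".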
azure-functions | Functions Bindings Dapr Input Secret | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-input-secret.md | + + Title: Dapr Secret input binding for Azure Functions +description: Learn how to access Dapr Secret input binding data during function execution in Azure Functions. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Secret input binding for Azure Functions +++The Dapr secret input binding allows you to read secrets data as input during function execution. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). + +## Example +++A C# function can be created using one of the following C# modes: +++# [In-process](#tab/in-process) ++```csharp +[FunctionName("RetrieveSecret")] +public static void Run( + [DaprServiceInvocationTrigger] object args, + [DaprSecret("kubernetes", "my-secret", Metadata = "metadata.namespace=default")] IDictionary<string, string> secret, + ILogger log) +{ + log.LogInformation("C# function processed a RetrieveSecret request from the Dapr Runtime."); +} +``` ++# [Isolated process](#tab/isolated-process) ++More samples for the Dapr input secret binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-dapr-extension/blob/master/samples/dotnet-isolated-azurefunction/InputBinding). 
+++++++The following example creates a `"RetreveSecret"` function using the `DaprSecretInput` binding with the [`DaprServiceInvocationTrigger`](./functions-bindings-dapr-trigger-svc-invoke.md): +++```java +@FunctionName("RetrieveSecret") +public void run( + @DaprServiceInvocationTrigger( + methodName = "RetrieveSecret") Object args, + @DaprSecretInput( + secretStoreName = "kubernetes", + key = "my-secret", + metadata = "metadata.namespace=default") + Map<String, String> secret, + final ExecutionContext context) +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. ++Here's the _function.json_ file for `daprServiceInvocationTrigger`: ++```json +{ + "bindings": + { + "type": "daprSecret", + "direction": "in", + "name": "secret", + "key": "my-secret", + "secretStoreName": "localsecretstore", + "metadata": "metadata.namespace=default" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context) { + context.log("Node function processed a RetrieveSecret request from the Dapr Runtime."); ++ // print the fetched secret value + for( var key in context.bindings.secret) + { + context.log(`Stored secret: Key = ${key}, Value =${context.bindings.secret[key]}`); + } +}; +``` ++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. 
++Here's the _function.json_ file for `daprServiceInvocationTrigger`: ++```json +{ + "bindings": + { + "type": "daprSecret", + "direction": "in", + "name": "secret", + "key": "my-secret", + "secretStoreName": "localsecretstore", + "metadata": "metadata.namespace=default" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++param ( + $payload, $secret +) ++# PowerShell function processed a CreateNewOrder request from the Dapr Runtime. +Write-Host "PowerShell function processed a RetrieveSecretLocal request from the Dapr Runtime." ++# Convert the object to a JSON-formatted string with ConvertTo-Json +$jsonString = $secret | ConvertTo-Json ++Write-Host "$jsonString" +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Secret input binding, which uses the [v2 Python programming model](functions-reference-python.md). 
To use the `daprSecret` binding alongside the `daprServiceInvocationTrigger` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="RetrieveSecret") +@app.dapr_service_invocation_trigger(arg_name="payload", method_name="RetrieveSecret") +@app.dapr_secret_input(arg_name="secret", secret_store_name="localsecretstore", key="my-secret", metadata="metadata.namespace=default") +def main(payload, secret: str) : + # Function should be invoked with this command: dapr invoke --app-id functionapp --method RetrieveSecret --data '{}' + logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.') + secret_dict = json.loads(secret) ++ for key in secret_dict: + logging.info("Stored secret: Key = " + key + + ', Value = ' + secret_dict[key]) +``` ++# [Python v1](#tab/v1) ++The following example shows a Dapr Secret input binding, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprSecret`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": + { + "type": "daprSecret", + "direction": "in", + "name": "secret", + "key": "my-secret", + "secretStoreName": "localsecretstore", + "metadata": "metadata.namespace=default" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. 
++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main (payload, secret) -> None: + logging.info('Python function processed a RetrieveSecret request from the Dapr Runtime.') + secret_dict = json.loads(secret) ++ for key in secret_dict: + logging.info("Stored secret: Key = " + key + ', Value = '+ secret_dict[key]) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprSecret` to define a Dapr secret input binding, which supports these parameters: ++| Parameter | Description | +| | -- | +| **SecretStoreName** | The name of the secret store to get the secret. | +| **Key** | The key identifying the name of the secret to get. | +| **Metadata** | _Optional._ An array of metadata properties in the form `"key1=value1&key2=value2"`. | ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprSecretInput` to define a Dapr secret input binding, which supports these parameters: ++| Parameter | Description | +| | -- | +| **SecretStoreName** | The name of the secret store to get the secret. | +| **Key** | The key identifying the name of the secret to get. | +| **Metadata** | _Optional._ An array of metadata properties in the form `"key1=value1&key2=value2"`. | ++++++## Annotations ++The `DaprSecretInput` annotation allows you to have your function access a secret. ++| Element | Description | +| - | -- | +| **secretStoreName** | The name of the Dapr secret store. | +| **key** | The secret key value. | +| **metadata** | _Optional_. The metadata values. | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description | +|--|-| +|**key** | The secret key value. | +|**secretStoreName** | Name of the secret store as defined in the _local-secret-store.yaml_ component file. 
| +|**metadata** | The metadata namespace. | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_secret_input` that you set in your Python code. ++|Property | Description | +||-| +|**secret_store_name** | The name of the secret store. | +|**key** | The secret key value. | +|**metadata** | The metadata namespace. | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description | +|--|-| +|**key** | The secret key value. | +|**secretStoreName** | Name of the secret store as defined in the _local-secret-store.yaml_ component file. | +|**metadata** | The metadata namespace. | +++++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr secret input binding, start by setting up a Dapr secret store component. You can learn more about which component to use and how to set it up in the official Dapr documentation. ++- [Dapr secret store component specs](https://docs.dapr.io/reference/components-reference/supported-secret-stores/) +- [How to: Retrieve a secret](https://docs.dapr.io/developing-applications/building-blocks/secrets/howto-secrets/) ++++# [Python v2](#tab/v2) ++To use the `daprSecret` in **Python v2**, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. 
Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` +++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the secret store. ++++++## Next steps ++[Learn more about Dapr secrets.](https://docs.dapr.io/developing-applications/building-blocks/secrets/) |
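Review bot: every language sample in this new article writes the retrieved secret value itself to the log stream: the JavaScript loop logs `Value =${context.bindings.secret[key]}`, both Python samples log `', Value = ' + secret_dict[key]`, and the PowerShell sample does `$jsonString = $secret | ConvertTo-Json` followed by `Write-Host "$jsonString"`. That puts secrets into the console and Application Insights for anyone with log access; suggest the samples log only the key names (or a fixed marker) and that the Usage section says not to log secret values. Two correctness issues in the same hunk: the `function.json` samples wrap the binding in an object (`"bindings": { ... }`) where the host expects an array (`"bindings": [ { ... } ]`), and the JavaScript and PowerShell files are introduced as "the _function.json_ file for `daprServiceInvocationTrigger`" but contain only the `daprSecret` input binding, so the trigger that drives the sample is missing. Smaller points: the Java example is a method signature with no body; the text says `"RetreveSecret"` while the annotation is `"RetrieveSecret"`; the PowerShell sample keeps a leftover `# PowerShell function processed a CreateNewOrder request` comment; the Python v2 configuration table refers to `@dapp.dapr_secret_input` while the code uses `app`; and the Usage steps name `requirements.text` and `local.setting.json` (should be `requirements.txt` and `local.settings.json`) and run `pip install -r .\requirements.txt` with a Windows path inside a `bash` block.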
azure-functions | Functions Bindings Dapr Input State | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-input-state.md | + + Title: Dapr State input binding for Azure Functions +description: Learn how to provide Dapr State input binding data during a function execution in Azure Functions. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr State input binding for Azure Functions +++The Dapr state input binding allows you to read Dapr state during a function execution. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: +++# [In-process](#tab/in-process) ++```csharp +[FunctionName("StateInputBinding")] +public static IActionResult Run( + [HttpTrigger(AuthorizationLevel.Function, "get", Route = "state/{key}")] HttpRequest req, + [DaprState("statestore", Key = "{key}")] string state, + ILogger log) +{ + log.LogInformation("C# HTTP trigger function processed a request."); ++ return new OkObjectResult(state); +} +``` ++# [Isolated process](#tab/isolated-process) ++More samples for the Dapr input state binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/dotnet-isolated-azurefunction/InputBinding). 
+++++++The following example creates a `"RetreveOrder"` function using the `DaprStateInput` binding with the [`DaprServiceInvocationTrigger`](./functions-bindings-dapr-trigger-svc-invoke.md): +++```java +@FunctionName("RetrieveOrder") +public String run( + @DaprServiceInvocationTrigger( + methodName = "RetrieveOrder") + String payload, + @DaprStateInput( + stateStore = "%StateStoreName%", + key = "order") + String product, + final ExecutionContext context) +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. ++Here's the _function.json_ file for `daprState`: ++```json +{ + "bindings": + { + "type": "daprState", + "direction": "in", + "dataType": "string", + "name": "state", + "stateStore": "statestore", + "key": "{key}" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context, req) { + context.log('Current state of this function: ' + context.bindings.daprState); +}; +``` ++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprState`: ++```json +{ + "bindings": + { + "type": "daprState", + "direction": "in", + "key": "order", + "stateStore": "%StateStoreName%", + "name": "order" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. 
++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++param ( + $payload, $order +) ++# C# function processed a CreateNewOrder request from the Dapr Runtime. +Write-Host "PowerShell function processed a RetrieveOrder request from the Dapr Runtime." ++# Convert the object to a JSON-formatted string with ConvertTo-Json +$jsonString = $order | ConvertTo-Json ++Write-Host "$jsonString" +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr State input binding, which uses the [v2 Python programming model](functions-reference-python.md). To use the `daprState` binding alongside the `daprServiceInvocationTrigger` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="RetrieveOrder") +@app.dapr_service_invocation_trigger(arg_name="payload", method_name="RetrieveOrder") +@app.dapr_state_input(arg_name="data", state_store="statestore", key="order") +def main(payload, data: str) : + # Function should be invoked with this command: dapr invoke --app-id functionapp --method RetrieveOrder --data '{}' + logging.info('Python function processed a RetrieveOrder request from the Dapr Runtime.') + logging.info(data) +``` ++# [Python v1](#tab/v1) ++The following example shows a Dapr State input binding, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprState`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": + { + "type": "daprState", + "direction": "in", + "dataType": "string", + "name": "state", + "stateStore": "statestore", + "key": "{key}" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section explains these properties. 
++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main(payload, data: str) -> None: + logging.info('Python function processed a RetrieveOrder request from the Dapr Runtime.') + logging.info(data) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprState` to read Dapr state into your function, which supports these parameters: ++| Parameter | Description | +| | -- | +| **StateStore** | The name of the state store to retrieve state. | +| **Key** | The name of the key to retrieve from the specified state store. | ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprStateInput` to read Dapr state into your function, which supports these parameters: ++| Parameter | Description | +| | -- | +| **StateStore** | The name of the state store to retrieve state. | +| **Key** | The name of the key to retrieve from the specified state store. | ++++## Annotations ++The `DaprStateInput` annotation allows you to read Dapr state into your function. ++| Element | Description | +| - | -- | +| **stateStore** | The name of the Dapr state store. | +| **key** | The state store key value. | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description | +|--|-| +|**stateStore** | The name of the state store. | +|**key** | The name of the key to retrieve from the specified state store. | ++++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description | +|--|-| +|**key** | The name of the key to retrieve from the specified state store. | +|**stateStore** | The name of the state store. 
| ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_state_input` that you set in your Python code. ++|Property | Description | +||-| +|**state_store** | The name of the state store. | +|**key** | The secret key value. The name of the key to retrieve from the specified state store. | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description | +|--|-| +|**stateStore** | The name of the state store. | +|**key** | The name of the key to retrieve from the specified state store. | ++ +++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr state input binding, start by setting up a Dapr state store component. You can learn more about which component to use and how to set it up in the official Dapr documentation. ++- [Dapr state store component specs](https://docs.dapr.io/reference/components-reference/supported-state-stores/) +- [How to: Save state](https://docs.dapr.io/developing-applications/building-blocks/state-management/howto-get-save-state/) ++++# [Python v2](#tab/v2) ++To use the `daprState` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the state store. 
+++++## Next steps ++[Learn more about Dapr state management.](https://docs.dapr.io/developing-applications/building-blocks/state-management/) |
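Review bot: the JavaScript sample reads `context.bindings.daprState`, but the binding in its `function.json` is named `"name": "state"`, so the log line would print `undefined`; it should read `context.bindings.state`. That same file binds `"key": "{key}"` with no HTTP trigger present to supply the route value, and, like the other samples here, puts the binding in an object (`"bindings": { ... }`) instead of the array the host expects. A caveat the Usage section should carry: in the C# sample, `Route = "state/{key}"` together with `[DaprState("statestore", Key = "{key}")]` returns whatever item the caller names in the URL, so anyone holding the function key can read any key in the store; say so, and suggest constraining the key or scoping the function key when the route is caller-controlled. Smaller points: the Java example is a signature without a body and the text says `"RetreveOrder"` for `"RetrieveOrder"`; the PowerShell comment reads `# C# function processed a CreateNewOrder request`; the Python v2 configuration table refers to `@dapp.dapr_state_input` (the code uses `app`) and its `key` row starts with "The secret key value", a leftover from the secret binding article; "see the [Configuration](#configuration) section explains these properties" is a run-on; and the Usage steps repeat `requirements.text`, `local.setting.json` and the `.\requirements.txt` path in a `bash` block.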
azure-functions | Functions Bindings Dapr Output Invoke | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-output-invoke.md | + + Title: Dapr Invoke output binding for Azure Functions +description: Learn how to send data to a Dapr Invoke output binding during function execution in Azure Functions. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Invoke output binding for Azure Functions +++The Dapr invoke output binding allows you to invoke another Dapr application during a function execution. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: +++# [In-process](#tab/in-process) ++The following example demonstrates using a Dapr invoke output binding to perform a Dapr service invocation operation hosted in another Dapr-ized application. In this example, the function acts like a proxy. 
++```csharp +[FunctionName("InvokeOutputBinding")] +public static async Task<IActionResult> Run( + [HttpTrigger(AuthorizationLevel.Function, "get", Route = "invoke/{appId}/{methodName}")] HttpRequest req, + [DaprInvoke(AppId = "{appId}", MethodName = "{methodName}", HttpVerb = "post")] IAsyncCollector<InvokeMethodParameters> output, + ILogger log) +{ + log.LogInformation("C# HTTP trigger function processed a request."); ++ string requestBody = await new StreamReader(req.Body).ReadToEndAsync(); ++ var outputContent = new InvokeMethodParameters + { + Body = requestBody + }; ++ await output.AddAsync(outputContent); ++ return new OkResult(); +} +``` ++# [Isolated process](#tab/isolated-process) ++More samples for the Dapr output invoke binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/dotnet-isolated-azurefunction/OutputBinding). +++++++The following example creates a `"InvokeOutputBinding"` function using the `DaprInvokeOutput` binding with an `HttpTrigger`: +++```java +@FunctionName("InvokeOutputBinding") +public String run( + @HttpTrigger( + name = "req", + methods = {HttpMethod.GET, HttpMethod.POST}, + authLevel = AuthorizationLevel.ANONYMOUS, + route = "invoke/{appId}/{methodName}") + HttpRequestMessage<Optional<String>> request, + @DaprInvokeOutput( + appId = "{appId}", + methodName = "{methodName}", + httpVerb = "post") + OutputBinding<String> payload, + final ExecutionContext context) +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. 
++Here's the _function.json_ file for `daprInvoke`: ++```json +{ + "bindings": + { + "type": "daprInvoke", + "direction": "out", + "appId": "{appId}", + "methodName": "{methodName}", + "httpVerb": "post", + "name": "payload" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context, req) { + context.log("Node HTTP trigger function processed a request."); + context.bindings.output = { body: req.body }; + context.done(null); +}; +``` ++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprInvoke`: ++```json +{ + "bindings": + { + "type": "daprInvoke", + "direction": "out", + "appId": "{appId}", + "methodName": "{methodName}", + "httpVerb": "post", + "name": "payload" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++In code: ++```powershell +using namespace System.Net ++# Input bindings are passed in via param block. +param($req, $TriggerMetadata) ++# Write to the Azure Functions log stream. +Write-Host "Powershell InvokeOutputBinding processed a request." ++$req_body = $req.Body ++$invoke_output_binding_req_body = @{ + "body" = $req_body +} ++# Associate values to output bindings by calling 'Push-OutputBinding'. +Push-OutputBinding -Name payload -Value $invoke_output_binding_req_body ++Push-OutputBinding -Name res -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $req_body +}) +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Invoke output binding, which uses the [v2 Python programming model](functions-reference-python.md). 
To use `daprInvoke` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="InvokeOutputBinding") +@app.route(route="invoke/{appId}/{methodName}", auth_level=dapp.auth_level.ANONYMOUS) +@app.dapr_invoke_output(arg_name = "payload", app_id = "{appId}", method_name = "{methodName}", http_verb = "post") +def main(req: func.HttpRequest, payload: func.Out[str] ) -> str: + # request body must be passed this way "{\"body\":{\"value\":{\"key\":\"some value\"}}}" to use the InvokeOutputBinding, all the data must be enclosed in body property. + logging.info('Python function processed a InvokeOutputBinding request from the Dapr Runtime.') ++ body = req.get_body() + logging.info(body) + if body is not None: + payload.set(body) + else: + logging.info('req body is none') + return 'ok' +``` ++ +# [Python v1](#tab/v1) ++The following example shows a Dapr Invoke output binding, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprInvoke`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": + { + "type": "daprInvoke", + "direction": "out", + "appId": "{appId}", + "methodName": "{methodName}", + "httpVerb": "post", + "name": "payload" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section explains these properties. 
++Here's the Python code: ++```python +def main(req: func.HttpRequest, + payload: func.Out[bytes]) -> func.HttpResponse: + logging.info('Python InvokeOutputBinding processed a request.') + data = req.params.get('data') +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprInvoke` attribute to define a Dapr invoke output binding, which supports these parameters: ++| Parameter | Description | Can be sent via Attribute | Can be sent via RequestBody | +| | -- | :: | :--: | +| **AppId** | The Dapr app ID to invoke. | :heavy_check_mark: | :heavy_check_mark: | +| **MethodName** | The method name of the app to invoke. | :heavy_check_mark: | :heavy_check_mark: | +| **HttpVerb** | _Optional._ HTTP verb to use of the app to invoke. Default is `POST`. | :heavy_check_mark: | :heavy_check_mark: | +| **Body** | _Required._ The body of the request. | :x: | :heavy_check_mark: | +++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprInvokeOutput` attribute to define a Dapr invoke output binding, which supports these parameters: ++| Parameter | Description | Can be sent via Attribute | Can be sent via RequestBody | +| | -- | :: | :--: | +| **AppId** | The Dapr app ID to invoke. | :heavy_check_mark: | :heavy_check_mark: | +| **MethodName** | The method name of the app to invoke. | :heavy_check_mark: | :heavy_check_mark: | +| **HttpVerb** | _Optional._ HTTP verb to use of the app to invoke. Default is `POST`. | :heavy_check_mark: | :heavy_check_mark: | +| **Body** | _Required._ The body of the request. | :x: | :heavy_check_mark: | ++++++## Annotations ++The `DaprInvokeOutput` annotation allows you to have your function invoke and listen to an output binding. 
++| Element | Description | Can be sent via Attribute | Can be sent via RequestBody | +| - | -- | :: | :--: | +| **appId** | The app ID of the application involved in the invoke binding. | :heavy_check_mark: | :heavy_check_mark: | +| **methodName** | The name of the method variable. | :heavy_check_mark: | :heavy_check_mark: | +| **httpVerb** | Post or get. | :heavy_check_mark: | :heavy_check_mark: | +| **body** | _Required._ The body of the request. | :x: | :heavy_check_mark: | ++++## Configuration +++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +|**appId** | The app ID of the application involved in the invoke binding. | :heavy_check_mark: | :heavy_check_mark: | +|**methodName** | The name of the method variable. | :heavy_check_mark: | :heavy_check_mark: | +|**httpVerb** | Post or get. | :heavy_check_mark: | :heavy_check_mark: | +| **body** | _Required._ The body of the request. | :x: | :heavy_check_mark: | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_invoke_output` that you set in your Python code. ++|Property | Description| Can be sent via Attribute | Can be sent via RequestBody | +||| :: | :--: | +|**app_id** | The app ID of the application involved in the invoke binding. | :heavy_check_mark: | :heavy_check_mark: | +|**method_name** | The name of the method variable. | :heavy_check_mark: | :heavy_check_mark: | +|**http_verb** | Set to `post` or `get`. | :heavy_check_mark: | :heavy_check_mark: | +| **body** | _Required._ The body of the request. | :x: | :heavy_check_mark: | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the function.json file. 
++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +|**appId** | The app ID of the application involved in the invoke binding. | :heavy_check_mark: | :heavy_check_mark: | +|**methodName** | The name of the method variable. | :heavy_check_mark: | :heavy_check_mark: | +|**httpVerb** | Post or get. | :heavy_check_mark: | :heavy_check_mark: | +| **body** | _Required._ The body of the request. | :x: | :heavy_check_mark: | +++++If properties are defined in both Attributes and `RequestBody`, priority is given to data provided in `RequestBody`. ++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr service invocation output binding, learn more about [how to use Dapr service invocation in the official Dapr documentation](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/). +++# [Python v2](#tab/v2) ++To use the `daprInvoke` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the service invocation components. ++++++## Next steps ++[Learn more about Dapr service invocation.](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/) |
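Review bot: the Java sample sets `authLevel = AuthorizationLevel.ANONYMOUS` and the Python v2 sample `auth_level=dapp.auth_level.ANONYMOUS` on a route of `invoke/{appId}/{methodName}` that forwards the request body to whatever `appId`/`methodName` the caller names, so the function becomes an unauthenticated proxy into every Dapr app reachable from the sidecar; the C# sample uses `AuthorizationLevel.Function`. Suggest function-level auth in all samples and a sentence in Usage stating that `appId` and `methodName` are caller-controlled when bound from the route. The Python v2 line is also broken as written: `dapp` is never defined, and the enum is `func.AuthLevel.ANONYMOUS`. Other defects in this hunk: the JavaScript sample assigns `context.bindings.output` while its `function.json` names the binding `"name": "payload"`, so nothing is sent, and it calls `context.done(null)` inside an `async` function; the PowerShell sample pushes to a `res` binding that the shown `function.json` does not declare; the Python v1 code has no imports, never sets `payload`, and returns nothing although it is typed `-> func.HttpResponse`; the Java example has no method body; the `bindings` objects should be arrays; the Python v2 configuration table says `@dapp.dapr_invoke_output`; "HTTP verb to use of the app to invoke" and "allows you to have your function invoke and listen to an output binding" need rewording; and the Usage steps repeat `requirements.text`, `local.setting.json` and the `.\requirements.txt` path in a `bash` block.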
azure-functions | Functions Bindings Dapr Output Publish | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-output-publish.md | + + Title: Dapr Publish output binding for Azure Functions +description: Learn how to provide Dapr Publish output binding data using Azure Functions. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Publish output binding for Azure Functions +++The Dapr publish output binding allows you to publish a message to a Dapr topic during a function execution. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: +++# [In-process](#tab/in-process) ++The following example demonstrates using a Dapr publish output binding to perform a Dapr publish operation to a pub/sub component and topic. ++```csharp +[FunctionName("PublishOutputBinding")] +public static void Run( + [HttpTrigger(AuthorizationLevel.Function, "post", Route = "topic/{topicName}")] HttpRequest req, + [DaprPublish(PubSubName = "%PubSubName%", Topic = "{topicName}")] out DaprPubSubEvent pubSubEvent, + ILogger log) +{ + string requestBody = new StreamReader(req.Body).ReadToEnd(); + pubSubEvent = new DaprPubSubEvent(requestBody); +} +``` ++# [Isolated process](#tab/isolated-process) ++More samples for the Dapr output publish binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-dapr-extension/blob/master/samples/dotnet-isolated-azurefunction/OutputBinding). 
+++++++The following example creates a `"TransferEventBetweenTopics"` function using the `DaprPublishOutput` binding with an [`DaprTopicTrigger`](./functions-bindings-dapr-trigger-topic.md): +++```java +@FunctionName("TransferEventBetweenTopics") +public String run( + @DaprTopicTrigger( + pubSubName = "%PubSubName%", + topic = "A") + String request, + @DaprPublishOutput( + pubSubName = "%PubSubName%", + topic = "B") + OutputBinding<String> payload, + final ExecutionContext context) throws JsonProcessingException { + context.getLogger().info("Java function processed a TransferEventBetweenTopics request from the Dapr Runtime."); +} +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. ++Here's the _function.json_ file for `daprPublish`: ++```json +{ + "bindings": + { + "type": "daprPublish", + "direction": "out", + "pubsubname": "messagebus", + "topic": "{topicName}", + "name": "payload" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context, req) { + context.log("Node HTTP trigger function processed a request."); + context.bindings.payload = { payload: req.body }; + context.done(null); +}; +``` ++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprPublish`: ++```json +{ + "bindings": + { + "type": "daprPublish", + "direction": "out", + "name": "pubEvent", + "pubsubname": "%PubSubName%", + "topic": "B" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. 
++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++# Example to use Dapr Service Invocation Trigger and Dapr State Output binding to persist a new state into statestore +param ( + $subEvent +) ++Write-Host "PowerShell function processed a TransferEventBetweenTopics request from the Dapr Runtime." ++# Convert the object to a JSON-formatted string with ConvertTo-Json +$jsonString = $subEvent["data"] ++$messageFromTopicA = "Transfer from Topic A: $jsonString".Trim() ++$publish_output_binding_req_body = @{ + "payload" = $messageFromTopicA +} ++# Associate values to output bindings by calling 'Push-OutputBinding'. +Push-OutputBinding -Name pubEvent -Value $publish_output_binding_req_body +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Publish output binding, which uses the [v2 Python programming model](functions-reference-python.md). To use `daprPublish` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="TransferEventBetweenTopics") +@app.dapr_topic_trigger(arg_name="subEvent", pub_sub_name="%PubSubName%", topic="A", route="A") +@app.dapr_publish_output(arg_name="pubEvent", pub_sub_name="%PubSubName%", topic="B") +def main(subEvent, pubEvent: func.Out[bytes]) -> None: + logging.info('Python function processed a TransferEventBetweenTopics request from the Dapr Runtime.') + subEvent_json = json.loads(subEvent) + payload = "Transfer from Topic A: " + str(subEvent_json["data"]) + pubEvent.set(json.dumps({"payload": payload}).encode('utf-8')) +``` ++ +# [Python v1](#tab/v1) ++The following example shows a Dapr Publish output binding, which uses the [v1 Python programming model](functions-reference-python.md). 
++Here's the _function.json_ file for `daprPublish`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": + { + "type": "daprPublish", + "direction": "out", + "name": "pubEvent", + "pubsubname": "messagebus", + "topic": "B" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the Python code: ++```python +def main(subEvent, + pubEvent: func.Out[bytes]) -> None: + logging.info('Python function processed a TransferEventBetweenTopics request from the Dapr Runtime.') + subEvent_json = json.loads(subEvent) + payload = "Transfer from Topic A: " + str(subEvent_json["data"]) + pubEvent.set(json.dumps({"payload": payload })) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprPublish` to define a Dapr publish output binding, which supports these parameters: ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +| **PubSubName** | The name of the Dapr pub/sub to send the message. | :heavy_check_mark: | :heavy_check_mark: | +| **Topic** | The name of the Dapr topic to send the message. | :heavy_check_mark: | :heavy_check_mark: | +| **Payload** | _Required._ The message being published. | :x: | :heavy_check_mark: | ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprPublish Output` to define a Dapr publish output binding, which supports these parameters: ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +| **PubSubName** | The name of the Dapr pub/sub to send the message. | :heavy_check_mark: | :heavy_check_mark: | +| **Topic** | The name of the Dapr topic to send the message. | :heavy_check_mark: | :heavy_check_mark: | +| **Payload** | _Required._ The message being published. 
| :x: | :heavy_check_mark: | +++++++## Annotations ++The `DaprPublishOutput` annotation allows you to have a function access a published message. ++| Element | Description | Can be sent via Attribute | Can be sent via RequestBody | +| --| -- | :: | :--: | +| **pubSubName** | The name of the Dapr pub/sub to send the message. | :heavy_check_mark: | :heavy_check_mark: | +| **topic** | The name of the Dapr topic to send the message. | :heavy_check_mark: | :heavy_check_mark: | +| **payload** | _Required._ The message being published. | :x: | :heavy_check_mark: | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the _function.json_ file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +|**pubsubname** | The name of the publisher component service. | :heavy_check_mark: | :heavy_check_mark: | +|**topic** | The name/identifier of the publisher topic. | :heavy_check_mark: | :heavy_check_mark: | +| **payload** | _Required._ The message being published. | :x: | :heavy_check_mark: | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_publish_output` that you set in your Python code. ++|Property | Description| Can be sent via Attribute | Can be sent via RequestBody | +||| :: | :--: | +|**pub_sub_name** | The name of the publisher event. | :heavy_check_mark: | :heavy_check_mark: | +|**topic** | The publisher topic name/identifier. | :heavy_check_mark: | :heavy_check_mark: | +| **payload** | _Required._ The message being published. | :x: | :heavy_check_mark: | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the _function.json_ file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +|**pubsubname** | The name of the publisher component service. 
| :heavy_check_mark: | :heavy_check_mark: | +|**topic** | The name/identifier of the publisher topic. | :heavy_check_mark: | :heavy_check_mark: | +| **payload** | _Required._ The message being published. | :x: | :heavy_check_mark: | +++++If properties are defined in both Attributes and `RequestBody`, priority is given to data provided in `RequestBody`. ++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr publish output binding, start by setting up a Dapr pub/sub component. You can learn more about which component to use and how to set it up in the official Dapr documentation. ++- [Dapr pub/sub component specs](https://docs.dapr.io/reference/components-reference/supported-pubsub/) +- [How to: Publish a message and subscribe to a topic](https://docs.dapr.io/developing-applications/building-blocks/pubsub/howto-publish-subscribe/) +++# [Python v2](#tab/v2) ++To use the `daprPublish` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the output pub/sub component. +++++## Next steps ++[Learn more about Dapr publish and subscribe.](https://docs.dapr.io/developing-applications/building-blocks/pubsub/) + |
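Review bot: The Java `TransferEventBetweenTopics` sample will not compile and publishes nothing: `public String run(...)` has no `return` statement and the `OutputBinding<String> payload` parameter is never assigned, so the body needs something like `payload.setValue(request); return request;`, mirroring the `product.setValue(payload); return payload;` pattern in the companion functions-bindings-dapr-output.md change. In the same row, the PowerShell sample's comments describe a different function: `# Example to use Dapr Service Invocation Trigger and Dapr State Output binding to persist a new state into statestore` and `# Convert the object to a JSON-formatted string with ConvertTo-Json` sit above code that reads `$subEvent["data"]` from a topic trigger and pushes to the `pubEvent` publish binding without ever calling ConvertTo-Json; reword both to describe the topic A to topic B transfer. The Python v1 sample declares `pubEvent: func.Out[bytes]` but calls `pubEvent.set(json.dumps(...))` with a `str`, and omits the `logging`, `json` and `azure.functions` imports the v2 sample has.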
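Review bot: Several identifier typos in the Attributes, Configuration and Usage sections point readers at names that do not exist: the isolated-worker attribute is written `DaprPublish Output` with a stray space (the Annotations section and the Java sample use `DaprPublishOutput`), the Python v2 configuration table is introduced as being for `@dapp.dapr_publish_output` while the sample uses `@app.dapr_publish_output`, and the setup steps name `requirements.text` and `local.setting.json` where the files are `requirements.txt` (as the following `pip install -r .\requirements.txt` already uses) and `local.settings.json`. The `pip install` line also uses a Windows backslash path inside a `bash` fence; `pip install -r requirements.txt` works in both shells. Lastly, `"PYTHON_ISOLATE_WORKER_DEPENDENCIES":1` is shown as a bare key with a numeric value; entries under `Values` in local.settings.json must be strings, so show it as `"PYTHON_ISOLATE_WORKER_DEPENDENCIES": "1"` inside the `Values` object.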
azure-functions | Functions Bindings Dapr Output State | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-output-state.md | + + Title: Dapr State output binding for Azure Functions +description: Learn how to provide Dapr State output binding data during a function execution in Azure Functions. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr State output binding for Azure Functions +++The Dapr state output binding allows you to save a value to a Dapr state during a function execution. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: ++ ++# [In-process](#tab/in-process) ++The following example demonstrates using the Dapr state output binding to persist a new state into the state store. ++```csharp +[FunctionName("StateOutputBinding")] +public static async Task<IActionResult> Run( + [HttpTrigger(AuthorizationLevel.Function, "post", Route = "state/{key}")] HttpRequest req, + [DaprState("statestore", Key = "{key}")] IAsyncCollector<string> state, + ILogger log) +{ + log.LogInformation("C# HTTP trigger function processed a request."); ++ string requestBody = await new StreamReader(req.Body).ReadToEndAsync(); + await state.AddAsync(requestBody); ++ return new OkResult(); +} +``` ++# [Isolated process](#tab/isolated-process) ++More samples for the Dapr output state binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-dapr-extension/blob/master/samples/dotnet-isolated-azurefunction/OutputBinding). 
+++++++The following example creates a `"CreateNewOrderHttpTrigger"` function using the `DaprStateOutput` binding with an `HttpTrigger`: +++```java +@FunctionName("CreateNewOrderHttpTrigger") +public String run( + @HttpTrigger( + name = "req", + methods = {HttpMethod.POST}, + authLevel = AuthorizationLevel.ANONYMOUS) + HttpRequestMessage<Optional<String>> request, + @DaprStateOutput( + stateStore = "%StateStoreName%", + key = "product") + OutputBinding<String> product, + final ExecutionContext context) { + context.getLogger().info("Java HTTP trigger (CreateNewOrderHttpTrigger) processed a request."); +} +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. ++Here's the _function.json_ file for `daprState` output: ++```json +{ + "bindings": + { + "type": "daprState", + "direction": "out", + "name": "dapr", + "stateStore": "statestore", + "key": "{key}", + "daprAddress": "%daprAddress%" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context, req) { + context.log('JavaScript HTTP trigger function processed a request.'); ++ context.bindings.dapr = { + // stateStore: 'statestore-if-not-in-function.json' + // key: 'key-if-not-in-function.json' + value: req.body + }; +}; +``` ++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. 
++Here's the _function.json_ file for `daprState` output: ++```json +{ + "bindings": + { + "type": "daprState", + "stateStore": "%StateStoreName%", + "direction": "out", + "name": "order", + "key": "order" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++param ( + $payload +) ++# C# function processed a CreateNewOrder request from the Dapr Runtime. +Write-Host "PowerShell function processed a CreateNewOrder request from the Dapr Runtime." ++# Payload must be of the format { "data": { "value": "some value" } } ++# Convert the object to a JSON-formatted string with ConvertTo-Json +$jsonString = $payload| ConvertTo-Json ++# Associate values to output bindings by calling 'Push-OutputBinding'. +Push-OutputBinding -Name order -Value $payload["data"] +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr State output binding, which uses the [v2 Python programming model](functions-reference-python.md). 
To use `daprState` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="HttpTriggerFunc") +@app.route(route="req", auth_level=dapp.auth_level.ANONYMOUS) +@app.dapr_state_output(arg_name="state", state_store="statestore", key="newOrder") +def main(req: func.HttpRequest, state: func.Out[str] ) -> str: + # request body must be passed this way '{\"value\": { \"key\": \"some value\" } }' + body = req.get_body() + if body is not None: + state.set(body.decode('utf-8')) + logging.info(body.decode('utf-8')) + else: + logging.info('req body is none') + return 'ok' +``` ++# [Python v1](#tab/v1) ++The following example shows a Dapr State output binding, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprState`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": + { + "type": "daprState", + "stateStore": "%StateStoreName%", + "direction": "out", + "name": "order", + "key": "order" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main(payload, + order: func.Out[str]) -> None: + logging.info('Python function processed a CreateNewOrder request from the Dapr Runtime.') + payload_json = json.loads(payload) + logging.info(payload_json["data"]) + order.set(json.dumps(payload_json["data"])) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprState` to define a Dapr state output binding, which supports these parameters: ++| Parameter | Description | Can be sent via Attribute | Can be sent via RequestBody | +| | -- | :: | :--: | +| **StateStore** | The name of the state store to save state. 
| :heavy_check_mark: | :x: | +| **Key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: | +| **Value** | _Required._ The value being stored. | :x: | :heavy_check_mark: | ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprStateOutput` to define a Dapr state output binding, which supports these parameters: ++| Parameter | Description | Can be sent via Attribute | Can be sent via RequestBody | +| | -- | :: | :--: | +| **StateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: | +| **Key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: | +| **Value** | _Required._ The value being stored. | :x: | :heavy_check_mark: | +++## Annotations ++The `DaprStateOutput` annotation allows you to function access a state store. ++| Element | Description | Can be sent via Attribute | Can be sent via RequestBody | +| - | -- | :: | :--: | +| **stateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: | +| **key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: | +| **value** | _Required._ The value being stored. | :x: | :heavy_check_mark: | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the _function.json_ file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +| **stateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: | +| **key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: | +| **value** | _Required._ The value being stored. 
| :x: | :heavy_check_mark: | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_state_output` that you set in your Python code. ++|Property | Description| Can be sent via Attribute | Can be sent via RequestBody | +||| :: | :--: | +| **stateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: | +| **key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: | +| **value** | _Required._ The value being stored. | :x: | :heavy_check_mark: | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the _function.json_ file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +| **stateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: | +| **key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: | +| **value** | _Required._ The value being stored. | :x: | :heavy_check_mark: | +++++If properties are defined in both Attributes and `RequestBody`, priority is given to data provided in `RequestBody`. ++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr state output binding, start by setting up a Dapr state store component. You can learn more about which component to use and how to set it up in the official Dapr documentation. ++- [Dapr state store component specs](https://docs.dapr.io/reference/components-reference/supported-state-stores/) +- [How to: Save state](https://docs.dapr.io/developing-applications/building-blocks/state-management/howto-get-save-state/) +++# [Python v2](#tab/v2) ++To use the `daprState` in Python v2, set up your project with the correct dependencies. ++1. 
[Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the state store. +++++## Next steps ++[Learn more about Dapr state management.](https://docs.dapr.io/developing-applications/building-blocks/state-management/) |
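Review bot: The Python v2 sample fails at import time: `@app.route(route="req", auth_level=dapp.auth_level.ANONYMOUS)` references `dapp`, which is never defined (the app object is `app`), and the enum lives at `func.AuthLevel`, so the decorator should read `auth_level=func.AuthLevel.ANONYMOUS`. Both this sample and the Java `CreateNewOrderHttpTrigger` sample (`authLevel = AuthorizationLevel.ANONYMOUS`) also expose an unauthenticated HTTP endpoint that writes the raw request body into the state store without validation; the in-process C# sample uses `AuthorizationLevel.Function`, and the other samples should default to the same key-protected level and check that the body has the `{"value": ...}` shape the comment promises before storing it. The Java sample additionally declares `public String run(...)` without a `return` and never calls `product.setValue(...)`, so it neither compiles nor writes state.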
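Review bot: The PowerShell sample carries leftovers that should be cleaned up: the comment `# C# function processed a CreateNewOrder request from the Dapr Runtime.` is in a PowerShell file, `$jsonString = $payload| ConvertTo-Json` is assigned but never used (the binding receives `$payload["data"]` directly), and the `using namespace Microsoft.Azure.WebJobs...` lines are not used by anything in the script. The JavaScript function.json also sets `"daprAddress": "%daprAddress%"`, a property that none of the Configuration tables document, so either document it or drop it from the sample. In the Annotations section, "allows you to function access a state store" should read "allows a function to access a state store", and the Python v2 table is introduced as being for `@dapp.dapr_state_output` while the sample uses `@app.dapr_state_output`. The Usage steps repeat the `requirements.text` and `local.setting.json` typos (`requirements.txt`, `local.settings.json`) and the numeric `"PYTHON_ISOLATE_WORKER_DEPENDENCIES":1`, which must be the string `"1"` inside `Values`.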
azure-functions | Functions Bindings Dapr Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-output.md | + + Title: Dapr Binding output binding for Azure Functions +description: Learn how to provide Dapr Binding output binding data during a function execution in Azure Functions. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Binding output binding for Azure Functions +++The Dapr output binding allows you to send a value to a Dapr output binding during a function execution. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: ++ ++# [In-process](#tab/in-process) ++The following example demonstrates using a Dapr service invocation trigger and a Dapr output binding to read and process a binding request. ++```csharp +[FunctionName("SendMessageToKafka")] +public static async Task Run( + [DaprServiceInvocationTrigger] JObject payload, + [DaprBinding(BindingName = "%KafkaBindingName%", Operation = "create")] IAsyncCollector<object> messages, + ILogger log) +{ + log.LogInformation("C# function processed a SendMessageToKafka request."); + await messages.AddAsync(payload); +} +``` ++# [Isolated process](#tab/isolated-process) ++More samples for the Dapr output invoke binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-dapr-extension/blob/master/samples/dotnet-isolated-azurefunction/OutputBinding). 
+++++++The following example creates a `"SendMessagetoKafka"` function using the `DaprBindingOutput` binding with the [`DaprServiceInvocationTrigger`](./functions-bindings-dapr-output.md): +++```java +@FunctionName("SendMessageToKafka") +public String run( + @DaprServiceInvocationTrigger( + methodName = "SendMessageToKafka") + String payload, + @DaprBindingOutput( + bindingName = "%KafkaBindingName%", + operation = "create") + OutputBinding<String> product, + final ExecutionContext context) { + context.getLogger().info("Java function processed a SendMessageToKafka request."); + product.setValue(payload); ++ return payload; +} +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. ++Here's the _function.json_ file for `daprBinding`: ++```json +{ + "bindings": + { + "type": "daprBinding", + "direction": "out", + "bindingName": "%KafkaBindingName%", + "operation": "create", + "name": "messages" + } +} +``` +For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context) { + context.log("Node HTTP trigger function processed a request."); + context.bindings.messages = { "data": context.bindings.args }; +}; +``` ++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprBinding`: ++```json +{ + "bindings": + { + "type": "daprBinding", + "direction": "out", + "bindingName": "%KafkaBindingName%", + "operation": "create", + "name": "messages" + } +} +``` +For more information about *function.json* file properties, see the [Configuration](#configuration) section. 
++In code: ++```powershell +using namespace System.Net ++# Input bindings are passed in via param block. +param($req, $TriggerMetadata) ++Write-Host "Powershell SendMessageToKafka processed a request." ++$invoke_output_binding_req_body = @{ + "data" = $req +} ++# Associate values to output bindings by calling 'Push-OutputBinding'. +Push-OutputBinding -Name messages -Value $invoke_output_binding_req_body +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Binding output binding, which uses the [v2 Python programming model](functions-reference-python.md). To use `@dapp.dapr_binding_output` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="SendMessageToKafka") +@app.dapr_service_invocation_trigger(arg_name="payload", method_name="SendMessageToKafka") +@app.dapr_binding_output(arg_name="messages", binding_name="%KafkaBindingName%", operation="create") +def main(payload: str, messages: func.Out[bytes]) -> None: + logging.info('Python processed a SendMessageToKafka request from the Dapr Runtime.') + messages.set(json.dumps({"data": payload}).encode('utf-8')) +``` ++# [Python v1](#tab/v1) ++The following example shows a Dapr Binding output binding, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprBinding`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": + { + "type": "daprBinding", + "direction": "out", + "bindingName": "%KafkaBindingName%", + "operation": "create", + "name": "messages" + } +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. 
++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main(args, messages: func.Out[bytes]) -> None: + logging.info('Python processed a SendMessageToKafka request from the Dapr Runtime.') + messages.set(json.dumps({"data": args})) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprBinding` to define a Dapr binding output binding, which supports these parameters: ++| Parameter | Description | Can be sent via Attribute | Can be sent via RequestBody | +| | -- | :: | :--: | +| **BindingName** | The name of the Dapr binding. | :heavy_check_mark: | :heavy_check_mark: | +| **Operation** | The configured binding operation. | :heavy_check_mark: | :heavy_check_mark: | +| **Metadata** | The metadata namespace. | :x: | :heavy_check_mark: | +| **Data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: | +++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprBindingOutput` to define a Dapr binding output binding, which supports these parameters: ++| Parameter | Description | Can be sent via Attribute | Can be sent via RequestBody | +| | -- | :: | :--: | +| **BindingName** | The name of the Dapr binding. | :heavy_check_mark: | :heavy_check_mark: | +| **Operation** | The configured binding operation. | :heavy_check_mark: | :heavy_check_mark: | +| **Metadata** | The metadata namespace. | :x: | :heavy_check_mark: | +| **Data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: | ++++++## Annotations ++The `DaprBindingOutput` annotation allows you to create a function that sends an output binding. ++| Element | Description | Can be sent via Attribute | Can be sent via RequestBody | +| - | -- | :: | :--: | +| **bindingName** | The name of the Dapr binding. 
| :heavy_check_mark: | :heavy_check_mark: | +| **output** | The configured binding operation. | :heavy_check_mark: | :heavy_check_mark: | +| **metadata** |The metadata namespace. | :x: | :heavy_check_mark: | +| **data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: | ++++## Configuration +++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +|**bindingName** | The name of the binding. | :heavy_check_mark: | :heavy_check_mark: | +|**operation** | The binding operation. | :heavy_check_mark: | :heavy_check_mark: | +| **metadata** | The metadata namespace. | :x: | :heavy_check_mark: | +| **data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_binding_output` that you set in your Python code. ++|Property | Description| Can be sent via Attribute | Can be sent via RequestBody | +||| :: | :--: | +|**binding_name** | The name of the binding event. | :heavy_check_mark: | :heavy_check_mark: | +|**operation** | The binding operation name/identifier. | :heavy_check_mark: | :heavy_check_mark: | +| **metadata** | The metadata namespace. | :x: | :heavy_check_mark: | +| **data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody | +|--|| :: | :--: | +|**bindingName** | The name of the binding. | :heavy_check_mark: | :heavy_check_mark: | +|**operation** | The binding operation. | :heavy_check_mark: | :heavy_check_mark: | +| **metadata** | The metadata namespace. 
| :x: | :heavy_check_mark: | +| **data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: | +++++If properties are defined in both Attributes and `RequestBody`, priority is given to data provided in `RequestBody`. ++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr output binding, start by setting up a Dapr output binding component. You can learn more about which component to use and how to set it up in the official Dapr documentation. ++- [Dapr output binding component specs](https://docs.dapr.io/reference/components-reference/supported-bindings/) +- [How to: Use output bindings to interface with external resources](https://docs.dapr.io/developing-applications/building-blocks/bindings/howto-bindings/) +++# [Python v2](#tab/v2) ++To use the `daprBinding` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the output binding component. ++++++## Next steps ++[Learn more about Dapr service invocation.](https://docs.dapr.io/developing-applications/building-blocks/bindings/) |
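Review bot: The JavaScript sample cannot be invoked as written: `context.bindings.messages = { "data": context.bindings.args };` reads `context.bindings.args`, but its function.json declares only the `messages` output binding and no trigger, so the function has no entry point and `args` is always undefined. Add a `daprServiceInvocationTrigger` binding named `args` (the Python v1 sample's `def main(args, messages: func.Out[bytes])` shows the intended pairing) and take the payload from it. Related slips in this row: the Java intro names the function `"SendMessagetoKafka"` while the code says `@FunctionName("SendMessageToKafka")`, the `DaprServiceInvocationTrigger` link points at `./functions-bindings-dapr-output.md` (this same article) instead of the trigger article, and the Python v1 sample declares `messages: func.Out[bytes]` but passes the `str` from `json.dumps(...)` where the v2 sample correctly appends `.encode('utf-8')`.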
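Review bot: The Annotations table labels the operation element `**output**` while the Java sample and every other table use `operation` (`operation = "create"`); rename the row. The Python v2 Configuration table is introduced as being for `@dapp.dapr_binding_output` while the sample uses `@app.dapr_binding_output`, and the Next steps link text says "Learn more about Dapr service invocation" but points at the Dapr bindings building-block page, so the text should say "Dapr bindings". The Usage steps repeat the `requirements.text` and `local.setting.json` typos (`requirements.txt`, `local.settings.json`), the Windows path `.\requirements.txt` inside a `bash` fence, and the numeric `"PYTHON_ISOLATE_WORKER_DEPENDENCIES":1`, which must be the string `"1"` inside the `Values` object of local.settings.json.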
azure-functions | Functions Bindings Dapr Trigger Svc Invoke | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-trigger-svc-invoke.md | + + Title: Dapr Service Invocation trigger for Azure Functions +description: Learn how to run Azure Functions as Dapr service invocation data changes. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Service Invocation trigger for Azure Functions +++Azure Functions can be triggered on a Dapr service invocation using the following Dapr events. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: ++ ++# [In-process](#tab/in-process) ++```csharp +[FunctionName("CreateNewOrder")] +public static void Run( + [DaprServiceInvocationTrigger] JObject payload, + [DaprState("%StateStoreName%", Key = "order")] out JToken order, + ILogger log) +{ + log.LogInformation("C# function processed a CreateNewOrder request from the Dapr Runtime."); ++ // payload must be of the format { "data": { "value": "some value" } } + order = payload["data"]; +} +``` ++# [Isolated process](#tab/isolated-process) ++ ++++++Here's the Java code for the Dapr Service Invocation trigger: ++```java +@FunctionName("CreateNewOrder") +public String run( + @DaprServiceInvocationTrigger( + methodName = "CreateNewOrder") +) +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. 
++Here's the _function.json_ file for `daprServiceInvocationTrigger`: ++```json +{ + "bindings": [ + { + "type": "daprServiceInvocationTrigger", + "name": "payload" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context) { + context.log("Node function processed a RetrieveOrder request from the Dapr Runtime."); ++ // print the fetched state value + context.log(context.bindings.data); +}; +``` +++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprServiceInvocationTrigger`: ++```json +{ + "bindings": [ + { + "type": "daprServiceInvocationTrigger", + "name": "payload", + "direction": "in" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++param ( + $payload +) ++# C# function processed a CreateNewOrder request from the Dapr Runtime. +Write-Host "PowerShell function processed a CreateNewOrder request from the Dapr Runtime." ++# Payload must be of the format { "data": { "value": "some value" } } ++# Convert the object to a JSON-formatted string with ConvertTo-Json +$jsonString = $payload| ConvertTo-Json ++# Associate values to output bindings by calling 'Push-OutputBinding'. +Push-OutputBinding -Name order -Value $payload["data"] +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Service Invocation trigger, which uses the [v2 Python programming model](functions-reference-python.md). 
To use the `daprServiceInvocationTrigger` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="RetrieveOrder") +@app.dapr_service_invocation_trigger(arg_name="payload", method_name="RetrieveOrder") +@app.dapr_state_input(arg_name="data", state_store="statestore", key="order") +def main(payload, data: str) : + # Function should be invoked with this command: dapr invoke --app-id functionapp --method RetrieveOrder --data '{}' + logging.info('Python function processed a RetrieveOrder request from the Dapr Runtime.') + logging.info(data) +``` ++ +# [Python v1](#tab/v1) ++The following example shows a Dapr Service Invocation trigger, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprServiceInvocationTrigger`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "type": "daprServiceInvocationTrigger", + "name": "payload", + "direction": "in" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main(payload, data: str) -> None: + logging.info('Python function processed a RetrieveOrder request from the Dapr Runtime.') + logging.info(data) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprServiceInvocationTrigger` to trigger a Dapr service invocation binding, which supports the following properties. ++| Parameter | Description | +| | -- | +| **MethodName** | _Optional._ The name of the method the Dapr caller should use. If not specified, the name of the function is used as the method name. 
| ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprServiceInvocationTrigger` to define a Dapr service invocation trigger, which supports these parameters: ++| Parameter | Description | +| | -- | +| **MethodName** | _Optional._ The name of the method the Dapr caller should use. If not specified, the name of the function is used as the method name. | ++++++## Annotations ++The `DaprServiceInvocationTrigger` annotation allows you to create a function that gets invoked by Dapr runtime. ++| Element | Description | +| - | -- | +| **methodName** | The method name. | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| +|--|| +|**type** | Must be set to `daprServiceInvocationTrigger`.| +|**name** | The name of the variable that represents the Dapr data in function code. | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_service_invocation_trigger` that you set in your Python code. ++|Property | Description| +||| +|**method_name** | The name of the variable that represents the Dapr data. | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| +|--|| +|**type** | Must be set to `daprServiceInvocationTrigger`.| +|**name** | The name of the variable that represents the Dapr data in function code. | +++++See the [Example section](#example) for complete examples. ++## Usage ++To use a Dapr Service Invocation trigger, learn more about which components to use with the Service Invocation trigger and how to set them up in the official Dapr documentation. 
++- [Dapr component specs](https://docs.dapr.io/reference/components-reference/) +- [Dapr service invocation](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/) +++# [Python v2](#tab/v2) ++To use the `daprServiceInvocationTrigger` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the service invocation component. +++++## Next steps ++[Learn more about Dapr service invocation.](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/) |
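Review bot: The JavaScript sample reads the wrong binding: its function.json names the trigger `payload` (`"name": "payload"`) but the code logs `context.bindings.data`, which will be undefined; use `context.bindings.payload`. In the PowerShell sample, `Push-OutputBinding -Name order -Value $payload["data"]` writes to an `order` output binding that the accompanying function.json never declares, so the call fails at runtime; either add the `daprState` output binding to function.json or drop the line, and remove the stale `# C# function processed ...` comment and the unused `$jsonString` while there. The Python v1 sample has the same gap: `def main(payload, data: str)` takes a `data` argument but its function.json declares only the trigger, so the worker cannot bind it. The Java sample is a fragment (no parameter name, no body, no return). In Configuration, the decorator is misspelled `@dapp.dapr_service_invocation_trigger`, and `method_name` is described as "The name of the variable that represents the Dapr data", which is the description of `arg_name`; it should say it is the method name a Dapr caller invokes. In Usage, `requirements.text` should be `requirements.txt`, `local.setting.json` should be `local.settings.json`, `pip install -r .\requirements.txt` uses a Windows path separator inside a `bash` block, and `"PYTHON_ISOLATE_WORKER_DEPENDENCIES":1` belongs inside the `Values` object of local.settings.json. Finally, nothing on the page says which Dapr apps may invoke the method once the trigger exposes it through the sidecar; a sentence pointing readers to Dapr's service invocation access control policies would keep them from shipping an unintentionally open endpoint.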
azure-functions | Functions Bindings Dapr Trigger Topic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-trigger-topic.md | + + Title: Dapr Topic trigger for Azure Functions +description: Learn how to run Azure Functions as Dapr topic data changes. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Topic trigger for Azure Functions +++Azure Functions can be triggered on a Dapr topic subscription using the following Dapr events. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example ++++A C# function can be created using one of the following C# modes: +++# [In-process](#tab/in-process) ++```csharp +[FunctionName("TransferEventBetweenTopics")] +public static void Run( + [DaprTopicTrigger("%PubSubName%", Topic = "A")] CloudEvent subEvent, + [DaprPublish(PubSubName = "%PubSubName%", Topic = "B")] out DaprPubSubEvent pubEvent, + ILogger log) +{ + log.LogInformation("C# function processed a TransferEventBetweenTopics request from the Dapr Runtime."); +++ pubEvent = new DaprPubSubEvent("Transfer from Topic A: " + subEvent.Data); +} +``` ++ +# [Isolated process](#tab/isolated-process) +++++++Here's the Java code for subscribing to a topic using the Dapr Topic trigger: ++```java +@FunctionName("PrintTopicMessage") +public String run( + @DaprTopicTrigger( + pubSubName = "%PubSubName%", + topic = "B") + String payload, + final ExecutionContext context) throws JsonProcessingException { + Logger logger = context.getLogger(); + logger.info("Java function processed a PrintTopicMessage request from the Dapr Runtime."); +``` ++++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. 
++The following examples show Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. ++Here's the _function.json_ file for `daprTopicTrigger`: ++```json +{ + "bindings": [ + { + "type": "daprTopicTrigger", + "pubsubname": "messagebus", + "topic": "B", + "name": "subEvent" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code for the Dapr Topic trigger: ++```javascript +module.exports = async function (context) { + context.log("Node function processed a PrintTopicMessage request from the Dapr Runtime."); + context.log(`Topic B received a message: ${context.bindings.subEvent.data}.`); +}; +``` +++++The following examples show Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprTopicTrigger`: ++```json +{ + "bindings": [ + { + "type": "daprTopicTrigger", + "pubsubname": "%PubSubName%", + "topic": "B", + "name": "subEvent", + "direction": "in" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++param ( + $subEvent +) ++Write-Host "PowerShell function processed a PrintTopicMessage request from the Dapr Runtime." ++# Convert the object to a JSON-formatted string with ConvertTo-Json +$jsonString = $subEvent["data"] | ConvertTo-Json -Compress ++Write-Host "Topic B received a message: $jsonString" +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Topic trigger, which uses the [v2 Python programming model](functions-reference-python.md). 
To use the `daprTopicTrigger` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="PrintTopicMessage") +@app.dapr_topic_trigger(arg_name="subEvent", pub_sub_name="%PubSubName%", topic="B", route="B") +def main(subEvent) -> None: + logging.info('Python function processed a PrintTopicMessage request from the Dapr Runtime.') + subEvent_json = json.loads(subEvent) + logging.info("Topic B received a message: " + subEvent_json["data"]) +``` ++ +# [Python v1](#tab/v1) ++The following example shows a Dapr Topic trigger, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprTopicTrigger`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "type": "daprTopicTrigger", + "pubsubname": "messagebus", + "topic": "B", + "name": "subEvent", + "direction": "in" + } + ] +} +``` +For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main(subEvent) -> None: + logging.info('Python function processed a PrintTopicMessage request from the Dapr Runtime.') + subEvent_json = json.loads(subEvent) + logging.info("Topic B received a message: " + subEvent_json["data"]) +``` +++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprTopicTrigger` to trigger a Dapr pub/sub binding, which supports the following properties. ++| Parameter | Description | +| | -- | +| **PubSubName** | The name of the Dapr pub/sub. | +| **Topic** | The name of the Dapr topic. 
| ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprTopicTrigger` to define a Dapr topic trigger, which supports these parameters: ++| Parameter | Description | +| | -- | +| **PubSubName** | The name of the Dapr pub/sub. | +| **Topic** | The name of the Dapr topic. | ++++++## Annotations ++The `DaprTopicTrigger` annotation allows you to create a function that runs when a topic is received. ++| Element | Description | +| - | -- | +| **pubSubName** | The name of the Dapr pub/sub. | +| **topic** | The name of the Dapr topic. | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the _function.json_ file. ++|function.json property | Description| +|--|| +|**pubsubname** | The name of the Dapr pub/sub component type. | +|**topic** | Name of the topic. | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_topic_trigger` that you set in your Python code. ++|Property | Description | Can be sent via Attribute | Can be sent via RequestBody | +||-| :: | :--: | +|**pub_sub_name** | The name of the Dapr subscription component type. | :heavy_check_mark: | :x: | +|**topic** | The subscription topic. | :heavy_check_mark: | :x: | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the _function.json_ file. ++|function.json property | Description | Can be sent via Attribute | Can be sent via RequestBody | +|--|-| :: | :--: | +|**pubsubname** | The name of the Dapr subscription component type. | :heavy_check_mark: | :x: | +|**topic** | Name of the topic. | :heavy_check_mark: | :x: | +++See the [Example section](#example) for complete examples. ++## Usage +++To use a Dapr Topic trigger, start by setting up a Dapr pub/sub component. You can learn more about which component to use and how to set it up in the official Dapr documentation. 
++- [Dapr pub/sub component specs](https://docs.dapr.io/reference/components-reference/supported-pubsub/) +- [How to: Publish a message and subscribe to a topic](https://docs.dapr.io/developing-applications/building-blocks/pubsub/howto-publish-subscribe/) +++# [Python v2](#tab/v2) ++To use the `daprTopicTrigger` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the pub/sub component. +++++## Next steps ++[Learn more about Dapr publish and subscribe.](https://docs.dapr.io/developing-applications/building-blocks/pubsub/) |
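Review bot: The Java sample is left unterminated: `public String run(...) throws JsonProcessingException {` opens a body that never returns or closes, so it will not compile as shown; finish it with a return and closing brace, or trim it to the annotation like the other Java samples. The Python v2 decorator passes `route="B"`, but `route` appears nowhere in the Configuration table, which lists only `pub_sub_name` and `topic`; document it or drop it from the sample. The JavaScript function.json hard-codes `"pubsubname": "messagebus"` while the C#, PowerShell and Python v2 samples use `%PubSubName%`; pick one. Both Python samples do `"Topic B received a message: " + subEvent_json["data"]`, which raises TypeError whenever the published data is not a string; `json.dumps` or an f-string is safer. In Configuration, `@dapp.dapr_topic_trigger` is misspelled, the Python tables carry "Can be sent via Attribute / RequestBody" columns that do not apply to a trigger and use a malformed separator (`::`), and `pub_sub_name` is described as "the name of the Dapr subscription component type" where the other tables say pub/sub component. The Usage steps repeat the `requirements.text`, `local.setting.json` and `.\requirements.txt` typos from the sibling pages.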
azure-functions | Functions Bindings Dapr Trigger | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr-trigger.md | + + Title: Dapr Input Bindings trigger for Azure Functions +description: Learn how to run Azure Functions as Dapr input binding data changes. + Last updated : 10/11/2023+ms.devlang: csharp, java, javascript, powershell, python ++zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Input Bindings trigger for Azure Functions +++Azure Functions can be triggered on a Dapr input binding using the following Dapr events. ++For information on setup and configuration details of the Dapr extension, see the [Dapr extension overview](./functions-bindings-dapr.md). ++## Example +++A C# function can be created using one of the following C# modes: +++# [In-process](#tab/in-process) ++```csharp +[FunctionName("ConsumeMessageFromKafka")] +public static void Run( + // Note: the value of BindingName must match the binding name in components/kafka-bindings.yaml + [DaprBindingTrigger(BindingName = "%KafkaBindingName%")] JObject triggerData, + ILogger log) +{ + log.LogInformation("Hello from Kafka!"); + log.LogInformation($"Trigger data: {triggerData}"); +} +``` + +# [Isolated process](#tab/isolated-process) +++++++Here's the Java code for the Dapr Input Binding trigger: ++```java +@FunctionName("ConsumeMessageFromKafka") +public String run( + @DaprBindingTrigger( + bindingName = "%KafkaBindingName%") +) +``` +++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++The following example shows Dapr triggers in a _function.json_ file and JavaScript code that uses those bindings. 
++Here's the _function.json_ file for `daprBindingTrigger`: ++```json +{ + "bindings": [ + { + "type": "daprBindingTrigger", + "bindingName": "%KafkaBindingName%", + "name": "triggerData" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the JavaScript code: ++```javascript +module.exports = async function (context) { + context.log("Hello from Kafka!"); ++ context.log(`Trigger data: ${context.bindings.triggerData}`); +}; +``` ++++The following example shows Dapr triggers in a _function.json_ file and PowerShell code that uses those bindings. ++Here's the _function.json_ file for `daprBindingTrigger`: ++```json +{ + "bindings": [ + { + "type": "daprBindingTrigger", + "bindingName": "%KafkaBindingName%", + "name": "triggerData", + "direction": "in" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++In code: ++```powershell +using namespace System +using namespace Microsoft.Azure.WebJobs +using namespace Microsoft.Extensions.Logging +using namespace Microsoft.Azure.WebJobs.Extensions.Dapr +using namespace Newtonsoft.Json.Linq ++param ( + $triggerData +) ++Write-Host "PowerShell function processed a ConsumeMessageFromKafka request from the Dapr Runtime." ++$jsonString = $triggerData | ConvertTo-Json ++Write-Host "Trigger data: $jsonString" +``` ++++# [Python v2](#tab/v2) ++The following example shows a Dapr Input Binding trigger, which uses the [v2 Python programming model](functions-reference-python.md). 
To use the `daprBinding` in your Python function app code: ++```python +import logging +import json +import azure.functions as func ++app = func.FunctionApp() ++@app.function_name(name="ConsumeMessageFromKafka") +@app.dapr_binding_trigger(arg_name="triggerData", binding_name="%KafkaBindingName%") +def main(triggerData: str) -> None: + logging.info('Python function processed a ConsumeMessageFromKafka request from the Dapr Runtime.') + logging.info('Trigger data: ' + triggerData) +``` ++ +# [Python v1](#tab/v1) ++The following example shows a Dapr Input Binding trigger, which uses the [v1 Python programming model](functions-reference-python.md). ++Here's the _function.json_ file for `daprBindingTrigger`: ++```json +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "type": "daprBindingTrigger", + "bindingName": "sample-topic", + "name": "triggerData", + "direction": "in" + } + ] +} +``` ++For more information about *function.json* file properties, see the [Configuration](#configuration) section. ++Here's the Python code: ++```python +import logging +import json +import azure.functions as func ++def main(triggerData: str) -> None: + logging.info('Hello from Kafka!') + logging.info('Trigger data: ' + triggerData) +``` ++++++## Attributes ++# [In-process](#tab/in-process) ++In the [in-process model](./functions-dotnet-class-library.md), use the `DaprBindingTrigger` to trigger a Dapr input binding, which supports the following properties. ++| Parameter | Description | +| | -- | +| **BindingName** | The name of the Dapr trigger. If not specified, the name of the function is used as the trigger name. | ++# [Isolated process](#tab/isolated-process) ++In the [isolated worker model](./dotnet-isolated-process-guide.md), use the `DaprBindingTrigger` to define a Dapr binding trigger, which supports these parameters: ++| Parameter | Description | +| | -- | +| **BindingName** | The name of the Dapr trigger. 
If not specified, the name of the function is used as the trigger name. | ++++++## Annotations ++The `DaprBindingTrigger` annotation allows you to create a function that gets triggered by the binding component you created. ++| Element | Description | +| - | -- | +| **bindingName** | The name of the Dapr binding. | ++++## Configuration ++++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| +|--|| +|**bindingName** | The name of the binding. | ++++# [Python v2](#tab/v2) ++The following table explains the binding configuration properties for `@dapp.dapr_binding_trigger` that you set in your Python code. ++|Property | Description| +||| +|**binding_name** | The name of the binding. | ++# [Python v1](#tab/v1) ++The following table explains the binding configuration properties that you set in the function.json file. ++|function.json property | Description| +|--|| +|**bindingName** | The name of the binding. | +++++See the [Example section](#example) for complete examples. ++## Usage ++To use the Dapr Input Binding trigger, start by setting up a Dapr input binding component. You can learn more about which component to use and how to set it up in the official Dapr documentation. ++- [Dapr input binding component specs](https://docs.dapr.io/reference/components-reference/supported-bindings/) +- [How to: Trigger your application with input bindings](https://docs.dapr.io/developing-applications/building-blocks/bindings/howto-bindings/) +++# [Python v2](#tab/v2) ++To use the `daprBindingTrigger` in Python v2, set up your project with the correct dependencies. ++1. [Create and activate a virtual environment](https://learn.microsoft.com/azure/azure-functions/create-first-function-cli-python?tabs=macos%2Cbash%2Cazure-cli&pivots=python-mode-decorators#create-venv). ++1. In your `requirements.text` file, add the following line: ++ ```txt + azure-functions==1.18.0b3 + ``` ++1. 
In the terminal, install the Python library. ++ ```bash + pip install -r .\requirements.txt + ``` ++1. Modify your `local.setting.json` file with the following configuration: ++ ```json + "PYTHON_ISOLATE_WORKER_DEPENDENCIES":1 + ``` ++# [Python v1](#tab/v1) ++The Python v1 model requires no additional changes, aside from setting up the bindings component. ++++++## Next steps ++[Learn more about Dapr service invocation.](https://docs.dapr.io/developing-applications/building-blocks/bindings/) |
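Review bot: The Attributes and Configuration tables disagree about what `BindingName` is: Attributes says "The name of the Dapr trigger. If not specified, the name of the function is used as the trigger name", Configuration says "The name of the binding", and the C# sample's comment says the value must match the binding name in `components/kafka-bindings.yaml`; state once that it is the Dapr binding component name and whether it is optional. The Python v1 function.json uses `"bindingName": "sample-topic"`, which looks copied from the topic trigger page and does not match the `%KafkaBindingName%` used everywhere else. The Python v2 intro says "To use the `daprBinding` in your Python function app code"; that is the output binding's name and should read `daprBindingTrigger`. The Java sample is a fragment with no parameter name or body. The JavaScript sample interpolates `${context.bindings.triggerData}` directly, which prints `[object Object]` for a JSON payload; use `JSON.stringify`. Every sample logs the full trigger payload at Information level; since this data arrives from an external system such as Kafka, a note that it is untrusted input and may carry sensitive data belongs here before readers copy the pattern into production. The Next steps link text says "Dapr service invocation" but points at the bindings docs. Usage repeats the `requirements.text`, `local.setting.json` and `.\requirements.txt` typos, and the Configuration table misspells the decorator as `@dapp.dapr_binding_trigger`.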
azure-functions | Functions Bindings Dapr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-dapr.md | + + Title: Dapr Extension for Azure Functions +description: Learn to use the Dapr triggers and bindings in Azure Functions. + Last updated : 10/11/2023+zone_pivot_groups: programming-languages-set-functions-lang-workers +++# Dapr Extension for Azure Functions +++The Dapr Extension for Azure Functions is a set of tools and services that allow developers to easily integrate Azure Functions with the [Distributed Application Runtime (Dapr)](https://docs.dapr.io/) platform. ++Azure Functions is an event-driven compute service that provides a set of [triggers and bindings](./functions-triggers-bindings.md) to easily connect with other Azure services. Dapr provides a set of building blocks and best practices for building distributed applications, including microservices, state management, pub/sub messaging, and more. ++With the integration between Dapr and Functions, you can build functions that react to events from Dapr or external systems. 
++| Action | Direction | Type | +||--|| +| Trigger on a Dapr input binding | N/A | [daprBindingTrigger](./functions-bindings-dapr-trigger.md) | +| Trigger on a Dapr service invocation | N/A | [daprServiceInvocationTrigger](./functions-bindings-dapr-trigger-svc-invoke.md) | +| Trigger on a Dapr topic subscription | N/A | [daprTopicTrigger](./functions-bindings-dapr-trigger-topic.md) | +| Pull in Dapr state for an execution | In | [daprState](./functions-bindings-dapr-input-state.md) | +| Pull in Dapr secrets for an execution | In | [daprSecret](./functions-bindings-dapr-input-secret.md) | +| Save a value to a Dapr state | Out | [daprState](./functions-bindings-dapr-output-state.md) | +| Invoke another Dapr app | Out | [daprInvoke](./functions-bindings-dapr-output-invoke.md) | +|Publish a message to a Dapr topic | Out | [daprPublish](./functions-bindings-dapr-output-publish.md) | +| Send a value to a Dapr output binding | Out | [daprBinding](./functions-bindings-dapr-output.md) | +++## Install extension +The extension NuGet package you install depends on the C# mode [in-process](functions-dotnet-class-library.md) or [isolated worker process](dotnet-isolated-process-guide.md) you're using in your function app: ++# [In-process](#tab/in-process) ++This extension is available by installing the [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Dapr), version 0.17.0-preview01. ++Using the .NET CLI: ++```dotnetcli +dotnet add package Microsoft.Azure.WebJobs.Extensions.Dapr --prerelease +``` ++# [Isolated process](#tab/isolated-process) ++Add the extension to your project by installing the [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Dapr), version 0.17.0-preview01. 
++Using the .NET CLI: ++```dotnetcli +dotnet add package Microsoft.Azure.Functions.Worker.Extensions.Dapr --prerelease +``` ++++++## Install bundle ++> [!NOTE] +> The [Node.js v4 model for Azure Functions](functions-reference-node.md?pivots=nodejs-model-v4) isn't currently available for use with the Dapr extension during the preview. ++# [Preview Bundle v4.x](#tab/preview-bundle-v4x) ++You can add the preview extension by adding or replacing the following code in your `host.json` file: ++```json +{ + "version": "2.0", + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle.Preview", + "version": "[4.*, 5.0.0)" + } +} +``` +++++## Dapr enablement ++You can configure Dapr using various [arguments and annotations][dapr-args] based on the runtime context. You can configure Dapr for Azure Functions through two channels: ++- Infrastructure as Code (IaC) templates, as in Bicep or Azure Resource Manager (ARM) templates +- The Azure portal ++When using an IaC template, specify the following arguments in the `properties` section of the container app resource definition. ++# [Bicep](#tab/bicep1) ++```bicep +DaprConfig: { + enabled: true + appId: '${envResourceNamePrefix}-funcapp' + appPort: 3001 + httpReadBufferSize: '' + httpMaxRequestSize: '' + logLevel: '' + enableApiLogging: true +} +``` ++# [ARM](#tab/arm1) ++```json +"DaprConfig": { + "enabled": true, + "appId": "${envResourceNamePrefix}-funcapp", + "appPort": 3001, + "httpReadBufferSize": "", + "httpMaxRequestSize": "", + "logLevel": "", + "enableApiLogging": true +} +``` +++The above Dapr configuration values are considered application-scope changes. When you run a container app in multiple-revision mode, changes to these settings won't create a new revision. Instead, all existing revisions are restarted to ensure they're configured with the most up-to-date values. 
++When configuring Dapr using the Azure portal, navigate to your function app and select **Dapr** from the left-side menu: +++## Dapr ports and listeners ++When you're triggering a function from Dapr, the extension exposes port `3001` automatically to listen to incoming requests from the Dapr sidecar. ++> [!IMPORTANT] +> Port `3001` is only exposed and listened to if a Dapr trigger is defined in the function app. When using Dapr, the sidecar waits to receive a response from the defined port before completing instantiation. _Do not_ define the `dapr.io/port` annotation or `--app-port` unless you have a trigger. Doing so may lock your application from the Dapr sidecar. +> +> If you're only using input and output bindings, port `3001` doesn't need to be exposed or defined. ++By default, when Azure Functions tries to communicate with Dapr, it calls Dapr over the port resolved from the environment variable `DAPR_HTTP_PORT`. If that variable is null, it defaults to port `3500`. ++You can override the Dapr address used by input and output bindings by setting the `DaprAddress` property in the `function.json` for the binding (or the attribute). By default, it uses `http://localhost:{DAPR_HTTP_PORT}`. ++The function app still exposes another port and endpoint for things like HTTP triggers, which locally defaults to `7071`, but in a container, defaults to `80`. +++## Binding types ++The binding types supported for .NET depend on both the extension version and C# execution mode, which can be one of the following: + +# [In-process class library](#tab/in-process) ++An in-process class library is a compiled C# function runs in the same process as the Functions runtime. + +# [Isolated process](#tab/isolated-process) ++An isolated worker process class library compiled C# function runs in a process isolated from the runtime. ++++The Dapr Extension supports parameter types according to the table below. 
++| Binding | Parameter types | +|-|-|-| +| Dapr trigger | [daprBindingTrigger]<br/>[daprServiceInvocationTrigger]<br/>[daprTopicTrigger]| +| Dapr input | [daprState]<br/>[daprSecret] | +| Dapr output | [daprState][dapr-state-output]<br/>[daprInvoke]<br/>[daprPublish]<br/>[daprBinding] | ++For examples using these types, see [the GitHub repository for the extension](https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/dotnet-azurefunction). +++[daprBindingTrigger]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/triggers.md#input-binding-trigger +[daprServiceInvocationTrigger]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/triggers.md#service-invocation-trigger +[daprTopicTrigger]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/triggers.md#topic-trigger ++[daprState]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/input-bindings.md#state-input-binding +[daprSecret]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/input-bindings.md#state-input-binding ++[dapr-state-output]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/output-bindings.md#topic-publish-output-binding +[daprInvoke]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/output-bindings.md#service-invocation-output-binding +[daprPublish]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/output-bindings.md#topic-publish-output-binding +[daprBinding]: https://github.com/Azure/azure-functions-dapr-extension/blob/master/docs/output-bindings.md#topic-publish-output-binding ++## Try out the Dapr Extension for Azure Functions ++Learn how to use the Dapr Extension for Azure Functions via the provided samples. ++| Samples | Description | +|-|-| +| [Quickstart][dapr-quickstart] | Get started using the Dapr Pub/sub binding and `HttpTrigger`. 
| +| [Dapr Kafka][dapr-kafka] | Learn how to use the Azure Functions Dapr Extension with the Kafka bindings Dapr component. | +| [.NET In-process][dapr-in-proc] | Learn how to use Azure Functions in-process model to integrate with multiple Dapr components in .NET, like Service Invocation, Pub/sub, Bindings, and State Management. | +| [.NET Isolated][dapr-isolated] | Integrate with Dapr components in .NET using the Azure Functions out-of-proc (OOP) execution model. | ++[dapr-quickstart]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/quickstarts/dotnet-isolated +[dapr-kafka]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/python-v2-azurefunction#3-dapr-binding +[dapr-in-proc]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/dotnet-azurefunction +[dapr-isolated]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/dotnet-isolated-azurefunction ++++## Try out the Dapr Extension for Azure Functions ++Learn how to use the Dapr Extension for Azure Functions via the provided samples. ++| Samples | Description | +|-|-| +| [Java Functions][dapr-java] | Learn how to use the Azure Functions Dapr Extension using Java. | ++[dapr-java]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/java-azurefunction ++++## Try out the Dapr Extension for Azure Functions ++Learn how to use the Dapr Extension for Azure Functions via the provided samples. ++| Samples | Description | +|-|-| +| [Quickstart][dapr-quickstart] | Get started using the Dapr Pub/sub binding and `HttpTrigger`. | +| [Dapr Kafka][dapr-kafka] | Learn how to use the Azure Functions Dapr Extension with the Kafka bindings Dapr component. | +| [JavaScript][dapr-js] | Run a JavaScript Dapr function application and integrate with Dapr Service Invocation, Pub/sub, Bindings, and State Management using Azure Functions. 
| ++[dapr-quickstart]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/quickstarts/javascript +[dapr-kafka]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/javascript-azurefunction#3-dapr-binding +[dapr-js]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/javascript-azurefunction ++++## Try out the Dapr Extension for Azure Functions ++Learn how to use the Dapr Extension for Azure Functions via the provided samples. ++| Samples | Description | +|-|-| +| [PowerShell Functions][dapr-powershell] | Learn how to use the Azure Functions Dapr Extension with PowerShell. | ++[dapr-powershell]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/powershell-azurefunction ++++## Try out the Dapr Extension for Azure Functions ++Learn how to use the Dapr Extension for Azure Functions via the provided samples. ++| Samples | Description | +|-|-| +| [Dapr Kafka][dapr-kafka] | Learn how to use the Azure Functions Dapr Extension with the Kafka bindings Dapr component. | +| [Python v1][dapr-python] | Run a Dapr-ized Python application and use the Azure Functions Python v1 programming model to integrate with Dapr components. | +| [Python v2][dapr-python-2] | Launch a Dapr application using the Azure Functions Python v2 programming model to integrate with Dapr components. | ++[dapr-kafka]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/dotnet-isolated-azurefunction#3-dapr-binding +[dapr-python]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/python-azurefunction +[dapr-python-2]: https://github.com/Azure/azure-functions-dapr-extension/tree/master/samples/python-v2-azurefunction +++## Next steps ++[Learn more about Dapr.](https://docs.dapr.io/) |
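Review bot: three of the five reference-link definitions under the parameter-types table point at the wrong section: `[daprSecret]` targets `#state-input-binding` (the same anchor as `[daprState]`), and both `[dapr-state-output]` and `[daprBinding]` target `#topic-publish-output-binding` (the same anchor as `[daprPublish]`); each should link to its own binding's section in the extension docs. Two smaller issues in the same block: the separator row `|-|-|-|` has three columns under a two-column header (`| Binding | Parameter types |`), and the `[dapr-kafka]` targets look swapped between pivots, since the .NET section links to `samples/python-v2-azurefunction#3-dapr-binding` while the Python section links to `samples/dotnet-isolated-azurefunction#3-dapr-binding`.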
azure-functions | Functions Bindings Event Grid Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-event-grid-output.md | public static async Task Run( } ``` -Starting in version 3.3.0, it's possible to use Azure Active Directory when authenticating the output binding: +Starting in version 3.3.0, it's possible to use Microsoft Entra ID when authenticating the output binding: ```csharp [FunctionName("EventGridAsyncOutput")] Use the following steps to configure a topic key: ### Identity-based authentication -When using version 3.3.x or higher of the extension, you can connect to an Event Grid topic using an [Azure Active Directory identity](../active-directory/fundamentals/active-directory-whatis.md) to avoid having to obtain and work with topic keys. +When using version 3.3.x or higher of the extension, you can connect to an Event Grid topic using an [Microsoft Entra identity](../active-directory/fundamentals/active-directory-whatis.md) to avoid having to obtain and work with topic keys. To do this, create an application setting that returns the topic endpoint URI, where the name of the setting combines a unique _common prefix_, such as `myawesometopic`, with the value `__topicEndpointUri`. You then use the common prefix `myawesometopic` when you define the `Connection` property in the binding. |
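Review bot: the rename in the identity-based authentication paragraph leaves a mismatched article: `using an [Microsoft Entra identity]` should read `using a [Microsoft Entra identity]`.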
azure-functions | Functions How To Use Azure Function App Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-how-to-use-azure-function-app-settings.md | Use the [`az functionapp cors show`](/cli/azure/functionapp/cors#az-functionapp- ![Configure authentication for a function app](./media/functions-how-to-use-azure-function-app-settings/configure-function-app-authentication.png) -When functions use an HTTP trigger, you can require calls to first be authenticated. App Service supports Azure Active Directory authentication and sign-in with social providers, such as Facebook, Microsoft, and Twitter. For details on configuring specific authentication providers, see [Azure App Service authentication overview](../app-service/overview-authentication-authorization.md). +When functions use an HTTP trigger, you can require calls to first be authenticated. App Service supports Microsoft Entra authentication and sign-in with social providers, such as Facebook, Microsoft, and Twitter. For details on configuring specific authentication providers, see [Azure App Service authentication overview](../app-service/overview-authentication-authorization.md). ## Next steps |
azure-functions | Functions Identity Access Azure Sql With Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-identity-access-azure-sql-with-managed-identity.md | When you're finished with this tutorial, your Azure Function will connect to Azu An overview of the steps you'll take: > [!div class="checklist"]-> * [Enable Azure AD authentication to the SQL database](#grant-database-access-to-azure-ad-user) +> * [Enable Microsoft Entra authentication to the SQL database](#grant-database-access-to-azure-ad-user) > * [Enable Azure Function managed identity](#enable-system-assigned-managed-identity-on-azure-function) > * [Grant SQL Database access to the managed identity](#grant-sql-database-access-to-the-managed-identity) > * [Configure Azure Function SQL connection string](#configure-azure-function-sql-connection-string) -## Grant database access to Azure AD user +<a name='grant-database-access-to-azure-ad-user'></a> -First enable Azure AD authentication to SQL database by assigning an Azure AD user as the Active Directory admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). +## Grant database access to Microsoft Entra user -Enabling Azure AD authentication can be completed via the Azure portal, PowerShell, or Azure CLI. Directions for Azure CLI are below and information completing this via Azure portal and PowerShell is available in the [Azure SQL documentation on Azure AD authentication](/azure/azure-sql/database/authentication-aad-configure). 
+First enable Microsoft Entra authentication to SQL database by assigning a Microsoft Entra user as the Active Directory admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Microsoft Entra ID. For more information on allowed Microsoft Entra users, see [Microsoft Entra features and limitations in SQL database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). -1. If your Azure AD tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md). +Enabling Microsoft Entra authentication can be completed via the Azure portal, PowerShell, or Azure CLI. Directions for Azure CLI are below and information completing this via Azure portal and PowerShell is available in the [Azure SQL documentation on Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-configure). -1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable. +1. If your Microsoft Entra tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Microsoft Entra ID](../active-directory/fundamentals/add-users-azure-active-directory.md). ++1. Find the object ID of the Microsoft Entra user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable. For Azure CLI 2.37.0 and newer: Enabling Azure AD authentication can be completed via the Azure portal, PowerShe ``` > [!TIP]- > To see the list of all user principal names in Azure AD, run `az ad user list --query [].userPrincipalName`. 
+ > To see the list of all user principal names in Microsoft Entra ID, run `az ad user list --query [].userPrincipalName`. > -1. Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix). +1. Add this Microsoft Entra user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix). ```azurecli-interactive az sql server ad-admin create --resource-group myResourceGroup --server-name <server-name> --display-name ADMIN --object-id $azureaduser ``` -For more information on adding an Active Directory admin, see [Provision an Azure Active Directory administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) +For more information on adding an Active Directory admin, see [Provision a Microsoft Entra administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) For information on enabling system-assigned managed identity through Azure CLI o ## Grant SQL database access to the managed identity -In this step we'll connect to the SQL database with an Azure AD user account and grant the managed identity access to the database. +In this step we'll connect to the SQL database with a Microsoft Entra user account and grant the managed identity access to the database. -1. Open your preferred SQL tool and login with an Azure AD user account (such as the Azure AD user we assigned as administrator). This can be accomplished in Cloud Shell with the SQLCMD command. +1. 
Open your preferred SQL tool and login with a Microsoft Entra user account (such as the Microsoft Entra user we assigned as administrator). This can be accomplished in Cloud Shell with the SQLCMD command. ```bash sqlcmd -S <server-name>.database.windows.net -d <db-name> -U <aad-user-name> -P "<aad-password>" -G -l 30 In this step we'll connect to the SQL database with an Azure AD user account and GO ``` - *\<identity-name>* is the name of the managed identity in Azure AD. If the identity is system-assigned, the name is always the same as the name of your Function app. + *\<identity-name>* is the name of the managed identity in Microsoft Entra ID. If the identity is system-assigned, the name is always the same as the name of your Function app. ## Configure Azure Function SQL connection string -In the final step we'll configure the Azure Function SQL connection string to use Azure AD managed identity authentication. +In the final step we'll configure the Azure Function SQL connection string to use Microsoft Entra managed identity authentication. The connection string setting name is identified in our Functions code as the binding attribute "ConnectionStringSetting", as seen in the SQL input binding [attributes and annotations](./functions-bindings-azure-sql-input.md?pivots=programming-language-csharp#attributes). |
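Review bot: the rewritten sentence `Directions for Azure CLI are below and information completing this via Azure portal and PowerShell is available in ...` is missing a preposition; suggest `information on completing this via the Azure portal and PowerShell is available in ...`. Keeping the `<a name='grant-database-access-to-azure-ad-user'></a>` anchor above the renamed heading is correct, because the checklist entry still links to `#grant-database-access-to-azure-ad-user`.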
azure-functions | Functions Identity Based Connections Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-identity-based-connections-tutorial.md | Last updated 10/20/2021 # Tutorial: Create a function app that connects to Azure services using identities instead of secrets -This tutorial shows you how to configure a function app using Azure Active Directory identities instead of secrets or connection strings, where possible. Using identities helps you avoid accidentally leaking sensitive secrets and can provide better visibility into how data is accessed. To learn more about identity-based connections, see [configure an identity-based connection](functions-reference.md#configure-an-identity-based-connection). +This tutorial shows you how to configure a function app using Microsoft Entra identities instead of secrets or connection strings, where possible. Using identities helps you avoid accidentally leaking sensitive secrets and can provide better visibility into how data is accessed. To learn more about identity-based connections, see [configure an identity-based connection](functions-reference.md#configure-an-identity-based-connection). While the procedures shown work generally for all languages, this tutorial currently supports C# class library functions on Windows specifically. After you complete this tutorial, you should complete the follow-on tutorial tha ## Why use identity? -Managing secrets and credentials is a common challenge for teams of all sizes. Secrets need to be secured against theft or accidental disclosure, and they may need to be periodically rotated. Many Azure services allow you to instead use an identity in [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) to authenticate clients and check against permissions which can be modified and revoked quickly. This allows for greater control over application security with less operational overhead. 
An identity could be a human user, such as the developer of an application, or a running application in Azure with a [managed identity](../active-directory/managed-identities-azure-resources/overview.md). +Managing secrets and credentials is a common challenge for teams of all sizes. Secrets need to be secured against theft or accidental disclosure, and they may need to be periodically rotated. Many Azure services allow you to instead use an identity in [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) to authenticate clients and check against permissions which can be modified and revoked quickly. This allows for greater control over application security with less operational overhead. An identity could be a human user, such as the developer of an application, or a running application in Azure with a [managed identity](../active-directory/managed-identities-azure-resources/overview.md). -Some services do not support Azure Active Directory authentication, so secrets may still be required by your applications. However, these can be stored in [Azure Key Vault](../key-vault/general/overview.md), which helps simplify the management lifecycle for your secrets. Access to a key vault is also controlled with identities. +Some services do not support Microsoft Entra authentication, so secrets may still be required by your applications. However, these can be stored in [Azure Key Vault](../key-vault/general/overview.md), which helps simplify the management lifecycle for your secrets. Access to a key vault is also controlled with identities. By understanding how to use identities instead of secrets when you can and to use Key Vault when you can't, you'll be able to reduce risk, decrease operational overhead, and generally improve the security posture for your applications. 
## Create a function app that uses Key Vault for necessary secrets -Azure Files is an example of a service that does not yet support Azure Active Directory authentication for SMB file shares. Azure Files is the default file system for Windows deployments on Premium and Consumption plans. While we could [remove Azure Files entirely](./storage-considerations.md#create-an-app-without-azure-files), this introduces limitations you may not want. Instead, you will move the Azure Files connection string into Azure Key Vault. That way it is centrally managed, with access controlled by the identity. +Azure Files is an example of a service that does not yet support Microsoft Entra authentication for SMB file shares. Azure Files is the default file system for Windows deployments on Premium and Consumption plans. While we could [remove Azure Files entirely](./storage-considerations.md#create-an-app-without-azure-files), this introduces limitations you may not want. Instead, you will move the Azure Files connection string into Azure Key Vault. That way it is centrally managed, with access controlled by the identity. ### Create an Azure Key Vault |
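Review bot: the front-matter line `Last updated 10/20/2021` is left as-is even though this commit changes the tutorial's wording in several paragraphs; bump it so readers can tell the Microsoft Entra terminology reflects a current revision.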
azure-functions | Functions Premium Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-premium-plan.md | See the complete regional availability of Functions on the [Azure web site](http |East US 2| 100 | 100 | |France Central| 100 | 60 | |Germany West Central| 100 | 20 |+|Israel Central| 100 | 20 | +|Italy North | 100 | 20 | |Japan East| 100 | 20 | |Japan West| 100 | 20 | |Jio India West| 100 | 20 | |
azure-functions | Functions Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference.md | If none of these options are successful, an error occurs. Your identity may already have some role assignments against Azure resources used for development, but those roles may not provide the necessary data access. Management roles like [Owner](../role-based-access-control/built-in-roles.md#owner) aren't sufficient. Double-check what permissions are required for connections for each component, and make sure that you have them assigned to yourself. -In some cases, you may wish to specify use of a different identity. You can add configuration properties for the connection that point to the alternate identity based on a client ID and client Secret for an Azure Active Directory service principal. **This configuration option is not supported when hosted in the Azure Functions service.** To use an ID and secret on your local machine, define the connection with the following extra properties: +In some cases, you may wish to specify use of a different identity. You can add configuration properties for the connection that point to the alternate identity based on a client ID and client Secret for a Microsoft Entra service principal. **This configuration option is not supported when hosted in the Azure Functions service.** To use an ID and secret on your local machine, define the connection with the following extra properties: | Property | Environment variable template | Description | ||||-| Tenant ID | `<CONNECTION_NAME_PREFIX>__tenantId` | The Azure Active Directory tenant (directory) ID. | +| Tenant ID | `<CONNECTION_NAME_PREFIX>__tenantId` | The Microsoft Entra tenant (directory) ID. | | Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | The client (application) ID of an app registration in the tenant. | | Client secret | `<CONNECTION_NAME_PREFIX>__clientSecret` | A client secret that was generated for the app registration. | |
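Review bot: `client ID and client Secret` in the rewritten sentence should use lowercase `client secret`, matching the `Client secret` row and the `__clientSecret` variable in the table that follows.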
azure-functions | Migrate Cosmos Db Version 3 Version 4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/migrate-cosmos-db-version-3-version-4.md | The following table only includes attributes that were renamed or were removed f |**CollectionName** |**ContainerName** | The name of the container being monitored. | |**LeaseConnectionStringSetting** |**LeaseConnection** | (Optional) The name of an app setting or setting collection that specifies how to connect to the Azure Cosmos DB account that holds the lease container. <br><br> When not set, the `Connection` value is used. This parameter is automatically set when the binding is created in the portal. The connection string for the leases container must have write permissions.| |**LeaseCollectionName** |**LeaseContainerName** | (Optional) The name of the container used to store leases. When not set, the value `leases` is used. |-|**CreateLeaseCollectionIfNotExists** |**CreateLeaseContainerIfNotExists** | (Optional) When set to `true`, the leases container is automatically created when it doesn't already exist. The default value is `false`. When using Azure AD identities if you set the value to `true`, creating containers isn't [an allowed operation](../cosmos-db/nosql/troubleshoot-forbidden.md#non-data-operations-are-not-allowed) and your Function won't be able to start.| +|**CreateLeaseCollectionIfNotExists** |**CreateLeaseContainerIfNotExists** | (Optional) When set to `true`, the leases container is automatically created when it doesn't already exist. The default value is `false`. When using Microsoft Entra identities if you set the value to `true`, creating containers isn't [an allowed operation](../cosmos-db/nosql/troubleshoot-forbidden.md#non-data-operations-are-not-allowed) and your Function won't be able to start.| |**LeasesCollectionThroughput** |**LeasesContainerThroughput** | (Optional) Defines the number of Request Units to assign when the leases container is created. 
This setting is only used when `CreateLeaseContainerIfNotExists` is set to `true`. This parameter is automatically set when the binding is created using the portal. | |**LeaseCollectionPrefix** |**LeaseContainerPrefix** | (Optional) When set, the value is added as a prefix to the leases created in the Lease container for this function. Using a prefix allows two separate Azure Functions to share the same Lease container by using different prefixes. | |**UseMultipleWriteLocations** |*Removed* | This attribute is no longer needed as it's automatically detected. | The following table only includes attributes that changed or were removed from t |**collectionName** |**containerName** | The name of the container being monitored. | |**leaseConnectionStringSetting** |**leaseConnection** | (Optional) The name of an app setting or setting collection that specifies how to connect to the Azure Cosmos DB account that holds the lease container. <br><br> When not set, the `connection` value is used. This parameter is automatically set when the binding is created in the portal. The connection string for the leases container must have write permissions.| |**leaseCollectionName** |**leaseContainerName** | (Optional) The name of the container used to store leases. When not set, the value `leases` is used. |-|**createLeaseCollectionIfNotExists** |**createLeaseContainerIfNotExists** | (Optional) When set to `true`, the leases container is automatically created when it doesn't already exist. The default value is `false`. When using Azure AD identities if you set the value to `true`, creating containers isn't [an allowed operation](../cosmos-db/nosql/troubleshoot-forbidden.md#non-data-operations-are-not-allowed) and your Function won't be able to start.| +|**createLeaseCollectionIfNotExists** |**createLeaseContainerIfNotExists** | (Optional) When set to `true`, the leases container is automatically created when it doesn't already exist. The default value is `false`. 
When using Microsoft Entra identities if you set the value to `true`, creating containers isn't [an allowed operation](../cosmos-db/nosql/troubleshoot-forbidden.md#non-data-operations-are-not-allowed) and your Function won't be able to start.| |**leasesCollectionThroughput** |**leasesContainerThroughput** | (Optional) Defines the number of Request Units to assign when the leases container is created. This setting is only used when `createLeaseContainerIfNotExists` is set to `true`. This parameter is automatically set when the binding is created using the portal. | |**leaseCollectionPrefix** |**leaseContainerPrefix** | (Optional) When set, the value is added as a prefix to the leases created in the Lease container for this function. Using a prefix allows two separate Azure Functions to share the same Lease container by using different prefixes. | |**useMultipleWriteLocations** |*Removed* | This attribute is no longer needed as it's automatically detected. | |
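Review bot: both rewritten `CreateLeaseContainerIfNotExists` / `createLeaseContainerIfNotExists` rows need a comma after the introductory clause, `When using Microsoft Entra identities, if you set the value to `true`, ...`; as written the sentence is hard to parse. The operational point is worth keeping prominent after the rename: with identity-based connections the leases container cannot be auto-created, so it must exist before the function starts.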
azure-functions | Security Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/security-concepts.md | While application settings are sufficient for most many functions, you may want Identities may be used in place of secrets for connecting to some resources. This has the advantage of not requiring the management of a secret, and it provides more fine-grained access control and auditing. -When you are writing code that creates the connection to [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication), you can choose to use an identity instead of a secret or connection string. Details for both connection methods are covered in the documentation for each service. +When you are writing code that creates the connection to [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication), you can choose to use an identity instead of a secret or connection string. Details for both connection methods are covered in the documentation for each service. Some Azure Functions trigger and binding extensions may be configured using an identity-based connection. Today, this includes the [Azure Blob](./functions-bindings-storage-blob.md) and [Azure Queue](./functions-bindings-storage-queue.md) extensions. For information about how to configure these extensions to use an identity, see [How to use identity-based connections in Azure Functions](./functions-reference.md#configure-an-identity-based-connection). |
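Review bot: the context line `While application settings are sufficient for most many functions` carries a leftover word (`most many`); since this hunk already edits the same passage, drop one of the two.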
azure-functions | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/start-stop-vms/overview.md | This new version of Start/Stop VMs v2 provides a decentralized low-cost automati Start/Stop VMs v2 is redesigned and it doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [previous version](../../automation/automation-solution-vm-management.md). This version relies on [Azure Functions](../../azure-functions/functions-overview.md) to handle the VM start and stop execution. -A managed identity is created in Azure Active Directory (Azure AD) for this Azure Functions application and allows Start/Stop VMs v2 to easily access other Azure AD-protected resources, such as the logic apps and Azure VMs. For more about managed identities in Azure AD, see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). +A managed identity is created in Microsoft Entra ID for this Azure Functions application and allows Start/Stop VMs v2 to easily access other Microsoft Entra protected resources, such as the logic apps and Azure VMs. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). An HTTP trigger function endpoint is created to support the schedule and sequence scenarios included with the feature, as shown in the following table. |
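Review bot: `Microsoft Entra protected resources` should be hyphenated as `Microsoft Entra-protected resources`, matching the compound adjective in the line it replaces (`Azure AD-protected resources`).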
azure-functions | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-glossary-cloud-terminology.md | See [About Azure storage accounts](./storage/common/storage-account-create.md) ## subscription A customer's agreement with Microsoft that enables them to obtain Azure services. The subscription pricing and related terms are governed by the offer chosen for the subscription.-See [Microsoft Online Subscription Agreement](https://azure.microsoft.com/support/legal/subscription-agreement/) and [How Azure subscriptions are associated with Azure Active Directory](active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) +See [Microsoft Online Subscription Agreement](https://azure.microsoft.com/support/legal/subscription-agreement/) and [How Azure subscriptions are associated with Microsoft Entra ID](active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) ## tag An indexing term that enables you to categorize resources according to your requirements for managing or billing. When you have a complex collection of resources, you can use tags to visualize those assets in the way that makes the most sense. For example, you could tag resources that serve a similar role in your organization or belong to the same department. See [Using tags to organize your Azure resources](./azure-resource-manager/management/tag-resources.md) -## Tenant -A tenant is a group of users or an organization that share access with specific privileges to an instance of a product, service, or application. In Azure Active Directory a tenant is an instance of Azure Active Directory that an organization receives when it signs up for a cloud application like Microsoft 365. Each Azure AD tenant is distinct and separate from other Azure AD tenants. Multitenancy refers to an instance of an application shared by multiple organizations, each with separate access to the instance. 
+## tenant +A tenant is a group of users or an organization that share access with specific privileges to an instance of a product, service, or application. In Microsoft Entra ID a tenant is an instance of Microsoft Entra ID that an organization receives when it signs up for a cloud application like Microsoft 365. Each Microsoft Entra tenant is distinct and separate from other Microsoft Entra tenants. Multitenancy refers to an instance of an application shared by multiple organizations, each with separate access to the instance. ## update domain The collection of virtual machines in an availability set that are updated at the same time. Virtual machines in the same update domain are restarted together during planned maintenance. Azure never restarts more than one update domain at a time. Also referred to as an upgrade domain. |
azure-government | Azure Secure Isolation Guidance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/azure-secure-isolation-guidance.md | Multi-tenancy in the public cloud improves efficiency by multiplexing resources A brief summary of isolation approaches is provided below. -- **User access controls with authentication and identity separation** ΓÇô All data in Azure irrespective of the type or storage location is associated with a subscription. A cloud tenant can be viewed as a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when you sign up for a Microsoft cloud service. The identity and access stack helps enforce isolation among subscriptions, including limiting access to resources within a subscription only to authorized users.+- **User access controls with authentication and identity separation** ΓÇô All data in Azure irrespective of the type or storage location is associated with a subscription. A cloud tenant can be viewed as a dedicated instance of Microsoft Entra ID that your organization receives and owns when you sign up for a Microsoft cloud service. The identity and access stack helps enforce isolation among subscriptions, including limiting access to resources within a subscription only to authorized users. - **Compute isolation** ΓÇô Azure provides you with both logical and physical compute isolation for processing. Logical isolation is implemented via: - *Hypervisor isolation* for services that provide cryptographically certain isolation by using separate virtual machines and using Azure Hypervisor isolation. - *Drawbridge isolation* inside a virtual machine (VM) for services that provide cryptographically certain isolation for workloads running on the same virtual machine by using isolation provided by [Drawbridge](https://www.microsoft.com/research/project/drawbridge/). These services provide small units of processing using customer code. 
A brief summary of isolation approaches is provided below. In addition to robust logical compute isolation available by design to all Azure tenants, if you desire physical compute isolation, you can use Azure Dedicated Host or isolated Virtual Machines, which are deployed on server hardware dedicated to a single customer. - **Networking isolation** ΓÇô Azure Virtual Network (VNet) helps ensure that your private network traffic is logically isolated from traffic belonging to other customers. Services can communicate using public IPs or private (VNet) IPs. Communication between your VMs remains private within a VNet. You can connect your VNets via [VNet peering](../virtual-network/virtual-network-peering-overview.md) or [VPN gateways](../vpn-gateway/vpn-gateway-about-vpngateways.md), depending on your connectivity options, including bandwidth, latency, and encryption requirements. You can use [network security groups](../virtual-network/network-security-groups-overview.md) (NSGs) to achieve network isolation and protect your Azure resources from the Internet while accessing Azure services that have public endpoints. You can use Virtual Network [service tags](../virtual-network/service-tags-overview.md) to define network access controls on [network security groups](../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../firewall/service-tags.md). A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, thereby reducing the complexity of frequent updates to network security rules. 
Moreover, you can use [Private Link](../private-link/private-link-overview.md) to access Azure PaaS services over a private endpoint in your VNet, ensuring that traffic between your VNet and the service travels across the Microsoft global backbone network, which eliminates the need to expose the service to the public Internet. Finally, Azure provides you with options to encrypt data in transit, including [Transport Layer Security (TLS) end-to-end encryption](../application-gateway/ssl-overview.md) of network traffic with [TLS termination using Key Vault certificates](../application-gateway/key-vault-certs.md), [VPN encryption](../vpn-gateway/vpn-gateway-about-compliance-crypto.md) using IPsec, and Azure ExpressRoute encryption using [MACsec with customer-managed keys (CMK) support](../expressroute/expressroute-about-encryption.md#point-to-point-encryption-by-macsec-faq).-- **Storage isolation** ΓÇô To ensure cryptographic certainty of logical data isolation, Azure Storage relies on data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure AD to ensure secure key access and centralized key management. Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is [encrypted through FIPS 140 validated 256-bit AES encryption](../storage/common/storage-service-encryption.md#about-azure-storage-service-side-encryption) and you can use Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. 
This encryption includes managed disks.+- **Storage isolation** ΓÇô To ensure cryptographic certainty of logical data isolation, Azure Storage relies on data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is [encrypted through FIPS 140 validated 256-bit AES encryption](../storage/common/storage-service-encryption.md#about-azure-storage-service-side-encryption) and you can use Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes managed disks. - **Security assurance processes and practices** ΓÇô Azure isolation assurance is further enforced by MicrosoftΓÇÖs internal use of the [Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) (SDL) and other strong security assurance processes to protect attack surfaces and mitigate threats. Microsoft has established industry-leading processes and tooling that provides high confidence in the Azure isolation guarantee. In line with the [shared responsibility](../security/fundamentals/shared-responsibility.md) model in cloud computing, as you migrate workloads from your on-premises datacenter to the cloud, the delineation of responsibility between you and cloud service provider varies depending on the cloud service model. 
For example, with the Infrastructure as a Service (IaaS) model, MicrosoftΓÇÖs responsibility ends at the Hypervisor layer, and you're responsible for all layers above the virtualization layer, including maintaining the base operating system in guest VMs. You can use Azure isolation technologies to achieve the desired level of isolation for your applications and data deployed in the cloud. This article provides technical guidance to address common security and isolatio > For recommendations on how to improve the security of applications and data deployed on Azure, you should review the **[Azure Security Benchmark](/security/benchmark/azure/)** documentation. ## Identity-based isolation-[Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) is an identity repository and cloud service that provides authentication, authorization, and access control for your users, groups, and objects. Azure AD can be used as a standalone cloud directory or as an integrated solution with existing on-premises Active Directory to enable key enterprise features such as directory synchronization and single sign-on. +[Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) is an identity repository and cloud service that provides authentication, authorization, and access control for your users, groups, and objects. Microsoft Entra ID can be used as a standalone cloud directory or as an integrated solution with existing on-premises Active Directory to enable key enterprise features such as directory synchronization and single sign-on. -Each Azure [subscription](/azure/cloud-adoption-framework/decision-guides/subscriptions/) is associated with an Azure AD tenant. Using [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md), users, groups, and applications from that directory can be granted access to resources in the Azure subscription. 
For example, a storage account can be placed in a resource group to control access to that specific storage account using Azure AD. Azure Storage defines a set of Azure built-in roles that encompass common permissions used to access blob or queue data. A request to Azure Storage can be authorized using either your Azure AD account or the Storage Account Key. In this manner, only specific users can be given the ability to access data in Azure Storage. +Each Azure [subscription](/azure/cloud-adoption-framework/decision-guides/subscriptions/) is associated with a Microsoft Entra tenant. Using [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md), users, groups, and applications from that directory can be granted access to resources in the Azure subscription. For example, a storage account can be placed in a resource group to control access to that specific storage account using Microsoft Entra ID. Azure Storage defines a set of Azure built-in roles that encompass common permissions used to access blob or queue data. A request to Azure Storage can be authorized using either your Microsoft Entra account or the Storage Account Key. In this manner, only specific users can be given the ability to access data in Azure Storage. ### Zero Trust architecture-All data in Azure irrespective of the type or storage location is associated with a subscription. A cloud tenant can be viewed as a dedicated instance of Azure AD that your organization receives and owns when you sign up for a Microsoft cloud service. Authentication to the Azure portal is performed through Azure AD using an identity created either in Azure AD or federated with an on-premises Active Directory. The identity and access stack helps enforce isolation among subscriptions, including limiting access to resources within a subscription only to authorized users. 
This access restriction is an overarching goal of the [Zero Trust model](https://aka.ms/Zero-Trust), which assumes that the network is compromised and requires a fundamental shift from the perimeter security model. When evaluating access requests, all requesting users, devices, and applications should be considered untrusted until their integrity can be validated in line with the Zero Trust [design principles](https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/). Azure AD provides the strong, adaptive, standards-based identity verification required in a Zero Trust framework. +All data in Azure irrespective of the type or storage location is associated with a subscription. A cloud tenant can be viewed as a dedicated instance of Microsoft Entra ID that your organization receives and owns when you sign up for a Microsoft cloud service. Authentication to the Azure portal is performed through Microsoft Entra ID using an identity created either in Microsoft Entra ID or federated with an on-premises Active Directory. The identity and access stack helps enforce isolation among subscriptions, including limiting access to resources within a subscription only to authorized users. This access restriction is an overarching goal of the [Zero Trust model](https://aka.ms/Zero-Trust), which assumes that the network is compromised and requires a fundamental shift from the perimeter security model. When evaluating access requests, all requesting users, devices, and applications should be considered untrusted until their integrity can be validated in line with the Zero Trust [design principles](https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/). Microsoft Entra ID provides the strong, adaptive, standards-based identity verification required in a Zero Trust framework. 
> [!NOTE] > Extra resources: All data in Azure irrespective of the type or storage location is associated wit > - To learn how to implement Zero Trust architecture on Azure, see **[Zero Trust Guidance Center](/security/zero-trust/)**. > - For definitions and general deployment models, see **[NIST SP 800-207](https://csrc.nist.gov/publications/detail/sp/800-207/final)** *Zero Trust Architecture*. -### Azure Active Directory -The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) and its capabilities to support granular [Azure role-based access control](../role-based-access-control/overview.md) (Azure RBAC). Each Azure account is associated with one Azure AD tenant. Users, groups, and applications from that directory can manage resources in Azure. You can assign appropriate access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. Each Azure AD tenant is distinct and separate from other Azure ADs. An Azure AD instance is logically isolated using security boundaries to prevent customer data and identity information from comingling, thereby ensuring that users and administrators of one Azure AD can't access or compromise data in another Azure AD instance, either maliciously or accidentally. Azure AD runs physically isolated on dedicated servers that are logically isolated to a dedicated network segment and where host-level packet filtering and Windows Firewall services provide extra protections from untrusted traffic. 
+<a name='azure-active-directory'></a> -Azure AD implements extensive **data protection features**, including tenant isolation and access control, data encryption in transit, secrets encryption and management, disk level encryption, advanced cryptographic algorithms used by various Azure AD components, data operational considerations for insider access, and more. Detailed information is available from a whitepaper [Azure Active Directory Data Security Considerations](https://aka.ms/AADDataWhitePaper). +### Microsoft Entra ID +The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) and its capabilities to support granular [Azure role-based access control](../role-based-access-control/overview.md) (Azure RBAC). Each Azure account is associated with one Microsoft Entra tenant. Users, groups, and applications from that directory can manage resources in Azure. You can assign appropriate access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. Each Microsoft Entra tenant is distinct and separate from other Azure ADs. A Microsoft Entra instance is logically isolated using security boundaries to prevent customer data and identity information from comingling, thereby ensuring that users and administrators of one Microsoft Entra ID can't access or compromise data in another Microsoft Entra instance, either maliciously or accidentally. Microsoft Entra ID runs physically isolated on dedicated servers that are logically isolated to a dedicated network segment and where host-level packet filtering and Windows Firewall services provide extra protections from untrusted traffic. 
-Tenant isolation in Azure AD involves two primary elements: +Microsoft Entra ID implements extensive **data protection features**, including tenant isolation and access control, data encryption in transit, secrets encryption and management, disk level encryption, advanced cryptographic algorithms used by various Microsoft Entra components, data operational considerations for insider access, and more. Detailed information is available from a whitepaper [Microsoft Entra Data Security Considerations](https://aka.ms/AADDataWhitePaper). ++Tenant isolation in Microsoft Entra ID involves two primary elements: - Preventing data leakage and access across tenants, which means that data belonging to Tenant A can't in any way be obtained by users in Tenant B without explicit authorization by Tenant A. - Resource access isolation across tenants, which means that operations performed by Tenant A can't in any way impact access to resources for Tenant B. -As shown in Figure 2, access via Azure AD requires user authentication through a Security Token Service (STS). The authorization system uses information on the userΓÇÖs existence and enabled state through the Directory Services API and Azure RBAC to determine whether the requested access to the target Azure AD instance is authorized for the user in the session. Aside from token-based authentication that is tied directly to the user, Azure AD further supports logical isolation in Azure through: +As shown in Figure 2, access via Microsoft Entra ID requires user authentication through a Security Token Service (STS). The authorization system uses information on the userΓÇÖs existence and enabled state through the Directory Services API and Azure RBAC to determine whether the requested access to the target Microsoft Entra instance is authorized for the user in the session. 
Aside from token-based authentication that is tied directly to the user, Microsoft Entra ID further supports logical isolation in Azure through: -- Azure AD instances are discrete containers and there's no relationship between them.-- Azure AD data is stored in partitions and each partition has a predetermined set of replicas that are considered the preferred primary replicas. Use of replicas provides high availability of Azure AD services to support identity separation and logical isolation.-- Access isn't permitted across Azure AD instances unless the Azure AD instance administrator grants it through federation or provisioning of user accounts from other Azure AD instances.-- Physical access to servers that comprise the Azure AD service and direct access to Azure ADΓÇÖs back-end systems is [restricted to properly authorized Microsoft operational roles](./documentation-government-plan-security.md#restrictions-on-insider-access) using the Just-In-Time (JIT) privileged access management system.-- Azure AD users have no access to physical assets or locations, and therefore it isn't possible for them to bypass the logical Azure RBAC policy checks.+- Microsoft Entra instances are discrete containers and there's no relationship between them. +- Microsoft Entra data is stored in partitions and each partition has a predetermined set of replicas that are considered the preferred primary replicas. Use of replicas provides high availability of Microsoft Entra services to support identity separation and logical isolation. +- Access isn't permitted across Microsoft Entra instances unless the Microsoft Entra instance administrator grants it through federation or provisioning of user accounts from other Microsoft Entra instances. 
+- Physical access to servers that comprise the Microsoft Entra service and direct access to Microsoft Entra IDΓÇÖs back-end systems is [restricted to properly authorized Microsoft operational roles](./documentation-government-plan-security.md#restrictions-on-insider-access) using the Just-In-Time (JIT) privileged access management system. +- Microsoft Entra users have no access to physical assets or locations, and therefore it isn't possible for them to bypass the logical Azure RBAC policy checks. -**Figure 2.** Azure Active Directory logical tenant isolation +**Figure 2.** Microsoft Entra logical tenant isolation -In summary, AzureΓÇÖs approach to logical tenant isolation uses identity, managed through Azure Active Directory, as the first logical control boundary for providing tenant-level access to resources and authorization through Azure RBAC. +In summary, AzureΓÇÖs approach to logical tenant isolation uses identity, managed through Microsoft Entra ID, as the first logical control boundary for providing tenant-level access to resources and authorization through Azure RBAC. ## Data encryption key management Azure has extensive support to safeguard your data using [data encryption](../security/fundamentals/encryption-overview.md), including various encryption models: Proper protection and management of cryptographic keys is essential for data sec **If you require extra security for your most sensitive customer data stored in Azure services, you can encrypt it using your own encryption keys you control in Key Vault.** -The Key Vault service provides an abstraction over the underlying HSMs. It provides a REST API to enable service use from cloud applications and authentication through [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) to allow you to centralize and customize authentication, disaster recovery, high availability, and elasticity. 
Key Vault supports [cryptographic keys](../key-vault/keys/about-keys.md) of various types, sizes, and curves, including RSA and Elliptic Curve keys. With managed HSMs, support is also available for AES symmetric keys. +The Key Vault service provides an abstraction over the underlying HSMs. It provides a REST API to enable service use from cloud applications and authentication through [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) to allow you to centralize and customize authentication, disaster recovery, high availability, and elasticity. Key Vault supports [cryptographic keys](../key-vault/keys/about-keys.md) of various types, sizes, and curves, including RSA and Elliptic Curve keys. With managed HSMs, support is also available for AES symmetric keys. With Key Vault, you can import or generate encryption keys in HSMs, ensuring that keys never leave the HSM protection boundary to support *bring your own key (BYOK)* scenarios, as shown in Figure 3. With Key Vault, you can import or generate encryption keys in HSMs, ensuring tha > [!NOTE] > Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents are precluded from accessing, using or extracting any data stored in the service, including cryptographic keys. For more information, see [How does Azure Key Vault protect your keys?](../key-vault/managed-hsm/mhsm-control-data.md#how-does-azure-key-vault-managed-hsm-protect-your-keys) -Key Vault provides a robust solution for encryption key lifecycle management. Upon creation, every key vault or managed HSM is automatically associated with the Azure AD tenant that owns the subscription. Anyone trying to manage or retrieve content from a key vault or managed HSM must be properly authenticated and authorized: +Key Vault provides a robust solution for encryption key lifecycle management. 
Upon creation, every key vault or managed HSM is automatically associated with the Microsoft Entra tenant that owns the subscription. Anyone trying to manage or retrieve content from a key vault or managed HSM must be properly authenticated and authorized: - Authentication establishes the identity of the caller (user or application). - Authorization determines which operations the caller can perform, based on a combination of [Azure role-based access control](../role-based-access-control/overview.md) (Azure RBAC) and key vault access policy or managed HSM local RBAC. -Azure AD enforces tenant isolation and implements robust measures to prevent access by unauthorized parties, as described previously in *[Azure Active Directory](#azure-active-directory)* section. Access to a key vault or managed HSM is controlled through two interfaces or planes ΓÇô management plane and data plane ΓÇô with both planes using Azure AD for authentication. +Microsoft Entra ID enforces tenant isolation and implements robust measures to prevent access by unauthorized parties, as described previously in *[Microsoft Entra ID](#azure-active-directory)* section. Access to a key vault or managed HSM is controlled through two interfaces or planes ΓÇô management plane and data plane ΓÇô with both planes using Microsoft Entra ID for authentication. - **Management plane** enables you to manage the key vault or managed HSM itself, for example, create and delete key vaults or managed HSMs, retrieve key vault or managed HSM properties, and update access policies. For authorization, the management plane uses Azure RBAC with both key vaults and managed HSMs. - **Data plane** enables you to work with the data stored in your key vaults and managed HSMs, including adding, deleting, and modifying your data. For vaults, stored data can include keys, secrets, and certificates. For managed HSMs, stored data is limited to cryptographic keys only. 
For authorization, the data plane uses [Key Vault access policy](../key-vault/general/assign-access-policy-portal.md) and [Azure RBAC for data plane operations](../key-vault/general/rbac-guide.md) with key vaults, or [managed HSM local RBAC](../key-vault/managed-hsm/access-control.md) with managed HSMs. -When you create a key vault or managed HSM in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. All callers in both planes must register in this tenant and authenticate to access the [key vault](../key-vault/general/security-features.md) or [managed HSM](../key-vault/managed-hsm/access-control.md). +When you create a key vault or managed HSM in an Azure subscription, it's automatically associated with the Microsoft Entra tenant of the subscription. All callers in both planes must register in this tenant and authenticate to access the [key vault](../key-vault/general/security-features.md) or [managed HSM](../key-vault/managed-hsm/access-control.md). You control access permissions and can extract detailed activity logs from the Azure Key Vault service. Azure Key Vault logs the following information: Vaults enable support for [customer-managed keys](../security/fundamentals/encry Key Vault can handle requesting and renewing certificates in vaults, including Transport Layer Security (TLS) certificates, enabling you to enroll and automatically renew certificates from supported public Certificate Authorities. Key Vault certificates support provides for the management of your X.509 certificates, which are built on top of keys and provide an automated renewal feature. Certificate owner can [create a certificate](../key-vault/certificates/create-certificate.md) through Azure Key Vault or by importing an existing certificate. Both self-signed and Certificate Authority generated certificates are supported. 
Moreover, the Key Vault certificate owner can implement secure storage and management of X.509 certificates without interaction with private keys. -When you create a key vault in a resource group, you can [manage access](../key-vault/general/security-features.md) by using Azure AD, which enables you to grant access at a specific scope level by assigning the appropriate Azure roles. For example, to grant access to a user to manage key vaults, you can assign a predefined key vault Contributor role to the user at a specific scope, including subscription, resource group, or specific resource. +When you create a key vault in a resource group, you can [manage access](../key-vault/general/security-features.md) by using Microsoft Entra ID, which enables you to grant access at a specific scope level by assigning the appropriate Azure roles. For example, to grant access to a user to manage key vaults, you can assign a predefined key vault Contributor role to the user at a specific scope, including subscription, resource group, or specific resource. > [!IMPORTANT] > You should control tightly who has Contributor role access to your key vaults. If a user has Contributor permissions to a key vault management plane, the user can gain access to the data plane by setting a key vault access policy. The Azure FC allocates infrastructure resources to tenants and manages unidirect CRP is the front-end service for Azure Compute, exposing consistent compute APIs through Azure Resource Manager, thereby enabling you to create and manage virtual machine resources and extensions via simple templates. -Communications among various components (for example, Azure Resource Manager to and from CRP, CRP to and from FC, FC to and from Hypervisor Agent) all operate on different communication channels with different identities and different permissions sets. This design follows common least-privilege models to ensure that a compromise of any single layer will prevent more actions. 
Separate communications channels ensure that communications can't bypass any layer in the chain. Figure 6 illustrates how the MC and MP securely communicate within the Azure cloud for Hypervisor interaction initiated by a userΓÇÖs [OAuth 2.0 authentication to Azure Active Directory](../active-directory/develop/v2-oauth2-auth-code-flow.md). +Communications among various components (for example, Azure Resource Manager to and from CRP, CRP to and from FC, FC to and from Hypervisor Agent) all operate on different communication channels with different identities and different permissions sets. This design follows common least-privilege models to ensure that a compromise of any single layer will prevent more actions. Separate communications channels ensure that communications can't bypass any layer in the chain. Figure 6 illustrates how the MC and MP securely communicate within the Azure cloud for Hypervisor interaction initiated by a userΓÇÖs [OAuth 2.0 authentication to Microsoft Entra ID](../active-directory/develop/v2-oauth2-auth-code-flow.md). :::image type="content" source="./media/secure-isolation-fig6.png" alt-text="Management Console and Management Plane interaction for secure management flow" border="false"::: **Figure 6.** Management Console and Management Plane interaction for secure management flow -All management commands are authenticated via RSA signed certificate or JSON Web Token (JWT). Authentication and command channels are encrypted via Transport Layer Security (TLS) 1.2 as described in *[Data encryption in transit](#data-encryption-in-transit)* section. Server certificates are used to provide TLS connectivity to the authentication providers where a separate authorization mechanism is used, for example, Azure Active Directory or datacenter Security Token Service (dSTS). dSTS is a token provider like Azure Active Directory that is isolated to the Microsoft datacenter and used for service level communications. 
+All management commands are authenticated via RSA signed certificate or JSON Web Token (JWT). Authentication and command channels are encrypted via Transport Layer Security (TLS) 1.2 as described in *[Data encryption in transit](#data-encryption-in-transit)* section. Server certificates are used to provide TLS connectivity to the authentication providers where a separate authorization mechanism is used, for example, Microsoft Entra ID or datacenter Security Token Service (dSTS). dSTS is a token provider like Microsoft Entra ID that is isolated to the Microsoft datacenter and used for service level communications. Figure 6 illustrates the management flow corresponding to a user command to stop a virtual machine. The steps enumerated in Table 1 apply to other management commands in the same way and use the same encryption and authentication flow. Figure 6 illustrates the management flow corresponding to a user command to stop |Step|Description|Authentication|Encryption| |-|--|--|-|-|**1.**|User authenticates via Azure Active Directory (Azure AD) by providing credentials and is issued a token.|User Credentials|TLS 1.2| -|**2.**|Browser presents token to Azure portal to authenticate user. Azure portal verifies token using token signature and valid signing keys.|JSON Web Token (Azure AD)|TLS 1.2| -|**3.**|User issues “stop VM” request on Azure portal. Azure portal sends “stop VM” request to Azure Resource Manager and presents userΓÇÖs token that was provided by Azure AD. Azure Resource Manager verifies token using token signature and valid signing keys and that the user is authorized to perform the requested operation.|JSON Web Token (Azure AD)|TLS 1.2| +|**1.**|User authenticates via Microsoft Entra ID by providing credentials and is issued a token.|User Credentials|TLS 1.2| +|**2.**|Browser presents token to Azure portal to authenticate user. 
Azure portal verifies token using token signature and valid signing keys.|JSON Web Token (Microsoft Entra ID)|TLS 1.2| +|**3.**|User issues “stop VM” request on Azure portal. Azure portal sends “stop VM” request to Azure Resource Manager and presents userΓÇÖs token that was provided by Microsoft Entra ID. Azure Resource Manager verifies token using token signature and valid signing keys and that the user is authorized to perform the requested operation.|JSON Web Token (Microsoft Entra ID)|TLS 1.2| |**4.**|Azure Resource Manager requests a token from dSTS server based on the client certificate that Azure Resource Manager has, enabling dSTS to grant a JSON Web Token with the correct identity and roles.|Client Certificate|TLS 1.2| |**5.**|Azure Resource Manager sends request to CRP. Call is authenticated via OAuth using a JSON Web Token representing the Azure Resource Manager system identity from dSTS, thus transition from user to system context.|JSON Web Token (dSTS)|TLS 1.2| |**6.**|CRP validates the request and determines which fabric controller can complete the request. CRP requests a certificate from dSTS based on its client certificate so that it can connect to the specific Fabric Controller (FC) that is the target of the command. Token will grant permissions only to that specific FC if CRP is allowed to communicate to that FC.|Client Certificate|TLS 1.2| Azure provides isolation of compute processing through a multi-layered approach, - **Hypervisor isolation** for services that provide cryptographically certain isolation by using separate virtual machines and using Azure Hypervisor isolation. 
Examples: *App Service, Azure Container Instances, Azure Databricks, Azure Functions, Azure Kubernetes Service, Azure Machine Learning, Cloud Services, Data Factory, Service Fabric, Virtual Machines, Virtual Machine Scale Sets.* - **Drawbridge isolation** inside a VM for services that provide cryptographically certain isolation to workloads running on the same virtual machine by using isolation provided by [Drawbridge](https://www.microsoft.com/research/project/drawbridge/). These services provide small units of processing using customer code. To provide security isolation, Drawbridge runs a user process together with a light-weight version of the Windows kernel (library OS) inside a *pico-process*. A pico-process is a secured process with no direct access to services or resources of the Host system. Examples: *Automation, Azure Database for MySQL, Azure Database for PostgreSQL, Azure SQL Database, Azure Stream Analytics.*-- **User context-based isolation** for services that are composed solely of Microsoft-controlled code and customer code isn't allowed to run. Examples: *API Management, Application Gateway, Azure Active Directory, Azure Backup, Azure Cache for Redis, Azure DNS, Azure Information Protection, Azure IoT Hub, Azure Key Vault, Azure portal, Azure Monitor (including Log Analytics), Microsoft Defender for Cloud, Azure Site Recovery, Container Registry, Content Delivery Network, Event Grid, Event Hubs, Load Balancer, Service Bus, Storage, Virtual Network, VPN Gateway, Traffic Manager.*+- **User context-based isolation** for services that are composed solely of Microsoft-controlled code and customer code isn't allowed to run. 
Examples: *API Management, Application Gateway, Microsoft Entra ID, Azure Backup, Azure Cache for Redis, Azure DNS, Azure Information Protection, Azure IoT Hub, Azure Key Vault, Azure portal, Azure Monitor (including Log Analytics), Microsoft Defender for Cloud, Azure Site Recovery, Container Registry, Content Delivery Network, Event Grid, Event Hubs, Load Balancer, Service Bus, Storage, Virtual Network, VPN Gateway, Traffic Manager.* These logical isolation options are discussed in the rest of this section. A normal Windows process can call more than 1200 functions that result in access Like a virtual machine, the pico-process is much easier to secure than a traditional OS interface because it's significantly smaller, stateless, and has fixed and easily described semantics. Another added benefit of the small ABI / driver syscall interface is the ability to audit / fuzz the driver code with little effort. For example, syscall fuzzers can fuzz the ABI with high coverage numbers in a relatively short amount of time. #### User context-based isolation-In cases where an Azure service is composed of Microsoft-controlled code and customer code isn't allowed to run, the isolation is provided by a user context. These services accept only user configuration inputs and data for processing ΓÇô arbitrary code isn't allowed. For these services, a user context is provided to establish the data that can be accessed and what Azure role-based access control (Azure RBAC) operations are allowed. This context is established by Azure Active Directory (Azure AD) as described earlier in *[Identity-based isolation](#identity-based-isolation)* section. Once the user has been identified and authorized, the Azure service creates an application user context that is attached to the request as it moves through execution, providing assurance that user operations are separated and properly isolated. 
+In cases where an Azure service is composed of Microsoft-controlled code and customer code isn't allowed to run, the isolation is provided by a user context. These services accept only user configuration inputs and data for processing ΓÇô arbitrary code isn't allowed. For these services, a user context is provided to establish the data that can be accessed and what Azure role-based access control (Azure RBAC) operations are allowed. This context is established by Microsoft Entra ID as described earlier in *[Identity-based isolation](#identity-based-isolation)* section. Once the user has been identified and authorized, the Azure service creates an application user context that is attached to the request as it moves through execution, providing assurance that user operations are separated and properly isolated. ### Physical isolation In addition to robust logical compute isolation available by design to all Azure tenants, if you desire physical compute isolation you can use Azure Dedicated Host or Isolated Virtual Machines, which are both dedicated to a single customer. Microsoft Azure separates your VM-based compute resources from storage as part o Each Azure [subscription](/azure/cloud-adoption-framework/decision-guides/subscriptions/) can have one or more storage accounts. Azure storage supports various [authentication options](/rest/api/storageservices/authorize-requests-to-azure-storage), including: - **Shared symmetric keys** ΓÇô Upon storage account creation, Azure generates two 512-bit storage account keys that control access to the storage account. You can rotate and regenerate these keys at any point thereafter without coordination with your applications. -- **Azure AD-based authentication** ΓÇô Access to Azure Storage can be controlled by Azure Active Directory (Azure AD), which enforces tenant isolation and implements robust measures to prevent access by unauthorized parties, including Microsoft insiders. 
More information about Azure AD tenant isolation is available from a white paper [Azure Active Directory Data Security Considerations](https://aka.ms/AADDataWhitePaper).+- **Microsoft Entra ID-based authentication** ΓÇô Access to Azure Storage can be controlled by Microsoft Entra ID, which enforces tenant isolation and implements robust measures to prevent access by unauthorized parties, including Microsoft insiders. More information about Microsoft Entra tenant isolation is available from a white paper [Microsoft Entra Data Security Considerations](https://aka.ms/AADDataWhitePaper). - **Shared access signatures (SAS)** ΓÇô Shared access signatures or ΓÇ£presigned URLsΓÇ¥ can be created from the shared symmetric keys. These URLs can be significantly limited in scope to reduce the available attack surface, but at the same time allow applications to grant storage access to another user, service, or device.-- **User delegation SAS** ΓÇô Delegated authentication is similar to SAS but is [based on Azure AD tokens](/rest/api/storageservices/create-user-delegation-sas) rather than the shared symmetric keys. This approach allows a service that authenticates with Azure AD to create a pre signed URL with limited scope and grant temporary access to another user, service, or device.+- **User delegation SAS** ΓÇô Delegated authentication is similar to SAS but is [based on Microsoft Entra tokens](/rest/api/storageservices/create-user-delegation-sas) rather than the shared symmetric keys. This approach allows a service that authenticates with Microsoft Entra ID to create a pre signed URL with limited scope and grant temporary access to another user, service, or device. - **Anonymous public read access** ΓÇô You can allow a small portion of your storage to be publicly accessible without authentication or authorization. This capability can be disabled at the subscription level if you desire more stringent control. 
Azure Storage provides storage for a wide variety of workloads, including: All data blocks stored in stream extent nodes have a 64-bit cyclic redundancy ch Your data in Azure Storage relies on data encryption at rest to provide cryptographic certainty for logical data isolation. You can choose between Microsoft-managed encryption keys (also known as platform-managed encryption keys) or customer-managed encryption keys (CMK). The handling of data encryption and decryption is transparent to customers, as discussed in the next section. ### Data encryption at rest-Azure provides extensive options for [data encryption at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs when using both Microsoft-managed encryption keys and customer-managed encryption keys. For more information, see [data encryption models](../security/fundamentals/encryption-models.md). This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management. +Azure provides extensive options for [data encryption at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs when using both Microsoft-managed encryption keys and customer-managed encryption keys. For more information, see [data encryption models](../security/fundamentals/encryption-models.md). This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. > [!NOTE] > If you require extra security and isolation assurances for your most sensitive data stored in Azure services, you can encrypt it using your own encryption keys you control in Azure Key Vault. 
Azure provides extensive options for [data encryption at rest](../security/funda In general, controlling key access and ensuring efficient bulk encryption and decryption of data is accomplished via the following types of encryption keys (as shown in Figure 16), although other encryption keys can be used as described in *[Storage service encryption](#storage-service-encryption)* section. - **Data Encryption Key (DEK)** is a symmetric AES-256 key that is used for bulk encryption and decryption of a partition or a block of data. The cryptographic modules are FIPS 140 validated as part of the [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server). Access to DEKs is needed by the resource provider or application instance that is responsible for encrypting and decrypting a specific block of data. A single resource may have many partitions and many DEKs. When a DEK is replaced with a new key, only the data in its associated block must be re-encrypted with the new key. The DEK is always stored encrypted by the Key Encryption Key (KEK).-- **Key Encryption Key (KEK)** is an asymmetric RSA key that is optionally provided by you. This key encryption key is utilized to encrypt the Data Encryption Key (DEK) using Azure Key Vault or Managed HSM. As mentioned previously in *[Data encryption key management](#data-encryption-key-management)* section, Azure Key Vault can use FIPS 140 validated hardware security modules (HSMs) to safeguard encryption keys; Managed HSM always uses FIPS 140 validated hardware security modules. These keys aren't exportable and there can be no clear-text version of the KEK outside the HSMs ΓÇô the binding is enforced by the underlying HSM. KEK is never exposed directly to the resource provider or other services. Access to KEK is controlled by permissions in Azure Key Vault and access to Azure Key Vault must be authenticated through Azure Active Directory. 
These permissions can be revoked to block access to this key and, by extension, the data that is encrypted using this key as the root of the key chain.+- **Key Encryption Key (KEK)** is an asymmetric RSA key that is optionally provided by you. This key encryption key is utilized to encrypt the Data Encryption Key (DEK) using Azure Key Vault or Managed HSM. As mentioned previously in *[Data encryption key management](#data-encryption-key-management)* section, Azure Key Vault can use FIPS 140 validated hardware security modules (HSMs) to safeguard encryption keys; Managed HSM always uses FIPS 140 validated hardware security modules. These keys aren't exportable and there can be no clear-text version of the KEK outside the HSMs ΓÇô the binding is enforced by the underlying HSM. KEK is never exposed directly to the resource provider or other services. Access to KEK is controlled by permissions in Azure Key Vault and access to Azure Key Vault must be authenticated through Microsoft Entra ID. These permissions can be revoked to block access to this key and, by extension, the data that is encrypted using this key as the root of the key chain. :::image type="content" source="./media/secure-isolation-fig16.png" alt-text="Data Encryption Keys are encrypted using your key stored in Azure Key Vault"::: **Figure 16.** Data Encryption Keys are encrypted using your key stored in Azure Key Vault Azure Disk encryption does not support Managed HSM or an on-premises key managem Azure Disk encryption relies on two encryption keys for implementation, as described previously: - *Data Encryption Key (DEK)* is a symmetric AES-256 key used to encrypt OS and Data volumes through BitLocker or DM-Crypt. DEK itself is encrypted and stored in an internal location close to the data.-- *Key Encryption Key (KEK)* is an asymmetric RSA-2048 key used to encrypt the Data Encryption Keys. 
KEK is kept in Azure Key Vault under your control including granting access permissions through Azure Active Directory.+- *Key Encryption Key (KEK)* is an asymmetric RSA-2048 key used to encrypt the Data Encryption Keys. KEK is kept in Azure Key Vault under your control including granting access permissions through Microsoft Entra ID. The DEK, encrypted with the KEK, is stored separately and only an entity with access to the KEK can decrypt the DEK. Access to the KEK is guarded by Azure Key Vault where you can choose to store your keys in [FIPS 140 validated hardware security modules](../key-vault/keys/hsm-protected-keys-byok.md). A multi-tenant cloud platform implies that multiple customer applications and da Azure addresses the perceived risk of resource sharing by providing a trustworthy foundation for assuring multi-tenant, cryptographically certain, logically isolated cloud services using a common set of principles: -- User access controls with authentication and identity separation that uses Azure Active Directory and Azure role-based access control (Azure RBAC).+- User access controls with authentication and identity separation that uses Microsoft Entra ID and Azure role-based access control (Azure RBAC). - Compute isolation for processing, including both logical and physical compute isolation. - Networking isolation including separation of network traffic and data encryption in transit. - Storage isolation with data encryption at rest using advanced algorithms with multiple ciphers and encryption keys and provisions for customer-managed keys (CMK) under your control in Azure Key Vault. |
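Review bot: in the renamed **User delegation SAS** bullet, "pre signed URL" should be "presigned URL" to match the "presigned URLs" wording in the **Shared access signatures (SAS)** bullet directly above it; the rename itself is carried through consistently (Azure AD to Microsoft Entra ID in the storage authentication list, the KEK paragraphs, the Azure Disk encryption bullets and the closing principles list), and keeping the `https://aka.ms/AADDataWhitePaper` short link while changing only the link text is fine, since the alias still resolves independently of the product name.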
azure-government | Compare Azure Government Global Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compare-azure-government-global-azure.md | Table below lists API endpoints in Azure vs. Azure Government for accessing and ||Azure Database for MySQL|mysql.database.azure.com|mysql.database.usgovcloudapi.net|| ||Azure Database for PostgreSQL|postgres.database.azure.com|postgres.database.usgovcloudapi.net|| ||Azure SQL Database|database.windows.net|database.usgovcloudapi.net||-|**Identity**|Azure AD|login.microsoftonline.com|login.microsoftonline.us|| +|**Identity**|Microsoft Entra ID|login.microsoftonline.com|login.microsoftonline.us|| |||certauth.login.microsoftonline.com|certauth.login.microsoftonline.us|| |||passwordreset.microsoftonline.com|passwordreset.microsoftonline.us|| |**Integration**|Service Bus|servicebus.windows.net|servicebus.usgovcloudapi.net|| This section outlines variations and considerations when using Developer tools i This section outlines variations and considerations when using Identity services in the Azure Government environment. For service availability, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=information-protection,active-directory-ds,active-directory®ions=usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true). -### [Azure Active Directory Premium P1 and P2](../active-directory/index.yml) +<a name='azure-active-directory-premium-p1-and-p2'></a> ++### [Microsoft Entra ID P1 and P2](../active-directory/index.yml) For feature variations and limitations, see [Cloud feature availability](../active-directory/authentication/feature-availability.md). 
For information on how to use Power BI capabilities for collaboration between Az The following features have known limitations in Azure Government: - Limitations with B2B Collaboration in supported Azure US Government tenants:- - For more information about B2B collaboration limitations in Azure Government and to find out if B2B collaboration is available in your Azure Government tenant, see [Azure AD B2B in government and national clouds](../active-directory/external-identities/b2b-government-national-clouds.md). + - For more information about B2B collaboration limitations in Azure Government and to find out if B2B collaboration is available in your Azure Government tenant, see [Microsoft Entra B2B in government and national clouds](../active-directory/external-identities/b2b-government-national-clouds.md). - Limitations with multi-factor authentication: - Trusted IPs isn't supported in Azure Government. Instead, use Conditional Access policies with named locations to establish when multi-factor authentication should and shouldn't be required based off the user's current IP address. Start using Azure Government: - [Guidance for developers](./documentation-government-developer-guide.md) - [Connect with the Azure Government portal](./documentation-government-get-started-connect-with-portal.md)- |
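Review bot: the unchanged Products-available-by-region link in the Identity section intro shows `active-directory®ions=usgov-non-regional,...` where `&regions=` is expected, so while this section is being edited it is worth confirming that the query string in the source is intact and the link resolves. Adding `<a name='azure-active-directory-premium-p1-and-p2'></a>` above the renamed `### [Microsoft Entra ID P1 and P2]` heading is the right way to keep existing deep links to the old heading slug working.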
azure-government | Azure Services In Fedramp Auditscope | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md | This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and | [App Service](../../app-service/index.yml) | ✅ | ✅ | | [Application Gateway](../../application-gateway/index.yml) | ✅ | ✅ | | [Automation](../../automation/index.yml) | ✅ | ✅ |-| [Azure Active Directory (Free and Basic)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | -| [Azure Active Directory (Premium P1 + P2)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | +| [Microsoft Entra ID (Free)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | +| [Microsoft Entra ID (P1 + P2)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | | [Azure Active Directory B2C](../../active-directory-b2c/index.yml) | ✅ | ✅ |-| [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) | ✅ | ✅ | -| [Azure Active Directory Provisioning Service](../../active-directory/app-provisioning/how-provisioning-works.md)| ✅ | ✅ | -| [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | ✅ | ✅ | +| [Microsoft Entra Domain Services](../../active-directory-domain-services/index.yml) | ✅ | ✅ | +| [Microsoft Entra provisioning service](../../active-directory/app-provisioning/how-provisioning-works.md)| ✅ | ✅ | +| [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | ✅ | ✅ | | [Azure API for FHIR](../../healthcare-apis/azure-api-for-fhir/index.yml) | ✅ | ✅ | | **Service** | **FedRAMP High** | **DoD IL2** | | [Azure Arc-enabled servers](../../azure-arc/servers/index.yml) | ✅ | ✅ | 
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and | [App Service](../../app-service/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Application Gateway](../../application-gateway/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Automation](../../automation/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |-| [Azure Active Directory (Free and Basic)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | ✅ | ✅ | ✅ | -| [Azure Active Directory (Premium P1 + P2)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | ✅ | ✅ | | -| [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) | ✅ | ✅ | ✅ | ✅ | | -| [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | ✅ | ✅ | ✅ | ✅ | ✅ | +| [Microsoft Entra ID (Free)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | ✅ | ✅ | ✅ | +| [Microsoft Entra ID (P1 + P2)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | ✅ | ✅ | ✅ | ✅ | | +| [Microsoft Entra Domain Services](../../active-directory-domain-services/index.yml) | ✅ | ✅ | ✅ | ✅ | | +| [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Azure API for FHIR](../../healthcare-apis/azure-api-for-fhir/index.yml) | ✅ | ✅ | ✅ | ✅ | | | [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/index.yml) | ✅ | ✅ | ✅ | ✅ | | | [Azure Arc-enabled servers](../../azure-arc/servers/index.yml) | ✅ | ✅ | ✅ | ✅ | | |
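Review bot: as in the other audit-scope table, "(Free and Basic)" becoming "(Free)" narrows the described scope, so confirm Basic is meant to disappear from this listing. The renamed "Microsoft Entra ID (P1 + P2)" and "Microsoft Entra Domain Services" rows carry an empty fifth column while the "(Free)" and "multifactor authentication" rows show ✅; that matches the removed `-` lines, so it only needs a check that the blank cells are still accurate rather than a leftover from the rename.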
azure-government | Secure Azure Computing Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/secure-azure-computing-architecture.md | As mentioned earlier, you can build the SACA reference by using a variety of app - [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) - [Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md) - [Azure Key Vault](../../key-vault/general/overview.md)- - [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) + - [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) - [Application Gateway](../../application-gateway/overview.md) - [Azure Firewall](../../firewall/overview.md) - [Azure Front Door](../../frontdoor/front-door-overview.md) |
azure-government | Documentation Government Aad Auth Qs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-aad-auth-qs.md | Title: Azure Government integrate Azure AD Authentication -description: This article demonstrates how to integrating Azure AD authentication on Azure Government. + Title: Azure Government integrate Microsoft Entra authentication +description: This article demonstrates how to integrating Microsoft Entra authentication on Azure Government. Last updated 11/02/2021 -# Integrate Azure AD authentication with Web Apps on Azure Government +# Integrate Microsoft Entra authentication with Web Apps on Azure Government -The following quickstart helps you get started integrating Azure AD Authentication with applications on Azure Government. Azure Active Directory (Azure AD) Authentication on Azure Government is similar to the Azure commercial platform, with a [few exceptions](./compare-azure-government-global-azure.md). +The following quickstart helps you get started integrating Microsoft Entra authentication with applications on Azure Government. Microsoft Entra authentication on Azure Government is similar to the Azure commercial platform, with a [few exceptions](./compare-azure-government-global-azure.md). -Learn more about [Azure Active Directory Authentication Scenarios](../active-directory/develop/authentication-vs-authorization.md). +Learn more about [Microsoft Entra authentication Scenarios](../active-directory/develop/authentication-vs-authorization.md). -## Integrate Azure AD login into a web application using OpenID Connect +<a name='integrate-azure-ad-login-into-a-web-application-using-openid-connect'></a> -This section shows how to integrate Azure AD using the OpenID Connect protocol for signing in users into a web app. 
+## Integrate Microsoft Entra login into a web application using OpenID Connect ++This section shows how to integrate Microsoft Entra ID using the OpenID Connect protocol for signing in users into a web app. ### Prerequisites -- An Azure AD tenant in Azure Government. You must have an [Azure Government subscription](https://azure.microsoft.com/overview/clouds/government/request/) in order to have an Azure AD tenant in Azure Government. For more information on how to get an Azure AD tenant, see [How to get an Azure AD tenant](../active-directory/develop/quickstart-create-new-tenant.md) -- A user account in your Azure AD tenant. This sample does not work with a Microsoft account, so if you signed in to the Azure Government portal with a Microsoft account and have never created a user account in your directory before, you need to do that now.+- A Microsoft Entra tenant in Azure Government. You must have an [Azure Government subscription](https://azure.microsoft.com/overview/clouds/government/request/) in order to have a Microsoft Entra tenant in Azure Government. For more information on how to get a Microsoft Entra tenant, see [How to get a Microsoft Entra tenant](../active-directory/develop/quickstart-create-new-tenant.md) +- A user account in your Microsoft Entra tenant. This sample does not work with a Microsoft account, so if you signed in to the Azure Government portal with a Microsoft account and have never created a user account in your directory before, you need to do that now. - Have an [ASP.NET Core application deployed and running in Azure Government](documentation-government-howto-deploy-webandmobile.md) -### Step 1: Register your web application with your Azure AD Tenant +<a name='step-1-register-your-web-application-with-your-azure-ad-tenant'></a> ++### Step 1: Register your web application with your Microsoft Entra tenant 1. Sign in to the [Azure Government portal](https://portal.azure.us). 2. 
On the top bar, click on your account and under the **Directory** list, choose the Active Directory tenant where you wish to register your application.-3. Click on **All Services** in the left-hand nav, and choose **Azure Active Directory**. +3. Click on **All Services** in the left-hand nav, and choose **Microsoft Entra ID**. 4. Click on **App registrations** and choose **Add**. 5. Enter the name for your application, and select 'Web Application and/or Web API' as the Application Type. For the sign-on URL, enter the base URL for your application, which is your Azure App URL + "/signin-oidc." This section shows how to integrate Azure AD using the OpenID Connect protocol f Click on **Create** to create the application. 6. While still in the Azure portal, choose your application, click on **Settings**, and choose **Properties**. 7. Find the Application ID value and copy it to the clipboard.-8. For the App ID URI, enter https://\<your_tenant_name\>/\<name_of_your_app\>, replacing \<your_tenant_name\> with the name of your Azure AD tenant and \<name_of_your_app\> with the name of your application. +8. For the App ID URI, enter https://\<your_tenant_name\>/\<name_of_your_app\>, replacing \<your_tenant_name\> with the name of your Microsoft Entra tenant and \<name_of_your_app\> with the name of your application. ++<a name='step-2--configure-your-app-to-use-your-azure-ad-tenant'></a> -### Step 2: Configure your app to use your Azure AD tenant +### Step 2: Configure your app to use your Microsoft Entra tenant #### Azure Government Variations -The only variation when setting up Azure AD Authorization on the Azure Government cloud is in the Azure AD Instance: +The only variation when setting up Microsoft Entra Authorization on the Azure Government cloud is in the Microsoft Entra Instance: - "https:\//login.microsoftonline.us" #### Configure the InventoryApp project 1. Open your application in Visual Studio 2019. 2. Open the `appsettings.json` file.-3. 
Add an `Authentication` section and fill out the properties with your Azure AD tenant information. +3. Add an `Authentication` section and fill out the properties with your Microsoft Entra tenant information. ```cs //ClientId: Azure AD-> App registrations -> Application ID The only variation when setting up Azure AD Authorization on the Azure Governmen } } ```-4. Fill out the `ClientId` property with the Client ID for your app from the Azure Government portal. You can find the Client ID by navigating to Azure AD -> App Registrations -> Your Application -> Application ID. -5. Fill out the `TenantId` property with the Tenant ID for your app from the Azure Government portal. You can find the Tenant ID by navigating to Azure AD -> Properties -> Directory ID. +4. Fill out the `ClientId` property with the Client ID for your app from the Azure Government portal. You can find the Client ID by navigating to Microsoft Entra ID -> App Registrations -> Your Application -> Application ID. +5. Fill out the `TenantId` property with the Tenant ID for your app from the Azure Government portal. You can find the Tenant ID by navigating to Microsoft Entra ID -> Properties -> Directory ID. 6. Fill out the `Domain` property with `<tenantname>.onmicrosoft.us`. 7. Open the `startup.cs` file. 8. In your `ConfigureServices` method, add the following code: The only variation when setting up Azure AD Authorization on the Azure Governmen ## Next steps -* Navigate to the [Azure Government PaaS Sample](https://github.com/Azure-Samples/gov-paas-sample) to see Azure AD Authentication as well as other services being integrated in an Application running on Azure Government. +* Navigate to the [Azure Government PaaS Sample](https://github.com/Azure-Samples/gov-paas-sample) to see Microsoft Entra authentication as well as other services being integrated in an Application running on Azure Government. 
* Subscribe to the [Azure Government blog](https://blogs.msdn.microsoft.com/azuregov/) * Get help on Stack Overflow by using the "[azure-gov](https://stackoverflow.com/questions/tagged/azure-gov)" tag |
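Review bot: the updated `description:` line keeps the pre-existing grammar error "how to integrating" (should be "how to integrate"), and because every surrounding reference is renamed, the spots left untouched now stand out: step 2 still says "choose the Active Directory tenant" while step 3 says "choose **Microsoft Entra ID**", and the appsettings snippet's comment still reads `//ClientId: Azure AD-> App registrations`. That snippet is fenced as ```cs although it holds appsettings.json content with comments, so `jsonc` would be the accurate tag. Minor: "Microsoft Entra authentication Scenarios", "Microsoft Entra Authorization" and "Microsoft Entra Instance" use inconsistent capitalization in the renamed lines.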
azure-government | Documentation Government How To Access Enterprise Agreement Billing Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-how-to-access-enterprise-agreement-billing-account.md | As an Azure Government Enterprise Agreement (EA) customer, you can now manage yo You can manage your Enterprise Agreement (EA) billing account using the [Azure Government portal](https://portal.azure.us/). To access the portal, sign in using your Azure Government credentials. -If you don't have Azure Government credentials, contact the User Administrator or Global Administrator of your Azure Government Active Directory (Azure AD) tenant. Ask them to add you as a new user in Azure Government Active directory. +If you don't have Azure Government credentials, contact the User Administrator or Global Administrator of your Azure Government Microsoft Entra tenant. Ask them to add you as a new user in Azure Government Active directory. A User Administrator or Global Administrator uses the following steps to add a new user: 1. Sign in to the [Azure Government portal](https://portal.azure.us/) in the User Administrator or Global Administrator role.-1. Navigate to **Azure Active Directory** > **Users**. +1. Navigate to **Microsoft Entra ID** > **Users**. 1. Select **New user** > **Create new user** from the menu. :::image type="content" source="./media/documentation-government-how-to-access-enterprise-agreement-billing-account-01.png" alt-text="Screenshot showing the New user option." lightbox="./media/documentation-government-how-to-access-enterprise-agreement-billing-account-01.png" ::: 1. On the **New User** page, provide the new user's information like user name, display name, role etc. 
Once you have access to your enrollment on the Azure Government portal, refer to - For more information about managing your enrollment, creating a department or subscription, adding administrators and account owners, and other administrative tasks, see [Azure EA billing administration](../cost-management-billing/manage/direct-ea-administration.md). - To view a usage summary, price sheet, and download reports, see [Review usage charges](../cost-management-billing/manage/direct-ea-azure-usage-charges-invoices.md#review-usage-charges). - To learn more about EA billing roles, read [Understand Azure Enterprise Agreement administrative roles in Azure](../cost-management-billing/manage/understand-ea-roles.md)-- For information on which REST APIs to use with your Azure enterprise enrollment and an explanation for how to resolve common issues with REST APIs, see [Azure Enterprise REST APIs](../cost-management-billing/manage/enterprise-rest-apis.md).+- For information on which REST APIs to use with your Azure enterprise enrollment and an explanation for how to resolve common issues with REST APIs, see [Azure Enterprise REST APIs](../cost-management-billing/manage/enterprise-rest-apis.md). |
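Review bot: the first sentence of the updated paragraph now reads "Microsoft Entra tenant", but the sentence that follows still says "add you as a new user in Azure Government Active directory"; rename it as well (and fix the capitalization) so the paragraph agrees with the **Microsoft Entra ID** > **Users** step in the procedure below it.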
azure-government | Documentation Government Overview Dod | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-dod.md | The following services are in scope for DoD IL5 PA in US DoD regions (US DoD Cen - [API Management](https://azure.microsoft.com/services/api-management/) - [Application Gateway](https://azure.microsoft.com/services/application-gateway/)-- [Azure Active Directory (Free and Basic)](../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses)-- [Azure Active Directory (Premium P1 + P2)](../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses)+- [Microsoft Entra ID (Free](../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) +- [Microsoft Entra ID (P1 + P2)](../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) - [Azure Analysis Services](https://azure.microsoft.com/services/analysis-services/) - [Azure Backup](https://azure.microsoft.com/services/backup/) - [Azure Cache for Redis](https://azure.microsoft.com/services/cache/) |
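Review bot: the first added bullet is missing a closing parenthesis: `[Microsoft Entra ID (Free](...)` should be `[Microsoft Entra ID (Free)](...)`, otherwise the rendered link text carries an unbalanced "(". The same scope question applies here as in the audit-scope tables: "(Free and Basic)" becomes "(Free)", so confirm that Basic is intentionally removed from the DoD IL5 list rather than simply renamed.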
azure-government | Documentation Government Overview Itar | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-itar.md | Azure provides many options for [encrypting data in transit](../security/fundame ### Data encryption at rest -Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management. For more information about Azure Storage encryption and Azure Disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). +Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. For more information about Azure Storage encryption and Azure Disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). Azure SQL Database provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest by [default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/). TDE performs real-time encryption and decryption operations on the data and log files. Database Encryption Key (DEK) is a symmetric key stored in the database boot record for availability during recovery. 
It's secured via a certificate stored in the master database of the server or an asymmetric key called TDE Protector stored under your control in [Azure Key Vault](../key-vault/general/security-features.md). Key Vault supports [bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) (BYOK), which enables you to store the TDE Protector in Key Vault and control key management tasks including key rotation, permissions, deleting keys, enabling auditing/reporting on all TDE Protectors, and so on. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-premises HSM device](../key-vault/keys/hsm-protected-keys.md). You can also use the [Always Encrypted](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure) feature of Azure SQL Database, which is designed specifically to help protect sensitive data by allowing you to encrypt data inside your applications and [never reveal the encryption keys to the database engine](/sql/relational-databases/security/encryption/always-encrypted-database-engine). In this manner, Always Encrypted provides separation between those users who own the data and can view it and those users who manage the data but should have no access. |
azure-government | Documentation Government Overview Jps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-jps.md | Azure provides many options for [encrypting data in transit](../security/fundame ### Data encryption at rest -Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management. For more information about Azure Storage encryption and Azure Disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). +Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. For more information about Azure Storage encryption and Azure Disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). Azure SQL Database provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest by [default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/). TDE performs real-time encryption and decryption operations on the data and log files. Database Encryption Key (DEK) is a symmetric key stored in the database boot record for availability during recovery. 
It's secured via a certificate stored in the master database of the server or an asymmetric key called TDE Protector stored under your control in [Azure Key Vault](../key-vault/general/security-features.md). Key Vault supports [bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) (BYOK), which enables you to store the TDE Protector in Key Vault and control key management tasks including key rotation, permissions, deleting keys, enabling auditing/reporting on all TDE Protectors, and so on. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-premises HSM device](../key-vault/keys/hsm-protected-keys.md). You can also use the [Always Encrypted](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure) feature of Azure SQL Database, which is designed specifically to help protect sensitive data by allowing you to encrypt data inside your applications and [never reveal the encryption keys to the database engine](/sql/relational-databases/security/encryption/always-encrypted-database-engine). In this manner, Always Encrypted provides separation between those users who own the data (and can view it) and those users who manage the data (but should have no access). The CJIS Security Policy v5.9.2 revised the multi-factor authentication (MFA) re According to the CJIS Security Policy, identification and authentication of organizational users requires MFA to privileged and non-privileged accounts as part of CJI access control requirements. MFA is required at Authenticator Assurance Level 2 (AAL2), as described in the National Institute of Standards and Technology (NIST) [SP 800-63](https://pages.nist.gov/800-63-3/sp800-63-3.html) *Digital Identity Guidelines*. Authenticators and verifiers operated at AAL2 shall be validated to meet the requirements of FIPS 140 Level 1. 
-The [Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md) provides an extra level of security to your Azure Active Directory (Azure AD) account. It's available on mobile phones running Android and iOS. With the Microsoft Authenticator app, you can provide secondary verification for MFA scenarios to meet your CJIS Security Policy MFA requirements. As mentioned previously, CJIS Security Policy requires that solutions for hard tokens use cryptographic modules validated at FIPS 140 Level 1. The Microsoft Authenticator app meets FIPS 140 Level 1 validation requirements for all Azure AD authentications, as explained in [Authentication methods in Azure Active Directory - Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-azure-ad-authentication). FIPS 140 compliance for Microsoft Authenticator is currently in place for iOS and in progress for Android. +The [Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md) provides an extra level of security to your Microsoft Entra account. It's available on mobile phones running Android and iOS. With the Microsoft Authenticator app, you can provide secondary verification for MFA scenarios to meet your CJIS Security Policy MFA requirements. As mentioned previously, CJIS Security Policy requires that solutions for hard tokens use cryptographic modules validated at FIPS 140 Level 1. The Microsoft Authenticator app meets FIPS 140 Level 1 validation requirements for all Microsoft Entra authentications, as explained in [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-azure-ad-authentication). FIPS 140 compliance for Microsoft Authenticator is currently in place for iOS and in progress for Android. 
Moreover, Azure can help you meet and **exceed** your CJIS Security Policy MFA requirements by supporting the highest Authenticator Assurance Level 3 (AAL3). According to [NIST SP 800-63B Section 4.3](https://pages.nist.gov/800-63-3/sp800-63b.html#sec4), multi-factor **authenticators** used at AAL3 shall rely on hardware cryptographic modules validated at FIPS 140 Level 2 overall with at least FIPS 140 Level 3 for physical security, which exceeds the CJIS Security Policy MFA requirements. **Verifiers** at AAL3 shall be validated at FIPS 140 Level 1 or higher. -Azure Active Directory (Azure AD) supports both authenticator and verifier NIST SP 800-63B AAL3 requirements: +Microsoft Entra ID supports both authenticator and verifier NIST SP 800-63B AAL3 requirements: -- **Authenticator requirements:** FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements, including the underlying FIPS 140 validation requirements. Azure AD support for NIST SP 800-63B AAL3 **exceeds** the CJIS Security Policy MFA requirements.-- **Verifier requirements:** Azure AD uses the [Windows FIPS 140 Level 1](/windows/security/threat-protection/fips-140-validation) overall validated cryptographic module for all its authentication related cryptographic operations. It's therefore a FIPS 140 compliant verifier.+- **Authenticator requirements:** FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements, including the underlying FIPS 140 validation requirements. Microsoft Entra ID support for NIST SP 800-63B AAL3 **exceeds** the CJIS Security Policy MFA requirements. +- **Verifier requirements:** Microsoft Entra ID uses the [Windows FIPS 140 Level 1](/windows/security/threat-protection/fips-140-validation) overall validated cryptographic module for all its authentication related cryptographic operations. It's therefore a FIPS 140 compliant verifier. 
For more information, see [Azure NIST SP 800-63 documentation](/azure/compliance/offerings/offering-nist-800-63). |
azure-government | Documentation Government Overview Nerc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-nerc.md | A multi-tenant cloud platform implies that multiple customer applications and da ### Identity and access -Azure Active Directory (Azure AD) is an identity repository and cloud service that provides authentication, authorization, and access control for an organizationΓÇÖs users, groups, and objects. Azure AD can be used as a standalone cloud directory or as an integrated solution with existing on-premises Active Directory to enable key enterprise features such as directory synchronization and single sign-on. The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using Azure AD and its capabilities to support granular Azure role-based access control (RBAC). Azure AD implements extensive data protection features, including tenant isolation and access control, data operational considerations for insider access, and more. +Microsoft Entra ID is an identity repository and cloud service that provides authentication, authorization, and access control for an organizationΓÇÖs users, groups, and objects. Microsoft Entra ID can be used as a standalone cloud directory or as an integrated solution with existing on-premises Active Directory to enable key enterprise features such as directory synchronization and single sign-on. The separation of the accounts used to administer cloud applications is critical to achieving logical isolation. Account isolation in Azure is achieved using Microsoft Entra ID and its capabilities to support granular Azure role-based access control (RBAC). Microsoft Entra ID implements extensive data protection features, including tenant isolation and access control, data operational considerations for insider access, and more. 
For more information, see [Identity-based isolation](./azure-secure-isolation-guidance.md#identity-based-isolation). For more information, see [Networking isolation](./azure-secure-isolation-guidan Microsoft Azure separates your VM-based computation resources from storage as part of its fundamental design. The separation allows computation and storage to scale independently, making it easier to provide multi-tenancy and isolation. Therefore, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except logically. -Azure provides extensive options for data encryption at rest to help you safeguard your data and meet your NERC CIP standards compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management. +Azure provides extensive options for data encryption at rest to help you safeguard your data and meet your NERC CIP standards compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. For more information, see [Storage isolation](./azure-secure-isolation-guidance.md#storage-isolation). |
azure-government | Documentation Government Overview Wwps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-overview-wwps.md | Azure Storage redundancy options can have implications on data residency as Azur As described on the [data location page](https://azure.microsoft.com/global-infrastructure/data-residency/), most Azure **regional** services honor the data at rest commitment to ensure that your data remains within the geographic boundary where the corresponding service is deployed. A handful of exceptions to this rule are noted on the data location page. You should review these exceptions to determine if the type of data stored outside your chosen deployment Geography meets your needs. -**Non-regional** Azure services don't enable you to specify the region where the services will be deployed. Some non-regional services don't store your data at all but merely provide global routing functions such as Azure Traffic Manager or Azure DNS. Other non-regional services are intended for data caching at edge locations around the globe, such as the Content Delivery Network ΓÇô such services are optional and you shouldn't use them for sensitive customer content you wish to keep in your Geography. One non-regional service that warrants extra discussion is **Azure Active Directory**, which is discussed in the next section. +**Non-regional** Azure services don't enable you to specify the region where the services will be deployed. Some non-regional services don't store your data at all but merely provide global routing functions such as Azure Traffic Manager or Azure DNS. Other non-regional services are intended for data caching at edge locations around the globe, such as the Content Delivery Network ΓÇô such services are optional and you shouldn't use them for sensitive customer content you wish to keep in your Geography. 
One non-regional service that warrants extra discussion is **Microsoft Entra ID**, which is discussed in the next section. -#### *Customer data in Azure Active Directory* +<a name='customer-data-in-azure-active-directory'></a> -Azure Active Directory (Azure AD) is a non-regional service that may store identity data globally, except for Azure AD deployments in: +#### *Customer data in Microsoft Entra ID* ++Microsoft Entra ID is a non-regional service that may store identity data globally, except for Microsoft Entra deployments in: - The United States, where identity data is stored solely in the United States.-- Europe, where Azure AD keeps most of the identity data within European datacenters except as noted in [Identity data storage for European customers in Azure Active Directory](../active-directory/fundamentals/active-directory-data-storage-eu.md).-- Australia and New Zealand, where identity data is stored in Australia except as noted in [Customer data storage for Australian and New Zealand customers in Azure Active Directory](../active-directory/fundamentals/active-directory-data-storage-australia-newzealand.md).+- Europe, where Microsoft Entra ID keeps most of the identity data within European datacenters except as noted in [Identity data storage for European customers in Microsoft Entra ID](../active-directory/fundamentals/active-directory-data-storage-eu.md). +- Australia and New Zealand, where identity data is stored in Australia except as noted in [Customer data storage for Australian and New Zealand customers in Microsoft Entra ID](../active-directory/fundamentals/active-directory-data-storage-australia-newzealand.md). -Azure AD provides a [dashboard](https://go.microsoft.com/fwlink/?linkid=2092972) with transparent insight into data location for every Azure AD component service. 
Among other features, Azure AD is an identity management service that stores directory data for your Azure administrators, including user **personal data** categorized as **End User Identifiable Information (EUII)**, for example, names, email addresses, and so on. In Azure AD, you can create User, Group, Device, Application, and other entities using various attribute types such as Integer, DateTime, Binary, String (limited to 256 characters), and so on. Azure AD isn't intended to store your customer content and it isn't possible to store blobs, files, database records, and similar structures in Azure AD. Moreover, Azure AD isn't intended to be an identity management service for your external end users ΓÇô [Azure AD B2C](../active-directory-b2c/overview.md) should be used for that purpose. +Microsoft Entra ID provides a [dashboard](https://go.microsoft.com/fwlink/?linkid=2092972) with transparent insight into data location for every Microsoft Entra component service. Among other features, Microsoft Entra ID is an identity management service that stores directory data for your Azure administrators, including user **personal data** categorized as **End User Identifiable Information (EUII)**, for example, names, email addresses, and so on. In Microsoft Entra ID, you can create User, Group, Device, Application, and other entities using various attribute types such as Integer, DateTime, Binary, String (limited to 256 characters), and so on. Microsoft Entra ID isn't intended to store your customer content and it isn't possible to store blobs, files, database records, and similar structures in Microsoft Entra ID. Moreover, Microsoft Entra ID isn't intended to be an identity management service for your external end users ΓÇô [Azure AD B2C](../active-directory-b2c/overview.md) should be used for that purpose. 
-Azure AD implements extensive **data protection features**, including tenant isolation and access control, data encryption in transit, secrets encryption and management, disk level encryption, advanced cryptographic algorithms used by various Azure AD components, data operational considerations for insider access, and more. Detailed information is available from a whitepaper [Active Directory Data Security Considerations](https://aka.ms/AADDataWhitePaper). +Microsoft Entra ID implements extensive **data protection features**, including tenant isolation and access control, data encryption in transit, secrets encryption and management, disk level encryption, advanced cryptographic algorithms used by various Microsoft Entra components, data operational considerations for insider access, and more. Detailed information is available from a whitepaper [Active Directory Data Security Considerations](https://aka.ms/AADDataWhitePaper). #### *Generating pseudonymous data for internal systems* Azure provides many options for [encrypting data in transit](../security/fundame ### Data encryption at rest -Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management. For more information about Azure Storage encryption and Azure Disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). +Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. 
This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. For more information about Azure Storage encryption and Azure Disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). Azure SQL Database provides [transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) (TDE) at rest by [default](https://azure.microsoft.com/updates/newly-created-azure-sql-databases-encrypted-by-default/). TDE performs real-time encryption and decryption operations on the data and log files. Database Encryption Key (DEK) is a symmetric key stored in the database boot record for availability during recovery. It's secured via a certificate stored in the master database of the server or an asymmetric key called TDE Protector stored under your control in [Azure Key Vault](../key-vault/general/security-features.md). Key Vault supports [bring your own key](/azure/azure-sql/database/transparent-data-encryption-byok-overview) (BYOK), which enables you to store the TDE Protector in Key Vault and control key management tasks including key permissions, rotation, deletion, enabling auditing/reporting on all TDE Protectors, and so on. The key can be generated by the Key Vault, imported, or [transferred to the Key Vault from an on-premises HSM device](../key-vault/keys/hsm-protected-keys.md). You can also use the [Always Encrypted](/azure/azure-sql/database/always-encrypted-azure-key-vault-configure) feature of Azure SQL Database, which is designed specifically to help protect sensitive data by allowing you to encrypt data inside your applications and [never reveal the encryption keys to the database engine](/sql/relational-databases/security/encryption/always-encrypted-database-engine). 
In this manner, Always Encrypted provides separation between those users who own the data (and can view it) and those users who manage the data (but should have no access). Azure Stack Hub brings the following [value proposition for key scenarios](/azur - **Cloud applications to meet data sovereignty:** Deploy a single application differently depending on the country/region. You can develop and deploy applications in Azure, with full flexibility to deploy on-premises with Azure Stack Hub based on the need to meet data sovereignty or custom compliance requirements. For example, with Azure Stack Hub architecture for [data sovereignty](/azure/architecture/solution-ideas/articles/data-sovereignty-and-gravity), you can transmit data from an Azure VNet to Azure Stack Hub VNet over private connection and ultimately store data in a SQL Server database running in a VM on Azure Stack Hub. You can use Azure Stack Hub to accommodate even more restrictive requirements such as the need to deploy solutions in a disconnected environment managed by security-cleared, in-country/region personnel. These disconnected environments may not be permitted to connect to the Internet for any purpose because of the security classification they operate at. - **Cloud application model on-premises:** Use Azure Stack Hub to update and extend legacy applications and make them cloud ready. With App Service on Azure Stack Hub, you can create a web front end to consume modern APIs with modern clients while taking advantage of consistent programming models and skills. For example, with Azure Stack Hub architecture for [legacy system modernization](/azure/architecture/solution-ideas/articles/unlock-legacy-data), you can apply a consistent DevOps process, Azure Web Apps, containers, serverless computing, and microservices architectures to modernize legacy applications while integrating and preserving legacy data in mainframe and core line-of-business systems. 
-Azure Stack Hub requires Azure Active Directory (Azure AD) or Active Directory Federation Services (ADFS), backed by Active Directory as an [identity provider](/azure-stack/operator/azure-stack-identity-overview). You can use [role-based access control](/azure-stack/user/azure-stack-manage-permissions) (RBAC) to grant system access to authorized users, groups, and services by assigning them roles at a subscription, resource group, or individual resource level. Each role defines the access level a user, group, or service has over Azure Stack Hub resources. +Azure Stack Hub requires Microsoft Entra ID or Active Directory Federation Services (ADFS), backed by Active Directory as an [identity provider](/azure-stack/operator/azure-stack-identity-overview). You can use [role-based access control](/azure-stack/user/azure-stack-manage-permissions) (RBAC) to grant system access to authorized users, groups, and services by assigning them roles at a subscription, resource group, or individual resource level. Each role defines the access level a user, group, or service has over Azure Stack Hub resources. Azure Stack Hub protects your data at the storage subsystem level using [encryption at rest](/azure-stack/operator/azure-stack-security-bitlocker). By default, Azure Stack Hub's storage subsystem is encrypted using BitLocker with 128-bit AES encryption. BitLocker keys are persisted in an internal secret store. At deployment time, it's also possible to configure BitLocker to use 256-bit AES encryption. You can store and manage your secrets including cryptographic keys using [Key Vault in Azure Stack Hub](/azure-stack/user/azure-stack-key-vault-intro). |
azure-government | Documentation Government Plan Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-plan-identity.md | Last updated 06/15/2022 # Planning identity for Azure Government applications -Microsoft Azure Government provides the same ways to build applications and manage identities as Azure Public. Azure Government customers may already have an Azure Active Directory (Azure AD) Public tenant or may create a tenant in Azure AD Government. This article provides guidance on identity decisions based on the application and location of your identity. +Microsoft Azure Government provides the same ways to build applications and manage identities as Azure Public. Azure Government customers may already have a Microsoft Entra Public tenant or may create a tenant in Microsoft Entra Government. This article provides guidance on identity decisions based on the application and location of your identity. ## Identity models Before determining the identity approach for your application, you need to know |On-premises identity|Cloud identity|Hybrid identity| ||||-|On-premises identities belong to on-premises Active Directory environments that most customers use today.|Cloud identities originate, exist only, and are managed in Azure AD.|Hybrid identities originate as on-premises identities, but become hybrid through directory synchronization to Azure AD. After directory synchronization, they exist both on-premises and in the cloud, hence hybrid.| +|On-premises identities belong to on-premises Active Directory environments that most customers use today.|Cloud identities originate, exist only, and are managed in Microsoft Entra ID.|Hybrid identities originate as on-premises identities, but become hybrid through directory synchronization to Microsoft Entra ID. 
After directory synchronization, they exist both on-premises and in the cloud, hence hybrid.| > [!NOTE]-> Hybrid comes with deployment options (synchronized identity, federated identity, and so on) that all rely on directory synchronization and mostly define how identities are authenticated as discussed in [What is hybrid identity with Azure Active Directory?](../active-directory/hybrid/whatis-hybrid-identity.md). +> Hybrid comes with deployment options (synchronized identity, federated identity, and so on) that all rely on directory synchronization and mostly define how identities are authenticated as discussed in [What is hybrid identity with Microsoft Entra ID?](../active-directory/hybrid/whatis-hybrid-identity.md). > ## Selecting identity for an Azure Government application When building any Azure application, you must first decide on the authentication technology: -- **Applications using modern authentication** ΓÇô Applications using OAuth, OpenID Connect, and/or other modern authentication protocols supported by Azure AD such as newly developed application built using PaaS technologies, for example, Web Apps, Azure SQL Database, and so on.+- **Applications using modern authentication** ΓÇô Applications using OAuth, OpenID Connect, and/or other modern authentication protocols supported by Microsoft Entra such as newly developed application built using PaaS technologies, for example, Web Apps, Azure SQL Database, and so on. - **Applications using legacy authentication protocols (Kerberos/NTLM)** ΓÇô Applications typically migrated from on-premises, for example, lift-and-shift applications. Based on this decision, there are different considerations when building and deploying on Azure Government. 
### Applications using modern authentication in Azure Government -[Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) shows how you can use Azure AD to provide secure sign-in and authorization to your applications. This process is the same for Azure Public and Azure Government once you choose your identity authority. +[Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) shows how you can use Microsoft Entra ID to provide secure sign-in and authorization to your applications. This process is the same for Azure Public and Azure Government once you choose your identity authority. #### Choosing your identity authority -Azure Government applications can use Azure AD Government identities, but can you use Azure AD Public identities to authenticate to an application hosted in Azure Government? Yes! Since you can use either identity authority, you need to choose which to use: +Azure Government applications can use Microsoft Entra Government identities, but can you use Microsoft Entra Public identities to authenticate to an application hosted in Azure Government? Yes! Since you can use either identity authority, you need to choose which to use: -- **Azure AD Public** ΓÇô Commonly used if your organization already has an Azure AD Public tenant to support Office 365 (Public or GCC) or another application.-- **Azure AD Government** - Commonly used if your organization already has an Azure AD Government tenant to support Office 365 (GCC High or DoD) or are creating a new tenant in Azure AD Government.+- **Microsoft Entra Public** ΓÇô Commonly used if your organization already has a Microsoft Entra Public tenant to support Office 365 (Public or GCC) or another application. 
+- **Microsoft Entra Government** - Commonly used if your organization already has a Microsoft Entra Government tenant to support Office 365 (GCC High or DoD) or are creating a new tenant in Microsoft Entra Government. -Once decided, the special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant. Otherwise, if you perform the app registration in the directory the subscription trusts (Azure Government) the intended set of users can't authenticate. +Once decided, the special consideration is where you perform your app registration. If you choose Microsoft Entra Public identities for your Azure Government application, you must register the application in your Microsoft Entra Public tenant. Otherwise, if you perform the app registration in the directory the subscription trusts (Azure Government) the intended set of users can't authenticate. > [!NOTE]-> Applications registered with Azure AD only allow sign-in from users in the Azure AD tenant the application was registered in. If you have multiple Azure AD Public tenants, itΓÇÖs important to know which is intended to allow sign-ins from. If you intend to allow users to authenticate to the application from multiple Azure AD tenants the application must be registered in each tenant. +> Applications registered with Microsoft Entra-only allow sign-in from users in the Microsoft Entra tenant the application was registered in. If you have multiple Microsoft Entra Public tenants, itΓÇÖs important to know which is intended to allow sign-ins from. If you intend to allow users to authenticate to the application from multiple Microsoft Entra tenants the application must be registered in each tenant. > The other consideration is the identity authority URL. 
You need the correct URL based on your chosen authority: |Identity authority|URL| |||-|Azure AD Public|login.microsoftonline.com| -|Azure AD Government|login.microsoftonline.us| +|Microsoft Entra Public|login.microsoftonline.com| +|Microsoft Entra Government|login.microsoftonline.us| ### Applications using legacy authentication protocols (Kerberos/NTLM) First, see [Connect to Azure Government using portal](./documentation-government There are a few important points that set the foundation of this section: - Azure subscriptions only trust one directory, therefore subscription administration must be performed by an identity from that directory.-- Azure Public subscriptions trust directories in Azure AD Public whereas Azure Government subscriptions trust directories in Azure AD Government.+- Azure Public subscriptions trust directories in Microsoft Entra Public whereas Azure Government subscriptions trust directories in Microsoft Entra Government. - If you have both Azure Public and Azure Government subscriptions, separate identities for both are required. The currently supported identity scenarios to simultaneously manage Azure Public and Azure Government subscriptions are: The following diagram is the simplest of the scenarios to implement. :::image type="content" source="./media/documentation-government-plan-identity-cloud-identities-for-subscription-administration.png" alt-text="Multi-cloud subscription administration option using cloud identities for Office 365 and Azure Government." border="false"::: -While using cloud identities is the simplest approach, it is also the least secure because passwords are used as an authentication factor. We recommend [Azure AD Multi-Factor Authentication](../active-directory/authentication/concept-mfa-howitworks.md), Microsoft's two-step verification solution, to add a critical second layer of security to secure access to Azure subscriptions when using cloud identities. 
+While using cloud identities is the simplest approach, it is also the least secure because passwords are used as an authentication factor. We recommend [Microsoft Entra multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md), Microsoft's two-step verification solution, to add a critical second layer of security to secure access to Azure subscriptions when using cloud identities. ### Using hybrid and cloud identities for multi-cloud subscription administration In this scenario, hybrid identities are used to administrator subscriptions in b ## Frequently asked questions -**Why does Office 365 GCC use Azure AD Public?** </br> -The first Office 365 US Government environment, Government Community Cloud (GCC), was created when Microsoft had a single cloud directory. The Office 365 GCC environment was designed to use Azure AD Public while still adhering to controls and requirements outlined in FedRAMP Moderate, Criminal Justice Information Services (CJIS), Internal Revenue Service (IRS) 1075, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Azure Government, with its Azure AD infrastructure, was created later. By that time, GCC had already secured the necessary compliance authorizations (for example, FedRAMP Moderate and CJIS) to meet Federal, State, and Local government requirements while serving hundreds of thousands of customers. Now, many Office 365 GCC customers have two Azure AD tenants: one from the Azure AD subscription that supports Office 365 GCC and the other from their Azure Government subscription, with identities in both. +**Why does Office 365 GCC use Microsoft Entra Public?** </br> +The first Office 365 US Government environment, Government Community Cloud (GCC), was created when Microsoft had a single cloud directory. 
The Office 365 GCC environment was designed to use Microsoft Entra Public while still adhering to controls and requirements outlined in FedRAMP Moderate, Criminal Justice Information Services (CJIS), Internal Revenue Service (IRS) 1075, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Azure Government, with its Microsoft Entra infrastructure, was created later. By that time, GCC had already secured the necessary compliance authorizations (for example, FedRAMP Moderate and CJIS) to meet Federal, State, and Local government requirements while serving hundreds of thousands of customers. Now, many Office 365 GCC customers have two Microsoft Entra tenants: one from the Microsoft Entra subscription that supports Office 365 GCC and the other from their Azure Government subscription, with identities in both. **How do I identify an Azure Government tenant?** </br> HereΓÇÖs a way to find out using your browser of choice: - - Obtain your tenant name (for example, contoso.onmicrosoft.com) or a domain name registered to your Azure AD tenant (for example, contoso.gov). + - Obtain your tenant name (for example, contoso.onmicrosoft.com) or a domain name registered to your Microsoft Entra tenant (for example, contoso.gov). - Navigate to `https://login.microsoftonline.com/<domainname>/.well-known/openid-configuration` - \<domainname\> can either be the tenant name or domain name you gathered in the previous step. - **An example URL**: `https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration` HereΓÇÖs a way to find out using your browser of choice: - The tenant_region_scope property is exactly how it sounds, regional. If you have a tenant in Azure Public in North America, the value would be **NA**. 
**If IΓÇÖm an Office 365 GCC customer and want to build solutions in Azure Government do I need to have two tenants?** </br>-Yes, the Azure AD Government tenant is required for your Azure Government subscription administration. +Yes, the Microsoft Entra Government tenant is required for your Azure Government subscription administration. **If IΓÇÖm an Office 365 GCC customer that has built workloads in Azure Government, where should I authenticate from: Public or Government?** </br> See [Choosing your identity authority](#choosing-your-identity-authority) earlier in this article. -**IΓÇÖm an Office 365 customer and have chosen hybrid identity as my identity model. I also have several Azure subscriptions. Is it possible to use the same Azure AD tenant to handle sign-in for Office 365, applications built in my Azure subscriptions, and/or applications reconfigured to use Azure AD for sign-in?** </br> -Yes, see [Associate or add an Azure subscription to your Azure Active Directory tenant](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) to learn more about the relationship between Azure subscriptions and Azure AD. It also contains instructions on how to associate subscriptions to the common directory of your choosing. +**IΓÇÖm an Office 365 customer and have chosen hybrid identity as my identity model. I also have several Azure subscriptions. Is it possible to use the same Microsoft Entra tenant to handle sign-in for Office 365, applications built in my Azure subscriptions, and/or applications reconfigured to use Microsoft Entra ID for sign-in?** </br> +Yes, see [Associate or add an Azure subscription to your Microsoft Entra tenant](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) to learn more about the relationship between Azure subscriptions and Microsoft Entra ID. It also contains instructions on how to associate subscriptions to the common directory of your choosing. 
-**Can an Azure Government subscription be associated with a directory in Azure AD Public?** </br> -No, the ability to manage Azure Government subscriptions requires identities sourced from a directory in Azure AD Government. +**Can an Azure Government subscription be associated with a directory in Microsoft Entra Public?** </br> +No, the ability to manage Azure Government subscriptions requires identities sourced from a directory in Microsoft Entra Government. ## Next steps No, the ability to manage Azure Government subscriptions requires identities sou - [Azure Government compliance](./documentation-government-plan-compliance.md) - [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md) - [Multi-tenant user management](../active-directory/fundamentals/multi-tenant-user-management-introduction.md)-- [Azure Active Directory fundamentals documentation](../active-directory/fundamentals/index.yml)+- [Microsoft Entra fundamentals documentation](../active-directory/fundamentals/index.yml) |
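Review bot: the rewritten NOTE in the "Choosing your identity authority" section introduces a stray hyphen that changes the meaning: "Applications registered with Microsoft Entra-only allow sign-in from users in the Microsoft Entra tenant the application was registered in." In the original, "only" modified "allow" ("Azure AD only allow sign-in"), so the line should read "Applications registered with Microsoft Entra ID only allow sign-in from users in the Microsoft Entra tenant the application was registered in."; as written, "Entra-only" reads as a compound adjective.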
azure-government | Documentation Government Plan Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-plan-security.md | These principles are applicable to both Azure and Azure Government. As described Mitigating risk and meeting regulatory obligations are driving the increasing focus and importance of data encryption. Use an effective encryption implementation to enhance current network and application security measures and decrease the overall risk of your cloud environment. Azure has extensive support to safeguard customer data using [data encryption](../security/fundamentals/encryption-overview.md), including various encryption models: - Server-side encryption that uses service-managed keys, customer-managed keys (CMK) in Azure, or CMK in customer-controlled hardware.-- Client-side encryption that enables you to manage and store keys on-premises or in another secure location. Client-side encryption is built into the Java and .NET storage client libraries, which can use Azure Key Vault APIs, making the implementation straightforward. You can use Azure Active Directory to provide specific individuals with access to Azure Key Vault secrets.+- Client-side encryption that enables you to manage and store keys on-premises or in another secure location. Client-side encryption is built into the Java and .NET storage client libraries, which can use Azure Key Vault APIs, making the implementation straightforward. You can use Microsoft Entra ID to provide specific individuals with access to Azure Key Vault secrets. Data encryption provides isolation assurances that are tied directly to encryption key access. Since Azure uses strong ciphers for data encryption, only entities with access to encryption keys can have access to data. Deleting or revoking encryption keys renders the corresponding data inaccessible. 
### Encryption at rest -Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management. For more information about Azure Storage service encryption and Azure disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). +Azure provides extensive options for [encrypting data at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. This process relies on multiple encryption keys and services such as Azure Key Vault and Microsoft Entra ID to ensure secure key access and centralized key management. For more information about Azure Storage service encryption and Azure disk encryption, see [Data encryption at rest](./azure-secure-isolation-guidance.md#data-encryption-at-rest). ### Encryption in transit Azure Monitor collects data from each of the following tiers: - **Guest OS monitoring data:** Data about the operating system on which your application is running. The application could be running in Azure, another cloud, or on-premises. - **Azure resource monitoring data:** Data about the operation of an Azure resource. - **Azure subscription monitoring data:** Data about the operation and management of an Azure subscription and data about the health and operation of Azure itself. -- **Azure tenant monitoring data:** Data about the operation of tenant-level Azure services, such as Azure Active Directory.+- **Azure tenant monitoring data:** Data about the operation of tenant-level Azure services, such as Microsoft Entra ID. 
With Azure Monitor, you can get a 360-degree view of your applications, infrastructure, and network with advanced analytics, dashboards, and visualization maps. Azure Monitor provides intelligent insights and enables better decisions with AI. You can analyze, correlate, and monitor data from various sources using a powerful query language and built-in machine learning constructs. Moreover, Azure Monitor provides out-of-the-box integration with popular DevOps, IT Service Management (ITSM), and Security Information and Event Management (SIEM) tools. |
azure-maps | About Azure Maps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/about-azure-maps.md | The following video explains Azure Maps in depth: The Azure Maps Web SDK lets you customize interactive maps with your own content and imagery. You can use this interactive map for both your web or mobile applications. The map control makes use of WebGL, so you can render large data sets with high performance. You can develop with the SDK by using JavaScript or TypeScript. ### Android SDK Use the Azure Maps Android SDK to create mobile mapping applications. ## Services in Azure Maps For more information, see [Geolocation] in the Azure Maps REST API documentation [Render] service introduces a new version of the [Get Map Tile] API that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 tile sizes (where applicable) and numerous map types such as road, weather, contour, or map tiles. For a complete list, see [TilesetID] in the REST API documentation. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API]. > [!NOTE] > For more information, see [Geolocation] in the Azure Maps REST API documentation The route service is used to calculate the estimated arrival times (ETAs) for each requested route. Factors such as real-time traffic information and historic traffic data, like the typical road speeds on the requested day of the week and time of day are considered. The route service returns the shortest or fastest routes available to multiple destinations at a time in sequence or in optimized order, based on time or distance. 
The service allows developers to calculate directions across several travel modes, such as car, truck, bicycle, or walking, and electric vehicle. The service also considers inputs, such as departure time, weight restrictions, or hazardous material transport. The Route service offers advanced set features, such as: For more information, see [Route] in the Azure Maps REST API documentation. The Search service helps developers search for addresses, places, business listings by name or category, and other geographic information. Also, services can [reverse geocode] addresses and cross streets based on latitudes and longitudes. The Search service also provides advanced features such as: The Traffic service is a suite of web services that developers can use for web o * Traffic flow: Real-time observed speeds and travel times for all key roads in the network. * Traffic incidents: An up-to-date view of traffic jams and incidents around the road network. -![Example of a map with traffic information](media/about-azure-maps/intro_traffic.png) For more information, see [Traffic] in the Azure Maps REST API documentation. Developers can use the [Get Weather along route API] to retrieve weather informa The [Get Map Tile] API allows you to request past, current, and future radar and satellite tiles. -![Example of map with real-time weather radar tiles](media/about-azure-maps/intro_weather.png) ## Programming model Also, Azure Maps offers a convenient [JavaScript map control] with a simple prog The Azure Maps Power BI visual provides a rich set of data visualizations for spatial data on top of a map. It's estimated that over 80% of business data has a location context. The Azure Maps Power BI visual offers a no-code solution for gaining insights into how this location context relates to and influences your business data. For more information, see [Get started with Azure Maps Power BI visual]. |
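Review bot: the two images removed here (`media/about-azure-maps/intro_traffic.png` and `media/about-azure-maps/intro_weather.png`) are dropped without any replacement text, so the Traffic bullet list and the sentence "The [Get Map Tile] API allows you to request past, current, and future radar and satellite tiles." now stand without an illustration; if that is intended, the corresponding media files should be deleted in the same change so they do not linger as unreferenced assets.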
azure-maps | About Creator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/about-creator.md | This section provides a high-level overview of the indoor map creation workflow. describing the drawings. You can use the [Azure Maps Creator onboarding tool] to create new and edit existing [manifest files]. -1. **Upload**. Upload your drawing packages into your Azure Maps - account. Upload drawing packages using the [Data Upload API]. +1. **Upload**. Upload your drawing packages into your Azure Storage + account. For more information, see [How to create data registry]. -1. **Convert**. Once the drawing package is uploaded into your Azure Maps account, +1. **Convert**. Once the drawing package is uploaded into your Azure Storage account, +1. **Convert**. Once the drawing package is uploaded into your Azure Storage account, use the [Conversion] service to validate the data in the uploaded drawing package and convert it into map data. This section provides a high-level overview of the indoor map creation workflow. [Create dataset using GeoJson package]: how-to-dataset-geojson.md [Custom styling for indoor maps]: how-to-create-custom-styles.md [custom styling]: creator-indoor-maps.md#custom-styling-preview-[Data Upload API]: /rest/api/maps/data-v2/upload [dataset]: creator-indoor-maps.md#datasets [Drawing error visualizer]: drawing-error-visualizer.md [Drawing package guide]: drawing-package-guide.md?pivots=drawing-package-v2 This section provides a high-level overview of the indoor map creation workflow. [Facility Ontology]: creator-facility-ontology.md [Features API]: /rest/api/maps/2023-03-01-preview/features [features]: glossary.md#feature+[How to create data registry]: how-to-create-data-registries.md [Implement Dynamic styling for indoor maps]: indoor-map-dynamic-styling.md [Indoor map concepts]: creator-indoor-maps.md [Indoor maps wayfinding service]: how-to-creator-wayfinding.md |
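Review bot: the added "1. **Convert**. Once the drawing package is uploaded into your Azure Storage account," line appears twice in the Convert step; unless this is an artifact of how the diff was captured, drop the duplicate so the numbered workflow does not list Convert twice. The removal of the `[Data Upload API]: /rest/api/maps/data-v2/upload` definition is consistent with the Upload step no longer referencing it, and the new `[How to create data registry]` reference has its definition added in the same change.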
azure-maps | Authentication Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/authentication-best-practices.md | When creating publicly facing client applications with Azure Maps, you must ensu Subscription key-based authentication (Shared Key) can be used in either client side applications or web services, however it's the least secure approach to securing your application or web service. The reason is the key is easily obtained from an HTTP request and grants access to all Azure Maps REST API available in the SKU (Pricing Tier). If you do use subscription keys, be sure to [rotate them regularly] and keep in mind that Shared Key doesn't allow for configurable lifetime, it must be done manually. You should also consider using [Shared Key authentication with Azure Key Vault], which enables you to securely store your secret in Azure. -If using [Azure Active Directory (Azure AD) authentication] or [Shared Access Signature (SAS) Token authentication], access to Azure Maps REST APIs is authorized using [role-based access control (RBAC)]. RBAC enables you to control what access is given to the issued tokens. You should consider how long access should be granted for the tokens. Unlike Shared Key authentication, the lifetime of these tokens is configurable. +If using [Microsoft Entra authentication] or [Shared Access Signature (SAS) Token authentication], access to Azure Maps REST APIs is authorized using [role-based access control (RBAC)]. RBAC enables you to control what access is given to the issued tokens. You should consider how long access should be granted for the tokens. Unlike Shared Key authentication, the lifetime of these tokens is configurable. 
> [!TIP] > For apps that run on devices or desktop computers or in a web browser, you shoul ### Confidential client applications -For apps that run on servers (such as web services and service/daemon apps), if you prefer to avoid the overhead and complexity of managing secrets, consider [Managed Identities]. Managed identities can provide an identity for your web service to use when connecting to Azure Maps using Azure Active Directory (Azure AD) authentication. If so, your web service uses that identity to obtain the required Azure AD tokens. You should use Azure RBAC to configure what access the web service is given, using the [Least privileged roles] possible. +For apps that run on servers (such as web services and service/daemon apps), if you prefer to avoid the overhead and complexity of managing secrets, consider [Managed Identities]. Managed identities can provide an identity for your web service to use when connecting to Azure Maps using Microsoft Entra authentication. If so, your web service uses that identity to obtain the required Microsoft Entra tokens. You should use Azure RBAC to configure what access the web service is given, using the [Least privileged roles] possible. ## Next steps |
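Review bot: the link text `[Azure Active Directory (Azure AD) authentication]` is renamed to `[Microsoft Entra authentication]` in the Shared Key paragraph, but the hunk does not show the matching reference-style link definition being updated; if the definition at the end of the file still carries the old name, this link will render as literal bracketed text. Verify a `[Microsoft Entra authentication]: ...` definition exists alongside this change.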
azure-maps | Azure Maps Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/azure-maps-authentication.md | Title: Authentication with Microsoft Azure Maps -description: "Learn about two ways of authenticating requests in Azure Maps: shared key authentication and Azure Active Directory (Azure AD) authentication." +description: "Learn about two ways of authenticating requests in Azure Maps: shared key authentication and Microsoft Entra authentication." Last updated 07/05/2023-Azure Maps supports three ways to authenticate requests: Shared Key authentication, [Azure Active Directory (Azure AD)] authentication, and Shared Access Signature (SAS) Token authentication. This article explains authentication methods to help guide your implementation of Azure Maps services. The article also describes other account controls such as disabling local authentication for Azure Policy and Cross-Origin Resource Sharing (CORS). +Azure Maps supports three ways to authenticate requests: Shared Key authentication, [Microsoft Entra ID] authentication, and Shared Access Signature (SAS) Token authentication. This article explains authentication methods to help guide your implementation of Azure Maps services. The article also describes other account controls such as disabling local authentication for Azure Policy and Cross-Origin Resource Sharing (CORS). > [!NOTE] > To improve secure communication with Azure Maps, we now support Transport Layer Security (TLS) 1.2, and we're retiring support for TLS 1.0 and 1.1. If you currently use TLS 1.x, evaluate your TLS 1.2 readiness and develop a migration plan with the testing described in [Solving the TLS 1.0 Problem]. https://atlas.microsoft.com/mapData/upload?api-version=1.0&dataFormat=zip&subscr > [!IMPORTANT] > Primary and Secondary keys should be treated as sensitive data. The shared key is used to authenticate all Azure Maps REST API. 
Users who use a shared key should abstract the API key away, either through environment variables or secure secret storage, where it can be managed centrally. -## Azure AD authentication +<a name='azure-ad-authentication'></a> -Azure Subscriptions are provided with an Azure AD tenant to enable fine grained access control. Azure Maps offers authentication for Azure Maps services using Azure AD. Azure AD provides identity-based authentication for users and applications registered in the Azure AD tenant. +## Microsoft Entra authentication -Azure Maps accepts **OAuth 2.0** access tokens for Azure AD tenants associated with an Azure subscription that contains an Azure Maps account. Azure Maps also accepts tokens for: +Azure Subscriptions are provided with a Microsoft Entra tenant to enable fine grained access control. Azure Maps offers authentication for Azure Maps services using Microsoft Entra ID. Microsoft Entra ID provides identity-based authentication for users and applications registered in the Microsoft Entra tenant. -- Azure AD users+Azure Maps accepts **OAuth 2.0** access tokens for Microsoft Entra tenants associated with an Azure subscription that contains an Azure Maps account. Azure Maps also accepts tokens for: ++- Microsoft Entra users - Partner applications that use permissions delegated by users - Managed identities for Azure resources -Azure Maps generates a _unique identifier_ (client ID) for each Azure Maps account. You can request tokens from Azure AD when you combine this client ID with other parameters. +Azure Maps generates a _unique identifier_ (client ID) for each Azure Maps account. You can request tokens from Microsoft Entra ID when you combine this client ID with other parameters. -For more information about how to configure Azure AD and request tokens for Azure Maps, see [Manage authentication in Azure Maps]. 
+For more information about how to configure Microsoft Entra ID and request tokens for Azure Maps, see [Manage authentication in Azure Maps]. -For general information about authenticating with Azure AD, see [Authentication vs. authorization]. +For general information about authenticating with Microsoft Entra ID, see [Authentication vs. authorization]. ## Managed identities for Azure resources and Azure Maps -[Managed identities for Azure resources] provide Azure services with an automatically managed application based security principal that can authenticate with Azure AD. With Azure role-based access control (Azure RBAC), the managed identity security principal can be authorized to access Azure Maps services. Some examples of managed identities include: Azure App Service, Azure Functions, and Azure Virtual Machines. For a list of managed identities, see [Azure services that can use managed identities to access other services]. For more information on managed identities, see [Manage authentication in Azure Maps]. +[Managed identities for Azure resources] provide Azure services with an automatically managed application based security principal that can authenticate with Microsoft Entra ID. With Azure role-based access control (Azure RBAC), the managed identity security principal can be authorized to access Azure Maps services. Some examples of managed identities include: Azure App Service, Azure Functions, and Azure Virtual Machines. For a list of managed identities, see [Azure services that can use managed identities to access other services]. For more information on managed identities, see [Manage authentication in Azure Maps]. ++<a name='configure-application-azure-ad-authentication'></a> -### Configure application Azure AD authentication +### Configure application Microsoft Entra authentication -Applications authenticate with the Azure AD tenant using one or more supported scenarios provided by Azure AD. 
Each Azure AD application scenario represents different requirements based on business needs. Some applications may require user sign-in experiences and other applications may require an application sign-in experience. For more information, see [Authentication flows and application scenarios]. +Applications authenticate with the Microsoft Entra tenant using one or more supported scenarios provided by Microsoft Entra ID. Each Microsoft Entra application scenario represents different requirements based on business needs. Some applications may require user sign-in experiences and other applications may require an application sign-in experience. For more information, see [Authentication flows and application scenarios]. After the application receives an access token, the SDK and/or application sends an HTTPS request with the following set of required HTTP headers in addition to other REST API HTTP headers: After the application receives an access token, the SDK and/or application sends > [!NOTE] > `x-ms-client-id` is the Azure Maps account-based GUID that appears on the Azure Maps authentication page. -Here's an example of an Azure Maps route request that uses an Azure AD OAuth Bearer token: +Here's an example of an Azure Maps route request that uses a Microsoft Entra ID OAuth Bearer token: ```http GET /route/directions/json?api-version=1.0&query=52.50931,13.42936:52.50274,13.43872 For information about viewing your client ID, see [View authentication details]. ### Prerequisites -If you're new to Azure RBAC, [Azure role-based access control (Azure RBAC)] overview provides Principal types are granted a set of permissions, also known as a role definition. A role definition provides permissions to REST API actions. Azure Maps supports access to all principal types for [Azure role-based access control (Azure RBAC)] including: individual Azure AD users, groups, applications, Azure resources, and Azure managed identities. 
Applying access to one or more Azure Maps accounts is known as a scope. A role assignment is created when a principal, role definition, and scope are applied. +If you're new to Azure RBAC, [Azure role-based access control (Azure RBAC)] overview provides Principal types are granted a set of permissions, also known as a role definition. A role definition provides permissions to REST API actions. Azure Maps supports access to all principal types for [Azure role-based access control (Azure RBAC)] including: individual Microsoft Entra users, groups, applications, Azure resources, and Azure managed identities. Applying access to one or more Azure Maps accounts is known as a scope. A role assignment is created when a principal, role definition, and scope are applied. ### Overview -The next sections discuss concepts and components of Azure Maps integration with Azure RBAC. As part of the process to set up your Azure Maps account, an Azure AD directory is associated to the Azure subscription, which the Azure Maps account resides. +The next sections discuss concepts and components of Azure Maps integration with Azure RBAC. As part of the process to set up your Azure Maps account, a Microsoft Entra directory is associated to the Azure subscription, which the Azure Maps account resides. When you configure Azure RBAC, you choose a security principal and apply it to a role assignment. To learn how to add role assignments on the Azure portal, see [Assign Azure roles using the Azure portal]. Assigning a role assignment to a resource group can enable access to multiple Az ## Disable local authentication -Azure Maps accounts support the standard Azure property in the [Management API] for `Microsoft.Maps/accounts` called `disableLocalAuth`. When `true`, all authentication to the Azure Maps data-plane REST API is disabled, except [Azure AD authentication]. This is configured using Azure Policy to control distribution and management of shared keys and SAS tokens. 
For more information, see [What is Azure Policy?]. +Azure Maps accounts support the standard Azure property in the [Management API] for `Microsoft.Maps/accounts` called `disableLocalAuth`. When `true`, all authentication to the Azure Maps data-plane REST API is disabled, except [Microsoft Entra authentication]. This is configured using Azure Policy to control distribution and management of shared keys and SAS tokens. For more information, see [What is Azure Policy?]. Disabling local authentication doesn't take effect immediately. Allow a few minutes for the service to block future authentication requests. To re-enable local authentication, set the property to `false` and after a few minutes local authentication resumes. Disabling local authentication doesn't take effect immediately. Allow a few minu Shared access signature (SAS) tokens are authentication tokens created using the JSON Web token (JWT) format and are cryptographically signed to prove authentication for an application to the Azure Maps REST API. A SAS token, created by integrating a [user-assigned managed identity] with an Azure Maps account in your Azure subscription. The user-assigned managed identity is given authorization to the Azure Maps account through Azure RBAC using either built-in or custom role definitions. -Functional key differences of SAS token from Azure AD Access tokens: +Functional key differences of SAS token from Microsoft Entra access tokens: - Lifetime of a token for a max expiration of one day (24 hours). - Azure location and geography access control per token. After the application receives a SAS token, the Azure Maps SDK and/or applicatio [CORS] is an HTTP protocol that enables a web application running under one domain to access resources in another domain. 
Web browsers implement a security restriction known as [same-origin policy] that prevents a web page from calling APIs in a different domain; CORS provides a secure way to allow one domain (the origin domain) to call APIs in another domain. Using the Azure Maps account resource, you can configure which origins are allowed to access the Azure Maps REST API from your applications. > [!IMPORTANT]-> CORS is not an authorization mechanism. Any request made to a map account using REST API, when CORS is enabled, also needs a valid map account authentication scheme such as Shared Key, Azure AD, or SAS token. +> CORS is not an authorization mechanism. Any request made to a map account using REST API, when CORS is enabled, also needs a valid map account authentication scheme such as Shared Key, Microsoft Entra ID, or SAS token. > > CORS is supported for all map account pricing tiers, data-plane endpoints, and locations. To learn more about security best practices, see: > [!div class="nextstepaction"] > [Authentication and authorization best practices] -To learn more about authenticating an application with Azure AD and Azure Maps, see: +To learn more about authenticating an application with Microsoft Entra ID and Azure Maps, see: > [!div class="nextstepaction"] > [Manage authentication in Azure Maps] -To learn more about authenticating the Azure Maps Control with Azure AD, see: +To learn more about authenticating the Azure Maps Control with Microsoft Entra ID, see: > [!div class="nextstepaction"] > [Use the Azure Maps Map Control] |
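Review bot: in the "Disable local authentication" hunk, the sentence "This is configured using Azure Policy to control distribution and management of shared keys and SAS tokens" leaves "This" ambiguous, since the hunk's first sentence describes `disableLocalAuth` as a Management API property on `Microsoft.Maps/accounts`; state plainly whether the property is set per account through that API and additionally enforced across accounts with Azure Policy, so a reader does not conclude that Azure Policy is the only way to turn off shared-key and SAS access. The same hunk's "Allow a few minutes for the service to block future authentication requests" is the operationally important caveat and should stay adjacent to the setting rather than being separated by the rename-only line.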
azure-maps | Create Data Source Android Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/create-data-source-android-sdk.md | Azure Maps adheres to the [Mapbox Vector Tile Specification], an open standard. - Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render - Get Map Tile] API > [!TIP]-> When using vector or raster image tiles from the Azure Maps render service with the web SDK, you can replace `atlas.microsoft.com` with the placeholder `azmapsdomain.invalid`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Azure Active Directory authentication. +> When using vector or raster image tiles from the Azure Maps render service with the web SDK, you can replace `atlas.microsoft.com` with the placeholder `azmapsdomain.invalid`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Microsoft Entra authentication. To display data from a vector tile source on the map, connect the source to one of the data rendering layers. All layers that use a vector source must specify a `sourceLayer` value in the options. The following code loads the Azure Maps traffic flow vector tile service as a vector tile source, then displays it on a map using a line layer. This vector tile source has a single set of data in the source layer called "Traffic flow". The line data in this data set has a property called `traffic_level` that is used in this code to select the color and scale the size of lines. |
azure-maps | Create Data Source Ios Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/create-data-source-ios-sdk.md | Azure Maps adheres to the [Mapbox Vector Tile Specification], an open standard. - Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render - Get Map Tile] API > [!TIP]-> When using vector or raster image tiles from the Azure Maps render service with the iOS SDK, you can replace `atlas.microsoft.com` with the `AzureMap`'s property' `domainPlaceholder`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Azure Active Directory authentication. +> When using vector or raster image tiles from the Azure Maps render service with the iOS SDK, you can replace `atlas.microsoft.com` with the `AzureMap`'s property' `domainPlaceholder`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Microsoft Entra authentication. To display data from a vector tile source on the map, connect the source to one of the data rendering layers. All layers that use a vector source must specify a `sourceLayer` value in the options. The following code loads the Azure Maps traffic flow vector tile service as a vector tile source, then displays it on a map using a line layer. This vector tile source has a single set of data in the source layer called "Traffic flow". The line data in this data set has a property called `traffic_level` that is used in this code to select the color and scale the size of lines. |
azure-maps | Create Data Source Web Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/create-data-source-web-sdk.md | Azure Maps adheres to the [Mapbox Vector Tile Specification], an open standard. * Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render - Get Map Tile] API > [!TIP]-> When using vector or raster image tiles from the Azure Maps render service with the web SDK, you can replace `atlas.microsoft.com` with the placeholder `{azMapsDomain}`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Azure Active Directory authentication. +> When using vector or raster image tiles from the Azure Maps render service with the web SDK, you can replace `atlas.microsoft.com` with the placeholder `{azMapsDomain}`. This placeholder will be replaced with the same domain used by the map and will automatically append the same authentication details as well. This greatly simplifies authentication with the render service when using Microsoft Entra authentication. To display data from a vector tile source on the map, connect the source to one of the data rendering layers. All layers that use a vector source must specify a `sourceLayer` value in the options. The following code loads the Azure Maps traffic flow vector tile service as a vector tile source, then displays it on a map using a line layer. This vector tile source has a single set of data in the source layer called "Traffic flow". The line data in this data set has a property called `traffic_level` that is used in this code to select the color and scale the size of lines. |
azure-maps | Creator Indoor Maps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/creator-indoor-maps.md | Creator usage data is incorporated in your Azure Maps usage charts and activity >[!Important] >We recommend using: >-> - Azure Active Directory (Azure AD) in all solutions that are built with an Azure Maps account using Creator services. For more information about Azure AD, see [Azure AD authentication]. +> - Microsoft Entra ID in all solutions that are built with an Azure Maps account using Creator services. For more information about Microsoft Entra ID, see [Microsoft Entra authentication]. > >- Role-based access control settings. Using these settings, map makers can act as the Azure Maps Data Contributor role, and Creator map data users can act as the Azure Maps Data Reader role. For more information, see [Authorization with role-based access control]. Creator services create, store, and use various data types that are defined and Creator collects indoor map data by converting an uploaded drawing package. The drawing package represents a constructed or remodeled facility. For information about drawing package requirements, see [Drawing package requirements]. -Use [Data Upload] to upload a drawing package. After the Drawing packing is uploaded, the Data Upload API returns a user data identifier (`udid`). The `udid` can then be used to convert the uploaded package into indoor map data. +Follow the steps outlined in the [How to create data registry] article to upload the drawing package into your Azure storage account then register it in your Azure Maps account. ++> [!IMPORTANT] +> Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is required to convert the uploaded package into indoor map data. 
## Convert a drawing package An application can use a feature stateset to dynamically render features in a fa ### Wayfinding (preview) -The [Wayfinding service] enables you to provide your customers with the shortest path between two points within a facility. Once you've imported your indoor map data and created your dataset, you can use that to create a [routeset]. The routeset provides the data required to generate paths between two points. The wayfinding service takes into account things such as the minimum width of openings and may optionally exclude elevators or stairs when navigating between levels as a result. +The [Wayfinding service] enables you to provide your customers with the shortest path between two points within a facility. Once you've imported your indoor map data and created your dataset, you can use that to create a [routeset]. The routeset provides the data required to generate paths between two points. The wayfinding service takes into account things such as the minimum width of openings and can optionally exclude elevators or stairs when navigating between levels as a result. Creator wayfinding is powered by [Havok]. 
The following example shows how to update a dataset, create a new tileset, and d [Alias API]: /rest/api/maps/v2/alias [Conversion service]: /rest/api/maps/v2/conversion [Creator - map configuration Rest API]: /rest/api/maps/2023-03-01-preview/map-configuration-[Data Upload]: /rest/api/maps/data-v2/update [Dataset Create]: /rest/api/maps/v2/dataset/create [Dataset service]: /rest/api/maps/v2/dataset [Feature State service]: /rest/api/maps/v2/feature-state The following example shows how to update a dataset, create a new tileset, and d [Create custom styles for indoor maps]: how-to-create-custom-styles.md [Drawing package requirements]: drawing-requirements.md [Drawing package warnings and errors]: drawing-conversion-error-codes.md+[How to create data registry]: how-to-create-data-registries.md [Indoor maps wayfinding service]: how-to-creator-wayfinding.md [Instantiate the Indoor Manager]: how-to-use-indoor-module.md#instantiate-the-indoor-manager [Manage authentication in Azure Maps]: how-to-manage-authentication.md |
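Review bot: the new IMPORTANT callout in the drawing-package section is a comma splice ("Make sure to make a note of the unique identifier (`udid`) value, you will need it."); split it, for example "Make a note of the unique identifier (`udid`) value; you will need it to convert the uploaded package into indoor map data." The preceding sentence also needs a comma before "then register it in your Azure Maps account". The removal of the `[Data Upload]` reference definition in the link list is consistent with the rewritten paragraph no longer citing it.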
azure-maps | Drawing Error Visualizer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/drawing-error-visualizer.md | The *Drawing Error Visualizer* is a stand-alone web application that displays [D * A [subscription key] * A [Creator resource] -This tutorial uses the [Postman] application, but you may choose a different API development environment. +This tutorial uses the [Postman] application, but you can choose a different API development environment. ## Download -1. Upload your drawing package to the Azure Maps Creator service to obtain a `udid` for the uploaded package. For steps on how to upload a package, see [Upload a drawing package]. +1. Follow the steps outlined in the [How to create data registry] article to upload the drawing package into your Azure storage account then register it in your Azure Maps account. ++ > [!IMPORTANT] + > Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is is how you reference the drawing package you uploaded into your Azure storage account from your source code and HTTP requests. 2. Now that the drawing package is uploaded, use `udid` for the uploaded package to convert the package into map data. For steps on how to convert a package, see [Convert a drawing package]. Unzip the _VisualizationTool.zip_ folder. It contains the following items: * _static_ folder: source code * _https://docsupdatetracker.net/index.html_ file: the web application. -Open the _https://docsupdatetracker.net/index.html_ file using any of the following browsers, with the respective version number. You may use a different version, if the version offers equally compatible behavior as the listed version. +Open the _https://docsupdatetracker.net/index.html_ file using any of the following browsers, with the respective version number. You can use a different version, if the version offers equally compatible behavior as the listed version. 
* Microsoft Edge 80 * Safari 13 The _ConversionWarningsAndErrors.json_ file has been placed at the root of the :::image type="content" source="./media/drawing-errors-visualizer/loading-data.gif" alt-text="Drawing Error Visualizer App - Drag and drop to load data"::: -The _ConversionWarningsAndErrors.json_ contains a list of your drawing package errors and warnings. To view detailed information about an error or warning, select the **Details** link. An intractable section appears below the list. You may now navigate to each error to learn more details on how to resolve the error. +The _ConversionWarningsAndErrors.json_ contains a list of your drawing package errors and warnings. To view detailed information about an error or warning, select the **Details** link. An intractable section appears below the list. You can now navigate to each error to learn more details on how to resolve the error. :::image type="content" source="./media/drawing-errors-visualizer/errors.png" alt-text="Drawing Error Visualizer App - Errors and Warnings"::: Learn more by reading: [Creator resource]: how-to-manage-creator.md [Drawing package requirements]: drawing-requirements.md [Drawing package warnings and errors]: drawing-conversion-error-codes.md+[How to create data registry]: how-to-create-data-registries.md [Postman]: https://www.postman.com/ [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account-[Upload a drawing package]: tutorial-creator-indoor-maps.md#upload-a-drawing-package |
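Review bot: the added IMPORTANT callout under step 1 of "Download" contains a duplicated word, "The `udid` is is how you reference the drawing package"; drop one "is". The callout repeats the comma splice "value, you will need it" and should be split into two sentences. Removing the `[Upload a drawing package]` reference definition is consistent with step 1 no longer linking to it.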
azure-maps | Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/glossary.md | The following list describes common words used with the Azure Maps services. <a name="azure-location-based-services-lbs"></a> **Azure Location Based Services (LBS)**: The former name of Azure Maps when it was in preview. -<a name="azure-active-directory"></a> **Azure Active Directory (Azure AD)**: Azure AD is Microsoft's cloud-based identity and access management service. Azure Maps Azure AD integration is currently available in preview for all Azure Maps APIs. Azure AD supports Azure role-based access control (Azure RBAC) to allow fine-grained access to Azure Maps resources. To learn more about Azure Maps Azure AD integration, see [Azure Maps and Azure AD] and [Manage authentication in Azure Maps]. +<a name="azure-active-directory"></a> **Microsoft Entra ID**: Microsoft Entra ID is Microsoft's cloud-based identity and access management service. Azure Maps Microsoft Entra integration is currently available in preview for all Azure Maps APIs. Microsoft Entra ID supports Azure role-based access control (Azure RBAC) to allow fine-grained access to Azure Maps resources. To learn more about Azure Maps Microsoft Entra integration, see [Azure Maps and Microsoft Entra ID] and [Manage authentication in Azure Maps]. <a name="azure-maps-key"></a> **Azure Maps key**: See [Shared key authentication]. The following list describes common words used with the Azure Maps services. <a name="shapefile-shp"></a> **Shapefile (SHP)**: Or _ESRI Shapefile_, is a vector data storage format for storing the location, shape, and attributes of geographic features. A shapefile is stored in a set of related files. -<a name="shared-key-authentication"></a> **Shared key authentication**: Shared Key authentication relies on passing Azure Maps account generated keys with each request to Azure Maps. These keys are often referred to as subscription keys. 
It's recommended that keys are regularly regenerated for security. Two keys are provided so that you can maintain connections using one key while regenerating the other. When you regenerate your keys, you must update any applications that access this account to use the new keys. To learn more about Azure Maps authentication, see [Azure Maps and Azure AD] and [Manage authentication in Azure Maps]. +<a name="shared-key-authentication"></a> **Shared key authentication**: Shared Key authentication relies on passing Azure Maps account generated keys with each request to Azure Maps. These keys are often referred to as subscription keys. It's recommended that keys are regularly regenerated for security. Two keys are provided so that you can maintain connections using one key while regenerating the other. When you regenerate your keys, you must update any applications that access this account to use the new keys. To learn more about Azure Maps authentication, see [Azure Maps and Microsoft Entra ID] and [Manage authentication in Azure Maps]. <a name="software-development-kit-sdk"></a> **Software development kit (SDK)**: A collection of documentation, sample code, and sample apps to help a developer use an API to build apps. |
azure-maps | How To Dataset Geojson | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-dataset-geojson.md | Azure Maps Creator enables users to import their indoor map data in GeoJSON form - An [Azure Maps account] - A [Subscription key] - An Azure Maps [Creator resource]+- An [Azure storage account] - Basic understanding of [Creator for indoor maps] - Basic understanding of [Facility Ontology 2.0] - Zip package containing all required GeoJSON files. If you don't have GeoJSON files, you can download the [Contoso building sample]. For more information on the GeoJSON package, see the [Geojson zip package requir ### Upload the GeoJSON package -Use the [Data Upload API] to upload the Drawing package to Azure Maps Creator account. +Follow the steps outlined in the [How to create data registry] article to upload the GeoJSON package into your Azure storage account then register it in your Azure Maps account. -The Data Upload API is a long running transaction that implements the pattern defined in [Creator Long-Running Operation API V2]. --To upload the GeoJSON package: --1. Execute the following HTTP POST request that uses the [Data Upload API]: -- ```http - https://us.atlas.microsoft.com/mapData?api-version=2.0&dataFormat=zip&subscription-key={Your-Azure-Maps-Subscription-key} - ``` -- 1. Set `Content-Type` in the **Header** to `application/zip`. --1. Copy the value of the `Operation-Location` key in the response header. The `Operation-Location` key is also known as the `status URL` and is required to check the status of the upload, which is explained in the next section. --### Check the GeoJSON package upload status --To check the status of the GeoJSON package and retrieve its unique identifier (`udid`): --1. Execute the following HTTP GET request that uses the status URL you copied as the last step in the previous section of this article. 
The request should look like the following URL: --```http -https://us.atlas.microsoft.com/mapData/operations/{operationId}?api-version=2.0&subscription-key={Your-Azure-Maps-Subscription-key} -``` --1. Copy the value of the `Resource-Location` key in the response header, which is the `resource location URL`. The `resource location URL` contains the unique identifier (`udid`) of the GeoJSON package resource. +> [!IMPORTANT] +> Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is is how you reference the GeoJSON package you uploaded into your Azure storage account from your source code and HTTP requests. ### Create a dataset A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset: -1. Enter the following URL to the dataset service. The request should look like the following URL (replace {udid} with the `udid` obtained in [Check the GeoJSON package upload status] section): +1. Enter the following URL to the dataset service. The request should look like the following URL (replace {udid} with the `udid` obtained in [Upload the GeoJSON package] section): ```http https://us.atlas.microsoft.com/datasets?api-version=2023-03-01-preview&udid={udid}&subscription-key={Your-Azure-Maps-Subscription-key} Feature IDs can only contain alpha-numeric (a-z, A-Z, 0-9), hyphen (-), dot (.) 
[Access to Creator services]: how-to-manage-creator.md#access-to-creator-services [area]: creator-facility-ontology.md?pivots=facility-ontology-v2#areaelement [Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account-[Check the GeoJSON package upload status]: #check-the-geojson-package-upload-status [Contoso building sample]: https://github.com/Azure-Samples/am-creator-indoor-data-examples [Convert a drawing package]: tutorial-creator-indoor-maps.md#convert-a-drawing-package [Create a dataset]: #create-a-dataset [Create a tileset]: tutorial-creator-indoor-maps.md#create-a-tileset [Creator for indoor maps]: creator-indoor-maps.md-[Creator Long-Running Operation API V2]: creator-long-running-operation-v2.md [Creator resource]: how-to-manage-creator.md-[Data Upload API]: /rest/api/maps/data-v2/upload [Dataset Create API]: /rest/api/maps/2023-03-01-preview/dataset/create [Dataset Create]: /rest/api/maps/v2/dataset/create [dataset]: creator-indoor-maps.md#datasets [Facility Ontology 2.0]: creator-facility-ontology.md?pivots=facility-ontology-v2 [facility]: creator-facility-ontology.md?pivots=facility-ontology-v2#facility [Geojson zip package requirements]: #geojson-zip-package-requirements+[How to create data registry]: how-to-create-data-registries.md [level]: creator-facility-ontology.md?pivots=facility-ontology-v2#level [line]: creator-facility-ontology.md?pivots=facility-ontology-v2#lineelement [Next steps]: #next-steps [openings]: creator-facility-ontology.md?pivots=facility-ontology-v2#opening [point]: creator-facility-ontology.md?pivots=facility-ontology-v2#pointelement [RFC 7946]: https://www.rfc-editor.org/rfc/rfc7946.html+[Azure storage account]: /azure/storage/common/storage-account-create?tabs=azure-portal [structures]: creator-facility-ontology.md?pivots=facility-ontology-v2#structure [Subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [units]: 
creator-facility-ontology.md?pivots=facility-ontology-v2#unit+[Upload the GeoJSON package]: #upload-the-geojson-package [verticalPenetrations]: creator-facility-ontology.md?pivots=facility-ontology-v2#verticalpenetration [Visual Studio]: https://visualstudio.microsoft.com/downloads/ |
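Review bot: the replacement IMPORTANT callout in "Upload the GeoJSON package" has the same duplicated "is is" ("The `udid` is is how you reference the GeoJSON package") and the comma splice "value, you will need it"; fix both. Since the removed "Check the GeoJSON package upload status" section was where the `udid` was previously obtained, the updated step 1 of "Create a dataset" correctly re-points its link to `[Upload the GeoJSON package]`, and the reference list adds and removes the matching definitions, so the links stay consistent.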
azure-maps | How To Dev Guide Csharp Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-dev-guide-csharp-sdk.md | dotnet add package Azure.Maps.Geolocation --prerelease ## Create and authenticate a MapsSearchClient -The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a `TokenCredential` object with the Azure Maps client ID when authenticating using Azure Active Directory (Azure AD). For more information on authentication, see [Authentication with Azure Maps]. +The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a `TokenCredential` object with the Azure Maps client ID when authenticating using Microsoft Entra ID. For more information on authentication, see [Authentication with Azure Maps]. -### Using an Azure AD credential +<a name='using-an-azure-ad-credential'></a> -You can authenticate with Azure AD using the [Azure Identity library][Identity library .NET]. To use the [DefaultAzureCredential][defaultazurecredential.NET] provider, you need to install the Azure Identity client library for .NET: +### Using a Microsoft Entra credential ++You can authenticate with Microsoft Entra ID using the [Azure Identity library][Identity library .NET]. To use the [DefaultAzureCredential][defaultazurecredential.NET] provider, you need to install the Azure Identity client library for .NET: ```powershell dotnet add package Azure.Identity ``` -You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. 
+You need to register the new Microsoft Entra application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. -Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resourceΓÇÖs client ID as environment variables: +Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Microsoft Entra application, and the map resourceΓÇÖs client ID as environment variables: | Environment Variable | Description | |-|| |
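Review bot: the rewritten opening sentence of "Create and authenticate a MapsSearchClient" keeps the agreement error "The client object ... require either"; change to "requires". Keeping the `<a name='using-an-azure-ad-credential'></a>` anchor above the renamed heading is the right call, since existing deep links to the section still resolve.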
azure-maps | How To Dev Guide Java Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-dev-guide-java-sdk.md | New-Item demo.java ## Create and authenticate a MapsSearchClient -The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a TokenCredential object with the Azure Maps client ID when authenticating using Azure Active Directory (Azure AD). For more information on authentication, see [Authentication with Azure Maps][authentication]. +The client object used to access the Azure Maps Search APIs require either an `AzureKeyCredential` object to authenticate when using an Azure Maps subscription key or a TokenCredential object with the Azure Maps client ID when authenticating using Microsoft Entra ID. For more information on authentication, see [Authentication with Azure Maps][authentication]. -### Using an Azure AD credential +<a name='using-an-azure-ad-credential'></a> -You can authenticate with Azure AD using the [Azure Identity library]. To use the [DefaultAzureCredential] provider, you need to add the mvn dependency in the `pom.xml` file: +### Using a Microsoft Entra credential ++You can authenticate with Microsoft Entra ID using the [Azure Identity library]. To use the [DefaultAzureCredential] provider, you need to add the mvn dependency in the `pom.xml` file: ```xml <dependency> You can authenticate with Azure AD using the [Azure Identity library]. To use th </dependency> ``` -You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. 
+You need to register the new Microsoft Entra application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. -Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resource's client ID as environment variables: +Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Microsoft Entra application, and the map resource's client ID as environment variables: | Environment Variable | Description | |-|| |
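Review bot: as in the C# guide, the rewritten sentence "The client object ... require either" should read "requires", and `TokenCredential` in the same sentence should be in code formatting to match `AzureKeyCredential`. Preserving the `using-an-azure-ad-credential` anchor while renaming the heading keeps existing links working.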
azure-maps | How To Dev Guide Js Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-dev-guide-js-sdk.md | mapsDemo ## Create and authenticate a MapsSearchClient -You need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either an Azure Active Directory (Azure AD) credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps]. +You need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either a Microsoft Entra credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps]. > [!TIP] > The`MapsSearchClient` is the primary interface for developers using the Azure Maps search library. See [Azure Maps Search client library][JS-SDK] to learn more about the search methods available. -### Using an Azure AD credential +<a name='using-an-azure-ad-credential'></a> -You can authenticate with Azure AD using the [Azure Identity library]. To use the [DefaultAzureCredential] provider, you need to install the `@azure/identity` package: +### Using a Microsoft Entra credential ++You can authenticate with Microsoft Entra ID using the [Azure Identity library]. To use the [DefaultAzureCredential] provider, you need to install the `@azure/identity` package: ```powershell npm install @azure/identity ``` -You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. 
+You need to register the new Microsoft Entra application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. -Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resourceΓÇÖs client ID as environment variables: +Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Microsoft Entra application, and the map resourceΓÇÖs client ID as environment variables: | Environment Variable | Description | |--|--| main().catch((err) => { ``` -This code snippet shows how to use the `MapsSearch` method from the Azure Maps Search client library to create a `client` object with your Azure credentials. You can use either your Azure Maps subscription key or the [Azure AD credential](#using-an-azure-ad-credential) from the previous section. The `path` parameter specifies the API endpoint, which is "/search/fuzzy/{format}" in this case. The `get` method sends an HTTP GET request with the query parameters, such as `query`, `coordinates`, and `countryFilter`. The query searches for Starbucks locations near Seattle in the US. The SDK returns the results as a [FuzzySearchResult] object and writes them to the console. For more information, see the [FuzzySearchRequest] documentation. +This code snippet shows how to use the `MapsSearch` method from the Azure Maps Search client library to create a `client` object with your Azure credentials. You can use either your Azure Maps subscription key or the [Microsoft Entra credential](#using-an-azure-ad-credential) from the previous section. The `path` parameter specifies the API endpoint, which is "/search/fuzzy/{format}" in this case. 
The `get` method sends an HTTP GET request with the query parameters, such as `query`, `coordinates`, and `countryFilter`. The query searches for Starbucks locations near Seattle in the US. The SDK returns the results as a [FuzzySearchResult] object and writes them to the console. For more information, see the [FuzzySearchRequest] documentation. Run `search.js` with Node.js: |
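Review bot: the unchanged TIP context still reads "The`MapsSearchClient` is the primary interface" with no space after "The"; since the surrounding lines are being rewritten for the Entra rename, suggest fixing it to "The `MapsSearchClient` is the primary interface" in the same change. Keeping the `<a name='using-an-azure-ad-credential'></a>` anchor above the renamed heading is the right call, because the later sentence in this hunk still links to `(#using-an-azure-ad-credential)`.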
azure-maps | How To Dev Guide Py Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-dev-guide-py-sdk.md | Azure Maps Python SDK supports Python version 3.7 or later. For more information ## Create and authenticate a MapsSearchClient -You need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either an Azure Active Directory (Azure AD) credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps]. +You need a `credential` object for authentication when creating the `MapsSearchClient` object used to access the Azure Maps search APIs. You can use either a Microsoft Entra credential or an Azure subscription key to authenticate. For more information on authentication, see [Authentication with Azure Maps]. > [!TIP] > The`MapsSearchClient` is the primary interface for developers using the Azure Maps search library. See [Azure Maps Search package client library] to learn more about the search methods available. -### Using an Azure AD credential +<a name='using-an-azure-ad-credential'></a> -You can authenticate with Azure AD using the [Azure Identity package]. To use the [DefaultAzureCredential] provider, you need to install the Azure Identity client package: +### Using a Microsoft Entra credential ++You can authenticate with Microsoft Entra ID using the [Azure Identity package]. To use the [DefaultAzureCredential] provider, you need to install the Azure Identity client package: ```powershell pip install azure-identity ``` -You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. 
You need them in the following steps. +You need to register the new Microsoft Entra application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps. Next you need to specify the Azure Maps account you intend to use by specifying the maps’ client ID. The Azure Maps account client ID can be found in the Authentication sections of the Azure Maps account. For more information, see [View authentication details]. -Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Azure AD application, and the map resource’s client ID as environment variables: +Set the values of the Application (client) ID, Directory (tenant) ID, and client secret of your Microsoft Entra application, and the map resource’s client ID as environment variables: | Environment Variable | Description | |-|| |
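Review bot: same missing space as in the JS guide, "The`MapsSearchClient` is the primary interface" in the TIP context should read "The `MapsSearchClient` is the primary interface"; worth folding into this rename pass since the adjacent lines are already touched.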
azure-maps | How To Manage Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-manage-authentication.md | custom.ms: subject-rbac-steps # Manage authentication in Azure Maps -When you create an Azure Maps account, your client ID and shared keys are created automatically. These values are required for authentication when using either [Azure Active Directory (Azure AD)] or [Shared Key authentication]. +When you create an Azure Maps account, your client ID and shared keys are created automatically. These values are required for authentication when using either [Microsoft Entra ID] or [Shared Key authentication]. ## Prerequisites To view your Azure Maps authentication details: ## Choose an authentication category -Depending on your application needs, there are specific pathways to application security. Azure AD defines specific authentication categories to support a wide range of authentication flows. To choose the best category for your application, see [application categories]. +Depending on your application needs, there are specific pathways to application security. Microsoft Entra ID defines specific authentication categories to support a wide range of authentication flows. To choose the best category for your application, see [application categories]. > [!NOTE]-> Understanding categories and scenarios will help you secure your Azure Maps application, whether you use Azure Active Directory or shared key authentication. +> Understanding categories and scenarios will help you secure your Azure Maps application, whether you use Microsoft Entra ID or shared key authentication. ## How to add and remove managed identities You can create a user-assigned managed identity before or after creating a map a You can remove a system-assigned identity by disabling the feature through the portal or the Azure Resource Manager template in the same way that it was created. User-assigned identities can be removed individually. 
To remove all identities, set the identity type to `"None"`. -Removing a system-assigned identity in this way also deletes it from Azure AD. System-assigned identities are also automatically removed from Azure AD when the Azure Maps account is deleted. +Removing a system-assigned identity in this way also deletes it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the Azure Maps account is deleted. To remove all identities by using the Azure Resource Manager template, update this section: To remove all identities by using the Azure Resource Manager template, update th This table outlines common authentication and authorization scenarios in Azure Maps. Each scenario describes a type of app that can be used to access Azure Maps REST API. Use the links to learn detailed configuration information for each scenario. > [!IMPORTANT]-> For production applications, we recommend implementing Azure AD with Azure role-based access control (Azure RBAC). +> For production applications, we recommend implementing Microsoft Entra ID with Azure role-based access control (Azure RBAC). 
| Scenario | Authentication | Authorization | Development effort | Operational effort | | --| -- | - | | | | [Trusted daemon app or non-interactive client app] | Shared Key | N/A | Medium | High |-| [Trusted daemon or non-interactive client app] | Azure AD | High | Low | Medium | -| [Web single page app with interactive single-sign-on]| Azure AD | High | Medium | Medium | -| [Web single page app with non-interactive sign-on] | Azure AD | High | Medium | Medium | +| [Trusted daemon or non-interactive client app] | Microsoft Entra ID | High | Low | Medium | +| [Web single page app with interactive single-sign-on]| Microsoft Entra ID | High | Medium | Medium | +| [Web single page app with non-interactive sign-on] | Microsoft Entra ID | High | Medium | Medium | | [Web app, daemon app, or non-interactive sign-on app]| SAS Token | High | Medium | Low |-| [Web application with interactive single-sign-on] | Azure AD | High | High | Medium | -| [IoT device or an input constrained application] | Azure AD | High | Medium | Medium | +| [Web application with interactive single-sign-on] | Microsoft Entra ID | High | High | Medium | +| [IoT device or an input constrained application] | Microsoft Entra ID | High | Medium | Medium | ## View built-in Azure Maps role definitions The results display the current Azure Maps role assignments. ## Request tokens for Azure Maps -Request a token from the Azure AD token endpoint. In your Azure AD request, use the following details: +Request a token from the Microsoft Entra token endpoint. 
In your Microsoft Entra ID request, use the following details: -| Azure environment | Azure AD token endpoint | Azure resource ID | +| Azure environment | Microsoft Entra token endpoint | Azure resource ID | | - | -- | | | Azure public cloud | `https://login.microsoftonline.com` | `https://atlas.microsoft.com/` | | Azure Government cloud | `https://login.microsoftonline.us` | `https://atlas.microsoft.com/` | -For more information about requesting access tokens from Azure AD for users and service principals, see [Authentication scenarios for Azure AD]. To view specific scenarios, see [the table of scenarios]. +For more information about requesting access tokens from Microsoft Entra ID for users and service principals, see [Authentication scenarios for Microsoft Entra ID]. To view specific scenarios, see [the table of scenarios]. ## Manage and rotate shared keys Your Azure Maps subscription keys are similar to a root password for your Azure Maps account. Always be careful to protect your subscription keys. Use Azure Key Vault to securely manage and rotate your keys. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that's accessible to others. If you believe that your keys may have been compromised, rotate them. > [!NOTE]-> If possible, we recommend using Azure AD instead of Shared Key to authorize requests. Azure AD has better security than Shared Key, and it's easier to use. +> If possible, we recommend using Microsoft Entra ID instead of Shared Key to authorize requests. Microsoft Entra ID has better security than Shared Key, and it's easier to use. 
### Manually rotate subscription keys Find the API usage metrics for your Azure Maps account: > [!div class="nextstepaction"] > [View usage metrics] -Explore samples that show how to integrate Azure AD with Azure Maps: +Explore samples that show how to integrate Microsoft Entra ID with Azure Maps: > [!div class="nextstepaction"]-> [Azure AD authentication samples] +> [Microsoft Entra authentication samples] [Azure portal]: https://portal.azure.com/ [Azure AD authentication samples]: https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples |
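Review bot: the Next steps reference was renamed to `[Microsoft Entra authentication samples]`, but the only definition visible in the trailing context is still `[Azure AD authentication samples]: https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples`, so the rendered link will dangle unless a matching definition is added to the link list; suggest renaming that definition line to `[Microsoft Entra authentication samples]: https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples` in the same commit. Minor: the token table header says "Microsoft Entra token endpoint" while the sentence just above it says "In your Microsoft Entra ID request"; pick one form for the whole section.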
azure-maps | How To Manage Creator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-manage-creator.md | Creator usage data is incorporated in your Azure Maps usage charts and activity >[!Important] >We recommend using: >-> * Azure Active Directory (Azure AD) in all solutions that are built with an Azure Maps account using Creator services. For more information, on Azure AD, see [Azure AD authentication]. +> * Microsoft Entra ID in all solutions that are built with an Azure Maps account using Creator services. For more information, on Microsoft Entra ID, see [Microsoft Entra authentication]. > >* Role-based access control settings (RBAC). Using these settings, map makers can act as the Azure Maps Data Contributor role, and Creator map data users can act as the Azure Maps Data Reader role. For more information, see [Authorization with role-based access control]. Creator usage data is incorporated in your Azure Maps usage charts and activity Creator services and services that use data hosted in Creator (for example, Render service), are accessible at a geographical URL. The geographical URL determines the location selected during creation. For example, if Creator is created in a region in the United States geographical location, all calls to the Conversion service must be submitted to `us.atlas.microsoft.com/conversions`. To view mappings of region to geographical location, [see Creator service geographic scope]. -Also, all data imported into Creator should be uploaded into the same geographical location as the Creator resource. For example, if Creator is provisioned in the United States, all raw data should be uploaded via `us.atlas.microsoft.com/mapData/upload`. 
- ## Next steps Introduction to Creator services for indoor mapping: > [!div class="nextstepaction"]-> [Data upload] +> [Upload a drawing package] > [!div class="nextstepaction"] > [Data conversion] Learn how to use the Creator services to render indoor maps in your application: [Azure Maps pricing]: https://aka.ms/CreatorPricing [Azure portal]: https://portal.azure.com [Data conversion]: creator-indoor-maps.md#convert-a-drawing-package-[Data upload]: creator-indoor-maps.md#upload-a-drawing-package [Dataset]: creator-indoor-maps.md#datasets [Feature State set]: creator-indoor-maps.md#feature-statesets [Indoor map dynamic styling]: indoor-map-dynamic-styling.md [Manage authentication in Azure Maps]: how-to-manage-authentication.md [see Creator service geographic scope]: creator-geographic-scope.md [Tileset]: creator-indoor-maps.md#tilesets+[Upload a drawing package]: creator-indoor-maps.md#upload-a-drawing-package [Use the Indoor Maps module]: how-to-use-indoor-module.md |
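Review bot: the Important callout now references `[Microsoft Entra authentication]`, but no definition for that label appears in the link list shown here (the list changes only swap `[Data upload]` for `[Upload a drawing package]`); please confirm a `[Microsoft Entra authentication]: ...` definition exists, otherwise the link will not render. Also, "For more information, on Microsoft Entra ID, see" carries a stray comma after "information" in the added line; suggest "For more information on Microsoft Entra ID, see [Microsoft Entra authentication]."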
azure-maps | How To Manage Pricing Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-manage-pricing-tier.md | You can manage the pricing tier of your Azure Maps account through the [Azure po > >After 9/14/23, Gen1 pricing tier will no longer be available when creating new Azure Maps accounts via the Azure Portal. After 10/12/23, Gen1 pricing tier will no longer be available when creating new Azure Maps accounts when using an ARM template. >-> You don't have to generate new subscription keys, client ID (for Azure AD authentication) or shared access signature (SAS) tokens if you change the pricing tier for your Azure Maps account. +> You don't have to generate new subscription keys, client ID (for Microsoft Entra authentication) or shared access signature (SAS) tokens if you change the pricing tier for your Azure Maps account. > > For more information on Gen2 pricing tier, see [Azure Maps pricing]. You can manage the pricing tier of your Azure Maps account through the [Azure po To change your pricing tier from Gen1 to Gen2 in the Azure Portal, navigate to the Pricing tier option in the settings menu of your Azure Maps account. Select Gen2 from the Pricing tier drop-down list then the Save button. > [!NOTE]-> You don't have to generate new subscription keys, client ID (for Azure AD authentication) or shared access signature (SAS) tokens if you change the pricing tier for your Azure Maps account. +> You don't have to generate new subscription keys, client ID (for Microsoft Entra authentication) or shared access signature (SAS) tokens if you change the pricing tier for your Azure Maps account. :::image type="content" source="./media/how-to-manage-pricing-tier/change-pricing-tier.png" border="true" alt-text="Change a pricing tier"::: |
azure-maps | How To Secure Daemon App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-daemon-app.md | The following are examples of daemon applications: [!INCLUDE [authentication details](./includes/view-authentication-details.md)] >[!IMPORTANT]->For production applications, we recommend implementing Azure AD and Azure role-based access control (Azure RBAC). For an overview of Azure AD concepts, see [Authentication with Azure Maps](azure-maps-authentication.md). +>For production applications, we recommend implementing Microsoft Entra ID and Azure role-based access control (Azure RBAC). For an overview of Microsoft Entra concepts, see [Authentication with Azure Maps](azure-maps-authentication.md). ## Scenario: Shared key authentication with Azure Key Vault Applications that use Shared Key authentication, should store the keys in a secure store. This scenario describes how to safely store your application key as a secret in Azure Key Vault. Instead of storing the shared key in application configuration, the application can retrieve the shared key as an Azure Key Vault secret. To simplify key regeneration, we recommend that applications use one key at a time. Applications can then regenerate the unused key and deploy the regenerated key to Azure Key Vault while still maintaining current connections with one key. To understand how to configure Azure Key Vault, see [Azure Key Vault developer guide](../key-vault/general/developers-guide.md). >[!IMPORTANT]->This scenario indirectly accesses Azure Active Directory through Azure Key Vault. However, we recommend that you use Azure AD authentication directly. Using Azure AD directly avoids the additional complexity and operational requirements of using shared key authentication and setting up Key Vault. +>This scenario indirectly accesses Microsoft Entra ID through Azure Key Vault. However, we recommend that you use Microsoft Entra authentication directly. 
Using Microsoft Entra ID directly avoids the additional complexity and operational requirements of using shared key authentication and setting up Key Vault. The following steps outline this process: 1. [Create an Azure Key Vault](../key-vault/general/quick-create-portal.md).-2. Create an [Azure AD service principal](../active-directory/fundamentals/service-accounts-principal.md) by creating an App registration or managed identity. The created principal is responsible for accessing the Azure Key Vault. +2. Create an [Microsoft Entra service principal](../active-directory/fundamentals/service-accounts-principal.md) by creating an App registration or managed identity. The created principal is responsible for accessing the Azure Key Vault. 3. Assign the service principal access to Azure Key secrets `get` permission. For details about how to set permissions, see [Assign a Key Vault access policy using the Azure portal](../key-vault/general/assign-access-policy-portal.md). 4. Temporarily assign access to secrets `set` permission for you as the developer. 5. Set the shared key in the Key Vault secrets and reference the secret ID as configuration for the daemon application. 6. Remove your secrets `set` permission.-7. To retrieve the shared key secret from Azure Key Vault, implement Azure Active Directory authentication in the daemon application. +7. To retrieve the shared key secret from Azure Key Vault, implement Microsoft Entra authentication in the daemon application. 8. Create an Azure Maps REST API request with the shared key. Now, the daemon application can retrieve the shared key from the Key Vault. > [!TIP] > If the app is hosted in the Azure environment, we recommend that you use a managed identity to reduce the cost and complexity of managing a secret for authentication. 
To learn how to set up a managed identity, see [Tutorial: Use a managed identity to connect Key Vault to an Azure web app in .NET](../key-vault/general/tutorial-net-create-vault-azure-web-app.md). -## Scenario: Azure AD role-based access control +<a name='scenario-azure-ad-role-based-access-control'></a> -After an Azure Maps account is created, the Azure Maps `Client ID` value is present in the Azure portal authentication details page. This value represents the account that is to be used for REST API requests. This value should be stored in application configuration and retrieved before making HTTP requests. The goal of the scenario is to enable the daemon application to authenticate to Azure AD and call Azure Maps REST APIs. +## Scenario: Microsoft Entra role-based access control ++After an Azure Maps account is created, the Azure Maps `Client ID` value is present in the Azure portal authentication details page. This value represents the account that is to be used for REST API requests. This value should be stored in application configuration and retrieved before making HTTP requests. The goal of the scenario is to enable the daemon application to authenticate to Microsoft Entra ID and call Azure Maps REST APIs. > [!TIP] >To enable benefits of managed identity components, we recommend that you host on Azure Virtual Machines, Virtual Machine Scale Sets, or App Services. To enable application access to a managed identity, see [Overview of managed ide Some managed identity benefits are: - Azure system-managed X509 certificate public key cryptography authentication.-- Azure AD security with X509 certificates instead of client secrets.+- Microsoft Entra security with X509 certificates instead of client secrets. - Azure manages and renews all certificates associated with the Managed Identity resource. - Credential operational management is simplified because managed identity removes the need for a secured secret store service, such as Azure Key Vault. 
### Host a daemon on non-Azure resources -Managed identities are only available when running on an Azure environment. As such, you must configure a service principal through an Azure AD application registration for the daemon application. +Managed identities are only available when running on an Azure environment. As such, you must configure a service principal through a Microsoft Entra application registration for the daemon application. #### Create new application registration To create a new application registration: 1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **Azure Active Directory**. +2. Select **Microsoft Entra ID**. 3. Under **Manage** in the left pane, select **App registrations**. To assign delegated API permissions to Azure Maps: 1. If you haven't done so already, sign in to the [Azure portal](https://portal.azure.com). -2. Select **Azure Active Directory**. +2. Select **Microsoft Entra ID**. 3. Under **Manage** in the left pane, select **App registrations**. To create a client secret: :::image type="content" border="true" source="./media/how-to-manage-authentication/copy-client-secret.png" alt-text="Copy client secret."::: >[!IMPORTANT]- >To securely store the certificate or secret, see the [Azure Key Vault Developer Guide](../key-vault/general/developers-guide.md). You'll use this secret to get tokens from Azure AD. + >To securely store the certificate or secret, see the [Azure Key Vault Developer Guide](../key-vault/general/developers-guide.md). You'll use this secret to get tokens from Microsoft Entra ID. [!INCLUDE [grant role-based access to users](./includes/grant-rbac-users.md)] To acquire the access token: 1. If you haven't done so already, sign in to the [Azure portal](https://portal.azure.com). -2. Select **Azure Active Directory**. +2. Select **Microsoft Entra ID**. 3. Under **Manage** in the left pane, select **App registrations**. 
For more information about authentication flow, see [OAuth 2.0 client credential For more detailed examples: > [!div class="nextstepaction"]-> [Authentication scenarios for Azure AD](../active-directory/develop/authentication-vs-authorization.md) +> [Authentication scenarios for Microsoft Entra ID](../active-directory/develop/authentication-vs-authorization.md) Find the API usage metrics for your Azure Maps account: > [!div class="nextstepaction"] > [View usage metrics](how-to-view-api-usage.md) -Explore samples that show how to integrate Azure AD with Azure Maps: +Explore samples that show how to integrate Microsoft Entra ID with Azure Maps: > [!div class="nextstepaction"] > [Azure Maps samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples) |
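Review bot: step 2 of the Key Vault procedure now reads "Create an [Microsoft Entra service principal]"; the article should be "a" since the link text no longer starts with a vowel sound. While that list is being edited, the unchanged sentence "Applications that use Shared Key authentication, should store the keys in a secure store." has a stray comma before "should" that could be dropped in the same change.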
azure-maps | How To Secure Device Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-device-code.md | Title: How to secure an input constrained device using Azure AD and Azure Maps REST API + Title: How to secure an input constrained device using Microsoft Entra ID and Azure Maps REST API -description: How to configure a browser-less application that supports sign-in to Azure AD and calls Azure Maps REST API. +description: How to configure a browser-less application that supports sign-in to Microsoft Entra ID and calls Azure Maps REST API. Last updated 06/12/2020-# Secure an input constrained device by using Azure Active Directory (Azure AD) and Azure Maps REST APIs +# Secure an input constrained device by using Microsoft Entra ID and Azure Maps REST APIs This guide discusses how to secure public applications or devices that can't securely store secrets or accept browser input. These types of applications fall under the internet of things (IoT) category. Examples include Smart TVs and sensor data emitting applications. [!INCLUDE [authentication details](./includes/view-authentication-details.md)] -## Create an application registration in Azure AD +<a name='create-an-application-registration-in-azure-ad'></a> ++## Create an application registration in Microsoft Entra ID > [!NOTE] > > * **Prerequisite Reading:** [Scenario: Desktop app that calls web APIs] > * The following scenario uses the device code flow, which does not involve a web browser to acquire a token. -Create the device based application in Azure AD to enable Azure AD sign-in, which is granted access to Azure Maps REST APIs. +Create the device based application in Microsoft Entra ID to enable Microsoft Entra sign-in, which is granted access to Azure Maps REST APIs. -1. In the Azure portal, in the list of Azure services, select **Azure Active Directory** > **App registrations** > **New registration**. +1. 
In the Azure portal, in the list of Azure services, select **Microsoft Entra ID** > **App registrations** > **New registration**. - :::image type="content" source="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing application registration in Azure AD"::: + :::image type="content" source="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing application registration in Microsoft Entra ID"::: -2. Enter a **Name**, choose **Accounts in this organizational directory only** as the **Supported account type**. In **Redirect URIs**, specify **Public client / native (mobile & desktop)** then add `https://login.microsoftonline.com/common/oauth2/nativeclient` to the value. For more information, see Azure AD [Desktop app that calls web APIs: App registration]. Then **Register** the application. +2. Enter a **Name**, choose **Accounts in this organizational directory only** as the **Supported account type**. In **Redirect URIs**, specify **Public client / native (mobile & desktop)** then add `https://login.microsoftonline.com/common/oauth2/nativeclient` to the value. For more information, see Microsoft Entra ID [Desktop app that calls web APIs: App registration]. Then **Register** the application. :::image type="content" source="./media/azure-maps-authentication/devicecode-app-registration.png" alt-text="A screenshot showing the settings used to register an application."::: -3. Navigate to **Authentication** and enable **Treat application as a public client** to enable device code authentication with Azure AD. +3. Navigate to **Authentication** and enable **Treat application as a public client** to enable device code authentication with Microsoft Entra ID. 
:::image type="content" source="./media/azure-maps-authentication/devicecode-public-client.png" alt-text="A screenshot showing the advanced settings used to specify treating the application as a public client."::: Create the device based application in Azure AD to enable Azure AD sign-in, whic > Use Microsoft Authentication Library (MSAL) to acquire access tokens. > For more information, see [Desktop app that calls web APIs: Code configuration] in the active directory documentation. -8. Compose the HTTP request with the acquired token from Azure AD, and sent request with a valid HTTP client. +8. Compose the HTTP request with the acquired token from Microsoft Entra ID, and sent request with a valid HTTP client. ### Sample request |
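Review bot: step 8 carries a pre-existing grammar error into the rewritten line, "and sent request with a valid HTTP client"; since the line is already being changed for the rename, suggest "and send the request with a valid HTTP client". In step 2, "see Microsoft Entra ID [Desktop app that calls web APIs: App registration]" reads awkwardly after the mechanical replacement of "Azure AD"; "see the Microsoft Entra ID article [Desktop app that calls web APIs: App registration]" or simply "see [Desktop app that calls web APIs: App registration]" would be cleaner.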
azure-maps | How To Secure Sas App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-sas-app.md | The following steps describe how to create and configure an Azure Maps account w az provider register --namespace Microsoft.Maps ``` -1. Retrieve your Azure Active Directory (Azure AD) object ID. +1. Retrieve your Microsoft Entra object ID. ```azurecli $id = $(az rest --method GET --url 'https://graph.microsoft.com/v1.0/me?$select=id' --headers 'Content-Type=application/json' --query "id") Deploy a quickstart ARM template to create an Azure Maps account that uses a SAS For more detailed examples, see: > [!div class="nextstepaction"]-> [Authentication scenarios for Azure AD](../active-directory/develop/authentication-vs-authorization.md) +> [Authentication scenarios for Microsoft Entra ID](../active-directory/develop/authentication-vs-authorization.md) Find the API usage metrics for your Azure Maps account: > [!div class="nextstepaction"] > [View usage metrics](how-to-view-api-usage.md) -Explore samples that show how to integrate Azure AD with Azure Maps: +Explore samples that show how to integrate Microsoft Entra ID with Azure Maps: > [!div class="nextstepaction"] > [Azure Maps samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples) |
azure-maps | How To Secure Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-spa-app.md | -Secure a single-page web application with Azure Active Directory (Azure AD), even when the user isn't able to sign in to Azure AD. +Secure a single-page web application with Microsoft Entra ID, even when the user isn't able to sign in to Microsoft Entra ID. -To create this non-interactive authentication flow, first create an Azure Function secure web service that's responsible for acquiring access tokens from Azure AD. This web service is exclusively available only to your single-page web application. +To create this non-interactive authentication flow, first create an Azure Function secure web service that's responsible for acquiring access tokens from Microsoft Entra ID. This web service is exclusively available only to your single-page web application. [!INCLUDE [authentication details](./includes/view-authentication-details.md)] To create this non-interactive authentication flow, first create an Azure Functi ## Create an Azure function -To create a secured web service application that's responsible for authentication to Azure AD: +To create a secured web service application that's responsible for authentication to Microsoft Entra ID: 1. Create a function in the Azure portal. For more information, see [Getting started with Azure Functions]. 2. Configure CORS policy on the Azure function to be accessible by the single-page web application. The CORS policy secures browser clients to the allowed origins of your web application. For more information, see [Add CORS functionality]. -3. [Add a system-assigned identity] on the Azure function to enable creation of a service principal to authenticate to Azure AD. +3. [Add a system-assigned identity] on the Azure function to enable creation of a service principal to authenticate to Microsoft Entra ID. 4. 
Grant role-based access for the system-assigned identity to the Azure Maps account. For more information, see [Grant role-based access]. Find the API usage metrics for your Azure Maps account: > [!div class="nextstepaction"] > [View usage metrics](how-to-view-api-usage.md) -Explore other samples that show how to integrate Azure AD with Azure Maps: +Explore other samples that show how to integrate Microsoft Entra ID with Azure Maps: > [!div class="nextstepaction"] > [Azure Maps Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/ClientGrant) |
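Review bot: the rewritten intro line in the how-to-secure-spa-app hunk still reads "This web service is exclusively available only to your single-page web application", where "exclusively" and "only" say the same thing; since the line is being touched for the Microsoft Entra rename anyway, suggest "This web service is available only to your single-page web application."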
azure-maps | How To Secure Spa Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-spa-users.md | Title: How to secure a single page application with user sign-in -description: How to configure a single page application that supports Azure AD single-sign-on with Azure Maps Web SDK. +description: How to configure a single page application that supports Microsoft Entra single-sign-on with Azure Maps Web SDK. Last updated 06/12/2020-The following guide pertains to an application that is hosted on a content server or has minimal web server dependencies. The application provides protected resources secured only to Azure AD users. The objective of the scenario is to enable the web application to authenticate to Azure AD and call Azure Maps REST APIs on behalf of the user. +The following guide pertains to an application that is hosted on a content server or has minimal web server dependencies. The application provides protected resources secured only to Microsoft Entra users. The objective of the scenario is to enable the web application to authenticate to Microsoft Entra ID and call Azure Maps REST APIs on behalf of the user. [!INCLUDE [authentication details](./includes/view-authentication-details.md)] -## Create an application registration in Azure AD +<a name='create-an-application-registration-in-azure-ad'></a> -Create the web application in Azure AD for users to sign in. The web application delegates user access to Azure Maps REST APIs. +## Create an application registration in Microsoft Entra ID -1. In the Azure portal, in the list of Azure services, select **Azure Active Directory** > **App registrations** > **New registration**. +Create the web application in Microsoft Entra ID for users to sign in. The web application delegates user access to Azure Maps REST APIs. 
- :::image type="content" source="./media/how-to-manage-authentication/app-registration.png" alt-text="Screenshot showing the new registration page in the App registrations blade in Azure Active Directory."::: +1. In the Azure portal, in the list of Azure services, select **Microsoft Entra ID** > **App registrations** > **New registration**. -2. Enter a **Name**, choose a **Support account type**, provide a redirect URI that represents the url which Azure AD issues the token and is the url where the map control is hosted. For a detailed sample, see [Azure Maps Azure AD samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/ImplicitGrant). Then select **Register**. + :::image type="content" source="./media/how-to-manage-authentication/app-registration.png" alt-text="Screenshot showing the new registration page in the App registrations blade in Microsoft Entra ID."::: ++2. Enter a **Name**, choose a **Support account type**, provide a redirect URI that represents the url which Microsoft Entra ID issues the token and is the url where the map control is hosted. For a detailed sample, see [Azure Maps Microsoft Entra ID samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/ImplicitGrant). Then select **Register**. 3. To assign delegated API permissions to Azure Maps, go to the application. Then under **App registrations**, select **API permissions** > **Add a permission**. Under **APIs my organization uses**, search for and select **Azure Maps**. Create the web application in Azure AD for users to sign in. The web application 5. Enable `oauth2AllowImplicitFlow`. To enable it, in the **Manifest** section of your app registration, set `oauth2AllowImplicitFlow` to `true`. -6. Copy the Azure AD app ID and the Azure AD tenant ID from the app registration to use in the Web SDK. Add the Azure AD app registration details and the `x-ms-client-id` from the Azure Map account to the Web SDK. +6. 
Copy the Microsoft Entra app ID and the Microsoft Entra tenant ID from the app registration to use in the Web SDK. Add the Microsoft Entra app registration details and the `x-ms-client-id` from the Azure Map account to the Web SDK. ```javascript <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3/atlas.min.css" type="text/css" /> Find the API usage metrics for your Azure Maps account: > [!div class="nextstepaction"] > [View usage metrics](how-to-view-api-usage.md) -Explore samples that show how to integrate Azure AD with Azure Maps: +Explore samples that show how to integrate Microsoft Entra ID with Azure Maps: > [!div class="nextstepaction"] > [Azure Maps Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/ImplicitGrant) |
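Review bot: two wording defects survive the rename in the how-to-secure-spa-users hunk. In step 2 the new line reads "provide a redirect URI that represents the url which Microsoft Entra ID issues the token and is the url where the map control is hosted"; it needs "to which" (as the sibling how-to-secure-webapp-users article already has it) and "url" should be "URL". In step 6 the new line says "the `x-ms-client-id` from the Azure Map account", which should be "Azure Maps account". Separately, the context line "5. Enable `oauth2AllowImplicitFlow`" shows the article still steering a single-page app to the implicit grant; out of scope for a rename commit, but worth a follow-up since the authorization code flow with PKCE is the flow now recommended for SPAs, and the "Last updated 06/12/2020" metadata is unchanged despite the content edits.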
azure-maps | How To Secure Webapp Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-secure-webapp-users.md | Title: How to secure a web application with interactive single sign-in -description: How to configure a web application that supports Azure AD single sign-in with Azure Maps Web SDK using OpenID Connect protocol. +description: How to configure a web application that supports Microsoft Entra single sign-in with Azure Maps Web SDK using OpenID Connect protocol. Last updated 06/12/2020-The following guide pertains to an application that is hosted on web servers, maintains multiple business scenarios, and deploys to web servers. The application has the requirement to provide protected resources secured only to Azure AD users. The objective of the scenario is to enable the web application to authenticate to Azure AD and call Azure Maps REST APIs on behalf of the user. +The following guide pertains to an application that is hosted on web servers, maintains multiple business scenarios, and deploys to web servers. The application has the requirement to provide protected resources secured only to Microsoft Entra users. The objective of the scenario is to enable the web application to authenticate to Microsoft Entra ID and call Azure Maps REST APIs on behalf of the user. [!INCLUDE [authentication details](./includes/view-authentication-details.md)] -## Create an application registration in Azure AD +<a name='create-an-application-registration-in-azure-ad'></a> -You must create the web application in Azure AD for users to sign in. This web application then delegates user access to Azure Maps REST APIs. +## Create an application registration in Microsoft Entra ID -1. In the Azure portal, in the list of Azure services, select **Azure Active Directory** > **App registrations** > **New registration**. +You must create the web application in Microsoft Entra ID for users to sign in. 
This web application then delegates user access to Azure Maps REST APIs. ++1. In the Azure portal, in the list of Azure services, select **Microsoft Entra ID** > **App registrations** > **New registration**. :::image type="content" source="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing App registration." lightbox="./media/how-to-manage-authentication/app-registration.png"::: -2. Enter a **Name**, choose a **Support account type**, provide a redirect URI that represents the url to which Azure AD issues the token, which is the url where the map control is hosted. For more information, see Azure AD [Scenario: Web app that signs in users](../active-directory/develop/scenario-web-app-sign-user-overview.md). Complete the provided steps from the Azure AD scenario. +2. Enter a **Name**, choose a **Support account type**, provide a redirect URI that represents the url to which Microsoft Entra ID issues the token, which is the url where the map control is hosted. For more information, see Microsoft Entra ID [Scenario: Web app that signs in users](../active-directory/develop/scenario-web-app-sign-user-overview.md). Complete the provided steps from the Microsoft Entra scenario. 3. Once the application registration is complete, confirm that application sign-in works for users. Once sign-in works, the application can be granted delegated access to Azure Maps REST APIs. You must create the web application in Azure AD for users to sign in. This web a :::image type="content" source="./media/how-to-manage-authentication/select-app-permissions.png" alt-text="A screenshot showing select app API permissions." lightbox="./media/how-to-manage-authentication/select-app-permissions.png"::: -6. 
Enable the web application to call Azure Maps REST APIs by configuring the app registration with an application secret, For detailed steps, see [A web app that calls web APIs: App registration](../active-directory/develop/scenario-web-app-call-api-app-registration.md). A secret is required to authenticate to Azure AD on-behalf of the user. The app registration certificate or secret should be stored in a secure store for the web application to retrieve to authenticate to Azure AD. +6. Enable the web application to call Azure Maps REST APIs by configuring the app registration with an application secret, For detailed steps, see [A web app that calls web APIs: App registration](../active-directory/develop/scenario-web-app-call-api-app-registration.md). A secret is required to authenticate to Microsoft Entra on-behalf of the user. The app registration certificate or secret should be stored in a secure store for the web application to retrieve to authenticate to Microsoft Entra ID. - * This step may be skipped if the application already has an Azure AD app registration and secret configured. + * This step may be skipped if the application already has a Microsoft Entra app registration and secret configured. > [!TIP] > If the application is hosted in an Azure environment, we recommend using [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) and an Azure Key Vault instance to access secrets by [acquiring an access token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md) for accessing Azure Key Vault secrets or certificates. To connect to Azure Key Vault to retrieve secrets, see [tutorial to connect through managed identity](../key-vault/general/tutorial-net-create-vault-azure-web-app.md). 7. Implement a secure token endpoint for the Azure Maps Web SDK to access a token. 
- * For a sample token controller, see [Azure Maps Azure AD Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/blob/master/src/OpenIdConnect/AzureMapsOpenIdConnectv1/AzureMapsOpenIdConnect/Controllers/TokenController.cs). - * For a non-AspNetCore implementation or other, see [Acquire token for the app](../active-directory/develop/scenario-web-app-call-api-acquire-token.md) from Azure AD documentation. + * For a sample token controller, see [Azure Maps Microsoft Entra ID Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/blob/master/src/OpenIdConnect/AzureMapsOpenIdConnectv1/AzureMapsOpenIdConnect/Controllers/TokenController.cs). + * For a non-AspNetCore implementation or other, see [Acquire token for the app](../active-directory/develop/scenario-web-app-call-api-acquire-token.md) from Microsoft Entra documentation. * The secured token endpoint is responsible to return an access token for the authenticated and authorized user to call Azure Maps REST APIs. 8. To configure Azure role-based access control (Azure RBAC) for users or groups, see [grant role-based access for users](#grant-role-based-access-for-users-to-azure-maps). Find the API usage metrics for your Azure Maps account: > [!div class="nextstepaction"] > [View usage metrics](how-to-view-api-usage.md) -Explore samples that show how to integrate Azure AD with Azure Maps: +Explore samples that show how to integrate Microsoft Entra ID with Azure Maps: > [!div class="nextstepaction"]-> [Azure Maps Azure AD Web App Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/OpenIdConnect) +> [Azure Maps Microsoft Entra Web App Samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples/tree/master/src/OpenIdConnect) |
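Review bot: step 6 in the how-to-secure-webapp-users hunk is edited but keeps two punctuation errors: "configuring the app registration with an application secret, For detailed steps" needs a period before "For", and "authenticate to Microsoft Entra on-behalf of the user" should be "on behalf of the user" (and "Microsoft Entra ID" for consistency with the rest of the step). Suggested: "...with an application secret. For detailed steps, see [...]. A secret is required to authenticate to Microsoft Entra ID on behalf of the user."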
azure-maps | How To Use Map Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-map-control.md | This article uses the Azure Maps Web SDK, however the Azure Maps services work w To use the Map Control in a web page, you must have one of the following prerequisites: * An [Azure Maps account]-* A [subscription key] or Azure Active Directory (Azure AD) credentials. For more information, see [authentication options]. +* A [subscription key] or Microsoft Entra credentials. For more information, see [authentication options]. ## Create a new map in a web page You can embed a map in a web page by using the Map Control client-side JavaScrip </body> ``` -5. Next, initialize the map control. In order to authenticate the control, use an Azure Maps subscription key or Azure AD credentials with [authentication options]. +5. Next, initialize the map control. In order to authenticate the control, use an Azure Maps subscription key or Microsoft Entra credentials with [authentication options]. If you're using a subscription key for authentication, copy and paste the following script element inside the `<head>` element, and below the first `<script>` element. Replace `<Your Azure Maps Key>` with your Azure Maps subscription key. You can embed a map in a web page by using the Map Control client-side JavaScrip </script> ``` - If you're using Azure AD for authentication, copy and paste the following script element inside the `<head>` element, and below the first `<script>` element. + If you're using Microsoft Entra ID for authentication, copy and paste the following script element inside the `<head>` element, and below the first `<script>` element. 
```HTML <script type="text/javascript"> You can embed a map in a web page by using the Map Control client-side JavaScrip language: 'en-US', authOptions: { authType: 'aad',- clientId: '<Your AAD Client Id>', - aadAppId: '<Your AAD App Id>', - aadTenant: '<Your AAD Tenant Id>' + clientId: '<Your Microsoft Entra Client Id>', + aadAppId: '<Your Microsoft Entra App Id>', + aadTenant: '<Your Microsoft Entra tenant Id>' } }); } You can embed a map in a web page by using the Map Control client-side JavaScrip 8. Open the file in your web browser and view the rendered map. It should look like the following image: - ![Map image showing rendered result](./media/how-to-use-map-control/map-of-seattle.png) + :::image type="content" source="./media/how-to-use-map-control/map-of-seattle.png" alt-text="Screenshot of a map image showing rendered result." lightbox="./media/how-to-use-map-control/map-of-seattle.png"::: ## Localizing the map map = new atlas.Map('myMap', { Here's an example of Azure Maps with the language set to "fr-FR" and the regional view set to `Auto`. -![Map image showing labels in French](./media/how-to-use-map-control/websdk-localization.png) For a list of supported languages and regional views, see [Localization support in Azure Maps]. Learn best practices and see samples: > [!div class="nextstepaction"] > [Code samples](/samples/browse/?products=azure-maps) -For a list of samples showing how to integrate Azure AD with Azure Maps, see: +For a list of samples showing how to integrate Microsoft Entra ID with Azure Maps, see: > [!div class="nextstepaction"]-> [Azure AD authentication samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples) +> [Microsoft Entra authentication samples](https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples) [3D terrain tiles]: #3d-terrain-tiles [authentication options]: /javascript/api/azure-maps-control/atlas.authenticationoptions |
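Review bot: the how-to-use-map-control hunk removes the line `-![Map image showing labels in French](./media/how-to-use-map-control/websdk-localization.png)` without adding a replacement, so the sentence immediately before it, "Here's an example of Azure Maps with the language set to "fr-FR" and the regional view set to `Auto`.", now points at nothing; either restore the image with the `:::image type="content" ... :::` syntax used earlier in the same hunk for map-of-seattle.png, or drop the dangling sentence. Also the new placeholders mix capitalization: `'<Your Microsoft Entra Client Id>'`, `'<Your Microsoft Entra App Id>'`, `'<Your Microsoft Entra tenant Id>'`; pick one form ("tenant ID", "client ID", "app ID") for all three.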
azure-maps | How To Use Npm Package | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-npm-package.md | The [azure-maps-control] npm package is a client-side library that allows you to To use the npm package in an application, you must have the following prerequisites: * An [Azure Maps account]-* A [subscription key] or Azure Active Directory (Azure AD) credentials. For more information, see [authentication options]. +* A [subscription key] or Microsoft Entra credentials. For more information, see [authentication options]. ## Installation |
azure-maps | How To Use Services Module | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-services-module.md | The Azure Maps Web SDK provides a [services module]. This module is a helper lib import * as service from "azure-maps-rest"; ``` -1. Create an authentication pipeline. The pipeline must be created before you can initialize a service URL client endpoint. Use your own Azure Maps account key or Azure Active Directory (Azure AD) credentials to authenticate an Azure Maps Search service client. In this example, the Search service URL client is created. +1. Create an authentication pipeline. The pipeline must be created before you can initialize a service URL client endpoint. Use your own Azure Maps account key or Microsoft Entra credentials to authenticate an Azure Maps Search service client. In this example, the Search service URL client is created. If you use a subscription key for authentication: The Azure Maps Web SDK provides a [services module]. This module is a helper lib var searchURL = new atlas.service.SearchURL(pipeline); ``` - If you use Azure AD for authentication: + If you use Microsoft Entra ID for authentication: ```javascript // Enter your Azure AD client ID. |
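Review bot: in the how-to-use-services-module hunk the prose line becomes "If you use Microsoft Entra ID for authentication:" but the code comment on the next context line, `// Enter your Azure AD client ID.`, is left with the old name; update the comment in the same commit so the snippet and the sentence introducing it agree.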
azure-maps | How To Use Spatial Io Module | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-spatial-io-module.md | You can load the Azure Maps spatial IO module using one of the two options: </head> <body onload="GetMap()">- <div id="myMap"></div> + <div id="myMap" style="position:relative;width:100%;min-width:290px;height:600px;"></div> </body> </html> You can load the Azure Maps spatial IO module using one of the two options: map.layers.add(layer); ``` -1. Your HTML code should now look like the following code. This sample demonstrates how to read an XML file from a URL. Then, load and display the file's feature data on the map. +1. Your HTML code should now look like the following code. This sample demonstrates how to display an XML file's feature data on a map. ++ > [!NOTE] + > This example uses [Route66Attractions.xml]. ```html- <!DOCTYPE html> + <!DOCTYPE html> <html> <head> <title>Spatial IO Module Example</title> You can load the Azure Maps spatial IO module using one of the two options: map.layers.add(layer); //Read an XML file from a URL or pass in a raw XML string.- atlas.io.read('superCoolKmlFile.xml').then(r => { + atlas.io.read('Route66Attractions.xml').then(r => { if (r) { //Add the feature data to the data source. datasource.add(r); You can load the Azure Maps spatial IO module using one of the two options: 1. Remember to replace `<Your Azure Maps Key>` with your subscription key. 
You should see results similar to the following image in your HTML file: - :::image type="content" source="./media/how-to-use-spatial-io-module/spatial-data-example.png" alt-text="Screenshot of an indoor map demonstrating Spatial Data."::: + :::image type="content" source="./media/how-to-use-spatial-io-module/spatial-data-example.png" lightbox="./media/how-to-use-spatial-io-module/spatial-data-example.png" alt-text="Screenshot showing the Spatial Data sample in a map."::: ## Next steps Refer to the Azure Maps Spatial IO documentation: [How to use the Azure Maps map control npm package]: how-to-use-npm-package.md [Leverage core operations]: spatial-io-core-operations.md [Read and write spatial data]: spatial-io-read-write-spatial-data.md+[Route66Attractions.xml]: https://samples.azuremaps.com/data/Gpx/Route66Attractions.xml [Spatial IO module]: https://www.npmjs.com/package/azure-maps-spatial-io [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [Supported data format details]: spatial-io-supported-data-format-details.md |
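Review bot: the new NOTE in the how-to-use-spatial-io-module hunk links [Route66Attractions.xml] to `https://samples.azuremaps.com/data/Gpx/Route66Attractions.xml`, but the sample code changes to `atlas.io.read('Route66Attractions.xml')`, a path relative to the HTML page; a reader who only follows the link gets a load failure unless they save the file next to their HTML. Either read the full URL in the snippet or say in the NOTE that the file must be downloaded and placed alongside the page. Minor: the added NOTE and the rewritten step text drop "read an XML file from a URL", yet the retained code comment still says "Read an XML file from a URL or pass in a raw XML string", which is fine but worth keeping consistent.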
azure-maps | How To Use Ts Rest Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-ts-rest-sdk.md | Azure Maps provides a collection of npm modules for the [Azure TypeScript REST S 1. Using `@azure-rest/maps-search` as an example, install the package with `npm install @azure-rest/maps-search`. -1. Create and authenticate a [MapsSearch] client. To create a client to access the Azure Maps Search APIs, you need a credential object. The client supports an [Azure Active Directory credential] or an [Azure Key credential] for authentication. You may need to install either [@azure/identity] or [@azure/core-auth] for different authentication methods. +1. Create and authenticate a [MapsSearch] client. To create a client to access the Azure Maps Search APIs, you need a credential object. The client supports an [Microsoft Entra credential] or an [Azure Key credential] for authentication. You may need to install either [@azure/identity] or [@azure/core-auth] for different authentication methods. 
If you use a subscription key for authentication, install the package with `npm install @azure/core-auth`: Azure Maps provides a collection of npm modules for the [Azure TypeScript REST S const client = MapsSearch(credential); ``` - If you use Azure AD for authentication, install the package with `npm install @azure/identity`: + If you use Microsoft Entra ID for authentication, install the package with `npm install @azure/identity`: ```javascript import MapsSearch from "@azure-rest/maps-search"; For more code samples that use the TypeScript REST SDK with Web SDK integration, [Azure Active Directory credential]: ./how-to-dev-guide-js-sdk.md#using-an-azure-ad-credential [Azure Key credential]: ./how-to-dev-guide-js-sdk.md#using-a-subscription-key-credential [@azure/identity]: https://www.npmjs.com/package/@azure/identity-[@azure/core-auth]: https://www.npmjs.com/package/@azure/core-auth +[@azure/core-auth]: https://www.npmjs.com/package/@azure/core-auth |
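Review bot: the how-to-use-ts-rest-sdk hunk changes the link text in step 1 to `[Microsoft Entra credential]`, but the reference definition at the bottom of the file is still `[Azure Active Directory credential]: ./how-to-dev-guide-js-sdk.md#using-an-azure-ad-credential`, so the renamed link has no definition and will render as plain bracketed text; rename the definition to match (the target anchor can stay as-is if the linked article keeps it). Same line: "an [Microsoft Entra credential]" should be "a [Microsoft Entra credential]".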
azure-maps | Map Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-events.md | The following table lists all supported map class events. | `sourceremoved` | Fired when a `DataSource` or `VectorTileSource` is removed from the map.| | `styledata` | Fired when the map's style loads or changes.| | `styleimagemissing` | Fired when a layer tries to load an image from the image sprite that doesn't exist |-| `tokenacquired` | Fired when an Azure Active Directory access token is obtained.| +| `tokenacquired` | Fired when a Microsoft Entra access token is obtained.| | `touchcancel` | Fired when a `touchcancel` event occurs within the map.| | `touchend` | Fired when a `touchend` event occurs within the map.| | `touchmove` | Fired when a `touchmove` event occurs within the map.| |
azure-maps | Map Get Information From Coordinate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-get-information-from-coordinate.md | document.body.onload = onload; > [!VIDEO //codepen.io/azuremaps/embed/ejEYMZ/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true] > -In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Azure Active Directory. For more information, see [Create a map]. +In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Microsoft Entra ID. For more information, see [Create a map]. The second block of code creates an object that implements the [TokenCredential] interface to authenticate HTTP requests to Azure Maps with the access token. It then passes the credential object to [MapsSearch] and creates an instance of the client. document.body.onload = onload; > [!VIDEO //codepen.io/azuremaps/embed/ddXzoB/?height=516&theme-id=0&default-tab=js,result&embed-version=2&editable=true] > -In the previous code example, the first block of code constructs a map object and sets the authentication mechanism to use Azure Active Directory. You can see [Create a map] for instructions. +In the previous code example, the first block of code constructs a map object and sets the authentication mechanism to use Microsoft Entra ID. You can see [Create a map] for instructions. The second block of code updates the style of the mouse cursor to a pointer. It instantiates a [popup](/javascript/api/azure-maps-control/atlas.popup#open) object. For more information, see [Add a popup on the map]. |
azure-maps | Map Route | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-route.md | document.body.onload = onload; > [!VIDEO //codepen.io/azuremaps/embed/RBZbep/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true] > -In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Azure Active Directory. You can see [Create a map] for instructions. +In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Microsoft Entra ID. You can see [Create a map] for instructions. The second block of code creates an object that implements the [TokenCredential] interface to authenticate HTTP requests to Azure Maps with the access token. It then passes the credential object to [MapsRoute] and creates an instance of the client. document.body.onload = onload; > [!VIDEO //codepen.io/azuremaps/embed/zRyNmP/?height=469&theme-id=0&default-tab=js,result&embed-version=2&editable=true] > -In the previous code example, the first block of code constructs a map object and sets the authentication mechanism to use Azure Active Directory. You can see [Create a map] for instructions. +In the previous code example, the first block of code constructs a map object and sets the authentication mechanism to use Microsoft Entra ID. You can see [Create a map] for instructions. The second block of code creates and adds a [DataSource] object to the map. |
azure-maps | Map Search Location | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/map-search-location.md | document.body.onload = onload; > [!VIDEO //codepen.io/azuremaps/embed/zLdYEB/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true] > -In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Azure Active Directory. For more information, see [Create a map]. +In the previous code example, the first block constructs a map object and sets the authentication mechanism to use Microsoft Entra ID. For more information, see [Create a map]. The second block of code creates an object that implements the [TokenCredential] interface to authenticate HTTP requests to Azure Maps with the access token. It then passes the credential object to [MapsSearch] and creates an instance of the client. document.body.onload = onload; > [!VIDEO //codepen.io/azuremaps/embed/KQbaeM/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true] > -In the previous code example, the first block of code constructs a map object. It sets the authentication mechanism to use Azure Active Directory. For more information, see [Create a map]. +In the previous code example, the first block of code constructs a map object. It sets the authentication mechanism to use Microsoft Entra ID. For more information, see [Create a map]. The second block of code creates a data source object using the [DataSource] class and add search results to it. A [symbol layer] uses text or icons to render point-based data wrapped in the [DataSource] as symbols on the map. A symbol layer is then created. The data source is added to the symbol layer, which is then added to the map. |
azure-maps | Tutorial Creator Indoor Maps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/tutorial-creator-indoor-maps.md | You can also create a dataset from a GeoJSON package. For more information, see * An [Azure Maps account] * A [subscription key] * A [Creator resource]+* An [Azure storage account] * The [sample drawing package] downloaded This tutorial uses the [Postman] application, but you can use a different API development environment. This tutorial uses the [Postman] application, but you can use a different API de ## Upload a drawing package -Use the [Data Upload API] to upload the drawing package to Azure Maps resources. The Data Upload API is a long-running transaction that implements the pattern defined in [Creator Long-Running Operation API V2]. +Follow the steps outlined in the [How to create data registry] article to upload the GeoJSON package into your Azure storage account then register it in your Azure Maps account. -To upload the drawing package: --1. In the Postman app, select **New**. --2. In the **Create New** window, select **HTTP Request**. --3. For **Request name**, enter a name for the request, such as **POST Data Upload**. --4. Select the **POST** HTTP method. --5. Enter the following URL to the [Data Upload API]: -- ```http - https://us.atlas.microsoft.com/mapData?api-version=2.0&dataFormat=dwgzippackage&subscription-key={Your-Azure-Maps-Subscription-key} - ``` --6. Select the **Headers** tab. --7. In the **KEY** field, select **Content-Type**. --8. In the **VALUE** field, select **application/octet-stream**. -- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-upload-header.png"alt-text="Screenshot of Postman that shows information on the Headers tab, including key and value."::: --9. Select the **Body** tab. --10. Select the **binary** option. --11. Choose **Select File**, and then select a drawing package. 
-- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-upload-body.png" alt-text="Screenshot of Postman that shows the Body tab in the POST window, with the button for selecting a file."::: --12. Select **Send**. --13. In the response window, select the **Headers** tab. --14. Copy the value of the **Operation-Location** key. This key is also known as the *status URL*. You need it to check the status of the drawing package upload in the next section. -- :::image type="content" source="./media/tutorial-creator-indoor-maps/data-upload-response-header.png" alt-text="Screenshot of Postman that shows the Operation-Location key on the Headers tab in the response window."::: --### Check the upload status of the drawing package --To check the status of the drawing package and retrieve its unique ID (`udid`): --1. In the Postman app, select **New**. --2. In the **Create New** window, select **HTTP Request**. --3. For **Request name**, enter a name for the request, such as **GET Data Upload Status**. --4. Select the **GET** HTTP method. --5. Enter the status URL that you copied as the last step in the previous section. The request should look like the following URL: -- ```http - https://us.atlas.microsoft.com/mapData/operations/{operationId}?api-version=2.0&subscription-key={Your-Azure-Maps-Subscription-key} - ``` --6. Select **Send**. --7. In the response window, select the **Headers** tab. --8. Copy the value of the **Resource-Location** key, which is the resource location URL. The resource location URL contains the unique identifier (`udid`) of the drawing package resource. -- :::image type="content" source="./media/tutorial-creator-indoor-maps/resource-location-url.png" alt-text="Screenshot of Postman that shows the resource location URL in the response header."::: --### (Optional) Retrieve metadata from the drawing package --You can retrieve metadata from the drawing package resource. 
The metadata contains information like the resource location URL, creation date, updated date, size, and upload status. --To retrieve content metadata: --1. In the Postman app, select **New**. --2. In the **Create New** window, select **HTTP Request**. --3. For **Request name**, enter a name for the request, such as **GET Data Upload Metadata**. --4. Select the **GET** HTTP method. --5. Enter the resource location URL that you copied as the last step in the previous section: -- ```http - https://us.atlas.microsoft.com/mapData/metadata/{udid}?api-version=2.0&subscription-key={Your-Azure-Maps-Subscription-key} - ``` --6. Select **Send**. --7. In the response window, select the **Body** tab. The metadata should look like the following JSON fragment: -- ```json - { - "udid": "{udid}", - "location": "https://us.atlas.microsoft.com/mapData/6ebf1ae1-2a66-760b-e28c-b9381fcff335?api-version=2.0", - "created": "5/18/2021 8:10:32 PM +00:00", - "updated": "5/18/2021 8:10:37 PM +00:00", - "sizeInBytes": 946901, - "uploadStatus": "Completed" - } - ``` +> [!IMPORTANT] +> Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is is how you reference the GeoJSON package you uploaded into your Azure storage account from your source code and HTTP requests. 
## Convert a drawing package For more information, see [Map configuration] in the article about indoor map co > [Use the Azure Maps Indoor Maps module with custom styles](how-to-use-indoor-module.md) [Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account+[Azure storage account]: /azure/storage/common/storage-account-create?tabs=azure-portal [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [Creator resource]: how-to-manage-creator.md [Sample drawing package]: https://github.com/Azure-Samples/am-creator-indoor-data-examples/blob/master/Sample%20-%20Contoso%20Drawing%20Package.zip [Postman]: https://www.postman.com [Access to Creator services]: how-to-manage-creator.md#access-to-creator-services [Create a dataset using a GeoJSON package (Preview)]: how-to-dataset-geojson.md-[Data Upload API]: /rest/api/maps/data-v2/upload -[Creator Long-Running Operation API V2]: creator-long-running-operation-v2.md +[How to create data registry]: how-to-create-data-registries.md [Conversion API]: /rest/api/maps/v2/conversion [Conversion service]: /rest/api/maps/v2/conversion/convert [Creator Long-Running Operation]: creator-long-running-operation-v2.md |
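Review bot: The new upload paragraph ("upload the GeoJSON package into your Azure storage account") and the added IMPORTANT note ("how you reference the GeoJSON package you uploaded") contradict the surrounding text, which still titles the section "## Upload a drawing package" and lists "[sample drawing package]" as the prerequisite; please say "drawing package" in both added sentences, or explain the switch, since the section that removed the Data Upload steps also removed the only explanation of how the `udid` is obtained. The IMPORTANT note also has a doubled word and a comma splice: "The `udid` is is how you reference" should read "The `udid` is how you reference", and "value, you will need it" should be "value; you'll need it later".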
azure-monitor | Ip Addresses | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/ip-addresses.md | |
azure-monitor | Java Standalone Profiler | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-profiler.md | Example configuration: "cpuTriggeredSettings": "profile-without-env-data", "memoryTriggeredSettings": "profile-without-env-data", "manualTriggeredSettings": "profile-without-env-data",- "enableRequestTriggering": true + "enableRequestTriggering": true, + "periodicRecordingDurationSeconds": 60 } } } This value can be one of: - `true` Profiling is triggered if a request trigger threshold is breached. - `false` (default value). Profiling will not be triggered by request configuration. +`periodicRecordingDurationSeconds` Profiling recording duration in seconds when a profiling session is started through "Profile now". Default value is `120`. + ## Frequently asked questions ### What is Azure Monitor Application Insights Java Profiling? |
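Review bot: The added `periodicRecordingDurationSeconds` line sits directly under the "This value can be one of:" list for `enableRequestTriggering`, so it reads as a third allowed value of that setting rather than a setting of its own; give it the same structure the other keys use (its own lead-in line, then the description). The description also does not match the name: "periodic" suggests scheduled recordings, but the text says the duration applies "when a profiling session is started through Profile now"; please state which it is, and whether the `60` in the example overrides the `120` default for both cases.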
azure-monitor | Opentelemetry Add Modify | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md | Dependencies - [Redis-4](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-redis-4) - [Azure SDK](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/instrumentation/opentelemetry-instrumentation-azure-sdk) -Automatic instrumentation of Logs is currently only supported when using `applicationinsights` v3 Beta package. (https://www.npmjs.com/package/applicationinsights/v/beta) +Instrumentations can be configured using AzureMonitorOpenTelemetryOptions -Logs -- [Node.js console](https://nodejs.org/api/console.html)-- [Bunyan](https://github.com/trentm/node-bunyan#readme)-- [Winston](https://github.com/winstonjs/winston#readme)+```typescript + // Import Azure Monitor OpenTelemetry + const { useAzureMonitor, AzureMonitorOpenTelemetryOptions } = require("@azure/monitor-opentelemetry"); + // Import OpenTelemetry HTTP Instrumentation to get config type + const { HttpInstrumentationConfig } = require("@azure/monitor-opentelemetry"); + // Import HTTP to get type + const { IncomingMessage } = require("http"); ++ // Specific Instrumentation configs could be added + const httpInstrumentationConfig: HttpInstrumentationConfig = { + ignoreIncomingRequestHook: (request: IncomingMessage) => { + return false; //Return true if you want to ignore a specific request + }, + enabled: true + }; + // Instrumentations configuration + const options: AzureMonitorOpenTelemetryOptions = { + instrumentationOptions: { + http: httpInstrumentationConfig, + azureSdk: { enabled: true }, + mongoDb: { enabled: true }, + mySql: { enabled: true }, + postgreSql: { enabled: true }, + redis: { enabled: true }, + redis4: { enabled: true }, + } + }; ++ // Enable Azure Monitor integration + useAzureMonitor(options); ++``` #### [Python](#tab/python) The following table represents the currently 
supported custom telemetry types: | | | | | | | | | | **Node.js** | | | | | | | | | OpenTelemetry API | | Yes | Yes | Yes | | Yes | |-| Console, Winston, Bunyan| | | | | | | Yes | -| AI Classic API | Yes | Yes | Yes | Yes | Yes | Yes | Yes | | | | | | | | | | | **Python** | | | | | | | | | OpenTelemetry API | | Yes | Yes | Yes | | Yes | | |
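Review bot: In the new TypeScript sample, `HttpInstrumentationConfig` and `IncomingMessage` are pulled in with `require` but only used as type annotations; a type has no runtime value, so `const { HttpInstrumentationConfig } = require("@azure/monitor-opentelemetry")` yields `undefined` and the sample should use `import type { HttpInstrumentationConfig } from "..."` and `import type { IncomingMessage } from "http"` (the comment above the first of these says it imports from the OpenTelemetry HTTP instrumentation package, but the `require` targets `@azure/monitor-opentelemetry`; make the two agree). Separately, the removed sentence about log auto-instrumentation and the removed "Console, Winston, Bunyan" table row leave the Node.js section with no statement on whether logs are collected at all; a one-line replacement would avoid the gap.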
azure-monitor | Opentelemetry Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md | -> [!TIP] -> For Node.js, this config guidance applies to the 3.X BETA Package only. If you're using a previous version, see the [Node.js Application Insights SDK Docs](nodejs.md). ## Connection string |
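Review bot: Removing the TIP drops the only pointer from this page to the [Node.js Application Insights SDK Docs](nodejs.md) for readers on a pre-3.x package; if the guidance now applies to the released package, a shorter version note ("this configuration applies to version 3.x; for earlier versions see ...") would keep that path without the BETA wording.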
azure-monitor | Opentelemetry Nodejs Exporter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-nodejs-exporter.md | - Title: Enable the Azure Monitor OpenTelemetry exporter for Node.js applications -description: This article provides guidance on how to enable the Azure Monitor OpenTelemetry exporter for Node.js applications. - Previously updated : 09/12/2023-----# Enable Azure Monitor OpenTelemetry for Node.js applications --This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry). --## OpenTelemetry Release Status --The OpenTelemetry exporter for Node.js is currently available as a public preview. --[Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) --## Get started --Follow the steps in this section to instrument your application with OpenTelemetry. 
--### Prerequisites --- An Azure subscription: [Create an Azure subscription for free](https://azure.microsoft.com/free/)-- An Application Insights resource: [Create an Application Insights resource](create-workspace-resource.md#create-a-workspace-based-resource)-- Application using an officially [supported version](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/monitor/monitor-opentelemetry-exporter#currently-supported-environments) of Node.js runtime:- - [OpenTelemetry supported runtimes](https://github.com/open-telemetry/opentelemetry-js#supported-runtimes) - - [Azure Monitor OpenTelemetry Exporter supported runtimes](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/monitor/monitor-opentelemetry-exporter#currently-supported-environments) --### Install the client libraries --Install these packages: --- [@opentelemetry/sdk-trace-base](https://www.npmjs.com/package/@opentelemetry/sdk-trace-base)-- [@opentelemetry/sdk-trace-node](https://www.npmjs.com/package/@opentelemetry/sdk-trace-node)-- [@azure/monitor-opentelemetry-exporter](https://www.npmjs.com/package/@azure/monitor-opentelemetry-exporter)-- [@opentelemetry/api](https://www.npmjs.com/package/@opentelemetry/api)--```sh -npm install @opentelemetry/sdk-trace-base -npm install @opentelemetry/sdk-trace-node -npm install @azure/monitor-opentelemetry-exporter -npm install @opentelemetry/api -``` --The following packages are also used for some specific scenarios described later in this article: --- [@opentelemetry/sdk-metrics](https://www.npmjs.com/package/@opentelemetry/sdk-metrics)-- [@opentelemetry/resources](https://www.npmjs.com/package/@opentelemetry/resources)-- [@opentelemetry/semantic-conventions](https://www.npmjs.com/package/@opentelemetry/semantic-conventions)-- [@opentelemetry/instrumentation-http](https://www.npmjs.com/package/@opentelemetry/instrumentation-http)--```sh -npm install @opentelemetry/sdk-metrics -npm install @opentelemetry/resources -npm install 
@opentelemetry/semantic-conventions -npm install @opentelemetry/instrumentation-http -``` --### Enable Azure Monitor Application Insights --This section provides guidance that shows how to enable OpenTelemetry. --#### Instrument with OpenTelemetry --The following code demonstrates how to enable OpenTelemetry in a simple JavaScript application: --```javascript -const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter"); -const { BatchSpanProcessor } = require("@opentelemetry/sdk-trace-base"); -const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node"); -const { context, trace } = require("@opentelemetry/api") --const provider = new NodeTracerProvider(); -provider.register(); --// Create an exporter instance. -const exporter = new AzureMonitorTraceExporter({ - connectionString: "<Your Connection String>" -}); --// Add the exporter to the provider. -provider.addSpanProcessor( - new BatchSpanProcessor(exporter) -); --// Create a tracer. -const tracer = trace.getTracer("example-basic-tracer-node"); --// Create a span. A span must be closed. -const parentSpan = tracer.startSpan("main"); --for (let i = 0; i < 10; i += 1) { - doWork(parentSpan); -} -// Be sure to end the span. -parentSpan.end(); --function doWork(parent) { - // Start another span. In this example, the main method already started a - // span, so that will be the parent span, and this will be a child span. - const ctx = trace.setSpan(context.active(), parent); -- // Set attributes to the span. - // Check the SpanOptions interface for more options that can be set into the span creation - const spanOptions = { - attributes: { - "key": "value" - } - }; -- const span = tracer.startSpan("doWork", spanOptions, ctx); -- // Simulate some random work. - for (let i = 0; i <= Math.floor(Math.random() * 40000000); i += 1) { - // empty - } -- // Annotate our span to capture metadata about our operation. - span.addEvent("invoking doWork"); -- // Mark the end of span execution. 
- span.end(); -} --``` --#### Set the Application Insights connection string --You can set the connection string either programmatically or by setting the environment variable `APPLICATIONINSIGHTS_CONNECTION_STRING`. If both have been set, the programmatic connection string takes precedence. --You can find your connection string in the Overview Pane of your Application Insights Resource. ---Here's how you set the connection string. --Replace the `<Your Connection String>` in the preceding code with the connection string from *your* Application Insights resource. --#### Confirm data is flowing --Run your application and open your **Application Insights Resource** tab in the Azure portal. It might take a few minutes for data to show up in the portal. ---> [!IMPORTANT] -> If you have two or more services that emit telemetry to the same Application Insights resource, you're required to [set Cloud Role Names](#set-the-cloud-role-name-and-the-cloud-role-instance) to represent them properly on the Application Map. --As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. To learn more, see [Statsbeat in Azure Application Insights](./statsbeat.md). --## Set the Cloud Role Name and the Cloud Role Instance --You might want to update the [Cloud Role Name](app-map.md#understand-the-cloud-role-name-within-the-context-of-an-application-map) and the Cloud Role Instance from the default values to something that makes sense to your team. They appear on the Application Map as the name underneath a node. --Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. 
Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md). --```javascript -... -const { Resource } = require("@opentelemetry/resources"); -const { SemanticResourceAttributes } = require("@opentelemetry/semantic-conventions"); -const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node"); -const { MeterProvider } = require("@opentelemetry/sdk-metrics") --// - -// Setting role name and role instance -// - -const testResource = new Resource({ - [SemanticResourceAttributes.SERVICE_NAME]: "my-helloworld-service", - [SemanticResourceAttributes.SERVICE_NAMESPACE]: "my-namespace", - [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: "my-instance", -}); --// - -// Done setting role name and role instance -// - -const tracerProvider = new NodeTracerProvider({ - resource: testResource -}); --const meterProvider = new MeterProvider({ - resource: testResource -}); -``` --## Enable Sampling --You may want to enable sampling to reduce your data ingestion volume, which reduces your cost. Azure Monitor provides a custom *fixed-rate* sampler that populates events with a "sampling ratio", which Application Insights converts to "ItemCount". The *fixed-rate* sampler ensures accurate experiences and event counts. The sampler is designed to preserve your traces across services, and it's interoperable with older Application Insights SDKs. For more information, see [Learn More about sampling](sampling.md#brief-summary). --> [!NOTE] -> Metrics are unaffected by sampling. 
--```javascript -const { BasicTracerProvider, SimpleSpanProcessor } = require("@opentelemetry/sdk-trace-base"); -const { ApplicationInsightsSampler, AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter"); --// Sampler expects a sample rate of between 0 and 1 inclusive -// A rate of 0.1 means approximately 10% of your traces are sent -const aiSampler = new ApplicationInsightsSampler(0.75); --const provider = new BasicTracerProvider({ - sampler: aiSampler -}); --const exporter = new AzureMonitorTraceExporter({ - connectionString: "<Your Connection String>" -}); --provider.addSpanProcessor(new SimpleSpanProcessor(exporter)); -provider.register(); -``` --> [!TIP] -> When using fixed-rate/percentage sampling and you aren't sure what to set the sampling rate as, start at 5% (i.e., 0.05 sampling ratio) and adjust the rate based on the accuracy of the operations shown in the failures and performance blades. A higher rate generally results in higher accuracy. However, ANY sampling will affect accuracy so we recommend alerting on [OpenTelemetry metrics](#metrics), which are unaffected by sampling. --## Instrumentation libraries --The following libraries are validated to work with the current release. --> [!WARNING] -> Instrumentation libraries are based on experimental OpenTelemetry specifications, which impacts languages in [preview status](#opentelemetry-release-status). Microsoft's *preview* support commitment is to ensure that the following libraries emit data to Azure Monitor Application Insights, but it's possible that breaking changes or experimental mapping will block some data elements. 
--### Distributed Tracing -Requests/Dependencies -- [http/https](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http/README.md) version:- [0.33.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-http/v/0.33.0) - -Dependencies -- [mysql](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-mysql) version:- [0.25.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-mysql/v/0.25.0) --### Metrics --- [http/https](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http/README.md) version:- [0.33.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-http/v/0.33.0) --### Logs --Currently unavailable. --## Collect custom telemetry --This section explains how to collect custom telemetry from your application. - -Depending on your language and signal type, there are different ways to collect custom telemetry, including: - -- OpenTelemetry API-- Language-specific logging/metrics libraries-- Application Insights Classic API- -The following table represents the currently supported custom telemetry types: --| Language | Custom Events | Custom Metrics | Dependencies | Exceptions | Page Views | Requests | Traces | -|-||-|--|||-|--| -| **Node.js** | | | | | | | | -| OpenTelemetry API | | Yes | Yes | Yes | | Yes | | -| Winston, Pino, Bunyan | | | | | | | Yes | -| AI Classic API | Yes | Yes | Yes | Yes | Yes | Yes | Yes | --### Add Custom Metrics --> [!NOTE] -> Custom Metrics are under preview in Azure Monitor Application Insights. Custom metrics without dimensions are available by default. To view and alert on dimensions, you need to [opt-in](pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation). --You may want to collect metrics beyond what is collected by [instrumentation libraries](#instrumentation-libraries). 
--The OpenTelemetry API offers six metric "instruments" to cover various metric scenarios and you need to pick the correct "Aggregation Type" when visualizing metrics in Metrics Explorer. This requirement is true when using the OpenTelemetry Metric API to send metrics and when using an instrumentation library. --The following table shows the recommended [aggregation types](../essentials/metrics-aggregation-explained.md#aggregation-types) for each of the OpenTelemetry Metric Instruments. --| OpenTelemetry Instrument | Azure Monitor Aggregation Type | -||| -| Counter | Sum | -| Asynchronous Counter | Sum | -| Histogram | Min, Max, Average, Sum and Count | -| Asynchronous Gauge | Average | -| UpDownCounter | Sum | -| Asynchronous UpDownCounter | Sum | --> [!CAUTION] -> Aggregation types beyond what's shown in the table typically aren't meaningful. --The [OpenTelemetry Specification](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/metrics/api.md#instrument) -describes the instruments and provides examples of when you might use each one. --> [!TIP] -> The histogram is the most versatile and most closely equivalent to the Application Insights Track Metric Classic API. Azure Monitor currently flattens the histogram instrument into our five supported aggregation types, and support for percentiles is underway. Although less versatile, other OpenTelemetry instruments have a lesser impact on your application's performance. 
--#### Histogram Example -- ```javascript - const { - MeterProvider, - PeriodicExportingMetricReader, - } = require("@opentelemetry/sdk-metrics"); - const { - AzureMonitorMetricExporter, - } = require("@azure/monitor-opentelemetry-exporter"); -- const provider = new MeterProvider(); - const exporter = new AzureMonitorMetricExporter({ - connectionString: "<Your Connection String>", - }); -- const metricReader = new PeriodicExportingMetricReader({ - exporter: exporter, - }); -- provider.addMetricReader(metricReader); -- const meter = provider.getMeter("OTel.AzureMonitor.Demo"); - let histogram = meter.createHistogram("histogram"); -- histogram.record(1, { testKey: "testValue" }); - histogram.record(30, { testKey: "testValue2" }); - histogram.record(100, { testKey2: "testValue" }); -``` --#### Counter Example --```javascript - const { - MeterProvider, - PeriodicExportingMetricReader, - } = require("@opentelemetry/sdk-metrics"); - const { AzureMonitorMetricExporter } = require("@azure/monitor-opentelemetry-exporter"); -- const provider = new MeterProvider(); - const exporter = new AzureMonitorMetricExporter({ - connectionString: "<Your Connection String>", - }); - const metricReader = new PeriodicExportingMetricReader({ - exporter: exporter, - }); - provider.addMetricReader(metricReader); - const meter = provider.getMeter("OTel.AzureMonitor.Demo"); - let counter = meter.createCounter("counter"); - counter.add(1, { "testKey": "testValue" }); - counter.add(5, { "testKey2": "testValue" }); - counter.add(3, { "testKey": "testValue2" }); -``` --#### Gauge Example --```javascript - const { - MeterProvider, - PeriodicExportingMetricReader - } = require("@opentelemetry/sdk-metrics"); - const { AzureMonitorMetricExporter } = require("@azure/monitor-opentelemetry-exporter"); -- const provider = new MeterProvider(); - const exporter = new AzureMonitorMetricExporter({ - connectionString: - connectionString: "<Your Connection String>", - }); - const metricReader = new 
PeriodicExportingMetricReader({ - exporter: exporter - }); - provider.addMetricReader(metricReader); - const meter = provider.getMeter("OTel.AzureMonitor.Demo"); - let gauge = meter.createObservableGauge("gauge"); - gauge.addCallback((observableResult) => { - let randomNumber = Math.floor(Math.random() * 100); - observableResult.observe(randomNumber, {"testKey": "testValue"}); - }); -``` --### Add Custom Exceptions --Select instrumentation libraries automatically report exceptions to Application Insights. -However, you may want to manually report exceptions beyond what instrumentation libraries report. -For instance, exceptions caught by your code aren't ordinarily reported. You may wish to report them -to draw attention in relevant experiences including the failures section and end-to-end transaction views. --```javascript -const { trace } = require("@opentelemetry/api"); -const { BasicTracerProvider, SimpleSpanProcessor } = require("@opentelemetry/sdk-trace-base"); -const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter"); --const provider = new BasicTracerProvider(); -const exporter = new AzureMonitorTraceExporter({ - connectionString: "<Your Connection String>", -}); -provider.addSpanProcessor(new SimpleSpanProcessor(exporter)); -provider.register(); -const tracer = trace.getTracer("example-basic-tracer-node"); -let span = tracer.startSpan("hello"); -try{ - throw new Error("Test Error"); -} -catch(error){ - span.recordException(error); -} -``` --### Add Custom Spans --You may want to add a custom span when there's a dependency request that's not already collected by an instrumentation library or an application process that you wish to model as a span on the end-to-end transaction view. --```javascript -const { trace } = require("@opentelemetry/api"); -let tracer = trace.getTracer("testTracer"); -let customSpan = tracer.startSpan("testSpan"); -... 
-customSpan.end(); -``` --### Send custom telemetry using the Application Insights Classic API - -We recommend you use the OpenTelemetry APIs whenever possible, but there may be some scenarios when you have to use the Application Insights Classic APIs. - --## Modify telemetry --This section explains how to modify telemetry. --### Add span attributes --These attributes might include adding a custom property to your telemetry. You might also use attributes to set optional fields in the Application Insights schema, like Client IP. --#### Add a custom property to a Span --Any [attributes](#add-span-attributes) you add to spans are exported as custom properties. They populate the _customDimensions_ field in the requests, dependencies, traces, or exceptions table. --Use a custom processor: --> [!TIP] -> Add the processor shown here *before* the Azure Monitor Exporter. --```javascript -const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter"); -const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node"); -const { SimpleSpanProcessor } = require("@opentelemetry/sdk-trace-base"); --class SpanEnrichingProcessor { - forceFlush() { - return Promise.resolve(); - } - shutdown() { - return Promise.resolve(); - } - onStart(_span){} - onEnd(span){ - span.attributes["CustomDimension1"] = "value1"; - span.attributes["CustomDimension2"] = "value2"; - } -} --const provider = new NodeTracerProvider(); -const azureExporter = new AzureMonitorTraceExporter({ - connectionString: "<Your Connection String>" -}); --provider.addSpanProcessor(new SpanEnrichingProcessor()); -provider.addSpanProcessor(new SimpleSpanProcessor(azureExporter)); -``` --#### Set the user IP --You can populate the _client_IP_ field for requests by setting the `http.client_ip` attribute on the span. Application Insights uses the IP address to generate user location attributes and then [discards it by default](ip-collection.md#default-behavior). 
--Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code: --```javascript -... -const { SemanticAttributes } = require("@opentelemetry/semantic-conventions"); --class SpanEnrichingProcessor { - ... -- onEnd(span){ - span.attributes[SemanticAttributes.HTTP_CLIENT_IP] = "<IP Address>"; - } -} -``` --#### Set the user ID or authenticated user ID --You can populate the _user_Id_ or _user_AuthenticatedId_ field for requests by using the guidance in this section. User ID is an anonymous user identifier. Authenticated User ID is a known user identifier. --> [!IMPORTANT] -> Consult applicable privacy laws before you set the Authenticated User ID. --Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code: --```typescript -... -import { SemanticAttributes } from "@opentelemetry/semantic-conventions"; --class SpanEnrichingProcessor implements SpanProcessor{ - ... -- onEnd(span: ReadableSpan){ - span.attributes[SemanticAttributes.ENDUSER_ID] = "<User ID>"; - } -} -``` --### Add Log Attributes - -Currently unavailable. --### Filter telemetry --You might use the following ways to filter out telemetry before it leaves your application. --1. Exclude the URL option provided by many HTTP instrumentation libraries. 
-- The following example shows how to exclude a certain URL from being tracked by using the [HTTP/HTTPS instrumentation library](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http): - - ```javascript - const { registerInstrumentations } = require( "@opentelemetry/instrumentation"); - const { HttpInstrumentation } = require( "@opentelemetry/instrumentation-http"); - const { NodeTracerProvider } = require( "@opentelemetry/sdk-trace-node"); -- const httpInstrumentationConfig = { - ignoreIncomingRequestHook: (request) => { - // Ignore OPTIONS incoming requests - if (request.method === 'OPTIONS') { - return true; - } - return false; - }, - ignoreOutgoingRequestHook: (options) => { - // Ignore outgoing requests with /test path - if (options.path === '/test') { - return true; - } - return false; - } - }; -- const httpInstrumentation = new HttpInstrumentation(httpInstrumentationConfig); - const provider = new NodeTracerProvider(); - provider.register(); -- registerInstrumentations({ - instrumentations: [ - httpInstrumentation, - ] - }); - ``` --2. Use a custom processor. You can use a custom span processor to exclude certain spans from being exported. To mark spans to not be exported, set `TraceFlag` to `DEFAULT`. -Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code: -- ```javascript - const { SpanKind, TraceFlags } = require("@opentelemetry/api"); -- class SpanEnrichingProcessor { - ... -- onEnd(span) { - if(span.kind == SpanKind.INTERNAL){ - span.spanContext().traceFlags = TraceFlags.NONE; - } - } - } - ``` --### Get the trace ID or span ID - -You might want to get the trace ID or span ID. If you have logs that are sent to a different destination besides Application Insights, you might want to add the trace ID or span ID to enable better correlation when you debug and diagnose issues. 
-- ```javascript - const { trace } = require("@opentelemetry/api"); -- let spanId = trace.getActiveSpan().spanContext().spanId; - let traceId = trace.getActiveSpan().spanContext().traceId; - ``` --## Enable the OTLP Exporter --You might want to enable the OpenTelemetry Protocol (OTLP) Exporter alongside your Azure Monitor Exporter to send your telemetry to two locations. --> [!NOTE] -> The OTLP Exporter is shown for convenience only. We don't officially support the OTLP Exporter or any components or third-party experiences downstream of it. --1. Install the [OpenTelemetry Collector Exporter](https://www.npmjs.com/package/@opentelemetry/exporter-otlp-http) package along with the [Azure Monitor OpenTelemetry Exporter](https://www.npmjs.com/package/@azure/monitor-opentelemetry-exporter) in your project. -- ```sh - npm install @opentelemetry/exporter-otlp-http - npm install @azure/monitor-opentelemetry-exporter - ``` --2. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-js/tree/main/examples/otlp-exporter-node). 
-- ```javascript - const { BasicTracerProvider, SimpleSpanProcessor } = require('@opentelemetry/sdk-trace-base'); - const { OTLPTraceExporter } = require('@opentelemetry/exporter-otlp-http'); - const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter"); - - const provider = new BasicTracerProvider(); - const azureMonitorExporter = new AzureMonitorTraceExporter({ - connectionString: "<Your Connection String>", - }); - const otlpExporter = new OTLPTraceExporter(); - provider.addSpanProcessor(new SimpleSpanProcessor(azureMonitorExporter)); - provider.addSpanProcessor(new SimpleSpanProcessor(otlpExporter)); - provider.register(); - ``` ---## Next steps --- To review the source code, see the [Azure Monitor Exporter GitHub repository](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/monitor/monitor-opentelemetry-exporter).-- To install the npm package, check for updates, or view release notes, see the [Azure Monitor Exporter npm Package](https://www.npmjs.com/package/@azure/monitor-opentelemetry-exporter) page.-- To become more familiar with Azure Monitor Application Insights and OpenTelemetry, see the [Azure Monitor Example Application](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/monitor/monitor-opentelemetry-exporter/samples).-- To learn more about OpenTelemetry and its community, see the [OpenTelemetry JavaScript GitHub repository](https://github.com/open-telemetry/opentelemetry-js).-- To enable usage experiences, [enable web or browser user monitoring](javascript.md). |
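Review bot: This deletes the whole article, including guidance that no other page in this change set carries: the `ApplicationInsightsSampler` fixed-rate sampling example, the aggregation-type table for OpenTelemetry metric instruments, the `SpanEnrichingProcessor` pattern for custom properties, client IP and user ID, the request-filtering hooks, and the dual Azure Monitor plus OTLP export setup. If that material moved to the `opentelemetry-configuration.md` and `opentelemetry-add-modify.md` articles, the commit should say so and add a redirect for `opentelemetry-nodejs-exporter.md`; otherwise inbound links to this file and its anchors (for example `#set-the-cloud-role-name-and-the-cloud-role-instance`) will break.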
azure-monitor | Overview Dashboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/overview-dashboard.md | Title: Application Insights Overview dashboard | Microsoft Docs description: Monitor applications with Application Insights and Overview dashboard functionality. Previously updated : 03/22/2023 Last updated : 10/11/2023 # Application Insights Overview dashboard -Application Insights has always provided a summary overview pane to allow quick, at-a-glance assessment of your application's health and performance. The new **Overview** dashboard provides a faster more flexible experience. +Application Insights provides a summary in the overview pane to allow at-a-glance assessment of your application's health and performance. -## How do I test out the new experience? -The new **Overview** dashboard now launches by default. ---## Better performance --Time range selection has been simplified to a simple one-click interface. +A time range selection is available at the top of the interface. :::image type="content" source="./media/overview-dashboard/app-insights-overview-dashboard-03.png" lightbox="./media/overview-dashboard/app-insights-overview-dashboard-03.png" alt-text="Screenshot that shows the time range."::: -Overall performance has been greatly increased. You have one-click access to popular features like **Search** and **Analytics**. Each default dynamically updating KPI tile provides insight into corresponding Application Insights features. To learn more about failed requests, under **Investigate**, select **Failures**. +Each tile can be selected to navigate to the corresponding experience. As an example, selecting the **Failed requests** tile opens the **Failures** experience. 
:::image type="content" source="./media/overview-dashboard/app-insights-overview-dashboard-04.png" lightbox="./media/overview-dashboard/app-insights-overview-dashboard-04.png" alt-text="Screenshot that shows failures."::: Overall performance has been greatly increased. You have one-click access to pop The application dashboard uses the existing dashboard technology within Azure to provide a fully customizable single pane view of your application health and performance. -To access the default dashboard, select **Application Dashboard** in the upper-left corner. +To access the default dashboard, select **Application Dashboard**. :::image type="content" source="./media/overview-dashboard/app-insights-overview-dashboard-05.png" lightbox="./media/overview-dashboard/app-insights-overview-dashboard-05.png" alt-text="Screenshot that shows the Application Dashboard button."::: -If this is your first time accessing the dashboard, it opens a default view. +If it's your first time accessing the dashboard, it opens a default view. :::image type="content" source="./media/overview-dashboard/0001-dashboard.png" lightbox="./media/overview-dashboard/0001-dashboard.png" alt-text="Screenshot that shows the Dashboard view."::: You can keep the default view if you like it. Or you can also add and delete fro > [!NOTE] > All users with access to the Application Insights resource share the same **Application Dashboard** experience. Changes made by one user will modify the view for all users. -To go back to the overview experience, select the **Overview** button. +## Frequently asked questions ++### Can I display more than 30 days of data? +No, there's a limit of 30 days of data displayed in a dashboard. -## Troubleshooting +### I'm seeing a "resource not found" error on the dashboard -Currently, there's a limit of 30 days of data displayed in a dashboard. 
If you select a time filter beyond 30 days, or if you select **Configure tile settings** and set a custom time range in excess of 30 days, your dashboard won't display beyond 30 days of data. This is the case even with the default data retention of 90 days. There's currently no workaround for this behavior. +A "resource not found" error can occur if you move or rename your Application Insights instance. -The default **Application Dashboard** is created on demand the first time you select the Application Dashboard button. If you move or rename your Application Insights instance, queries on the dashboard will fail with "Resource not found" errors because the dashboard queries rely on the original resource URI. Delete the default dashboard. On the Application Insights **Overview** resource menu, select **Application Dashboard** again. The default dashboard will be re-created with the new resource name. Make other custom edits to the dashboard as needed. +To work around this behavior, delete the default dashboard and select **Application Dashboard** again to re-create a new one. ## Next steps |
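Review bot: the rewritten 30-day FAQ answer drops two details the removed paragraph carried: that the cap applies even with the default 90-day data retention, and that a custom time range set through **Configure tile settings** beyond 30 days is still cut off at 30 days. Suggest keeping one sentence, e.g. `No, a dashboard displays at most 30 days of data, even though the default data retention is 90 days.` Likewise, the new "resource not found" answer no longer says why the error occurs (the dashboard queries rely on the original resource URI); one clause restoring that reason would tell readers why deleting and re-creating the dashboard is the fix rather than an arbitrary workaround.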
azure-monitor | Container Insights Syslog | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-syslog.md | -Container Insights offers the ability to collect Syslog events from Linux nodes in your [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) clusters. This includes the ability to collect logs from control plane componemts like kubelet. Customers can also use Syslog for monitoring security and health events, typically by ingesting syslog into a SIEM system like [Microsoft Sentinel](https://azure.microsoft.com/products/microsoft-sentinel/#overview). +Container Insights offers the ability to collect Syslog events from Linux nodes in your [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) clusters. This includes the ability to collect logs from control plane components like kubelet. Customers can also use Syslog for monitoring security and health events, typically by ingesting syslog into a SIEM system like [Microsoft Sentinel](https://azure.microsoft.com/products/microsoft-sentinel/#overview). > [!IMPORTANT] > Syslog collection with Container Insights is a preview feature. Preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. Previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. |
azure-monitor | Availability Zones | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/availability-zones.md | +> [!NOTE] +> Moving to a dedicated cluster in a region that supports availablility zones protects data ingested after the move, not historical data. + Azure Monitor currently supports data resilience for availability-zone-enabled dedicated clusters in these regions: | Americas | Europe | Middle East | Africa | Asia Pacific | |
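Review bot: typo in the added note: `availablility zones` should be `availability zones`.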
azure-monitor | Logs Data Export | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-data-export.md | Data export is optimized to move large data volume to your destinations. The exp ## Pricing model Data export charges are based on the number of bytes exported to destinations in JSON formatted data, and measured in GB (10^9 bytes). Size calculation in workspace query can't correspond with export charges since doesn't include the JSON formatted data. You can use PowerShell to [calculate the total billing size of a blob container](../../storage/scripts/storage-blobs-container-calculate-billing-size-powershell.md). -For more information, including the data export billing timeline, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). +For more information, including the data export billing timeline, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). Billing for Data Export was enabled in early October 2023. ## Export destinations Use the following command to create a data export rule to a specific Event Hub b } ``` + ## View data export rule configuration If the data export rule includes an unsupported table, the configuration will su ## Next steps [Query the exported data from Azure Data Explorer](../logs/azure-data-explorer-query-storage.md)+ |
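Review bot: the unchanged pricing sentence `Size calculation in workspace query can't correspond with export charges since doesn't include the JSON formatted data.` is missing its subject; suggest `since it doesn't include the JSON formatted data` while this paragraph is being touched. The two `+` lines that add only a blank line (the one before `## View data export rule configuration` and the one after the Next steps link) change whitespace only and could be dropped from the change.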
azure-netapp-files | Access Smb Volume From Windows Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/access-smb-volume-from-windows-client.md | Title: Access SMB volumes from Azure AD joined Windows virtual machines -description: Learn how to access Azure NetApp Files SMB volumes from an on-premises environment using Azure Active Directory (AD). + Title: Access SMB volumes from Microsoft Entra joined Windows virtual machines +description: Learn how to access Azure NetApp Files SMB volumes from an on-premises environment using Microsoft Entra ID. -# Access SMB volumes from Azure Active Directory-joined Windows virtual machines +# Access SMB volumes from Microsoft Entra joined Windows virtual machines -You can use Azure Active Directory (Azure AD) with the Hybrid Authentication Management module to authenticate credentials in your hybrid cloud. This solution enables Azure AD to become the trusted source for both cloud and on-premises authentication, circumventing the need for clients connecting to Azure NetApp Files to join the on-premises AD domain. +You can use Microsoft Entra ID with the Hybrid Authentication Management module to authenticate credentials in your hybrid cloud. This solution enables Microsoft Entra ID to become the trusted source for both cloud and on-premises authentication, circumventing the need for clients connecting to Azure NetApp Files to join the on-premises AD domain. >[!NOTE]->Using Azure AD for authenticating [hybrid user identities](../active-directory/hybrid/whatis-hybrid-identity.md) allows Azure AD users to access Azure NetApp Files SMB shares. This means your end users can access Azure NetApp Files SMB shares without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. Cloud-only identities aren't currently supported. 
For more information, see [Understand guidelines for Active Directory Domain Services site design and planning](understand-guidelines-active-directory-domain-service-site.md). +>Using Microsoft Entra ID for authenticating [hybrid user identities](../active-directory/hybrid/whatis-hybrid-identity.md) allows Microsoft Entra users to access Azure NetApp Files SMB shares. This means your end users can access Azure NetApp Files SMB shares without requiring a line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VMs. Cloud-only identities aren't currently supported. For more information, see [Understand guidelines for Active Directory Domain Services site design and planning](understand-guidelines-active-directory-domain-service-site.md). ## Requirements and considerations * Azure NetApp Files NFS volumes and dual-protocol (NFSv4.1 and SMB) volumes are not supported. * NFSv3 and SMB dual-protocol volumes with NTFS security style are supported.-* You must have installed and configured [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594) to synchronize your AD DS users with Microsoft Azure AD ID. For more information, see [Get started with Azure AD Connect by using express settings](../active-directory/hybrid/connect/how-to-connect-install-express.md). +* You must have installed and configured [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594) to synchronize your AD DS users with Microsoft Entra ID. For more information, see [Get started with Microsoft Entra Connect by using express settings](../active-directory/hybrid/connect/how-to-connect-install-express.md). - Verify the hybrid identities are synced with Azure AD users. In the Azure portal under **Azure Active Directory**, navigate to **Users**. You should see that user accounts from AD DS are listed and the property, **On-premises sync enabled** shows "yes". 
+ Verify the hybrid identities are synced with Microsoft Entra users. In the Azure portal under **Microsoft Entra ID**, navigate to **Users**. You should see that user accounts from AD DS are listed and the property, **On-premises sync enabled** shows "yes". >[!NOTE]- >After the initial configuration of Azure AD Connect, when you add a new AD DS user, you must run the `Start-ADSyncSyncCycle` command in the Administrator PowerShell to synchronize the new user to Azure AD or wait for the scheduled sync to occur. + >After the initial configuration of Microsoft Entra Connect, when you add a new AD DS user, you must run the `Start-ADSyncSyncCycle` command in the Administrator PowerShell to synchronize the new user to Microsoft Entra ID or wait for the scheduled sync to occur. * You must have created an [SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md).-* You must have a Windows virtual machine (VM) with Azure AD login enabled. For more information, see [Log in to a Windows VM in Azure by using Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md). Be sure to [Configure role assignments for the VM](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#configure-role-assignments-for-the-vm) to determine which accounts can log in to the VM. +* You must have a Windows virtual machine (VM) with Microsoft Entra login enabled. For more information, see [Log in to a Windows VM in Azure by using Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md). Be sure to [Configure role assignments for the VM](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#configure-role-assignments-for-the-vm) to determine which accounts can log in to the VM. * DNS must be properly configured so the client VM can access your Azure NetApp Files volumes via the fully qualified domain name (FQDN). 
## Steps The configuration process takes you through five process: * Add the CIFS SPN to the computer account-* Register a new Azure AD application -* Sync CIFS password from AD DS to the Azure AD application registration -* Configure the Azure AD-joined VM to use Kerberos authentication +* Register a new Microsoft Entra application +* Sync CIFS password from AD DS to the Microsoft Entra application registration +* Configure the Microsoft Entra joined VM to use Kerberos authentication * Mount the Azure NetApp Files SMB volumes ### Add the CIFS SPN to the computer account The configuration process takes you through five process: :::image type="content" source="../media/azure-netapp-files/multi-value-string-editor.png" alt-text="Screenshot of multi-value string editor window." lightbox="../media/azure-netapp-files/multi-value-string-editor.png"::: -### Register a new Azure AD application +<a name='register-a-new-azure-ad-application'></a> -1. In the Azure portal, navigate to **Azure AD**. Select **App Registrations**. +### Register a new Microsoft Entra application ++1. In the Azure portal, navigate to **Microsoft Entra ID**. Select **App Registrations**. 1. Select **+ New registration**. 1. Assign a **Name**. Under select the **Supported account type**, choose **Accounts in this organizational directory only (Single tenant)**. 1. Select **Register**. The configuration process takes you through five process: 1. From **Overview**, make note of the **Application (client) ID**, which is required later. -### Sync CIFS password from AD DS to the Azure AD application registration +<a name='sync-cifs-password-from-ad-ds-to-the-azure-ad-application-registration'></a> ++### Sync CIFS password from AD DS to the Microsoft Entra application registration 1. From your AD DS domain controller, open PowerShell. 1. Install the [Hybrid Authentication Management module](/azure/azure-sql/managed-instance/winauth-azuread-setup-incoming-trust-based-flow) for synchronizing passwords. 
The configuration process takes you through five process: 1. Define the following variables: * `$servicePrincipalName`: The SPN details from mounting the Azure NetApp Files volume. Use the CIFS/FQDN format. For example: `CIFS/NETBIOS-1234.CONTOSO.COM`- * `$targetApplicationID`: Application (client) ID of the Azure AD application. + * `$targetApplicationID`: Application (client) ID of the Microsoft Entra application. * `$domainCred`: use `Get-Credential` (should be an AD DS domain administrator)- * `$cloudCred`: use `Get-Credential` (should be an Azure AD global administrator) + * `$cloudCred`: use `Get-Credential` (should be a Microsoft Entra Global Administrator) ```powershell $servicePrincipalName = CIFS/NETBIOS-1234.CONTOSO.COM The configuration process takes you through five process: >[!NOTE] >The `Get-Credential` command will initiate a pop-up Window where you can enter credentials. -1. Import the CIFS details to Azure AD: +1. Import the CIFS details to Microsoft Entra ID: ```powershell Import-AzureADKerberosOnPremServicePrincipal -Domain $domain -DomainCredential $domainCred -CloudCredential $cloudCred -ServicePrincipalName $servicePrincipalName -ApplicationId $targetApplicationId ``` -### Configure the Azure AD-joined VM to use Kerberos authentication +<a name='configure-the-azure-ad-joined-vm-to-use-kerberos-authentication'></a> ++### Configure the Microsoft Entra joined VM to use Kerberos authentication -1. Log in to the Azure AD-joined VM using hybrid credentials with administrative rights (for example: user@mydirectory.onmicrosoft.com). +1. Log in to the Microsoft Entra joined VM using hybrid credentials with administrative rights (for example: user@mydirectory.onmicrosoft.com). 1. Configure the VM: 1. Navigate to **Edit group policy** > **Computer Configuration** > **Administrative Templates** > **System** > **Kerberos**.- 1. Enable **Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon**. + 1. 
Enable **Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon**. 1. Enable **Define host name-to-Kerberos realm mappings**. Select **Show** then provide a **Value name** and **Value** using your domain name preceded by a period. For example: * Value name: KERBEROS.MICROSOFTONLINE.COM * Value: .contoso.com The configuration process takes you through five process: ### Mount the Azure NetApp Files SMB volumes -1. Log into to the Azure AD-joined VM using a hybrid identity account synced from AD DS. +1. Log into to the Microsoft Entra joined VM using a hybrid identity account synced from AD DS. 2. Mount the Azure NetApp Files SMB volume using the info provided in the Azure portal. For more information, see [Mount SMB volumes for Windows VMs](mount-volumes-vms-smb.md). 3. Confirm the mounted volume is using Kerberos authentication and not NTLM authentication. Open a command prompt, issue the `klist` command; observe the output in the cloud TGT (krbtgt) and CIFS server ticket information. The configuration process takes you through five process: * [Understand guidelines for Active Directory Domain Services](understand-guidelines-active-directory-domain-service-site.md) * [Create and manage Active Directory connections](create-active-directory-connections.md)-* [Introduction to Azure AD Connect V2.0](../active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md) +* [Introduction to Microsoft Entra Connect V2.0](../active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md) |
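Review bot: the PowerShell sample in the "Sync CIFS password" section assigns `$servicePrincipalName = CIFS/NETBIOS-1234.CONTOSO.COM` without quotes; PowerShell parses an unquoted right-hand side that begins with a bare word as a command and tries to run `CIFS/NETBIOS-1234.CONTOSO.COM`, so the line fails. Suggest `$servicePrincipalName = "CIFS/NETBIOS-1234.CONTOSO.COM"`. Two wording points in the same file: the added line in the Mount section still reads `Log into to the Microsoft Entra joined VM` (duplicated "to"), and the repeated context line `The configuration process takes you through five process` should read `five steps`.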
azure-netapp-files | Azure Government | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-government.md | When connecting to Azure Government through PowerShell, you must specify an envi | Connection type | Command | | | | | [Azure](/powershell/module/az.accounts/Connect-AzAccount) commands |`Connect-AzAccount -EnvironmentName AzureUSGovernment` | -| [Azure Active Directory](/powershell/module/azuread/connect-azuread) commands |`Connect-AzureAD -AzureEnvironmentName AzureUSGovernment` | +| [Microsoft Entra ID](/powershell/module/azuread/connect-azuread) commands |`Connect-AzureAD -AzureEnvironmentName AzureUSGovernment` | | [Azure (Classic deployment model)](/powershell/module/servicemanagement/azure/add-azureaccount) commands |`Add-AzureAccount -Environment AzureUSGovernment` | -| [Azure Active Directory (Classic deployment model)](/previous-versions/azure/jj151815(v=azure.100)) commands |`Connect-MsolService -AzureEnvironment UsGovernment` | +| [Microsoft Entra ID (Classic deployment model)](/previous-versions/azure/jj151815(v=azure.100)) commands |`Connect-MsolService -AzureEnvironment UsGovernment` | See [Connect to Azure Government with PowerShell](../azure-government/documentation-government-get-started-connect-with-ps.md) for details. |
azure-netapp-files | Azure Netapp Files Develop With Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-develop-with-rest-api.md | The REST API specification for Azure NetApp Files is published through [GitHub]( ## Access the Azure NetApp Files REST API 1. [Install the Azure CLI](/cli/azure/install-azure-cli) if you haven't done so already.-2. Create a service principal in your Azure Active Directory (Azure AD): +2. Create a service principal in your Microsoft Entra ID: 1. Verify that you have [sufficient permissions](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). 2. Enter the following command in the Azure CLI: |
azure-netapp-files | Azure Netapp Files Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-introduction.md | Azure NetApp Files provides built-in data protection to help ensure the safe sto * Data replication: Azure NetApp Files supports data replication between different Azure regions and Availability Zones, which helps to ensure high availability and disaster recovery. Replication can be done asynchronously, and the service can fail over to a secondary region or zone in an outage. * Security: - Azure NetApp Files provides built-in security features such as RBAC/IAM, Active Directory Domain Services (AD DS), Azure Active Directory Domain Services (AADDS) and LDAP integration, and Azure Policy. This functionality helps to protect data from unauthorized access, breaches, and misconfigurations. + Azure NetApp Files provides built-in security features such as RBAC/IAM, Active Directory Domain Services (AD DS), Microsoft Entra Domain Services and LDAP integration, and Azure Policy. This functionality helps to protect data from unauthorized access, breaches, and misconfigurations. All these features work together to provide a comprehensive data protection solution that helps to ensure that your data is always available, recoverable, and secure. |
azure-netapp-files | Azure Netapp Files Solution Architectures | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md | This section provides references for Virtual Desktop infrastructure solutions. * [Create an FSLogix profile container for a host pool using Azure NetApp Files](../virtual-desktop/create-fslogix-profile-container.md) * [Azure Virtual Desktop at enterprise scale](/azure/architecture/example-scenario/wvd/windows-virtual-desktop) * [Microsoft FSLogix for the enterprise - Azure NetApp Files best practices](/azure/architecture/example-scenario/wvd/windows-virtual-desktop-fslogix#azure-netapp-files-best-practices)-* [Enhanced Performance and Scalability: Azure AD-joined Session Hosts with Azure NetApp Files](https://techcommunity.microsoft.com/t5/azure-architecture-blog/enhanced-performance-and-scalability-azure-ad-joined-session/ba-p/3836576) +* [Enhanced Performance and Scalability: Microsoft Entra joined Session Hosts with Azure NetApp Files](https://techcommunity.microsoft.com/t5/azure-architecture-blog/enhanced-performance-and-scalability-azure-ad-joined-session/ba-p/3836576) * [Setting up Azure NetApp Files for MSIX App Attach](https://techcommunity.microsoft.com/t5/windows-virtual-desktop/setting-up-azure-netapp-files-for-msix-app-attach-step-by-step/m-p/1990021)-* [Multiple forests with AD DS and Azure AD ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/wvd/multi-forest) +* [Multiple forests with AD DS and Microsoft Entra ID ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/wvd/multi-forest) * [Multiregion Business Continuity and Disaster Recovery (BCDR) for Azure Virtual Desktop ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr) * [Deploy Esri ArcGIS Pro in Azure Virtual Desktop ΓÇô Azure Example 
Scenarios](/azure/architecture/example-scenario/data/esri-arcgis-azure-virtual-desktop) |
azure-netapp-files | Configure Access Control Lists | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-access-control-lists.md | ACLs contain access control entities (ACEs), which specify the permissions (read ## Configure ACLs -1. If you want to configure ACLs for a Linux VM joined to Active Directory, complete the steps in [Join a Linux VM to an Azure Active Directory Domain](join-active-directory-domain.md). +1. If you want to configure ACLs for a Linux VM joined to Active Directory, complete the steps in [Join a Linux VM to a Microsoft Entra Domain](join-active-directory-domain.md). 1. [Mount the volume](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md). |
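Review bot: the new link text `Join a Linux VM to a Microsoft Entra Domain` is inconsistent with the rest of this rename. The old text, `Azure Active Directory Domain`, referred to an Azure AD DS managed domain, which the other files in this change (for example configure-kerberos-encryption.md and configure-ldap-extended-groups.md) consistently rename to `Microsoft Entra Domain Services`; `Microsoft Entra Domain` on its own is not a product name. Suggest `Join a Linux VM to a Microsoft Entra Domain Services domain`.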
azure-netapp-files | Configure Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-customer-managed-keys.md | The following diagram demonstrates how customer-managed keys work with Azure Net 1. Azure NetApp Files grants permissions to encryption keys to a managed identity. The managed identity is either a user-assigned managed identity that you create and manage or a system-assigned managed identity associated with the NetApp account. 2. You configure encryption with a customer-managed key for the NetApp account.-3. You use the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Azure Active Directory. +3. You use the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Microsoft Entra ID. 4. Azure NetApp Files wraps the account encryption key with the customer-managed key in Azure Key Vault. Customer-managed keys have no performance impact on Azure NetApp Files. Its only difference from Microsoft-managed keys is how the key is managed. |
azure-netapp-files | Configure Kerberos Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-kerberos-encryption.md | Azure NetApp Files supports NFS client encryption in Kerberos modes (krb5, krb5i The following requirements apply to NFSv4.1 client encryption: -* Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (AADDS) connection to facilitate Kerberos ticketing +* Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services connection to facilitate Kerberos ticketing * DNS A/PTR record creation for both the client and Azure NetApp Files NFS server IP addresses * A Linux client: This article provides guidance for RHEL and Ubuntu clients. Other clients will work with similar configuration steps. * NTP server access: You can use one of the commonly used Active Directory Domain Controller (AD DC) domain controllers. You should understand the security options available for NFSv4.1 volumes, the te * [Create an NFS volume for Azure NetApp Files](azure-netapp-files-create-volumes.md) * [Create an Active Directory connection](create-active-directory-connections.md) * [Configure an NFS client for Azure NetApp Files](configure-nfs-clients.md) -* [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) +* [Configure ADDS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md) |
azure-netapp-files | Configure Ldap Extended Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-ldap-extended-groups.md | Azure NetApp Files supports fetching of extended groups from the LDAP name servi When itΓÇÖs determined that LDAP will be used for operations such as name lookup and fetching extended groups, the following process occurs: -1. Azure NetApp Files uses an LDAP client configuration to make a connection attempt to the AD DS or Azure AD DS LDAP server that is specified in the [Azure NetApp Files AD configuration](create-active-directory-connections.md). -1. If the TCP connection over the defined AD DS or Azure AD DS LDAP service port is successful, then the Azure NetApp Files LDAP client attempts to ΓÇ£bindΓÇ¥ (sign in) to the AD DS or Azure AD DS LDAP server (domain controller) by using the defined credentials in the LDAP client configuration. -1. If the bind is successful, then the Azure NetApp Files LDAP client uses the RFC 2307bis LDAP schema to make an LDAP search query to the AD DS or Azure AD DS LDAP server (domain controller). +1. Azure NetApp Files uses an LDAP client configuration to make a connection attempt to the AD DS or Microsoft Entra Domain Services LDAP server that is specified in the [Azure NetApp Files AD configuration](create-active-directory-connections.md). +1. If the TCP connection over the defined AD DS or Microsoft Entra Domain Services LDAP service port is successful, then the Azure NetApp Files LDAP client attempts to ΓÇ£bindΓÇ¥ (sign in) to the AD DS or Microsoft Entra Domain Services LDAP server (domain controller) by using the defined credentials in the LDAP client configuration. +1. If the bind is successful, then the Azure NetApp Files LDAP client uses the RFC 2307bis LDAP schema to make an LDAP search query to the AD DS or Microsoft Entra Domain Services LDAP server (domain controller). 
The following information is passed to the server in the query: * [Base/user DN](configure-ldap-extended-groups.md#ldap-search-scope) (to narrow search scope) * Search scope type (subtree) The following information is passed to the server in the query: * UID or username * Requested attributes (`uid`, `uidNumber`, `gidNumber` for users, or `gidNumber` for groups) 1. If the user or group isnΓÇÖt found, the request fails, and access is denied.-1. If the request is successful, then user and group attributes are [cached for future use](configure-ldap-extended-groups.md#considerations). This operation improves the performance of subsequent LDAP queries associated with the cached user or group attributes. It also reduces the load on the AD DS or Azure AD DS LDAP server. +1. If the request is successful, then user and group attributes are [cached for future use](configure-ldap-extended-groups.md#considerations). This operation improves the performance of subsequent LDAP queries associated with the cached user or group attributes. It also reduces the load on the AD DS or Microsoft Entra Domain Services LDAP server. ## Considerations * You can enable the LDAP with extended groups feature only during volume creation. This feature can't be retroactively enabled on existing volumes. -* LDAP with extended groups is supported only with Active Directory Domain Services (AD DS) or Azure Active Directory Domain services (Azure AD DS). OpenLDAP or other third-party LDAP directory services are not supported. +* LDAP with extended groups is supported only with Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services. OpenLDAP or other third-party LDAP directory services are not supported. -* LDAP over TLS must *not* be enabled if you are using Azure Active Directory Domain Services (Azure AD DS). +* LDAP over TLS must *not* be enabled if you are using Microsoft Entra Domain Services. 
* You can't modify the LDAP option setting (enabled or disabled) after you've created the volume. |
azure-netapp-files | Create Active Directory Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-active-directory-connections.md | Several features of Azure NetApp Files require that you have an Active Directory ## <a name="requirements-for-active-directory-connections"></a>Requirements and considerations for Active Directory connections > [!IMPORTANT]-> You must follow guidelines described in [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](understand-guidelines-active-directory-domain-service-site.md) for Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS) used with Azure NetApp Files. +> You must follow guidelines described in [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](understand-guidelines-active-directory-domain-service-site.md) for Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services used with Azure NetApp Files. > In addition, before creating the AD connection, review [Modify Active Directory connections for Azure NetApp Files](modify-active-directory-connections.md) to understand the impact of making changes to the AD connection configuration options after the AD connection has been created. Changes to the AD connection configuration options are disruptive to client access and some options cannot be changed at all. * An Azure NetApp Files account must be created in the region where the Azure NetApp Files volumes are deployed. 
Several features of Azure NetApp Files require that you have an Active Directory * Enterprise Admins * Administrators * Account Operators - * Azure AD DS Administrators _(Azure AD DS Only)_ + * Microsoft Entra Domain Services Administrators _ (Microsoft Entra Domain Services Only)_ * Alternatively, an AD domain user account with `msDS-SupportedEncryptionTypes` write permission on the AD connection admin account can also be used to set the Kerberos encryption type property on the AD connection admin account. >[!NOTE] Several features of Azure NetApp Files require that you have an Active Directory >[!NOTE] >It is recommended that you configure a Secondary DNS server. See [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](understand-guidelines-active-directory-domain-service-site.md). Ensure that your DNS server configuration meets the requirements for Azure NetApp Files. Otherwise, Azure NetApp Files service operations, SMB authentication, Kerberos, or LDAP operations might fail. - If you use Azure AD DS (Azure AD DS), you should use the IP addresses of the Azure AD DS domain controllers for Primary DNS and Secondary DNS respectively. + If you use Microsoft Entra Domain Services, you should use the IP addresses of the Microsoft Entra Domain Services domain controllers for Primary DNS and Secondary DNS respectively. * **AD DNS Domain Name (required)** This is the fully qualified domain name of the AD DS that will be used with Azure NetApp Files (for example, `contoso.com`). * **AD Site Name (required)** This is the AD DS site name that will be used by Azure NetApp Files for domain controller discovery. - The default site name for both AD DS and Azure AD DS is `Default-First-Site-Name`. Follow the [naming conventions for site names](/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#site-names) if you want to rename the site name. 
+ The default site name for both AD DS and Microsoft Entra Domain Services is `Default-First-Site-Name`. Follow the [naming conventions for site names](/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou#site-names) if you want to rename the site name. >[!NOTE] > See [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](understand-guidelines-active-directory-domain-service-site.md). Ensure that your AD DS site design and configuration meets the requirements for Azure NetApp Files. Otherwise, Azure NetApp Files service operations, SMB authentication, Kerberos, or LDAP operations might fail. Several features of Azure NetApp Files require that you have an Active Directory If no value is provided, Azure NetApp Files will use the `CN=Computers` container. - If you're using Azure NetApp Files with Azure Active Directory Domain Services (Azure AD DS), the organizational unit path is `OU=AADDC Computers` + If you're using Azure NetApp Files with Microsoft Entra Domain Services, the organizational unit path is `OU=AADDC Computers` :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-join-active-directory.png" alt-text="Screenshot of the Join Active Directory input fields."::: Several features of Azure NetApp Files require that you have an Active Directory This option enables LDAP over TLS for secure communication between an Azure NetApp Files volume and the Active Directory LDAP server. You can enable LDAP over TLS for NFS, SMB, and dual-protocol volumes of Azure NetApp Files. >[!NOTE]- >LDAP over TLS must not be enabled if you're using Azure Active Directory Domain Services (Azure AD DS). Azure AD DS uses LDAPS (port 636) to secure LDAP traffic instead of LDAP over TLS (port 389). + >LDAP over TLS must not be enabled if you're using Microsoft Entra Domain Services. 
Microsoft Entra Domain Services uses LDAPS (port 636) to secure LDAP traffic instead of LDAP over TLS (port 389). For more information, see [Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md). Alternately, navigate to the **Volumes** menu. Identify the volume for which you * [Install a new Active Directory forest using Azure CLI](/windows-server/identity/ad-ds/deploy/virtual-dc/adds-on-azure-vm) * [Enable Active Directory Domain Services (AD DS) LDAP authentication for NFS volumes](configure-ldap-over-tls.md) * [AD DS LDAP with extended groups for NFS volume access](configure-ldap-extended-groups.md)-* [Access SMB volumes from Azure AD joined Windows virtual machines](access-smb-volume-from-windows-client.md) -+* [Access SMB volumes from Microsoft Entra joined Windows virtual machines](access-smb-volume-from-windows-client.md) |
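Review bot: the renamed bullet `* Microsoft Entra Domain Services Administrators _ (Microsoft Entra Domain Services Only)_` has a space after the opening underscore, so the italic marker no longer pairs with the closing one and the underscores render literally; the removed line `_(Azure AD DS Only)_` had no space. Suggest `_(Microsoft Entra Domain Services only)_`.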
azure-netapp-files | Create Volumes Dual Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/create-volumes-dual-protocol.md | You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` * Create a reverse lookup zone on the DNS server and then add a pointer (PTR) record of the AD host machine in that reverse lookup zone. Otherwise, the dual-protocol volume creation will fail. * The **Allow local NFS users with LDAP** option in Active Directory connections intends to provide occasional and temporary access to local users. When this option is enabled, user authentication and lookup from the LDAP server stop working, and the number of group memberships that Azure NetApp Files will support will be limited to 16. As such, you should keep this option *disabled* on Active Directory connections, except for the occasion when a local user needs to access LDAP-enabled volumes. In that case, you should disable this option as soon as local user access is no longer required for the volume. See [Allow local NFS users with LDAP to access a dual-protocol volume](#allow-local-nfs-users-with-ldap-to-access-a-dual-protocol-volume) about managing local user access. * Ensure that the NFS client is up to date and running the latest updates for the operating system.-* Dual-protocol volumes support both Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (AADDS). -* Dual-protocol volumes do not support the use of LDAP over TLS with Azure Active Directory Domain Services ([Azure AD DS](../active-directory-domain-services/overview.md)). LDAP over TLS is supported with Active Directory Domain Services (AD DS). See [LDAP over TLS considerations](configure-ldap-over-tls.md#considerations). +* Dual-protocol volumes support both Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services. 
+* Dual-protocol volumes do not support the use of LDAP over TLS with [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md). LDAP over TLS is supported with Active Directory Domain Services (AD DS). See [LDAP over TLS considerations](configure-ldap-over-tls.md#considerations). * The NFS version used by a dual-protocol volume can be NFSv3 or NFSv4.1. The following considerations apply: * Dual protocol does not support the Windows ACLS extended attributes `set/get` from NFS clients. * NFS clients cannot change permissions for the NTFS security style, and Windows clients cannot change permissions for UNIX-style dual-protocol volumes. The values specified for `objectClass` are separate entries. For example, in Mul ![Screenshot of Multi-valued String Editor that shows multiple values specified for Object Class.](../media/azure-netapp-files/multi-valued-string-editor.png) -Azure Active Directory Domain Services (AADDS) doesnΓÇÖt allow you to modify the objectClass POSIX attribute on users and groups created in the organizational AADDC Users OU. As a workaround, you can create a custom OU and create users and groups in the custom OU. +Microsoft Entra Domain Services doesnΓÇÖt allow you to modify the objectClass POSIX attribute on users and groups created in the organizational AADDC Users OU. As a workaround, you can create a custom OU and create users and groups in the custom OU. -If you are synchronizing the users and groups in your Azure AD tenancy to users and groups in the AADDC Users OU, you cannot move users and groups into a custom OU. Users and groups created in the custom OU will not be synchronized to your AD tenancy. For more information, see the [AADDS Custom OU Considerations and Limitations](../active-directory-domain-services/create-ou.md#custom-ou-considerations-and-limitations). 
+If you are synchronizing the users and groups in your Microsoft Entra tenancy to users and groups in the AADDC Users OU, you cannot move users and groups into a custom OU. Users and groups created in the custom OU will not be synchronized to your AD tenancy. For more information, see the [Microsoft Entra Domain Services Custom OU considerations and limitations](../active-directory-domain-services/create-ou.md#custom-ou-considerations-and-limitations). ### Access Active Directory Attribute Editor |
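Review bot: the rename in the custom-OU paragraph is incomplete: the first sentence now reads "in your Microsoft Entra tenancy", but the next sentence still says "will not be synchronized to your AD tenancy", so the same tenant is named two different ways in one paragraph. Suggest "will not be synchronized to your Microsoft Entra tenancy", matching the updated link text "Microsoft Entra Domain Services Custom OU considerations and limitations" on the same line.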
azure-netapp-files | Develop Rest Api Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/develop-rest-api-powershell.md | The REST API specification for Azure NetApp Files is published through [GitHub]( ## Access the Azure NetApp Files REST API 1. [Install the Azure CLI](/cli/azure/install-azure-cli) if you haven't done so already.-2. Create a service principal in your Azure Active Directory (Azure AD): +2. Create a service principal in your Microsoft Entra ID: 1. Verify that you have [sufficient permissions](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). 2. Enter the following command in the Azure CLI: |
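Review bot: "Create a service principal in your Microsoft Entra ID:" uses the service name where the tenant is meant; the removed line "in your Azure Active Directory (Azure AD)" read the same way, and the rename is the right moment to fix it. Suggest "Create a service principal in your Microsoft Entra tenant:".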
azure-netapp-files | Faq Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-smb.md | You can configure only one Active Directory (AD) connection per subscription and However, you can map multiple NetApp accounts that are under the same subscription and same region to a common AD server created in one of the NetApp accounts. See [Map multiple NetApp accounts in the same subscription and region to an AD connection](create-active-directory-connections.md#shared_ad). -## Does Azure NetApp Files support Azure Active Directory? +<a name='does-azure-netapp-files-support-azure-active-directory'></a> -Both [Azure Active Directory Domain Services (Azure AD DS)](../active-directory-domain-services/overview.md) and [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) are supported. You can use existing Active Directory domain controllers with Azure NetApp Files. Domain controllers can reside in Azure as virtual machines, or on premises via ExpressRoute or S2S VPN. Azure NetApp Files doesn't support AD join for [Azure Active Directory (Azure AD)](../active-directory/fundamentals/index.yml) at this time. +## Does Azure NetApp Files support Microsoft Entra ID? -If you're using Azure NetApp Files with Azure Active Directory Domain Services, the organizational unit path is `OU=AADDC Computers` when you configure Active Directory for your NetApp account. +Both [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) and [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) are supported. You can use existing Active Directory domain controllers with Azure NetApp Files. Domain controllers can reside in Azure as virtual machines, or on premises via ExpressRoute or S2S VPN. 
Azure NetApp Files doesn't support AD join for [Microsoft Entra ID](../active-directory/fundamentals/index.yml) at this time. ++If you're using Azure NetApp Files with Microsoft Entra Domain Services, the organizational unit path is `OU=AADDC Computers` when you configure Active Directory for your NetApp account. ## How do the Netlogon protocol changes in the April 2023 Windows Update affect Azure NetApp Files? |
azure-netapp-files | Join Active Directory Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/join-active-directory-domain.md | Title: Join a Linux VM to an Azure Active Directory Domain | Microsoft Docs -description: Describes how to join a Linux VM to an Azure Active Directory Domain + Title: Join a Linux VM to a Microsoft Entra Domain | Microsoft Docs +description: Describes how to join a Linux VM to a Microsoft Entra Domain documentationcenter: '' Last updated 12/20/2022 -# Join a Linux VM to an Azure Active Directory Domain +# Join a Linux VM to a Microsoft Entra Domain -Joining a Linux virtual machine (VM) to an [Azure Active Directory Domain Services (Azure AD DS)](../active-directory-domain-services/overview.md) managed domain enables users to sign into to VMs with one set of credentials. Once joined, the user accounts and credentials can be used to sign in, access, and manage servers. +Joining a Linux virtual machine (VM) to an [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) managed domain enables users to sign into to VMs with one set of credentials. Once joined, the user accounts and credentials can be used to sign in, access, and manage servers. Refer to [Understand guidelines for Active Directory Domain Services site design and planning](understand-guidelines-active-directory-domain-service-site.md) to learn more about using Active Directory in Azure NetApp Files. |
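Review bot: in `+Joining a Linux virtual machine (VM) to an [Microsoft Entra Domain Services](...) managed domain`, the article "an" fit "Azure" but not "Microsoft"; change to "to a [Microsoft Entra Domain Services](...) managed domain". The same line carries over the pre-existing typo "sign into to VMs", which could be corrected to "sign in to VMs" in this pass. The new title and description also say "a Microsoft Entra Domain" while the body describes a Microsoft Entra Domain Services managed domain; consider aligning the title with the body.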
azure-netapp-files | Lightweight Directory Access Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/lightweight-directory-access-protocol.md | Lightweight directory access protocol (LDAP) is a standard directory access prot LDAP models define how to communicate with the LDAP directory store, how to find an object in the directory, how to describe the objects in the store, and the security that is used to access the directory. LDAP allows customization and extension of the objects that are described in the store. Therefore, you can use an LDAP store to store many types of diverse information. Many of the initial LDAP deployments focused on the use of LDAP as a directory store for applications such as email and web applications and to store employee information. Many companies are replacing or have replaced Network Information Service (NIS) with LDAP as a network directory store. -An LDAP server provides UNIX user and group identities for use with NAS volumes. In Azure NetApp Files, Active Directory is the only currently supported LDAP server that can be used. This support includes both Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). +An LDAP server provides UNIX user and group identities for use with NAS volumes. In Azure NetApp Files, Active Directory is the only currently supported LDAP server that can be used. This support includes both Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services. LDAP requests can be broken down into two main operations. This RFC extension fits nicely into how Microsoft Active Directory manages users * [Configure AD DS LDAP over TLS for Azure NetApp Files](configure-ldap-over-tls.md) * [Understand NFS group memberships and supplemental groups](network-file-system-group-memberships.md) * [Azure NetApp Files NFS FAQ](faq-nfs.md)-* [Azure NetApp Files SMB FAQ](faq-smb.md) +* [Azure NetApp Files SMB FAQ](faq-smb.md) |
azure-netapp-files | Modify Active Directory Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/modify-active-directory-connections.md | Once you've [created an Active Directory connection](create-active-directory-con | AD DNS Domain Name | The domain name of your Active Directory Domain Services that you want to join.ΓÇ»| No | None | N/A | | AD Site Name | The site to which the domain controller discovery is limited. | Yes | This should match the site name in Active Directory Sites and Services. See footnote.* | Domain discovery is limited to the new site name. If not specified, "Default-First-Site-Name" is used. | | SMB Server (Computer Account) Prefix | Naming prefix for the computer account in Active Directory that Azure NetApp Files will use for the creation of new accounts. See footnote.* | Yes | Existing volumes need to be mounted again as the mount is changed for SMB shares and NFS Kerberos volumes.* | Renaming the SMB server prefix after you create the Active Directory connection is disruptive. You'll need to remount existing SMB shares and NFS Kerberos volumes after renaming the SMB server prefix as the mount path will change. |-| Organizational Unit Path | The LDAP path for the organizational unit (OU) where SMB server computer accounts will be created. `OU=second level`, `OU=first level`| No | If you're using Azure NetApp Files with Azure Active Directory Domain Services (AADDS), the organizational path is `OU=AADDC Computers` when you configure Active Directory for your NetApp Account. | Computer accounts will be placed under the OU specified. If not specified, the default of `OU=Computers` is used by default. | +| Organizational Unit Path | The LDAP path for the organizational unit (OU) where SMB server computer accounts will be created. 
`OU=second level`, `OU=first level`| No | If you're using Azure NetApp Files with Microsoft Entra Domain Services, the organizational path is `OU=AADDC Computers` when you configure Active Directory for your NetApp Account. | Computer accounts will be placed under the OU specified. If not specified, the default of `OU=Computers` is used by default. | | AES Encryption | To take advantage of the strongest security with Kerberos-based communication, you can enable AES-256 and AES-128 encryption on the SMB server. | Yes | If you enable AES encryption, the user credentials used to join Active Directory must have the highest corresponding account option enabled, matching the capabilities enabled for your Active Directory. For example, if your Active Directory has only AES-128 enabled, you must enable the AES-128 account option for the user credentials. If your Active Directory has the AES-256 capability, you must enable the AES-256 account option (which also supports AES-128). If your Active Directory doesn't have any Kerberos encryption capability, Azure NetApp Files uses DES by default.* | Enable AES encryption for Active Directory Authentication | | LDAP Signing | This functionality enables secure LDAP lookups between the Azure NetApp Files service and the user-specified Active Directory Domain Services domain controller. | Yes | LDAP signing to Require Signing in group policy* | This option provides ways to increase the security for communication between LDAP clients and Active Directory domain controllers. | | Allow local NFS users with LDAP | If enabled, this option manages access for local users and LDAP users. | Yes | This option allows access to local users. It's not recommended and, if enabled, should only be used for a limited time and later disabled. | If enabled, this option allows access to local users and LDAP users. If your configuration requires access for only LDAP users, you must disable this option. 
| Once you've [created an Active Directory connection](create-active-directory-con * [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](understand-guidelines-active-directory-domain-service-site.md) * [Configure AD DS LDAP with extended groups for NFS](configure-ldap-extended-groups.md) * [Configure AD DS LDAP over TLS](configure-ldap-over-tls.md)-* [Create and manage Active Directory connections](create-active-directory-connections.md) +* [Create and manage Active Directory connections](create-active-directory-connections.md) |
azure-netapp-files | Network Attached Storage Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/network-attached-storage-protocols.md | When a NAS client requests access to a dual-protocol volume in Azure NetApp File 5. Azure NetApp Files compares that user against the file-level permissions in the system. 6. File permissions control the level of access the user has. -In the following illustration, `user1` authenticates to Azure NetApp Files to access a dual-protocol volume through either SMB or NFS. Azure NetApp Files finds the userΓÇÖs Windows and UNIX information in Azure Active Directory and then maps the user's Windows and UNIX identities one-to-one. The user is verified as `user1` and gets `user1`'s access credentials. +In the following illustration, `user1` authenticates to Azure NetApp Files to access a dual-protocol volume through either SMB or NFS. Azure NetApp Files finds the userΓÇÖs Windows and UNIX information in Microsoft Entra ID and then maps the user's Windows and UNIX identities one-to-one. The user is verified as `user1` and gets `user1`'s access credentials. In this instance, `user1` gets full control on their own folder (`user1-dir`) and no access to the `HR` folder. This setting is based on the security ACLs specified in the file system, and `user1` will get the expected access regardless of which protocol they're accessing the volumes from. When you use Azure NetApp Files volumes for access to both SMB and NFS, some con * You need an Active Directory connection. As such, you need to meet the [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections). * Dual-protocol volumes require a reverse lookup zone in DNS with an associated pointer (PTR) record of the AD host machine to prevent dual-protocol volume creation failures. 
* Your NFS client and associated packages (such as `nfs-utils`) should be up to date for the best security, reliability and feature support.-* Dual-protocol volumes support both Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS, or AADDS). -* Dual-protocol volumes don't support the use of LDAP over TLS with AADDS. See [LDAP over TLS considerations](configure-ldap-over-tls.md#considerations). +* Dual-protocol volumes support both Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services. +* Dual-protocol volumes don't support the use of LDAP over TLS with Microsoft Entra Domain Services. See [LDAP over TLS considerations](configure-ldap-over-tls.md#considerations). * Supported NFS versions include: NFSv3 and NFSv4.1. * NFSv4.1 features such as parallel network file system (pNFS), session trunking, and referrals aren't currently supported with Azure NetApp Files volumes. * [Windows extended attributes `set`/`get`](/windows/win32/api/fileapi/ns-fileapi-createfile2_extended_parameters) aren't supported in dual-protocol volumes. When you use Azure NetApp Files volumes for access to both SMB and NFS, some con * [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md) * [Create a dual-protocol volume for Azure NetApp Files](create-volumes-dual-protocol.md) * [Azure NetApp Files NFS FAQ](faq-nfs.md)-* [Azure NetApp Files SMB FAQ](faq-smb.md) +* [Azure NetApp Files SMB FAQ](faq-smb.md) |
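Review bot: the mechanical rename in `+In the following illustration ... Azure NetApp Files finds the user's Windows and UNIX information in Microsoft Entra ID` changes the meaning rather than only the product name. Elsewhere in this same change set, the faq-smb update states "Azure NetApp Files doesn't support AD join for Microsoft Entra ID at this time", and the lightweight-directory-access-protocol update says Active Directory (AD DS or Microsoft Entra Domain Services) is the only supported LDAP server. The Windows and UNIX identity attributes are therefore looked up in the AD DS or Microsoft Entra Domain Services directory, not in Microsoft Entra ID. Suggest "in Active Directory" (or "in AD DS or Microsoft Entra Domain Services") here.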
azure-netapp-files | Troubleshoot Volumes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/troubleshoot-volumes.md | This article describes error messages and resolutions that can help you troubles | Error conditions | Resolutions | |--|-|-| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available."}]}` | This error indicates that the DNS is not reachable. <br> Consider the following solutions: <ul><li>Check if AD DS and the volume are being deployed in same region.</li> <li>Check if AD DS and the volume are using the same VNet. If they're using different VNETs, make sure that the VNets are peered with each other. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md). </li> <li>The DNS server might have network security groups (NSGs) applied. As such, it does not allow the traffic to flow. In this case, open the NSGs to the DNS or AD to connect to various ports. For port requirements, see [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections). </li></ul> <br>The same solutions apply for Azure AD DS. Azure AD DS should be deployed in the same region. The VNet should be in the same region or peered with the VNet used by the volume. | -| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. 
Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-C1C8\". Reason: Kerberos Error: Invalid credentials were given Details: Error: Machine account creation procedure failed\n [ 563] Loaded the preliminary configuration.\n**[ 670] FAILURE: Could not authenticate as 'test@contoso.com':\n** Unknown user (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)\n. "}]}` | <ul><li>Make sure that the username entered is correct. </li> <li>Make sure that the user is part of the Administrator group that has the privilege to create machine (computer) accounts. </li> <li> If you use Azure AD DS, make sure that the user is part of the Azure AD group `Azure AD DC Administrators`. </li></ul> | +| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available."}]}` | This error indicates that the DNS is not reachable. <br> Consider the following solutions: <ul><li>Check if AD DS and the volume are being deployed in same region.</li> <li>Check if AD DS and the volume are using the same VNet. If they're using different VNETs, make sure that the VNets are peered with each other. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md). </li> <li>The DNS server might have network security groups (NSGs) applied. As such, it does not allow the traffic to flow. In this case, open the NSGs to the DNS or AD to connect to various ports. 
For port requirements, see [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections). </li></ul> <br>The same solutions apply for Microsoft Entra Domain Services. Microsoft Entra Domain Services should be deployed in the same region. The VNet should be in the same region or peered with the VNet used by the volume. | +| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-C1C8\". Reason: Kerberos Error: Invalid credentials were given Details: Error: Machine account creation procedure failed\n [ 563] Loaded the preliminary configuration.\n**[ 670] FAILURE: Could not authenticate as 'test@contoso.com':\n** Unknown user (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)\n. "}]}` | <ul><li>Make sure that the username entered is correct. </li> <li>Make sure that the user is part of the Administrator group that has the privilege to create machine (computer) accounts. </li> <li> If you use Microsoft Entra Domain Services, make sure that the user is part of the Microsoft Entra group `Azure AD DC Administrators`. </li></ul> | | The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-A452\". 
Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed\n [ 567] Loaded the preliminary configuration.\n [ 671] Successfully connected to ip 10.x.x.x, port 88 using TCP\n**[ 1099] FAILURE: Could not authenticate as\n** 'user@contoso.com': CIFS server account password does\n** not match password stored in Active Directory\n** (KRB5KDC_ERR_PREAUTH_FAILED)\n. "}]}` | Make sure that the password entered for joining the AD connection is correct. |-| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError","message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-D9A2\". Reason: SecD Error: ou not found Details: Error: Machine account creation procedure failed\n [ 561] Loaded the preliminary configuration.\n [ 665] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ 1039] Successfully connected to ip 10.x.x.x, port 389 using TCP\n**[ 1147] FAILURE: Specifed OU 'OU=AADDC Com' does not exist in\n** contoso.com\n. "}]}` | Make sure that the OU path specified for joining the AD connection is correct. If you use Azure AD DS, make sure that the organizational unit path is `OU=AADDC Computers`. | +| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError","message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-D9A2\". 
Reason: SecD Error: ou not found Details: Error: Machine account creation procedure failed\n [ 561] Loaded the preliminary configuration.\n [ 665] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ 1039] Successfully connected to ip 10.x.x.x, port 389 using TCP\n**[ 1147] FAILURE: Specifed OU 'OU=AADDC Com' does not exist in\n** contoso.com\n. "}]}` | Make sure that the OU path specified for joining the AD connection is correct. If you use Microsoft Entra Domain Services, make sure that the organizational unit path is `OU=AADDC Computers`. | | The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-ANF-VOL. Reason: LDAP Error: Local error occurred Details: Error: Machine account creation procedure failed. [nnn] Loaded the preliminary configuration. [nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn] Successfully connected to ip 10.x.x.x, port 389 using [nnn] Entry for host-address: 10.x.x.x not found in the current source: FILES. Ignoring and trying next available source [nnn] Source: DNS unavailable. Entry for host-address:10.x.x.x found in any of the available sources\n*[nnn] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: local error [nnn] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address) [nnn] Unable to connect to LDAP (Active Directory) service on contoso.com (Error: Local error) [nnn] Unable to make a connection (LDAP (Active Directory):contosa.com, result: 7643. ` | The pointer (PTR) record of the AD host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone. 
| | The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-ANF-VOL\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed [nnn]Loaded the preliminary configuration. [nnn]Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn]FAILURE: Could not authenticate as 'contosa.com': KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP) ` | Make sure that [AES Encryption](./create-active-directory-connections.md#create-an-active-directory-connection) is enabled both in the Active Directory connection and for the service account. | | The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-NTAP-VOL\". Reason: LDAP Error: Strong authentication is required Details: Error: Machine account creation procedure failed\n [ 338] Loaded the preliminary configuration.\n [ nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ nnn ] Successfully connected to ip 10.x.x.x, port 389 using TCP\n [ 765] Unable to connect to LDAP (Active Directory) service on\n dc51.area51.com (Error: Strong(er) authentication\n required)\n*[ nnn] FAILURE: Unable to make a connection (LDAP (Active\n* Directory):contoso.com), result: 7609\n. "` | The LDAP Signing option is not selected, but the AD client has LDAP signing. [Enable LDAP Signing](create-active-directory-connections.md#create-an-active-directory-connection) and retry. | |
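Review bot: in the "Strong authentication is required" row the remedy has the roles inverted; the error `Unable to connect to LDAP (Active Directory) service on dc51.area51.com (Error: Strong(er) authentication required)` is the domain controller refusing an unsigned bind, so the cell should say "the domain controller requires LDAP signing, but LDAP Signing isn't selected in the AD connection", and the fix should stay "select LDAP Signing in the connection and retry" rather than anything that invites relaxing the DC policy. The rows also mix example domains (`contoso.com`, `contosa.com`, `dc51.area51.com`, `area51.com`); use `contoso.com` throughout so `contosa.com` isn't mistaken for part of the real failure.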
azure-netapp-files | Understand Guidelines Active Directory Domain Service Site | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md | Before you deploy Azure NetApp Files volumes, you must identify the AD DS integr Azure NetApp Files supports identity-based authentication over SMB through the following methods. * **AD DS authentication**: AD DS-joined Windows machines can access Azure NetApp Files shares with Active Directory credentials over SMB. Your client must have line of sight to your AD DS. If you already have AD DS set up on-premises or on a VM in Azure where your devices are domain-joined to your AD DS, you should use AD DS for Azure NetApp Files file share authentication.-* **Azure AD DS authentication**: Cloud-based, Azure AD DS-joined Windows VMs can access Azure NetApp Files file shares with Azure AD DS credentials. In this solution, Azure AD DS runs a traditional Windows Server AD domain on behalf of the customer. -* **Azure AD Kerberos for hybrid identities**: Using Azure AD for authenticating [hybrid user identities](../active-directory/hybrid/whatis-hybrid-identity.md) allows Azure AD users to access Azure NetApp Files file shares using Kerberos authentication. This means your end users can access Azure NetApp Files file shares without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined Windows or Linux virtual machines. *Cloud-only identities aren't currently supported.* +* **Microsoft Entra Domain Services authentication**: Cloud-based, Microsoft Entra Domain Services-joined Windows VMs can access Azure NetApp Files file shares with Microsoft Entra Domain Services credentials. In this solution, Microsoft Entra Domain Services runs a traditional Windows Server AD domain on behalf of the customer. 
+* **Microsoft Entra Kerberos for hybrid identities**: Using Microsoft Entra ID for authenticating [hybrid user identities](../active-directory/hybrid/whatis-hybrid-identity.md) allows Microsoft Entra users to access Azure NetApp Files file shares using Kerberos authentication. This means your end users can access Azure NetApp Files file shares without requiring a line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined Windows or Linux virtual machines. *Cloud-only identities aren't currently supported.* * **AD Kerberos authentication for Linux clients**: Linux clients can use Kerberos authentication over SMB for Azure NetApp Files using AD DS. Azure NetApp Files uses **time.windows.com** as the time source. Ensure that the ## Decide which AD DS to use with Azure NetApp Files -Azure NetApp Files supports both Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS) for AD connections. Before you create an AD connection, you need to decide whether to use AD DS or Azure AD DS. +Azure NetApp Files supports both Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services for AD connections. Before you create an AD connection, you need to decide whether to use AD DS or Microsoft Entra Domain Services. -For more information, see [Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services](../active-directory-domain-services/compare-identity-solutions.md). +For more information, see [Compare self-managed Active Directory Domain Services, Microsoft Entra ID, and managed Microsoft Entra Domain Services](../active-directory-domain-services/compare-identity-solutions.md). 
### Active Directory Domain Services considerations You should use Active Directory Domain Services (AD DS) in the following scenari * You have AD DS users hosted in an on-premises AD DS domain that need access to Azure NetApp Files resources. * You have applications hosted partially on-premises and partially in Azure that need access to Azure NetApp Files resources.-* You donΓÇÖt need Azure AD DS integration with an Azure AD tenant in your subscription, or Azure AD DS is incompatible with your technical requirements. +* You donΓÇÖt need Microsoft Entra Domain Services integration with a Microsoft Entra tenant in your subscription, or Microsoft Entra Domain Services is incompatible with your technical requirements. > [!NOTE] > Azure NetApp Files doesn't support the use of AD DS Read-only Domain Controllers (RODC). If you choose to use AD DS with Azure NetApp Files, follow the guidance in [Extend AD DS into Azure Architecture Guide](/azure/architecture/reference-architectures/identity/adds-extend-domain) and ensure that you meet the Azure NetApp Files [network](#network-requirements) and [DNS requirements](#ad-ds-requirements) for AD DS. -### Azure Active Directory Domain Services considerations +<a name='azure-active-directory-domain-services-considerations'></a> -[Azure Active Directory Domain Services (Azure AD DS)](../active-directory-domain-services/overview.md) is a managed AD DS domain that is synchronized with your Azure AD tenant. The main benefits to using Azure AD DS are as follows: +### Microsoft Entra Domain Services considerations -* Azure AD DS is a standalone domain. As such, there's no need to set up network connectivity between on-premises and Azure. +[Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) is a managed AD DS domain that is synchronized with your Microsoft Entra tenant. The main benefits to using Microsoft Entra Domain Services are as follows: ++* Microsoft Entra Domain Services is a standalone domain. 
As such, there's no need to set up network connectivity between on-premises and Azure. * Provides simplified deployment and management experience. -You should use Azure AD DS in the following scenarios: +You should use Microsoft Entra Domain Services in the following scenarios: * ThereΓÇÖs no need to extend AD DS from on-premises into Azure to provide access to Azure NetApp Files resources. * Your security policies do not allow the extension of on-premises AD DS into Azure.-* You donΓÇÖt have strong knowledge of AD DS. Azure AD DS can improve the likelihood of good outcomes with Azure NetApp Files. +* You donΓÇÖt have strong knowledge of AD DS. Microsoft Entra Domain Services can improve the likelihood of good outcomes with Azure NetApp Files. -If you choose to use Azure AD DS with Azure NetApp Files, see [Azure AD DS documentation](../active-directory-domain-services/overview.md) for [architecture](../active-directory-domain-services/scenarios.md), deployment, and management guidance. Ensure that you also meet the Azure NetApp Files [Network](#network-requirements) and [DNS requirements](#ad-ds-requirements). +If you choose to use Microsoft Entra Domain Services with Azure NetApp Files, see [Microsoft Entra Domain Services documentation](../active-directory-domain-services/overview.md) for [architecture](../active-directory-domain-services/scenarios.md), deployment, and management guidance. Ensure that you also meet the Azure NetApp Files [Network](#network-requirements) and [DNS requirements](#ad-ds-requirements). 
## Design AD DS site topology for use with Azure NetApp Files Azure NetApp Files SMB, dual-protocol, and NFSv4.1 Kerberos volumes support cros * [Create an SMB volume](azure-netapp-files-create-volumes-smb.md) * [Create a dual-protocol volume](create-volumes-dual-protocol.md) * [Errors for SMB and dual-protocol volumes](troubleshoot-volumes.md#errors-for-smb-and-dual-protocol-volumes)-* [Access SMB volumes from Azure AD joined Windows virtual machines](access-smb-volume-from-windows-client.md) +* [Access SMB volumes from Microsoft Entra joined Windows virtual machines](access-smb-volume-from-windows-client.md) |
azure-portal | Azure Portal Dashboard Share Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/azure-portal-dashboard-share-access.md | For each dashboard that you have published, you can assign Azure RBAC built-in r 1. Select the role you want to grant, such as [Contributor](/azure/role-based-access-control/built-in-roles#contributor) or [Reader](/azure/role-based-access-control/built-in-roles#reader), and then select **Next**. -1. Select **Select members**, then select one or more Azure Active Directory (Azure AD) groups and/or users. If you don't see the user or group you're looking for in the list, use the search box. When you have finished, choose **Select**. +1. Select **Select members**, then select one or more Microsoft Entra groups and/or users. If you don't see the user or group you're looking for in the list, use the search box. When you have finished, choose **Select**. 1. Select **Review + assign** to complete the assignment. For each dashboard that you have published, you can assign Azure RBAC built-in r ## Next steps * View the list of [Azure built-in roles](../role-based-access-control/built-in-roles.md).-* Learn about [managing groups in Azure AD](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +* Learn about [managing groups in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). * Learn more about [managing Azure resources by using the Azure portal](../azure-resource-manager/management/manage-resources-portal.md). * [Create a dashboard](azure-portal-dashboards.md) in the Azure portal. |
azure-portal | Get Subscription Tenant Id | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/get-subscription-tenant-id.md | Follow these steps to retrieve the ID for a subscription in the Azure portal. 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Under the Azure services heading, select **Subscriptions**. If you don't see **Subscriptions** here, use the search box to find it.-1. Find the subscription in the list, and note the **Subscription ID** shown in the second column. If no subscriptions appear, or you don't see the right one, you may need to [switch directories](set-preferences.md#switch-and-manage-directories) to show the subscriptions from a different Azure AD tenant. +1. Find the subscription in the list, and note the **Subscription ID** shown in the second column. If no subscriptions appear, or you don't see the right one, you may need to [switch directories](set-preferences.md#switch-and-manage-directories) to show the subscriptions from a different Microsoft Entra tenant. 1. To easily copy the **Subscription ID**, select the subscription name to display more details. Select the **Copy to clipboard** icon shown next to the **Subscription ID** in the **Essentials** section. You can paste this value into a text document or other location. :::image type="content" source="media/get-subscription-tenant-id/copy-subscription-id.png" alt-text="Screenshot showing the option to copy a subscription ID in the Azure portal."::: Follow these steps to retrieve the ID for a subscription in the Azure portal. > [!TIP] > You can also list your subscriptions and view their IDs programmatically by using [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription) (Azure PowerShell) or [az account list](/cli/azure/account#az-account-list) (Azure CLI). 
-## Find your Azure AD tenant +<a name='find-your-azure-ad-tenant'></a> ++## Find your Microsoft Entra tenant Follow these steps to retrieve the ID for a Microsoft Entra tenant in the Azure portal. |
azure-portal | How To Create Azure Support Request | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/supportability/how-to-create-azure-support-request.md | You can get to **Help + support** in the Azure portal. It's available from the A You must have the appropriate access to a subscription before you can create a support request for it. This means you must have the [Owner](../../role-based-access-control/built-in-roles.md#owner), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Support Request Contributor](../../role-based-access-control/built-in-roles.md#support-request-contributor) role, or a custom role with [Microsoft.Support/*](../../role-based-access-control/resource-provider-operations.md#microsoftsupport), at the subscription level. -To create a support request without a subscription, for example an Azure Active Directory scenario, you must be an [Admin](../../active-directory/roles/permissions-reference.md). +To create a support request without a subscription, for example a Microsoft Entra scenario, you must be an [Admin](../../active-directory/roles/permissions-reference.md). > [!IMPORTANT] > If a support request requires investigation into multiple subscriptions, you must have the required access for each subscription involved ([Owner](../../role-based-access-control/built-in-roles.md#owner), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), [Reader](../../role-based-access-control/built-in-roles.md#reader), [Support Request Contributor](../../role-based-access-control/built-in-roles.md#support-request-contributor), or a custom role with the [Microsoft.Support/supportTickets/read](../../role-based-access-control/resource-provider-operations.md#microsoftsupport) permission). 
When you allow collection of [advanced diagnostic information](https://azure.mic - [Microsoft Azure Service Fabric logs](/troubleshoot/azure/general/fabric-logs) - [StorSimple support packages and device logs](https://support.microsoft.com/topic/storsimple-support-packages-and-device-logs-cb0a1c7e-6125-a5a7-f212-51439781f646) - [SQL Server on Azure Virtual Machines logs](/troubleshoot/azure/general/sql-vm-logs)-- [Azure Active Directory logs](/troubleshoot/azure/active-directory/support-data-collection-diagnostic-logs)+- [Microsoft Entra logs](/troubleshoot/azure/active-directory/support-data-collection-diagnostic-logs) - [Azure Stack Edge support package and device logs](/troubleshoot/azure/general/azure-stack-edge-support-package-device-logs) - [Azure Synapse Analytics logs](/troubleshoot/azure/general/synapse-analytics-apache-spark-pools-diagnostic-logs) |
azure-relay | Authenticate Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-relay/authenticate-application.md | Title: Authenticate from an application - Azure Relay -description: This article provides information about authenticating an application with Azure Active Directory to access Azure Relay resources. +description: This article provides information about authenticating an application with Microsoft Entra ID to access Azure Relay resources. Last updated 08/10/2023 -# Authenticate and authorize an application with Azure Active Directory to access Azure Relay entities -Azure Relay supports using Azure Active Directory (Azure AD) to authorize requests to Azure Relay entities (Hybrid Connections, WCF Relays). With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md). +# Authenticate and authorize an application with Microsoft Entra ID to access Azure Relay entities +Azure Relay supports using Microsoft Entra ID to authorize requests to Azure Relay entities (Hybrid Connections, WCF Relays). With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md). > [!NOTE] > This feature is generally available in all regions except Microsoft Azure operated by 21Vianet. 
Azure Relay supports using Azure Active Directory (Azure AD) to authorize reques [!INCLUDE [relay-roles](./includes/relay-roles.md)] ## Authenticate from an app-A key advantage of using Azure AD with Azure Relay is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Azure AD authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Relay. +A key advantage of using Microsoft Entra ID with Azure Relay is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Microsoft Entra authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Microsoft Entra ID returns the access token to the application, and the application can then use the access token to authorize requests to Azure Relay. -Following sections shows you how to configure your console application for authentication with Microsoft Identity Platform 2.0. For more information, see [Microsoft Identity Platform (v2.0) overview](../active-directory/develop/v2-overview.md). +Following sections shows you how to configure your console application for authentication with Microsoft identity platform 2.0. For more information, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md). -For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md). 
+For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md). -### Register your application with an Azure AD tenant -The first step in using Azure AD to authorize Azure Relay entities is registering your client application with an Azure AD tenant from the Azure portal. When you register your client application, you supply information about the application to AD. Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD runtime. +<a name='register-your-application-with-an-azure-ad-tenant'></a> -For step-by-step instructions to register your application with Azure AD, see [Quickstart: Register an application with Azure AD](../active-directory/develop/quickstart-register-app.md#register-an-application). +### Register your application with a Microsoft Entra tenant +The first step in using Microsoft Entra ID to authorize Azure Relay entities is registering your client application with a Microsoft Entra tenant from the Azure portal. When you register your client application, you supply information about the application to AD. Microsoft Entra ID then provides a client ID (also called an application ID) that you can use to associate your application with Microsoft Entra runtime. ++For step-by-step instructions to register your application with Microsoft Entra ID, see [Quickstart: Register an application with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md#register-an-application). > [!IMPORTANT] > Make note of the **Directory (tenant) ID** and the **Application (client) ID**. You will need these values to run the sample application. 
Assign one of the Azure Relay roles to the application's service principal at th > Follow the same steps to run the [sample console application for WCF Relay](https://github.com/Azure/azure-relay/tree/master/samples/wcf-relay/RoleBasedAccessControl). #### Highlighted code from the sample-Here's the code from the sample that shows how to use Azure AD authentication to connect to the Azure Relay service. +Here's the code from the sample that shows how to use Microsoft Entra authentication to connect to the Azure Relay service. 1. Create a [TokenProvider](/dotnet/api/microsoft.azure.relay.tokenprovider) object by using the `TokenProvider.CreateAzureActiveDirectoryTokenProvider` method. - If you haven't already created an app registration, see the [Register your application with Azure AD](#register-your-application-with-an-azure-ad-tenant) section to create it, and then create a client secret as mentioned in the [Create a client secret](#create-a-client-secret) section. + If you haven't already created an app registration, see the [Register your application with Microsoft Entra ID](#register-your-application-with-an-azure-ad-tenant) section to create it, and then create a client secret as mentioned in the [Create a client secret](#create-a-client-secret) section. If you want to use an existing app registration, follow these instructions to get **Application (client) ID** and **Directory (tenant) ID**. 1. Sign in to the [Azure portal](https://portal.azure.com).- 1. Search for and select **Azure Active Directory** using the search bar at the top. - 1. On the **Azure Active Directory** page, select **App registrations** in the **Manage** section on the left menu. + 1. Search for and select **Microsoft Entra ID** using the search bar at the top. + 1. On the **Microsoft Entra ID** page, select **App registrations** in the **Manage** section on the left menu. 1. Select your app registration. 1. 
On the page for your app registration, you see the values for **Application (client) ID** and **Directory (tenant) ID**. To learn more about Azure Relay, see the following topics. - [What is Relay?](relay-what-is-it.md) - [Get started with Azure Relay Hybrid connections WebSockets](relay-hybrid-connections-dotnet-get-started.md) - [Get stated with Azure Relay Hybrid connections HTTP requests](relay-hybrid-connections-http-requests-dotnet-get-started.md)-------- |
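Review bot: the `+` paragraph under "Register your application with a Microsoft Entra tenant" still reads "you supply information about the application to AD" and "associate your application with Microsoft Entra runtime"; finish the rename ("to Microsoft Entra ID", "with your Microsoft Entra tenant") so the paragraph doesn't mix brands. Two smaller points: "+Following sections shows you" should be "The following sections show you", and because the highlighted code path goes on to create a client secret, the earlier claim that "your credentials no longer need to be stored in your code" wants a one-line caveat that the client secret is still a credential to keep out of source and configuration, with a certificate credential or the managed identity article as the preferred route where the app can use one.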
azure-relay | Authenticate Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-relay/authenticate-managed-identity.md | -# Authenticate a managed identity with Azure Active Directory to access Azure Relay resources +# Authenticate a managed identity with Microsoft Entra ID to access Azure Relay resources [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) is a cross-Azure feature that enables you to create a secure identity associated with the deployment under which your application code runs. You can then associate that identity with access-control roles that grant custom permissions for accessing specific Azure resources that your application needs. With managed identities, the Azure platform manages this runtime identity. You don't need to store and protect access keys in your application code or configuration, either for the identity itself, or for the resources you need to access. A Relay client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support doesn't need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Relay namespace. When the app connects, Relay binds the managed entity's context to the client in an operation that is shown in an example later in this article. Once it's associated with a managed identity, your Relay client can do all authorized operations. Authorization is granted by associating a managed entity with Relay roles. With managed identities, the Azure platform manages this runtime identity. You d [!INCLUDE [relay-roles](./includes/relay-roles.md)] ## Enable managed identity-First, enable managed identity for the Azure resource that needs to access Azure Relay entities (hybrid connections or WCF relays). 
For an example, if your Relay client application is running on an Azure VM, enable managed identity for the VM by following instructions from the [Configure managed identity for an Azure VM](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) article. Once you've enabled this setting, a new managed service identity is created in your Azure Active Directory (Azure AD). +First, enable managed identity for the Azure resource that needs to access Azure Relay entities (hybrid connections or WCF relays). For an example, if your Relay client application is running on an Azure VM, enable managed identity for the VM by following instructions from the [Configure managed identity for an Azure VM](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) article. Once you've enabled this setting, a new managed service identity is created in your Microsoft Entra ID. For a list of services that support managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). The following section uses a simple application that runs under a managed identi > Follow the same steps to run the [console application for WCF Relays](https://github.com/Azure/azure-relay/tree/master/samples/wcf-relay/RoleBasedAccessControl). #### Highlighted code from the sample-Here's the code from the sample that shows how to use Azure AD authentication to connect to the Azure Relay service. +Here's the code from the sample that shows how to use Microsoft Entra authentication to connect to the Azure Relay service. 1. Create a [TokenProvider](/dotnet/api/microsoft.azure.relay.tokenprovider) object by using the `TokenProvider.CreateManagedIdentityTokenProvider` method. To learn more about Azure Relay, see the following articles. 
- [What is Relay?](relay-what-is-it.md) - [Get started with Azure Relay Hybrid connections WebSockets](relay-hybrid-connections-dotnet-get-started.md) - [Get stated with Azure Relay Hybrid connections HTTP requests](relay-hybrid-connections-http-requests-dotnet-get-started.md)--- |
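Review bot: the `+` line ends "a new managed service identity is created in your Microsoft Entra ID"; the identity is a service principal in the tenant, so "in your Microsoft Entra tenant" is the accurate phrasing. In the unchanged second paragraph, "enabled managed entities for Azure resources", "the managed entity's context" and "associating a managed entity with Relay roles" should all read "managed identity", the term the title, the overview link and the rest of the article use.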
azure-relay | Relay Authentication And Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-relay/relay-authentication-and-authorization.md | Last updated 08/10/2023 # Azure Relay authentication and authorization-There are two ways to authenticate and authorize access to Azure Relay resources: Azure Active Directory (Azure AD) and Shared Access Signatures (SAS). This article gives you details on using these two types of security mechanisms. +There are two ways to authenticate and authorize access to Azure Relay resources: Microsoft Entra ID and Shared Access Signatures (SAS). This article gives you details on using these two types of security mechanisms. -## Azure Active Directory -Azure AD integration for Azure Relay resources provides Azure role-based access control (Azure RBAC) for fine-grained control over a clientΓÇÖs access to resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can be used to authorize a request to access an Azure Relay resource. +<a name='azure-active-directory'></a> -For more information about authenticating with Azure AD, see the following articles: +## Microsoft Entra ID +Microsoft Entra integration for Azure Relay resources provides Azure role-based access control (Azure RBAC) for fine-grained control over a clientΓÇÖs access to resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can be used to authorize a request to access an Azure Relay resource. 
++For more information about authenticating with Microsoft Entra ID, see the following articles: - [Authenticate with managed identities](authenticate-managed-identity.md)-- [Authenticate from an Azure Active Directory application](authenticate-application.md)+- [Authenticate from a Microsoft Entra application](authenticate-application.md) > [!IMPORTANT]-> Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Relay applications when possible. +> Authorizing users or applications using OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Relay applications when possible. ### Built-in roles For Azure Relay, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the below Azure built-in roles for authorizing access to a Relay namespace: |
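Review bot: in the IMPORTANT note, "there is no need to store tokens in your code and risk potential security vulnerabilities" misstates the benefit; what the Microsoft Entra flow removes from code and configuration is the long-lived SAS key, while the short-lived OAuth 2.0 access token is still requested and held by the application at run time. Suggest "there is no need to store long-lived keys or shared access signatures in your code", which is the comparison with SAS the note is drawing.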
azure-relay | Relay Migrate Acs Sas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-relay/relay-migrate-acs-sas.md | Title: Azure Relay - Migrate to Shared Access Signature authorization -description: Describes how to migrate Azure Relay applications from using Azure Active Directory Access Control Service to Shared Access Signature authorization. +description: Describes how to migrate Azure Relay applications from using Microsoft Entra ID Access Control Service to Shared Access Signature authorization. Last updated 08/10/2023 -# Azure Relay - Migrate from Azure Active Directory Access Control Service to Shared Access Signature authorization +# Azure Relay - Migrate from Microsoft Entra ID Access Control Service to Shared Access Signature authorization -Azure Relay applications historically had a choice of using two different authorization models: the [Shared Access Signature (SAS)](../service-bus-messaging/service-bus-sas.md) token model provided directly by the Relay service, and a federated model where the management of authorization rules is managed inside by the [Azure Active Directory](../active-directory/index.yml) Access Control Service (ACS), and tokens obtained from ACS are passed to Relay for authorizing access to the desired features. +Azure Relay applications historically had a choice of using two different authorization models: the [Shared Access Signature (SAS)](../service-bus-messaging/service-bus-sas.md) token model provided directly by the Relay service, and a federated model where the management of authorization rules is managed inside by the [Microsoft Entra ID](../active-directory/index.yml) Access Control Service (ACS), and tokens obtained from ACS are passed to Relay for authorizing access to the desired features. 
The ACS authorization model has long been superseded by [SAS authorization](../service-bus-messaging/service-bus-authentication-and-authorization.md) as the preferred model, and all documentation, guidance, and samples exclusively use SAS today. Moreover, it's no longer possible to create new Relay namespaces that are paired with ACS. |
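Review bot: the rename in the title, description and opening paragraph produces "Microsoft Entra ID Access Control Service", a name the retired service never carried; the same paragraph describes ACS as the historical model that was "long been superseded" and that can no longer be paired with new namespaces. Keep the historical name, e.g. "Azure Active Directory Access Control Service (ACS)", here and limit the Microsoft Entra rename to live services.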
azure-resource-manager | Bicep Config Linter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-config-linter.md | The following example shows the rules that are available for configuration. "no-conflicting-metadata" : { "level": "warning" },+ "no-deployments-resources" : { + "level": "warning" + } "no-hardcoded-env-urls": { "level": "warning" }, |
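Review bot: the added `"no-deployments-resources"` object is missing its trailing comma; as written, the added `}` is immediately followed by `"no-hardcoded-env-urls"`, which leaves the sample invalid JSON. Change the added closing line to `},` so the rule list stays well-formed.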
azure-resource-manager | Bicep Functions Date | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-functions-date.md | Title: Bicep functions - date description: Describes the functions to use in a Bicep file to work with dates. Previously updated : 06/23/2023 Last updated : 10/12/2023 # Date functions for Bicep Namespace: [sys](bicep-functions.md#namespaces-for-functions). The datetime value that results from adding the duration value to the base value. +### Remarks ++The dateTimeAdd function takes into account leap years and the number of days in a month when performing date arithmetic. The following example adds one month to January 31: ++```bicep +output add1MonthOutput string = dateTimeAdd('2023-01-31 00:00:00Z', 'P1M') //2023-03-02T00:00:00Z +output add1MonthLeapOutput string = dateTimeAdd('2024-01-31 00:00:00Z', 'P1M') //2024-03-01T00:00:00Z +``` ++In this example, `dateTimeAdd` returns `2023-03-02T00:00:00Z`, not `2023-02-28T00:00:00Z`. If the base is `2024-01-31 00:00:00Z`, it returns `2024-03-01T00:00:00Z` because 2024 is a leap year. + ### Examples The following example shows different ways of adding time values. |
azure-resource-manager | Bicep Using | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/bicep-using.md | + + Title: Using statement +description: Describes how to use the using statement in Bicep. ++ Last updated : 10/11/2023+++# Using statement ++The `using` statement in [Bicep parameter files](./parameter-files.md) ties the [Bicep parameters file](./parameter-files.md) to a [Bicep file](./file.md), an [ARM JSON template](../templates/syntax.md), or a [Bicep module](./modules.md), or a [template spec](./template-specs.md). A `using` declaration must be present in any Bicep parameters file. ++> [!NOTE] +> The Bicep parameters file is only supported in [Bicep CLI](./install.md) version 0.18.4 or later, and [Azure CLI](/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows) version 2.47.0 or later. +> +> To use the statement with ARM JSON templates, Bicep modules, and template specs, you need to have [Bicep CLI](./install.md) version 0.22.6 or later, and [Azure CLI](/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows) version 2.53.0 or later. 
++## Syntax ++- To use Bicep file: ++ ```bicep + using '<path>/<file-name>.bicep' + ``` ++- To use ARM JSON template: ++ ```bicep + using '<path>/<file-name>.json' + ``` ++- To use public module: ++ ```bicep + using 'br/public:<file-path>:<tag>' + ``` ++ For example: ++ ```bicep + using 'br/public:storage/storage-account:3.0.1' ++ param name = 'mystorage' + ``` ++- To use private module: ++ ```bicep + using 'br:<acr-name>.azurecr.io/bicep/<file-path>:<tag>' + ``` ++ For example: ++ ```bicep + using 'br:myacr.azurecr.io/bicep/modules/storage:v1' + ``` ++ To use a private module with an alias defined in [bicepconfig.json](./bicep-config.md): ++ ```bicep + using 'br/<alias>:<file>:<tag>' + ``` ++ For example: ++ ```bicep + using 'br/storageModule:storage:v1' + ``` ++- To use template spec: ++ ```bicep + using 'ts:<subscription-id>/<resource-group-name>/<template-spec-name>:<tag> + ``` ++ For example: ++ ```bicep + using 'ts:00000000-0000-0000-0000-000000000000/myResourceGroup/storageSpec:1.0' + ``` ++ To use a template spec with an alias defined in [bicepconfig.json](./bicep-config.md): ++ ```bicep + using 'ts/<alias>:<template-spec-name>:<tag>' + ``` ++ For example: ++ ```bicep + using 'ts/myStorage:storageSpec:1.0' + ``` ++## Next steps ++- To learn about the Bicep parameters files, see [Parameters file](./parameter-files.md). +- To learn about configuring aliases in bicepconfig.json, see [Bicep config file](./bicep-config.md). |
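Review bot: the template spec syntax block is missing its closing quote; `using 'ts:<subscription-id>/<resource-group-name>/<template-spec-name>:<tag>` should end with `'` like every other syntax line in the section. Two smaller points in the same article: the first paragraph reads "a Bicep file, an ARM JSON template, or a Bicep module, or a template spec" (drop the first "or"), and both "Azure CLI" links in the note point at the Azure Developer CLI (azd) install page rather than the Azure CLI install page.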
azure-resource-manager | Deploy Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/deploy-cli.md | Title: Deploy resources with Azure CLI and Bicep files | Microsoft Docs description: Use Azure Resource Manager and Azure CLI to deploy resources to Azure. The resources are defined in a Bicep file. Previously updated : 06/13/2023 Last updated : 10/10/2023 You need Azure CLI and to be connected to Azure: - **Install Azure CLI commands on your local computer.** To deploy Bicep files, you need [Azure CLI](/cli/azure/install-azure-cli) version **2.20.0 or later**. - **Connect to Azure by using [az login](/cli/azure/reference-index#az-login)**. If you have multiple Azure subscriptions, you might also need to run [az account set](/cli/azure/account#az-account-set). -Samples for the Azure CLI are written for the `bash` shell. To run this sample in Windows PowerShell or Command Prompt, you may need to change elements of the script. +Samples for the Azure CLI are written for the `bash` shell. To run this sample in Windows PowerShell or Command Prompt, you might need to change elements of the script. If you don't have Azure CLI installed, you can use Azure Cloud Shell. For more information, see [Deploy Bicep files from Azure Cloud Shell](./deploy-cloud-shell.md). Currently, Azure CLI doesn't support deploying remote Bicep files. You can use [ ## Parameters -To pass parameter values, you can use either inline parameters or a parameters file. +To pass parameter values, you can use either inline parameters or a parameters file. The parameter file can be either a [Bicep parameters file](#bicep-parameter-files) or a [JSON parameters file](#json-parameter-files). ### Inline parameters However, if you're using Azure CLI with Windows Command Prompt (CMD) or PowerShe The evaluation of parameters follows a sequential order, meaning that if a value is assigned multiple times, only the last assigned value is used. 
To ensure proper parameter assignment, it is advised to provide your parameters file initially and selectively override specific parameters using the _KEY=VALUE_ syntax. It's important to mention that if you are supplying a `bicepparam` parameters file, you can use this argument only once. -### Parameters files +### JSON parameter files -Rather than passing parameters as inline values in your script, you may find it easier to use a `.bicepparam` file or a JSON file that contains the parameter values. The parameters file must be a local file. External parameters files aren't supported with Azure CLI. +Rather than passing parameters as inline values in your script, you might find it easier to use a parameters file, either a `.bicepparam` file or a JSON parameters file, that contains the parameter values. The parameters file must be a local file. External parameters files aren't supported with Azure CLI. -For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md). --To pass a local Bicep parameters file, specify the path and file name. The following example shows a parameters file named _storage.bicepparam_. The file is in the same directory where the command is run. +The following example shows a parameters file named _storage.parameters.json_. The file is in the same directory where the command is run. ```azurecli-interactive az deployment group create \ --name ExampleDeployment \ --resource-group ExampleGroup \ --template-file storage.bicep \- --parameters storage.bicepparam + --parameters '@storage.parameters.json' ``` -The following example shows a parameters file named _storage.parameters.json_. The file is in the same directory where the command is run. +For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md). 
++### Bicep parameter files ++With Azure CLI version 2.53.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there is no need to provide the `--template-file` switch when specifying a Bicep parameter file for the `--parameters` switch. Including the `--template-file` switch will result in an "Only a .bicep template is allowed with a .bicepparam file" error. ++The following example shows a parameters file named _storage.bicepparam_. The file is in the same directory where the command is run. ```azurecli-interactive az deployment group create \ --name ExampleDeployment \ --resource-group ExampleGroup \- --template-file storage.bicep \ - --parameters storage.parameters.json + --parameters storage.bicepparam ``` +The parameters file must be a local file. External parameters files aren't supported with Azure CLI. For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md). + ## Preview changes Before deploying your Bicep file, you can preview the changes the Bicep file will make to your environment. Use the [what-if operation](./deploy-what-if.md) to verify that the Bicep file makes the changes that you expect. What-if also validates the Bicep file for errors. |
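Review bot: the heading was changed to "### JSON parameter files" but the paragraph under it still introduces both formats ("either a `.bicepparam` file or a JSON parameters file"), and the "must be a local file / external parameters files aren't supported" sentence is now repeated under both subsections; restrict the JSON section to JSON and keep the shared restriction once. In the new Bicep section, "Including the `--template-file` switch will result in an ... error" sits oddly with the quoted message "Only a .bicep template is allowed with a .bicepparam file", which reads as a restriction on the template type rather than on the switch being present; state precisely the condition under which the error is raised.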
azure-resource-manager | Deploy To Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/deploy-to-tenant.md | Last updated 06/23/2023 # Tenant deployments with Bicep file -As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) across your Azure AD tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level. +As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) across your Microsoft Entra tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level. ### Training resources targetScope = 'tenant' The principal deploying the template must have permissions to create resources at the tenant scope. The principal must have permission to execute the deployment actions (`Microsoft.Resources/deployments/*`) and to create the resources defined in the template. For example, to create a management group, the principal must have Contributor permission at the tenant scope. To create role assignments, the principal must have Owner permission. -The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps: +The Global Administrator for the Microsoft Entra ID doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps: 1. Elevate account access so the Global Administrator can assign roles. 
For more information, see [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md). |
azure-resource-manager | Deployment Script Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/deployment-script-bicep.md | These scripts can be used for performing custom steps such as: - perform data plane operations, for example, copy blobs or seed database - look up and validate a license key - create a self-signed certificate-- create an object in Azure Active Directory (Azure AD)+- create an object in Microsoft Entra ID - look up IP Address blocks from custom system The benefits of deployment script: Property value details: - [Sample 1](https://raw.githubusercontent.com/Azure/azure-docs-bicep-samples/master/samples/deployment-script/deploymentscript-keyvault.bicep): create a key vault and use deployment script to assign a certificate to the key vault. - [Sample 2](https://raw.githubusercontent.com/Azure/azure-docs-bicep-samples/master/samples/deployment-script/deploymentscript-keyvault-subscription.bicep): create a resource group at the subscription level, create a key vault in the resource group, and then use deployment script to assign a certificate to the key vault. 
- [Sample 3](https://raw.githubusercontent.com/Azure/azure-docs-bicep-samples/master/samples/deployment-script/deploymentscript-keyvault-mi.bicep): create a user-assigned managed identity, assign the contributor role to the identity at the resource group level, create a key vault, and then use deployment script to assign a certificate to the key vault.-- [Sample 4](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad): manually create a user-assigned managed identity and assign it permission to use the Microsoft Graph API to create Azure AD applications; in the Bicep file, use a deployment script to create an Azure AD application and service principal, and output the object IDs and client ID.+- [Sample 4](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad): manually create a user-assigned managed identity and assign it permission to use the Microsoft Graph API to create Microsoft Entra applications; in the Bicep file, use a deployment script to create a Microsoft Entra application and service principal, and output the object IDs and client ID. ## Use inline scripts After the script is tested successfully, you can use it as a deployment script i ## Use Microsoft Graph within a deployment script -A deployment script can use [Microsoft Graph](/graph/overview) to create and work with objects in Azure AD. +A deployment script can use [Microsoft Graph](/graph/overview) to create and work with objects in Microsoft Entra ID. ### Commands |
azure-resource-manager | Deployment Stacks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/deployment-stacks.md | The Azure PowerShell includes these parameters to customize the deny assignment: - `DenySettingsMode`: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: `None`, `DenyDelete`, and `DenyWriteAndDelete`. - `DenySettingsApplyToChildScopes`: Deny settings are applied to nested resources under managed resources. - `DenySettingsExcludedAction`: List of role-based management operations that are excluded from the deny settings. Up to 200 actions are permitted.-- `DenySettingsExcludedPrincipal`: List of Azure Active Directory (Azure AD) principal IDs excluded from the lock. Up to five principals are permitted.+- `DenySettingsExcludedPrincipal`: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are permitted. # [CLI](#tab/azure-cli) The Azure CLI includes these parameters to customize the deny assignment: - `deny-settings-mode`: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: `none`, `denyDelete`, and `denyWriteAndDelete`. - `deny-settings-apply-to-child-scopes`: Deny settings are applied to nested resources under managed resources. - `deny-settings-excluded-actions`: List of role-based access control (RBAC) management operations excluded from the deny settings. Up to 200 actions are allowed.-- `deny-settings-excluded-principals`: List of Azure Active Directory (Azure AD) principal IDs excluded from the lock. 
Up to five principals are allowed.+- `deny-settings-excluded-principals`: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are allowed. # [Portal](#tab/azure-portal) |
azure-resource-manager | Linter Rule No Deployments Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/linter-rule-no-deployments-resources.md | + + Title: Linter rule - no deployments resources +description: Linter rule - no deployments resources ++ Last updated : 10/12/2023+++# Linter rule - no deployments resources ++This linter rule issues a warning when a template contains a `Microsoft.Resources/deployments` resource on the root level. ++## Linter rule code ++Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings: ++`no-deployments-resources` ++## Solution ++The following example fails this test because the template contains a `Microsoft.Resources/deployments` resource on the root level. ++```bicep +param name string +param specId string +resource foo 'Microsoft.Resources/deployments@2023-07-01' = { + name: name + properties: { + mode: 'Incremental' + templateLink: { + uri: specId + } + parameters: {} + } +} +``` ++It should be declared as a [Bicep module](./modules.md). ++## Next steps ++For more information about the linter, see [Use Bicep linter](./linter.md). |
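Review bot: the Solution section shows only the failing `Microsoft.Resources/deployments` resource and then says "It should be declared as a Bicep module" without showing the compliant form; add the equivalent `module` declaration so the fix is actionable, as the other linter rule pages do. Also, the `description` front matter merely repeats the title; a one-line summary of what the rule warns about would serve search and the rule index better.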
azure-resource-manager | Linter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/linter.md | The default set of linter rules is minimal and taken from [arm-ttk test cases](. - [max-resources](./linter-rule-max-resources.md) - [max-variables](./linter-rule-max-variables.md) - [no-conflicting-metadata](./linter-rule-no-conflicting-metadata.md)+- [no-deployments-resources](./linter-rule-no-deployments-resources.md) - [no-hardcoded-env-urls](./linter-rule-no-hardcoded-environment-urls.md) - [no-hardcoded-location](./linter-rule-no-hardcoded-location.md) - [no-loc-expr-outside-params](./linter-rule-no-loc-expr-outside-params.md) You can integrate these checks as a part of your CI/CD pipelines. You can use a ## Silencing false positives -Sometimes a rule can have false positives. For example, you may need to include a link to a blob storage directly without using the [environment()](./bicep-functions-deployment.md#environment) function. +Sometimes a rule can have false positives. For example, you might need to include a link to a blob storage directly without using the [environment()](./bicep-functions-deployment.md#environment) function. In this case you can disable the warning for one line only, not the entire document, by adding `#disable-next-line <rule name>` before the line with the warning. ```bicep |
azure-resource-manager | Parameter Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/parameter-files.md | Title: Create parameters files for Bicep deployment description: Create parameters file for passing in values during deployment of a Bicep file Previously updated : 09/12/2023 Last updated : 10/10/2023 # Create parameters files for Bicep deployment Rather than passing parameters as inline values in your script, you can use a Bi > [!NOTE] > The Bicep parameters file is only supported in [Bicep CLI](./install.md) version 0.18.4 or newer, and [Azure CLI](/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows) version 2.47.0 or newer. -A single Bicep file can have multiple Bicep parameters files associated with it. However, each Bicep parameters file is intended for one particular Bicep file. This relationship is established using the `using` statement within the Bicep parameters file. For more information, see [Bicep parameters file](#parameters-file). +A single Bicep file can have multiple Bicep parameters files associated with it. However, each Bicep parameters file is intended for one particular Bicep file. This relationship is established using the [`using` statement](./bicep-using.md) within the Bicep parameters file. -You can compile Bicep parameters files into JSON parameters files to deploy with a Bicep file. See [build-params](./bicep-cli.md#build-params). +You can compile Bicep parameters files into JSON parameters files to deploy with a Bicep file. See [build-params](./bicep-cli.md#build-params). You can also decompile a JSON parameters file into a Bicep parameters file. See [decompile-params](./bicep-cli.md#decompile-params). ## Parameters file param storagePrefix param storageAccountType ``` -The `using` statement ties the Bicep parameters file to a Bicep file. +The `using` statement ties the Bicep parameters file to a Bicep file. 
For more information, see [using statement](./bicep-using.md). After typing the keyword `param` in Visual Studio Code, it prompts you the available parameters and their descriptions from the linked Bicep file: From Bicep CLI, you can build a Bicep parameters file into a JSON parameters fil ## Deploy Bicep file with parameters file -From Azure CLI, you can pass both a json based local parameters file using `@` and the parameters file name and a .bicepparam based local parameters file just using the file name. For example, `storage.bicepparam` or `@storage.parameters.json`. +From Azure CLI, you can pass a parameter file with your Bicep file deployment. ++# [Bicep parameters file](#tab/Bicep) ++With Azure CLI version 2.53.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there is no need to provide the `--template-file` switch when specifying a Bicep parameter file for the `--parameters` switch. Including the `--template-file` switch will result in an "Only a .bicep template is allowed with a .bicepparam file" error. + ```azurecli az deployment group create \ --name ExampleDeployment \ --resource-group ExampleGroup \- --template-file storage.bicep \ --parameters storage.bicepparam ``` -For more information, see [Deploy resources with Bicep and Azure CLI](./deploy-cli.md#parameters). To deploy _.bicep_ files you need Azure CLI version 2.20 or higher. +# [JSON parameters file](#tab/JSON) ++```azurecli +az deployment group create \ + --name ExampleDeployment \ + --resource-group ExampleGroup \ + --template-file storage.bicep \ + --parameters storage.parameters.json +``` ++++For more information, see [Deploy resources with Bicep and Azure CLI](./deploy-cli.md#parameters). From Azure PowerShell, pass a local parameters file using the `TemplateParameterFile` parameter. 
+# [Bicep parameters file](#tab/Bicep) + ```azurepowershell-New-AzResourceGroupDeployment -Name ExampleDeployment -ResourceGroupName ExampleResourceGroup ` +New-AzResourceGroupDeployment ` + -Name ExampleDeployment ` + -ResourceGroupName ExampleResourceGroup ` -TemplateFile C:\MyTemplates\storage.bicep ` -TemplateParameterFile C:\MyTemplates\storage.bicepparam ``` -For more information, see [Deploy resources with Bicep and Azure PowerShell](./deploy-powershell.md#parameters). To deploy _.bicep_ files you need Azure PowerShell version 5.6.0 or higher. +# [JSON parameters file](#tab/JSON) +++```azurepowershell +New-AzResourceGroupDeployment ` + -Name ExampleDeployment ` + -ResourceGroupName ExampleResourceGroup ` + -TemplateFile C:\MyTemplates\storage.bicep ` + -TemplateParameterFile C:\MyTemplates\storage.parameters.json +``` ++++For more information, see [Deploy resources with Bicep and Azure PowerShell](./deploy-powershell.md#parameters). To deploy _.bicep_ files you need Azure PowerShell version 5.6.0 or later. ## Parameter precedence |
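Review bot: the Azure PowerShell "Bicep parameters file" tab still passes `-TemplateFile C:\MyTemplates\storage.bicep` together with `-TemplateParameterFile C:\MyTemplates\storage.bicepparam`, while the Azure CLI tab in the same change drops `--template-file` and states that including it produces an error; either PowerShell behaves differently (then say so in the tab) or the PowerShell sample needs the same treatment. Two related points: the removed sentence "To deploy _.bicep_ files you need Azure CLI version 2.20 or higher" has no replacement in the CLI section while the PowerShell version requirement was kept, and the "Azure CLI" link in the note points at the Azure Developer CLI (azd) install page rather than the Azure CLI install page.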
azure-resource-manager | Parameters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/parameters.md | Title: Parameters in Bicep files description: Describes how to define parameters in a Bicep file. Previously updated : 10/05/2023 Last updated : 10/12/2023 # Parameters in Bicep param demoObject object param demoArray array ``` +The `param` keyword is also used in [.bicepparam files](./parameter-files.md). In .bicepparam files, you don't need to specify the data type as it is defined in Bicep files. ++```bicep +param <parameter-name> = <value> +``` ++For more information, see [Parameters file](./parameter-files.md). + ## Default value You can specify a default value for a parameter. The default value is used when a value isn't provided during deployment. |
azure-resource-manager | Quickstart Create Template Specs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/quickstart-create-template-specs.md | To deploy a template spec using a Bicep file, use a module. The module links to ## Grant access -If you want to let other users in your organization deploy your template spec, you need to grant them read access. You can assign the Reader role to an Azure AD group for the resource group that contains template specs you want to share. For more information, see [Tutorial: Grant a group access to Azure resources using Azure PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md). +If you want to let other users in your organization deploy your template spec, you need to grant them read access. You can assign the Reader role to a Microsoft Entra group for the resource group that contains template specs you want to share. For more information, see [Tutorial: Grant a group access to Azure resources using Azure PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md). ## Update Bicep file |
azure-resource-manager | Scenarios Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/scenarios-rbac.md | If you don't explicitly specify the scope, Bicep uses the file's `targetScope`. A role assignment's resource name must be a globally unique identifier (GUID). -Role assignment resource names must be unique within the Azure Active Directory tenant, even if the scope is narrower. +Role assignment resource names must be unique within the Microsoft Entra tenant, even if the scope is narrower. For your Bicep deployment to be repeatable, it's important for the name to be deterministic - in other words, to use the same name every time you deploy. It's a good practice to create a GUID that uses the scope, principal ID, and role ID together. It's a good idea to use the `guid()` function to help you to create a deterministic GUID for your role assignment names, like in this example: When you create the role assignment resource, you need to specify a fully qualif ### Principal -The `principalId` property must be set to a GUID that represents the Azure Active Directory (Azure AD) identifier for the principal. In Azure AD, this is sometimes referred to as the *object ID*. +The `principalId` property must be set to a GUID that represents the Microsoft Entra identifier for the principal. In Microsoft Entra ID, this is sometimes referred to as the *object ID*. The `principalType` property specifies whether the principal is a user, a group, or a service principal. Managed identities are a form of service principal. The following example shows how to create a user-assigned managed identity and a ### Resource deletion behavior -When you delete a user, group, service principal, or managed identity from Azure AD, it's a good practice to delete any role assignments. They aren't deleted automatically. 
+When you delete a user, group, service principal, or managed identity from Microsoft Entra ID, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid. If you try to reuse a role assignment's name for another role assignment, the deployment will fail. To work around this behavior, you should either remove the old role assignment before you recreate it, or ensure that you use a unique name when you deploy a new role assignment. This [quickstart template](/samples/azure/azure-quickstart-templates/key-vault-managed-identity-role-assignment) illustrates how you can define a role assignment in a Bicep module and use a principal ID as a seed value for the role assignment name. Custom role definitions enable you to define a set of permissions that can then To create a custom role definition, define a resource of type `Microsoft.Authorization/roleDefinitions`. See the [Create a new role def via a subscription level deployment](https://azure.microsoft.com/resources/templates/create-role-def/) quickstart for an example. -Role definition resource names must be unique within the Azure Active Directory tenant, even if the assignable scopes are narrower. +Role definition resource names must be unique within the Microsoft Entra tenant, even if the assignable scopes are narrower. > [!NOTE] > Some services manage their own role definitions and assignments. For example, Azure Cosmos DB maintains its own [`Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments`](/azure/templates/microsoft.documentdb/databaseaccounts/sqlroleassignments?tabs=bicep) and [`Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions`](/azure/templates/microsoft.documentdb/databaseaccounts/sqlroledefinitions?tabs=bicep) resources. For more information, see the specific service's documentation. |
azure-resource-manager | Tutorial Use Deployment Stacks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/tutorial-use-deployment-stacks.md | The Azure PowerShell includes these parameters to customize the deny assignment: - `DenySettingsMode`: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: `None`, `DenyDelete`, and `DenyWriteAndDelete`. - `DenySettingsApplyToChildScopes`: Deny settings are applied to child Azure management scopes. - `DenySettingsExcludedActions`: List of role-based management operations that are excluded from the deny settings. Up to 200 actions are permitted.-- `DenySettingsExcludedPrincipals`: List of Azure Active Directory (Azure AD) principal IDs excluded from the lock. Up to five principals are permitted.+- `DenySettingsExcludedPrincipals`: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are permitted. # [CLI](#tab/azure-cli) The Azure CLI includes these parameters to customize the deny assignment: - `deny-settings-mode`: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: `none`, `denyDelete`, and `denyWriteAndDelete`. - `deny-settings-apply-to-child-scopes`: Deny settings are applied to child Azure management scopes. - `deny-settings-excluded-actions`: List of role-based access control (RBAC) management operations excluded from the deny settings. Up to 200 actions are allowed.-- `deny-settings-excluded-principals`: List of Azure Active Directory (Azure AD) principal IDs excluded from the lock. 
Up to five principals are allowed.+- `deny-settings-excluded-principals`: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are allowed. |
azure-resource-manager | Approve Just In Time Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/approve-just-in-time-access.md | The work flow for granting access is: This article focuses on the actions consumers take to enable JIT access and approve requests. To learn about publishing a managed application with JIT access, see [Request just-in-time access in Azure Managed Applications](request-just-in-time-access.md). > [!NOTE]-> To use just-in-time access, you must have a [Azure Active Directory P2 license](../../active-directory/privileged-identity-management/subscription-requirements.md). +> To use just-in-time access, you must have a [Microsoft Entra ID P2 license](../../active-directory/privileged-identity-management/subscription-requirements.md). ## Enable during deployment This article focuses on the actions consumers take to enable JIT access and appr The activation maximum duration specifies the maximum amount of time a publisher can request for access to the managed resource group. - The approvers list is the Azure Active Directory users that can approve of JIT access requests. To add an approver, select **Add Approver** and search for the user. + The approvers list is the Microsoft Entra users that can approve of JIT access requests. To add an approver, select **Add Approver** and search for the user. After updating the setting, select **Save**. To change the settings for a deployed managed application: ## Approve requests -When the publisher requests access, you're notified of the request. You can approve JIT access requests either directly through the managed application, or across all managed applications through the Azure AD Privileged Identity Management service. To use just-in-time access, you must have a [Azure Active Directory P2 license](../../active-directory/privileged-identity-management/subscription-requirements.md). +When the publisher requests access, you're notified of the request. You can approve JIT access requests either directly through the managed application, or across all managed applications through the Microsoft Entra Privileged Identity Management service. To use just-in-time access, you must have a [Microsoft Entra ID P2 license](../../active-directory/privileged-identity-management/subscription-requirements.md). To approve requests through the managed application: To approve requests through the managed application: 1. In the form, provide the reason for the approval and select **Approve**. -To approve requests through Azure AD Privileged Identity Management: +To approve requests through Microsoft Entra Privileged Identity Management: -1. Select **All services** and begin searching for **Azure AD Privileged Identity Management**. Select it from the available options. +1. Select **All services** and begin searching for **Microsoft Entra Privileged Identity Management**. Select it from the available options. ![Search for service](./media/approve-just-in-time-access/search.png) |
azure-resource-manager | Create Storage Customer Managed Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/create-storage-customer-managed-key.md | This article describes how to create an Azure Managed Application that deploys a ## Prerequisites -- An Azure account with an active subscription and permissions to Azure Active Directory resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.+- An Azure account with an active subscription and permissions to Microsoft Entra resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin. - [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For Bicep files, install the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep). - Install the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell) or [Azure CLI](/cli/azure/install-azure-cli). - Be familiar with how to [create](publish-service-catalog-app.md) and [deploy](deploy-service-catalog-quickstart.md) a service catalog definition. Create another role assignment so that your account can create a new key in your 1. Assign the following role: - **Role**: Key Vault Crypto Officer - **Assign Access to**: User, group, or service principal- - **Member**: Your Azure Active Directory account + - **Member**: Your Microsoft Entra account 1. Select **Review + assign** to view your settings. 1. Select **Review + assign** to create the role assignment. |
azure-resource-manager | Deploy Service Catalog Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/deploy-service-catalog-quickstart.md | Go to the managed resource group with the name prefix **mrg-sampleManagedApplica :::image type="content" source="./media/deploy-service-catalog-quickstart/view-managed-resource-group.png" alt-text="Screenshot that shows the managed resource group that contains the resources deployed by the managed application definition."::: -The managed resource group and each resource created by the managed application has a role assignment. When you used a quickstart article to create the definition, you created an Azure Active Directory group. That group was used in the managed application definition. When you deployed the managed application, a role assignment for that group was added to the managed resources. +The managed resource group and each resource created by the managed application has a role assignment. When you used a quickstart article to create the definition, you created a Microsoft Entra group. That group was used in the managed application definition. When you deployed the managed application, a role assignment for that group was added to the managed resources. To see the role assignment from the Azure portal: To see the role assignment from the Azure portal: You can also view the resource's **Deny assignments**. -The role assignment gives the application's publisher access to manage the storage account. In this example, the publisher might be your IT department. The _Deny assignments_ prevents customers from making changes to a managed resource's configuration. Managed apps are designed so that customers don't need to maintain the resources. The _Deny assignment_ excludes the Azure Active Directory group that was assigned in **Role assignments**. +The role assignment gives the application's publisher access to manage the storage account. In this example, the publisher might be your IT department. The _Deny assignments_ prevents customers from making changes to a managed resource's configuration. Managed apps are designed so that customers don't need to maintain the resources. The _Deny assignment_ excludes the Microsoft Entra group that was assigned in **Role assignments**. |
azure-resource-manager | Key Vault Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/key-vault-access.md | This article describes how to configure the Key Vault to work with Managed Appli Assign the **Contributor** role to the **Appliance Resource Provider** user at the key vault scope. The **Contributor** role is a _privileged administrator role_ for the role assignment. For detailed steps, go to [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). -The **Appliance Resource Provider** is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can verify if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it's not found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider. +The **Appliance Resource Provider** is a service principal in your Microsoft Entra tenant. From the Azure portal, you can verify if it's registered by going to **Microsoft Entra ID** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it's not found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider. ## Reference Key Vault secret |
azure-resource-manager | Publish Bicep Definition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-bicep-definition.md | You can also use Bicep deploy a managed application definition from your service To complete the tasks in this article, you need the following items: -- An Azure account with an active subscription and permissions to Azure Active Directory resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.+- An Azure account with an active subscription and permissions to Microsoft Entra resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin. - [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For Bicep files, install the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep). - Install the latest version of [Azure PowerShell](/powershell/azure/install-az-ps) or [Azure CLI](/cli/azure/install-azure-cli). az storage account create \ --allow-blob-public-access true ``` -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Azure Active Directory user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, go to [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, go to [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then use the parameter `--auth-mode login` in the commands to create the container and upload the file. packageuri=$(az storage blob url \ ## Create the managed application definition -In this section, you get identity information from Azure Active Directory, create a resource group, and deploy the managed application definition. +In this section, you get identity information from Microsoft Entra ID, create a resource group, and deploy the managed application definition. ### Get group ID and role definition ID The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor. -This example uses a security group, and your Azure Active Directory account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use the variable's value when you deploy the managed application definition. +This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use the variable's value when you deploy the managed application definition. -To create a new Azure Active Directory group, go to [Manage Azure Active Directory groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). +To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). # [PowerShell](#tab/azure-powershell) |
azure-resource-manager | Publish Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-managed-identity.md | -Learn how to configure a managed application to contain a managed identity. A managed identity can be used to allow the customer to grant the managed application access to existing resources. The Azure platform manages the identity and doesn't require you to provision or rotate any secrets. For more about managed identities in Azure Active Directory (Azure AD), see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). +Learn how to configure a managed application to contain a managed identity. A managed identity can be used to allow the customer to grant the managed application access to existing resources. The Azure platform manages the identity and doesn't require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). Your application can be granted two types of identities: |
azure-resource-manager | Publish Service Catalog App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-app.md | You can also use Bicep deploy a managed application definition from your service To complete this quickstart, you need the following items: -- An Azure account with an active subscription and permissions to Azure Active Directory resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.+- An Azure account with an active subscription and permissions to Microsoft Entra resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin. - [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For Bicep files, install the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep). - Install the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell) or [Azure CLI](/cli/azure/install-azure-cli). az storage account create \ --kind StorageV2 ``` -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Azure Active Directory user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then use the parameter `--auth-mode login` in the commands to create the container and upload the file. Make a note of the _app.zip_ file's URL because you need it to create the manage ## Create the managed application definition -In this section, you get identity information from Azure Active Directory, create a resource group, and deploy the managed application definition. +In this section, you get identity information from Microsoft Entra ID, create a resource group, and deploy the managed application definition. ### Get group ID and role definition ID The next step is to select a user, security group, or application for managing t # [PowerShell](#tab/azure-powershell) -This example uses a security group, and your Azure Active Directory account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use this variable's value when you deploy the managed application definition. +This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use this variable's value when you deploy the managed application definition. -To create a new Azure Active Directory group, go to [Manage Azure Active Directory groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). +To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). ```azurepowershell $principalid=(Get-AzADGroup -DisplayName <managedAppDemo>).Id $roleid=(Get-AzRoleDefinition -Name Owner).Id # [Azure CLI](#tab/azure-cli) -This example uses a security group, and your Azure Active Directory account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use this variable's value when you deploy the managed application definition. +This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use this variable's value when you deploy the managed application definition. -To create a new Azure Active Directory group, go to [Manage Azure Active Directory groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). +To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). ```azurecli principalid=$(az ad group show --group <managedAppDemo> --query id --output tsv) |
azure-resource-manager | Publish Service Catalog Bring Your Own Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/publish-service-catalog-bring-your-own-storage.md | You can also use Bicep deploy a managed application definition from your service To complete this quickstart, you need the following items: -- An Azure account with an active subscription and permissions to Azure Active Directory resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.+- An Azure account with an active subscription and permissions to Microsoft Entra resources like users, groups, or service principals. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin. - [Visual Studio Code](https://code.visualstudio.com/) with the latest [Azure Resource Manager Tools extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools). For Bicep files, install the [Bicep extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep). - Install the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell) or [Azure CLI](/cli/azure/install-azure-cli). az storage account create \ --kind StorageV2 ``` -After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Azure Active Directory user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, go to [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). +After you create the storage account, add the role assignment _Storage Blob Data Contributor_ to the storage account scope. Assign access to your Microsoft Entra user account. Depending on your access level in Azure, you might need other permissions assigned by your administrator. For more information, go to [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). After you add the role to the storage account, it takes a few minutes to become active in Azure. You can then use the parameter `--auth-mode login` in the commands to create the container and upload the file. If you're running CLI commands with Git Bash for Windows, you might get an `Inva -The _Appliance Resource Provider_ is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can verify if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it isn't found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider. +The _Appliance Resource Provider_ is a service principal in your Microsoft Entra tenant. From the Azure portal, you can verify if it's registered by going to **Microsoft Entra ID** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it isn't found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider. ## Get group ID and role definition ID The next step is to select a user, security group, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the assigned role. The role can be any Azure built-in role like Owner or Contributor. -This example uses a security group, and your Azure Active Directory account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use the variable's value when you deploy the managed application definition. +This example uses a security group, and your Microsoft Entra account should be a member of the group. To get the group's object ID, replace the placeholder `<managedAppDemo>` including the angle brackets (`<>`), with your group's name. You use the variable's value when you deploy the managed application definition. -To create a new Azure Active Directory group, go to [Manage Azure Active Directory groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). +To create a new Microsoft Entra group, go to [Manage Microsoft Entra groups and group membership](../../active-directory/fundamentals/how-to-manage-groups.md). # [PowerShell](#tab/azure-powershell) |
azure-resource-manager | Tutorial Create Managed App With Custom Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider.md | az managedapp definition create \ ![Add authorization](./media/tutorial-create-managed-app-with-custom-provider/add-authorization.png) -5. Select an Azure Active Directory group to manage the resources, and select **OK**. +5. Select a Microsoft Entra group to manage the resources, and select **OK**. ![Add authorization group](./media/tutorial-create-managed-app-with-custom-provider/add-auth-group.png) |
azure-resource-manager | Authenticate Multi Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/authenticate-multi-tenant.md | When the request references a resource from different tenant, Resource Manager c ## Next steps * To learn about authentication requests, see [Authentication flows and application scenarios](../../active-directory/develop/authentication-flows-app-scenarios.md).-* For more information about tokens, see [Azure Active Directory access tokens](../../active-directory/develop/access-tokens.md). +* For more information about tokens, see [Microsoft Entra access tokens](../../active-directory/develop/access-tokens.md). |
azure-resource-manager | Azure Services Resource Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-services-resource-providers.md | The resources providers that are marked with **- registered** are registered by | Resource provider namespace | Azure service | | | - |-| Microsoft.AAD | [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) | +| Microsoft.AAD | [Microsoft Entra Domain Services](../../active-directory-domain-services/index.yml) | | Microsoft.Addons | core | | Microsoft.App | [Azure Container Apps](../../container-apps/index.yml) |-| Microsoft.ADHybridHealthService - [registered](#registration) | [Azure Active Directory](../../active-directory/index.yml) | +| Microsoft.ADHybridHealthService - [registered](#registration) | [Microsoft Entra ID](../../active-directory/index.yml) | | Microsoft.Advisor | [Azure Advisor](../../advisor/index.yml) | | Microsoft.AlertsManagement | [Azure Monitor](../../azure-monitor/index.yml) | | Microsoft.AnalysisServices | [Azure Analysis Services](../../analysis-services/index.yml) | The resources providers that are marked with **- registered** are registered by | Microsoft.Automation | [Automation](../../automation/index.yml) | | Microsoft.AutonomousSystems | [Autonomous Systems](https://www.microsoft.com/ai/autonomous-systems) | | Microsoft.AVS | [Azure VMware Solution](../../azure-vmware/index.yml) |-| Microsoft.AzureActiveDirectory | [Azure Active Directory B2C](../../active-directory-b2c/index.yml) | +| Microsoft.AzureActiveDirectory | [Microsoft Entra ID B2C](../../active-directory-b2c/index.yml) | | Microsoft.AzureArcData | Azure Arc-enabled data services | | Microsoft.AzureData | SQL Server registry | | Microsoft.AzureStack | core | Resource providers marked with **- registered** in the previous section are auto > [!IMPORTANT] > Register a resource provider only when you're ready to use it. This registration step helps maintain least privileges within your subscription. A malicious user can't use unregistered resource providers. >-> Registering unnecessary resource providers may result in unrecognized apps appearing in your Azure Active Directory tenant. Microsoft adds the app for a resource provider when you register it. These apps are typically added by the Windows Azure Service Management API. To prevent unnecessary apps in your tenant, only register needed resource providers. +> Registering unnecessary resource providers may result in unrecognized apps appearing in your Microsoft Entra tenant. Microsoft adds the app for a resource provider when you register it. These apps are typically added by the Windows Azure Service Management API. To prevent unnecessary apps in your tenant, only register needed resource providers. |
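Review bot: the `Microsoft.AzureActiveDirectory` row renames the service to "Microsoft Entra ID B2C", but Azure AD B2C was explicitly kept out of the Microsoft Entra rename and still ships under its existing name; the rename should be reverted for that row so the table matches the product name used by the linked B2C documentation (`../../active-directory-b2c/index.yml`). The remaining rows in this region (`Microsoft.AAD`, `Microsoft.ADHybridHealthService`, and the tenant wording in the important note) are correct renames.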
azure-resource-manager | Azure Subscription Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-subscription-service-limits.md | The following limits apply when you use Azure Resource Manager and Azure resourc [!INCLUDE [azure-resource-groups-limits](../../../includes/azure-resource-groups-limits.md)] -## Azure Active Directory limits +<a name='azure-active-directory-limits'></a> ++## Microsoft Entra ID limits [!INCLUDE [AAD-service-limits](../../../includes/active-directory-service-limits-include.md)] |
azure-resource-manager | Lock Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/lock-resources.md | The distinction means locks protect a resource from changes, but they don't rest Applying locks can lead to unexpected results. Some operations, which don't seem to modify a resource, require blocked actions. Locks prevent the POST method from sending data to the Azure Resource Manager (ARM) API. Some common examples of blocked operations are: -- A read-only lock on a **storage account** prevents users from listing the account keys. A POST request handles the Azure Storage [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation to protect access to the account keys. The account keys provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys need to use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue). +- A read-only lock on a **storage account** prevents users from listing the account keys. A POST request handles the Azure Storage [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation to protect access to the account keys. The account keys provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys need to use Microsoft Entra credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue). - A read-only lock on a **storage account** protects RBAC assignments scoped for a storage account or a data container (blob container or queue). |
azure-resource-manager | Manage Resources Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/manage-resources-rest.md | Learn how to use the REST API for [Azure Resource Manager](overview.md) to manag ## Obtain an access token To make a REST API call to Azure, you first need to obtain an access token. Include this access token in the headers of your Azure REST API calls using the "Authorization" header and setting the value to "Bearer {access-token}". -If you need to programatically retrieve new tokens as part of your application, you can obtain an access token by [Registering your client application with Azure AD](/rest/api/azure/#register-your-client-application-with-azure-ad). +If you need to programatically retrieve new tokens as part of your application, you can obtain an access token by [Registering your client application with Microsoft Entra ID](/rest/api/azure/#register-your-client-application-with-azure-ad). If you are getting started and want to test Azure REST APIs using your individual token, you can retrieve your current access token quickly with either Azure PowerShell or Azure CLI. |
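Review bot: the replacement line keeps the misspelling "programatically" from the original ("If you need to programatically retrieve new tokens"); since the sentence is already being rewritten for the rename, change it to "programmatically" in the same edit. The link target fragment `#register-your-client-application-with-azure-ad` is an anchor in the REST reference and should stay as-is until that page's heading is updated.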
azure-resource-manager | Classic Model Move Limitations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-limitations/classic-model-move-limitations.md | To move classic resources to a new resource group within the same subscription, When moving classic cloud services to a new subscription, the following restrictions apply: -- The source and target subscriptions need to be under the same Azure AD tenant.+- The source and target subscriptions need to be under the same Microsoft Entra tenant. - Cloud Service Provider (CSP) subscriptions do not support migrating classic cloud services. - All classic resources in the subscription must be moved in the same operation. - The target subscription must not have any other classic resources. |
azure-resource-manager | Move Resource Group And Subscription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-resource-group-and-subscription.md | There are some important steps to do before moving a resource. By verifying thes 1. The source and destination subscriptions must be active. If you have trouble enabling an account that has been disabled, [create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Select **Subscription Management** for the issue type. -1. The source and destination subscriptions must exist within the same [Azure Active Directory tenant](../../active-directory/develop/quickstart-create-new-tenant.md). To check that both subscriptions have the same tenant ID, use Azure PowerShell or Azure CLI. +1. The source and destination subscriptions must exist within the same [Microsoft Entra tenant](../../active-directory/develop/quickstart-create-new-tenant.md). To check that both subscriptions have the same tenant ID, use Azure PowerShell or Azure CLI. For Azure PowerShell, use: There are some important steps to do before moving a resource. By verifying thes If the tenant IDs for the source and destination subscriptions aren't the same, use the following methods to reconcile the tenant IDs: * [Transfer ownership of an Azure subscription to another account](../../cost-management-billing/manage/billing-subscription-transfer.md)- * [How to associate or add an Azure subscription to Azure Active Directory](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) + * [How to associate or add an Azure subscription to Microsoft Entra ID](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) 1. If you're attempting to move resources to or from a Cloud Solution Provider (CSP) partner, see [Transfer Azure subscriptions between subscribers and CSPs](../../cost-management-billing/manage/transfer-subscriptions-subscribers-csp.md). |
azure-resource-manager | Move Resources Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-resources-overview.md | Azure resources can be moved to a new resource group or subscription, or across You can move Azure resources to either another Azure subscription or another resource group under the same subscription. You can use the Azure portal, Azure PowerShell, Azure CLI, or the REST API to move resources. To learn more, see [Move resources to a new resource group or subscription](move-resource-group-and-subscription.md). -The move operation doesn't support moving resources to new [Azure Active Directory tenant](../../active-directory/develop/quickstart-create-new-tenant.md). If the tenant IDs for the source and destination subscriptions aren't the same, use the following methods to reconcile the tenant IDs: +The move operation doesn't support moving resources to new [Microsoft Entra tenant](../../active-directory/develop/quickstart-create-new-tenant.md). If the tenant IDs for the source and destination subscriptions aren't the same, use the following methods to reconcile the tenant IDs: * [Transfer ownership of an Azure subscription to another account](../../cost-management-billing/manage/billing-subscription-transfer.md)-* [How to associate or add an Azure subscription to Azure Active Directory](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) +* [How to associate or add an Azure subscription to Microsoft Entra ID](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md) ### Upgrade a subscription |
azure-resource-manager | Move Support Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-support-resources.md | Last updated 01/30/2023 This article lists whether an Azure resource type supports the move operation. It also provides information about special conditions to consider when moving a resource. -Before starting your move operation, review the [checklist](./move-resource-group-and-subscription.md#checklist-before-moving-resources) to make sure you have satisfied prerequisites. Moving resources across [Azure Active Directory tenants](../../active-directory/develop/quickstart-create-new-tenant.md) isn't supported. +Before starting your move operation, review the [checklist](./move-resource-group-and-subscription.md#checklist-before-moving-resources) to make sure you have satisfied prerequisites. Moving resources across [Microsoft Entra tenants](../../active-directory/develop/quickstart-create-new-tenant.md) isn't supported. > [!IMPORTANT] > In most cases, a child resource can't be moved independently from its parent resource. Child resources have a resource type in the format of `<resource-provider-namespace>/<parent-resource>/<child-resource>`. For example, `Microsoft.ServiceBus/namespaces/queues` is a child resource of `Microsoft.ServiceBus/namespaces`. When you move the parent resource, the child resource is automatically moved with it. If you don't see a child resource in this article, you can assume it is moved with the parent resource. If the parent resource doesn't support move, the child resource can't be moved. |
azure-resource-manager | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/overview.md | Azure provides four levels of scope: [management groups](../../governance/manage You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a [policy](../../governance/policy/overview.md) to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn't have that policy assignment. -For information about managing identities and access, see [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). +For information about managing identities and access, see [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md). You can deploy templates to tenants, management groups, subscriptions, or resource groups. |
azure-resource-manager | Resource Providers And Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/resource-providers-and-types.md | Before you use a resource provider, you must make sure your Azure subscription i > [!IMPORTANT] > Register a resource provider only when you're ready to use it. This registration step helps maintain least privileges within your subscription. A malicious user can't use unregistered resource providers. >-> Registering unnecessary resource providers may result in unrecognized apps appearing in your Azure Active Directory tenant. Microsoft adds the app for a resource provider when you register it. These apps are typically added by the Windows Azure Service Management API. To prevent unnecessary apps in your tenant, only register needed resource providers. +> Registering unnecessary resource providers may result in unrecognized apps appearing in your Microsoft Entra tenant. Microsoft adds the app for a resource provider when you register it. These apps are typically added by the Windows Azure Service Management API. To prevent unnecessary apps in your tenant, only register needed resource providers. Some resource providers are registered by default. For a list of resource providers registered by default, see [Resource providers for Azure services](azure-services-resource-providers.md). |
azure-resource-manager | Tls Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/tls-support.md | For a more detailed guidance, see the [checklist to deprecate older TLS versions * [Solving the TLS 1.0 Problem, 2nd Edition](/security/engineering/solving-tls1-problem) – deep dive into migrating to TLS 1.2. * [How to enable TLS 1.2 on clients](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client) – for Microsoft Configuration Manager. * [Configure Transport Layer Security (TLS) for a client application](../../storage/common/transport-layer-security-configure-client-version.md) – contains instructions to update TLS version in PowerShell -* [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment) – contains information on updating TLS version for WinHTTP. +* [Enable support for TLS 1.2 in your environment for Microsoft Entra TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment) – contains information on updating TLS version for WinHTTP. * [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls) – best practices when configuring security protocols for applications targeting .NET Framework. * [TLS best practices with the .NET Framework](https://github.com/dotnet/docs/issues/4675) – GitHub to ask questions about best practices with .NET Framework. * [Troubleshooting TLS 1.2 compatibility with PowerShell](https://github.com/microsoft/azure-devops-tls12) – probe to check TLS 1.2 compatibility and identify issues when incompatible with PowerShell. |
azure-resource-manager | Deploy Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deploy-cli.md | Title: Azure deployment templates with Azure CLI – Azure Resource Manager | Microsoft Docs description: Use Azure Resource Manager and Azure CLI to create and deploy resource groups to Azure. The resources are defined in an Azure deployment template. Previously updated : 05/22/2023 Last updated : 10/10/2023 keywords: azure cli deploy arm template, create resource group azure, azure deployment template, deployment resources, arm template, azure arm template The Azure deployment template can take a few minutes to complete. When it finish ## Deploy remote template -Instead of storing ARM templates on your local machine, you may prefer to store them in an external location. You can store templates in a source control repository (such as GitHub). Or, you can store them in an Azure storage account for shared access in your organization. +Instead of storing ARM templates on your local machine, you might prefer to store them in an external location. You can store templates in a source control repository (such as GitHub). Or, you can store them in an Azure storage account for shared access in your organization. [!INCLUDE [Deploy templates in private GitHub repo](../../../includes/resource-manager-private-github-repo-templates.md)] Before deploying your ARM template, you can preview the changes the template wil ## Parameters -To pass parameter values, you can use either inline parameters or a parameter file. +To pass parameter values, you can use either inline parameters or a parameters file. The parameter file can be either a [Bicep parameters file](#bicep-parameter-files) or a [JSON parameters file](#json-parameter-files). ### Inline parameters az deployment group create \ However, if you're using Azure CLI with Windows Command Prompt (CMD) or PowerShell, set the variable to a JSON string. Escape the quotation marks: `$params = '{ \"prefix\": {\"value\":\"start\"}, \"suffix\": {\"value\":\"end\"} }'`. -### Parameter files +### JSON parameter files -Rather than passing parameters as inline values in your script, you may find it easier to use a JSON file that contains the parameter values. The parameter file must be a local file. External parameter files aren't supported with Azure CLI. --For more information about the parameter file, see [Create Resource Manager parameter file](parameter-files.md). +Rather than passing parameters as inline values in your script, you might find it easier to use a parameters file, either a `.bicepparam` file or a JSON parameters file, that contains the parameter values. The parameters file must be a local file. External parameters files aren't supported with Azure CLI. To pass a local parameter file, use `@` to specify a local file named _storage.parameters.json_. az deployment group create \ --parameters '@storage.parameters.json' ``` +For more information about the parameter file, see [Create Resource Manager parameter file](./parameter-files.md). ++### Bicep parameter files ++With Azure CLI version 2.53.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there is no need to provide the `--template-file` switch when specifying a Bicep parameter file for the `--parameters` switch. Including the `--template-file` switch will result in an "Only a .bicep template is allowed with a .bicepparam file" error. ++```azurecli-interactive +az deployment group create \ + --name ExampleDeployment \ + --resource-group ExampleGroup \ + --parameters storage.bicepparam +``` ++The parameters file must be a local file. External parameters files aren't supported with Azure CLI. For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md). ++ ## Comments and the extended JSON format You can include `//` style comments in your parameter file, but you must name the file with a `.jsonc` extension. |
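Review bot: the body under the renamed `### JSON parameter files` heading now says the file can be "either a `.bicepparam` file or a JSON parameters file", while the new `### Bicep parameter files` section directly below is where `.bicepparam` is actually covered; keep the JSON section to JSON files and let the `## Parameters` lead (which already links both sub-sections) do the routing, so heading and text agree. The sentence pair "The parameters file must be a local file. External parameters files aren't supported with Azure CLI." is also added verbatim to both sub-sections; state it once in the shared lead. Finally the hunk mixes "parameter file" and "parameters file" (including in the two link texts "Create Resource Manager parameter file" and "Create Resource Manager parameters file" that point at the same `./parameter-files.md`); pick one form.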
azure-resource-manager | Deploy To Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deploy-to-tenant.md | -As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) across your Azure AD tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level. +As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) across your Microsoft Entra tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level. > [!TIP] > We recommend [Bicep](../bicep/overview.md) because it offers the same capabilities as ARM templates and the syntax is easier to use. To learn more, see [tenant deployments](../bicep/deploy-to-tenant.md). The schema for a parameter file is the same for all deployment scopes. For param The principal deploying the template must have permissions to create resources at the tenant scope. The principal must have permission to execute the deployment actions (`Microsoft.Resources/deployments/*`) and to create the resources defined in the template. For example, to create a management group, the principal must have Contributor permission at the tenant scope. To create role assignments, the principal must have Owner permission. -The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps: +The Global Administrator for the Microsoft Entra ID doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps: 1. Elevate account access so the Global Administrator can assign roles. For more information, see [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md). |
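Review bot: "The Global Administrator for the Microsoft Entra ID doesn't automatically have permission to assign roles" carries a stray article from the mechanical rename of "the Azure Active Directory"; the product name does not take "the", so write "The Global Administrator for Microsoft Entra ID" (or "of the Microsoft Entra tenant", matching the wording used earlier in the same hunk).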
azure-resource-manager | Deployment Script Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/deployment-script-template.md | These scripts can be used for performing custom steps such as: - Perform data plane operations, for example, copy blobs or seed database. - Look up and validate a license key. - Create a self-signed certificate.-- Create an object in Azure Active Directory (Azure AD).+- Create an object in Microsoft Entra ID. - Look up IP Address blocks from custom system. The benefits of deployment script: Property value details: - [Sample 3](https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/deployment-script/deploymentscript-keyvault-mi.json): create a user-assigned managed identity, assign the contributor role to the identity at the resource group level, create a key vault, and then use deployment script to assign a certificate to the key vault. - [Sample 4](https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/deployment-script/deploymentscript-keyvault-lock-sub.json): it is the same scenario as Sample 1 in this list. A new resource group is created to run the deployment script. This template is a subscription level template. - [Sample 5](https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/deployment-script/deploymentscript-keyvault-lock-group.json): it is the same scenario as Sample 4. This template is a resource group level template.-- [Sample 6](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad): manually create a user-assigned managed identity and assign it permission to use the Microsoft Graph API to create Azure AD applications; in the Bicep file, use a deployment script to create an Azure AD application and service principal, and output the object IDs and client ID.+- [Sample 6](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad): manually create a user-assigned managed identity and assign it permission to use the Microsoft Graph API to create Microsoft Entra applications; in the Bicep file, use a deployment script to create a Microsoft Entra application and service principal, and output the object IDs and client ID. ## Use inline scripts After the script is tested successfully, you can use it as a deployment script i ## Use Microsoft Graph within a deployment script -A deployment script can use [Microsoft Graph](/graph/overview) to create and work with objects in Azure AD. +A deployment script can use [Microsoft Graph](/graph/overview) to create and work with objects in Microsoft Entra ID. ### Commands |
azure-resource-manager | Quickstart Create Template Specs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/quickstart-create-template-specs.md | To deploy a template spec, use the same deployment commands as you would use to ## Grant access -If you want to let other users in your organization deploy your template spec, you need to grant them read access. You can assign the Reader role to an Azure AD group for the resource group that contains template specs you want to share. For more information, see [Tutorial: Grant a group access to Azure resources using Azure PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md). +If you want to let other users in your organization deploy your template spec, you need to grant them read access. You can assign the Reader role to a Microsoft Entra group for the resource group that contains template specs you want to share. For more information, see [Tutorial: Grant a group access to Azure resources using Azure PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md). ## Update template |
azure-resource-manager | Template Functions Date | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/templates/template-functions-date.md | Title: Template functions - date description: Describes the functions to use in an Azure Resource Manager template (ARM template) to work with dates. Previously updated : 05/22/2023 Last updated : 10/12/2023 # Date functions for ARM templates In Bicep, use the [dateTimeAdd](../bicep/bicep-functions-date.md#datetimeadd) fu The datetime value that results from adding the duration value to the base value. +### Remarks ++The dateTimeAdd function takes into account leap years and the number of days in a month when performing date arithmetic. The following example adds one month to January 31: ++```json +"outputs": { + "add10YearsOutput": { + "type": "string", + "value": "[dateTimeAdd('2023-01-31 00:00:00Z', 'P1M')]" //2023-03-02T00:00:00Z + }, + "add1MonthOutput": { + "type": "string", + "value": "[dateTimeAdd('2024-01-31 00:00:00Z', 'P1M')]" //2024-03-01T00:00:00Z + } +} +``` ++In this example, `dateTimeAdd` returns `2023-03-02T00:00:00Z`, not `2023-02-28T00:00:00Z`. If the base is `2024-01-31 00:00:00Z`, it returns `2024-03-01T00:00:00Z` because 2024 is a leap year. + ### Examples The following example template shows different ways of adding time values. |
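Review bot: the first output in the added `### Remarks` sample is named `add10YearsOutput`, but its expression adds one month (`'P1M'`) to `2023-01-31 00:00:00Z`, so the name contradicts both the code and the prose "The following example adds one month to January 31"; rename it (for instance `add1MonthOutput2023`, with the second becoming `add1MonthOutput2024`) so the two outputs read as the pair the text describes. The `//2023-03-02T00:00:00Z` and `//2024-03-01T00:00:00Z` trailing comments also sit inside a fence tagged `json`; comments are not valid JSON, which the same page later notes requires a `.jsonc` extension, so either tag the fence `jsonc` or drop the comments, since the paragraph below already states both results.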
azure-vmware | Backup Azure Netapp Files Datastores Vms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/backup-azure-netapp-files-datastores-vms.md | Before you back up your Azure NetApp Files datastores, you must add your Azure a * Cloud Backup for Virtual Machines requires outbound internet access from your Azure VMware Solution SDDC. For more information, see [Internet connectivity design considerations](../azure-vmware/concepts-design-public-internet-access.md). -* You must have sufficient permissions to [Create an Azure AD app and service principal](../active-directory/develop/howto-create-service-principal-portal.md) within your Azure AD tenant and assign to the application a role in your Azure subscription. You can use the built-in role of "contributor" or you can create a custom role with only the required permissions: +* You must have sufficient permissions to [Create a Microsoft Entra app and service principal](../active-directory/develop/howto-create-service-principal-portal.md) within your Microsoft Entra tenant and assign to the application a role in your Azure subscription. You can use the built-in role of "contributor" or you can create a custom role with only the required permissions: ```json "actions": [ |
azure-vmware | Concepts Hub And Spoke | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-hub-and-spoke.md | For identity purposes, the best approach is to deploy at least one domain contro Additionally, deploy another domain controller on the Azure VMware Solution side to act as identity and DNS source within the vSphere environment. -As a recommended best practice, integrate [AD domain with Azure Active Directory](/azure/architecture/reference-architectures/identity/azure-ad). +As a recommended best practice, integrate [AD domain with Microsoft Entra ID](/azure/architecture/reference-architectures/identity/azure-ad). <!-- LINKS - external --> [Azure Architecture Center]: /azure/architecture/ |
azure-vmware | Concepts Private Clouds Clusters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-private-clouds-clusters.md | Title: Concepts - Private clouds and clusters description: Understand the key capabilities of Azure VMware Solution software-defined data centers and VMware vSphere clusters. Previously updated : 06/27/2023 Last updated : 10/12/2023 Each Azure VMware Solution architectural component has the following function: [!INCLUDE [disk-capabilities-of-the-host](includes/disk-capabilities-of-the-host.md)] +## Azure Region Availability Zone (AZ) to SKU mapping ++When planning your Azure VMware Solution design, use the following table to understand what SKUs are available in each physical Availability Zone of an [Azure region](https://azure.microsoft.com/explore/global-infrastructure/geographies/#geographies). This is important for placing your private clouds in close proximity to your Azure native workloads, including integrated services such as Azure NetApp Files and Pure Cloud Block Storage (CBS). The Multi-AZ capability for Azure VMware Solution Stretched Clusters is also tagged in the table below. ++Customer quota for Azure VMware Solution is assigned by Azure region, and you are not able to specify the Availability Zone during private cloud provisioning. An auto selection algorithm is used to balance deployments across the Azure region. If you have a particular Availability Zone you want to deploy to, open an SR with Microsoft requesting a "special placement policy" for your Subscription, Azure region, Availability Zone, and SKU type. This policy will remain in place until you request it be removed or changed. ++| Azure region | Availability Zone | SKU | Multi-AZ SDDC | +| : | :: | :: | :: | +| Australia East | AZ01 | AV36P | Yes | +| Australia East | AZ02 | AV36 | No | +| Australia East | AZ03 | AV36P | Yes | +| Australia South East | N/A | AV36 | No | +| Brazil South | AZ02 | AV36 | No | +| Canada Central | AZ02 | AV36, AV36P | No | +| Canada East | N/A | AV36 | No | +| Central US | AZ01 | AV36P | No | +| Central US | AZ02 | AV36 | No | +| East Asia | AZ01 | AV36 | No | +| East US | AZ01 | AV36P | No | +| East US | AZ02 | AV36P | No | +| East US | AZ03 | AV36, AV36P | No | +| East US 2 | AZ01 | AV36 | No | +| East US 2 | AZ02 | AV36P, AV52 | No | +| France Central | AZ01 | AV36 | No | +| Germany West Central | AZ02 | AV36 | Yes | +| Germany West Central | AZ03 | AV36, AV36P | Yes | +| Japan East | N/A | AV36 | No | +| Japan West | N/A | AV36 | No | +| North Central US | AZ01 | AV36 | No | +| North Central US | AZ02 | AV36P | No | +| North Europe | AZ02 | AV36 | No | +| Qatar Central | AZ03 | AV36P | No | +| South Africa North | AZ03 | AV36 | No | +| South Central US | AZ01 | AV36 | No | +| South Central US | AZ02 | AV36P, AV52 | No | +| South East Asia | AZ02 | AV36 | No | +| Sweden Central | AZ01 | AV36 | No | +| Switzerland North | AZ01 | AV36 | No | +| Switzerland West | N/A | AV36 | No | +| UK South | AZ01 | AV36, AV36P, AV52 | Yes | +| UK South | AZ02 | AV36 | Yes | +| UK South | AZ03 | AV36P | No | +| UK West | AZ01 | AV36 | No | +| West Europe | AZ01 | AV36, AV36P, AV52 | Yes | +| West Europe | AZ02 | AV36 | Yes | +| West Europe | AZ03 | AV36P | Yes | +| West US | AZ01 | AV36, AV36P | No | +| West US 2 | AZ01 | AV36 | No | +| West US 2 | AZ02 | AV36P | No | +| West US 3 | AZ01 | AV36P | No | +| US Gov Arizona | AZ02 | AV36P | No | +| US Gov Virginia | AZ03 | AV36 | No | + ## Clusters [!INCLUDE [hosts-minimum-initial-deployment-statement](includes/hosts-minimum-initial-deployment-statement.md)] Each Azure VMware Solution architectural component has the following function: ## VMware software versions +Microsoft is a member of the VMware Metal-as-a-Service (MaaS) program and uses the [VMware Cloud Provider Stack (VCPS)](https://docs.vmware.com/en/VMware-Cloud-Provider-Stack/1.1/com.vmware.vcps.gsg.doc/GUID-5D686FB2-9886-44D3-845B-FDEF650C7575.html) for Azure VMware Solution upgrade planning. + [!INCLUDE [vmware-software-versions](includes/vmware-software-versions.md)] ## Host maintenance and lifecycle management Azure VMware Solution continuously monitors the health of both the physical unde ## Next steps -Now that you've covered Azure VMware Solution private cloud concepts, you may want to learn about: +Now that you've covered Azure VMware Solution private cloud concepts, you might want to learn about: - [Azure VMware Solution networking and interconnectivity concepts](concepts-networking.md) - [Azure VMware Solution storage concepts](concepts-storage.md) |
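Review bot: the delimiter row of the added availability-zone table, `| : | :: | :: | :: |`, is not valid Markdown table syntax; each alignment cell needs at least three hyphens with optional leading or trailing colons, for example `| :--- | :---: | :---: | :---: |`, otherwise the whole table renders as plain text. In the paragraph above it, "open an SR with Microsoft" uses an unexpanded abbreviation; write "open a support request (SR) with Microsoft" on first use, and replace "tagged in the table below" with "tagged in the following table" so the reference survives reflow.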
azure-vmware | Configure Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-customer-managed-keys.md | The Customer-managed keys (CMKs) feature supports the following key types. See t ## Topology -The following diagram shows how Azure VMware Solution uses Azure Active Directory (Azure AD) and a key vault to deliver the customer-managed key. +The following diagram shows how Azure VMware Solution uses Microsoft Entra ID and a key vault to deliver the customer-managed key. :::image type="content" source="media/configure-customer-managed-keys/customer-managed-keys-diagram-topology.png" alt-text="Diagram showing the customer-managed keys topology." border="false" lightbox="media/configure-customer-managed-keys/customer-managed-keys-diagram-topology.png"::: A customer can enable CMK encryption for a specified CMK key version to supply t ## Enable CMK with system-assigned identity -System-assigned identity is restricted to one per resource and is tied to the lifecycle of the resource. You can grant permissions to the managed identity on Azure resource. The managed identity is authenticated with Azure AD, so you don't have to store any credentials in code. +System-assigned identity is restricted to one per resource and is tied to the lifecycle of the resource. You can grant permissions to the managed identity on Azure resource. The managed identity is authenticated with Microsoft Entra ID, so you don't have to store any credentials in code. >[!IMPORTANT] > Ensure that key vault is in the same region as the Azure VMware Solution private cloud. |
azure-vmware | Configure Identity Source Vcenter | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/configure-identity-source-vcenter.md | Title: Configure external identity source for vCenter Server -description: Learn how to configure Azure Active Directory over LDAP or LDAPS for vCenter Server as an external identity source. +description: Learn how to configure Microsoft Entra ID over LDAP or LDAPS for vCenter Server as an external identity source. Last updated 10/21/2022 |
azure-vmware | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/introduction.md | For more information, see [Networking concepts](concepts-networking.md). ## Access and security -Azure VMware Solution private clouds use vSphere role-based access control for enhanced security. You can integrate vSphere SSO LDAP capabilities with Azure Active Directory. For more information, see the [Access and Identity concepts](concepts-identity.md) page. +Azure VMware Solution private clouds use vSphere role-based access control for enhanced security. You can integrate vSphere SSO LDAP capabilities with Microsoft Entra ID. For more information, see the [Access and Identity concepts](concepts-identity.md) page. vSAN data-at-rest encryption, by default, is enabled and is used to provide vSAN datastore security. For more information, see [Storage concepts](concepts-storage.md). |
azure-web-pubsub | Concept Azure Ad Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-azure-ad-authorization.md | The Azure Web PubSub Service enables the authorization of requests to Azure Web By utilizing role-based access control (RBAC) with Microsoft Entra ID, permissions can be granted to a security principal<sup>[<a href="#security-principal">1</a>]</sup>. Microsoft Entra authorizes this security principal and returns an OAuth 2.0 token, which Web PubSub resources can then use to authorize a request. -Using Microsoft Entra ID for authorization of Web PubSub requests offers improved security and ease of use compared to Access Key authorization. Microsoft recommends utilizing Microsoft Entra ID authorization with Web PubSub resources when possible to ensure access with the minimum necessary privileges. +Using Microsoft Entra ID for authorization of Web PubSub requests offers improved security and ease of use compared to Access Key authorization. Microsoft recommends utilizing Microsoft Entra authorization with Web PubSub resources when possible to ensure access with the minimum necessary privileges. <a id="security-principal"></a> _[1] security principal: a user/resource group, an application, or a service principal such as system-assigned identities and user-assigned identities._ We provided helper functions (for example `GenerateClientAccessUri) for supporte ## Assign Azure roles for access rights -Microsoft Entra ID authorizes access rights to secured resources through [Azure role-based access control](../role-based-access-control/overview.md). Azure Web PubSub defines a set of Azure built-in roles that encompass common sets of permissions used to access Web PubSub resources. You can also define custom roles for access to Web PubSub resources. +Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control](../role-based-access-control/overview.md). Azure Web PubSub defines a set of Azure built-in roles that encompass common sets of permissions used to access Web PubSub resources. You can also define custom roles for access to Web PubSub resources. ### Resource scope To learn how to create an Azure application and use Microsoft Entra authorizatio - [Authorize request to Web PubSub resources with Microsoft Entra ID from applications](howto-authorize-from-application.md) -To learn how to configure a managed identity and use Microsoft Entra ID auth, see +To learn how to configure a managed identity and use Microsoft Entra auth, see - [Authorize request to Web PubSub resources with Microsoft Entra ID from managed identities](howto-authorize-from-managed-identity.md) |
azure-web-pubsub | Howto Create Serviceclient With Java And Azure Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-create-serviceclient-with-java-and-azure-identity.md | This how-to guide shows you how to create a `WebPubSubServiceClient` using Micro ## Complete sample -- [Simple chatroom with Microsoft Entra ID authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/java/chatapp-aad)+- [Simple chatroom with Microsoft Entra authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/java/chatapp-aad) |
azure-web-pubsub | Howto Create Serviceclient With Javascript And Azure Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-create-serviceclient-with-javascript-and-azure-identity.md | This how-to guide shows you how to create a `WebPubSubServiceClient` using Micro ## Complete sample -- [Simple chatroom with Microsoft Entra ID authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/javascript/chatapp-aad)+- [Simple chatroom with Microsoft Entra authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/javascript/chatapp-aad) |
azure-web-pubsub | Howto Create Serviceclient With Net And Azure Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-create-serviceclient-with-net-and-azure-identity.md | This how-to guide shows you how to create a `WebPubSubServiceClient` using Micro ## Complete sample -- [Simple chatroom with Microsoft Entra ID authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/csharp/chatapp-aad)+- [Simple chatroom with Microsoft Entra authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/csharp/chatapp-aad) |
azure-web-pubsub | Howto Create Serviceclient With Python And Azure Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-create-serviceclient-with-python-and-azure-identity.md | This how-to guide shows you how to create a `WebPubSubServiceClient` using Micro ## Complete sample -- [Simple chatroom with Microsoft Entra ID authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/python/chatapp-aad)+- [Simple chatroom with Microsoft Entra authorization](https://github.com/Azure/azure-webpubsub/tree/main/samples/python/chatapp-aad) |
azure-web-pubsub | Quickstart Serverless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/quickstart-serverless.md | In this tutorial, you learn how to: ``` > [!NOTE]- > In this sample, we use [AAD](../app-service/configure-authentication-user-identities.md) user identity header `x-ms-client-principal-name` to retrieve `userId`. And this won't work in a local function. You can make it empty or change to other ways to get or generate `userId` when playing in local. For example, let client type a user name and pass it in query like `?user={$username}` when call `negotiate` function to get service connection url. And in the `negotiate` function, set `userId` with value `{query.user}`. + > In this sample, we use [Microsoft Entra ID](../app-service/configure-authentication-user-identities.md) user identity header `x-ms-client-principal-name` to retrieve `userId`. And this won't work in a local function. You can make it empty or change to other ways to get or generate `userId` when playing in local. For example, let client type a user name and pass it in query like `?user={$username}` when call `negotiate` function to get service connection url. And in the `negotiate` function, set `userId` with value `{query.user}`. # [JavaScript](#tab/javascript) |
azure-web-pubsub | Socketio Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/socketio-authentication.md | + + Title: Authentication +description: Learn how to authenticate with Web PubSub for Socket.IO. +keywords: Socket.IO, Socket.IO on Azure, authentication ++ Last updated : 09/22/2023++++# How to use authentication in Web PubSub for Socket.IO +## Background +[Socket.IO protocol](https://socket.io/docs/v4/socket-io-protocol/) is an application layer protocol, which is built on a transport layer protocol named [Engine.IO protocol](https://socket.io/docs/v4/engine-io-protocol/). +Engine.IO is responsible for establishing the low-level connection between the server and the client. An Engine.IO connection manages exactly one real connection, which is either a HTTP long-polling connection or a WebSocket connection. ++[Native authentication mechanism provided by Socket.IO library](https://socket.io/docs/v4/middlewares/#sending-credentials) are applied on Socket.IO connection level. The Engine.IO connection has already been built successfully before the authentication takes effect. The underlying Engine.IO connection could be built between client and server without any authentication mechanism. Attackers could make use of Engine.IO connection without any authentication to consume customer's resource without any restriction. ++## Authentication for Socket.IO connection +This level of authentication is NOT recommended in production environment. For it doesn't provide any protection for the low-level Engine.IO connection, which makes your resource easy to be attacked. ++## Authentication for Engine.IO connection +This level of authentication is recommended for it protects the Engine.IO connection. +For now, Socket.IO library doesn't provide such an authentication mechanism for Engine.IO connections. 
The [Azure SocketIO server SDK](https://github.com/Azure/azure-webpubsub/tree/main/sdk/webpubsub-socketio-extension) introduces in a negotiation mechanism and provides APIs to use. ++Client sends negotiation request containing authentication information to server before the Engine.IO connection is built. Here are the details how the mechanism works: + +1. Before connecting with the service endpoint, the client sends negotiation to the server, which carries information required by authentication. +2. The server receives the negotiation request, parse the authentication information and authenticate the client according to the parsed information. Then the server responds the request with an access token in [JWT token](https://jwt.io/) format. +3. The client connects with the service endpoint with the access token given by server. The access token must be placed in query string named with `access_token` of the Socket.IO request. +4. The service will validate the `access_token`. The connection will be rejected if `access_token` is not valid. ++The web application that handles negotiation request could be an independent one or a part of Socket.IO application. ++### Basic Usage +- Server-side ++1. Create a Socket.IO server supported by the service +```javascript +const azure = require("@azure/web-pubsub-socket.io"); +const app = express(); +const server = require('http').createServer(app); ++const io = require('socket.io')(server); +const wpsOptions = { hub: "eio_hub", connectionString: process.env.WebPubSubConnectionString }; ++azure.useAzureSocketIO(io, wpsOptions); +``` +++2. Use `negotiate` to convert the Socket.IO server and a `ConfigureNegotiateOptions` into a complete express handler: +```javascript +app.get("/negotiate", azure.negotiate(io, (req) => { userId: "user1" });) +``` +++- Client-side +1. 
Execute the negotiation request and parse the result +```javascript +const negotiateResponse = await fetch(`/negotiate/?username=${username}`); +if (!negotiateResponse.ok) { + console.log("Failed to negotiate, status code =", negotiateResponse.status); + return ; +} +const json = await negotiateResponse.json(); +``` ++2. Let the client connect with our service endpoint with the information in negotiation response. +```javascript +var socket = io(json.endpoint, { + path: json.path, + query: { access_token: json.token } +}); +``` ++A complete sample is given in [chat-with-negotiate](https://github.com/Azure/azure-webpubsub/blob/main/sdk/webpubsub-socketio-extension/examples/chat-with-negotiate/index.js). ++### Integration with Passport library ++#### Background +In Node.js ecosystem, the most dominant Web authentication workflow is [`express`](https://www.npmjs.com/package/express) + [`express-session`](https://www.npmjs.com/package/express-session) + [`passport`](https://www.npmjs.com/package/passport). Here's a list explaining their roles: +- `express`: a backend framework +- `express-session`: an official session management library supported by Express team. +- `passport`: an authentication package for express. It focuses on request authentication and supports over 500 authentication strategies, including local authentication (username and password), OAuth (Google, GitHub, Facebook), JWT, OpenID, and more. + - After a successful authentication, `passport` provides an object describing the authenticated user. This object is assigned to the `user` property in the express request variable. And the property could be accessed in subsequent middleware. ++#### Usage ++We provide a built-in `ConfigureNegotiateOptions` via `userPassport` and a middleware via `restorePassport` to support integration with `passport`. 
++Socket.IO provides a [example](https://github.com/socketio/socket.io/blob/4.6.2/examples/passport-example/index.js) showing how to use passport authentication with native Socket.IO library. ++This part of code uses a set of Socket.IO middleware to restore passport object into request. +```javascript +const io = require('socket.io')(server); ++// convert a connect middleware to a Socket.IO middleware +const wrap = middleware => (socket, next) => middleware(socket.request, {}, next); ++io.use(wrap(sessionMiddleware)); +io.use(wrap(passport.initialize())); +io.use(wrap(passport.session())); ++io.use((socket, next) => { + if (socket.request.user) { + next(); + } else { + next(new Error('unauthorized')) + } +}); +``` ++After using `useAzureSocketIO` to enable the service, the developer should add a negotiation handler to express app. `usePassport` generates its `ConfigureNegotiateOptions`. +Then the express `restorePassport` should be used as a Socket.IO middleware to restore passport object into `socket.request`. ++```javascript +const io = require('socket.io')(server); ++await useAzureSocketIO(io, { ...wpsOptions }); ++app.get("/negotiate", negotiate(io, usePassport())); ++io.use(wrap(restorePassport())); ++io.use(wrap(passport.initialize())); +io.use(wrap(passport.session())); ++io.use((socket, next) => { + if (socket.request.user) { + next(); + } else { + next(new Error('unauthorized')) + } +}); +``` ++This workflow won't restore session object. Session is inaccessible by Socket.IO middleware. `socket.request.session` doesn't work for it's always null. +```javascript +// This usage will NOT work +io.use((socket, next) => { + var session = socket.request.session; + // ... some code uses `session` +}); ++// This usage will NOT work +io.on('connect', (socket) => { + const session = socket.request.session; + // ... 
some code uses `session` +}); +``` ++A complete sample is given in [chat-with-auth-passport](https://github.com/Azure/azure-webpubsub/blob/main/sdk/webpubsub-socketio-extension/examples/chat-with-auth-passport). |
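Review bot: the server-side negotiate handler in the Basic Usage section is not valid JavaScript and, once the syntax is fixed, would still not return a user id: in `app.get("/negotiate", azure.negotiate(io, (req) => { userId: "user1" });)` the closing `)` of `app.get` sits after the `;`, and the arrow body `{ userId: "user1" }` is parsed as a block containing a label, so the callback returns `undefined` rather than an object. Suggest `app.get("/negotiate", azure.negotiate(io, (req) => ({ userId: "user1" })));`. The same snippet calls `express()` without `const express = require("express");`. Further points in this file: the Passport section introduces the helper as `userPassport` but the code and the next paragraph use `usePassport`; the second Passport snippet uses `useAzureSocketIO`, `negotiate`, `usePassport`, `restorePassport` and `wrap` with no `require` and no `wrap` definition (both appear only in earlier snippets), and it awaits `useAzureSocketIO` while the Basic Usage snippet does not, leaving the reader unsure whether the call is asynchronous; the client fetches `/negotiate/?username=${username}` but the server handler ignores the query and hard-codes `userId: "user1"`, which is worth stating explicitly because, per steps 2 to 4 of the mechanism, the service validates only the token this handler issues, so whatever identity logic the handler applies is the authentication. Wording: "introduces in a negotiation mechanism" should be "introduces a negotiation mechanism", and the fragment "For it doesn't provide any protection ..." should be joined to the preceding sentence.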
backup | About Azure Vm Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/about-azure-vm-restore.md | This article describes how the [Azure Backup service](./backup-overview.md) rest | [Restore to create a new virtual machine](./backup-azure-arm-restore-vms.md) | Restores the entire VM to OLR (if the source VM still exists) or ALR | <ul><li> If the source VM is lost or corrupt, then you can restore entire VM <li> You can create a copy of the VM <li> You can perform a restore drill for audit or compliance <li> If license for Marketplace Azure VM has expired, [create VM restore](./backup-azure-arm-restore-vms.md#create-a-vm) option can't be used.</ul> | | [Restore disks of the VM](./backup-azure-arm-restore-vms.md#restore-disks) | Restore disks attached to the VM | All disks: This option creates the template and restores the disk. You can edit this template with special configurations (for example, availability sets) to meet your requirements and then use both the template and restore the disk to recreate the VM. | | [Restore specific files within the VM](./backup-azure-restore-files-from-vm.md) | Choose restore point, browse, select files, and restore them to the same (or compatible) OS as the backed-up VM. | If you know which specific files to restore, then use this option instead of restoring the entire VM. 
|-| [Restore an encrypted VM](./backup-azure-vms-encryption.md) | From the portal, restore the disks and then use PowerShell to create the VM | <ul><li> [Encrypted VM with Azure Active Directory](../virtual-machines/windows/disk-encryption-windows-aad.md) <li> [Encrypted VM without Azure AD](../virtual-machines/windows/disk-encryption-windows.md) <li> [Encrypted VM *with Azure AD* migrated to *without Azure AD*](../virtual-machines/windows/disk-encryption-faq.yml#can-i-migrate-vms-that-were-encrypted-with-an-azure-ad-app-to-encryption-without-an-azure-ad-app-)</ul> | +| [Restore an encrypted VM](./backup-azure-vms-encryption.md) | From the portal, restore the disks and then use PowerShell to create the VM | <ul><li> [Encrypted VM with Microsoft Entra ID](../virtual-machines/windows/disk-encryption-windows-aad.md) <li> [Encrypted VM without Microsoft Entra ID](../virtual-machines/windows/disk-encryption-windows.md) <li> [Encrypted VM *with Microsoft Entra ID* migrated to *without Microsoft Entra ID*](../virtual-machines/windows/disk-encryption-faq.yml#can-i-migrate-vms-that-were-encrypted-with-an-azure-ad-app-to-encryption-without-an-azure-ad-app-)</ul> | | [Cross Region Restore](./backup-azure-arm-restore-vms.md#cross-region-restore) | Create a new VM or restore disks to a secondary region (Azure paired region) | <ul><li> **Full outage**: With the cross region restore feature, there's no wait time to recover data in the secondary region. You can initiate restores in the secondary region even before Azure declares an outage. <li> **Partial outage**: Downtime can occur in specific storage clusters where Azure Backup stores your backed-up data or even in-network, connecting Azure Backup and storage clusters associated with your backed-up data. With Cross Region Restore, you can perform a restore in the secondary region using a replica of backed up data in the secondary region. 
<li> **No outage**: You can conduct business continuity and disaster recovery (BCDR) drills for audit or compliance purposes with the secondary region data. This allows you to perform a restore of backed up data in the secondary region even if there isn't a full or partial outage in the primary region for business continuity and disaster recovery drills.</ul> | ## Next steps |
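Review bot: the "Restore an encrypted VM" row renames the link text but keeps the FAQ fragment `#can-i-migrate-vms-that-were-encrypted-with-an-azure-ad-app-to-encryption-without-an-azure-ad-app-`, which is generated from a heading that still says "Azure AD app"; if that FAQ heading is renamed in the same sweep the anchor breaks silently, so please confirm the fragment still resolves, or preserve it with an `<a name>` alias the way the PostgreSQL overview change in this batch does.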
backup | Active Directory Backup Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/active-directory-backup-restore.md | Backing up Active Directory, and ensuring successful restores in cases of corrup This article outlines the proper procedures for backing up and restoring Active Directory domain controllers with Azure Backup, whether they're Azure virtual machines or on-premises servers. It discusses a scenario where you need to restore an entire domain controller to its state at the time of backup. To see which restore scenario is appropriate for you, see [this article](/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-guide). >[!NOTE]-> This article does not discuss restoring items from [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md). For information on restoring Azure Active Directory users, see [this article](../active-directory/fundamentals/active-directory-users-restore.md). +> This article does not discuss restoring items from [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). For information on restoring Microsoft Entra users, see [this article](../active-directory/fundamentals/active-directory-users-restore.md). ## Best practices |
backup | Azure Backup Architecture For Sap Hana Backup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-backup-architecture-for-sap-hana-backup.md | This section provides you with an understanding about the backup process of an H 1. To stream the backup data, Backint creates up to three pipes, which directly write to Recovery Services vault of Azure Backup. - If you arenΓÇÖt using firewall/NVA in your setup, then the backup stream is transferred over the Azure network to the Recovery Services vault / Azure Storage. Also, you can set up [Virtual Network Service Endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) or [Private Endpoint](../private-link/private-endpoint-overview.md) to allow SAP HANA to send backup traffic directly to Recovery Services Vault / Azure Storage, skipping NVA/Azure Firewall. Additionally, when you use firewall/NVA, the traffic to Azure Active Directory and Azure Backup Service will pass through the firewall/NVA and it doesnΓÇÖt affect the overall backup performance. + If you arenΓÇÖt using firewall/NVA in your setup, then the backup stream is transferred over the Azure network to the Recovery Services vault / Azure Storage. Also, you can set up [Virtual Network Service Endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) or [Private Endpoint](../private-link/private-endpoint-overview.md) to allow SAP HANA to send backup traffic directly to Recovery Services Vault / Azure Storage, skipping NVA/Azure Firewall. Additionally, when you use firewall/NVA, the traffic to Microsoft Entra ID and Azure Backup Service will pass through the firewall/NVA and it doesnΓÇÖt affect the overall backup performance. 1. Azure Backup attempts to achieve speeds up to 420 MB/sec for non-log backups and up to 100 MB/sec for log backups. [Learn more](./tutorial-backup-sap-hana-db.md#understanding-backup-and-restore-throughput-performance) about backup and restore throughput performance. |
backup | Azure Backup Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-backup-glossary.md | Backs up operating system files. This backup allows you to recover when a comput ## Tenant -A tenant is a representation of an organization. It's a dedicated instance of Azure AD that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft, like signing up for Azure, Microsoft Intune, or Microsoft 365. +A tenant is a representation of an organization. It's a dedicated instance of Microsoft Entra ID that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft, like signing up for Azure, Microsoft Intune, or Microsoft 365. ## Tier |
backup | Azure Kubernetes Service Backup Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-kubernetes-service-backup-troubleshoot.md | To scale node pool on Azure portal, follow these steps: **Cause**: When you enable pod-managed identity on your AKS cluster, an *AzurePodIdentityException* named *aks-addon-exception* is added to the *kube-system* namespace. An *AzurePodIdentityException* allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the NMI server. -The extension pods aren't exempt, and require the Azure Active Directory (Azure AD) pod identity to be enabled manually. +The extension pods aren't exempt, and require the Microsoft Entra pod identity to be enabled manually. **Resolution**: Create *pod-identity* exception in AKS cluster (that works only for *dataprotection-microsoft* namespace and for *not kube-system*). [Learn more](/cli/azure/aks/pod-identity/exception?view=azure-cli-latest&preserve-view=true#az-aks-pod-identity-exception-add). This error appears due to absence of these FQDN rules because of which configura ## Next steps -- [About Azure Kubernetes Service (AKS) backup (preview)](azure-kubernetes-service-backup-overview.md)+- [About Azure Kubernetes Service (AKS) backup (preview)](azure-kubernetes-service-backup-overview.md) |
backup | Azure Kubernetes Service Cluster Backup Concept | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/azure-kubernetes-service-cluster-backup-concept.md | Learn [how to manage the operation to install Backup Extension using Azure CLI]( ## Trusted Access -Many Azure services depend on *clusterAdmin kubeconfig* and the *publicly accessible kube-apiserver endpoint* to access AKS clusters. The **AKS Trusted Access** feature enables you to bypass the private endpoint restriction. Without using Microsoft Azure Active Directory (Azure AD) application, this feature enables you to give explicit consent to your system-assigned identity of allowed resources to access your AKS clusters using an Azure resource RoleBinding. The Trusted Access feature allows you to access AKS clusters with different configurations, which aren't limited to private clusters, clusters with local accounts disabled, Azure AD clusters, and authorized IP range clusters. +Many Azure services depend on *clusterAdmin kubeconfig* and the *publicly accessible kube-apiserver endpoint* to access AKS clusters. The **AKS Trusted Access** feature enables you to bypass the private endpoint restriction. Without using Microsoft Entra application, this feature enables you to give explicit consent to your system-assigned identity of allowed resources to access your AKS clusters using an Azure resource RoleBinding. The Trusted Access feature allows you to access AKS clusters with different configurations, which aren't limited to private clusters, clusters with local accounts disabled, Microsoft Entra ID clusters, and authorized IP range clusters. Your Azure resources access AKS clusters through the AKS regional gateway using system-assigned managed identity authentication. The managed identity must have the appropriate Kubernetes permissions assigned via an Azure resource role. 
Also, as part of the backup and restore operations, the following roles are assi - [Back up Azure Kubernetes Service cluster (preview)](azure-kubernetes-service-cluster-backup.md) - [Restore Azure Kubernetes Service cluster (preview)](azure-kubernetes-service-cluster-restore.md) - [Manage Azure Kubernetes Service cluster backups (preview)](azure-kubernetes-service-cluster-manage-backups.md)- |
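Review bot: in the rewritten Trusted Access paragraph, "Without using Microsoft Entra application" is missing an article (the original "Without using Microsoft Azure Active Directory (Azure AD) application" had the same gap); suggest "Without using a Microsoft Entra application". The same sentence now mixes "Microsoft Entra application" and "Microsoft Entra ID clusters"; the other files in this batch use "Microsoft Entra ID" for the product and "Microsoft Entra" as the adjective (for example "Microsoft Entra authorization" in the Web PubSub change), so "Microsoft Entra clusters" would be the consistent form here.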
backup | Backup Azure Arm Restore Vms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-arm-restore-vms.md | For more information, see [Back up and restore Active Directory domain controlle ## Restore VMs with managed identities -Managed identities eliminate the need for the user to maintain the credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. +Managed identities eliminate the need for the user to maintain the credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. Azure Backup offers the flexibility to restore the managed Azure VM with [managed identities](../active-directory/managed-identities-azure-resources/overview.md). You can choose to select [system-managed identities](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) or user-managed identities as shown in the figure below. This is introduced as one of the input parameters in the [**Restore configuration** blade](#create-a-vm) of Azure VM. Managed identities used as one of the input parameters is only used for accessing the storage accounts, which are used as staging location during restore and not for any other Azure resource controlling. These managed identities have to be associated to the vault. |
backup | Backup Azure Backup Import Export | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-backup-import-export.md | Before you start the offline backup workflow, complete the following prerequisit * Azure PowerShell 3.7.0 is required on the computer running the Azure Backup Agent. Download and [install the 3.7.0 version of Azure PowerShell](https://github.com/Azure/azure-powershell/releases/tag/v3.7.0-March2017). * On the computer running the Azure Backup Agent, make sure that Microsoft Edge or Internet Explorer 11 is installed and JavaScript is enabled. * Create an Azure storage account in the same subscription as the Recovery Services vault.-* Make sure you have the [necessary permissions](../active-directory/develop/howto-create-service-principal-portal.md) to create the Azure Active Directory application. The offline backup workflow creates an Azure Active Directory application in the subscription associated with the Azure storage account. The goal of the application is to provide Azure Backup with secure and scoped access to the Azure Import/Export service, which is required for the offline backup workflow. +* Make sure you have the [necessary permissions](../active-directory/develop/howto-create-service-principal-portal.md) to create the Microsoft Entra application. The offline backup workflow creates a Microsoft Entra application in the subscription associated with the Azure storage account. The goal of the application is to provide Azure Backup with secure and scoped access to the Azure Import/Export service, which is required for the offline backup workflow. * Register the *Microsoft.DataBox* resource provider with the subscription that contains the Azure storage account. To register the resource provider: 1. On the main menu, select **Subscriptions**. 1. If you're subscribed to multiple subscriptions, select the subscription you plan to use for the offline backup. 
If you use only one subscription, then your subscription appears. This section describes the offline backup workflow so that your data can be deli After you fill in the boxes, select **Next**. Save the **Staging Location** and the **Azure Import Job Name** information. It's required to prepare the disks. -1. When prompted, sign in to your Azure subscription. You must sign in so that Azure Backup can create the Azure Active Directory application. Enter the required permissions to access the Azure Import/Export service. +1. When prompted, sign in to your Azure subscription. You must sign in so that Azure Backup can create the Microsoft Entra application. Enter the required permissions to access the Azure Import/Export service. :::image type="content" source="./media/backup-azure-backup-import-export/azure-login.png" alt-text="Screenshot showing the Azure subscription sign-in page."::: After the initial backup is finished, you can safely delete the data imported to ## Next steps -* For any questions about the Azure Import/Export service workflow, see [Use the Microsoft Azure Import/Export service to transfer data to Blob storage](../import-export/storage-import-export-service.md). +* For any questions about the Azure Import/Export service workflow, see [Use the Microsoft Azure Import/Export service to transfer data to Blob storage](../import-export/storage-import-export-service.md). |
backup | Backup Azure Backup Server Import Export | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-backup-server-import-export.md | Ensure that the following prerequisites are met before you start the offline bac * Update Rollup 1 is installed on SC DPM 2019 or MABS v3, along with the [latest MARS agent](https://aka.ms/azurebackup_agent). > [!NOTE]- > With DPM 2019 UR1 and MABS v3 UR1 the offline seeding authenticates using Azure Active Directory. + > With DPM 2019 UR1 and MABS v3 UR1 the offline seeding authenticates using Microsoft Entra ID. * On the DPM or MABS server, make sure Microsoft Edge or Internet Explorer 11 is installed, and JavaScript is enabled. * Create an Azure Storage account in the same subscription as the Recovery Services vault.-* Make sure you have the [necessary permissions](../active-directory/develop/howto-create-service-principal-portal.md) to create the Azure Active Directory application. The Offline Backup workflow creates an Azure Active Directory application in the subscription associated with the Azure Storage account. The goal of the application is to provide Azure Backup with secure and scoped access to the Azure Import Service, required for the Offline Backup workflow. +* Make sure you have the [necessary permissions](../active-directory/develop/howto-create-service-principal-portal.md) to create the Microsoft Entra application. The Offline Backup workflow creates a Microsoft Entra application in the subscription associated with the Azure Storage account. The goal of the application is to provide Azure Backup with secure and scoped access to the Azure Import Service, required for the Offline Backup workflow. * Register the Microsoft.DataBox resource provider with the subscription containing the Azure Storage account. To register the resource provider: 1. In the main menu, select **Subscriptions**. 2. 
If you're subscribed to multiple subscriptions, select the subscription you're using for the offline backup. If you use only one subscription, then your subscription appears. |
backup | Backup Azure Database Postgresql Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-overview.md | Additionally, ensure that the database user (corresponding to the credentials st - ALTER USER username CREATEDB; - Assign the role _azure_pg_admin_ to the database user. -### Azure Active Directory based authentication model +<a name='azure-active-directory-based-authentication-model'></a> -We had earlier launched a different authentication model that was entirely based on Azure Active Directory (Azure AD). However, we now provide the new key vault-based authentication model (as explained above) as an alternative option, which eases the configuration process. +### Microsoft Entra ID based authentication model ++We had earlier launched a different authentication model that was entirely based on Microsoft Entra ID. However, we now provide the new key vault-based authentication model (as explained above) as an alternative option, which eases the configuration process. [Download this document](https://download.microsoft.com/download/7/4/d/74d689aa-909d-4d3e-9b18-f8e465a7ebf5/OSSbkpprep_automated.docx) to get an automated script and related instructions to use this authentication model. ItΓÇÖll grant an appropriate set of permissions to an Azure PostgreSQL server, for backup and restore. >[!Note]->All the new configure protection will take place with the new key vault authentication model only. However, all the existing backup instances configured protection with the Azure AD based authentication will continue to exist and have regular backups taken. To restore these backups, you need to follow the Azure AD based authentication. +>All the new configure protection will take place with the new key vault authentication model only. However, all the existing backup instances configured protection with the Microsoft Entra ID based authentication will continue to exist and have regular backups taken. 
To restore these backups, you need to follow the Microsoft Entra ID based authentication. ## Grant access on the Azure PostgreSQL server and Key vault manually |
backup | Backup Azure Database Postgresql Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-troubleshoot.md | Steps: ## UserErrorBackupUserAuthFailed -Create a database backup user that can authenticate with Azure Active Directory: +Create a database backup user that can authenticate with Microsoft Entra ID: -This error may come from an absence of an Azure Active Directory admin for the PostgreSQL server, or in absence of a backup user that can authenticate using Azure Active Directory. +This error may come from an absence of a Microsoft Entra admin for the PostgreSQL server, or in absence of a backup user that can authenticate using Microsoft Entra ID. Steps: Add an Active Directory Admin to the OSS server: -This step is required to connect to the database through a user that can authenticate with Azure Active Directory instead of a password. The Azure AD Admin user in Azure Database for PostgreSQL will have the role **azure_ad_admin**. Only an **azure_ad_admin** role can create new database users that can authenticate with Azure AD. +This step is required to connect to the database through a user that can authenticate with Microsoft Entra ID instead of a password. The Microsoft Entra Admin user in Azure Database for PostgreSQL will have the role **azure_ad_admin**. Only an **azure_ad_admin** role can create new database users that can authenticate with Microsoft Entra ID. 1. Go to the Active Directory Admin tab in the left navigation pane of the server view, and add yourself (or someone else) as the Active Directory admin. |
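Review bot: the rename is applied inconsistently within this hunk. The explanatory sentence now reads "The Microsoft Entra Admin user in Azure Database for PostgreSQL will have the role **azure_ad_admin**", but the step heading "Add an Active Directory Admin to the OSS server" and step 1 "Go to the Active Directory Admin tab ... as the Active Directory admin" keep the old name. If those are literal portal labels that have not changed, say so; otherwise rename them to match. Also, "or in absence of a backup user" should read "or in the absence of a backup user".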
backup | Backup Azure Dpm Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-dpm-introduction.md | Supported file types | These file types can be backed up with Azure Backup:<br> Unsupported file types | <li>Servers on case-sensitive file systems<li> hard links (skipped)<li> reparse points (skipped)<li> encrypted and compressed (skipped)<li> encrypted and sparse (skipped)<li> Compressed stream<li> parse stream Local storage | Each machine you want to back up must have local free storage that's at least 5% of the size of the data that's being backed up. For example, backing up 100 GB of data requires a minimum of 5 GB of free space in the scratch location. Vault storage | There's no limit to the amount of data you can back up to an Azure Backup vault, but the size of a data source (for example a virtual machine or database) shouldn't exceed 54,400 GB.-Azure ExpressRoute | You can back up your data over Azure ExpressRoute with public peering (available for old circuits) and Microsoft peering. Backup over private peering isn't supported.<br/><br/> **With public peering**: Ensure access to the following domains/addresses:<br/><br/> URLs:<br> `www.msftncsi.com` <br> .Microsoft.com <br> .WindowsAzure.com <br> .microsoftonline.com <br> .windows.net <br>`www.msftconnecttest.com`<br><br>IP addresses<br> 20.190.128.0/18 <br> 40.126.0.0/18<br> <br/>**With Microsoft peering**, select the following services/regions and relevant community values:<br/><br/>- Azure Active Directory (12076:5060)<br/><br/>- Microsoft Azure Region (according to the location of your Recovery Services vault)<br/><br/>- Azure Storage (according to the location of your Recovery Services vault)<br/><br/>For more information, see [ExpressRoute routing requirements](../expressroute/expressroute-routing.md).<br/><br/>**Note**: Public peering is deprecated for new circuits. 
+Azure ExpressRoute | You can back up your data over Azure ExpressRoute with public peering (available for old circuits) and Microsoft peering. Backup over private peering isn't supported.<br/><br/> **With public peering**: Ensure access to the following domains/addresses:<br/><br/> URLs:<br> `www.msftncsi.com` <br> .Microsoft.com <br> .WindowsAzure.com <br> .microsoftonline.com <br> .windows.net <br>`www.msftconnecttest.com`<br><br>IP addresses<br> 20.190.128.0/18 <br> 40.126.0.0/18<br> <br/>**With Microsoft peering**, select the following services/regions and relevant community values:<br/><br/>- Microsoft Entra ID (12076:5060)<br/><br/>- Microsoft Azure Region (according to the location of your Recovery Services vault)<br/><br/>- Azure Storage (according to the location of your Recovery Services vault)<br/><br/>For more information, see [ExpressRoute routing requirements](../expressroute/expressroute-routing.md).<br/><br/>**Note**: Public peering is deprecated for new circuits. Azure Backup agent | If DPM is running on System Center 2012 SP1, install Rollup 2 or later for DPM SP1. This is required for agent installation.<br/><br/> This article describes how to deploy the latest version of the Azure Backup agent, also known as the Microsoft Azure Recovery Service (MARS) agent. If you have an earlier version deployed, update to the latest version to ensure that backup works as expected. <br><br> [Ensure your server is running on TLS 1.2](transport-layer-security.md). Before you start, you need an Azure account with the Azure Backup feature enabled. If you don't have an account, you can create a free trial account in just a couple of minutes. Read about [Azure Backup pricing](https://azure.microsoft.com/pricing/details/backup/). |
backup | Backup Azure Integrate Microsoft Defender Using Logic Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-integrate-microsoft-defender-using-logic-apps.md | To authorize the API connection to Office 365, follow these steps: 4. Select **Authorize**. >[!Note]- >Ensure that you authenticate against Azure AD. + >Ensure that you authenticate against Microsoft Entra ID. 5. Select **Save**. When the backup policy on the backup item gets disabled, the logic app also send ## Next steps -[About backup and restore plan to protect against ransomware](../security/fundamentals/backup-plan-to-protect-against-ransomware.md). +[About backup and restore plan to protect against ransomware](../security/fundamentals/backup-plan-to-protect-against-ransomware.md). |
backup | Backup Azure Microsoft Azure Backup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-microsoft-azure-backup.md | If your machine has limited internet access, ensure that firewall settings on th If you're using ExpressRoute Microsoft peering, select the following services/regions: -* Azure Active Directory (12076:5060) +* Microsoft Entra ID (12076:5060) * Microsoft Azure Region (according to the location of your Recovery Services vault) * Azure Storage (according to the location of your Recovery Services vault) |
backup | Backup Azure Move Recovery Services Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-move-recovery-services-vault.md | All public regions and sovereign regions are supported, except France South, Fra - During vault move across resource groups, both the source and target resource groups are locked preventing the write and delete operations. For more information, see this [article](../azure-resource-manager/management/move-resource-group-and-subscription.md). - Only admin subscription has the permissions to move a vault.-- For moving vaults across subscriptions, the target subscription must reside in the same tenant as the source subscription and its state must be enabled. To move a vault to a different Azure AD, see [Transfer subscription to a different directory](../role-based-access-control/transfer-subscription.md) and [Recovery Service vault FAQs](./backup-azure-backup-faq.yml).+- For moving vaults across subscriptions, the target subscription must reside in the same tenant as the source subscription and its state must be enabled. To move a vault to a different Microsoft Entra ID, see [Transfer subscription to a different directory](../role-based-access-control/transfer-subscription.md) and [Recovery Service vault FAQs](./backup-azure-backup-faq.yml). - You must have permission to perform write operations on the target resource group. - Moving the vault only changes the resource group. The Recovery Services vault will reside on the same location and it can't be changed. - You can move only one Recovery Services vault, per region, at a time. |
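Review bot: the mechanical substitution produced "To move a vault to a different Microsoft Entra ID", which turns a reference to a directory into a product name. The original "a different Azure AD" meant a different tenant, and the link it introduces is titled "Transfer subscription to a different directory", so the line should read "To move a vault to a different Microsoft Entra tenant". The rest of the hunk (same-tenant requirement, enabled subscription state) is fine as written.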
backup | Backup Azure Private Endpoints Concept | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-private-endpoints-concept.md | This article describes how the [enhanced capabilities of private endpoints](#key - A private endpoint for a vault uses 10 private IPs, and the count may increase over time. Ensure that you've enough IPs available while creating private endpoints. -- Private endpoints for Azure Backup don't include access to Azure Active Directory (Azure AD). Ensure that you enable the access so that IPs and FQDNs required for Azure AD to work in a region have outbound access in allowed state in the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable.+- Private endpoints for Azure Backup don't include access to Microsoft Entra ID. Ensure that you enable the access so that IPs and FQDNs required for Microsoft Entra ID to work in a region have outbound access in allowed state in the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable. - You need to re-register the Recovery Services resource provider with the subscription, if you've registered it before *May 1, 2020*. To re-register the provider, go to *your subscription* in the Azure portal > **Resource provider**, and then select **Microsoft.RecoveryServices** > **Re-register**. The following table lists the scenarios and recommendations: | Scenario | Recommendation | | | |-| Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent, DPM server. | Use of private endpoints is recommended to allow backup and restore without needing to add to an allowlist any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks. 
In that scenario, ensure that VMs that host SQL databases can reach Azure AD IPs or FQDNs. | +| Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent, DPM server. | Use of private endpoints is recommended to allow backup and restore without needing to add to an allowlist any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks. In that scenario, ensure that VMs that host SQL databases can reach Microsoft Entra IPs or FQDNs. | | Azure VM backup | VM backup doesn't require you to allow access to any IPs or FQDNs. So, it doesn't require private endpoints for backup and restore of disks. <br><br> However, file recovery from a vault containing private endpoints would be restricted to virtual networks that contain a private endpoint for the vault. <br><br> When using ACL'ed unmanaged disks, ensure the storage account containing the disks allows access to trusted Microsoft services if it's ACL'ed. | | Azure Files backup | Azure Files backups are stored in the local storage account. So it doesn't require private endpoints for backup and restore. | The following table lists the scenarios and recommendations: As mentioned above, private endpoints are especially useful for backup of workloads (SQL, SAP HANA) in Azure VMs and MARS agent backups. -In all the scenarios (with or without private endpoints), both the workload extensions (for backup of SQL and SAP HANA instances running inside Azure VMs) and the MARS agent make connection calls to Azure AD (to FQDNs mentioned under sections 56 and 59 in [Microsoft 365 Common and Office Online](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online)). 
+In all the scenarios (with or without private endpoints), both the workload extensions (for backup of SQL and SAP HANA instances running inside Azure VMs) and the MARS agent make connection calls to Microsoft Entra ID (to FQDNs mentioned under sections 56 and 59 in [Microsoft 365 Common and Office Online](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online)). In addition to these connections, when the workload extension or MARS agent is installed for Recovery Services vault without private endpoints, connectivity to the following domains is also required: In addition to these connections, when the workload extension or MARS agent is i | | | | | Azure Backup | `*.backup.windowsazure.com` | 443 | | Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` | 443 |-| Azure Active Directory | `*.australiacentral.r.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | 443 <br><br> As applicable | +| Microsoft Entra ID | `*.australiacentral.r.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). 
| 443 <br><br> As applicable | When the workload extension or MARS agent is installed for Recovery Services vault with private endpoint, the following endpoints are communicated: When the workload extension or MARS agent is installed for Recovery Services vau | | | | | Azure Backup | `*.privatelink.<geo>.backup.windowsazure.com` | 443 | | Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` | 443 |-| Azure Active Directory | `*.australiacentral.r.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | 443 <br><br> As applicable | +| Microsoft Entra ID | `*.australiacentral.r.login.microsoft.com` <br><br> Allow access to FQDNs under sections 56 and 59 according to [this article](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | 443 <br><br> As applicable | >[!Note] >In the above text, `<geo>` refers to the region code (for example, **eus** for East US and **ne** for North Europe). Refer to the following lists for regions codes: The private IP mappings for the storage account are listed in the private endpoi If you've configured a DNS proxy server, using third-party proxy servers or firewalls, the above domain names must be allowed and redirected to a custom DNS (which has DNS records for the above FQDNs) or to *168.63.129.16* on the Azure virtual network which has private DNS zones linked to it. -The following example shows Azure firewall used as DNS proxy to redirect the domain name queries for Recovery Services vault, blob, queues and Azure AD to 168.63.129.16. +The following example shows Azure firewall used as DNS proxy to redirect the domain name queries for Recovery Services vault, blob, queues and Microsoft Entra ID to 168.63.129.16. 
:::image type="content" source="./media/backup-azure-private-endpoints-concept/private-endpoint-setup-with-microsoft-azure-recovery-service-diagram-inline.png" alt-text="Diagram shows the private endpoint setup with MARS." lightbox="./media/backup-azure-private-endpoints-concept/private-endpoint-setup-with-microsoft-azure-recovery-service-diagram-expanded.png"::: The following diagram shows how the resolution works when using a private DNS zo The workload extension running on Azure VM requires connection to at least two storage accounts endpoints - the first one is used as communication channel (via queue messages) and second one for storing backup data. The MARS agent requires access to at least one storage account endpoint that is used for storing backup data. For a private endpoint enabled vault, the Azure Backup service creates private endpoint for these storage accounts. This prevents any network traffic related to Azure Backup (control plane traffic to service and backup data to storage blob) from leaving the virtual network.-In addition to the Azure Backup cloud services, the workload extension and agent require connectivity to the Azure Storage accounts and Azure Active Directory (Azure AD). +In addition to the Azure Backup cloud services, the workload extension and agent require connectivity to the Azure Storage accounts and Microsoft Entra ID. The following diagram shows how the name resolution works for storage accounts using a private DNS zone. The following diagram shows how the name resolution works for storage accounts u ## Next steps -- Learn [how to configure and manage private endpoints for Azure Backup](backup-azure-private-endpoints-configure-manage.md).+- Learn [how to configure and manage private endpoints for Azure Backup](backup-azure-private-endpoints-configure-manage.md). |
backup | Backup Azure Private Endpoints Configure Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-private-endpoints-configure-manage.md | Once the private endpoints created for the vault in your VNet have been approved In the VM, in the locked down network, ensure the following: -1. The VM should have access to Azure AD. +1. The VM should have access to Microsoft Entra ID. 2. Execute **nslookup** on the backup URL (`xxxxxxxx.privatelink.<geo>.backup.windowsazure.com`) from your VM, to ensure connectivity. This should return the private IP assigned in your virtual network. ### Configure backup To delete private endpoints using REST API, see [this section](/rest/api/virtual ## Next steps -- Learn [about private endpoint for Azure Backup](backup-azure-private-endpoints-concept.md).+- Learn [about private endpoint for Azure Backup](backup-azure-private-endpoints-concept.md). |
backup | Backup Azure Sap Hana Database Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-sap-hana-database-troubleshoot.md | Refer to the [prerequisites](tutorial-backup-sap-hana-db.md#prerequisites) and [ **Error message** | `Unable to connect to the AAD service from the HANA system.` | ---**Possible causes** | Firewall or proxy settings as Backup extension's plugin service account is not allowing the outbound connection to Azure Active Directory. -**Recommended action** | Fix the firewall or proxy settings for the outbound connection to Azure Active Directory to succeed. +**Possible causes** | Firewall or proxy settings as Backup extension's plugin service account is not allowing the outbound connection to Microsoft Entra ID. +**Recommended action** | Fix the firewall or proxy settings for the outbound connection to Microsoft Entra ID to succeed. ### UserErrorMisConfiguredSslCaStore |
backup | Backup Azure Sap Hana Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-sap-hana-database.md | Refer to the [prerequisites](tutorial-backup-sap-hana-db.md#prerequisites) and t ### Establish network connectivity -For all operations, an SAP HANA database running on an Azure VM requires connectivity to the Azure Backup service, Azure Storage, and Azure Active Directory. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data. +For all operations, an SAP HANA database running on an Azure VM requires connectivity to the Azure Backup service, Azure Storage, and Microsoft Entra ID. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data. The following table lists the various alternatives you can use for establishing connectivity: The following table lists the various alternatives you can use for establishing | Private endpoints | Allow backups over private IPs inside the virtual network <br><br> Provide granular control on the network and vault side | Incurs standard private endpoint [costs](https://azure.microsoft.com/pricing/details/private-link/) | | NSG service tags | Easier to manage as range changes are automatically merged <br><br> No additional costs | Can be used with NSGs only <br><br> Provides access to the entire service | | Azure Firewall FQDN tags | Easier to manage since the required FQDNs are automatically managed | Can be used with Azure Firewall only |-| Allow access to service FQDNs/IPs | No additional costs. 
<br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage*. However, for *Azure Backup* and *Azure Active Directory*, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. | -| [Virtual Network Service Endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) | Can be used for Azure Storage. <br><br> Provides large benefit to optimize performance of data plane traffic. | Can't be used for Azure AD, Azure Backup service. | -| Network Virtual Appliance | Can be used for Azure Storage, Azure AD, Azure Backup service. <br><br> **Data plane** <ul><li> Azure Storage: `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net` </li></ul> <br><br> **Management plane** <ul><li> Azure AD: Allow access to FQDNs mentioned in sections 56 and 59 of [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). </li><li> Azure Backup service: `.backup.windowsazure.com` </li></ul> <br>Learn more about [Azure Firewall service tags](../firewall/fqdn-tags.md). | Adds overhead to data plane traffic and decrease throughput/performance. | +| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage*. However, for *Azure Backup* and *Microsoft Entra ID*, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. | +| [Virtual Network Service Endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) | Can be used for Azure Storage. <br><br> Provides large benefit to optimize performance of data plane traffic. | Can't be used for Microsoft Entra ID, Azure Backup service. 
| +| Network Virtual Appliance | Can be used for Azure Storage, Microsoft Entra ID, Azure Backup service. <br><br> **Data plane** <ul><li> Azure Storage: `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net` </li></ul> <br><br> **Management plane** <ul><li> Microsoft Entra ID: Allow access to FQDNs mentioned in sections 56 and 59 of [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). </li><li> Azure Backup service: `.backup.windowsazure.com` </li></ul> <br>Learn more about [Azure Firewall service tags](../firewall/fqdn-tags.md). | Adds overhead to data plane traffic and decrease throughput/performance. | More details around using these options are shared below: More details around using these options are shared below: Private endpoints allow you to connect securely from servers inside a virtual network to your Recovery Services vault. The private endpoint uses an IP from the VNET address space for your vault. The network traffic between your resources inside the virtual network and the vault travels over your virtual network and a private link on the Microsoft backbone network. This eliminates exposure from the public internet. Read more on private endpoints for Azure Backup [here](./private-endpoints.md). > [!NOTE]-> Private endpoints are supported for Azure Backup and Azure storage. Azure AD has support private end-points in private preview. Until they are generally available, Azure backup supports setting up proxy for Azure AD so that no outbound connectivity is required for HANA VMs. For more information, see the [proxy support section](#use-an-http-proxy-server-to-route-traffic). +> Private endpoints are supported for Azure Backup and Azure storage. Microsoft Entra ID has support private end-points in private preview. 
Until they are generally available, Azure backup supports setting up proxy for Microsoft Entra ID so that no outbound connectivity is required for HANA VMs. For more information, see the [proxy support section](#use-an-http-proxy-server-to-route-traffic). #### NSG tags -If you use Network Security Groups (NSG), use the *AzureBackup* service tag to allow outbound access to Azure Backup. In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar [NSG rules](../virtual-network/network-security-groups-overview.md#service-tags) for Azure AD (*AzureActiveDirectory*) and Azure Storage(*Storage*). The following steps describe the process to create a rule for the Azure Backup tag: +If you use Network Security Groups (NSG), use the *AzureBackup* service tag to allow outbound access to Azure Backup. In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar [NSG rules](../virtual-network/network-security-groups-overview.md#service-tags) for Microsoft Entra ID (*AzureActiveDirectory*) and Azure Storage(*Storage*). The following steps describe the process to create a rule for the Azure Backup tag: 1. In **All Services**, go to **Network security groups** and select the network security group. If you use Network Security Groups (NSG), use the *AzureBackup* service tag to a 1. Select **Add** to save the newly created outbound security rule. -You can similarly create NSG outbound security rules for Azure Storage and Azure AD. For more information on service tags, see [this article](../virtual-network/service-tags-overview.md). +You can similarly create NSG outbound security rules for Azure Storage and Microsoft Entra ID. For more information on service tags, see [this article](../virtual-network/service-tags-overview.md). 
#### Azure Firewall tags If you're using Azure Firewall, create an application rule by using the *AzureBa #### Allow access to service IP ranges -If you choose to allow access service IPs, refer to the IP ranges in the JSON file available [here](https://www.microsoft.com/download/confirmation.aspx?id=56519). You'll need to allow access to IPs corresponding to Azure Backup, Azure Storage, and Azure Active Directory. +If you choose to allow access service IPs, refer to the IP ranges in the JSON file available [here](https://www.microsoft.com/download/confirmation.aspx?id=56519). You'll need to allow access to IPs corresponding to Azure Backup, Azure Storage, and Microsoft Entra ID. #### Allow access to service FQDNs You can also use the following FQDNs to allow access to the required services fr #### Use an HTTP proxy server to route traffic > [!NOTE]-> Currently, we only support HTTP Proxy for Azure Active Directory (Azure AD) traffic for SAP HANA. If you need to remove outbound connectivity requirements (for Azure Backup and Azure Storage traffic) for database backups via Azure Backup in HANA VMs, use other options, such as private endpoints. +> Currently, we only support HTTP Proxy for Microsoft Entra traffic for SAP HANA. If you need to remove outbound connectivity requirements (for Azure Backup and Azure Storage traffic) for database backups via Azure Backup in HANA VMs, use other options, such as private endpoints. -##### Using an HTTP proxy server for Azure AD traffic +<a name='using-an-http-proxy-server-for-azure-ad-traffic'></a> ++##### Using an HTTP proxy server for Microsoft Entra traffic 1. Go to the "opt/msawb/bin" folder 2. Create a new JSON file named "ExtensionSettingsOverrides.json" You can also use the following FQDNs to allow access to the required services fr chown root:msawb ExtensionSettingsOverrides.json ``` -5. No restart of any service is required. 
The Azure Backup service will attempt to route the Azure AD traffic via the proxy server mentioned in the JSON file. +5. No restart of any service is required. The Azure Backup service will attempt to route the Microsoft Entra traffic via the proxy server mentioned in the JSON file. [!INCLUDE [How to create a Recovery Services vault](../../includes/backup-create-rs-vault.md)] |
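Review bot: the renamed NOTE in this hunk carries over a grammar defect, "Microsoft Entra ID has support private end-points in private preview"; since the sentence was being rewritten anyway, make it "Private endpoints for Microsoft Entra ID are in private preview." In the NSG tags paragraph, "Azure Storage(*Storage*)" is missing a space before the parenthesis. Keeping the NSG service tag name as *AzureActiveDirectory* while the product name changes is correct, since the tag identifier itself is unchanged; a short parenthetical saying so would stop readers from "fixing" it to a tag that does not exist.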
backup | Backup Azure Vms Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-automation.md | The following section lists steps necessary to create a VM using `VMConfig` file } ``` - * **Non-managed and encrypted VMs with Azure AD (BEK only)** - For non-managed, encrypted VMs with Azure AD (encrypted using BEK only), you need to restore the secret to the key vault before you can attach disks. For more information, see the [Restore an encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). The following sample shows how to attach OS and data disks for encrypted VMs. When setting the OS disk, make sure to mention the relevant OS type. + * **Non-managed and encrypted VMs with Microsoft Entra ID (BEK only)** - For non-managed, encrypted VMs with Microsoft Entra ID (encrypted using BEK only), you need to restore the secret to the key vault before you can attach disks. For more information, see the [Restore an encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). The following sample shows how to attach OS and data disks for encrypted VMs. When setting the OS disk, make sure to mention the relevant OS type. ```powershell $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163" The following section lists steps necessary to create a VM using `VMConfig` file } ``` - * **Non-managed and encrypted VMs with Azure AD (BEK and KEK)** - For non-managed, encrypted VMs with Azure AD (encrypted using BEK and KEK), restore the key and secret to the key vault before attaching the disks. For more information, see [Restore an encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). The following sample shows how to attach OS and data disks for encrypted VMs. 
+ * **Non-managed and encrypted VMs with Microsoft Entra ID (BEK and KEK)** - For non-managed, encrypted VMs with Microsoft Entra ID (encrypted using BEK and KEK), restore the key and secret to the key vault before attaching the disks. For more information, see [Restore an encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). The following sample shows how to attach OS and data disks for encrypted VMs. ```powershell $dekUrl = "https://ContosoKeyVault.vault.azure.net:443/secrets/ContosoSecret007/xx000000xx0849999f3xx30000003163" The following section lists steps necessary to create a VM using `VMConfig` file } ``` - * **Non-managed and encrypted VMs without Azure AD (BEK only)** - For non-managed, encrypted VMs without Azure AD (encrypted using BEK only), if source **keyVault/secret are not available** restore the secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS blob (this step isn't required for a data blob). The $dekurl can be fetched from the restored keyVault. + * **Non-managed and encrypted VMs without Microsoft Entra ID (BEK only)** - For non-managed, encrypted VMs without Microsoft Entra ID (encrypted using BEK only), if source **keyVault/secret are not available** restore the secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS blob (this step isn't required for a data blob). The $dekurl can be fetched from the restored keyVault. The following script needs to be executed only when the source keyVault/secret isn't available. 
The following section lists steps necessary to create a VM using `VMConfig` file } ``` - * **Non-managed and encrypted VMs without Azure AD (BEK and KEK)** - For non-managed, encrypted VMs without Azure AD (encrypted using BEK & KEK), if source **keyVault/key/secret are not available** restore the key and secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS blob (this step isn't required for a data blob). The $dekurl and $kekurl can be fetched from the restored keyVault. + * **Non-managed and encrypted VMs without Microsoft Entra ID (BEK and KEK)** - For non-managed, encrypted VMs without Microsoft Entra ID (encrypted using BEK & KEK), if source **keyVault/key/secret are not available** restore the key and secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS blob (this step isn't required for a data blob). The $dekurl and $kekurl can be fetched from the restored keyVault. The script below needs to be executed only when the source keyVault/key/secret isn't available. The following section lists steps necessary to create a VM using `VMConfig` file * **Managed and non-encrypted VMs** - For managed non-encrypted VMs, attach the restored managed disks. For in-depth information, see [Attach a data disk to a Windows VM using PowerShell](../virtual-machines/windows/attach-disk-ps.md). - * **Managed and encrypted VMs with Azure AD (BEK only)** - For managed encrypted VMs with Azure AD (encrypted using BEK only), attach the restored managed disks. For in-depth information, see [Attach a data disk to a Windows VM using PowerShell](../virtual-machines/windows/attach-disk-ps.md). 
+ * **Managed and encrypted VMs with Microsoft Entra ID (BEK only)** - For managed encrypted VMs with Microsoft Entra ID (encrypted using BEK only), attach the restored managed disks. For in-depth information, see [Attach a data disk to a Windows VM using PowerShell](../virtual-machines/windows/attach-disk-ps.md). - * **Managed and encrypted VMs with Azure AD (BEK and KEK)** - For managed encrypted VMs with Azure AD (encrypted using BEK and KEK), attach the restored managed disks. For in-depth information, see [Attach a data disk to a Windows VM using PowerShell](../virtual-machines/windows/attach-disk-ps.md). + * **Managed and encrypted VMs with Microsoft Entra ID (BEK and KEK)** - For managed encrypted VMs with Microsoft Entra ID (encrypted using BEK and KEK), attach the restored managed disks. For in-depth information, see [Attach a data disk to a Windows VM using PowerShell](../virtual-machines/windows/attach-disk-ps.md). - * **Managed and encrypted VMs without Azure AD (BEK only)** -For managed, encrypted VMs without Azure AD (encrypted using BEK only), if source **keyVault/secret are not available** restore the secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS disk (this step isn't required for a data disk). The $dekurl can be fetched from the restored keyVault. + * **Managed and encrypted VMs without Microsoft Entra ID (BEK only)** -For managed, encrypted VMs without Microsoft Entra ID (encrypted using BEK only), if source **keyVault/secret are not available** restore the secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS disk (this step isn't required for a data disk). 
The $dekurl can be fetched from the restored keyVault. The script below needs to be executed only when the source keyVault/secret isn't available. The following section lists steps necessary to create a VM using `VMConfig` file After the secrets are available and the encryption details are set on the OS disk, to attach the restored managed disks, see [Attach a data disk to a Windows VM using PowerShell](../virtual-machines/windows/attach-disk-ps.md). - * **Managed and encrypted VMs without Azure AD (BEK and KEK)** - For managed, encrypted VMs without Azure AD (encrypted using BEK & KEK), if source **keyVault/key/secret are not available** restore the key and secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS disk (this step isn't required for data disks). The $dekurl and $kekurl can be fetched from the restored keyVault. + * **Managed and encrypted VMs without Microsoft Entra ID (BEK and KEK)** - For managed, encrypted VMs without Microsoft Entra ID (encrypted using BEK & KEK), if source **keyVault/key/secret are not available** restore the key and secrets to key vault using the procedure in [Restore an non-encrypted virtual machine from an Azure Backup recovery point](backup-azure-restore-key-secret.md). Then execute the following scripts to set encryption details on the restored OS disk (this step isn't required for data disks). The $dekurl and $kekurl can be fetched from the restored keyVault. The following script needs to be executed only when the source keyVault/key/secret isn't available. The following section lists steps necessary to create a VM using `VMConfig` file 7. Push ADE extension. 
If the ADE extensions aren't pushed, then the data disks will be marked as unencrypted, so it's mandatory for the steps below to be executed: - * **For VM with Azure AD** - Use the following command to manually enable encryption for the data disks + * **For VM with Microsoft Entra ID** - Use the following command to manually enable encryption for the data disks **BEK only** The following section lists steps necessary to create a VM using `VMConfig` file Set-AzVMDiskEncryptionExtension -ResourceGroupName $RG -VMName $vm.Name -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $dekUrl -DiskEncryptionKeyVaultId $keyVaultId -KeyEncryptionKeyUrl $kekUrl -KeyEncryptionKeyVaultId $keyVaultId -VolumeType Data ``` - * **For VM without Azure AD** - Use the following command to manually enable encryption for the data disks. + * **For VM without Microsoft Entra ID** - Use the following command to manually enable encryption for the data disks. If during the command execution it asks for AADClientID, then you need to update your Azure PowerShell. |
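Review bot: all four "without Microsoft Entra ID" bullets (non-managed and managed, BEK only and BEK and KEK) carry a wrong link text into the `+` lines: they point at `backup-azure-restore-key-secret.md` as "Restore an non-encrypted virtual machine from an Azure Backup recovery point", while the non-managed "with Microsoft Entra ID" bullets in the same row link the same file as "Restore an encrypted virtual machine from an Azure Backup recovery point". Since the rename already touches every one of these lines, fix the link text (and "an non-encrypted") in the same change. Two smaller carry-overs in the `+` lines: "**Managed and encrypted VMs without Microsoft Entra ID (BEK only)** -For managed" lost the space after the hyphen, and the bullets alternate between "BEK and KEK" and "BEK & KEK". Finally, the "Push ADE extension" step runs `Set-AzVMDiskEncryptionExtension ... -AadClientID $aadClientID -AadClientSecret $aadClientSecret` with the app secret as a plain string variable; a one-line caveat that `$aadClientSecret` should be read from Key Vault or a secure prompt rather than assigned as a literal in the session (where it ends up in the PowerShell transcript and history) belongs next to that command.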
backup | Backup Azure Vms Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-vms-encryption.md | For more information about encryption of managed disks with customer-managed key Azure Backup supports backup of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE). ADE uses BitLocker for encryption of Windows VMs, and the dm-crypt feature for Linux VMs. ADE integrates with Azure Key Vault to manage disk-encryption keys and secrets. Key Vault Key Encryption Keys (KEKs) can be used to add an additional layer of security, encrypting encryption secrets before writing them to Key Vault. -Azure Backup can back up and restore Azure VMs using ADE with and without the Azure AD app, as summarized in the following table. +Azure Backup can back up and restore Azure VMs using ADE with and without the Microsoft Entra app, as summarized in the following table. **VM disk type** | **ADE (BEK/dm-crypt)** | **ADE and KEK** | | In addition, there are a couple of things that you might need to do in some circ ### Back up ADE encrypted VMs with RBAC enabled key vaults -To enable backups for ADE encrypted VMs using Azure RBAC enabled key vaults, you need to assign Key Vault Administrator role to the Backup Management Service Azure AD app by adding a role assignment in Access Control of key vault. +To enable backups for ADE encrypted VMs using Azure RBAC enabled key vaults, you need to assign Key Vault Administrator role to the Backup Management Service Microsoft Entra app by adding a role assignment in Access Control of key vault. :::image type="content" source="./media/backup-azure-vms-encryption/enable-key-vault-encryption-inline.png" alt-text="Screenshot shows the checkbox to enable ADE encrypted key vault." 
lightbox="./media/backup-azure-vms-encryption/enable-key-vault-encryption-expanded.png"::: The initial backup will run in accordance with the schedule, but you can run it Azure Backup needs read-only access to back up the keys and secrets, along with the associated VMs. -- Your Key Vault is associated with the Azure AD tenant of the Azure subscription. If you're a **Member user**, Azure Backup acquires access to the Key Vault without further action.+- Your Key Vault is associated with the Microsoft Entra tenant of the Azure subscription. If you're a **Member user**, Azure Backup acquires access to the Key Vault without further action. - If you're a **Guest user**, you must provide permissions for Azure Backup to access the key vault. You need to have access to key vaults to configure Backup for encrypted VMs. To provide Azure RBAC permissions on Key Vault, see [this article](../key-vault/general/rbac-guide.md?tabs=azure-cli#enable-azure-rbac-permissions-on-key-vault). You can also set the access policy using [PowerShell](./backup-azure-vms-automat If you run into any issues, review these articles: - [Common errors](backup-azure-vms-troubleshoot.md) when backing up and restoring encrypted Azure VMs.-- [Azure VM agent/backup extension](backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md) issues.+- [Azure VM agent/backup extension](backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md) issues. |
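Review bot: the RBAC paragraph ("you need to assign Key Vault Administrator role to the Backup Management Service Microsoft Entra app") sits a few lines above "Azure Backup needs read-only access to back up the keys and secrets, along with the associated VMs", and the two statements pull in opposite directions for anyone applying least privilege. If the Administrator role really is required for Azure RBAC-enabled vaults, say why a read-only data-plane role isn't enough, so readers don't trim it down later and break backups; if a narrower read-only key/secret role does suffice, name that role instead. Either way, the sentence should use the exact built-in role name, since it is what the reader will search for in the Access control blade.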
backup | Backup Mabs Files Applications Azure Stack | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-mabs-files-applications-azure-stack.md | To view Azure Backup Server entities in the Azure portal, you can follow the fol For information on using Azure Backup Server to protect other workloads, see one of the following articles: * [About Azure Backup service](./backup-overview.md)-* [About Azure AD](../active-directory/fundamentals/active-directory-whatis.md) +* [About Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) * [About Azure Recovery Services vault](./backup-azure-recovery-services-vault-overview.md) * [About Azure Storage](../storage/common/storage-introduction.md) * [About Azure Stack Hub](/azure-stack/operator/azure-stack-overview) |
backup | Backup Sql Server Azure Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-sql-server-azure-troubleshoot.md | AzureBackup workload extension operation failed. | The VM is shut down, or the V | Error message | Possible causes | Recommended actions | ||||-The VM is not able to contact Azure Backup service due to internet connectivity issues. | The VM needs outbound connectivity to Azure Backup Service, Azure Storage, or Azure Active Directory services.| <li> If you use NSG to restrict connectivity, then you should use the *AzureBackup* service tag to allows outbound access to Azure Backup Service, and similarly for the Azure AD (*AzureActiveDirectory*) and Azure Storage(*Storage*) services. Follow these [steps](./backup-sql-server-database-azure-vms.md#nsg-tags) to grant access. <li> Ensure DNS is resolving Azure endpoints. <li> Check if the VM is behind a load balancer blocking internet access. By assigning public IP to the VMs, discovery will work. <li> Verify there's no firewall/antivirus/proxy that are blocking calls to the above three target services. +The VM is not able to contact Azure Backup service due to internet connectivity issues. | The VM needs outbound connectivity to Azure Backup Service, Azure Storage, or Microsoft Entra services.| <li> If you use NSG to restrict connectivity, then you should use the *AzureBackup* service tag to allows outbound access to Azure Backup Service, and similarly for the Microsoft Entra ID (*AzureActiveDirectory*) and Azure Storage(*Storage*) services. Follow these [steps](./backup-sql-server-database-azure-vms.md#nsg-tags) to grant access. <li> Ensure DNS is resolving Azure endpoints. <li> Check if the VM is behind a load balancer blocking internet access. By assigning public IP to the VMs, discovery will work. <li> Verify there's no firewall/antivirus/proxy that are blocking calls to the above three target services. 
### UserErrorOperationNotAllowedDatabaseMirroringEnabled |
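Review bot: the recommended actions in the `+` line still include "By assigning public IP to the VMs, discovery will work." Giving a SQL Server VM a public IP to get outbound reachability is the least safe of the options the row lists and it is presented as an equal alternative; mark it as a last resort and point readers first at the NSG service tag rule the same row describes, or at the private endpoint option in the linked connectivity article. Two carry-overs in the `+` line: "to allows outbound access" should be "to allow outbound access", and "Azure Storage(*Storage*)" needs a space before the parenthesis.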
backup | Backup Sql Server Database Azure Vms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-sql-server-database-azure-vms.md | Before you back up a SQL Server database, check the following criteria: ### Establish network connectivity -For all operations, a SQL Server VM requires connectivity to the Azure Backup service, Azure Storage, and Azure Active Directory. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data. +For all operations, a SQL Server VM requires connectivity to the Azure Backup service, Azure Storage, and Microsoft Entra ID. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data. The following table lists the various alternatives you can use for establishing connectivity: The following table lists the various alternatives you can use for establishing | Private endpoints | Allow backups over private IPs inside the virtual network <br><br> Provide granular control on the network and vault side | Incurs standard private endpoint [costs](https://azure.microsoft.com/pricing/details/private-link/) | | NSG service tags | Easier to manage as range changes are automatically merged <br><br> No additional costs | Can be used with NSGs only <br><br> Provides access to the entire service | | Azure Firewall FQDN tags | Easier to manage since the required FQDNs are automatically managed | Can be used with Azure Firewall only |-| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. 
<br><br> You can also use service endpoints for *Storage* and *Azure Active Directory*. However, for Azure Backup, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. | +| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage* and *Microsoft Entra ID*. However, for Azure Backup, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. | | Use an HTTP proxy | Single point of internet access to VMs | Additional costs to run a VM with the proxy software | The following sections provide more details around using these options. Private endpoints allow you to connect securely from servers inside a virtual ne #### NSG tags -If you use Network Security Groups (NSG), use the *AzureBackup* service tag to allow outbound access to Azure Backup. In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar [NSG rules](../virtual-network/network-security-groups-overview.md#service-tags) for Azure AD (*AzureActiveDirectory*) and Azure Storage(*Storage*). The following steps describe the process to create a rule for the Azure Backup tag: +If you use Network Security Groups (NSG), use the *AzureBackup* service tag to allow outbound access to Azure Backup. In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar [NSG rules](../virtual-network/network-security-groups-overview.md#service-tags) for Microsoft Entra ID (*AzureActiveDirectory*) and Azure Storage(*Storage*). The following steps describe the process to create a rule for the Azure Backup tag: 1. In **All Services**, go to **Network security groups** and select the network security group. 
If you use Network Security Groups (NSG), use the *AzureBackup* service tag to a 1. Select **Add** to save the newly created outbound security rule. -You can similarly create NSG outbound security rules for Azure Storage and Azure AD. +You can similarly create NSG outbound security rules for Azure Storage and Microsoft Entra ID. #### Azure Firewall tags If you're using Azure Firewall, create an application rule by using the *AzureBa #### Allow access to service IP ranges -If you choose to allow access service IPs, refer to the IP ranges in the JSON file available [here](https://www.microsoft.com/download/confirmation.aspx?id=56519). You'll need to allow access to IPs corresponding to Azure Backup, Azure Storage, and Azure Active Directory. +If you choose to allow access service IPs, refer to the IP ranges in the JSON file available [here](https://www.microsoft.com/download/confirmation.aspx?id=56519). You'll need to allow access to IPs corresponding to Azure Backup, Azure Storage, and Microsoft Entra ID. #### Allow access to service FQDNs When using an internal load balancer, you need to allow the outbound connectivit #### Use an HTTP proxy server to route traffic -When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Azure AD for authentication. Route the backup extension traffic for these three services through the HTTP proxy. Use the list of IPs and FQDNs mentioned above for allowing access to the required services. Authenticated proxy servers aren't supported. +When you back up a SQL Server database on an Azure VM, the backup extension on the VM uses the HTTPS APIs to send management commands to Azure Backup and data to Azure Storage. The backup extension also uses Microsoft Entra ID for authentication. Route the backup extension traffic for these three services through the HTTP proxy. 
Use the list of IPs and FQDNs mentioned above for allowing access to the required services. Authenticated proxy servers aren't supported. > [!NOTE] > Disable proxy for localhost communications within the VM. Proxy will be honored for outbound communications from the SQL VM. If you need to disable auto-protection, select the instance name under **Configu Learn how to: * [Restore backed-up SQL Server databases](restore-sql-database-azure-vm.md)-* [Manage backed-up SQL Server databases](manage-monitor-sql-database-backup.md) +* [Manage backed-up SQL Server databases](manage-monitor-sql-database-backup.md) |
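Review bot: in the "Allow access to service FQDNs/IPs" table row the `+` line turns the italicized service endpoint name into *Microsoft Entra ID* ("You can also use service endpoints for *Storage* and *Microsoft Entra ID*"). The italics pair it with *Storage* as an Azure identifier, and the identifier itself has not been renamed; the NSG tags paragraph in this same change handles it correctly as "Microsoft Entra ID (*AzureActiveDirectory*)", so use the same display-name-plus-identifier form in the table cell. The NSG paragraph carries over "Azure Storage(*Storage*)" without a space. One more point from the HTTP proxy section: "Authenticated proxy servers aren't supported" is a constraint that decides the design, so it should also appear in the "Use an HTTP proxy" cons cell of the comparison table, which currently lists only "Additional costs to run a VM with the proxy software".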
backup | Backup Support Matrix Iaas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-support-matrix-iaas.md | Azure VM data disks | Support for backup of Azure VMs is up to 32 disks.<br><br> Data disk size | Individual disk size can be up to 32 TB and a maximum of 256 TB combined for all disks in a VM. Storage type | Standard HDD, Standard SSD, Premium SSD. <br><br> Backup and restore of [zone-redundant storage disks](../virtual-machines/disks-redundancy.md#zone-redundant-storage-for-managed-disks) is supported. Managed disks | Supported.-Encrypted disks | Supported.<br/><br/> Azure VMs enabled with Azure Disk Encryption can be backed up (with or without the Azure Active Directory app).<br/><br/> Encrypted VMs can't be recovered at the file or folder level. You must recover the entire VM.<br/><br/> You can enable encryption on VMs that Azure Backup is already protecting. <br><br> You can back up and restore disks encrypted via platform-managed keys or customer-managed keys. You can also assign a disk-encryption set while restoring in the same region. That is, providing a disk-encryption set while performing cross-region restore is currently not supported. However, you can assign the disk-encryption set to the restored disk after the restore is complete. +Encrypted disks | Supported.<br/><br/> Azure VMs enabled with Azure Disk Encryption can be backed up (with or without the Microsoft Entra app).<br/><br/> Encrypted VMs can't be recovered at the file or folder level. You must recover the entire VM.<br/><br/> You can enable encryption on VMs that Azure Backup is already protecting. <br><br> You can back up and restore disks encrypted via platform-managed keys or customer-managed keys. You can also assign a disk-encryption set while restoring in the same region. That is, providing a disk-encryption set while performing cross-region restore is currently not supported. 
However, you can assign the disk-encryption set to the restored disk after the restore is complete. Disks with a write accelerator enabled | Azure VMs with disk backup for a write accelerator became available in all Azure public regions on May 18, 2022. If disk backup for a write accelerator is not required as part of VM backup, you can choose to remove it by using the [selective disk feature](selective-disk-backup-restore.md). <br><br>**Important** <br> Virtual machines with write accelerator disks need internet connectivity for a successful backup, even though those disks are excluded from the backup. Disks enabled for access with a private endpoint | Not supported. Backup and restore of deduplicated VMs or disks | Azure Backup doesn't support deduplication. For more information, see [this article](./backup-support-matrix.md#disk-deduplication-support). <br/> <br/> Azure Backup doesn't deduplicate across VMs in the Recovery Services vault. <br/> <br/> If there are VMs in a deduplication state during restore, the files can't be restored because the vault doesn't understand the format. However, you can successfully perform the full VM restore. NVMe/[ephemeral disks](../virtual-machines/ephemeral-os-disks.md) | Not supporte [Resilient File System (ReFS)](/windows-server/storage/refs/refs-overview) restore | Supported. Volume Shadow Copy Service (VSS) supports app-consistent backups on ReFS. Dynamic disk with spanned or striped volumes | Supported, unless you enable the selective disk feature on an Azure VM. VMs with encryption at host | Supported-Disks with enabled Data Access with Azure Active Directory Authentication for disk upload/download | Not Supported +Disks with enabled Data Access with Microsoft Entra authentication for disk upload/download | Not Supported Storage Replicas | Not supported ## VM network support |
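Review bot: "(with or without the Microsoft Entra app)" in the Encrypted disks row is ambiguous after the rename; nothing in the cell says which app is meant. The Backup Azure Vms Encryption article in this same change ties it to Azure Disk Encryption ("Azure Backup can back up and restore Azure VMs using ADE with and without the Microsoft Entra app"), so spell that out here, for example "with or without the Microsoft Entra app used by Azure Disk Encryption", and link to that article's with/without table. The cross-region restore sentence also reads oddly: "That is, providing a disk-encryption set while performing cross-region restore is currently not supported." restates the previous sentence rather than explaining it; drop "That is" and keep a single statement.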
backup | Enable Multi User Authorization Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/enable-multi-user-authorization-quickstart.md | Once the Backup admin has the Reader role on the Resource Guard, they can enable ## Next steps - [Protected operations using MUA](multi-user-authorization.md?pivots=vaults-recovery-services-vault#protected-operations-using-mua)-- [Authorize critical (protected) operations using Azure Active Directory Privileged Identity Management](multi-user-authorization.md#authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management)+- [Authorize critical (protected) operations using Microsoft Entra Privileged Identity Management](multi-user-authorization.md#authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management) - [Performing a protected operation after approval](multi-user-authorization.md#performing-a-protected-operation-after-approval) - Disable MUA on a [Recovery Services vault](multi-user-authorization.md?tabs=azure-portal&pivots=vaults-recovery-services-vault#disable-mua-on-a-recovery-services-vault) or a [Backup vault](multi-user-authorization.md?tabs=azure-portal&pivots=vaults-backup-vault#disable-mua-on-a-backup-vault). |
backup | Guidance Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/guidance-best-practices.md | Azure Backup requires movement of data from your workload to the Recovery Servic * **Azure VM backup**: All the required communication and data transfer between storage and Azure Backup service happens within the Azure network without needing to access your virtual network. So backup of Azure VMs placed inside secured networks don't require you to allow access to any IPs or FQDNs. -* **SAP HANA databases on Azure VM, SQL Server databases on Azure VM**: Requires connectivity to the Azure Backup service, Azure Storage, and Azure Active Directory. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data. For complete network guidance while using NSG tags, Azure firewall, and HTTP Proxy, refer to these [SQL](backup-sql-server-database-azure-vms.md#establish-network-connectivity) and [SAP HANA](./backup-azure-sap-hana-database.md#establish-network-connectivity) articles. +* **SAP HANA databases on Azure VM, SQL Server databases on Azure VM**: Requires connectivity to the Azure Backup service, Azure Storage, and Microsoft Entra ID. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data. For complete network guidance while using NSG tags, Azure firewall, and HTTP Proxy, refer to these [SQL](backup-sql-server-database-azure-vms.md#establish-network-connectivity) and [SAP HANA](./backup-azure-sap-hana-database.md#establish-network-connectivity) articles. 
* **Hybrid**: The MARS (Microsoft Azure Recovery Services) agent requires network access for all critical operations - install, configure, backup, and restore. The MARS agent can connect to the Azure Backup service over [Azure ExpressRoute](install-mars-agent.md#azure-expressroute-support) by using public peering (available for old circuits) and Microsoft peering, using [private endpoints](install-mars-agent.md#private-endpoint-support) or via [proxy/firewall with appropriate access controls](install-mars-agent.md#verify-internet-access). To fulfill all these needs, use [Azure Private Endpoint](../private-link/private * When you enable private endpoints for the vault, they're only used for backup and restore of SQL and SAP HANA workloads in an Azure VM, MARS agent, DPM/MABS backups. You can use the vault for the backup of other workloads as well (they wonΓÇÖt require private endpoints though). In addition to the backup of SQL and SAP HANA workloads, backup using the MARS agent and DPM/MABS Server, private endpoints are also used to perform file recovery in the case of Azure VM backup. [Learn more here](private-endpoints-overview.md#recommended-and-supported-scenarios). -* Azure Active Directory doesn't currently support private endpoints. So, IPs and FQDNs required for Azure Active Directory will need to be allowed outbound access from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable. Learn more about the [prerequisites here](./private-endpoints.md#before-you-start). +* Microsoft Entra ID doesn't currently support private endpoints. So, IPs and FQDNs required for Microsoft Entra ID will need to be allowed outbound access from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. 
You can also use NSG tags and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable. Learn more about the [prerequisites here](./private-endpoints.md#before-you-start). ## Governance considerations |
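Review bot: "Microsoft Entra ID doesn't currently support private endpoints" is a time-bound statement carried into the `+` line unchanged, and the whole bullet's advice (allow outbound IPs and FQDNs from the secured network, or use NSG and Azure Firewall tags) hinges on it; give it a date or a link to the authoritative support statement so readers can check whether it still holds. The bullet should also say which Microsoft Entra endpoints need the exception instead of only "IPs and FQDNs required for Microsoft Entra ID", since the reader is about to punch a hole in a secured network and needs to know what it opens. Minor grammar in the unchanged Azure VM backup bullet: "backup of Azure VMs placed inside secured networks don't require" should read "doesn't require".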
backup | Microsoft Azure Backup Server Protection V3 Ur1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/microsoft-azure-backup-server-protection-v3-ur1.md | With public peering: Ensure access to the following domains/addresses: With Microsoft peering, select the following services/regions and relevant community values: -* Azure Active Directory (12076:5060) +* Microsoft Entra ID (12076:5060) * Microsoft Azure Region (according to the location of your Recovery Services vault) * Azure Storage (according to the location of your Recovery Services vault) MABS doesn't support protecting the following data types: ## Next steps -* [Support matrix for backup with Microsoft Azure Backup Server or System Center DPM](backup-support-matrix-mabs-dpm.md) +* [Support matrix for backup with Microsoft Azure Backup Server or System Center DPM](backup-support-matrix-mabs-dpm.md) |
backup | Microsoft Azure Backup Server Protection V3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/microsoft-azure-backup-server-protection-v3.md | With public peering: Ensure access to the following domains/addresses: With Microsoft peering, select the following services/regions and relevant community values: -* Azure Active Directory (12076:5060) +* Microsoft Entra ID (12076:5060) * Microsoft Azure Region (according to the location of your Recovery Services vault) * Azure Storage (according to the location of your Recovery Services vault) Azure Backup Server can protect data in the following clustered applications: * SQL Server - Azure Backup Server doesn't support backing up SQL Server databases hosted on cluster-shared volumes (CSVs). -Azure Backup Server can protect cluster workloads that are located in the same domain as the MABS server, and in a child or trusted domain. If you want to protect data sources in untrusted domains or workgroups, use NTLM or certificate authentication for a single server, or certificate authentication only for a cluster. +Azure Backup Server can protect cluster workloads that are located in the same domain as the MABS server, and in a child or trusted domain. If you want to protect data sources in untrusted domains or workgroups, use NTLM or certificate authentication for a single server, or certificate authentication only for a cluster. |
backup | Multi User Authorization Concept | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/multi-user-authorization-concept.md | Here's the flow of events in a typical scenario: If the Backup admin didn't have the required permissions/roles, the request would have failed. -1. The security admin ensures that the privileges to perform critical operations are revoked after authorized actions are performed or after a defined duration. Using JIT tools [Azure Active Directory Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) may be useful in ensuring this. +1. The security admin ensures that the privileges to perform critical operations are revoked after authorized actions are performed or after a defined duration. Using JIT tools [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) may be useful in ensuring this. >[!NOTE] >MUA provides protection on the above listed operations performed on the vaulted backups only. Any operations performed directly on the data source (that is, the Azure resource/workload that is protected) are beyond the scope of the Resource Guard. |
backup | Multi User Authorization Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/multi-user-authorization-tutorial.md | Once the Backup admin has the Reader role on the Resource Guard, they can enable ## Next steps - [Protected operations using MUA](multi-user-authorization.md?pivots=vaults-recovery-services-vault#protected-operations-using-mua)-- [Authorize critical (protected) operations using Azure Active Directory Privileged Identity Management](multi-user-authorization.md#authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management)+- [Authorize critical (protected) operations using Microsoft Entra Privileged Identity Management](multi-user-authorization.md#authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management) - [Performing a protected operation after approval](multi-user-authorization.md#performing-a-protected-operation-after-approval) - Disable MUA on a [Recovery Services vault](multi-user-authorization.md?tabs=azure-portal&pivots=vaults-recovery-services-vault#disable-mua-on-a-recovery-services-vault) or a [Backup vault](multi-user-authorization.md?tabs=azure-portal&pivots=vaults-backup-vault#disable-mua-on-a-backup-vault).- |
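Review bot: The `+` line changes the link text to "Microsoft Entra Privileged Identity Management" but keeps the fragment `#authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management`; once the target heading in multi-user-authorization.md is renamed, that slug resolves only through the `<a name='...'>` compatibility anchor the companion change adds. Suggest updating the fragment to the new heading's slug, `#authorize-critical-protected-operations-using-microsoft-entra-privileged-identity-management`, so this page does not depend on the legacy anchor staying in place. The trailing `-` after the last bullet is a deleted blank line at end of file and is harmless.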
backup | Multi User Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/multi-user-authorization.md | -This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using [Azure Active Directory Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup. +This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup. >[!NOTE] >- Multi-user authorization for Azure Backup is available in all public Azure regions. Depicted below is an illustration of what happens when the Backup admin tries to :::image type="content" source="./media/multi-user-authorization/test-vault-properties-security-settings-inline.png" alt-text="Screenshot showing the Test Vault properties security settings." lightbox="./media/multi-user-authorization/test-vault-properties-security-settings-expanded.png"::: -## Authorize critical (protected) operations using Azure Active Directory Privileged Identity Management +<a name='authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management'></a> -The following sections discuss authorizing these requests using PIM. 
There are cases where you may need to perform critical operations on your backups and MUA can help you ensure that these are performed only when the right approvals or permissions exist. As discussed earlier, the Backup admin needs to have a Contributor role on the Resource Guard to perform critical operations that are in the Resource Guard scope. One of the ways to allow just-in-time for such operations is through the use of [Azure Active Directory (Azure AD) Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). +## Authorize critical (protected) operations using Microsoft Entra Privileged Identity Management ++The following sections discuss authorizing these requests using PIM. There are cases where you may need to perform critical operations on your backups and MUA can help you ensure that these are performed only when the right approvals or permissions exist. As discussed earlier, the Backup admin needs to have a Contributor role on the Resource Guard to perform critical operations that are in the Resource Guard scope. One of the ways to allow just-in-time for such operations is through the use of [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). >[!NOTE]->Though using Azure AD PIM is the recommended approach, you can use manual or custom methods to manage access for the Backup admin on the Resource Guard. For managing access to the Resource Guard manually, use the ΓÇÿAccess control (IAM)ΓÇÖ setting on the left navigation bar of the Resource Guard and grant the **Contributor** role to the Backup admin. +>Though using Microsoft Entra PIM is the recommended approach, you can use manual or custom methods to manage access for the Backup admin on the Resource Guard. 
For managing access to the Resource Guard manually, use the ΓÇÿAccess control (IAM)ΓÇÖ setting on the left navigation bar of the Resource Guard and grant the **Contributor** role to the Backup admin. ++<a name='create-an-eligible-assignment-for-the-backup-admin-if-using-azure-active-directory-privileged-identity-management'></a> -### Create an eligible assignment for the Backup admin (if using Azure Active Directory Privileged Identity Management) +### Create an eligible assignment for the Backup admin (if using Microsoft Entra Privileged Identity Management) The Security admin can use PIM to create an eligible assignment for the Backup admin as a Contributor to the Resource Guard. This enables the Backup admin to raise a request (for the Contributor role) when they need to perform a protected operation. To do so, the **security admin** performs the following: By default, the setup above may not have an approver (and an approval flow requi > [!Note] > If this isn't configured, any requests will be automatically approved without going through the security admins or a designated approverΓÇÖs review. More details on this can be found [here](../active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md) -1. In Azure AD PIM, select **Azure Resources** on the left navigation bar and select your Resource Guard. +1. In Microsoft Entra PIM, select **Azure Resources** on the left navigation bar and select your Resource Guard. 1. Go to **Settings** and then go to the **Contributor** role. By default, the setup above may not have an approver (and an approval flow requi After the security admin creates an eligible assignment, the Backup admin needs to activate the assignment for the Contributor role to be able to perform protected actions. The following actions are performed by the **Backup admin** to activate the role assignment. -1. 
Go to [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). If the Resource Guard is in another directory, switch to that directory and then go to [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). +1. Go to [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). If the Resource Guard is in another directory, switch to that directory and then go to [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). 1. Go to **My roles** > **Azure resources** on the left menu. 1. The Backup admin can see an Eligible assignment for the contributor role. Select **Activate** to activate it. 1. The Backup admin is informed via portal notification that the request is sent for approval. After the security admin creates an eligible assignment, the Backup admin needs ### Approve activation of requests to perform critical operations Once the Backup admin raises a request for activating the Contributor role, the request is to be reviewed and approved by the **security admin**.-1. In the security tenant, go to [Azure AD Privileged Identity Management.](../active-directory/privileged-identity-management/pim-configure.md) +1. In the security tenant, go to [Microsoft Entra Privileged Identity Management.](../active-directory/privileged-identity-management/pim-configure.md) 1. Go to **Approve Requests**. 1. Under **Azure resources**, the request raised by the Backup admin requesting activation as a **Contributor** can be seen. 1. Review the request. If genuine, select the request and select **Approve** to approve it. Disabling MUA is a protected operation, so, so, vaults are protected using MUA. To disable MUA on a vault, follow these steps: -1. The Backup admin requests the Security admin for **Contributor** role on the Resource Guard. 
They can request this to use the methods approved by the organization such as JIT procedures, like [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md), or other internal tools and procedures. +1. The Backup admin requests the Security admin for **Contributor** role on the Resource Guard. They can request this to use the methods approved by the organization such as JIT procedures, like [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md), or other internal tools and procedures. 1. The Security admin approves the request (if they find it worthy of being approved) and informs the Backup admin. Now the Backup admin has the ΓÇÿContributorΓÇÖ role on the Resource Guard. 1. The Backup admin goes to the vault > **Properties** > **Multi-user Authorization**. 1. Select **Update**. The tenant ID is required if the resource guard exists in a different tenant. This article describes how to configure Multi-user authorization (MUA) for Azure Backup to add an additional layer of protection to critical operations on your Backup vault. -This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using [Azure Active Directory Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup. +This article demonstrates Resource Guard creation in a different tenant that offers maximum protection. It also demonstrates how to request and approve requests for performing critical operations using [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) in the tenant housing the Resource Guard. 
You can optionally use other mechanisms to manage JIT permissions on the Resource Guard as per your setup. >[!NOTE] >- Multi-user authorization using Resource Guard for Backup vault is now generally available. To perform a protected operation (disabling MUA), follow these steps: :::image type="content" source="./media/multi-user-authorization/test-vault-properties-security-settings-inline.png" alt-text="Screenshot showing the test Backup vault properties security settings." lightbox="./media/multi-user-authorization/test-vault-properties-security-settings-expanded.png"::: -## Authorize critical (protected) operations using Azure Active Directory Privileged Identity Management +<a name='authorize-critical-protected-operations-using-azure-active-directory-privileged-identity-management'></a> ++## Authorize critical (protected) operations using Microsoft Entra Privileged Identity Management There are scenarios where you may need to perform critical operations on your backups and you can perform them with the right approvals or permissions with MUA. The following sections explain how to authorize the critical operation requests using Privileged Identity Management (PIM). -The Backup admin must have a Contributor role on the Resource Guard to perform critical operations in the Resource Guard scope. One of the ways to allow just-in-time (JIT) operations is through the use of [Azure Active Directory (Azure AD) Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). +The Backup admin must have a Contributor role on the Resource Guard to perform critical operations in the Resource Guard scope. One of the ways to allow just-in-time (JIT) operations is through the use of [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). >[!NOTE]->We recommend that you use the Azure AD PIM. 
However, you can also use manual or custom methods to manage access for the Backup admin on the Resource Guard. To manually manage access to the Resource Guard, use the *Access control (IAM)* setting on the left pane of the Resource Guard and grant the **Contributor** role to the Backup admin. +>We recommend that you use the Microsoft Entra PIM. However, you can also use manual or custom methods to manage access for the Backup admin on the Resource Guard. To manually manage access to the Resource Guard, use the *Access control (IAM)* setting on the left pane of the Resource Guard and grant the **Contributor** role to the Backup admin. ++<a name='create-an-eligible-assignment-for-the-backup-admin-using-azure-active-directory-privileged-identity-management'></a> -### Create an eligible assignment for the Backup admin using Azure Active Directory Privileged Identity Management +### Create an eligible assignment for the Backup admin using Microsoft Entra Privileged Identity Management The **Security admin** can use PIM to create an eligible assignment for the Backup admin as a Contributor to the Resource Guard. This enables the Backup admin to raise a request (for the Contributor role) when they need to perform a protected operation. By default, the above setup may not have an approver (and an approval flow requi >[!Note] >If the approver setup isn't configured, the requests are automatically approved without going through the Security admins or a designated approverΓÇÖs review. [Learn more](../active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md). -1. In Azure AD PIM, select **Azure Resources** on the left pane and select your Resource Guard. +1. In Microsoft Entra PIM, select **Azure Resources** on the left pane and select your Resource Guard. 1. Go to **Settings** > **Contributor** role. After the Security admin creates an eligible assignment, the Backup admin needs To activate the role assignment, follow the steps: -1. 
Go to [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). If the Resource Guard is in another directory, switch to that directory and then go to [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). +1. Go to [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). If the Resource Guard is in another directory, switch to that directory and then go to [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). 1. Go to **My roles** > **Azure resources** in the left pane. 1. Select **Activate** to activate the eligible assignment for *Contributor* role. Once the Backup admin raises a request for activating the Contributor role, the To review and approve the request, follow these steps: -1. In the security tenant, go to [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). +1. In the security tenant, go to [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md). 1. Go to **Approve Requests**. 1. Under **Azure resources**, you can see the request awaiting approval. The following screenshot shows an example of [disabling soft delete](backup-azur ## Disable MUA on a Backup vault -Disabling the MUA is a protected operation that must be done by the Backup admin only. To do this, the Backup admin must have the required *Contributor* role in the Resource Guard. To obtain this permission, the Backup admin must first request the Security admin for the Contributor role on the Resource Guard using the just-in-time (JIT) procedure, such as [Azure Active Directory (Azure AD) Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) or internal tools. 
+Disabling the MUA is a protected operation that must be done by the Backup admin only. To do this, the Backup admin must have the required *Contributor* role in the Resource Guard. To obtain this permission, the Backup admin must first request the Security admin for the Contributor role on the Resource Guard using the just-in-time (JIT) procedure, such as [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md) or internal tools. Then the Security admin approves the request if it's genuine and updates the Backup admin who now has Contributor role on the Resource guard. Learn more on [how to get this role](?pivots=vaults-backup-vault#assign-permissions-to-the-backup-admin-on-the-resource-guard-to-enable-mua). |
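Review bot: Two wording problems sit in lines this change touches or reproduces. In the Backup vault pivot the renamed note reads `>We recommend that you use the Microsoft Entra PIM.`; drop the article ("use Microsoft Entra PIM"). In the Recovery Services pivot, "PIM" first appears as a bare abbreviation in `The following sections discuss authorizing these requests using PIM.` directly under a heading that spells the name out; add "(PIM)" after the full name on first use, as the Backup vault pivot already does. Separately, the unchanged context line `Disabling MUA is a protected operation, so, so, vaults are protected using MUA.` has a duplicated "so," and sits immediately before the `-1. The Backup admin requests the Security admin for **Contributor** role` hunk, so fixing it here costs nothing. The `<a name='...'>` anchors inserted ahead of each renamed heading are the right way to keep existing deep links working, including the one from multi-user-authorization-tutorial.md.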
backup | Offline Backup Azure Data Box Dpm Mabs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/offline-backup-azure-data-box-dpm-mabs.md | Specify alternate source: *WIM:D:\Sources\Install.wim:4* The DPM/MABS server will then fetch the Data Box jobs in the subscription that are in *Delivered* state. > [!NOTE]- > The first time sign-in takes longer than usual. The Azure PowerShell module gets installed in the background, and also the Azure AD Application is registered. + > The first time sign-in takes longer than usual. The Azure PowerShell module gets installed in the background, and also the Microsoft Entra Application is registered. > > - The following PowerShell modules are installed:<br> - AzureRM.Profile *5.8.3*<br> - AzureRM.Resources *6.7.3*<br> - AzureRM.Storage *5.2.0*<br> - Azure.Storage *4.6.1*<br>- > - The Azure AD application is registered as *AzureOfflineBackup_\<object GUID of the user>*. + > - The Microsoft Entra application is registered as *AzureOfflineBackup_\<object GUID of the user>*. 13. Select the correct Data box order for which you've unpacked, connected, and unlocked your Data Box disk. Select **Next**. Follow these steps once the data backup to the Azure Data Box Disk is successful ## Troubleshooting -The Microsoft Azure Backup (MAB) agent on the DPM server creates an Azure AD application for you, in your tenant. This application requires a certificate for authentication that's created and uploaded when configuring offline seeding policy. +The Microsoft Azure Backup (MAB) agent on the DPM server creates a Microsoft Entra application for you, in your tenant. This application requires a certificate for authentication that's created and uploaded when configuring offline seeding policy. -We use Azure PowerShell for creating and uploading the certificate to the Azure AD Application. +We use Azure PowerShell for creating and uploading the certificate to the Microsoft Entra Application. 
### Issue -At the time of configuring offline backup, due to a known code defect in the Azure PowerShell cmdlet you're unable to add multiple certificates to the same Azure AD Application created by the MAB agent. This will impact you if you've configured an offline seeding policy for the same or a different server. +At the time of configuring offline backup, due to a known code defect in the Azure PowerShell cmdlet you're unable to add multiple certificates to the same Microsoft Entra Application created by the MAB agent. This will impact you if you've configured an offline seeding policy for the same or a different server. ### Verify if the issue is caused by this specific root cause Check if you see one of the following error messages in the DPM/MABS console at #### Step 2 1. Open the **Temp** folder in the installation path (default temp folder path is *C:\Program Files\Microsoft Azure Recovery Services Agent\Temp*. Look for the *CBUICurr* file and open the file.-2. In the *CBUICurr* file, scroll to the last line and check if the failure is due to "Unable to create an Azure AD application credential in customer's account. Exception: Update to existing credential with KeyId \<some guid> isn't allowed". +2. In the *CBUICurr* file, scroll to the last line and check if the failure is due to "Unable to create a Microsoft Entra application credential in customer's account. Exception: Update to existing credential with KeyId \<some guid> isn't allowed". ### Workaround To resolve this issue, do the following steps and retry the policy configuration. 1. Sign into the Azure sign-in page that appears on the DPM/MABS server UI using a different account with admin access on the subscription that will have the Data Box job created.-2. If no other server has offline seeding configured and no other server is dependent on the `AzureOfflineBackup_<Azure User Id>` application, then delete this application from **Azure portal > Azure Active Directory > App registrations**. +2. 
If no other server has offline seeding configured and no other server is dependent on the `AzureOfflineBackup_<Azure User Id>` application, then delete this application from **Azure portal > Microsoft Entra ID > App registrations**. > [!NOTE] > Check if the application `AzureOfflineBackup_<Azure User Id>` doesn't have any other offline seeding configured and also no other server is dependent on this application. Go to **Settings > Keys** under the Public Keys section. It shouldn't have any other **public keys** added. See the following screenshot for reference: |
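Review bot: The `+` line in step 2 of the workaround rewrites a literal log string readers are told to search for in *CBUICurr*, from `Unable to create an Azure AD application credential in customer's account.` to `Unable to create a Microsoft Entra application credential in customer's account.`. That text is emitted by the MAB agent, not by the docs; unless the agent's log output changed in the same release, the renamed string will not match what is on disk and the troubleshooting step will send readers looking for a line that does not exist. Keep the quoted string as the agent actually writes it, or show both variants if the agent was updated. Also, "Application" is capitalized inconsistently across the renamed lines in this file (`Microsoft Entra Application is registered` vs `Microsoft Entra application is registered as`); pick lowercase throughout.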
backup | Offline Backup Azure Data Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/offline-backup-azure-data-box.md | This section explains the steps to take after the backup of the data to the Azur ## Troubleshooting -The Microsoft Azure Recovery Services (MARS) Agent creates an Azure Active Directory (Azure AD) application for you in your tenant. This application requires a certificate for authentication that's created and uploaded when you configure an offline seeding policy. We use Azure PowerShell to create and upload the certificate to the Azure AD application. +The Microsoft Azure Recovery Services (MARS) Agent creates a Microsoft Entra application for you in your tenant. This application requires a certificate for authentication that's created and uploaded when you configure an offline seeding policy. We use Azure PowerShell to create and upload the certificate to the Microsoft Entra application. ### Problem -When you configure offline backup, you might face a problem because of a bug in the Azure PowerShell cmdlet. You might be unable to add multiple certificates to the same Azure AD application created by the MAB Agent. This problem will affect you if you configured an offline seeding policy for the same or a different server. +When you configure offline backup, you might face a problem because of a bug in the Azure PowerShell cmdlet. You might be unable to add multiple certificates to the same Microsoft Entra application created by the MAB Agent. This problem will affect you if you configured an offline seeding policy for the same or a different server. ### Verify if the problem is caused by this specific root cause Sign in to PowerShell that appears on the MAB UI by using a different account wi #### Step 2 of workaround -If no other server has offline seeding configured and no other server is dependent on the `AzureOfflineBackup_<Azure User Id>` application, delete this application. 
Select **Azure portal** > **Azure Active Directory** > **App registrations**. +If no other server has offline seeding configured and no other server is dependent on the `AzureOfflineBackup_<Azure User Id>` application, delete this application. Select **Azure portal** > **Microsoft Entra ID** > **App registrations**. >[!NOTE] > Check to see if the `AzureOfflineBackup_<Azure User Id>` application doesn't have any other offline seeding configured and also if no other server is dependent on this application. Go to **Settings** > **Keys** under the **Public Keys** section. It shouldn't have any other public keys added. See the following screenshot for reference. |
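Review bot: The renamed `+` line under "Problem" says `the same Microsoft Entra application created by the MAB Agent`, but this article and the paragraph immediately above it describe the Microsoft Azure Recovery Services (MARS) Agent; since the line is already being rewritten, change "MAB Agent" to "MARS Agent" so the two paragraphs agree on which agent registers the `AzureOfflineBackup_<Azure User Id>` application.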
backup | Offline Backup Server Previous Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/offline-backup-server-previous-versions.md | Ensure that the following prerequisites are met before you start the offline bac ## Upload an offline backup certificate manually -To manually upload the offline backup certificate to a previously created Azure Active Directory application meant for offline backup, follow these steps: +To manually upload the offline backup certificate to a previously created Microsoft Entra application meant for offline backup, follow these steps: 1. Sign in to the Azure portal.-1. Go to **Azure Active Directory** > **App registrations**. +1. Go to **Microsoft Entra ID** > **App registrations**. 1. On the **Owned applications** tab, locate an application with the display name format `AzureOfflineBackup _<Azure User Id`. ![Screenshot shows how to locate application on Owned applications tab.](./media/offline-backup-dpm-mabs-previous-versions/owned-applications.png) |
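Review bot: The unchanged step following the renamed portal path gives the display name pattern as `AzureOfflineBackup _<Azure User Id`, with a stray space before the underscore and no closing `>`; the other offline-backup articles in this change write it as `AzureOfflineBackup_<Azure User Id>`. Worth fixing in the same commit so a reader searching App registrations for the pattern matches the real display name.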
backup | Private Endpoints Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/private-endpoints-overview.md | This article will help you understand how private endpoints for Azure Backup wor - If the public network access for the vault is set to **Allow from all networks**, the vault allows backups and restores from any machine registered to the vault. If the public network access for the vault is set to **Deny**, the vault only allows backups and restores from the machines registered to the vault that are requesting backups/restores via private IPs allocated for the vault. - A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher for certain Azure regions. So we suggest that you have enough private IPs (/26) available when you attempt to create private endpoints for Backup. - While a Recovery Services vault is used by (both) Azure Backup and Azure Site Recovery, this article discusses use of private endpoints for Azure Backup only.-- Private endpoints for Backup donΓÇÖt include access to Azure Active Directory (Azure AD) and the same needs to be ensured separately. So, IPs and FQDNs required for Azure AD to work in a region will need outbound access to be allowed from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable.+- Private endpoints for Backup donΓÇÖt include access to Microsoft Entra ID and the same needs to be ensured separately. So, IPs and FQDNs required for Microsoft Entra ID to work in a region will need outbound access to be allowed from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable. 
- You need to re-register the Recovery Services resource provider with the subscription if you registered it before May 1 2020. To re-register the provider, go to your subscription in the Azure portal, navigate to **Resource provider** on the left navigation bar, then select **Microsoft.RecoveryServices** and select **Re-register**. - [Cross-region restore](backup-create-rs-vault.md#set-cross-region-restore) for SQL and SAP HANA database backups aren't supported if the vault has private endpoints enabled. - When you move a Recovery Services vault already using private endpoints to a new tenant, you'll need to update the Recovery Services vault to recreate and reconfigure the vaultΓÇÖs managed identity and create new private endpoints as needed (which should be in the new tenant). If this isn't done, the backup and restore operations will start failing. Also, any Azure role-based access control (Azure RBAC) permissions set up within the subscription will need to be reconfigured. While private endpoints are enabled for the vault, they're used for backup and r | Scenarios | Recommendations | | | |-| Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent, DPM server. | Use of private endpoints is recommended to allow backup and restore without needing to add to an allowlist any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks. In that scenario, ensure that VMs that host SQL databases can reach Azure AD IPs or FQDNs. | +| Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent, DPM server. | Use of private endpoints is recommended to allow backup and restore without needing to add to an allowlist any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks. In that scenario, ensure that VMs that host SQL databases can reach Microsoft Entra IPs or FQDNs. | | **Azure VM backup** | VM backup doesn't require you to allow access to any IPs or FQDNs. 
So, it doesn't require private endpoints for backup and restore of disks. <br><br> However, file recovery from a vault containing private endpoints would be restricted to virtual networks that contain a private endpoint for the vault. <br><br> When using ACLΓÇÖed unmanaged disks, ensure the storage account containing the disks allows access to **trusted Microsoft services** if it's ACLΓÇÖed. | | **Azure Files backup** | Azure Files backups are stored in the local storage account. So it doesn't require private endpoints for backup and restore. | While private endpoints are enabled for the vault, they're used for backup and r As mentioned above, private endpoints are especially useful for backup of workloads (SQL, SAP HANA) in Azure VMs and MARS agent backups. -In all the scenarios (with or without private endpoints), both the workload extensions (for backup of SQL and SAP HANA instances running inside Azure VMs) and the MARS agent make connection calls to Azure AD (to FQDNs mentioned under sections 56 and 59 in [Microsoft 365 Common and Office Online](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online)). +In all the scenarios (with or without private endpoints), both the workload extensions (for backup of SQL and SAP HANA instances running inside Azure VMs) and the MARS agent make connection calls to Microsoft Entra ID (to FQDNs mentioned under sections 56 and 59 in [Microsoft 365 Common and Office Online](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online)). 
In addition to these connections when the workload extension or MARS agent is installed for recovery services vault *without private endpoints*, connectivity to the following domains is also required: In addition to these connections when the workload extension or MARS agent is in | | | | | Azure Backup | `*.backup.windowsazure.com` | 443 | | Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` <br><br> `*.storage.azure.net` | 443 |-| Azure Active Directory (Azure AD) | `*.australiacentral.r.login.microsoft.com` <br><br> [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). | 443 <br><br> As applicable | +| Microsoft Entra ID | `*.australiacentral.r.login.microsoft.com` <br><br> [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). | 443 <br><br> As applicable | When the workload extension or MARS agent is installed for Recovery Services vault with private endpoint, the following endpoints are hit: When the workload extension or MARS agent is installed for Recovery Services vau | | | | | Azure Backup | `*.privatelink.<geo>.backup.windowsazure.com` | 443 | | Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` <br><br> `*.storage.azure.net` | 443 | -| Azure Active Directory (Azure AD) |`*.australiacentral.r.login.microsoft.com` <br><br> [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). 
| 443 <br><br> As applicable | +| Microsoft Entra ID |`*.australiacentral.r.login.microsoft.com` <br><br> [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). | 443 <br><br> As applicable | >[!Note] >In the above text, `<geo>` refers to the region code (for example, **eus** for East US and **ne** for North Europe). Refer to the following lists for regions codes: The private endpoints for blobs and queues follow a standard naming pattern, the If you've configured a DNS proxy server, using third-party proxy servers or firewalls, the above domain names must be allowed and redirected to a custom DNS (which has DNS records for the above FQDNs) or to 168.63.129.16 on Azure virtual network which has private DNS zones linked to it. -The following example shows Azure firewall used as DNS proxy to redirect the domain name queries for Recovery Services vault, blob, queues and Azure AD to *168.63.129.16*. +The following example shows Azure firewall used as DNS proxy to redirect the domain name queries for Recovery Services vault, blob, queues and Microsoft Entra ID to *168.63.129.16*. :::image type="content" source="./media/private-endpoints-overview/azure-firewall-used-as-dns-proxy-inline.png" alt-text="Diagram showing the use of Azure firewall as DNS proxy to redirect the domain name queries." lightbox="./media/private-endpoints-overview/azure-firewall-used-as-dns-proxy-expanded.png"::: The following diagram shows how the resolution works when using a private DNS zo The workload extension running on Azure VM requires connection to at least two storage accounts - the first one is used as communication channel (via queue messages) and second one for storing backup data. The MARS agent requires access to one storage account used for storing backup data. 
-For a private endpoint enabled vault, the Azure Backup service creates private endpoint for these storage accounts. This prevents any network traffic related to Azure Backup (control plane traffic to service and backup data to storage blob) from leaving the virtual network. In addition to Azure Backup cloud services, the workload extension and agent require connectivity to Azure Storage accounts and Azure Active Directory (Azure AD). +For a private endpoint enabled vault, the Azure Backup service creates private endpoint for these storage accounts. This prevents any network traffic related to Azure Backup (control plane traffic to service and backup data to storage blob) from leaving the virtual network. In addition to Azure Backup cloud services, the workload extension and agent require connectivity to Azure Storage accounts and Microsoft Entra ID. As a pre-requisite, Recovery Services vault requires permissions for creating additional private endpoints in the same Resource Group. We also recommend providing the Recovery Services vault the permissions to create DNS entries in the private DNS zones (`privatelink.blob.core.windows.net`, `privatelink.queue.core.windows.net`). Recovery Services vault searches for private DNS zones in the resource groups where VNet and private endpoint are created. If it has the permissions to add DNS entries in these zones, theyΓÇÖll be created by the vault; otherwise, you must create them manually. |
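Review bot: in both endpoint tables the renamed Microsoft Entra ID row lists a single region-specific host, `*.australiacentral.r.login.microsoft.com`, beside the link to the general FQDN list, and nothing in the row says whether that host is one example of a regional `r.login.microsoft.com` pattern or a required entry for every vault. A reader in another region will either allow only the linked list, or only that one host, and miss the sign-in hosts their region actually uses. State the pattern (or drop the single host) so the allow rule can be written for any region, and add the `<geo>` convention from the note below to this row if it applies.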
backup | Private Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/private-endpoints.md | Once the private endpoints created for the vault in your VNet have been approved In the VM in the locked down network, ensure the following: -1. The VM should have access to Azure AD. +1. The VM should have access to Microsoft Entra ID. 2. Execute **nslookup** on the backup URL (`xxxxxxxx.privatelink.<geo>.backup.windowsazure.com`) from your VM, to ensure connectivity. This should return the private IP assigned in your virtual network. ### Configure backup To configure a proxy server for Azure VM or on-premises machine, follow these st | - | | - | | Azure Backup | *.backup.windowsazure.com | 443 | | Azure Storage | *.blob.core.windows.net <br><br> *.queue.core.windows.net <br><br> *.blob.storage.azure.net | 443 |- | Azure active directory <br><br> Updated domain URLs mentioned under sections 56 and 59 in [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). 
| *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com <br><br> 20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48 <br><br> *.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net | As applicable. | + | Microsoft Entra ID <br><br> Updated domain URLs mentioned under sections 56 and 59 in [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). 
| *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com <br><br> 20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48 <br><br> *.hip.live.com, *.microsoftonline.com, *.microsoftonline-p.com, *.msauth.net, *.msauthimages.net, *.msecnd.net, *.msftauth.net, *.msftauthimages.net, *.phonefactor.net, enterpriseregistration.windows.net, management.azure.com, policykeyservice.dc.ad.msft.net | As applicable. | 1. Allow access to these domains in the proxy server and link private DNS zone ( `*.privatelink.<geo>.backup.windowsazure.com`, `*.privatelink.blob.core.windows.net`, `*.privatelink.queue.core.windows.net`) with the VNET where proxy server is created or uses a custom DNS server with the respective DNS entries. <br><br> The VNET where proxy server is running and the VNET where private endpoint NIC is created should be peered, which would allow the proxy server to redirect the requests to private IP. |
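Review bot: the replacement Microsoft Entra ID row keeps the long inline list of sign-in FQDNs and IP ranges next to the link to the Microsoft 365 list it was copied from, so the page now carries two sources of truth for the proxy allow-list. The inline copy will drift from the linked list, and someone who builds firewall or proxy rules from the page ends up with either blocked backups or ranges that no longer belong to the service. Keep only the link, as the overview table in the previous row does, or mark the inline list with the date it was taken. Minor: `*.backup.windowsazure.com` and the storage hosts in this table are not in backticks, unlike the same entries in the overview table.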
backup | Restore Azure Sql Vm Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/restore-azure-sql-vm-rest-api.md | The recovery point is identified with the `{name}` field in the response above. To perform Cross-region restore, you will require an access token to enable proper communication between the Azure Backup services. To get an access token, follow these steps: -1. Use the [AAD Properties API](/rest/api/backup/aad-properties/get) to fetch Azure Active Directory (AAD) properties for the secondary region (*westus* in the below example). +1. Use the [Microsoft Entra Properties API](/rest/api/backup/aad-properties/get) to fetch Microsoft Entra properties for the secondary region (*westus* in the below example). ```http GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.RecoveryServices/locations/westus/backupAadProperties?api-version=2018-12-20 To perform Cross-region restore, you will require an access token to enable prop POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.RecoveryServices/vaults/{vaultName}/backupFabrics/{fabricName}/protectionContainers/{containerName}/protectedItems/{protectedItemName}/recoveryPoints/{recoveryPointId}/accessToken?api-version=2018-12-20 ``` - For the request body, paste the contents of the response returned by the AAD Properties API in the previous step. + For the request body, paste the contents of the response returned by the Microsoft Entra Properties API in the previous step. The response returned format is as follows: |
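Review bot: the renamed link text "Microsoft Entra Properties API" no longer matches the operation it points to: the link slug is `aad-properties` and the request path in the unchanged code block is `.../backupAadProperties`, so a reader who searches the REST reference for "Microsoft Entra Properties" will not find the operation. Keep the operation's own name alongside the new product name, for example "[AAD Properties API](/rest/api/backup/aad-properties/get) (Microsoft Entra properties)", and use the same wording in the request-body sentence below it.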
backup | Troubleshoot Azure Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/troubleshoot-azure-files.md | Recommended Actions: Ensure that the following configurations in the storage acc :::image type="content" source="./media/troubleshoot-azure-files/storage-account-network-configuration.png" alt-text="Screenshot shows the required networking details in a storage account." lightbox="./media/troubleshoot-azure-files/storage-account-network-configuration.png"::: -- Ensure that the target storage account has the following configuration: *Permitted scope for copy operations* is set to *From storage accounts in the same Azure AD tenant*.+- Ensure that the target storage account has the following configuration: *Permitted scope for copy operations* is set to *From storage accounts in the same Microsoft Entra tenant*. :::image type="content" source="./media/troubleshoot-azure-files/target-storage-account-configuration.png" alt-text="Screenshot shows the target storage account configuration." lightbox="./media/troubleshoot-azure-files/target-storage-account-configuration.png"::: Check if the backed-up file share is permanently deleted. If yes, stop the backu For more information about backing up Azure file shares, see: - [Back up Azure file shares](backup-afs.md)-- [Back up Azure file share FAQ](backup-azure-files-faq.yml)+- [Back up Azure file share FAQ](backup-azure-files-faq.yml) |
backup | Tutorial Backup Sap Hana Db | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/tutorial-backup-sap-hana-db.md | If you want to throttle backup service disk IOPS consumption to a maximum value, Running the pre-registration script performs the following functions: * Based on your Linux distribution, the script installs or updates any necessary packages required by the Azure Backup agent.-* It performs outbound network connectivity checks with Azure Backup servers and dependent services like Azure Active Directory and Azure Storage. +* It performs outbound network connectivity checks with Azure Backup servers and dependent services like Microsoft Entra ID and Azure Storage. * It logs into your HANA system using the custom user key or SYSTEM user key mentioned as part of the [prerequisites](#prerequisites). This is used to create a backup user (AZUREWLBACKUPHANAUSER) in the HANA system and the user key can be deleted after the pre-registration script runs successfully. _Note that the SYSTEM user key must not be deleted_. * It checks and warns if the */opt/msawb* folder is placed in the root partition and the root partition is 2 GB in size. The script recommends that you increase the root partition size to 4 GB or move the */opt/msawb* folder to a different location where it has space to grow to a maximum of 4 GB in size. Note that if you place the */opt/msawb* folder in the root partition of 2 GB size, this could lead to root partition getting full and causing the backups to fail. 
* AZUREWLBACKUPHANAUSER is assigned these required roles and permissions: Here's a summary of steps required for completing the pre-registration script ru | `<sid>`adm (OS) | HANA OS | Run the command:<br> `hdbuserstore List` | Check if the result includes the default store as below: <br><br> `KEY SYSTEM` <br> `ENV : <hostname>:3<Instance#>13` <br> `USER : SYSTEM` | | Root (OS) | HANA OS | Run the [Azure Backup HANA pre-registration script](https://go.microsoft.com/fwlink/?linkid=2173610). | `./msawb-plugin-config-com-sap-hana.sh -a --sid <SID> -n <Instance#> --system-key SYSTEM` | | `<sid>`adm (OS) | HANA OS | Run the command: <br> `hdbuserstore List` | Check if result includes new lines as below: <br><br> `KEY AZUREWLBACKUPHANAUSER` <br> `ENV : localhost: 3<Instance#>13` <br> `USER: AZUREWLBACKUPHANAUSER` |-| Azure Contributor | Azure portal | Configure NSG, NVA, Azure Firewall, and so on to allow outbound traffic to Azure Backup service, Azure AD, and Azure Storage. | [Set up network connectivity](backup-azure-sap-hana-database.md#establish-network-connectivity) | +| Azure Contributor | Azure portal | Configure NSG, NVA, Azure Firewall, and so on to allow outbound traffic to Azure Backup service, Microsoft Entra ID, and Azure Storage. | [Set up network connectivity](backup-azure-sap-hana-database.md#establish-network-connectivity) | | Azure Contributor | Azure portal | Create or open a Recovery Services vault and then select HANA backup. | Find all the target HANA VMs to back up. | | Azure Contributor | Azure portal | Discover HANA databases and configure backup policy. | For example: <br><br> Weekly backup: Every Sunday 2:00 AM, retention of weekly 12 weeks, monthly 12 months, yearly 3 years <br> Differential or incremental: Every day, except for Sunday <br> Log: every 15 minutes retained for 35 days | | Azure Contributor | Azure portal | Recovery Service vault ΓÇô Backup Items ΓÇô SAP HANA | Check backup jobs (Azure Workload). | |
batch | Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/accounts.md | An Azure Batch account is a uniquely identified entity within the Batch service. ## Batch accounts -All processing and resources are associated with a Batch account. When your application makes a request against the Batch service, it authenticates the request using the Azure Batch account name, the URL of the account, and either an access key or an Azure Active Directory token. +All processing and resources are associated with a Batch account. When your application makes a request against the Batch service, it authenticates the request using the Azure Batch account name, the URL of the account, and either an access key or a Microsoft Entra token. You can run multiple Batch workloads in a single Batch account. You can also distribute your workloads among Batch accounts that are in the same subscription but located in different Azure regions. |
batch | Batch Aad Auth Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-aad-auth-management.md | Title: Use Azure Active Directory to authenticate Batch Management solutions -description: Explore using Azure Active Directory to authenticate from applications that use the Batch Management .NET library. + Title: Use Microsoft Entra ID to authenticate Batch Management solutions +description: Explore using Microsoft Entra ID to authenticate from applications that use the Batch Management .NET library. Last updated 04/27/2017 -Applications that call the Azure Batch Management service authenticate with [Microsoft Authentication Library](../active-directory/develop/msal-overview.md) (Azure AD). Azure AD is Microsoft's multi-tenant cloud based directory and identity management service. Azure itself uses Azure AD for the authentication of its customers, service administrators, and organizational users. +Applications that call the Azure Batch Management service authenticate with [Microsoft Authentication Library](../active-directory/develop/msal-overview.md) (Microsoft Entra ID). Microsoft Entra ID is Microsoft's multi-tenant cloud based directory and identity management service. Azure itself uses Microsoft Entra ID for the authentication of its customers, service administrators, and organizational users. -The Batch Management .NET library exposes types for working with Batch accounts, account keys, applications, and application packages. The Batch Management .NET library is an Azure resource provider client, and is used together with [Azure Resource Manager](../azure-resource-manager/management/overview.md) to manage these resources programmatically. Azure AD is required to authenticate requests made through any Azure resource provider client, including the Batch Management .NET library, and through Azure Resource Manager. 
+The Batch Management .NET library exposes types for working with Batch accounts, account keys, applications, and application packages. The Batch Management .NET library is an Azure resource provider client, and is used together with [Azure Resource Manager](../azure-resource-manager/management/overview.md) to manage these resources programmatically. Microsoft Entra ID is required to authenticate requests made through any Azure resource provider client, including the Batch Management .NET library, and through Azure Resource Manager. -In this article, we explore using Azure AD to authenticate from applications that use the Batch Management .NET library. We show how to use Azure AD to authenticate a subscription administrator or co-administrator, using integrated authentication. We use the [AccountManagement](https://github.com/Azure/azure-batch-samples/tree/master/CSharp/AccountManagement) sample project, available on GitHub, to walk through using Azure AD with the Batch Management .NET library. +In this article, we explore using Microsoft Entra ID to authenticate from applications that use the Batch Management .NET library. We show how to use Microsoft Entra ID to authenticate a subscription administrator or co-administrator, using integrated authentication. We use the [AccountManagement](https://github.com/Azure/azure-batch-samples/tree/master/CSharp/AccountManagement) sample project, available on GitHub, to walk through using Microsoft Entra ID with the Batch Management .NET library. To learn more about using the Batch Management .NET library and the AccountManagement sample, see [Manage Batch accounts and quotas with the Batch Management client library for .NET](batch-management-dotnet.md). 
-## Register your application with Azure AD +<a name='register-your-application-with-azure-ad'></a> -The [Microsoft Authentication Library](../active-directory/develop/msal-authentication-flows.md) (MSAL) provides a programmatic interface to Azure AD for use within your applications. To call MSAL from your application, you must register your application in an Azure AD tenant. When you register your application, you supply Azure AD with information about your application, including a name for it within the Azure AD tenant. Azure AD then provides an application ID that you use to associate your application with Azure AD at runtime. To learn more about the application ID, see [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md). +## Register your application with Microsoft Entra ID -To register the AccountManagement sample application, follow the steps in the [Adding an Application](../active-directory/develop/quickstart-register-app.md) section in [Integrating applications with Azure Active Directory](../active-directory/develop/quickstart-register-app.md). Specify **Native Client Application** for the type of application. The industry standard OAuth 2.0 URI for the **Redirect URI** is `urn:ietf:wg:oauth:2.0:oob`. However, you can specify any valid URI (such as `http://myaccountmanagementsample`) for the **Redirect URI**, as it does not need to be a real endpoint. +The [Microsoft Authentication Library](../active-directory/develop/msal-authentication-flows.md) (MSAL) provides a programmatic interface to Microsoft Entra ID for use within your applications. To call MSAL from your application, you must register your application in a Microsoft Entra tenant. When you register your application, you supply Microsoft Entra ID with information about your application, including a name for it within the Microsoft Entra tenant. 
Microsoft Entra ID then provides an application ID that you use to associate your application with Microsoft Entra ID at runtime. To learn more about the application ID, see [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md). ++To register the AccountManagement sample application, follow the steps in the [Adding an Application](../active-directory/develop/quickstart-register-app.md) section in [Integrating applications with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md). Specify **Native Client Application** for the type of application. The industry standard OAuth 2.0 URI for the **Redirect URI** is `urn:ietf:wg:oauth:2.0:oob`. However, you can specify any valid URI (such as `http://myaccountmanagementsample`) for the **Redirect URI**, as it does not need to be a real endpoint. ![Adding an application](./media/batch-aad-auth-management/app-registration-management-plane.png) Once you complete the registration process, you'll see the application ID and th ## Grant the Azure Resource Manager API access to your application -Next, you'll need to delegate access to your application to the Azure Resource Manager API. The Azure AD identifier for the Resource Manager API is **Windows Azure Service Management API**. +Next, you'll need to delegate access to your application to the Azure Resource Manager API. The Microsoft Entra identifier for the Resource Manager API is **Windows Azure Service Management API**. Follow these steps in the Azure portal: Follow these steps in the Azure portal: 6. In step 2, select the check box next to **Access Azure classic deployment model as organization users**, and click the **Select** button. 7. Click the **Done** button. -The **Required Permissions** blade now shows that permissions to your application are granted to both the MSAL and Resource Manager APIs. 
Permissions are granted to MSAL by default when you first register your app with Azure AD. +The **Required Permissions** blade now shows that permissions to your application are granted to both the MSAL and Resource Manager APIs. Permissions are granted to MSAL by default when you first register your app with Microsoft Entra ID. ![Delegate permissions to the Azure Resource Manager API](./media/batch-aad-auth-management/required-permissions-management-plane.png) -## Azure AD endpoints +<a name='azure-ad-endpoints'></a> ++## Microsoft Entra endpoints -To authenticate your Batch Management solutions with Azure AD, you'll need two well-known endpoints. +To authenticate your Batch Management solutions with Microsoft Entra ID, you'll need two well-known endpoints. -- The **Azure AD common endpoint** provides a generic credential gathering interface when a specific tenant is not provided, as in the case of integrated authentication:+- The **Microsoft Entra common endpoint** provides a generic credential gathering interface when a specific tenant is not provided, as in the case of integrated authentication: `https://login.microsoftonline.com/common` private const string ResourceUri = "https://management.core.windows.net/"; ## Reference your application ID -Your client application uses the application ID (also referred to as the client ID) to access Azure AD at runtime. Once you've registered your application in the Azure portal, update your code to use the application ID provided by Azure AD for your registered application. In the AccountManagement sample application, copy your application ID from the Azure portal to the appropriate constant: +Your client application uses the application ID (also referred to as the client ID) to access Microsoft Entra ID at runtime. Once you've registered your application in the Azure portal, update your code to use the application ID provided by Microsoft Entra ID for your registered application. 
In the AccountManagement sample application, copy your application ID from the Azure portal to the appropriate constant: ```csharp // Specify the unique identifier (the "Client ID") for your application. This is required so that your Also copy the redirect URI that you specified during the registration process. T private const string RedirectUri = "http://myaccountmanagementsample"; ``` -## Acquire an Azure AD authentication token +<a name='acquire-an-azure-ad-authentication-token'></a> ++## Acquire a Microsoft Entra authentication token -After you register the AccountManagement sample in the Azure AD tenant and update the sample source code with your values, the sample is ready to authenticate using Azure AD. When you run the sample, the MSAL attempts to acquire an authentication token. At this step, it prompts you for your Microsoft credentials: +After you register the AccountManagement sample in the Microsoft Entra tenant and update the sample source code with your values, the sample is ready to authenticate using Microsoft Entra ID. When you run the sample, the MSAL attempts to acquire an authentication token. At this step, it prompts you for your Microsoft credentials: ```csharp // Obtain an access token using the "common" AAD resource. This allows the application After you provide your credentials, the sample application can proceed to issue ## Next steps - For more information on running the [AccountManagement sample application](https://github.com/Azure/azure-batch-samples/tree/master/CSharp/AccountManagement), see [Manage Batch accounts and quotas with the Batch Management client library for .NET](batch-management-dotnet.md).-- To learn more about Azure AD, see the [Azure Active Directory Documentation](../active-directory/index.yml).+- To learn more about Microsoft Entra ID, see the [Microsoft Entra Documentation](../active-directory/index.yml). 
- In-depth examples showing how to use MSAL are available in the [Azure Code Samples](https://azure.microsoft.com/resources/samples/?service=active-directory) library.-- To authenticate Batch service applications using Azure AD, see [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md).+- To authenticate Batch service applications using Microsoft Entra ID, see [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). |
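Review bot: the rename at the top of the article preserves a conflation: "authenticate with [Microsoft Authentication Library](../active-directory/develop/msal-overview.md) (Microsoft Entra ID)" presents MSAL and Microsoft Entra ID as the same thing, where MSAL is the client library and Microsoft Entra ID is the identity service it talks to. Suggest "authenticate with Microsoft Entra ID by using the [Microsoft Authentication Library](../active-directory/develop/msal-overview.md) (MSAL)". The same slip recurs in "permissions to your application are granted to both the MSAL and Resource Manager APIs" and "Permissions are granted to MSAL by default"; the batch-aad-auth.md change in this digest names the default grant correctly as Microsoft Graph.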
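Review bot: two old names survive the rename in the last hunks: the code comment `// Obtain an access token using the "common" AAD resource` and the Next steps link text "[Authenticate Batch service solutions with Active Directory](batch-aad-auth.md)", whose target article is retitled "Authenticate Azure Batch services with Microsoft Entra ID" in the next row of this digest. Update the comment to say "Microsoft Entra" and the link text to the new title so the two articles agree.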
batch | Batch Aad Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-aad-auth.md | Title: Authenticate Azure Batch services with Azure Active Directory -description: Learn how to authenticate Azure Batch service applications with Azure AD by using integrated authentication or a service principal. + Title: Authenticate Azure Batch services with Microsoft Entra ID +description: Learn how to authenticate Azure Batch service applications with Microsoft Entra ID by using integrated authentication or a service principal. Last updated 04/03/2023 -# Authenticate Azure Batch services with Azure Active Directory +# Authenticate Azure Batch services with Microsoft Entra ID -Azure Batch supports authentication with [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) (Azure AD), Microsoft's multi-tenant cloud based directory and identity management service. Azure uses Azure AD to authenticate its own customers, service administrators, and organizational users. +Azure Batch supports authentication with [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis), Microsoft's multi-tenant cloud based directory and identity management service. Azure uses Microsoft Entra ID to authenticate its own customers, service administrators, and organizational users. -This article describes two ways to use Azure AD authentication with Azure Batch: +This article describes two ways to use Microsoft Entra authentication with Azure Batch: - **Integrated authentication** authenticates a user who's interacting with an application. The application gathers a user's credentials and uses those credentials to authorize access to Batch resources. - A **service principal** authenticates an unattended application. The service principal defines the policy and permissions for the application and represents the application to access Batch resources at runtime. 
-For more information about Azure AD, see the [Azure AD documentation](/azure/active-directory/index). +For more information about Microsoft Entra ID, see the [Microsoft Entra documentation](/azure/active-directory/index). ## Gather endpoints for authentication -To authenticate Batch applications with Azure AD, you need to include the Azure AD endpoint and Batch resource endpoint in your code. +To authenticate Batch applications with Microsoft Entra ID, you need to include the Microsoft Entra endpoint and Batch resource endpoint in your code. -### Azure AD endpoint +<a name='azure-ad-endpoint'></a> -The base Azure AD authority endpoint is `https://login.microsoftonline.com/`. To authenticate with Azure AD, use this endpoint with the *tenant ID* that identifies the Azure AD tenant to use for authentication: +### Microsoft Entra endpoint ++The base Microsoft Entra authority endpoint is `https://login.microsoftonline.com/`. To authenticate with Microsoft Entra ID, use this endpoint with the *tenant ID* that identifies the Microsoft Entra tenant to use for authentication: `https://login.microsoftonline.com/<tenant-id>` -You can get your tenant ID from the main Azure AD page in the Azure portal. You can also select **Properties** in the left navigation and see the **Tenant ID** on the **Properties** page. +You can get your tenant ID from the main Microsoft Entra ID page in the Azure portal. You can also select **Properties** in the left navigation and see the **Tenant ID** on the **Properties** page. ![Screenshot of the Tenant ID in the Azure portal.](./media/batch-aad-auth/aad-directory-id.png) >[!IMPORTANT]->- The tenant-specific Azure AD endpoint is required when you authenticate by using a service principal. +>- The tenant-specific Microsoft Entra endpoint is required when you authenticate by using a service principal. >->- When you authenticate by using integrated authentication, the tenant-specific endpoint is recommended, but optional. 
You can also use the Azure AD common endpoint to provide a generic credential gathering interface when a specific tenant isn't provided. The common endpoint is `https://login.microsoftonline.com/common`. +>- When you authenticate by using integrated authentication, the tenant-specific endpoint is recommended, but optional. You can also use the Microsoft Entra common endpoint to provide a generic credential gathering interface when a specific tenant isn't provided. The common endpoint is `https://login.microsoftonline.com/common`. >->For more information about Azure AD endpoints, see [Authentication vs. authorization](/azure/active-directory/develop/authentication-vs-authorization). +>For more information about Microsoft Entra endpoints, see [Authentication vs. authorization](/azure/active-directory/develop/authentication-vs-authorization). ### Batch resource endpoint Use the Batch resource endpoint `https://batch.core.windows.net/` to acquire a t ## Register your application with a tenant -The first step in using Azure AD authentication is to register your application in an Azure AD tenant. Once you register your application, you can call the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) (MSAL) from your code. The MSAL provides an API for authenticating with Azure AD from your application. Registering your application is required whether you use integrated authentication or a service principal. +The first step in using Microsoft Entra authentication is to register your application in a Microsoft Entra tenant. Once you register your application, you can call the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) (MSAL) from your code. The MSAL provides an API for authenticating with Microsoft Entra ID from your application. Registering your application is required whether you use integrated authentication or a service principal. 
-When you register your application, you supply information about your application to Azure AD. Azure AD then provides an *application ID*, also called a *client ID*, that you use to associate your application with Azure AD at runtime. For more information about the application ID, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals). +When you register your application, you supply information about your application to Microsoft Entra ID. Microsoft Entra ID then provides an *application ID*, also called a *client ID*, that you use to associate your application with Microsoft Entra ID at runtime. For more information about the application ID, see [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/app-objects-and-service-principals). To register your Batch application, follow the steps at [Register an application](/azure/active-directory/develop/quickstart-register-app#register-an-application). After you register your application, you can see the **Application (client) ID** ## Configure integrated authentication -To authenticate with integrated authentication, you need to grant your application permission to connect to the Batch service API. This step enables your application to use Azure AD to authenticate calls to the Batch service API. +To authenticate with integrated authentication, you need to grant your application permission to connect to the Batch service API. This step enables your application to use Microsoft Entra ID to authenticate calls to the Batch service API. After you register your application, follow these steps to grant the application access to the Batch service: After you register your application, follow these steps to grant the application 1. On the **Request API permissions** page, select **Azure Batch**. 1. 
On the **Azure Batch** page, under **Select permissions**, select the checkbox next to **user_impersonation**, and then select **Add permissions**. -The **API permissions** page now shows that your Azure AD application has access to both **Microsoft Graph** and **Azure Batch**. Permissions are granted to Microsoft Graph automatically when you register an app with Azure AD. +The **API permissions** page now shows that your Microsoft Entra application has access to both **Microsoft Graph** and **Azure Batch**. Permissions are granted to Microsoft Graph automatically when you register an app with Microsoft Entra ID. ## Configure a service principal -To authenticate an application that runs unattended, you use a service principal. When your application authenticates by using a service principal, it sends both the application ID and a secret key to Azure AD. +To authenticate an application that runs unattended, you use a service principal. When your application authenticates by using a service principal, it sends both the application ID and a secret key to Microsoft Entra ID. After you register your application, follow these steps in the Azure portal to configure a service principal: Your application should now appear on the **Role assignments** tab of the Batch A custom role grants granular permission to a user for submitting jobs, tasks, and more. You can use custom roles to prevent users from performing operations that affect cost, such as creating pools or modifying nodes. 
-You can use a custom role to grant or deny permissions to an Azure AD user, group, or service principal for the following Azure Batch RBAC operations: +You can use a custom role to grant or deny permissions to a Microsoft Entra user, group, or service principal for the following Azure Batch RBAC operations: - Microsoft.Batch/batchAccounts/pools/write - Microsoft.Batch/batchAccounts/pools/delete You can use a custom role to grant or deny permissions to an Azure AD user, grou - Microsoft.Batch/batchAccounts/read, for any read operation - Microsoft.Batch/batchAccounts/listKeys/action, for any operation -Custom roles are for users authenticated by Azure AD, not for the Batch shared key account credentials. The Batch account credentials give full permission to the Batch account. Jobs that use [autopool](nodes-and-pools.md#autopools) require pool-level permissions. +Custom roles are for users authenticated by Microsoft Entra ID, not for the Batch shared key account credentials. The Batch account credentials give full permission to the Batch account. Jobs that use [autopool](nodes-and-pools.md#autopools) require pool-level permissions. > [!NOTE] > Certain role assignments need to be specified in the `actions` field, whereas others need to be specified in the `dataActions` field. For more information, see [Azure resource provider operations](/azure/role-based-access-control/resource-provider-operations#microsoftbatch). For more information on creating a custom role, see [Azure custom roles](../role ## Code examples -The code examples in this section show how to authenticate with Azure AD by using integrated authentication or with a service principal. The code examples use .NET and Python, but the concepts are similar for other languages. +The code examples in this section show how to authenticate with Microsoft Entra ID by using integrated authentication or with a service principal. The code examples use .NET and Python, but the concepts are similar for other languages. 
> [!NOTE]-> An Azure AD authentication token expires after one hour. When you use a long-lived **BatchClient** object, it's best to get a token from MSAL on every request to ensure that you always have a valid token. +> A Microsoft Entra authentication token expires after one hour. When you use a long-lived **BatchClient** object, it's best to get a token from MSAL on every request to ensure that you always have a valid token. >-> To do this in .NET, write a method that retrieves the token from Azure AD, and pass that method to a **BatchTokenCredentials** object as a delegate. Every request to the Batch service calls the delegate method to ensure that a valid token is provided. By default MSAL caches tokens, so a new token is retrieved from Azure AD only when necessary. For more information about tokens in Azure AD, see [Security tokens](/azure/active-directory/develop/security-tokens). +> To do this in .NET, write a method that retrieves the token from Microsoft Entra ID, and pass that method to a **BatchTokenCredentials** object as a delegate. Every request to the Batch service calls the delegate method to ensure that a valid token is provided. By default MSAL caches tokens, so a new token is retrieved from Microsoft Entra-only when necessary. For more information about tokens in Microsoft Entra ID, see [Security tokens](/azure/active-directory/develop/security-tokens). ++<a name='code-example-use-azure-ad-integrated-authentication-with-batch-net'></a> -### Code example: Use Azure AD integrated authentication with Batch .NET +### Code example: Use Microsoft Entra integrated authentication with Batch .NET To authenticate with integrated authentication from Batch .NET: To authenticate with integrated authentication from Batch .NET: using Microsoft.Identity.Client; ``` -1. Reference the Azure AD endpoint, including the tenant ID. You can get your tenant ID from the Azure AD **Overview** page in the Azure portal. +1. 
Reference the Microsoft Entra endpoint, including the tenant ID. You can get your tenant ID from the Microsoft Entra ID **Overview** page in the Azure portal. ```csharp private const string AuthorityUri = "https://login.microsoftonline.com/<tenant-id>"; To authenticate with integrated authentication from Batch .NET: private const string RedirectUri = "https://<redirect-uri>"; ``` -1. Write a callback method to acquire the authentication token from Azure AD. The following example calls MSAL to authenticate a user who's interacting with the application. The MSAL [IConfidentialClientApplication.AcquireTokenByAuthorizationCode](/dotnet/api/microsoft.identity.client.iconfidentialclientapplication.acquiretokenbyauthorizationcode) method prompts the user for their credentials. The application proceeds once the user provides credentials. +1. Write a callback method to acquire the authentication token from Microsoft Entra ID. The following example calls MSAL to authenticate a user who's interacting with the application. The MSAL [IConfidentialClientApplication.AcquireTokenByAuthorizationCode](/dotnet/api/microsoft.identity.client.iconfidentialclientapplication.acquiretokenbyauthorizationcode) method prompts the user for their credentials. The application proceeds once the user provides credentials. The *authorizationCode* parameter is the authorization code obtained from the authorization server after the user authenticates. `WithRedirectUri` specifies the redirect URI that the authorization server redirects the user to after authentication. 
To authenticate with integrated authentication from Batch .NET: } ``` -### Code example: Use an Azure AD service principal with Batch .NET +<a name='code-example-use-an-azure-ad-service-principal-with-batch-net'></a> ++### Code example: Use a Microsoft Entra service principal with Batch .NET To authenticate with a service principal from Batch .NET: To authenticate with a service principal from Batch .NET: using Microsoft.Identity.Client; ``` -1. Reference the Azure AD endpoint, including the tenant ID. When you use a service principal, you must provide a tenant-specific endpoint. You can get your tenant ID from the Azure AD **Overview** page in the Azure portal. +1. Reference the Microsoft Entra endpoint, including the tenant ID. When you use a service principal, you must provide a tenant-specific endpoint. You can get your tenant ID from the Microsoft Entra ID **Overview** page in the Azure portal. ```csharp private const string AuthorityUri = "https://login.microsoftonline.com/<tenant-id>"; To authenticate with a service principal from Batch .NET: private const string ClientKey = "<secret-key>"; ``` -1. Write a callback method to acquire the authentication token from Azure AD. The following [ConfidentialClientApplicationBuilder.Create](/dotnet/api/microsoft.identity.client.confidentialclientapplicationbuilder.create) method calls MSAL for unattended authentication. +1. Write a callback method to acquire the authentication token from Microsoft Entra ID. The following [ConfidentialClientApplicationBuilder.Create](/dotnet/api/microsoft.identity.client.confidentialclientapplicationbuilder.create) method calls MSAL for unattended authentication. 
```csharp public static async Task<string> GetAccessToken(string[] scopes) To authenticate with a service principal from Batch .NET: } ``` -### Code example: Use an Azure AD service principal with Batch Python +<a name='code-example-use-an-azure-ad-service-principal-with-batch-python'></a> ++### Code example: Use a Microsoft Entra service principal with Batch Python To authenticate with a service principal from Batch Python: To authenticate with a service principal from Batch Python: from azure.common.credentials import ServicePrincipalCredentials ``` -1. To use a service principal, provide a tenant-specific endpoint. You can get your tenant ID from the Azure AD **Overview** page or **Properties** page in the Azure portal. +1. To use a service principal, provide a tenant-specific endpoint. You can get your tenant ID from the Microsoft Entra ID **Overview** page or **Properties** page in the Azure portal. ```python TENANT_ID = "<tenant-id>" To authenticate with a service principal from Batch Python: ) ``` -For a Python example of how to create a Batch client authenticated by using an Azure AD token, see the [Deploying Azure Batch Custom Image with a Python Script sample](https://github.com/azurebigcompute/recipes/blob/master/Azure%20Batch/CustomImages/CustomImagePython.md). +For a Python example of how to create a Batch client authenticated by using a Microsoft Entra token, see the [Deploying Azure Batch Custom Image with a Python Script sample](https://github.com/azurebigcompute/recipes/blob/master/Azure%20Batch/CustomImages/CustomImagePython.md). 
## Next steps - [Authenticate Batch Management solutions with Active Directory](batch-aad-auth-management.md) - [Client credential flows in MSAL.NET](/entra/msal/dotnet/acquiring-tokens/web-apps-apis/client-credential-flows) - [Using MSAL.NET to get tokens by authorization code (for web sites)](/entra/msal/dotnet/acquiring-tokens/web-apps-apis/authorization-codes)-- [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals)-- [How to create an Azure AD application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal)+- [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/app-objects-and-service-principals) +- [How to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal) - [Microsoft identity platform code samples](/azure/active-directory/develop/sample-v2-code) |
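Review bot: the NOTE hunk under "Code examples" introduces a stray hyphen: "a new token is retrieved from Microsoft Entra-only when necessary" now reads as if "Entra-only" were a product name. The rest of the same hunk uses "Microsoft Entra ID", so this should be "retrieved from Microsoft Entra ID only when necessary".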
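Review bot: the integrated-authentication step now contradicts itself; the sentence kept from the old text says `AcquireTokenByAuthorizationCode` "prompts the user for their credentials", while the sentence added in this hunk correctly describes the *authorizationCode* parameter as "the authorization code obtained from the authorization server after the user authenticates". The method redeems a code the application already holds, and the credential prompt happens earlier, when the user is redirected to the Microsoft Entra authority and sent back to the *RedirectUri*. Suggest replacing the first sentence with something like "The following example redeems an authorization code for a token after the user has signed in at the Microsoft Entra endpoint" and dropping the claim that the method itself prompts.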
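Review bot: the service-principal hunk still presents the secret as a compile-time constant, `private const string ClientKey = "<secret-key>";`, immediately after stating that the application "sends both the application ID and a secret key to Microsoft Entra ID". Since this step is being edited anyway, add a one-line caution that the client secret must not be embedded in source or committed, and that it should be read at run time from a secret store or an environment variable.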
batch | Batch Account Create Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-account-create-portal.md | On your Batch account page, you can access all account settings and properties f :::image type="content" source="media/batch-account-create-portal/batch-account-keys.png" alt-text="Screenshot of Batch account keys in the Azure portal."::: - Batch also supports Azure Active Directory (Azure AD) authentication. User subscription mode Batch accounts must be accessed by using Azure AD. For more information, see [Authenticate Azure Batch services with Azure Active Directory](batch-aad-auth.md). + Batch also supports Microsoft Entra authentication. User subscription mode Batch accounts must be accessed by using Microsoft Entra ID. For more information, see [Authenticate Azure Batch services with Microsoft Entra ID](batch-aad-auth.md). - To view the name and keys of the storage account associated with your Batch account, select **Storage account**. |
batch | Batch Apis Tools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-apis-tools.md | You can efficiently process large-scale workloads for your organization, or prov When you develop Batch solutions, you use the following accounts in your Azure subscription: -- **Batch account**: Azure Batch resources, including pools, compute nodes, jobs, and tasks, are associated with an Azure [Batch account](accounts.md). When your application makes a request against the Batch service, it authenticates the request using the Azure Batch account name, the URL of the account, and either an access key or an Azure Active Directory token. You can [create a Batch account](batch-account-create-portal.md) in the Azure portal or programmatically.+- **Batch account**: Azure Batch resources, including pools, compute nodes, jobs, and tasks, are associated with an Azure [Batch account](accounts.md). When your application makes a request against the Batch service, it authenticates the request using the Azure Batch account name, the URL of the account, and either an access key or a Microsoft Entra token. You can [create a Batch account](batch-account-create-portal.md) in the Azure portal or programmatically. - **Storage account**: Batch includes built-in support for working with files in [Azure Storage](../storage/index.yml). Nearly every Batch scenario uses Azure Blob storage for staging the programs that your tasks run and the data that they process, and for the storage of output data that they generate. Each Batch account is usually associated with a corresponding storage account. ## Service-level and management-level APIs |
batch | Batch Cli Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-cli-get-started.md | az login Next, sign in to your Batch account in the Azure CLI using the [az batch account login](/cli/azure/batch/account#az-batch-account-login) command. This step gives you access to Batch service commands. Then, you can manage Batch resources like pools, jobs, and tasks. -You can authenticate your Batch account in the Azure CLI in two ways. The default method is to [authenticate using Azure AD](#authenticate-with-azure-ad). We recommend using this method in most scenarios. Another option is to [use Shared Key authentication](#authenticate-with-shared-key). +You can authenticate your Batch account in the Azure CLI in two ways. The default method is to [authenticate using Microsoft Entra ID](#authenticate-with-azure-ad). We recommend using this method in most scenarios. Another option is to [use Shared Key authentication](#authenticate-with-shared-key). If you're creating Azure CLI scripts to automate Batch commands, you can use either authentication method. In some scenarios, Shared Key authentication might be simpler than creating a service principal. -#### Authenticate with Azure AD +<a name='authenticate-with-azure-ad'></a> -The default method for authenticating with your Batch account is through Azure AD. When you [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli) interactively or with a service principal, you can use those same cached credentials to sign you into your Batch account with Azure AD. This authentication method also offers Azure role-based access control (Azure RBAC). With Azure RBAC, user access depends on their assigned role, not account keys. You only need to manage the Azure roles, not account keys. Azure AD then handles access and authentication. +#### Authenticate with Microsoft Entra ID -To sign in to your Batch account with Azure AD, run `az batch login`. 
Make sure to include the require parameters for your Batch account's name (`-n`), and your resource group's name (`-g`). +The default method for authenticating with your Batch account is through Microsoft Entra ID. When you [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli) interactively or with a service principal, you can use those same cached credentials to sign you into your Batch account with Microsoft Entra ID. This authentication method also offers Azure role-based access control (Azure RBAC). With Azure RBAC, user access depends on their assigned role, not account keys. You only need to manage the Azure roles, not account keys. Microsoft Entra ID then handles access and authentication. ++To sign in to your Batch account with Microsoft Entra ID, run `az batch login`. Make sure to include the require parameters for your Batch account's name (`-n`), and your resource group's name (`-g`). ```azurecli-interactive az batch account login -g <your-resource-group> -n <your-batch-account> |
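Review bot: the `+` line "Make sure to include the require parameters for your Batch account's name (`-n`), and your resource group's name (`-g`)" carries a typo over from the old text; since the line is rewritten in this hunk, change "require" to "required" and drop the comma before "and". In the same hunk, "use those same cached credentials to sign you into your Batch account" is awkward; "to sign in to your Batch account" matches the "sign in to your Batch account" wording used in the following paragraph.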
batch | Batch Custom Image Pools To Azure Compute Gallery Migration Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-custom-image-pools-to-azure-compute-gallery-migration-guide.md | For more information about this process, see See the [considerations for large pools](batch-sig-images.md#considerations-for-large-pools). -- Can I use Azure Compute Gallery images in different subscriptions or in different Azure AD tenants?+- Can I use Azure Compute Gallery images in different subscriptions or in different Microsoft Entra tenants? - If the Shared Image isn't in the same subscription as the Batch account, you must register the `Microsoft.Batch` resource provider for that subscription. The two subscriptions must be in the same Azure AD tenant. The image can be in a different region as long as it has replicas in the same region as your Batch account. + If the Shared Image isn't in the same subscription as the Batch account, you must register the `Microsoft.Batch` resource provider for that subscription. The two subscriptions must be in the same Microsoft Entra tenant. The image can be in a different region as long as it has replicas in the same region as your Batch account. ## Next steps |
batch | Batch Custom Images | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-custom-images.md | This topic explains how to create a custom image pool using only a managed image - To create a pool with the image using the Batch APIs, specify the **resource ID** of the image, which is of the form `/subscriptions/xxxx-xxxxxx-xxxxx-xxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/myImage`. - The managed image resource should exist for the lifetime of the pool to allow scale-up and can be removed after the pool is deleted. -- **Azure Active Directory (Azure AD) authentication**. The Batch client API must use Azure AD authentication. Azure Batch support for Azure AD is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md).+- **Microsoft Entra authentication**. The Batch client API must use Microsoft Entra authentication. Azure Batch support for Microsoft Entra ID is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). ## Prepare a managed image To create a managed image from a snapshot, use Azure command-line tools such as Once you have found the resource ID of your managed image, create a custom image pool from that image. The following steps show you how to create a custom image pool using either Batch Service or Batch Management. > [!NOTE]-> Make sure that the identity you use for Azure AD authentication has permissions to the image resource. See [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). +> Make sure that the identity you use for Microsoft Entra authentication has permissions to the image resource. See [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). > > The resource for the managed image must exist for the lifetime of the pool. If the underlying resource is deleted, the pool cannot be scaled. |
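Review bot: both link titles in this hunk, in the prerequisites bullet and in the NOTE, are left as "Authenticate Batch service solutions with Active Directory" while the surrounding prose is renamed to Microsoft Entra; the target article batch-aad-auth.md is retitled "Authenticate Azure Batch services with Microsoft Entra ID" in the batch-account-create-portal change above, so these titles should follow it. The same stale title appears in the batch-pool-no-public-ip hunk below.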
batch | Batch Management Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-management-dotnet.md | You can lower maintenance overhead in your Azure Batch applications by using the - **Create and delete Batch accounts** within any region. If, as an independent software vendor (ISV) for example, you provide a service for your clients in which each is assigned a separate Batch account for billing purposes, you can add account creation and deletion capabilities to your customer portal. - **Retrieve and regenerate account keys** programmatically for any of your Batch accounts. This can help you comply with security policies that enforce periodic rollover or expiry of account keys. When you have several Batch accounts in various Azure regions, automation of this rollover process increases your solution's efficiency. - **Check account quotas** and take the trial-and-error guesswork out of determining which Batch accounts have what limits. By checking your account quotas before starting jobs, creating pools, or adding compute nodes, you can proactively adjust where or when these compute resources are created. You can determine which accounts require quota increases before allocating additional resources in those accounts.-- **Combine features of other Azure services** for a full-featured management experience by using Batch Management .NET, [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md), and the [Azure Resource Manager](../azure-resource-manager/management/overview.md) together in the same application. 
By using these features and their APIs, you can provide a frictionless authentication experience, the ability to create and delete resource groups, and the capabilities that are described above for an end-to-end management solution.+- **Combine features of other Azure services** for a full-featured management experience by using Batch Management .NET, [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md), and the [Azure Resource Manager](../azure-resource-manager/management/overview.md) together in the same application. By using these features and their APIs, you can provide a frictionless authentication experience, the ability to create and delete resource groups, and the capabilities that are described above for an end-to-end management solution. > [!NOTE] > While this article focuses on the programmatic management of your Batch accounts, keys, and quotas, you can also perform many of these activities by [using the Azure portal](batch-account-create-portal.md). await batchManagementClient.Account.DeleteAsync("MyResourceGroup", account.Name) ``` > [!NOTE]-> Applications that use the Batch Management .NET library and its BatchManagementClient class require service administrator or coadministrator access to the subscription that owns the Batch account to be managed. For more information, see the Azure Active Directory section and the [AccountManagement](https://github.com/Azure-Samples/azure-batch-samples/tree/master/CSharp/AccountManagement) code sample. +> Applications that use the Batch Management .NET library and its BatchManagementClient class require service administrator or coadministrator access to the subscription that owns the Batch account to be managed. For more information, see the Microsoft Entra ID section and the [AccountManagement](https://github.com/Azure-Samples/azure-batch-samples/tree/master/CSharp/AccountManagement) code sample. 
## Retrieve and regenerate account keys Console.WriteLine("Active job and job schedule quota: {0}", account.Properties.A > [!IMPORTANT] > While there are default quotas for Azure subscriptions and services, many of these limits can be raised by [requesting a quota increase in the Azure portal](batch-quota-limit.md#increase-a-quota). -## Use Azure AD with Batch Management .NET +<a name='use-azure-ad-with-batch-management-net'></a> -The Batch Management .NET library is an Azure resource provider client, and is used together with [Azure Resource Manager](../azure-resource-manager/management/overview.md) to manage account resources programmatically. Azure AD is required to authenticate requests made through any Azure resource provider client, including the Batch Management .NET library, and through Azure Resource Manager. For information about using Azure AD with the Batch Management .NET library, see [Use Azure Active Directory to authenticate Batch solutions](batch-aad-auth.md). +## Use Microsoft Entra ID with Batch Management .NET ++The Batch Management .NET library is an Azure resource provider client, and is used together with [Azure Resource Manager](../azure-resource-manager/management/overview.md) to manage account resources programmatically. Microsoft Entra ID is required to authenticate requests made through any Azure resource provider client, including the Batch Management .NET library, and through Azure Resource Manager. For information about using Microsoft Entra ID with the Batch Management .NET library, see [Use Microsoft Entra ID to authenticate Batch solutions](batch-aad-auth.md). ## Sample project on GitHub To see Batch Management .NET in action, check out the [AccountManagement](https://github.com/Azure/azure-batch-samples/tree/master/CSharp/AccountManagement) sample project on GitHub. The AccountManagement sample application demonstrates the following operations: -1. 
Acquire a security token from Azure AD by using [Acquire and cache tokens using the Microsoft Authentication Library (MSAL)](../active-directory/develop/msal-net-acquire-token-silently.md). If the user is not already signed in, they are prompted for their Azure credentials. -2. With the security token obtained from Azure AD, create a [SubscriptionClient](/dotnet/api/microsoft.azure.management.resourcemanager.subscriptionclient) to query Azure for a list of subscriptions associated with the account. The user can select a subscription from the list if it contains more than one subscription. +1. Acquire a security token from Microsoft Entra ID by using [Acquire and cache tokens using the Microsoft Authentication Library (MSAL)](../active-directory/develop/msal-net-acquire-token-silently.md). If the user is not already signed in, they are prompted for their Azure credentials. +2. With the security token obtained from Microsoft Entra ID, create a [SubscriptionClient](/dotnet/api/microsoft.azure.management.resourcemanager.subscriptionclient) to query Azure for a list of subscriptions associated with the account. The user can select a subscription from the list if it contains more than one subscription. 3. Get credentials associated with the selected subscription. 4. Create a [ResourceManagementClient](/dotnet/api/microsoft.azure.management.resourcemanager.resourcemanagementclient) object by using the credentials. 5. Use a [ResourceManagementClient](/dotnet/api/microsoft.azure.management.resourcemanager.resourcemanagementclient) object to create a resource group. To see Batch Management .NET in action, check out the [AccountManagement](https: - Delete the newly created account. 7. Delete the resource group. -To run the sample application successfully, you must first register it with your Azure AD tenant in the Azure portal and grant permissions to the Azure Resource Manager API. 
Follow the steps provided in [Authenticate Batch Management solutions with Active Directory](batch-aad-auth-management.md). +To run the sample application successfully, you must first register it with your Microsoft Entra tenant in the Azure portal and grant permissions to the Azure Resource Manager API. Follow the steps provided in [Authenticate Batch Management solutions with Active Directory](batch-aad-auth-management.md). ## Next steps |
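Review bot: the NOTE rewritten in this hunk still says "see the Microsoft Entra ID section", a bare cross-reference to a heading that is now "Use Microsoft Entra ID with Batch Management .NET"; since the hunk adds `<a name='use-azure-ad-with-batch-management-net'></a>` to preserve the old anchor, link to it, for example "see [Use Microsoft Entra ID with Batch Management .NET](#use-azure-ad-with-batch-management-net)". The closing link title "Authenticate Batch Management solutions with Active Directory" is also left unrenamed while the sentence around it is changed to "Microsoft Entra tenant".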
batch | Batch Pool No Public Ip Address | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-pool-no-public-ip-address.md | To restrict access to these nodes and reduce the discoverability of these nodes ## Prerequisites -- **Authentication**. To use a pool without public IP addresses inside a [virtual network](./batch-virtual-network.md), the Batch client API must use Azure Active Directory (AD) authentication. Azure Batch support for Azure AD is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). If you aren't creating your pool within a virtual network, either Azure AD authentication or key-based authentication can be used.+- **Authentication**. To use a pool without public IP addresses inside a [virtual network](./batch-virtual-network.md), the Batch client API must use Microsoft Entra authentication. Azure Batch support for Microsoft Entra ID is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). If you aren't creating your pool within a virtual network, either Microsoft Entra authentication or key-based authentication can be used. - **An Azure VNet**. If you're creating your pool in a [virtual network](batch-virtual-network.md), follow these requirements and configurations. To prepare a VNet with one or more subnets in advance, you can use the Azure portal, Azure PowerShell, the Azure CLI, or other methods. |
batch | Batch Powershell Cmdlets Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-powershell-cmdlets-get-started.md | When prompted, confirm you want to remove the account. Account removal can take ## Create a BatchAccountContext object -You can authenticate to manage Batch resources using either shared key authentication or Azure Active Directory authentication. To authenticate using the Batch PowerShell cmdlets, first create a BatchAccountContext object to store your account credentials or identity. You pass the BatchAccountContext object into cmdlets that use the **BatchContext** parameter. +You can authenticate to manage Batch resources using either shared key authentication or Microsoft Entra authentication. To authenticate using the Batch PowerShell cmdlets, first create a BatchAccountContext object to store your account credentials or identity. You pass the BatchAccountContext object into cmdlets that use the **BatchContext** parameter. ### Shared key authentication $context = Get-AzBatchAccountKeys -AccountName <account_name> > [!NOTE] > By default, the account's primary key is used for authentication, but you can explicitly select the key to use by changing your BatchAccountContext objectΓÇÖs **KeyInUse** property: `$context.KeyInUse = "Secondary"`. -### Azure Active Directory authentication +<a name='azure-active-directory-authentication'></a> ++### Microsoft Entra authentication ```powershell $context = Get-AzBatchAccount -AccountName <account_name> |
batch | Batch Sig Images | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-sig-images.md | Using a Shared Image configured for your scenario can provide several advantages ## Prerequisites > [!NOTE]-> You need to authenticate using Azure AD. If you use shared-key-auth, you will get an authentication error. +> You need to authenticate using Microsoft Entra ID. If you use shared-key-auth, you will get an authentication error. - **An Azure Batch account.** To create a Batch account, see the Batch quickstarts using the [Azure portal](quick-create-portal.md) or [Azure CLI](quick-create-cli.md). - **an Azure Compute Gallery image**. To create a Shared Image, you need to have or create a managed image resource. The image should be created from snapshots of the VM's OS disk and optionally its attached data disks. > [!NOTE]-> If the Shared Image is not in the same subscription as the Batch account, you must [register the Microsoft.Batch resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) for that subscription. The two subscriptions must be in the same Azure AD tenant. +> If the Shared Image is not in the same subscription as the Batch account, you must [register the Microsoft.Batch resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) for that subscription. The two subscriptions must be in the same Microsoft Entra tenant. > > The image can be in a different region as long as it has replicas in the same region as your Batch account. -If you use an Azure AD application to create a custom image pool with an Azure Compute Gallery image, that application must have been granted an [Azure built-in role](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles) that gives it access to the the Shared Image. 
You can grant this access in the Azure portal by navigating to the Shared Image, selecting **Access control (IAM)** and adding a role assignment for the application. +If you use a Microsoft Entra application to create a custom image pool with an Azure Compute Gallery image, that application must have been granted an [Azure built-in role](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles) that gives it access to the the Shared Image. You can grant this access in the Azure portal by navigating to the Shared Image, selecting **Access control (IAM)** and adding a role assignment for the application. ## Prepare a Shared Image Once you have successfully created your managed image, you need to create an Azu To create a pool from your Shared Image using the Azure CLI, use the `az batch pool create` command. Specify the Shared Image ID in the `--image` field. Make sure the OS type and SKU matches the versions specified by `--node-agent-sku-id` > [!NOTE]-> You need to authenticate using Azure AD. If you use shared-key-auth, you will get an authentication error. +> You need to authenticate using Microsoft Entra ID. If you use shared-key-auth, you will get an authentication error. > [!IMPORTANT] > The node agent SKU id must align with the publisher/offer/SKU in order for the node to start. |
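Review bot: the doubled word is carried over unchanged in the rewritten Prerequisites paragraph: the `+` line still reads "gives it access to the the Shared Image." Since that line is being rewritten for the Microsoft Entra rename anyway, drop the duplicate "the" in the same commit rather than leaving it for a follow-up.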
batch | Batch Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-virtual-network.md | To allow compute nodes to communicate securely with other virtual machines, or w ## Prerequisites -- **Authentication**. To use an Azure Virtual Network, the Batch client API must use Azure Active Directory (Azure AD) authentication. To learn more, see [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md).+- **Authentication**. To use an Azure Virtual Network, the Batch client API must use Microsoft Entra authentication. To learn more, see [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). - **An Azure Virtual Network**. To prepare a Virtual Network with one or more subnets in advance, you can use the Azure portal, Azure PowerShell, the Microsoft Azure CLI (CLI), or other methods. - To create an Azure Resource Manager-based Virtual Network, see [Create a virtual network](../virtual-network/manage-virtual-network.md#create-a-virtual-network). A Resource Manager-based Virtual Network is recommended for new deployments, and is supported only on pools that use Virtual Machine Configuration. |
batch | Create Pool Public Ip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/create-pool-public-ip.md | For information about creating pools without public IP addresses, read [Create a ## Prerequisites -- The Batch client API must use [Azure Active Directory (AD) authentication](batch-aad-auth.md) to use a public IP address.+- The Batch client API must use [Microsoft Entra authentication](batch-aad-auth.md) to use a public IP address. - An [Azure VNet](batch-virtual-network.md) from the same subscription where you're creating your pool and IP addresses. You can only use Azure Resource Manager-based VNets. Verify that the VNet meets all of the [general VNet requirements](batch-virtual-network.md#general-virtual-network-requirements). - At least one existing Azure public IP address. Follow the [public IP address requirements](#public-ip-address-requirements) to create and configure the IP addresses. |
batch | Credential Access Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/credential-access-key-vault.md | In this article, you'll learn how to set up Batch nodes with certificates to sec To authenticate to Azure Key Vault from a Batch node, you need: -- An Azure Active Directory (Azure AD) credential+- A Microsoft Entra credential - A certificate - A Batch account - A Batch pool with at least one node If you don't already have a certificate, [use the PowerShell cmdlet `New-SelfSig ## Create a service principal -Access to Key Vault is granted to either a **user** or a **service principal**. To access Key Vault programmatically, use a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the certificate you created in the previous step. The service principal must be in the same Azure AD tenant as the Key Vault. +Access to Key Vault is granted to either a **user** or a **service principal**. To access Key Vault programmatically, use a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the certificate you created in the previous step. The service principal must be in the same Microsoft Entra tenant as the Key Vault. ```powershell $now = [System.DateTime]::Parse("2020-02-10") if($psModuleCheck.count -eq 0) { ## Access Key Vault -Now you're ready to access Key Vault in scripts running on your Batch nodes. To access Key Vault from a script, all you need is for your script to authenticate against Azure AD using the certificate. To do this in PowerShell, use the following example commands. Specify the appropriate GUID for **Thumbprint**, **App ID** (the ID of your service principal), and **Tenant ID** (the tenant where your service principal exists). +Now you're ready to access Key Vault in scripts running on your Batch nodes. 
To access Key Vault from a script, all you need is for your script to authenticate against Microsoft Entra ID using the certificate. To do this in PowerShell, use the following example commands. Specify the appropriate GUID for **Thumbprint**, **App ID** (the ID of your service principal), and **Tenant ID** (the tenant where your service principal exists). ```powershell Add-AzureRmAccount -ServicePrincipal -CertificateThumbprint -ApplicationId |
batch | Managed Identity Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/managed-identity-pools.md | -complicated identity and credential management by providing an identity for the Azure resource in Azure Active Directory -(Azure AD). This identity is used to obtain Azure Active Directory (Azure AD) tokens to authenticate with target +complicated identity and credential management by providing an identity for the Azure resource in Microsoft Entra ID +(Microsoft Entra ID). This identity is used to obtain Microsoft Entra tokens to authenticate with target resources in Azure. This topic explains how to enable user-assigned managed identities on Batch pools and how to use managed identities within the nodes. see the following links: You can also manually configure your tasks so that the managed identities can directly access [Azure resources that support managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). -Within the Batch nodes, you can get managed identity tokens and use them to authenticate through Azure AD authentication via the [Azure Instance Metadata Service](../virtual-machines/windows/instance-metadata-service.md). +Within the Batch nodes, you can get managed identity tokens and use them to authenticate through Microsoft Entra authentication via the [Azure Instance Metadata Service](../virtual-machines/windows/instance-metadata-service.md). For Windows, the PowerShell script to get an access token to authenticate is: |
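Review bot: the substitution in the opening paragraph produces a redundant parenthetical: "providing an identity for the Azure resource in Microsoft Entra ID (Microsoft Entra ID)." The original parenthetical "(Azure AD)" existed only to introduce the abbreviation used in the next sentence; with the new name there is nothing to abbreviate, so delete "(Microsoft Entra ID)" instead of substituting inside it.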
batch | Nodes And Pools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/nodes-and-pools.md | For more information about using application packages to deploy your application ## Virtual network (VNet) and firewall configuration -When you provision a pool of compute nodes in Batch, you can associate the pool with a subnet of an Azure [virtual network (VNet)](../virtual-network/virtual-networks-overview.md). To use an Azure VNet, the Batch client API must use Azure Active Directory (AD) authentication. Azure Batch support for Azure AD is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). +When you provision a pool of compute nodes in Batch, you can associate the pool with a subnet of an Azure [virtual network (VNet)](../virtual-network/virtual-networks-overview.md). To use an Azure VNet, the Batch client API must use Microsoft Entra authentication. Azure Batch support for Microsoft Entra ID is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). ### VNet requirements |
batch | Quick Run Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/quick-run-dotnet.md | Review the code to understand the steps in the [Azure Batch .NET Quickstart](htt } ``` -1. The app creates a [BatchClient](/dotnet/api/microsoft.azure.batch.batchclient) object to create and manage Batch pools, jobs, and tasks. The Batch client uses shared key authentication. Batch also supports Azure Active Directory (Azure AD) authentication. +1. The app creates a [BatchClient](/dotnet/api/microsoft.azure.batch.batchclient) object to create and manage Batch pools, jobs, and tasks. The Batch client uses shared key authentication. Batch also supports Microsoft Entra authentication. ```csharp var cred = new BatchSharedKeyCredentials(BatchAccountUrl, BatchAccountName, BatchAccountKey); |
batch | Quick Run Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/quick-run-python.md | Review the code to understand the steps in the [Azure Batch Python Quickstart](h for file_path in input_file_paths] ``` -1. The app creates a [BatchServiceClient](/python/api/azure.batch.batchserviceclient) object to create and manage pools, jobs, and tasks in the Batch account. The Batch client uses shared key authentication. Batch also supports Azure Active Directory (Azure AD) authentication. +1. The app creates a [BatchServiceClient](/python/api/azure.batch.batchserviceclient) object to create and manage pools, jobs, and tasks in the Batch account. The Batch client uses shared key authentication. Batch also supports Microsoft Entra authentication. ```python credentials = SharedKeyCredentials(config.BATCH_ACCOUNT_NAME, |
batch | Batch Cli Sample Create Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/scripts/batch-cli-sample-create-account.md | keywords: batch, azure cli samples, azure cli code samples, azure cli script sam # CLI example: Create a Batch account in Batch service mode This script creates an Azure Batch account in Batch service mode and shows how to query or update various properties of the account. When you create a Batch account in the default Batch service mode, its compute nodes are assigned internally by the Batch-service. Allocated compute nodes are subject to a separate vCPU (core) quota and the account can be authenticated either via shared key credentials or an Azure Active Directory token. +service. Allocated compute nodes are subject to a separate vCPU (core) quota and the account can be authenticated either via shared key credentials or a Microsoft Entra token. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] |
batch | Batch Cli Sample Create User Subscription Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/scripts/batch-cli-sample-create-user-subscription-account.md | keywords: batch, azure cli samples, azure cli examples, azure cli code samples # CLI example: Create a Batch account in user subscription mode -This script creates an Azure Batch account in user subscription mode. An account that allocates compute nodes into your subscription must be authenticated via an Azure Active Directory token. The compute nodes allocated count toward your subscription's vCPU (core) quota. +This script creates an Azure Batch account in user subscription mode. An account that allocates compute nodes into your subscription must be authenticated via a Microsoft Entra token. The compute nodes allocated count toward your subscription's vCPU (core) quota. [!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)] |
batch | Security Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/security-best-practices.md | node communication model will be ### Batch account authentication -Batch account access supports two methods of authentication: Shared Key and [Azure Active Directory (Azure AD)](batch-aad-auth.md). +Batch account access supports two methods of authentication: Shared Key and [Microsoft Entra ID](batch-aad-auth.md). -We strongly recommend using Azure AD for Batch account authentication. Some Batch capabilities require this method of authentication, including many of the security-related features discussed here. The service API authentication mechanism for a Batch account can be restricted to only Azure AD using the [allowedAuthenticationModes](/rest/api/batchmanagement/batch-account/create) property. When this property is set, API calls using Shared Key authentication will be rejected. +We strongly recommend using Microsoft Entra ID for Batch account authentication. Some Batch capabilities require this method of authentication, including many of the security-related features discussed here. The service API authentication mechanism for a Batch account can be restricted to only Microsoft Entra ID using the [allowedAuthenticationModes](/rest/api/batchmanagement/batch-account/create) property. When this property is set, API calls using Shared Key authentication will be rejected. ### Batch account pool allocation mode By default, endpoints with public IP addresses are used to communicate with Batc ### Batch account API - When a Batch account is created, a public endpoint is created that is used to invoke most operations for the account using a [REST API](/rest/api/batchservice/). The account endpoint has a base URL using the format `https://{account-name}.{region-id}.batch.azure.com`. 
Access to the Batch account is secured, with communication to the account endpoint being encrypted using HTTPS, and each request authenticated using either shared key or Azure Active Directory (Azure AD) authentication. + When a Batch account is created, a public endpoint is created that is used to invoke most operations for the account using a [REST API](/rest/api/batchservice/). The account endpoint has a base URL using the format `https://{account-name}.{region-id}.batch.azure.com`. Access to the Batch account is secured, with communication to the account endpoint being encrypted using HTTPS, and each request authenticated using either shared key or Microsoft Entra authentication. ### Azure Resource Manager In addition to operations specific to a Batch account, [management operations](/rest/api/batchmanagement/) apply to single and multiple Batch accounts. These management operations are accessed via Azure Resource Manager. -Batch management operations via Azure Resource Manager are encrypted using HTTPS, and each request is authenticated using Azure AD authentication. +Batch management operations via Azure Resource Manager are encrypted using HTTPS, and each request is authenticated using Microsoft Entra authentication. ### Batch pool compute nodes |
batch | Simplified Node Communication Pool No Public Ip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/simplified-node-communication-pool-no-public-ip.md | To restrict access to these nodes and reduce the discoverability of these nodes - Use simplified compute node communication. For more information, see [Use simplified compute node communication](simplified-compute-node-communication.md). -- The Batch client API must use Azure Active Directory (AD) authentication. Azure Batch support for Azure AD is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md).+- The Batch client API must use Microsoft Entra authentication. Azure Batch support for Microsoft Entra ID is documented in [Authenticate Batch service solutions with Active Directory](batch-aad-auth.md). - Create your pool in an [Azure virtual network (VNet)](batch-virtual-network.md), follow these requirements and configurations. To prepare a VNet with one or more subnets in advance, you can use the Azure portal, Azure PowerShell, the Azure Command-Line Interface (Azure CLI), or other methods. |
batch | Tutorial Parallel Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/tutorial-parallel-dotnet.md | CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConnection CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient(); ``` -The app creates a [BatchClient](/dotnet/api/microsoft.azure.batch.batchclient) object to create and manage pools, jobs, and tasks in the Batch service. The Batch client in the sample uses shared key authentication. Batch also supports authentication through [Azure Active Directory](batch-aad-auth.md) to authenticate individual users or an unattended application. +The app creates a [BatchClient](/dotnet/api/microsoft.azure.batch.batchclient) object to create and manage pools, jobs, and tasks in the Batch service. The Batch client in the sample uses shared key authentication. Batch also supports authentication through [Microsoft Entra ID](batch-aad-auth.md) to authenticate individual users or an unattended application. ```csharp BatchSharedKeyCredentials sharedKeyCredentials = new BatchSharedKeyCredentials(BatchAccountUrl, BatchAccountName, BatchAccountKey); |
batch | Tutorial Parallel Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/tutorial-parallel-python.md | blob_client = azureblob.BlockBlobService( account_key=_STORAGE_ACCOUNT_KEY) ``` -The app creates a [BatchServiceClient](/python/api/azure.batch.batchserviceclient) object to create and manage pools, jobs, and tasks in the Batch service. The Batch client in the sample uses shared key authentication. Batch also supports authentication through [Azure Active Directory](batch-aad-auth.md), to authenticate individual users or an unattended application. +The app creates a [BatchServiceClient](/python/api/azure.batch.batchserviceclient) object to create and manage pools, jobs, and tasks in the Batch service. The Batch client in the sample uses shared key authentication. Batch also supports authentication through [Microsoft Entra ID](batch-aad-auth.md), to authenticate individual users or an unattended application. ```python credentials = batchauth.SharedKeyCredentials(_BATCH_ACCOUNT_NAME, |
cdn | Cdn App Dev Net | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-app-dev-net.md | You need Visual Studio 2015 to complete this tutorial. [Visual Studio Community [!INCLUDE [cdn-app-dev-prep](../../includes/cdn-app-dev-prep.md)] ## Create your project and add NuGet packages-Now that we've created a resource group for our CDN profiles and given our Azure AD application permission to manage CDN profiles and endpoints within that group, we can start creating our application. +Now that we've created a resource group for our CDN profiles and given our Microsoft Entra application permission to manage CDN profiles and endpoints within that group, we can start creating our application. > [!IMPORTANT] > The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade. For more information, see the [migration guide](../active-directory/develop/msal-migration.md). private static AuthenticationResult GetAccessToken() } ``` -Be sure to replace `<redirect URI>` with the redirect URI you entered when you registered the application in Azure AD. +Be sure to replace `<redirect URI>` with the redirect URI you entered when you registered the application in Microsoft Entra ID. ## List CDN profiles and endpoints Now we're ready to perform CDN operations. The first thing our method does is list all the profiles and endpoints in our resource group, and if it finds a match for the profile and endpoint names specified in our constants, makes a note for later so we don't try to create duplicates. |
cdn | Cdn App Dev Node | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-app-dev-node.md | To complete this tutorial, you should already have [Node.js](https://www.nodejs. [!INCLUDE [cdn-app-dev-prep](../../includes/cdn-app-dev-prep.md)] ## Create your project and add NPM dependencies-Now that we've created a resource group for our CDN profiles and given our Azure AD application permission to manage CDN profiles and endpoints within that group, we can start creating our application. +Now that we've created a resource group for our CDN profiles and given our Microsoft Entra application permission to manage CDN profiles and endpoints within that group, we can start creating our application. Create a folder to store your application. From a console with the Node.js tools in your current path, set your current location to this new folder and initialize your project by executing: You will then be presented a series of questions to initialize your project. Fo ![NPM init output](./media/cdn-app-dev-node/cdn-npm-init.png) -Our project is now initialized with a *packages.json* file. Our project is going to use some Azure libraries contained in NPM packages. We'll use the library for Azure Active Directory authentication in Node.js (@azure/identity) and the Azure CDN Client Library for JavaScript (@azure/arm-cdn). Let's add those to the project as dependencies. +Our project is now initialized with a *packages.json* file. Our project is going to use some Azure libraries contained in NPM packages. We'll use the library for Microsoft Entra authentication in Node.js (@azure/identity) and the Azure CDN Client Library for JavaScript (@azure/arm-cdn). Let's add those to the project as dependencies. ```console npm install --save @azure/identity |
cdn | Cdn Custom Ssl | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-custom-ssl.md | You can use your own certificate to enable the HTTPS feature. This process is do ### Register Azure CDN -Register Azure CDN as an app in your Azure Active Directory. +Register Azure CDN as an app in your Microsoft Entra ID. > [!NOTE] > * `205478c0-bd83-4e1b-a9d6-db63a3e1e1c8` is the service principal for `Microsoft.AzureFrontDoor-Cdn`. |
certification | How To Test Pnp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/how-to-test-pnp.md | The following steps show you how to use the [Azure Certified Device portal](http ### Onboarding -To use the [certification portal](https://certify.azure.com), you must use an Azure Active Directory from your work or school tenant. +To use the [certification portal](https://certify.azure.com), you must use a Microsoft Entra ID from your work or school tenant. To publish the models to the Azure IoT Public Model Repository, your account must be a member of the [Microsoft Partner Network](https://partner.microsoft.com). The system checks that the Microsoft Partner Network ID exists and the account is fully vetted before publishing to the device catalog. |
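Review bot: the mechanical rename changes the meaning of the Onboarding sentence: "you must use a Microsoft Entra ID from your work or school tenant" now reads as though Microsoft Entra ID were an account rather than the service. The original "an Azure Active Directory" was shorthand for an account; suggest "you must use a Microsoft Entra account from your work or school tenant", which also matches the wording used in the Tutorial 01 row of this same rename ("Microsoft Entra account").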
certification | Tutorial 01 Creating Your Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/certification/tutorial-01-creating-your-project.md | In this tutorial, you will learn how to: ## Prerequisites -- Valid work/school [Azure Active Directory account](../active-directory/fundamentals/active-directory-whatis.md).+- Valid work/school [Microsoft Entra account](../active-directory/fundamentals/active-directory-whatis.md). - Verified Microsoft Partner Network (MPN) account. If you don't have an MPN account, [join the partner network](https://partner.microsoft.com/) before you begin. > [!NOTE] |
chaos-studio | Chaos Studio Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-service-limits.md | Chaos Studio applies limits to the number of resources, duration of activities, | Experiment history retention time (days) | 120 | The time period after which individual results of experiment executions are automatically removed. | | Number of experiment resources per region and subscription | 500 | The maximum number of experiment resources a subscription can store in a given region. | | Number of targets per action | 50 | The maximum number of resources an individual action can target for execution. For example, the maximum Virtual Machines that can be shut down by a single Virtual Machine Shutdown fault. |-| Number of agents per target | 1,000 | The maximum number of running that can be associated with a single target. For example, the agents running on all instances within a single Virtual Machine Scale Set. | +| Number of agents per target | 1,000 | The maximum number of running agents that can be associated with a single target. For example, the agents running on all instances within a single Virtual Machine Scale Set. | | Number of targets per region and subscription | 10,000 | The maximum number of target resources within a single subscription and region. | ## API throttling limits Chaos Studio applies limits to all Azure Resource Manager operations. Requests m | Operation | Requests | |--|--|-| Microsoft.Chaos/experiments/write | 100 | +| Microsoft.Chaos/experiments/write | 100 | | Microsoft.Chaos/experiments/read | 300 | | Microsoft.Chaos/experiments/delete | 100 | | Microsoft.Chaos/experiments/start/action | 20 | Chaos Studio applies limits to all Azure Resource Manager operations. 
Requests m | Microsoft.Chaos/locations/targetTypes/read | 50 | | Microsoft.Chaos/locations/targetTypes/capabilityTypes/read | 50 | +## Recommended actions +If you have feedback on the current quotas and limits, submit a feedback request in [Community Feedback](https://feedback.azure.com/d365community/forum/18f8dc01-dc37-ec11-b6e6-000d3a9c7101). ++Currently, you can't request increases to Chaos Studio quotas, but a request process is in development. ++If you expect to exceed the maximum concurrent experiments executing per region and subscription: +* Split your experiments across regions. Experiments can target resources outside the experiment resource's region or target multiple resources across different regions. +* Test more scenarios in each experiment by using more actions, steps, and/or branches (up to the maximum current limits). ++If your testing requires longer experiments than the currently supported duration: +* Run multiple experiments in sequence. + +If you want to see experiment execution history: +* Use Chaos Studio's [REST API](../chaos-studio/chaos-studio-samples-rest-api.md) with the "executionDetails" endpoint, for each experiment ID. |
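Review bot: the `Microsoft.Chaos/experiments/write` row in the API throttling table appears as a whitespace-only change (the `-` and `+` lines are identical as rendered here), which adds noise to the diff and to blame history without altering the documented limit. Either drop that hunk or say in the commit that trailing whitespace was intentionally stripped; the wording fix in the agents-per-target row ("running agents") is the substantive change and is correct.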
communication-services | Voice And Video Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/analytics/logs/voice-and-video-logs.md | The call summary log contains data to help you identify key properties of all ca | `operationVersion` | The `api-version` value associated with the operation, if the `operationName` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. | | `category` | The log category of the event. This property is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. | | `correlationId` | The unique ID for a call. It identifies correlated events from all of the participants and endpoints that connect during a single call, and you can use it to join data from different logs. If you ever need to open a support case with Microsoft, you can use the `correlationId` value to easily identify the call that you're troubleshooting. |-| `identifier` | The unique ID for the user. The identity can be an Azure Communication Services user, an Azure Active Directory (Azure AD) user ID, a Teams anonymous user ID, or a Teams bot ID. You can use this ID to correlate user events across logs. | +| `identifier` | The unique ID for the user. The identity can be an Azure Communication Services user, a Microsoft Entra user ID, a Teams anonymous user ID, or a Teams bot ID. You can use this ID to correlate user events across logs. | | `callStartTime` | A time stamp for the start of the call, based on the first attempted connection from any endpoint. | | `callDuration` | The duration of the call, expressed in seconds. It's based on the first attempted connection and the end of the last connection between two endpoints. 
| | `callType` | The type of the call. It contains either `"P2P"` or `"Group"`. A `"P2P"` call is a direct 1:1 connection between only two, non-server endpoints. A `"Group"` call is a call that has more than two endpoints or is created as `"Group"` call before the connection. | For each endpoint within a call, a distinct call diagnostic log is created for o | `category` | The log category of the event. This property is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. | | `correlationId` | The unique ID for a call. It identifies correlated events from all of the participants and endpoints that connect during a single call. If you ever need to open a support case with Microsoft, you can use the `correlationId` value to easily identify the call that you're troubleshooting. | | `participantId` | The ID that's generated to represent the two-way connection between a `"Participant"` endpoint (`endpointType` = `"Server"`) and the server. When `callType` = `"P2P"`, there's a direct connection between two endpoints, and no `participantId` value is generated. |-| `identifier` | The unique ID for the user. The identity can be an Azure Communication Services user, an Azure AD user ID, a Teams object ID, or a Teams bot ID. You can use this ID to correlate user events across logs. | +| `identifier` | The unique ID for the user. The identity can be an Azure Communication Services user, a Microsoft Entra user ID, a Teams object ID, or a Teams bot ID. You can use this ID to correlate user events across logs. | | `endpointId` | The unique ID that represents each endpoint that's connected to the call, where `endpointType` defines the endpoint type. When the value is `null`, the connected entity is the Communication Services server. 
`EndpointId` can persist for the same user across multiple calls (`correlationId`) for native clients but is unique for every call when the client is a web browser. | | `endpointType` | The value that describes the properties of each `endpointId` instance. It can contain `"Server"`, `"VOIP"`, `"PSTN"`, `"BOT"`, `"Voicemail"`, `"Anonymous"`, or `"Unknown"`. | | `mediaType` | The string value that describes the type of media that's being transmitted between endpoints within each stream. Possible values include `"Audio"`, `"Video"`, `"VBSS"` (video-based screen sharing), and `"AppSharing"`. | |
communication-services | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/authentication.md | -Every client interaction with Azure Communication Services needs to be authenticated. In a typical architecture, see [client and server architecture](./client-and-server-architecture.md), *access keys* or *Azure AD authentication* are used for server-side authentication. +Every client interaction with Azure Communication Services needs to be authenticated. In a typical architecture, see [client and server architecture](./client-and-server-architecture.md), *access keys* or *Microsoft Entra authentication* are used for server-side authentication. Another type of authentication uses *user access tokens* to authenticate against services that require user participation. For example, the chat or calling service utilizes *user access tokens* to allow users to be added in a thread and have conversations with each other. The following table shows the Azure Communication Services SDKs and their authen | SDK | Authentication option | | -- | -|-| Identity | Access Key or Azure AD authentication | -| SMS | Access Key or Azure AD authentication | -| Phone Numbers | Access Key or Azure AD authentication | -| Email | Access Key or Azure AD authentication | +| Identity | Access Key or Microsoft Entra authentication | +| SMS | Access Key or Microsoft Entra authentication | +| Phone Numbers | Access Key or Microsoft Entra authentication | +| Email | Access Key or Microsoft Entra authentication | | Calling | User Access Token | | Chat | User Access Token | Since the access key is part of the connection string of your resource, authenti If you wish to call Azure Communication Services' APIs manually using an access key, then you will need to sign the request. Signing the request is explained, in detail, within a [tutorial](../tutorials/hmac-header-tutorial.md). 
-### Azure AD authentication +<a name='azure-ad-authentication'></a> -The Azure platform provides role-based access (Azure RBAC) to control access to the resources. Azure RBAC security principal represents a user, group, service principal, or managed identity that is requesting access to Azure resources. Azure AD authentication provides superior security and ease of use over other authorization options. For example, by using managed identity, you avoid having to store your account access key within your code, as you do with Access Key authorization. While you can continue to use Access Key authorization with communication services applications, Microsoft recommends moving to Azure AD where possible. +### Microsoft Entra authentication ++The Azure platform provides role-based access (Azure RBAC) to control access to the resources. Azure RBAC security principal represents a user, group, service principal, or managed identity that is requesting access to Azure resources. Microsoft Entra authentication provides superior security and ease of use over other authorization options. For example, by using managed identity, you avoid having to store your account access key within your code, as you do with Access Key authorization. While you can continue to use Access Key authorization with communication services applications, Microsoft recommends moving to Microsoft Entra ID where possible. To set up a service principal, [create a registered application from the Azure CLI](../quickstarts/identity/service-principal.md?pivots=platform-azcli). Then, the endpoint and credentials can be used to authenticate the SDKs. See examples of how [service principal](../quickstarts/identity/service-principal.md) is used. -Communication services support Azure AD authentication but do not support managed identity for Communication services resources. 
You can find more details, about the managed identity support in the [Azure Active Directory documentation](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). +Communication services support Microsoft Entra authentication but do not support managed identity for Communication services resources. You can find more details, about the managed identity support in the [Microsoft Entra documentation](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). -Use our [Trusted authentication service hero sample](../samples/trusted-auth-sample.md) to map Azure Communication Services access tokens with your Azure Active Directory. +Use our [Trusted authentication service hero sample](../samples/trusted-auth-sample.md) to map Azure Communication Services access tokens with your Microsoft Entra ID. ### User Access Tokens -User access tokens are generated using the Identity SDK and are associated with users created in the Identity SDK. See an example of how to [create users and generate tokens](../quickstarts/identity/access-tokens.md). Then, user access tokens are used to authenticate participants added to conversations in the Chat or Calling SDK. For more information, see [add chat to your app](../quickstarts/chat/get-started.md). User access token authentication is different compared to access key and Azure AD authentication in that it is used to authenticate a user rather than a secured Azure resource. +User access tokens are generated using the Identity SDK and are associated with users created in the Identity SDK. See an example of how to [create users and generate tokens](../quickstarts/identity/access-tokens.md). Then, user access tokens are used to authenticate participants added to conversations in the Chat or Calling SDK. For more information, see [add chat to your app](../quickstarts/chat/get-started.md). 
User access token authentication is different compared to access key and Microsoft Entra authentication in that it is used to authenticate a user rather than a secured Azure resource. ## Using identity for monitoring and metrics The user identity is intended to act as a primary key for logs and metrics colle > [Create and manage Communication Services resources](../quickstarts/create-communication-resource.md) > [!div class="nextstepaction"]-> [Create an Azure Active Directory service principal application from the Azure CLI](../quickstarts/identity/service-principal.md?pivots=platform-azcli) +> [Create a Microsoft Entra service principal application from the Azure CLI](../quickstarts/identity/service-principal.md?pivots=platform-azcli) > [!div class="nextstepaction"] > [Create user access tokens](../quickstarts/identity/access-tokens.md) |
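Review bot: the heading hunk correctly keeps the old anchor via `<a name='azure-ad-authentication'></a>` before the renamed "### Microsoft Entra authentication" heading, which the `../authentication.md#azure-ad-authentication` links in the other rows of this change set still depend on. In the paragraph that follows, "Azure RBAC security principal represents a user, group, service principal, or managed identity" needs an article ("An Azure RBAC security principal"), and "You can find more details, about the managed identity support" should drop the stray comma, since both sentences are being rewritten in this hunk anyway.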
communication-services | Azure Communication Services Azure Cognitive Services Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/call-automation/azure-communication-services-azure-cognitive-services-integration.md | -All this is possible with one-click where enterprises can access a secure solution and link their models through the portal. Furthermore, developers and enterprises don't need to manage credentials. Connecting your Azure AI services uses managed identities to access user-owned resources. Developers can use managed identities to authenticate any resource that supports Azure Active Directory authentication. +All this is possible with one-click where enterprises can access a secure solution and link their models through the portal. Furthermore, developers and enterprises don't need to manage credentials. Connecting your Azure AI services uses managed identities to access user-owned resources. Developers can use managed identities to authenticate any resource that supports Microsoft Entra authentication. BYO Azure AI services can be easily integrated into any application regardless of the programming language. When creating an Azure Resource in Azure portal, enable the BYO option and provide the URL to the Azure AI services. This simple experience allows developers to meet their needs, scale, and avoid investing time and resources into designing and maintaining a custom solution. |
communication-services | Credentials Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/credentials-best-practices.md | const fetchTokenFromMyServerForUser = async function (abortSignal, username) { ### Example 2: Refreshing a token for a Teams User -Let's assume we have a Node.js application built on Express with the `/getTokenForTeamsUser` endpoint allowing to exchange an Azure Active Directory (Azure AD) access token of a Teams user for a new Communication Identity access token with a matching expiration time. +Let's assume we have a Node.js application built on Express with the `/getTokenForTeamsUser` endpoint allowing to exchange a Microsoft Entra access token of a Teams user for a new Communication Identity access token with a matching expiration time. ```javascript app.post('/getTokenForTeamsUser', async (req, res) => { app.post('/getTokenForTeamsUser', async (req, res) => { Next, we need to implement a token refresher callback in the client application, whose responsibility will be to: -1. Refresh the Azure AD access token of the Teams User -2. Exchange the Azure AD access token of the Teams User for a Communication Identity access token +1. Refresh the Microsoft Entra access token of the Teams User +2. Exchange the Microsoft Entra access token of the Teams User for a Communication Identity access token ```javascript const fetchTokenFromMyServerForUser = async function (abortSignal, username) { const fetchTokenFromMyServerForUser = async function (abortSignal, username) { } ``` -In this example, we use the Microsoft Authentication Library (MSAL) to refresh the Azure AD access token. Following the guide to [acquire an Azure AD token to call an API](../../active-directory/develop/scenario-spa-acquire-token.md), we first try to obtain the token without the user's interaction. If that's not possible, we trigger one of the interactive flows. 
+In this example, we use the Microsoft Authentication Library (MSAL) to refresh the Microsoft Entra access token. Following the guide to [acquire a Microsoft Entra token to call an API](../../active-directory/develop/scenario-spa-acquire-token.md), we first try to obtain the token without the user's interaction. If that's not possible, we trigger one of the interactive flows. ```javascript const refreshAadToken = async function (abortSignal, username) { If you want to cancel scheduled refresh tasks, [dispose](#cleaning-up-resources) ### Proactively refreshing a token for a Teams User -To minimize the number of roundtrips to the Azure Communication Identity API, make sure the Azure AD token you're passing for an [exchange](../quickstarts/manage-teams-identity.md#step-3-exchange-the-azure-ad-access-token-of-the-teams-user-for-a-communication-identity-access-token) has long enough validity (> 10 minutes). In case that MSAL returns a cached token with a shorter validity, you have the following options to bypass the cache: +To minimize the number of roundtrips to the Azure Communication Identity API, make sure the Microsoft Entra token you're passing for an [exchange](../quickstarts/manage-teams-identity.md#step-3-exchange-the-azure-ad-access-token-of-the-teams-user-for-a-communication-identity-access-token) has long enough validity (> 10 minutes). In case that MSAL returns a cached token with a shorter validity, you have the following options to bypass the cache: 1. Refresh the token forcibly 2. Increase the MSAL's token renewal window to more than 10 minutes |
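Review bot: the "Proactively refreshing a token for a Teams User" hunk renames the link text to "Microsoft Entra token" but keeps the anchor `manage-teams-identity.md#step-3-exchange-the-azure-ad-access-token-of-the-teams-user-for-a-communication-identity-access-token`, which is derived from the old heading text of the target quickstart; confirm that page still exposes that slug (or an explicit `<a name>` alias) after its own rename, otherwise this link breaks. Minor style point in the same hunk: "In case that MSAL returns a cached token" reads better as "If MSAL returns a cached token".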
communication-services | Identity Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/identity-model.md | If you want to remove a user's ability to access specific functionality, revoke In Azure Communication Services, a rotation of access keys revokes all active access tokens that were created by using a former access key. All identities lose access to Azure Communication Services, and they must issue new access tokens. -We recommend issuing access tokens in your server-side service and not in the client's application. The reasoning is that issuing requires an access key or Azure AD authentication. Sharing secrets with the client's application isn't recommended for security reasons. +We recommend issuing access tokens in your server-side service and not in the client's application. The reasoning is that issuing requires an access key or Microsoft Entra authentication. Sharing secrets with the client's application isn't recommended for security reasons. The client application should use a trusted service endpoint that can authenticate your clients. The endpoint should issue access tokens on their behalf. For more information, see [Client and server architecture](./client-and-server-architecture.md). |
communication-services | Calling Chat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/calling-chat.md | To enable calling and chat between your Communication Services users and Teams t ## Get Teams user ID To start a call or chat with a Teams user or Teams Voice application, you need an identifier of the target. You have the following options to retrieve the ID:-- User interface of [Azure AD](../troubleshooting-info.md?#getting-user-id) or with on-premises directory synchronization [Azure AD Connect](../../../active-directory/hybrid/how-to-connect-sync-whatis.md)+- User interface of [Microsoft Entra ID](../troubleshooting-info.md?#getting-user-id) or with on-premises directory synchronization [Microsoft Entra Connect](../../../active-directory/hybrid/how-to-connect-sync-whatis.md) - Programmatically via [Microsoft Graph API](/graph/api/resources/users) ## Calling-With the Calling SDK, a Communication Services user or endpoint can start a 1:1 call with Teams users, identified by their Azure Active Directory (Azure AD) object ID. You can easily modify an existing application that calls other Communication Services users to call Teams users. +With the Calling SDK, a Communication Services user or endpoint can start a 1:1 call with Teams users, identified by their Microsoft Entra object ID. You can easily modify an existing application that calls other Communication Services users to call Teams users. [Manage calls - An Azure Communication Services how-to guide | Microsoft Docs](../../how-tos/calling-sdk/manage-calls.md?pivots=platform-web) const call = callAgent.startCall([teamsCallee]); - Third-party [devices for Teams](/MicrosoftTeams/devices/teams-ip-phones) and [Skype IP phones](/skypeforbusiness/certification/devices-ip-phones) aren't supported. 
## Chat-With the Chat SDK, Communication Services users or endpoints can have group chats with Teams users, identified by their Azure Active Directory (Azure AD) object ID. You can easily modify an existing application that creates chats with other Communication Services users to create chats with Teams users instead. Here is an example of how to use the Chat SDK to add Teams users as participants. To learn how to use Chat SDK to send a message, manage participants, and more, see our [quickstart](../../quickstarts/chat/get-started.md?pivots=programming-language-javascript). +With the Chat SDK, Communication Services users or endpoints can have group chats with Teams users, identified by their Microsoft Entra object ID. You can easily modify an existing application that creates chats with other Communication Services users to create chats with Teams users instead. Here is an example of how to use the Chat SDK to add Teams users as participants. To learn how to use Chat SDK to send a message, manage participants, and more, see our [quickstart](../../quickstarts/chat/get-started.md?pivots=programming-language-javascript). Creating a chat with a Teams user: ```js |
communication-services | Custom Teams Endpoint Authentication Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/custom-teams-endpoint-authentication-overview.md | - This article gives you insight into the authentication process for single-tenant and multi-tenant, *Azure Active Directory* (Azure AD) applications. You can use authentication when you build calling experiences for Teams users with the *Calling software development kit* (SDK) that *Azure Communication Services* makes available. Use cases in this article also break down individual authentication artifacts. + This article gives you insight into the authentication process for single-tenant and multi-tenant, *Microsoft Entra ID* (Microsoft Entra ID) applications. You can use authentication when you build calling experiences for Teams users with the *Calling software development kit* (SDK) that *Azure Communication Services* makes available. Use cases in this article also break down individual authentication artifacts. ## Case 1: Example of a single-tenant application-The Fabrikam company has built a custom, Teams calling application for internal company use. All Teams users are managed by Azure Active Directory. Access to Azure Communication Services is controlled by *Azure role-based access control (Azure RBAC)*. +The Fabrikam company has built a custom, Teams calling application for internal company use. All Teams users are managed by Microsoft Entra ID. Access to Azure Communication Services is controlled by *Azure role-based access control (Azure RBAC)*. ![A diagram that outlines the authentication process for Fabrikam's calling application for Teams users and its Azure Communication Services resource.](./media/custom-teams-endpoint/authentication-case-single-tenant-azure-rbac-overview.svg) The following sequence diagram details single-tenant authentication. 
Before we begin:-- Alice or her Azure AD administrator needs to give the custom Teams application consent, prior to the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md).+- Alice or her Microsoft Entra administrator needs to give the custom Teams application consent, prior to the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md). - The Azure Communication Services resource admin needs to grant Alice permission to perform her role. Learn more about [Azure RBAC role assignment](../../../role-based-access-control/role-assignments-portal.md). Steps:-1. Authenticate Alice using Azure Active Directory: Alice is authenticated using a standard OAuth flow with *Microsoft Authentication Library (MSAL)*. If authentication is successful, the client application receives an Azure AD access token, with a value of 'A1' and an Object ID of an Azure AD user with a value of 'A2'. Tokens are outlined later in this article. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md). -1. Get an access token for Alice: The Fabrikam application by using a custom authentication artifact with value 'B' performs authorization logic to decide whether Alice has permission to exchange the Azure AD access token for an Azure Communication Services access token. After successful authorization, the Fabrikam application performs control plane logic, using artifacts 'A1', 'A2', and 'A3'. Azure Communication Services access token 'D' is generated for Alice within the Fabrikam application. This access token can be used for data plane actions in Azure Communication Services, like Calling. The 'A2' and 'A3' artifacts are passed along with the artifact 'A1' for validation. The validation assures that the Azure AD Token was issued to the expected user. 
The application and will prevent attackers from using the Azure AD access tokens issued to other applications or other users. For more information on how to get 'A' artifacts, see [Receive the Azure AD user token and object ID via the MSAL library](../../quickstarts/manage-teams-identity.md?pivots=programming-language-csharp#step-1-receive-the-azure-ad-user-token-and-object-id-via-the-msal-library) and [Getting Application ID](../troubleshooting-info.md#getting-application-id). +1. Authenticate Alice using Microsoft Entra ID: Alice is authenticated using a standard OAuth flow with *Microsoft Authentication Library (MSAL)*. If authentication is successful, the client application receives a Microsoft Entra access token, with a value of 'A1' and an Object ID of a Microsoft Entra user with a value of 'A2'. Tokens are outlined later in this article. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md). +1. Get an access token for Alice: The Fabrikam application by using a custom authentication artifact with value 'B' performs authorization logic to decide whether Alice has permission to exchange the Microsoft Entra access token for an Azure Communication Services access token. After successful authorization, the Fabrikam application performs control plane logic, using artifacts 'A1', 'A2', and 'A3'. Azure Communication Services access token 'D' is generated for Alice within the Fabrikam application. This access token can be used for data plane actions in Azure Communication Services, like Calling. The 'A2' and 'A3' artifacts are passed along with the artifact 'A1' for validation. The validation assures that the Microsoft Entra Token was issued to the expected user. The application and will prevent attackers from using the Microsoft Entra access tokens issued to other applications or other users. 
For more information on how to get 'A' artifacts, see [Receive the Microsoft Entra user token and object ID via the MSAL library](../../quickstarts/manage-teams-identity.md?pivots=programming-language-csharp#step-1-receive-the-azure-ad-user-token-and-object-id-via-the-msal-library) and [Getting Application ID](../troubleshooting-info.md#getting-application-id). 1. Call Bob: Alice makes a call to Teams user Bob, with Fabrikam's app. The call takes place via the Calling SDK with an Azure Communication Services access token. Learn more about [developing custom Teams clients](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md). Artifacts: - Artifact A1- - Type: Azure AD access token + - Type: Microsoft Entra access token - Audience: _`Azure Communication Services`_ ΓÇö control plane- - Source: Fabrikam's Azure AD tenant + - Source: Fabrikam's Microsoft Entra tenant - Permissions: _`https://auth.msft.communication.azure.com/Teams.ManageCalls`_, _`https://auth.msft.communication.azure.com/Teams.ManageChats`_ - Artifact A2- - Type: Object ID of an Azure AD user - - Source: Fabrikam's Azure AD tenant + - Type: Object ID of a Microsoft Entra user + - Source: Fabrikam's Microsoft Entra tenant - Authority: `https://login.microsoftonline.com/<tenant>/` - Artifact A3- - Type: Azure AD application ID - - Source: Fabrikam's Azure AD tenant + - Type: Microsoft Entra application ID + - Source: Fabrikam's Microsoft Entra tenant - Artifact B- - Type: Custom Fabrikam authorization artifact (issued either by Azure AD or a different authorization service) + - Type: Custom Fabrikam authorization artifact (issued either by Microsoft Entra ID or a different authorization service) - Artifact C - Type: Azure Communication Services resource authorization artifact. 
- - Source: "Authorization" HTTP header with either a bearer token for [Azure AD authentication](../authentication.md#azure-ad-authentication) or a Hash-based Message Authentication Code (HMAC) payload and a signature for [access key-based authentication](../authentication.md#access-key). + - Source: "Authorization" HTTP header with either a bearer token for [Microsoft Entra authentication](../authentication.md#azure-ad-authentication) or a Hash-based Message Authentication Code (HMAC) payload and a signature for [access key-based authentication](../authentication.md#access-key). - Artifact D - Type: Azure Communication Services access token - Audience: _`Azure Communication Services`_ ΓÇö data plane The Contoso company has built a custom Teams calling application for external cu The following sequence diagram details multi-tenant authentication. Before we begin:-- Alice or her Azure AD administrator needs to give Contoso's Azure Active Directory application consent before the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md).+- Alice or her Microsoft Entra administrator needs to give Contoso's Microsoft Entra application consent before the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md). Steps:-1. Authenticate Alice using the Fabrikam application: Alice is authenticated through Fabrikam's application. A standard OAuth flow with Microsoft Authentication Library (MSAL) is used. Make sure you configure MSAL with a correct [authority](../../../active-directory/develop/msal-client-application-configuration.md#authority). If authentication is successful, the Contoso client application receives an Azure AD access token with a value of 'A1' and an Object ID of an Azure AD user with a value of 'A2'. Token details are outlined below. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md). 
-1. Get an access token for Alice: The Contoso application by using a custom authentication artifact with value 'B' performs authorization logic to decide whether Alice has permission to exchange the Azure AD access token for an Azure Communication Services access token. After successful authorization, the Contoso application performs control plane logic, using artifacts 'A1', 'A2', and 'A3'. An Azure Communication Services access token 'D' is generated for Alice within the Contoso application. This access token can be used for data plane actions in Azure Communication Services, like Calling. The 'A2' and 'A3' artifacts are passed along with the artifact 'A1'. The validation assures that the Azure AD Token was issued to the expected user. The application and will prevent attackers from using the Azure AD access tokens issued to other applications or other users. For more information on how to get 'A' artifacts, see [Receive the Azure AD user token and object ID via the MSAL library](../../quickstarts/manage-teams-identity.md?pivots=programming-language-csharp#step-1-receive-the-azure-ad-user-token-and-object-id-via-the-msal-library) and [Getting Application ID](../troubleshooting-info.md#getting-application-id). +1. Authenticate Alice using the Fabrikam application: Alice is authenticated through Fabrikam's application. A standard OAuth flow with Microsoft Authentication Library (MSAL) is used. Make sure you configure MSAL with a correct [authority](../../../active-directory/develop/msal-client-application-configuration.md#authority). If authentication is successful, the Contoso client application receives a Microsoft Entra access token with a value of 'A1' and an Object ID of a Microsoft Entra user with a value of 'A2'. Token details are outlined below. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md). +1. 
Get an access token for Alice: The Contoso application by using a custom authentication artifact with value 'B' performs authorization logic to decide whether Alice has permission to exchange the Microsoft Entra access token for an Azure Communication Services access token. After successful authorization, the Contoso application performs control plane logic, using artifacts 'A1', 'A2', and 'A3'. An Azure Communication Services access token 'D' is generated for Alice within the Contoso application. This access token can be used for data plane actions in Azure Communication Services, like Calling. The 'A2' and 'A3' artifacts are passed along with the artifact 'A1'. The validation assures that the Microsoft Entra Token was issued to the expected user. The application and will prevent attackers from using the Microsoft Entra access tokens issued to other applications or other users. For more information on how to get 'A' artifacts, see [Receive the Microsoft Entra user token and object ID via the MSAL library](../../quickstarts/manage-teams-identity.md?pivots=programming-language-csharp#step-1-receive-the-azure-ad-user-token-and-object-id-via-the-msal-library) and [Getting Application ID](../troubleshooting-info.md#getting-application-id). 1. Call Bob: Alice makes a call to Teams user Bob, with Fabrikam's application. The call takes place via the Calling SDK with an Azure Communication Services access token. Learn more about developing custom, Teams apps [in this quickstart](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md). 
Artifacts: - Artifact A1- - Type: Azure AD access token + - Type: Microsoft Entra access token - Audience: Azure Communication Services ΓÇö control plane- - Source: Contoso application registration's Azure AD tenant + - Source: Contoso application registration's Microsoft Entra tenant - Permission: _`https://auth.msft.communication.azure.com/Teams.ManageCalls`_, _`https://auth.msft.communication.azure.com/Teams.ManageChats`_ - Artifact A2- - Type: Object ID of an Azure AD user - - Source: Fabrikam's Azure AD tenant + - Type: Object ID of a Microsoft Entra user + - Source: Fabrikam's Microsoft Entra tenant - Authority: `https://login.microsoftonline.com/<tenant>/` or `https://login.microsoftonline.com/organizations/` (based on your [scenario](../../../active-directory/develop/msal-client-application-configuration.md#authority)) - Artifact A3- - Type: Azure AD application ID - - Source: Contoso application registration's Azure AD tenant + - Type: Microsoft Entra application ID + - Source: Contoso application registration's Microsoft Entra tenant - Artifact B- - Type: Custom Contoso authorization artifact (issued either by Azure AD or a different authorization service) + - Type: Custom Contoso authorization artifact (issued either by Microsoft Entra ID or a different authorization service) - Artifact C - Type: Azure Communication Services resource authorization artifact. 
- - Source: "Authorization" HTTP header with either a bearer token for [Azure AD authentication](../authentication.md#azure-ad-authentication) or a Hash-based Message Authentication Code (HMAC) payload and a signature for [access key-based authentication](../authentication.md#access-key) + - Source: "Authorization" HTTP header with either a bearer token for [Microsoft Entra authentication](../authentication.md#azure-ad-authentication) or a Hash-based Message Authentication Code (HMAC) payload and a signature for [access key-based authentication](../authentication.md#access-key) - Artifact D - Type: Azure Communication Services access token - Audience: _`Azure Communication Services`_ ΓÇö data plane |
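Review bot: the intro hunk replaces "*Azure Active Directory* (Azure AD)" with "*Microsoft Entra ID* (Microsoft Entra ID)", leaving a redundant parenthetical; the original parenthetical existed only to introduce the abbreviation, so the line should read "single-tenant and multi-tenant *Microsoft Entra ID* applications" (the stray comma after "multi-tenant" can go as well).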
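Review bot: both "Get an access token for Alice" step hunks (Case 1 and Case 2) carry over the broken sentence "The application and will prevent attackers from using the Microsoft Entra access tokens issued to other applications or other users"; since the step is being rewritten, fix it to "This prevents attackers from using Microsoft Entra access tokens issued to other applications or other users", which states plainly what validating 'A2' and 'A3' against 'A1' is for.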
communication-services | Custom Teams Endpoint Use Cases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/custom-teams-endpoint-use-cases.md | -Microsoft Teams provides identities managed by Azure Active Directory and calling experiences controlled by Teams Admin Center and policies. Users might have assigned licenses to enable phone calls and advanced calling capabilities of Microsoft Teams Phone. Azure Communication Services support for Teams identities allows managing Teams voice over IP (VoIP) calls, Teams phone calls, and join Teams meetings. Developers might extend the Azure Communication Services with Graph API to provide contextual data from Microsoft 365 ecosystem. This page is providing inspiration on how to use existing Microsoft technologies to provide an end-to-end experience for calling scenarios with Teams users and Azure Communication Services calling SDKs. +Microsoft Teams provides identities managed by Microsoft Entra ID and calling experiences controlled by Teams Admin Center and policies. Users might have assigned licenses to enable phone calls and advanced calling capabilities of Microsoft Teams Phone. Azure Communication Services support for Teams identities allows managing Teams voice over IP (VoIP) calls, Teams phone calls, and join Teams meetings. Developers might extend the Azure Communication Services with Graph API to provide contextual data from Microsoft 365 ecosystem. This page is providing inspiration on how to use existing Microsoft technologies to provide an end-to-end experience for calling scenarios with Teams users and Azure Communication Services calling SDKs. ## Use case 1: Make outbound Teams PSTN call This scenario is showing a multi-tenant use case, where company Contoso is providing SaaS to company Fabrikam. 
SaaS allows Fabrikam's users to make Teams phone calls via a custom website that takes the identity of the Teams user and configuration of the PSTN connectivity assigned to that Teams user. var teamsUser = { microsoftTeamsUserId: 'e8b753b5-4117-464e-9a08-713e1ff266b3'}; const oneToOneCall = callAgent.startCall([teamsUser], { threadId: '19:8c0a1a67-50ce-4114-bb6c-da9c5dbcf6ca_e8b753b5-4117-464e-9a08-713e1ff266b3@unq.gbl.spaces' }); ``` -4. Connecting VoIP call to Megan: The call is routed through the Teams and ringing Teams clients associated with Megan. Megan sees an incoming call from Alice with the name defined in the Azure AD. +4. Connecting VoIP call to Megan: The call is routed through the Teams and ringing Teams clients associated with Megan. Megan sees an incoming call from Alice with the name defined in the Microsoft Entra ID. 5. Megans accepts the call: Megan accepts the call and the connection between Alice and Megan is established. |
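Review bot: In the rewritten step 4, "the name defined in the Microsoft Entra ID" should drop the article and read "the name defined in Microsoft Entra ID", since Microsoft Entra ID is a product name rather than a directory instance; while touching that step, the unchanged step 5 "Megans accepts the call" carries a stray "s" ("Megan accepts the call"). The rewritten intro paragraph also keeps a non-parallel list, "allows managing Teams voice over IP (VoIP) calls, Teams phone calls, and join Teams meetings"; suggest "and joining Teams meetings".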
communication-services | Capabilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/guest/capabilities.md | In this article, you will learn which capabilities are supported for Teams exter | | Indicator of call's state <br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ | | | Indicate participants being muted | ✔️ | | | Indicate participants' reasons for terminating the call | ✔️ |+| | Get associated toll and toll-free phone numbers with the meeting | ✔️ | | Screen sharing | Share the entire screen from within the application | ✔️ | | | Share a specific application (from the list of running applications) | ✔️ | | | Share a web browser tab from the list of open tabs | ✔️ | |
communication-services | Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/guest/security.md | -Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Azure Active Directory, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide). Additionally, you can find more about Microsoft's [resiliency and continuity here](/compliance/assurance/assurance-data-resiliency-overview). +Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. 
Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Microsoft Entra ID, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide). Additionally, you can find more about Microsoft's [resiliency and continuity here](/compliance/assurance/assurance-data-resiliency-overview). Additionally, Microsoft Teams provides several policies and tenant configurations to control Teams external users joining and in-meeting experience. Teams administrators can use settings in the Microsoft Teams admin center or PowerShell to control whether Teams external users can join Teams meetings, bypass lobby, start a meeting, participate in chat, or default role assignment. You can learn more about the [policies here](./teams-administration.md). Additionally, Microsoft Teams provides several policies and tenant configuration Microsoft Purview provides robust data security features to protect sensitive information. One of the key features of Purview is [data loss prevention (DLP)](/microsoft-365/compliance/dlp-microsoft-teams), which helps organizations to prevent accidental or unauthorized sharing of sensitive data. Developers can use [Communication Services UI library](../../ui-library/ui-library-overview.md) or follow [how-to guide](../../../how-tos/chat-sdk/data-loss-prevention.md) to support data loss prevention in Teams meetings. In addition, Purview offers [Customer Key](/microsoft-365/compliance/customer-key-overview), which allows customers to manage the encryption keys used to protect their data fully. Chat messages sent by Teams external users are encrypted at rest with the Customer Key provided in Purview. These features help customers meet compliance requirements. 
## Azure Communication Services-Azure Communication Services handles security by implementing various security measures to prevent and mitigate common security threats. These measures include data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and authentication mechanisms to verify the identity of users. The security framework for Azure Communication Services is based on industry standards and best practices. Azure also undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure Communication Services integrates with other Azure security services, such as Azure Active Directory, to provide customers with a comprehensive security solution. Customers can also control access to the services and manage their security settings through the Azure portal. You can learn here more about [Azure security baseline](/security/benchmark/azure/baselines/azure-communication-services-security-baseline?toc=/azure/communication-services/toc.json), about security of [call flows](../../call-flows.md) and [call flow topologies](../../detailed-call-flows.md). +Azure Communication Services handles security by implementing various security measures to prevent and mitigate common security threats. These measures include data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and authentication mechanisms to verify the identity of users. The security framework for Azure Communication Services is based on industry standards and best practices. Azure also undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure Communication Services integrates with other Azure security services, such as Microsoft Entra ID, to provide customers with a comprehensive security solution. 
Customers can also control access to the services and manage their security settings through the Azure portal. You can learn here more about [Azure security baseline](/security/benchmark/azure/baselines/azure-communication-services-security-baseline?toc=/azure/communication-services/toc.json), about security of [call flows](../../call-flows.md) and [call flow topologies](../../detailed-call-flows.md). |
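Review bot: A dangling duplicate of the policies sentence survives in the new text: after "You can learn more about the [policies here](./teams-administration.md)." the fragment "Additionally, Microsoft Teams provides several policies and tenant configuration" runs straight into "Microsoft Purview provides robust data security features", so the Purview paragraph currently begins mid-sentence; delete the fragment and start the Purview text on its own paragraph. Two smaller points were carried unchanged into the + lines: "Teams implement multiple layers" and "Teams also undergo" treat the product name as plural ("Teams implements", "Teams also undergoes"), and "You can learn here more about" reads better as "You can learn more about".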
communication-services | Teams User Calling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/teams-user-calling.md | -The Azure Communication Services Calling SDK for JavaScript enables Teams user devices to drive voice and video communication experiences. This page provides detailed descriptions of Calling features, including platform and browser support information. To get started right away, check out [Calling quickstarts](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md). +The Azure Communication Services Calling SDK enables Teams user devices to drive voice and video communication experiences. This page provides detailed descriptions of Calling features, including platform and browser support information. To get started right away with JavaScript, check out [Calling quickstarts](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md). Key features of the Calling SDK: -- **Addressing** - Azure Communication Services is using [Azure Active Directory user identifier](/powershell/module/azuread/get-azureaduser) to address communication endpoints. Clients use Azure Active Directory identities to authenticate to the service and communicate with each other. These identities are used in Calling APIs that provide clients visibility into who is connected to a call (the roster). And are also used in [Microsoft Graph API](/graph/api/user-get).+- **Addressing** - Azure Communication Services is using [Microsoft Entra user identifier](/powershell/module/azuread/get-azureaduser) to address communication endpoints. Clients use Microsoft Entra identities to authenticate to the service and communicate with each other. These identities are used in Calling APIs that provide clients visibility into who is connected to a call (the roster). And are also used in [Microsoft Graph API](/graph/api/user-get). 
- **Encryption** - The Calling SDK encrypts traffic and prevents tampering on the wire. - **Device Management and Media** - The Calling SDK provides facilities for binding to audio and video devices, encodes content for efficient transmission over the communications data plane, and renders content to output devices and views that you specify. APIs are also provided for screen and application sharing. - **Notifications** - The Calling SDK provides APIs that allow clients to be notified of an incoming call. In situations where your app is not running in the foreground, patterns are available to [fire pop-up notifications](../notifications.md) ("toasts") to inform users of an incoming call. ## Calling capabilities -The following list presents the set of features that are currently available in the Azure Communication Services Calling SDK for JavaScript when participating in 1:1 voice-over-IP (VoIP) or group VoIP calls. +The following list presents the set of features that are currently available in the Azure Communication Services Calling SDK when participating in 1:1 voice-over-IP (VoIP) or group VoIP calls. 
-| Group of features | Capability | JavaScript | -| -- | - | - | -| Core Capabilities | Place a one-to-one call to Teams user | ✔️ | -| | Place a one-to-one call to Azure Communication Services user | ❌ | -| | Place a group call with more than two Teams users (up to 350 users) | ✔️ | -| | Promote a one-to-one call with two Teams users into a group call with more than two Teams users | ✔️ | -| | Join a group call after it has started | ❌ | -| | Invite another VoIP participant to join an ongoing group call | ✔️ | -| | Test your mic, speaker, and camera with an audio testing service (available by calling 8:echo123) | ✔️ | -| | Placing a call honors Teams external access configuration | ✔️ | -| | Placing a call honors Teams guest access configuration | ✔️ | -| Mid call control | Turn your video on/off | ✔️ | -| | Mute/Unmute mic | ✔️ | -| | Switch between cameras | ✔️ | -| | Local hold/un-hold | ✔️ | -| | Indicator of dominant speakers in the call | ✔️ | -| | Choose speaker device for calls | ✔️ | -| | Choose microphone for calls | ✔️ | -| | Indicator of participant's state<br/>*Idle, Early media, Connecting, Connected, On hold, In Lobby, Disconnected* | ✔️ | -| | Indicator of call's state <br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ | -| | Indicate participants being muted | ✔️ | -| | Indicate participants' reasons for terminating the call | ✔️ | -| Screen sharing | Share the entire screen from within the application | ✔️ | -| | Share a specific application (from the list of running applications) | ✔️ | -| | Share a web browser tab from the list of open tabs | ✔️ | -| | Receive your screen sharing stream | ❌ | -| | Share content in "content-only" mode | ✔️ | -| | Receive video stream with content for "content-only" screen sharing experience | ✔️ | -| | Share content in "standout" mode | ❌ | -| | Receive video stream with content for a "standout" screen sharing experience | ❌ | -| | Share content in "side-by-side" 
mode | ❌ | -| | Receive video stream with content for "side-by-side" screen sharing experience | ❌ | -| | Share content in "reporter" mode | ❌ | -| | Receive video stream with content for "reporter" screen sharing experience | ❌ | -| Roster | List participants | ✔️ | -| | Add an Azure Communication Services user | ❌ | -| | Add a Teams user | ✔️ | -| | Adding Teams users honors Teams external access configuration | ✔️ | -| | Adding Teams user honors Teams guest access configuration | ✔️ | -| | Add a phone number | ✔️ | -| | Remove a participant | ✔️ | -| | Admit participants in the lobby into the Teams meeting | ✔️ | -| | Be admitted from the lobby into the Teams meeting | ✔️ | -| | Adding Teams users honors information barriers | ✔️ | -| Device Management | Ask for permission to use audio and/or video | ✔️ | -| | Get camera list | ✔️ | -| | Set camera | ✔️ | -| | Get selected camera | ✔️ | -| | Get microphone list | ✔️ | -| | Set microphone | ✔️ | -| | Get selected microphone | ✔️ | -| | Get speakers list | ✔️ | -| | Set speaker | ✔️ | -| | Get selected speaker | ✔️ | -| Video Rendering | Render single video in many places (local camera or remote stream) | ✔️ | -| | Set / update scaling mode | ✔️ | -| | Render remote video stream | ✔️ | -| | See together mode video stream | ❌ | -| | See Large gallery view | ❌ | -| | Receive video stream from Teams media bot | ❌ | -| | Receive adjusted stream for "content from Camera" | ❌ | -| | Add and remove video stream from spotlight | ✔️ | -| | Allow video stream to be selected for spotlight | ✔️ | -| | Apply Teams background effects | ❌ | -| Recording & transcription | Manage Teams convenient recording | ❌ | -| | Receive information of call being recorded | ✔️ | -| | Manage Teams transcription | ❌ | -| | Receive information of call being transcribed | ✔️ | -| | Manage Teams closed captions | ❌ | -| | Support for compliance recording | ✔️ | -| Engagement | Raise and lower hand | ✔️ | -| | Indicate other participants' raised and 
lowered hands | ✔️ | -| | Trigger reactions | ❌ | -| | Indicate other participants' reactions | ❌ | -| Integrations | Control Teams third-party applications | ❌ | -| | Receive PowerPoint Live stream | ❌ | -| | Receive Whiteboard stream | ❌ | -| | Interact with a poll | ❌ | -| | Interact with a Q&A | ❌ | -| Accessibility | Receive closed captions | ❌ | -| Advanced call routing | Start a call and add user operations honor forwarding rules | ✔️ | -| | Read and configure call forwarding rules | ❌ | -| | Start a call and add user operations honor simultaneous ringing | ✔️ | -| | Read and configure simultaneous ringing | ❌ | -| | Start a call and add user operations honor "Do not disturb" status | ✔️ | -| | Placing participant on hold plays music on hold | ❌ | -| | Being placed by Teams user on Teams client on hold plays music on hold | ✔️ | -| | Park a call | ❌ | -| | Be parked | ✔️ | -| | Transfer a call to a user | ✔️ | -| | Be transferred to a user or call | ✔️ | -| | Transfer a call to a call | ✔️ | -| | Transfer a call to Voicemail | ❌ | -| | Be transferred to voicemail | ✔️ | -| | Merge ongoing calls | ❌ | -| | Does start a call and add user operations honor shared line configuration | ✔️ | -| | Start a call on behalf of the Teams user | ❌ | -| | Read and configure shared line configuration | ❌ | -| | Receive a call from Teams auto attendant | ✔️ | -| | Transfer a call to Teams auto attendant | ✔️ | -| | Receive a call from Teams call queue | ✔️ | -| | Transfer a call from Teams call queue | ✔️ | -| Teams calling policy | Honor "Make private calls" | ✔️ | -| | Honor setting "Cloud recording for calling" | No API available | -| | Honor setting "Transcription" | No API available | -| | Honor setting "Call forwarding and simultaneous ringing to people in your organization" | ✔️ | -| | Honor setting "Call forwarding and simultaneous ringing to external phone numbers" | ✔️ | -| | Honor setting "Voicemail is available for routing inbound calls" | ✔️ | -| | Honor setting 
"Inbound calls can be routed to call groups" | ✔️ | -| | Honor setting "Delegation for inbound and outbound calls" | ✔️ | -| | Honor setting "Prevent toll bypass and send calls through the PSTN" | ❌ | -| | Honor setting "Music on hold" | ❌ | -| | Honor setting "Busy on busy when in a call" | ❌ | -| | Honor setting "Web PSTN calling" | ❌ | -| | Honor setting "Real-time captions in Teams calls" | No API available | -| | Honor setting "Automatically answer incoming meeting invites" | ❌ | -| | Honor setting "Spam filtering" | ✔️ | -| | Honor setting "SIP devices can be used for calls" | ✔️ | -| DevOps | [Azure Metrics](../metrics.md) | ✔️ | -| | [Azure Monitor](../analytics/logs/voice-and-video-logs.md) | ✔️ | -| | [Azure Communication Services Insights](../analytics/insights/voice-and-video-insights.md) | ✔️ | -| | [Azure Communication Services Voice and video calling events](../../../event-grid/communication-services-voice-video-events.md) | ❌ | -| | [Teams Call Analytics](/MicrosoftTeams/use-call-analytics-to-troubleshoot-poor-call-quality) | ✔️ | -| | [Teams real-time Analytics](/microsoftteams/use-real-time-telemetry-to-troubleshoot-poor-meeting-quality) | ❌ | +| Group of features | Capability | JavaScript | Windows | Java (Android) | Objective-C (iOS)| +| -- | - | - | -- | -- | -- | +| Core Capabilities | Place a one-to-one call to Teams user | ✔️ | ✔️ | ✔️ | ✔️ | +| | Place a one-to-one call to Azure Communication Services user | ❌ | ❌ | ❌ | ❌ | +| | Place a group call with more than two Teams users (up to 350 users) | ✔️ | ✔️ | ✔️ | ✔️ | +| | Promote a one-to-one call with two Teams users into a group call with more than two Teams users | ✔️ | ✔️ | ✔️ | ✔️ | +| | Join a group call after it has started | ❌ | ❌ | ❌ | ❌ | +| | Invite another VoIP participant to join an ongoing group call | ✔️ | ✔️ | ✔️ | ✔️ | +| | Test your mic, speaker, and camera with an audio testing service (available by calling 8:echo123) | ✔️ | ✔️ | ✔️ | ✔️ | +| | Placing a call honors Teams 
external access configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Placing a call honors Teams guest access configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| Mid call control | Turn your video on/off | ✔️ | ✔️ | ✔️ | ✔️ | +| | Mute/Unmute mic | ✔️ | ✔️ | ✔️ | ✔️ | +| | Switch between cameras | ✔️ | ✔️ | ✔️ | ✔️ | +| | Local hold/un-hold | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicator of dominant speakers in the call | ✔️ | ✔️ | ✔️ | ✔️ | +| | Choose speaker device for calls | ✔️ | ✔️ | ❌<sup>2</sup> | ❌<sup>2</sup> | +| | Choose microphone for calls | ✔️ | ✔️ | ❌<sup>2</sup> | ❌<sup>2</sup> | +| | Indicator of participant's state<br/>*Idle, Early media, Connecting, Connected, On hold, In Lobby, Disconnected* | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicator of call's state <br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicate participants being muted | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicate participants' reasons for terminating the call | ✔️ | ✔️ | ✔️ | ✔️ | +| Screen sharing | Share the entire screen from within the application | ✔️ | ✔️<sup>1</sup> | ✔️<sup>1</sup> | ✔️<sup>1</sup> | +| | Share a specific application (from the list of running applications) | ✔️ | ✔️<sup>1</sup> | ❌ | ❌ | +| | Share a web browser tab from the list of open tabs | ✔️ | ✔️ | ✔️ | ✔️ | +| | Receive your screen sharing stream | ❌ | ❌ | ❌ | ❌ | +| | Share content in "content-only" mode | ✔️ | ✔️ | ✔️ | ✔️ | +| | Receive video stream with content for "content-only" screen sharing experience | ✔️ | ✔️ | ✔️ | ✔️ | +| | Share content in "standout" mode | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream with content for a "standout" screen sharing experience | ❌ | ❌ | ❌ | ❌ | +| | Share content in "side-by-side" mode | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream with content for "side-by-side" screen sharing experience | ❌ | ❌ | ❌ | ❌ | +| | Share content in "reporter" mode | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream with content for "reporter" screen sharing experience | 
❌ | ❌ | ❌ | ❌ | +| | Share system audio during screen sharing | ✔️ | ❌ | ❌ | ❌ | +| Roster | List participants | ✔️ | ✔️ | ✔️ | ✔️ | +| | Add an Azure Communication Services user | ❌ | ❌ | ❌ | ❌ | +| | Add a Teams user | ✔️ | ✔️ | ✔️ | ✔️ | +| | Adding Teams users honors Teams external access configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Adding Teams user honors Teams guest access configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Add a phone number | ✔️ | ✔️ | ✔️ | ✔️ | +| | Remove a participant | ✔️ | ✔️ | ✔️ | ✔️ | +| | Admit participants in the lobby into the Teams meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | Be admitted from the lobby into the Teams meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | Adding Teams users honors information barriers | ✔️ | ✔️ | ✔️ | ✔️ | +| Device Management | Ask for permission to use audio and/or video | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get camera list | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set camera | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get selected camera | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get microphone list | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set microphone | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get selected microphone | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get speakers list | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set speaker | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get selected speaker | ✔️ | ✔️ | ✔️ | ✔️ | +| Video Rendering | Render single video in many places (local camera or remote stream) | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set / update scaling mode | ✔️ | ✔️ | ✔️ | ✔️ | +| | Render remote video stream | ✔️ | ✔️ | ✔️ | ✔️ | +| | See together mode video stream | ❌ | ❌ | ❌ | ❌ | +| | See Large gallery view | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream from Teams media bot | ❌ | ❌ | ❌ | ❌ | +| | Receive adjusted stream for "content from Camera" | ❌ | ❌ | ❌ | ❌ | +| | Add and remove video stream from spotlight | ✔️ | ✔️ | ✔️ | ✔️ | +| | Allow video stream to be selected for spotlight | ✔️ | ✔️ | ✔️ | ✔️ | +| Video Effects | [Background Blur](../../quickstarts/voice-video-calling/get-started-video-effects.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | Custom background image | ✔️ | ❌ | 
❌ | ❌ | +| Recording & transcription | Manage Teams convenient recording | ❌ | ❌ | ❌ | ❌ | +| | Receive information of call being recorded | ✔️ | ✔️ | ✔️ | ✔️ | +| | Manage Teams transcription | ❌ | ❌ | ❌ | ❌ | +| | Receive information of call being transcribed | ✔️ | ✔️ | ✔️ | ✔️ | +| | Manage Teams closed captions | ✔️ | ✔️ | ✔️ | ✔️ | +| | Support for compliance recording | ✔️ | ✔️ | ✔️ | ✔️ | +| Engagement | Raise and lower hand | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicate other participants' raised and lowered hands | ✔️ | ✔️ | ✔️ | ✔️ | +| | Trigger reactions | ❌ | ❌ | ❌ | ❌ | +| | Indicate other participants' reactions | ❌ | ❌ | ❌ | ❌ | +| Integrations | Control Teams third-party applications | ❌ | ❌ | ❌ | ❌ | +| | Receive PowerPoint Live stream | ❌ | ❌ | ❌ | ❌ | +| | Receive Whiteboard stream | ❌ | ❌ | ❌ | ❌ | +| | Interact with a poll | ❌ | ❌ | ❌ | ❌ | +| | Interact with a Q&A | ❌ | ❌ | ❌ | ❌ | +| Advanced call routing | Start a call and add user operations honor forwarding rules | ✔️ | ✔️ | ✔️ | ✔️ | +| | Read and configure call forwarding rules | ❌ | ❌ | ❌ | ❌ | +| | Start a call and add user operations honor simultaneous ringing | ✔️ | ✔️ | ✔️ | ✔️ | +| | Read and configure simultaneous ringing | ❌ | ❌ | ❌ | ❌ | +| | Start a call and add user operations honor "Do not disturb" status | ✔️ | ✔️ | ✔️ | ✔️ | +| | Placing participant on hold plays music on hold | ❌ | ❌ | ❌ | ❌ | +| | Being placed by Teams user on Teams client on hold plays music on hold | ✔️ | ✔️ | ✔️ | ✔️ | +| | Park a call | ❌ | ❌ | ❌ | ❌ | +| | Be parked | ✔️ | ✔️ | ✔️ | ✔️ | +| | Transfer a call to a user | ✔️ | ✔️ | ✔️ | ✔️ | +| | Be transferred to a user or call | ✔️ | ✔️ | ✔️ | ✔️ | +| | Transfer a call to a call | ✔️ | ✔️ | ✔️ | ✔️ | +| | Transfer a call to Voicemail | ❌ | ❌ | ❌ | ❌ | +| | Be transferred to voicemail | ✔️ | ✔️ | ✔️ | ✔️ | +| | Merge ongoing calls | ❌ | ❌ | ❌ | ❌ | +| | Does start a call and add user operations honor shared line configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Start a 
call on behalf of the Teams user | ❌ | ❌ | ❌ | ❌ | +| | Read and configure shared line configuration | ❌ | ❌ | ❌ | ❌ | +| | Receive a call from Teams auto attendant | ✔️ | ✔️ | ✔️ | ✔️ | +| | Transfer a call to Teams auto attendant | ✔️ | ✔️ | ✔️ | ✔️ | +| | Receive a call from Teams call queue | ✔️ | ✔️ | ✔️ | ✔️ | +| | Transfer a call from Teams call queue | ✔️ | ✔️ | ✔️ | ✔️ | +| Teams calling policy | Honor "Make private calls" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Cloud recording for calling" | No API available | No API available |No API available |No API available | +| | Honor setting "Transcription" | No API available | No API available |No API available |No API available | +| | Honor setting "Call forwarding and simultaneous ringing to people in your organization" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Call forwarding and simultaneous ringing to external phone numbers" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Voicemail is available for routing inbound calls" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Inbound calls can be routed to call groups" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Delegation for inbound and outbound calls" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Prevent toll bypass and send calls through the PSTN" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Music on hold" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Busy on busy when in a call" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Real-time captions in Teams calls" | No API available | No API available |No API available |No API available | +| | Honor setting "Spam filtering" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "SIP devices can be used for calls" | ✔️ | ✔️ | ✔️ | ✔️ | +| DevOps | [Azure Metrics](../metrics.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Monitor](../analytics/logs/voice-and-video-logs.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Communication Services Insights](../analytics/insights/voice-and-video-insights.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Communication Services Voice and video calling 
events](../../../event-grid/communication-services-voice-video-events.md) | ❌ | ❌ | ❌ | ❌ | +| | [Teams Call Analytics](/MicrosoftTeams/use-call-analytics-to-troubleshoot-poor-call-quality) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Teams real-time Analytics](/microsoftteams/use-real-time-telemetry-to-troubleshoot-poor-meeting-quality) | ❌ | ❌ | ❌ | ❌ | +++1. The Share Screen capability can be achieved using Raw Media, if you want to learn, **how to add Raw Media**, visit [the quickstart guide](../../quickstarts/voice-video-calling/get-started-raw-media-access.md). +2. The Calling SDK doesn't have an explicit API, you need to use the OS (android & iOS) API to achieve it. Support for streaming, timeouts, platforms, and browsers is shared with [Communication Services calling SDK overview](../voice-video-calling/calling-sdk-features.md). |
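Review bot: The new table silently flips a capability: "Manage Teams closed captions" was ❌ in the removed JavaScript-only table and is now ✔️ in all four columns, and the removed "Accessibility | Receive closed captions | ❌" row has no counterpart in the new table; if these are intended changes rather than copy errors they should be called out, since the diff is otherwise presented as adding the Windows, Android and iOS columns. The two new footnotes also need rewording: "The Share Screen capability can be achieved using Raw Media, if you want to learn, **how to add Raw Media**, visit ..." is a comma splice (suggest "Screen sharing can be achieved with raw media access; to learn how to add raw media, see [the quickstart guide](...)"), and "The Calling SDK doesn't have an explicit API, you need to use the OS (android & iOS) API to achieve it" should be split into two sentences with "Android" capitalized.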
communication-services | Azure Ad Api Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/teams-user/azure-ad-api-permissions.md | Title: Azure AD API permissions for communication as Teams user + Title: Microsoft Entra API permissions for communication as Teams user -description: This article describes Azure AD API permissions for communication as a Teams user with Azure Communication Services. +description: This article describes Microsoft Entra API permissions for communication as a Teams user with Azure Communication Services. -# Azure AD permissions for communication as Teams user -In this article, you will learn about Azure AD permissions available for communication as a Teams user in Azure Communication Services. Azure AD application for Azure Communication Services provides delegated permissions for chat and calling. Both permissions are required to exchange Azure AD access token for Communication Services access token for Teams users. +# Microsoft Entra permissions for communication as Teams user +In this article, you will learn about Microsoft Entra permissions available for communication as a Teams user in Azure Communication Services. Microsoft Entra application for Azure Communication Services provides delegated permissions for chat and calling. Both permissions are required to exchange Microsoft Entra access token for Communication Services access token for Teams users. ## Delegated permissions None. - Application admin - Cloud application admin -Find more details in [Azure Active Directory documentation](../../../../active-directory/roles/permissions-reference.md). +Find more details in [Microsoft Entra documentation](../../../../active-directory/roles/permissions-reference.md). |
communication-services | Meeting Capabilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/teams-user/meeting-capabilities.md | -The Azure Communication Services Calling SDK for JavaScript enables Teams user devices to drive voice and video communication experiences. This page provides detailed descriptions of Teams meeting features. To get started right away, check out [Calling quickstarts](../../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md). +The Azure Communication Services Calling SDK enables Microsoft 365 users to join and participate in voice and video meeting experiences. This page provides detailed descriptions of Teams meeting features. To get started right away, check out [Calling quickstarts](../../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md). -The following list of capabilities is allowed when Teams user participates in Teams meeting: +The following list of capabilities is allowed when Microsoft 365 users participate in Teams meeting: -| Group of features | Capability | JavaScript | -| -- | - | - | -| Core Capabilities | Join Teams meeting | ✔️ | -| | Leave meeting | ✔️ | -| | End meeting for everyone | ✔️ | -| | Change meeting options | ❌ | -| | Lock & unlock meeting | ❌ | -| | Prevent joining locked meeting | ✔️ | -| | Honor assigned Teams meeting role | ✔️ | -| Mid call control | Turn your video on/off | ✔️ | -| | Mute/Unmute mic | ✔️ | -| | Switch between cameras | ✔️ | -| | Local hold/un-hold | ✔️ | -| | Indicator of dominant speakers in the call | ✔️ | -| | Choose speaker device for calls | ✔️ | -| | Choose microphone for calls | ✔️ | -| | Indicator of participant's state<br/>*Idle, Early media, Connecting, Connected, On hold, In Lobby, Disconnected* | ✔️ | -| | Indicator of call's state <br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ 
| -| | Indicate participants being muted | ✔️ | -| | Indicate participants' reasons for terminating the call | ✔️ | -| Screen sharing | Share the entire screen from within the application | ✔️ | -| | Share a specific application (from the list of running applications) | ✔️ | -| | Share a web browser tab from the list of open tabs | ✔️ | -| | Receive your screen sharing stream | ❌ | -| | Share content in "content-only" mode | ✔️ | -| | Receive video stream with content for "content-only" screen sharing experience | ✔️ | -| | Share content in "standout" mode | ❌ | -| | Receive video stream with content for a "standout" screen sharing experience | ❌ | -| | Share content in "side-by-side" mode | ❌ | -| | Receive video stream with content for "side-by-side" screen sharing experience | ❌ | -| | Share content in "reporter" mode | ❌ | -| | Receive video stream with content for "reporter" screen sharing experience | ❌ | -| Roster | List participants | ✔️ | -| | Add an Azure Communication Services user | ❌ | -| | Add a Teams user | ✔️ | -| | Adding Teams user honors Teams external access configuration | ✔️ | -| | Adding Teams user honors Teams guest access configuration | ✔️ | -| | Add a phone number | ✔️ | -| | Remove a participant | ✔️ | -| | Manage breakout rooms | ❌ | -| | Participation in breakout rooms | ❌ | -| | Admit participants in the lobby into the Teams meeting | ✔️ | -| | Be admitted from the lobby into the Teams meeting | ✔️ | -| | Promote participant to a presenter or attendee | ❌ | -| | Be promoted to presenter or attendee | ✔️ | -| | Disable or enable mic for attendees | ❌ | -| | Honor disabling or enabling a mic as an attendee | ✔️ | -| | Disable or enable camera for attendees | ❌ | -| | Honor disabling or enabling a camera as an attendee | ✔️ | -| | Adding Teams user honors information barriers | ✔️ | -| Device Management | Ask for permission to use audio and/or video | ✔️ | -| | Get camera list | ✔️ | -| | Set camera | ✔️ | -| | Get selected camera | ✔️ | 
-| | Get microphone list | ✔️ | -| | Set microphone | ✔️ | -| | Get selected microphone | ✔️ | -| | Get speakers list | ✔️ | -| | Set speaker | ✔️ | -| | Get selected speaker | ✔️ | -| Video Rendering | Render single video in many places (local camera or remote stream) | ✔️ | -| | Set / update scaling mode | ✔️ | -| | Render remote video stream | ✔️ | -| | See together mode video stream | ❌ | -| | See Large gallery view | ❌ | -| | Receive video stream from Teams media bot | ❌ | -| | Receive adjusted stream for "content from Camera" | ❌ | -| | Add and remove video stream from spotlight | ✔️ | -| | Allow video stream to be selected for spotlight | ✔️ | -| | Apply Teams background effects | ❌ | -| Recording & transcription | Manage Teams convenient recording | ❌ | -| | Receive information of call being recorded | ✔️ | -| | Manage Teams transcription | ❌ | -| | Receive information of call being transcribed | ✔️ | -| | Manage Teams closed captions | ❌ | -| | Support for compliance recording | ✔️ | -| | [Azure Communication Services recording](../../voice-video-calling/call-recording.md) | ❌ | -| Engagement | Raise and lower hand | ✔️ | -| | Indicate other participants' raised and lowered hands | ✔️ | -| | Trigger reactions | ❌ | -| | Indicate other participants' reactions | ❌ | -| Integrations | Control Teams third-party applications | ❌ | -| | Receive PowerPoint Live stream | ❌ | -| | Receive Whiteboard stream | ❌ | -| | Interact with a poll | ❌ | -| | Interact with a Q&A | ❌ | -| | Interact with a OneNote | ❌ | -| | Manage SpeakerCoach | ❌ | -| | [Include participant in Teams meeting attendance report](https://support.microsoft.com/office/view-and-download-meeting-attendance-reports-in-teams-ae7cf170-530c-47d3-84c1-3aedac74d310) | ❌ -| Accessibility | Receive closed captions | ❌ | -| | Communication access real-time translation (CART) | ❌ | -| | Language interpretation | ❌ | -| Advanced call routing | Does meeting dial-out honor forwarding rules | ✔️ | -| | Read and 
configure call forwarding rules | ❌ | -| | Does meeting dial-out honor simultaneous ringing | ✔️ | -| | Read and configure simultaneous ringing | ❌ | -| | Does meeting dial-out honor shared line configuration | ✔️ | -| | Dial-out from meeting on behalf of the Teams user | ❌ | -| | Read and configure shared line configuration | ❌ | -| Teams meeting policy | Honor setting "Let anonymous people join a meeting" | ✔️ | -| | Honor setting "Mode for IP audio" | ❌ | -| | Honor setting "Mode for IP video" | ❌ | -| | Honor setting "IP video" | ❌ | -| | Honor setting "Local broadcasting" | ❌ | -| | Honor setting "Media bit rate (kBps)" | ❌ | -| | Honor setting "Network configuration lookup" | ❌ | -| | Honor setting "Transcription" | No API available | -| | Honor setting "Cloud recording" | No API available | -| | Honor setting "Meetings automatically expire" | ✔️ | -| | Honor setting "Default expiration time" | ✔️ | -| | Honor setting "Store recordings outside of your country or region" | ✔️ | -| | Honor setting "Screen sharing mode" | No API available | -| | Honor setting "Participants can give or request control" | No API available | -| | Honor setting "External participants can give or request control" | No API available | -| | Honor setting "PowerPoint Live" | No API available | -| | Honor setting "Whiteboard" | No API available | -| | Honor setting "Shared notes" | No API available | -| | Honor setting "Select video filters" | ❌ | -| | Honor setting "Let anonymous people start a meeting" | ✔️ | -| | Honor setting "Who can present in meetings" | ❌ | -| | Honor setting "Automatically admit people" | ✔️ | -| | Honor setting "Dial-in users can bypass the lobby" | ✔️ | -| | Honor setting "Meet now in private meetings" | ✔️ | -| | Honor setting "Live captions" | No API available | -| | Honor setting "Chat in meetings" | ✔️ | -| | Honor setting "Teams Q&A" | No API available | -| | Honor setting "Meeting reactions" | No API available | -| DevOps | [Azure 
Metrics](../../metrics.md) | ✔️ | -| | [Azure Monitor](../../analytics/logs/voice-and-video-logs.md) | ✔️ | -| | [Azure Communication Services Insights](../../analytics/insights/voice-and-video-insights.md) | ✔️ | -| | [Azure Communication Services Voice and video calling events](../../../../event-grid/communication-services-voice-video-events.md) | ❌ | -| | [Teams Call Analytics](/MicrosoftTeams/use-call-analytics-to-troubleshoot-poor-call-quality) | ✔️ | -| | [Teams real-time Analytics](/microsoftteams/use-real-time-telemetry-to-troubleshoot-poor-meeting-quality) | ❌ | +| Group of features | Capability | JavaScript | Windows | Java (Android) | Objective-C (iOS)| +| -- | - | - | | | | +| Core Capabilities | Join Teams meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | Leave meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | End meeting for everyone | ✔️ | ✔️ | ✔️ | ✔️ | +| | Change meeting options | ❌ | ❌ | ❌ | ❌ | +| | Lock & unlock meeting | ❌ | ❌ | ❌ | ❌ | +| | Prevent joining locked meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor assigned Teams meeting role | ✔️ | ✔️ | ✔️ | ✔️ | +| Mid call control | Turn your video on/off | ✔️ | ✔️ | ✔️ | ✔️ | +| | Mute/Unmute mic | ✔️ | ✔️ | ✔️ | ✔️ | +| | Switch between cameras | ✔️ | ✔️ | ✔️ | ✔️ | +| | Local hold/un-hold | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicator of dominant speakers in the call | ✔️ | ✔️ | ✔️ | ✔️ | +| | Choose speaker device for calls | ✔️ | ✔️ | ❌<sup>2</sup> | ❌<sup>2</sup> | +| | Choose microphone for calls | ✔️ | ✔️ | ❌<sup>2</sup> | ❌<sup>2</sup> | +| | Indicator of participant's state<br/>*Idle, Early media, Connecting, Connected, On hold, In Lobby, Disconnected* | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicator of call's state <br/>*Early Media, Incoming, Connecting, Ringing, Connected, Hold, Disconnecting, Disconnected* | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicate participants being muted | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicate participants' reasons for terminating the call | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get associated toll and toll-free phone numbers with the meeting 
| ✔️ | ❌ | ❌ | ❌ | +| Screen sharing | Share the entire screen from within the application | ✔️ | ✔️<sup>1</sup> | ✔️<sup>1</sup> | ✔️<sup>1</sup> | +| | Share a specific application (from the list of running applications) | ✔️ | ✔️<sup>1</sup> | ❌ | ❌ | +| | Share a web browser tab from the list of open tabs | ✔️ | ✔️ | ✔️ | ✔️ | +| | Receive your screen sharing stream | ❌ | ❌ | ❌ | ❌ | +| | Share content in "content-only" mode | ✔️ | ✔️ | ✔️ | ✔️ | +| | Receive video stream with content for "content-only" screen sharing experience | ✔️ | ✔️ | ✔️ | ✔️ | +| | Share content in "standout" mode | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream with content for a "standout" screen sharing experience | ❌ | ❌ | ❌ | ❌ | +| | Share content in "side-by-side" mode | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream with content for "side-by-side" screen sharing experience | ❌ | ❌ | ❌ | ❌ | +| | Share content in "reporter" mode | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream with content for "reporter" screen sharing experience | ❌ | ❌ | ❌ | ❌ | +| | Share system audio during screen sharing | ✔️ | ❌ | ❌ | ❌ | +| Roster | List participants | ✔️ | ✔️ | ✔️ | ✔️ | +| | Add an Azure Communication Services user | ❌ | ❌ | ❌ | ❌ | +| | Add a Teams user | ✔️ | ✔️ | ✔️ | ✔️ | +| | Adding Teams user honors Teams external access configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Adding Teams user honors Teams guest access configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Add a phone number | ✔️ | ✔️ | ✔️ | ✔️ | +| | Remove a participant | ✔️ | ✔️ | ✔️ | ✔️ | +| | Manage breakout rooms | ❌ | ❌ | ❌ | ❌ | +| | Participation in breakout rooms | ❌ | ❌ | ❌ | ❌ | +| | Admit participants in the lobby into the Teams meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | Be admitted from the lobby into the Teams meeting | ✔️ | ✔️ | ✔️ | ✔️ | +| | Promote participant to a presenter or attendee | ❌ | ❌ | ❌ | ❌ | +| | Be promoted to presenter or attendee | ✔️ | ✔️ | ✔️ | ✔️ | +| | Disable or enable mic for attendees | ❌ | ❌ | ❌ | ❌ | +| | Honor disabling 
or enabling a mic as an attendee | ✔️ | ✔️ | ✔️ | ✔️ | +| | Disable or enable camera for attendees | ❌ | ❌ | ❌ | ❌ | +| | Honor disabling or enabling a camera as an attendee | ✔️ | ✔️ | ✔️ | ✔️ | +| | Adding Teams user honors information barriers | ✔️ | ✔️ | ✔️ | ✔️ | +| Device Management | Ask for permission to use audio and/or video | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get camera list | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set camera | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get selected camera | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get microphone list | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set microphone | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get selected microphone | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get speakers list | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set speaker | ✔️ | ✔️ | ✔️ | ✔️ | +| | Get selected speaker | ✔️ | ✔️ | ✔️ | ✔️ | +| Video Rendering | Render single video in many places (local camera or remote stream) | ✔️ | ✔️ | ✔️ | ✔️ | +| | Set / update scaling mode | ✔️ | ✔️ | ✔️ | ✔️ | +| | Render remote video stream | ✔️ | ✔️ | ✔️ | ✔️ | +| | See together mode video stream | ❌ | ❌ | ❌ | ❌ | +| | See Large gallery view | ❌ | ❌ | ❌ | ❌ | +| | Receive video stream from Teams media bot | ❌ | ❌ | ❌ | ❌ | +| | Receive adjusted stream for "content from Camera" | ❌ | ❌ | ❌ | ❌ | +| | Add and remove video stream from spotlight | ✔️ | ✔️ | ✔️ | ✔️ | +| | Allow video stream to be selected for spotlight | ✔️ | ✔️ | ✔️ | ✔️ | +| Video Effects | [Background Blur](../../../quickstarts/voice-video-calling/get-started-video-effects.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | Custom background image | ✔️ | ❌ | ❌ | ❌ | +| Recording & transcription | Manage Teams convenient recording | ❌ | ❌ | ❌ | ❌ | +| | Receive information of call being recorded | ✔️ | ✔️ | ✔️ | ✔️ | +| | Manage Teams transcription | ❌ | ❌ | ❌ | ❌ | +| | Receive information of call being transcribed | ✔️ | ✔️ | ✔️ | ✔️ | +| | Support for compliance recording | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Communication Services recording](../../voice-video-calling/call-recording.md) | ❌ | ❌ | ❌ | ❌ | +| Engagement | 
Raise and lower hand | ✔️ | ✔️ | ✔️ | ✔️ | +| | Indicate other participants' raised and lowered hands | ✔️ | ✔️ | ✔️ | ✔️ | +| | Trigger reactions | ❌ | ❌ | ❌ | ❌ | +| | Indicate other participants' reactions | ❌ | ❌ | ❌ | ❌ | +| Integrations | Control Teams third-party applications | ❌ | ❌ | ❌ | ❌ | +| | Receive PowerPoint Live stream | ❌ | ❌ | ❌ | ❌ | +| | Receive Whiteboard stream | ❌ | ❌ | ❌ | ❌ | +| | Interact with a poll | ❌ | ❌ | ❌ | ❌ | +| | Interact with a Q&A | ❌ | ❌ | ❌ | ❌ | +| | Interact with a OneNote | ❌ | ❌ | ❌ | ❌ | +| | Manage SpeakerCoach | ❌ | ❌ | ❌ | ❌ | +| | [Include participant in Teams meeting attendance report](https://support.microsoft.com/office/view-and-download-meeting-attendance-reports-in-teams-ae7cf170-530c-47d3-84c1-3aedac74d310) | ❌ | ❌ | ❌ | ❌ | +| Accessibility | Receive closed captions | ✔️ | ✔️ | ✔️ | ✔️ | +| | Communication access real-time translation (CART) | ❌ | ❌ | ❌ | ❌ | +| | Language interpretation | ❌ | ❌ | ❌ | ❌ | +| Advanced call routing | Does meeting dial-out honor forwarding rules | ✔️ | ✔️ | ✔️ | ✔️ | +| | Read and configure call forwarding rules | ❌ | ❌ | ❌ | ❌ | +| | Does meeting dial-out honor simultaneous ringing | ✔️ | ✔️ | ✔️ | ✔️ | +| | Read and configure simultaneous ringing | ❌ | ❌ | ❌ | ❌ | +| | Does meeting dial-out honor shared line configuration | ✔️ | ✔️ | ✔️ | ✔️ | +| | Dial-out from meeting on behalf of the Teams user | ❌ | ❌ | ❌ | ❌ | +| | Read and configure shared line configuration | ❌ | ❌ | ❌ | ❌ | +| Teams meeting policy | Honor setting "Let anonymous people join a meeting" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Mode for IP audio" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Mode for IP video" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "IP video" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Local broadcasting" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Media bit rate (kBps)" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Network configuration lookup" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Transcription" | No API available | 
No API available | No API available | No API available | +| | Honor setting "Cloud recording" | No API available | No API available | No API available | No API available | +| | Honor setting "Meetings automatically expire" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Default expiration time" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Store recordings outside of your country or region" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Screen sharing mode" | No API available | No API available | No API available | No API available | +| | Honor setting "Participants can give or request control" | No API available | No API available | No API available | No API available | +| | Honor setting "External participants can give or request control" | No API available | No API available | No API available | No API available | +| | Honor setting "PowerPoint Live" | No API available | No API available | No API available | No API available | +| | Honor setting "Whiteboard" | No API available | No API available | No API available | No API available | +| | Honor setting "Shared notes" | No API available | No API available | No API available | No API available | +| | Honor setting "Select video filters" | ❌ | ❌ | ❌ | ❌ | +| | Honor setting "Let anonymous people start a meeting" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Who can present in meetings" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Automatically admit people" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Dial-in users can bypass the lobby" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Meet now in private meetings" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Live captions" | No API available | No API available | No API available | No API available | +| | Honor setting "Chat in meetings" | ✔️ | ✔️ | ✔️ | ✔️ | +| | Honor setting "Teams Q&A" | No API available | No API available | No API available | No API available | +| | Honor setting "Meeting reactions" | No API available | No API available | No API available | No API available | +| DevOps | [Azure 
Metrics](../../metrics.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Monitor](../../analytics/logs/voice-and-video-logs.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Communication Services Insights](../../analytics/insights/voice-and-video-insights.md) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Azure Communication Services Voice and video calling events](../../../../event-grid/communication-services-voice-video-events.md) | ❌ | ❌ | ❌ | ❌ | +| | [Teams Call Analytics](/MicrosoftTeams/use-call-analytics-to-troubleshoot-poor-call-quality) | ✔️ | ✔️ | ✔️ | ✔️ | +| | [Teams real-time Analytics](/microsoftteams/use-real-time-telemetry-to-troubleshoot-poor-meeting-quality) | ❌ | ❌ | ❌ | ❌ | +1. The Share Screen capability can be achieved using Raw Media, if you want to learn, **how to add Raw Media**, visit [the quickstart guide](../../../quickstarts/voice-video-calling/get-started-raw-media-access.md). +2. The Calling SDK doesn't have an explicit API, you need to use the OS (android & iOS) API to achieve it. ## Teams meeting options Teams meeting organizers can configure the Teams meeting options to adjust the e | [Always let callers bypass the lobby](/microsoftteams/meeting-policies-participants-and-guests#allow-dial-in-users-to-bypass-the-lobby)| Participants joining through phone can bypass lobby | Not applicable | | Announce when callers join or leave| Participants hear announcement sounds when phone participants join and leave the meeting | ✔️ | | [Choose co-organizers](https://support.microsoft.com/office/add-co-organizers-to-a-meeting-in-teams-0de2c31c-8207-47ff-ae2a-fc1792d466e2)| Teams user can be selected as co-organizer. It affects the availability of actions in Teams meetings. | ✔️ |-| [Who can present in meetings](/microsoftteams/meeting-policies-in-teams-general#designated-presenter-role-mode) | Controls who in the Teams meeting can share screen. 
| ❌ | +| [Who can present in meetings](/microsoftteams/meeting-policies-in-teams-general#designated-presenter-role-mode) | Controls who in the Teams meeting can share screen. | ✔️ | |[Manage what attendees see](https://support.microsoft.com/office/spotlight-someone-s-video-in-a-teams-meeting-58be74a4-efac-4e89-a212-8d198182081e)|Teams organizer, co-organizer and presenter can spotlight videos for everyone. Azure Communication Services does not receive the spotlight signals. |❌| |[Allow mic for attendees](https://support.microsoft.com/office/manage-attendee-audio-and-video-permissions-in-teams-meetings-f9db15e1-f46f-46da-95c6-34f9f39e671a)|If Teams user is attendee, then this option controls whether Teams user can send local audio |✔️| |[Allow camera for attendees](https://support.microsoft.com/office/manage-attendee-audio-and-video-permissions-in-teams-meetings-f9db15e1-f46f-46da-95c6-34f9f39e671a)|If Teams user is attendee, then this option controls whether Teams user can send local video |✔️| |
communication-services | Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/interop/teams-user/security.md | -In this article, you'll learn about the security measures and frameworks implemented by Microsoft Teams, Azure Communication Services, and Azure Active Directory to provide a secure collaboration environment. The products implement data encryption, secure real-time communication, two-factor authentication, user authentication, and authorization to prevent common security threats. The security frameworks for these services are based on industry standards and best practices. +In this article, you'll learn about the security measures and frameworks implemented by Microsoft Teams, Azure Communication Services, and Microsoft Entra ID to provide a secure collaboration environment. The products implement data encryption, secure real-time communication, two-factor authentication, user authentication, and authorization to prevent common security threats. The security frameworks for these services are based on industry standards and best practices. ## Microsoft Teams-Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. 
Additionally, Teams integrates with Microsoft's suite of security products and services, such as Azure Active Directory, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide). Additionally, you can find more about Microsoft's [resiliency and continuity here](/compliance/assurance/assurance-data-resiliency-overview). +Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Microsoft Entra ID, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide). Additionally, you can find more about Microsoft's [resiliency and continuity here](/compliance/assurance/assurance-data-resiliency-overview). ## Azure Communication Services-Azure Communication Services handles security by implementing various security measures to prevent and mitigate common security threats. These measures include data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and authentication mechanisms to verify the identity of users. 
The security framework for Azure Communication Services is based on industry standards and best practices. Azure also undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure Communication Services integrates with other Azure security services, such as Azure Active Directory, to provide customers with a comprehensive security solution. Customers can also control access to the services and manage their security settings through the Azure portal. You can learn here more about [Azure security baseline](/security/benchmark/azure/baselines/azure-communication-services-security-baseline?toc=/azure/communication-services/toc.json), about security of [call flows](../../call-flows.md) and [call flow topologies](../../detailed-call-flows.md). +Azure Communication Services handles security by implementing various security measures to prevent and mitigate common security threats. These measures include data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and authentication mechanisms to verify the identity of users. The security framework for Azure Communication Services is based on industry standards and best practices. Azure also undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure Communication Services integrates with other Azure security services, such as Microsoft Entra ID, to provide customers with a comprehensive security solution. Customers can also control access to the services and manage their security settings through the Azure portal. You can learn here more about [Azure security baseline](/security/benchmark/azure/baselines/azure-communication-services-security-baseline?toc=/azure/communication-services/toc.json), about security of [call flows](../../call-flows.md) and [call flow topologies](../../detailed-call-flows.md). 
-## Azure Active Directory -Azure Active Directory provides a range of security features for Microsoft Teams to help handle common security threats and provide a secure collaboration environment. Azure AD helps to secure user authentication and authorization, allowing administrators to manage user access to Teams and other applications through a single, centralized platform. Azure AD also integrates with Teams to provide multi-factor authentication and conditional access policies, which can be used to enforce security policies and control access to sensitive information. The security framework for Azure Active Directory is based on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security that covers all stages of development. Azure AD undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure AD integrates with other Azure security services, such as Azure Information Protection, to provide customers with a comprehensive security solution. You can learn here more about [Azure identity management security](../../../../security/fundamentals/identity-management-overview.md). +<a name='azure-active-directory'></a> ++## Microsoft Entra ID +Microsoft Entra ID provides a range of security features for Microsoft Teams to help handle common security threats and provide a secure collaboration environment. Microsoft Entra ID helps to secure user authentication and authorization, allowing administrators to manage user access to Teams and other applications through a single, centralized platform. Microsoft Entra ID also integrates with Teams to provide multi-factor authentication and conditional access policies, which can be used to enforce security policies and control access to sensitive information. 
The security framework for Microsoft Entra ID is based on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security that covers all stages of development. Microsoft Entra undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Microsoft Entra ID integrates with other Azure security services, such as Azure Information Protection, to provide customers with a comprehensive security solution. You can learn here more about [Azure identity management security](../../../../security/fundamentals/identity-management-overview.md). |
communication-services | Join Teams Meeting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/join-teams-meeting.md | Custom applications built with Azure Communication Services to connect and commu ## Meeting experience -As with Teams anonymous meeting join, your application must have the meeting link to join, which can be retrieved via the Graph API or from the calendar in Microsoft Teams. The name of BYOI users that is displayed in Teams is configurable via the Communication Services Calling SDK. They are labeled as “external” to let Teams users know they weren't authenticated using Azure Active Directory. +As with Teams anonymous meeting join, your application must have the meeting link to join, which can be retrieved via the Graph API or from the calendar in Microsoft Teams. The name of BYOI users that is displayed in Teams is configurable via the Communication Services Calling SDK. They are labeled as “external” to let Teams users know they weren't authenticated using Microsoft Entra ID. A Communication Service user won't be admitted to a Teams meeting until there is at least one Teams user present in the meeting. Once a Teams user is present, then the Communication Services user will wait in the lobby until explicitly admitted by a Teams user, unless the "Who can bypass the lobby?" meeting policy/setting is set to "Everyone". |
communication-services | Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/metrics.md | The following operations are available on Authentication API request metrics: | DeleteIdentity | Deletes an identity. | | CreateToken | Creates an access token. | | RevokeToken | Revokes all access tokens created for an identity before a time given. |-| ExchangeTeamsUserAccessToken | Exchange an Azure Active Directory (Azure AD) access token of a Teams user for a new Communication Identity access token with a matching expiration time.| +| ExchangeTeamsUserAccessToken | Exchange a Microsoft Entra access token of a Teams user for a new Communication Identity access token with a matching expiration time.| :::image type="content" source="./media/acs-auth-metrics.png" alt-text="Screenshot of authentication Request Metric." lightbox="./media/acs-auth-metrics.png"::: |
communication-services | Phone Number Management For Indonesia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/phone-number-management-for-indonesia.md | Use the below tables to find all the relevant information on number availability | Number Type | Send SMS | Receive SMS | Make Calls | Receive Calls | | :- | :- | :- | :- | : |-| Toll-Free | - | - | - | Public Preview\* | +| Toll-Free | - | - | - | General Availability\* | \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details. |
communication-services | Sub Eligibility Number Capability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/numbers/sub-eligibility-number-capability.md | Numbers can be purchased on eligible Azure subscriptions and in geographies wher > - [France](../numbers/phone-number-management-for-france.md) > - [Germany](../numbers/phone-number-management-for-germany.md) > - [Hong Kong SAR](../numbers/phone-number-management-for-hong-kong.md)+> - [Indonesia](../numbers/phone-number-management-for-indonesia.md) > - [Ireland](../numbers/phone-number-management-for-ireland.md) > - [Israel](../numbers/phone-number-management-for-israel.md) > - [Italy](../numbers/phone-number-management-for-italy.md) |
communication-services | Teams Interop Pricing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/pricing/teams-interop-pricing.md | The following sections cover communication defined based on the criteria mention ## Communication as Teams external user -Teams external user is a user that does not belong to any Azure AD tenant, and Teams administrator regulates its access via policies targeting `Teams anonymous users`. +Teams external user is a user that does not belong to any Microsoft Entra tenant, and Teams administrator regulates its access via policies targeting `Teams anonymous users`. ### Teams clients Teams meeting organizer's license covers the usage generated by Teams external users joining Teams meeting via built-in experience in Teams web, desktop, and mobile clients. The Teams meeting organizer's license does not cover the usage generated in the third-party Teams extension and Teams app. The following table shows the price of using Teams clients as Teams external users: Teams external users in the lobby or on hold generate consumption on the Azure C ## Communication as Teams user -Teams user is an Azure AD user with appropriate licenses. Teams users can be from the same or different organizations, depending on the Azure AD tenant. Teams administrator regulates the communication of Teams users via policies targeting `people in my organization` and `people in trusted organization`. +Teams user is a Microsoft Entra user with appropriate licenses. Teams users can be from the same or different organizations, depending on the Microsoft Entra tenant. Teams administrator regulates the communication of Teams users via policies targeting `people in my organization` and `people in trusted organization`. ### Teams clients Teams meeting organizer's license covers the usage generated by Teams users joining Teams meetings and participating in calls via built-in experience in Teams web, desktop, and mobile clients. 
The Teams license does not cover the usage generated in third-party Teams extensions and Teams apps. The following table shows the price of using Teams clients as Teams users: |
communication-services | Teams Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/teams-endpoint.md | The diagrams in the next sections demonstrate multi-tenant use cases where the f Voice, video, and screen-sharing capabilities are provided via [Azure Communication Services Calling SDKs](./interop/teams-user-calling.md). The following diagram shows an overview of the process you'll follow as you integrate your calling experiences with Azure Communication Services support Teams identities. -You can use the Azure Communication Services Identity SDK to exchange Azure Active Directory (Azure AD) access tokens of Teams users for Communication Identity access tokens. +You can use the Azure Communication Services Identity SDK to exchange Microsoft Entra access tokens of Teams users for Communication Identity access tokens. ![Diagram of the process to integrate the calling capabilities into your product with Azure Communication Services.](./media/teams-identities/teams-identity-calling-overview.svg) |
communication-services | Teams Interop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/teams-interop.md | Azure Communication Services can be used to build custom applications and experi Azure Communication Services supports two types of Teams interoperability depending on the identity of the user: -- **[External user](#external-user).** You control user authentication, and users of your custom applications don't need to have Azure Active Directory identities or Teams licenses. This model allows you to build custom applications for non-Teams users to connect and communicate with Teams users.-- **[Teams user](#teams-user).** Azure Active Directory controls user authentication, and users of your custom application must have Teams licenses. This model allows you to build custom applications for Teams users to enable specialized workflows or experiences that are impossible with the existing Teams clients.+- **[External user](#external-user).** You control user authentication, and users of your custom applications don't need to have Microsoft Entra identities or Teams licenses. This model allows you to build custom applications for non-Teams users to connect and communicate with Teams users. +- **[Teams user](#teams-user).** Microsoft Entra ID controls user authentication, and users of your custom application must have Teams licenses. This model allows you to build custom applications for Teams users to enable specialized workflows or experiences that are impossible with the existing Teams clients. Applications can implement both authentication models and leave the choice of authentication up to the user. 
The following table compares two models: |Feature|External user| Teams user| |||| |Target user base|Customers|Enterprise|-|Identity provider|Any|Azure Active Directory| -| Display name |Any with the suffix "(External)"| Azure Active Directory user's value of the property "Display name" | -|Authentication & authorization|Custom*| Azure Active Directory and custom*| +|Identity provider|Any|Microsoft Entra ID| +| Display name |Any with the suffix "(External)"| Microsoft Entra user's value of the property "Display name" | +|Authentication & authorization|Custom*| Microsoft Entra ID and custom*| |Calling available via | Communication Services Calling SDKs | Communication Services Calling SDKs | |Chat is available via | Communication Services Chat SDKs | Graph API | |Join Teams meetings | Yes | Yes | Applications can implement both authentication models and leave the choice of au ## External user -The bring your own identity (BYOI) authentication model allows you to build custom applications for external users to connect and communicate with Teams users. You control user authentication, and users of your custom applications don't need to have Azure Active Directory identities or Teams licenses. The first scenario that has been enabled allows users of your application to join Microsoft Teams meetings as external accounts, similar to [anonymous users that join meetings](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) using the Teams web application. This is ideal for business-to-consumer applications that combine employees (familiar with Teams) and external users (using a custom application) into a meeting experience. In the future, we will be enabling additional scenarios, including direct calling and chat which will allow your application to initiate calls and chats with Teams users outside the context of a Teams meeting. 
+The bring your own identity (BYOI) authentication model allows you to build custom applications for external users to connect and communicate with Teams users. You control user authentication, and users of your custom applications don't need to have Microsoft Entra identities or Teams licenses. The first scenario that has been enabled allows users of your application to join Microsoft Teams meetings as external accounts, similar to [anonymous users that join meetings](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) using the Teams web application. This is ideal for business-to-consumer applications that combine employees (familiar with Teams) and external users (using a custom application) into a meeting experience. In the future, we will be enabling additional scenarios, including direct calling and chat which will allow your application to initiate calls and chats with Teams users outside the context of a Teams meeting. For more information, see [Join a Teams meeting](join-teams-meeting.md). It is currently not possible for a Teams user to join a call that was initiated ## Teams user -Developers can use [Communication Services Calling SDK with Teams identity](./interop/teams-user-calling.md) to build custom applications for Teams users. Custom applications can enable specialized workflows for Teams users, such as managing incoming and outgoing phone calls or bringing Teams calling experience into devices not supported with the standard Teams client. Azure Active Directory authenticates Teams users, and all attributes and details about the user are bound to their Azure Active Directory account. +Developers can use [Communication Services Calling SDK with Teams identity](./interop/teams-user-calling.md) to build custom applications for Teams users. 
Custom applications can enable specialized workflows for Teams users, such as managing incoming and outgoing phone calls or bringing Teams calling experience into devices not supported with the standard Teams client. Microsoft Entra authenticates Teams users, and all attributes and details about the user are bound to their Microsoft Entra account. When a Communication Services endpoint connects to a Teams meeting or Teams call using a Teams identity, the endpoint is treated like a Teams user with a Teams client. The experience is driven by policies assigned to users within and outside of the organization. Teams users can join Teams meetings, place calls to other Teams users, receive calls from phone numbers, and transfer an ongoing call to the Teams call queue or share screen. -Teams users authenticate against Azure Active Directory in the client application. Developers then exchange authentication tokens from Azure Active Directory for access tokens via the Communication Services Identity SDK. This exchange creates a connection between Azure Active Directory and Communication Services. You are encouraged to implement an exchange of tokens in your backend services as credentials for Azure Communication Services sign exchange requests. In your backend services, you can require any additional authentication. +Teams users authenticate against Microsoft Entra ID in the client application. Developers then exchange authentication tokens from Microsoft Entra ID for access tokens via the Communication Services Identity SDK. This exchange creates a connection between Microsoft Entra ID and Communication Services. You are encouraged to implement an exchange of tokens in your backend services as credentials for Azure Communication Services sign exchange requests. In your backend services, you can require any additional authentication. ## Teams meeting and calling experiences |
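Review bot: in the Teams user hunk, the `+` line keeps the sentence "You are encouraged to implement an exchange of tokens in your backend services as credentials for Azure Communication Services sign exchange requests" unchanged, and its second half is ungrammatical and hides the security reason for the recommendation. Suggest rewording to "Perform the token exchange in your backend services: exchange requests are signed with Azure Communication Services credentials, which must not be shipped to client applications", which matches the NOTE in the Manage Teams Identity quickstart that exchange requests are signed with a secret.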
communication-services | Troubleshooting Info | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/troubleshooting-info.md | These are accessed by looking at where your app is keeping its local data. There 6. Please attach all the `*.blog` and `*.etl` files to your Azure support request. -## Finding Azure Active Directory information +<a name='finding-azure-active-directory-information'></a> ++## Finding Microsoft Entra information * **Getting Directory ID** * **Getting Application ID** These are accessed by looking at where your app is keeping its local data. There To find your Directory (tenant) ID, follow the steps listed below: 1. Navigate to [Azure portal](https://portal.azure.com) and sign in to the Azure portal using the credentials.-1. From the left-pane, select Azure Active Directory. -1. From **Overview** page in Azure AD, copy the Directory (tenant) ID and store it in your application code. +1. From the left-pane, select Microsoft Entra ID. +1. From **Overview** page in Microsoft Entra ID, copy the Directory (tenant) ID and store it in your application code. - ![Screenshot of how to copy Azure Active Directory tenant ID and store it.](./media/troubleshooting/copy-aad-directory-id.png) + ![Screenshot of how to copy Microsoft Entra tenant ID and store it.](./media/troubleshooting/copy-aad-directory-id.png) ## Getting Application ID To find your Application ID, follow the steps listed below: 1. Navigate to [Azure portal](https://portal.azure.com) and sign in to the Azure portal using the credentials.-1. From the left-pane, select Azure Active Directory. -1. From **App registrations** in Azure AD, select your application. +1. From the left-pane, select Microsoft Entra ID. +1. From **App registrations** in Microsoft Entra ID, select your application. 1. Copy the **Application ID** and store it in your application code. 
- ![Screenshot of how to copy Azure Active Directory application ID and store it.](./media/troubleshooting/copy-aad-application-id.png) + ![Screenshot of how to copy Microsoft Entra application ID and store it.](./media/troubleshooting/copy-aad-application-id.png) The directory (tenant) ID can also be found in the application overview page. To find your Application ID, follow the steps listed below: To find your User ID, follow the steps listed below: 1. Navigate to [Azure portal](https://portal.azure.com) and sign in to the Azure portal using the credentials.-1. From the left-pane, select Azure Active Directory. -1. From **Users** in Azure AD, select your user. -1. From **Profile** page in Azure AD Users, copy the **Object ID** and store it in your application code. +1. From the left-pane, select Microsoft Entra ID. +1. From **Users** in Microsoft Entra ID, select your user. +1. From **Profile** page in Microsoft Entra users, copy the **Object ID** and store it in your application code. - ![Screenshot of how to copy Azure Active Directory user ID and store it.](./media/troubleshooting/copy-aad-user-id.png) + ![Screenshot of how to copy Microsoft Entra user ID and store it.](./media/troubleshooting/copy-aad-user-id.png) ## Getting immutable resource ID Sometimes you also need to provide immutable resource ID of your Communication Service resource. To find it, follow the steps listed below: The Azure Communication Services SMS SDK uses the following error codes to help - Log Filename APIs for Calling SDK - [Metrics](metrics.md) - [Service limits](service-limits.md)-- |
communication-services | Calling Sdk Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md | The following list presents the set of features that are currently available in | Screen sharing | Share the entire screen from within the application | ✔️ | ✔️<sup>2</sup> | ✔️<sup>2</sup> | ✔️<sup>2</sup> | | | Share a specific application (from the list of running applications) | ✔️ | ✔️<sup>2</sup> | ❌ | ❌ | | | Share a web browser tab from the list of open tabs | ✔️ | | | |-| | Share system audio during screen sharing | ❌ | ❌ | ❌ | ❌ | +| | Share system audio during screen sharing | ✔️ | ❌ | ❌ | ❌ | | | Participant can view remote screen share | ✔️ | ✔️ | ✔️ | ✔️ | | Roster | List participants | ✔️ | ✔️ | ✔️ | ✔️ | | | Remove a participant | ✔️ | ✔️ | ✔️ | ✔️ | The Azure Communication Services Calling SDK supports the following streaming co | **Maximum # of incoming remote streams that can be rendered simultaneously** | 9 videos + 1 screen sharing on desktop browsers*, 4 videos + 1 screen sharing on web mobile browsers | 9 videos + 1 screen sharing | \* Starting from ACS Web Calling SDK version [1.16.3](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md#1163-stable-2023-08-24)-While the Calling SDK don't enforce these limits, your users may experience performance degradation if they're exceeded. Use the API of [Optimal Video Count](../../how-tos/calling-sdk/manage-video.md?pivots=platform-web#remote-video-quality) to determine how many current incoming video streams your web environment can support. +While the Calling SDK don't enforce these limits, your users might experience performance degradation if they're exceeded. 
Use the API of [Optimal Video Count](../../how-tos/calling-sdk/manage-video.md?pivots=platform-web#remote-video-quality) to determine how many current incoming video streams your web environment can support. ## Calling SDK timeouts The following table represents the set of supported browsers, which are currentl - Outgoing Screen Sharing isn't supported on iOS or Android mobile browsers. - Firefox support is in public preview. - Currently, the calling SDK only supports Android System WebView on Android, iOS WebView(WKWebView) in public preview. Other types of embedded browsers or WebView on other OS platforms aren't officially supported, for example, GeckoView, Chromium Embedded Framework (CEF), Microsoft Edge WebView2.-Running JavaScript Calling SDK on these platforms isn't actively tested, it may or may not work. +Running JavaScript Calling SDK on these platforms isn't actively tested, it might or might not work. - [An iOS app on Safari can't enumerate/select mic and speaker devices](../known-issues.md#enumerating-devices-isnt-possible-in-safari-when-the-application-runs-on-ios-or-ipados) (for example, Bluetooth); this issue is a limitation of the OS, and there's always only one device, OS controls default device selection. ## Android Calling SDK support |
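Review bot: the hunk that flips "Share system audio during screen sharing" from ❌ to ✔️ in the first column (the same column that alone supports sharing a browser tab) gives no SDK version or footnote, while neighbouring rows qualify support with `<sup>2</sup>` and the streaming section pins a capability to Web Calling SDK 1.16.3. Suggest adding the release from which system audio sharing is supported, or a numbered footnote, so readers know which SDK version to require.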
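Review bot: the `+` line "While the Calling SDK don't enforce these limits, your users might experience performance degradation if they're exceeded." changes "may" to "might" but leaves the subject-verb disagreement; use "doesn't enforce". In the browser-support hunk, "isn't actively tested, it might or might not work" is a comma splice; suggest "isn't actively tested and might not work".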
communication-services | Teams Interop Call Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/how-tos/call-automation/teams-interop-call-automation.md | Tenant level setting that enables/disables federation between their tenant and s [Set-CsExternalAccessPolicy (SkypeForBusiness)](/powershell/module/skype/set-csexternalaccesspolicy) User policy that allows the admin to further control which users in their organization can participate in federated communications with Communication Services users. -## Step 2: Use the Graph API to get Azure AD object ID for Teams users and optionally check their presence -A Teams userΓÇÖs Azure Active Directory (Azure AD) object ID (OID) is required to add them to or transfer to them from a Communication Services call. The OID can be retrieved through 1) Office portal, 2) Azure AD portal, 3) Azure AD Connect; or 4) Graph API. The example below uses Graph API. +<a name='step-2-use-the-graph-api-to-get-azure-ad-object-id-for-teams-users-and-optionally-check-their-presence'></a> -Consent must be granted by an Azure AD admin before Graph can be used to search for users, learn more by following on the [Microsoft Graph Security API overview](/graph/security-concept-overview) document. The OID can be retrieved using the list users API to search for users. The following shows a search by display name, but other properties can be searched as well: +## Step 2: Use the Graph API to get Microsoft Entra object ID for Teams users and optionally check their presence +A Teams userΓÇÖs Microsoft Entra object ID (OID) is required to add them to or transfer to them from a Communication Services call. The OID can be retrieved through 1) Office portal, 2) Microsoft Entra admin center, 3) Microsoft Entra Connect; or 4) Graph API. The example below uses Graph API. 
++Consent must be granted by a Microsoft Entra admin before Graph can be used to search for users, learn more by following on the [Microsoft Graph Security API overview](/graph/security-concept-overview) document. The OID can be retrieved using the list users API to search for users. The following shows a search by display name, but other properties can be searched as well: [List users using Microsoft Graph v1.0](/graph/api/user-list): ```rest |
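Review bot: in the Step 2 hunk, the `+` line "Consent must be granted by a Microsoft Entra admin before Graph can be used to search for users, learn more by following on the [Microsoft Graph Security API overview](/graph/security-concept-overview) document" links the Security API overview for what is a directory-read consent on the list users API, so the link target does not match the stated purpose, and "learn more by following on the ... document" is ungrammatical. Suggest pointing to the Graph permissions reference for the directory-read permission the list users call requires (User.Read.All or equivalent) and rewording to "Before Graph can be used to search for users, a Microsoft Entra admin must grant consent; see ...".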
communication-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/overview.md | Find comprehensive components, composites, and UX guidance in the [UI Library De There are two other Microsoft communication products you may consider using, these products aren't directly interoperable with Communication Services at this time: + - [Microsoft Graph Cloud Communication APIs](/graph/cloud-communications-concept-overview) allow organizations to build communication experiences tied to Microsoft Entra users with Microsoft 365 licenses. This workflow is ideal for applications tied to Microsoft Entra ID or where you want to extend productivity experiences in Microsoft Teams. There are also APIs to build applications and customization within the [Teams experience.](/microsoftteams/platform/?preserve-view=true&view=msteams-client-js-latest) - [Azure PlayFab Party](/gaming/playfab/features/multiplayer/networking/) simplifies adding low-latency chat and data communication to games. While you can power gaming chat and networking systems with Communication Services, PlayFab is a tailored option and free on Xbox. |
communication-services | Eligible Teams Licenses | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/eligible-teams-licenses.md | -To use Azure Communication Services support for Teams users, you need an Azure Active Directory instance with users that have a valid Teams license. Furthermore, license must be assigned to the administrators or relevant users. Also, note that [MSA accounts (personal Microsoft accounts)](../../active-directory/external-identities/microsoft-account.md) are not supported. This article describes the service plans requirements to use Azure Communication Services support for Teams users. +To use Azure Communication Services support for Teams users, you need a Microsoft Entra instance with users that have a valid Teams license. Furthermore, license must be assigned to the administrators or relevant users. Also, note that [MSA accounts (personal Microsoft accounts)](../../active-directory/external-identities/microsoft-account.md) are not supported. This article describes the service plans requirements to use Azure Communication Services support for Teams users. ## Eligible products and service plans -Ensure that your Azure Active Directory users have at least one of the following eligible service plans or products: +Ensure that your Microsoft Entra users have at least one of the following eligible service plans or products: | Service Plan (friendly names) | Service Plan ID | Product names| |: |: | : | Ensure that your Azure Active Directory users have at least one of the following | TEAMS_AR_DOD | fd500458-c24c-478e-856c-a6067a8376cd | Office 365 E3_USGOV_DOD | | | | Microsoft 365 E3_USGOV_DOD | -For more information, see [Azure AD Product names and service plan identifiers](../../active-directory/enterprise-users/licensing-service-plan-reference.md). 
+For more information, see [Microsoft Entra Product names and service plan identifiers](../../active-directory/enterprise-users/licensing-service-plan-reference.md). ### How to find assigned service plans and products? |
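Review bot: the `+` lines in the intro carry over two grammar slips that could be fixed in the same hunk: "Furthermore, license must be assigned" should read "the license must be assigned", and "the service plans requirements" should read "the service plan requirements". In the last hunk, "Microsoft Entra Product names and service plan identifiers" capitalises "Product" mid-title; use "product names".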
communication-services | Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/identity/service-principal.md | Title: Use Azure Active Directory in Communication Services + Title: Use Microsoft Entra ID in Communication Services -description: Azure Active Directory lets you authorize Azure Communication Services access from applications running in Azure VMs, function apps, and other resources. +description: Microsoft Entra ID lets you authorize Azure Communication Services access from applications running in Azure VMs, function apps, and other resources. zone_pivot_groups: acs-azcli-js-csharp-java-python -# Quickstart: Authenticate using Azure Active Directory +# Quickstart: Authenticate using Microsoft Entra ID -Get started with Azure Communication Services by using Azure Active Directory. The Communication Services Identity and SMS SDKs support Azure Active Directory (Azure AD) authentication. +Get started with Azure Communication Services by using Microsoft Entra ID. The Communication Services Identity and SMS SDKs support Microsoft Entra authentication. This quickstart shows you how to authorize access to the Identity and SMS SDKs from an Azure environment that supports Active Directory. It also describes how to test your code in a development environment by creating a service principal for your work. |
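Review bot: the unchanged context line after the last hunk, "from an Azure environment that supports Active Directory", still uses the old name while every changed line in this file switches to Microsoft Entra ID; suggest "that supports Microsoft Entra ID" so the rename is complete within the same change.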
communication-services | Manage Teams Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/manage-teams-identity.md | -In this quickstart, you'll build a .NET console application to authenticate a Microsoft 365 user by using the Microsoft Authentication Library (MSAL) and retrieving a Microsoft Azure Active Directory (Azure AD) user token. You'll then exchange that token for an access token of Teams user with the Azure Communication Services Identity SDK. The access token for Teams user can then be used by the Communication Services Calling SDK to integrate calling capability as Teams user. +In this quickstart, you'll build a .NET console application to authenticate a Microsoft 365 user by using the Microsoft Authentication Library (MSAL) and retrieving a Microsoft Entra user token. You'll then exchange that token for an access token of Teams user with the Azure Communication Services Identity SDK. The access token for Teams user can then be used by the Communication Services Calling SDK to integrate calling capability as Teams user. > [!NOTE] > When you're in a production environment, we recommend that you implement this exchange mechanism in back-end services, because requests for an exchange are signed with a secret. In this quickstart, you'll build a .NET console application to authenticate a Mi ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - An active Azure Communication Services resource and connection string. For more information, see [Create an Azure Communication Services resource](./create-communication-resource.md).-- An Azure Active Directory instance with users that have a Teams license. For more information, see [Teams License requirements](./eligible-teams-licenses.md).+- A Microsoft Entra instance with users that have a Teams license. 
For more information, see [Teams License requirements](./eligible-teams-licenses.md). ## Introduction -Teams identities are bound to tenants in Azure Active Directory. Your application can be used by users from the same or another tenant. In this quickstart, you'll work through a multitenant use case with multiple actors: users, developers, and administrators from fictional companies Contoso and Fabrikam. In this use case, Contoso is a company that's building software as a service (SaaS) for Fabrikam. +Teams identities are bound to tenants in Microsoft Entra ID. Your application can be used by users from the same or another tenant. In this quickstart, you'll work through a multitenant use case with multiple actors: users, developers, and administrators from fictional companies Contoso and Fabrikam. In this use case, Contoso is a company that's building software as a service (SaaS) for Fabrikam. The following sections will guide you through the steps for administrators, developers, and users. The diagrams demonstrate the multitenant use case. If you're working with a single tenant, execute all steps from Contoso and Fabrikam in a single tenant. ## Administrator actions -The Administrator role has extended permissions in Azure AD. Members of this role can set up resources and can read information from the Azure portal. In the following diagram, you can see all actions that have to be executed by Administrators. +The Administrator role has extended permissions in Microsoft Entra ID. Members of this role can set up resources and can read information from the Azure portal. In the following diagram, you can see all actions that have to be executed by Administrators. ![Administrator actions to enable Azure Communication Services support for Teams identities.](./media/teams-identities/teams-identity-admin-overview.svg) -1. The Contoso Administrator creates or selects an existing *application* in Azure Active Directory. 
The property *Supported account types* defines whether users from various tenants can authenticate to the application. The property *Redirect URI* redirects a successful authentication request to the Contoso *server*. +1. The Contoso Administrator creates or selects an existing *application* in Microsoft Entra ID. The property *Supported account types* defines whether users from various tenants can authenticate to the application. The property *Redirect URI* redirects a successful authentication request to the Contoso *server*. 1. The Contoso Administrator adds API permissions to `Teams.ManageCalls` and `Teams.ManageChats` from Communication Services. 1. The Contoso Administrator allows public client flow for the application.-1. The Contoso Administrator creates or selects existing communication services, which will be used for authentication of the exchanging requests. Azure AD user tokens will be exchanged for an access token of Teams user. For more information, see [Create and manage Communication Services resources](./create-communication-resource.md). +1. The Contoso Administrator creates or selects existing communication services, which will be used for authentication of the exchanging requests. Microsoft Entra user tokens will be exchanged for an access token of Teams user. For more information, see [Create and manage Communication Services resources](./create-communication-resource.md). 1. The Fabrikam Administrator grants Communication Services `Teams.ManageCalls` and `Teams.ManageChats` permissions to the Contoso application. This step is required if only Fabrikam Administrator can grant access to the application with the `Teams.ManageCalls` and `Teams.ManageChats` permissions. 
-### Step 1: Create an Azure AD application registration or select an Azure AD application +<a name='step-1-create-an-azure-ad-application-registration-or-select-an-azure-ad-application'></a> -Users must be authenticated against Azure AD applications with the Azure Communication Service Teams.ManageCalls and Teams.ManageChats permissions. If you don't have an existing application that you want to use for this quickstart, you can create a new application registration. +### Step 1: Create a Microsoft Entra application registration or select a Microsoft Entra application ++Users must be authenticated against Microsoft Entra applications with the Azure Communication Service Teams.ManageCalls and Teams.ManageChats permissions. If you don't have an existing application that you want to use for this quickstart, you can create a new application registration. The following application settings influence the experience: - The *Supported account types* property defines whether the application is single tenant ("Accounts in this organizational directory only") or multitenant ("Accounts in any organizational directory"). For this scenario, you can use multitenant. On the **Authentication** pane of your application, you can see a configured pla ### Step 3: Add the Communication Services permissions in the application -The application must declare Teams.ManageCalls and Teams.ManageChats permissions to have access to Teams calling capabilities in the Tenant. Teams user would be requesting an Azure AD user token with this permission for token exchange. +The application must declare Teams.ManageCalls and Teams.ManageChats permissions to have access to Teams calling capabilities in the Tenant. Teams user would be requesting a Microsoft Entra user token with this permission for token exchange. -1. Navigate to your Azure AD app in the Azure portal and select **API permissions** +1. Navigate to your Microsoft Entra app in the Azure portal and select **API permissions** 1. 
Select **Add Permissions** 1. In the **Add Permissions** menu, select **Azure Communication Services** 1. Select the permissions **Teams.ManageCalls** and **Teams.ManageChats**, then select **Add permissions** -![Add Teams.ManageCalls and Teams.ManageChats permission to the Azure Active Directory application created in previous step.](./media/active-directory-permissions.png) +![Add Teams.ManageCalls and Teams.ManageChats permission to the Microsoft Entra application created in previous step.](./media/active-directory-permissions.png) ### Step 4: Create or select a Communication Services resource -Your Communication Services resource is used to authenticate all requests for exchanging Azure AD user token for an access token of Teams user. You can trigger this exchange by using the Communication Services Identity SDK, which you can authenticate with an access key, or by using Azure role-based access control (Azure RBAC). You can get the access key either in the Azure portal or by configuring Azure RBAC on the **Access control (IAM)** pane by Communication Services resource. +Your Communication Services resource is used to authenticate all requests for exchanging Microsoft Entra user token for an access token of Teams user. You can trigger this exchange by using the Communication Services Identity SDK, which you can authenticate with an access key, or by using Azure role-based access control (Azure RBAC). You can get the access key either in the Azure portal or by configuring Azure RBAC on the **Access control (IAM)** pane by Communication Services resource. If you want to create a new Communication Services resource, see [Create and manage Communication Services resources](./create-communication-resource.md). ### Step 5: Provide Administrator consent -Azure Active Directory tenant can be configured, to require Azure AD administrator consent for the Teams.ManageCalls and Teams.ManageChats permissions of the application. 
In such a case, the Azure AD Administrator must grant permissions to the Contoso application for Communication Services Teams.ManageCalls and Teams.ManageChats. The Fabrikam Azure AD Administrator provides consent via a unique URL. +Microsoft Entra tenant can be configured, to require Microsoft Entra administrator consent for the Teams.ManageCalls and Teams.ManageChats permissions of the application. In such a case, the Microsoft Entra Administrator must grant permissions to the Contoso application for Communication Services Teams.ManageCalls and Teams.ManageChats. The Fabrikam Microsoft Entra Administrator provides consent via a unique URL. The following roles can provide consent on behalf of a company: - Global admin The following roles can provide consent on behalf of a company: If you want to check roles in Azure portal, see [List Azure role assignments](../../role-based-access-control/role-assignments-list-portal.md). -To construct an Administrator consent URL, the Fabrikam Azure AD Administrator does the following steps: +To construct an Administrator consent URL, the Fabrikam Microsoft Entra Administrator does the following steps: 1. In the URL *https://login.microsoftonline.com/{Tenant_ID}/adminconsent?client_id={Application_ID}*, the Administrator replaces {Tenant_ID} with the Fabrikam [Tenant ID](../concepts/troubleshooting-info.md#getting-directory-id), and replaces {Application_ID} with the Contoso [Application ID](../concepts/troubleshooting-info.md#getting-application-id). 1. The Administrator logs in and grants permissions on behalf of the organization. -The service principal of the Contoso application in the Fabrikam tenant is created if consent is granted. The Fabrikam Administrator can review the consent in Azure AD by doing the following steps: +The service principal of the Contoso application in the Fabrikam tenant is created if consent is granted. 
The Fabrikam Administrator can review the consent in Microsoft Entra ID by doing the following steps: 1. Sign in to the Azure portal as an administrator.-1. Go to Azure Active Directory. +1. Go to Microsoft Entra ID. 1. On the **Enterprise applications** pane, set the **Application type** filter to **All applications**. 1. In the field for filtering the applications, enter the name of the Contoso application. 1. Select **Apply**. The service principal of the Contoso application in the Fabrikam tenant is creat You can see that the status of the Communication Services Teams.ManageCalls and Teams.ManageChats permissions are *Granted for {Directory_name}*. -If you run into the issue "The app is trying to access a service '1fd5118e-2576-4263-8130-9503064c837a'(Azure Communication Services) that your organization '{GUID}' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application to create the required service principal." your Azure Active Directory tenant lacks a service principal for the Azure Communication Services application. To fix this issue, use PowerShell as an Azure AD administrator to connect to your tenant. Replace `Tenant_ID` with an ID of your AAD tenancy. +If you run into the issue "The app is trying to access a service '1fd5118e-2576-4263-8130-9503064c837a'(Azure Communication Services) that your organization '{GUID}' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application to create the required service principal." your Microsoft Entra tenant lacks a service principal for the Azure Communication Services application. To fix this issue, use PowerShell as a Microsoft Entra administrator to connect to your tenant. Replace `Tenant_ID` with an ID of your Microsoft Entra tenancy. 
```script Connect-AzureAD -TenantId "Tenant_ID" ```-If the command is not found, start PowerShell as an administrator and install the Azure AD package. +If the command is not found, start PowerShell as an administrator and install the Microsoft Entra ID package. ```script Install-Module AzureAD New-AzureADServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a" ## Developer actions -The Contoso developer needs to set up the *client application* to authenticate users. The developer then needs to create an endpoint on the back-end *server* to process the Azure AD user token after redirection. When the Azure AD user token is received, it's exchanged for the access token of Teams user and returned to the *client application*. +The Contoso developer needs to set up the *client application* to authenticate users. The developer then needs to create an endpoint on the back-end *server* to process the Microsoft Entra user token after redirection. When the Microsoft Entra user token is received, it's exchanged for the access token of Teams user and returned to the *client application*. The developer's required actions are shown in following diagram: ![Diagram of developer actions to enable Azure Communication Services support for Teams identities.](./media/teams-identities/teams-identity-developer-overview.svg) 1. The Contoso developer configures the Microsoft Authentication Library (MSAL) to authenticate the user for the application that was created earlier by the Administrator for Communication Services Teams.ManageCalls and Teams.ManageChats permissions.-1. The Contoso developer initializes the Communication Services Identity SDK and exchanges the incoming Azure AD user token for the access token of Teams user via the identity SDK. The access token of Teams user is then returned to the *client application*. +1. 
The Contoso developer initializes the Communication Services Identity SDK and exchanges the incoming Microsoft Entra user token for the access token of Teams user via the identity SDK. The access token of Teams user is then returned to the *client application*. -By using the MSAL, developers can acquire Azure AD user tokens from the Microsoft Identity platform endpoint to authenticate users and access secure web APIs. It can be used to provide secure access to Communication Services. The MSAL supports many different application architectures and platforms, including .NET, JavaScript, Java, Python, Android, and iOS. +By using the MSAL, developers can acquire Microsoft Entra user tokens from the Microsoft identity platform endpoint to authenticate users and access secure web APIs. It can be used to provide secure access to Communication Services. The MSAL supports many different application architectures and platforms, including .NET, JavaScript, Java, Python, Android, and iOS. For more information about setting up environments in public documentation, see [Microsoft Authentication Library overview](../../active-directory/develop/msal-overview.md). > [!NOTE]-> The following sections describe how to exchange the Azure AD access token for the access token of Teams user for the console application. +> The following sections describe how to exchange the Microsoft Entra access token for the access token of Teams user for the console application. ::: zone pivot="programming-language-csharp" [!INCLUDE [.NET](./includes/manage-teams-identity-net.md)] The user represents the Fabrikam users of the Contoso application. The user expe ![Diagram of user actions to enable Azure Communication Services support for Teams identities.](./media/teams-identities/teams-identity-user-overview.svg) 1. The Fabrikam user uses the Contoso *client application* and is prompted to authenticate.-1. 
The Contoso *client application* uses the MSAL to authenticate the user against the Fabrikam Azure AD tenant for the Contoso application with Communication Services Teams.ManageCalls and Teams.ManageChats permissions. +1. The Contoso *client application* uses the MSAL to authenticate the user against the Fabrikam Microsoft Entra tenant for the Contoso application with Communication Services Teams.ManageCalls and Teams.ManageChats permissions. 1. Authentication is redirected to the *server*, as defined in the property *Redirect URI* in the MSAL and the Contoso application.-1. The Contoso *server* exchanges the Azure AD user token for the access token of Teams user by using the Communication Services Identity SDK and returns the access token of Teams user to the *client application*. +1. The Contoso *server* exchanges the Microsoft Entra user token for the access token of Teams user by using the Communication Services Identity SDK and returns the access token of Teams user to the *client application*. With a valid access token for Teams user in the *client application*, developers can integrate the Communication Services Calling SDK and manage calls as Teams user. With a valid access token for Teams user in the *client application*, developers In this quickstart, you learned how to: > [!div class="checklist"]-> * Create and configure an application in Azure AD. -> * Use the Microsoft Authentication Library (MSAL) to issue an Azure AD user token. -> * Use the Communication Services Identity SDK to exchange the Azure AD user token for an access token of Teams user. +> * Create and configure an application in Microsoft Entra ID. +> * Use the Microsoft Authentication Library (MSAL) to issue a Microsoft Entra user token. +> * Use the Communication Services Identity SDK to exchange the Microsoft Entra user token for an access token of Teams user. > [!div class="nextstepaction"] |
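Review bot: In the Step 5 PowerShell fix, the renamed prose on the `+` line now says "install the Microsoft Entra ID package", but the commands that follow are unchanged: `Connect-AzureAD -TenantId "Tenant_ID"`, `Install-Module AzureAD` and `New-AzureADServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a"`, so the text no longer names the module the reader actually installs. Say "install the AzureAD PowerShell module" (or rename the cmdlets too if the intent is to move off that module) so prose and commands agree. Two smaller points in the same region: the `+` line "Microsoft Entra tenant can be configured, to require ..." keeps a stray comma and needs an article ("A Microsoft Entra tenant can be configured to require ..."), the fences are tagged `script` where `powershell` would give correct highlighting, and the Step 3 alt text "created in previous step" wants "the previous step".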
communication-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/samples/overview.md | Azure Communication Services has many samples available, which you can use to te | : | : | : | | [Calling Hero Sample](./calling-hero-sample.md) | Provides a sample of creating a calling application. | [Web](https://github.com/Azure-Samples/communication-services-web-calling-hero), [iOS](https://github.com/Azure-Samples/communication-services-ios-calling-hero), [Android](https://github.com/Azure-Samples/communication-services-android-calling-hero) | | [Chat Hero Sample](./chat-hero-sample.md) | Provides a sample of creating a chat application. | [Web](https://github.com/Azure-Samples/communication-services-web-chat-hero) |-| [Trusted Authentication Server Sample](./trusted-auth-sample.md) | Provides a sample implementation of a trusted authentication service used to generate user and access tokens for Azure Communication Services. The service by default maps generated identities to Azure Active Directory | [node.JS](https://github.com/Azure-Samples/communication-services-authentication-hero-nodejs), [C#](https://github.com/Azure-Samples/communication-services-authentication-hero-csharp) +| [Trusted Authentication Server Sample](./trusted-auth-sample.md) | Provides a sample implementation of a trusted authentication service used to generate user and access tokens for Azure Communication Services. The service by default maps generated identities to Microsoft Entra ID | [node.JS](https://github.com/Azure-Samples/communication-services-authentication-hero-nodejs), [C#](https://github.com/Azure-Samples/communication-services-authentication-hero-csharp) | [Web Calling Sample](./web-calling-sample.md) | A step by step walk-through of Azure Communication Services Calling features, including PSTN, within the Web. 
| [Web](https://github.com/Azure-Samples/communication-services-web-calling-tutorial/) | | [Web Calling Push Notifications Sample](./web-calling-push-notifications-sample.md) | A step by step walk-through of how to set up an architecture for web calling push notifications. | [Web](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/calling-web-push-notifications) | | [Network Traversal Sample]( https://github.com/Azure-Samples/communication-services-network-traversal-hero) | Sample app demonstrating network traversal functionality | Node.js |
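Review bot: Style point on the Trusted Authentication Server Sample row: the `+` line keeps the platform link text as "node.JS" while the Network Traversal row in the same table uses "Node.js"; normalise to "Node.js" while the row is being touched.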
communication-services | Trusted Auth Sample | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/samples/trusted-auth-sample.md | zone_pivot_groups: acs-js-csharp Azure Communication Services requires developers to generate user and access token credentials inside of a trusted authentication service. Azure Communication Services is identity-agnostic, to learn more check out our [conceptual documentation](../concepts/identity-model.md). -This repository provides a sample of a server implementation of an authentication service for Azure Communication Services. It uses best practices to build a trusted backend service that issues Azure Communication Services credentials and maps them to Azure Active Directory identities. +This repository provides a sample of a server implementation of an authentication service for Azure Communication Services. It uses best practices to build a trusted backend service that issues Azure Communication Services credentials and maps them to Microsoft Entra identities. This sample can help you in the following scenarios:-- As a developer, you need to enable an authentication flow to generate Azure Communication Services user identities mapped to an Azure Active Directory identity. Using this identity you then will provision access tokens to be used in calling and chat experiences.-- As a developer, you need to enable an authentication flow for Azure Communication Services support Teams identities, which is done by using an Microsoft 365 Azure Active Directory identity of a Teams' user to fetch an Azure Communication Services token to be able to join Teams calling/chat.+- As a developer, you need to enable an authentication flow to generate Azure Communication Services user identities mapped to a Microsoft Entra identity. Using this identity you then will provision access tokens to be used in calling and chat experiences. 
+- As a developer, you need to enable an authentication flow for Azure Communication Services support Teams identities, which is done by using an Microsoft 365 Microsoft Entra identity of a Teams' user to fetch an Azure Communication Services token to be able to join Teams calling/chat. > [!NOTE] >If you are looking to get started with Azure Communication Services, but are still in learning / prototyping phases, check out our [quickstarts for getting started with Azure communication services users and access tokens](../quickstarts/identity/access-tokens.md?pivots=programming-language-csharp). ![Screenshot of the Azure Communication Services Authentication Server Sample Architecture](./media/auth/acs-authentication-server-sample-overview-flow.png) -Since this sample only focuses on the server APIs, the client application is not part of it. If you want to add the client application to login user using Azure Active Directory, then follow the MSAL samples [here](https://github.com/AzureAD/microsoft-authentication-library-for-js). +Since this sample only focuses on the server APIs, the client application is not part of it. If you want to add the client application to login user using Microsoft Entra ID, then follow the MSAL samples [here](https://github.com/AzureAD/microsoft-authentication-library-for-js). ## Prerequisites To be able to run this sample, you will need to: -- Register a Client and Server (Web API) applications in Azure Active Directory as part of [On Behalf Of workflow](../../active-directory/develop/v2-oauth2-on-behalf-of-flow.md). Follow instructions on [registrations set up guideline](https://github.com/Azure-Samples/communication-services-authentication-hero-csharp/blob/main/docs/deployment-guides/set-up-app-registrations.md)+- Register a Client and Server (Web API) applications in Microsoft Entra ID as part of [On Behalf Of workflow](../../active-directory/develop/v2-oauth2-on-behalf-of-flow.md). 
Follow instructions on [registrations set up guideline](https://github.com/Azure-Samples/communication-services-authentication-hero-csharp/blob/main/docs/deployment-guides/set-up-app-registrations.md) - A deployed Azure Communication Services resource. [Create an Azure Communication Services resource](../quickstarts/create-communication-resource.md?tabs=linux&pivots=platform-azp). - Update the Server (Web API) application with information from the app registrations. |
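Review bot: The second scenario bullet on the `+` line carries over an article and grammar problem: "by using an Microsoft 365 Microsoft Entra identity of a Teams' user" should read "by using a Microsoft 365 (Microsoft Entra) identity of a Teams user", since the mechanical rename put "Microsoft" twice in a row and "an" no longer fits. In the same region, "enable an authentication flow for Azure Communication Services support Teams identities" is missing a word ("... support for Teams identities"), "to login user using Microsoft Entra ID" should be "to sign in users using Microsoft Entra ID", and the Prerequisites bullet "Register a Client and Server (Web API) applications" should drop the "a".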
communication-services | Meeting Interop Features File Attachment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/chat-interop/meeting-interop-features-file-attachment.md | The Chat SDK is designed to work with Microsoft Teams seamlessly. Specifically, ## Add file attachment support -The Chat SDK for JavaScript provides `previewUrl` and `url` for each file attachment. Specifically, `url` provides a direct download URL to the file. While `previewUrl` provides a link to a webpage on SharePoint where the user can see the content of the file, edit the file and download the file if permission allows. +The Chat SDK for JavaScript provides `previewUrl` for each file attachment. Specifically, the `previewUrl` provides a link to a webpage on the SharePoint where the user can see the content of the file, edit the file and download the file if permission allows. You should be aware of couple constraints that come with this feature: -1. The Teams admin of the sender's tenant could impose policies that limits or disable this feature entirely. For example, the Teams admin could disable certain permissions (such as "Anyone") that could cause the file attachment URLs (`previewUrl` and `Url`) to be inaccessible. +1. The Teams admin of the sender's tenant could impose policies that limits or disable this feature entirely. For example, the Teams admin could disable certain permissions (such as "Anyone") that could cause the file attachment URLs (`previewUrl`) to be inaccessible. 2. We currently only support the following file permissions: - "Anyone", and - "People you choose" (with email address) The Teams user should be made aware of that all other permissions (such as "People in your organization") aren't supported. The Teams user should double check if the default permission is supported after uploading the file on their Teams client. -3. 
The direct download URL (`url`) might be inaccessible if file is protected (files with restricted permissions such as file being password protected or shared with a specific email address owner) +3. The direct download URL (`url`) is not supported. In addition to regular files (with `AttachmentType` of `file`), the Chat SDK for JavaScript also provides the `AttachmentType` of `teamsImage` for image attachments so that you can use it to mirror the behavior of how Microsoft Teams client converts image attachment to inline images in the UI layer. See section "Image Attachment Handling" for more info. |
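Review bot: Grammar carried over on the `+` lines in the file attachment constraints: "policies that limits or disable" should be "policies that limit or disable", and "on the SharePoint" should be "on SharePoint". The unchanged lead-in "You should be aware of couple constraints" should be "a couple of constraints". The removal of `url` from the first paragraph and constraint 1 is consistent with the rewritten constraint 3 ("The direct download URL (`url`) is not supported"), so nothing further is needed there.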
communication-services | Integrate Azure Function | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/tutorials/integrate-azure-function.md | Open the link in a browser. The result will be similar to this example: ## (Optional) secure the Azure Function endpoint For demonstration purposes, this sample uses a publicly accessible endpoint by default to fetch an Azure Communication Services token. For production scenarios, one option is to use your own secured endpoint to provision your own tokens. -With extra configuration, this sample supports connecting to an Azure Active Directory (Azure AD) protected endpoint so that user log is required for the app to fetch an Azure Communication Services token. The user will be required to sign in with Microsoft account to access the app. This setup increases the security level while users are required to log in. Decide whether to enable it based on the use cases. +With extra configuration, this sample supports connecting to a Microsoft Entra protected endpoint so that user log is required for the app to fetch an Azure Communication Services token. The user will be required to sign in with Microsoft account to access the app. This setup increases the security level while users are required to log in. Decide whether to enable it based on the use cases. -Note that we currently don't support Azure AD in sample code. Follow the links below to enable it in your app and Azure Function: +Note that we currently don't support Microsoft Entra ID in sample code. Follow the links below to enable it in your app and Azure Function: -[Register your app under Azure Active Directory (using Android platform settings)](../../active-directory/develop/tutorial-v2-android.md). +[Register your app under Microsoft Entra ID (using Android platform settings)](../../active-directory/develop/tutorial-v2-android.md). 
-[Configure your App Service or Azure Functions app to use Azure AD log in](../../app-service/configure-authentication-provider-aad.md). +[Configure your App Service or Azure Functions app to use Microsoft Entra ID log in](../../app-service/configure-authentication-provider-aad.md). |
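Review bot: The `+` line keeps the typo "so that user log is required" from the original; it should read "so that user login is required", since this sentence is the justification for protecting the token endpoint and should be unambiguous. Also on the `+` lines: "sign in with Microsoft account" wants an article ("a Microsoft account"), and the link text "use Microsoft Entra ID log in" reads awkwardly after the rename; "use Microsoft Entra sign-in" is clearer.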
confidential-ledger | Authentication Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/authentication-azure-ad.md | Title: Azure Active Directory authentication with Azure confidential ledger -description: Azure Active Directory authentication with Azure confidential ledger + Title: Microsoft Entra authentication with Azure confidential ledger +description: Microsoft Entra authentication with Azure confidential ledger Last updated 07/12/2022 -# Azure confidential ledger authentication with Azure Active Directory (Azure AD) +# Azure confidential ledger authentication with Microsoft Entra ID -The recommended way to access Azure confidential ledger is by authenticating to the **Azure Active Directory (Azure AD)** service; doing so guarantees that Azure confidential ledger never gets the accessing principal's directory credentials. +The recommended way to access Azure confidential ledger is by authenticating to the **Microsoft Entra ID** service; doing so guarantees that Azure confidential ledger never gets the accessing principal's directory credentials. To do so, the client performs a two-steps process: 1. In the first step, the client:- 1. Communicates with the Azure AD service. - 1. Authenticates to the Azure AD service. + 1. Communicates with the Microsoft Entra service. + 1. Authenticates to the Microsoft Entra service. 1. Requests an access token issued specifically for Azure confidential ledger. 1. In the second step, the client issues requests to Azure confidential ledger, providing the access token acquired in the first step as a proof of identity to Azure confidential ledger. -Azure confidential ledger then executes the request on behalf of the security principal for which Azure AD issued the access token. All authorization checks are performed using this identity. +Azure confidential ledger then executes the request on behalf of the security principal for which Microsoft Entra ID issued the access token. 
All authorization checks are performed using this identity. In most cases, the recommendation is to use one of Azure confidential ledger SDKs to access the service programmatically, as they remove much of the hassle of implementing the flow above (and much more). See, for example, the [Python client library](https://pypi.org/project/azure-confidentialledger/) and [.NET client library](/dotnet/api/azure.security.confidentialledger). The main authenticating scenarios are: -- **A client application authenticating a signed-in user**: In this scenario, an interactive (client) application triggers an Azure AD prompt to the user for credentials (such as username and password). See [user authentication](#user-authentication).+- **A client application authenticating a signed-in user**: In this scenario, an interactive (client) application triggers a Microsoft Entra prompt to the user for credentials (such as username and password). See [user authentication](#user-authentication). -- **A "headless" application**: In this scenario, an application is running with no user present to provide credentials. Instead the application authenticates as "itself" to Azure AD using some credentials it has been configured with. See [application authentication](#application-authentication).+- **A "headless" application**: In this scenario, an application is running with no user present to provide credentials. Instead the application authenticates as "itself" to Microsoft Entra ID using some credentials it has been configured with. See [application authentication](#application-authentication). -- **On-behalf-of authentication**. In this scenario, sometimes called the "web service" or "web app" scenario, the application gets an Azure AD access token from another application, and then "converts" it to another Azure AD access token that can be used with Azure confidential ledger. 
In other words, the application acts as a mediator between the user or application that provided credentials and the Azure confidential ledger service. See [on-behalf-of authentication](#on-behalf-of-authentication).+- **On-behalf-of authentication**. In this scenario, sometimes called the "web service" or "web app" scenario, the application gets a Microsoft Entra access token from another application, and then "converts" it to another Microsoft Entra access token that can be used with Azure confidential ledger. In other words, the application acts as a mediator between the user or application that provided credentials and the Azure confidential ledger service. See [on-behalf-of authentication](#on-behalf-of-authentication). -## Azure AD parameters +<a name='azure-ad-parameters'></a> -### Azure AD resource for Azure confidential ledger +## Microsoft Entra parameters -When acquiring an access token from Azure AD, the client must indicate which *Azure AD resource* the token should be issued to. The Azure AD resource of an Azure confidential ledger endpoint is the URI of the endpoint, barring the port information and the path. +<a name='azure-ad-resource-for-azure-confidential-ledger'></a> ++### Microsoft Entra resource for Azure confidential ledger ++When acquiring an access token from Microsoft Entra ID, the client must indicate which *Microsoft Entra resource* the token should be issued to. The Microsoft Entra resource of an Azure confidential ledger endpoint is the URI of the endpoint, barring the port information and the path. For example, if you had an Azure confidential ledger called "myACL", the URI would be: For example, if you had an Azure confidential ledger called "myACL", the URI wou https://myACL.confidential-ledger.azure.com ``` -### Azure AD tenant ID +<a name='azure-ad-tenant-id'></a> -Azure AD is a multi-tenant service, and every organization can create an object called **directory** in Azure AD. 
The directory object holds security-related objects such as user accounts, applications, and groups. Azure AD often refers to the directory as a **tenant**. Azure AD tenants are identified by a GUID (**tenant ID**). In many cases, Azure AD tenants can also be identified by the domain name of the organization. +### Microsoft Entra tenant ID ++Microsoft Entra ID is a multi-tenant service, and every organization can create an object called **directory** in Microsoft Entra ID. The directory object holds security-related objects such as user accounts, applications, and groups. Microsoft Entra ID often refers to the directory as a **tenant**. Microsoft Entra tenants are identified by a GUID (**tenant ID**). In many cases, Microsoft Entra tenants can also be identified by the domain name of the organization. For example, an organization called "Contoso" might have the tenant ID `4da81d62-e0a8-4899-adad-4349ca6bfe24` and the domain name `contoso.com`. -### Azure AD authority endpoint +<a name='azure-ad-authority-endpoint'></a> ++### Microsoft Entra authority endpoint -Azure AD has many endpoints for authentication: +Microsoft Entra ID has many endpoints for authentication: -- When the tenant hosting the principal being authenticated is known (in other words, when one knows which Azure AD directory the user or application are in), the Azure AD endpoint is `https://login.microsoftonline.com/{tenantId}`. Here, `{tenantId}` is either the organization's tenant ID in Azure AD, or its domain name (for example, `contoso.com`).+- When the tenant hosting the principal being authenticated is known (in other words, when one knows which Microsoft Entra directory the user or application are in), the Microsoft Entra endpoint is `https://login.microsoftonline.com/{tenantId}`. Here, `{tenantId}` is either the organization's tenant ID in Microsoft Entra ID, or its domain name (for example, `contoso.com`). 
- When the tenant hosting the principal being authenticated isn't known, the "common" endpoint can be used by replacing the `{tenantId}` above with the value `common`. -The Azure AD service endpoint used for authentication is also called *Azure AD authority URL* or simply **Azure AD authority**. +The Microsoft Entra service endpoint used for authentication is also called *Microsoft Entra authority URL* or simply **Microsoft Entra authority**. > [!NOTE]-> The Azure AD service endpoint changes in national clouds. When working with an Azure confidential ledger service deployed in a national cloud, please set the corresponding national cloud Azure AD service endpoint. To change the endpoint, set an environment variable `AadAuthorityUri` to the required URI. +> The Microsoft Entra service endpoint changes in national clouds. When working with an Azure confidential ledger service deployed in a national cloud, please set the corresponding national cloud Microsoft Entra service endpoint. To change the endpoint, set an environment variable `AadAuthorityUri` to the required URI. ## User authentication -The easiest way to access Azure confidential ledger with user authentication is to use the Azure confidential ledger SDK and set the `Federated Authentication` property of the Azure confidential ledger connection string to `true`. The first time the SDK is used to send a request to the service the user will be presented with a sign-in form to enter the Azure AD credentials. Following a successful authentication the request will be sent to Azure confidential ledger. +The easiest way to access Azure confidential ledger with user authentication is to use the Azure confidential ledger SDK and set the `Federated Authentication` property of the Azure confidential ledger connection string to `true`. The first time the SDK is used to send a request to the service the user will be presented with a sign-in form to enter the Microsoft Entra credentials. 
Following a successful authentication the request will be sent to Azure confidential ledger. -Applications that don't use the Azure confidential ledger SDK can still use the [Microsoft Authentication Library (MSAL)](../active-directory/develop/msal-overview.md) instead of implementing the Azure AD service security protocol client. See [Enable your Web Apps to sign-in users and call APIs with the Microsoft identity platform for developers](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2). +Applications that don't use the Azure confidential ledger SDK can still use the [Microsoft Authentication Library (MSAL)](../active-directory/develop/msal-overview.md) instead of implementing the Microsoft Entra service security protocol client. See [Enable your Web Apps to sign-in users and call APIs with the Microsoft identity platform for developers](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2). If your application is intended to serve as front-end and authenticate users for an Azure confidential ledger cluster, the application must be granted delegated permissions on Azure confidential ledger. ## Application authentication -Applications that use Azure confidential ledger authenticate by using a token from Azure Active Directory. The owner of the application must first register it in Azure Active Directory. Registration also creates a second application object that identifies the app across all tenants. +Applications that use Azure confidential ledger authenticate by using a token from Microsoft Entra ID. The owner of the application must first register it in Microsoft Entra ID. Registration also creates a second application object that identifies the app across all tenants. 
-For detailed steps on registering an Azure confidential ledger application with Azure Active Directory, review these articles: +For detailed steps on registering an Azure confidential ledger application with Microsoft Entra ID, review these articles: -- [How to register an Azure confidential ledger application with Azure AD](register-application.md)-- [Use portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md)+- [How to register an Azure confidential ledger application with Microsoft Entra ID](register-application.md) +- [Use portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md) - [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli). At the end of registration, the application owner gets the following values: -- An **Application ID** (also known as the Azure Active Directory Client ID or appID)+- An **Application ID** (also known as the Microsoft Entra Client ID or appID) - An **authentication key** (also known as the shared secret). -The application must present both these values to Azure Active Directory to get a token. +The application must present both these values to Microsoft Entra ID to get a token. The Azure confidential ledger SDKs use Azure Identity client library, which allows seamless authentication to Azure confidential ledger across environments with same code. 
The Azure confidential ledger SDKs use Azure Identity client library, which allo ## On-behalf-of authentication -In this scenario, an application was sent an Azure AD access token for some arbitrary resource managed by the application, and it uses that token to acquire a new Azure AD access token for the Azure confidential ledger resource so that the application could access the confidential ledger on behalf of the principal indicated by the original Azure AD access token. +In this scenario, an application was sent a Microsoft Entra access token for some arbitrary resource managed by the application, and it uses that token to acquire a new Microsoft Entra access token for the Azure confidential ledger resource so that the application could access the confidential ledger on behalf of the principal indicated by the original Microsoft Entra access token. -This flow is called the[OAuth2 token exchange flow](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04). It generally requires multiple configuration steps with Azure AD, and in some cases(depending on the Azure AD tenant configuration) might require special consent from the administrator of the Azure AD tenant. +This flow is called the[OAuth2 token exchange flow](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04). It generally requires multiple configuration steps with Microsoft Entra ID, and in some cases(depending on the Microsoft Entra tenant configuration) might require special consent from the administrator of the Microsoft Entra tenant. 
## Next steps -- [How to register an Azure confidential ledger application with Azure AD](register-application.md)+- [How to register an Azure confidential ledger application with Microsoft Entra ID](register-application.md) - [Overview of Microsoft Azure confidential ledger](overview.md)-- [Integrating applications with Azure Active Directory](../active-directory/develop/quickstart-register-app.md)-- [Use portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md)+- [Integrating applications with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md) +- [Use portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md) - [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli). - [Authenticating Azure confidential ledger nodes](authenticate-ledger-nodes.md) |
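Review bot: In the Application authentication hunk, "Registration also creates a second application object that identifies the app across all tenants" has the two objects the wrong way round: the application object is the single global definition, and what registration adds in the home tenant is a service principal that represents it there. Suggest "Registration also creates a service principal in your tenant; the application object itself is the global definition shared across tenants." In the same hunk, "An **authentication key** (also known as the shared secret)" is pre-Entra wording; the portal calls this credential a client secret, with a certificate as the alternative, so "A **client secret** (or certificate)" matches current product terminology.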
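Review bot: The two missing spaces in "called the[OAuth2 token exchange flow]" and "in some cases(depending" survive unchanged into the + lines of the On-behalf-of authentication hunk; since the sentence is being edited anyway, fix them here. The link also points at an expired draft (draft-ietf-oauth-token-exchange-04); OAuth 2.0 Token Exchange was published as RFC 8693, and linking the RFC avoids a dead draft URL.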
confidential-ledger | Manage Azure Ad Token Based Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/manage-azure-ad-token-based-users.md | Title: Manage Azure AD token-based users in Azure confidential ledger -description: Learn how to manage Azure AD token-based users in Azure confidential ledger + Title: Manage Microsoft Entra token-based users in Azure confidential ledger +description: Learn how to manage Microsoft Entra token-based users in Azure confidential ledger Last updated 02/09/2023-# Manage Azure AD token-based users in Azure confidential ledger +# Manage Microsoft Entra token-based users in Azure confidential ledger -Azure AD-based users are identified by their Azure AD object ID. +Microsoft Entra ID-based users are identified by their Microsoft Entra object ID. Users with Administrator privileges can manage users of the confidential ledger. Available roles are Reader (read-only), Contributor (read and write), and Administrator (read, write, and manage users). main().catch((err) => { ## Next steps -- [Register an ACL app with Azure AD](register-application.md)+- [Register an ACL app with Microsoft Entra ID](register-application.md) - [Manage certificate-based users](manage-certificate-based-users.md) |
confidential-ledger | Manage Certificate Based Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/manage-certificate-based-users.md | main().catch((err) => { ## Next steps - [Create a client certificate](create-client-certificate.md)-- [Manage Azure AD token-based users](manage-azure-ad-token-based-users.md)+- [Manage Microsoft Entra token-based users](manage-azure-ad-token-based-users.md) |
confidential-ledger | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/overview.md | The confidential ledger is exposed through REST APIs which can be integrated int ## Ledger security -The ledger APIs support certificate-based authentication process with owner roles as well as Azure Active Directory (AAD) based authentication and also role-based access (for example, owner, reader, and contributor). +The ledger APIs support certificate-based authentication process with owner roles as well as Microsoft Entra ID based authentication and also role-based access (for example, owner, reader, and contributor). The data to the ledger is sent through TLS 1.3 connection and the TLS 1.3 connection terminates inside the hardware backed security enclaves (Intel® SGX enclaves). This ensures that no one can intercept the connection between a customer's client and the confidential ledger server nodes. |
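Review bot: The role list in the Ledger security paragraph, "(for example, owner, reader, and contributor)", doesn't match the roles that the Manage Microsoft Entra token-based users article in this same change set names (Reader, Contributor, Administrator); align the two so readers don't look for an owner role that the user-management page never mentions. Grammar in the same line: "support certificate-based authentication process" should read "support a certificate-based authentication process".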
confidential-ledger | Quickstart Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/quickstart-cli.md | For more information on Azure confidential ledger, and for examples of what can ## Get your principal ID -To create a confidential ledger, you'll need your Azure Active Directory principal ID (also called your object ID). To obtain your principal ID, use the Azure CLI [az ad signed-in-user](/cli/azure/ad/signed-in-user) command, and filter the results by `objectId`: +To create a confidential ledger, you'll need your Microsoft Entra principal ID (also called your object ID). To obtain your principal ID, use the Azure CLI [az ad signed-in-user](/cli/azure/ad/signed-in-user) command, and filter the results by `objectId`: ```azurecli az ad signed-in-user show --query objectId |
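Review bot: The + line still tells the reader to filter by `objectId`, but since the `az ad` commands moved to Microsoft Graph (Azure CLI 2.37 and later) `az ad signed-in-user show` returns the object ID under the `id` property, so `--query objectId` yields nothing on a current CLI. Suggest `az ad signed-in-user show --query id` and "filter the results by `id`", or at least call out the version dependency next to the command.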
confidential-ledger | Quickstart Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/quickstart-portal.md | Sign in to the [Azure portal](https://portal.azure.com). 1. Select the **Security** tab. -1. You must now add an Azure AD-based or certificate-based user to your confidential ledger with a role of "Administrator." In this quickstart, we'll add an Azure AD-based user. Select **+ Add AAD-Based User**. +1. You must now add a Microsoft Entra ID-based or certificate-based user to your confidential ledger with a role of "Administrator." In this quickstart, we'll add a Microsoft Entra ID-based user. Select **+ Add Microsoft Entra ID-Based User**. -1. You must add an Azure AD-based or Certificate-based user. Search the right-hand pane for your email address. Select your row, and then choose **Select** at the bottom of the pane. Your user profile may already be in the Azure AD-based user section, in which case you cannot add yourself again. +1. You must add a Microsoft Entra ID-based or Certificate-based user. Search the right-hand pane for your email address. Select your row, and then choose **Select** at the bottom of the pane. Your user profile may already be in the Microsoft Entra ID-based user section, in which case you cannot add yourself again. 1. In the **Ledger Role** drop-down field, select **Administrator**. |
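Review bot: "**+ Add Microsoft Entra ID-Based User**" is a portal button label, and UI strings change on the product's release schedule rather than with a docs rename; confirm the button on the ledger's Security tab actually shows this text before merging, otherwise keep the label exactly as the portal displays it. In the following step, "a Microsoft Entra ID-based or Certificate-based user" capitalizes "Certificate-based" inconsistently with the preceding line.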
confidential-ledger | Quickstart Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/quickstart-powershell.md | In this quickstart, you create a confidential ledger with [Azure PowerShell](/po ## Get your principal ID and tenant ID -To create a confidential ledger, you'll need your Azure Active Directory principal ID (also called your object ID). To obtain your principal ID, use the Azure PowerShell [Get-AzADUser](/powershell/module/az.resources/get-azaduser) cmdlet, with the `-SignedIn` flag: +To create a confidential ledger, you'll need your Microsoft Entra principal ID (also called your object ID). To obtain your principal ID, use the Azure PowerShell [Get-AzADUser](/powershell/module/az.resources/get-azaduser) cmdlet, with the `-SignedIn` flag: ```azurepowershell Get-AzADUser -SignedIn |
confidential-ledger | Quickstart Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/quickstart-python.md | This quickstart uses the Azure Identity library, along with Azure CLI or Azure P In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment?tabs=cmd#use-python-virtual-environments). -Install the Azure Active Directory identity client library: +Install the Microsoft Entra identity client library: ```terminal pip install azure-identity |
confidential-ledger | Register Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-ledger/register-application.md | Title: How to register an Azure confidential ledger application with Azure AD -description: In this how to, you learn how to register an Azure confidential ledger application with Azure AD + Title: How to register an Azure confidential ledger application with Microsoft Entra ID +description: In this how to, you learn how to register an Azure confidential ledger application with Microsoft Entra ID -# How to register an Azure confidential ledger application with Azure AD +# How to register an Azure confidential ledger application with Microsoft Entra ID -In this article you'll learn how to integrate your Azure confidential ledger application with Azure AD, by registering it with the Microsoft identity platform. +In this article you'll learn how to integrate your Azure confidential ledger application with Microsoft Entra ID, by registering it with the Microsoft identity platform. The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform. [Learn more about the Microsoft identity platform](../active-directory/develop/v2-overview.md). ## Prerequisites -- An Azure account with an active subscription and permission to manage applications in Azure Active Directory (Azure AD). [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- An Azure AD tenant. [Learn how to set up a tenant](../active-directory/develop/quickstart-create-new-tenant.md).+- An Azure account with an active subscription and permission to manage applications in Microsoft Entra ID. 
[Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- A Microsoft Entra tenant. [Learn how to set up a tenant](../active-directory/develop/quickstart-create-new-tenant.md). - An application that calls Azure confidential ledger. ## Register an application Follow these steps to create the app registration: 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. +1. Search for and select **Microsoft Entra ID**. 1. Under **Manage**, select **App registrations** > **New registration**. 1. Enter a display **Name** for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform. Follow these steps to create the app registration: | Supported account types | Description | | - | - | | **Accounts in this organizational directory only** | Select this option if you're building an application for use only by users (or guests) in _your_ tenant.<br><br>Often called a _line-of-business_ (LOB) application, this app is a _single-tenant_ application in the Microsoft identity platform. |- | **Accounts in any organizational directory** | Select this option if you want users in _any_ Azure Active Directory (Azure AD) tenant to be able to use your application. 
This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations.<br><br>This type of app is known as a _multitenant_ application in the Microsoft identity platform. | + | **Accounts in any organizational directory** | Select this option if you want users in _any_ Microsoft Entra tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations.<br><br>This type of app is known as a _multitenant_ application in the Microsoft identity platform. | | **Accounts in any organizational directory and personal Microsoft accounts** | Select this option to target the widest set of customers.<br><br>By selecting this option, you're registering a _multitenant_ application that can also support users who have personal _Microsoft accounts_. | | **Personal Microsoft accounts** | Select this option if you're building an application only for users who have personal Microsoft accounts. Personal Microsoft accounts include Skype, Xbox, Live, and Hotmail accounts. | 1. Don't enter anything for **Redirect URI (optional)**. You'll configure a redirect URI in the next section. Follow these steps to create the app registration: When registration finishes, the Azure portal displays the app registration's **Overview** pane. You see the **Application (client) ID**. Also called the _client ID_, this value uniquely identifies your application in the Microsoft identity platform. > [!IMPORTANT]-> New app registrations are hidden to users by default. When you are ready for users to see the app on their [My Apps page](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) you can enable it. 
To enable the app, in the Azure portal navigate to **Azure Active Directory** > **Enterprise applications** and select the app. Then on the **Properties** page toggle **Visible to users?** to Yes. +> New app registrations are hidden to users by default. When you are ready for users to see the app on their [My Apps page](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) you can enable it. To enable the app, in the Azure portal navigate to **Microsoft Entra ID** > **Enterprise applications** and select the app. Then on the **Properties** page toggle **Visible to users?** to Yes. Your application's code, or more typically an authentication library used in your application, also uses the client ID. The ID is used as part of validating the security tokens it receives from the identity platform. For application security recommendations, see [Microsoft identity platform best ## Next steps -- [Azure confidential ledger authentication with Azure Active Directory (Azure AD)](authentication-azure-ad.md)+- [Azure confidential ledger authentication with Microsoft Entra ID](authentication-azure-ad.md) - [Overview of Microsoft Azure confidential ledger](overview.md)-- [Integrating applications with Azure Active Directory](../active-directory/develop/quickstart-register-app.md)-- [Use portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md)+- [Integrating applications with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md) +- [Use portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md) - [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli). 
- [Authenticating Azure confidential ledger nodes](authenticate-ledger-nodes.md) |
connectors | Built In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/built-in.md | For a smaller number of services, systems, and protocols, Azure Logic Apps provi For example, a Standard workflow can use both managed connectors and built-in connectors for Azure Blob, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, and SQL Server. A Consumption workflow doesn't have the built-in versions. A Consumption workflow can use built-in connectors for Azure API Management, Azure App Services, and Batch, while a Standard workflow doesn't have these built-in connectors. -Also, in Standard workflows, some [built-in connectors with specific attributes are informally known as *service providers*](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Azure Active Directory (Azure AD), or a managed identity. All built-in connectors run in the same process as the Azure Logic Apps runtime. For more information, review [Single-tenant versus multi-tenant and integration service environment (ISE)](../logic-apps/single-tenant-overview-compare.md). +Also, in Standard workflows, some [built-in connectors with specific attributes are informally known as *service providers*](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Microsoft Entra ID, or a managed identity. All built-in connectors run in the same process as the Azure Logic Apps runtime. 
For more information, review [Single-tenant versus multi-tenant and integration service environment (ISE)](../logic-apps/single-tenant-overview-compare.md). This article provides a general overview about built-in connectors in Consumption workflows versus Standard workflows. In Standard workflows, a built-in connector that has the following attributes is * Provides access from a Standard workflow to a service, such as Azure Blob Storage, Azure Service Bus, Azure Event Hubs, SFTP, and SQL Server. - Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Azure Active Directory (Azure AD), or a managed identity. + Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Microsoft Entra ID, or a managed identity. * Runs in the same process as the redesigned Azure Logic Apps runtime. |
connectors | Compare Built In Azure Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/compare-built-in-azure-connectors.md | Authentication considerations for built-in and Azure connectors differ based on | Environment | Connector type | Authentication | |-|-|-| | Azure portal | Built-in | Connection strings, credentials, or connection parameters are stored in your logic app's configuration or app settings. |-| Azure portal | Azure | Connections are authenticated using either a managed identity or [Azure Active Directory (Azure AD) app registration with access policies enabled on the Azure API connections](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md#set-up-connection-authentication). | +| Azure portal | Azure | Connections are authenticated using either a managed identity or [Microsoft Entra app registration with access policies enabled on the Azure API connections](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md#set-up-connection-authentication). | | Visual Studio Code | Built-in | Connection strings or credentials are stored in the logic app project's **local.settings.json** file. | | Visual Studio Code | Azure | During workflow design, API connections are created and stored in the Azure cloud backend. To run these connections in your local environment, a bearer token is issued for seven days and is stored in your logic app project's **local.settings.json** file. | |||| |
connectors | Connectors Azure Application Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-azure-application-insights.md | tags: connectors > the other connectors and is the preferred method for running a query against a Log Analytics workspace or an Application Insights resource. > > For example, when you connect to your Application Insights resource, you don't have to create or provide an application ID and API key. -> Authentication is integrated with Azure Active Directory. For the how-to guide to use the Azure Monitor Logs connector, see +> Authentication is integrated with Microsoft Entra ID. For the how-to guide to use the Azure Monitor Logs connector, see > [Connect to Log Analytics or Application Insights from workflows in Azure Logic Apps](connectors-azure-monitor-logs.md). For more information, see the following documentation: |
connectors | Connectors Azure Monitor Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-azure-monitor-logs.md | tags: connectors > the same functionality as the other connectors and is the preferred method for running a query against a > Log Analytics workspace or an Application Insights resource. For example, when you connect to your Application > Insights resource, you don't have to create or provide an application ID and API key. Authentication is -> integrated with Azure Active Directory. +> integrated with Microsoft Entra ID. To build workflows in Azure Logic Apps that retrieve data from a Log Analytics workspace or an Application Insights resource in Azure Monitor, you can use the Azure Monitor Logs connector. For technical information about this connector's operations, see the [connector' This example continues with the action named **Run query and visualize results**. -1. In the connection box, from the **Tenant** list, select your Azure Active Directory (Azure AD) tenant, and then select **Create**. +1. In the connection box, from the **Tenant** list, select your Microsoft Entra tenant, and then select **Create**. > [!NOTE] > For technical information about this connector's operations, see the [connector' ## Next steps - Learn more about [log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md)-- Learn more about [queries for Log Analytics](../azure-monitor/logs/get-started-queries.md)+- Learn more about [queries for Log Analytics](../azure-monitor/logs/get-started-queries.md) |
connectors | Connectors Create Api Cosmos Db | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-create-api-cosmos-db.md | In a **Logic App (Consumption)** workflow, an Azure Cosmos DB connection require | Property | Required | Value | Description | |-|-|-|-| | **Connection name** | Yes | <*connection-name*> | The name to use for your connection. |-| **Authentication Type** | Yes | <*connection-type*> | The authentication type that you want to use. This example uses **Access key**. <p><p>- If you select **Access Key**, provide the remaining required property values to create the connection. <p><p>- If you select **Azure AD Integrated**, no other property values are required, but you have to configure your connection by following the steps for [Azure AD authentication and Azure Cosmos DB connector](/connectors/documentdb/#azure-ad-authentication-and-cosmos-db-connector). | +| **Authentication Type** | Yes | <*connection-type*> | The authentication type that you want to use. This example uses **Access key**. <p><p>- If you select **Access Key**, provide the remaining required property values to create the connection. <p><p>- If you select **Microsoft Entra integrated**, no other property values are required, but you have to configure your connection by following the steps for [Microsoft Entra authentication and Azure Cosmos DB connector](/connectors/documentdb/#azure-ad-authentication-and-cosmos-db-connector). | | **Access key to your Azure Cosmos DB account** | Yes | <*access-key*> | The access key for the Azure Cosmos DB account to use for this connection. This value is either a read-write key or a read-only key. <p><p>**Note**: To find the key, go to the Azure Cosmos DB account page. In the navigation menu, under **Settings**, select **Keys**. Copy one of the available key values. | | **Account Id** | Yes | <*acccount-ID*> | The name for the Azure Cosmos DB account to use for this connection. 
| ||||| This example uses the **Response Item Id** in the **Item Id** field to populate * [Managed connectors for Azure Logic Apps](managed.md) * [Built-in connectors for Azure Logic Apps](built-in.md)-* [What are connectors in Azure Logic Apps](introduction.md) +* [What are connectors in Azure Logic Apps](introduction.md) |
connectors | Connectors Create Api Office365 Outlook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-create-api-office365-outlook.md | For information about this connector's operations and any limits, based on the c > [!NOTE] > > If you're using [Microsoft Azure operated by 21Vianet](https://portal.azure.cn), - > Azure Active Directory (Azure AD) authentication works only with an account for + > Microsoft Entra authentication works only with an account for > Microsoft Office 365 operated by 21Vianet (.cn), not .com accounts. * The logic app workflow from where you want to access your Outlook account. To add an Office 365 Outlook trigger, you have to start with a blank workflow. To add an Office 365 Outlook action, your workflow can start with any trigger. Based on whether you have a Consumption or Standard logic app workflow, follow t > [!NOTE] > > Your connection doesn't expire until revoked, even if you change your sign-in credentials. - > For more information, see [Configurable token lifetimes in Azure Active Directory](../active-directory/develop/configurable-token-lifetimes.md). + > For more information, see [Configurable token lifetimes in Microsoft Entra ID](../active-directory/develop/configurable-token-lifetimes.md). 1. In the trigger information box, provide the required information, for example: Based on whether you have a Consumption or Standard logic app workflow, follow t > [!NOTE] > > Your connection doesn't expire until revoked, even if you change your sign-in credentials. - > For more information, see [Configurable token lifetimes in Azure Active Directory](../active-directory/develop/configurable-token-lifetimes.md). + > For more information, see [Configurable token lifetimes in Microsoft Entra ID](../active-directory/develop/configurable-token-lifetimes.md). 1. 
In the trigger information box, provide the required information, for example: Based on whether you have a Consumption or Standard logic app workflow, follow t > [!NOTE] > > Your connection doesn't expire until revoked, even if you change your sign-in credentials. - > For more information, see [Configurable token lifetimes in Azure Active Directory](../active-directory/develop/configurable-token-lifetimes.md). + > For more information, see [Configurable token lifetimes in Microsoft Entra ID](../active-directory/develop/configurable-token-lifetimes.md). 1. In the trigger information box, provide the required information, for example: Based on whether you have a Consumption or Standard logic app workflow, follow t > [!NOTE] > > Your connection doesn't expire until revoked, even if you change your sign-in credentials. - > For more information, see [Configurable token lifetimes in Azure Active Directory](../active-directory/develop/configurable-token-lifetimes.md). + > For more information, see [Configurable token lifetimes in Microsoft Entra ID](../active-directory/develop/configurable-token-lifetimes.md). 1. In the trigger information box, provide the required information, for example: If you try connecting to Outlook by using a different account than the one curre ## Next steps * [Managed connectors for Azure Logic Apps](managed.md)-* [Built-in connectors for Azure Logic Apps](built-in.md) +* [Built-in connectors for Azure Logic Apps](built-in.md) |
connectors | Connectors Create Api Servicebus | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-create-api-servicebus.md | Later, when you add a Service Bus trigger or action for the first time, you're p | Authentication type | Required information | ||-| | **Access Key** | The connection string for your Service Bus namespace. For more information, review [Get connection string for Service Bus namespace](#get-connection-string) |-| **Azure AD Integrated** | The endpoint URL for your Service Bus namespace. For more information, review [Get endpoint URL for Service Bus namespace](#get-endpoint-url). | +| **Microsoft Entra integrated** | The endpoint URL for your Service Bus namespace. For more information, review [Get endpoint URL for Service Bus namespace](#get-endpoint-url). | | **Logic Apps Managed Identity** | The endpoint URL for your Service Bus namespace. For more information, review [Get endpoint URL for Service Bus namespace](#get-endpoint-url). | <a name="built-in-connector-auth"></a> Later, when you add a Service Bus trigger or action for the first time, you're p | Authentication type | Required information | ||-| | **Connection String** | The connection string for your Service Bus namespace. For more information, review [Get connection string for Service Bus namespace](#get-connection-string) |-| **Active Directory OAuth** | - The fully qualified name for your Service Bus namespace, for example, **<*your-Service-Bus-namespace*>.servicebus.windows.net**. For more information, review [Get fully qualified name for Service Bus namespace](#get-fully-qualified-namespace). For the other property values, review [Azure Active Directory Open Authentication](../logic-apps/logic-apps-securing-a-logic-app.md#azure-active-directory-oauth-authentication). | +| **Active Directory OAuth** | - The fully qualified name for your Service Bus namespace, for example, **<*your-Service-Bus-namespace*>.servicebus.windows.net**. 
For more information, review [Get fully qualified name for Service Bus namespace](#get-fully-qualified-namespace). For the other property values, review [Microsoft Entra ID Open Authentication](../logic-apps/logic-apps-securing-a-logic-app.md#azure-active-directory-oauth-authentication). | | **Managed identity** | The fully qualified name for your Service Bus namespace, for example, **<*your-Service-Bus-namespace*>.servicebus.windows.net**. For more information, review [Get fully qualified name for Service Bus namespace](#get-fully-qualified-namespace). | <a name="get-connection-string"></a> |
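Review bot: The built-in connector table keeps the option name **Active Directory OAuth** while the link text in the same cell changes to "Microsoft Entra ID Open Authentication", so the row now uses two names for one setting. Keep the option label as the designer shows it and pick a single wording for the link, for example "Microsoft Entra ID OAuth authentication"; the section anchor `#azure-active-directory-oauth-authentication` is unchanged and still resolves.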
connectors | Connectors Create Api Sqlazure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-create-api-sqlazure.md | For more information, review the [SQL Server managed connector reference](/conne You can use the SQL Server built-in connector or managed connector. - * To use Azure Active Directory authentication or managed identity authentication with your logic app, you have to set up your SQL Server to work with these authentication types. For more information, see [Authentication - SQL Server managed connector reference](/connectors/sql/#authentication). + * To use Microsoft Entra authentication or managed identity authentication with your logic app, you have to set up your SQL Server to work with these authentication types. For more information, see [Authentication - SQL Server managed connector reference](/connectors/sql/#authentication). - * To use the built-in connector, you can authenticate your connection with either a managed identity, Azure Active Directory, or a connection string. You can adjust connection pooling by specifying parameters in the connection string. For more information, review [Connection Pooling](/dotnet/framework/data/adonet/connection-pooling). + * To use the built-in connector, you can authenticate your connection with either a managed identity, Microsoft Entra ID, or a connection string. You can adjust connection pooling by specifying parameters in the connection string. For more information, review [Connection Pooling](/dotnet/framework/data/adonet/connection-pooling). * To use the SQL Server managed connector, follow the same requirements as a Consumption logic app workflow in multi-tenant Azure Logic Apps. For other connector requirements, review the [SQL Server managed connector reference](/connectors/sql/). 
In the connection information box, complete the following steps: | Authentication | Description | |-|-| | **Connection string** | - Supported only in Standard workflows with the SQL Server built-in connector. <br><br>- Requires the connection string to your SQL server and database. |- | **Active Directory OAuth** | - Supported only in Standard workflows with the SQL Server built-in connector. For more information, see the following documentation: <br><br>- [Authentication for SQL Server connector](/connectors/sql/#authentication) <br>- [Enable Azure Active Directory Open Authentication (Azure AD OAuth)](../logic-apps/logic-apps-securing-a-logic-app.md#enable-oauth) <br>- [Azure Active Directory Open Authentication](../logic-apps/logic-apps-securing-a-logic-app.md#azure-active-directory-oauth-authentication) | + | **Active Directory OAuth** | - Supported only in Standard workflows with the SQL Server built-in connector. For more information, see the following documentation: <br><br>- [Authentication for SQL Server connector](/connectors/sql/#authentication) <br>- [Enable Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)](../logic-apps/logic-apps-securing-a-logic-app.md#enable-oauth) <br>- [Microsoft Entra ID Open Authentication](../logic-apps/logic-apps-securing-a-logic-app.md#azure-active-directory-oauth-authentication) | | **Logic Apps Managed Identity** | - Supported with the SQL Server managed connector and ISE-versioned connector. In Standard workflows, this authentication type is available for the SQL Server built-in connector, but the option is named **Managed identity** instead. <br><br>- Requires the following items: <br><br> A valid managed identity that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. <br><br> **SQL DB Contributor** role access to the SQL Server resource <br><br> **Contributor** access to the resource group that includes the SQL Server resource. 
<br><br>For more information, see the following documentation: <br><br>- [Managed identity authentication for SQL Server connector](/connectors/sql/#managed-identity-authentication) <br>- [SQL - Server-Level Roles](/sql/relational-databases/security/authentication-access/server-level-roles) |- | **Service principal (Azure AD application)** | - Supported with the SQL Server managed connector. <br><br>- Requires an Azure AD application and service principal. For more information, see [Create an Azure AD application and service principal that can access resources using the Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). | - | [**Azure AD Integrated**](/azure/azure-sql/database/authentication-aad-overview) | - Supported with the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires a valid managed identity in Azure Active Directory (Azure AD) that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. For more information, see these topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) <br>- [Azure SQL - Azure AD Integrated authentication](/azure/azure-sql/database/authentication-aad-overview) | + | **Service principal (Microsoft Entra application)** | - Supported with the SQL Server managed connector. <br><br>- Requires a Microsoft Entra application and service principal. For more information, see [Create a Microsoft Entra application and service principal that can access resources using the Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). 
| + | [**Microsoft Entra integrated**](/azure/azure-sql/database/authentication-aad-overview) | - Supported with the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires a valid managed identity in Microsoft Entra that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. For more information, see these topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) <br>- [Azure SQL - Microsoft Entra integrated authentication](/azure/azure-sql/database/authentication-aad-overview) | | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Supported with the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server database. 
For more information, see the following topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) | - The following examples show how the connection information box might appear if you use the SQL Server *managed* connector and select **Azure AD Integrated** authentication: + The following examples show how the connection information box might appear if you use the SQL Server *managed* connector and select **Microsoft Entra integrated** authentication: **Consumption workflows** In the connection information box, complete the following steps: ![Screenshot shows Azure portal, Standard workflow, and SQL Server cloud connection information with selected authentication type.](./media/connectors-create-api-sqlazure/select-azure-ad-sql-cloud-standard.png) -1. After you select **Azure AD Integrated**, select **Sign in**. Based on whether you use Azure SQL Database or SQL Managed Instance, select your user credentials for authentication. +1. After you select **Microsoft Entra integrated**, select **Sign in**. Based on whether you use Azure SQL Database or SQL Managed Instance, select your user credentials for authentication. 1. Select these values for your database: When you call a stored procedure by using the SQL Server connector, the returned * [Managed connectors for Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors) * [Built-in connectors for Azure Logic Apps](built-in.md)-- |
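Review bot: the rename is incomplete in the authentication table: the first-column option **Active Directory OAuth** keeps its old label while the link text in the same `+` row becomes "Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)". If the designer still shows **Active Directory OAuth**, say so in the Description column the way the **Logic Apps Managed Identity** row already does ("the option is named **Managed identity** instead"); otherwise rename the option as well. Separately, the new **Microsoft Entra integrated** row says the option "Requires a valid managed identity in Microsoft Entra that's enabled on your logic app resource", but the Consumption and Standard steps directly below it say "select **Sign in** ... select your user credentials for authentication", which is an interactive user sign-in, not a managed identity; one of the two descriptions is wrong and the row should state which identity actually authenticates to the database. Last, the **Logic Apps Managed Identity** row carries over "**SQL DB Contributor** role access to the SQL Server resource" and "**Contributor** access to the resource group" as requirements; both are Azure RBAC roles on the resource, not permissions inside the database, so the row should name the database-level access the identity needs (that is what runs the queries) and present the RBAC roles as management-plane extras rather than prerequisites.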
connectors | Connectors Integrate Security Operations Create Api Microsoft Graph Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-integrate-security-operations-create-api-microsoft-graph-security.md | To learn more about Microsoft Graph Security, see the [Microsoft Graph Security * An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -* To use the Microsoft Graph Security connector, you must have *explicitly given* Azure Active Directory (AD) tenant administrator consent, which is part of the [Microsoft Graph Security Authentication requirements](/graph/security-authorization). This consent requires the Microsoft Graph Security connector's application ID and name, which you can also find in the [Azure portal](https://portal.azure.com): +* To use the Microsoft Graph Security connector, you must have *explicitly given* Microsoft Entra tenant administrator consent, which is part of the [Microsoft Graph Security Authentication requirements](/graph/security-authorization). This consent requires the Microsoft Graph Security connector's application ID and name, which you can also find in the [Azure portal](https://portal.azure.com): | Property | Value | |-|-| To learn more about Microsoft Graph Security, see the [Microsoft Graph Security | **Application ID** | `c4829704-0edc-4c3d-a347-7c4a67586f3c` | ||| - To grant consent for the connector, your Azure AD tenant administrator can follow either these steps: + To grant consent for the connector, your Microsoft Entra tenant administrator can follow either these steps: - * [Grant tenant administrator consent for Azure AD applications](../active-directory/develop/v2-permissions-and-consent.md). + * [Grant tenant administrator consent for Microsoft Entra applications](../active-directory/develop/v2-permissions-and-consent.md). 
- * During your logic app's first run, your app can request consent from your Azure AD tenant administrator through the [application consent experience](../active-directory/develop/application-consent-experience.md). + * During your logic app's first run, your app can request consent from your Microsoft Entra tenant administrator through the [application consent experience](../active-directory/develop/application-consent-experience.md). * Basic knowledge about how to create logic apps |
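Review bot: "your Microsoft Entra tenant administrator can follow either these steps" in the `+` line should read "either of these steps"; the slip is carried over from the `-` line. Since the consent being described is tenant-wide admin consent keyed on the **Application ID** `c4829704-0edc-4c3d-a347-7c4a67586f3c`, the prerequisite should also tell the administrator to compare that ID with the one shown in the consent prompt before approving, because the first-run consent experience linked in the second bullet looks the same for any application requesting the same permissions; a one-line check ahead of the bullet list is enough.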
connectors | Connectors Native Http | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-native-http.md | For example, you can monitor a service endpoint for your website by checking tha This article shows how to use the HTTP trigger and HTTP action so that your logic app can send outbound calls to other services and systems. -For information about encryption, security, and authorization for outbound calls from your logic app, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), self-signed certificates, or [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), see [Secure access and data - Access for outbound calls to other services and systems](../logic-apps/logic-apps-securing-a-logic-app.md#secure-outbound-requests). +For information about encryption, security, and authorization for outbound calls from your logic app, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), self-signed certificates, or [Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)](../active-directory/develop/index.yml), see [Secure access and data - Access for outbound calls to other services and systems](../logic-apps/logic-apps-securing-a-logic-app.md#secure-outbound-requests). ## Prerequisites If you have a **Logic App (Standard)** resource in single-tenant Azure Logic App * [TLS/SSL certificate](#tls-ssl-certificate-authentication): Add the app setting, `WEBSITE_LOAD_ROOT_CERTIFICATES`, and set the value to the thumbprint for your TLS/SSL certificate. -* [Client certificate or Azure Active Directory Open Authentication (Azure AD OAuth) with the "Certificate" credential type](#client-certificate-authentication): Add the app setting, `WEBSITE_LOAD_USER_PROFILE`, and set the value to `1`. 
+* [Client certificate or Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth) with the "Certificate" credential type](#client-certificate-authentication): Add the app setting, `WEBSITE_LOAD_USER_PROFILE`, and set the value to `1`. <a name="tls-ssl-certificate-authentication"></a> For more information, review the following documentation: <a name="client-certificate-authentication"></a> -### Client certificate or Azure AD OAuth with "Certificate" credential type authentication +<a name='client-certificate-or-azure-ad-oauth-with-certificate-credential-type-authentication'></a> ++### Client certificate or Microsoft Entra ID OAuth with "Certificate" credential type authentication 1. In your logic app resource's app settings, [add or update the app setting](../logic-apps/edit-app-settings-host-settings.md#manage-app-settings), `WEBSITE_LOAD_USER_PROFILE`. |
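Review bot: "Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL)" in the renamed sentence is inaccurate: TLS superseded SSL, it was not a renaming of it. The same phrase recurs in the Request trigger and Webhook articles in this change set, so while the sentence is being touched in all three, change it to "(TLS), the successor to Secure Sockets Layer (SSL)". Keeping the old heading reachable with `<a name='client-certificate-or-azure-ad-oauth-with-certificate-credential-type-authentication'></a>` is the right call; the renamed links in this file (`#azure-active-directory-oauth-authentication`, `#enable-oauth`) depend on logic-apps-securing-a-logic-app.md getting the same treatment when its headings are renamed, so verify those anchors survive that file's change.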
connectors | Connectors Native Reqres | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-native-reqres.md | Now, continue building your workflow by adding another action as the next step. > after this time expires, your workflow returns the **504 GATEWAY TIMEOUT** status to the caller. If your workflow > doesn't include a Response action, your workflow immediately returns the **202 ACCEPTED** status to the caller. -For information about security, authorization, and encryption for inbound calls to your workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), exposing your logic app resource with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). +For information about security, authorization, and encryption for inbound calls to your workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)](../active-directory/develop/index.yml), exposing your logic app resource with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). ## Trigger outputs To test your workflow, send an HTTP request to the generated URL. 
For example, y In a Standard logic app workflow that starts with the Request trigger (but not a webhook trigger), you can use the Azure Functions provision for authenticating inbound calls sent to the endpoint created by that trigger by using a managed identity. This provision is also known as "**Easy Auth**". For more information, review [Trigger workflows in Standard logic apps with Easy Auth](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/trigger-workflows-in-standard-logic-apps-with-easy-auth/ba-p/3207378). -For more information about security, authorization, and encryption for inbound calls to your logic app workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), exposing your logic app with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). +For more information about security, authorization, and encryption for inbound calls to your logic app workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)](../active-directory/develop/index.yml), exposing your logic app with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). ## Next steps |
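Review bot: the renamed paragraph appears twice in this file with the same link list and the same target: once under the timeout note ("For information about security, authorization, and encryption for inbound calls to your workflow ...") and again after the Easy Auth paragraph ("For more information about security, authorization, and encryption for inbound calls to your logic app workflow ..."). Keep one and drop the other rather than renaming both; the second copy, next to the managed-identity (Easy Auth) mention, is the better home because that is where a reader is deciding how to authenticate the trigger endpoint.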
connectors | Connectors Native Webhook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/connectors-native-webhook.md | For more information, see these topics: * [Webhooks and subscriptions](../logic-apps/logic-apps-workflow-actions-triggers.md#webhooks-and-subscriptions) * [Create custom APIs that support a webhook](../logic-apps/logic-apps-create-api-app.md) -For information about encryption, security, and authorization for inbound calls to your logic app, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), or [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). +For information about encryption, security, and authorization for inbound calls to your logic app, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), or [Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)](../active-directory/develop/index.yml), see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). ## Prerequisites |
connectors | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/connectors/introduction.md | Although you create connections within a workflow, these connections are actuall ### Connection security and encryption -Connection configuration details, such as server address, username, and password, credentials, and secrets are [encrypted and stored in the secured Azure environment](../security/fundamentals/encryption-overview.md). This information can be used only in logic app resources and by clients who have permissions for the connection resource, which is enforced using linked access checks. Connections that use Azure Active Directory Open Authentication (Azure AD OAuth), such as Office 365, Salesforce, and GitHub, require that you sign in, but Azure Logic Apps stores only access and refresh tokens as secrets, not sign-in credentials. +Connection configuration details, such as server address, username, and password, credentials, and secrets are [encrypted and stored in the secured Azure environment](../security/fundamentals/encryption-overview.md). This information can be used only in logic app resources and by clients who have permissions for the connection resource, which is enforced using linked access checks. Connections that use Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth), such as Office 365, Salesforce, and GitHub, require that you sign in, but Azure Logic Apps stores only access and refresh tokens as secrets, not sign-in credentials. -Established connections can access the target service or system for as long as that service or system allows. For services that use Azure AD OAuth connections, such as Office 365 and Dynamics, Azure Logic Apps refreshes access tokens indefinitely. Other services might have limits on how long Logic Apps can use a token without refreshing. Some actions, such as changing your password, invalidate all access tokens. 
+Established connections can access the target service or system for as long as that service or system allows. For services that use Microsoft Entra ID OAuth connections, such as Office 365 and Dynamics, Azure Logic Apps refreshes access tokens indefinitely. Other services might have limits on how long Logic Apps can use a token without refreshing. Some actions, such as changing your password, invalidate all access tokens. > [!NOTE] > The following table includes known issues for connectors in Azure Logic Apps: | Error message| Description | Resolution | |--|-||-| `Error: BadGateway. Client request id: '{GUID}'` | This error results from updating the tags on a logic app resource where one or more connections don't support Azure Active Directory (Azure AD) OAuth authentication, such as SFTP ad SQL, breaking those connections. | To prevent this behavior, avoid updating those tags. | +| `Error: BadGateway. Client request id: '{GUID}'` | This error results from updating the tags on a logic app resource where one or more connections don't support Microsoft Entra ID OAuth authentication, such as SFTP ad SQL, breaking those connections. | To prevent this behavior, avoid updating those tags. | ## Next steps |
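Review bot: the `+` row of the known-issues table carries the typo "SFTP ad SQL" forward from the `-` row; fix it to "SFTP and SQL" in the same change. The separator row `|--|-||-|` also has an extra pipe that breaks the three-column layout and should be `|--|--|--|`. In the connection-security paragraph, "refreshes access tokens indefinitely" followed by "Some actions, such as changing your password, invalidate all access tokens" is the part a reader will act on: say what happens to the connection afterwards (it stops working until someone re-authorizes it), since "invalidate" alone reads as if the service recovers on its own.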
container-apps | Authentication Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/authentication-azure-active-directory.md | Title: Enable authentication and authorization in Azure Container Apps with Azure Active Directory -description: Learn to use the built-in Azure Active Directory authentication provider in Azure Container Apps. + Title: Enable authentication and authorization in Azure Container Apps with Microsoft Entra ID +description: Learn to use the built-in Microsoft Entra authentication provider in Azure Container Apps. Last updated 04/20/2022 -# Enable authentication and authorization in Azure Container Apps with Azure Active Directory +# Enable authentication and authorization in Azure Container Apps with Microsoft Entra ID -This article shows you how to configure authentication for Azure Container Apps so that your app signs in users with the [Microsoft identity platform](../active-directory/develop/v2-overview.md) (Azure AD) as the authentication provider. +This article shows you how to configure authentication for Azure Container Apps so that your app signs in users with the [Microsoft identity platform](../active-directory/develop/v2-overview.md) as the authentication provider. The Container Apps Authentication feature can automatically create an app registration with the Microsoft identity platform. You can also use a registration that you or a directory admin creates separately. You're now ready to use the Microsoft identity platform for authentication in yo ## <a name="aad-advanced"> </a>Option 2: Use an existing registration created separately -You can also manually register your application for the Microsoft identity platform, customizing the registration and configuring Container Apps Authentication with the registration details. This approach is useful if you want to use an app registration from a different Azure AD tenant other than the one your application is defined. 
+You can also manually register your application for the Microsoft identity platform, customizing the registration and configuring Container Apps Authentication with the registration details. This approach is useful if you want to use an app registration from a different Microsoft Entra tenant other than the one your application is defined. -### <a name="aad-register"> </a>Create an app registration in Azure AD for your container app +### <a name="aad-register"> </a>Create an app registration in Microsoft Entra ID for your container app First, you'll create your app registration. As you do so, collect the following information that you'll need later when you configure the authentication in the container app: First, you'll create your app registration. As you do so, collect the following To register the app, perform the following steps: -1. Sign in to the [Azure portal], search for and select **Container Apps**, and then select your app. Note your app's **URL**. You'll use it to configure your Azure Active Directory app registration. -1. From the portal menu, select **Azure Active Directory**, then go to the **App registrations** tab and select **New registration**. +1. Sign in to the [Azure portal], search for and select **Container Apps**, and then select your app. Note your app's **URL**. You'll use it to configure your Microsoft Entra app registration. +1. From the portal menu, select **Microsoft Entra ID**, then go to the **App registrations** tab and select **New registration**. 1. In the **Register an application** page, enter a **Name** for your app registration. 1. In **Redirect URI**, select **Web** and type `<app-url>/.auth/login/aad/callback`. For example, `https://<hostname>.azurecontainerapps.io/.auth/login/aad/callback`. 1. Select **Register**. To register the app, perform the following steps: 1. (Optional) To create a client secret, select **Certificates & secrets** > **Client secrets** > **New client secret**. 
Enter a description and expiration and select **Add**. Copy the client secret value shown in the page. It won't be shown again. 1. (Optional) To add multiple **Reply URLs**, select **Authentication**. -### <a name="aad-secrets"> </a>Enable Azure Active Directory in your container app +### <a name="aad-secrets"> </a>Enable Microsoft Entra ID in your container app 1. Sign in to the [Azure portal] and navigate to your app. 1. Select **Authentication** in the menu on the left. Select **Add identity provider**. To register the app, perform the following steps: |-|-| |Application (client) ID| Use the **Application (client) ID** of the app registration. | |Client Secret| Use the client secret you generated in the app registration. With a client secret, hybrid flow is used and the Container Apps will return access and refresh tokens. When the client secret isn't set, implicit flow is used and only an ID token is returned. These tokens are sent by the provider and stored in the EasyAuth token store.|- |Issuer Url| Use `<authentication-endpoint>/<TENANT-ID>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (for example, "https://login.microsoftonline.com" for global Azure), also replacing *\<TENANT-ID>* with the **Directory (tenant) ID** in which the app registration was created. This value is used to redirect users to the correct Azure AD tenant, and to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. 
For applications that use Azure AD v1, omit `/v2.0` in the URL.| + |Issuer Url| Use `<authentication-endpoint>/<TENANT-ID>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (for example, "https://login.microsoftonline.com" for global Azure), also replacing *\<TENANT-ID>* with the **Directory (tenant) ID** in which the app registration was created. This value is used to redirect users to the correct Microsoft Entra tenant, and to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. For applications that use Azure AD v1, omit `/v2.0` in the URL.| |Allowed Token Audiences| The configured **Application (client) ID** is *always* implicitly considered to be an allowed audience. If this value refers to a cloud or server app and you want to accept authentication tokens from a client container app (the authentication token can be retrieved in the `X-MS-TOKEN-AAD-ID-TOKEN` header), add the **Application (client) ID** of the client app here. | The client secret will be stored as [secrets](manage-secrets.md) in your container app. You can register native clients to request access your container app's APIs on b 1. Select **Create**. 1. After the app registration is created, copy the value of **Application (client) ID**. 1. Select **API permissions** > **Add a permission** > **My APIs**.-1. Select the app registration you created earlier for your container app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Azure AD for your container app](#aad-register). +1. Select the app registration you created earlier for your container app. 
If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Microsoft Entra ID for your container app](#aad-register). 1. Under **Delegated permissions**, select **user_impersonation**, and then select **Add permissions**. You've now configured a native client application that can request access your container app on behalf of a user. Your application can acquire a token to call a Web API hosted in your container You can now [request an access token using the client ID and client secret](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#first-case-access-token-request-with-a-shared-secret) by setting the `resource` parameter to the **Application ID URI** of the target app. The resulting access token can then be presented to the target app using the standard [OAuth 2.0 Authorization header](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#use-a-token), and Container Apps Authentication / Authorization will validate and use the token as usual to now indicate that the caller (an application in this case, not a user) is authenticated. -This process allows _any_ client application in your Azure AD tenant to request an access token and authenticate to the target app. If you also want to enforce _authorization_ to allow only certain client applications, you must adjust the configuration. +This process allows _any_ client application in your Microsoft Entra tenant to request an access token and authenticate to the target app. If you also want to enforce _authorization_ to allow only certain client applications, you must adjust the configuration. 1. [Define an App Role](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md) in the manifest of the app registration representing the container app you want to protect. 1. On the app registration representing the client that needs to be authorized, select **API permissions** > **Add a permission** > **My APIs**. |
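Review bot: the renamed sentence still reads "from a different Microsoft Entra tenant other than the one your application is defined"; drop "other" and add "in" ("a different Microsoft Entra tenant than the one in which your application is defined"). In the Issuer Url row the `+` line keeps "For applications that use Azure AD v1, omit `/v2.0` in the URL"; that is the one place the old name survives and it is deliberate, because it names the v1.0 endpoint, so write "the Azure AD v1.0 endpoint" to make clear it is a protocol version and not a leftover. In the native-client paragraph, "by setting the `resource` parameter to the **Application ID URI** of the target app" links to the v2.0 client credentials request, which takes `scope` (the Application ID URI followed by `/.default`) rather than `resource`; align the parameter name with the linked flow. The sentence after it ("This process allows _any_ client application in your Microsoft Entra tenant to request an access token and authenticate to the target app") is the important caveat and is correct; consider placing it ahead of the token-request sentence so the App Role step reads as the expected configuration rather than an afterthought.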
container-apps | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/authentication.md | Azure Container Apps provides built-in authentication and authorization features For details surrounding authentication and authorization, refer to the following guides for your choice of provider. -* [Azure Active Directory](authentication-azure-active-directory.md) +* [Microsoft Entra ID](authentication-azure-active-directory.md) * [Facebook](authentication-facebook.md) * [GitHub](authentication-github.md) * [Google](authentication-google.md) The built-in authentication feature for Container Apps can save you time and eff * Azure Container Apps provides access to various built-in authentication providers. * The built-in auth features donΓÇÖt require any particular language, SDK, security expertise, or even any code that you have to write.-* You can integrate with multiple providers including Azure Active Directory, Facebook, Google, and Twitter. +* You can integrate with multiple providers including Microsoft Entra ID, Facebook, Google, and Twitter. 
## Identity providers Container Apps uses [federated identity](https://en.wikipedia.org/wiki/Federated | Provider | Sign-in endpoint | How-To guidance | | - | - | - |-| [Microsoft Identity Platform](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [Microsoft Identity Platform](authentication-azure-active-directory.md) | +| [Microsoft identity platform](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [Microsoft identity platform](authentication-azure-active-directory.md) | | [Facebook](https://developers.facebook.com/docs/facebook-login) | `/.auth/login/facebook` | [Facebook](authentication-facebook.md) | | [GitHub](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps) | `/.auth/login/github` | [GitHub](authentication-github.md) | | [Google](https://developers.google.com/identity/choose-auth) | `/.auth/login/google` | [Google](authentication-google.md) | In the [Azure portal](https://portal.azure.com), you can edit your container app > Restricting access in this way applies to all calls to your app, which may not be desirable for apps wanting a publicly available home page, as in many single-page applications. > [!NOTE]- > By default, any user in your Azure AD tenant can request a token for your application from Azure AD. You can [configure the application in Azure AD](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md) if you want to restrict access to your app to a defined set of users. + > By default, any user in your Microsoft Entra tenant can request a token for your application from Microsoft Entra ID. You can [configure the application in Microsoft Entra ID](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md) if you want to restrict access to your app to a defined set of users. 
## Customize sign-in and sign-out Users can initiate a sign-out by sending a `GET` request to the app's `/.auth/lo * Clears authentication cookies from the current session. * Deletes the current user's tokens from the token store.-* For Azure Active Directory and Google, performs a server-side sign-out on the identity provider. +* For Microsoft Entra ID and Google, performs a server-side sign-out on the identity provider. Here's a simple sign-out link in a webpage: Code that is written in any language or framework can get the information that i Refer to the following articles for details on securing your container app. -* [Azure Active Directory](authentication-azure-active-directory.md) +* [Microsoft Entra ID](authentication-azure-active-directory.md) * [Facebook](authentication-facebook.md) * [GitHub](authentication-github.md) * [Google](authentication-google.md) |
container-apps | Azure Arc Enable Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/azure-arc-enable-cluster.md | The [custom location](../azure-arc/kubernetes/custom-locations.md) is an Azure l > [!NOTE]- > If you experience issues creating a custom location on your cluster, you may need to [enable the custom location feature on your cluster](../azure-arc/kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster). This is required if logged into the CLI using a Service Principal or if you are logged in with an Azure Active Directory user with restricted permissions on the cluster resource. + > If you experience issues creating a custom location on your cluster, you may need to [enable the custom location feature on your cluster](../azure-arc/kubernetes/custom-locations.md#enable-custom-locations-on-your-cluster). This is required if logged into the CLI using a Service Principal or if you are logged in with a Microsoft Entra user with restricted permissions on the cluster resource. > 1. Validate that the custom location is successfully created with the following command. The output should show the `provisioningState` property as `Succeeded`. If not, rerun the command after a minute. |
container-apps | Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/containers.md | You can define multiple containers in a single container app to implement the [s Examples of sidecar containers include: -- An agent that reads logs from the primary app container on a [shared volume](storage-mounts.md?pivots=aca-cli#temporary-storage) and forwards them to a logging service.+- An agent that reads logs from the primary app container on a [shared volume](storage-mounts.md?pivots=aca-cli#replica-scoped-storage) and forwards them to a logging service. - A background process that refreshes a cache used by the primary app container in a shared volume. |
container-apps | Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/managed-identity.md | -A managed identity from Azure Active Directory (Azure AD) allows your container app to access other Azure AD-protected resources. For more about managed identities in Azure AD, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +A managed identity from Microsoft Entra ID allows your container app to access other Microsoft Entra protected resources. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Your container app can be granted two types of identities: Your container app can be granted two types of identities: ## Why use a managed identity? -You can use a managed identity in a running container app to authenticate to any [service that supports Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +You can use a managed identity in a running container app to authenticate to any [service that supports Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). With managed identities: For a complete ARM template example, see [ARM API Specification](azure-resource- ## Configure a target resource -For some resources, you'll need to configure role assignments for your app's managed identity to grant access. Otherwise, calls from your app to services, such as Azure Key Vault and Azure SQL Database, will be rejected even if you use a valid token for that identity. To learn more about Azure role-based access control (Azure RBAC), see [What is RBAC?](../role-based-access-control/overview.md). 
To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +For some resources, you'll need to configure role assignments for your app's managed identity to grant access. Otherwise, calls from your app to services, such as Azure Key Vault and Azure SQL Database, will be rejected even if you use a valid token for that identity. To learn more about Azure role-based access control (Azure RBAC), see [What is RBAC?](../role-based-access-control/overview.md). To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). > [!IMPORTANT] > The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh. ## Connect to Azure services in app code -With managed identities, an app can obtain tokens to access Azure resources that use Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application. +With managed identities, an app can obtain tokens to access Azure resources that use Microsoft Entra ID, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application. 
Container Apps provides an internally accessible [REST endpoint](managed-identity.md?tabs=cli%2Chttp#rest-endpoint-reference) to retrieve tokens. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint. Connecting to other Azure services is as simple as adding a credential object to the service-specific client. Content-Type: application/json ``` -This response is the same as the [response for the Azure AD service-to-service access token request](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#successful-response). To access Key Vault, you'll then add the value of `access_token` to a client connection with the vault. +This response is the same as the [response for the Microsoft Entra service-to-service access token request](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md#successful-response). To access Key Vault, you'll then add the value of `access_token` to a client connection with the vault. ### REST endpoint reference To get a token for a resource, make an HTTP GET request to the endpoint, includi | Parameter name | In | Description | | -- | | - |-| resource | Query | The Azure AD resource URI of the resource for which a token should be obtained. The resource could be one of the [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI. | +| resource | Query | The Microsoft Entra resource URI of the resource for which a token should be obtained. 
The resource could be one of the [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI. | | api-version | Query | The version of the token API to be used. Use "2019-08-01" or later. | | X-IDENTITY-HEADER | Header | The value of the `IDENTITY_HEADER` environment variable. This header mitigates server-side request forgery (SSRF) attacks. | | client_id | Query | (Optional) The client ID of the user-assigned identity to be used. Can't be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used. | az containerapp identity show --name <APP_NAME> --resource-group <GROUP_NAME> ## Remove a managed identity -When you remove a system-assigned identity, it's deleted from Azure Active Directory. System-assigned identities are also automatically removed from Azure Active Directory when you delete the container app resource itself. Removing user-assigned managed identities from your container app doesn't remove them from Azure Active Directory. +When you remove a system-assigned identity, it's deleted from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when you delete the container app resource itself. Removing user-assigned managed identities from your container app doesn't remove them from Microsoft Entra ID. # [Azure portal](#tab/portal) |
container-apps | Service Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/service-connector.md | The following steps create a service connection using an access key or a system- - **Name of the storage account**: the name of the storage account that contains your blob. > [!IMPORTANT]- > To use Managed Identity, you must have the permission to manage [Azure Active Directory role assignments](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have this permission, you won't be able to create a connection. You can ask your subscription owner to grant you this permission or use an access key instead to create the connection. + > To use Managed Identity, you must have the permission to manage [Microsoft Entra role assignments](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have this permission, you won't be able to create a connection. You can ask your subscription owner to grant you this permission or use an access key instead to create the connection. > [!NOTE] > If you don't have a Blob Storage, you can run `az containerapp connection create storage-blob --new --secret` to provision a new one. |
container-apps | Storage Mounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/storage-mounts.md | zone_pivot_groups: arm-azure-cli-portal A container app has access to different types of storage. A single app can take advantage of more than one type of storage if necessary. -| Storage type | Description | Usage examples | +| Storage type | Description | Persistence | Usage example | |--|--|--|-| [Container file system](#container-file-system) | Temporary storage scoped to the local container | Writing a local app cache. | -| [Ephemeral storage](#temporary-storage) | Temporary storage scoped to an individual replica | Sharing files between containers in a replica. For instance, the main app container can write log files that are processed by a sidecar container. | -| [Azure Files](#azure-files) | Permanent storage | Writing files to a file share to make data accessible by other systems. | +| [Container-scoped storage](#container-scoped-storage) | Ephemeral storage available to a running container | Data is available until container shuts down | Writing a local app cache. | +| [Replica-scoped storage](#replica-scoped-storage) | Ephemeral storage for sharing files between containers in the same replica | Data is available until replica shuts down | The main app container writing log files that are processed by a sidecar container. | +| [Azure Files](#azure-files) | Permanent storage | Data is persisted to Azure Files | Writing files to a file share to make data accessible by other systems. | -## Container file system +## Ephemeral storage ++A container app can read and write temporary data to ephemeral storage. Ephermal storage can be scoped to a container or a replica. The total amount of container-scoped and replica-scoped storage available to each replica depends on the total amount of vCPUs allocated to the replica. 
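Review bot: the new storage table header has four columns (Storage type, Description, Persistence, Usage example) but the delimiter row beneath it is still the three-cell `|--|--|--|`, so the table will not render as a table; extend it to `|--|--|--|--|`. In the paragraph added under `## Ephemeral storage`, "Ephermal storage" is a typo for "Ephemeral storage".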
++| vCPUs | Total ephemeral storage | +|--|--| +| 0.25 or lower | 1 GiB | +| 0.5 or lower | 2 GiB | +| 1 or lower | 4 GiB | +| Over 1 | 8 GiB | ++### Container-scoped storage A container can write to its own file system. Container file system storage has the following characteristics: * The storage is temporary and disappears when the container is shut down or restarted. * Files written to this storage are only visible to processes running in the current container.-* There are no capacity guarantees. The available storage depends on the amount of disk space available in the container. -## <a name="temporary-storage"></a>Ephemeral volume +### Replica-scoped storage -You can mount an ephemeral, temporary volume that is equivalent to [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir) in Kubernetes. Ephemeral storage is scoped to a single replica. +You can mount an ephemeral, temporary volume that is equivalent to [EmptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir) (empty directory) in Kubernetes. This storage is scoped to a single replica. Use an `EmptyDir` volume to share data between containers in the same replica. -Ephemeral storage has the following characteristics: +Replica-scoped storage has the following characteristics: * Files are persisted for the lifetime of the replica. * If a container in a replica restarts, the files in the volume remain.-* Any containers in the replica can mount the same volume. -* A container can mount multiple ephemeral volumes. -* The available storage depends on the total amount of vCPUs allocated to the replica. +* Any init or app containers in the replica can mount the same volume. +* A container can mount multiple `EmptyDir` volumes. - | vCPUs | Ephemeral storage | - |--|--| - | 0.25 or lower | 1 GiB | - | 0.5 or lower | 2 GiB | - | 1 or lower | 4 GiB | - | Over 1 | 8 GiB | +To configure replica-scoped storage, first define an `EmptyDir` volume in the revision. 
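Review bot: removing the `<a name="temporary-storage"></a>` anchor when the heading is renamed to `### Replica-scoped storage` breaks every existing inbound link to `storage-mounts.md#temporary-storage` (the Containers article in this same change set is updated to `#replica-scoped-storage`, but other pages and external bookmarks are not); keep the old anchor above the new heading, as the container-registry change further down this page does with `<a name='step-1-create-multitenant-azure-ad-application'></a>`. Also, the paragraph under the renamed `### Container-scoped storage` heading still opens with "Container file system storage has the following characteristics", so the old term survives in the section that was meant to replace it.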
Then define a volume mount in one or more containers in the revision. -To configure ephemeral storage, first define an `EmptyDir` volume in the revision. Then define a volume mount in one or more containers in the revision. --### Prerequisites +#### Prerequisites | Requirement | Instructions | |--|--| | Azure account | If you don't have one, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). | | Azure Container Apps environment | [Create a container apps environment](environment.md). | -### Configuration +#### Configuration ::: zone pivot="azure-cli" -When configuring ephemeral storage using the Azure CLI, you must use a YAML definition to create or update your container app. +When configuring replica-scoped storage using the Azure CLI, you must use a YAML definition to create or update your container app. -1. To update an existing container app to use ephemeral storage, export your app's specification to a YAML file named *app.yaml*. +1. To update an existing container app to use replica-scoped storage, export your app's specification to a YAML file named *app.yaml*. ```azure-cli az containerapp show -n <APP_NAME> -g <RESOURCE_GROUP_NAME> -o yaml > app.yaml When configuring ephemeral storage using the Azure CLI, you must use a YAML defi - Add a `volumes` array to the `template` section of your container app definition and define a volume. If you already have a `volumes` array, add a new volume to the array. - The `name` is an identifier for the volume. - Use `EmptyDir` as the `storageType`.- - For each container in the template that you want to mount the ephemeral volume, define a volume mount in the `volumeMounts` array of the container definition. + - For each container in the template that you want to mount the volume, define a volume mount in the `volumeMounts` array of the container definition. - The `volumeName` is the name defined in the `volumes` array. - The `mountPath` is the path in the container to mount the volume. 
When configuring ephemeral storage using the Azure CLI, you must use a YAML defi activeRevisionsMode: Single template: containers:- - image: <IMAGE_NAME> - name: my-container + - image: <IMAGE_NAME1> + name: my-container-1 + volumeMounts: + - mountPath: /myempty + volumeName: myempty + - image: <IMAGE_NAME_2> + name: my-container-2 volumeMounts: - mountPath: /myempty volumeName: myempty See the [YAML specification](azure-resource-manager-api-spec.md?tabs=yaml) for a ::: zone pivot="azure-resource-manager" -To create an ephemeral volume and mount it in a container, make the following changes to the container apps resource in an ARM template: +To create a replica-scoped volume and mount it in a container, make the following changes to the container apps resource in an ARM template: - Add a `volumes` array to the `template` section of your container app definition and define a volume. If you already have a `volumes` array, add a new volume to the array. - The `name` is an identifier for the volume. - Use `EmptyDir` as the `storageType`.-- For each container in the template that you want to mount temporary storage, define a volume mount in the `volumeMounts` array of the container definition.+- For each container in the template that you want to mount the volume, define a volume mount in the `volumeMounts` array of the container definition. - The `volumeName` is the name defined in the `volumes` array. - The `mountPath` is the path in the container to mount the volume. 
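Review bot: the two image placeholders in the YAML are named inconsistently, `<IMAGE_NAME1>` for `my-container-1` and `<IMAGE_NAME_2>` for `my-container-2`; use one pattern for both (for example `<IMAGE_NAME_1>` and `<IMAGE_NAME_2>`) so readers see they are parallel values to substitute.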
Example ARM template snippet: "volumeName": "myempty" } ]+ }, + { + "name": "sidecar", + "image": "[parameters('sidecar_image')]", + "resources": { + "cpu": 0.5, + "memory": "1Gi" + }, + "volumeMounts": [ + { + "mountPath": "/myempty", + "volumeName": "myempty" + } + ] } ], "scale": { See the [ARM template API specification](azure-resource-manager-api-spec.md) for ::: zone pivot="azure-portal" -To create an ephemeral volume and mount it in a container, deploy a new revision of your container app using the Azure portal. +To create a replica-scoped volume and mount it in a container, deploy a new revision of your container app using the Azure portal. 1. In the Azure portal, navigate to your container app. To enable Azure Files storage in your container, you need to set up your contain * Define a volume of type `AzureFile` in a revision. * Define a volume mount in one or more containers in the revision. -#### Prerequisites +### Prerequisites | Requirement | Instructions | |--|--| |
container-apps | Tutorial Java Quarkus Connect Managed Identity Postgresql Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/tutorial-java-quarkus-connect-managed-identity-postgresql-database.md | This tutorial walks you through the process of building, configuring, deploying, What you will learn: > [!div class="checklist"]-> * Configure a Quarkus app to authenticate using Azure Active Directory (Azure AD) with a PostgreSQL Database. +> * Configure a Quarkus app to authenticate using Microsoft Entra ID with a PostgreSQL Database. > * Create an Azure container registry and push a Java app image to it. > * Create a Container App in Azure. > * Create a PostgreSQL database in Azure. |
container-registry | Authenticate Aks Cross Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/authenticate-aks-cross-tenant.md | -# Pull images from a container registry to an AKS cluster in a different Azure AD tenant +# Pull images from a container registry to an AKS cluster in a different Microsoft Entra tenant -In some cases, you might have your Azure AKS cluster in one Azure Active Directory (Azure AD) tenant and your Azure container registry in a different tenant. This article walks through the steps to enable cross-tenant authentication using the AKS service principal credential to pull from the container registry. +In some cases, you might have your Azure AKS cluster in one Microsoft Entra tenant and your Azure container registry in a different tenant. This article walks through the steps to enable cross-tenant authentication using the AKS service principal credential to pull from the container registry. > [!NOTE] > You can't attach the registry and authenticate using an AKS managed identity when the cluster and the container registry are in different tenants. You use the following steps to: ## Step-by-step instructions -### Step 1: Create multitenant Azure AD application +<a name='step-1-create-multitenant-azure-ad-application'></a> ++### Step 1: Create multitenant Microsoft Entra application 1. Sign in to the [Azure portal](https://portal.azure.com/) in **Tenant A**.-1. Search for and select **Azure Active Directory**. +1. Search for and select **Microsoft Entra ID**. 1. Under **Manage**, select **App registrations > + New registration**. 1. In **Supported account types**, select **Accounts in any organizational directory**. 1. In **Redirect URI**, enter *https://www.microsoft.com*. 
In **Tenant B**, assign the AcrPull role to the service principal, scoped to the :::image type="content" source="media/authenticate-kubernetes-cross-tenant/multitenant-app-acr-pull.png" alt-text="Assign acrpull role to multitenant app"::: -### Step 4: Update AKS with the Azure AD application secret +<a name='step-4-update-aks-with-the-azure-ad-application-secret'></a> ++### Step 4: Update AKS with the Microsoft Entra application secret Use the multitenant application (client) ID and client secret collected in Step 1 to [update the AKS service principal credential](../aks/update-credentials.md#update-aks-cluster-with-service-principal-credentials). Updating the service principal can take several minutes. * Learn more [Azure Container Registry authentication with service principals](container-registry-auth-service-principal.md) * Learn more about image pull secrets in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod)-- Learn about [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md)+- Learn about [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md) - Learn more about [scenarios to authenticate with Azure Container Registry](authenticate-kubernetes-options.md) from a Kubernetes cluster-- |
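Review bot: the Next steps list mixes bullet markers: the two "Learn more" items use `*` while the "Learn about" item edited here and the item after it use `-`; since the line is being touched anyway, switch it to `*` so the list uses a single marker.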
container-registry | Authenticate Kubernetes Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/authenticate-kubernetes-options.md | To pull images to your Kubernetes cluster from an Azure container registry, an a | Kubernetes cluster |Authentication method | Description | Example | ||||-| | AKS cluster |AKS managed identity | Enable the AKS kubelet [managed identity](../aks/use-managed-identity.md) to pull images from an attached Azure container registry.<br/><br/> Registry and cluster must be in same Active Directory tenant but can be in the same or a different Azure subscription. | [Authenticate with Azure Container Registry from Azure Kubernetes Service](../aks/cluster-container-registry-integration.md?toc=/azure/container-registry/toc.json&bc=/azure/container-registry/breadcrumb/toc.json)| -| AKS cluster | AKS service principal | Enable the [AKS service principal](../aks/kubernetes-service-principal.md) with permissions to a target Azure container registry.<br/><br/>Registry and cluster can be in the same or a different Azure subscription or Azure Active Directory tenant. | [Pull images from an Azure container registry to an AKS cluster in a different AD tenant](authenticate-aks-cross-tenant.md) +| AKS cluster | AKS service principal | Enable the [AKS service principal](../aks/kubernetes-service-principal.md) with permissions to a target Azure container registry.<br/><br/>Registry and cluster can be in the same or a different Azure subscription or Microsoft Entra tenant. 
| [Pull images from an Azure container registry to an AKS cluster in a different AD tenant](authenticate-aks-cross-tenant.md) | Kubernetes cluster other than AKS |Pod [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | Use general Kubernetes mechanism to manage registry credentials for pod deployments.<br/><br/>Configure AD service principal, repository-scoped token, or other supported [registry credentials](container-registry-authentication.md). | [Pull images from an Azure container registry to a Kubernetes cluster using a pull secret](container-registry-auth-kubernetes.md) | |
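Review bot: the rename is incomplete within this table. The AKS service principal row now reads "Microsoft Entra tenant", but the AKS managed identity row directly above still says "Registry and cluster must be in same Active Directory tenant", the imagePullSecrets row still says "Configure AD service principal", and the example-column link text still says "in a different AD tenant". Update those cells in the same change so the table uses one name for the directory.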
container-registry | Container Registry Auth Aci | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-auth-aci.md | Title: Access from Container Instances -description: Learn how to provide access to images in your private container registry from Azure Container Instances by using an Azure Active Directory service principal. +description: Learn how to provide access to images in your private container registry from Azure Container Instances by using a Microsoft Entra service principal. Last updated 10/11/2022 # Authenticate with Azure Container Registry from Azure Container Instances -You can use an Azure Active Directory (Azure AD) service principal to provide access to your private container registries in Azure Container Registry. +You can use a Microsoft Entra service principal to provide access to your private container registries in Azure Container Registry. -In this article, you learn to create and configure an Azure AD service principal with *pull* permissions to your registry. Then, you start a container in Azure Container Instances (ACI) that pulls its image from your private registry, using the service principal for authentication. +In this article, you learn to create and configure a Microsoft Entra service principal with *pull* permissions to your registry. Then, you start a container in Azure Container Instances (ACI) that pulls its image from your private registry, using the service principal for authentication. ## When to use a service principal |
container-registry | Container Registry Auth Kubernetes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-auth-kubernetes.md | Last updated 10/11/2022 You can use an Azure container registry as a source of container images with any Kubernetes cluster, including "local" Kubernetes clusters such as [minikube](https://minikube.sigs.k8s.io/) and [kind](https://kind.sigs.k8s.io/). This article shows how to create a Kubernetes pull secret using credentials for an Azure container registry. Then, use the secret to pull images from an Azure container registry in a pod deployment. -This example creates a pull secret using Azure Active Directory [service principal credentials](container-registry-auth-service-principal.md). You can also configure a pull secret using other Azure container registry credentials, such as a [repository-scoped access token](container-registry-repository-scoped-permissions.md). +This example creates a pull secret using Microsoft Entra [service principal credentials](container-registry-auth-service-principal.md). You can also configure a pull secret using other Azure container registry credentials, such as a [repository-scoped access token](container-registry-repository-scoped-permissions.md). > [!NOTE] > While pull secrets are commonly used, they bring additional management overhead. If you're using [Azure Kubernetes Service](../aks/intro-kubernetes.md), we recommend [other options](authenticate-kubernetes-options.md) such as using the cluster's managed identity or service principal to securely pull the image without an additional `imagePullSecrets` setting on each pod. |
container-registry | Container Registry Auth Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-auth-service-principal.md | Title: Authenticate with service principal -description: Provide access to images in your private container registry by using an Azure Active Directory service principal. +description: Provide access to images in your private container registry by using a Microsoft Entra service principal. Last updated 10/11/2022 # Azure Container Registry authentication with service principals -You can use an Azure Active Directory (Azure AD) service principal to provide push, pull, or other access to your container registry. By using a service principal, you can provide access to "headless" services and applications. +You can use a Microsoft Entra service principal to provide push, pull, or other access to your container registry. By using a service principal, you can provide access to "headless" services and applications. ## What is a service principal? -Azure AD [*service principals*](../active-directory/develop/app-objects-and-service-principals.md) provide access to Azure resources within your subscription. You can think of a service principal as a user identity for a service, where "service" is any application, service, or platform that needs to access the resources. You can configure a service principal with access rights scoped only to those resources you specify. Then, configure your application or service to use the service principal's credentials to access those resources. +Microsoft Entra ID [*service principals*](../active-directory/develop/app-objects-and-service-principals.md) provide access to Azure resources within your subscription. You can think of a service principal as a user identity for a service, where "service" is any application, service, or platform that needs to access the resources. 
You can configure a service principal with access rights scoped only to those resources you specify. Then, configure your application or service to use the service principal's credentials to access those resources. -In the context of Azure Container Registry, you can create an Azure AD service principal with pull, push and pull, or other permissions to your private registry in Azure. For a complete list, see [Azure Container Registry roles and permissions](container-registry-roles.md). +In the context of Azure Container Registry, you can create a Microsoft Entra service principal with pull, push and pull, or other permissions to your private registry in Azure. For a complete list, see [Azure Container Registry roles and permissions](container-registry-roles.md). ## Why use a service principal? -By using an Azure AD service principal, you can provide scoped access to your private container registry. Create different service principals for each of your applications or services, each with tailored access rights to your registry. And, because you can avoid sharing credentials between services and applications, you can rotate credentials or revoke access for only the service principal (and thus the application) you choose. +By using a Microsoft Entra service principal, you can provide scoped access to your private container registry. Create different service principals for each of your applications or services, each with tailored access rights to your registry. And, because you can avoid sharing credentials between services and applications, you can rotate credentials or revoke access for only the service principal (and thus the application) you choose. For example, configure your web application to use a service principal that provides it with image `pull` access only, while your build system uses a service principal that provides it with both `push` and `pull` access. 
If development of your application changes hands, you can rotate its service principal credentials without affecting the build system. You should use a service principal to provide registry access in **headless scen > A service principal is recommended in several [Kubernetes scenarios](authenticate-kubernetes-options.md) to pull images from an Azure container registry. With Azure Kubernetes Service (AKS), you can also use an automated mechanism to authenticate with a target registry by enabling the cluster's [managed identity](../aks/cluster-container-registry-integration.md). * *Push*: Build container images and push them to a registry using continuous integration and deployment solutions like Azure Pipelines or Jenkins. -For individual access to a registry, such as when you manually pull a container image to your development workstation, we recommend using your own [Azure AD identity](container-registry-authentication.md#individual-login-with-azure-ad) instead for registry access (for example, with [az acr login][az-acr-login]). +For individual access to a registry, such as when you manually pull a container image to your development workstation, we recommend using your own [Microsoft Entra identity](container-registry-authentication.md#individual-login-with-azure-ad) instead for registry access (for example, with [az acr login][az-acr-login]). [!INCLUDE [container-registry-service-principal](../../includes/container-registry-service-principal.md)] The CLI uses the token created when you ran `az login` to authenticate your sess ## Create service principal for cross-tenant scenarios -A service principal can also be used in Azure scenarios that require pulling images from a container registry in one Azure Active Directory (tenant) to a service or app in another. For example, an organization might run an app in Tenant A that needs to pull an image from a shared container registry in Tenant B. 
+A service principal can also be used in Azure scenarios that require pulling images from a container registry in one Microsoft Entra ID (tenant) to a service or app in another. For example, an organization might run an app in Tenant A that needs to pull an image from a shared container registry in Tenant B. To create a service principal that can authenticate with a container registry in a cross-tenant scenario: |
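Review bot: the renamed cross-tenant sentence now reads "pulling images from a container registry in one Microsoft Entra ID (tenant) to a service or app in another", which puts the directory product name where a tenant is meant; the parenthetical was a gloss on "Azure Active Directory" and no longer fits. Suggest "in one Microsoft Entra tenant to a service or app in another", matching the "different Microsoft Entra tenant" wording used in the image-import changes of this same batch. The `#individual-login-with-azure-ad` fragment kept in the "individual access" link only stays valid because the authentication article gains an explicit `<a name='individual-login-with-azure-ad'></a>` anchor, so that change should land together with this one.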
container-registry | Container Registry Authentication Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-authentication-managed-identity.md | If you're not familiar with the managed identities for Azure resources feature, After you set up selected Azure resources with a managed identity, give the identity the access you want to another resource, just like any security principal. For example, assign a managed identity a role with pull, push and pull, or other permissions to a private registry in Azure. (For a complete list of registry roles, see [Azure Container Registry roles and permissions](container-registry-roles.md).) You can give an identity access to one or more resources. -Then, use the identity to authenticate to any [service that supports Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication), without any credentials in your code. Choose how to authenticate using the managed identity, depending on your scenario. To use the identity to access an Azure container registry from a virtual machine, you authenticate with Azure Resource Manager. +Then, use the identity to authenticate to any [service that supports Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication), without any credentials in your code. Choose how to authenticate using the managed identity, depending on your scenario. To use the identity to access an Azure container registry from a virtual machine, you authenticate with Azure Resource Manager. ## Create a container registry |
container-registry | Container Registry Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-authentication.md | Title: Registry authentication options -description: Authentication options for a private Azure container registry, including signing in with an Azure Active Directory identity, using service principals, and using optional admin credentials. +description: Authentication options for a private Azure container registry, including signing in with a Microsoft Entra identity, using service principals, and using optional admin credentials. There are several ways to authenticate with an Azure container registry, each of Recommended ways include: * Authenticate to a registry directly via [individual login](#individual-login-with-azure-ad)-* Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) [service principal](#service-principal) +* Applications and container orchestrators can perform unattended, or "headless," authentication by using a Microsoft Entra [service principal](#service-principal) If you use a container registry with Azure Kubernetes Service (AKS) or another Kubernetes cluster, see [Scenarios to authenticate with Azure Container Registry from Kubernetes](authenticate-kubernetes-options.md). 
The following table lists available authentication methods and typical scenarios | [Admin user](#admin-account)  | `docker login`  | Interactive push/pull by individual developer or tester<br/><br/>Portal deployment of image from registry to Azure App Service or Azure Container Instances | No, always pull and push access  | Single account per registry, not recommended for multiple users  | | [Repository-scoped access token](container-registry-repository-scoped-permissions.md)  | `docker login`<br/><br/>`az acr login` in Azure CLI<br/><br/> `Connect-AzContainerRegistry` in Azure PowerShell<br/><br/> [Kubernetes pull secret](container-registry-auth-kubernetes.md)  | Interactive push/pull to repository by individual developer or tester<br/><br/> Unattended pull from repository by individual system or external device  | Yes  | Not currently integrated with AD identity  | -## Individual login with Azure AD +<a name='individual-login-with-azure-ad'></a> ++## Individual login with Microsoft Entra ID ### [Azure CLI](#tab/azure-cli) az login az acr login --name <acrName> ``` -When you log in with `az acr login`, the CLI uses the token created when you executed `az login` to seamlessly authenticate your session with your registry. To complete the authentication flow, the Docker CLI and Docker daemon must be installed and running in your environment. `az acr login` uses the Docker client to set an Azure Active Directory token in the `docker.config` file. Once you've logged in this way, your credentials are cached, and subsequent `docker` commands in your session do not require a username or password. +When you log in with `az acr login`, the CLI uses the token created when you executed `az login` to seamlessly authenticate your session with your registry. To complete the authentication flow, the Docker CLI and Docker daemon must be installed and running in your environment. `az acr login` uses the Docker client to set a Microsoft Entra token in the `docker.config` file. 
Once you've logged in this way, your credentials are cached, and subsequent `docker` commands in your session do not require a username or password. > [!TIP] > Also use `az acr login` to authenticate an individual identity when you want to push or pull artifacts other than Docker images to your registry, such as [OCI artifacts](container-registry-oci-artifacts.md). For registry access, the token used by `az acr login` is valid for **3 hours**, so we recommend that you always log in to the registry before running a `docker` command. If your token expires, you can refresh it by using the `az acr login` command again to reauthenticate. -Using `az acr login` with Azure identities provides [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). For some scenarios, you may want to log in to a registry with your own individual identity in Azure AD, or configure other Azure users with specific [Azure roles and permissions](container-registry-roles.md). For cross-service scenarios or to handle the needs of a workgroup or a development workflow where you don't want to manage individual access, you can also log in with a [managed identity for Azure resources](container-registry-authentication-managed-identity.md). +Using `az acr login` with Azure identities provides [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). For some scenarios, you may want to log in to a registry with your own individual identity in Microsoft Entra ID, or configure other Azure users with specific [Azure roles and permissions](container-registry-roles.md). For cross-service scenarios or to handle the needs of a workgroup or a development workflow where you don't want to manage individual access, you can also log in with a [managed identity for Azure resources](container-registry-authentication-managed-identity.md). 
### az acr login with --expose-token Connect-AzAccount Connect-AzContainerRegistry -Name <acrName> ``` -When you log in with `Connect-AzContainerRegistry`, PowerShell uses the token created when you executed `Connect-AzAccount` to seamlessly authenticate your session with your registry. To complete the authentication flow, the Docker CLI and Docker daemon must be installed and running in your environment. `Connect-AzContainerRegistry` uses the Docker client to set an Azure Active Directory token in the `docker.config` file. Once you've logged in this way, your credentials are cached, and subsequent `docker` commands in your session do not require a username or password. +When you log in with `Connect-AzContainerRegistry`, PowerShell uses the token created when you executed `Connect-AzAccount` to seamlessly authenticate your session with your registry. To complete the authentication flow, the Docker CLI and Docker daemon must be installed and running in your environment. `Connect-AzContainerRegistry` uses the Docker client to set a Microsoft Entra token in the `docker.config` file. Once you've logged in this way, your credentials are cached, and subsequent `docker` commands in your session do not require a username or password. > [!TIP] > Also use `Connect-AzContainerRegistry` to authenticate an individual identity when you want to push or pull artifacts other than Docker images to your registry, such as [OCI artifacts](container-registry-oci-artifacts.md). For registry access, the token used by `Connect-AzContainerRegistry` is valid for **3 hours**, so we recommend that you always log in to the registry before running a `docker` command. If your token expires, you can refresh it by using the `Connect-AzContainerRegistry` command again to reauthenticate. -Using `Connect-AzContainerRegistry` with Azure identities provides [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). 
For some scenarios, you may want to log in to a registry with your own individual identity in Azure AD, or configure other Azure users with specific [Azure roles and permissions](container-registry-roles.md). For cross-service scenarios or to handle the needs of a workgroup or a development workflow where you don't want to manage individual access, you can also log in with a [managed identity for Azure resources](container-registry-authentication-managed-identity.md). +Using `Connect-AzContainerRegistry` with Azure identities provides [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). For some scenarios, you may want to log in to a registry with your own individual identity in Microsoft Entra ID, or configure other Azure users with specific [Azure roles and permissions](container-registry-roles.md). For cross-service scenarios or to handle the needs of a workgroup or a development workflow where you don't want to manage individual access, you can also log in with a [managed identity for Azure resources](container-registry-authentication-managed-identity.md). |
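Review bot: the authentication-methods table still says "Not currently integrated with AD identity" for repository-scoped access tokens while the rest of the article is renamed; suggest "Not currently integrated with a Microsoft Entra identity". Adding `<a name='individual-login-with-azure-ad'></a>` ahead of the renamed heading is the right call, since the Helm, OCI artifacts, ORAS, SKU and troubleshooting rows in this batch all keep linking to that fragment.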
container-registry | Container Registry Content Trust | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-content-trust.md | docker build --disable-content-trust -t myacr.azurecr.io/myimage:v1 . ## Grant image signing permissions -Only the users or systems you've granted permission can push trusted images to your registry. To grant trusted image push permission to a user (or a system using a service principal), grant their Azure Active Directory identities the `AcrImageSigner` role. This is in addition to the `AcrPush` (or equivalent) role required for pushing images to the registry. For details, see [Azure Container Registry roles and permissions](container-registry-roles.md). +Only the users or systems you've granted permission can push trusted images to your registry. To grant trusted image push permission to a user (or a system using a service principal), grant their Microsoft Entra identities the `AcrImageSigner` role. This is in addition to the `AcrPush` (or equivalent) role required for pushing images to the registry. For details, see [Azure Container Registry roles and permissions](container-registry-roles.md). > [!IMPORTANT] > You can't grant trusted image push permission to the following administrative accounts: > * the [admin account](container-registry-authentication.md#admin-account) of an Azure container registry-> * a user account in Azure Active Directory with the [classic system administrator role](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> * a user account in Microsoft Entra ID with the [classic system administrator role](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). 
> [!NOTE] > Starting July 2021, the `AcrImageSigner` role includes both the `Microsoft.ContainerRegistry/registries/sign/write` action and the `Microsoft.ContainerRegistry/registries/trustedCollections/write` data action. |
container-registry | Container Registry Enable Conditional Access Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-enable-conditional-access-policy.md | Create a Conditional Access policy and assign your test group of users as follow 1. Sign in to the [Azure portal](https://portal.azure.com) by using an account with *global administrator* permissions. - 1. Search for and select **Azure Active Directory**. Then select **Security** from the menu on the left-hand side. + 1. Search for and select **Microsoft Entra ID**. Then select **Security** from the menu on the left-hand side. 1. Select **Conditional Access**, select **+ New policy**, and then select **Create new policy**. |
container-registry | Container Registry Health Error Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-health-error-reference.md | This error means that the challenge endpoint of the target registry did not issu ## CONNECTIVITY_AAD_LOGIN_ERROR -This error means that the challenge endpoint of the target registry issued a challenge, but the registry does not support Azure Active Directory authentication. +This error means that the challenge endpoint of the target registry issued a challenge, but the registry does not support Microsoft Entra authentication. -*Potential solutions*: Try a different way to authenticate, for example, with admin credentials. If users need to authenticate using Azure Active Directory, open an issue at https://aka.ms/acr/issues. +*Potential solutions*: Try a different way to authenticate, for example, with admin credentials. If users need to authenticate using Microsoft Entra ID, open an issue at https://aka.ms/acr/issues. ## CONNECTIVITY_REFRESH_TOKEN_ERROR |
container-registry | Container Registry Helm Repos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-helm-repos.md | Successfully packaged chart and saved it to: /my/path/hello-world-0.1.0.tgz Run `helm registry login` to authenticate with the registry. You may pass [registry credentials](container-registry-authentication.md) appropriate for your scenario, such as service principal credentials, user identity, or a repository-scoped token. -- Authenticate with an Azure Active Directory [service principal with pull and push permissions](container-registry-auth-service-principal.md#create-a-service-principal) (AcrPush role) to the registry.+- Authenticate with a Microsoft Entra [service principal with pull and push permissions](container-registry-auth-service-principal.md#create-a-service-principal) (AcrPush role) to the registry. ```azurecli SERVICE_PRINCIPAL_NAME=<acr-helm-sp> ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv) Run `helm registry login` to authenticate with the registry. You may pass [regi --query "password" --output tsv) USER_NAME=$(az identity show -n $SERVICE_PRINCIPAL_NAME -g $RESOURCE_GROUP_NAME --subscription $SUBSCRIPTION_ID --query "clientId" -o tsv) ```-- Authenticate with your [individual Azure AD identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) to push and pull Helm charts using an AD token.+- Authenticate with your [individual Microsoft Entra identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) to push and pull Helm charts using an AD token. ```azurecli USER_NAME="00000000-0000-0000-0000-000000000000" PASSWORD=$(az acr login --name $ACR_NAME --expose-token --output tsv --query accessToken) |
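Review bot: the plus line "to push and pull Helm charts using an AD token" keeps the old abbreviation while the link text in the same sentence was renamed; suggest "using a Microsoft Entra token", consistent with "set a Microsoft Entra token in the `docker.config` file" in the authentication article's changes. The `?tabs=azure-cli#individual-login-with-azure-ad` target remains correct only while the explicit anchor added in that article is kept.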
container-registry | Container Registry Import Images | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-import-images.md | Import-AzContainerRegistryImage -RegistryName myregistry -ResourceGroupName myRe ## Import from an Azure container registry in the same AD tenant -You can import an image from an Azure container registry in the same AD tenant using integrated Azure Active Directory permissions. +You can import an image from an Azure container registry in the same AD tenant using integrated Microsoft Entra permissions. -* Your identity must have Azure Active Directory permissions to read from the source registry (Reader role) and to import to the target registry (Contributor role, or a [custom role](container-registry-roles.md#custom-roles) that allows the importImage action). +* Your identity must have Microsoft Entra permissions to read from the source registry (Reader role) and to import to the target registry (Contributor role, or a [custom role](container-registry-roles.md#custom-roles) that allows the importImage action). * The registry can be in the same or a different Azure subscription in the same Active Directory tenant. Import-AzContainerRegistryImage -RegistryName myregistry -ResourceGroupName myRe ## Import from an Azure container registry in a different AD tenant -To import from an Azure container registry in a different Azure Active Directory tenant, specify the source registry by login server name, and provide credentials that enable pull access to the registry. +To import from an Azure container registry in a different Microsoft Entra tenant, specify the source registry by login server name, and provide credentials that enable pull access to the registry. 
### Cross-tenant import with username and password In this article, you learned about importing container images to an Azure contai -* Image import can help you move content to a container registry in a different Azure region, subscription, or Azure AD tenant. For more information, see [Manually move a container registry to another region](manual-regional-move.md). +* Image import can help you move content to a container registry in a different Azure region, subscription, or Microsoft Entra tenant. For more information, see [Manually move a container registry to another region](manual-regional-move.md). * Learn how to [disable artifact export](data-loss-prevention.md) from a network-restricted container registry. |
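Review bot: the headings "Import from an Azure container registry in the same AD tenant" and "... in a different AD tenant", plus the bullet "in the same Active Directory tenant", are left unchanged while the paragraphs under them now say "Microsoft Entra", so one section ends up with three names for the same thing. Suggest renaming the headings and the bullet to "Microsoft Entra tenant" and, if anything links to the old heading ids, preserving them with an explicit `<a name=...>` anchor the way the authentication article does.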
container-registry | Container Registry Intro | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-intro.md | Azure provides tooling including the Azure CLI, the Azure portal, and API suppor ## Key features -* **Registry service tiers** - Create one or more container registries in your Azure subscription. Registries are available in three tiers: [Basic, Standard, and Premium](container-registry-skus.md), each of which supports webhook integration, registry authentication with Azure Active Directory, and delete functionality. Take advantage of local, network-close storage of your container images by creating a registry in the same Azure location as your deployments. Use the [geo-replication](container-registry-geo-replication.md) feature of Premium registries for advanced replication and container image distribution scenarios. +* **Registry service tiers** - Create one or more container registries in your Azure subscription. Registries are available in three tiers: [Basic, Standard, and Premium](container-registry-skus.md), each of which supports webhook integration, registry authentication with Microsoft Entra ID, and delete functionality. Take advantage of local, network-close storage of your container images by creating a registry in the same Azure location as your deployments. Use the [geo-replication](container-registry-geo-replication.md) feature of Premium registries for advanced replication and container image distribution scenarios. * **Security and access** - You log in to a registry using the Azure CLI or the standard `docker login` command. Azure Container Registry transfers container images over HTTPS, and supports TLS to secure client connections. > [!IMPORTANT] > Starting January 13, 2020, Azure Container Registry will require all secure connections from servers and applications to use TLS 1.2. Enable TLS 1.2 by using any recent docker client (version 18.03.0 or later). 
Support for TLS 1.0 and 1.1 will be retired. - You [control access](container-registry-authentication.md) to a container registry using an Azure identity, an Azure Active Directory-backed [service principal](../active-directory/develop/app-objects-and-service-principals.md), or a provided admin account. Use Azure role-based access control (Azure RBAC) to assign users or systems fine-grained permissions to a registry. + You [control access](container-registry-authentication.md) to a container registry using an Azure identity, a Microsoft Entra ID-backed [service principal](../active-directory/develop/app-objects-and-service-principals.md), or a provided admin account. Use Azure role-based access control (Azure RBAC) to assign users or systems fine-grained permissions to a registry. Security features of the Premium service tier include [content trust](container-registry-content-trust.md) for image tag signing, and [firewalls and virtual networks (preview)](container-registry-vnet.md) to restrict access to the registry. Microsoft Defender for Cloud optionally integrates with Azure Container Registry to [scan images](../security-center/defender-for-container-registries-introduction.md?bc=%2fazure%2fcontainer-registry%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fcontainer-registry%2ftoc.json) whenever an image is pushed to a registry. |
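Review bot: "a Microsoft Entra ID-backed [service principal]" hyphenates the product name awkwardly; "a [service principal] backed by Microsoft Entra ID" or "a Microsoft Entra [service principal]" (the form used in the service principal article's changes) reads better and keeps the link intact.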
container-registry | Container Registry Oci Artifacts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-oci-artifacts.md | REGISTRY=$ACR_NAME.azurecr.io ## Sign in to a registry -Authenticate with your [individual Azure AD identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) using an AD token. Always use "000..." for the `USER_NAME` as the token is parsed through the `PASSWORD` variable. +Authenticate with your [individual Microsoft Entra identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) using an AD token. Always use "000..." for the `USER_NAME` as the token is parsed through the `PASSWORD` variable. ```azurecli # Login to Azure |
container-registry | Container Registry Oras Artifacts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-oras-artifacts.md | TAG=v1 IMAGE=$REGISTRY/${REPO}:$TAG ``` -Authenticate with your [individual Azure AD identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) using an AD token. Always use "000..." for the `USER_NAME` as the token is parsed through the `PASSWORD` variable. +Authenticate with your [individual Microsoft Entra identity](container-registry-authentication.md?tabs=azure-cli#individual-login-with-azure-ad) using an AD token. Always use "000..." for the `USER_NAME` as the token is parsed through the `PASSWORD` variable. ```azurecli # Login to Azure |
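Review bot: both the OCI artifacts and ORAS artifacts rows leave "using an AD token" in the plus line after renaming "Azure AD identity" to "Microsoft Entra identity" in the same sentence; suggest "using a Microsoft Entra token" in both. The unchanged instruction to use "000..." for `USER_NAME` with the token passed as `PASSWORD` matches the `USER_NAME="00000000-0000-0000-0000-000000000000"` / `az acr login --expose-token` pattern shown in the Helm row, so only the wording needs attention.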
container-registry | Container Registry Repository Scoped Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-repository-scoped-permissions.md | This feature is available in all the service tiers. For information about regist ## Limitations -* You can't currently assign repository-scoped permissions to an Azure Active Directory identity, such as a service principal or managed identity. +* You can't currently assign repository-scoped permissions to a Microsoft Entra identity, such as a service principal or managed identity. ## Concepts In the portal, select the token in the **Tokens** screen, and select **Discard** ## Next steps * To manage scope maps and tokens, use additional commands in the [az acr scope-map][az-acr-scope-map] and [az acr token][az-acr-token] command groups.-* See the [authentication overview](container-registry-authentication.md) for other options to authenticate with an Azure container registry, including using an Azure Active Directory identity, a service principal, or an admin account. +* See the [authentication overview](container-registry-authentication.md) for other options to authenticate with an Azure container registry, including using a Microsoft Entra identity, a service principal, or an admin account. * Learn about [connected registries](intro-connected-registry.md) and using tokens for [access](overview-connected-registry-access.md). <!-- LINKS - External --> |
container-registry | Container Registry Skus | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-skus.md | Azure Container Registry is available in multiple service tiers (also known as S | Tier | Description | | | -- |-| **Basic** | A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries have the same programmatic capabilities as Standard and Premium (such as Azure Active Directory [authentication integration](container-registry-authentication.md#individual-login-with-azure-ad), [image deletion][container-registry-delete], and [webhooks][container-registry-webhook]). However, the included storage and image throughput are most appropriate for lower usage scenarios. | +| **Basic** | A cost-optimized entry point for developers learning about Azure Container Registry. Basic registries have the same programmatic capabilities as Standard and Premium (such as Microsoft Entra [authentication integration](container-registry-authentication.md#individual-login-with-azure-ad), [image deletion][container-registry-delete], and [webhooks][container-registry-webhook]). However, the included storage and image throughput are most appropriate for lower usage scenarios. | | **Standard** | Standard registries offer the same capabilities as Basic, with increased included storage and image throughput. Standard registries should satisfy the needs of most production scenarios. | | **Premium** | Premium registries provide the highest amount of included storage and concurrent operations, enabling high-volume scenarios. In addition to higher image throughput, Premium adds features such as [geo-replication][container-registry-geo-replication] for managing a single registry across multiple regions, [content trust](container-registry-content-trust.md) for image tag signing, [private link with private endpoints](container-registry-private-link.md) to restrict access to the registry. | |
container-registry | Container Registry Tasks Authentication Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-tasks-authentication-managed-identity.md | For illustration purposes, the example commands in this article use [az acr task ## Why use a managed identity? -A managed identity for Azure resources provides selected Azure services with an automatically managed identity in Azure Active Directory. You can configure an ACR task with a managed identity so that the task can access other secured Azure resources, without passing credentials in the task steps. +A managed identity for Azure resources provides selected Azure services with an automatically managed identity in Microsoft Entra ID. You can configure an ACR task with a managed identity so that the task can access other secured Azure resources, without passing credentials in the task steps. Managed identities are of two types: |
container-registry | Container Registry Troubleshoot Login | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/container-registry-troubleshoot-login.md | May include one or more of the following: ## Further diagnosis -Run the [az acr check-health](/cli/azure/acr#az-acr-check-health) command to get more information about the health of the registry environment and optionally access to a target registry. For example, diagnose Docker configuration errors or Azure Active Directory login problems. +Run the [az acr check-health](/cli/azure/acr#az-acr-check-health) command to get more information about the health of the registry environment and optionally access to a target registry. For example, diagnose Docker configuration errors or Microsoft Entra login problems. See [Check the health of an Azure container registry](container-registry-check-health.md) for command examples. If errors are reported, review the [error reference](container-registry-health-error-reference.md) and the following sections for recommended solutions. When using `docker login`, provide the full login server name of the registry, s docker login myregistry.azurecr.io ``` -When using [az acr login](/cli/azure/acr#az-acr-login) with an Azure Active Directory identity, first [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli), and then specify the Azure resource name of the registry. The resource name is the name provided when the registry was created, such as *myregistry* (without a domain suffix). Example: +When using [az acr login](/cli/azure/acr#az-acr-login) with a Microsoft Entra identity, first [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli), and then specify the Azure resource name of the registry. The resource name is the name provided when the registry was created, such as *myregistry* (without a domain suffix). 
Example: ```azurecli az acr login --name myregistry Check the validity of the credentials you use for your scenario, or were provide Related links: * [Authentication overview](container-registry-authentication.md#authentication-options)-* [Individual login with Azure AD](container-registry-authentication.md#individual-login-with-azure-ad) +* [Individual login with Microsoft Entra ID](container-registry-authentication.md#individual-login-with-azure-ad) * [Login with service principal](container-registry-auth-service-principal.md) * [Login with managed identity](container-registry-authentication-managed-identity.md) * [Login with repository-scoped token](container-registry-repository-scoped-permissions.md) * [Login with admin account](container-registry-authentication.md#admin-account)-* [Azure AD authentication and authorization error codes](../active-directory/develop/reference-aadsts-error-codes.md) +* [Microsoft Entra authentication and authorization error codes](../active-directory/develop/reference-aadsts-error-codes.md) * [az acr login](/cli/azure/acr#az-acr-login) reference ### Confirm credentials are authorized to access registry Related links: * [Azure roles and permissions - Azure Container Registry](container-registry-roles.md) * [Login with repository-scoped token](container-registry-repository-scoped-permissions.md) * [Add or remove Azure role assignments using the Azure portal](../role-based-access-control/role-assignments-portal.md)-* [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md) +* [Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md) * [Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret)-* [Azure AD authentication and 
authorization codes](../active-directory/develop/reference-aadsts-error-codes.md) +* [Microsoft Entra authentication and authorization codes](../active-directory/develop/reference-aadsts-error-codes.md) ### Check that credentials aren't expired Related links: * [Reset service principal credentials](/cli/azure/ad/sp/credential#az-ad-sp-credential-reset) * [Regenerate token passwords](container-registry-repository-scoped-permissions.md#regenerate-token-passwords)-* [Individual login with Azure AD](container-registry-authentication.md#individual-login-with-azure-ad) +* [Individual login with Microsoft Entra ID](container-registry-authentication.md#individual-login-with-azure-ad) ## Advanced troubleshooting |
container-registry | Quickstart Client Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/quickstart-client-libraries.md | dotnet add package Azure.Containers.ContainerRegistry --prerelease ## Authenticate the client -For your application to connect to your registry, you'll need to create a `ContainerRegistryClient` that can authenticate with it. Use the [Azure Identity library][dotnet_identity] to add Azure Active Directory support for authenticating Azure SDK clients with their corresponding Azure services. +For your application to connect to your registry, you'll need to create a `ContainerRegistryClient` that can authenticate with it. Use the [Azure Identity library][dotnet_identity] to add Microsoft Entra ID support for authenticating Azure SDK clients with their corresponding Azure services. When you're developing and debugging your application locally, you can use your own user to authenticate with your registry. One way to accomplish this is to [authenticate your user with the Azure CLI](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity#authenticating-via-the-azure-cli) and run your application from this environment. If your application is using a client that has been constructed to authenticate with `DefaultAzureCredential`, it will correctly authenticate with the registry at the specified endpoint. ContainerRegistryClient client = new ContainerRegistryClient(endpoint, new Defau See the [Azure Identity README][dotnet_identity] for more approaches to authenticating with `DefaultAzureCredential`, both locally and in deployment environments. To connect to registries in non-public Azure clouds, see the [API reference][dotnet_docs]. -For more information on using Azure AD with Azure Container Registry, see the [authentication overview](container-registry-authentication.md). 
+For more information on using Microsoft Entra ID with Azure Container Registry, see the [authentication overview](container-registry-authentication.md). ## Examples await foreach (string repositoryName in repositoryNames) ## Authenticate the client -The [Azure Identity library][java_identity] provides Azure Active Directory support for authentication. +The [Azure Identity library][java_identity] provides Microsoft Entra ID support for authentication. The following samples assume you have a registry endpoint string containing the `https://` prefix and the name of the login server, for example "https://myregistry.azurecr.io". ContainerRegistryAsyncClient client = new ContainerRegistryClientBuilder() .buildAsyncClient(); ``` -For more information on using Azure AD with Azure Container Registry, see the [authentication overview](container-registry-authentication.md). +For more information on using Microsoft Entra ID with Azure Container Registry, see the [authentication overview](container-registry-authentication.md). ## Examples npm install @azure/container-registry ## Authenticate the client -The [Azure Identity library][javascript_identity] provides Azure Active Directory support for authentication. +The [Azure Identity library][javascript_identity] provides Microsoft Entra ID support for authentication. ```javascript const { ContainerRegistryClient } = require("@azure/container-registry"); const endpoint = process.env.CONTAINER_REGISTRY_ENDPOINT; const client = new ContainerRegistryClient(endpoint, new DefaultAzureCredential()); ``` -For more information on using Azure AD with Azure Container Registry, see the [authentication overview](container-registry-authentication.md). +For more information on using Microsoft Entra ID with Azure Container Registry, see the [authentication overview](container-registry-authentication.md). 
## Examples pip install --pre azure-containerregistry ## Authenticate the client -The [Azure Identity library][python_identity] provides Azure Active Directory support for authentication. The `DefaultAzureCredential` assumes the `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_SECRET` environment variables are set. For more information, see [Azure Identity environment variables](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity#environment-variables). +The [Azure Identity library][python_identity] provides Microsoft Entra ID support for authentication. The `DefaultAzureCredential` assumes the `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_SECRET` environment variables are set. For more information, see [Azure Identity environment variables](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity#environment-variables). ```python # Create a ContainerRegistryClient that will authenticate through Active Directory |
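Review bot: The `# Create a ContainerRegistryClient that will authenticate through Active Directory` comment in the Python snippet of the "Authenticate the client" hunk still says Active Directory after the prose above it was renamed to Microsoft Entra ID; update the comment in the same change so the code sample and the text agree.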
cosmos-db | Analytical Store Private Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/analytical-store-private-endpoints.md | To configure network isolation for this account from a Synapse workspace: ``` > [!NOTE]- > Azure Cosmos DB account and Azure Synapse Analytics workspace should be under same Azure Active Directory (AD) tenant. + > Azure Cosmos DB account and Azure Synapse Analytics workspace should be under same Microsoft Entra tenant. 2. You can now access the account from serverless SQL pools, using T-SQL queries over Azure Synapse Link. However, to ensure network isolation for the data in analytical store, you must add an **analytical** managed private endpoint for this account. Otherwise, the data in the analytical store will not be blocked from public access. |
cosmos-db | Cmk Troubleshooting Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cmk-troubleshooting-guide.md | Another option is to create a new identity with [the expected permission](./how- After assigning the permissions, wait upwards to one hour for the account to stop being in revoke state. If the issue isn't resolved after more than two hours, contact customer service. -## Azure Active Directory Token Acquisition error +<a name='azure-active-directory-token-acquisition-error'></a> ++## Microsoft Entra Token Acquisition error ### Reason for error? -You see this error when Azure Cosmos DB is unable to obtain the default's identity Microsoft Azure Active Directory access token. The token is used for communicating with the Azure Key Vault in order to wrap and unwrap the data encryption key. +You see this error when Azure Cosmos DB is unable to obtain the default's identity Microsoft Entra access token. The token is used for communicating with the Azure Key Vault in order to wrap and unwrap the data encryption key. ### Troubleshooting |
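Review bot: In the "Reason for error?" hunk, the renamed sentence "unable to obtain the default's identity Microsoft Entra access token" misplaces the possessive; suggest "unable to obtain the default identity's Microsoft Entra access token".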
cosmos-db | Concepts Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/concepts-limits.md | Depending on the current RU/s provisioned and resource settings, each resource c | | | | Maximum RU/s per container | 20,000* | | Maximum storage across all items per (logical) partition | 20 GB |-| Maximum storage per container (API for NoSQL, MongoDB, Table, and Gremlin)| 1 TB | -| Maximum storage per container (API for Cassandra)| 1 TB | +| Maximum storage per container | 1 TB | *Maximum RU/sec availability is dependent on data stored in the container. See, [Serverless Performance](serverless-performance.md) Here's a list of limits per account. | Resource | Limit | | | |-| Maximum number of databases and containers per account | 100¹ | +| Maximum number of databases and containers per account | 500 | | Maximum number of regions | 1 (Any Azure region) | -¹ You can increase any of these per-account limits by creating an [Azure Support request](create-support-request-quota-increase.md). - ## Per-container limits Depending on which API you use, an Azure Cosmos DB container can represent either a collection, a table, or graph. Containers support configurations for [unique key constraints](unique-keys.md), [stored procedures, triggers, and UDFs](stored-procedures-triggers-udfs.md), and [indexing policy](how-to-manage-indexing-policy.md). The following table lists the limits specific to configurations within a container. |
cosmos-db | Continuous Backup Restore Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/continuous-backup-restore-permissions.md | This operation is currently not supported. ## <a id="custom-restorable-action"></a>Custom role creation for restore action with CLI -The subscription owner can provide the permission to restore to any other Azure AD identity. The restore permission is based on the action: `Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action`, and it should be included in their restore permission. There is a built-in role called *CosmosRestoreOperator* that has this role included. You can either assign the permission using this built-in role or create a custom role. +The subscription owner can provide the permission to restore to any other Microsoft Entra identity. The restore permission is based on the action: `Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action`, and it should be included in their restore permission. There is a built-in role called *CosmosRestoreOperator* that has this role included. You can either assign the permission using this built-in role or create a custom role. The RestorableAction below represents a custom role. You have to explicitly create this role. The following JSON template creates a custom role *RestorableAction* with restore permission: |
cosmos-db | Data Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/data-explorer.md | To open Azure Cosmos DB Explorer from the Azure portal: Currently, viewing documents that contain a UUID isn't supported in Data Explorer. This limitation doesn't affect loading collections, only viewing individual documents or queries that include these documents. To view and manage these documents, users should continue to use the tool that was originally used to create these documents. -Customers receiving HTTP-401 errors may be due to insufficient Azure RBAC permissions for your Azure account, particularly if the account has a custom role. Any custom roles must have `Microsoft.DocumentDB/databaseAccounts/listKeys/*` action to use Data Explorer if signing in using their Azure Active Directory credentials. +Customers receiving HTTP-401 errors may be due to insufficient Azure RBAC permissions for your Azure account, particularly if the account has a custom role. Any custom roles must have `Microsoft.DocumentDB/databaseAccounts/listKeys/*` action to use Data Explorer if signing in using their Microsoft Entra credentials. ## Next steps |
cosmos-db | How To Always Encrypted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-always-encrypted.md | The first step to get started with Always Encrypted is to create your CMKs in Az 1. Create a new key in the **Keys** section. 1. Once the key is created, browse to its current version, and copy its full key identifier:<br>`https://<my-key-vault>.vault.azure.net/keys/<key>/<version>`. If you omit the key version at the end of the key identifier, the latest version of the key is used. -Next, you need to configure how the Azure Cosmos DB SDK will access your Azure Key Vault instance. This authentication is done through an Azure Active Directory (AD) identity. Most likely, you'll use the identity of an Azure AD application or a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the proxy between your client code and your Azure Key Vault instance, although any kind of identity could be used. Use the following steps to use your Azure AD identity as the proxy: +Next, you need to configure how the Azure Cosmos DB SDK will access your Azure Key Vault instance. This authentication is done through a Microsoft Entra identity. Most likely, you'll use the identity of a Microsoft Entra application or a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the proxy between your client code and your Azure Key Vault instance, although any kind of identity could be used. Use the following steps to use your Microsoft Entra identity as the proxy: 1. From your Azure Key Vault instance, browse to the **Access policies** section, and add a new policy: 1. In **Key permissions**, select **Get**, **List**, **Unwrap Key**, **Wrap Key**, **Verify** and **Sign**.- 1. In **Select principal**, search for your Azure AD identity. + 1. In **Select principal**, search for your Microsoft Entra identity. 
### Protect your CMK from accidental deletion If you're using an existing Azure Key Vault instance, you can verify that these To use Always Encrypted, an instance of a `KeyResolver` must be attached to your Azure Cosmos DB SDK instance. This class, defined in the `Azure.Security.KeyVault.Keys.Cryptography` namespace, is used to interact with the key store hosting your CMKs. -The following snippets use the `DefaultAzureCredential` class to retrieve the Azure AD identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/dotnet/api/overview/azure/identity-readme#credential-classes). +The following snippets use the `DefaultAzureCredential` class to retrieve the Microsoft Entra identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/dotnet/api/overview/azure/identity-readme#credential-classes). > [!NOTE] > You will need the additional [Azure.Identity package](https://www.nuget.org/packages/Azure.Identity/) to access the `TokenCredential` classes. var client = new CosmosClient("<connection-string>") To use Always Encrypted, an instance of a `KeyEncryptionKeyClientBuilder` must be attached to your Azure Cosmos DB SDK instance. This class, defined in the `com.azure.security.keyvault.keys.cryptography` namespace, is used to interact with the key store hosting your CMKs. -The following snippets use the `DefaultAzureCredential` class to retrieve the Azure AD identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/java/api/overview/azure/identity-readme#credential-classes). +The following snippets use the `DefaultAzureCredential` class to retrieve the Microsoft Entra identity to use when accessing your Azure Key Vault instance. 
You can find examples of creating different kinds of `TokenCredential` classes [here](/java/api/overview/azure/identity-readme#credential-classes). ```java TokenCredential tokenCredential = new DefaultAzureCredentialBuilder() |
cosmos-db | How To Restrict User Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-restrict-user-data.md | +- using your Microsoft Entra identity when interacting with the Azure portal, - using Azure Cosmos DB [keys](database-security.md#primary-keys) or [resource tokens](secure-access-to-data.md#resource-tokens) when issuing calls from APIs and SDKs. Each authentication method gives access to different sets of operations, with some overlap: Each authentication method gives access to different sets of operations, with so In some scenarios, you may want to restrict some users of your organization to perform data operations (that is CRUD requests and queries) only. This is typically the case for developers who don't need to create or delete resources, or change the provisioned throughput of the containers they are working on. You can restrict the access by applying the following steps:-1. Creating a custom Azure Active Directory role for the users whom you want to restrict access. The custom Active Directory role should have fine-grained access level to operations using Azure Cosmos DB's [granular actions](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb). +1. Creating a custom Microsoft Entra role for the users whom you want to restrict access. The custom Active Directory role should have fine-grained access level to operations using Azure Cosmos DB's [granular actions](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb). 1. Disallowing the execution of non-data operations with keys. You can achieve this by restricting these operations to Azure Resource Manager calls only. The next sections of this article show how to perform these steps. 
Login-AzAccount Select-AzSubscription $MySubscriptionId ``` -## Create the custom Azure Active Directory role +<a name='create-the-custom-azure-active-directory-role'></a> -The following script creates an Azure Active Directory role assignment with "Key Only" access for Azure Cosmos DB accounts. The role is based on [Azure custom roles](../role-based-access-control/custom-roles.md) and [Granular actions for Azure Cosmos DB](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb). These roles and actions are part of the `Microsoft.DocumentDB` Azure Active Directory namespace. +## Create the custom Microsoft Entra role ++The following script creates a Microsoft Entra role assignment with "Key Only" access for Azure Cosmos DB accounts. The role is based on [Azure custom roles](../role-based-access-control/custom-roles.md) and [Granular actions for Azure Cosmos DB](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb). These roles and actions are part of the `Microsoft.DocumentDB` Microsoft Entra namespace. 1. First, create a JSON document named `AzureCosmosKeyOnlyAccess.json` with the following content: |
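Review bot: The rename in the "restrict the access by applying the following steps" hunk changes step 1 to "Creating a custom Microsoft Entra role" while the next sentence still reads "The custom Active Directory role should have fine-grained access level"; the two should agree, and since the linked granular actions are resource-provider operations (`resource-provider-operations.md#microsoftdocumentdb`) and the role is described further down as based on Azure custom roles, "custom Azure role" names what is actually created more accurately than either term.

Review bot: In the "Create the custom Microsoft Entra role" hunk, "part of the `Microsoft.DocumentDB` Microsoft Entra namespace" carries over the original's mislabel: `Microsoft.DocumentDB` is the Azure resource provider namespace that the linked granular actions belong to, as the same sentence's reference to Azure custom roles indicates, so "Azure resource provider namespace" is the accurate wording.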
cosmos-db | How To Setup Cross Tenant Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-setup-cross-tenant-customer-managed-keys.md | Deploy an ARM template with the following specific parameters: | | | | | `keyVaultKeyUri` | Identifier of the customer-managed key residing in the service provider's key vault. | `https://my-vault.vault.azure.com/keys/my-key` | | `identity` | Object specifying that the managed identity should be assigned to the Azure Cosmos DB account. | `"identity":{"type":"UserAssigned","userAssignedIdentities":{"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity":{}}}` |-| `defaultIdentity` | Combination of the resource ID of the managed identity and the application ID of the multi-tenant Azure Active Directory application. | `UserAssignedIdentity=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity&FederatedClientId=11111111-1111-1111-1111-111111111111` | +| `defaultIdentity` | Combination of the resource ID of the managed identity and the application ID of the multi-tenant Microsoft Entra application. | `UserAssignedIdentity=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity&FederatedClientId=11111111-1111-1111-1111-111111111111` | Here's an example of a template segment with the three parameters configured: |
cosmos-db | How To Setup Customer Managed Keys Existing Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-setup-customer-managed-keys-existing-accounts.md | For enabling CMK on existing account that has continuous backup and point in tim -1. Configure managed identity to your cosmos account [Configure managed identities with Azure AD for your Azure Cosmos DB account](./how-to-setup-managed-identity.md) +1. Configure managed identity to your cosmos account [Configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account](./how-to-setup-managed-identity.md) 1. Update cosmos account to set default identity to point to managed identity added in previous step |
cosmos-db | How To Setup Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-setup-customer-managed-keys.md | az cosmosdb show \ ## Using a managed identity in the Azure Key Vault access policy -This access policy ensures that your encryption keys can be accessed by your Azure Cosmos DB account. The access policy is implemented by granting access to a specific Azure Active Directory (AD) identity. Two types of identities are supported: +This access policy ensures that your encryption keys can be accessed by your Azure Cosmos DB account. The access policy is implemented by granting access to a specific Microsoft Entra identity. Two types of identities are supported: - Azure Cosmos DB's first-party identity can be used to grant access to the Azure Cosmos DB service. - Your Azure Cosmos DB account's [managed identity](how-to-setup-managed-identity.md) can be used to grant access to your account specifically. Steps to assign a new managed-identity: ## Next steps - Learn more about [data encryption in Azure Cosmos DB](database-encryption-at-rest.md).- |
cosmos-db | How To Setup Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-setup-managed-identity.md | Title: Configure managed identities with Azure AD for your Azure Cosmos DB account -description: Learn how to configure managed identities with Azure Active Directory for your Azure Cosmos DB account + Title: Configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account +description: Learn how to configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account Last updated 10/15/2021 -# Configure managed identities with Azure Active Directory for your Azure Cosmos DB account +# Configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account [!INCLUDE[NoSQL, MongoDB, Cassandra, Gremlin, Table](includes/appliesto-nosql-mongodb-cassandra-gremlin-table.md)] -Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. This article shows how to create a managed identity for Azure Cosmos DB accounts. +Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. This article shows how to create a managed identity for Azure Cosmos DB accounts. ## Prerequisites |
cosmos-db | How To Setup Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/how-to-setup-rbac.md | Title: Configure role-based access control with Azure AD + Title: Configure role-based access control with Microsoft Entra ID -description: Learn how to configure role-based access control with Azure Active Directory for your Azure Cosmos DB account +description: Learn how to configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account -# Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account +# Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account [!INCLUDE[NoSQL](includes/appliesto-nosql.md)] +- Authenticate your data requests with a Microsoft Entra identity. - Authorize your data requests with a fine-grained, role-based permission model. ## Concepts The Azure Cosmos DB data plane role-based access control is built on concepts th - The [permission model](#permission-model) is composed of a set of **actions**; each of these actions maps to one or multiple database operations. Some examples of actions include reading an item, writing an item, or executing a query. - Azure Cosmos DB users create **[role definitions](#role-definitions)** containing a list of allowed actions.-- Role definitions get assigned to specific Azure AD identities through **[role assignments](#role-assignments)**. A role assignment also defines the scope that the role definition applies to; currently, three scopes are currently:+- Role definitions get assigned to specific Microsoft Entra identities through **[role assignments](#role-assignments)**. A role assignment also defines the scope that the role definition applies to; currently, three scopes are currently: - An Azure Cosmos DB account, - An Azure Cosmos DB database, - An Azure Cosmos DB container. 
The Azure Cosmos DB data plane role-based access control is built on concepts th > - Create/Replace/Delete/Read Triggers > - Create/Replace/Delete/Read User Defined Functions >-> You *cannot use any Azure Cosmos DB data plane SDK* to authenticate management operations with an Azure AD identity. Instead, you must use [Azure role-based access control](role-based-access-control.md) through one of the following options: +> You *cannot use any Azure Cosmos DB data plane SDK* to authenticate management operations with a Microsoft Entra identity. Instead, you must use [Azure role-based access control](role-based-access-control.md) through one of the following options: > > - [Azure Resource Manager templates (ARM templates)](./sql/manage-with-templates.md) > - [Azure PowerShell scripts](./sql/manage-with-powershell.md) For a reference and examples of using Azure Resource Manager templates to create ## <a id="role-assignments"></a> Create role assignments -You can associate built-in or custom role definitions with your Azure AD identities. When creating a role assignment, you need to provide: +You can associate built-in or custom role definitions with your Microsoft Entra identities. When creating a role assignment, you need to provide: - The name of your Azure Cosmos DB account. - The resource group containing your account. You can associate built-in or custom role definitions with your Azure AD identit The scope must match or be a subscope of one of the role definition's assignable scopes. > [!NOTE]-> If you want to create a role assignment for a service principal, make sure to use its **Object ID** as found in the **Enterprise applications** section of the **Azure Active Directory** portal blade. +> If you want to create a role assignment for a service principal, make sure to use its **Object ID** as found in the **Enterprise applications** section of the **Microsoft Entra ID** portal blade. 
> [!NOTE] > The operations described are available in: resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignm For a reference and examples of using Azure Resource Manager templates to create role assignments, see [``Microsoft.DocumentDB`` ``databaseAccounts/sqlRoleAssignments``](/azure/templates/microsoft.documentdb/2021-10-15/databaseaccounts/sqlroleassignments). -## Initialize the SDK with Azure AD +<a name='initialize-the-sdk-with-azure-ad'></a> -To use the Azure Cosmos DB role-based access control in your application, you have to update the way you initialize the Azure Cosmos DB SDK. Instead of passing your account's primary key, you have to pass an instance of a `TokenCredential` class. This instance provides the Azure Cosmos DB SDK with the context required to fetch an Azure AD token on behalf of the identity you wish to use. +## Initialize the SDK with Microsoft Entra ID -The way you create a `TokenCredential` instance is beyond the scope of this article. There are many ways to create such an instance depending on the type of Azure AD identity you want to use (user principal, service principal, group etc.). Most importantly, your `TokenCredential` instance must resolve to the identity (principal ID) that you've assigned your roles to. You can find examples of creating a `TokenCredential` class: +To use the Azure Cosmos DB role-based access control in your application, you have to update the way you initialize the Azure Cosmos DB SDK. Instead of passing your account's primary key, you have to pass an instance of a `TokenCredential` class. This instance provides the Azure Cosmos DB SDK with the context required to fetch a Microsoft Entra token on behalf of the identity you wish to use. ++The way you create a `TokenCredential` instance is beyond the scope of this article. There are many ways to create such an instance depending on the type of Microsoft Entra identity you want to use (user principal, service principal, group etc.). 
Most importantly, your `TokenCredential` instance must resolve to the identity (principal ID) that you've assigned your roles to. You can find examples of creating a `TokenCredential` class: - [In .NET](/dotnet/api/overview/azure/identity-readme#credential-classes) - [In Java](/java/api/overview/azure/identity-readme#credential-classes) client = CosmosClient("<account-endpoint>", aad_credentials) ## Authenticate requests on the REST API -When constructing the [REST API authorization header](/rest/api/cosmos-db/access-control-on-cosmosdb-resources), set the **type** parameter to **aad** and the hash signature **(sig)** to the **OAuth token** as shown in the following example: +When constructing the [REST API authorization header](/rest/api/cosmos-db/access-control-on-cosmosdb-resources), set the **type** parameter to **Microsoft Entra ID** and the hash signature **(sig)** to the **OAuth token** as shown in the following example: `type=aad&ver=1.0&sig=<token-from-oauth>` ## Use data explorer > [!NOTE]-> The data explorer exposed in the Azure portal does not support the Azure Cosmos DB role-based access control yet. To use your Azure AD identity when exploring your data, you must use the [Azure Cosmos DB Explorer](https://cosmos.azure.com/?feature.enableAadDataPlane=true) instead. +> The data explorer exposed in the Azure portal does not support the Azure Cosmos DB role-based access control yet. To use your Microsoft Entra identity when exploring your data, you must use the [Azure Cosmos DB Explorer](https://cosmos.azure.com/?feature.enableAadDataPlane=true) instead. 
When you access the [Azure Cosmos DB Explorer](https://cosmos.azure.com/?feature.enableAadDataPlane=true) with the specific `?feature.enableAadDataPlane=true` query parameter and sign in, the following logic is used to access your data: When you access the [Azure Cosmos DB Explorer](https://cosmos.azure.com/?feature ## Audit data requests -[Diagnostic logs](monitor-resource-logs.md) get augmented with identity and authorization information for each data operation when using Azure Cosmos DB role-based access control. This augmentation lets you perform detailed auditing and retrieve the Azure AD identity used for every data request sent to your Azure Cosmos DB account. +[Diagnostic logs](monitor-resource-logs.md) get augmented with identity and authorization information for each data operation when using Azure Cosmos DB role-based access control. This augmentation lets you perform detailed auditing and retrieve the Microsoft Entra identity used for every data request sent to your Azure Cosmos DB account. This additional information flows in the **DataPlaneRequests** log category and consists of two extra columns: -- `aadPrincipalId_g` shows the principal ID of the Azure AD identity that was used to authenticate the request.+- `aadPrincipalId_g` shows the principal ID of the Microsoft Entra identity that was used to authenticate the request. - `aadAppliedRoleAssignmentId_g` shows the [role assignment](#role-assignments) that was honored when authorizing the request. 
## <a id="disable-local-auth"></a> Enforcing role-based access control as the only authentication method When creating or updating your Azure Cosmos DB account using Azure Resource Mana ## Limits - You can create up to 100 role definitions and 2,000 role assignments per Azure Cosmos DB account.-- You can only assign role definitions to Azure AD identities belonging to the same Azure AD tenant as your Azure Cosmos DB account.-- Azure AD group resolution isn't currently supported for identities that belong to more than 200 groups.-- The Azure AD token is currently passed as a header with each individual request sent to the Azure Cosmos DB service, increasing the overall payload size.+- You can only assign role definitions to Microsoft Entra identities belonging to the same Microsoft Entra tenant as your Azure Cosmos DB account. +- Microsoft Entra group resolution isn't currently supported for identities that belong to more than 200 groups. +- The Microsoft Entra token is currently passed as a header with each individual request sent to the Azure Cosmos DB service, increasing the overall payload size. ## Frequently asked questions Azure portal support for role management isn't available yet. The [.NET V3](nosql/sdk-dotnet-v3.md), [Java V4](nosql/sdk-java-v4.md), [JavaScript V3](nosql/sdk-nodejs.md) and [Python V4.3+](nosql/sdk-python.md) SDKs are currently supported. -### Is the Azure AD token automatically refreshed by the Azure Cosmos DB SDKs when it expires? +<a name='is-the-azure-ad-token-automatically-refreshed-by-the-azure-cosmos-db-sdks-when-it-expires'></a> ++### Is the Microsoft Entra token automatically refreshed by the Azure Cosmos DB SDKs when it expires? Yes. |
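Review bot: the rename in the "Authenticate requests on the REST API" hunk changes an API literal, not just prose: the sentence now says to set the **type** parameter to **Microsoft Entra ID**, but the example that immediately follows it still reads `type=aad&ver=1.0&sig=<token-from-oauth>`, so a reader who follows the prose will send an invalid authorization header. Keep the literal value and apply the rename only to the product name, for example "set the **type** parameter to **aad** (the Microsoft Entra ID token type)". The same hunk gets this right elsewhere: the `aadPrincipalId_g` and `aadAppliedRoleAssignmentId_g` log columns and the `?feature.enableAadDataPlane=true` query parameter are left as-is, which is the correct treatment for identifiers that are matched by a service or a query.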
cosmos-db | Integrated Power Bi Synapse Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/integrated-power-bi-synapse-link.md | Use the following steps to build a Power BI report from Azure Cosmos DB data in > [!NOTE] > Your Azure Cosmos DB container proprieties will be represented as columns in T-SQL views, including deep nested JSON data. This is a quick start for your BI dashboards. These views will be available in your Synapse workspace/database; you can also use these exact same views in Synapse Workspace for data exploration, data science, data engineering, etc. Please note that advanced scenarios may demand more complex views or fine tuning of these views, for better performance. For more information. see [best practices for Synapse Link when using Synapse serverless SQL pools](../synapse-analytics/sql/resources-self-help-sql-on-demand.md#azure-cosmos-db-performance-issues) article. -1. You can either choose an existing workspace or create a new one. To select an existing workspace, provide the **Subscription**, **Workspace**, and the **Database** details. Azure portal will use your Azure AD credentials to automatically connect to your Synapse workspace and create T-SQL views. Make sure you have "Synapse administrator" permissions to this workspace. +1. You can either choose an existing workspace or create a new one. To select an existing workspace, provide the **Subscription**, **Workspace**, and the **Database** details. Azure portal will use your Microsoft Entra credentials to automatically connect to your Synapse workspace and create T-SQL views. Make sure you have "Synapse administrator" permissions to this workspace. :::image type="content" source="./media/integrated-power-bi-synapse-link/synapse-create-views.png" alt-text="Connect to Synapse Link workspace and create views." border="true" lightbox="./media/integrated-power-bi-synapse-link/synapse-create-views.png"::: |
cosmos-db | Managed Identity Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/managed-identity-based-authentication.md | Title: Use system-assigned managed identities to access Azure Cosmos DB data -description: Learn how to configure an Azure Active Directory (Azure AD) system-assigned managed identity (managed service identity) to access keys from Azure Cosmos DB. +description: Learn how to configure a Microsoft Entra system-assigned managed identity (managed service identity) to access keys from Azure Cosmos DB. |
cosmos-db | Integrations Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/mongodb/integrations-overview.md | You can use Azure Key Vault to - * [Secure Azure Cosmos DB for MongoDB account credentials.](../store-credentials-key-vault.md) * [Configure customer-managed keys for your account.](../how-to-setup-cmk.md) -### Azure AD +<a name='azure-ad'></a> -Azure AD managed identities eliminate the need for developers to manage credentials. Here's how you can [create a managed identity for Azure Cosmos DB accounts](../how-to-setup-managed-identity.md). +### Microsoft Entra ID ++Microsoft Entra managed identities eliminate the need for developers to manage credentials. Here's how you can [create a managed identity for Azure Cosmos DB accounts](../how-to-setup-managed-identity.md). ## Next steps Learn about other key integrations: * [Monitor Azure Cosmos DB with Azure Monitor.](/azure/cosmos-db/monitor-cosmos-db?tabs=azure-diagnostics.md)-* [Set up analytics with Azure Synapse Link.](../configure-synapse-link.md) +* [Set up analytics with Azure Synapse Link.](../configure-synapse-link.md) |
cosmos-db | Bicep Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/bicep-samples.md | This article shows Bicep samples for API for NoSQL accounts. You can also find B |[Create an Azure Cosmos DB account, database, container with analytical store](manage-with-bicep.md#create-analytical-store) | Create a API for NoSQL account in one region with a container configured with Analytical TTL enabled and option to use manual or autoscale throughput. | |[Create an Azure Cosmos DB account, database, container with standard (manual) throughput](manage-with-bicep.md#create-manual) | Create a API for NoSQL account in two regions, a database and container with standard throughput. | |[Create an Azure Cosmos DB account, database and container with a stored procedure, trigger and UDF](manage-with-bicep.md#create-sproc) | Create a API for NoSQL account in two regions with a stored procedure, trigger and UDF for a container. |-|[Create an Azure Cosmos DB account with Azure AD identity, Role Definitions and Role Assignment](manage-with-bicep.md#create-rbac) | Create a API for NoSQL account with Azure AD identity, Role Definitions and Role Assignment on a Service Principal. | +|[Create an Azure Cosmos DB account with Microsoft Entra identity, Role Definitions and Role Assignment](manage-with-bicep.md#create-rbac) | Create a API for NoSQL account with Microsoft Entra identity, Role Definitions and Role Assignment on a Service Principal. | |[Create a free-tier Azure Cosmos DB account](manage-with-bicep.md#free-tier) | Create an Azure Cosmos DB for NoSQL account on free-tier. | ## Next steps |
cosmos-db | How To Dotnet Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-get-started.md | To connect to the API for NoSQL of Azure Cosmos DB, create an instance of the [` - [Connect with a API for NoSQL endpoint and read/write key](#connect-with-an-endpoint-and-key) - [Connect with a API for NoSQL connection string](#connect-with-a-connection-string)-- [Connect with Azure Active Directory](#connect-using-the-microsoft-identity-platform)+- [Connect with Microsoft Entra ID](#connect-using-the-microsoft-identity-platform) ### Connect with an endpoint and key Create a new instance of the **CosmosClient** class with the ``COSMOS_CONNECTION :::code language="csharp" source="~/cosmos-db-nosql-dotnet-samples/102-client-connection-string/Program.cs" id="connection_string" highlight="3"::: -### Connect using the Microsoft Identity Platform +### Connect using the Microsoft identity platform -To connect to your API for NoSQL account using the Microsoft Identity Platform and Azure AD, use a security principal. The exact type of principal will depend on where you host your application code. The table below serves as a quick reference guide. +To connect to your API for NoSQL account using the Microsoft identity platform and Microsoft Entra ID, use a security principal. The exact type of principal will depend on where you host your application code. The table below serves as a quick reference guide. | Where the application runs | Security principal |--|--|| For this example, we create a [``ClientSecretCredential``](/dotnet/api/azure.ide :::code language="csharp" source="~/cosmos-db-nosql-dotnet-samples/104-client-secret-credential/Program.cs" id="credential" highlight="3-5"::: -You can obtain the client ID, tenant ID, and client secret when you register an application in Azure Active Directory (AD). 
For more information about registering Azure AD applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). +You can obtain the client ID, tenant ID, and client secret when you register an application in Microsoft Entra ID. For more information about registering Microsoft Entra applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` environment variable and the **TokenCredential** object as parameters. |
cosmos-db | How To Javascript Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-javascript-get-started.md | To connect to the API for NoSQL of Azure Cosmos DB, create an instance of the [` - [Connect with a API for NoSQL endpoint and read/write key](#connect-with-an-endpoint-and-key) - [Connect with a API for NoSQL connection string](#connect-with-a-connection-string)-- [Connect with Azure Active Directory](#connect-using-the-microsoft-identity-platform)+- [Connect with Microsoft Entra ID](#connect-using-the-microsoft-identity-platform) ### Connect with an endpoint and key Create a new instance of the **CosmosClient** class with the ``COSMOS_CONNECTION const cosmosClient = new CosmosClient(process.env.COSMOS_CONNECTION_STRING); ``` -### Connect using the Microsoft Identity Platform +### Connect using the Microsoft identity platform -To connect to your API for NoSQL account using the Microsoft Identity Platform and Azure AD, use a security principal. The exact type of principal depends on where you host your application code. The table below serves as a quick reference guide. +To connect to your API for NoSQL account using the Microsoft identity platform and Microsoft Entra ID, use a security principal. The exact type of principal depends on where you host your application code. The table below serves as a quick reference guide. | Where the application runs | Security principal |--|--|| If you plan to deploy the application out of Azure, you can obtain an OAuth toke For this example, we create a [``ClientSecretCredential``](/javascript/api/@azure/identity/tokencredential) instance by using client and tenant identifiers, along with a client secret. -You can obtain the client ID, tenant ID, and client secret when you register an application in Azure Active Directory (AD). 
For more information about registering Azure AD applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). +You can obtain the client ID, tenant ID, and client secret when you register an application in Microsoft Entra ID. For more information about registering Microsoft Entra applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` environment variable and the **TokenCredential** object as parameters. |
cosmos-db | How To Python Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-python-get-started.md | To connect to the API for NoSQL of Azure Cosmos DB, create an instance of the [C - [Connect with an API for NoSQL endpoint and read/write key](#connect-with-an-endpoint-and-key) - [Connect with an API for NoSQL connection string](#connect-with-a-connection-string)-- [Connect with Azure Active Directory](#connect-using-the-microsoft-identity-platform)+- [Connect with Microsoft Entra ID](#connect-using-the-microsoft-identity-platform) ### Connect with an endpoint and key Create a new instance of the **CosmosClient** class with the ``COSMOS_CONNECTION :::code language="python" source="~/cosmos-db-nosql-python-samples/003-how-to/app_connection_string.py" id="connection_string"::: -### Connect using the Microsoft Identity Platform +### Connect using the Microsoft identity platform -To connect to your API for NoSQL account using the Microsoft Identity Platform and Azure AD, use a security principal. The exact type of principal will depend on where you host your application code. The table below serves as a quick reference guide. +To connect to your API for NoSQL account using the Microsoft identity platform and Microsoft Entra ID, use a security principal. The exact type of principal will depend on where you host your application code. The table below serves as a quick reference guide. | Where the application runs | Security principal |--|--|| In your *app.py*: :::code language="python" source="~/cosmos-db-nosql-python-samples/003-how-to/app_aad_default.py" id="credential"::: > [!IMPORTANT]-> For details on how to add the correct role to enable `DefaultAzureCredential` to work, see [Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account](../how-to-setup-rbac.md). In particular, see the section on creating roles and assigning them to a principal ID. 
+> For details on how to add the correct role to enable `DefaultAzureCredential` to work, see [Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account](../how-to-setup-rbac.md). In particular, see the section on creating roles and assigning them to a principal ID. #### Create CosmosClient with a custom credential implementation For this example, we create a [``ClientSecretCredential``](/python/api/azure-ide In your *app.py*: -* Get the credential information from environment variables for a service principal. You can obtain the client ID, tenant ID, and client secret when you register an application in Azure Active Directory (AD). For more information about registering Azure AD applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). +* Get the credential information from environment variables for a service principal. You can obtain the client ID, tenant ID, and client secret when you register an application in Microsoft Entra ID. For more information about registering Microsoft Entra applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). * Import the [ClientSecretCredential](/python/api/azure-identity/azure.identity.clientsecretcredential) and create an instance with the ``TENANT_ID``, ``CLIENT_ID``, and ``CLIENT_SECRET`` environment variables as parameters. |
cosmos-db | Manage With Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/manage-with-bicep.md | Create an Azure Cosmos DB account, database and container with with a stored pro <a id="create-rbac"></a> -## Azure Cosmos DB account with Azure AD and RBAC +<a name='azure-cosmos-db-account-with-azure-ad-and-rbac'></a> -Create an Azure Cosmos DB account, a natively maintained Role Definition, and a natively maintained Role Assignment for an AAD identity. +## Azure Cosmos DB account with Microsoft Entra ID and RBAC ++Create an Azure Cosmos DB account, a natively maintained Role Definition, and a natively maintained Role Assignment for a Microsoft Entra identity. :::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.documentdb/cosmosdb-sql-rbac/main.bicep"::: |
cosmos-db | Manage With Templates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/manage-with-templates.md | This template creates an Azure Cosmos DB account, database and container with wi <a id="create-rbac"></a> -## Azure Cosmos DB account with Azure AD and RBAC +<a name='azure-cosmos-db-account-with-azure-ad-and-rbac'></a> -This template will create a SQL Azure Cosmos DB account, a natively maintained Role Definition, and a natively maintained Role Assignment for an Azure AD identity. This template is also available for one-click deploy from Azure Quickstart Templates Gallery. +## Azure Cosmos DB account with Microsoft Entra ID and RBAC ++This template will create a SQL Azure Cosmos DB account, a natively maintained Role Definition, and a natively maintained Role Assignment for a Microsoft Entra identity. This template is also available for one-click deploy from Azure Quickstart Templates Gallery. [:::image type="content" source="../../media/template-deployments/deploy-to-azure.svg" alt-text="Deploy to Azure":::](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.documentdb%2Fcosmosdb-sql-rbac%2Fazuredeploy.json) |
cosmos-db | Manage With Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/manage-with-terraform.md | Create an Azure Cosmos account, database and container with a stored procedure, :::code language="terraform" source="~/terraform_samples/quickstart/101-cosmos-db-serverside-functionality/variables.tf"::: -## <a id="create-rbac"></a>Azure Cosmos DB account with Azure AD and role-based access control +## <a id="create-rbac"></a>Azure Cosmos DB account with Microsoft Entra ID and role-based access control -Create an Azure Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an Azure Active Directory identity. +Create an Azure Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for a Microsoft Entra identity. ### `main.tf` |
cosmos-db | Migrate Hbase To Cosmos Db | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/migrate-hbase-to-cosmos-db.md | Data security is a shared responsibility of the customer and the database provid | **Security control** | **HBase** | **Azure Cosmos DB** | | -- | -- | - | | Network Security and firewall setting | Control traffic using security functions such as network devices. | Supports policy-based IP-based access control on the inbound firewall. |-| User authentication and fine-grained user controls | Fine-grained access control by combining LDAP with security components such as Apache Ranger. | You can use the account primary key to create user and permission resources for each database. Resource tokens are associated with permissions in the database to determine how users can access application resources in the database (read/write, read-only, or no access). You can also use your Azure Active Directory (AAD) ID to authenticate your data requests. This allows you to authorize data requests using a fine-grained RBAC model.| +| User authentication and fine-grained user controls | Fine-grained access control by combining LDAP with security components such as Apache Ranger. | You can use the account primary key to create user and permission resources for each database. Resource tokens are associated with permissions in the database to determine how users can access application resources in the database (read/write, read-only, or no access). You can also use your Microsoft Entra ID to authenticate your data requests. This allows you to authorize data requests using a fine-grained RBAC model.| | Ability to replicate data globally for regional failures | Make a database replica in a remote data center using HBase's replication. | Azure Cosmos DB performs configuration-free global distribution and allows you to replicate data to data centers around the world in Azure with the select of a button. 
In terms of security, global replication ensures that your data is protected from local failures. | | Ability to fail over from one data center to another | You need to implement failover yourself. | If you're replicating data to multiple data centers and the region's data center goes offline, Azure Cosmos DB automatically rolls over the operation. | | Local data replication within a data center | The HDFS mechanism allows you to have multiple replicas across nodes within a single file system. | Azure Cosmos DB automatically replicates data to maintain high availability, even within a single data center. You can choose the consistency level yourself. | Additionally, for old version of data, you can expire old versions using [TTL](t * To optimize the code, see [Performance tips for Azure Cosmos DB](./performance-tips-async-java.md) article. -* Explore Java Async V3 SDK, [SDK reference](https://github.com/Azure/azure-cosmosdb-java/tree/v3) GitHub repo. +* Explore Java Async V3 SDK, [SDK reference](https://github.com/Azure/azure-cosmosdb-java/tree/v3) GitHub repo. |
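Review bot: in the security-controls table, "You can also use your Microsoft Entra ID to authenticate your data requests" now reads as if "Microsoft Entra ID" were the user's identifier rather than the product name; the original "your Azure Active Directory (AAD) ID" meant the identity. Use "your Microsoft Entra identity" (matching the wording the other hunks in this change adopt, e.g. "a Microsoft Entra identity" in the Bicep and Terraform rows) so the sentence still says what it used to.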
cosmos-db | Migrate Passwordless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/migrate-passwordless.md | Title: Migrate applications to use passwordless authentication with Azure Cosmos DB for NoSQL -description: Learn to migrate existing applications away from connection strings to instead use Azure AD and Azure RBAC for enhanced security. +description: Learn to migrate existing applications away from connection strings to instead use Microsoft Entra ID and Azure RBAC for enhanced security. In this tutorial, you learned how to migrate an application to passwordless conn You can read the following resources to explore the concepts discussed in this article in more depth: -* [Authorize access to blobs using Azure Active Directory](../../storage/blobs/authorize-access-azure-active-directory.md)) +* [Authorize access to blobs using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md)) * To learn more about .NET, see [Get started with .NET in 10 minutes](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/intro). |
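Review bot: the rewritten link `[Authorize access to blobs using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md))` carries a stray second `)` after the target, which renders as a literal parenthesis in the list item; since this line is being touched anyway, drop the extra `)`. Note also that the link target keeps its `azure-active-directory` filename, which is correct: file paths and anchors must not follow the product rename unless the target file was actually moved.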
cosmos-db | Powerbi Visualize | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/powerbi-visualize.md | To build a Power BI report/dashboard: > [!NOTE] > Your Azure Cosmos DB container proprieties will be represented as columns in T-SQL views, including deep nested JSON data. This is a quick start for your BI dashboards. These views will be available in your Synapse workspace/database; you can also use these exact same views in Synapse Workspace for data exploration, data science, data engineering, etc. Please note that advanced scenarios may demand more complex views or fine tuning of these views, for better performance. For more information. see [best practices for Synapse Link when using Synapse serverless SQL pools](../../synapse-analytics/sql/resources-self-help-sql-on-demand.md#azure-cosmos-db-performance-issues) article. -1. You can either choose an existing workspace or create a new one. To select an existing workspace, provide the **Subscription**, **Workspace**, and the **Database** details. Azure portal will use your Azure AD credentials to automatically connect to your Synapse workspace and create T-SQL views. Make sure you have "Synapse administrator" permissions to this workspace. +1. You can either choose an existing workspace or create a new one. To select an existing workspace, provide the **Subscription**, **Workspace**, and the **Database** details. Azure portal will use your Microsoft Entra credentials to automatically connect to your Synapse workspace and create T-SQL views. Make sure you have "Synapse administrator" permissions to this workspace. :::image type="content" source="../media/integrated-power-bi-synapse-link/synapse-create-views.png" alt-text="Connect to Synapse Link workspace and create views." border="true" lightbox="../media/integrated-power-bi-synapse-link/synapse-create-views.png"::: |
cosmos-db | Quickstart Spark | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/quickstart-spark.md | if(!dfRelevantSequences.isEmpty){ The Azure Cosmos DB Spark 3 OLTP Connector for API for NoSQL has a complete configuration reference that provides more advanced settings for writing and querying data, serialization, streaming using change feed, partitioning and throughput management and more. For a complete listing with details, see our [Spark Connector Configuration Reference](https://aka.ms/azure-cosmos-spark-3-config) on GitHub. -## Azure Active Directory authentication +<a name='azure-active-directory-authentication'></a> -1. Following the instructions on how to [register an application with Azure AD and create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). +## Microsoft Entra authentication -1. You should still be in Azure portal > Azure Active Directory > App Registrations. In the `Certificates & secrets` section, create a new secret. Save the value for later. +1. Following the instructions on how to [register an application with Microsoft Entra ID and create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). ++1. You should still be in Azure portal > Microsoft Entra ID > App Registrations. In the `Certificates & secrets` section, create a new secret. Save the value for later. 1. Click on the overview tab and find the values for `clientId` and `tenantId`, along with `clientSecret` that you created earlier, and `cosmosEndpoint`, `subscriptionId`, and `resourceGroupName`from your account. Create a notebook as below and replace the configurations with the appropriate values: The Azure Cosmos DB Spark 3 OLTP Connector for API for NoSQL has a complete conf ] ``` -1. 
Now go to Azure portal > Azure Active Directory > **Enterprise Applications** and search for the application you created earlier. Record the Object ID found here. +1. Now go to Azure portal > Microsoft Entra ID > **Enterprise Applications** and search for the application you created earlier. Record the Object ID found here. > [!NOTE]- > Make sure to use its Object ID as found in the **Enterprise applications** section of the Azure Active Directory portal blade (and not the App registrations section you used earlier). + > Make sure to use its Object ID as found in the **Enterprise applications** section of the Microsoft Entra admin center blade (and not the App registrations section you used earlier). 1. Now create a role assignment. Replace the `<aadPrincipalId>` with Object ID you recorded above (note this is NOT the same as Object ID visible from the app registrations view you saw earlier). Also replace `<myResourceGroup>` and `<myCosmosAccount>` accordingly in the below. Replace `<roleDefinitionId>` with the `id` value fetched from running the `az cosmosdb sql role definition list` command you ran above. Then run in Azure CLI: The Azure Cosmos DB Spark 3 OLTP Connector for API for NoSQL has a complete conf az cosmosdb sql role assignment create --account-name $accountName --resource-group $resourceGroupName --scope "/" --principal-id $principalId --role-definition-id $readOnlyRoleDefinitionId ``` -1. Now that you have created an Azure Active Directory application and service principal, created a custom role, and assigned that role permissions to your Cosmos DB account, you should be able to run your notebook. +1. Now that you have created a Microsoft Entra application and service principal, created a custom role, and assigned that role permissions to your Cosmos DB account, you should be able to run your notebook. ## Migrate to Spark 3 Connector |
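Review bot: the navigation path in this hunk is now internally inconsistent: the numbered step says "Azure portal > Microsoft Entra ID > **Enterprise Applications**", but the note directly beneath it was changed to say "the **Enterprise applications** section of the Microsoft Entra admin center blade", which is a different portal. Pick one path and use it in both places. Separately, the step that opens with "Following the instructions on how to register an application..." is a fragment carried over from the old text; "Follow the instructions to register an application..." would fix it while the line is being edited.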
cosmos-db | Samples Resource Manager Templates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/samples-resource-manager-templates.md | This article only shows Azure Resource Manager template examples for API for NoS |[Create an Azure Cosmos DB account, database, container with analytical store](manage-with-templates.md#create-analytical-store) | This template creates a API for NoSQL account in one region with a container configured with Analytical TTL enabled and option to use manual or autoscale throughput. | |[Create an Azure Cosmos DB account, database, container with standard (manual) throughput](manage-with-templates.md#create-manual) | This template creates a API for NoSQL account in two regions, a database and container with standard throughput. | |[Create an Azure Cosmos DB account, database and container with a stored procedure, trigger and UDF](manage-with-templates.md#create-sproc) | This template creates a API for NoSQL account in two regions with a stored procedure, trigger and UDF for a container. |-|[Create an Azure Cosmos DB account with Azure AD identity, Role Definitions and Role Assignment](manage-with-templates.md#create-rbac) | This template creates a API for NoSQL account with Azure AD identity, Role Definitions and Role Assignment on a Service Principal. | +|[Create an Azure Cosmos DB account with Microsoft Entra identity, Role Definitions and Role Assignment](manage-with-templates.md#create-rbac) | This template creates a API for NoSQL account with Microsoft Entra identity, Role Definitions and Role Assignment on a Service Principal. | |[Create a private endpoint for an existing Azure Cosmos DB account](../how-to-configure-private-endpoints.md#create-a-private-endpoint-by-using-a-resource-manager-template) | This template creates a private endpoint for an existing Azure Cosmos DB for NoSQL account in an existing virtual network. 
| |[Create a free-tier Azure Cosmos DB account](manage-with-templates.md#free-tier) | This template creates an Azure Cosmos DB for NoSQL account on free-tier. | |
cosmos-db | Samples Terraform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/samples-terraform.md | This article shows Terraform samples for NoSQL accounts. | [Create an Azure Cosmos account, database, container with analytical store](manage-with-terraform.md#create-analytical-store) | Create an API for NoSQL account in one region with a container configured with Analytical TTL enabled and option to use manual or autoscale throughput. | | [Create an Azure Cosmos account, database, container with standard (manual) throughput](manage-with-terraform.md#create-manual) | Create an API for NoSQL account in two regions, a database and container with standard throughput. | | [Create an Azure Cosmos account, database and container with a stored procedure, trigger and UDF](manage-with-terraform.md#create-sproc) | Create an API for NoSQL account in two regions with a stored procedure, trigger and UDF for a container. |-| [Create an Azure Cosmos account with Azure AD identity, Role Definitions and Role Assignment](manage-with-terraform.md#create-rbac) | Create an API for NoSQL account with Azure AD identity, Role Definitions and Role Assignment on a Service Principal. | +| [Create an Azure Cosmos account with Microsoft Entra identity, Role Definitions and Role Assignment](manage-with-terraform.md#create-rbac) | Create an API for NoSQL account with Microsoft Entra identity, Role Definitions and Role Assignment on a Service Principal. | | [Create a free-tier Azure Cosmos account](manage-with-terraform.md#free-tier) | Create an Azure Cosmos DB API for NoSQL account on free-tier. | ## Next steps |
cosmos-db | Troubleshoot Changefeed Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/troubleshoot-changefeed-functions.md | To resolve this issue: * Upgrade to the latest available version. -### Your Azure function fails to start, with error message "Forbidden (403); Substatus: 5300... The given request [POST ...] can't be authorized by Azure AD token in data plane" +<a name='your-azure-function-fails-to-start-with-error-message-forbidden-403-substatus-5300-the-given-request-post--cant-be-authorized-by-azure-ad-token-in-data-plane'></a> -This error means that your function is attempting to [perform a non-data operation by using Azure Active Directory (Azure AD) identities](troubleshoot-forbidden.md#non-data-operations-are-not-allowed). You can't use `CreateLeaseContainerIfNotExists = true` when you're using Azure AD identities. +### Your Azure function fails to start, with error message "Forbidden (403); Substatus: 5300... The given request [POST ...] can't be authorized by Microsoft Entra token in data plane" ++This error means that your function is attempting to [perform a non-data operation by using Microsoft Entra identities](troubleshoot-forbidden.md#non-data-operations-are-not-allowed). You can't use `CreateLeaseContainerIfNotExists = true` when you're using Microsoft Entra identities. ### Your Azure function fails to start, with error message "The lease collection, if partitioned, must have partition key equal to id" |
cosmos-db | Troubleshoot Forbidden | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/troubleshoot-forbidden.md | Partition key reached maximum size of {...} GB This error means that your current [partitioning design](../partitioning-overview.md#logical-partitions) and workload is trying to store more than the allowed amount of data for a given partition key value. There is no limit to the number of logical partitions in your container but the size of data each logical partition can store is limited. You can reach to support for clarification. ## Non-data operations are not allowed-This scenario happens when [attempting to perform non-data operations](../how-to-setup-rbac.md#permission-model) using Azure Active Directory (Azure AD) identities. On this scenario, it's common to see errors like the ones below: +This scenario happens when [attempting to perform non-data operations](../how-to-setup-rbac.md#permission-model) using Microsoft Entra identities. On this scenario, it's common to see errors like the ones below: ``` Operation 'POST' on resource 'calls' is not allowed through Azure Cosmos DB endpoint Forbidden (403); Substatus: 5300; The given request [PUT ...] cannot be authoriz ### Solution Perform the operation through Azure Resource Manager, Azure portal, Azure CLI, or Azure PowerShell.-If you are using the [Azure Functions Azure Cosmos DB Trigger](../../azure-functions/functions-bindings-cosmosdb-v2-trigger.md) make sure the `CreateLeaseContainerIfNotExists` property of the trigger isn't set to `true`. Using Azure AD identities blocks any non-data operation, such as creating the lease container. +If you are using the [Azure Functions Azure Cosmos DB Trigger](../../azure-functions/functions-bindings-cosmosdb-v2-trigger.md) make sure the `CreateLeaseContainerIfNotExists` property of the trigger isn't set to `true`. Using Microsoft Entra identities blocks any non-data operation, such as creating the lease container. 
## Next steps * Configure [IP Firewall](../how-to-configure-firewall.md). |
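Review bot: the rewritten sentence under "Non-data operations are not allowed" carries over "On this scenario, it's common to see errors like the ones below"; prefer "In this scenario". Otherwise the renamed Solution paragraph stays consistent with the troubleshoot-changefeed-functions change, which points readers to this section for the `CreateLeaseContainerIfNotExists` case.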
cosmos-db | Tutorial Create Notebook Vscode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/tutorial-create-notebook-vscode.md | In this section, you'll create the Azure Cosmos database, container, and import 1. Create a new code cell. -1. In the code cell, add code to [execute a SQL query using the SDK](quickstart-dotnet.md#query-items) storing the output of the query in a variable of type <xref:System.Collections.Generic.List%601> named **results**. +1. In the code cell, add code to [execute a SQL query using the SDK](query/index.yml) storing the output of the query in a variable of type <xref:System.Collections.Generic.List%601> named **results**. ```csharp using System.Collections.Generic; |
cosmos-db | Tutorial Deploy App Bicep Aks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/tutorial-deploy-app-bicep-aks.md | az aks get-credentials \ ## Connect the AKS pods to Azure Key Vault -Azure Active Directory (Azure AD) pod-managed identities use AKS primitives to associate managed identities for Azure resources and identities in Azure AD with pods. You'll use these identities to grant access to the Azure Key Vault Provider for Secrets Store CSI Driver. +Microsoft Entra pod-managed identities use AKS primitives to associate managed identities for Azure resources and identities in Microsoft Entra ID with pods. You'll use these identities to grant access to the Azure Key Vault Provider for Secrets Store CSI Driver. Use the following command to find the values of the tenant ID (`homeTenantId`): |
cosmos-db | Concepts Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/concepts-authentication.md | Title: Active Directory authentication - Azure Cosmos DB for PostgreSQL -description: Learn about the concepts of native PostgreSQL and Azure Active Directory authentication with Azure Cosmos DB for PostgreSQL +description: Learn about the concepts of native PostgreSQL and Microsoft Entra authentication with Azure Cosmos DB for PostgreSQL -# Azure Active Directory and PostgreSQL authentication with Azure Cosmos DB for PostgreSQL +# Microsoft Entra ID and PostgreSQL authentication with Azure Cosmos DB for PostgreSQL [!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)] > [!IMPORTANT]-> Azure Active Directory authentication in Azure Cosmos DB for PostgreSQL is currently in preview. +> Microsoft Entra authentication in Azure Cosmos DB for PostgreSQL is currently in preview. > This preview version is provided without a service level agreement, and it's not recommended > for production workloads. Certain features might not be supported or might have constrained > capabilities. > > You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview). -Azure Cosmos DB for PostgreSQL supports PostgreSQL authentication and integration with Azure Active Directory (Azure AD). Each Azure Cosmos DB for PostgreSQL cluster is created with native PostgreSQL authentication enabled and one built-in PostgreSQL role named `citus`. You can add more native PostgreSQL roles after cluster provisioning is completed. +Azure Cosmos DB for PostgreSQL supports PostgreSQL authentication and integration with Microsoft Entra ID. Each Azure Cosmos DB for PostgreSQL cluster is created with native PostgreSQL authentication enabled and one built-in PostgreSQL role named `citus`. You can add more native PostgreSQL roles after cluster provisioning is completed. 
-You can also enable Azure AD authentication on a cluster in addition to the PostgreSQL authentication method or instead of it. You can configure authentication methods on each Azure Cosmos DB for PostgreSQL cluster independently. If you need to change authentication method, you can do it at any time after cluster provisioning is completed. Changing authentication methods doesn't require cluster restart. +You can also enable Microsoft Entra authentication on a cluster in addition to the PostgreSQL authentication method or instead of it. You can configure authentication methods on each Azure Cosmos DB for PostgreSQL cluster independently. If you need to change authentication method, you can do it at any time after cluster provisioning is completed. Changing authentication methods doesn't require cluster restart. ## PostgreSQL authentication Notably, the `citus` role has some restrictions: * Can't create roles * Can't create databases -`citus` role can't be deleted but would be disabled if 'Azure Active Directory authentication only' authentication method is selected on cluster. +`citus` role can't be deleted but would be disabled if 'Microsoft Entra authentication only' authentication method is selected on cluster. -## Azure Active Directory authentication (preview) +<a name='azure-active-directory-authentication-preview'></a> -[Microsoft Azure Active Directory (Azure AD)](./../../active-directory/fundamentals/active-directory-whatis.md) authentication is a mechanism of connecting to Azure Cosmos DB for PostgreSQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. 
+## Microsoft Entra authentication (preview) -Benefits of using Azure AD include: +[Microsoft Entra ID](./../../active-directory/fundamentals/active-directory-whatis.md) authentication is a mechanism of connecting to Azure Cosmos DB for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. ++Benefits of using Microsoft Entra ID include: - Authentication of users across Azure Services in a uniform way - Management of password policies and password rotation in a single place-- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords-- Azure AD authentication uses PostgreSQL database roles to authenticate identities at the database level+- Multiple forms of authentication supported by Microsoft Entra ID, which can eliminate the need to store passwords +- Microsoft Entra authentication uses PostgreSQL database roles to authenticate identities at the database level - Support of token-based authentication for applications connecting to Azure Cosmos DB for PostgreSQL -### Manage PostgreSQL access for Azure AD principals +<a name='manage-postgresql-access-for-azure-ad-principals'></a> ++### Manage PostgreSQL access for Microsoft Entra principals ++When Microsoft Entra authentication is enabled and Microsoft Entra principal is added as a Microsoft Entra administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra administrator sign-in can be a Microsoft Entra user, Service Principal or Managed Identity. Multiple Microsoft Entra administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs. 
-When Azure AD authentication is enabled and Azure AD principal is added as an Azure AD administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Azure AD administrator sign-in can be an Azure AD user, Service Principal or Managed Identity. Multiple Azure AD administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs. +Additionally, any number of non-admin Microsoft Entra roles can be added to a cluster at any time once Microsoft Entra authentication is enabled. Database permissions for non-admin Microsoft Entra roles are managed similar to regular roles. -Additionally, any number of non-admin Azure AD roles can be added to a cluster at any time once Azure AD authentication is enabled. Database permissions for non-admin Azure AD roles are managed similar to regular roles. +<a name='connect-using-azure-ad-identities'></a> -### Connect using Azure AD identities +### Connect using Microsoft Entra identities -Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities: +Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities: -- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA+- Microsoft Entra Password +- Microsoft Entra integrated +- Microsoft Entra Universal with MFA - Using Active Directory Application certificates or client secrets - Managed Identity Once you've authenticated against the Active Directory, you then retrieve a toke ### Other considerations -- Multiple Azure AD principals (a user, service principal, or managed identity) can be configured as Azure AD administrator for an Azure Cosmos DB for PostgreSQL cluster at any time.-- If an Azure AD principal is deleted from Azure AD service, it 
still remains as a PostgreSQL role on the cluster, but it's no longer able to acquire new access token. In this case, although the matching role still exists in the Postgres database it's unable to authenticate to the cluster nodes. Database administrators need to transfer ownership and drop such roles manually.+- Multiple Microsoft Entra principals (a user, service principal, or managed identity) can be configured as Microsoft Entra administrator for an Azure Cosmos DB for PostgreSQL cluster at any time. +- If a Microsoft Entra principal is deleted from Microsoft Entra service, it still remains as a PostgreSQL role on the cluster, but it's no longer able to acquire new access token. In this case, although the matching role still exists in the Postgres database it's unable to authenticate to the cluster nodes. Database administrators need to transfer ownership and drop such roles manually. > [!NOTE] -> Login with the deleted Azure AD user can still be done till the token expires (up to 90 minutes from token issuing). If you also remove the user from Azure Cosmos DB for PostgreSQL cluster this access will be revoked immediately. +> Login with the deleted Microsoft Entra user can still be done till the token expires (up to 90 minutes from token issuing). If you also remove the user from Azure Cosmos DB for PostgreSQL cluster this access will be revoked immediately. -- Azure Cosmos DB for PostgreSQL matches access tokens to the database role using the userΓÇÖs unique Azure Active Directory user ID, as opposed to using the username. If an Azure AD user is deleted and a new user is created with the same name, Azure Cosmos DB for PostgreSQL considers that a different user. 
Therefore, if a user is deleted from Azure AD and a new user is added with the same name the new user would be unable to connect with the existing role.+- Azure Cosmos DB for PostgreSQL matches access tokens to the database role using the userΓÇÖs unique Microsoft Entra user ID, as opposed to using the username. If a Microsoft Entra user is deleted and a new user is created with the same name, Azure Cosmos DB for PostgreSQL considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and a new user is added with the same name the new user would be unable to connect with the existing role. ## Next steps -- Check out [Azure AD limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication)+- Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication) - [Learn how to configure authentication for Azure Cosmos DB for PostgreSQL clusters](./how-to-configure-authentication.md) - Set up private network access to the cluster nodes, see [Manage private access](./howto-private-access.md) - Set up public network access to the cluster nodes, see [Manage public access](./howto-manage-firewall-using-portal.md) |
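Review bot: the rename is incomplete around the "Connect using Microsoft Entra identities" list: the new bullet "Microsoft Entra integrated" is lowercase while its siblings "Microsoft Entra Password" and "Microsoft Entra Universal with MFA" are capitalized, and the unchanged lines "Using Active Directory Application certificates or client secrets" and "Once you've authenticated against the Active Directory" still use the old name. Suggest "Microsoft Entra Integrated" and updating those two unchanged lines to the new name in the same change.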
cosmos-db | How To Configure Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/how-to-configure-authentication.md | Title: Use Azure Active Directory and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL -description: Learn how to set up Azure Active Directory (Azure AD) and add native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL + Title: Use Microsoft Entra ID and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL +description: Learn how to set up Microsoft Entra ID and add native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL -# Use Azure Active Directory and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL +# Use Microsoft Entra ID and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL [!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)] > [!IMPORTANT]-> Azure Active Directory authentication in Azure Cosmos DB for PostgreSQL is currently in preview. +> Microsoft Entra authentication in Azure Cosmos DB for PostgreSQL is currently in preview. > This preview version is provided without a service level agreement, and it's not recommended > for production workloads. Certain features might not be supported or might have constrained > capabilities. > > You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview). -In this article, you configure authentication methods for Azure Cosmos DB for PostgreSQL. You manage Azure Active Directory (Azure AD) admin users and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL. You also learn how to use an Azure AD token with Azure Cosmos DB for PostgreSQL. +In this article, you configure authentication methods for Azure Cosmos DB for PostgreSQL. 
You manage Microsoft Entra admin users and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL. You also learn how to use a Microsoft Entra token with Azure Cosmos DB for PostgreSQL. An Azure Cosmos DB for PostgreSQL cluster is created with one built-in native PostgreSQL role named 'citus'. You can add more native PostgreSQL roles after cluster provisioning is completed. -You can also configure Azure AD authentication for Azure Cosmos DB for PostgreSQL. You can enable Azure AD authentication in addition or instead of the native PostgreSQL authentication on your cluster. You can change authentication methods enabled on cluster at any point after the cluster is provisioned. When Azure Active Directory authentication is enabled, you can add multiple Azure AD users to an Azure Cosmos DB for PostgreSQL cluster and make any of them administrators. Azure AD user can be a user or a service principal. +You can also configure Microsoft Entra authentication for Azure Cosmos DB for PostgreSQL. You can enable Microsoft Entra authentication in addition or instead of the native PostgreSQL authentication on your cluster. You can change authentication methods enabled on cluster at any point after the cluster is provisioned. When Microsoft Entra authentication is enabled, you can add multiple Microsoft Entra users to an Azure Cosmos DB for PostgreSQL cluster and make any of them administrators. Microsoft Entra user can be a user or a service principal. ## Choose authentication method You need to use Azure portal to configure authentication methods on an Azure Cosmos DB for PostgreSQL cluster. -Complete the following items on your Azure Cosmos DB for PostgreSQL cluster to enable or disable Azure Active Directory authentication and native PostgreSQL authentication. +Complete the following items on your Azure Cosmos DB for PostgreSQL cluster to enable or disable Microsoft Entra authentication and native PostgreSQL authentication. 1. 
On the cluster page, under the **Cluster management** heading, choose **Authentication** to open authentication management options.-1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Azure Active Directory authentication (preview)**, or **PostgreSQL and Azure Active Directory authentication (preview)** as the authentication method based on your requirements. +1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra authentication (preview)**, or **PostgreSQL and Microsoft Entra authentication (preview)** as the authentication method based on your requirements. -Once done proceed with [configuring Azure Active Directory authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on **Authentication** page. +Once done proceed with [configuring Microsoft Entra authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on **Authentication** page. -## Configure Azure Active Directory authentication +<a name='configure-azure-active-directory-authentication'></a> -To add or remove Azure AD roles on cluster, follow these steps on **Authentication** page: +## Configure Microsoft Entra authentication -1. In **Azure Active Directory (Azure AD) authentication (preview)** section, select **Add Azure AD admins**. -1. In **Select Azure AD Admins** panel, select one or more valid Azure AD user or enterprise application in the current AD tenant to be an Azure AD administrator on your Azure Cosmos DB for PostgreSQL cluster. +To add or remove Microsoft Entra roles on cluster, follow these steps on **Authentication** page: ++1. In **Microsoft Entra authentication (preview)** section, select **Add Microsoft Entra admins**. +1. 
In **Select Microsoft Entra Admins** panel, select one or more valid Microsoft Entra user or enterprise application in the current AD tenant to be a Microsoft Entra administrator on your Azure Cosmos DB for PostgreSQL cluster. 1. Use **Select** to confirm your choice. 1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding native PostgreSQL roles. To add Postgres roles on cluster, follow these steps on **Authentication** page: 1. In **PostgreSQL authentication** section, select **Add PostgreSQL role**. 1. Enter the role name and password. Select **Save**.-1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding Azure Active Directory admin users. +1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding Microsoft Entra admin users. The native PostgreSQL user is created on the coordinator node of the cluster, and propagated to all the worker nodes. Roles created through the Azure portal have the LOGIN attribute, which means theyΓÇÖre true users who can sign in to the database. -## Connect to Azure Cosmos for PostgreSQL by using Azure AD authentication +<a name='connect-to-azure-cosmos-for-postgresql-by-using-azure-ad-authentication'></a> ++## Connect to Azure Cosmos for PostgreSQL by using Microsoft Entra authentication -Azure AD integration works with standard PostgreSQL client tools like **psql**, which aren't Azure AD aware and support only specifying the username and password when you're connecting to PostgreSQL. In such cases, the Azure AD token is passed as the password. +Microsoft Entra integration works with standard PostgreSQL client tools like **psql**, which aren't Microsoft Entra aware and support only specifying the username and password when you're connecting to PostgreSQL. In such cases, the Microsoft Entra token is passed as the password. 
We've tested the following clients: We've tested the following clients: - **Other libpq-based clients**: Examples include common application frameworks and object-relational mappers (ORMs). - **pgAdmin**: Clear **Connect now** at server creation. -Use the following procedures to authenticate with Azure AD as an Azure Cosmos DB for PostgreSQL user. You can follow along in [Azure Cloud Shell](./../../cloud-shell/quickstart.md), on an Azure virtual machine, or on your local machine. +Use the following procedures to authenticate with Microsoft Entra ID as an Azure Cosmos DB for PostgreSQL user. You can follow along in [Azure Cloud Shell](./../../cloud-shell/quickstart.md), on an Azure virtual machine, or on your local machine. ### Sign in to the user's Azure subscription -Start by authenticating with Azure AD by using the Azure CLI. This step isn't required in Azure Cloud Shell. +Start by authenticating with Microsoft Entra ID by using the Azure CLI. This step isn't required in Azure Cloud Shell. ```azurecli az login ``` -The command opens a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and password. +The command opens a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and password. ++<a name='retrieve-the-azure-ad-access-token'></a> -### Retrieve the Azure AD access token +### Retrieve the Microsoft Entra access token -Use the Azure CLI to acquire an access token for the Azure AD authenticated user to access Azure Cosmos for PostgreSQL. Here's an example: +Use the Azure CLI to acquire an access token for the Microsoft Entra authenticated user to access Azure Cosmos for PostgreSQL. 
Here's an example: ```azurecli-interactive az account get-access-token --resource https://postgres.cosmos.azure.com ``` -After authentication is successful, Azure AD returns an access token for current Azure subscription: +After authentication is successful, Microsoft Entra ID returns an access token for current Azure subscription: ```json { export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --quer > [!NOTE]-> Make sure PGPASSWORD variable is set to the Azure AD access token for your -> subscription for Azure AD authentication. If you need to do Postgres role authentication +> Make sure PGPASSWORD variable is set to the Microsoft Entra access token for your +> subscription for Microsoft Entra authentication. If you need to do Postgres role authentication > from the same session you can set PGPASSWORD to the Postgres role password > or clear the PGPASSWORD variable value to enter the password interactively. > Authentication would fail with the wrong value in PGPASSWORD. psql "host=mycluster.[uniqueID].postgres.cosmos.azure.com user=user@tenant.onmic ### Use a token as a password for signing in with PgAdmin -To connect by using an Azure AD token with PgAdmin, follow these steps: +To connect by using a Microsoft Entra token with PgAdmin, follow these steps: 1. Clear the **Connect now** option at server creation. 1. Enter your server details on the **Connection** tab and save.- 1. Make sure a valid Azure AD user is specified in **Username**. + 1. Make sure a valid Microsoft Entra user is specified in **Username**. 1. From the pgAdmin **Object** menu, select **Connect Server**. 1. Enter the Active Directory token password when you're prompted. Here are some essential considerations when you're connecting: -- `user@tenant.onmicrosoft.com` is the name of the Azure AD user.-- Be sure to use the exact way the Azure user is spelled. 
Azure AD user and group names are case-sensitive.+- `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra user. +- Be sure to use the exact way the Azure user is spelled. Microsoft Entra user and group names are case-sensitive. - If the name contains spaces, use a backslash (`\`) before each space to escape it. - The access token's validity is 5 minutes to 90 minutes. You should get the access token before initiating the sign-in to Azure Cosmos for PostgreSQL. -You're now authenticated to your Azure Cosmos for PostgreSQL server through Azure AD authentication. +You're now authenticated to your Azure Cosmos for PostgreSQL server through Microsoft Entra authentication. ## Manage native PostgreSQL roles To update a user, visit the **Authentication** page for your cluster, and select the ellipses **...** next to the user. The ellipses open a menu to delete the user or reset their password. -The `citus` role is privileged and can't be deleted. However, `citus` role would be disabled, if 'Azure Active Directory authentication only' authentication method is selected for the cluster. +The `citus` role is privileged and can't be deleted. However, `citus` role would be disabled, if 'Microsoft Entra authentication only' authentication method is selected for the cluster. 
## How to modify privileges for user roles For example, to allow PostgreSQL `db_user` to read `mytable`, grant the permissi GRANT SELECT ON mytable TO db_user; ``` -To grant the same permissions to Azure AD role `user@tenant.onmicrosoft.com` use the following command: +To grant the same permissions to Microsoft Entra role `user@tenant.onmicrosoft.com` use the following command: ```sql GRANT SELECT ON mytable TO "user@tenant.onmicrosoft.com"; system-wide (for example, for all tables in a schema): GRANT SELECT ON ALL TABLES IN SCHEMA public TO db_user; ``` -Or for Azure AD role +Or for Microsoft Entra role ```sql -- applies to the coordinator node and propagates to worker nodes for Azure AD role user@tenant.onmicrosoft.com GRANT SELECT ON ALL TABLES IN SCHEMA public TO "user@tenant.onmicrosoft.com"; ## Next steps - Learn about [authentication in Azure Cosmos DB for PostgreSQL](./concepts-authentication.md)-- Check out [Azure AD limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication)-- Review [Azure Active Directory fundamentals](./../../active-directory/fundamentals/active-directory-whatis.md)+- Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication) +- Review [Microsoft Entra fundamentals](./../../active-directory/fundamentals/active-directory-whatis.md) - [Learn more about SQL GRANT in PostgreSQL](https://www.postgresql.org/docs/current/sql-grant.html) |
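Review bot: old terminology survives next to rewritten lines in three places: "in the current AD tenant" inside the new "Select Microsoft Entra Admins" step, "Enter the Active Directory token password when you're prompted" in the pgAdmin steps, and the SQL comment "-- applies to the coordinator node and propagates to worker nodes for Azure AD role user@tenant.onmicrosoft.com" directly under the rewritten "Or for Microsoft Entra role" lead-in. Also the rewritten sentence "Microsoft Entra user can be a user or a service principal" needs an article ("A Microsoft Entra user can be a user or a service principal").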
cosmos-db | Product Updates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/product-updates.md | Updates that change cluster internals, such as installing a [new minor PostgreSQ * General availability: Citus 12 is now available in [all supported regions](./resources-regions.md) with PostgreSQL 14 and PostgreSQL 15. * Check [what's new in Citus 12](https://www.citusdata.com/updates/v12-0/). * See [Postgres and Citus version in-place upgrade](./concepts-upgrade.md).-* Preview: [Azure Active Directory (Azure AD) authentication](./concepts-authentication.md#azure-active-directory-authentication-preview) is now supported in addition to Postgres roles. +* Preview: [Microsoft Entra authentication](./concepts-authentication.md#azure-active-directory-authentication-preview) is now supported in addition to Postgres roles. * Preview: Azure CLI is now supported for all Azure Cosmos DB for PostgreSQL management operations. * See [details](/cli/azure/cosmosdb/postgres). Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) * [Geo-redundant backup and restore](./concepts-backup.md#backup-redundancy) * [32 TiB storage per node in multi-node clusters](./resources-compute.md#multi-node-cluster)-* [Azure Active Directory (Azure AD) authentication](./concepts-authentication.md#azure-active-directory-authentication-preview) +* [Microsoft Entra authentication](./concepts-authentication.md#azure-active-directory-authentication-preview) ## Contact us |
cosmos-db | Reference Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/reference-limits.md | currently **not supported**: ## Authentication -### Azure Active Directory authentication -If [Azure Active Directory (Azure AD)](./concepts-authentication.md#azure-active-directory-authentication-preview) is enabled on an Azure Cosmos DB for PostgreSQL cluster, the following is currently **not supported**: +<a name='azure-active-directory-authentication'></a> ++### Microsoft Entra authentication +If [Microsoft Entra ID](./concepts-authentication.md#azure-active-directory-authentication-preview) is enabled on an Azure Cosmos DB for PostgreSQL cluster, the following is currently **not supported**: * PostgreSQL 11, 12, and 13 * PgBouncer-* Azure AD groups +* Microsoft Entra groups ### Database creation |
cosmos-db | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/role-based-access-control.md | -Azure Cosmos DB provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Cosmos DB. An individual who has a profile in Azure Active Directory can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Cosmos DB resources. Role assignments are scoped to control-plane access only, which includes access to Azure Cosmos DB accounts, databases, containers, and offers (throughput). +Azure Cosmos DB provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Cosmos DB. An individual who has a profile in Microsoft Entra ID can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Cosmos DB resources. Role assignments are scoped to control-plane access only, which includes access to Azure Cosmos DB accounts, databases, containers, and offers (throughput). ## Built-in roles In addition to the built-in roles, users may also create [custom roles](../role- The Azure Cosmos DB resource provider can be locked down to prevent any changes to resources from a client connecting using the account keys (that is applications connecting via the Azure Cosmos DB SDK). This feature may be desirable for users who want higher degrees of control and governance for production environments. Preventing changes from the SDK also enables features such as resource locks and diagnostic logs for control plane operations. The clients connecting from Azure Cosmos DB SDK will be prevented from changing any property for the Azure Cosmos DB accounts, databases, containers, and throughput. 
The operations involving reading and writing data to Azure Cosmos DB containers themselves are not impacted. -When this feature is enabled, changes to any resource can only be made from a user with the right Azure role and Azure Active Directory credentials including Managed Service Identities. +When this feature is enabled, changes to any resource can only be made from a user with the right Azure role and Microsoft Entra credentials including Managed Service Identities. > [!WARNING] > Enabling this feature can have impact on your application. Make sure that you understand the impact before enabling it. Update-AzCosmosDBAccount -ResourceGroupName [ResourceGroupName] -Name [CosmosDBA - [Azure custom roles](../role-based-access-control/custom-roles.md) - [Azure Cosmos DB resource provider operations](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb) - [Configure role-based access control for your Azure Cosmos DB for MongoDB](mongodb/how-to-setup-rbac.md)- |
cosmos-db | Secure Access To Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/secure-access-to-data.md | Azure Cosmos DB provides three ways to control access to your data. | Access control type | Characteristics | ||| | [Primary/secondary keys](#primary-keys) | Shared secret allowing any management or data operation. It comes in both read-write and read-only variants. |-| [Role-based access control](#rbac) | Fine-grained, role-based permission model using Azure Active Directory (Azure AD) identities for authentication. | +| [Role-based access control](#rbac) | Fine-grained, role-based permission model using Microsoft Entra identities for authentication. | | [Resource tokens](#resource-tokens)| Fine-grained permission model based on native Azure Cosmos DB users and permissions. | ## <a id="primary-keys"></a> Primary/secondary keys CosmosClient client = new CosmosClient(endpointUrl, authorizationKey); Azure Cosmos DB exposes a built-in role-based access control (RBAC) system that lets you: -- Authenticate your data requests with an Azure Active Directory identity.+- Authenticate your data requests with a Microsoft Entra identity. - Authorize your data requests with a fine-grained, role-based permission model. Azure Cosmos DB RBAC is the ideal access control method in situations where: - You don't want to use a shared secret like the primary key, and prefer to rely on a token-based authentication mechanism,-- You want to use Azure AD identities to authenticate your requests,+- You want to use Microsoft Entra identities to authenticate your requests, - You need a fine-grained permission model to tightly restrict which database operations your identities are allowed to perform, - You wish to materialize your access control policies as "roles" that you can assign to multiple identities. 
CosmosClient client = new CosmosClient(accountEndpoint: "MyEndpoint", authKeyOrR | Subject | RBAC | Resource tokens | |--|--|--|-| Authentication | With Azure Active Directory (Azure AD). | Based on the native Azure Cosmos DB users<br>Integrating resource tokens with Azure AD requires extra work to bridge Azure AD identities and Azure Cosmos DB users. | +| Authentication | With Microsoft Entra ID. | Based on the native Azure Cosmos DB users<br>Integrating resource tokens with Microsoft Entra ID requires extra work to bridge Microsoft Entra identities and Azure Cosmos DB users. | | Authorization | Role-based: role definitions map allowed actions and can be assigned to multiple identities. | Permission-based: for each Azure Cosmos DB user, you need to assign data access permissions. |-| Token scope | An Azure AD token carries the identity of the requester. This identity is matched against all assigned role definitions to perform authorization. | A resource token carries the permission granted to a specific Azure Cosmos DB user on a specific Azure Cosmos DB resource. Authorization requests on different resources may require different tokens. | -| Token refresh | The Azure AD token is automatically refreshed by the Azure Cosmos DB SDKs when it expires. | Resource token refresh is not supported. When a resource token expires, a new one needs to be issued. | +| Token scope | A Microsoft Entra token carries the identity of the requester. This identity is matched against all assigned role definitions to perform authorization. | A resource token carries the permission granted to a specific Azure Cosmos DB user on a specific Azure Cosmos DB resource. Authorization requests on different resources may require different tokens. | +| Token refresh | The Microsoft Entra token is automatically refreshed by the Azure Cosmos DB SDKs when it expires. | Resource token refresh is not supported. When a resource token expires, a new one needs to be issued. 
| ## Add users and assign roles |
cosmos-db | Serverless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/serverless.md | You can monitor consumption by viewing a chart in your Azure Cosmos DB account i You can use the same [chart in Azure Monitor](monitor-request-unit-usage.md). When you use Azure Monitor, you can set up [alerts](../azure-monitor/alerts/alerts-metric-overview.md) so that you're notified when your RU consumption passes a threshold that you set. +## High availability ++Azure Cosmos DB serverless extends high availability support with availability zones in [designated regions](../../articles/reliability/availability-zones-service-support.md#azure-regions-with-availability-zone-support). The associated Service Level Agreements (SLAs) are aligned with the [Single-region writes with availability zone](../../articles/cosmos-db/high-availability.md#slas) configuration, ensuring reliability for your deployments. ++ ## Next steps To get started with using the serverless pricing option in Azure Cosmos DB, review the following articles: |
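Review bot: the two links in the new High availability section use `../../articles/...` paths, while the rest of this file links sibling services one level up (`../azure-monitor/alerts/...` on the same line) and same-directory files by name. Use `../reliability/availability-zones-service-support.md#azure-regions-with-availability-zone-support` and `high-availability.md#slas` so these links resolve the same way as the others in serverless.md.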
cosmos-db | Synapse Link Power Bi | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/synapse-link-power-bi.md | Next open the Power BI desktop and connect to the serverless SQL endpoint by usi 1. Enter the name of the SQL endpoint where the database is located. Enter `SynapseLinkBI-ondemand.sql.azuresynapse.net` within the **Server** field. In this example, **SynapseLinkBI** is name of the workspace. Replace it if you have given a different name to your workspace. Select **Direct Query** for data connectivity mode and then **OK**. -1. Select the preferred authentication method such as Azure AD. +1. Select the preferred authentication method such as Microsoft Entra ID. 1. Select the **RetailCosmosDB** database and the **RetailSales**, **StoreDemographics** views. |
cost-management-billing | Understand Usage Details Fields | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/understand-usage-details-fields.md | Some fields might differ in casing and spacing between account types. Older vers MCA customers can use the following information to reconcile charges between billing and pricing currencies. -1. Manually calculate the CostInPricingCurrency by: `(EffectivePrice)` * `(Quantity)` -2. Convert the calculated CostInPricingCurrency to the CostInBillingCurrency by: `(CalculatedCostinPricingCurrency)` * `(ExchangeRatePricingToBilling)` +1. Manually calculate the `CostInPricingCurrency` by: `(EffectivePrice)` * `(Quantity)` +2. Convert the calculated `CostInPricingCurrency` to the `CostInBillingCurrency` by: `(CalculatedCostinPricingCurrency)` * `(ExchangeRatePricingToBilling)` 3. Summarize the values that you calculated for `CostInBillingCurrency` and compare them to the invoice. |
cost-management-billing | Tutorial Azure Hybrid Benefits Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/scope-level/tutorial-azure-hybrid-benefits-sql.md | Title: Tutorial - Optimize centrally managed Azure Hybrid Benefit for SQL Server description: This tutorial guides you through proactively assigning SQL Server licenses in Azure to manage and optimize Azure Hybrid Benefit. Previously updated : 04/25/2022 Last updated : 10/12/2023 An optional, but useful, method to investigate your Azure SQL usage (including u ### Determine the number of eligible SQL Server core licenses available to assign to Azure -The quantity depends on how many licenses, with Software Assurance or subscription, that you purchased and how many are already in use outside Azure, usually on-premises. +The quantity depends on how many licenses, with Software Assurance or subscription, that you purchased and how many are already in use outside Azure, on-premises. Your software procurement or software asset management department is likely to have this information. Your software procurement or software asset management department is likely to h ## Buy more licenses if needed -After reviewing the information gathered, if determine that the number of SQL Server licenses available is insufficient to cover planned Azure SQL usage, then talk to your procurement department to buy more SQL Server core licenses with Software Assurance (or subscription licenses). +After reviewing the information gathered, if you determine that the number of SQL Server licenses available is insufficient to cover planned Azure SQL usage, then talk to your procurement department to buy more SQL Server core licenses with Software Assurance (or subscription licenses). -Buying SQL Server licenses and applying Azure Hybrid Benefit is less expensive than paying for SQL Server by the hour in Azure. 
By purchasing enough licenses to cover all planned Azure SQL usage, your organization will maximize cost savings from the benefit. +Buying SQL Server licenses and applying Azure Hybrid Benefit is less expensive than paying for SQL Server by the hour in Azure. By purchasing enough licenses to cover all planned Azure SQL usage, your organization maximizes cost savings from the benefit. ## Assign licenses to Azure Buying SQL Server licenses and applying Azure Hybrid Benefit is less expensive t 1. Navigate to **Cost Management + Billing** > **Reservations + Hybrid Benefits**. 1. A table is shown that includes the Azure Hybrid Benefit licenses assignments that you've made and the utilization percentage of each one.-1. If any of the utilization percentages are 100%, that means your organization is paying hourly rates for some SQL Server resources. Engage with other groups in your organization again to confirm whether current usage levels are temporary or if they'll continue. If the latter, your organization should consider purchasing more licenses and assigning them to Azure to reduce cost. +1. If any of the utilization percentages are 100%, then your organization is paying hourly rates for some SQL Server resources. Engage with other groups in your organization again to confirm whether current usage levels are temporary or if they're expected to continue. If the latter, your organization should consider purchasing more licenses and assigning them to Azure to reduce cost. 1. If utilization approaches 100%, but doesn't exceed it, determine whether usage is expected to rise in the near term. If so, you can proactively acquire and assign more licenses. ## Establish a management schedule The preceding section discusses ongoing monitoring. We also recommend that you e ### License assignment review date -After you assign licenses and set a review date, Microsoft later sends you email notifications to let you know that the license assignment will expire. 
+After you assign a license and set a review date, the license assignment automatically expires 90 days after the review date. The license assignment becomes inactive and no longer applies 90 days after expiration. -Email notifications are sent: +Microsoft sends email notifications: - 90 days before expiration - 30 days before expiration-- 7 days before expiration+- Seven days before expiration -No notification is sent on the review date. The license assignment becomes inactive and no longer applies 90 days after expiration. +Before the license assignment expires, you can set the review date to a future date so that you continue to receive the benefit. When the license assignment expires, you're charged with pay-as-you-go prices. To change the review date, use the following steps: ++1. Sign in to the Azure portal and navigate to **Cost Management + Billing**. +2. Select a license assignment that you want to change the review date for. +3. Select the review date. +4. Fill the review date and select **Save**. ++No notification is sent on the review date. ## Example walkthrough In the following example, assume that you're the billing administrator for the Contoso Insurance company. You manage Contoso's Azure Hybrid Benefit for SQL Server. -You're informed by your procurement department that you can centrally manage Azure Hybrid Benefit for SQL server at an overall account level. Procurement learned about it from their Microsoft account team. You're interested because it's been challenging to manage Azure Hybrid Benefit lately. In part, because your developers have been enabling the benefit (or not) arbitrarily on resources as they share scripts with each other. +Your procurement department informs you that you can centrally manage Azure Hybrid Benefit for SQL server at an overall account level. Procurement learned about it from their Microsoft account team. You're interested because it's been challenging to manage Azure Hybrid Benefit lately. 
In part, because your developers have been enabling the benefit (or not) arbitrarily on resources as they share scripts with each other. You locate the new Azure Hybrid Benefit experience in the Cost Management + Billing area of the Azure portal. Then, do the following steps. 1. Use the preceding instructions to make sure self-installed SQL VMs are registered. They include talking to subscription owners to complete the registration for the subscriptions where you don't have sufficient permissions. 1. You review Azure resource usage data from recent months and you talk to others in Contoso. You determine that 2000 SQL Server Enterprise Edition and 750 SQL Server Standard Edition core licenses, or 8750 normalized cores, are needed to cover expected Azure SQL usage for the next year. Expected usage also includes migrating workloads (1500 SQL Server Enterprise Edition + 750 SQL Server Standard Edition = 6750 normalized) and net new Azure SQL workloads (another 500 SQL Server Enterprise Edition or 2000 normalized cores).-1. Next, confirm with your with procurement team that the needed licenses are already available or will soon be purchased. The confirmation ensures that the licenses are available to assign to Azure. +1. Next, confirm with your with procurement team that the needed licenses are already available or that they're planned to get purchased. The confirmation ensures that the licenses are available to assign to Azure. - Licenses you have in use on premises can be considered available to assign to Azure if the associated workloads are being migrated to Azure. As mentioned previously, Azure Hybrid Benefit allows dual use for up to 180 days.- - You determine that there are 1800 SQL Server Enterprise Edition licenses and 2000 SQL Server Standard Edition licenses available to assign to Azure. The available licenses equal 9200 normalized cores. That's a little more than the 8750 needed (2000 x 4 + 750 = 8750). 
+ - You determine that there are 1800 SQL Server Enterprise Edition licenses and 2000 SQL Server Standard Edition licenses available to assign to Azure. The available licenses equal 9200 normalized cores. That value is a little more than the 8750 needed (2000 x 4 + 750 = 8750). 1. Then, you assign the 1800 SQL Server Enterprise Edition and 2000 SQL Server Standard Edition to Azure. That action results in 9200 normalized cores that the system can apply to Azure SQL resources as they run each hour. Assigning more licenses than are required now provides a buffer if usage grows faster than you expect. Afterward, you monitor assigned license usage periodically, ideally monthly. After 10 months, usage approaches 95%, indicating faster Azure SQL usage growth than you expected. You talk to your procurement team to get more licenses so that you can assign them. |
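Review bot: duplicated word in the rewritten step "Next, confirm with your with procurement team"; the replacement line kept the original's doubled "with", and this hunk is the place to fix it: `Next, confirm with your procurement team that the needed licenses...`.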
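Review bot: the rewritten review-date paragraph stacks two 90-day periods: the new first sentence says the assignment expires 90 days after the review date, and the sentence kept after it says it becomes inactive 90 days after expiration, which reads as 180 days after the review date. State one timeline (when the assignment stops applying) and drop the duplicate. In the same hunk, "Fill the review date and select **Save**" should read "Enter the review date and select **Save**", and "you're charged with pay-as-you-go prices" should be "you're charged at pay-as-you-go prices".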
data-factory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/whats-new-archive.md | This archive page retains updates from older months. Check out our [What's New video archive](https://www.youtube.com/playlist?list=PLt4mCx89QIGS1rQlNt2-7iuHHAKSomVLv) for all of our monthly update +## February 2023 ++### Data movement ++- Anonymous authentication type supported for Azure Blob storage [Learn more](connector-azure-blob-storage.md?tabs=data-factory#anonymous-authentication) +- Updated SAP template to easily move SAP data to ADLSGen2 in Delta format [Learn more](industry-sap-templates.md) ++### Monitoring ++Container monitoring view available in default ADF studio [Learn more](how-to-manage-studio-preview-exp.md#container-view) ++### Orchestration ++- Set pipeline output value (Public preview) [Learn more](tutorial-pipeline-return-value.md) +- Managed Airflow (Public preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-managed-airflow-in-azure-data-factory/ba-p/3730151) ++### Developer productivity ++Dark theme support added (Public preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-dark-mode-for-adf-studio/ba-p/3757961) + ## January 2023 ### Data flow |
data-factory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/whats-new.md | This page is updated monthly, so revisit it regularly. For older months' update Check out our [What's New video archive](https://www.youtube.com/playlist?list=PLt4mCx89QIGS1rQlNt2-7iuHHAKSomVLv) for all of our monthly update videos. +## September 2023 ++### Pipelines ++Added support for metadata driven pipelines for dynamic full and incremental processing in Azure SQL [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/metadata-driven-pipelines-for-dynamic-full-and-incremental/ba-p/3925362) + ## August 2023 ### Change Data Capture The Azure Blob Storage connector now supports anonymous authentication. [Learn m Azure Data Lake Storage Gen2 connector now supports shared access signature authentication. [Learn more](connector-azure-data-lake-storage.md#shared-access-signature-authentication) -## February 2023 --### Data movement --- Anonymous authentication type supported for Azure Blob storage [Learn more](connector-azure-blob-storage.md?tabs=data-factory#anonymous-authentication)-- Updated SAP template to easily move SAP data to ADLSGen2 in Delta format [Learn more](industry-sap-templates.md)--### Monitoring --Container monitoring view available in default ADF studio [Learn more](how-to-manage-studio-preview-exp.md#container-view) --### Orchestration --- Set pipeline output value (Public preview) [Learn more](tutorial-pipeline-return-value.md)-- Managed Airflow (Public preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-managed-airflow-in-azure-data-factory/ba-p/3730151)--### Developer productivity --Dark theme support added (Public preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-dark-mode-for-adf-studio/ba-p/3757961) - ## More information - [What's new archive](whats-new-archive.md) |
databox-online | Azure Stack Edge Gpu 2309 Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-2309-release-notes.md | This article applies to the **Azure Stack Edge 2309** release, which maps to sof > [!Warning] > In this release, you must update the packet core version to AP5GC 2308 before you update to Azure Stack Edge 2309. For detailed steps, see [Azure Private 5G Core 2308 release notes](../private-5g-core/azure-private-5g-core-release-notes-2308.md).-> If you update to Azure Stack Edge 2309 before updating to Packet Core 2308.0.1, you will experience a total system outage. In this case, you must delete and re-create the Azure Kubernetes service cluster on your Azure Stack Edge device. +> If you update to Azure Stack Edge 2309 before updating to Packet Core 2308.0.1, you will experience a total system outage. In this case, you must delete and re-create the Azure Kubernetes service cluster on your Azure Stack Edge device. +> Each time you change the Kubernetes workload profile, you are prompted for the Kubernetes update. Go ahead and apply the update. ## Supported update paths The 2309 release has the following new features and enhancements: | No. | Feature | Issue | Workaround/comments | | | | | |-|**1.**|AKS Update |The AKS Kubernetes update may fail if the one of the AKS VMs are not running. This issue may be seen in the 2-node cluster. |If the AKS update has failed, [Connect to the PowerShell interface of the device](azure-stack-edge-gpu-connect-powershell-interface.md). Check the state of the Kubernetes VMs by running `Get-VM` cmdlet. If the VM is off, run the `Start-VM` cmdlet to restart the VM. Once the Kubernetes VM is running, reapply the update. | +|**1.**|AKS Update |The AKS Kubernetes update might fail if the one of the AKS VMs are not running. This issue might be seen in the 2-node cluster. 
|If the AKS update has failed, [Connect to the PowerShell interface of the device](azure-stack-edge-gpu-connect-powershell-interface.md). Check the state of the Kubernetes VMs by running `Get-VM` cmdlet. If the VM is off, run the `Start-VM` cmdlet to restart the VM. Once the Kubernetes VM is running, reapply the update. | ## Known issues from previous releases The following table provides a summary of known issues carried over from the pre | No. | Feature | Issue | Workaround/comments | | | | | | | **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <br> 1. In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**<br> 2. Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). <br> 3. Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.<br> 4. Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd". After this, steps 3-4 from the current documentation should be identical. |-| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs. These actions can result in the updated sections of the blob to not get updated in the cloud. 
<br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.| +| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, might result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs. These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.| |**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error will show as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: can't create directory 'test': Permission deniedΓÇï| |**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.| |**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<br> - Only block blobs are supported. 
Page blobs aren't supported.<br> - There's no snapshot or copy API support.<br> - Hadoop workload ingestion through `distcp` isn't supported as it uses the copy operation heavily.||-|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you may see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.| +|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you might see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.| |**7.**|Kubernetes cluster|When applying an update on your device that is running a Kubernetes cluster, the Kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You'll need to restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.| |**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).| |**9.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. 
Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Don't use reserved IPs.| |**10.**|Kubernetes |Kubernetes doesn't currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|-|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules may require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).| +|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules might require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).| |**12.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts can't be bound to paths in IoT Edge containers. 
If possible, map the parent directory.| |**13.**|Kubernetes |If you bring your own certificates for IoT Edge and add those certificates on your Azure Stack Edge device after the compute is configured on the device, the new certificates aren't picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|-|**14.**|Certificates |In certain instances, certificate state in the local UI may take several seconds to update. |The following scenarios in the local UI may be affected. <br> - **Status** column in **Certificates** page. <br> - **Security** tile in **Get started** page. <br> - **Configuration** tile in **Overview** page.<br> | +|**14.**|Certificates |In certain instances, certificate state in the local UI might take several seconds to update. |The following scenarios in the local UI might be affected. <br> - **Status** column in **Certificates** page. <br> - **Security** tile in **Get started** page. <br> - **Configuration** tile in **Overview** page.<br> | |**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| | |**16.**|Web proxy |NTLM authentication-based web proxy isn't supported. ||-|**17.**|Internet Explorer|If enhanced security features are enabled, you may not be able to access local web UI pages. | Disable enhanced security, and restart your browser.| +|**17.**|Internet Explorer|If enhanced security features are enabled, you might not be able to access local web UI pages. | Disable enhanced security, and restart your browser.| |**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. 
This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)| |**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). | |**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| | The following table provides a summary of known issues carried over from the pre |**24.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting isn't retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. | |**25.**|Wi-Fi |Wi-Fi doesn't work on Azure Stack Edge Pro 2 in this release. | |**26.**|Azure IoT Edge |The managed Azure IoT Edge solution on Azure Stack Edge is running on an older, obsolete IoT Edge runtime that is at end of life. For more information, see [IoT Edge v1.1 EoL: What does that mean for me?](https://techcommunity.microsoft.com/t5/internet-of-things-blog/iot-edge-v1-1-eol-what-does-that-mean-for-me/ba-p/3662137). Although the solution does not stop working past end of life, there are no plans to update it. 
|To run the latest version of Azure IoT Edge [LTSs](../iot-edge/version-history.md#version-history) with the latest updates and features on their Azure Stack Edge, we **recommend** that you deploy a [customer self-managed IoT Edge solution](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md) that runs on a Linux VM. For more information, see [Move workloads from managed IoT Edge on Azure Stack Edge to an IoT Edge solution on a Linux VM](azure-stack-edge-move-to-self-service-iot-edge.md). |-|**27.**|AKS on Azure Stack Edge |When you update your AKS on Azure Stack Edge deployment from a previous preview version to 2303 release, there is an additional nodepool rollout. |The update may take longer. | +|**27.**|AKS on Azure Stack Edge |When you update your AKS on Azure Stack Edge deployment from a previous preview version to 2303 release, there is an additional nodepool rollout. |The update might take longer. | |**28.**|Azure portal |When the Arc deployment fails in this release, you will see a generic *NO PARAM* error code, as all the errors are not propagated in the portal. |There is no workaround for this behavior in this release. | |**29.**|AKS on Azure Stack Edge |In this release, you can't modify the virtual networks once the AKS cluster is deployed on your Azure Stack Edge cluster.| To modify the virtual network, you will need to delete the AKS cluster, then modify virtual networks, and then recreate AKS cluster on your Azure Stack Edge. | |**30.**|AKS on Azure Stack Edge |In this release, attaching the PVC takes a long time. As a result, some pods that use persistent volumes (PVs) come up slowly after the host reboots. |A workaround is to restart the nodepool VM by connecting via the Windows PowerShell interface of the device. | |
databox-online | Azure Stack Edge Gpu Install Update | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-install-update.md | In Azure portal, the process will require two clicks, the first update gets your From the local UI, you will have to run each update separately: update the device version to 2303, update Kubernetes version to 2210, update Kubernetes version to 2303, and then the third update gets both the device version and Kubernetes version to 2309. +Each time you change the Kubernetes profile, you are prompted for the Kubernetes update. Go ahead and apply the update. + ### Updates for a single-node vs two-node The procedure to update an Azure Stack Edge is the same whether it is a single-node device or a two-node cluster. This applies both to the Azure portal or the local UI procedure. - **Single node** - For a single node device, installing an update or hotfix is disruptive and will restart your device. Your device will experience a downtime for the entire duration of the update. -- **Two-node** - For a two-node cluster, this is an optimized update. The two-node cluster may experience short, intermittent disruptions while the update is in progress. We recommend that you shouldn't perform any operations on the device node when update is in progress. +- **Two-node** - For a two-node cluster, this is an optimized update. The two-node cluster might experience short, intermittent disruptions while the update is in progress. We recommend that you shouldn't perform any operations on the device node when update is in progress. The Kubernetes worker VMs will go down when a node goes down. The Kubernetes master VM will fail over to the other node. Workloads will continue to run. For more information, see [Kubernetes failover scenarios for Azure Stack Edge](azure-stack-edge-gpu-kubernetes-failover-scenarios.md). We recommend that you install updates through the Azure portal. 
The device autom > - Make sure that the device is healthy and status shows as **Your device is running fine!** before you proceed to install the updates. -Depending on the software version that you are running, install process may differ slightly. +Depending on the software version that you are running, install process might differ slightly. - If you are updating from 2106 to 2110 or later, you will have a one-click install. See the **version 2106 and later** tab for instructions. - If you are updating to versions prior to 2110, you will have a two-click install. See **version 2105 and earlier** tab for instructions. |
databox-online | Azure Stack Edge Reset Reactivate Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-reset-reactivate-device.md | To wipe the data off the data disks of your device, you need to reset your devic Before you reset, create a copy of the local data on the device if needed. You can copy the data from the device to an Azure Storage container. >[!IMPORTANT]-> Resetting your device will erase all local data and workloads from your device, and that can't be reversed. Reset your device only if you want to start afresh with the device. +> - Resetting your device will erase all local data and workloads from your device, and that can't be reversed. Reset your device only if you want to start afresh with the device. +> - If running AP5GC/SAP Kubernetes workload profiles and you updated your Azure Stack Edge to 2309, and reset your Azure Stack Edge device, you see the following behavior: +> -- In the local web UI, if you go to Software updates page, you see that the Kubernetes version is unavailable. +> -- In Azure portal, you are prompted to apply a Kubernetes update. +> Go ahead and apply the Kubernetes update. +> -- After device reset, you must select a Kubernetes workload profile again. Otherwise, the default "Other workloads" profile will be applied. For more information, see [Configure compute IPs](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md?pivots=two-node#configure-compute-ips-1). You can reset your device in the local web UI or in PowerShell. For PowerShell instructions, see [Reset your device](./azure-stack-edge-connect-powershell-interface.md#reset-your-device). |
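Review bot: In the new IMPORTANT block the nested items are written as `> -- In the local web UI, ...` and `> -- In Azure portal, ...`; a double hyphen is not a Markdown list marker, so these render as literal "--" text run into the parent bullet rather than as sub-bullets. Indent them under the parent bullet as `>   - In the local web UI, ...`, and fold the stray line `> Go ahead and apply the Kubernetes update.` into the preceding sub-bullet so it does not read as a separate paragraph. The lead sentence ("If running AP5GC/SAP Kubernetes workload profiles and you updated your Azure Stack Edge to 2309, and reset your Azure Stack Edge device, you see the following behavior") would also read more cleanly as "If you run the AP5GC or SAP Kubernetes workload profile, updated the device to 2309, and then reset it, you see the following behavior:".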
dev-box | Concept Dev Box Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/concept-dev-box-concepts.md | IT administrators and platform engineers configure the network that's used for d When you're creating a network connection, you must choose the Active Directory join type: -- If your dev boxes need to connect exclusively to cloud-based resources, use native Azure Active Directory (Azure AD).-- If your dev boxes need to connect to on-premises resources and cloud-based resources, use hybrid Azure AD.+- If your dev boxes need to connect exclusively to cloud-based resources, use native Microsoft Entra ID. +- If your dev boxes need to connect to on-premises resources and cloud-based resources, use hybrid Microsoft Entra ID. -To learn more about native Azure AD join and hybrid Azure AD join, see [Plan your Azure Active Directory device deployment](../active-directory/devices/plan-device-deployment.md). +To learn more about native Microsoft Entra join and Microsoft Entra hybrid join, see [Plan your Microsoft Entra device deployment](../active-directory/devices/plan-device-deployment.md). The virtual network specified in a network connection also determines the region for a dev box. You can create multiple network connections based on the regions where you support developers. You can then use those connections when you're creating dev box pools to ensure that dev box users create dev boxes in a region close to them. Using a region close to the dev box user provides the best experience. |
dev-box | How To Authenticate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/how-to-authenticate.md | Last updated 09/07/2023 > Before authenticating, ensure that the user or identity has the appropriate permissions to perform the desired action. For more information, see [configuring project admins](./how-to-project-admin.md) and [configuring Dev Box users](./how-to-dev-box-user.md). -## Using Azure AD authentication for REST APIs +<a name='using-azure-ad-authentication-for-rest-apis'></a> -Use the following procedures to authenticate with Azure AD. You can follow along in [Azure Cloud Shell](../../articles/cloud-shell/quickstart.md), on an Azure virtual machine, or on your local machine. +## Using Microsoft Entra authentication for REST APIs ++Use the following procedures to authenticate with Microsoft Entra ID. You can follow along in [Azure Cloud Shell](../../articles/cloud-shell/quickstart.md), on an Azure virtual machine, or on your local machine. ### Sign in to the user's Azure subscription -Start by authenticating with Azure AD by using the Azure CLI. This step isn't required in Azure Cloud Shell. +Start by authenticating with Microsoft Entra ID by using the Azure CLI. This step isn't required in Azure Cloud Shell. ```azurecli az login ``` -The command opens a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and password. +The command opens a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and password. Next, set the correct subscription context. If you authenticate from an incorrect subscription or tenant you may receive unexpected 403 Forbidden errors. 
az account set --subscription <subscription_id> ``` -### Retrieve the Azure AD access token +<a name='retrieve-the-azure-ad-access-token'></a> ++### Retrieve the Microsoft Entra access token -Use the Azure CLI to acquire an access token for the Azure AD authenticated user. +Use the Azure CLI to acquire an access token for the Microsoft Entra authenticated user. Note that the resource ID is different depending on if you are accessing administrator (control plane) APIs or developer (data plane) APIs. For administrator APIs, use the following command: For developer APIs, use the following command: az account get-access-token --resource https://devcenter.azure.com ``` -After authentication is successful, Azure AD returns an access token for current Azure subscription: +After authentication is successful, Microsoft Entra ID returns an access token for current Azure subscription: ```json { The token is a Base64 string. The token is valid for at least 5 minutes with the To access REST APIs, you must set the Authorization header on your request. The header value should be the string `Bearer` followed by a space and the token you received in the previous step. ## Next steps-- Review [Azure Active Directory fundamentals](../../articles/active-directory/fundamentals/whatis.md).+- Review [Microsoft Entra fundamentals](../../articles/active-directory/fundamentals/whatis.md). |
dev-box | How To Configure Network Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/how-to-configure-network-connections.md | When you're planning network connectivity for your dev boxes, you must: - Ensure that you have sufficient permissions to create and configure network connections. - Ensure that you have at least one virtual network and subnet available for your dev boxes. - Identify the region or location that's closest to your dev box users. Deploying dev boxes into a region that's close to users gives them a better experience.-- Determine whether dev boxes should connect to your existing networks by using Azure Active Directory (Azure AD) join or hybrid Azure AD join.+- Determine whether dev boxes should connect to your existing networks by using Microsoft Entra join or Microsoft Entra hybrid join. ## Permissions The following sections show you how to create and configure a network connection The Dev Box service requires a configured and working Active Directory join, which defines how dev boxes join your domain and access resources. There are two choices: -- **Azure AD join**: If your organization uses Azure AD, you can use an Azure AD join (sometimes called a native Azure AD join). Dev box users sign in to Azure AD-joined dev boxes by using their Azure AD account and access resources based on the permissions assigned to that account. Azure AD join enables access to cloud-based and on-premises apps and resources.+- **Microsoft Entra join**: If your organization uses Microsoft Entra ID, you can use a Microsoft Entra join (sometimes called a native Microsoft Entra join). Dev box users sign in to Microsoft Entra joined dev boxes by using their Microsoft Entra account and access resources based on the permissions assigned to that account. Microsoft Entra join enables access to cloud-based and on-premises apps and resources. 
- For more information, see [Plan your Azure Active Directory join deployment](../active-directory/devices/device-join-plan.md). -- **Hybrid Azure AD join**: If your organization has an on-premises Active Directory implementation, you can still benefit from some of the functionality in Azure AD by using hybrid Azure AD-joined dev boxes. These dev boxes are joined to your on-premises Active Directory instance and registered with Azure AD.+ For more information, see [Plan your Microsoft Entra join deployment](../active-directory/devices/device-join-plan.md). +- **Microsoft Entra hybrid join**: If your organization has an on-premises Active Directory implementation, you can still benefit from some of the functionality in Microsoft Entra ID by using Microsoft Entra hybrid joined dev boxes. These dev boxes are joined to your on-premises Active Directory instance and registered with Microsoft Entra ID. - Hybrid Azure AD-joined dev boxes require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. + Microsoft Entra hybrid joined dev boxes require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. - For more information, see [Plan your hybrid Azure Active Directory join deployment](../active-directory/devices/hybrid-join-plan.md). + For more information, see [Plan your Microsoft Entra hybrid join deployment](../active-directory/devices/hybrid-join-plan.md). ### Create a network connection Follow the steps on the relevant tab to create your network connection. -#### [**Azure AD join**](#tab/AzureADJoin/) +<a name='azure-ad-join'></a> ++#### [**Microsoft Entra join**](#tab/AzureADJoin/) 1. Sign in to the [Azure portal](https://portal.azure.com). Follow the steps on the relevant tab to create your network connection. 
|Name|Value| |-|-|- |**Domain join type**|Select **Azure active directory join**.| + |**Domain join type**|Select **Microsoft Entra join**.| |**Subscription**|Select the subscription in which you want to create the network connection.| |**ResourceGroup**|Select an existing resource group, or select **Create new** and then enter a name for the new resource group.| |**Name**|Enter a descriptive name for the network connection.| |**Virtual network**|Select the virtual network that you want the network connection to use.| |**Subnet**|Select the subnet that you want the network connection to use.| - :::image type="content" source="./media/how-to-manage-network-connection/create-native-network-connection-full-blank.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, with the option for Azure Active Directory join selected."::: + :::image type="content" source="./media/how-to-manage-network-connection/create-native-network-connection-full-blank.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, with the option for Microsoft Entra join selected."::: 1. Select **Review + Create**. Follow the steps on the relevant tab to create your network connection. 1. When the deployment is complete, select **Go to resource**. Confirm that the connection appears on the **Network connections** page. -#### [**Hybrid Azure AD join**](#tab/HybridAzureADJoin/) +<a name='hybrid-azure-ad-join'></a> ++#### [**Microsoft Entra hybrid join**](#tab/HybridAzureADJoin/) 1. Sign in to the [Azure portal](https://portal.azure.com). Follow the steps on the relevant tab to create your network connection. 
|Name|Value| |-|-|- |**Domain join type**|Select **Hybrid Azure active directory join**.| + |**Domain join type**|Select **Microsoft Entra hybrid join**.| |**Subscription**|Select the subscription in which you want to create the network connection.| |**ResourceGroup**|Select an existing resource group, or select **Create new** and then enter a name for the new resource group.| |**Name**|Enter a descriptive name for the network connection.| Follow the steps on the relevant tab to create your network connection. |**AD username UPN**| Enter the username, in user principal name (UPN) format, that you want to use for connecting Cloud PCs to your Active Directory domain. For example: `svcDomainJoin@corp.contoso.com`. This service account must have permission to join computers to the domain and the target OU (if one is set). | |**AD domain password**| Enter the password for the user. | - :::image type="content" source="./media/how-to-manage-network-connection/create-hybrid-network-connection-full-blank.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, with the option for hybrid Azure Active Directory join selected."::: + :::image type="content" source="./media/how-to-manage-network-connection/create-hybrid-network-connection-full-blank.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, with the option for Microsoft Entra hybrid join selected."::: 1. Select **Review + Create**. |
dev-box | Overview What Is Microsoft Dev Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/overview-what-is-microsoft-dev-box.md | Dev Box has the following benefits for IT admins: - Dev boxes automatically enroll in Intune. Use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to manage dev boxes. - Keep all Windows devices up to date by using expedited quality updates in Intune to deploy zero-day patches across your organization. - If a dev box is compromised, isolate it while helping users get backup and running on a new dev box.-- Dev Box provides secure access in a secure environment. Access controls in Azure Active Directory (Azure AD) organize access by project or user type:- - Join dev boxes natively to an Azure AD or Active Directory domain. +- Dev Box provides secure access in a secure environment. Access controls in Microsoft Entra ID organize access by project or user type: + - Join dev boxes natively to a Microsoft Entra ID or Active Directory domain. - Set conditional access policies that require users to connect via a compliant device. - Require multifactor authentication at sign-in. - Configure risk-based sign-in policies for dev boxes that access sensitive source code and customer data. This diagram shows the components of the Dev Box service and the relationships b Dev Box service configuration begins with the creation of a dev center, which represents the units of organization in the enterprise. Dev centers are logical containers to help organize dev box resources. There's no limit on the number of dev centers that you can create, but most organizations need only one. -Azure network connections enable dev boxes to communicate with your organization's network. The network connection provides a link between the dev center and your organization's virtual networks. In the network connection, you define how a dev box joins Azure AD. 
Use an Azure AD join to connect exclusively to cloud-based resources, or use a hybrid Azure AD join to connect to on-premises resources and cloud-based resources. +Azure network connections enable dev boxes to communicate with your organization's network. The network connection provides a link between the dev center and your organization's virtual networks. In the network connection, you define how a dev box joins Microsoft Entra ID. Use a Microsoft Entra join to connect exclusively to cloud-based resources, or use a Microsoft Entra hybrid join to connect to on-premises resources and cloud-based resources. Dev box definitions define the configuration of the dev boxes that are available to users. You can use an image from Azure Marketplace, like the **Visual Studio 2022 Enterprise on Windows 11 Enterprise + Microsoft 365 Apps 22H2** image. Or you can create your own custom image and store it in Azure Compute Gallery. Specify a SKU with compute and storage to complete the dev box definition. |
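Review bot: The rewritten bullet "Join dev boxes natively to a Microsoft Entra ID or Active Directory domain" reads as if Microsoft Entra ID were a domain, which it is not; the original "an Azure AD or Active Directory domain" had the same ambiguity, and the rename makes it more visible. Suggest `  - Join dev boxes natively to Microsoft Entra ID or to an Active Directory domain.` The network-connection paragraph in the same hunk ("define how a dev box joins Microsoft Entra ID ... use a Microsoft Entra join ... or use a Microsoft Entra hybrid join") is consistent with the naming used in the other dev-box articles in this batch and needs no change.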
dev-box | Quickstart Configure Dev Box Arm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-configure-dev-box-arm-template.md | If your environment meets the prerequisites and you're familiar with using ARM t - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. - Owner or Contributor role on an Azure subscription or resource group.-- Entra AD. Your organization must use Entra AD for identity and access management.+- Microsoft Entra AD. Your organization must use Microsoft Entra AD for identity and access management. ## Review the template |
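Review bot: "Microsoft Entra AD" in the replaced prerequisite line is not a product name; the service is "Microsoft Entra ID", which is what the sibling quickstart (quickstart-configure-dev-box-service.md) in this same batch uses. Suggest `- Microsoft Entra ID. Your organization must use Microsoft Entra ID for identity and access management.` Worth a search of the batch for any other "Entra AD" leftovers from the find-and-replace.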
dev-box | Quickstart Configure Dev Box Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-configure-dev-box-service.md | To complete this quickstart, you need: - An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. - Owner or Contributor role on an Azure subscription or resource group.-- Azure AD. Your organization must use Azure AD for identity and access management.-- User licenses. To use Dev Box, each user must be licensed for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Intune, and Azure Active Directory (Azure AD) P1. These licenses are available independently and are included in the following subscriptions:+- Microsoft Entra ID. Your organization must use Microsoft Entra ID for identity and access management. +- User licenses. To use Dev Box, each user must be licensed for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Intune, and Microsoft Entra ID P1. These licenses are available independently and are included in the following subscriptions: - Microsoft 365 F3 - Microsoft 365 E3, Microsoft 365 E5 - Microsoft 365 A3, Microsoft 365 A5 You must have a virtual network and subnet available for your network connection ### Create the network connection -You now need a [network connection](concept-dev-box-concepts.md#network-connection) to associate the virtual network and subnet with the dev center. A network connection specifies the type of join dev boxes use to join your Azure AD domain, either an Azure AD join or a hybrid Active Directory join. Choose an Azure AD join unless you have a specific requirement for a hybrid join, like connecting to on-premises resources. +You now need a [network connection](concept-dev-box-concepts.md#network-connection) to associate the virtual network and subnet with the dev center. 
A network connection specifies the type of join dev boxes use to join your Microsoft Entra domain, either a Microsoft Entra join or a hybrid Active Directory join. Choose a Microsoft Entra join unless you have a specific requirement for a hybrid join, like connecting to on-premises resources. - To determine which type of join is appropriate for your dev boxes, refer to: - - [Azure AD joined devices](../active-directory/devices/concept-directory-join.md). - - [Hybrid Azure AD joined devices](../active-directory/devices/concept-hybrid-join.md). + - [Microsoft Entra joined devices](../active-directory/devices/concept-directory-join.md). + - [Microsoft Entra hybrid joined devices](../active-directory/devices/concept-hybrid-join.md). To create the network connection, complete the steps on the relevant tab. -#### [Azure AD join](#tab/AzureADJoin/) +<a name='azure-ad-join'></a> ++#### [Microsoft Entra join](#tab/AzureADJoin/) 1. Sign in to the [Azure portal](https://portal.azure.com). To create the network connection, complete the steps on the relevant tab. 
Name|Value| |-|-|- |**Domain join type**|Select **Azure active directory join**.| + |**Domain join type**|Select **Microsoft Entra join**.| |**Subscription**|Select the subscription in which you want to create the network connection.| |**ResourceGroup**|Select an existing resource group, or select **Create new** and then enter a name for the new resource group.| |**Name**|Enter a descriptive name for your network connection.| |**Virtual network**|Select the virtual network that you want the network connection to use.| |**Subnet**|Select the subnet that you want the network connection to use.| - :::image type="content" source="./media/quickstart-configure-dev-box-service/create-nc-native-join.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, including the option for Azure Active Directory join."::: + :::image type="content" source="./media/quickstart-configure-dev-box-service/create-nc-native-join.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, including the option for Microsoft Entra join."::: 1. Select **Review + Create**. To create the network connection, complete the steps on the relevant tab. 1. When the deployment is complete, select **Go to resource**. The network connection appears on the **Network connections** page. -#### [Hybrid Azure AD join](#tab/HybridAzureADJoin/) +<a name='hybrid-azure-ad-join'></a> ++#### [Microsoft Entra hybrid join](#tab/HybridAzureADJoin/) 1. Sign in to the [Azure portal](https://portal.azure.com). To create the network connection, complete the steps on the relevant tab. 
|Name|Value| |-|-|- |**Domain join type**|Select **Hybrid Azure active directory join**.| + |**Domain join type**|Select **Microsoft Entra hybrid join**.| |**Subscription**|Select the subscription in which you want to create the network connection.| |**ResourceGroup**|Select an existing resource group, or select **Create new** and then enter a name for the new resource group.| |**Name**|Enter a descriptive name for your network connection.| To create the network connection, complete the steps on the relevant tab. |**AD username UPN**| Enter the username, in user principal name (UPN) format, that you want to use for connecting the Cloud PCs to your Active Directory domain. For example: `svcDomainJoin@corp.contoso.com`. This service account must have permission to join computers to the domain and the target OU (if one is set). | |**AD domain password**| Enter the password for the user. | - :::image type="content" source="./media/quickstart-configure-dev-box-service/create-nc-hybrid-join.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, including the option for hybrid Azure Active Directory join."::: + :::image type="content" source="./media/quickstart-configure-dev-box-service/create-nc-hybrid-join.png" alt-text="Screenshot that shows the Basics tab on the pane for creating a network connection, including the option for Microsoft Entra hybrid join."::: 1. Select **Review + Create**. You can assign the DevCenter Project Admin role by using the steps described ear In this quickstart, you configured the Microsoft Dev Box resources that are required to enable users to create their own dev boxes. To learn how to create and connect to a dev box, advance to the next quickstart: > [!div class="nextstepaction"]-> [Create a dev box](./quickstart-create-dev-box.md) +> [Create a dev box](./quickstart-create-dev-box.md) |
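Review bot: The rewritten network-connection paragraph still mixes naming: it says "join your Microsoft Entra domain, either a Microsoft Entra join or a hybrid Active Directory join", while the tab headings and the reference list in the same hunk use "Microsoft Entra join" and "Microsoft Entra hybrid join". Microsoft Entra ID is a tenant rather than a domain, so "Microsoft Entra domain" should go as well. Suggest "A network connection specifies how dev boxes join your directory: either a Microsoft Entra join or a Microsoft Entra hybrid join. Choose a Microsoft Entra join unless you have a specific requirement for a hybrid join, like connecting to on-premises resources."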
digital-twins | Concepts Apis Sdks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-apis-sdks.md | Here's some general information for calling the Azure Digital Twins APIs directl Here's some more information about authentication for API requests. * One way to generate a bearer token for Azure Digital Twins API requests is with the [az account get-access-token](/cli/azure/account#az-account-get-access-token()) CLI command. For detailed instructions, see [Get bearer token](how-to-use-postman-with-digital-twins.md#get-bearer-token).-* Requests to the Azure Digital Twins APIs require a user or service principal that is a part of the same [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) tenant where the Azure Digital Twins instance exists. To prevent malicious scanning of Azure Digital Twins endpoints, requests with access tokens from outside the originating tenant will be returned a "404 Sub-Domain not found" error message. This error will be returned even if the user or service principal was given an Azure Digital Twins Data Owner or Azure Digital Twins Data Reader role through [Azure AD B2B](../active-directory/external-identities/what-is-b2b.md) collaboration. For information on how to achieve access across multiple tenants, see [Write app authentication code](how-to-authenticate-client.md#authenticate-across-tenants). +* Requests to the Azure Digital Twins APIs require a user or service principal that is a part of the same [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) tenant where the Azure Digital Twins instance exists. To prevent malicious scanning of Azure Digital Twins endpoints, requests with access tokens from outside the originating tenant will be returned a "404 Sub-Domain not found" error message. 
This error will be returned even if the user or service principal was given an Azure Digital Twins Data Owner or Azure Digital Twins Data Reader role through [Microsoft Entra B2B](../active-directory/external-identities/what-is-b2b.md) collaboration. For information on how to achieve access across multiple tenants, see [Write app authentication code](how-to-authenticate-client.md#authenticate-across-tenants). ### SDK notes |
digital-twins | Concepts Data Explorer Plugin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-data-explorer-plugin.md | The plugin works by calling the [Azure Digital Twins Query API](/rest/api/digita >[!IMPORTANT]->The user of the plugin must be granted the **Azure Digital Twins Data Reader** role or the **Azure Digital Twins Data Owner** role, as the user's Azure AD token is used to authenticate. Information on how to assign this role can be found in [Security for Azure Digital Twins solutions](concepts-security.md#authorization-azure-roles-for-azure-digital-twins). +>The user of the plugin must be granted the **Azure Digital Twins Data Reader** role or the **Azure Digital Twins Data Owner** role, as the user's Microsoft Entra token is used to authenticate. Information on how to assign this role can be found in [Security for Azure Digital Twins solutions](concepts-security.md#authorization-azure-roles-for-azure-digital-twins). For more information on using the plugin, see the [Kusto documentation for the azure_digital_twins_query_request plugin](/azure/data-explorer/kusto/query/azure-digital-twins-query-request-plugin). |
digital-twins | Concepts Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/concepts-security.md | Azure Digital Twins also supports encryption of data at rest. ## Roles and permissions with Azure RBAC -Azure RBAC is provided to Azure Digital Twins via integration with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD). +Azure RBAC is provided to Azure Digital Twins via integration with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). -You can use Azure RBAC to grant permissions to a *security principal*, which may be a user, a group, or an application service principal. The security principal is authenticated by Azure AD, and receives an OAuth 2.0 token in return. This token can be used to authorize an access request to an Azure Digital Twins instance. +You can use Azure RBAC to grant permissions to a *security principal*, which may be a user, a group, or an application service principal. The security principal is authenticated by Microsoft Entra ID, and receives an OAuth 2.0 token in return. This token can be used to authorize an access request to an Azure Digital Twins instance. ### Authentication and authorization -With Azure AD, access is a two-step process. When a security principal (a user, group, or application) attempts to access Azure Digital Twins, the request must be *authenticated* and *authorized*. +With Microsoft Entra ID, access is a two-step process. When a security principal (a user, group, or application) attempts to access Azure Digital Twins, the request must be *authenticated* and *authorized*. 1. First, the security principal's identity is authenticated, and an OAuth 2.0 token is returned. 2. Next, the token is passed as part of a request to the Azure Digital Twins service, to authorize access to the specified resource. 
If a user attempts to perform an action not allowed by their role, they may rece ## Managed identity for accessing other resources -Setting up an [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) *managed identity* for an Azure Digital Twins instance can allow the instance to easily access other Azure AD-protected resources, such as [Azure Key Vault](../key-vault/general/overview.md). The identity is managed by the Azure platform, and doesn't require you to provision or rotate any secrets. For more about managed identities in Azure AD, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +Setting up an [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) *managed identity* for an Azure Digital Twins instance can allow the instance to easily access other Microsoft Entra protected resources, such as [Azure Key Vault](../key-vault/general/overview.md). The identity is managed by the Azure platform, and doesn't require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Azure Digital Twins supports both types of managed identities, *system-assigned* and *user-assigned*. To resolve this error, you can do one of the following actions: * See how to interact with these concepts from client application code in [Write app authentication code](how-to-authenticate-client.md). -* Read more about [Azure RBAC](../role-based-access-control/overview.md). +* Read more about [Azure RBAC](../role-based-access-control/overview.md). |
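Review bot: article error in the managed-identity `+` line: "Setting up an [Microsoft Entra ID](...) *managed identity*" should read "Setting up a [Microsoft Entra ID](...) *managed identity*" (the "an" was only correct before "Azure"). In the same line, "other Microsoft Entra protected resources" drops the hyphen the original "Azure AD-protected" had; "Microsoft Entra-protected" keeps the compound modifier readable. The final `-`/`+` pair on "* Read more about [Azure RBAC](../role-based-access-control/overview.md)." is a whitespace-only change and can be dropped from the commit.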
digital-twins | How To Authenticate Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-authenticate-client.md | -Azure Digital Twins authenticates using [Azure AD Security Tokens based on OAUTH 2.0](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). To authenticate your SDK, you'll need to get a bearer token with the right permissions to Azure Digital Twins, and pass it along with your API calls. +Azure Digital Twins authenticates using [Microsoft Entra Security Tokens based on OAUTH 2.0](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). To authenticate your SDK, you'll need to get a bearer token with the right permissions to Azure Digital Twins, and pass it along with your API calls. This article describes how to obtain credentials using the `Azure.Identity` client library. While this article shows code examples in C#, such as what you'd write for the [.NET (C#) SDK](/dotnet/api/overview/azure/digitaltwins.core-readme), you can use a version of `Azure.Identity` regardless of what SDK you're using (for more on the SDKs available for Azure Digital Twins, see [Azure Digital Twins APIs and SDKs](concepts-apis-sdks.md). Finally, complete the following configuration steps for a published Azure functi ## Authenticate across tenants -Azure Digital Twins is a service that only supports one [Azure Active Directory (Azure AD) tenant](../active-directory/develop/quickstart-create-new-tenant.md): the main tenant from the subscription where the Azure Digital Twins instance is located. +Azure Digital Twins is a service that only supports one [Microsoft Entra tenant](../active-directory/develop/quickstart-create-new-tenant.md): the main tenant from the subscription where the Azure Digital Twins instance is located. 
[!INCLUDE [digital-twins-tenant-limitation](../../includes/digital-twins-tenant-limitation.md)] Read more about how security works in Azure Digital Twins: * [Security for Azure Digital Twins solutions](concepts-security.md) Or, now that authentication is set up, move on to creating and managing models in your instance:-* [Manage DTDL models](how-to-manage-model.md) +* [Manage DTDL models](how-to-manage-model.md) |
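Review bot: "OAUTH 2.0" in the `+` link text "[Microsoft Entra Security Tokens based on OAUTH 2.0]" should be "OAuth 2.0", the standard's casing and the form the concepts-security article in this same change set uses; since the line is being rewritten, fix it in the same commit. The unchanged context sentence ending "see [Azure Digital Twins APIs and SDKs](concepts-apis-sdks.md)." is missing the closing parenthesis of the "(for more on the SDKs available ..." aside and is worth a follow-up.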
digital-twins | How To Create App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-create-app-registration.md | # Mandatory fields. Title: Create an app registration with Azure Digital Twins access -description: Create an Azure Active Directory app registration that can access Azure Digital Twins resources. +description: Create a Microsoft Entra app registration that can access Azure Digital Twins resources. Last updated 01/11/2023-This article describes how to create an [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) *app registration* that can access Azure Digital Twins. This article includes steps for the [Azure portal](https://portal.azure.com) and the [Azure CLI](/cli/azure/what-is-azure-cli). +This article describes how to create an [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) *app registration* that can access Azure Digital Twins. This article includes steps for the [Azure portal](https://portal.azure.com) and the [Azure CLI](/cli/azure/what-is-azure-cli). When working with Azure Digital Twins, it's common to interact with your instance through client applications. Those applications need to authenticate with Azure Digital Twins, and some of the [authentication mechanisms](how-to-authenticate-client.md) that apps can use involve an app registration. Start by selecting the tab below for your preferred interface. # [Portal](#tab/portal) -Navigate to [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) in the Azure portal (you can use this link or find it with the portal search bar). Select **App registrations** from the service menu, and then **+ New registration**. +Navigate to [Microsoft Entra ID](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) in the Azure portal (you can use this link or find it with the portal search bar). 
Select **App registrations** from the service menu, and then **+ New registration**. In the **Register an application** page that follows, fill in the requested values:-* **Name**: An Azure AD application display name to associate with the registration +* **Name**: a Microsoft Entra application display name to associate with the registration * **Supported account types**: Select **Accounts in this organizational directory only (Default Directory only - Single tenant)**-* **Redirect URI**: An **Azure AD application reply URL** for the Azure AD application. Add a **Public client/native (mobile & desktop)** URI for `http://localhost`. +* **Redirect URI**: An **Microsoft Entra application reply URL** for the Microsoft Entra application. Add a **Public client/native (mobile & desktop)** URI for `http://localhost`. When you're finished, select the **Register** button. Start on your app registration page in the Azure portal. 1. Select **Certificates & secrets** from the registration's menu, and then select **+ New client secret**. - :::image type="content" source="media/how-to-create-app-registration/client-secret.png" alt-text="Screenshot of the Azure portal showing an Azure AD app registration and a highlight around 'New client secret'."::: + :::image type="content" source="media/how-to-create-app-registration/client-secret.png" alt-text="Screenshot of the Azure portal showing a Microsoft Entra app registration and a highlight around 'New client secret'."::: 1. Enter whatever values you want for Description and Expires, and select **Add**. Select **Add permissions** when finished. On the **API permissions** page, verify that there's now an entry for Azure Digital Twins reflecting **Read.Write** permissions: You can also verify the connection to Azure Digital Twins within the app registration's *manifest.json*, which was automatically updated with the Azure Digital Twins information when you added the API permissions. 
To do so, select **Manifest** from the menu to view the app registration's manif These values are shown in the screenshot below: If these values are missing, retry the steps in the [section for adding the API permission](#provide-api-permissions). It's possible that your organization requires more actions from subscription own # [Portal](#tab/portal) -Here are some common potential activities that an owner or administrator on the subscription may need to do. These and other operations can be performed from the [Azure AD App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) page in the Azure portal. -* Grant admin consent for the app registration. Your organization may have **Admin Consent Required** globally turned on in Azure AD for all app registrations within your subscription. If so, the owner/administrator will need to select this button for your company on the app registration's **API permissions** page for the app registration to be valid: +Here are some common potential activities that an owner or administrator on the subscription may need to do. These and other operations can be performed from the [Microsoft Entra App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) page in the Azure portal. +* Grant admin consent for the app registration. Your organization may have **Admin Consent Required** globally turned on in Microsoft Entra ID for all app registrations within your subscription. If so, the owner/administrator will need to select this button for your company on the app registration's **API permissions** page for the app registration to be valid: :::image type="content" source="media/how-to-create-app-registration/grant-admin-consent.png" alt-text="Screenshot of the Azure portal showing the 'Grant admin consent' button under API permissions." 
lightbox="media/how-to-create-app-registration/grant-admin-consent.png"::: Here are some common potential activities that an owner or administrator on the # [CLI](#tab/cli) Here are some common potential activities that an owner or administrator on the subscription may need to do.-* Grant admin consent for the app registration. Your organization may have **Admin Consent Required** globally turned on in Azure AD for all app registrations within your subscription. If so, the owner/administrator may need to grant additional delegated or application permissions. +* Grant admin consent for the app registration. Your organization may have **Admin Consent Required** globally turned on in Microsoft Entra ID for all app registrations within your subscription. If so, the owner/administrator may need to grant additional delegated or application permissions. * Activate public client access by appending `--set publicClient=true` to a create or update command for the registration. * Set specific reply URLs for web and desktop access using the `--reply-urls` parameter. For more information on using this parameter with `az ad` commands, see the [az ad app documentation](/cli/azure/ad/app). * Allow for implicit OAuth2 authentication flows using the `--oauth2-allow-implicit-flow` parameter. For more information on using this parameter with `az ad` commands, see the [az ad app documentation](/cli/azure/ad/app). For more information about app registration and its different setup options, see ## Next steps -In this article, you set up an Azure AD app registration that can be used to authenticate client applications with the Azure Digital Twins APIs. +In this article, you set up a Microsoft Entra app registration that can be used to authenticate client applications with the Azure Digital Twins APIs. 
Next, read about authentication mechanisms, including one that uses app registrations and others that don't:-* [Write app authentication code](how-to-authenticate-client.md) +* [Write app authentication code](how-to-authenticate-client.md) |
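Review bot: two article errors in this hunk: "how to create an [Microsoft Entra ID](...) *app registration*" should be "a Microsoft Entra app registration" (matching the updated description field "Create a Microsoft Entra app registration"), and "**Redirect URI**: An **Microsoft Entra application reply URL**" should be "A **Microsoft Entra application reply URL**". The **Name** bullet was also changed to lowercase "a Microsoft Entra application display name" while the sibling bullets ("Select ...", "An ...") keep a capitalized first word; keep the capitalization consistent across the list.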
digital-twins | How To Create Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-create-endpoints.md | After successfully running these commands, the Event Grid topic, event hub, or S ## Endpoint options: Identity-based authentication -This section describes how to use a [managed identity for an Azure Digital Twins instance](concepts-security.md#managed-identity-for-accessing-other-resources) when forwarding events to supported routing destinations. Setting up a managed identity isn't required for routing, but it can help the instance to easily access other Azure AD-protected resources, such as [Event Hubs](../event-hubs/event-hubs-about.md), [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md) destinations, and [Azure Storage Container](../storage/blobs/storage-blobs-introduction.md). Managed identities can be *system-assigned* or *user-assigned*. +This section describes how to use a [managed identity for an Azure Digital Twins instance](concepts-security.md#managed-identity-for-accessing-other-resources) when forwarding events to supported routing destinations. Setting up a managed identity isn't required for routing, but it can help the instance to easily access other Microsoft Entra protected resources, such as [Event Hubs](../event-hubs/event-hubs-about.md), [Service Bus](../service-bus-messaging/service-bus-messaging-overview.md) destinations, and [Azure Storage Container](../storage/blobs/storage-blobs-introduction.md). Managed identities can be *system-assigned* or *user-assigned*. The rest of this section walks through three steps for setting up an endpoint with a managed identity. |
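Review bot: "other Microsoft Entra protected resources" in the `+` line loses the hyphen of the original "Azure AD-protected resources"; "Microsoft Entra-protected resources" keeps the compound modifier unambiguous and matches how the same phrase should be rendered in the concepts-security article of this change set.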
digital-twins | How To Move Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-move-regions.md | The exact resources you need to edit depends on your scenario, but here are some * Azure Maps. * IoT Hub Device Provisioning Service. * Personal or company apps outside of Azure, such as the client app created in [Code a client app](tutorial-code.md), that connect to the instance and call Azure Digital Twins APIs.-* Azure AD app registrations don't need to be recreated. If you're using an [app registration](./how-to-create-app-registration.md) to connect to the Azure Digital Twins APIs, you can reuse the same app registration with your new instance. +* Microsoft Entra app registrations don't need to be recreated. If you're using an [app registration](./how-to-create-app-registration.md) to connect to the Azure Digital Twins APIs, you can reuse the same app registration with your new instance. After you finish this step, your new instance in the target region should be a copy of the original instance. To delete the instance by using the Azure portal, [open the portal](https://port Select the **Delete** button, and follow the prompts to finish the deletion. |
digital-twins | How To Set Up Instance Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-set-up-instance-cli.md | There are several optional parameters that can be added to the command to specif ### Create the instance with a managed identity -When you enable a [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) on your Azure Digital Twins instance, an identity is created for it in [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). That identity can then be used to authenticate to other services. You can enable a managed identity for an Azure Digital Twins instance while the instance is being created, or [later on an existing instance](#enabledisable-managed-identity-for-the-instance). +When you enable a [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) on your Azure Digital Twins instance, an identity is created for it in [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). That identity can then be used to authenticate to other services. You can enable a managed identity for an Azure Digital Twins instance while the instance is being created, or [later on an existing instance](#enabledisable-managed-identity-for-the-instance). Use the CLI command below for your chosen type of managed identity. You now have an Azure Digital Twins instance ready to go. Next, you will give th To give a user permission to manage an Azure Digital Twins instance, you must assign them the **Azure Digital Twins Data Owner** role within the instance. -Use the following command to assign the role (must be run by a user with [sufficient permissions](#prerequisites-permission-requirements) in the Azure subscription). The command requires you to pass in the *user principal name* on the Azure AD account for the user that should be assigned the role. 
In most cases, this value will match the user's email on the Azure AD account. +Use the following command to assign the role (must be run by a user with [sufficient permissions](#prerequisites-permission-requirements) in the Azure subscription). The command requires you to pass in the *user principal name* on the Microsoft Entra account for the user that should be assigned the role. In most cases, this value will match the user's email on the Microsoft Entra account. ```azurecli-interactive az dt role-assignment create --dt-name <your-Azure-Digital-Twins-instance> --assignee "<Azure-AD-user-principal-name-of-user-to-assign>" --role "Azure Digital Twins Data Owner" The result of this command is outputted information about the role assignment th > > Assign the role using the user's Object ID instead. This may happen for users on personal [Microsoft accounts (MSAs)](https://account.microsoft.com/account). >-> Use the [Azure portal page of Azure Active Directory users](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers) to select the user account and open its details. Copy the user's **Object ID**: +> Use the [Azure portal page of Microsoft Entra users](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers) to select the user account and open its details. Copy the user's **Object ID**: > > :::image type="content" source="media/includes/user-id.png" alt-text="Screenshot of the user page in Azure portal highlighting the GUID in the 'Object ID' field." lightbox="media/includes/user-id.png"::: > |
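Review bot: the `az dt role-assignment create` example still uses the placeholder `"<Azure-AD-user-principal-name-of-user-to-assign>"` while the surrounding `+` prose now says "Microsoft Entra account"; rename the placeholder (for example `<Microsoft-Entra-user-principal-name-of-user-to-assign>`) so the command and the text agree. The rest of the renaming in this hunk, including the link text "Azure portal page of Microsoft Entra users", is consistent.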
digital-twins | How To Set Up Instance Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-set-up-instance-portal.md | This version of this article goes through these steps manually, one by one, usin Here are the additional options you can configure during setup, using the other tabs in the **Create Resource** process. * **Networking**: In this tab, you can enable private endpoints with [Azure Private Link](../private-link/private-link-overview.md) to eliminate public network exposure to your instance. For instructions, see [Enable private access with Private Link](./how-to-enable-private-link.md?tabs=portal#add-a-private-endpoint-during-instance-creation).-* **Advanced**: In this tab, you can enable a system-assigned [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) for your instance. When this is enabled, Azure automatically creates an identity for the instance in [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md), which can be used to authenticate to other services. You can enable that system-assigned managed identity while you're creating the instance here, or [later on an existing instance](#enabledisable-managed-identity-for-the-instance). If you want to enable a user-assigned managed identity instead, you'll need to do it later on an existing instance. +* **Advanced**: In this tab, you can enable a system-assigned [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources) for your instance. When this is enabled, Azure automatically creates an identity for the instance in [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md), which can be used to authenticate to other services. You can enable that system-assigned managed identity while you're creating the instance here, or [later on an existing instance](#enabledisable-managed-identity-for-the-instance). 
If you want to enable a user-assigned managed identity instead, you'll need to do it later on an existing instance. * **Tags**: In this tab, you can add tags to your instance to help you organize it among your Azure resources. For more about Azure resource tags, see [Tag resources, resource groups, and subscriptions for logical organization](../azure-resource-manager/management/tag-resources.md). ### Verify success and collect important values Test out individual REST API calls on your instance using the Azure Digital Twin * [Azure Digital Twins CLI command set](concepts-cli.md) Or, see how to connect a client application to your instance with authentication code:-* [Write app authentication code](how-to-authenticate-client.md) +* [Write app authentication code](how-to-authenticate-client.md) |
digital-twins | How To Use Postman With Digital Twins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/how-to-use-postman-with-digital-twins.md | Otherwise, you can open an [Azure Cloud Shell](https://shell.azure.com) window i >[!NOTE]- > If you need to access your Azure Digital Twins instance using a service principal or user account that belongs to a different Azure Active Directory tenant from the instance, you'll need to request a token from the Azure Digital Twins instance's "home" tenant. For more information on this process, see [Write app authentication code](how-to-authenticate-client.md#authenticate-across-tenants). + > If you need to access your Azure Digital Twins instance using a service principal or user account that belongs to a different Microsoft Entra tenant from the instance, you'll need to request a token from the Azure Digital Twins instance's "home" tenant. For more information on this process, see [Write app authentication code](how-to-authenticate-client.md#authenticate-across-tenants). 3. Copy the value of `accessToken` in the result, and save it to use in the next section. This value is your **token value** that you'll provide to Postman to authorize your requests. You can also compare the response to the expected response data given in the ref ## Next steps -To learn more about the Digital Twins APIs, read [Azure Digital Twins APIs and SDKs](concepts-apis-sdks.md), or view the [reference documentation for the REST APIs](/rest/api/azure-digitaltwins/). +To learn more about the Digital Twins APIs, read [Azure Digital Twins APIs and SDKs](concepts-apis-sdks.md), or view the [reference documentation for the REST APIs](/rest/api/azure-digitaltwins/). |
digital-twins | Resources Customer Data Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/resources-customer-data-requests.md | -Azure Digital Twins is a developer platform for creating secure digital representations of business environments. It can be used to store information about people and places, and works with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) to identify users and administrators with access to the environment. To view, export, and delete personal data that may be referenced in a data subject request, an Azure Digital Twins administrator can use the [Azure portal](https://portal.azure.com/) for users and roles, or the [Azure Digital Twins REST APIs](/rest/api/azure-digitaltwins/) for digital twins. The Azure portal and REST APIs provide different methods for users to service such data subject requests. +Azure Digital Twins is a developer platform for creating secure digital representations of business environments. It can be used to store information about people and places, and works with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) to identify users and administrators with access to the environment. To view, export, and delete personal data that may be referenced in a data subject request, an Azure Digital Twins administrator can use the [Azure portal](https://portal.azure.com/) for users and roles, or the [Azure Digital Twins REST APIs](/rest/api/azure-digitaltwins/) for digital twins. The Azure portal and REST APIs provide different methods for users to service such data subject requests. [!INCLUDE [gdpr-intro-sentence](../../includes/gdpr-intro-sentence.md)] Azure Digital Twins is a developer platform for creating secure digital represen Azure Digital Twins considers *personal data* to be data associated with its administrators and users. 
-Azure Digital Twins stores the [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) **object ID** of users with access to the environment. Azure Digital Twins in the Azure portal displays user email addresses, but these email addresses aren't stored within Azure Digital Twins. They're dynamically looked up in Azure Active Directory, using the Azure Active Directory object ID. +Azure Digital Twins stores the [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) **object ID** of users with access to the environment. Azure Digital Twins in the Azure portal displays user email addresses, but these email addresses aren't stored within Azure Digital Twins. They're dynamically looked up in Microsoft Entra ID, using the Microsoft Entra object ID. The digital representations called *digital twins* in Azure Digital Twins represent entities in real-world environments, and are associated with identifiers. Microsoft maintains no information and has no access to data that would allow identifiers to be correlated to users. Many of the digital twins in Azure Digital Twins don't directly represent personal entitiesΓÇötypical objects represented might be an office meeting room, or a factory floor. However, users may consider some entities to be personally identifiable, and at their discretion may maintain their own asset or inventory tracking methods that tie digital twins to individuals. Azure Digital Twins manages and stores all data associated with digital twins as if it were personal data. Azure Digital Twins administrators can use the [Azure portal](https://portal.azu ## Links to more documentation -For a full list of the Azure Digital Twins service APIs, see the [Azure Digital Twins REST APIs documentation](/rest/api/azure-digitaltwins/). +For a full list of the Azure Digital Twins service APIs, see the [Azure Digital Twins REST APIs documentation](/rest/api/azure-digitaltwins/). |
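Review bot: inconsistent naming within one `+` line: it opens with "the [Microsoft Entra ID](...) **object ID** of users" and closes with "using the Microsoft Entra object ID"; pick one form (the link text "Microsoft Entra ID" for the product, "Microsoft Entra object ID" for the attribute) and use it in both places, since "Microsoft Entra ID object ID" reads as a doubled word.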
digital-twins | Troubleshoot Error 403 Digital Twins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/troubleshoot-error-403-digital-twins.md | az dt role-assignment create --dt-name <your-Azure-Digital-Twins-instance> --ass For more information about this role requirement and the assignment process, see [Set up your user's access permissions](how-to-set-up-instance-CLI.md#set-up-user-access-permissions). -If you have this role assignment already and you're using an Azure AD app registration to authenticate a client app, you can continue to the next solution if this solution didn't resolve the 403 issue. +If you have this role assignment already and you're using a Microsoft Entra app registration to authenticate a client app, you can continue to the next solution if this solution didn't resolve the 403 issue. ### Solution #2 -If you're using an Azure AD app registration to authenticate a client app, the second possible solution is to verify that the app registration has permissions configured for the Azure Digital Twins service. If these aren't configured, set them up. +If you're using a Microsoft Entra app registration to authenticate a client app, the second possible solution is to verify that the app registration has permissions configured for the Azure Digital Twins service. If these aren't configured, set them up. #### Check current setup -To check whether the permissions have been configured correctly, navigate to the [Azure AD app registration overview page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) in the Azure portal. You can get to this page yourself by searching for *app registrations* in the portal search bar. +To check whether the permissions have been configured correctly, navigate to the [Microsoft Entra app registration overview page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) in the Azure portal. 
You can get to this page yourself by searching for *app registrations* in the portal search bar. Switch to the **All applications** tab to see all the app registrations that have been created in your subscription. You should see the app registration you created in the list. Select it to open u First, verify that the Azure Digital Twins permissions settings were properly set on the registration: Select **Manifest** from the menu bar to view the app registration's manifest code. Scroll to the bottom of the code window and look for these fields under `requiredResourceAccess`. The values should match the ones in the screenshot below: Next, select **API permissions** from the menu bar to verify that this app registration contains Read/Write permissions for Azure Digital Twins. You should see an entry like this: #### Fix issues Read the setup steps for creating and authenticating a new Azure Digital Twins i * [Set up an instance and authentication (CLI)](how-to-set-up-instance-cli.md) Read more about security and permissions on Azure Digital Twins:-* [Security for Azure Digital Twins solutions](concepts-security.md) +* [Security for Azure Digital Twins solutions](concepts-security.md) |
digital-twins | Troubleshoot Error 404 Digital Twins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/troubleshoot-error-404-digital-twins.md | This article describes causes and resolution steps for receiving a 404 error fro ## Symptoms -This error may occur when accessing an Azure Digital Twins instance using a service principal or user account that belongs to a different [Azure Active Directory (Azure AD) tenant](../active-directory/develop/quickstart-create-new-tenant.md) from the instance. The correct [roles](concepts-security.md) seem to be assigned to the identity, but API requests fail with an error status of `404 Sub-Domain not found`. +This error may occur when accessing an Azure Digital Twins instance using a service principal or user account that belongs to a different [Microsoft Entra tenant](../active-directory/develop/quickstart-create-new-tenant.md) from the instance. The correct [roles](concepts-security.md) seem to be assigned to the identity, but API requests fail with an error status of `404 Sub-Domain not found`. ## Causes ### Cause #1 -Azure Digital Twins requires that all authenticating users belong to the same Azure AD tenant as the Azure Digital Twins instance. +Azure Digital Twins requires that all authenticating users belong to the same Microsoft Entra tenant as the Azure Digital Twins instance. [!INCLUDE [digital-twins-tenant-limitation](../../includes/digital-twins-tenant-limitation.md)] |
digital-twins | Tutorial End To End | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/digital-twins/tutorial-end-to-end.md | The next step is setting up an [Azure Functions app](../azure-functions/function * *ProcessHubToDTEvents*: processes incoming IoT Hub data and updates Azure Digital Twins accordingly * *ProcessDTRoutedData*: processes data from digital twins, and updates the parent twins in Azure Digital Twins accordingly -In this section, you'll publish the pre-written function app, and ensure the function app can access Azure Digital Twins by assigning it an Azure Active Directory (Azure AD) identity. +In this section, you'll publish the pre-written function app, and ensure the function app can access Azure Digital Twins by assigning it a Microsoft Entra identity. The function app is part of the sample project you downloaded, located in the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp* folder. |
education-hub | Enroll Renew Subscription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/education-hub/azure-dev-tools-teaching/enroll-renew-subscription.md | This article describes the process for enrolling in Azure Dev Tools for Teaching ## Enroll a new subscription -1. Navigate to the [Azure Dev Tools for Teaching webpage](https://portal.azureforeducation.microsoft.com/). +1. Navigate to the [Azure Dev Tools for Teaching webpage](https://azureforeducation.microsoft.com/Order). 1. Select the **Sign up** button. 1. Select **Enroll or Renew** on the Azure Dev Tools for Teaching banner. 1. Select the type of subscription you're enrolling: |
education-hub | Create Assignment Allocate Credit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/education-hub/create-assignment-allocate-credit.md | policies before adding new users. When a work or school account (for example, student1@school.edu) is added by using Azure role-based access control (Azure RBAC) in the Educator Sponsor Portal or the [Azure portal](https://portal.azure.com), Azure automatically sends email to the recipient. This email requires the user to accept the new account and Azure role prior to receiving access to the subscription. If you're a course teaching assistant (TA) or professor, be sure to inform students of this so that their subscription displays in the Azure portal as expected. The email should look similar to this: ## Create an assignment and invite students to the course |
education-hub | Custom Tenant Set Up Classroom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/education-hub/custom-tenant-set-up-classroom.md | This article is meant for IT Admins utilizing Azure for Classroom. When signing This section walks you through how to create a new tenant and associate it with your university tenant using multi-tenant -1. Go to the Azure portal and search for "Azure Active Directory" +1. Go to the Azure portal and search for "Microsoft Entra ID" 2. Create a new tenant in the "Manage tenants" tab 3. Fill in and Finalize Tenant information 4. After the tenant has been created copy the Tenant ID of the new tenant |
frontdoor | Front Door Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-overview.md | Azure Front Door is MicrosoftΓÇÖs modern cloud Content Delivery Network (CDN) th ## Why use Azure Front Door? +> [!VIDEO https://www.youtube.com/embed/-4FQYxV9mAE] + Azure Front Door enables internet-facing application to: * **Build and operate modern internet-first architectures** that have dynamic, high-quality digital experiences with highly automated, secure, and reliable platforms. |
frontdoor | Subscription Offers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/subscription-offers.md | If you have made a payment and throttling hasn't been removed, you can request t ## Enterprise agreements -Enterprise Agreement subscriptions don't have any bandwidth restrictions. +Refer to the bandwidth limit in [Azure Front Door limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-front-door-standard-and-premium-service-limits) ## Other offer types |
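Review bot: the replacement line `+Refer to the bandwidth limit in [Azure Front Door limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-front-door-standard-and-premium-service-limits)` has no terminating period and reads as a dangling pointer where the removed line made a statement; consider `Enterprise Agreement subscriptions are subject to the bandwidth limit documented in [Azure Front Door limits](...).` so the section still says something on its own.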
governance | Effects | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/concepts/effects.md | Example: Deny any delete calls targeting database accounts that have a tag envir ] }, "then": {- "effect": "DenyAction", + "effect": "denyAction", "details": { "actionNames": [ "delete" ], "cascadeBehaviors": { "resourceGroup": "deny" } |
hdinsight-aks | Cluster Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/cluster-storage.md | For more information, see [Introduction to Azure Data Lake Storage Gen2](/azure/ ## Managed identities for secure file access -Azure HDInsight on AKS uses managed identities (MSI) to secure cluster access to files in Azure Data Lake Storage Gen2. Managed identity is a feature of Azure Active Directory that provides Azure services with a set of automatically managed credentials. These credentials can be used to authenticate to any service that supports Active Directory authentication. Moreover, managed identities don't require you to store credentials in code or configuration files. +Azure HDInsight on AKS uses managed identities (MSI) to secure cluster access to files in Azure Data Lake Storage Gen2. Managed identity is a feature of Microsoft Entra ID that provides Azure services with a set of automatically managed credentials. These credentials can be used to authenticate to any service that supports Active Directory authentication. Moreover, managed identities don't require you to store credentials in code or configuration files. In Azure HDInsight on AKS, once you select a managed identity and storage during cluster creation, the managed identity can seamlessly work with storage for data management, provided the **Storage Blob Data Owner** role is assigned to the user-assigned MSI. |
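Review bot: the `+Azure HDInsight on AKS uses managed identities (MSI) ...` line renames the first mention to Microsoft Entra ID but leaves `any service that supports Active Directory authentication` in the next sentence, which is the same product under its old name; for a consistent rename write `any service that supports Microsoft Entra authentication`.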
hdinsight-aks | Concept Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/concept-security.md | Title: Security in HDInsight on AKS -description: An introduction to security with managed identity from Azure Active Directory in HDInsight on AKS. +description: An introduction to security with managed identity from Microsoft Entra ID in HDInsight on AKS. Last updated 08/29/2023 Perimeter security in HDInsight on AKS is achieved through [virtual networks.](. ### Authentication -HDInsight on AKS provides Azure Active Directory-based authentication for cluster login and uses managed identities (MSI) to secure cluster access to files in Azure Data Lake Storage Gen2. Managed identity is a feature of Azure Active Directory that provides Azure services with a set of automatically managed credentials. With this setup, enterprise employees can sign into the cluster nodes by using their domain credentials. -A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault, Storage, SQL Server, and Database. The identity managed by the Azure platform and doesn't require you to provision or rotate any secrets. +HDInsight on AKS provides Microsoft Entra ID-based authentication for cluster login and uses managed identities (MSI) to secure cluster access to files in Azure Data Lake Storage Gen2. Managed identity is a feature of Microsoft Entra ID that provides Azure services with a set of automatically managed credentials. With this setup, enterprise employees can sign into the cluster nodes by using their domain credentials. +A managed identity from Microsoft Entra ID allows your app to easily access other Microsoft Entra protected resources such as Azure Key Vault, Storage, SQL Server, and Database. The identity managed by the Azure platform and doesn't require you to provision or rotate any secrets. 
This solution is a key for securing access to your HDInsight on AKS cluster and other dependent resources. Managed identities make your app more secure by eliminating secrets from your app, such as credentials in the connection strings. You create a user-assigned managed identity, which is a standalone Azure resource, as part of the cluster creation process, which manages the access to your dependent resources. |
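Review bot: in the `+A managed identity from Microsoft Entra ID allows your app to easily access other Microsoft Entra protected resources ...` line, `Microsoft Entra protected` is a compound modifier and should be hyphenated (`Microsoft Entra-protected resources`); the same line keeps the pre-existing `The identity managed by the Azure platform`, which is missing `is` (`The identity is managed by the Azure platform`). Since the line is already being rewritten, fix both here.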
hdinsight-aks | Azure Databricks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/flink/azure-databricks.md | Further, you can insert Kafka table into ADLSgen2 table on Flink SQL. ### Authentication of Azure Storage and Azure Databricks notebook -ADLS Gen2 provides OAuth 2.0 with your Azure AD application service principal for authentication from an Azure Databricks notebook and then mount into Azure Databricks DBFS. +ADLS Gen2 provides OAuth 2.0 with your Microsoft Entra application service principal for authentication from an Azure Databricks notebook and then mount into Azure Databricks DBFS. **Let's get service principle appid, tenant id and secret key.** |
hdinsight-aks | Flink Job Orchestration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/flink/flink-job-orchestration.md | It is recommended to rotate access keys or secrets periodically. 1. Azure Key Vault - You can follow [this tutorial to create a new Azure Key Vault](/azure/key-vault/general/quick-create-portal/) in case, if you don't have one. -1. Create [Azure AD Service Principal](/cli/azure/ad/sp/) to access Key Vault – Grant permission to access Azure Key Vault with the “Key Vault Secrets Officer” role, and make a note of ‘appId’, ‘password’, and ‘tenant’ from the response. We need to use the same for Airflow to use Key Vault storage as backends for storing sensitive information. +1. Create [Microsoft Entra service principal](/cli/azure/ad/sp/) to access Key Vault – Grant permission to access Azure Key Vault with the “Key Vault Secrets Officer” role, and make a note of ‘appId’, ‘password’, and ‘tenant’ from the response. We need to use the same for Airflow to use Key Vault storage as backends for storing sensitive information. ``` az ad sp create-for-rbac -n <sp name> --role “Key Vault Secrets Officer” --scopes <key vault Resource ID> It is recommended to rotate access keys or secrets periodically. :::image type="content" source="./media/flink-job-orchestration/airflow-configuration-environment-variable.png" alt-text="Screenshot shows airflow configuration and environment variables." lightbox="./media/flink-job-orchestration/airflow-configuration-environment-variable.png"::: -1. Create [Azure AD Service Principal](/cli/azure/ad/sp/) to access Azure – Grant permission to access HDInsight AKS Cluster with Contributor role, make a note of appId, password, and tenant from the response. +1. Create [Microsoft Entra service principal](/cli/azure/ad/sp/) to access Azure – Grant permission to access HDInsight AKS Cluster with Contributor role, make a note of appId, password, and tenant from the response. 
`az ad sp create-for-rbac -n <sp name> --role Contributor --scopes <Flink Cluster Resource ID>` The DAG expects to have setup for the Service Principal, as described during the Refer to the [sample code](https://github.com/Azure-Samples/hdinsight-aks/blob/main/flink/airflow-python-sample-code). - |
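Review bot: both `+1. Create [Microsoft Entra service principal](/cli/azure/ad/sp/) to access ...` lines drop the article that the rename removed with `Azure AD`; write `Create a [Microsoft Entra service principal](/cli/azure/ad/sp/) to access Key Vault` and `Create a [Microsoft Entra service principal](/cli/azure/ad/sp/) to access Azure`.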
hdinsight-aks | Use Azure Pipelines To Run Flink Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/flink/use-azure-pipelines-to-run-flink-jobs.md | In this article, you'll learn how to use Azure Pipelines with HDInsight on AKS t ### Create a service principal for Azure Pipelines - Create [Azure AD Service Principal](/cli/azure/ad/sp/) to access Azure – Grant permission to access HDInsight on AKS Cluster with Contributor role, make a note of appId, password, and tenant from the response. + Create [Microsoft Entra service principal](/cli/azure/ad/sp/) to access Azure – Grant permission to access HDInsight on AKS Cluster with Contributor role, make a note of appId, password, and tenant from the response. ``` az ad sp create-for-rbac -n <service_principal_name> --role Contributor --scopes <Flink Cluster Resource ID>` ``` |
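Review bot: the `+ Create [Microsoft Entra service principal](/cli/azure/ad/sp/) to access Azure ...` line needs an article (`Create a [Microsoft Entra service principal]...`); the fenced command directly below it still ends with a stray backtick after `<Flink Cluster Resource ID>`, which is pre-existing but sits inside a fence and would be copied into the user's shell, so remove it in the same edit.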
hdinsight-aks | Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/get-started.md | When you click on one of these templates, it launches Custom deployment page in |Cluster OSS Version |Provide the cluster type supported OSS version in three part naming format. For example: Trino - 0.410.0, Flink - 1.16.0, Spark - 3.3.1| |Custom VNet Name |Provide custom virtual network to be associated with the cluster pool. It should be in the same resource group as your cluster pool. | |Subnet Name in Custom Vnet |Provide subnet name defined in your custom virtual network. |-|User Object ID| Provide user alias object ID from Microsoft Entra ID [(Azure Active Directory)](https://www.microsoft.com/security/business/identity-access/azure-active-directory).| +|User Object ID| Provide user alias object ID from Microsoft Entra ID [(Microsoft Entra ID)](https://www.microsoft.com/security/business/identity-access/azure-active-directory).| ### Find Object ID of an identity When you click on one of these templates, it launches Custom deployment page in :::image type="content" source="./media/get-started/search-object-id.png" alt-text="Screenshot showing how to search object ID."::: - 2. From Azure Active Directory box, click on your user ID. + 2. From Microsoft Entra ID box, click on your user ID. :::image type="content" source="./media/get-started/view-object-id.png" alt-text="Screenshot showing how to view object ID."::: |
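Review bot: the `+|User Object ID| Provide user alias object ID from Microsoft Entra ID [(Microsoft Entra ID)](https://www.microsoft.com/security/business/identity-access/azure-active-directory).|` line now repeats the product name inside the parenthetical; the original parenthetical existed to carry the former name for readers searching the old term. Either keep `Microsoft Entra ID [(formerly Azure Active Directory)](...)` or drop the parenthetical and link the name itself: `Provide user alias object ID from [Microsoft Entra ID](...)`.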
hdinsight-aks | Hdinsight Aks Support Help | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/hdinsight-aks-support-help.md | The following table lists the tags for HDInsight on AKS and related | [Azure storage accounts](/azure/storage/common/storage-account-overview) | [azure-storage-accounts](/answers/topics/azure-storage-accounts.html)| | [Azure Managed Identities](/azure/active-directory/managed-identities-azure-resources/overview) | [azure-managed-identity](/answers/topics/azure-managed-identity.html) | | [Azure RBAC](/azure/role-based-access-control/overview) | [azure-rbac](/answers/topics/azure-rbac.html)|-| [Azure Active Directory](/azure/active-directory/fundamentals/whatis) | [azure-active-directory](/answers/topics/azure-active-directory.html)| +| [Microsoft Entra ID](/azure/active-directory/fundamentals/whatis) | [Microsoft Entra ID](/answers/topics/azure-active-directory.html)| | [Azure Virtual Network](/azure/virtual-network/network-overview) | [azure-virtual-network](/answers/topics/azure-virtual-network.html)| ## Create an Azure support request |
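Review bot: the `+| [Microsoft Entra ID](/azure/active-directory/fundamentals/whatis) | [Microsoft Entra ID](/answers/topics/azure-active-directory.html)|` line renames the second column, but that column lists Microsoft Q&A tag names and the linked tag is still `azure-active-directory`, so the row now shows a tag that does not exist. Only the first column (the service name) should change: `| [Microsoft Entra ID](/azure/active-directory/fundamentals/whatis) | [azure-active-directory](/answers/topics/azure-active-directory.html)|`.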
hdinsight-aks | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/overview.md | The latest version of HDInsight is orchestrated using AKS, which enables the pla * Fast cluster creation and scaling. * Ease of maintenance and periodic security updates. * Cluster resiliency powered by modern cloud-native AKS.-* Native support for modern auth with OAuth, and Microsoft Entra ID (Azure Active Directory). +* Native support for modern auth with OAuth, and Microsoft Entra ID. * Deep integration with Azure Services ΓÇô Azure Data Factory (ADF), Power BI, Azure Monitor. ## Connectivity to HDInsight HDInsight on AKS can connect seamlessly with HDInsight. You can reap the benefit ## Security architecture -HDInsight on AKS is secure by default. It enables enterprises to protect enterprise data assets with Azure Virtual Network, encryption, and integration with Microsoft Entra ID (Azure Active Directory). It also meets the most popular industry and government compliance standards upholding the Azure standards. With over 30 certifications that help protect data along with periodic updates, health advisor notifications, service health analytics, along with best-in-class Azure security standards. HDInsight on AKS offers several methods to address your enterprise security needs by default. +HDInsight on AKS is secure by default. It enables enterprises to protect enterprise data assets with Azure Virtual Network, encryption, and integration with Microsoft Entra ID. It also meets the most popular industry and government compliance standards upholding the Azure standards. With over 30 certifications that help protect data along with periodic updates, health advisor notifications, service health analytics, along with best-in-class Azure security standards. HDInsight on AKS offers several methods to address your enterprise security needs by default. For more information, see [HDInsight on AKS security](./concept-security.md). 
:::image type="content" source="./media/overview/security-concept.png" alt-text="Diagram showing the security concept."::: |
hdinsight-aks | Prerequisites Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/prerequisites-resources.md | For example, if you provide resource prefix as ΓÇ£demoΓÇ¥ then, following resour #### [Create user-assigned managed identity (MSI)](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) - A managed identity is an identity registered in Microsoft Entra ID [(Azure Active Directory)](https://www.microsoft.com/security/business/identity-access/azure-active-directory) whose credentials managed by Azure. With managed identities, you need not register service principals in Azure AD to maintain credentials such as certificates. + A managed identity is an identity registered in Microsoft Entra ID [(Microsoft Entra ID)](https://www.microsoft.com/security/business/identity-access/azure-active-directory) whose credentials managed by Azure. With managed identities, you need not register service principals in Microsoft Entra ID to maintain credentials such as certificates. HDInsight on AKS relies on user-assigned MSI for communication among different components. |
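Review bot: `Microsoft Entra ID [(Microsoft Entra ID)](https://www.microsoft.com/security/business/identity-access/azure-active-directory)` in the `+ A managed identity is an identity registered in ...` line repeats the name in its own parenthetical; use `(formerly Azure Active Directory)` or link the name directly. The same line keeps the pre-existing `whose credentials managed by Azure`, which is missing `are`; fix it while the line is being touched.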
hdinsight-aks | Configure Azure Active Directory Login For Superset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/configure-azure-active-directory-login-for-superset.md | Title: Configure Azure Active Directory OAuth2 login for Apache Superset -description: Learn how to configure Azure Active Directory OAuth2 login for Superset + Title: Configure Microsoft Entra ID OAuth2 login for Apache Superset +description: Learn how to configure Microsoft Entra ID OAuth2 login for Superset Last updated 08/29/2023 -# Configure Azure Active Directory OAuth2 login +# Configure Microsoft Entra ID OAuth2 login [!INCLUDE [feature-in-preview](../includes/feature-in-preview.md)] -This article describes how to allow users to use their Azure Active Directory (Azure AD) account ("Microsoft work or school account") to log in to Apache Superset. +This article describes how to allow users to use their Microsoft Entra account ("Microsoft work or school account") to log in to Apache Superset. -The following configuration allows users to have Superset accounts automatically created when they use their Azure AD login. Azure groups can be automatically mapped to Superset roles, which allow control over who can access Superset and what permissions are given. +The following configuration allows users to have Superset accounts automatically created when they use their Microsoft Entra login. Azure groups can be automatically mapped to Superset roles, which allow control over who can access Superset and what permissions are given. -1. Create an Azure Active Directory service principal. The steps to create Azure Active Directory are described [here](/azure/active-directory/develop/howto-create-service-principal-portal). +1. Create a Microsoft Entra service principal. The steps to create Microsoft Entra ID are described [here](/azure/active-directory/develop/howto-create-service-principal-portal). 
For testing, set the redirect URL to: `http://localhost:8088/oauth-authorized/azure` |
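Review bot: in `+1. Create a Microsoft Entra service principal. The steps to create Microsoft Entra ID are described [here](/azure/active-directory/develop/howto-create-service-principal-portal).`, the rename turned the second sentence into a claim that the linked steps create Microsoft Entra ID itself; the linked page creates a service principal, so write `The steps to create a service principal are described [here](...)`.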
hdinsight-aks | Configure Ingress | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/configure-ingress.md | The following instructions add a second layer of authentication in the form of a |client-id|Your Azure service principal client ID. Oauth proxy requires this ID to be a secret.| |oauth2proxy-redis-password|Proxy cache password. The password used by the Oauth proxy to access the back end Redis deployment instance on Kubernetes. Generate a strong password.| |oauth2proxy-cookie-secret|Cookie secret, used to encrypt the cookie data. This cookie secret must be 32 characters long.|-1. Add these callbacks in your Azure AD application configuration. +1. Add these callbacks in your Microsoft Entra application configuration. * `https://{{YOUR_HOST_NAME}}/oauth2/callback` - for Oauth2 Proxy |
hdinsight-aks | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/role-based-access-control.md | Last updated 08/29/2023 [!INCLUDE [feature-in-preview](../includes/feature-in-preview.md)] -This article describes how to provide Role Based Access Control and auto assign users to Apache Superset roles. This Role Based Access Control enables you to manage user groups in Azure Active Directory but configure access permissions in Superset. +This article describes how to provide Role Based Access Control and auto assign users to Apache Superset roles. This Role Based Access Control enables you to manage user groups in Microsoft Entra ID but configure access permissions in Superset. For example, if you have a security group called `datateam`, you can propagate membership of this group to Superset, which means Superset can automatically deny access if a user is removed from this security group. 1. Create a role that forbids access to Superset. helm repo update helm upgrade --install --values values.yaml superset superset/superset ``` -1. Modify Azure Active Directory App Registration. +1. Modify Microsoft Entra App Registration. - Search for your application in Azure Active Directory and select your app under the "app registration" heading. + Search for your application in Microsoft Entra ID and select your app under the "app registration" heading. Edit your app registration's roles by selecting "App roles" from the left navigation, and add all of the Superset roles you would like to use. It's recommended you add at least the Admin and Public roles. 
|Value|Display Name|Description|Allowed Member Types| helm upgrade --install --values values.yaml superset superset/superset Example: - :::image type="content" source="./media/role-based-access-control/role-assignment.png" alt-text="Screenshot showing role assignments in Azure Active Directory app roles."::: + :::image type="content" source="./media/role-based-access-control/role-assignment.png" alt-text="Screenshot showing role assignments in Microsoft Entra app roles."::: 1. Assign User Roles in Enterprise App Registration. - 1. Search for your application again in Azure Active Directory but this time, select your application under the heading "enterprise applications." + 1. Search for your application again in Microsoft Entra ID but this time, select your application under the heading "enterprise applications." 1. Select "Users and groups" from the left navigation and add yourself to the admin role, and any other groups or users you want to assign at this time. |
hdinsight-aks | Trino Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/trino-authentication.md | Last updated 08/29/2023 [!INCLUDE [feature-in-preview](../includes/feature-in-preview.md)] -Azure HDInsight on AKS Trino provides tools such as CLI client, JDBC driver etc., to access the cluster, which is integrated with Azure Active Directory to simplify the authentication for users. -Supported tools or clients need to authenticate using Azure Active Directory OAuth2 standards that are, a JWT access token issued by Azure Active Directory must be provided to the cluster endpoint. +Azure HDInsight on AKS Trino provides tools such as CLI client, JDBC driver etc., to access the cluster, which is integrated with Microsoft Entra ID to simplify the authentication for users. +Supported tools or clients need to authenticate using Microsoft Entra ID OAuth2 standards that are, a JWT access token issued by Microsoft Entra ID must be provided to the cluster endpoint. This section describes common authentication flows supported by the tools. The following table describes the parameters that can be configured in environme |Variable name|Applicable authentication flows|Description |-|-|-|-|AZURE_TENANT_ID|All|Azure Active Directory tenant ID.| +|AZURE_TENANT_ID|All|Microsoft Entra tenant ID.| |AZURE_CLIENT_ID|AzureClientSecret, AzureClientCertificate, AzureManagedIdentity|Application/principal client ID.| |AZURE_CLIENT_SECRET|AzureClientSecret, AzureClientCertificate|Secret or password for service principal or certificate file.| |AZURE_CLIENT_CERTIFICATE_PATH|AzureClientCertificate|Path to certificate file.| |
hdinsight-aks | Trino Superset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/trino-superset.md | Now, you're ready to create datasets and charts. ## Next Steps -To expose Superset to the internet, allow user login using Azure Active Directory you need to accomplish the following general steps. These steps require an intermediate or greater experience with Kubernetes. +To expose Superset to the internet, allow user login using Microsoft Entra ID you need to accomplish the following general steps. These steps require an intermediate or greater experience with Kubernetes. -* [Configure Azure Active Directory OAuth2 login for Superset](./configure-azure-active-directory-login-for-superset.md) +* [Configure Microsoft Entra ID OAuth2 login for Superset](./configure-azure-active-directory-login-for-superset.md) |
hdinsight-aks | Trino Ui Command Line Interface | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/trino-ui-command-line-interface.md | rm -r $HOME/lib/trino-cli ``` ## Authentication-Trino CLI supports various methods of Azure Active Directory authentication using command line parameters. The following table describes the important parameters and authentication methods, for more information, see [Authentication](./trino-authentication.md). +Trino CLI supports various methods of Microsoft Entra authentication using command line parameters. The following table describes the important parameters and authentication methods, for more information, see [Authentication](./trino-authentication.md). Parameters description available in CLI as well: ```bash trino-cli --help |-|-|-|-| |auth|Name of authentication method|No|Determines how user credentials are provided. If not specified, uses `AzureDefault`.| |azure-client|Client ID|Yes for `AzureClientSecret, AzureClientCertificate`.|Client ID of service principal/application.|-|azure-tenant|Tenant ID|Yes for `AzureClientSecret, AzureClientCertificate`.|Azure Active Directory Tenant ID.| +|azure-tenant|Tenant ID|Yes for `AzureClientSecret, AzureClientCertificate`.|Microsoft Entra tenant ID.| |azure-certificate-path|File path to certificate|Yes for `AzureClientCertificate`.|Path to pfx/pem file with certificate.| |azure-use-token-cache|Use token cache or not|No|If provided, access token is cached and reused in `AzureDefault, AzureInteractive, AzureDeviceCode` modes.|-|azure-scope|Token scope|No|Azure Active Directory scope string to request a token with.| +|azure-scope|Token scope|No|Microsoft Entra scope string to request a token with.| |use-device-code|Use device code method or not|No|Equivalent to `--auth AzureDeviceCode`.| |password|Client secret for service principal|Yes for `AzureClientSecret`.|Secret/password for service principal when using `AzureClientSecret` mode.| |access-token|JWT 
access token|No|If access token obtained externally, can be provided using this parameter. In this case, `auth` parameter isn't allowed.| |
hdinsight-aks | Trino Ui Jdbc Driver | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/trino/trino-ui-jdbc-driver.md | Last updated 08/29/2023 [!INCLUDE [feature-in-preview](../includes/feature-in-preview.md)] -HDInsight on AKS Trino provides JDBC driver, which supports Azure Active Directory authentication and adds few parameters for it. +HDInsight on AKS Trino provides JDBC driver, which supports Microsoft Entra authentication and adds few parameters for it. ## Install JDBC driver jar is included in the Trino CLI package, [Install HDInsight on AKS > Linux: `~/lib/trino-cli` ## Authentication-Trino JDBC driver supports various methods of Azure Active Directory authentication. The following table describes the important parameters and authentication methods. For more information, see [Authentication](./trino-authentication.md). +Trino JDBC driver supports various methods of Microsoft Entra authentication. The following table describes the important parameters and authentication methods. For more information, see [Authentication](./trino-authentication.md). |Parameter|Meaning|Required|Description| |-|-|-|-| |auth|Name of authentication method|No|Determines how user credentials are provided. 
If not specified, uses `AzureDefault`.| |azureClient|Client ID of service principal/application|Yes for `AzureClientSecret, AzureClientCertificate`.|-|azureTenant|Azure Active Directory Tenant ID|Yes for `AzureClientSecret, AzureClientCertificate`.| +|azureTenant|Microsoft Entra tenant ID|Yes for `AzureClientSecret, AzureClientCertificate`.| |azureCertificatePath|File path to certificate|Yes for `AzureClientCertificate`.|Path to pfx/pem file with certificate.| |azureUseTokenCache|Use token cache or not|No|If provided, access token is cached and reused in `AzureDefault, AzureInteractive, AzureDeviceCode` modes.|-|azureScope|Token scope|No|Azure Active Directory scope string to request a token with.| +|azureScope|Token scope|No|Microsoft Entra scope string to request a token with.| |password|Client secret for service principal|Yes for `AzureClientSecret`.|Secret/password for service principal when using `AzureClientSecret` mode.| |accessToken|JWT access token|No|If access token obtained externally, can be provided using this parameter. In this case, `auth` parameter isn't allowed.| |
hdinsight | Hdinsight Hadoop Add Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-add-storage.md | description: Learn how to add additional Azure Storage accounts to an existing H Previously updated : 09/29/2022 Last updated : 10/11/2023 # Add additional storage accounts to HDInsight -Learn how to use script actions to add additional Azure Storage *accounts* to HDInsight. The steps in this document add a storage *account* to an existing HDInsight cluster. This article applies to storage *accounts* (not the default cluster storage account), and not additional storage such as [`Azure Data Lake Storage Gen1`](hdinsight-hadoop-use-data-lake-storage-gen1.md) and [`Azure Data Lake Storage Gen2`](hdinsight-hadoop-use-data-lake-storage-gen2.md). +Learn how to use script actions to add extra Azure Storage *accounts* to HDInsight. The steps in this document add a storage *account* to an existing HDInsight cluster. This article applies to storage *accounts* (not the default cluster storage account), and not additional storage such as [`Azure Data Lake Storage Gen1`](hdinsight-hadoop-use-data-lake-storage-gen1.md) and [`Azure Data Lake Storage Gen2`](hdinsight-hadoop-use-data-lake-storage-gen2.md). > [!IMPORTANT] > The information in this document is about adding additional storage account(s) to a cluster after it has been created. For information on adding storage accounts during cluster creation, see [Set up clusters in HDInsight with Apache Hadoop, Apache Spark, Apache Kafka, and more](hdinsight-hadoop-provision-linux-clusters.md). Learn how to use script actions to add additional Azure Storage *accounts* to HD * A Hadoop cluster on HDInsight. See [Get Started with HDInsight on Linux](./hadoop/apache-hadoop-linux-tutorial-get-started.md). * Storage account name and key. See [Manage storage account access keys](../storage/common/storage-account-keys-manage.md).-* If using PowerShell, you'll need the AZ module. 
See [Overview of Azure PowerShell](/powershell/azure/). +* If using PowerShell, you need the AZ module. See [Overview of Azure PowerShell](/powershell/azure/). ## How it works Use [Script Action](hdinsight-hadoop-customize-cluster-linux.md#script-action-to ## Verification -When viewing the HDInsight cluster in the Azure portal, selecting the __Storage Accounts__ entry under __Properties__ doesn't display storage accounts added through this script action. Azure PowerShell and Azure CLI don't display the additional storage account either. The storage information isn't displayed because the script only modifies the `core-site.xml` configuration for the cluster. This information isn't used when retrieving the cluster information using Azure management APIs. +When you view the HDInsight cluster in the Azure portal, select the __Storage Accounts__ entry under __Properties__ doesn't display storage accounts added through this script action. Azure PowerShell and Azure CLI don't display the additional storage account either. The storage information isn't displayed because the script only modifies the `core-site.xml` configuration for the cluster. This information isn't used when retrieving the cluster information using Azure management APIs. -To verify the additional storage use one of the methods shown below: +To verify the additional storage use one of the methods shown: ### PowerShell -The script will return the Storage Account name(s) associated with the given cluster. Replace `CLUSTERNAME` with the actual cluster name, and then run the script. +The script returns the Storage Account name(s) associated with the given cluster. Replace `CLUSTERNAME` with the actual cluster name, and then run the script. ```powershell # Update values foreach ($name in $value ) { $name.Name.Split(".")[4]} 1. Navigate to **HDFS** > **Configs** > **Advanced** > **Custom core-site**. -1. Observe the keys that begin with `fs.azure.account.key`. 
The account name will be a part of the key as seen in this sample image: +1. Observe the keys that begin with `fs.azure.account.key`. The account name is part of the key as seen in this sample image: :::image type="content" source="./media/hdinsight-hadoop-add-storage/apache-ambari-verification.png" alt-text="verification through Apache Ambari"::: |
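Review bot: the rewritten Verification sentence is ungrammatical: "When you view the HDInsight cluster in the Azure portal, select the __Storage Accounts__ entry under __Properties__ doesn't display storage accounts..." turns the subject of "doesn't display" into an imperative. Suggest "When you view the HDInsight cluster in the Azure portal, the __Storage Accounts__ entry under __Properties__ doesn't display storage accounts added through this script action."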
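Review bot: "To verify the additional storage use one of the methods shown:" now leaves "shown" with nothing to refer to after "below" was dropped; suggest "To verify the additional storage, use one of the following methods:".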
hdinsight | Hdinsight Hadoop Use Data Lake Storage Gen1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-use-data-lake-storage-gen1.md | Adding a Data Lake Storage account as additional and adding more than one Data L ## Configure Data Lake Storage Gen1 access -To configure Azure Data Lake Storage Gen1 access from your HDInsight cluster, you must have an Azure Active directory (Azure AD) service principal. Only an Azure AD administrator can create a service principal. The service principal must be created with a certificate. For more information, see [Quickstart: Set up clusters in HDInsight](./hdinsight-hadoop-provision-linux-clusters.md), and [Create service principal with self-signed-certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-self-signed-certificate). +To configure Azure Data Lake Storage Gen1 access from your HDInsight cluster, you must have a Microsoft Entra service principal. Only a Microsoft Entra administrator can create a service principal. The service principal must be created with a certificate. For more information, see [Quickstart: Set up clusters in HDInsight](./hdinsight-hadoop-provision-linux-clusters.md), and [Create service principal with self-signed-certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-self-signed-certificate). > [!NOTE] > If you are going to use Azure Data Lake Storage Gen1 as additional storage for HDInsight cluster, we strongly recommend that you do this while you create the cluster as described in this article. Adding Azure Data Lake Storage Gen1 as additional storage to an existing HDInsight cluster is not a supported scenario. |
hdinsight | Hdinsight Hadoop Use Data Lake Storage Gen2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md | For more information about file permissions with ACLs, see [Access control lists ### How do I control access to my data in Data Lake Storage Gen2? -Your HDInsight cluster's ability to access files in Data Lake Storage Gen2 is controlled through managed identities. A managed identity is an identity registered in Azure Active Directory (Azure AD) whose credentials are managed by Azure. With managed identities, you don't need to register service principals in Azure AD. Or maintain credentials such as certificates. +Your HDInsight cluster's ability to access files in Data Lake Storage Gen2 is controlled through managed identities. A managed identity is an identity registered in Microsoft Entra whose credentials are managed by Azure. With managed identities, you don't need to register service principals in Microsoft Entra ID. Or maintain credentials such as certificates. -Azure services have two types of managed identities: system-assigned and user-assigned. HDInsight uses user-assigned managed identities to access Data Lake Storage Gen2. A `user-assigned managed identity` is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. +Azure services have two types of managed identities: system-assigned and user-assigned. HDInsight uses user-assigned managed identities to access Data Lake Storage Gen2. A `user-assigned managed identity` is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Microsoft Entra tenant that's trusted by the subscription in use. 
After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it's assigned. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). -### How do I set permissions for Azure AD users to query data in Data Lake Storage Gen2 by using Hive or other services? +<a name='how-do-i-set-permissions-for-azure-ad-users-to-query-data-in-data-lake-storage-gen2-by-using-hive-or-other-services'></a> -To set permissions for users to query data, use Azure AD security groups as the assigned principal in ACLs. Don't directly assign file-access permissions to individual users or service principals. With Azure AD security groups to control the flow of permissions, you can add and remove users or service principals without reapplying ACLs to an entire directory structure. You only have to add or remove the users from the appropriate Azure AD security group. ACLs aren't inherited, so reapplying ACLs requires updating the ACL on every file and subdirectory. +### How do I set permissions for Microsoft Entra users to query data in Data Lake Storage Gen2 by using Hive or other services? ++To set permissions for users to query data, use Microsoft Entra security groups as the assigned principal in ACLs. Don't directly assign file-access permissions to individual users or service principals. With Microsoft Entra security groups to control the flow of permissions, you can add and remove users or service principals without reapplying ACLs to an entire directory structure. You only have to add or remove the users from the appropriate Microsoft Entra security group. ACLs aren't inherited, so reapplying ACLs requires updating the ACL on every file and subdirectory. ## Access files from the cluster |
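Review bot: the new first paragraph writes "an identity registered in Microsoft Entra whose credentials are managed by Azure" while the very next sentence uses the product name "Microsoft Entra ID"; use "Microsoft Entra ID" as the standalone noun in both places so the paragraph is consistent (the attributive "Microsoft Entra tenant" in the second paragraph is fine as is).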
hdinsight | Hdinsight Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-managed-identities.md | Last updated 05/24/2023 # Managed identities in Azure HDInsight -A managed identity is an identity registered in Azure Active Directory (Azure AD) whose credentials are managed by Azure. With managed identities, you don't need to register service principals in Azure AD. Or maintain credentials such as certificates. +A managed identity is an identity registered in Microsoft Entra whose credentials are managed by Azure. With managed identities, you don't need to register service principals in Microsoft Entra ID. Or maintain credentials such as certificates. -Managed identities are used in Azure HDInsight to access Azure AD domain services or access files in Azure Data Lake Storage Gen2 when needed. +Managed identities are used in Azure HDInsight to access Microsoft Entra Domain Services or access files in Azure Data Lake Storage Gen2 when needed. -There are two types of managed identities: user-assigned and system-assigned. Azure HDInsight supports only user-assigned managed identities. HDInsight doesn't support system-assigned managed identities. A user-assigned managed identity is created as a standalone Azure resource, which you can then assign to one or more Azure service instances. In contrast, a system-assigned managed identity is created in Azure AD and then enabled directly on a particular Azure service instance automatically. The life of that system-assigned managed identity is then tied to the life of the service instance that it's enabled on. +There are two types of managed identities: user-assigned and system-assigned. Azure HDInsight supports only user-assigned managed identities. HDInsight doesn't support system-assigned managed identities. A user-assigned managed identity is created as a standalone Azure resource, which you can then assign to one or more Azure service instances. 
In contrast, a system-assigned managed identity is created in Microsoft Entra ID and then enabled directly on a particular Azure service instance automatically. The life of that system-assigned managed identity is then tied to the life of the service instance that it's enabled on. ## HDInsight managed identity implementation HDInsight will automatically renew the certificates for the managed identities y If you have already created a long running cluster with multiple different managed identities and are running into one of these issues: * In ESP clusters, cluster services starts failing or scale up and other operations start failing with authentications errors.- * In ESP clusters, when changing AAD-DS LDAPS cert, the LDAPS certificate does not automatically get updated and therefore LDAP sync and scale ups start failing. + * In ESP clusters, when changing Microsoft Entra Domain Services LDAPS cert, the LDAPS certificate does not automatically get updated and therefore LDAP sync and scale ups start failing. * MSI access to ADLS Gen2 start failing. * Encryption Keys can not be rotated in the CMK scenario. |
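Review bot: the rewritten definition says "registered in Microsoft Entra whose credentials are managed by Azure" but the following sentence and the later system-assigned paragraph use "Microsoft Entra ID"; use "Microsoft Entra ID" as the standalone product name throughout the hunk.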
hdinsight | Hdinsight Migrate Granular Access Cluster Configurations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-migrate-granular-access-cluster-configurations.md | Cluster configurations are now behind granular role-based access control and req ### Why do I see "Insufficient privileges to complete the operation" when running the Azure CLI command to assign the HDInsight Cluster Operator role to another user or service principal? -In addition to having the Owner role, the user or service principal executing the command needs to have sufficient Azure AD permissions to look up the object IDs of the assignee. This message indicates insufficient Azure AD permissions. Try replacing the `-ΓÇôassignee` argument with `ΓÇôassignee-object-id` and provide the object ID of the assignee as the parameter instead of the name (or the principal ID in the case of a managed identity). See the optional parameters section of the [az role assignment create documentation](/cli/azure/role/assignment#az-role-assignment-create) for more info. +In addition to having the Owner role, the user or service principal executing the command needs to have sufficient Microsoft Entra permissions to look up the object IDs of the assignee. This message indicates insufficient Microsoft Entra permissions. Try replacing the `-ΓÇôassignee` argument with `ΓÇôassignee-object-id` and provide the object ID of the assignee as the parameter instead of the name (or the principal ID in the case of a managed identity). See the optional parameters section of the [az role assignment create documentation](/cli/azure/role/assignment#az-role-assignment-create) for more info. -If it still does not work, contact your Azure AD admin to acquire the correct permissions. +If it still does not work, contact your Microsoft Entra admin to acquire the correct permissions. ### What will happen if I take no action? |
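Review bot: the touched sentence carries forward the mis-encoded option names `-ΓÇôassignee` and `ΓÇôassignee-object-id`; the Azure CLI options are `--assignee` and `--assignee-object-id` (two ASCII hyphens each), so correct them in the rewrite instead of preserving the garbled dashes, which a reader cannot copy into a working command.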
hdinsight | Hdinsight Multiple Clusters Data Lake Store | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-multiple-clusters-data-lake-store.md | To enable this folder structure to be effectively used by HDInsight clusters, th In the table, - **admin** is the creator and administrator of the Data Lake Storage account.-- **Service principal** is the Azure Active Directory (AAD) service principal associated with the account.-- **FINGRP** is a user group created in AAD that contains users from the Finance organization.+- **Service principal** is the Microsoft Entra service principal associated with the account. +- **FINGRP** is a user group created in Microsoft Entra ID that contains users from the Finance organization. -For instructions on how to create an AAD application (that also creates a Service Principal), see [Create an AAD application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). For instructions on how to create a user group in AAD, see [Managing groups in Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +For instructions on how to create a Microsoft Entra application (that also creates a Service Principal), see [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). For instructions on how to create a user group in Microsoft Entra ID, see [Managing groups in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). Some key points to consider. - The two level folder structure (**/clusters/finance/**) must be created and provisioned with appropriate permissions by the Data Lake Storage admin **before** using the storage account for clusters. This structure isn't created automatically while creating clusters. 
- The example above recommends setting the owning group of **/clusters/finance** as **FINGRP** and permitting **r-x** access to FINGRP to the entire folder hierarchy starting from the root. This ensures that the members of FINGRP can navigate the folder structure starting from root.-- In the case when different AAD Service Principals can create clusters under **/clusters/finance**, the sticky-bit (when set on the **finance** folder) ensures that folders created by one Service Principal cannot be deleted by the other.+- In the case when different Microsoft Entra service principals can create clusters under **/clusters/finance**, the sticky-bit (when set on the **finance** folder) ensures that folders created by one Service Principal cannot be deleted by the other. - Once the folder structure and permissions are in place, HDInsight cluster creation process creates a cluster-specific storage location under **/clusters/finance/**. For example, the storage for a cluster with the name fincluster01 could be **/clusters/finance/fincluster01**. The ownership and permissions for the folders created by HDInsight cluster is shown in the table here. |Folder |Permissions |Owning user |Owning group | Named user | Named user permissions | Named group | Named group permissions | |
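Review bot: the renamed link text "Create a Microsoft Entra application" still points at the fragment `#register-an-application-with-azure-ad-and-create-a-service-principal`; confirm the target page keeps that anchor after its own heading rename, otherwise the link will land at the top of the page instead of the section.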
hdinsight | Hdinsight Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-overview.md | Azure HDInsight is a full-spectrum, managed cluster platform which simplifies ru ||| |Cloud native | Azure HDInsight enables you to create optimized clusters for Spark, [Interactive query (LLAP)](./interactive-query/apache-interactive-query-get-started.md), Kafka, HBase and Hadoop on Azure. HDInsight also provides an end-to-end SLA on all your production workloads. | |Low-cost and scalable | HDInsight enables you to scale workloads up or down. You can reduce costs by creating clusters on demand and paying only for what you use. You can also build data pipelines to operationalize your jobs. Decoupled compute and storage provide better performance and flexibility. |-|Secure and compliant | HDInsight enables you to protect your enterprise data assets with Azure Virtual Network, encryption, and integration with Azure Active Directory. HDInsight also meets the most popular industry and government compliance standards. | +|Secure and compliant | HDInsight enables you to protect your enterprise data assets with Azure Virtual Network, encryption, and integration with Microsoft Entra ID. HDInsight also meets the most popular industry and government compliance standards. | |Monitoring | Azure HDInsight integrates with Azure Monitor logs to provide a single interface with which you can monitor all your clusters. | |Global availability | HDInsight is available in more regions than any other [big data](#what-is-big-data) analytics offering. Azure HDInsight is also available in Azure Government, China, and Germany, which allows you to meet your enterprise needs in key sovereign areas. | |Productivity | Azure HDInsight enables you to use rich productive tools for Hadoop and Spark with your preferred development environments. These development environments include Visual Studio, VSCode, Eclipse, and IntelliJ for Scala, Python, Java, and .NET support. 
| |
hdinsight | Hdinsight Private Link | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-private-link.md | For more information on setting up a firewall, see [Control network traffic in A ## <a name="deployCluster"></a>Step 4: Deploy private link cluster -At this point, all prerequisites should be taken care of and you're ready to deploy the Private Link cluster. The following diagram shows an example of the networking configuration that's required before you create the cluster. In this example, all outbound traffic is forced to Azure Firewall through a user-defined route. The required outbound dependencies should be allowed on the firewall before cluster creation. For Enterprise Security Package clusters, virtual network peering can provide the network connectivity to Azure Active Directory Domain Services. +At this point, all prerequisites should be taken care of and you're ready to deploy the Private Link cluster. The following diagram shows an example of the networking configuration that's required before you create the cluster. In this example, all outbound traffic is forced to Azure Firewall through a user-defined route. The required outbound dependencies should be allowed on the firewall before cluster creation. For Enterprise Security Package clusters, virtual network peering can provide the network connectivity to Microsoft Entra Domain Services. :::image type="content" source="media/hdinsight-private-link/before-cluster-creation.png" alt-text="Diagram of the Private Link environment before cluster creation."::: |
hdinsight | Hdinsight Sync Aad Users To Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-sync-aad-users-to-cluster.md | Title: Synchronize Azure Active Directory users to HDInsight cluster -description: Synchronize authenticated users from Azure Active Directory to an HDInsight cluster. + Title: Synchronize Microsoft Entra users to HDInsight cluster +description: Synchronize authenticated users from Microsoft Entra ID to an HDInsight cluster. Last updated 02/27/2023 -# Synchronize Azure Active Directory users to an HDInsight cluster +# Synchronize Microsoft Entra users to an HDInsight cluster -[HDInsight clusters with Enterprise Security Package (ESP)](./domain-joined/hdinsight-security-overview.md) can use strong authentication with Azure Active Directory (Azure AD) users, and use *Azure role-based access control (Azure RBAC)* policies. As you add users and groups to Azure AD, you can synchronize the users who need access to your cluster. +[HDInsight clusters with Enterprise Security Package (ESP)](./domain-joined/hdinsight-security-overview.md) can use strong authentication with Microsoft Entra users, and use *Azure role-based access control (Azure RBAC)* policies. As you add users and groups to Microsoft Entra ID, you can synchronize the users who need access to your cluster. ## Prerequisites If you haven't already done so, [create a HDInsight cluster with Enterprise Security Package](./domain-joined/apache-domain-joined-configure-using-azure-adds.md). -## Add new Azure AD users +<a name='add-new-azure-ad-users'></a> ++## Add new Microsoft Entra users To view your hosts, open the Ambari Web UI. Each node is updated with new unattended upgrade settings. -1. From the [Azure portal](https://portal.azure.com), navigate to the Azure AD directory associated with your ESP cluster. +1. From the [Azure portal](https://portal.azure.com), navigate to the Microsoft Entra directory associated with your ESP cluster. 2. 
Select **All users** from the left-hand menu, then select **New user**. The following method uses POST with the Ambari REST API. For more information, s } ``` -1. This result shows that the status is **COMPLETE**, one new user was created, and the user was assigned a membership. In this example, the user is assigned to the "HiveUsers" synchronized LDAP group, since the user was added to that same group in Azure AD. +1. This result shows that the status is **COMPLETE**, one new user was created, and the user was assigned a membership. In this example, the user is assigned to the "HiveUsers" synchronized LDAP group, since the user was added to that same group in Microsoft Entra ID. > [!NOTE] - > The previous method only synchronizes the Azure AD groups specified in the **Access user group** property of the domain settings during cluster creation. For more information, see [create an HDInsight cluster](./domain-joined/apache-domain-joined-configure-using-azure-adds.md). + > The previous method only synchronizes the Microsoft Entra groups specified in the **Access user group** property of the domain settings during cluster creation. For more information, see [create an HDInsight cluster](./domain-joined/apache-domain-joined-configure-using-azure-adds.md). ++<a name='verify-the-newly-added-azure-ad-user'></a> -## Verify the newly added Azure AD user +## Verify the newly added Microsoft Entra user -Open the [Apache Ambari Web UI](hdinsight-hadoop-manage-ambari.md) to verify that the new Azure AD user was added. Access the Ambari Web UI by browsing to **`https://CLUSTERNAME.azurehdinsight.net`**. Enter the cluster administrator username and password. +Open the [Apache Ambari Web UI](hdinsight-hadoop-manage-ambari.md) to verify that the new Microsoft Entra user was added. Access the Ambari Web UI by browsing to **`https://CLUSTERNAME.azurehdinsight.net`**. Enter the cluster administrator username and password. 1. 
From the Ambari dashboard, select **Manage Ambari** under the **admin** menu. Open the [Apache Ambari Web UI](hdinsight-hadoop-manage-ambari.md) to verify tha 3. The new user should be listed within the Users table. The Type is set to `LDAP` rather than `Local`. - :::image type="content" source="./media/hdinsight-sync-aad-users-to-cluster/hdinsight-users-page.png" alt-text="HDInsight aad users page overview"::: + :::image type="content" source="./media/hdinsight-sync-aad-users-to-cluster/hdinsight-users-page.png" alt-text="HDInsight Microsoft Entra users page overview"::: ## Log in to Ambari as the new user -When the new user (or any other domain user) logs in to Ambari, they use their full Azure AD user name and domain credentials. Ambari displays a user alias, which is the display name of the user in Azure AD. +When the new user (or any other domain user) logs in to Ambari, they use their full Microsoft Entra user name and domain credentials. Ambari displays a user alias, which is the display name of the user in Microsoft Entra ID. The new example user has the user name `hiveuser3@contoso.com`. In Ambari, this new user shows up as `hiveuser3` but the user logs into Ambari as `hiveuser3@contoso.com`. ## See also |
hdinsight | Apache Hive Migrate Workloads | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/interactive-query/apache-hive-migrate-workloads.md | This step avoids the query failures, which fail with "Invalid column name" once ## Secure Hive across HDInsight versions -HDInsight optionally integrates with Azure Active Directory using HDInsight Enterprise Security Package (ESP). ESP uses Kerberos and Apache Ranger to manage the permissions of specific resources within the cluster. Ranger policies deployed against Hive in HDInsight 3.6 can be migrated to HDInsight 4.0 with the following steps: +HDInsight optionally integrates with Microsoft Entra ID using HDInsight Enterprise Security Package (ESP). ESP uses Kerberos and Apache Ranger to manage the permissions of specific resources within the cluster. Ranger policies deployed against Hive in HDInsight 3.6 can be migrated to HDInsight 4.0 with the following steps: 1. Navigate to the Ranger Service Manager panel in your HDInsight 3.6 cluster. 1. Navigate to the policy named **HIVE** and export the policy to a json file. |
hdinsight | Apache Hive Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/interactive-query/apache-hive-replication.md | In HDInsight Active Primary – Standby Secondary is a common business continuit ### Hive replication with Enterprise Security Package -In cases where Hive replication is planned on HDInsight Hadoop clusters with Enterprise Security Package, you have to factor in replication mechanisms for Ranger metastore and Azure Active Directory Domain Services (AD DS). +In cases where Hive replication is planned on HDInsight Hadoop clusters with Enterprise Security Package, you have to factor in replication mechanisms for Ranger metastore and Microsoft Entra Domain Services. -Use the Azure AD DS replica sets feature to create more than one Azure AD DS replica set per Azure AD tenant across multiple regions. Each individual replica set needs to be peered with HDInsight VNets in their respective regions. In this configuration, changes to Azure AD DS, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using Azure AD DS replication. +Use the Microsoft Entra Domain Services replica sets feature to create more than one Microsoft Entra Domain Services replica set per Microsoft Entra tenant across multiple regions. Each individual replica set needs to be peered with HDInsight VNets in their respective regions. In this configuration, changes to Microsoft Entra Domain Services, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using Microsoft Entra Domain Services replication. Ranger policies can be periodically backed up and replicated from the primary to the secondary using Ranger Import-Export functionality. 
You can choose to replicate all or a subset of Ranger policies depending on the level of authorizations you are seeking to implement on the secondary cluster. |
hdinsight | Apache Kafka Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/kafka/apache-kafka-get-started.md | To create an Apache Kafka cluster on HDInsight, use the following steps: Select the **Security + networking** tab. -1. For this Quickstart, leave the default security settings. To learn more about Enterprise Security package, visit [Configure a HDInsight cluster with Enterprise Security Package by using Azure Active Directory Domain Services](../domain-joined/apache-domain-joined-configure-using-azure-adds.md). To learn how to use your own key for Apache Kafka Disk Encryption, visit [Customer-managed key disk encryption](../disk-encryption.md) +1. For this Quickstart, leave the default security settings. To learn more about Enterprise Security package, visit [Configure a HDInsight cluster with Enterprise Security Package by using Microsoft Entra Domain Services](../domain-joined/apache-domain-joined-configure-using-azure-adds.md). To learn how to use your own key for Apache Kafka Disk Encryption, visit [Customer-managed key disk encryption](../disk-encryption.md) If you would like to connect your cluster to a virtual network, select a virtual network from the **Virtual network** dropdown. |
hdinsight | Rest Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/kafka/rest-proxy.md | Creating an HDInsight Kafka cluster with REST proxy creates a new public endpoin ### Security -Access to the Kafka REST proxy managed with Azure Active Directory security groups. When creating the Kafka cluster, provide the Azure AD security group with REST endpoint access. Kafka clients that need access to the REST proxy should be registered to this group by the group owner. The group owner can register via the Portal or via PowerShell. +Access to the Kafka REST proxy managed with Microsoft Entra security groups. When creating the Kafka cluster, provide the Microsoft Entra security group with REST endpoint access. Kafka clients that need access to the REST proxy should be registered to this group by the group owner. The group owner can register via the Portal or via PowerShell. For REST proxy endpoint requests, client applications should get an OAuth token. The token uses to verify security group membership. Find a [Client application sample](#client-application-sample) shows how to get an OAuth token. The client application passes the OAuth token in the HTTPS request to the REST proxy. > [!NOTE]-> See [Manage app and resource access using Azure Active Directory groups](../../active-directory/fundamentals/active-directory-manage-groups.md), to learn more about AAD security groups. For more information on how OAuth tokens work, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md). +> See [Manage app and resource access using Microsoft Entra groups](../../active-directory/fundamentals/active-directory-manage-groups.md), to learn more about Microsoft Entra security groups. 
For more information on how OAuth tokens work, see [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md). ## Kafka REST proxy with Network Security Groups If you bring your own VNet and control network traffic with network security groups, allow **inbound** traffic on port **9400** in addition to port 443. This ensures that Kafka REST proxy server is reachable. ## Prerequisites -1. Register an application with Azure AD. The client applications that you write to interact with the Kafka REST proxy uses this application's ID and secret to authenticate to Azure. +1. Register an application with Microsoft Entra ID. The client applications that you write to interact with the Kafka REST proxy uses this application's ID and secret to authenticate to Azure. -1. Create an Azure AD security group. Add the application that you've registered with Azure AD to the security group as a **member** of the group. This security group will be used to control which applications allow to interact with the REST proxy. For more information on creating Azure AD groups, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +1. Create a Microsoft Entra security group. Add the application that you've registered with Microsoft Entra ID to the security group as a **member** of the group. This security group will be used to control which applications allow to interact with the REST proxy. For more information on creating Microsoft Entra groups, see [Create a basic group and add members using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). Validate the group is of type **Security**. 
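Review bot: The renamed Security paragraph still carries two grammar slips that this pass could fix while it is touching the lines: `Access to the Kafka REST proxy managed with Microsoft Entra security groups` needs `is managed`, and the context sentence `The token uses to verify security group membership` should read `The token is used to verify security group membership`. In the Prerequisites hunk, `This security group will be used to control which applications allow to interact with the REST proxy` should be `are allowed to interact`.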
:::image type="content" source="./media/rest-proxy/rest-proxy-group.png" alt-text="Security Group" border="true"::: You can use the Python code to interact with the REST proxy on your Kafka cluste This code does the following action: -1. Fetches an OAuth token from Azure AD. +1. Fetches an OAuth token from Microsoft Entra ID. 1. Shows how to make a request to Kafka REST proxy. For more information about getting OAuth tokens in Python, see [Python AuthenticationContext class](/python/api/adal/adal.authentication_context.authenticationcontext). You might see a delay while `topics` that isn't created or deleted through the Kafka REST proxy are reflected there. This delay is because of cache refresh. The **value** field of the Producer API has been enhanced. Now, it accepts JSON objects and any serialized form. |
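Review bot: The Python sample hunk only renames the token source to Microsoft Entra ID but leaves the pointer to the ADAL `AuthenticationContext` class; ADAL is deprecated and out of support, so `For more information about getting OAuth tokens in Python, see [Python AuthenticationContext class](/python/api/adal/adal.authentication_context.authenticationcontext)` should point at MSAL for Python (`msal.ConfidentialClientApplication.acquire_token_for_client`), and the sample code should be migrated in the same change, otherwise readers following the updated text are sent to a deprecated library to obtain the token.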
hdinsight | Secure Spark Kafka Streaming Integration Scenario | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/kafka/secure-spark-kafka-streaming-integration-scenario.md | In this document, you'll learn how to execute a Spark job in a secure Spark clus **Pre-requisites** -* Create a secure Kafka cluster and secure spark cluster with the same Microsoft Azure Active Directory Domain Services (Azure AD DS) domain and same vnet. If you prefer not to create both clusters in the same vnet, you can create them in two separate vnets and pair the vnets also. If you prefer not to create both clusters in the same vnet. +* Create a secure Kafka cluster and secure spark cluster with the same Microsoft Entra Domain Services domain and same vnet. If you prefer not to create both clusters in the same vnet, you can create them in two separate vnets and pair the vnets also. If you prefer not to create both clusters in the same vnet. * If your clusters are in different vnets, see here [Connect virtual networks with virtual network peering using the Azure portal](../../virtual-network/tutorial-connect-virtual-networks-portal.md) * Create key tabs for two users. For example, `alicetest` and `bobadmin`. From Spark cluster, read from Kafka topic `bobtopic2` as user `bobadmin` is allo ## Next steps -* [Set up TLS encryption and authentication for Apache Kafka in Azure HDInsight](apache-kafka-ssl-encryption-authentication.md) +* [Set up TLS encryption and authentication for Apache Kafka in Azure HDInsight](apache-kafka-ssl-encryption-authentication.md) |
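Review bot: The `+` line of the first prerequisite keeps the dangling fragment `If you prefer not to create both clusters in the same vnet.` at its end, which duplicates the preceding sentence and should be dropped; while on that line, `pair the vnets` should be `peer the vnets`, matching the linked article on virtual network peering.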
hdinsight | Tutorial Cli Rest Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/kafka/tutorial-cli-rest-proxy.md | If you don't have an Azure subscription, create a [free account](https://azure.m ## Prerequisites -* An application registered with Azure AD. The client applications that you write to interact with the Kafka REST proxy will use this application's ID and secret to authenticate to Azure. For more information, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). +* An application registered with Microsoft Entra ID. The client applications that you write to interact with the Kafka REST proxy will use this application's ID and secret to authenticate to Azure. For more information, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). -* An Azure AD security group with your registered application as a member. This security group will be used to control which applications are allowed to interact with the REST proxy. For more information on creating Azure AD groups, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +* A Microsoft Entra security group with your registered application as a member. This security group will be used to control which applications are allowed to interact with the REST proxy. For more information on creating Microsoft Entra groups, see [Create a basic group and add members using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). * Azure CLI. Ensure you have at least version 2.0.79. See [Install the Azure CLI](/cli/azure/install-azure-cli). 
If you don't have an Azure subscription, create a [free account](https://azure.m |storageAccount|Replace STORAGEACCOUNTNAME with a name for your new storage account.| |httpPassword|Replace PASSWORD with a password for the cluster login, **admin**.| |sshPassword|Replace PASSWORD with a password for the secure shell username, **sshuser**.|- |securityGroupName|Replace SECURITYGROUPNAME with the client AAD security group name for Kafka REST Proxy. The variable will be passed to the `--kafka-client-group-name` parameter for `az-hdinsight-create`.| - |securityGroupID|Replace SECURITYGROUPID with the client AAD security group ID for Kafka REST Proxy. The variable will be passed to the `--kafka-client-group-id` parameter for `az-hdinsight-create`.| + |securityGroupName|Replace SECURITYGROUPNAME with the client Microsoft Entra security group name for Kafka REST Proxy. The variable will be passed to the `--kafka-client-group-name` parameter for `az-hdinsight-create`.| + |securityGroupID|Replace SECURITYGROUPID with the client Microsoft Entra security group ID for Kafka REST Proxy. The variable will be passed to the `--kafka-client-group-id` parameter for `az-hdinsight-create`.| |storageContainer|Storage container the cluster will use, leave as-is for this tutorial. This variable will be set with the name of the cluster.| |workernodeCount|Number of worker nodes in the cluster, leave as-is for this tutorial. To guarantee high availability, Kafka requires a minimum of 3 worker nodes| |clusterType|Type of HDInsight cluster, leave as-is for this tutorial.| If you don't have an Azure subscription, create a [free account](https://azure.m |Parameter | Description| ||| |--kafka-management-node-size|The size of the node. This tutorial uses the value **Standard_D4_v2**.|- |--kafka-client-group-id|The client AAD security group ID for Kafka REST Proxy. 
The value is passed from the variable **$securityGroupID**.| - |--kafka-client-group-name|The client AAD security group name for Kafka REST Proxy. The value is passed from the variable **$securityGroupName**.| + |--kafka-client-group-id|The client Microsoft Entra security group ID for Kafka REST Proxy. The value is passed from the variable **$securityGroupID**.| + |--kafka-client-group-name|The client Microsoft Entra security group name for Kafka REST Proxy. The value is passed from the variable **$securityGroupName**.| |--version|The HDInsight cluster version must be at least 4.0. The value is passed from the variable **$clusterVersion**.| |--component-version|The Kafka version must be at least 2.1. The value is passed from the variable **$componentVersion**.| |
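Review bot: Both variable-table rows in this hunk (the renamed `+` lines as well as the context) refer to the command as `az-hdinsight-create`; the Azure CLI command is `az hdinsight create`, and the hyphenated form will not resolve if a reader copies it. Fix the backticked name in the `securityGroupName` and `securityGroupID` rows since the hunk already rewrites them.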
hdinsight | Network Virtual Appliance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/network-virtual-appliance.md | You can optionally enable one or more of the following service endpoints, which || | Azure SQL | | Azure Storage |-| Azure Active Directory | +| Microsoft Entra ID | ### IP address dependencies | **Endpoint** | **Details** | ||| | IPs published [here](hdinsight-management-ip-addresses.md) | These IPs are for HDInsight resource provider and should be included in the UDR to avoid asymmetric routing. This rule is only needed if the ResourceProviderConnection is set to *Inbound*. If the ResourceProviderConnection is set to *Outbound*, then these IPs are not needed in the UDR. |-| AAD-DS private IPs | Only need for ESP clusters, if the VNETs are not peered.| +| Microsoft Entra Domain Services private IPs | Only need for ESP clusters, if the VNETs are not peered.| ### FQDN HTTP/HTTPS dependencies |
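Review bot: The service-endpoint row is renamed to `Microsoft Entra ID`, but the endpoint a reader has to select in the portal or pass to the CLI is still identified as `Microsoft.AzureActiveDirectory`; consider keeping that identifier in parentheses so the renamed display name can be matched to the actual setting. In the IP-dependency hunk, `Only need for ESP clusters` should be `Only needed for ESP clusters`.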
hdinsight | Overview Data Lake Storage Gen1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/overview-data-lake-storage-gen1.md | Data Lake Storage Gen1 containers for data are essentially folders and files. Yo ## Data security in Data Lake Storage Gen1 -Data Lake Storage Gen1 uses Azure Active Directory for authentication and uses access control lists (ACLs) to manage access to your data. +Data Lake Storage Gen1 uses Microsoft Entra ID for authentication and uses access control lists (ACLs) to manage access to your data. | **Feature** | **Description** | | | |-| Authentication |Data Lake Storage Gen1 integrates with Azure Active Directory (Azure AD) for identity and access management for all the data stored in Data Lake Storage Gen1. Because of the integration, Data Lake Storage Gen1 benefits from all Azure AD features. These features include: multifactor authentication, Conditional Access, and Azure role-based access control. Also, application usage monitoring, security monitoring and alerting, and so on. Data Lake Storage Gen1 supports the OAuth 2.0 protocol for authentication within the REST interface. See [Authentication within Azure Data Lake Storage Gen1 using Azure Active Directory](../data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md)| +| Authentication |Data Lake Storage Gen1 integrates with Microsoft Entra ID for identity and access management for all the data stored in Data Lake Storage Gen1. Because of the integration, Data Lake Storage Gen1 benefits from all Microsoft Entra features. These features include: multifactor authentication, Conditional Access, and Azure role-based access control. Also, application usage monitoring, security monitoring and alerting, and so on. Data Lake Storage Gen1 supports the OAuth 2.0 protocol for authentication within the REST interface. 
See [Authentication within Azure Data Lake Storage Gen1 using Microsoft Entra ID](../data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md)| | Access control |Data Lake Storage Gen1 provides access control by supporting POSIX-style permissions that are exposed by the WebHDFS protocol. ACLs can be enabled on the root folder, on subfolders, and on individual files. For more information on how ACLs work in the context of Data Lake Storage Gen1, see [Access control in Data Lake Storage Gen1](../data-lake-store/data-lake-store-access-control.md). | | Encryption |Data Lake Storage Gen1 also provides encryption for data that is stored in the account. You specify the encryption settings while creating a Data Lake Storage Gen1 account. You can choose to have your data encrypted or opt for no encryption. For more information, see [Encryption in Data Lake Storage Gen1](../data-lake-store/data-lake-store-encryption.md). For instructions on how to provide an encryption-related configuration, see [Get started with Azure Data Lake Storage Gen1 using the Azure portal](../data-lake-store/data-lake-store-get-started-portal.md). | |
hdinsight | Overview Data Lake Storage Gen2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/overview-data-lake-storage-gen2.md | Last updated 06/08/2023 # Azure Data Lake Storage Gen2 overview in HDInsight -Azure Data Lake Storage Gen2 takes core features from Azure Data Lake Storage Gen1 and integrates them into Azure Blob storage. These features include a file system that is compatible with Hadoop, Azure Active Directory (Azure AD), and POSIX-based access control lists (ACLs). This combination allows you to take advantage of the performance of Azure Data Lake Storage Gen1. While also using the tiering and data life-cycle management of Blob storage. +Azure Data Lake Storage Gen2 takes core features from Azure Data Lake Storage Gen1 and integrates them into Azure Blob storage. These features include a file system that is compatible with Hadoop, Microsoft Entra ID, and POSIX-based access control lists (ACLs). This combination allows you to take advantage of the performance of Azure Data Lake Storage Gen1. While also using the tiering and data life-cycle management of Blob storage. For more information on Azure Data Lake Storage Gen2, see [Introduction to Azure Data Lake Storage Gen2](../storage/blobs/data-lake-storage-introduction.md). For more information on Azure Data Lake Storage Gen2, see [Introduction to Azure ### Managed identities for secure file access -Azure HDInsight uses managed identities to secure cluster access to files in Azure Data Lake Storage Gen2. Managed identities are a feature of Azure Active Directory that provides Azure services with a set of automatically managed credentials. These credentials can be used to authenticate to any service that supports Active Directory authentication. Using managed identities doesn't require you to store credentials in code or configuration files. +Azure HDInsight uses managed identities to secure cluster access to files in Azure Data Lake Storage Gen2. 
Managed identities are a feature of Microsoft Entra ID that provides Azure services with a set of automatically managed credentials. These credentials can be used to authenticate to any service that supports Active Directory authentication. Using managed identities doesn't require you to store credentials in code or configuration files. For more information, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). |
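Review bot: The rename in the managed-identities paragraph is incomplete: `These credentials can be used to authenticate to any service that supports Active Directory authentication` still says Active Directory, which now reads as on-premises AD rather than the Microsoft Entra token-based authentication that managed identities actually provide. Change it to `supports Microsoft Entra authentication` in the same `+` line.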
hdinsight | Apache Spark Run Machine Learning Automl | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/apache-spark-run-machine-learning-automl.md | You can use Zeppelin notebooks to use AutoML as well. ## Authentication for workspace -Workspace creation and experiment submission require an authentication token. This token can be generated using an [Azure AD application](../../active-directory/develop/app-objects-and-service-principals.md). An [Azure AD user](/azure/developer/python/sdk/authentication-overview) can also be used to generate the required authentication token, if multi-factor authentication isn't enabled on the account. +Workspace creation and experiment submission require an authentication token. This token can be generated using an [Microsoft Entra application](../../active-directory/develop/app-objects-and-service-principals.md). An [Microsoft Entra user](/azure/developer/python/sdk/authentication-overview) can also be used to generate the required authentication token, if multi-factor authentication isn't enabled on the account. -The following code snippet creates an authentication token using an **Azure AD application**. +The following code snippet creates an authentication token using an **Microsoft Entra application**. ```python from azureml.core.authentication import ServicePrincipalAuthentication auth_sp = ServicePrincipalAuthentication( ) ``` -The following code snippet creates an authentication token using an **Azure AD user**. +The following code snippet creates an authentication token using an **Microsoft Entra user**. ```python from azure.common.credentials import UserPassCredentials |
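Review bot: The three renamed lines use the wrong article: `an [Microsoft Entra application]`, `An [Microsoft Entra user]` and `an **Microsoft Entra application**` should all be `a`/`A`, since `Microsoft` starts with a consonant sound (`an Azure AD` was correct before the rename). Separately, the user-based snippet keeps `UserPassCredentials`, a username/password flow that, as the text itself notes, only works when multi-factor authentication is off; it would help to state that the service-principal snippet above is the recommended path and the password flow a fallback.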
hdinsight | Troubleshoot Sqoop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/troubleshoot-sqoop.md | In the example, `/user/yourlongdomainuserna/.staging` displays the truncated 20 The length of the username exceeds 20 characters in length. -Refer to [How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain](../active-directory-domain-services/synchronization.md) for further details. +Refer to [How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain](../active-directory-domain-services/synchronization.md) for further details. ## Workaround |
healthcare-apis | Authentication Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/authentication-authorization.md | - Azure Health Data Services is a collection of secured managed services using [Azure Active Directory (Azure AD)](../active-directory/index.yml), a global identity provider that supports [OAuth 2.0](https://oauth.net/2/). + Azure Health Data Services is a collection of secured managed services using [Microsoft Entra ID](../active-directory/index.yml), a global identity provider that supports [OAuth 2.0](https://oauth.net/2/). For Azure Health Data Services to access Azure resources, such as storage accounts and event hubs, you must **enable the system managed identity**, and **grant proper permissions** to the managed identity. For more information, see [Azure managed identities](../active-directory/managed-identities-azure-resources/overview.md). Azure Health Data Services doesn't support other identity providers. However, you can use their own identity provider to secure applications, and enable them to interact with the Health Data Services by managing client applications and user data access controls. -The client applications are registered in the Azure AD and can be used to access the Azure Health Data Services. User data access controls are done in the applications or services that implement business logic. +The client applications are registered in the Microsoft Entra ID and can be used to access the Azure Health Data Services. User data access controls are done in the applications or services that implement business logic. 
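Review bot: The `+` line `The client applications are registered in the Microsoft Entra ID and can be used to access the Azure Health Data Services` introduces a stray definite article; `Microsoft Entra ID` is a product name, so it should read `registered in Microsoft Entra ID`. The same applies wherever `the Azure AD` was search-and-replaced.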
### Application roles The MedTech service doesn't require application roles, but it does rely on the " ## Authorization -After being granted with proper application roles, the authenticated users and client applications can access Azure Health Data Services by obtaining a **valid access token** issued by Azure AD, and perform specific operations defined by the application roles. +After being granted with proper application roles, the authenticated users and client applications can access Azure Health Data Services by obtaining a **valid access token** issued by Microsoft Entra ID, and perform specific operations defined by the application roles. * For FHIR service, the access token is specific to the service or resource. * For DICOM service, the access token is granted to the `dicom.healthcareapis.azure.com` resource, not a specific service. After being granted with proper application roles, the authenticated users and c ### Steps for authorization -There are two common ways to obtain an access token, outlined in detail by the Azure AD documentation: [authorization code flow](../active-directory/develop/v2-oauth2-auth-code-flow.md) and [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). +There are two common ways to obtain an access token, outlined in detail by the Microsoft Entra documentation: [authorization code flow](../active-directory/develop/v2-oauth2-auth-code-flow.md) and [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). Here's how an access token for Azure Health Data Services is obtained using **authorization code flow**: -1. **The client sends a request to the Azure AD authorization endpoint.** Azure AD redirects the client to a sign-in page where the user authenticates using appropriate credentials (for example: username and password, or a two-factor authentication). 
**Upon successful authentication, an authorization code is returned to the client.** Azure AD only allows this authorization code to be returned to a registered reply URL configured in the client application registration. +1. **The client sends a request to the Microsoft Entra authorization endpoint.** Microsoft Entra ID redirects the client to a sign-in page where the user authenticates using appropriate credentials (for example: username and password, or a two-factor authentication). **Upon successful authentication, an authorization code is returned to the client.** Microsoft Entra-only allows this authorization code to be returned to a registered reply URL configured in the client application registration. -2. **The client application exchanges the authorization code for an access token at the Azure AD token endpoint.** When the client application requests a token, the application may have to provide a client secret (which you can add during application registration). +2. **The client application exchanges the authorization code for an access token at the Microsoft Entra token endpoint.** When the client application requests a token, the application may have to provide a client secret (which you can add during application registration). 3. **The client makes a request to the Azure Health Data Services**, for example, a `GET` request to search all patients in the FHIR service. The request **includes the access token in an `HTTP` request header**, for example, **`Authorization: Bearer xxx`**. Use online tools such as [https://jwt.ms](https://jwt.ms/) to view the token con |**Claim type** |**Value** |**Notes** | |||-| |aud |https://xxx.fhir.azurehealthcareapis.com|Identifies the intended recipient of the token. In `id_tokens`, the audience is your app's Application ID, assigned to your app in the Azure portal. 
Your app should validate this value and reject the token if the value doesnΓÇÖt match.|-|iss |https://sts.windows.net/{tenantid}/|Identifies the security token service (STS) that constructs and returns the token, and the Azure AD tenant in which the user was authenticated. If the token was issued by the v2.0 endpoint, the URI ends in `/v2.0`. The GUID that indicates that the user is a consumer user from a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. Your app should use the GUID portion of the claim to restrict the set of tenants that can sign in to the app, if it's applicable.| +|iss |https://sts.windows.net/{tenantid}/|Identifies the security token service (STS) that constructs and returns the token, and the Microsoft Entra tenant in which the user was authenticated. If the token was issued by the v2.0 endpoint, the URI ends in `/v2.0`. The GUID that indicates that the user is a consumer user from a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. Your app should use the GUID portion of the claim to restrict the set of tenants that can sign in to the app, if it's applicable.| |iat |(time stamp) |"Issued At" indicates when the authentication for this token occurred.| |nbf |(time stamp) |The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.| |exp |(time stamp) |The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. Note that a resource may reject the token before this time, for example if a change in authentication is required, or a token revocation has been detected.|-|aio |E2ZgYxxx |An internal claim used by Azure AD to record data for token reuse. Should be ignored.| -|appid |e97e1b8c-xxx |The application ID of the client using the token. The application can act as itself or on behalf of a user. 
The application ID typically represents an application object, but it can also represent a service principal object in Azure AD.| +|aio |E2ZgYxxx |An internal claim used by Microsoft Entra ID to record data for token reuse. Should be ignored.| +|appid |e97e1b8c-xxx |The application ID of the client using the token. The application can act as itself or on behalf of a user. The application ID typically represents an application object, but it can also represent a service principal object in Microsoft Entra ID.| |appidacr |1 |Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2.|-|idp |https://sts.windows.net/{tenantid}/|Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account isnΓÇÖt in the same tenant as the issuer - guests, for instance. If the claim isnΓÇÖt present, it means that the value of iss can be used instead. For personal accounts being used in an organizational context (for instance, a personal account invited to an Azure AD tenant), the idp claim may be 'live.com' or an STS URI containing the Microsoft account tenant 9188040d-6c67-4c5b-b112-36a304b66dad.| +|idp |https://sts.windows.net/{tenantid}/|Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account isnΓÇÖt in the same tenant as the issuer - guests, for instance. If the claim isnΓÇÖt present, it means that the value of iss can be used instead. 
For personal accounts being used in an organizational context (for instance, a personal account invited to a Microsoft Entra tenant), the idp claim may be 'live.com' or an STS URI containing the Microsoft account tenant 9188040d-6c67-4c5b-b112-36a304b66dad.| |oid |For example, tenantid |The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user receives the same value in the oid claim. The Microsoft Graph returns this ID as the ID property for a given user account. Because the oid allows multiple apps to correlate users, the profile scope is required to receive this claim. Note: If a single user exists in multiple tenants, the user contains a different object ID in each tenant - theyΓÇÖre considered different accounts, even though the user logs into each account with the same credentials.| |rh |0.ARoxxx |An internal claim used by Azure to revalidate tokens. It should be ignored.| |sub |For example, tenantid |The principle about which the token asserts information, such as the user of an app. This value is immutable and canΓÇÖt be reassigned or reused. The subject is a pairwise identifier - itΓÇÖs unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps receive two different values for the subject claim. You may or may not desire this result depending on your architecture and privacy requirements.|-|tid |For example, tenantid |A GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim. 
+|tid |For example, tenantid |A GUID that represents the Microsoft Entra tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim. |uti |bY5glsxxx |An internal claim used by Azure to revalidate tokens. It should be ignored.| |ver |1 |Indicates the version of the token.| **The access token is valid for one hour by default. You can obtain a new token or renew it using the refresh token before it expires.** -To obtain an access token, you can use tools such as Postman, the REST Client extension in Visual Studio Code, PowerShell, CLI, curl, and the [Azure AD authentication libraries](../active-directory/develop/reference-v2-libraries.md). +To obtain an access token, you can use tools such as Postman, the REST Client extension in Visual Studio Code, PowerShell, CLI, curl, and the [Microsoft Entra authentication libraries](../active-directory/develop/reference-v2-libraries.md). ## Encryption |
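Review bot: The authorization-flow `+` line now reads `Microsoft Entra-only allows this authorization code to be returned to a registered reply URL`; the rename dropped `ID` and fused the hyphen, so it should be `Microsoft Entra ID only allows`. Two pre-existing issues in the claims table are worth fixing in the same hunk: the `aud` row explains the audience in terms of an `id_token` (`the audience is your app's Application ID`) while the example value `https://xxx.fhir.azurehealthcareapis.com` is an access-token audience naming the FHIR service, which is what the service validates; and `The principle about which the token asserts information` in the `sub` row should be `principal`.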
healthcare-apis | Azure Active Directory Identity Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/azure-active-directory-identity-configuration.md | Title: Azure Active Directory identity configuration for Azure API for FHIR + Title: Microsoft Entra identity configuration for Azure API for FHIR description: Learn the principles of identity, authentication, and authorization for Azure FHIR servers. Last updated 9/27/2023 -# Azure Active Directory identity configuration for Azure API for FHIR +# Microsoft Entra identity configuration for Azure API for FHIR [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] -When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/) is secured using [Azure Active Directory](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. This article provides an overview of FHIR server authorization and the steps needed to obtain a token to access a FHIR server. While these steps apply to any FHIR server and any identity provider, we'll walk through Azure API for FHIR as the FHIR server and Azure Active Directory (Azure AD) as our identity provider in this article. +When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/) is secured using [Microsoft Entra ID](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. 
This article provides an overview of FHIR server authorization and the steps needed to obtain a token to access a FHIR server. While these steps apply to any FHIR server and any identity provider, we'll walk through Azure API for FHIR as the FHIR server and Microsoft Entra ID as our identity provider in this article. ## Access control overview For example like when you use [authorization code flow](../../active-directory/d ![FHIR Authorization](media/azure-ad-hcapi/fhir-authorization.png) -1. The client sends a request to the `/authorize` endpoint of Azure AD. Azure AD will redirect the client to a sign-in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. Azure AD will only allow this authorization code to be returned to a registered reply URL configured in the client application registration. -1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Azure AD. When you request a token, the client application may have to provide a client secret (the applications password). See details on [obtaining an access token](../../active-directory/develop/v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). +1. The client sends a request to the `/authorize` endpoint of Microsoft Entra ID. Microsoft Entra ID will redirect the client to a sign-in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. 
Microsoft Entra ID will only allow this authorization code to be returned to a registered reply URL configured in the client application registration. +1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Microsoft Entra ID. When you request a token, the client application may have to provide a client secret (the applications password). See details on [obtaining an access token](../../active-directory/develop/v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). 1. The client makes a request to Azure API for FHIR, for example `GET /Patient`, to search all patients. When the client makes the request, it includes the access token in an HTTP request header, for example `Authorization: Bearer eyJ0e...`, where `eyJ0e...` represents the Base64 encoded access token. 1. Azure API for FHIR validates that the token contains appropriate claims (properties in the token). If everything checks out, it will complete the request and return a FHIR bundle with results to the client. -It's important to note that Azure API for FHIR isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Azure AD. Azure API for FHIR simply validates that the token is signed correctly (it's authentic) and that it has appropriate claims. +It's important to note that Azure API for FHIR isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Microsoft Entra ID. Azure API for FHIR simply validates that the token is signed correctly (it's authentic) and that it has appropriate claims. ## Structure of an access token The token can be decoded and inspected with tools such as [https://jwt.ms](https ## Obtaining an access token -As mentioned, there are several ways to obtain a token from Azure AD. They're described in detail in the [Azure AD developer documentation](../../active-directory/develop/index.yml). 
+As mentioned, there are several ways to obtain a token from Microsoft Entra ID. They're described in detail in the [Microsoft Entra developer documentation](../../active-directory/develop/index.yml). Use either of the following authentication protocols: * [Authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md). * [Client credentials flow](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). -There are other variations (for example due to flow) for obtaining a token. Refer to the [Azure AD documentation](../../active-directory/index.yml) for details. When you use Azure API for FHIR, there are some shortcuts for obtaining an access token (such as for debugging purposes) [using the Azure CLI](get-healthcare-apis-access-token-cli.md). +There are other variations (for example due to flow) for obtaining a token. Refer to the [Microsoft Entra documentation](../../active-directory/index.yml) for details. When you use Azure API for FHIR, there are some shortcuts for obtaining an access token (such as for debugging purposes) [using the Azure CLI](get-healthcare-apis-access-token-cli.md). ## Next steps -In this document, you learned some of the basic concepts involved in securing access to the Azure API for FHIR using Azure AD. For information about how to deploy the Azure API for FHIR service, see +In this document, you learned some of the basic concepts involved in securing access to the Azure API for FHIR using Microsoft Entra ID. For information about how to deploy the Azure API for FHIR service, see >[!div class="nextstepaction"] >[Deploy Azure API for FHIR](fhir-paas-portal-quickstart.md) -FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. +FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. |
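Review bot: the rewritten step 2 in the access-control walkthrough still says "a client secret (the applications password)"; since the line is being touched for the Entra rename anyway, make it "the application's password". The rest of the hunk keeps the important security statement intact (Azure API for FHIR neither validates credentials nor issues tokens, it only checks the signature and claims), and the `/authorize` and `/token` links correctly stay on their existing `../../active-directory/develop/` paths, which were not renamed.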
healthcare-apis | Azure Api Fhir Access Token Validation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/azure-api-fhir-access-token-validation.md | How Azure API for FHIR validates the access token will depend on implementation ## Validate token has no issues with identity provider -The first step in the token validation is to verify that the token was issued by the correct identity provider and that it hasn't been modified. The FHIR server will be configured to use a specific identity provider known as the authority `Authority`. The FHIR server will retrieve information about the identity provider from the `/.well-known/openid-configuration` endpoint. When you use Azure Active Directory (Azure AD), the full URL is: +The first step in the token validation is to verify that the token was issued by the correct identity provider and that it hasn't been modified. The FHIR server will be configured to use a specific identity provider known as the authority `Authority`. The FHIR server will retrieve information about the identity provider from the `/.well-known/openid-configuration` endpoint. When you use Microsoft Entra ID, the full URL is: ``` GET https://login.microsoftonline.com/<TENANT-ID>/.well-known/openid-configuration ``` -where `<TENANT-ID>` is the specific Azure AD tenant (either a tenant ID or a domain name). +where `<TENANT-ID>` is the specific Microsoft Entra tenant (either a tenant ID or a domain name). -Azure AD will return a document like this one to the FHIR server. +Microsoft Entra ID will return a document like this one to the FHIR server. ```json { When you use Azure API for FHIR, the server will validate: 1. The token has the right `Audience` (`aud` claim). 1. The user or principal that the token was issued for is allowed to access the FHIR server data plane. The `oid` claim of the token contains an identity object ID, which uniquely identifies the user or principal. 
-We recommend that the FHIR service be [configured to use Azure RBAC](configure-azure-rbac.md) to manage data plane role assignments. However, you can also [configure local RBAC](configure-local-rbac.md) if your FHIR service uses an external or secondary Azure AD tenant. +We recommend that the FHIR service be [configured to use Azure RBAC](configure-azure-rbac.md) to manage data plane role assignments. However, you can also [configure local RBAC](configure-local-rbac.md) if your FHIR service uses an external or secondary Microsoft Entra tenant. When you use the OSS Microsoft FHIR server for Azure, the server will validate: Now that you know how to walk through token validation, you can complete the tut >[!div class="nextstepaction"] >[Web application tutorial](tutorial-web-app-fhir-server.md) -FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. +FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. |
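Review bot: the rewritten opening paragraph of "Validate token has no issues with identity provider" still reads "known as the authority `Authority`", which looks like a duplicated word; suggest "known as the `Authority`". The `<TENANT-ID>` placeholder and the `/.well-known/openid-configuration` discovery URL under `login.microsoftonline.com` are left unchanged, which is correct, since only the product name changed and not the endpoint the FHIR server uses to fetch signing keys.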
healthcare-apis | Azure Api For Fhir Additional Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/azure-api-for-fhir-additional-settings.md | For more information on how to change the default settings, see [configure datab ## Access control -Azure API for FHIR will only allow authorized users to access the FHIR API. You can configure authorized users through two different mechanisms. The primary and recommended way to configure access control is using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml), which is accessible through the **Access control (IAM)** blade. Azure RBAC only works if you want to secure data plane access using the Azure Active Directory tenant associated with your subscription. If you wish to use a different tenant, the Azure API for FHIR offers a local FHIR data plane access control mechanism. The configuration options aren't as rich when using the local RBAC mechanism. For details, choose one of the following options: +Azure API for FHIR will only allow authorized users to access the FHIR API. You can configure authorized users through two different mechanisms. The primary and recommended way to configure access control is using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml), which is accessible through the **Access control (IAM)** blade. Azure RBAC only works if you want to secure data plane access using the Microsoft Entra tenant associated with your subscription. If you wish to use a different tenant, the Azure API for FHIR offers a local FHIR data plane access control mechanism. The configuration options aren't as rich when using the local RBAC mechanism. For details, choose one of the following options: -* [Azure RBAC for FHIR data plane](configure-azure-rbac.md). This is the preferred option when you're using the Azure Active Directory tenant associated with your subscription. 
-* [Local FHIR data plane access control](configure-local-rbac.md). Use this option only when you need to use an external Azure Active Directory tenant for data plane access control. +* [Azure RBAC for FHIR data plane](configure-azure-rbac.md). This is the preferred option when you're using the Microsoft Entra tenant associated with your subscription. +* [Local FHIR data plane access control](configure-local-rbac.md). Use this option only when you need to use an external Microsoft Entra tenant for data plane access control. ## Enable diagnostic logging You may want to enable diagnostic logging as part of your setup to be able to monitor your service and have accurate reporting for compliance purposes. For details on how to set up diagnostic logging, see our [how-to-guide](enable-diagnostic-logging.md) on how to set up diagnostic logging, along with some sample queries. Next check out the series of tutorials to create a web application that reads FH >[!div class="nextstepaction"] >[Deploy JavaScript application](tutorial-web-app-fhir-server.md) -FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. +FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. |
healthcare-apis | Configure Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/configure-azure-rbac.md | -In this article, you'll learn how to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml) to assign access to the Azure API for FHIR data plane. Azure RBAC is the preferred methods for assigning data plane access when data plane users are managed in the Azure Active Directory tenant associated with your Azure subscription. If you're using an external Azure Active Directory tenant, refer to the [local RBAC assignment reference](configure-local-rbac.md). +In this article, you'll learn how to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml) to assign access to the Azure API for FHIR data plane. Azure RBAC is the preferred methods for assigning data plane access when data plane users are managed in the Microsoft Entra tenant associated with your Azure subscription. If you're using an external Microsoft Entra tenant, refer to the [local RBAC assignment reference](configure-local-rbac.md). ## Confirm Azure RBAC mode To use Azure RBAC, your Azure API for FHIR must be configured to use your Azure :::image type="content" source="media/rbac/confirm-azure-rbac-mode.png" alt-text="Confirm Azure RBAC mode"::: -The **Authority** should be set to the Azure Active directory tenant associated with your subscription and there should be no GUIDs in the box labeled **Allowed object IDs**. You'll also notice that the box is disabled and a label indicates that Azure RBAC should be used to assign data plane roles. +The **Authority** should be set to the Microsoft Entra tenant associated with your subscription and there should be no GUIDs in the box labeled **Allowed object IDs**. You'll also notice that the box is disabled and a label indicates that Azure RBAC should be used to assign data plane roles. 
## Assign roles In this article, you learned how to assign Azure roles for the FHIR data plane. >[Configure Private Link](configure-private-link.md) FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. - |
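Review bot: "Azure RBAC is the preferred methods for assigning data plane access" carries a number-agreement error into the added line; make it "the preferred method". The same sentence appears in get-started-with-azure-api-fhir.md in this change set already written as "the preferred method", so the two should be aligned.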
healthcare-apis | Configure Local Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/configure-local-rbac.md | Title: Configure local role-based access control (local RBAC) for Azure API for FHIR -description: This article describes how to configure the Azure API for FHIR to use a secondary Azure AD tenant for data plane +description: This article describes how to configure the Azure API for FHIR to use a secondary Microsoft Entra tenant for data plane ms.devlang: azurecli [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] -This article explains how to configure the Azure API for FHIR to use a secondary Azure Active Directory (Azure AD) tenant for data access. Use this mode only if it isn't possible for you to use the Azure AD tenant associated with your subscription. +This article explains how to configure the Azure API for FHIR to use a secondary Microsoft Entra tenant for data access. Use this mode only if it isn't possible for you to use the Microsoft Entra tenant associated with your subscription. > [!NOTE]-> If your FHIR service is configured to use your primary Azure AD tenant associated with your subscription, [use Azure RBAC to assign data plane roles](configure-azure-rbac.md). +> If your FHIR service is configured to use your primary Microsoft Entra tenant associated with your subscription, [use Azure RBAC to assign data plane roles](configure-azure-rbac.md). ## Add a new service principal or use an existing one -Local RBAC allows you to use a service principal in the secondary Azure AD tenant with your FHIR server. You can create a new service principal through the Azure portal, PowerShell or CLI commands, or use an existing service principal. The process is also known as [application registration](../register-application.md). You can review and modify the service principals through Azure AD from the portal or using scripts. 
+Local RBAC allows you to use a service principal in the secondary Microsoft Entra tenant with your FHIR server. You can create a new service principal through the Azure portal, PowerShell or CLI commands, or use an existing service principal. The process is also known as [application registration](../register-application.md). You can review and modify the service principals through Microsoft Entra ID from the portal or using scripts. The PowerShell and CLI scripts below, which are tested and validated in Visual Studio Code, create a new service principal (or client application), and add a client secret. The service principal ID is used for local RBAC and the application ID and client secret will be used to access the FHIR service later. clientsecret=$(az ad app credential reset --id $appid --append --credential-desc ## Configure local RBAC -You can configure the Azure API for FHIR to use a secondary Azure Active Directory tenant in the **Authentication** blade: +You can configure the Azure API for FHIR to use a secondary Microsoft Entra tenant in the **Authentication** blade: ![Local RBAC assignments](media/rbac/local-rbac-guids.png) -In the authority box, enter a valid secondary Azure Active Directory tenant. Once the tenant has been validated, the **Allowed object IDs** box should be activated and you can enter one or a list of Azure AD service principal object IDs. These IDs can be the identity object IDs of: +In the authority box, enter a valid secondary Microsoft Entra tenant. Once the tenant has been validated, the **Allowed object IDs** box should be activated and you can enter one or a list of Microsoft Entra service principal object IDs. These IDs can be the identity object IDs of: -* An Azure Active Directory user. -* An Azure Active Directory service principal. -* An Azure Active directory security group. +* A Microsoft Entra user. +* A Microsoft Entra service principal. +* A Microsoft Entra security group. 
You can read the article on how to [find identity object IDs](find-identity-object-ids.md) for more details. -After entering the required Azure AD object IDs, select **Save** and wait for changes to be saved before trying to access the data plane using the assigned users, service principals, or groups. The object IDs are granted with all permissions, an equivalent of the "FHIR Data Contributor" role. +After entering the required Microsoft Entra object IDs, select **Save** and wait for changes to be saved before trying to access the data plane using the assigned users, service principals, or groups. The object IDs are granted with all permissions, an equivalent of the "FHIR Data Contributor" role. The local RBAC setting is only visible from the authentication blade; it isn't visible from the Access Control (IAM) blade. > [!NOTE]-> Only a single tenant is supported for RBAC or local RBAC. To disable the local RBAC function, you can change it back to the valid tenant (or primary tenant) associated with your subscription, and remove all Azure AD object IDs in the "Allowed object IDs" box. +> Only a single tenant is supported for RBAC or local RBAC. To disable the local RBAC function, you can change it back to the valid tenant (or primary tenant) associated with your subscription, and remove all Microsoft Entra object IDs in the "Allowed object IDs" box. ## Caching behavior The Azure API for FHIR will cache decisions for up to 5 minutes. If you grant a ## Next steps -In this article, you learned how to assign FHIR data plane access using an external (secondary) Azure Active Directory tenant. Next learn about additional settings for the Azure API for FHIR: +In this article, you learned how to assign FHIR data plane access using an external (secondary) Microsoft Entra tenant. 
Next learn about additional settings for the Azure API for FHIR: >[!div class="nextstepaction"] >[Configure CORS](configure-cross-origin-resource-sharing.md) In this article, you learned how to assign FHIR data plane access using an exter >[Configure Private Link](configure-private-link.md) FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.- |
healthcare-apis | Fhir App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/fhir-app-registration.md | Title: Register the Azure Active Directory apps for Azure API for FHIR + Title: Register the Microsoft Entra apps for Azure API for FHIR description: This tutorial explains which applications need to be registered for Azure API for FHIR and FHIR Server for Azure. -# Register the Azure Active Directory apps for Azure API for FHIR +# Register the Microsoft Entra apps for Azure API for FHIR [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] You have several configuration options to choose from when you're setting up the ## Application registrations -In order for an application to interact with Azure AD, it needs to be registered. In the context of the FHIR server, there are two kinds of application registrations to discuss: +In order for an application to interact with Microsoft Entra ID, it needs to be registered. In the context of the FHIR server, there are two kinds of application registrations to discuss: 1. Resource application registrations. 1. Client application registrations. -**Resource applications** are representations in Azure AD of an API or resource that is secured with Azure AD, specifically it would be the Azure API for FHIR. A resource application for Azure API for FHIR will be created automatically when you provision the service, but if you're using the open-source server, you'll need to [register a resource application](register-resource-azure-ad-client-app.md) in Azure AD. This resource application will have an identifier URI. It's recommended that this URI be the same as the URI of the FHIR server. This URI should be used as the `Audience` for the FHIR server. A client application can request access to this FHIR server when it requests a token. 
+**Resource applications** are representations in Microsoft Entra ID of an API or resource that is secured with Microsoft Entra ID, specifically it would be the Azure API for FHIR. A resource application for Azure API for FHIR will be created automatically when you provision the service, but if you're using the open-source server, you'll need to [register a resource application](register-resource-azure-ad-client-app.md) in Microsoft Entra ID. This resource application will have an identifier URI. It's recommended that this URI be the same as the URI of the FHIR server. This URI should be used as the `Audience` for the FHIR server. A client application can request access to this FHIR server when it requests a token. *Client applications* are registrations of the clients that will be requesting tokens. Often in OAuth 2.0, we distinguish between at least three different types of applications: -1. **Confidential clients**, also known as web apps in Azure AD. Confidential clients are applications that use [authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md) to obtain a token on behalf of a signed in user presenting valid credentials. They're called confidential clients because they're able to hold a secret and will present this secret to Azure AD when exchanging the authentication code for a token. Since confidential clients are able to authenticate themselves using the client secret, they're trusted more than public clients and can have longer lived tokens and be granted a refresh token. Read the details on how to [register a confidential client](register-confidential-azure-ad-client-app.md). Note it's important to register the reply URL at which the client will be receiving the authorization code. +1. **Confidential clients**, also known as web apps in Microsoft Entra ID. 
Confidential clients are applications that use [authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md) to obtain a token on behalf of a signed in user presenting valid credentials. They're called confidential clients because they're able to hold a secret and will present this secret to Microsoft Entra ID when exchanging the authentication code for a token. Since confidential clients are able to authenticate themselves using the client secret, they're trusted more than public clients and can have longer lived tokens and be granted a refresh token. Read the details on how to [register a confidential client](register-confidential-azure-ad-client-app.md). Note it's important to register the reply URL at which the client will be receiving the authorization code. 1. **Public clients**. These are clients that canΓÇÖt keep a secret. Typically this would be a mobile device application or a single page JavaScript application, where a secret in the client could be discovered by a user. Public clients also use authorization code flow, but they aren't allowed to present a secret when obtaining a token and they may have shorter lived tokens and no refresh token. Read the details on how to [register a public client](register-public-azure-ad-client-app.md). 1. Service clients. These clients obtain tokens on behalf of themselves (not on behalf of a user) using the [client credentials flow](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). They typically represent applications that access the FHIR server in a non-interactive way. An example would be an ingestion process. When using a service client, it isn't necessary to start the process of getting a token with a call to the `/authorize` endpoint. A service client can go straight to the `/token` endpoint and present client ID and client secret to obtain a token. 
Read the details on how to [register a service client](register-service-azure-ad-client-app.md) After you've registered your applications, you can deploy Azure API for FHIR. >[!div class="nextstepaction"] >[Deploy Azure API for FHIR](fhir-paas-portal-quickstart.md) -FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. +FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. |
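Review bot: the added "Resource applications" paragraph joins two sentences with a comma ("...secured with Microsoft Entra ID, specifically it would be the Azure API for FHIR"); split it, for example "...secured with Microsoft Entra ID. For this service, that is the Azure API for FHIR." The confidential-client bullet keeps the reminder to register the reply URL that receives the authorization code, which is the security-relevant sentence in this hunk and should stay as written.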
healthcare-apis | Fhir Features Supported | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/fhir-features-supported.md | Azure Cosmos DB is a globally distributed multi-model (NoSQL, MongoDB, and other ## Role-based access control -The FHIR Server uses [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) for access control. Specifically, role-based access control (RBAC) is enforced, if the `FhirServer:Security:Enabled` configuration parameter is set to `true`, and all requests (except `/metadata`) to the FHIR Server must have `Authorization` request header set to `Bearer <TOKEN>`. The token must contain one or more roles as defined in the `roles` claim. A request will be allowed if the token contains a role that allows the specified action on the specified resource. +The FHIR Server uses [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) for access control. Specifically, role-based access control (RBAC) is enforced, if the `FhirServer:Security:Enabled` configuration parameter is set to `true`, and all requests (except `/metadata`) to the FHIR Server must have `Authorization` request header set to `Bearer <TOKEN>`. The token must contain one or more roles as defined in the `roles` claim. A request will be allowed if the token contains a role that allows the specified action on the specified resource. Currently, the allowed actions for a given role are applied *globally* on the API. |
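Review bot: the link text was changed to "Microsoft Entra ID" but the target is still `https://azure.microsoft.com/services/active-directory/`; confirm that URL resolves to the Entra product page or update it, because a renamed label over an old URL is easy to miss. The stray comma in "role-based access control (RBAC) is enforced, if the `FhirServer:Security:Enabled` configuration parameter is set to `true`" should also be removed.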
healthcare-apis | Fhir Paas Portal Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/fhir-paas-portal-quickstart.md | Confirm creation and await FHIR API deployment. ## Additional settings (optional) -You can also select **Next: Additional settings** to view the authentication settings. The default configuration for the Azure API for FHIR is to [use Azure RBAC for assigning data plane roles](configure-azure-rbac.md). When configured in this mode, the "Authority" for the FHIR service will be set to the Azure Active Directory tenant of the subscription: +You can also select **Next: Additional settings** to view the authentication settings. The default configuration for the Azure API for FHIR is to [use Azure RBAC for assigning data plane roles](configure-azure-rbac.md). When configured in this mode, the "Authority" for the FHIR service will be set to the Microsoft Entra tenant of the subscription: :::image type="content" source="media/rbac/confirm-azure-rbac-mode-create.png" alt-text="Default Authentication settings"::: Notice that the box for entering allowed object IDs is grayed out, since we use Azure RBAC for configuring role assignments in this case. -If you wish to configure the FHIR service to use an external or secondary Azure Active Directory tenant, you can change the Authority and enter object IDs for user and groups that should be allowed access to the server. For more information, see the [local RBAC configuration](configure-local-rbac.md) guide. +If you wish to configure the FHIR service to use an external or secondary Microsoft Entra tenant, you can change the Authority and enter object IDs for user and groups that should be allowed access to the server. For more information, see the [local RBAC configuration](configure-local-rbac.md) guide. 
## Fetch FHIR API capability statement In this quickstart guide, you've deployed the Azure API for FHIR into your subsc >[!div class="nextstepaction"] >[Configure Private Link](configure-private-link.md) -FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. +FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. |
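Review bot: "enter object IDs for user and groups" in the rewritten local-RBAC sentence should be "users and groups".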
healthcare-apis | Find Identity Object Ids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/find-identity-object-ids.md | az ad group show --group "mygroup" --query id --out tsv ## Next steps -In this article, you've learned how to find identity object IDs needed to configure the Azure API for FHIR to use an external or secondary Azure Active Directory tenant. Next read about how to use the object IDs to configure local RBAC settings: +In this article, you've learned how to find identity object IDs needed to configure the Azure API for FHIR to use an external or secondary Microsoft Entra tenant. Next read about how to use the object IDs to configure local RBAC settings: >[!div class="nextstepaction"] >[Configure local RBAC settings](configure-local-rbac.md) |
healthcare-apis | Get Started With Azure Api Fhir | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/get-started-with-azure-api-fhir.md | Refer to the steps in the [Quickstart guide](fhir-paas-portal-quickstart.md) for ## Accessing Azure API for FHIR -When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. Azure API for FHIR is secured using [Azure Active Directory (Azure AD)](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. [Azure AD identity configuration for Azure API for FHIR](././../azure-api-for-fhir/azure-active-directory-identity-configuration.md) provides an overview of FHIR server authorization, and the steps needed to obtain a token to access a FHIR server. While these steps apply to any FHIR server and any identity provider, this article will walk you through Azure API for FHIR as the FHIR server and Azure AD as our identity provider. For more information about accessing Azure API for FHIR, see [Access control overview](././../azure-api-for-fhir/azure-active-directory-identity-configuration.md#access-control-overview). +When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. Azure API for FHIR is secured using [Microsoft Entra ID](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. [Microsoft Entra identity configuration for Azure API for FHIR](././../azure-api-for-fhir/azure-active-directory-identity-configuration.md) provides an overview of FHIR server authorization, and the steps needed to obtain a token to access a FHIR server. 
While these steps apply to any FHIR server and any identity provider, this article will walk you through Azure API for FHIR as the FHIR server and Microsoft Entra ID as our identity provider. For more information about accessing Azure API for FHIR, see [Access control overview](././../azure-api-for-fhir/azure-active-directory-identity-configuration.md#access-control-overview). ### Access token validation How Azure API for FHIR validates the access token will depend on implementation ### Register a client application -For an application to interact with Azure AD, it needs to be registered. In the context of the FHIR server, there are two kinds of application registrations: +For an application to interact with Microsoft Entra ID, it needs to be registered. In the context of the FHIR server, there are two kinds of application registrations: - Resource application registrations - Client application registrations -For more information about the two kinds of application registrations, see [Register the Azure Active Directory apps for Azure API for FHIR](fhir-app-registration.md). +For more information about the two kinds of application registrations, see [Register the Microsoft Entra apps for Azure API for FHIR](fhir-app-registration.md). ## Configure Azure RBAC for FHIR -The article [Configure Azure RBAC for FHIR](configure-azure-rbac.md), describes how to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml) to assign access to the Azure API for FHIR data plane. Azure RBAC is the preferred method for assigning data plane access when data plane users are managed in the Azure AD tenant associated with your Azure subscription. If you're using an external Azure AD tenant, refer to the [local RBAC assignment reference](configure-local-rbac.md). 
+The article [Configure Azure RBAC for FHIR](configure-azure-rbac.md), describes how to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml) to assign access to the Azure API for FHIR data plane. Azure RBAC is the preferred method for assigning data plane access when data plane users are managed in the Microsoft Entra tenant associated with your Azure subscription. If you're using an external Microsoft Entra tenant, refer to the [local RBAC assignment reference](configure-local-rbac.md). ## Next steps |
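Review bot: the added line `+The article [Configure Azure RBAC for FHIR](configure-azure-rbac.md), describes how to use ...` keeps a stray comma between the link and `describes`; drop it so the sentence reads `The article [Configure Azure RBAC for FHIR](configure-azure-rbac.md) describes how to use ...`. While this paragraph is being touched, the relative links of the form `././../azure-api-for-fhir/azure-active-directory-identity-configuration.md` in the first hunk go up one directory and back into the same folder; `azure-active-directory-identity-configuration.md` resolves to the same file and is easier to maintain.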
healthcare-apis | Register Confidential Azure Ad Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/register-confidential-azure-ad-client-app.md | Title: Register a confidential client app in Azure AD - Azure API for FHIR -description: Register a confidential client application in Azure Active Directory that authenticates on a user's behalf and requests access to resource applications. + Title: Register a confidential client app in Microsoft Entra ID - Azure API for FHIR +description: Register a confidential client application in Microsoft Entra ID that authenticates on a user's behalf and requests access to resource applications. Last updated 09/27/2023 -# Register a confidential client application in Azure Active Directory for Azure API for FHIR +# Register a confidential client application in Microsoft Entra ID for Azure API for FHIR [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] -In this tutorial, you'll learn how to register a confidential client application in Azure Active Directory (Azure AD). +In this tutorial, you'll learn how to register a confidential client application in Microsoft Entra ID. -A client application registration is an Azure AD representation of an application that can be used to authenticate on behalf of a user and request access to [resource applications](register-resource-azure-ad-client-app.md). A confidential client application is an application that can be trusted to hold a secret and present that secret when requesting access tokens. Examples of confidential applications are server-side applications. +A client application registration is a Microsoft Entra representation of an application that can be used to authenticate on behalf of a user and request access to [resource applications](register-resource-azure-ad-client-app.md). 
A confidential client application is an application that can be trusted to hold a secret and present that secret when requesting access tokens. Examples of confidential applications are server-side applications. To register a new confidential client application, refer to the steps below. ## Register a new application -1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**. +1. In the [Azure portal](https://portal.azure.com), select **Microsoft Entra ID**. 1. Select **App registrations**. Permissions for Azure API for FHIR are managed through RBAC. For more details, v ## Next steps -In this article, you were guided through the steps of how to register a confidential client application in the Azure AD. You were also guided through the steps of how to add API permissions in Azure AD for Azure API for FHIR. Lastly, you were shown how to create an application secret. Furthermore, you can learn how to access your FHIR server using Postman. +In this article, you were guided through the steps of how to register a confidential client application in the Microsoft Entra ID. You were also guided through the steps of how to add API permissions in Microsoft Entra ID for Azure API for FHIR. Lastly, you were shown how to create an application secret. Furthermore, you can learn how to access your FHIR server using Postman. >[!div class="nextstepaction"] >[Access the FHIR service using Postman](./../fhir/use-postman.md) |
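Review bot: the rename in the Next steps paragraph carried the article over, giving `in the Microsoft Entra ID`; drop `the` so it reads `register a confidential client application in Microsoft Entra ID`, matching the other occurrences in this hunk.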
healthcare-apis | Register Public Azure Ad Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/register-public-azure-ad-client-app.md | Title: Register a public client app in Azure AD - Azure API for FHIR -description: This article explains how to register a public client application in Azure Active Directory, in preparation for deploying FHIR API in Azure. + Title: Register a public client app in Microsoft Entra ID - Azure API for FHIR +description: This article explains how to register a public client application in Microsoft Entra ID, in preparation for deploying FHIR API in Azure. Last updated 09/27/2023 -# Register a public client application in Azure Active Directory for Azure API for FHIR +# Register a public client application in Microsoft Entra ID for Azure API for FHIR [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] -In this article, you'll learn how to register a public application in Azure Active Directory (Azure AD). +In this article, you'll learn how to register a public application in Microsoft Entra ID. -Client application registrations are Azure AD representations of applications that can authenticate and ask for API permissions on behalf of a user. Public clients are applications such as mobile applications and single page JavaScript applications that can't keep secrets confidential. The procedure is similar to [registering a confidential client](register-confidential-azure-ad-client-app.md), but since public clients can't be trusted to hold an application secret, there's no need to add one. +Client application registrations are Microsoft Entra representations of applications that can authenticate and ask for API permissions on behalf of a user. Public clients are applications such as mobile applications and single page JavaScript applications that can't keep secrets confidential. 
The procedure is similar to [registering a confidential client](register-confidential-azure-ad-client-app.md), but since public clients can't be trusted to hold an application secret, there's no need to add one. The quickstart provides general information about how to [register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). ## App registrations in Azure portal -1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, select **Azure Active Directory**. +1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, select **Microsoft Entra ID**. -2. In the **Azure Active Directory** blade, select **App registrations**: +2. In the **Microsoft Entra ID** blade, select **App registrations**: ![Azure portal. New App Registration.](media/add-azure-active-directory/portal-aad-new-app-registration.png) Permissions for Azure API for FHIR are managed through RBAC. For more details, v >Use grant_type of client_credentials when trying to otain an access token for Azure API for FHIR using tools such as Postman. For more details, visit [Testing the FHIR API on Azure API for FHIR](tutorial-web-app-test-postman.md). ## Validate FHIR server authority-If the application you registered in this article and your FHIR server are in the same Azure AD tenant, you're good to proceed to the next steps. +If the application you registered in this article and your FHIR server are in the same Microsoft Entra tenant, you're good to proceed to the next steps. -If you configure your client application in a different Azure AD tenant from your FHIR server, you'll need to update the **Authority**. In Azure API for FHIR, you do set the Authority under Settings --> Authentication. Set your Authority to ``https://login.microsoftonline.com/\<TENANT-ID>`. +If you configure your client application in a different Microsoft Entra tenant from your FHIR server, you'll need to update the **Authority**. 
In Azure API for FHIR, you do set the Authority under Settings --> Authentication. Set your Authority to ``https://login.microsoftonline.com/\<TENANT-ID>`. ## Next steps -In this article, you've learned how to register a public client application in Azure AD. Next, test access to your FHIR Server using Postman. +In this article, you've learned how to register a public client application in Microsoft Entra ID. Next, test access to your FHIR Server using Postman. >[!div class="nextstepaction"] >[Access the FHIR service using Postman](./../fhir/use-postman.md) |
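Review bot: the Authority value in the sentence that follows the added `+If you configure your client application in a different Microsoft Entra tenant ...` line is mis-fenced: it opens with two backticks, closes with one, and escapes the angle bracket as `\<TENANT-ID>`; a single-backtick span `https://login.microsoftonline.com/<TENANT-ID>` renders correctly. Since that paragraph is being edited, `you do set the Authority` reads better as `you set the Authority`, and the note above it has a typo, `otain` for `obtain`.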
healthcare-apis | Register Resource Azure Ad Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/register-resource-azure-ad-client-app.md | Title: Register a resource app in Azure AD - Azure API for FHIR -description: Register a resource (or API) app in Azure Active Directory, so that client applications can request access to the resource when authenticating. + Title: Register a resource app in Microsoft Entra ID - Azure API for FHIR +description: Register a resource (or API) app in Microsoft Entra ID, so that client applications can request access to the resource when authenticating. -# Register a resource application in Azure Active Directory for Azure API for FHIR +# Register a resource application in Microsoft Entra ID for Azure API for FHIR [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] -In this article, you'll learn how to register a resource (or API) application in Azure Active Directory (Azure AD). A resource application is an Azure AD representation of the FHIR server API itself and client applications can request access to the resource when authenticating. The resource application is also known as the *audience* in OAuth parlance. +In this article, you'll learn how to register a resource (or API) application in Microsoft Entra ID. A resource application is a Microsoft Entra representation of the FHIR server API itself and client applications can request access to the resource when authenticating. The resource application is also known as the *audience* in OAuth parlance. ## Azure API for FHIR -If you're using the Azure API for FHIR, a resource application is automatically created when you deploy the service. As long as you're using the Azure API for FHIR in the same Azure AD tenant as you're deploying your application, you can skip this how-to-guide and instead deploy your Azure API for FHIR to get started. 
+If you're using the Azure API for FHIR, a resource application is automatically created when you deploy the service. As long as you're using the Azure API for FHIR in the same Microsoft Entra tenant as you're deploying your application, you can skip this how-to-guide and instead deploy your Azure API for FHIR to get started. -If you're using a different Azure AD tenant (not associated with your subscription), you can import the Azure API for FHIR resource application into your tenant with +If you're using a different Microsoft Entra tenant (not associated with your subscription), you can import the Azure API for FHIR resource application into your tenant with PowerShell: ```azurepowershell-interactive If you're using the open source FHIR Server for Azure, follow the steps on the [ ## Next steps -In this article, you've learned how to register a resource application in Azure AD. Next, register your confidential client application. +In this article, you've learned how to register a resource application in Microsoft Entra ID. Next, register your confidential client application. >[!div class="nextstepaction"] >[Register Confidential Client Application](register-confidential-azure-ad-client-app.md) -FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. +FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7. |
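Review bot: the added sentence `A resource application is a Microsoft Entra representation of the FHIR server API itself and client applications can request access to the resource when authenticating.` joins two independent clauses without punctuation; a comma before `and`, or splitting it into two sentences, would help. In the Azure API for FHIR paragraph, `how-to-guide` should be `how-to guide`.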
healthcare-apis | Register Service Azure Ad Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/register-service-azure-ad-client-app.md | Title: Register a service app in Azure AD - Azure API for FHIR -description: Learn how to register a service client application in Azure Active Directory. + Title: Register a service app in Microsoft Entra ID - Azure API for FHIR +description: Learn how to register a service client application in Microsoft Entra ID. Last updated 09/27/2023 -# Register a service client application in Azure Active Directory for Azure API for FHIR +# Register a service client application in Microsoft Entra ID for Azure API for FHIR [!INCLUDE [retirement banner](../includes/healthcare-apis-azure-api-fhir-retirement.md)] -In this article, you'll learn how to register a service client application in Azure Active Directory (Azure AD). Client application registrations are Azure AD representations of applications that can be used to authenticate and obtain tokens. A service client is intended to be used by an application to obtain an access token without interactive authentication of a user. It will have certain application permissions and use an application secret (password) when obtaining access tokens. +In this article, you'll learn how to register a service client application in Microsoft Entra ID. Client application registrations are Microsoft Entra representations of applications that can be used to authenticate and obtain tokens. A service client is intended to be used by an application to obtain an access token without interactive authentication of a user. It will have certain application permissions and use an application secret (password) when obtaining access tokens. Follow these steps to create a new service client. ## App registrations in Azure portal -1. In the [Azure portal](https://portal.azure.com), navigate to **Azure Active Directory**. +1. 
In the [Azure portal](https://portal.azure.com), navigate to **Microsoft Entra ID**. 2. Select **App registrations**. The service client needs a secret (password) to obtain a token. ## Next steps -In this article, you've learned how to register a service client application in Azure AD. Next, test access to your FHIR server using Postman. +In this article, you've learned how to register a service client application in Microsoft Entra ID. Next, test access to your FHIR server using Postman. >[!div class="nextstepaction"] >[Access the FHIR service using Postman](./../fhir/use-postman.md) |
healthcare-apis | Smart On Fhir | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/smart-on-fhir.md | Below tutorials describe steps to enable SMART on FHIR applications with FHIR Se - An instance of the FHIR service - .NET SDK 6.0 - [Enable cross-origin resource sharing (CORS)](configure-cross-origin-resource-sharing.md)-- [Register public client application in Azure AD](/azure/healthcare-apis/azure-api-for-fhir/register-public-azure-ad-client-app)+- [Register public client application in Microsoft Entra ID](/azure/healthcare-apis/azure-api-for-fhir/register-public-azure-ad-client-app) - After registering the application, make note of the applicationId for client application. - Ensure you have access to Azure Subscription of FHIR service, to create resources and add role assignments. Follow the steps listed under section [Manage Users: Assign Users to Role](../.. [Follow the steps](https://aka.ms/azure-health-data-services-smart-on-fhir-sample) under Azure Health Data and AI Samples OSS. This will enable integration of FHIR server with other Azure Services (such as APIM, Azure functions and more). > [!NOTE]-> Samples are open-source code, and you should review the information and licensing terms on GitHub before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate ONC (g)(10) compliance, using Azure Active Directory as the identity provider workflow. +> Samples are open-source code, and you should review the information and licensing terms on GitHub before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. 
These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate ONC (g)(10) compliance, using Microsoft Entra ID as the identity provider workflow. ## SMART on FHIR proxy If you do have administrative privileges, complete the following steps to grant To add yourself or another user as owner of an app: -1. In the Azure portal, go to Azure Active Directory. +1. In the Azure portal, go to Microsoft Entra ID. 2. In the left menu, select **App Registration**. 3. Search for the app registration you created, and then select it. 4. In the left menu, under **Manage**, select **Owners**. To enable the SMART on FHIR proxy in the **Authentication** settings for your Az ![Screenshot shows enabling the SMART on FHIR proxy.](media/tutorial-smart-on-fhir/enable-smart-on-fhir-proxy.png) -The SMART on FHIR proxy acts as an intermediary between the SMART on FHIR app and Azure AD. The authentication reply (the authentication code) must go to the SMART on FHIR proxy instead of the app itself. The proxy then forwards the reply to the app. +The SMART on FHIR proxy acts as an intermediary between the SMART on FHIR app and Microsoft Entra ID. The authentication reply (the authentication code) must go to the SMART on FHIR proxy instead of the app itself. The proxy then forwards the reply to the app. -Because of this two-step relay of the authentication code, you need to set the reply URL (callback) for your Azure AD client application to a URL that is a combination of the reply URL for the SMART on FHIR proxy and the reply URL for the SMART on FHIR app. The combined reply URL takes this form: +Because of this two-step relay of the authentication code, you need to set the reply URL (callback) for your Microsoft Entra client application to a URL that is a combination of the reply URL for the SMART on FHIR proxy and the reply URL for the SMART on FHIR app. 
The combined reply URL takes this form: ```http https://MYFHIRAPI.azurehealthcareapis.com/AadSmartOnFhirProxy/callback/aHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9zYW1wbGVhcHAvaW5kZXguaHRtbA $encodedText = $encodedText.Replace('+','-'); $newReplyUrl = $FhirServerUrl.TrimEnd('/') + "/AadSmartOnFhirProxy/callback/" + $encodedText ``` -Add the reply URL to the public client application that you created earlier for Azure AD: +Add the reply URL to the public client application that you created earlier for Microsoft Entra ID: ![Screenshot show how reply url can be configured for the public client.](media/tutorial-smart-on-fhir/configure-reply-url.png) |
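Review bot: in the rewritten NOTE, `you should review the information and licensing terms on GitHub before using it` refers to the plural `Samples`, so `it` should be `them`; and `using Microsoft Entra ID as the identity provider workflow` reads more clearly as `using Microsoft Entra ID as the identity provider`.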
healthcare-apis | Tutorial Web App Fhir Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/tutorial-web-app-fhir-server.md | In this tutorial, you'll deploy a small JavaScript app, which reads data from a Before starting this set of tutorials, you'll need the following items: 1. An Azure subscription-1. An Azure Active Directory tenant +1. A Microsoft Entra tenant 1. [Postman](https://www.getpostman.com/) installed > [!NOTE]-> For this tutorial, the FHIR service, Azure AD application, and Azure AD users are all in the same Azure AD tenant. If this is not the case, you can still follow along with this tutorial, but may need to dive into some of the referenced documents to do additional steps. +> For this tutorial, the FHIR service, Microsoft Entra application, and Microsoft Entra users are all in the same Microsoft Entra tenant. If this is not the case, you can still follow along with this tutorial, but may need to dive into some of the referenced documents to do additional steps. ## Deploy Azure API for FHIR |
healthcare-apis | Tutorial Web App Public App Reg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/tutorial-web-app-public-app-reg.md | Last updated 09/27/2023 In the previous tutorial, you deployed and set up your Azure API for FHIR. Now that you have your Azure API for FHIR setup, weΓÇÖll register a public client application. You can read through the full [register a public client app](register-public-azure-ad-client-app.md) how-to guide for more details or troubleshooting, but weΓÇÖve called out the major steps for this tutorial in this article. -1. Navigate to Azure Active Directory +1. Navigate to Microsoft Entra ID 1. Select **App Registration** --> **New Registration** 1. Name your application 1. Select **Public client/native (mobile & desktop)** and set the redirect URI to `https://www.getpostman.com/oauth2/callback`. |
healthcare-apis | Tutorial Web App Test Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/tutorial-web-app-test-postman.md | If you do the GET command to retrieve a patient again, you'll see James Tiberiou ## Troubleshooting access issues -If you ran into issues during any of these steps, review the documents we have put together on Azure Active Directory and the Azure API for FHIR. +If you ran into issues during any of these steps, review the documents we have put together on Microsoft Entra ID and the Azure API for FHIR. -* [Azure AD and Azure API for FHIR](azure-active-directory-identity-configuration.md) - This document outlines some of the basic principles of Azure Active Directory and how it interacts with the Azure API for FHIR. +* [Microsoft Entra ID and Azure API for FHIR](azure-active-directory-identity-configuration.md) - This document outlines some of the basic principles of Microsoft Entra ID and how it interacts with the Azure API for FHIR. * [Access token validation](azure-api-fhir-access-token-validation.md) - This how-to guide gives more specific details on access token validation and steps to take to resolve access issues. ## Next Steps Now that you can successfully connect to your client application, youΓÇÖre ready >[Write a web application](tutorial-web-app-write-web-app.md) FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.--- |
healthcare-apis | Tutorial Web App Write Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/tutorial-web-app-write-web-app.md | Once the web application is available, **Go to resource**. Select **App Service Included is the code that you can input into **https://docsupdatetracker.net/index.html**. YouΓÇÖll need to update the following items: * **clientId** - Update with your client application ID. This ID will be the same ID you pulled when retrieving your token-* **authority** - Update with your Azure AD tenant ID +* **authority** - Update with your Microsoft Entra tenant ID * **FHIRendpoint** - Update the FHIRendpoint to have your FHIR service name * **scopes** - Update to reflect the full URL for your audience YouΓÇÖve successfully deployed the Azure API for FHIR, registered a public clien >[Supported Features](fhir-features-supported.md) FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.----- |
healthcare-apis | Configure Azure Rbac Using Scripts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/configure-azure-rbac-using-scripts.md | The API requires the following values: - Scope for Azure Health Data Services to which you grant access permissions. It includes subscription ID, resource group name, and the FHIR or DICOM service instance name. - Role definition ID for roles such as "FHIR Data Contributor" or "DICOM Data Owner". Use `az role definition list --name "<role name>"` to list the role definition IDs. - Service principal ID for the user or the client application.-- Azure AD access token to the `https://management.azure.com/`, not Azure Health Data Services. You can get the access token using an existing tool or using Azure CLI command, `az account get-access-token --resource "https://management.azure.com/"`+- Microsoft Entra access token to the `https://management.azure.com/`, not Azure Health Data Services. You can get the access token using an existing tool or using Azure CLI command, `az account get-access-token --resource "https://management.azure.com/"` - For Azure Health Data Services, the scope includes workspace name and FHIR/DICOM service instance name. ```rest |
healthcare-apis | Configure Azure Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/configure-azure-rbac.md | -In this article, you'll learn how to use [Azure role-based access control (Azure RBAC role)](../role-based-access-control/index.yml) to assign access to the Azure Health Data Services data plane. Azure RBAC role is the preferred methods for assigning data plane access when data plane users are managed in the Azure Active Directory tenant associated with your Azure subscription. +In this article, you'll learn how to use [Azure role-based access control (Azure RBAC role)](../role-based-access-control/index.yml) to assign access to the Azure Health Data Services data plane. Azure RBAC role is the preferred methods for assigning data plane access when data plane users are managed in the Microsoft Entra tenant associated with your Azure subscription. You can complete role assignments through the Azure portal. Note that the FHIR service and DICOM service have defined different application roles. Add or remove one or more roles to manage user access controls. |
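Review bot: the added line keeps two wording problems from the original: `Azure RBAC role is the preferred methods` should be `Azure RBAC is the preferred method`, and the link text `[Azure role-based access control (Azure RBAC role)]` should abbreviate to `(Azure RBAC)`, the form used in the other articles in this set.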
healthcare-apis | Deploy Healthcare Apis Using Bicep | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/deploy-healthcare-apis-using-bicep.md | You can continue to work with JSON ARM templates, or use Bicep to develop your A Using Bicep parameters and variables instead of hard coding names and other values allows you to debug and reuse your Bicep templates. -We first define parameters with the keyword *param* for workspace, FHIR service, DICOM service, MedTech service. Also, we define parameters for Azure subscription and Azure Active Directory (Azure AD) tenant. TheyΓÇÖre used in the CLI command line with the "--parameters" option. +We first define parameters with the keyword *param* for workspace, FHIR service, DICOM service, MedTech service. Also, we define parameters for Azure subscription and Microsoft Entra tenant. TheyΓÇÖre used in the CLI command line with the "--parameters" option. We then define variables for resources with the keyword *var*. Also, we define variables for properties such as the authority and the audience for the FHIR service. TheyΓÇÖre specified and used internally in the Bicep template, and can be used in combination of parameters, Bicep functions, and other variables. Unlike parameters, they arenΓÇÖt used in the CLI command line. |
healthcare-apis | Dicom Register Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicom-register-application.md | Title: Register a client application for the DICOM service in Azure Active Directory -description: How to register a client application for the DICOM service in Azure Active Directory. + Title: Register a client application for the DICOM service in Microsoft Entra ID +description: How to register a client application for the DICOM service in Microsoft Entra ID. In this article, you'll learn how to register a client application for the DICOM ## Register a new application -1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**. +1. In the [Azure portal](https://portal.azure.com), select **Microsoft Entra ID**. 2. Select **App registrations**. [ ![Screen shot of new app registration window.](media/register-application-one.png) ](media/register-application-one.png#lightbox) 3. Select **New registration**. The following steps are required for the DICOM service. In addition, user access Your application registration is now complete. [!INCLUDE [DICOM trademark statement](../includes/healthcare-apis-dicom-trademark.md)]+ |
healthcare-apis | Get Started With Dicom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/get-started-with-dicom.md | Optionally, you can create a [FHIR service](../fhir/fhir-portal-quickstart.md) a ## Access the DICOM service -The DICOM service is secured by Azure Active Directory (Azure AD) that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Azure AD and grant it with the right permissions. +The DICOM service is secured by Microsoft Entra ID that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Microsoft Entra ID and grant it with the right permissions. ### Register a client application You can perform create, read (search), update and delete (CRUD) transactions aga #### Get an access token -You can obtain an Azure AD access token using PowerShell, Azure CLI, REST CLI, or .NET SDK. For more information, see [Get access token](../get-access-token.md). +You can obtain a Microsoft Entra access token using PowerShell, Azure CLI, REST CLI, or .NET SDK. For more information, see [Get access token](../get-access-token.md). #### Access using existing tools |
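Review bot: the added sentence `The DICOM service is secured by Microsoft Entra ID that can't be disabled.` is ambiguous about what can't be disabled; suggest `The DICOM service is secured by Microsoft Entra ID, and this can't be disabled.` Also `grant it with the right permissions` should be `grant it the right permissions`.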
healthcare-apis | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/overview.md | The DICOM service enables organizations to manage medical imaging data with seve ## Prerequisites to deploy the DICOM service -Your organization needs an Azure subscription to configure and run the components required for the DICOM service. By default, the components are created inside of an Azure resource group to simplify management. Additionally, a Microsoft Entra ID account is required. For each instance of the DICOM service, Microsoft creates a combination of isolated and multitenant resources. +Your organization needs an Azure subscription to configure and run the components required for the DICOM service. By default, the components are created inside of an Azure resource group to simplify management. Additionally, a Microsoft Entra account is required. For each instance of the DICOM service, Microsoft creates a combination of isolated and multitenant resources. ## Next steps |
healthcare-apis | Azure Active Directory Identity Configuration Old | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/azure-active-directory-identity-configuration-old.md | Title: Azure Active Directory identity configuration for Azure Health Data Services for FHIR service + Title: Microsoft Entra identity configuration for Azure Health Data Services for FHIR service description: Learn the principles of identity, authentication, and authorization for FHIR service Last updated 06/03/2022 -# Azure Active Directory identity configuration for FHIR service +# Microsoft Entra identity configuration for FHIR service -When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. FHIR service in the Azure Health Data Services is secured using [Azure Active Directory](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. This article provides an overview of FHIR server authorization and the steps needed to obtain a token to access a FHIR server. While these steps will apply to any FHIR server and any identity provider, we'll walk through the FHIR service and Azure Active Directory (Azure AD) as our identity provider in this article. +When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. FHIR service in the Azure Health Data Services is secured using [Microsoft Entra ID](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. This article provides an overview of FHIR server authorization and the steps needed to obtain a token to access a FHIR server. 
While these steps will apply to any FHIR server and any identity provider, we'll walk through the FHIR service and Microsoft Entra ID as our identity provider in this article. ## Access control overview Using [authorization code flow](../../active-directory/develop/v2-oauth2-auth-co ![FHIR Authorization](media/azure-active-directory-fhir-service/fhir-authorization.png) -1. The client sends a request to the `/authorize` endpoint of Azure AD. Azure AD will redirect the client to a sign-in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. Azure AD will only allow this authorization code to be returned to a registered reply URL configured in the client application registration (see below). -1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Azure AD. When requesting a token, the client application may have to provide a client secret (the applications password). See details on [obtaining an access token](../../active-directory/develop/v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). +1. The client sends a request to the `/authorize` endpoint of Microsoft Entra ID. Microsoft Entra ID will redirect the client to a sign-in page where the user will authenticate using appropriate credentials (for example username and password or two-factor authentication). See details on [obtaining an authorization code](../../active-directory/develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. 
Microsoft Entra ID will only allow this authorization code to be returned to a registered reply URL configured in the client application registration (see below). +1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Microsoft Entra ID. When requesting a token, the client application may have to provide a client secret (the applications password). See details on [obtaining an access token](../../active-directory/develop/v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). 1. The client makes a request to the FHIR service, for example `GET /Patient` to search all patients. When making the request, it includes the access token in an HTTP request header, for example `Authorization: Bearer eyJ0e...`, where `eyJ0e...` represents the Base64 encoded access token. 1. The FHIR service validates that the token contains appropriate claims (properties in the token). If everything checks out, it will complete the request and return a FHIR bundle with results to the client. -It's important to note that the FHIR service isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Azure AD. The FHIR service simply validates that the token is signed correctly (it's authentic) and that it has appropriate claims. +It's important to note that the FHIR service isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Microsoft Entra ID. The FHIR service simply validates that the token is signed correctly (it's authentic) and that it has appropriate claims. ## Structure of an access token The token can be decoded and inspected with tools such as [https://jwt.ms](https ## Obtaining an access token -As mentioned above, there are several ways to obtain a token from Azure AD. They're described in detail in the [Azure AD developer documentation](../../active-directory/develop/index.yml). 
+As mentioned above, there are several ways to obtain a token from Microsoft Entra ID. They're described in detail in the [Microsoft Entra developer documentation](../../active-directory/develop/index.yml). Use either of the following authentication protocols: * [Authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md). * [Client credentials flow](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). -There are other variations (for example, on behalf of flow) for obtaining a token. Check the Azure AD documentation for details. When using the FHIR service, there are also some shortcuts for obtaining an access token (for debugging purposes) [using the Azure CLI](get-healthcare-apis-access-token-cli.md). +There are other variations (for example, on behalf of flow) for obtaining a token. Check the Microsoft Entra documentation for details. When using the FHIR service, there are also some shortcuts for obtaining an access token (for debugging purposes) [using the Azure CLI](get-healthcare-apis-access-token-cli.md). ## Next steps -In this document, you learned some of the basic concepts involved in securing access to FHIR service using Azure AD. For information about how to deploy FHIR service, see +In this document, you learned some of the basic concepts involved in securing access to FHIR service using Microsoft Entra ID. For information about how to deploy FHIR service, see >[!div class="nextstepaction"] >[Deploy FHIR service](fhir-portal-quickstart.md) |
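Review bot: the rewritten second step of the access-control list still says "a client secret (the applications password)", missing the possessive apostrophe that the original also lacked; since the line is being rewritten for the Entra rename anyway, make it "the application's password". The rename itself is applied consistently in this file, including the "Microsoft Entra developer documentation" link text, while the link targets (../../active-directory/index.yml, ../../active-directory/develop/index.yml) are unchanged, which is fine provided those paths still resolve after the rename.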
healthcare-apis | Fhir Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/fhir-faq.md | In the managed service, you can't access the underlying data. This is to ensure ### What identity provider do you support? -We support Microsoft Azure Active Directory as the identity provider. +We support Microsoft Entra ID as the identity provider. ### Can I use Azure AD B2C with the FHIR service? |
healthcare-apis | Fhir Features Supported | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/fhir-features-supported.md | All the operations that are supported that extend the REST API. ## Role-based access control -FHIR service uses [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) for access control. +FHIR service uses [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) for access control. ## Service limits |
healthcare-apis | Fhir Portal Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/fhir-portal-quickstart.md | Before you select **Create**, review the properties of the **Basics** and **Addi ## Additional settings (optional) -You can also select the **Additional settings** tab to view the authentication settings. The default configuration for Azure API for FHIR is to **use Azure RBAC for assigning data plane roles**. When it's configured in this mode, the "Authority" for FHIR service will be set to the Azure Active Directory tenant of the subscription. +You can also select the **Additional settings** tab to view the authentication settings. The default configuration for Azure API for FHIR is to **use Azure RBAC for assigning data plane roles**. When it's configured in this mode, the "Authority" for FHIR service will be set to the Microsoft Entra tenant of the subscription. [ ![Additional settings FHIR service](media/fhir-service/additional-settings-tab.png) ](media/fhir-service/additional-settings-tab.png#lightbox) Notice that the box for entering **Allowed object IDs** is grayed out. This is because we use Azure RBAC for configuring role assignments in this case. -If you wish to configure the FHIR service to use an external or secondary Azure Active Directory tenant, you can change the Authority and enter object IDs for user and groups that should be allowed access to the server. +If you wish to configure the FHIR service to use an external or secondary Microsoft Entra tenant, you can change the Authority and enter object IDs for user and groups that should be allowed access to the server. ## Fetch FHIR API capability statement |
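Review bot: the rewritten sentence "enter object IDs for user and groups that should be allowed access to the server" carries over a number-agreement slip from the original; change "user and groups" to "users and groups" while this line is being touched.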
healthcare-apis | Fhir Service Access Token Validation Old | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/fhir-service-access-token-validation-old.md | How the FHIR service in Azure Health Data Services (hereby called FHIR service) ## Validate token has no issues with identity provider -The first step in the token validation is to verify that the token was issued by the correct identity provider and that it hasn't been modified. The FHIR server will be configured to use a specific identity provider known as the authority `Authority`. The FHIR server will retrieve information about the identity provider from the `/.well-known/openid-configuration` endpoint. When you use Azure AD, the full URL would be: +The first step in the token validation is to verify that the token was issued by the correct identity provider and that it hasn't been modified. The FHIR server will be configured to use a specific identity provider known as the authority `Authority`. The FHIR server will retrieve information about the identity provider from the `/.well-known/openid-configuration` endpoint. When you use Microsoft Entra ID, the full URL would be: ``` GET https://login.microsoftonline.com/<TENANT-ID>/.well-known/openid-configuration ``` -where `<TENANT-ID>` is the specific Azure AD tenant (either a tenant ID or a domain name). +where `<TENANT-ID>` is the specific Microsoft Entra tenant (either a tenant ID or a domain name). -Azure AD will return a document like the one below to the FHIR server. +Microsoft Entra ID will return a document like the one below to the FHIR server. ```json { When you use the FHIR service, the server will validate: 1. The token has the right `Audience` (`aud` claim). 1. The user or principal that the token was issued for is allowed to access the FHIR server data plane. The `oid` claim of the token contains an identity object ID, which uniquely identifies the user or principal. 
-We recommend that the FHIR service be configured to use Azure RBAC to manage data plane role assignments. But you can also configure local RBAC if your FHIR service uses an external or secondary Azure Active Directory tenant. +We recommend that the FHIR service be configured to use Azure RBAC to manage data plane role assignments. But you can also configure local RBAC if your FHIR service uses an external or secondary Microsoft Entra tenant. When using the OSS Microsoft FHIR server for Azure, the server will validate: |
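Review bot: the rewritten first paragraph keeps "a specific identity provider known as the authority `Authority`", where the plain word and the code-formatted setting name say the same thing twice; "known as the `Authority`" is enough. The rest of the hunk (the `.well-known/openid-configuration` URL, the `<TENANT-ID>` note, and the Azure RBAC versus local RBAC recommendation) only swaps the product name and reads correctly.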
healthcare-apis | Get Started With Fhir | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/get-started-with-fhir.md | Optionally, you can create a [DICOM service](../dicom/deploy-dicom-services-in-a ## Access the FHIR service -The FHIR service is secured by Azure Active Directory (Azure AD) that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Azure AD and grant it with the right permissions. +The FHIR service is secured by Microsoft Entra ID that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Microsoft Entra ID and grant it with the right permissions. ### Register a client application You can perform create, read (search), update, and delete (CRUD) transactions ag #### Get an access token -You can obtain an Azure AD access token using PowerShell, Azure CLI, REST CCI, or .NET SDK. For more information, see [Get access token](../get-access-token.md). +You can obtain a Microsoft Entra access token using PowerShell, Azure CLI, REST CCI, or .NET SDK. For more information, see [Get access token](../get-access-token.md). #### Access using existing tools |
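Review bot: the rewritten "Get an access token" line still lists "PowerShell, Azure CLI, REST CCI, or .NET SDK"; "REST CCI" is a typo for "REST CLI" (the same list in get-started-with-health-data-services.md reads "REST CLI"), and this rewrite is the place to fix it. In the same hunk, "The FHIR service is secured by Microsoft Entra ID that can't be disabled" attaches "can't be disabled" to the identity provider rather than to the authentication setting; use-postman.md already has the clearer form, "The FHIR service is secured by Microsoft Entra ID. The default authentication can't be disabled." Also "grant it with the right permissions" should be "grant it the right permissions".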
healthcare-apis | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/overview.md | The FHIR service offers the following: - High performance, low latency - Secure management of Protected Health Information (PHI) in a compliant cloud environment - SMART on FHIR for mobile and web clients-- Controlled access to FHIR data at scale with Azure Active Directory Role-Based Access Control (RBAC)+- Controlled access to FHIR data at scale with Microsoft Entra role-Based Access Control (RBAC) - Audit log tracking for access, creation, and modification events within the FHIR service data store The FHIR service allows you to quickly create and deploy a FHIR server to leverage the elastic scale of the cloud for ingesting, persisting, and querying FHIR data. The Azure services that power the FHIR service are designed for high performance no matter how much data you're working with. The FHIR service enables connection with any health data system or application c ### Control Data Access at Scale -With the FHIR service, you control your data ΓÇô at scale. The FHIR service's Role-Based Access Control (RBAC) is rooted in Azure AD identities management, which means you can grant or deny access to health data based on the roles given to individuals in your organization. These RBAC settings for the FHIR service are configurable in Azure Health Data Services at the workspace level. This simplifies system management and guarantees your organization's PHI is safe within a HIPAA and HITRUST-compliant environment. +With the FHIR service, you control your data ΓÇô at scale. The FHIR service's Role-Based Access Control (RBAC) is rooted in Microsoft Entra identities management, which means you can grant or deny access to health data based on the roles given to individuals in your organization. These RBAC settings for the FHIR service are configurable in Azure Health Data Services at the workspace level. 
This simplifies system management and guarantees your organization's PHI is safe within a HIPAA and HITRUST-compliant environment. ### Secure your data As part of the Azure family of services, the FHIR service protects your organiza FHIR servers are essential for interoperability of health data. The FHIR service is designed as a managed FHIR server with a RESTful API for connecting to a broad range of client systems and applications. Some of the key use cases for the FHIR service are listed below: -- **Startup App Development:** Customers developing a patient- or provider-centric app (mobile or web) can leverage FHIR service as a fully managed backend for health data transactions. The FHIR service enables secure transfer of PHI, and with SMART on FHIR, app developers can take advantage of the robust identities management in Azure AD for authorization of FHIR RESTful API actions. +- **Startup App Development:** Customers developing a patient- or provider-centric app (mobile or web) can leverage FHIR service as a fully managed backend for health data transactions. The FHIR service enables secure transfer of PHI, and with SMART on FHIR, app developers can take advantage of the robust identities management in Microsoft Entra ID for authorization of FHIR RESTful API actions. - **Healthcare Ecosystems:** While EHRs exist as the primary ΓÇÿsource of truthΓÇÖ in many clinical settings, it isn't uncommon for providers to have multiple databases that arenΓÇÖt connected to one another (often because the data is stored in different formats). Utilizing the FHIR service as a conversion layer between these systems allows organizations to standardize data in the FHIR format. Ingesting and persisting in FHIR enables health data querying and exchange across multiple disparate systems. |
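Review bot: the new bullet "Controlled access to FHIR data at scale with Microsoft Entra role-Based Access Control (RBAC)" mixes cases in "role-Based"; either keep "Role-Based Access Control (RBAC)", which is what the "Control Data Access at Scale" paragraph below still uses, or write "role-based access control (RBAC)" in lowercase, but not a hybrid. The rewritten paragraph and the Startup App Development bullet also carry over "identities management" (in "rooted in Microsoft Entra identities management" and "robust identities management in Microsoft Entra ID"); the usual phrase is "identity management".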
healthcare-apis | Smart On Fhir | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/smart-on-fhir.md | Below tutorials provide steps to enable SMART on FHIR applications with FHIR Ser - An instance of the FHIR Service - .NET SDK 6.0 - [Enable cross-origin resource sharing (CORS)](configure-cross-origin-resource-sharing.md)-- [Register public client application in Azure AD](/azure/healthcare-apis/azure-api-for-fhir/register-public-azure-ad-client-app)+- [Register public client application in Microsoft Entra ID](/azure/healthcare-apis/azure-api-for-fhir/register-public-azure-ad-client-app) - After registering the application, make note of the applicationId for client application. - Ensure you have access to Azure Subscription of FHIR service, to create resources and add role assignments. Follow the steps listed under section [Manage Users: Assign Users to Role](../.. **[Click on the link](https://github.com/Azure-Samples/azure-health-data-and-ai-samples/tree/main/samples/smartonfhir)** to navigate to Azure Health Data and AI Samples Open source solution. This step listed in the document enables integration of FHIR server with other Azure Services (such as APIM, Azure functions and more). > [!NOTE]-> Samples are open-source code, and you should review the information and licensing terms on GitHub before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate [§170.315(g)(10) Standardized API for patient and population services criterion](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#ccg) compliance, using Azure Active Directory as the identity provider workflow. +> Samples are open-source code, and you should review the information and licensing terms on GitHub before using it. 
They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate [§170.315(g)(10) Standardized API for patient and population services criterion](https://www.healthit.gov/test-method/standardized-api-patient-and-population-services#ccg) compliance, using Microsoft Entra ID as the identity provider workflow. ## SMART on FHIR Proxy <details> If you do have administrative privileges, complete the following steps to grant To add yourself or another user as owner of an app: -1. In the Azure portal, go to Azure Active Directory. +1. In the Azure portal, go to Microsoft Entra ID. 2. In the left menu, select **App Registration**. 3. Search for the app registration you created, and then select it. 4. In the left menu, under **Manage**, select **Owners**. SMART on FHIR requires that `Audience` has an identifier URI equal to the URI of To enable the SMART on FHIR proxy in the **Authentication** settings for your FHIR instance, select the **SMART on FHIR proxy** check box. -The SMART on FHIR proxy acts as an intermediary between the SMART on FHIR app and Azure AD. The authentication reply (the authentication code) must go to the SMART on FHIR proxy instead of the app itself. The proxy then forwards the reply to the app. +The SMART on FHIR proxy acts as an intermediary between the SMART on FHIR app and Microsoft Entra ID. The authentication reply (the authentication code) must go to the SMART on FHIR proxy instead of the app itself. The proxy then forwards the reply to the app. -Because of this two-step relay of the authentication code, you need to set the reply URL (callback) for your Azure AD client application to a URL that is a combination of the reply URL for the SMART on FHIR proxy and the reply URL for the SMART on FHIR app. 
The combined reply URL takes this form: +Because of this two-step relay of the authentication code, you need to set the reply URL (callback) for your Microsoft Entra client application to a URL that is a combination of the reply URL for the SMART on FHIR proxy and the reply URL for the SMART on FHIR app. The combined reply URL takes this form: ```http https://MYFHIRAPI.azurehealthcareapis.com/AadSmartOnFhirProxy/callback/aHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9zYW1wbGVhcHAvaW5kZXguaHRtbA $encodedText = $encodedText.Replace('+','-'); $newReplyUrl = $FhirServerUrl.TrimEnd('/') + "/AadSmartOnFhirProxy/callback/" + $encodedText ``` -Add the reply URL to the public client application that you created earlier for Azure AD +Add the reply URL to the public client application that you created earlier for Microsoft Entra ID <!![Reply URL configured for the public client](media/tutorial-smart-on-fhir/configure-reply-url.png)> |
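Review bot: the rewritten NOTE block keeps "Samples are open-source code, and you should review the information and licensing terms on GitHub before using it", where "it" does not agree with "Samples"; "before using them" fixes it. Further down, the rewritten line "Add the reply URL to the public client application that you created earlier for Microsoft Entra ID" still lacks a terminal period. The reply-URL explanation itself (proxy callback URL built from the Base64-encoded app reply URL, with the `+` to `-` replacement shown in the PowerShell snippet) is unchanged apart from the rename.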
healthcare-apis | Use Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/use-postman.md | In this article, we'll walk through the steps of accessing the Azure Health Data ## Prerequisites * FHIR service deployed in Azure. For information about how to deploy the FHIR service, see [Deploy a FHIR service](fhir-portal-quickstart.md).-* A registered client application to access the FHIR service. For information about how to register a client application, see [Register a service client application in Azure Active Directory](./../register-application.md). +* A registered client application to access the FHIR service. For information about how to register a client application, see [Register a service client application in Microsoft Entra ID](./../register-application.md). * Permissions granted to the client application and your user account, for example, "FHIR Data Contributor", to access the FHIR service. * Postman installed locally. For more information about Postman, see [Get Started with Postman](https://www.getpostman.com/). To access the FHIR service, we'll need to create or update the following variabl * **clientid** ΓÇô Application client registration ID. * **clientsecret** ΓÇô Application client registration secret. * **fhirurl** ΓÇô The FHIR service full URL. For example, `https://xxx.azurehealthcareapis.com`. It's located from the **FHIR service overview** menu option.-* **bearerToken** ΓÇô The variable to store the Azure Active Directory (Azure AD) access token in the script. Leave it blank. +* **bearerToken** ΓÇô The variable to store the Microsoft Entra access token in the script. Leave it blank. > [!NOTE] > Ensure that you've configured the redirect URL, `https://www.getpostman.com/oauth2/callback`, in the client application registration. Enter `{{fhirurl}}/metadata` in the `GET`request, and select `Send`. 
You should [ ![Screenshot of save request.](media/postman/postman-save-request.png) ](media/postman/postman-save-request.png#lightbox) -## Get Azure AD access token +<a name='get-azure-ad-access-token'></a> -The FHIR service is secured by Azure AD. The default authentication can't be disabled. To access the FHIR service, you must get an Azure AD access token first. For more information, see [Microsoft identity platform access tokens](../../active-directory/develop/access-tokens.md). +## Get Microsoft Entra access token ++The FHIR service is secured by Microsoft Entra ID. The default authentication can't be disabled. To access the FHIR service, you must get a Microsoft Entra access token first. For more information, see [Microsoft identity platform access tokens](../../active-directory/develop/access-tokens.md). Create a new `POST` request: Create a new `POST` request: 3. Select the **Test** tab and enter in the text section: `pm.environment.set("bearerToken", pm.response.json().access_token);` To make the value available to the collection, use the pm.collectionVariables.set method. For more information on the set method and its scope level, see [Using variables in scripts](https://learning.postman.com/docs/sending-requests/variables/#defining-variables-in-scripts). 4. Select **Save** to save the settings.-5. Select **Send**. You should see a response with the Azure AD access token, which is saved to the variable `bearerToken` automatically. You can then use it in all FHIR service API requests. +5. Select **Send**. You should see a response with the Microsoft Entra access token, which is saved to the variable `bearerToken` automatically. You can then use it in all FHIR service API requests. 
[ ![Screenshot of send button.](media/postman/postman-send-button.png) ](media/postman/postman-send-button.png#lightbox) You can examine the access token using online tools such as [https://jwt.ms](htt ## Get FHIR resource -After you've obtained an Azure AD access token, you can access the FHIR data. In a new `GET` request, enter `{{fhirurl}}/Patient`. +After you've obtained a Microsoft Entra access token, you can access the FHIR data. In a new `GET` request, enter `{{fhirurl}}/Patient`. Select **Bearer Token** as authorization type. Enter `{{bearerToken}}` in the **Token** section. Select **Send**. As a response, you should see a list of patients in your FHIR resource. Select **Bearer Token** as authorization type. Enter `{{bearerToken}}` in the * ## Create or update your FHIR resource -After you've obtained an Azure AD access token, you can create or update the FHIR data. For example, you can create a new patient or update an existing patient. +After you've obtained a Microsoft Entra access token, you can create or update the FHIR data. For example, you can create a new patient or update an existing patient. Create a new request, change the method to ΓÇ£PostΓÇ¥, and enter the value in the request section. Select **Send**. You should see a new patient in the JSON response. ## Export FHIR data -After you've obtained an Azure AD access token, you can export FHIR data to an Azure storage account. +After you've obtained a Microsoft Entra access token, you can export FHIR data to an Azure storage account. Create a new `GET` request: `{{fhirurl}}/$export?_container=export` |
healthcare-apis | Using Rest Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/using-rest-client.md | In your `test.http` file, include the following information obtained from regist @tenantid =xxx.... ``` -## Get Azure AD Access Token +<a name='get-azure-ad-access-token'></a> ++## Get Microsoft Entra access token After including the information below in your `test.http` file, hit `Send Request`. You'll see an HTTP response that contains your access token. |
healthcare-apis | Get Started With Health Data Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/get-started-with-health-data-services.md | To be guided through these steps, see [Deploy Azure Health Data Services workspa ## User access and permissions -Azure Health Data Services is a collection of secured managed services using Azure Active Directory (Azure AD). For Azure Health Data Services to access Azure resources, such as storage accounts and event hubs, you must enable the system managed identity, and grant proper permissions to the managed identity. Client applications are registered in the Azure AD and can be used to access the Azure Health Data Services. User data access controls are done in the applications or services that implement business logic. +Azure Health Data Services is a collection of secured managed services using Microsoft Entra ID. For Azure Health Data Services to access Azure resources, such as storage accounts and event hubs, you must enable the system managed identity, and grant proper permissions to the managed identity. Client applications are registered in the Microsoft Entra ID and can be used to access the Azure Health Data Services. User data access controls are done in the applications or services that implement business logic. -Authenticated users and client applications of the Azure Health Data Services must be granted with proper [application roles](./../healthcare-apis/authentication-authorization.md#application-roles). After being granted with proper application roles, the [authenticated users and client applications](./../healthcare-apis/authentication-authorization.md#authorization) can access Azure Health Data Services by obtaining a valid [access token](./../healthcare-apis/authentication-authorization.md#access-token) issued by Azure AD, and perform specific operations defined by the application roles. 
For more information, see [Authentication and Authorization for Azure Health Data Services](authentication-authorization.md). +Authenticated users and client applications of the Azure Health Data Services must be granted with proper [application roles](./../healthcare-apis/authentication-authorization.md#application-roles). After being granted with proper application roles, the [authenticated users and client applications](./../healthcare-apis/authentication-authorization.md#authorization) can access Azure Health Data Services by obtaining a valid [access token](./../healthcare-apis/authentication-authorization.md#access-token) issued by Microsoft Entra ID, and perform specific operations defined by the application roles. For more information, see [Authentication and Authorization for Azure Health Data Services](authentication-authorization.md). -Furthermore, to access Azure Health Data Services, you [register a client application](register-application.md) in the Azure AD. It's with these steps that you can find the [application (client) ID](./../healthcare-apis/register-application.md#application-id-client-id), and you can configure the [authentication setting](./../healthcare-apis/register-application.md#authentication-setting-confidential-vs-public) to allow public client flows or to a confidential client application. +Furthermore, to access Azure Health Data Services, you [register a client application](register-application.md) in the Microsoft Entra ID. It's with these steps that you can find the [application (client) ID](./../healthcare-apis/register-application.md#application-id-client-id), and you can configure the [authentication setting](./../healthcare-apis/register-application.md#authentication-setting-confidential-vs-public) to allow public client flows or to a confidential client application. 
As a requirement for the DICOM service (optional for the FHIR service), you configure the user access [API permissions](./../healthcare-apis/register-application.md#api-permissions) or role assignments for Azure Health Data Services that's managed through [Azure role-based access control (Azure RBAC)](configure-azure-rbac.md). As a requirement for the DICOM service (optional for the FHIR service), you conf FHIR service in Azure Health Data Services enables rapid exchange of data through FHIR APIs that's backed by a managed Platform-as-a Service (PaaS) offering in the cloud. It makes it easier for anyone working with health data to ingest, manage, and persist Protected Health Information (PHI) in the cloud. -The FHIR service is secured by Azure AD that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Azure AD and grant it with the right permissions. You can create or register a client application from the [Azure portal](register-application.md), or using PowerShell and Azure CLI scripts. This client application can be used for one or more FHIR service instances. It can also be used for other services in Azure Health Data Services. +The FHIR service is secured by Microsoft Entra ID that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Microsoft Entra ID and grant it with the right permissions. You can create or register a client application from the [Azure portal](register-application.md), or using PowerShell and Azure CLI scripts. This client application can be used for one or more FHIR service instances. It can also be used for other services in Azure Health Data Services. 
You can also do the following: - Grant access permissions For more information, see [Get started with FHIR service](./../healthcare-apis/f DICOM service is a managed service within Azure Health Data Services that ingests and persists DICOM objects at multiple thousands of images per second. It facilitates communication and transmission of imaging data with any DICOMwebΓäó enabled systems or applications via DICOMweb Standard APIs like [Store (STOW-RS)](./../healthcare-apis/dicom/dicom-services-conformance-statement.md#store-stow-rs), [Search (QIDO-RS)](./../healthcare-apis/dicom/dicom-services-conformance-statement.md#search-qido-rs), [Retrieve (WADO-RS)](./../healthcare-apis/dicom/dicom-services-conformance-statement.md#retrieve-wado-rs). -DICOM service is secured by Azure AD that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Azure AD and grant it with the right permissions. You can create or register a client application from the [Azure portal](register-application.md), or using PowerShell and Azure CLI scripts. This client application can be used for one or more DICOM service instances. It can also be used for other services in Azure Health Data Services. +DICOM service is secured by Microsoft Entra ID that can't be disabled. To access the service API, you must create a client application that's also referred to as a service principal in Microsoft Entra ID and grant it with the right permissions. You can create or register a client application from the [Azure portal](register-application.md), or using PowerShell and Azure CLI scripts. This client application can be used for one or more DICOM service instances. It can also be used for other services in Azure Health Data Services. You can also do the following: - Grant access permissions or assign roles from the [Azure portal](./../healthcare-apis/configure-azure-rbac.md), or using PowerShell and Azure CLI scripts. 
- Perform create, read (search), update, and delete (CRUD) transactions against the DICOM service in your applications or by using tools such as Postman, REST Client, cURL, and Python-- Obtain an Azure AD access token using PowerShell, Azure CLI, REST CLI, or .NET SDK+- Obtain a Microsoft Entra access token using PowerShell, Azure CLI, REST CLI, or .NET SDK - Access the DICOM service using tools such as .NET C#, cURL, Python, Postman, and REST Client For more information, see [Get started with the DICOM service](./../healthcare-apis/dicom/get-started-with-dicom.md). |
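Review bot: in the `+` lines for both the FHIR service and DICOM service paragraphs, "secured by Microsoft Entra ID that can't be disabled" reads as though Microsoft Entra ID itself cannot be disabled; the intended point is that the authentication requirement cannot be turned off. Suggest "secured by Microsoft Entra ID, and this protection can't be disabled", and in the same sentences "grant it the right permissions" rather than "grant it with the right permissions".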
healthcare-apis | Device Messages Through Iot Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/iot/device-messages-through-iot-hub.md | To begin deployment in the Azure portal, select the **Deploy to Azure** button: - **Location**: A supported Azure region for Azure Health Data Services (the value can be the same as or different from the region your resource group is in). For a list of Azure regions where Health Data Services is available, see [Products available by regions](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=health-data-services). - - **Fhir Contributor Principal Id** (optional): An Azure Active Directory (Azure AD) user object ID to provide FHIR service read/write permissions. + - **Fhir Contributor Principal Id** (optional): A Microsoft Entra user object ID to provide FHIR service read/write permissions. - You can use this account to give access to the FHIR service to view the FHIR Observations that are generated in this tutorial. We recommend that you use your own Azure AD user object ID so you can access the messages in the FHIR service. If you choose not to use the **Fhir Contributor Principal Id** option, clear the text box. + You can use this account to give access to the FHIR service to view the FHIR Observations that are generated in this tutorial. We recommend that you use your own Microsoft Entra user object ID so you can access the messages in the FHIR service. If you choose not to use the **Fhir Contributor Principal Id** option, clear the text box. - To learn how to get an Azure AD user object ID, see [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id). The user object ID that's used in this tutorial is only an example. If you use this option, use your own user object ID or the object ID of another person who you want to be able to access the FHIR service. 
+ To learn how to get a Microsoft Entra user object ID, see [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id). The user object ID that's used in this tutorial is only an example. If you use this option, use your own user object ID or the object ID of another person who you want to be able to access the FHIR service. - **Device mapping**: Leave the default values for this tutorial. For your MedTech service metrics, you can see that your MedTech service complete ## View test data in the FHIR service -If you provided your own Azure AD user object ID as the optional value for the **Fhir Contributor Principal ID** option in the deployment template, you can query FHIR resources in your FHIR service. +If you provided your own Microsoft Entra user object ID as the optional value for the **Fhir Contributor Principal ID** option in the deployment template, you can query FHIR resources in your FHIR service. -To learn how to get an Azure AD access token and view FHIR resources in your FHIR service, see [Access by using Postman](../fhir/use-postman.md). +To learn how to get a Microsoft Entra access token and view FHIR resources in your FHIR service, see [Access by using Postman](../fhir/use-postman.md). ## Next steps |
healthcare-apis | Frequently Asked Questions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/iot/frequently-asked-questions.md | To learn more about event hub message retention, see [What is the maximum retent \* FHIR destination is a child resource of the MedTech service. +## I'm receiving authentication errors with my MedTech service after moving my Azure subscription to a different Azure tenant. How do I fix this issue? ++If the Azure subscription that your MedTech service was provisioned in has since been moved to a different Azure tenant, you could see failing MedTech service HealthChecks for `ExternalEventHub:IsAuthenticated` and `FhirService:IsAuthenticated`. For guidance on how to view these failed HealthChecks, see [How to enable diagnostic settings for the MedTech service](how-to-enable-diagnostic-settings.md). There are two methods for fixing this issue based on the type of managed identity you're using with your MedTech service: ++1. System-assigned managed identity: If you're using a system-assigned managed identity with your MedTech service, a new identity is created for you through reprovisioning. +2. User-assigned managed identity: If you're using a user-assigned managed identity with your MedTech service, you need to first recreate the identity in the new tenant and update your MedTech service with the new identity **before** reprovisioning. ++In either case, you also need to update the Azure RBAC settings on your [FHIR service and event hub](deploy-manual-portal.md#grant-resource-access-to-the-medtech-service-system-managed-identity) with the new managed identity. For more information on transferring subscriptions to different tenants, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md). + ## Can I use the MedTech service with device messages from Apple®, Google®, or Fitbit® devices? Yes. 
The MedTech service supports device messages from all these vendors through the open-source version of the MedTech service. |
healthcare-apis | Logging | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/logging.md | -The Azure platform provides three types of logs, activity logs, resource logs and Azure Active Directory logs. For more information, see [activity logs](../azure-monitor/essentials/platform-logs-overview.md). In this article, youΓÇÖll learn about how logging works for the Azure Health Data Services. +The Azure platform provides three types of logs, activity logs, resource logs and Microsoft Entra logs. For more information, see [activity logs](../azure-monitor/essentials/platform-logs-overview.md). In this article, youΓÇÖll learn about how logging works for the Azure Health Data Services. ## AuditLogs While activity logs are available for each Azure resource from the Azure portal, Azure Health Data Services emits resource logs, which include two categories of logs, AuditLogs and DiagnosticLogs. For more information about service logs and metrics for the DICOM service and Me >[How to enable diagnostic settings for the MedTech service](./../healthcare-apis/iot/how-to-enable-diagnostic-settings.md) FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.-- |
healthcare-apis | Register Application Cli Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/register-application-cli-rest.md | Title: Register a client application in Azure AD using CLI and REST API - Azure Health Data Services -description: This article describes how to register a client application Azure AD using CLI and REST API. + Title: Register a client application in Microsoft Entra ID using CLI and REST API - Azure Health Data Services +description: This article describes how to register a client application Microsoft Entra ID using CLI and REST API. -In this article, you'll learn how to register a client application in the Azure Active Directory (Azure AD) using Azure Command-Line Interface (CLI) and REST API to access Azure Health Data Services. While you can register a client application using the Azure portal, the scripting approach enables you to test and deploy resources directly. For more information, see [Register a client application with the Azure portal](register-application.md). +In this article, you'll learn how to register a client application in the Microsoft Entra ID using Azure Command-Line Interface (CLI) and REST API to access Azure Health Data Services. While you can register a client application using the Azure portal, the scripting approach enables you to test and deploy resources directly. For more information, see [Register a client application with the Azure portal](register-application.md). You can create a confidential or public client application by following the steps, including some optional steps, one by one or in a combined form. Also, you can define the variables upfront instead of placing them in the middle of the scripts. For more information, see [Azure Health Data Services Samples](https://github.com/microsoft/healthcare-apis-samples/blob/main/src/scripts/appregistrationcli.http). 
Now that you've completed the application registration using CLI and REST API, y ## Next steps -In this article, you learned how to register a client application in Azure AD using CLI and REST API. For information on how to grant permissions for Azure Health Data Services, see +In this article, you learned how to register a client application in Microsoft Entra ID using CLI and REST API. For information on how to grant permissions for Azure Health Data Services, see >[!div class="nextstepaction"] >[Configure RBAC for Azure Health Data Services](configure-azure-rbac.md) |
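Review bot: the `+` description line carries over the original's missing preposition: "register a client application Microsoft Entra ID using CLI and REST API" should read "register a client application in Microsoft Entra ID using CLI and REST API". In the `+` intro line, "in the Microsoft Entra ID" should drop "the": Microsoft Entra ID is a product name, whereas "the Azure Active Directory" was a descriptive phrase, so the article no longer fits.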
healthcare-apis | Register Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/register-application.md | Title: Register a client application in Azure Active Directory for the Azure Health Data Services -description: How to register a client application in the Azure AD and how to add a secret and API permissions to the Azure Health Data Services + Title: Register a client application in Microsoft Entra ID for the Azure Health Data Services +description: How to register a client application in the Microsoft Entra ID and how to add a secret and API permissions to the Azure Health Data Services Last updated 09/02/2022 -# Register a client application in Azure Active Directory +# Register a client application in Microsoft Entra ID -In this article, you'll learn how to register a client application in Azure Active Directory (Azure AD) in order to access Azure Health Data Services. You can find more information on [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). +In this article, you'll learn how to register a client application in Microsoft Entra ID in order to access Azure Health Data Services. You can find more information on [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). ## Register a new application -1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**. +1. In the [Azure portal](https://portal.azure.com), select **Microsoft Entra ID**. 2. Select **App registrations**. [ ![Screen shot of new app registration window.](media/register-application-one.png) ](media/register-application-one.png#lightbox) 3. Select **New registration**. Your application registration is now complete. ## Next steps -In this article, you learned how to register a client application in the Azure AD. 
Additionally, you learned how to add a secret and API permissions to Azure Health Data Services. For more information about Azure Health Data Services, see +In this article, you learned how to register a client application in the Microsoft Entra ID. Additionally, you learned how to add a secret and API permissions to Azure Health Data Services. For more information about Azure Health Data Services, see >[!div class="nextstepaction"] >[Overview of Azure Health Data Services](healthcare-apis-overview.md) |
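Review bot: the `+` description line and the `+` Next steps line both say "in the Microsoft Entra ID"; suggest "in Microsoft Entra ID" in both, matching the renamed title and H1 in the same hunk, which already omit the article.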
healthcare-apis | Workspace Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/workspace-overview.md | One or more workspaces can be created in a resource group from the Azure portal, A workspace can't be deleted unless all child service instances within the workspace have been deleted. This feature helps prevent any accidental deletion of service instances. However, when a workspace resource group is deleted, all the workspaces and child service instances within the workspace resource group get deleted. -Workspace names can be reused in the same Azure subscription, but not in a different Azure subscription, after deletion. However, when the move operation is supported and enabled, workspaces and its child resources can be moved from one subscription to another subscription if certain requirements are met. One requirement is that the two subscriptions must be part of the same Azure Active Directory (Azure AD) tenant. Another requirement is that the Private Link configuration isn't enabled. Names for FHIR services, DICOM services, and MedTech services can be reused in the same or different subscription after deletion if there's no collision with the URLs of any existing services. +Workspace names can be reused in the same Azure subscription, but not in a different Azure subscription, after deletion. However, when the move operation is supported and enabled, workspaces and its child resources can be moved from one subscription to another subscription if certain requirements are met. One requirement is that the two subscriptions must be part of the same Microsoft Entra tenant. Another requirement is that the Private Link configuration isn't enabled. Names for FHIR services, DICOM services, and MedTech services can be reused in the same or different subscription after deletion if there's no collision with the URLs of any existing services. ## Workspace and Azure region selection |
iot-central | Concepts Iiot Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/concepts-iiot-architecture.md | Secure your IIoT solution by using the following IoT Central features: - Create private endpoints to limit and secure industrial assets/gateway connectivity to your Azure IoT Central application with Private Link. -- Ensure safe, secure data exports with Azure Active Directory managed identities.+- Ensure safe, secure data exports with Microsoft Entra managed identities. - Use audit logs to track activity in your IoT Central application. Industrial networks are crucial to the working of a manufacturing facility. With ## Next steps Now that you've learned about IIoT architecture patterns with Azure IoT Central, the suggested next step is to learn about [device connectivity](overview-iot-central-developer.md) in Azure IoT Central.- |
iot-central | Howto Authorize Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-authorize-rest-api.md | This article describes the types of token you can use in the authorization heade To access an IoT Central application using the REST API, you can use an: -- _Azure Active Directory bearer token_. A bearer token is associated with an Azure Active Directory user account or service principal. The token grants the caller the same permissions the user or service principal has in the IoT Central application. +- _Azure Active Directory bearer token_. A bearer token is associated with a Microsoft Entra user account or service principal. The token grants the caller the same permissions the user or service principal has in the IoT Central application. - IoT Central API token. An API token is associated with a role in your IoT Central application. Use a bearer token associated with your user account while you're developing and testing automation and scripts that use the REST API. Use a bearer token that's associated with a service principal for production automation and scripts. Use a bearer token in preference to an API token to reduce the risk of leaks and problems when tokens expire. To learn more about users and roles in IoT Central, see [Manage users and roles ## Get a bearer token -To get a bearer token for your Azure Active Directory user account, use the following Azure CLI commands: +To get a bearer token for your Microsoft Entra user account, use the following Azure CLI commands: ```azurecli az login |
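Review bot: the bullet label `_Azure Active Directory bearer token_` in the `+` line was left unrenamed while the sentence that follows it now says "Microsoft Entra user account"; the parallel bullet in overview-iot-central-security.md in this same change set renames it to `*Microsoft Entra bearer token*`. Suggest the same rename here so the two articles describe the token the same way.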
iot-central | Howto Create And Manage Applications Csp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-create-and-manage-applications-csp.md | When you enter the name for your application, your application URL is autogenera ## Directory -Azure IoT Central knows the customer you selected in the Microsoft Partner Portal, so you see just the Azure Active Directory tenant for that customer in the **Directory** field. +Azure IoT Central knows the customer you selected in the Microsoft Partner Portal, so you see just the Microsoft Entra tenant for that customer in the **Directory** field. -An Azure Active Directory tenant contains user identities, credentials, and other organizational information. Multiple Azure subscriptions can be associated with a single Azure Active Directory tenant. +A Microsoft Entra tenant contains user identities, credentials, and other organizational information. Multiple Azure subscriptions can be associated with a single Microsoft Entra tenant. -To learn more, see [Azure Active Directory](../../active-directory/index.yml). +To learn more, see [Microsoft Entra ID](../../active-directory/index.yml). ## Azure subscription Choose the application template you want to use for your application. Now that you have learned how to create an Azure IoT Central application as a CSP, here's the suggested next step: > [!div class="nextstepaction"]-> [Administer your application](howto-administer.md) +> [Administer your application](howto-administer.md) |
iot-central | Howto Manage Devices In Bulk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-manage-devices-in-bulk.md | You can use Azure IoT Central to manage your connected devices at scale through To learn how to manage jobs by using the IoT Central REST API, see [How to use the IoT Central REST API to manage devices](../core/howto-manage-jobs-with-rest-api.md). > [!TIP]-> When you create a recurring job, sign in to your application using a Microsoft account or Azure Active Directory account. If you sign in using an Azure Active Directory group, it's possible that the Azure Active Directory token associated with the group will expire at some point in the future and cause the job to fail. +> When you create a recurring job, sign in to your application using a Microsoft account or Microsoft Entra account. If you sign in using a Microsoft Entra group, it's possible that the Microsoft Entra token associated with the group will expire at some point in the future and cause the job to fail. ## Create and run a job |
iot-central | Howto Manage Users Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-manage-users-roles.md | To learn how to manage users and roles by using the IoT Central REST API, see [H ## Add users -Every user must have a user account before they can sign in and access an application. IoT Central supports Microsoft user accounts, Azure Active Directory accounts, Azure Active Directory groups, and Azure Active Directory service principals. To learn more, see [Microsoft account help](https://support.microsoft.com/products/microsoft-account?category=manage-account) and [Quickstart: Add new users to Azure Active Directory](../../active-directory/fundamentals/add-users-azure-active-directory.md). +Every user must have a user account before they can sign in and access an application. IoT Central supports Microsoft user accounts, Microsoft Entra accounts, Microsoft Entra groups, and Microsoft Entra service principals. To learn more, see [Microsoft account help](https://support.microsoft.com/products/microsoft-account?category=manage-account) and [Quickstart: Add new users to Microsoft Entra ID](../../active-directory/fundamentals/add-users-azure-active-directory.md). 1. To add a user to an IoT Central application, go to the **Users** page in the **Permissions** section. :::image type="content" source="media/howto-manage-users-roles/manage-users.png" alt-text="Screenshot that shows the manage users page in IoT Central." lightbox="media/howto-manage-users-roles/manage-users.png"::: -1. To add a user on the **Users** page, choose **+ Assign user**. To add a service principal on the **Users** page, choose **+ Assign service principal**. To add an Azure Active Directory group on the **Users** page, choose **+ Assign group**. Start typing the name of the Active Directory group or service principal to auto-populate the form. +1. To add a user on the **Users** page, choose **+ Assign user**. 
To add a service principal on the **Users** page, choose **+ Assign service principal**. To add a Microsoft Entra group on the **Users** page, choose **+ Assign group**. Start typing the name of the Active Directory group or service principal to auto-populate the form. > [!NOTE]- > Service principals and Active Directory groups must belong to the same Azure Active Directory tenant as the Azure subscription associated with the IoT Central application. + > Service principals and Active Directory groups must belong to the same Microsoft Entra tenant as the Azure subscription associated with the IoT Central application. 1. If your application uses [organizations](howto-create-organizations.md), choose an organization to assign to the user from the **Organization** drop-down menu. Every user must have a user account before they can sign in and access an applic When you invite a new user, you need to share the application URL with them and ask them to sign in. After the user has signed in for the first time, the application appears on the user's [My apps](https://apps.azureiotcentral.com/myapps) page. > [!NOTE]- > If a user is deleted from Azure Active Directory and then added back, they won't be able to sign into the IoT Central application. To re-enable access, the application's administrator should delete and re-add the user in the application as well. + > If a user is deleted from Microsoft Entra ID and then added back, they won't be able to sign into the IoT Central application. To re-enable access, the application's administrator should delete and re-add the user in the application as well. 
-The following limitations apply to Azure Active Directory groups and service principals: +The following limitations apply to Microsoft Entra groups and service principals: -- Total number of Azure Active Directory groups for each IoT Central application can't be more than 20.-- Total number of unique Azure Active Directory groups from the same Azure Active Directory tenant can't be more than 200 across all IoT Central applications.-- Service principals that are part of an Azure Active Directory group aren't automatically granted access to the application. The service principals must be added explicitly.+- Total number of Microsoft Entra groups for each IoT Central application can't be more than 20. +- Total number of unique Microsoft Entra groups from the same Microsoft Entra tenant can't be more than 200 across all IoT Central applications. +- Service principals that are part of a Microsoft Entra group aren't automatically granted access to the application. The service principals must be added explicitly. ### Edit the roles and organizations that are assigned to users |
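Review bot: two mentions of "Active Directory group(s)" survive the rename in the `+` lines: "Start typing the name of the Active Directory group or service principal" and the NOTE "Service principals and Active Directory groups must belong to the same Microsoft Entra tenant". Suggest "Microsoft Entra group" and "Microsoft Entra groups" in both places, consistent with the rest of the hunk.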
iot-central | Howto Migrate To Iot Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-migrate-to-iot-hub.md | The tool repository also includes [sample code](https://github.com/Azure/iotc-mi Complete the following setup tasks to prepare for the migration: -### Azure Active Directory application +<a name='azure-active-directory-application'></a> -The migrator tool requires an Azure Active Directory application registration to enable it to authenticate with your Azure subscription: +### Microsoft Entra application -1. Navigate to [Azure portal > Azure Active Directory > App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps). +The migrator tool requires a Microsoft Entra application registration to enable it to authenticate with your Azure subscription: ++1. Navigate to [Azure portal > Microsoft Entra ID > App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps). 1. Select **New Registration**. 1. Enter a name such as "IoTC Migrator app". -1. Select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. +1. Select **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. 1. Select **Single page application (SPA)**. The migrator tool requires an Azure Active Directory application registration to 1. Make a note of the **Application (client) ID** and **Directory (tenant) ID** values. You use these values later to configure the migrator app: - :::image type="content" source="media/howto-migrate-to-iot-hub/azure-active-directory-app.png" alt-text="Screenshot that shows the Azure Active Directory application in the Azure portal." 
lightbox="media/howto-migrate-to-iot-hub/azure-active-directory-app.png"::: + :::image type="content" source="media/howto-migrate-to-iot-hub/azure-active-directory-app.png" alt-text="Screenshot that shows the Microsoft Entra application in the Azure portal." lightbox="media/howto-migrate-to-iot-hub/azure-active-directory-app.png"::: 1. Navigate to the **Manifest** page in the registration and replace the contents of the `requiredResourceAccess` with the following configuration: Download or clone a copy of the migrator tool to your local machine: git clone https://github.com/Azure/iotc-migrator.git ``` -In the root of the downloaded repository, create a *.env* file. Update the `REACT_APP_AAD_APP_CLIENT_ID`, `REACT_APP_AAD_APP_TENANT_ID`, and `REACT_APP_AAD_APP_REDIRECT_URI` values with the values from the Azure Active Directory application registration you created previously. Then save the changes: +In the root of the downloaded repository, create a *.env* file. Update the `REACT_APP_AAD_APP_CLIENT_ID`, `REACT_APP_AAD_APP_TENANT_ID`, and `REACT_APP_AAD_APP_REDIRECT_URI` values with the values from the Microsoft Entra application registration you created previously. Then save the changes: ```txt PORT=3000 REACT_APP_AAD_APP_REDIRECT_URI=http://localhost:3000 ``` > [!TIP]-> Make sure the `REACT_APP_AAD_APP_REDIRECT_URI` matches the redirect URI you used in your Azure Active Directory application registration. +> Make sure the `REACT_APP_AAD_APP_REDIRECT_URI` matches the redirect URI you used in your Microsoft Entra application registration. In your command-line environment, navigate to the root of the `iotc-migrator` repository. Then run the following commands to install the required node.js packages and then run the tool: |
iot-central | Howto Use Audit Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/howto-use-audit-logs.md | The log records changes made by the following types of user: - IoT Central user - the log shows the user's email. - API token - the log shows the token name.-- Azure Active Directory user - the log shows the user email or ID.+- Microsoft Entra user - the log shows the user email or ID. - Service principal - the log shows the service principal name. The log stores data for 30 days, after which it's no longer available. |
iot-central | Iot Central Customer Data Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/iot-central-customer-data-requests.md | Azure IoT Central is a fully managed Internet of Things (IoT) software-as-a-serv ## Identifying customer data -Azure Active Directory Object-IDs are used to identify users and assign roles. The Azure IoT Central portal displays user email addresses for role assignments but only the Azure Active Directory Object-ID is stored, the email address is dynamically queried from Azure Active Directory. Azure IoT Central administrators can view, export, and delete application users in the user administration section of an Azure IoT Central application. +Microsoft Entra Object-IDs are used to identify users and assign roles. The Azure IoT Central portal displays user email addresses for role assignments but only the Microsoft Entra Object-ID is stored, the email address is dynamically queried from Microsoft Entra ID. Azure IoT Central administrators can view, export, and delete application users in the user administration section of an Azure IoT Central application. Within the application, email addresses can be configured to receive alerts. In this case, email addresses are stored within IoT Central and must be managed from the in-app account administration page. |
iot-central | Overview Iot Central Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/overview-iot-central-security.md | In IoT Central, you can configure and manage security in the following areas: ## Manage user access -Every user must have a user account before they can sign in and access an IoT Central application. IoT Central currently supports Microsoft accounts and Azure Active Directory accounts, but not Azure Active Directory groups. +Every user must have a user account before they can sign in and access an IoT Central application. IoT Central currently supports Microsoft accounts and Microsoft Entra accounts, but not Microsoft Entra groups. *Roles* enable you to control who within your organization is allowed to do various tasks in IoT Central. Each role has a specific set of permissions that determine what a user in the role can see and do in the application. There are three built-in roles you can assign to users of your application. You can also create custom roles with specific permissions if you require finer-grained control. Every IoT Central REST API call requires an authorization header that IoT Centra To access an IoT Central application using the REST API, you can use an: -- *Azure Active Directory bearer token*. A bearer token is associated with either an Azure Active Directory user account or a service principal. The token grants the caller the same permissions the user or service principal has in the IoT Central application.+- *Microsoft Entra bearer token*. A bearer token is associated with either a Microsoft Entra user account or a service principal. The token grants the caller the same permissions the user or service principal has in the IoT Central application. - IoT Central API token. An API token is associated with a role in your IoT Central application. To learn more, see [How to authenticate and authorize IoT Central REST API calls](howto-authorize-rest-api.md). 
Audit logs let administrators track activity within your IoT Central application ## Next steps Now that you've learned about security in your Azure IoT Central application, the suggested next step is to learn about [Manage users and roles](howto-manage-users-roles.md) in Azure IoT Central.- |
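Review bot: the `+` line "IoT Central currently supports Microsoft accounts and Microsoft Entra accounts, but not Microsoft Entra groups" contradicts howto-manage-users-roles.md in this same change set, which states that IoT Central supports Microsoft Entra groups and service principals and lists limits for them (no more than 20 groups per application, no more than 200 unique groups per tenant). The rename is a good moment to reconcile the two: if group support is current, this sentence should say so and point to the limitations list rather than deny it.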
iot-central | Tutorial Industrial End To End | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-central/core/tutorial-industrial-end-to-end.md | In this tutorial, you learn how to: - If you need to build the **IoT Central Solution Builder** tool instead of using one of the prebuilt binaries, you need a local Git installation. - Text editor. If you want to edit the configuration file to customize your solution. -In this tutorial, you use the Azure CLI to create an app registration in Azure Active Directory: +In this tutorial, you use the Azure CLI to create an app registration in Microsoft Entra ID: [!INCLUDE [azure-cli-prepare-your-environment-no-header](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)] In this tutorial, you use the Azure CLI to create an app registration in Azure A Complete the following tasks to prepare the tool to deploy your solution: -- Create an Azure Active Directory app registration+- Create a Microsoft Entra app registration - Install the **IoT Central Solution Builder** tool - Configure the **IoT Central Solution Builder** tool |
key-vault | Rbac Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/rbac-guide.md | More about Azure Key Vault management guidelines, see: ## Azure built-in roles for Key Vault data plane operations > [!NOTE]-> The `Key Vault Contributor` role is for management plane operations to manage key vaults. It does not allow access to keys, secrets and certificates. +> The `Key Vault Contributor` role is for management plane operations only to manage key vaults. It does not allow access to keys, secrets and certificates. | Built-in role | Description | ID | | | | | More about Azure Key Vault management guidelines, see: For more information about Azure built-in roles definitions, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md). +### Managing built-in Key Vault data plane role assignments (preview) ++| Built-in role | Description | ID | +| | | | +| Key Vault Data Access Administrator (preview)| Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. | 8b54135c-b56d-4d72-a534-26097cfdc8d8 | + ## Using Azure RBAC secret, key, and certificate permissions with Key Vault The new Azure RBAC permission model for key vault provides alternative to the vault access policy permissions model. The new Azure RBAC permission model for key vault provides alternative to the va You must have an Azure subscription. If you don't, you can create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -To add role assignments, you must have `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../../role-based-access-control/built-in-roles.md#owner). +To add role assignments, you must have `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [Key Vault Data Access Administrator (preview)](../../role-based-access-control/built-in-roles.md#key-vault-data-access-administrator-preview), [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator),or [Owner](../../role-based-access-control/built-in-roles.md#owner). ### Enable Azure RBAC permissions on Key Vault |
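Review bot: In the NOTE hunk, "is for management plane operations only to manage key vaults" places "only" so that it reads as limiting "to manage" rather than the role; suggest "is only for management plane operations, such as managing key vaults. It does not allow access to keys, secrets, and certificates." so the restriction the note is making is unambiguous.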
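Review bot: Missing space after the comma in the role-assignment prerequisites hunk: "[User Access Administrator](...),or [Owner](...)" should read ", or [Owner](...)". While touching this line, please also confirm that the fragment `#key-vault-data-access-administrator-preview` exists on the built-in roles page, since "(preview)" suffixes in headings are usually dropped once a role reaches GA and the link would then break silently.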
logic-apps | Azure Arc Enabled Logic Apps Create Deploy Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md | This section describes the common prerequisites across all the approaches and to - [Set up an Azure Arc-enabled Kubernetes cluster to run App Service, Functions, and Logic Apps (Preview)](../app-service/manage-create-arc-environment.md) - [Change the default scaling behavior](#change-scaling) -- Your own Azure Active Directory (Azure AD) identity+- Your own Microsoft Entra identity - If your workflows need to use any Azure-hosted connections, such as Office 365 Outlook or Azure Storage, your logic app must use an Azure AD identity for authentication. Azure Arc-enabled Logic Apps can run on any infrastructure but requires an identity that has permissions to use Azure-hosted connections. To set up this identity, create an app registration in Azure AD that your logic app uses as the required identity. + If your workflows need to use any Azure-hosted connections, such as Office 365 Outlook or Azure Storage, your logic app must use a Microsoft Entra identity for authentication. Azure Arc-enabled Logic Apps can run on any infrastructure but requires an identity that has permissions to use Azure-hosted connections. To set up this identity, create an app registration in Microsoft Entra ID that your logic app uses as the required identity. > [!NOTE] > Managed identity support is currently unavailable for Azure Arc-enabled Logic Apps. - To create an Azure Active Directory (Azure AD) app registration using the Azure CLI, follow these steps: + To create a Microsoft Entra app registration using the Azure CLI, follow these steps: 1. Create an app registration by using the [`az ad sp create`](/cli/azure/ad/sp#az-ad-sp-create) command. This section describes the common prerequisites across all the approaches and to 1. From the output of both commands, find and save the client ID, object ID, tenant ID, and client secret values, which you need to keep for later use. - To create an Azure Active Directory (Azure AD) app registration using the Azure portal, follow these steps: + To create a Microsoft Entra app registration using the Azure portal, follow these steps: - 1. Create a new Azure AD app registration by using the [Azure portal](../active-directory/develop/quickstart-register-app.md). + 1. Create a new Microsoft Entra app registration by using the [Azure portal](../active-directory/develop/quickstart-register-app.md). 1. After creation finishes, find the new app registration in the portal. You can create, deploy, and monitor your logic app workflows from end to end in 1. Select or create a new Application Insights resource for storing application logs for your logic app. - 1. If you haven't done so, set up your Azure Active Directory (Azure AD) identity so that your logic app can authenticate managed API connections. For more information, see the top-level [Prerequisites](#prerequisites). + 1. If you haven't done so, set up your Microsoft Entra identity so that your logic app can authenticate managed API connections. For more information, see the top-level [Prerequisites](#prerequisites). - 1. Enter the client ID, tenant ID, object ID, and client secret for your Azure AD identity. + 1. Enter the client ID, tenant ID, object ID, and client secret for your Microsoft Entra identity. > [!NOTE] > You only have to complete this step once. Visual Studio Code updates your project's The portal-based designer's editing capability is currently under development fo Currently, Azure Arc-enabled Kubernetes clusters don't support using a logic app's managed identity to authenticate managed API connections. You create these Azure-hosted and managed connections when you use managed connectors in your workflows. -Instead, you have to create your own app registration in Azure Active Directory (Azure AD). You can then use this app registration as an identity for logic apps deployed and running in Azure Arc-enabled Logic Apps. For more information, review the [top-level prerequisites](#prerequisites). +Instead, you have to create your own app registration in Microsoft Entra ID. You can then use this app registration as an identity for logic apps deployed and running in Azure Arc-enabled Logic Apps. For more information, review the [top-level prerequisites](#prerequisites). -From your app registration, you need the client ID, object ID, tenant ID, and client secret. If you use Visual Studio Code to deploy, you have a built-in experience for setting up your logic app with an Azure AD identity. For more information, review [Create and deploy logic app workflows - Visual Studio Code](#create-and-deploy-logic-apps). +From your app registration, you need the client ID, object ID, tenant ID, and client secret. If you use Visual Studio Code to deploy, you have a built-in experience for setting up your logic app with a Microsoft Entra identity. For more information, review [Create and deploy logic app workflows - Visual Studio Code](#create-and-deploy-logic-apps). However, if you use Visual Studio Code for development, but you use Azure CLI or automated pipelines to deploy, follow these steps. In your Azure Resource Manager template (ARM template), include the following re | Parameter | Description | |--|-| | <*connection-name*> | The name for your managed API connection, for example `office365` |-| <*object-ID*> | The object ID for your Azure AD identity, previously saved from your app registration | -| <*tenant-ID*> | The tenant ID for your Azure AD identity, previously saved from your app registration | +| <*object-ID*> | The object ID for your Microsoft Entra identity, previously saved from your app registration | +| <*tenant-ID*> | The tenant ID for your Microsoft Entra identity, previously saved from your app registration | ||| ```json |
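Review bot: Subject-verb agreement in the prerequisites hunk: "Azure Arc-enabled Logic Apps can run on any infrastructure but requires an identity that has permissions to use Azure-hosted connections" should be "but require an identity" (or rephrase to "your logic app ... requires an identity"); the rename copied the existing error forward unchanged. The remaining hunks in this commit are straightforward Azure AD to Microsoft Entra renames and look fine.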
logic-apps | Biztalk Server To Azure Integration Services Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/biztalk-server-to-azure-integration-services-overview.md | BizTalk includes [Enterprise Single Sign-On (SSO)](/biztalk/core/enterprise-sing - Managed identities - Some connectors support using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) for authenticating access to resources protected by Azure Active Directory (Azure AD). When you use a managed identity to authenticate your connection, you don't have to provide credentials, secrets, or Azure AD tokens. + Some connectors support using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) for authenticating access to resources protected by Microsoft Entra ID. When you use a managed identity to authenticate your connection, you don't have to provide credentials, secrets, or Microsoft Entra tokens. ### Application management and access management For the latest information, see [Service Bus Premium and Standard messaging tier Azure API Management offers various pricing tiers so that you can choose the best tier that meets your needs. Each tier has its own capabilities and are named Consumption, Developer, Basic, Standard, and Premium. -The capabilities in these tiers range from Azure AD integration, Azure virtual network support, built-in cache, self-hosted gateways, and more. For more information about these tiers and their capabilities, see [Feature-based comparison of the Azure API Management tiers](../api-management/api-management-features.md). +The capabilities in these tiers range from Microsoft Entra integration, Azure virtual network support, built-in cache, self-hosted gateways, and more. For more information about these tiers and their capabilities, see [Feature-based comparison of the Azure API Management tiers](../api-management/api-management-features.md). ##### Azure Data Factory The following table and diagram roughly show how resources, artifacts, features, | EDI | - BizTalk Server out-of-the-box capabilities <br>- Parties, partners, agreements, AS2, X12, EDIFACT | Azure Logic Apps and Azure Integration Account (partners, agreements, AS2, X12, EDIFACT) | | HL7, RosettaNet, and SWIFT | BizTalk Server accelerators for HL7, RosettaNet, and SWIFT | - Azure Logic Apps, RosettaNet and SWIFT connectors, and Azure Integration Account <br>- Azure API Management for FHIR (HL7) <br>- Azure Blueprint, which enables SWIFT CSP compliance on Azure | | Secrets | Enterprise Single Sign-On (SSO) | - Azure Key Vault <br>- SQL Server <br>- Application configuration |-| Security and governance | - Enterprise Single Sign-On (SSO) <br>- SSO affiliate applications <br>- Active Directory <br>- Signing certificates <br>- IIS Security Authentication <br>- Network security | - Azure Active Directory <br>- Azure Network Security <br>- Azure role-based access control (Azure RBAC) <br>- Claims, tokens <br>- Shared Access Policies | +| Security and governance | - Enterprise Single Sign-On (SSO) <br>- SSO affiliate applications <br>- Active Directory <br>- Signing certificates <br>- IIS Security Authentication <br>- Network security | - Microsoft Entra ID <br>- Azure Network Security <br>- Azure role-based access control (Azure RBAC) <br>- Claims, tokens <br>- Shared Access Policies | | Data configuration | - Config files <br>- Enterprise SSO application configuration <br>- Custom cache components <br>- Custom database <br>- Business Rules Engine <br>- Windows registry | - Azure Key Vault <br>- Azure App Configuration <br>- Azure Cosmos DB <br>- Azure Table Storage <br>- Azure Logic Apps (Standard) configuration <br>- Azure Functions configuration <br>- Azure API Management named values and backends <br>- SQL Server <br>- Custom caching <br>- Custom database | | Deployment | - BizTalk Server binding file | - Azure DevOps pipelines <br>- Bicep scripts <br>- Terraform | | Tracking | - BizTalk Server tracking capabilities (Receive ports, Send ports, pipelines, orchestrations) <br>- IIS tracking <br>- Azure API Management built-in analytics (hybrid capabilities) | - Azure Logic Apps run history and tracked properties <br>- Azure Storage Account <br>- Azure Monitor (Application Insights) <br>- Azure API Management built-in analytics <br>- Custom solution, for example, Azure Event Hubs plus Azure Functions plus SQL Server plus Azure Data Explorer | |
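Review bot: In the API Management tiers hunk, "The capabilities in these tiers range from Microsoft Entra integration, Azure virtual network support, built-in cache, self-hosted gateways, and more" is an incomplete "range from ... to ..." construction carried over from the old text; suggest "The capabilities in these tiers include Microsoft Entra integration, Azure virtual network support, built-in cache, self-hosted gateways, and more." The preceding context line "Each tier has its own capabilities and are named" has the same agreement problem ("is named") if you want to fix it in the same commit.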
logic-apps | Block Connections Across Tenants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/block-connections-across-tenants.md | Title: Block access to and from other tenants -description: Block connections between your tenant and other Azure Active Directory (Azure AD) tenants in Azure Logic Apps. +description: Block connections between your tenant and other Microsoft Entra tenants in Azure Logic Apps. ms.suite: integration Last updated 08/01/2022-# Customer intent: As a developer, I want to prevent access to and from other Azure Active Directory tenants. +# Customer intent: As a developer, I want to prevent access to and from other Microsoft Entra tenants. # Block connections to and from other tenants in Azure Logic Apps (Preview) Last updated 08/01/2022 > This capability is in preview and is subject to the > [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Azure Logic Apps includes many connectors for you to build integration apps and workflows and to access various data, apps, services, systems, and other resources. These connectors authorize your access to these resources by using Azure Active Directory (Azure AD) to authenticate your credentials. +Azure Logic Apps includes many connectors for you to build integration apps and workflows and to access various data, apps, services, systems, and other resources. These connectors authorize your access to these resources by using Microsoft Entra ID to authenticate your credentials. -When you create a connection from your workflow to access a resource, you can share that connection with others in the same Azure AD tenant or different tenant by sending a consent link. This shared connection provides access to same resource but creates a security vulnerability. +When you create a connection from your workflow to access a resource, you can share that connection with others in the same Microsoft Entra tenant or different tenant by sending a consent link. This shared connection provides access to same resource but creates a security vulnerability. -As a security measure to prevent this scenario, you can block access to and from your own Azure AD tenant through such shared connections. You can also permit but restrict connections only to specific tenants. By setting up a tenant isolation policy, you can better control data movement between your tenant and resources that require Azure AD authorized access. +As a security measure to prevent this scenario, you can block access to and from your own Microsoft Entra tenant through such shared connections. You can also permit but restrict connections only to specific tenants. By setting up a tenant isolation policy, you can better control data movement between your tenant and resources that require Microsoft Entra authorized access. ## Prerequisites As a security measure to prevent this scenario, you can block access to and from - Collect the following information: - - The tenant ID for your Azure AD tenant. + - The tenant ID for your Microsoft Entra tenant. - The choice whether to enforce two-way tenant isolation for connections that don't have a client tenant ID. As a security measure to prevent this scenario, you can block access to and from - The choice whether to allow outbound connections from your tenant to each allowed tenant. -- To test the tenant isolation policy, you need a second Azure AD tenant. From this tenant, you'll try connecting to and from the isolated tenant after the isolation policy takes effect.+- To test the tenant isolation policy, you need a second Microsoft Entra tenant. From this tenant, you'll try connecting to and from the isolated tenant after the isolation policy takes effect. ## Request an isolation policy for your tenant After the policy takes effect in a region, test the policy. You can try immediat ### Test inbound connections to your tenant -1. Sign in to your "other" Azure AD tenant. +1. Sign in to your "other" Microsoft Entra tenant. 1. Create logic app workflow with a connection, such as Office 365 Outlook. |
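Review bot: The shared-connection hunk carries two missing articles forward: "in the same Microsoft Entra tenant or different tenant" should be "or a different tenant", and "provides access to same resource" should be "to the same resource". This is the sentence that explains the risk the tenant isolation policy mitigates (a consent link grants another tenant's users the same access the connection holds), so it is worth reading cleanly.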
logic-apps | Block Connections Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/block-connections-connectors.md | For more information about Azure Policy definitions, see these topics: ## Create policy assignment -Next, you need to assign the policy definition where you want to enforce the policy, for example, to a single resource group, multiple resource groups, Azure Active Directory (Azure AD) tenant, or Azure subscription. For this task, follow these steps to create a policy assignment: +Next, you need to assign the policy definition where you want to enforce the policy, for example, to a single resource group, multiple resource groups, Microsoft Entra tenant, or Azure subscription. For this task, follow these steps to create a policy assignment: 1. In the [Azure portal](https://portal.azure.com), portal search box, enter **policy**, and select **Policy**. |
logic-apps | Create Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-managed-service-identity.md | Title: Authenticate connections with managed identities -description: Use a managed identity to authenticate workflow connections to Azure AD protected resources without credentials or secrets in Azure Logic Apps. +description: Use a managed identity to authenticate workflow connections to Microsoft Entra protected resources without credentials or secrets in Azure Logic Apps. ms.suite: integration -In logic app workflows, some triggers and actions support using a managed identity for authenticating access to resources protected by Azure Active Directory (Azure AD). When you use a managed identity to authenticate your connection, you don't have to provide credentials, secrets, or Azure AD tokens. Azure manages this identity and helps keep authentication information secure because you don't have to manage this sensitive information. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). +In logic app workflows, some triggers and actions support using a managed identity for authenticating access to resources protected by Microsoft Entra ID. When you use a managed identity to authenticate your connection, you don't have to provide credentials, secrets, or Microsoft Entra tokens. Azure manages this identity and helps keep authentication information secure because you don't have to manage this sensitive information. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). Azure Logic Apps supports the [*system-assigned* managed identity](../active-directory/managed-identities-azure-resources/overview.md) and the [*user-assigned* managed identity](../active-directory/managed-identities-azure-resources/overview.md). The following list describes some differences between these identity types: For more information about managed identity limits in Azure Logic Apps, review [ ## Where you can use a managed identity -Only specific built-in and managed connector operations that support Azure AD Open Authentication (Azure AD OAuth) can use a managed identity for authentication. The following table provides only a *sample selection*. For a more complete list, review [Authentication types for triggers and actions that support authentication](logic-apps-securing-a-logic-app.md#authentication-types-supported-triggers-actions) and [Azure services that support Azure AD authentication with managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +Only specific built-in and managed connector operations that support OAuth with Microsoft Entra ID can use a managed identity for authentication. The following table provides only a *sample selection*. For a more complete list, review [Authentication types for triggers and actions that support authentication](logic-apps-securing-a-logic-app.md#authentication-types-supported-triggers-actions) and [Azure services that support Microsoft Entra authentication with managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). ### [Consumption](#tab/consumption) The following table lists the connectors that support using a managed identity i | Connector type | Supported connectors | |-|-| | Built-in | - Azure API Management <br>- Azure App Services <br>- Azure Functions <br>- HTTP <br>- HTTP + Webhook <p>**Note**: HTTP operations can authenticate connections to Azure Storage accounts behind Azure firewalls with the system-assigned identity. However, they don't support the user-assigned managed identity for authenticating the same connections. |-| Managed | - Azure App Service <br>- Azure Automation <br>- Azure Blob Storage <br>- Azure Container Instance <br>- Azure Cosmos DB <br>- Azure Data Explorer <br>- Azure Data Factory <br>- Azure Data Lake <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure IoT Central V2 <br>- Azure IoT Central V3 <br>- Azure Key Vault <br>- Azure Log Analytics <br>- Azure Queues <br>- Azure Resource Manager <br>- Azure Service Bus <br>- Azure Sentinel <br>- Azure Table Storage <br>- Azure VM <br>- HTTP with Azure AD <br>- SQL Server | +| Managed | - Azure App Service <br>- Azure Automation <br>- Azure Blob Storage <br>- Azure Container Instance <br>- Azure Cosmos DB <br>- Azure Data Explorer <br>- Azure Data Factory <br>- Azure Data Lake <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure IoT Central V2 <br>- Azure IoT Central V3 <br>- Azure Key Vault <br>- Azure Log Analytics <br>- Azure Queues <br>- Azure Resource Manager <br>- Azure Service Bus <br>- Azure Sentinel <br>- Azure Table Storage <br>- Azure VM <br>- HTTP with Microsoft Entra ID <br>- SQL Server | ### [Standard](#tab/standard) The following table lists the connectors that support using a managed identity i | Connector type | Supported connectors | |-|-| | Built-in | - Azure Automation <br>- Azure Blob Storage <br>- Azure Event Hubs <br>- Azure Service Bus <br>- Azure Queues <br>- Azure Tables <br>- HTTP <br>- HTTP + Webhook <br>- SQL Server <br><br>**Note**: Except for the SQL Server and HTTP connectors, most [built-in, service provider-based connectors](/azure/logic-apps/connectors/built-in/reference/) currently don't support selecting user-assigned managed identities for authentication. Instead, you must use the system-assigned identity. HTTP operations can authenticate connections to Azure Storage accounts behind Azure firewalls with the system-assigned identity. |-| Managed | - Azure App Service <br>- Azure Automation <br>- Azure Blob Storage <br>- Azure Container Instance <br>- Azure Cosmos DB <br>- Azure Data Explorer <br>- Azure Data Factory <br>- Azure Data Lake <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure IoT Central V2 <br>- Azure IoT Central V3 <br>- Azure Key Vault <br>- Azure Log Analytics <br>- Azure Queues <br>- Azure Resource Manager <br>- Azure Service Bus <br>- Azure Sentinel <br>- Azure Table Storage <br>- Azure VM <br>- HTTP with Azure AD <br>- SQL Server | +| Managed | - Azure App Service <br>- Azure Automation <br>- Azure Blob Storage <br>- Azure Container Instance <br>- Azure Cosmos DB <br>- Azure Data Explorer <br>- Azure Data Factory <br>- Azure Data Lake <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure IoT Central V2 <br>- Azure IoT Central V3 <br>- Azure Key Vault <br>- Azure Log Analytics <br>- Azure Queues <br>- Azure Resource Manager <br>- Azure Service Bus <br>- Azure Sentinel <br>- Azure Table Storage <br>- Azure VM <br>- HTTP with Microsoft Entra ID <br>- SQL Server | The following table lists the connectors that support using a managed identity i * An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Both the managed identity and the target Azure resource where you need access must use the same Azure subscription. -* The target Azure resource that you want to access. On this resource, you'll add the necessary role for the managed identity to access that resource on your logic app's or connection's behalf. To add a role to a managed identity, you need [Azure AD administrator permissions](../active-directory/roles/permissions-reference.md) that can assign roles to identities in the corresponding Azure AD tenant. +* The target Azure resource that you want to access. On this resource, you'll add the necessary role for the managed identity to access that resource on your logic app's or connection's behalf. To add a role to a managed identity, you need [Microsoft Entra administrator permissions](../active-directory/roles/permissions-reference.md) that can assign roles to identities in the corresponding Microsoft Entra tenant. * The logic app resource and workflow where you want to use the [trigger or actions that support managed identities](logic-apps-securing-a-logic-app.md#authentication-types-supported-triggers-actions). The following table lists the connectors that support using a managed identity i > user-assigned identity. Before you can add the system-assigned identity, you have to first *remove* the user-assigned identity > from your logic app resource. - Your logic app resource can now use the system-assigned identity. This identity is registered with Azure AD and is represented by an object ID. + Your logic app resource can now use the system-assigned identity. This identity is registered with Microsoft Entra ID and is represented by an object ID. ![Screenshot showing Consumption logic app's "Identity" pane with the object ID for system-assigned identity.](./media/create-managed-service-identity/object-id-system-assigned-identity.png) | Property | Value | Description | |-|-|-|- | **Object (principal) ID** | <*identity-resource-ID*> | A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in an Azure AD tenant. | + | **Object (principal) ID** | <*identity-resource-ID*> | A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in a Microsoft Entra tenant. | 1. Now follow the [steps that give that identity access to the resource](#access-other-resources) later in this topic. On a **Logic App (Standard)** resource, the system-assigned identity is automati ![Screenshot showing Azure portal with Standard logic app's "Identity" pane and "System assigned" tab with "On" and "Save" selected.](./media/create-managed-service-identity/enable-system-assigned-identity-standard.png) - Your logic app resource can now use the system-assigned identity, which is registered with Azure AD and is represented by an object ID. + Your logic app resource can now use the system-assigned identity, which is registered with Microsoft Entra ID and is represented by an object ID. ![Screenshot showing Standard logic app's "Identity" pane with the object ID for system-assigned identity.](./media/create-managed-service-identity/object-id-system-assigned-identity.png) | Property | Value | Description | |-|-|-|- | **Object (principal) ID** | <*identity-resource-ID*> | A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in an Azure AD tenant. | + | **Object (principal) ID** | <*identity-resource-ID*> | A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in a Microsoft Entra tenant. | |||| 1. Now follow the [steps that give that identity access to the resource](#access-other-resources) later in this topic. When Azure creates your logic app resource definition, the `identity` object get | Property (JSON) | Value | Description | |--|-|-|-| `principalId` | <*principal-ID*> | The Globally Unique Identifier (GUID) of the service principal object for the managed identity that represents your logic app in the Azure AD tenant. This GUID sometimes appears as an "object ID" or `objectID`. | -| `tenantId` | <*Azure-AD-tenant-ID*> | The Globally Unique Identifier (GUID) that represents the Azure AD tenant where the logic app is now a member. Inside the Azure AD tenant, the service principal has the same name as the logic app instance. | +| `principalId` | <*principal-ID*> | The Globally Unique Identifier (GUID) of the service principal object for the managed identity that represents your logic app in the Microsoft Entra tenant. This GUID sometimes appears as an "object ID" or `objectID`. | +| `tenantId` | <*Azure-AD-tenant-ID*> | The Globally Unique Identifier (GUID) that represents the Microsoft Entra tenant where the logic app is now a member. Inside the Microsoft Entra tenant, the service principal has the same name as the logic app instance. | |||| <a name="azure-portal-user-identity"></a> When the template creates a logic app resource, the `identity` object includes t } ``` -The `principalId` property value is a unique identifier for the identity that's used for Azure AD administration. The `clientId` property value is a unique identifier for the logic app's new identity that's used for specifying which identity to use during runtime calls. For more information about Azure Resource Manager templates and managed identities for Azure Functions, review [ARM template - Azure Functions](../azure-functions/functions-create-first-function-resource-manager.md#review-the-template) and [Add a user-assigned identity using an ARM template for Azure Functions](../app-service/overview-managed-identity.md?tabs=arm%2Chttp#add-a-user-assigned-identity). +The `principalId` property value is a unique identifier for the identity that's used for Microsoft Entra administration. The `clientId` property value is a unique identifier for the logic app's new identity that's used for specifying which identity to use during runtime calls. For more information about Azure Resource Manager templates and managed identities for Azure Functions, review [ARM template - Azure Functions](../azure-functions/functions-create-first-function-resource-manager.md#review-the-template) and [Add a user-assigned identity using an ARM template for Azure Functions](../app-service/overview-managed-identity.md?tabs=arm%2Chttp#add-a-user-assigned-identity). To use a managed identity for authentication, some Azure resources, such as Azur > [!NOTE] > > If the **Add role assignment** option is disabled, you don't have permissions to assign roles. - > For more information, review [Azure AD built-in roles](../active-directory/roles/permissions-reference.md). + > For more information, review [Microsoft Entra built-in roles](../active-directory/roles/permissions-reference.md). 1. Now, assign the necessary role to your managed identity. On the **Role** tab, assign a role that gives your identity the required access to the current resource. The following example shows a sample HTTP action with all the previously describ > [!IMPORTANT] >- > Make sure that the target resource ID *exactly matches* the value that Azure Active Directory (AD) expects, + > Make sure that the target resource ID *exactly matches* the value that Microsoft Entra ID expects, > including any required trailing slashes. For example, the resource ID for all Azure Blob Storage accounts requires > a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. Check the - > [resource IDs for the Azure services that support Azure AD](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). + > [resource IDs for the Azure services that support Microsoft Entra ID](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). This example sets the **Audience** property to `https://storage.azure.com/` so that the access tokens used for authentication are valid for all storage accounts. However, you can also specify the root service URL, `https://<your-storage-account>.blob.core.windows.net`, for a specific storage account. ![Screenshot showing Consumption workflow with HTTP action and "Audience" property set to target resource ID.](./media/create-managed-service-identity/specify-audience-url-target-resource.png) - For more information about authorizing access with Azure AD for Azure Storage, review the following documentation: + For more information about authorizing access with Microsoft Entra ID for Azure Storage, review the following documentation: - * [Authorize access to Azure blobs and queues by using Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md) + * [Authorize access to Azure blobs and queues by using Microsoft Entra ID](../storage/blobs/authorize-access-azure-active-directory.md) - * [Authorize access to Azure Storage with Azure Active Directory](/rest/api/storageservices/authorize-with-azure-active-directory#use-oauth-access-tokens-for-authentication) + * [Authorize access to Azure Storage with Microsoft Entra ID](/rest/api/storageservices/authorize-with-azure-active-directory#use-oauth-access-tokens-for-authentication) 1. Continue building the workflow the way that you want. The following example shows a sample HTTP action with all the previously describ > [!IMPORTANT] >- > Make sure that the target resource ID *exactly matches* the value that Azure Active Directory (AD) expects, + > Make sure that the target resource ID *exactly matches* the value that Microsoft Entra ID expects, > including any required trailing slashes. For example, the resource ID for all Azure Blob Storage accounts requires > a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. Check the - > [resource IDs for the Azure services that support Azure AD](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). + > [resource IDs for the Azure services that support Microsoft Entra ID](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). This example sets the **Audience** property to `https://storage.azure.com/` so that the access tokens used for authentication are valid for all storage accounts. However, you can also specify the root service URL, `https://<your-storage-account>.blob.core.windows.net`, for a specific storage account. ![Screenshot showing the "Audience" property set to the target resource ID.](./media/create-managed-service-identity/specify-audience-url-target-resource-standard.png) - For more information about authorizing access with Azure AD for Azure Storage, review the following documentation: + For more information about authorizing access with Microsoft Entra ID for Azure Storage, review the following documentation: - * [Authorize access to Azure blobs and queues by using Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md) - * [Authorize access to Azure Storage with Azure Active Directory](/rest/api/storageservices/authorize-with-azure-active-directory#use-oauth-access-tokens-for-authentication) + * [Authorize access to Azure blobs and queues by using Microsoft Entra ID](../storage/blobs/authorize-access-azure-active-directory.md) + * [Authorize access to Azure Storage with Microsoft Entra ID](/rest/api/storageservices/authorize-with-azure-active-directory#use-oauth-access-tokens-for-authentication) 1. Continue building the workflow the way that you want. The Azure Resource Manager managed connector has an action named **Read a resour ### [Consumption](#tab/consumption) -1.
After you add the action to your workflow and select your Azure AD tenant, select **Connect with managed identity**. +1. After you add the action to your workflow and select your Microsoft Entra tenant, select **Connect with managed identity**. ![Screenshot showing Azure Resource Manager action and "Connect with managed identity" selected.](./media/create-managed-service-identity/select-connect-managed-identity-consumption.png) The Azure Resource Manager managed connector has an action named **Read a resour ### [Standard](#tab/standard) -1. After you add the action to your workflow, on the action's **Create Connection** pane, select your Azure AD tenant, and then select **Connect with managed identity**. +1. After you add the action to your workflow, on the action's **Create Connection** pane, select your Microsoft Entra tenant, and then select **Connect with managed identity**. ![Screenshot showing Azure Resource Manager action and "Connect with managed identity" selected.](./media/create-managed-service-identity/select-connect-managed-identity-standard.png) The Azure Resource Manager managed connector has an action named **Read a resour ## Logic app resource definition and connections that use a managed identity -A connection that enables and uses a managed identity are a special connection type that works only with a managed identity. At runtime, the connection uses the managed identity that's enabled on the logic app resource. At runtime, the Azure Logic Apps service checks whether any managed connector trigger and actions in the logic app workflow are set up to use the managed identity and that all the required permissions are set up to use the managed identity for accessing the target resources that are specified by the trigger and actions. 
If successful, Azure Logic Apps retrieves the Azure AD token that's associated with the managed identity and uses that identity to authenticate access to the target resource and perform the configured operation in trigger and actions. +A connection that enables and uses a managed identity are a special connection type that works only with a managed identity. At runtime, the connection uses the managed identity that's enabled on the logic app resource. At runtime, the Azure Logic Apps service checks whether any managed connector trigger and actions in the logic app workflow are set up to use the managed identity and that all the required permissions are set up to use the managed identity for accessing the target resources that are specified by the trigger and actions. If successful, Azure Logic Apps retrieves the Microsoft Entra token that's associated with the managed identity and uses that identity to authenticate access to the target resource and perform the configured operation in trigger and actions. ### [Consumption](#tab/consumption) Following this `Microsoft.Web/connections` resource definition, make sure that y | Parameter | Description | |--|-| | <*connection-name*> | The name for your API connection, for example, `azureblob` |-| <*object-ID*> | The object ID for your Azure AD identity, previously saved from your app registration | -| <*tenant-ID*> | The tenant ID for your Azure AD identity, previously saved from your app registration | +| <*object-ID*> | The object ID for your Microsoft Entra identity, previously saved from your app registration | +| <*tenant-ID*> | The tenant ID for your Microsoft Entra identity, previously saved from your app registration | ```json { When you disable the managed identity on your logic app resource, you remove the > Try to avoid disabling the system-assigned identity as much as possible. If you want to remove > the identity's access to Azure resources, remove the identity's role assignment from the target > resource. 
If you delete your logic app resource, Azure automatically removes the managed identity -> from Azure AD. +> from Microsoft Entra ID. The steps in this section cover using the [Azure portal](#azure-portal-disable) and [Azure Resource Manager template (ARM template)](#template-disable). For Azure PowerShell, Azure CLI, and Azure REST API, review the following documentation: The following steps remove access to the target resource from the managed identi > > If the **Remove** option is disabled, you most likely don't have permissions. > For more information about the permissions that let you manage roles for resources, review - > [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md). + > [Administrator role permissions in Microsoft Entra ID](../active-directory/roles/permissions-reference.md). <a name="disable-identity-logic-app"></a> |
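Review bot: Both NOTE blocks that explain a disabled **Add role assignment** or **Remove** option still point at the Microsoft Entra built-in roles reference (`../active-directory/roles/permissions-reference.md`), but what is being assigned or removed here is an Azure RBAC role assignment on the target resource, so the missing permission is an Azure role permission (`Microsoft.Authorization/roleAssignments/write`, held by Owner or User Access Administrator), not an Entra directory role; retarget these links to the Azure RBAC documentation instead of only renaming their text. Two smaller points in the `+` lines: "A connection that enables and uses a managed identity are a special connection type" keeps the subject-verb error (should be "is"), and the `<*object-ID*>` and `<*tenant-ID*>` rows still describe the values as "previously saved from your app registration" although the identity in this section is a managed identity, not an app registration, while the `tenantId` row keeps the `<*Azure-AD-tenant-ID*>` placeholder name.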
logic-apps | Create Integration Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/enterprise-integration/create-integration-account.md | To read artifacts and write any state information, your Premium integration acco |--|-|-| | **Scope** | **Storage** | For more information, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md). | | **Subscription** | <*Azure-subscription*> | The Azure subscription for the resource to access. |- | **Resource** | <*Azure-storage-account-name*> | The name for the Azure storage account to access. <br><br>**Note** If you get an error that you don't have permissions to add role assignments at this scope, you need to get those permissions. For more information, see [Azure AD built-in roles](../../active-directory/roles/permissions-reference.md). | + | **Resource** | <*Azure-storage-account-name*> | The name for the Azure storage account to access. <br><br>**Note** If you get an error that you don't have permissions to add role assignments at this scope, you need to get those permissions. For more information, see [Microsoft Entra built-in roles](../../active-directory/roles/permissions-reference.md). | | **Role** | - **Storage Account Contributor** <br><br>- **Storage Blob Data Contributor** <br><br>- **Storage Table Data Contributor** | The roles that your Premium integration account requires to access your storage account. | For more information, see [Assign Azure role to system-assigned managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.md) |
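Review bot: The `+` line renames the link text to "Microsoft Entra built-in roles", but the error it explains is about adding role assignments at storage-account scope, which is an Azure RBAC permission (`Microsoft.Authorization/roleAssignments/write`), not an Entra directory role; the surrounding rows already link to the Azure RBAC scope and managed-identity role-assignment pages, so point this note there as well. Separately, the **Role** row lists Storage Account Contributor next to the two data-plane roles; that management-plane role includes `Microsoft.Storage/storageAccounts/listKeys/action`, which hands the identity the account keys and therefore full data-plane access independent of the Blob and Table Data Contributor grants, so say what the integration account needs it for so readers don't assign a broader role than they expect.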
logic-apps | Ise Manage Integration Service Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/ise-manage-integration-service-environment.md | This table describes the ports that your ISE requires to be accessible and the p | * | * | Address space for the virtual network with ISE subnets | Address space for the virtual network with ISE subnets | Intersubnet communication within virtual network | Required for traffic to flow *between* the subnets in your virtual network. <br><br>**Important**: For traffic to flow between the *components* in each subnet, make sure that you open all the ports within each subnet. | | * | 443, 80 | **VirtualNetwork** | Internet | Communication from your logic app | This rule is required for Secure Socket Layer (SSL) certificate verification. This check is for various internal and external sites, which is the reason that the Internet is required as the destination. | | * | Varies based on destination | **VirtualNetwork** | Varies based on destination | Communication from your logic app | Destination ports vary based on the endpoints for the external services with which your logic app needs to communicate. <br><br>For example, the destination port is port 25 for an SMTP service, port 22 for an SFTP service, and so on. |-| * | 80, 443 | **VirtualNetwork** | **AzureActiveDirectory** | Azure Active Directory || +| * | 80, 443 | **VirtualNetwork** | **AzureActiveDirectory** | Microsoft Entra ID || | * | 80, 443, 445 | **VirtualNetwork** | **Storage** | Azure Storage dependency || | * | 443 | **VirtualNetwork** | **AppService** | Connection management || | * | 443 | **VirtualNetwork** | **AzureMonitor** | Publish diagnostic logs & metrics || |
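Review bot: Leaving the destination as the `AzureActiveDirectory` service tag while renaming the description to Microsoft Entra ID is correct, because the tag is a literal NSG identifier; add a short parenthetical saying the tag name is unchanged, otherwise a reader repeating this rename in their own rules will "fix" the tag to a value the NSG does not accept. On the unchanged context rows, the rule that opens 80 and 443 from the whole **VirtualNetwork** to the Internet for "Secure Socket Layer (SSL) certificate verification" is the broadest rule in the table; name the protocol as TLS and, if the endpoints contacted for that check are known, list them so the rule can be narrowed from "Internet".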
logic-apps | Logic Apps Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-azure-functions.md | This how-to guide shows how to call an Azure function from a logic app workflow. * You can create a function directly from inside a Consumption logic app workflow, but not from a Standard logic app workflow. However, you can create functions in other ways. For more information, see [Create functions from inside logic app workflows](#create-function-designer). -* Only Consumption workflows support authenticating Azure function calls using a managed identity with Azure Active Directory (Azure AD) authentication. Standard workflows aren't currently supported in the section about [how to enable authentication for function calls](#enable-authentication-functions). +* Only Consumption workflows support authenticating Azure function calls using a managed identity with Microsoft Entra authentication. Standard workflows aren't currently supported in the section about [how to enable authentication for function calls](#enable-authentication-functions). * Azure Logic Apps doesn't support using Azure Functions with deployment slots enabled. Although this scenario might sometimes work, this behavior is unpredictable and might result in authorization problems when your workflow tries call the Azure function. To call existing functions from your logic app workflow, you can add functions l ## Enable authentication for function calls (Consumption workflows only) -Your Consumption workflow can authenticate function calls and access to resources protected by Azure Active Directory (Azure AD) by using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) (formerly known as Managed Service Identity or MSI). This managed identity can authenticate access without having to sign in and provide credentials or secrets. 
Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. You can set up the system-assigned identity or a manually created, user-assigned identity at the logic app resource level. The function that's called from your workflow can use the same identity for authentication. +Your Consumption workflow can authenticate function calls and access to resources protected by Microsoft Entra ID by using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) (formerly known as Managed Service Identity or MSI). This managed identity can authenticate access without having to sign in and provide credentials or secrets. Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. You can set up the system-assigned identity or a manually created, user-assigned identity at the logic app resource level. The function that's called from your workflow can use the same identity for authentication. > [!NOTE] > -> Currently, only Consumption workflows support authentication for Azure function calls using a managed identity and Azure Active Directory (Azure AD) authentication. Standard workflows currently don't include this support when using the Azure Functions connector. +> Currently, only Consumption workflows support authentication for Azure function calls using a managed identity and Microsoft Entra authentication. Standard workflows currently don't include this support when using the Azure Functions connector. For more information, review the following documentation: To set up your function app and function so they can use your Consumption logic 1. [Set up your function for anonymous authentication](#set-authentication-function-app). -1. [Find the required values to set up Azure AD authentication](#find-required-values). +1. [Find the required values to set up Microsoft Entra authentication](#find-required-values). 1. 
[Create an app registration for your function app](#create-app-registration). For your function to use your Consumption logic app's managed identity, you must <a name="find-required-values"></a> -### Find the required values to set up Azure AD authentication (Consumption workflows only) +<a name='find-the-required-values-to-set-up-azure-ad-authentication-consumption-workflows-only'></a> -Before you can set up your function app to use Azure AD authentication, you need to find and save the following values by following the steps in this section. +### Find the required values to set up Microsoft Entra authentication (Consumption workflows only) ++Before you can set up your function app to use Microsoft Entra authentication, you need to find and save the following values by following the steps in this section. 1. [Find the object (principal) ID for your logic app's managed identity](#find-object-id).-1. [Find the tenant ID for your Azure Active Directory (Azure AD)](#find-tenant-id). +1. [Find the tenant ID for your Microsoft Entra ID](#find-tenant-id). <a name="find-object-id"></a> Before you can set up your function app to use Azure AD authentication, you need <a name="find-tenant-id"></a> -#### Find the tenant ID for your Azure AD +<a name='find-the-tenant-id-for-your-azure-ad'></a> ++#### Find the tenant ID for your Microsoft Entra ID -To find your Azure AD tenant ID, either run the PowerShell command named [**Get-AzureAccount**](/powershell/module/servicemanagement/azure/get-azureaccount), or in the Azure portal, follow these steps: +To find your Microsoft Entra tenant ID, either run the PowerShell command named [**Get-AzureAccount**](/powershell/module/servicemanagement/azure/get-azureaccount), or in the Azure portal, follow these steps: -1. In the [Azure portal](https://portal.azure.com), open your Azure AD tenant. These steps use **Fabrikam** as the example tenant. +1. In the [Azure portal](https://portal.azure.com), open your Microsoft Entra tenant. 
These steps use **Fabrikam** as the example tenant. -1. On the Azure AD tenant menu, under **Manage**, select **Properties**. +1. On the Microsoft Entra tenant menu, under **Manage**, select **Properties**. 1. Copy and save your tenant ID for later use, for example: - ![Screenshot showing your Azure AD "Properties" pane with tenant ID's copy button selected.](./media/logic-apps-azure-functions/azure-active-directory-tenant-id.png) + ![Screenshot showing your Microsoft Entra ID "Properties" pane with tenant ID's copy button selected.](./media/logic-apps-azure-functions/azure-active-directory-tenant-id.png) <a name="create-app-registration"></a> ### Create app registration for your function app (Consumption workflows only) -After you find the object ID for your Consumption logic app's managed identity and tenant ID for your Azure AD, you can set up your function app to use Azure AD authentication by creating an app registration. For more information, review [Configure your App Service or Azure Functions app to use Azure AD login](../app-service/configure-authentication-provider-aad.md#-step-2-enable-azure-active-directory-in-your-app-service-app). +After you find the object ID for your Consumption logic app's managed identity and tenant ID for your Microsoft Entra ID, you can set up your function app to use Microsoft Entra authentication by creating an app registration. 1. In the [Azure portal](https://portal.azure.com), open your function app. After you find the object ID for your Consumption logic app's managed identity a |-|-|-|-| | **Application (client) ID** | Yes | <*object-ID*> | The unique identifier to use for this app registration. For this scenario, use the object ID from your logic app's managed identity. | | **Client secret** | Optional, but recommended | <*client-secret*> | The secret value that the app uses to prove its identity when requesting a token. 
The client secret is created and stored in your app's configuration as a slot-sticky [application setting](../app-service/configure-common.md#configure-app-settings) named **MICROSOFT_PROVIDER_AUTHENTICATION_SECRET**. To manage the secret in Azure Key Vault instead, you can update this setting later to use [Key Vault references](../app-service/app-service-key-vault-references.md). <br><br>- If you provide a client secret value, sign-in operations use the hybrid flow, returning both access and refresh tokens. <br><br>- If you don't provide a client secret, sign-in operations use the OAuth 2.0 implicit grant flow, returning only an ID token. <br><br>These tokens are sent by the provider and stored in the EasyAuth token store. |- | **Issuer URL** | No | **<*authentication-endpoint-URL*>/<*Azure-AD-tenant-ID*>/v2.0** | This URL redirects users to the correct Azure AD tenant and downloads the appropriate metadata to determine the appropriate token signing keys and token issuer claim value. For apps that use Azure AD v1, omit **/v2.0** from the URL. <br><br>For this scenario, use the following URL: **`https://sts.windows.net/`<*Azure-AD-tenant-ID*>** | - | **Allowed token audiences** | No | <*application-ID-URI*> | The application ID URI (resource ID) for the function app. For a cloud or server app where you want to allow authentication tokens from a web app, add the application ID URI for the web app. The configured client ID is always implicitly considered as an allowed audience. <br><br>For this scenario, the value is **`https://management.azure.com`**. Later, you can use the same URI in the **Audience** property when you [set up your function action in your workflow to use the managed identity](create-managed-service-identity.md#authenticate-access-with-identity). <p><p>**Important**: The application ID URI (resource ID) must exactly match the value that Azure AD expects, including any required trailing slashes. 
| + | **Issuer URL** | No | **<*authentication-endpoint-URL*>/<*Azure-AD-tenant-ID*>/v2.0** | This URL redirects users to the correct Microsoft Entra tenant and downloads the appropriate metadata to determine the appropriate token signing keys and token issuer claim value. For apps that use Azure AD v1, omit **/v2.0** from the URL. <br><br>For this scenario, use the following URL: **`https://sts.windows.net/`<*Azure-AD-tenant-ID*>** | + | **Allowed token audiences** | No | <*application-ID-URI*> | The application ID URI (resource ID) for the function app. For a cloud or server app where you want to allow authentication tokens from a web app, add the application ID URI for the web app. The configured client ID is always implicitly considered as an allowed audience. <br><br>For this scenario, the value is **`https://management.azure.com`**. Later, you can use the same URI in the **Audience** property when you [set up your function action in your workflow to use the managed identity](create-managed-service-identity.md#authenticate-access-with-identity). <p><p>**Important**: The application ID URI (resource ID) must exactly match the value that Microsoft Entra ID expects, including any required trailing slashes. | ||||| At this point, your version looks similar to this example: After you find the object ID for your Consumption logic app's managed identity a When you're done, the **Authentication** page now lists the identity provider and app ID (client ID) for the app registration. Your function app can now use this app registration for authentication. - For more information, review [Configure your App Service or Azure Functions app to use Azure AD login](../app-service/configure-authentication-provider-aad.md#-step-2-enable-azure-active-directory-in-your-app-service-app). - 1. Copy the app ID (client ID) for your function to use in the **Audience** property later in your workflow. 1. 
Return to the designer and follow the [steps to authenticate access with the managed identity](create-managed-service-identity.md#authenticate-access-with-identity) by using the built-in Azure Functions action. |
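Review bot: The **Allowed token audiences** row keeps `https://management.azure.com` (the Azure Resource Manager resource) as the audience the function app accepts, which means any token issued by this tenant's issuer for ARM passes the function app's audience check, not only tokens requested for this function; either state that trade-off explicitly or have the reader use an application ID URI specific to the function app and set the workflow's **Audience** property to the same value, which is what the **Important** note about exact matching already implies. Also, the two `-` lines remove the link "Configure your App Service or Azure Functions app to use Azure AD login" without a replacement, dropping the only pointer to the App Service authentication reference; retarget it under the new product name rather than deleting it. Finally, the tenant-ID step still recommends `Get-AzureAccount` from the legacy Service Management module (the link path `servicemanagement/azure/get-azureaccount` makes that visible); `Get-AzTenant`, or `(Get-AzContext).Tenant.Id`, from Az.Accounts is the current equivalent.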
logic-apps | Logic Apps Azure Resource Manager Templates Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-azure-resource-manager-templates-overview.md | Here is an example that provides the account name and access key for an Azure Bl After deployment, your logic app works end-to-end with valid parameters. However, you must still authorize any OAuth connections to generate valid access tokens for [authenticating your credentials](../active-directory/develop/authentication-vs-authorization.md). For more information, see [Authorize OAuth connections](../logic-apps/logic-apps-deploy-azure-resource-manager-templates.md#authorize-oauth-connections). -Some connections support using an Azure Active Directory (Azure AD) [service principal](../active-directory/develop/app-objects-and-service-principals.md) to authorize connections for a logic app that's [registered in Azure AD](../active-directory/develop/quickstart-register-app.md). For example, this Azure Data Lake connection resource definition shows how to reference the template parameters that handle the service principal's information and how the template declares these parameters: +Some connections support using a Microsoft Entra [service principal](../active-directory/develop/app-objects-and-service-principals.md) to authorize connections for a logic app that's [registered in Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md). 
For example, this Azure Data Lake connection resource definition shows how to reference the template parameters that handle the service principal's information and how the template declares these parameters: **Connection resource definition** Some connections support using an Azure Active Directory (Azure AD) [service pri |--|-| | `token:clientId` | The application or client ID associated with your service principal | | `token:clientSecret` | The key value associated with your service principal |-| `token:TenantId` | The directory ID for your Azure AD tenant | +| `token:TenantId` | The directory ID for your Microsoft Entra tenant | | `token:grantType` | The requested grant type, which must be `client_credentials`. For more information, see [Microsoft identity platform and the OAuth 2.0 client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). | ||| |
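Review bot: The `token:clientSecret` row passes a service-principal secret through a template parameter, yet the hunk touches only the tenant row and the parameter declarations it refers to are not shown; make sure the referenced declaration is `secureString` so the value is not recorded in deployment history or surfaced through outputs, and say so in the table, since a plain `string` parameter carrying a client secret is the usual mistake with this pattern.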
logic-apps | Logic Apps Create Api App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-create-api-app.md | like custom APIs but also have these attributes: * Registered as Logic Apps Connector resources in Azure. * Appear with icons alongside Microsoft-managed connectors in the Logic Apps Designer. * Available only to the connectors' authors and logic app resource users who have the same -Azure Active Directory tenant and Azure subscription in the region where the +Microsoft Entra tenant and Azure subscription in the region where the logic apps are deployed. You can also nominate registered connectors for Microsoft certification. |
logic-apps | Logic Apps Custom Api Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-custom-api-authentication.md | Last updated 08/22/2022 # Add authentication when calling custom APIs from Azure Logic Apps -To improve security for calls to your APIs, you can set up Azure Active Directory (Azure AD) authentication through the Azure portal so you don't have to update your code. Or, you can require and enforce authentication through your API's code. +To improve security for calls to your APIs, you can set up Microsoft Entra authentication through the Azure portal so you don't have to update your code. Or, you can require and enforce authentication through your API's code. You can add authentication in the following ways: -* [No code changes](#no-code): Protect your API with [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) through the Azure portal, so you don't have to update your code or redeploy your API. +* [No code changes](#no-code): Protect your API with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) through the Azure portal, so you don't have to update your code or redeploy your API. > [!NOTE] >- > By default, the Azure AD authentication that you select in the Azure portal doesn't + > By default, the Microsoft Entra authentication that you select in the Azure portal doesn't > provide fine-grained authorization. For example, this authentication locks your API > to just a specific tenant, not to a specific user or app. -* [Update your API's code](#update-code): Protect your API by enforcing [certificate authentication](#certificate), [basic authentication](#basic), or [Azure AD authentication](#azure-ad-code) through code. 
+* [Update your API's code](#update-code): Protect your API by enforcing [certificate authentication](#certificate), [basic authentication](#basic), or [Microsoft Entra authentication](#azure-ad-code) through code. <a name="no-code"></a> You can add authentication in the following ways: Here are the general steps for this method: -1. Create two Azure Active Directory (Azure AD) application identities: one for your logic app resource and one for your web app (or API app). +1. Create two Microsoft Entra application identities: one for your logic app resource and one for your web app (or API app). -1. To authenticate calls to your API, use the credentials (client ID and secret) for the service principal that's associated with the Azure AD application identity for your logic app. +1. To authenticate calls to your API, use the credentials (client ID and secret) for the service principal that's associated with the Microsoft Entra application identity for your logic app. 1. Include the application IDs in your logic app's workflow definition. -### Part 1: Create an Azure AD application identity for your logic app +<a name='part-1-create-an-azure-ad-application-identity-for-your-logic-app'></a> -Your logic app resource uses this Azure AD application identity to authenticate against Azure AD. You only have to set up this identity one time for your directory. For example, you can choose to use the same identity for all your logic apps, even though you can create unique identities for each logic app. You can set up these identities in the Azure portal or use [PowerShell](#powershell). +### Part 1: Create a Microsoft Entra application identity for your logic app ++Your logic app resource uses this Microsoft Entra application identity to authenticate against Microsoft Entra ID. You only have to set up this identity one time for your directory. 
For example, you can choose to use the same identity for all your logic apps, even though you can create unique identities for each logic app. You can set up these identities in the Azure portal or use [PowerShell](#powershell). #### [Portal](#tab/azure-portal) -1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**. +1. In the [Azure portal](https://portal.azure.com), select **Microsoft Entra ID**. 1. Confirm that you're in the same directory as your web app or API app. Your logic app resource uses this Azure AD application identity to authenticate The **All registrations** list shows all the app registrations in your directory. To view only your app registrations, select **Owned applications**. - ![Screenshot showing Azure portal with Azure Active Directory instance, "App registration" pane, and "New application registration" selected.](./media/logic-apps-custom-api-authentication/new-app-registration-azure-portal.png) + ![Screenshot showing Azure portal with Microsoft Entra instance, "App registration" pane, and "New application registration" selected.](./media/logic-apps-custom-api-authentication/new-app-registration-azure-portal.png) 1. Provide a user-facing name for your logic app's application identity. Select the supported account types. For **Redirect URI**, select **Web**, provide a unique URL where to return the authentication response, and select **Register**. You can perform this task through Azure Resource Manager with PowerShell. In Pow 1. `New-AzADApplication -DisplayName "MyLogicAppID" -HomePage "http://mydomain.tld" -IdentifierUris "http://mydomain.tld" -Password $SecurePassword` -1. Make sure to copy the **Tenant ID** (GUID for your Azure AD tenant), the **Application ID**, and the password that you used. +1. Make sure to copy the **Tenant ID** (GUID for your Microsoft Entra tenant), the **Application ID**, and the password that you used. 
For more information, learn how to [create a service principal with PowerShell to access resources](../active-directory/develop/howto-authenticate-service-principal-powershell.md). -### Part 2: Create an Azure AD application identity for your web app or API app +<a name='part-2-create-an-azure-ad-application-identity-for-your-web-app-or-api-app'></a> ++### Part 2: Create a Microsoft Entra application identity for your web app or API app If your web app or API app is already deployed, you can turn on authentication and create the application identity in the Azure portal. Otherwise, you can [turn on authentication when you deploy with an Azure Resource Manager template](#authen-deploy). If your web app or API app is already deployed, you can turn on authentication a 1. Under **Settings**, select **Authentication** > **Add identity provider**. -1. After the **Add an identity provider** pane opens, on the **Basics** tab, from the **Identity provider** list, select **Microsoft** to use Azure Active Directory (Azure AD) identities, and then select **Add**. +1. After the **Add an identity provider** pane opens, on the **Basics** tab, from the **Identity provider** list, select **Microsoft** to use Microsoft Entra identities, and then select **Add**. 1. Now, create an application identity for your web app or API app as follows: Now you must find the application (client) ID and tenant ID for the application **Set up authentication when you deploy with an Azure Resource Manager template** -If you're using an Azure Resource Manager template (ARM template), you still have to create an Azure AD application identity for your web app or API app that differs from the app identity for your logic app. To create the application identity, and then find the client ID and tenant ID, follow the previous steps in Part 2 for the Azure portal. You'll use both the client ID and tenant ID in your app's deployment template and also for Part 3. 
+If you're using an Azure Resource Manager template (ARM template), you still have to create a Microsoft Entra application identity for your web app or API app that differs from the app identity for your logic app. To create the application identity, and then find the client ID and tenant ID, follow the previous steps in Part 2 for the Azure portal. You'll use both the client ID and tenant ID in your app's deployment template and also for Part 3. > [!IMPORTANT] >-> When you create the Azure AD application identity for your web app or API app, you must use the Azure portal, not PowerShell. The PowerShell commandlet doesn't set up the required permissions to sign users into a website. +> When you create the Microsoft Entra application identity for your web app or API app, you must use the Azure portal, not PowerShell. The PowerShell commandlet doesn't set up the required permissions to sign users into a website. After you get the client ID and tenant ID, include these IDs as a subresource of your web app or API app in your deployment template: After you get the client ID and tenant ID, include these IDs as a subresource of ] ``` -To automatically deploy a blank web app and a logic app together with Azure Active Directory authentication, [view the complete template here](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.logic/logic-app-custom-api), or select the following **Deploy to Azure** button: +To automatically deploy a blank web app and a logic app together with Microsoft Entra authentication, [view the complete template here](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.logic/logic-app-custom-api), or select the following **Deploy to Azure** button: [![Deploy to 
Azure](media/logic-apps-custom-api-authentication/deploybutton.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.logic%2Flogic-app-custom-api%2Fazuredeploy.json) The previous template already has this authorization section set up, but if you | Property | Required | Description | | -- | -- | -- |-| `tenant` | Yes | The GUID for the Azure AD tenant | +| `tenant` | Yes | The GUID for the Microsoft Entra tenant | | `audience` | Yes | The GUID for the target resource that you want to access, which is the client ID from the application identity for your web app or API app | | `clientId` | Yes | The GUID for the client requesting access, which is the client ID from the application identity for your logic app | | `secret` | Yes | The secret or password from the application identity for the client that's requesting the access token | In the **Authorization** section, include the following properties: <a name="azure-ad-code"></a> -### Azure Active Directory authentication through code +<a name='azure-active-directory-authentication-through-code'></a> ++### Microsoft Entra authentication through code -By default, the Azure AD authentication that you turn on in the Azure portal doesn't provide fine-grained authorization. For example, this authentication locks your API to just a specific tenant, not to a specific user or app. +By default, the Microsoft Entra authentication that you turn on in the Azure portal doesn't provide fine-grained authorization. For example, this authentication locks your API to just a specific tenant, not to a specific user or app. To restrict API access to your logic app through code, extract the header that has the JSON web token (JWT). Check the caller's identity, and reject requests that don't match. |
logic-apps | Logic Apps Deploy Azure Resource Manager Templates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-deploy-azure-resource-manager-templates.md | For more information, see these topics: ## Deploy with Azure DevOps -To deploy logic app templates and manage environments, teams commonly use a tool such as [Azure Pipelines](/azure/devops/pipelines/get-started/what-is-azure-pipelines) in [Azure DevOps](/azure/devops/user-guide/what-is-azure-devops-services). Azure Pipelines provides an [Azure Resource Group Deployment task](https://github.com/Microsoft/azure-pipelines-tasks/tree/master/Tasks/AzureResourceGroupDeploymentV2) that you can add to any build or release pipeline. For authorization to deploy and generate the release pipeline, you also need an Azure Active Directory (AD) [service principal](../active-directory/develop/app-objects-and-service-principals.md). Learn more about [using service principals with Azure Pipelines](/azure/devops/pipelines/library/connect-to-azure). +To deploy logic app templates and manage environments, teams commonly use a tool such as [Azure Pipelines](/azure/devops/pipelines/get-started/what-is-azure-pipelines) in [Azure DevOps](/azure/devops/user-guide/what-is-azure-devops-services). Azure Pipelines provides an [Azure Resource Group Deployment task](https://github.com/Microsoft/azure-pipelines-tasks/tree/master/Tasks/AzureResourceGroupDeploymentV2) that you can add to any build or release pipeline. For authorization to deploy and generate the release pipeline, you also need a Microsoft Entra [service principal](../active-directory/develop/app-objects-and-service-principals.md). Learn more about [using service principals with Azure Pipelines](/azure/devops/pipelines/library/connect-to-azure). 
For more information about continuous integration and continuous deployment (CI/CD) for Azure Resource Manager templates with Azure Pipelines, see these topics and samples: Here are a few suggestions to handle authorizing connections: * Unless your scenario involves services and systems that require multi-factor authentication, you can use a PowerShell script to provide consent for each OAuth connection by running a continuous integration worker as a normal user account on a virtual machine that has active browser sessions with the authorizations and consent already provided. For example, you can repurpose the sample script provided by the [LogicAppConnectionAuth project in the Logic Apps GitHub repo](https://github.com/logicappsio/LogicAppConnectionAuth). -* If you use an Azure Active Directory (Azure AD) [service principal](../active-directory/develop/app-objects-and-service-principals.md) instead to authorize connections, learn how to [specify service principal parameters in your logic app template](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md#authenticate-connections). +* If you use a Microsoft Entra [service principal](../active-directory/develop/app-objects-and-service-principals.md) instead to authorize connections, learn how to [specify service principal parameters in your logic app template](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md#authenticate-connections). ## Next steps |
logic-apps | Logic Apps Gateway Connection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-gateway-connection.md | In Azure Logic Apps, an on-premises data gateway supports [on-premises connector * [Apache Impala](/connectors/impala) * [BizTalk Server](/connectors/biztalk) * [File System](/connectors/filesystem)-* [HTTP with Azure AD](/connectors/webcontents) +* [HTTP with Microsoft Entra ID](/connectors/webcontents) * [IBM DB2](/connectors/db2) * [IBM Informix](/connectors/informix) * [IBM MQ](/connectors/mq) Azure Logic Apps supports read and write operations through the data gateway, bu * You already [installed an on-premises data gateway on a local computer](logic-apps-gateway-install.md). This gateway installation must exist before you can create a gateway resource that links to this installation. You can install only one data gateway per local computer. -* You have the [same Azure account and subscription](logic-apps-gateway-install.md#requirements) that you used for your gateway installation. This Azure account must belong only to a single [Azure Active Directory (Azure AD) tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology). You have to use the same Azure account and subscription to create your gateway resource in Azure because only the gateway administrator can create the gateway resource in Azure. Service principals currently aren't supported. +* You have the [same Azure account and subscription](logic-apps-gateway-install.md#requirements) that you used for your gateway installation. This Azure account must belong only to a single [Microsoft Entra tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology). You have to use the same Azure account and subscription to create your gateway resource in Azure because only the gateway administrator can create the gateway resource in Azure. Service principals currently aren't supported. 
* When you create a gateway resource in Azure, you select a gateway installation to link with your gateway resource and only that gateway resource. Each gateway resource can link to only one gateway installation. You can't select a gateway installation that's already associated with another gateway resource. - * Your logic app resource and gateway resource don't have to exist in the same Azure subscription. In triggers and actions where you use the gateway resource, you can select a different Azure subscription that has a gateway resource, but only if that subscription exists in the same Azure AD tenant or directory as your logic app resource. You also have to have administrator permissions on the gateway, which another administrator can set up for you. For more information, see [Data Gateway: Automation using PowerShell - Part 1](https://community.powerbi.com/t5/Community-Blog/Data-Gateway-Automation-using-PowerShell-Part-1/ba-p/1117330) and [PowerShell: Data Gateway - Add-DataGatewayClusterUser](/powershell/module/datagateway/add-datagatewayclusteruser). + * Your logic app resource and gateway resource don't have to exist in the same Azure subscription. In triggers and actions where you use the gateway resource, you can select a different Azure subscription that has a gateway resource, but only if that subscription exists in the same Microsoft Entra tenant or directory as your logic app resource. You also have to have administrator permissions on the gateway, which another administrator can set up for you. For more information, see [Data Gateway: Automation using PowerShell - Part 1](https://community.powerbi.com/t5/Community-Blog/Data-Gateway-Automation-using-PowerShell-Part-1/ba-p/1117330) and [PowerShell: Data Gateway - Add-DataGatewayClusterUser](/powershell/module/datagateway/add-datagatewayclusteruser). > [!NOTE] > Currently, you can't share a gateway resource or installation across multiple subscriptions. 
After you install a gateway on a local computer, create the Azure resource for y | **Resource group** | Select the [Azure resource group](../azure-resource-manager/management/overview.md) that you want to use. | | **Name** | Enter a name for your gateway resource that contains only letters, numbers, hyphens (`-`), underscores (`_`), parentheses (`(`, `)`), or periods (`.`). | | **Region** | Select the same region or location that you selected for the gateway cloud service during [gateway installation](logic-apps-gateway-install.md). Otherwise, your gateway installation doesn't appear in the **Installation Name** list. Your logic app resource location can differ from your gateway resource location. |- | **Installation Name** | Select a gateway installation, which appears in the list only when these conditions are met: <p><p>- The gateway installation uses the same region as the gateway resource that you want to create. <br>- The gateway installation isn't linked to another Azure gateway resource. <br>- The gateway installation is linked to the same Azure account that you're using to create the gateway resource. <br>- Your Azure account belongs to a single [Azure AD tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology) and is the same account that you used for the gateway installation. <p><p>For more information, see [Frequently asked questions](#frequently-asked-questions). | + | **Installation Name** | Select a gateway installation, which appears in the list only when these conditions are met: <p><p>- The gateway installation uses the same region as the gateway resource that you want to create. <br>- The gateway installation isn't linked to another Azure gateway resource. <br>- The gateway installation is linked to the same Azure account that you're using to create the gateway resource. 
<br>- Your Azure account belongs to a single [Microsoft Entra tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology) and is the same account that you used for the gateway installation. <p><p>For more information, see [Frequently asked questions](#frequently-asked-questions). | The following example shows a gateway installation that's in the same region as your gateway resource and is linked to the same Azure account: After you create your gateway resource and associate your Azure subscription wit Your logic app resource and gateway resource don't have to exist in the same Azure subscription. You can select from other Azure subscriptions that each have a gateway resource, but only if: - * These subscriptions exist in the same Azure AD tenant or directory as your logic app resource. + * These subscriptions exist in the same Microsoft Entra tenant or directory as your logic app resource. * You have administrator permissions on the gateway, which another administrator can set up for you. For more information, see [Data Gateway: Automation using PowerShell - Part 1](https://community.powerbi.com/t5/Community-Blog/Data-Gateway-Automation-using-PowerShell-Part-1/ba-p/1117330) and [PowerShell: Data Gateway - Add-DataGatewayClusterUser](/powershell/module/datagateway/add-datagatewayclusteruser). To create a different gateway resource, link your gateway installation to a diff * Your Azure account isn't the same account that you used for the gateway installation on your local computer. Check that you signed in to the Azure portal with the same identity that you used for the gateway installation. Only the gateway administrator can create the gateway resource in Azure. Service principals currently aren't supported. -* Your Azure account doesn't belong to only a single [Azure AD tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology). 
Check that you're using the same Azure AD tenant or directory that you used during gateway installation. +* Your Azure account doesn't belong to only a single [Microsoft Entra tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology). Check that you're using the same Microsoft Entra tenant or directory that you used during gateway installation. * Your gateway resource and gateway installation don't exist in the same region. Make sure that your gateway installation uses the same region where you want to create the gateway resource in Azure. However, your logic app resource's location can differ from your gateway resource location. |
logic-apps | Logic Apps Gateway Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-gateway-install.md | For information about how to use the gateway with these services, see these arti * Your Azure account needs to use either a work account or school account with the format `<username>@<organization>.com`. You can't use Azure B2B (guest) accounts or personal Microsoft accounts, such as accounts with hotmail.com or outlook.com domains. > [!NOTE]- > If you signed up for a Microsoft 365 offering and didn't provide your work email address, your address might have the format `username@domain.onmicrosoft.com`. In this case, your account is stored in an Azure Active Directory (Azure AD) tenant. In most cases, the user principal name (UPN) for your Azure account is the same as your email address. + > If you signed up for a Microsoft 365 offering and didn't provide your work email address, your address might have the format `username@domain.onmicrosoft.com`. In this case, your account is stored in a Microsoft Entra tenant. In most cases, the user principal name (UPN) for your Azure account is the same as your email address. - To use a [Visual Studio Standard subscription](https://visualstudio.microsoft.com/vs/pricing/) that's associated with a Microsoft account, first [create an Azure AD tenant](../active-directory/develop/quickstart-create-new-tenant.md) or use the default directory. Add a user with a password to the directory, and then give that user access to your Azure subscription. You can then sign in during gateway installation with this username and password. + To use a [Visual Studio Standard subscription](https://visualstudio.microsoft.com/vs/pricing/) that's associated with a Microsoft account, first [create a Microsoft Entra tenant](../active-directory/develop/quickstart-create-new-tenant.md) or use the default directory. 
Add a user with a password to the directory, and then give that user access to your Azure subscription. You can then sign in during gateway installation with this username and password. - * Your Azure account must belong only to a single [Azure AD tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology). You need to use that account when you install and administer the gateway on your local computer. + * Your Azure account must belong only to a single [Microsoft Entra tenant or directory](../active-directory/fundamentals/active-directory-whatis.md#terminology). You need to use that account when you install and administer the gateway on your local computer. - * When you install the gateway, you sign in with your Azure account, which links your gateway installation to your Azure account and only that account. You can't link the same gateway installation across multiple Azure accounts or Azure AD tenants. + * When you install the gateway, you sign in with your Azure account, which links your gateway installation to your Azure account and only that account. You can't link the same gateway installation across multiple Azure accounts or Microsoft Entra tenants. * Later in the Azure portal, you need to use the same Azure account to create an Azure gateway resource that's associated with your gateway installation. You can link only one gateway installation and one Azure gateway resource to each other. However, you can use your Azure account to set up different gateway installations that are each associated with an Azure gateway resource. Your logic app workflows can then use these gateway resources in triggers and actions that can access on-premises data sources. For information about how to use the gateway with these services, see these arti * If you plan to use Windows authentication, make sure that you install the gateway on a computer that's a member of the same Active Directory environment as your data sources. 
- * The region that you select for your gateway installation is the same location that you must select when you later create the Azure gateway resource for your logic app workflow. By default, this region is the same location as your Azure AD tenant that manages your Azure user account. However, you can change the location during gateway installation or later. + * The region that you select for your gateway installation is the same location that you must select when you later create the Azure gateway resource for your logic app workflow. By default, this region is the same location as your Microsoft Entra tenant that manages your Azure user account. However, you can change the location during gateway installation or later. > [!IMPORTANT] > During gateway setup, the **Change Region** command is unavailable if you signed in with your Azure Government account, which is associated with an - > Azure AD tenant in the [Azure Government cloud](../azure-government/compare-azure-government-global-azure.md). The gateway - > automatically uses the same region as your user account's Azure AD tenant. + > Microsoft Entra tenant in the [Azure Government cloud](../azure-government/compare-azure-government-global-azure.md). The gateway + > automatically uses the same region as your user account's Microsoft Entra tenant. > > To continue using your Azure Government account, but set up the gateway to work in the global multi-tenant Azure Commercial cloud instead, first sign > in during gateway installation with the `prod@microsoft.com` username. This solution forces the gateway to use the global multi-tenant Azure cloud, For information about how to use the gateway with these services, see these arti 1. 
Provide this information for your gateway installation: - * A gateway name that's unique across your Azure AD tenant + * A gateway name that's unique across your Microsoft Entra tenant * A recovery key that has at least eight characters * Confirmation of the recovery key For information about how to use the gateway with these services, see these arti Note the **Add to an existing gateway cluster** option. When you install additional gateways for [high-availability scenarios](#high-availability-support), you use this option. -1. Check the region for the gateway cloud service and [Azure Service Bus messaging instance](../service-bus-messaging/service-bus-messaging-overview.md) that your gateway installation uses. By default, this region is the same location as the Azure AD tenant for your Azure account. +1. Check the region for the gateway cloud service and [Azure Service Bus messaging instance](../service-bus-messaging/service-bus-messaging-overview.md) that your gateway installation uses. By default, this region is the same location as the Microsoft Entra tenant for your Azure account. :::image type="content" source="./media/logic-apps-gateway-install/confirm-gateway-region.png" alt-text="Screenshot of part of the gateway installer window. The gateway cloud service region is highlighted."::: If you must change your gateway's location, move your gateway installation to a ## Tenant-level administration -To get visibility into all the on-premises data gateways in an Azure AD tenant, global administrators in that tenant can sign in to the [Power Platform Admin center](https://powerplatform.microsoft.com) as a tenant administrator and select the **Data Gateways** option. For more information, see [Tenant-level administration for the on-premises data gateway](/data-integration/gateway/service-gateway-tenant-level-admin). 
+To get visibility into all the on-premises data gateways in a Microsoft Entra tenant, global administrators in that tenant can sign in to the [Power Platform Admin center](https://powerplatform.microsoft.com) as a tenant administrator and select the **Data Gateways** option. For more information, see [Tenant-level administration for the on-premises data gateway](/data-integration/gateway/service-gateway-tenant-level-admin). <a name="restart-gateway"></a> These steps describe what happens when you interact with an element that's conne A stored credential is used to connect from the gateway to on-premises data sources. Regardless of the user, the gateway uses the stored credential to connect. There might be authentication exceptions for specific services, such as DirectQuery and LiveConnect for Analysis Services in Power BI. -### Azure AD +<a name='azure-ad'></a> -Microsoft cloud services use [Azure AD](../active-directory/fundamentals/active-directory-whatis.md) to authenticate users. An Azure AD tenant contains usernames and security groups. Typically, the email address that you use for sign-in is the same as the UPN for your account. +### Microsoft Entra ID ++Microsoft cloud services use [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) to authenticate users. A Microsoft Entra tenant contains usernames and security groups. Typically, the email address that you use for sign-in is the same as the UPN for your account. ### What is my UPN? If you're not a domain admin, you might not know your UPN. To find the UPN for your account, run the `whoami /upn` command from your workstation. Although the result looks like an email address, the result is the UPN for your local domain account. 
-### Synchronize an on-premises Active Directory with Azure AD +<a name='synchronize-an-on-premises-active-directory-with-azure-ad'></a> ++### Synchronize an on-premises Active Directory with Microsoft Entra ID -You need to use the same UPN for your on-premises Active Directory accounts and Azure AD accounts. So, make sure that the UPN for each on-premises Active Directory account matches your Azure AD account UPN. The cloud services know only about accounts within Azure AD. So, you don't need to add an account to your on-premises Active Directory. If an account doesn't exist in Azure AD, you can't use that account. +You need to use the same UPN for your on-premises Active Directory accounts and Microsoft Entra accounts. So, make sure that the UPN for each on-premises Active Directory account matches your Microsoft Entra account UPN. The cloud services know only about accounts within Microsoft Entra ID. So, you don't need to add an account to your on-premises Active Directory. If an account doesn't exist in Microsoft Entra ID, you can't use that account. -Here are ways that you can match your on-premises Active Directory accounts with Azure AD. +Here are ways that you can match your on-premises Active Directory accounts with Microsoft Entra ID. -* Add accounts manually to Azure AD. +* Add accounts manually to Microsoft Entra ID. Create an account in the Azure portal or in the Microsoft 365 admin center. Make sure that the account name matches the UPN for the on-premises Active Directory account. -* Synchronize local accounts to your Azure AD tenant by using the Azure AD Connect tool. +* Synchronize local accounts to your Microsoft Entra tenant by using the Microsoft Entra Connect tool. - The Azure AD Connect tool provides options for directory synchronization and authentication setup. These options include password hash sync, pass-through authentication, and federation. 
If you're not a tenant admin or a local domain admin, contact your IT admin to get Azure AD Connect set up. Azure AD Connect ensures that your Azure AD UPN matches your local Active Directory UPN. This matching helps if you're using Analysis Services live connections with Power BI or single sign-on (SSO) capabilities. + The Microsoft Entra Connect tool provides options for directory synchronization and authentication setup. These options include password hash sync, pass-through authentication, and federation. If you're not a tenant admin or a local domain admin, contact your IT admin to get Microsoft Entra Connect set up. Microsoft Entra Connect ensures that your Microsoft Entra UPN matches your local Active Directory UPN. This matching helps if you're using Analysis Services live connections with Power BI or single sign-on (SSO) capabilities. > [!NOTE]- > Synchronizing accounts with the Azure AD Connect tool creates new accounts in your Azure AD tenant. + > Synchronizing accounts with the Microsoft Entra Connect tool creates new accounts in your Microsoft Entra tenant. <a name="faq"></a> |
logic-apps | Logic Apps Http Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-http-endpoint.md | Some scenarios might require that you create a workflow that you can call throug This how-to guide shows how to create a callable endpoint for your workflow by using the Request trigger and call that endpoint from another workflow. All principles identically apply to the other request-based trigger types that can receive inbound requests. -For information about security, authorization, and encryption for inbound calls to your workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), exposing your logic app with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](logic-apps-securing-a-logic-app.md#secure-inbound-requests). +For information about security, authorization, and encryption for inbound calls to your workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [OAuth with Microsoft Entra ID](../active-directory/develop/index.yml), exposing your logic app with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](logic-apps-securing-a-logic-app.md#secure-inbound-requests). ## Prerequisites To view the JSON definition for the Response action and your workflow's complete > * The shared access key appears in the URL. > * You can't manage security content policies due to shared domains across Azure Logic Apps customers. 
-For more information about security, authorization, and encryption for inbound calls to your workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), exposing your logic app workflow with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). +For more information about security, authorization, and encryption for inbound calls to your workflow, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)](../active-directory/develop/index.yml), exposing your logic app workflow with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests). #### Q: Can I configure callable endpoints further? |
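Review bot: The two renames of the same sentence in logic-apps-http-endpoint.md disagree: the first `+` line (the intro paragraph) now reads `[OAuth with Microsoft Entra ID]`, while the second `+` line (the FAQ paragraph) reads `[Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)]`. Use one phrasing in both places, preferably the first, since OAuth is an authorization framework and "Open Authentication" misstates what the link points to. The rest of the FAQ line (TLS, API Management, IP restrictions, the link to logic-apps-securing-a-logic-app.md) is fine as changed.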
logic-apps | Logic Apps Limits And Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-limits-and-config.md | By default, the HTTP action and APIConnection actions follow the [standard async ### Authentication limits -The following table lists the values for a workflow that starts with a Request trigger and enables [Azure Active Directory Open Authentication](../active-directory/develop/index.yml) (Azure AD OAuth) for authorizing inbound calls to the Request trigger: +The following table lists the values for a workflow that starts with a Request trigger and enables [Microsoft Entra ID Open Authentication](../active-directory/develop/index.yml) (Microsoft Entra ID OAuth) for authorizing inbound calls to the Request trigger: | Name | Limit | Notes | | - | -- | -- |-| Azure AD authorization policies | 5 policies | | +| Microsoft Entra authorization policies | 5 policies | | | Claims per authorization policy | 10 claims | | | Claim value - Maximum number of characters | 150 characters | |
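Review bot: the `+` sentence keeps "Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)" while the `+` table row shortens the same concept to "Microsoft Entra authorization policies", and the companion Http Endpoint commit in this batch renders the rename as "OAuth with Microsoft Entra ID". This limits table is what the securing article links to (`logic-apps-limits-and-config.md#authentication-limits`), so align the sentence with that article's wording, for example "enables [OAuth with Microsoft Entra ID](../active-directory/develop/index.yml) for authorizing inbound calls".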
logic-apps | Logic Apps Securing A Logic App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-securing-a-logic-app.md | In the underlying trigger or action definition, add or update the `runtimeConfig If you deploy across different environments, consider parameterizing the values in your workflow definition that vary based on those environments. That way, you can avoid hard-coded data by using an [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) to deploy your logic app, protect sensitive data by defining secured parameters, and pass that data as separate inputs through the [template's parameters](../azure-resource-manager/templates/parameters.md) by using a [parameter file](../azure-resource-manager/templates/parameter-files.md). -For example, if you authenticate HTTP actions with [Azure Active Directory Open Authentication](#azure-active-directory-oauth-authentication) (Azure AD OAuth), you can define and obscure the parameters that accept the client ID and client secret that are used for authentication. To define these parameters in your logic app workflow, use the `parameters` section in your logic app's workflow definition and Resource Manager template for deployment. To help secure parameter values that you don't want shown when editing your logic app or viewing run history, define the parameters by using the `securestring` or `secureobject` type and use encoding as necessary. Parameters that have this type aren't returned with the resource definition and aren't accessible when viewing the resource after deployment. To access these parameter values during runtime, use the `@parameters('<parameter-name>')` expression inside your workflow definition. This expression is evaluated only at runtime and is described by the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md). 
+For example, if you authenticate HTTP actions with [OAuth with Microsoft Entra ID](#azure-active-directory-oauth-authentication), you can define and obscure the parameters that accept the client ID and client secret that are used for authentication. To define these parameters in your logic app workflow, use the `parameters` section in your logic app's workflow definition and Resource Manager template for deployment. To help secure parameter values that you don't want shown when editing your logic app or viewing run history, define the parameters by using the `securestring` or `secureobject` type and use encoding as necessary. Parameters that have this type aren't returned with the resource definition and aren't accessible when viewing the resource after deployment. To access these parameter values during runtime, use the `@parameters('<parameter-name>')` expression inside your workflow definition. This expression is evaluated only at runtime and is described by the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md). 
> [!NOTE] > If you use a parameter in a request header or body, that parameter might be visible The following table identifies the authentication types that are available on th | [Client Certificate](#client-certificate-authentication) | Azure API Management, Azure App Services, HTTP, HTTP + Swagger, HTTP Webhook | | [Active Directory OAuth](#azure-active-directory-oauth-authentication) | - **Consumption**: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook <br><br>- **Standard**: Azure Automation, Azure Blob Storage, Azure Event Hubs, Azure Queues, Azure Service Bus, Azure Tables, HTTP, HTTP Webhook, SQL Server | | [Raw](#raw-authentication) | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |-| [Managed identity](#managed-identity-authentication) | **Built-in connectors**: <br><br>- **Consumption**: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook <br><br>- **Standard**: Azure Automation, Azure Blob Storage, Azure Event Hubs, Azure Queues, Azure Service Bus, Azure Tables, HTTP, HTTP Webhook, SQL Server <br><br>**Note**: Currently, most [built-in, service provider-based connectors](/azure/logic-apps/connectors/built-in/reference/) don't support selecting user-assigned managed identities for authentication. 
<br><br>**Managed connectors**: Azure AD Identity Protection, Azure App Service, Azure Automation, Azure Blob Storage, Azure Container Instance, Azure Cosmos DB, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Event Hubs, Azure IoT Central V2, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Queues, Azure Resource Manager, Azure Service Bus, Azure Sentinel, Azure Table Storage, Azure VM, HTTP with Azure AD, SQL Server | +| [Managed identity](#managed-identity-authentication) | **Built-in connectors**: <br><br>- **Consumption**: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook <br><br>- **Standard**: Azure Automation, Azure Blob Storage, Azure Event Hubs, Azure Queues, Azure Service Bus, Azure Tables, HTTP, HTTP Webhook, SQL Server <br><br>**Note**: Currently, most [built-in, service provider-based connectors](/azure/logic-apps/connectors/built-in/reference/) don't support selecting user-assigned managed identities for authentication. 
<br><br>**Managed connectors**: Microsoft Entra ID Protection, Azure App Service, Azure Automation, Azure Blob Storage, Azure Container Instance, Azure Cosmos DB, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Event Hubs, Azure IoT Central V2, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Queues, Azure Resource Manager, Azure Service Bus, Azure Sentinel, Azure Table Storage, Azure VM, HTTP with Microsoft Entra ID, SQL Server | <a name="secure-inbound-requests"></a> For inbound calls, use the following cipher suites: The following list includes more ways that you can limit access to triggers that receive inbound calls to your logic app so that only authorized clients can call your logic app: * [Generate shared access signatures (SAS)](#sas)-* [Enable Azure Active Directory Open Authentication (Azure AD OAuth)](#enable-oauth) +* [Enable OAuth with Microsoft Entra ID](#enable-oauth) * [Expose your logic app with Azure API Management](#azure-api-management) * [Restrict inbound IP addresses](#restrict-inbound-ip-addresses) Each URL contains the `sp`, `sv`, and `sig` query parameter as described in this | `sig` | Specifies the signature to use for authenticating access to the trigger. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. This key is kept encrypted, stored with the logic app, and is never exposed or published. Your logic app authorizes only those triggers that contain a valid signature created with the secret key. | ||| -Inbound calls to a request endpoint can use only one authorization scheme, either SAS or [Azure Active Directory Open Authentication](#enable-oauth). Although using one scheme doesn't disable the other scheme, using both schemes at the same time causes an error because the service doesn't know which scheme to choose. 
+Inbound calls to a request endpoint can use only one authorization scheme, either SAS or [OAuth with Microsoft Entra ID](#enable-oauth). Although using one scheme doesn't disable the other scheme, using both schemes at the same time causes an error because the service doesn't know which scheme to choose. For more information about securing access with SAS, review these sections in this topic: In the body, include the `KeyType` property as either `Primary` or `Secondary`. <a name="enable-oauth"></a> -### Enable Azure Active Directory Open Authentication (Azure AD OAuth) +<a name='enable-azure-active-directory-open-authentication-azure-ad-oauth'></a> -In a Consumption logic app workflow that starts with a request-based trigger, you can authenticate inbound calls sent to the endpoint created by that trigger by enabling [Azure AD OAuth](../active-directory/develop/index.yml). To set up this authentication, [define or add an authorization policy at the logic app level](#enable-azure-ad-inbound). This way, inbound calls use [OAuth access tokens](../active-directory/develop/access-tokens.md) for authorization. +### Enable Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth) ++In a Consumption logic app workflow that starts with a request-based trigger, you can authenticate inbound calls sent to the endpoint created by that trigger by enabling [Microsoft Entra ID OAuth](../active-directory/develop/index.yml). To set up this authentication, [define or add an authorization policy at the logic app level](#enable-azure-ad-inbound). This way, inbound calls use [OAuth access tokens](../active-directory/develop/access-tokens.md) for authorization. When your logic app workflow receives an inbound request that includes an OAuth access token, Azure Logic Apps compares the token's claims against the claims specified by each authorization policy. 
If a match exists between the token's claims and all the claims in at least one policy, authorization succeeds for the inbound request. The token can have more claims than the number specified by the authorization policy. In a Standard logic app workflow that starts with the Request trigger (but not a webhook trigger), you can use the Azure Functions provision for authenticating inbound calls sent to the endpoint created by that trigger by using a managed identity. This provision is also known as "**Easy Auth**". For more information, review [Trigger workflows in Standard logic apps with Easy Auth](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/trigger-workflows-in-standard-logic-apps-with-easy-auth/ba-p/3207378). -#### Considerations before you enable Azure AD OAuth +<a name='considerations-before-you-enable-azure-ad-oauth'></a> ++#### Considerations before you enable Microsoft Entra ID OAuth -* An inbound call to the request endpoint can use only one authorization scheme, either Azure AD OAuth or [Shared Access Signature (SAS)](#sas). Although using one scheme doesn't disable the other scheme, using both schemes at the same time causes an error because Azure Logic Apps doesn't know which scheme to choose. +* An inbound call to the request endpoint can use only one authorization scheme, either OAuth with Microsoft Entra ID or [Shared Access Signature (SAS)](#sas). Although using one scheme doesn't disable the other scheme, using both schemes at the same time causes an error because Azure Logic Apps doesn't know which scheme to choose. -* Azure Logic Apps supports either the [bearer type](../active-directory/develop/active-directory-v2-protocols.md#tokens) or [proof-of-possession type (Consumption logic app only)](/entra/msal/dotnet/advanced/proof-of-possession-tokens) authorization schemes for Azure AD OAuth access tokens. However, the `Authorization` header for the access token must specify either the `Bearer` type or `PoP` type. 
For more information about how to get and use a PoP token, see [Get a Proof of Possession (PoP) token](#get-pop). +* Azure Logic Apps supports either the [bearer type](../active-directory/develop/active-directory-v2-protocols.md#tokens) or [proof-of-possession type (Consumption logic app only)](/entra/msal/dotnet/advanced/proof-of-possession-tokens) authorization schemes for Microsoft Entra ID OAuth access tokens. However, the `Authorization` header for the access token must specify either the `Bearer` type or `PoP` type. For more information about how to get and use a PoP token, see [Get a Proof of Possession (PoP) token](#get-pop). * Your logic app resource is limited to a maximum number of authorization policies. Each authorization policy also has a maximum number of [claims](../active-directory/develop/developer-glossary.md#claim). For more information, review [Limits and configuration for Azure Logic Apps](../logic-apps/logic-apps-limits-and-config.md#authentication-limits). -* An authorization policy must include at least the **Issuer** claim, which has a value that starts with either `https://sts.windows.net/` or `https://login.microsoftonline.com/` (OAuth V2) as the Azure AD issuer ID. +* An authorization policy must include at least the **Issuer** claim, which has a value that starts with either `https://sts.windows.net/` or `https://login.microsoftonline.com/` (OAuth V2) as the Microsoft Entra issuer ID. For example, suppose that your logic app resource has an authorization policy that requires two claim types, **Audience** and **Issuer**. 
This sample [payload section](../active-directory/develop/access-token-claims-reference.md#payload-claims) for a decoded access token includes both claim types where `aud` is the **Audience** value and `iss` is the **Issuer** value: In a Standard logic app workflow that starts with the Request trigger (but not a } ``` -#### Enable Azure AD OAuth as the only option to call a request endpoint +<a name='enable-azure-ad-oauth-as-the-only-option-to-call-a-request-endpoint'></a> ++#### Enable Microsoft Entra ID OAuth as the only option to call a request endpoint 1. Set up your Request or HTTP webhook trigger with the capability to check the OAuth access token by [following the steps to include the 'Authorization' header in the Request or HTTP webhook trigger outputs](#include-auth-header). The Microsoft Authentication Library (MSAL) libraries provide PoP tokens for you * [SignedHttpRequest aka PoP (Proof of Possession)](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/SignedHttpRequest-aka-PoP-(Proof-of-Possession)) -To use the PoP token with your Consumption logic app, follow the next section to [set up Azure AD OAuth](#enable-azure-ad-inbound). +To use the PoP token with your Consumption logic app, follow the next section to [set up OAuth with Microsoft Entra ID](#enable-azure-ad-inbound). 
<a name="enable-azure-ad-inbound"></a> -#### Enable Azure AD OAuth for your Consumption logic app resource +<a name='enable-azure-ad-oauth-for-your-consumption-logic-app-resource'></a> ++#### Enable Microsoft Entra ID OAuth for your Consumption logic app resource Follow these steps for either the Azure portal or your Azure Resource Manager template: In the [Azure portal](https://portal.azure.com), add one or more authorization p | Property | Required | Type | Description | |-|-||-| | **Policy name** | Yes | String | The name that you want to use for the authorization policy |- | **Policy type** | Yes | String | Either **AAD** for bearer type tokens or **AADPOP** for Proof-of-Possession type tokens. | - | **Claims** | Yes | String | A key-value pair that specifies the claim type and value that the workflow's Request trigger expects in the access token presented by each inbound call to the trigger. You can add any standard claim you want by selecting **Add standard claim**. To add a claim that's specific to a PoP token, select **Add custom claim**. <br><br>Available standard claim types: <br><br>- **Issuer** <br>- **Audience** <br>- **Subject** <br>- **JWT ID** (JSON Web Token identifier) <br><br>Requirements: <br><br>- At a minimum, the **Claims** list must include the **Issuer** claim, which has a value that starts with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Azure AD issuer ID. <br><br>- Each claim must be a single string value, not an array of values. For example, you can have a claim with **Role** as the type and **Developer** as the value. You can't have a claim that has **Role** as the type and the values set to **Developer** and **Program Manager**. <br><br>- The claim value is limited to a [maximum number of characters](logic-apps-limits-and-config.md#authentication-limits). 
<br><br>For more information about these claim types, review [Claims in Azure AD security tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). You can also specify your own claim type and value. | + | **Policy type** | Yes | String | Either **Microsoft Entra ID** for bearer type tokens or **AADPOP** for Proof-of-Possession type tokens. | + | **Claims** | Yes | String | A key-value pair that specifies the claim type and value that the workflow's Request trigger expects in the access token presented by each inbound call to the trigger. You can add any standard claim you want by selecting **Add standard claim**. To add a claim that's specific to a PoP token, select **Add custom claim**. <br><br>Available standard claim types: <br><br>- **Issuer** <br>- **Audience** <br>- **Subject** <br>- **JWT ID** (JSON Web Token identifier) <br><br>Requirements: <br><br>- At a minimum, the **Claims** list must include the **Issuer** claim, which has a value that starts with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Microsoft Entra issuer ID. <br><br>- Each claim must be a single string value, not an array of values. For example, you can have a claim with **Role** as the type and **Developer** as the value. You can't have a claim that has **Role** as the type and the values set to **Developer** and **Program Manager**. <br><br>- The claim value is limited to a [maximum number of characters](logic-apps-limits-and-config.md#authentication-limits). <br><br>For more information about these claim types, review [Claims in Microsoft Entra security tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). You can also specify your own claim type and value. | The following example shows the information for a PoP token: In your ARM template, define an authorization policy following these steps and s 1. 
Provide a name for authorization policy, set the policy type to `AAD`, and include a `claims` array where you specify one or more claim types. - At a minimum, the `claims` array must include the Issuer claim type where you set the claim's `name` property to `iss` and set the `value` to start with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Azure AD issuer ID. For more information about these claim types, review [Claims in Azure AD security tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). You can also specify your own claim type and value. + At a minimum, the `claims` array must include the Issuer claim type where you set the claim's `name` property to `iss` and set the `value` to start with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Microsoft Entra issuer ID. For more information about these claim types, review [Claims in Microsoft Entra security tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). You can also specify your own claim type and value. 1. To include the `Authorization` header from the access token in the request-based trigger outputs, review [Include 'Authorization' header in request trigger outputs](#include-auth-header). Here's the syntax to follow: #### Include 'Authorization' header in Request or HTTP webhook trigger outputs -For logic apps that [enable Azure Active Directory Open Authentication (Azure AD OAuth)](#enable-oauth) for authorizing inbound calls to access request-based triggers, you can enable the Request trigger or HTTP Webhook trigger outputs to include the `Authorization` header from the OAuth access token. In the trigger's underlying JSON definition, add and set the `operationOptions` property to `IncludeAuthorizationHeadersInOutputs`. 
Here's an example for the Request trigger: +For logic apps that [enable OAuth with Microsoft Entra ID](#enable-oauth) for authorizing inbound calls to access request-based triggers, you can enable the Request trigger or HTTP Webhook trigger outputs to include the `Authorization` header from the OAuth access token. In the trigger's underlying JSON definition, add and set the `operationOptions` property to `IncludeAuthorizationHeadersInOutputs`. Here's an example for the Request trigger: ```json "triggers": { For more information, review these topics: ### Expose your logic app with Azure API Management -For more authentication protocols and options, consider exposing your logic app workflow as an API by using Azure API Management. This service provides rich monitoring, security, policy, and documentation capabilities for any endpoint. API Management can expose a public or private endpoint for your logic app. To authorize access to this endpoint, you can use Azure Active Directory Open Authentication (Azure AD OAuth), client certificate, or other security standards. When API Management receives a request, the service sends the request to your logic app and makes any necessary transformations or restrictions along the way. To let only API Management call your logic app workflow, you can [restrict your logic app's inbound IP addresses](#restrict-inbound-ip). +For more authentication protocols and options, consider exposing your logic app workflow as an API by using Azure API Management. This service provides rich monitoring, security, policy, and documentation capabilities for any endpoint. API Management can expose a public or private endpoint for your logic app. To authorize access to this endpoint, you can use OAuth with Microsoft Entra ID, client certificate, or other security standards. When API Management receives a request, the service sends the request to your logic app and makes any necessary transformations or restrictions along the way. 
To let only API Management call your logic app workflow, you can [restrict your logic app's inbound IP addresses](#restrict-inbound-ip). For more information, review the following documentation: * [About API Management](../api-management/api-management-key-concepts.md)-* [Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Azure AD](../api-management/api-management-howto-protect-backend-with-aad.md) +* [Protect a web API backend in Azure API Management by using OAuth 2.0 authorization with Microsoft Entra ID](../api-management/api-management-howto-protect-backend-with-aad.md) * [Secure APIs using client certificate authentication in API Management](../api-management/api-management-howto-mutual-certificates-for-clients.md) * [API Management authentication policies](../api-management/api-management-authentication-policies.md) This list includes information about TLS/SSL self-signed certificates: * For Standard logic app workflows in the single-tenant Azure Logic Apps environment, HTTP operations support self-signed TLS/SSL certificates. However, you have to complete a few extra steps for this authentication type. Otherwise, the call fails. For more information, review [TLS/SSL certificate authentication for single-tenant Azure Logic Apps](../connectors/connectors-native-http.md#tlsssl-certificate-authentication). - If you want to use client certificate or Azure Active Directory Open Authentication (Azure AD OAuth) with the "Certificate" credential type instead, you still have to complete a few extra steps for this authentication type. Otherwise, the call fails. For more information, review [Client certificate or Azure Active Directory Open Authentication (Azure AD OAuth) with the "Certificate" credential type for single-tenant Azure Logic Apps](../connectors/connectors-native-http.md#client-certificate-authentication). 
+ If you want to use client certificate or OAuth with Microsoft Entra ID with the "Certificate" credential type instead, you still have to complete a few extra steps for this authentication type. Otherwise, the call fails. For more information, review [Client certificate or OAuth with Microsoft Entra ID with the "Certificate" credential type for single-tenant Azure Logic Apps](../connectors/connectors-native-http.md#client-certificate-authentication). Here are more ways that you can help secure endpoints that handle calls sent from your logic app workflows: When you use [secured parameters](#secure-action-parameters) to handle and secur > [!IMPORTANT] > If you have a **Logic App (Standard)** resource in single-tenant Azure Logic Apps, > and you want to use an HTTP operation with a TSL/SSL certificate, client certificate, -> or Azure Active Directory Open Authentication (Azure AD OAuth) with the `Certificate` +> or Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth) with the `Certificate` > credential type, make sure to complete the extra setup steps for this authentication type. > Otherwise, the call fails. For more information, review > [Authentication in single-tenant environment](../connectors/connectors-native-http.md#single-tenant-authentication). For more information about securing services by using client certificate authent <a name="azure-active-directory-oauth-authentication"></a> -#### Azure Active Directory Open Authentication +<a name='azure-active-directory-open-authentication'></a> ++#### Microsoft identity platform -On Request triggers, you can use [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), for authenticating incoming calls after you [set up Azure AD authorization policies](#enable-oauth) for your logic app. 
For all other triggers and actions that provide the **Active Directory OAuth** authentication type for you to select, specify these property values: +On Request triggers, you can use [Microsoft identity platform](../active-directory/develop/index.yml), for authenticating incoming calls after you [set up Microsoft Entra authorization policies](#enable-oauth) for your logic app. For all other triggers and actions that provide the **Active Directory OAuth** authentication type for you to select, specify these property values: | Property (designer) | Property (JSON) | Required | Value | Description | ||--|-|-|-| | **Authentication** | `type` | Yes | **Active Directory OAuth** <br>or <br>`ActiveDirectoryOAuth` | The authentication type to use. Azure Logic Apps currently follows the [OAuth 2.0 protocol](../active-directory/develop/v2-overview.md). |-| **Authority** | `authority` | No | <*URL-for-authority-token-issuer*> | The URL for the authority that provides the access token, such as `https://login.microsoftonline.com/` for Azure global service regions. For other national clouds, review [Azure AD authentication endpoints - Choosing your identity authority](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints). | -| **Tenant** | `tenant` | Yes | <*tenant-ID*> | The tenant ID for the Azure AD tenant | +| **Authority** | `authority` | No | <*URL-for-authority-token-issuer*> | The URL for the authority that provides the access token, such as `https://login.microsoftonline.com/` for Azure global service regions. For other national clouds, review [Microsoft Entra authentication endpoints - Choosing your identity authority](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints). 
| +| **Tenant** | `tenant` | Yes | <*tenant-ID*> | The tenant ID for the Microsoft Entra tenant | | **Audience** | `audience` | Yes | <*resource-to-authorize*> | The resource that you want to use for authorization, for example, `https://management.core.windows.net/` | | **Client ID** | `clientId` | Yes | <*client-ID*> | The client ID for the app requesting authorization | | **Credential Type** | `credentialType` | Yes | Certificate <br>or <br>Secret | The credential type that the client uses for requesting authorization. This property and value don't appear in your logic app's underlying definition, but determines the properties that appear for the selected credential type. | When you use [secured parameters](#secure-action-parameters) to handle and secur > [!IMPORTANT] > If you have a **Logic App (Standard)** resource in single-tenant Azure Logic Apps, > and you want to use an HTTP operation with a TSL/SSL certificate, client certificate, -> or Azure Active Directory Open Authentication (Azure AD OAuth) with the `Certificate` +> or OAuth with Microsoft Entra ID with the `Certificate` > credential type, make sure to complete the extra setup steps for this authentication type. > Otherwise, the call fails. For more information, review > [Authentication in single-tenant environment](../connectors/connectors-native-http.md#single-tenant-authentication). When you use [secured parameters](#secure-action-parameters) to handle and secur #### Managed identity authentication -When the [managed identity](../active-directory/managed-identities-azure-resources/overview.md) option is available on the [trigger or action that supports managed identity authentication](#authentication-types-supported-triggers-actions), your logic app can use this identity for authenticating access to Azure resources that are protected by Azure Active Directory (Azure AD), rather than credentials, secrets, or Azure AD tokens. 
Azure manages this identity for you and helps you secure your credentials because you don't have to manage secrets or directly use Azure AD tokens. Learn more about [Azure services that support managed identities for Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +When the [managed identity](../active-directory/managed-identities-azure-resources/overview.md) option is available on the [trigger or action that supports managed identity authentication](#authentication-types-supported-triggers-actions), your logic app can use this identity for authenticating access to Azure resources that are protected by Microsoft Entra ID, rather than credentials, secrets, or Microsoft Entra tokens. Azure manages this identity for you and helps you secure your credentials because you don't have to manage secrets or directly use Microsoft Entra tokens. Learn more about [Azure services that support managed identities for Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). * The **Logic App (Consumption)** resource type can use the system-assigned identity or a *single* manually created user-assigned identity. When the [managed identity](../active-directory/managed-identities-azure-resourc ||--|-|-|-| | **Authentication** | `type` | Yes | **Managed Identity** <br>or <br>`ManagedServiceIdentity` | The authentication type to use | | **Managed Identity** | `identity` | No | <*user-assigned-identity-ID*> | The user-assigned managed identity to use. **Note**: Don't include this property when using the system-assigned managed identity. |- | **Audience** | `audience` | Yes | <*target-resource-ID*> | The resource ID for the target resource that you want to access. 
<p>For example, `https://storage.azure.com/` makes the [access tokens](../active-directory/develop/access-tokens.md) for authentication valid for all storage accounts. However, you can also specify a root service URL, such as `https://fabrikamstorageaccount.blob.core.windows.net` for a specific storage account. <p>**Note**: The **Audience** property might be hidden in some triggers or actions. To make this property visible, in the trigger or action, open the **Add new parameter** list, and select **Audience**. <p><p>**Important**: Make sure that this target resource ID *exactly matches* the value that Azure AD expects, including any required trailing slashes. So, the `https://storage.azure.com/` resource ID for all Azure Blob Storage accounts requires a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. To find these resource IDs, review [Azure services that support Azure AD](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). | + | **Audience** | `audience` | Yes | <*target-resource-ID*> | The resource ID for the target resource that you want to access. <p>For example, `https://storage.azure.com/` makes the [access tokens](../active-directory/develop/access-tokens.md) for authentication valid for all storage accounts. However, you can also specify a root service URL, such as `https://fabrikamstorageaccount.blob.core.windows.net` for a specific storage account. <p>**Note**: The **Audience** property might be hidden in some triggers or actions. To make this property visible, in the trigger or action, open the **Add new parameter** list, and select **Audience**. <p><p>**Important**: Make sure that this target resource ID *exactly matches* the value that Microsoft Entra ID expects, including any required trailing slashes. 
So, the `https://storage.azure.com/` resource ID for all Azure Blob Storage accounts requires a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. To find these resource IDs, review [Azure services that support Microsoft Entra ID](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). | When you use [secured parameters](#secure-action-parameters) to handle and secure sensitive information, for example, in an [Azure Resource Manager template for automating deployment](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md), you can use expressions to access these parameter values at runtime. For example, this HTTP action definition specifies the authentication `type` as `ManagedServiceIdentity` and uses the [parameters() function](../logic-apps/workflow-definition-language-functions-reference.md#parameters) to get the parameter values: |
logic-apps | Logic Apps Workflow Actions Triggers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-workflow-actions-triggers.md | You can change the default behavior for triggers and actions with the `operation | Operation option | Type | Description | Trigger or action | |||-|-| | `DisableAsyncPattern` | String | Run HTTP-based actions synchronously, rather than asynchronously. <p><p>To set this option, see [Run actions synchronously](#disable-asynchronous-pattern). | Actions: <p>[ApiConnection](#apiconnection-action), <br>[HTTP](#http-action), <br>[Response](#response-action) | -| `IncludeAuthorizationHeadersInOutputs` | String | For logic apps that [enable Azure Active Directory Open Authentication (Azure AD OAuth)](../logic-apps/logic-apps-securing-a-logic-app.md#enable-oauth) to authorize access for inbound calls to a request-based trigger endpoint, include the `Authorization` header from the OAuth access token in the trigger outputs. For more information, see [Include 'Authorization' header in request trigger outputs](../logic-apps/logic-apps-securing-a-logic-app.md#include-auth-header). | Triggers: <p>[Request](#request-trigger), <br>[HTTP Webhook](#http-webhook-trigger) | +| `IncludeAuthorizationHeadersInOutputs` | String | For logic apps that [enable OAuth with Microsoft Entra ID](../logic-apps/logic-apps-securing-a-logic-app.md#enable-oauth) to authorize access for inbound calls to a request-based trigger endpoint, include the `Authorization` header from the OAuth access token in the trigger outputs. For more information, see [Include 'Authorization' header in request trigger outputs](../logic-apps/logic-apps-securing-a-logic-app.md#include-auth-header). | Triggers: <p>[Request](#request-trigger), <br>[HTTP Webhook](#http-webhook-trigger) | | `Sequential` | String | Run "for each" loop iterations one at a time, rather than all at the same time in parallel. 
<p>This option works the same way as setting the `runtimeConfiguration.concurrency.repetitions` property to `1`. You can set either property, but not both. <p><p>To set this option, see [Run "for each" loops sequentially](#sequential-for-each).| Action: <p>[Foreach](#foreach-action) | | `SingleInstance` | String | Run the trigger for each logic app instance sequentially and wait for the previously active run to finish before triggering the next logic app instance. <p><p>This option works the same way as setting the `runtimeConfiguration.concurrency.runs` property to `1`. You can set either property, but not both. <p>To set this option, see [Trigger instances sequentially](#sequential-trigger). | All triggers | | `SuppressWorkflowHeaders` | String | Don't send `x-ms-*` metadata headers in outbound requests. By default, the Azure Logic Apps service includes extra metadata headers with the `x-ms-` prefix in the header name as part of outbound requests. However, some legacy services won't accept requests with extra unknown headers, resulting in failed requests. | Actions: <p>[HTTP](#http-action), <br>[Function](#function-action), <br>APIManagement | |
logic-apps | Monitor Workflows Collect Diagnostic Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/monitor-workflows-collect-diagnostic-data.md | This how-to guide shows how to complete the following tasks, based on whether yo * [Permission to purchase - Azure Marketplace purchasing](/marketplace/azure-purchasing-invoicing#permission-to-purchase) - * [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles) + * [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles) * The destination resource for where you want to send diagnostic data: |
logic-apps | Move Logic App Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/move-logic-app-resources.md | Some Azure resources, such as on-premises data gateway resources in Azure, can e For example, to link a logic app to an integration account, both resources must exist in the same region. In scenarios such as disaster recovery, you usually want integration accounts that have the same configuration and artifacts. In other scenarios, you might need integration accounts with different configurations and artifacts. -Custom connectors in Azure Logic Apps are visible to the connectors' authors and users who have the same Azure subscription and the same Azure Active Directory tenant. These connectors are available in the same region where logic apps are deployed. For more information, see [Share custom connectors in your organization](/connectors/custom-connectors/share). +Custom connectors in Azure Logic Apps are visible to the connectors' authors and users who have the same Azure subscription and the same Microsoft Entra tenant. These connectors are available in the same region where logic apps are deployed. For more information, see [Share custom connectors in your organization](/connectors/custom-connectors/share). The template that you get from Visual Studio includes only the resource definitions for your logic app and its connections. So, if your logic app uses other resources, for example, an integration account and B2B artifacts, such as partners, agreements, and schemas, you must export that integration account's template by using the Azure portal. This template includes the resource definitions for both the integration account and artifacts. However, the template isn't fully parameterized. So, you must manually parameterize the values that you want to use for deployment. |
logic-apps | Set Up Sql Db Storage Single Tenant Standard Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/set-up-sql-db-storage-single-tenant-standard-workflows.md | The following table describes some reasons why you might want to use SQL: 1. Set up permissions for your SQL server. - Currently, the SQL Storage Provider supports SQL authentication in connection strings. You can also use Windows Authentication for local development and testing. At this time, support for Azure Active Directory (Azure AD) and managed identities is not available. + Currently, the SQL Storage Provider supports SQL authentication in connection strings. You can also use Windows Authentication for local development and testing. At this time, support for Microsoft Entra ID and managed identities is not available. You must use an identity that has permissions to create and manage workflow-related artifacts in the target SQL database. For example, an administrator has all the required permissions to create and manage these artifacts. The following list describes the artifacts that the single-tenant Azure Logic Apps runtime tries to create using the SQL connection string that you provide. Make sure that the identity used in the SQL connection string has the necessary permissions to create the following artifacts: |
logic-apps | Single Tenant Overview Compare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/single-tenant-overview-compare.md | A **Standard** workflow can use many of the same built-in connectors as a Consum For example, a Standard workflow has both managed connectors and built-in connectors for Azure Blob, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, SQL Server, and others. Although a Consumption workflow doesn't have these same built-in connector versions, other built-in connectors such as Azure API Management, Azure App Services, and Batch, are available. -In single-tenant Azure Logic Apps, [built-in connectors with specific attributes are informally known as *service providers*](../connectors/built-in.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Azure Active Directory (Azure AD), or a managed identity. All built-in connectors run in the same process as the redesigned Azure Logic Apps runtime. For more information, review the [built-in connector list for Standard logic app workflows](../connectors/built-in.md#built-in-connectors). +In single-tenant Azure Logic Apps, [built-in connectors with specific attributes are informally known as *service providers*](../connectors/built-in.md#service-provider-interface-implementation). Some built-in connectors support only a single way to authenticate a connection to the underlying service. Other built-in connectors can offer a choice, such as using a connection string, Microsoft Entra ID, or a managed identity. All built-in connectors run in the same process as the redesigned Azure Logic Apps runtime. For more information, review the [built-in connector list for Standard logic app workflows](../connectors/built-in.md#built-in-connectors). 
<a name="limited-unavailable-unsupported"></a> For the **Standard** logic app workflow, these capabilities have changed, or the * **Authentication**: The following authentication types are currently unavailable for **Standard** workflows: - * Azure Active Directory Open Authentication (Azure AD OAuth) for inbound calls to request-based triggers, such as the Request trigger and HTTP Webhook trigger. + * Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth) for inbound calls to request-based triggers, such as the Request trigger and HTTP Webhook trigger. * Managed identity authentication: Both system-assigned and user-assigned managed identity support is available. By default, the system-assigned managed identity is automatically enabled. However, most [built-in, service provider-based connectors](/azure/logic-apps/connectors/built-in/reference/) don't currently support selecting user-assigned managed identities for authentication. |
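Review bot: the renamed bullet reads "Microsoft Entra ID Open Authentication (Microsoft Entra ID OAuth)", which keeps "ID" inside the short form and does not match the wording this same change set uses in the operation options row of the workflow actions and triggers article ("enable OAuth with Microsoft Entra ID"); suggest `* OAuth with Microsoft Entra ID (Microsoft Entra OAuth) for inbound calls to request-based triggers, such as the Request trigger and HTTP Webhook trigger.` so both articles name the feature the same way. Separately, the context bullet that follows says managed identity support is available under a heading stating these authentication types are unavailable; worth a follow-up fix while the list is being touched.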
logic-apps | Tutorial Process Email Attachments Workflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/tutorial-process-email-attachments-workflow.md | Now, connect Storage Explorer to your storage account so you can confirm that yo 1. In the browser window that appears, sign in with your Azure account. -1. Return to Storage Explorer and the **Account Management** window, and check that correct Azure Active Directory (Azure AD) tenant and subscription are selected. +1. Return to Storage Explorer and the **Account Management** window, and check that correct Microsoft Entra tenant and subscription are selected. 1. On the Storage Explorer activity bar, select **Open Connect Dialog**. When you no longer need this sample, delete the resource group that contains you In this tutorial, you created a logic app workflow that processes and stores email attachments by integrating Azure services, such as Azure Storage and Azure Functions. Now, learn more about other connectors that you can use to build logic app workflows. > [!div class="nextstepaction"]-> [Learn about connectors in Azure Logic Apps](../connectors/introduction.md) +> [Learn about connectors in Azure Logic Apps](../connectors/introduction.md) |
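Review bot: the `+` line keeps the pre-existing missing article in "check that correct Microsoft Entra tenant and subscription are selected"; since the line is being rewritten anyway, suggest `1. Return to Storage Explorer and the **Account Management** window, and check that the correct Microsoft Entra tenant and subscription are selected.`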
machine-learning | Concept Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-data.md | An Azure Machine Learning datastore serves as a *reference* to an *existing* Azu When you create a datastore with an existing Azure storage account, you can choose between two different authentication methods: - **Credential-based** - authenticate data access with a service principal, shared access signature (SAS) token, or account key. Users with *Reader* workspace access can access the credentials.-- **Identity-based** - use your Azure Active Directory identity or managed identity to authenticate data access.+- **Identity-based** - use your Microsoft Entra identity or managed identity to authenticate data access. The following table summarizes the Azure cloud-based storage services that an Azure Machine Learning datastore can create. Additionally, the table summarizes the authentication types that can access those A Uniform Resource Identifier (URI) represents a storage location on your local |Azure Data Lake (gen2) | `abfss://<file_system>@<account_name>.dfs.core.windows.net/<folder>/<file>.csv` | | Azure Data Lake (gen1) | `adl://<accountname>.azuredatalakestore.net/<folder1>/<folder2>` | -An Azure Machine Learning job maps URIs to the compute target filesystem. This mapping means that in a command that consumes or produces a URI, that URI works like a file or a folder. A URI uses **identity-based authentication** to connect to storage services, with either your Azure Active Directory ID (default), or Managed Identity. Azure Machine Learning [Datastore](#datastore) URIs can apply either identity-based authentication, or **credential-based** (for example, Service Principal, SAS token, account key), without exposure of secrets. +An Azure Machine Learning job maps URIs to the compute target filesystem. This mapping means that in a command that consumes or produces a URI, that URI works like a file or a folder. 
A URI uses **identity-based authentication** to connect to storage services, with either your Microsoft Entra ID (default), or Managed Identity. Azure Machine Learning [Datastore](#datastore) URIs can apply either identity-based authentication, or **credential-based** (for example, Service Principal, SAS token, account key), without exposure of secrets. A URI can serve as either *input* or an *output* to an Azure Machine Learning job, and it can map to the compute target filesystem with one of four different *mode* options: |
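Review bot: in the renamed sentence "with either your Microsoft Entra ID (default), or Managed Identity", the original "Azure Active Directory ID" meant the caller's identity, but "Microsoft Entra ID" is now the product name, so the sentence reads as if the service itself were the credential; suggest `A URI uses **identity-based authentication** to connect to storage services, with either your Microsoft Entra identity (default), or Managed Identity.` which also matches the "Identity-based" bullet earlier in this same change ("use your Microsoft Entra identity or managed identity").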
machine-learning | Concept Endpoints Batch | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-endpoints-batch.md | Batch endpoints reads and write data directly from storage. You can indicate Azu ## Security -Batch endpoints provide all the capabilities required to operate production level workloads in an enterprise setting. They support [private networking](how-to-secure-batch-endpoint.md) on secured workspaces and [Azure Active Directory authentication](how-to-authenticate-batch-endpoint.md), either using a user principal (like a user account) or a service principal (like a managed or unmanaged identity). Jobs generated by a batch endpoint run under the identity of the invoker which gives you flexibility to implement any scenario. See [How to authenticate to batch endpoints](how-to-authenticate-batch-endpoint.md) for details. +Batch endpoints provide all the capabilities required to operate production level workloads in an enterprise setting. They support [private networking](how-to-secure-batch-endpoint.md) on secured workspaces and [Microsoft Entra authentication](how-to-authenticate-batch-endpoint.md), either using a user principal (like a user account) or a service principal (like a managed or unmanaged identity). Jobs generated by a batch endpoint run under the identity of the invoker which gives you flexibility to implement any scenario. See [How to authenticate to batch endpoints](how-to-authenticate-batch-endpoint.md) for details. > [!div class="nextstepaction"] > [Configure network isolation in Batch Endpoints](how-to-secure-batch-endpoint.md) |
machine-learning | Concept Endpoints Online | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-endpoints-online.md | Use of managed online endpoints is the _recommended_ way to use online endpoints |Endpoint/deployment concept |Distinction between endpoint and deployment enables complex scenarios such as safe rollout of models |No concept of endpoint | |Diagnostics and Monitoring |- Local endpoint debugging possible with Docker and Visual Studio Code<br>ΓÇï - Advanced metrics and logs analysis with chart/query to compare between deploymentsΓÇï<br> - Cost breakdown down to deployment level |No easy local debugging | |Scalability |Limitless, elastic, and automatic scaling |- ACI is non-scalableΓÇï <br> - AKS (v1) supports in-cluster scale only and requires scalability configuration |-|Enterprise readiness |Private link, customer managed keys, Azure Active Directory, quota management, billing integration, SLA |Not supported | +|Enterprise readiness |Private link, customer managed keys, Microsoft Entra ID, quota management, billing integration, SLA |Not supported | |Advanced ML features |- Model data collection<br> - Model monitoringΓÇï<br> - Champion-challenger model, safe rollout, traffic mirroring<br> - Responsible AI extensibility |Not supported | Alternatively, if you prefer to use Kubernetes to deploy your models and serve endpoints, and you're comfortable with managing infrastructure requirements, you can use _Kubernetes online endpoints_. These endpoints allow you to deploy models and serve online endpoints at your fully configured and managed [Kubernetes cluster anywhere](./how-to-attach-kubernetes-anywhere.md), with CPUs or GPUs. |
machine-learning | Concept Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-endpoints.md | The following table shows a summary of the different features available to onlin | Deployment's routing | Traffic split | Switch to default | | Mirror traffic for safe rollout | Yes | No | | Swagger support | Yes | No |-| Authentication | Key and token | Azure AD | +| Authentication | Key and token | Microsoft Entra ID | | Private network support | Yes | Yes | | Managed network isolation | Yes | No | | Customer-managed keys | Yes | No | |
machine-learning | Concept Enterprise Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-enterprise-security.md | In this article, you learn about security and governance features available for ## Restrict access to resources and operations -[Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) is the identity service provider for Azure Machine Learning. It allows you to create and manage the security objects (user, group, service principal, and managed identity) that are used to _authenticate_ to Azure resources. Multi-factor authentication is supported if Azure AD is configured to use it. +[Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) is the identity service provider for Azure Machine Learning. It allows you to create and manage the security objects (user, group, service principal, and managed identity) that are used to _authenticate_ to Azure resources. Multi-factor authentication is supported if Microsoft Entra ID is configured to use it. -Here's the authentication process for Azure Machine Learning using multi-factor authentication in Azure AD: +Here's the authentication process for Azure Machine Learning using multi-factor authentication in Microsoft Entra ID: -1. The client signs in to Azure AD and gets an Azure Resource Manager token. +1. The client signs in to Microsoft Entra ID and gets an Azure Resource Manager token. 1. The client presents the token to Azure Resource Manager and to all Azure Machine Learning. 1. Azure Machine Learning provides a Machine Learning service token to the user compute target (for example, Azure Machine Learning compute cluster or [serverless compute](./how-to-use-serverless-compute.md)). This token is used by the user compute target to call back into the Machine Learning service after the job is complete. The scope is limited to the workspace. 
The system-assigned managed identity is used for internal service-to-service aut We don't recommend that admins revoke the access of the managed identity to the resources mentioned in the preceding table. You can restore access by using the [resync keys operation](how-to-change-storage-access-key.md). > [!NOTE]-> If your Azure Machine Learning workspaces has compute targets (compute cluster, compute instance, Azure Kubernetes Service, etc.) that were created __before May 14th, 2021__, you may also have an additional Azure Active Directory account. The account name starts with `Microsoft-AzureML-Support-App-` and has contributor-level access to your subscription for every workspace region. +> If your Azure Machine Learning workspaces has compute targets (compute cluster, compute instance, Azure Kubernetes Service, etc.) that were created __before May 14th, 2021__, you may also have an additional Microsoft Entra account. The account name starts with `Microsoft-AzureML-Support-App-` and has contributor-level access to your subscription for every workspace region. > -> If your workspace does not have an Azure Kubernetes Service (AKS) attached, you can safely delete this Azure AD account. +> If your workspace does not have an Azure Kubernetes Service (AKS) attached, you can safely delete this Microsoft Entra account. > -> If your workspace has attached AKS clusters, _and they were created before May 14th, 2021_, __do not delete this Azure AD account__. In this scenario, you must first delete and recreate the AKS cluster before you can delete the Azure AD account. +> If your workspace has attached AKS clusters, _and they were created before May 14th, 2021_, __do not delete this Microsoft Entra account__. In this scenario, you must first delete and recreate the AKS cluster before you can delete the Microsoft Entra account. 
You can provision the workspace to use user-assigned managed identity, and grant the managed identity additional roles, for example to access your own Azure Container Registry for base Docker images. You can also configure managed identities for use with Azure Machine Learning compute cluster. This managed identity is independent of workspace managed identity. With a compute cluster, the managed identity is used to access resources such as secured datastores that the user running the training job may not have access to. For more information, see [Use managed identities for access control](how-to-identity-based-service-authentication.md). > [!TIP]-> There are some exceptions to the use of Azure AD and Azure RBAC within Azure Machine Learning: -> * You can optionally enable __SSH__ access to compute resources such as Azure Machine Learning compute instance and compute cluster. SSH access is based on public/private key pairs, not Azure AD. SSH access is not governed by Azure RBAC. -> * You can authenticate to models deployed as online endpoints using __key__ or __token__-based authentication. Keys are static strings, while tokens are retrieved using an Azure AD security object. For more information, see [How to authenticate online endpoints](how-to-authenticate-online-endpoint.md). +> There are some exceptions to the use of Microsoft Entra ID and Azure RBAC within Azure Machine Learning: +> * You can optionally enable __SSH__ access to compute resources such as Azure Machine Learning compute instance and compute cluster. SSH access is based on public/private key pairs, not Microsoft Entra ID. SSH access is not governed by Azure RBAC. +> * You can authenticate to models deployed as online endpoints using __key__ or __token__-based authentication. Keys are static strings, while tokens are retrieved using a Microsoft Entra security object. For more information, see [How to authenticate online endpoints](how-to-authenticate-online-endpoint.md). 
For more information, see the following articles: * [Authentication for Azure Machine Learning workspace](how-to-setup-authentication.md) * [Manage access to Azure Machine Learning](how-to-assign-roles.md) * [Connect to storage services](how-to-access-data.md) * [Use Azure Key Vault for secrets when training](how-to-use-secrets-in-runs.md)-* [Use Azure AD managed identity with Azure Machine Learning](how-to-identity-based-service-authentication.md) +* [Use Microsoft Entra managed identity with Azure Machine Learning](how-to-identity-based-service-authentication.md) ## Network security and isolation |
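Review bot: the rewritten note keeps the subject-verb mismatch "If your Azure Machine Learning workspaces has compute targets"; suggest `> If your Azure Machine Learning workspace has compute targets` (or "workspaces have") while the line is being touched.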
machine-learning | Concept Secure Code Best Practice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-secure-code-best-practice.md | Development with Azure Machine Learning often involves web-based development env * [Cross site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) * __DOM injection__: This type of attack can modify the UI displayed in the browser. For example, by changing how the run button behaves in a Jupyter Notebook.- * __Access token/cookies__: XSS attacks can also access local storage and browser cookies. Your Azure Active Directory (Azure AD) authentication token is stored in local storage. An XSS attack could use this token to make API calls on your behalf, and then send the data to an external system or API. + * __Access token/cookies__: XSS attacks can also access local storage and browser cookies. Your Microsoft Entra authentication token is stored in local storage. An XSS attack could use this token to make API calls on your behalf, and then send the data to an external system or API. * [Cross site request forgery (CSRF)](https://owasp.org/www-community/attacks/csrf): This attack may replace the URL of an image or link with the URL of a malicious script or API. When the image is loaded, or link clicked, a call is made to the URL. Azure Machine Learning is eligible under the Microsoft Azure Bounty Program. For ## Next steps -* [Enterprise security for Azure Machine Learning](concept-enterprise-security.md) +* [Enterprise security for Azure Machine Learning](concept-enterprise-security.md) |
machine-learning | Concept Secure Network Traffic Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-secure-network-traffic-flow.md | This article assumes the following configuration: | __Scenario__ | __Required inbound__ | __Required outbound__ | __Additional configuration__ | | -- | -- | -- | -- |-| [Access workspace from studio](#scenario-access-workspace-from-studio) | NA | <ul><li>Azure Active Directory</li><li>Azure Front Door</li><li>Azure Machine Learning service</li></ul> | You may need to use a custom DNS server. For more information, see [Use your workspace with a custom DNS](how-to-custom-dns.md). | +| [Access workspace from studio](#scenario-access-workspace-from-studio) | NA | <ul><li>Microsoft Entra ID</li><li>Azure Front Door</li><li>Azure Machine Learning service</li></ul> | You may need to use a custom DNS server. For more information, see [Use your workspace with a custom DNS](how-to-custom-dns.md). | | [Use AutoML, designer, dataset, and datastore from studio](#scenario-use-automl-designer-dataset-and-datastore-from-studio) | NA | NA | <ul><li>Workspace service principal configuration</li><li>Allow access from trusted Azure services</li></ul>For more information, see [How to secure a workspace in a virtual network](how-to-secure-workspace-vnet.md#secure-azure-storage-accounts). | -| [Use compute instance and compute cluster](#scenario-use-compute-instance-and-compute-cluster) | <ul><li>Azure Machine Learning service on port 44224</li><li>Azure Batch Management service on ports 29876-29877</li></ul> | <ul><li>Azure Active Directory</li><li>Azure Resource Manager</li><li>Azure Machine Learning service</li><li>Azure Storage Account</li><li>Azure Key Vault</li></ul> | If you use a firewall, create user-defined routes. For more information, see [Configure inbound and outbound traffic](how-to-access-azureml-behind-firewall.md). 
| +| [Use compute instance and compute cluster](#scenario-use-compute-instance-and-compute-cluster) | <ul><li>Azure Machine Learning service on port 44224</li><li>Azure Batch Management service on ports 29876-29877</li></ul> | <ul><li>Microsoft Entra ID</li><li>Azure Resource Manager</li><li>Azure Machine Learning service</li><li>Azure Storage Account</li><li>Azure Key Vault</li></ul> | If you use a firewall, create user-defined routes. For more information, see [Configure inbound and outbound traffic](how-to-access-azureml-behind-firewall.md). | | [Use Azure Kubernetes Service](#scenario-use-azure-kubernetes-service) | NA | For information on the outbound configuration for AKS, see [How to secure Kubernetes inference](how-to-secure-kubernetes-inferencing-environment.md). | | | [Use Docker images managed by Azure Machine Learning](#scenario-use-docker-images-managed-by-azure-machine-learning) | NA | <ul><li>Microsoft Container Registry</li><li>`viennaglobal.azurecr.io` global container registry</li></ul> | If the Azure Container Registry for your workspace is behind the VNet, configure the workspace to use a compute cluster to build images. For more information, see [How to secure a workspace in a virtual network](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr). | |
machine-learning | Concept Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-workspace.md | Besides grouping your machine learning results, workspaces also host resource co For machine learning team leads and administrators, workspaces serve as containers for access management, cost management and data isolation. Below are some tips for organizing workspaces: + **Use [user roles](how-to-assign-roles.md)** for permission management in the workspace between users. For example a data scientist, a machine learning engineer or an admin.-+ **Assign access to user groups**: By using Azure Active Directory user groups, you don't have to add individual users to each workspace, and to other resources the same group of users requires access to. ++ **Assign access to user groups**: By using Microsoft Entra user groups, you don't have to add individual users to each workspace, and to other resources the same group of users requires access to. + **Create a workspace per project**: While a workspace can be used for multiple projects, limiting it to one project per workspace allows for cost reporting accrued to a project level. It also allows you to manage configurations like datastores in the scope of each project. + **Share Azure resources**: Workspaces require you to create several [associated resources](#associated-resources). Share these resources between workspaces to save repetitive setup steps. + **Enable self-serve**: Pre-create and secure [associated resources](#associated-resources) as an IT admin, and use [user roles](how-to-assign-roles.md) to let data scientists create workspaces on their own. |
machine-learning | Dsvm Common Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/data-science-virtual-machine/dsvm-common-identity.md | Title: Set up a common identity -description: Learn how to create common user accounts that can be used across multiple Data Science Virtual Machines. You can use Azure Active Directory or an on-premises Active Directory to authenticate users to the Data Science Virtual Machine. +description: Learn how to create common user accounts that can be used across multiple Data Science Virtual Machines. You can use Microsoft Entra ID or an on-premises Active Directory to authenticate users to the Data Science Virtual Machine. keywords: deep learning, AI, data science tools, data science virtual machine, geospatial analytics, team data science process Last updated 05/08/2018 On a Microsoft Azure virtual machine (VM), including a Data Science Virtual Machine (DSVM), you create local user accounts while provisioning the VM. Users then authenticate to the VM by using these credentials. If you have multiple VMs that your users need to access, managing credentials can get very cumbersome. An excellent solution is to deploy common user accounts and management through a standards-based identity provider. Through this approach, you can use a single set of credentials to access multiple resources on Azure, including multiple DSVMs. -Active Directory is a popular identity provider and is supported on Azure both as a cloud service and as an on-premises directory. You can use Azure Active Directory (Azure AD) or on-premises Active Directory to authenticate users on a standalone DSVM or a cluster of DSVMs in an Azure virtual machine scale set. You do this by joining the DSVM instances to an Active Directory domain. +Active Directory is a popular identity provider and is supported on Azure both as a cloud service and as an on-premises directory. You can use Microsoft Entra ID or on-premises Active Directory to authenticate users on a standalone DSVM or a cluster of DSVMs in an Azure virtual machine scale set. You do this by joining the DSVM instances to an Active Directory domain. -If you already have Active Directory, you can use it as your common identity provider. If you don't have Active Directory, you can run a managed Active Directory instance on Azure through [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) (Azure AD DS). +If you already have Active Directory, you can use it as your common identity provider. If you don't have Active Directory, you can run a managed Active Directory instance on Azure through [Microsoft Entra Domain Services](../../active-directory-domain-services/index.yml). -The documentation for [Azure AD](../../active-directory/index.yml) provides detailed [management instructions](../../active-directory/hybrid/whatis-hybrid-identity.md), including guidance about connecting Azure AD to your on-premises directory if you have one. +The documentation for [Microsoft Entra ID](../../active-directory/index.yml) provides detailed [management instructions](../../active-directory/hybrid/whatis-hybrid-identity.md), including guidance about connecting Microsoft Entra ID to your on-premises directory if you have one. -This article describes how to set up a fully managed Active Directory domain service on Azure by using Azure AD DS. You can then join your DSVMs to the managed Active Directory domain. This approach enables users to access a pool of DSVMs (and other Azure resources) through a common user account and credentials. +This article describes how to set up a fully managed Active Directory domain service on Azure by using Microsoft Entra Domain Services. You can then join your DSVMs to the managed Active Directory domain. This approach enables users to access a pool of DSVMs (and other Azure resources) through a common user account and credentials. ## Set up a fully managed Active Directory domain on Azure -Azure AD DS makes it simple to manage your identities by providing a fully managed service on Azure. On this Active Directory domain, you manage users and groups. To set up an Azure-hosted Active Directory domain and user accounts in your directory, follow these steps: +Microsoft Entra Domain Services makes it simple to manage your identities by providing a fully managed service on Azure. On this Active Directory domain, you manage users and groups. To set up an Azure-hosted Active Directory domain and user accounts in your directory, follow these steps: 1. In the Azure portal, add the user to Active Directory: 1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator. - 1. Browse to **Azure Active Directory** > **Users** > **All users**. + 1. Browse to **Microsoft Entra ID** > **Users** > **All users**. 1. Select **New user**. Azure AD DS makes it simple to manage your identities by providing a fully manag 1. Securely distribute the generated password to the new user so that they can sign in. -1. Create an Azure AD DS instance. Follow the instructions in [Enable Azure Active Directory Domain Services using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md) (the "Create an instance and configure basic settings" section). It's important to update the existing user passwords in Active Directory so that the password in Azure AD DS is synced. It's also important to add DNS to Azure AD DS, as described under "Complete the fields in the Basics window of the Azure portal to create an Azure AD DS instance" in that section. +1. Create a Microsoft Entra Domain Services instance. Follow the instructions in [Enable Microsoft Entra Domain Services using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md) (the "Create an instance and configure basic settings" section). It's important to update the existing user passwords in Active Directory so that the password in Microsoft Entra Domain Services is synced. It's also important to add DNS to Microsoft Entra Domain Services, as described under "Complete the fields in the Basics window of the Azure portal to create a Microsoft Entra Domain Services instance" in that section. 1. Create a separate DSVM subnet in the virtual network created in the "Create and configure the virtual network" section of the preceding step. 1. Create one or more DSVM instances in the DSVM subnet. Azure AD DS makes it simple to manage your identities by providing a fully manag 1. For example, assume that you mounted your Azure Files share in /data/workspace. Now, create directories for each of your users in the share: /data/workspace/user1, /data/workspace/user2, and so on. Create a `notebooks` directory in each user's workspace. 1. Create symbolic links for `notebooks` in `$HOME/userx/notebooks/remote`. -You now have the users in your Active Directory instance hosted in Azure. By using Active Directory credentials, users can sign in to any DSVM (SSH or JupyterHub) that's joined to Azure AD DS. Because the user workspace is on an Azure Files share, users have access to their notebooks and other work from any DSVM when they're using JupyterHub. +You now have the users in your Active Directory instance hosted in Azure. By using Active Directory credentials, users can sign in to any DSVM (SSH or JupyterHub) that's joined to Microsoft Entra Domain Services. Because the user workspace is on an Azure Files share, users have access to their notebooks and other work from any DSVM when they're using JupyterHub. For autoscaling, you can use a virtual machine scale set to create a pool of VMs that are all joined to the domain in this fashion and with the shared disk mounted. Users can sign in to any available machine in the virtual machine scale set and have access to the shared disk where their notebooks are saved. ## Next steps -* [Securely store credentials to access cloud resources](dsvm-secure-access-keys.md) +* [Securely store credentials to access cloud resources](dsvm-secure-access-keys.md) |
machine-learning | Dsvm Secure Access Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/data-science-virtual-machine/dsvm-secure-access-keys.md | Last updated 05/08/2018 It's common for the code in cloud applications to contain credentials for authenticating to cloud services. How to manage and secure these credentials is a well-known challenge in building cloud applications. Ideally, credentials should never appear on developer workstations or get checked in to source control. -The [managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md) feature makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication without having any credentials in your code. +The [managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md) feature makes solving this problem simpler by giving Azure services an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication without having any credentials in your code. One way to secure credentials is to use Windows Installer (MSI) in combination with [Azure Key Vault](../../key-vault/index.yml), a managed Azure service to store secrets and cryptographic keys securely. You can access a key vault by using the managed identity and then retrieve the authorized secrets and cryptographic keys from the key vault. |
machine-learning | How To Access Azureml Behind Firewall | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-access-azureml-behind-firewall.md | __Outbound traffic__ | Service tag(s) | Ports | Purpose | | -- |:--:| -- |-| `AzureActiveDirectory` | 80, 443 | Authentication using Azure AD. | +| `AzureActiveDirectory` | 80, 443 | Authentication using Microsoft Entra ID. | | `AzureMachineLearning` | 443, 8787, 18881<br>UDP: 5831 | Using Azure Machine Learning services. | | `BatchNodeManagement.<region>` | 443 | Communication Azure Batch. | | `AzureResourceManager` | 443 | Creation of Azure resources with Azure Machine Learning. | __General Azure hosts__ | __Required for__ | __Hosts__ | __Protocol__ | __Ports__ | | -- | -- | -- | - | -| Azure Active Directory | `login.microsoftonline.com` | TCP | 80, 443 | +| Microsoft Entra ID | `login.microsoftonline.com` | TCP | 80, 443 | | Azure portal | `management.azure.com` | TCP | 443 | | Azure Resource Manager | `management.azure.com` | TCP | 443 | __General Azure hosts__ | __Required for__ | __Hosts__ | __Protocol__ | __Ports__ | | -- | -- | -- | - |-| Azure Active Directory | `login.microsoftonline.us` | TCP | 80, 443 | +| Microsoft Entra ID | `login.microsoftonline.us` | TCP | 80, 443 | | Azure portal | `management.azure.us` | TCP | 443 | | Azure Resource Manager | `management.usgovcloudapi.net` | TCP | 443 | __General Azure hosts__ | __Required for__ | __Hosts__ | __Protocol__ | __Ports__ | | -- | -- | -- | -- |-| Azure Active Directory | `login.chinacloudapi.cn` | TCP | 80, 443 | +| Microsoft Entra ID | `login.chinacloudapi.cn` | TCP | 80, 443 | | Azure portal | `management.azure.cn` | TCP | 443 | | Azure Resource Manager | `management.chinacloudapi.cn` | TCP | 443 | |
machine-learning | How To Access Data Interactive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-access-data-interactive.md | An Azure Machine Learning datastore is a *reference* to an *existing* Azure stor > [!div class="checklist"] > * A common, easy-to-use API to interact with different storage types (Blob/Files/ADLS). > * Easy discovery of useful datastores in team operations.-> * Support of both credential-based (for example, SAS token) and identity-based (use Azure Active Directory or Manged identity) access, to access data. +> * Support of both credential-based (for example, SAS token) and identity-based (use Microsoft Entra ID or Manged identity) access, to access data. > * For credential-based access, the connection information is secured, to void key exposure in scripts. > * Browse data and copy-paste datastore URIs in the Studio UI. azcopy cp $SOURCE $DEST ## Next steps - [Interactive Data Wrangling with Apache Spark in Azure Machine Learning (preview)](interactive-data-wrangling-with-apache-spark-azure-ml.md)-- [Access data in a job](how-to-read-write-data-v2.md)+- [Access data in a job](how-to-read-write-data-v2.md) |
machine-learning | How To Add Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-add-users.md | If your labelers are outside of your organization, add them, so they can access To add a guest user, your organization's external collaboration settings need the correct configuration to allow you to invite guests. -1. In [Azure portal](https://portal.azure.com), in the top-left corner, expand the menu and select **Azure Active Directory**. +1. In [Azure portal](https://portal.azure.com), in the top-left corner, expand the menu and select **Microsoft Entra ID**. - :::image type="content" source="media/how-to-add-users/menu-active-directory.png" alt-text="Select Azure Active Directory from the menu."::: + :::image type="content" source="media/how-to-add-users/menu-active-directory.png" alt-text="Select Microsoft Entra ID from the menu."::: 1. On the left, select **Users**. 1. At the top, select **New user**. To add a guest user, your organization's external collaboration settings need th 1. Add a message for the new user. 1. At the bottom of the page, select **Invite**. - :::image type="content" source="media/how-to-add-users/invite-user.png" alt-text="Invite guest user from Azure Active Directory."::: + :::image type="content" source="media/how-to-add-users/invite-user.png" alt-text="Invite guest user from Microsoft Entra ID."::: Repeat these steps for each of your labelers. You can also use the link at the bottom of the **Invite user** box to invite multiple users in bulk. Send the following information to your labelers, after you fill in your workspac * Learn more about [working with a data labeling vendor company](how-to-outsource-data-labeling.md) * [Create an image labeling project and export labels](how-to-create-image-labeling-projects.md)-* [Create a text labeling project and export labels (preview)](how-to-create-text-labeling-projects.md) +* [Create a text labeling project and export labels (preview)](how-to-create-text-labeling-projects.md) |
machine-learning | How To Assign Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-assign-roles.md | monikerRange: 'azureml-api-1 || azureml-api-2' # Manage access to an Azure Machine Learning workspace -In this article, you learn how to manage access (authorization) to an Azure Machine Learning workspace. [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Users in your Azure Active Directory (Azure AD) are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles. +In this article, you learn how to manage access (authorization) to an Azure Machine Learning workspace. [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Users in your Microsoft Entra ID are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles. > [!TIP] > While this article focuses on Azure Machine Learning, individual services that Azure Machine Learning relies on provide their own RBAC settings. For example, using the information in this article, you can configure who can submit scoring requests to a model deployed as a web service on Azure Kubernetes Service. But Azure Kubernetes Service provides its own set of Azure roles. For service specific RBAC information that may be useful with Azure Machine Learning, see the following links: az role assignment create --role "Contributor" --assignee "joe@contoso.com" --re ``` -## Use Azure AD security groups to manage workspace access +<a name='use-azure-ad-security-groups-to-manage-workspace-access'></a> -You can use Azure AD security groups to manage access to workspaces. This approach has following benefits: +## Use Microsoft Entra security groups to manage workspace access ++You can use Microsoft Entra security groups to manage access to workspaces. This approach has following benefits: * Team or project leaders can manage user access to workspace as security group owners, without needing Owner role on the workspace resource directly. * You can organize, manage and revoke users' permissions on workspace and other resources as a group, without having to manage permissions on user-by-user basis.- * Using Azure AD groups helps you to avoid reaching the [subscription limit](/azure/role-based-access-control/troubleshoot-limits) on role assignments. + * Using Microsoft Entra groups helps you to avoid reaching the [subscription limit](/azure/role-based-access-control/troubleshoot-limits) on role assignments. -To use Azure AD security groups: +To use Microsoft Entra security groups: 1. [Create a security group](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal). 2. [Add a group owner](/azure/active-directory/fundamentals/how-to-manage-groups#add-or-remove-members-and-owners). This user has permissions to add or remove group members. Note that the group owner isn't required to be group member, or have direct RBAC role on the workspace. 3. Assign the group an RBAC role on the workspace, such as AzureML Data Scientist, Reader or Contributor. The following table is a summary of Azure Machine Learning activities and the pe | Publishing pipelines and endpoints (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/components/*"` | | Attach an AKS resource <sub>2</sub> | Not required | Owner or contributor on the resource group that contains AKS | | Deploying a registered model on an AKS/ACI resource | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/services/aks/write", "/workspaces/services/aci/write"` |-| Scoring against a deployed AKS endpoint | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/services/aks/score/action", "/workspaces/services/aks/listkeys/action"` (when you are not using Azure Active Directory auth) OR `"/workspaces/read"` (when you are using token auth) | +| Scoring against a deployed AKS endpoint | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/services/aks/score/action", "/workspaces/services/aks/listkeys/action"` (when you are not using Microsoft Entra auth) OR `"/workspaces/read"` (when you are using token auth) | | Accessing storage using interactive notebooks | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/computes/read", "/workspaces/notebooks/samples/read", "/workspaces/notebooks/storage/*", "/workspaces/listStorageAccountKeys/action", "/workspaces/listNotebookAccessToken/read"`| | Create new custom role | Owner, contributor, or custom role allowing `Microsoft.Authorization/roleDefinitions/write` | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write` | | Create/manage online endpoints and deployments | Not required | Not required | Owner, contributor, or custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. If you use studio to create/manage online endpoints/deployments, you will need an additional permission "Microsoft.Resources/deployments/write" from the resource group owner. | Here are a few things to be aware of while you use Azure role-based access contr - In order to deploy on studio, you need "Microsoft.Resources/deployments/write" AND "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/write". For SDK/CLI deployments, you need "Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments/write". Contact your workspace/resource group owner for the additional permissions. -- When there are two role assignments to the same Azure Active Directory user with conflicting sections of Actions/NotActions, your operations listed in NotActions from one role might not take effect if they are also listed as Actions in another role. To learn more about how Azure parses role assignments, read [How Azure RBAC determines if a user has access to a resource](/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource)+- When there are two role assignments to the same Microsoft Entra user with conflicting sections of Actions/NotActions, your operations listed in NotActions from one role might not take effect if they are also listed as Actions in another role. To learn more about how Azure parses role assignments, read [How Azure RBAC determines if a user has access to a resource](/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource) [!INCLUDE [network-rbac](includes/network-rbac.md)] |
machine-learning | How To Authenticate Batch Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-authenticate-batch-endpoint.md | -Batch endpoints support Azure Active Directory authentication, or `aad_token`. That means that in order to invoke a batch endpoint, the user must present a valid Azure Active Directory authentication token to the batch endpoint URI. Authorization is enforced at the endpoint level. The following article explains how to correctly interact with batch endpoints and the security requirements for it. +Batch endpoints support Microsoft Entra authentication, or `aad_token`. That means that in order to invoke a batch endpoint, the user must present a valid Microsoft Entra authentication token to the batch endpoint URI. Authorization is enforced at the endpoint level. The following article explains how to correctly interact with batch endpoints and the security requirements for it. ## Prerequisites Batch endpoints support Azure Active Directory authentication, or `aad_token`. T ## How authorization works -To invoke a batch endpoint, the user must present a valid Azure Active Directory token representing a __security principal__. This principal can be a __user principal__ or a __service principal__. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. The identity needs the following permissions in order to successfully create a job: +To invoke a batch endpoint, the user must present a valid Microsoft Entra token representing a __security principal__. This principal can be a __user principal__ or a __service principal__. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. The identity needs the following permissions in order to successfully create a job: > [!div class="checklist"] > * Read batch endpoints/deployments. In this case, we want to execute a batch endpoint using the identity of the user # [REST](#tab/rest) -When working with REST, we recommend invoking batch endpoints using a service principal. However, if you want to test a particular deployment using REST with your own credentials, you can do it by generating an Azure AD token for your account. Follow these steps: +When working with REST, we recommend invoking batch endpoints using a service principal. However, if you want to test a particular deployment using REST with your own credentials, you can do it by generating a Microsoft Entra token for your account. Follow these steps: 1. The simplest way to get a valid token for your user account is to use the Azure CLI. In a console, run the following command: When working with REST, we recommend invoking batch endpoints using a service pr ### Running jobs using a service principal -In this case, we want to execute a batch endpoint using a service principal already created in Azure Active Directory. To complete the authentication, you will have to create a secret to perform the authentication. Follow these steps: +In this case, we want to execute a batch endpoint using a service principal already created in Microsoft Entra ID. To complete the authentication, you will have to create a secret to perform the authentication. Follow these steps: # [Azure CLI](#tab/cli) |
machine-learning | How To Create Compute Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-create-compute-instance.md | As an administrator, you can create a compute instance on behalf of a data scien * Studio, using the [Advanced settings](?tabs=azure-studio#advanced-settings) or [Security settings (preview)](?tabs=azure-studio-preview#security-settings) -* [Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/machine-learning-compute-create-computeinstance). For details on how to find the TenantID and ObjectID needed in this template, see [Find identity object IDs for authentication configuration](../healthcare-apis/azure-api-for-fhir/find-identity-object-ids.md). You can also find these values in the Azure Active Directory portal. +* [Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/machine-learning-compute-create-computeinstance). For details on how to find the TenantID and ObjectID needed in this template, see [Find identity object IDs for authentication configuration](../healthcare-apis/azure-api-for-fhir/find-identity-object-ids.md). You can also find these values in the Microsoft Entra admin center. ## Assign managed identity You can create compute instance with managed identity from Azure Machine Learnin Once the managed identity is created, grant the managed identity at least Storage Blob Data Reader role on the storage account of the datastore, see [Accessing storage services](how-to-identity-based-service-authentication.md?tabs=cli#accessing-storage-services). Then, when you work on the compute instance, the managed identity is used automatically to authenticate against datastores. > [!NOTE]-> The name of the created system managed identity will be in the format /workspace-name/computes/compute-instance-name in your Azure Active Directory. +> The name of the created system managed identity will be in the format /workspace-name/computes/compute-instance-name in your Microsoft Entra ID. You can also use the managed identity manually to authenticate against other Azure resources. The following example shows how to use it to get an Azure Resource Manager access token: |
machine-learning | How To Deploy Kubernetes Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-deploy-kubernetes-extension.md | In this article, you can learn: - [Disabling local accounts](../aks/manage-local-accounts-managed-azure-ad.md#disable-local-accounts) for AKS is **not supported** by Azure Machine Learning. When the AKS Cluster is deployed, local accounts are enabled by default. - If your AKS cluster has an [Authorized IP range enabled to access the API server](../aks/api-server-authorized-ip-ranges.md), enable the Azure Machine Learning control plane IP ranges for the AKS cluster. The Azure Machine Learning control plane is deployed across paired regions. Without access to the API server, the machine learning pods can't be deployed. Use the [IP ranges](https://www.microsoft.com/download/confirmation.aspx?id=56519) for both the [paired regions](../availability-zones/cross-region-replication-azure.md) when enabling the IP ranges in an AKS cluster. - Azure Machine Learning does not support attaching an AKS cluster cross subscription. If you have an AKS cluster in a different subscription, you must first [connect it to Azure-Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) and specify in the same subscription as your Azure Machine Learning workspace.-- Azure Machine Learning does not guarantee support for all preview stage features in AKS. For example, [Azure AD pod identity](../aks/use-azure-ad-pod-identity.md) is not supported.+- Azure Machine Learning does not guarantee support for all preview stage features in AKS. For example, [Microsoft Entra pod identity](../aks/use-azure-ad-pod-identity.md) is not supported. - If you've previously followed the steps from [Azure Machine Learning AKS v1 document](./v1/how-to-create-attach-kubernetes.md?view=azureml-api-1&preserve-view=true) to create or attach your AKS as inference cluster, use the following link to [clean up the legacy azureml-fe related resources](./v1/how-to-create-attach-kubernetes.md?view=azureml-api-1&preserve-view=true#delete-azureml-fe-related-resources) before you continue the next step. |
machine-learning | How To Deploy Online Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-deploy-online-endpoints.md | The following table describes the key attributes of a deployment: > [!NOTE] > - The model and container image (as defined in Environment) can be referenced again at any time by the deployment when the instances behind the deployment go through security patches and/or other recovery operations. If you used a registered model or container image in Azure Container Registry for deployment and removed the model or the container image, the deployments relying on these assets can fail when reimaging happens. If you removed the model or the container image, ensure the dependent deployments are re-created or updated with alternative model or container image.-> - The container registry that the environment refers to can be private only if the endpoint identity has the permission to access it via Azure Active Directory authentication and Azure RBAC. For the same reason, private Docker registries other than Azure Container Registry are not supported. +> - The container registry that the environment refers to can be private only if the endpoint identity has the permission to access it via Microsoft Entra authentication and Azure RBAC. For the same reason, private Docker registries other than Azure Container Registry are not supported. # [Azure CLI](#tab/azure-cli) You can use either the `invoke` command or a REST client of your choice to invok The following example shows how to get the key used to authenticate to the endpoint: > [!TIP]-> You can control which Azure Active Directory security principals can get the authentication key by assigning them to a custom role that allows `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/token/action` and `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/listkeys/action`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). +> You can control which Microsoft Entra security principals can get the authentication key by assigning them to a custom role that allows `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/token/action` and `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/listkeys/action`. For more information, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md). :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint.sh" ID="test_endpoint_using_curl_get_key"::: |
machine-learning | How To Enable Studio Virtual Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-enable-studio-virtual-network.md | Use the following steps to enable access to data stored in Azure Blob and File s For more information, see the [Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader) built-in role. -1. __Grant the workspace managed identity the 'Reader' role for storage private endpoints__. If your storage service uses a __private endpoint__, grant the workspace's managed identity __Reader__ access to the private endpoint. The workspace's managed identity in Azure AD has the same name as your Azure Machine Learning workspace. A private endpoint is necessary for both __blob and file__ storage types. +1. __Grant the workspace managed identity the 'Reader' role for storage private endpoints__. If your storage service uses a __private endpoint__, grant the workspace's managed identity __Reader__ access to the private endpoint. The workspace's managed identity in Microsoft Entra ID has the same name as your Azure Machine Learning workspace. A private endpoint is necessary for both __blob and file__ storage types. > [!TIP] > Your storage account may have multiple private endpoints. For example, one storage account may have separate private endpoint for blob, file, and dfs (Azure Data Lake Storage Gen2). Add the managed identity to all these endpoints. __To use ACLs__, the workspace's managed identity can be assigned access just li ## Datastore: Azure SQL Database -To access data stored in an Azure SQL Database with a managed identity, you must create a SQL contained user that maps to the managed identity. For more information on creating a user from an external provider, see [Create contained users mapped to Azure AD identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities). 
+To access data stored in an Azure SQL Database with a managed identity, you must create a SQL contained user that maps to the managed identity. For more information on creating a user from an external provider, see [Create contained users mapped to Microsoft Entra identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities). After you create a SQL contained user, grant permissions to it by using the [GRANT T-SQL command](/sql/t-sql/statements/grant-object-permissions-transact-sql). This article is part of a series on securing an Azure Machine Learning workflow. * [Use custom DNS](how-to-custom-dns.md) * [Use a firewall](how-to-access-azureml-behind-firewall.md) :::moniker-end- |
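Review bot: the Azure SQL section stops at "grant permissions to it by using the GRANT T-SQL command" without saying which permissions. The contained user maps to the workspace managed identity (which the page says carries the workspace name), and a datastore only needs to read the tables it exposes, so spell out a minimal grant such as `GRANT SELECT ON SCHEMA::dbo TO [<workspace-name>];` rather than leaving readers to add the identity to `db_owner`. The private-endpoint step has the matching gap: state that Reader on the private endpoint resource is the control-plane permission only, separate from the Storage Blob Data Reader data-plane role granted in the earlier step, so readers do not grant Reader on the storage account itself and wonder why data access still fails.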
machine-learning | How To Identity Based Service Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-identity-based-service-authentication.md | During cluster creation or when editing compute cluster details, in the **Advanc ### Data storage -When you create a datastore that uses **identity-based data access**, your Azure account ([Azure Active Directory token](../active-directory/fundamentals/active-directory-whatis.md)) is used to confirm you have permission to access the storage service. In the **identity-based data access** scenario, no authentication credentials are saved. Only the storage account information is stored in the datastore. +When you create a datastore that uses **identity-based data access**, your Azure account ([Microsoft Entra token](../active-directory/fundamentals/active-directory-whatis.md)) is used to confirm you have permission to access the storage service. In the **identity-based data access** scenario, no authentication credentials are saved. Only the storage account information is stored in the datastore. In contrast, datastores that use **credential-based authentication** cache connection information, like your storage account key or SAS token, in the [key vault](https://azure.microsoft.com/services/key-vault/) that's associated with the workspace. This approach has the limitation that other workspace users with sufficient permissions can retrieve those credentials, which may be a security concern for some organization. The identity-based access allows you to use [role-based access controls (RBAC)]( You can connect to storage services via identity-based data access with[Azure Machine Learning datastores](how-to-datastore.md). -When you use identity-based data access, Azure Machine Learning prompts you for your Azure Active Directory token for data access authentication instead of keeping your credentials in the datastore. 
That approach allows for data access management at the storage level and keeps credentials confidential. +When you use identity-based data access, Azure Machine Learning prompts you for your Microsoft Entra token for data access authentication instead of keeping your credentials in the datastore. That approach allows for data access management at the storage level and keeps credentials confidential. The same behavior applies when you work with data interactively via a Jupyter Notebook on your local computer or [compute instance](concept-compute-instance.md). To access these storage services, you must have at least [Storage Blob Data Read ### Access data for training jobs on compute using managed identity -Certain machine learning scenarios involve working with private data. In such cases, data scientists may not have direct access to data as Azure AD users. In this scenario, the managed identity of a compute can be used for data access authentication. In this scenario, the data can only be accessed from a compute instance or a machine learning compute cluster executing a training job. With this approach, the admin grants the compute instance or compute cluster managed identity Storage Blob Data Reader permissions on the storage. The individual data scientists don't need to be granted access. +Certain machine learning scenarios involve working with private data. In such cases, data scientists may not have direct access to data as Microsoft Entra users. In this scenario, the managed identity of a compute can be used for data access authentication. In this scenario, the data can only be accessed from a compute instance or a machine learning compute cluster executing a training job. With this approach, the admin grants the compute instance or compute cluster managed identity Storage Blob Data Reader permissions on the storage. The individual data scientists don't need to be granted access. 
To enable authentication with compute managed identity: To enable authentication with compute managed identity: * Create any datastores with identity-based authentication enabled. See [Create datastores](how-to-datastore.md). > [!NOTE]-> The name of the created system managed identity for compute instance or cluster will be in the format /workspace-name/computes/compute-name in your Azure Active Directory. +> The name of the created system managed identity for compute instance or cluster will be in the format /workspace-name/computes/compute-name in your Microsoft Entra ID. Once the identity-based authentication is enabled, the compute managed identity is used by default when accessing data within your training jobs. Optionally, you can authenticate with user identity using the steps described in next section. For information on using configuring Azure RBAC for the storage, see [role-based [!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)] -When training on [Azure Machine Learning compute clusters](how-to-create-attach-compute-cluster.md#what-is-a-compute-cluster), you can authenticate to storage with your user Azure Active Directory token. +When training on [Azure Machine Learning compute clusters](how-to-create-attach-compute-cluster.md#what-is-a-compute-cluster), you can authenticate to storage with your user Microsoft Entra token. This authentication mode allows you to: * Set up fine-grained permissions, where different workspace users can have access to different storage accounts or folders within storage accounts. |
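Review bot: "The individual data scientists don't need to be granted access" understates the trust boundary. Once the compute's managed identity holds Storage Blob Data Reader, anyone who can submit a job to that compute instance or cluster reads the data under that identity, so the effective access control moves from storage RBAC to who may use the compute, and all jobs on a shared cluster inherit the same reach. Say that explicitly and recommend a dedicated compute per data-access scope rather than enabling the compute identity on a cluster shared across teams. Minor: "In this scenario" opens two consecutive sentences; merge them.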
machine-learning | How To Integrate Azure Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-integrate-azure-policy.md | You can also assign policies by using [Azure PowerShell](../governance/policy/as ## Conditional access policies -To control who can access your Azure Machine Learning workspace, use Azure Active Directory [Conditional Access](../active-directory/conditional-access/overview.md). To use Conditional Access for Azure Machine Learning workspaces, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__. +To control who can access your Azure Machine Learning workspace, use Microsoft Entra [Conditional Access](../active-directory/conditional-access/overview.md). To use Conditional Access for Azure Machine Learning workspaces, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__. ## Enable self-service using landing zones |
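Review bot: the app ID `0736f41a-0425-bdb5-1563eff02385` is not a well-formed GUID (it has four hex groups, 8-4-4-12, where a GUID has five, 8-4-4-4-12), so a Conditional Access assignment copied from this page cannot match the Azure Machine Learning application; re-copy the Application ID from the enterprise application blade before publishing.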
machine-learning | How To Kubernetes Inference Routing Azureml Fe | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-kubernetes-inference-routing-azureml-fe.md | DNS resolution within an existing VNet is under your control. For example, a fir | `mcr.microsoft.com` | Microsoft Container Registry (MCR) | | `<ACR name>.azurecr.io` | Your Azure Container Registry (ACR) | | `<account>.blob.core.windows.net` | Azure Storage Account (blob storage) |-| `api.azureml.ms` | Azure Active Directory (Azure AD) authentication | +| `api.azureml.ms` | Microsoft Entra authentication | | `ingest-vienna<region>.kusto.windows.net` | Kusto endpoint for uploading telemetry | ### Connectivity requirements in chronological order: from cluster creation to model deployment Right after azureml-fe is deployed, it will attempt to start and this requires t Once azureml-fe is started, it requires the following connectivity to function properly: * Connect to Azure Storage to download dynamic configuration-* Resolve DNS for Azure AD authentication server api.azureml.ms and communicate with it when the deployed service uses Azure AD authentication. +* Resolve DNS for Microsoft Entra authentication server api.azureml.ms and communicate with it when the deployed service uses Microsoft Entra authentication. * Query AKS API server to discover deployed models * Communicate to deployed model PODs After the model is deployed and service starts, azureml-fe will automatically di - [Create and manage instance types](./how-to-manage-kubernetes-instance-types.md) - [Secure AKS inferencing environment](./how-to-secure-kubernetes-inferencing-environment.md)- |
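Review bot: `api.azureml.ms` is labelled the "Microsoft Entra authentication" server, but the name sits in the Azure Machine Learning zone (azureml.ms), not in a Microsoft Entra one. If azureml-fe contacts it to validate or exchange tokens when a deployment uses Microsoft Entra authentication, describe it that way ("Azure Machine Learning token validation endpoint, used when the deployed service uses Microsoft Entra authentication"), and if validation also needs the Microsoft Entra sign-in endpoints, add those FQDNs to the table so that firewall and DNS rules derived from it are complete.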
machine-learning | How To Label Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-label-data.md | After your project administrator creates an Azure Machine Learning [image data l ## Prerequisites -* A [Microsoft account](https://account.microsoft.com/account), or an Azure Active Directory account, for the organization and project. +* A [Microsoft account](https://account.microsoft.com/account), or a Microsoft Entra account, for the organization and project. * Contributor-level access to the workspace that contains the labeling project. ## Sign in to the studio When you finish labeling, select your image inside a circle in the upper-right c ## Next steps -* Learn to [train image classification models in Azure](./tutorial-train-deploy-notebook.md) +* Learn to [train image classification models in Azure](./tutorial-train-deploy-notebook.md) |
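Review bot: "Contributor-level access to the workspace" is far more than a labeler needs; Contributor lets the labeler create and delete compute and other workspace assets. The linked how-to-assign-roles article already defines narrower custom roles for labeling; point labelers at that role and reserve Contributor for the project administrator mentioned in the first sentence.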
machine-learning | How To Manage Registries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-manage-registries.md | You need to decide the following information carefully before proceeding to crea Consider the following factors before picking a name. * Registries are meant to facilitate sharing of ML assets across teams within your organization across all workspaces. Choose a name that is reflective of the sharing scope. The name should help identify your group, division or organization. -* Registry name is unique with your organization (Azure Active Directory tenant). It's recommended to prefix your team or organization name and avoid generic names. +* Registry name is unique with your organization (Microsoft Entra tenant). It's recommended to prefix your team or organization name and avoid generic names. * Registry names can't be changed once created because they're used in IDs of models, environments and components that are referenced in code. * Length can be 2-32 characters. * Alphanumerics, underscore, hyphen are allowed. No other special characters. No spaces - registry names are part of model, environment, and component IDs that can be referenced in code. |
machine-learning | How To Manage Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-manage-workspace.md | As your needs change or requirements for automation increase you can also manage [!notebook-python[](~/azureml-examples-main/sdk/python/resources/workspace/workspace.ipynb?name=ml_client)] - * (Optional) If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use into the `DefaultAzureCredential`. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Azure Active Directory, External Identities**. + * (Optional) If you have multiple accounts, add the tenant ID of the Microsoft Entra ID you wish to use into the `DefaultAzureCredential`. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Microsoft Entra ID, External Identities**. ```python DefaultAzureCredential(interactive_browser_tenant_id="<TENANT_ID>") |
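Review bot: `DefaultAzureCredential(interactive_browser_tenant_id="<TENANT_ID>")` has no effect as written, because `DefaultAzureCredential` excludes `InteractiveBrowserCredential` by default (`exclude_interactive_browser_credential=True`); the earlier credentials in the chain (environment, managed identity, Azure CLI) sign in to whatever tenant they are configured for and the tenant ID is never consulted. Either add `exclude_interactive_browser_credential=False` to the snippet or, for the Azure CLI case most readers hit, tell them to run `az login --tenant <TENANT_ID>`. Also, the tenant ID is shown on the Microsoft Entra ID Overview blade, not under External Identities.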
machine-learning | How To Monitor Kubernetes Online Enpoint Inference Server Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-monitor-kubernetes-online-enpoint-inference-server-log.md | + + Title: Monitor Kubernetes Online Endpoint inference server logs ++description: Learn how to monitor inference server logs of Kubernetes online endpoint ++++++++ Last updated : 09/26/2023+++# Monitor Kubernetes Online Endpoint inference server logs ++++To diagnose online issues and monitor Azure Machine Learning model inference server metrics, we usually need to collect model inference server logs. +++## AKS cluster ++In AKS cluster, you can use the built-in ability to collect container logs. Follow the steps to collect inference server logs in AKS: ++1. Go to the AKS portal and select **Logs** tab ++ :::image type="content" source="./media/how-to-attach-kubernetes-to-workspace/aks-portal-monitor-logs.png" alt-text="Diagram illustrating how to configure Azure monitor in AKS." lightbox="./media/how-to-attach-kubernetes-to-workspace/aks-portal-monitor-logs.png"::: ++1. Click **Configure Monitoring** to enable Azure Monitor for your AKS. In the **Advanced Settings** section, you can specify an existing **Log Analytics** or create a new one for collecting logs. ++ :::image type="content" source="./media/how-to-attach-kubernetes-to-workspace/aks-portal-config-az-monitor.png" alt-text="Diagram illustrating how to configure container insight in AKS monitor." lightbox="./media/how-to-attach-kubernetes-to-workspace/aks-portal-config-az-monitor.png"::: ++1. After about 1 hour for it to take effect, you can query inference server logs from **AKS** or **Log Analytics** portal. ++ :::image type="content" source="./media/how-to-attach-kubernetes-to-workspace/aks-portal-query-inference-server-logs.png" alt-text="Example of query run in AKS monitor." 
lightbox="./media/how-to-attach-kubernetes-to-workspace/aks-portal-query-inference-server-logs.png"::: ++1. Query example: + ``` + let starttime = ago(1d); + ContainerLogV2 + | where TimeGenerated > starttime + | where PodName has "blue-sklearn-mnist" + | where ContainerName has "inference-server" + | project TimeGenerated, PodNamespace, PodName, ContainerName, LogMessage + | limit 100 + ``` ++## Azure Arc enabled cluster ++In Arc Kubernetes cluster, you can reference the [Azure Monitor](../azure-monitor/index.yml) document to upload logs to **Log Analytics** from your cluster by utilizing **Azure Monitor Agent** |
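Review bot: the query block is fenced without a language tag; tag it `kusto` so it renders and lints like the other KQL samples. The article should also say what readers are shipping to Log Analytics: `ContainerLogV2.LogMessage` is the raw stdout/stderr of the `inference-server` container, so anything the scoring script prints (request bodies, model inputs, headers) lands in the workspace and is readable by anyone with query access to it. Add a sentence advising against logging payloads and recommending that access to the Log Analytics workspace be restricted to the operators who need it.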
machine-learning | How To Move Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-move-workspace.md | Moving the workspace enables you to migrate the workspace and its contents as a * Workspace move isn't meant for replicating workspaces, or moving individual assets such as models or datasets from one workspace to another. * Workspace move doesn't support migration across Azure regions.-* Workspace move doesn't support migration across Azure Active Directory tenants. +* Workspace move doesn't support migration across Microsoft Entra tenants. > [!TIP]- > For information on manually moving tenants, see the [Transfer an Azure subscription to a different Azure Active Directory](/azure/role-based-access-control/transfer-subscription) article. + > For information on manually moving tenants, see the [Transfer an Azure subscription to a different Microsoft Entra ID](/azure/role-based-access-control/transfer-subscription) article. * The workspace mustn't be in use during the move operation. Verify that all experiment jobs, data profiling jobs, and labeling projects have completed. Also verify that inference endpoints aren't being invoked. * The workspace becomes unavailable during the move. |
machine-learning | How To Network Isolation Planning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-network-isolation-planning.md | If you want to remove the firewall requirement, you can use network security gro ### Using public workspace -You can use a public workspace if you're OK with Azure AD authentication and authorization with conditional access. A public workspace has some features to show data in your private storage account and we recommend using private workspace. +You can use a public workspace if you're OK with Microsoft Entra authentication and authorization with conditional access. A public workspace has some features to show data in your private storage account and we recommend using private workspace. ## Recommended architecture with data exfiltration prevention The following tables list the required outbound [Azure Service Tags](/azure/virt ### Using public workspace -You can use the public workspace if you're OK with Azure AD authentication and authorization with conditional access. A public workspace has some features to show data in your private storage account and we recommend using private workspace. +You can use the public workspace if you're OK with Microsoft Entra authentication and authorization with conditional access. A public workspace has some features to show data in your private storage account and we recommend using private workspace. ## Key considerations to understand details For more information on using an __Azure Virtual Network__, see the following ar * [Secure the training environment](how-to-secure-training-vnet.md) * [Secure the inference environment](how-to-secure-inferencing-vnet.md) * [Enable studio functionality](how-to-enable-studio-virtual-network.md)-* [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md) +* [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md) |
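Review bot: "A public workspace has some features to show data in your private storage account and we recommend using private workspace" leaves out the reason for the recommendation. Name the studio features that read from the private storage account through the public workspace endpoint and what that exposes; without it the reader cannot weigh "Microsoft Entra authentication and authorization with conditional access" against a private workspace. The paragraph also appears twice verbatim (once per moniker); if both monikers need it, move it to an include.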
machine-learning | How To Prevent Data Loss Exfiltration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-prevent-data-loss-exfiltration.md | Azure Machine Learning has several inbound and outbound dependencies. Some of th * __Inbound__: If your compute instance or cluster uses a public IP address, you have an inbound on `azuremachinelearning` (port 44224) service tag. You can control this inbound traffic by using a network security group (NSG) and service tags. It's difficult to disguise Azure service IPs, so there's low data exfiltration risk. You can also configure the compute to not use a public IP, which removes inbound requirements. -* __Outbound__: If malicious agents don't have write access to outbound destination resources, they can't use that outbound for data exfiltration. Azure Active Directory, Azure Resource Manager, Azure Machine Learning, and Microsoft Container Registry belong to this category. On the other hand, Storage and AzureFrontDoor.frontend can be used for data exfiltration. +* __Outbound__: If malicious agents don't have write access to outbound destination resources, they can't use that outbound for data exfiltration. Microsoft Entra ID, Azure Resource Manager, Azure Machine Learning, and Microsoft Container Registry belong to this category. On the other hand, Storage and AzureFrontDoor.frontend can be used for data exfiltration. * __Storage Outbound__: This requirement comes from compute instance and compute cluster. A malicious agent can use this outbound rule to exfiltrate data by provisioning and saving data in their own storage account. You can remove data exfiltration risk by using an Azure Service Endpoint Policy and Azure Batch's simplified node communication architecture. |
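Review bot: "If malicious agents don't have write access to outbound destination resources, they can't use that outbound for data exfiltration" is a property of the identity, not of the destination. Azure Resource Manager is writable by any principal holding write RBAC (resource tags, deployment parameters), so it belongs in the safe category only while the compute's identity carries no ARM write permissions; say that the categorisation assumes a least-privilege compute identity. In the Storage bullet, "You can remove data exfiltration risk" should be "reduce": a service endpoint policy restricts which storage accounts are reachable, not what a job writes to the accounts that remain allowed.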
machine-learning | How To Read Write Data V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-read-write-data-v2.md | Before you explore the detailed options available to you when accessing data, we ### Read data from Azure storage in an Azure Machine Learning job -In this example, you submit an Azure Machine Learning job that accesses data from a *public* blob storage account. However, you can adapt the snippet to access your own data in a private Azure Storage account, by updating the path (for details on how to specify paths, read [Paths](#paths)). Azure Machine Learning seamlessly handles authentication to cloud storage using Azure Active Directory passthrough. When you submit a job, you can choose: +In this example, you submit an Azure Machine Learning job that accesses data from a *public* blob storage account. However, you can adapt the snippet to access your own data in a private Azure Storage account, by updating the path (for details on how to specify paths, read [Paths](#paths)). Azure Machine Learning seamlessly handles authentication to cloud storage using Microsoft Entra passthrough. When you submit a job, you can choose: -- **User identity:** Passthrough your Azure Active Directory identity to access the data.+- **User identity:** Passthrough your Microsoft Entra identity to access the data. - **Managed identity:** Use the managed identity of the compute target to access data. - **None:** Don't specify an identity to access the data. Use None when using credential-based (key/SAS token) datastores or when accessing public data. az ml job create -f <file-name>.yml * [Train models](how-to-train-model.md) * [Tutorial: Create production ML pipelines with Python SDK v2](tutorial-pipeline-python-sdk.md)-* Learn more about [Data in Azure Machine Learning](concept-data.md) +* Learn more about [Data in Azure Machine Learning](concept-data.md) |
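Review bot: the three identity options should state what actually authorises the read in each case. With a credential-based datastore the stored key or SAS token is presented regardless of whether the job selects User identity or Managed identity, so the per-user permissions promised under "User identity" only hold for identity-based datastores. Make that explicit in the "None" bullet and warn that a key-backed datastore bypasses whatever fine-grained storage RBAC the reader set up for identity-based access.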
machine-learning | How To Registry Network Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-registry-network-isolation.md | This section describes the scenarios and required network configuration if you h ### Create assets in registry from local files -The identity (for example, a Data Scientist's Azure AD user identity) used to create assets in the registry must be assigned the __AzureML Registry User__, __owner__, or __contributor__ role in Azure role-based access control. For more information, see the [Manage access to Azure Machine Learning](how-to-assign-roles.md) article. +The identity (for example, a Data Scientist's Microsoft Entra user identity) used to create assets in the registry must be assigned the __AzureML Registry User__, __owner__, or __contributor__ role in Azure role-based access control. For more information, see the [Manage access to Azure Machine Learning](how-to-assign-roles.md) article. ### Share assets from workspace to registry |
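Review bot: listing "AzureML Registry User, owner, or contributor" as interchangeable choices invites granting Owner to a data scientist who only needs to publish assets. Lead with AzureML Registry User as the intended role, present Owner and Contributor as broader roles that merely include it, and say the assignment should be scoped to the registry resource rather than the subscription.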
machine-learning | How To Secure Training Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-secure-training-vnet.md | ms.devlang: azurecli Azure Machine Learning compute instance and compute cluster can be used to securely train models in an Azure Virtual Network. When planning your environment, you can configure the compute instance/cluster with or without a public IP address. The general differences between the two are: -* **No public IP**: Reduces costs as it doesn't have the same networking resource requirements. Improves security by removing the requirement for inbound traffic from the internet. However, there are additional configuration changes required to enable outbound access to required resources (Azure Active Directory, Azure Resource Manager, etc.). +* **No public IP**: Reduces costs as it doesn't have the same networking resource requirements. Improves security by removing the requirement for inbound traffic from the internet. However, there are additional configuration changes required to enable outbound access to required resources (Microsoft Entra ID, Azure Resource Manager, etc.). * **Public IP**: Works by default, but costs more due to additional Azure networking resources. Requires inbound communication from the Azure Machine Learning service over the public internet. The following table contains the differences between these configurations: |
machine-learning | How To Setup Access Control Feature Store | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-setup-access-control-feature-store.md | Last updated 05/23/2023 # Manage access control for managed feature store -In this article, you learn how to manage access (authorization) to an Azure Machine Learning managed feature store. [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Users in your Azure Active Directory (Azure AD) are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles. +In this article, you learn how to manage access (authorization) to an Azure Machine Learning managed feature store. [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Users in your Microsoft Entra ID are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles. [!INCLUDE [preview disclaimer](includes/machine-learning-preview-generic-disclaimer.md)] Azure Machine Learning supports role-based access control for the following mana - feature store entity - feature set -To control access to these resources, consider the user types below. For each user type, the identity can be either an Azure Active Directory identity, a service principal, or an Azure managed identity (both system managed and user assigned). +To control access to these resources, consider the user types below. For each user type, the identity can be either a Microsoft Entra identity, a service principal, or an Azure managed identity (both system managed and user assigned). 
- __Feature set developers__ (for example, data scientist, data engineers, and machine learning engineers): They work primarily with the feature store workspace and responsible for: - Managing lifecycle of features: From creation ton archival |
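Review bot: "From creation ton archival" should read "From creation to archival". Also, "either a Microsoft Entra identity, a service principal, or an Azure managed identity" reads as three disjoint kinds, but service principals and managed identities are both Microsoft Entra identities; write "a user, a service principal, or a managed identity (system-assigned or user-assigned)".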
machine-learning | How To Setup Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-setup-authentication.md | -Learn how to set up authentication to your Azure Machine Learning workspace from the Azure CLI or Azure Machine Learning SDK v2. Authentication to your Azure Machine Learning workspace is based on __Azure Active Directory__ (Azure AD) for most things. In general, there are four authentication workflows that you can use when connecting to the workspace: +Learn how to set up authentication to your Azure Machine Learning workspace from the Azure CLI or Azure Machine Learning SDK v2. Authentication to your Azure Machine Learning workspace is based on __Microsoft Entra ID__ for most things. In general, there are four authentication workflows that you can use when connecting to the workspace: -* __Interactive__: You use your account in Azure Active Directory to either directly authenticate, or to get a token that is used for authentication. Interactive authentication is used during _experimentation and iterative development_. Interactive authentication enables you to control access to resources (such as a web service) on a per-user basis. +* __Interactive__: You use your account in Microsoft Entra ID to either directly authenticate, or to get a token that is used for authentication. Interactive authentication is used during _experimentation and iterative development_. Interactive authentication enables you to control access to resources (such as a web service) on a per-user basis. -* __Service principal__: You create a service principal account in Azure Active Directory, and use it to authenticate or get a token. A service principal is used when you need an _automated process to authenticate_ to the service without requiring user interaction. For example, a continuous integration and deployment script that trains and tests a model every time the training code changes. 
+* __Service principal__: You create a service principal account in Microsoft Entra ID, and use it to authenticate or get a token. A service principal is used when you need an _automated process to authenticate_ to the service without requiring user interaction. For example, a continuous integration and deployment script that trains and tests a model every time the training code changes. * __Azure CLI session__: You use an active Azure CLI session to authenticate. The Azure CLI extension for Machine Learning (the `ml` extension or CLI v2) is a command line tool for working with Azure Machine Learning. You can sign in to Azure via the Azure CLI on your local workstation, without storing credentials in Python code or prompting the user to authenticate. Similarly, you can reuse the same scripts as part of continuous integration and deployment pipelines, while authenticating the Azure CLI with a service principal identity. Learn how to set up authentication to your Azure Machine Learning workspace from Regardless of the authentication workflow used, Azure role-based access control (Azure RBAC) is used to scope the level of access (authorization) allowed to the resources. For example, an admin or automation process might have access to create a compute instance, but not use it, while a data scientist could use it, but not delete or create it. For more information, see [Manage access to Azure Machine Learning workspace](how-to-assign-roles.md). -Azure AD Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only. +Microsoft Entra Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only. 
## Prerequisites Azure AD Conditional Access can be used to further control or restrict access to * Install the [Azure CLI](/cli/azure/install-azure-cli). -## Azure Active Directory +<a name='azure-active-directory'></a> -All the authentication workflows for your workspace rely on Azure Active Directory. If you want users to authenticate using individual accounts, they must have accounts in your Azure AD. If you want to use service principals, they must exist in your Azure AD. Managed identities are also a feature of Azure AD. +## Microsoft Entra ID -For more on Azure AD, see [What is Azure Active Directory authentication](..//active-directory/authentication/overview-authentication.md). +All the authentication workflows for your workspace rely on Microsoft Entra ID. If you want users to authenticate using individual accounts, they must have accounts in your Microsoft Entra ID. If you want to use service principals, they must exist in your Microsoft Entra ID. Managed identities are also a feature of Microsoft Entra ID. -Once you've created the Azure AD accounts, see [Manage access to Azure Machine Learning workspace](how-to-assign-roles.md) for information on granting them access to the workspace and other operations in Azure Machine Learning. +For more on Microsoft Entra ID, see [What is Microsoft Entra authentication](..//active-directory/authentication/overview-authentication.md). ++Once you've created the Microsoft Entra accounts, see [Manage access to Azure Machine Learning workspace](how-to-assign-roles.md) for information on granting them access to the workspace and other operations in Azure Machine Learning. ## Use interactive authentication You can use a service principal for Azure CLI commands. For more information, se -The service principal can also be used to authenticate to the Azure Machine Learning [REST API](/rest/api/azureml/). 
You use the Azure Active Directory [client credentials grant flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md), which allow service-to-service calls for headless authentication in automated workflows. +The service principal can also be used to authenticate to the Azure Machine Learning [REST API](/rest/api/azureml/). You use the Microsoft Entra ID [client credentials grant flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md), which allow service-to-service calls for headless authentication in automated workflows. > [!IMPORTANT] > If you are currently using Azure Active Directory Authentication Library (ADAL) to get credentials, we recommend that you [Migrate to the Microsoft Authentication Library (MSAL)](../active-directory/develop/msal-migration.md). ADAL support ended June 30, 2022. print(ml_client) ## Use Conditional Access -As an administrator, you can enforce [Azure AD Conditional Access policies](../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you +As an administrator, you can enforce [Microsoft Entra Conditional Access policies](../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you can require two-factor authentication, or allow sign in only from managed devices. To use Conditional Access for Azure Machine Learning workspaces specifically, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__. ## Next steps |
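Review bot: the Use Conditional Access section repeats the app ID `0736f41a-0425-bdb5-1563eff02385`, which is missing a hex group (8-4-4-12 instead of a GUID's 8-4-4-4-12); a policy assignment copied from it cannot match the application. Correct it here and in how-to-integrate-azure-policy.md from the enterprise application's Application ID. Minor: "client credentials grant flow ..., which allow service-to-service calls" should be "which allows".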
machine-learning | How To Setup Mlops Azureml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-setup-mlops-azureml.md | Before you can set up an MLOps project with Azure Machine Learning, you need to ![Screenshot of service principal setup.](./media/how-to-setup-mlops-azureml/SP-setup-ownership-tab.png) -1. Go through the process of creating a Service Principle (SP) selecting **Accounts in any organizational directory (Any Azure AD directory - Multitenant)** and name it **Azure-ARM-Dev-ProjectName**. Once created, repeat and create a new SP named **Azure-ARM-Prod-ProjectName**. Replace **ProjectName** with the name of your project so that the service principal can be uniquely identified. +1. Go through the process of creating a Service Principle (SP) selecting **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant)** and name it **Azure-ARM-Dev-ProjectName**. Once created, repeat and create a new SP named **Azure-ARM-Prod-ProjectName**. Replace **ProjectName** with the name of your project so that the service principal can be uniquely identified. 1. Go to **Certificates & Secrets** and add for each SP **New client secret**, then store the value and secret separately. |
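Review bot: The `+` line keeps the typo `Service Principle (SP)`; since the line is being rewritten anyway, change it to `Service Principal (SP)`, which is the spelling the sibling article how-to-setup-mlops-github-azure-ml.md already uses.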
machine-learning | How To Setup Mlops Github Azure Ml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-setup-mlops-github-azure-ml.md | Before you can set up an MLOps project with Machine Learning, you need to set up :::image type="content" source="./media/how-to-setup-mlops-azureml/SP-setup-ownership-tab.png" alt-text="Screenshot of service principal setup."::: -1. Go through the process of creating a Service Principal (SP) selecting **Accounts in any organizational directory (Any Azure AD directory - Multitenant)** and name it **Azure-ARM-Prod-ProjectName**. Replace **ProjectName** with the name of your project so that the service principal can be uniquely identified. +1. Go through the process of creating a Service Principal (SP) selecting **Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant)** and name it **Azure-ARM-Prod-ProjectName**. Replace **ProjectName** with the name of your project so that the service principal can be uniquely identified. 1. Go to **Certificates & Secrets** and add for each SP **New client secret**, then store the value and secret separately. |
machine-learning | How To Troubleshoot Batch Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-troubleshoot-batch-endpoints.md | __Solution__: To understand what may be happening, go to __Outputs + Logs__ and __Context__: When invoking a batch endpoint using its REST APIs. -__Reason__: The access token used to invoke the REST API for the endpoint/deployment is indicating a token that is issued for a different audience/service. Azure Active Directory tokens are issued for specific actions. +__Reason__: The access token used to invoke the REST API for the endpoint/deployment is indicating a token that is issued for a different audience/service. Microsoft Entra tokens are issued for specific actions. __Solution__: When generating an authentication token to be used with the Batch Endpoint REST API, ensure the `resource` parameter is set to `https://ml.azure.com`. Please notice that this resource is different from the resource you need to indicate to manage the endpoint using the REST API. All Azure resources (including batch endpoints) use the resource `https://management.azure.com` for managing them. Ensure you use the right resource URI on each case. Notice that if you want to use the management API and the job invocation API at the same time, you'll need two tokens. For details see: [Authentication on batch endpoints (REST)](how-to-authenticate-batch-endpoint.md?tabs=rest). |
machine-learning | How To Use Batch Azure Data Factory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-batch-azure-data-factory.md | Azure Data Factory allows the creation of pipelines that can orchestrate multipl ## Authenticating against batch endpoints -Azure Data Factory can invoke the REST APIs of batch endpoints by using the [Web Invoke](../data-factory/control-flow-web-activity.md) activity. Batch endpoints support Azure Active Directory for authorization and hence the request made to the APIs require a proper authentication handling. +Azure Data Factory can invoke the REST APIs of batch endpoints by using the [Web Invoke](../data-factory/control-flow-web-activity.md) activity. Batch endpoints support Microsoft Entra ID for authorization and hence the request made to the APIs require a proper authentication handling. You can use a service principal or a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) to authenticate against Batch Endpoints. We recommend using a managed identity as it simplifies the use of secrets. You can use a service principal or a [managed identity](../active-directory/mana # [Using a Service Principal](#tab/sp) -1. Create a service principal following the steps at [Register an application with Azure AD and create a service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). +1. Create a service principal following the steps at [Register an application with Microsoft Entra ID and create a service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). 1. Create a secret to use for authentication as explained at [Option 3: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret). 1. 
Take note of the client secret **Value** that is generated. This is only displayed once. 1. Take note of the `client ID` and the `tenant id` in the **Overview** pane of the application. |
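Review bot: The link text is renamed to `Register an application with Microsoft Entra ID and create a service principal`, but the fragment `#register-an-application-with-azure-ad-and-create-a-service-principal` still carries the old heading slug; if the target heading in howto-create-service-principal-portal.md is renamed in the same pass, this anchor breaks, so verify the slug against the target article. Also, `the request made to the APIs require a proper authentication handling` should read `requests made to the APIs require proper authentication handling`.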
machine-learning | How To Use Event Grid Batch | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-event-grid-batch.md | The workflow looks as follows: ## Authenticating against batch endpoints -Azure Logic Apps can invoke the REST APIs of batch endpoints by using the [HTTP](../connectors/connectors-native-http.md) activity. Batch endpoints support Azure Active Directory for authorization and hence the request made to the APIs require a proper authentication handling. +Azure Logic Apps can invoke the REST APIs of batch endpoints by using the [HTTP](../connectors/connectors-native-http.md) activity. Batch endpoints support Microsoft Entra ID for authorization and hence the request made to the APIs require a proper authentication handling. We recommend to using a service principal for authentication and interaction with batch endpoints in this scenario. -1. Create a service principal following the steps at [Register an application with Azure AD and create a service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). +1. Create a service principal following the steps at [Register an application with Microsoft Entra ID and create a service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). 1. Create a secret to use for authentication as explained at [Option 3: Create a new client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret). 1. Take note of the client secret **Value** that is generated. This is only displayed once. 1. Take note of the `client ID` and the `tenant id` in the **Overview** pane of the application. |
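Review bot: The fragment `#register-an-application-with-azure-ad-and-create-a-service-principal` still uses the old `azure-ad` slug while the link text now says Microsoft Entra ID; confirm it still resolves in howto-create-service-principal-portal.md. While here, the unchanged context line `We recommend to using a service principal` should read `We recommend using a service principal`, and `the request made to the APIs require a proper authentication handling` has the same agreement problem as the Data Factory article (`requests ... require proper authentication handling`).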
machine-learning | How To Use Serverless Compute | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-serverless-compute.md | When you [view your usage and quota in the Azure portal](how-to-manage-quotas.md ## Identity support and credential pass through -* **User credential pass through** : Serverless compute fully supports user credential pass through. The user token of the user who is submitting the job is used for storage access. These credentials are from your Azure Active directory. +* **User credential pass through** : Serverless compute fully supports user credential pass through. The user token of the user who is submitting the job is used for storage access. These credentials are from your Microsoft Entra ID. # [Python SDK](#tab/python) |
machine-learning | Monitor Resource Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/monitor-resource-reference.md | The following schemas are in use by Azure Machine Learning | CorrelationId | A GUID used to group together a set of related events, when applicable. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure Active Directory (Azure AD) tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlComputeInstanceName | "The name of the compute instance associated with the log entry. | ### AmlDataLabelEvent table The following schemas are in use by Azure Machine Learning | CorrelationId | A GUID used to group together a set of related events, when applicable. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlProjectId | The unique identifier of the Azure Machine Learning project. | | AmlProjectName | The name of the Azure Machine Learning project. | | AmlLabelNames | The label class names which are created for the project. | The following schemas are in use by Azure Machine Learning | AmlWorkspaceId | A GUID and unique ID of the Azure Machine Learning workspace. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlDatasetId | The ID of the Azure Machine Learning Data Set. 
| | AmlDatasetName | The name of the Azure Machine Learning Data Set. | The following schemas are in use by Azure Machine Learning | AmlWorkspaceId | A GUID and unique ID of the Azure Machine Learning workspace. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlDatastoreName | The name of the Azure Machine Learning Data Store. | ### AmlDeploymentEvent table The following schemas are in use by Azure Machine Learning | ResultType | The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlServiceName | The name of the Azure Machine Learning Service. | ### AmlInferencingEvent table The following schemas are in use by Azure Machine Learning | ResultType | The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlServiceName | The name of the Azure Machine Learning Service. | ### AmlModelsEvent table The following schemas are in use by Azure Machine Learning | ResultType | The status of the event. 
Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | ResultSignature | The HTTP status code of the event. Typical values include 200, 201, 202 etc. | | AmlModelName | The name of the Azure Machine Learning Model. | The following schemas are in use by Azure Machine Learning | AmlWorkspaceId | The name of the Azure Machine Learning workspace. | | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlModuleId | A GUID and unique ID of the module.| | AmlModelName | The name of the Azure Machine Learning Model. | | AmlPipelineId | The ID of the Azure Machine Learning pipeline. | The following schemas are in use by Azure Machine Learning | OperationName | The name of the operation associated with the log entry | | AmlWorkspaceId | A GUID and unique ID of the Azure Machine Learning workspace. | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | RunId | The unique ID of the run. | ### AmlEnvironmentEvent table The following schemas are in use by Azure Machine Learning | Level | The severity level of the event. Must be one of Informational, Warning, Error, or Critical. 
| | OperationName | The name of the operation associated with the log entry | | Identity | The identity of the user or application that performed the operation. |-| AadTenantId | The Azure AD tenant ID the operation was submitted for. | +| AadTenantId | The Microsoft Entra tenant ID the operation was submitted for. | | AmlEnvironmentName | The name of the Azure Machine Learning environment configuration. | | AmlEnvironmentVersion | The name of the Azure Machine Learning environment configuration version. | |
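Review bot: In the first table shown (the one containing `AmlComputeInstanceName`), the row `| AmlComputeInstanceName | "The name of the compute instance associated with the log entry. |` has a stray opening double quote before the description; drop it while this table is being touched. Renaming only the description of the repeated `AadTenantId` row and leaving the column name itself untouched is correct, since these are documented log schemas that existing queries reference by column name.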
machine-learning | Reference Machine Learning Cloud Parity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/reference-machine-learning-cloud-parity.md | The information in the rest of this document provides information on what featur ||--|--| | Management plane | `https://management.azure.com/` | `https://management.chinacloudapi.cn/` | | Data plane | `https://{location}.experiments.azureml.net` | `https://{location}.experiments.ml.azure.cn` |- | Azure Active Directory | `https://login.microsoftonline.com` | `https://login.chinacloudapi.cn` | + | Microsoft Entra ID | `https://login.microsoftonline.com` | `https://login.chinacloudapi.cn` | * Sample notebook may not work, if it needs access to public data. * IP address ranges: The CLI command used in the [required public internet access](how-to-secure-training-vnet.md#required-public-internet-access-to-train-models) instructions does not return IP ranges. Use the [Azure IP ranges and service tags for Microsoft Azure operated by 21Vianet](https://www.microsoft.com//download/details.aspx?id=57062) instead. |
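Review bot: The renamed row ` | Microsoft Entra ID | ...` keeps a leading space before the first pipe that the neighbouring rows (`| Management plane |`, `| Data plane |`) do not have; remove it so the table renders consistently. The login endpoints in that row are left unchanged, which is right: the rename is cosmetic and the authority URLs clients must trust stay the same.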
machine-learning | Reference Yaml Endpoint Batch | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/reference-yaml-endpoint-batch.md | The source JSON schema can be found at https://azuremlschemas.azureedge.net/late | `name` | string | **Required.** Name of the endpoint. Needs to be unique at the Azure region level. | | | | `description` | string | Description of the endpoint. | | | | `tags` | object | Dictionary of tags for the endpoint. | | |-| `auth_mode` | string | The authentication method for the endpoint. Currently only Azure Active Directory (Azure AD) token-based authentication is supported. | `aad_token` | `aad_token` | +| `auth_mode` | string | The authentication method for the endpoint. Currently only Microsoft Entra token-based authentication is supported. | `aad_token` | `aad_token` | | `defaults` | object | Default settings for the endpoint. | | | | `defaults.deployment_name` | string | Name of the deployment that will serve as the default deployment for the endpoint. | | | |
machine-learning | Troubleshooting Managed Feature Store | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/troubleshooting-managed-feature-store.md | Code: AuthorizationFailed #### Solution: 1. If the feature retrieval job is using a managed identity, assign the `AzureML Data Scientist` role on the feature store to the identity.-1. If it happens when user runs code in an Azure Machine Learning Spark notebook, which uses the user's own identity to access the Azure Machine Learning service, assign the `AzureML Data Scientist` role on the feature store to the user's Azure Active Directory identity. +1. If it happens when user runs code in an Azure Machine Learning Spark notebook, which uses the user's own identity to access the Azure Machine Learning service, assign the `AzureML Data Scientist` role on the feature store to the user's Microsoft Entra identity. `AzureML Data Scientist` is a recommended role. User can create their own custom role with the following actions - Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action |
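Review bot: `If it happens when user runs code` is missing an article and should read `when a user runs code`; the following context line `User can create their own custom role` likewise reads better as `Users can create their own custom role`. The rename itself is clean.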
machine-learning | Tutorial Create Secure Workspace Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-create-secure-workspace-vnet.md | Use the following steps to create an Azure Virtual Machine to use as a jump box. A compute cluster is used by your training jobs. A compute instance provides a Jupyter Notebook experience on a shared compute resource attached to your workspace. 1. From an Azure Bastion connection to the jump box, open the __Microsoft Edge__ browser on the remote desktop.-1. In the remote browser session, go to __https://ml.azure.com__. When prompted, authenticate using your Azure AD account. +1. In the remote browser session, go to __https://ml.azure.com__. When prompted, authenticate using your Microsoft Entra account. 1. From the __Welcome to studio!__ screen, select the __Machine Learning workspace__ you created earlier and then select __Get started__. > [!TIP]- > If your Azure AD account has access to multiple subscriptions or directories, use the __Directory and Subscription__ dropdown to select the one that contains the workspace. + > If your Microsoft Entra account has access to multiple subscriptions or directories, use the __Directory and Subscription__ dropdown to select the one that contains the workspace. :::image type="content" source="./media/tutorial-create-secure-workspace-vnet/studio-select-workspace.png" alt-text="Screenshot of the select Machine Learning workspace form."::: |
machine-learning | Tutorial Enable Materialization Backfill Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-enable-materialization-backfill-data.md | This list summarizes the required setup steps: 1. In your feature store workspace, create an offline materialization store. Create an Azure Data Lake Storage Gen2 account and a container inside it, and attach it to the feature store. Optionally, you can use an existing storage container. 1. Create and assign a UAI to the feature store. Optionally, you can use an existing managed identity. The system-managed materialization jobs - in other words, the recurrent jobs - use the managed identity. The third tutorial in the series relies on it. 1. Grant required role-based access control (RBAC) permissions to the UAI.-1. Grant required RBAC permissions to your Azure Active Directory (Azure AD) identity. Users, including you, need read access to the sources and the materialization store. +1. Grant required RBAC permissions to your Microsoft Entra identity. Users, including you, need read access to the sources and the materialization store. ### Configure the Azure Machine Learning Spark notebook You can create a new notebook and execute the instructions in this tutorial step 1. Upload the *conda.yml* file that you [uploaded in the first tutorial](./tutorial-get-started-with-feature-store.md#prepare-the-notebook-environment). 1. Increase the session time-out (idle time) to avoid frequent prerequisite reruns. - [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. 
Enable recurrent materialization and run batch inference.ipynb?name=start-spark-session)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=start-spark-session)] ### Set up the root directory for the samples -[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=root-dir)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=root-dir)] 1. Set up the CLI. You can create a new notebook and execute the instructions in this tutorial step 1. Install the Azure Machine Learning extension. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=install-ml-ext-cli)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=install-ml-ext-cli)] 1. Authenticate. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=auth-cli)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=auth-cli)] 1. Set the default subscription. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=set-default-subs-cli)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. 
Enable materialization and backfill feature data.ipynb?name=set-default-subs-cli)] You can create a new notebook and execute the instructions in this tutorial step This is the current workspace. You'll run the tutorial notebook from this workspace. - [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-ws-crud-client)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=init-ws-crud-client)] 1. Initialize the feature store properties. Be sure to update the `featurestore_name` and `featurestore_location` values to reflect what you created in the first tutorial. - [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-crud-client)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=init-fs-crud-client)] 1. Initialize the feature store core SDK client. - [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-core-sdk)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=init-fs-core-sdk)] 1. Set up the offline materialization store. You can create a new notebook and execute the instructions in this tutorial step You can optionally override the default settings. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. 
Enable materialization and backfill feature data.ipynb?name=setup-utility-fns)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=setup-utility-fns)] # [Azure CLI](#tab/cli) You can create a new notebook and execute the instructions in this tutorial step The materialization store uses these values. You can optionally override the default settings. -[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=set-offline-store-params)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=set-offline-store-params)] 1. Create storage containers. The materialization store uses these values. You can optionally override the def # [Python SDK](#tab/python) - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=create-new-storage)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=create-new-storage)] # [Azure CLI](#tab/cli) The materialization store uses these values. You can optionally override the def # [Python SDK](#tab/python) - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=use-existing-storage)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=use-existing-storage)] # [Azure CLI](#tab/cli) The materialization store uses these values. 
You can optionally override the def ### Set the UAI values -[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=set-uai-params)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=set-uai-params)] ### Set up a UAI The first option is to create a new managed identity. -[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=create-new-uai)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=create-new-uai)] The second option is to reuse an existing managed identity. -[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=use-existing-uai)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=use-existing-uai)] ### Retrieve UAI properties The next CLI commands assign the first two roles to the UAI. In this example, th # [Python SDK](#tab/python) -[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai)] # [Azure CLI](#tab/cli) The next CLI commands assign the first two roles to the UAI. In this example, th If the feature data is materialized, you need the Storage Blob Data Reader role to read feature data from the offline materialization store. 
-Obtain your Azure AD object ID value from the Azure portal, as described in [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id). +Obtain your Microsoft Entra object ID value from the Azure portal, as described in [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id). To learn more about access control, see [Manage access control for managed feature store](./how-to-setup-access-control-feature-store.md). -[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-user-identity)] +[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-user-identity)] The following steps grant the Storage Blob Data Reader role access to your user account: The following steps grant the Storage Blob Data Reader role access to your user # [Python SDK](#tab/python) - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-store)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=enable-offline-store)] # [Azure CLI](#tab/cli) The following steps grant the Storage Blob Data Reader role access to your user # [Python SDK](#tab/python) - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. 
Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)] # [Azure CLI](#tab/cli) The following steps grant the Storage Blob Data Reader role access to your user # [Python SDK](#tab/python) - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=dump-txn-fset-yaml)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=dump-txn-fset-yaml)] # [Azure CLI](#tab/cli) The following steps grant the Storage Blob Data Reader role access to your user > [!NOTE] > You might need to determine a backfill data window. The window must match the window of your training data. For example, to use two years of data for training, you need to retrieve features for the same window. This means you should backfill for a two-year window. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=backfill-txns-fset)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=backfill-txns-fset)] Next, print sample data from the feature set. The output information shows that the data was retrieved from the materialization store. The `get_offline_features()` method retrieved the training and inference data. It also uses the materialization store by default. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. 
Enable materialization and backfill feature data.ipynb?name=sample-txns-fset-data)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/Enable materialization and backfill feature data.ipynb?name=sample-txns-fset-data)] ## Clean up |
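Review bot: the include paths in this row drop the numeric prefix (`2. Enable materialization and backfill feature data.ipynb` becomes `Enable materialization and backfill feature data.ipynb`), while the online-store tutorial in the same change set keeps its prefix and only renumbers it (`5.` to `4.`). If the `sdk_only` notebooks were renumbered rather than un-numbered, every `[!notebook-python[]` include here (`grant-rbac-to-user-identity` through `sample-txns-fset-data`) resolves to a missing file on `azureml-examples-main`; confirm the exact filename on the `main` branch before merging. On the `grant-rbac-to-user-identity` step, the Partner Center link for finding the object ID is an odd source for an Azure Machine Learning tutorial; `az ad signed-in-user show --query id -o tsv` is the direct way to get the caller's object ID and worth mentioning alongside the portal route, since the Storage Blob Data Reader assignment that follows is scoped to whatever ID the reader pastes in.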
machine-learning | Tutorial Network Isolation For Feature Store | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-network-isolation-for-feature-store.md | For this tutorial, you create three separate storage containers in the same ADLS [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/network_isolation/Network Isolation for Feature store.ipynb?name=uai-fs-role-cli)] - Follow these instructions to [get the Azure AD Object ID for your user identity](/partner-center/find-ids-and-domain-names#find-the-user-object-id). Then, use your Azure AD Object ID in the following command to assign **AzureML Data Scientist** role to your user identity on the created feature store. + Follow these instructions to [get the Microsoft Entra Object ID for your user identity](/partner-center/find-ids-and-domain-names#find-the-user-object-id). Then, use your Microsoft Entra Object ID in the following command to assign **AzureML Data Scientist** role to your user identity on the created feature store. [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/network_isolation/Network Isolation for Feature store.ipynb?name=aad-fs-role-cli)] We have reached the end of the tutorial. Your training data uses features from a ## Next steps * [Part 3: Experiment and train models using features](./tutorial-experiment-train-models-using-features.md)-* [Part 4: Enable recurrent materialization and run batch inference](./tutorial-enable-recurrent-materialization-run-batch-inference.md) +* [Part 4: Enable recurrent materialization and run batch inference](./tutorial-enable-recurrent-materialization-run-batch-inference.md) |
machine-learning | Tutorial Online Materialization Inference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-online-materialization-inference.md | To prepare the notebook environment for development: 1. Run the tutorial * Option 1: Create a new notebook, and execute the instructions in this document, step by step.- * Option 2: Open existing notebook `featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb`. You may keep this document open and refer to it for more explanation and documentation links. + * Option 2: Open existing notebook `featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb`. You may keep this document open and refer to it for more explanation and documentation links. 1. Select **Serverless Spark Compute** in the top navigation **Compute** dropdown. This operation might take one to two minutes. Wait for a status bar in the top to display **Configure session**. 1. Select **Configure session** in the top status bar. To prepare the notebook environment for development: 1. This code cell starts the Spark session. It needs about 10 minutes to install all dependencies and start the Spark session. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-spark-session)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=start-spark-session)] 1. Set up the root directory for the samples - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=root-dir)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=root-dir)] 1. 
Initialize the `MLClient` for the project workspace, where the tutorial notebook runs. The `MLClient` is used for the create, read, update, and delete (CRUD) operations. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-prj-ws-client)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=init-prj-ws-client)] 1. Initialize the `MLClient` for the feature store workspace, for the create, read, update, and delete (CRUD) operations on the feature store workspace. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-fs-ws-client)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=init-fs-ws-client)] > [!NOTE] > A **feature store workspace** supports feature reuse across projects. A **project workspace** - the current workspace in use - leverages features from a specific feature store, to train and inference models. Many project workspaces can share and reuse the same feature store workspace. 1. As mentioned earlier, this tutorial uses the Python feature store core SDK (`azureml-featurestore`). This initialized SDK client is used for create, read, update, and delete (CRUD) operations, on feature stores, feature sets, and feature store entities. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-fs-core-sdk)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. 
Enable online store and run online inference.ipynb?name=init-fs-core-sdk)] ## Prepare Azure Cache for Redis This tutorial uses Azure Cache for Redis as the online materialization store. Yo 1. Set values for the Azure Cache for Redis resource, to use as online materialization store. In this code cell, define the name of the Azure Cache for Redis resource to create or reuse. You can override other default settings. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=redis-settings)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=redis-settings)] 1. You can create a new Redis instance. You would select the Redis Cache tier (basic, standard, premium, or enterprise). Choose an SKU family available for the cache tier you select. For more information about tiers and cache performance, see [this resource](../azure-cache-for-redis/cache-best-practices-performance.md). For more information about SKU tiers and Azure cache families, see [this resource](https://azure.microsoft.com/pricing/details/cache/). Execute this code cell to create an Azure Cache for Redis with premium tier, SKU family `P`, and cache capacity 2. It may take from five to 10 minutes to prepare the Redis instance. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=provision-redis)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=provision-redis)] 1. Optionally, this code cell reuses an existing Redis instance with the previously defined name. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. 
Enable online store and run online inference.ipynb?name=reuse-redis)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=reuse-redis)] 1. Retrieve the user-assigned managed identity (UAI) that the feature store used for materialization. This code cell retrieves the principal ID, client ID, and ARM ID property values for the UAI used by the feature store for data materialization. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=retrieve-uai)] --1. Grant the `Contributor` role to the UAI on the Azure Cache for Redis. This role is required to write data into Redis during materialization. This code cell grants the `Contributor` role to the UAI on the Azure Cache for Redis. -- [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=uai-redis-rbac)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=retrieve-uai)] ## Attach online materialization store to the feature store The feature store needs the Azure Cache for Redis as an attached resource, for use as the online materialization store. This code cell handles that step. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=attach-online-store)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. 
Enable online store and run online inference.ipynb?name=attach-online-store)] ## Materialize the `accounts` feature set data to online store The feature store needs the Azure Cache for Redis as an attached resource, for u Earlier in this tutorial series, you did **not** materialize the accounts feature set because it had precomputed features, and only batch inference scenarios used it. This code cell enables online materialization so that the features become available in the online store, with low latency access. For consistency, it also enables offline materialization. Enabling offline materialization is optional. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=enable-accounts-material)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=enable-accounts-material)] ### Backfill the `account` feature set The `begin_backfill` function backfills data to all the materialization stores enabled for this feature set. Here offline and online materialization are both enabled. This code cell backfills the data to both online and offline materialization stores. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-accounts-backfill)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=start-accounts-backfill)] This code cell tracks completion of the backfill job. With the Azure Cache for Redis premium tier provisioned earlier, this step may take approximately 10 minutes to complete. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. 
Enable online store and run online inference.ipynb?name=track-accounts-backfill)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=track-accounts-backfill)] ## Materialize `transactions` feature set data to the online store Earlier in this tutorial series, you materialized `transactions` feature set dat 1. This code cell enables the `transactions` feature set online materialization. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=enable-transact-material)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=enable-transact-material)] 1. This code cell backfills the data to both the online and offline materialization store, to ensure that both stores have the latest data. The recurrent materialization job, which you set up in tutorial 2 of this series, now materializes data to both online and offline materialization stores. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-transact-material)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=start-transact-material)] This code cell tracks completion of the backfill job. Using the premium tier Azure Cache for Redis provisioned earlier, this step may take approximately five minutes to complete. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=track-transact-material)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. 
Enable online store and run online inference.ipynb?name=track-transact-material)] ## Test locally Now, use your development environment to look up features from the online materi This code cell parses the list of features from the existing feature retrieval specification. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=parse-feat-list)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=parse-feat-list)] This code retrieves feature values from the online materialization store. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-online-lookup)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=init-online-lookup)] Prepare some observation data for testing, and use that data to look up features from the online materialization store. During the online look-up, the keys (`accountID`) defined in the observation sample data might not exist in the Redis (due to `TTL`). In this case: Prepare some observation data for testing, and use that data to look up features 1. Open the console for the Redis instance, and check for existing keys with the `KEYS *` command. 1. Replace the `accountID` values in the sample observation data with the existing keys. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=online-feat-loockup)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. 
Enable online store and run online inference.ipynb?name=online-feat-loockup)] These steps looked up features from the online store. In the next step, you'll test online features using an Azure Machine Learning managed online endpoint. Visit [this resource](./how-to-deploy-online-endpoints.md?tabs=azure-cli) to lea This code cell defines the `fraud-model` managed online endpoint. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=define-endpoint)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=define-endpoint)] This code cell creates the managed online endpoint defined in the previous code cell. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=create-endpoint)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=create-endpoint)] ### Grant required RBAC permissions Here, you grant required RBAC permissions to the managed online endpoint on the This code cell retrieves the managed identity of the managed online endpoint: - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=get-endpoint-identity)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=get-endpoint-identity)] #### Grant the `Contributor` role to the online endpoint managed identity on the Azure Cache for Redis This code cell grants the `Contributor` role to the online endpoint managed identity on the Redis instance. 
This RBAC permission is needed to materialize data into the Redis online store. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=endpoint-redis-rbac)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=endpoint-redis-rbac)] #### Grant `AzureML Data Scientist` role to the online endpoint managed identity on the feature store This code cell grants the `AzureML Data Scientist` role to the online endpoint managed identity on the feature store. This RBAC permission is required for successful deployment of the model to the online endpoint. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=endpoint-fs-rbac)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=endpoint-fs-rbac)] #### Deploy the model to the online endpoint Review the scoring script `project/fraud_model/online_inference/src/scoring.py`. Next, execute this code cell to create a managed online deployment definition for model deployment. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=define-online-deployment)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=define-online-deployment)] Deploy the model to online endpoint with this code cell. The deployment may need four to five minutes. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. 
Enable online store and run online inference.ipynb?name=begin-online-deployment)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=begin-online-deployment)] ### Test online deployment with mock data Execute this code cell to test the online deployment with the mock data. You should see `0` or `1` as the output of this cell. - [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=test-online-deployment)] + [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable online store and run online inference.ipynb?name=test-online-deployment)] ## Next steps * [Network isolation with feature store (preview)](./tutorial-network-isolation-for-feature-store.md)-* [Azure Machine Learning feature stores samples repository](https://github.com/Azure/azureml-examples/tree/main/sdk/python/featurestore_sample) +* [Azure Machine Learning feature stores samples repository](https://github.com/Azure/azureml-examples/tree/main/sdk/python/featurestore_sample) |
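Review bot: the hunk under `Prepare Azure Cache for Redis` deletes the step that granted `Contributor` to the feature store's user-assigned managed identity on the cache (`uai-redis-rbac`), together with the sentence explaining that the role is required to write data into Redis during materialization, and nothing added in this change replaces it. As the page now reads, `retrieve-uai` fetches the identity and the next section attaches the cache, so a reader following the tutorial has no step that authorizes the UAI before `begin_backfill` writes to the online store. If the attach step now performs that role assignment itself, say so in the text; if not, restore the step, scoped to the cache resource only.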
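Review bot: under `Grant the Contributor role to the online endpoint managed identity on the Azure Cache for Redis`, the justification `This RBAC permission is needed to materialize data into the Redis online store` does not match what the endpoint does. Earlier in this row, materialization is performed by the feature store's user-assigned managed identity, and the endpoint only retrieves feature values from the online store (`init-online-lookup`, `online-feat-loockup`). State the real requirement (the endpoint reads from the cache) so a reader can judge whether `Contributor`, which grants full management of the cache resource, is wider than the deployment needs, and document any narrower role that works. The cell name `online-feat-loockup` carries a typo; it is harmless only as long as the notebook cell tag uses the same spelling, so check it rather than correcting one side.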
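Review bot: under `Test locally`, the troubleshooting step `check for existing keys with the KEYS * command` should not be recommended against a live cache. `KEYS` is a blocking full-keyspace scan; on a cache of any size it stalls every other client for its duration, including the materialization job and the online endpoint this tutorial is setting up. Suggest `SCAN 0 MATCH * COUNT 100` and iterating the returned cursor instead, and say explicitly that the step is meant for the throwaway instance created earlier in the tutorial.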
machine-learning | Concept Network Data Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/concept-network-data-access.md | When using Azure Data Lake Storage Gen2 as a datastore, you can use both Azure R ## Azure SQL Database -To access data stored in an Azure SQL Database with a managed identity, you must create a SQL contained user that maps to the managed identity. For more information on creating a user from an external provider, see [Create contained users mapped to Azure AD identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities). +To access data stored in an Azure SQL Database with a managed identity, you must create a SQL contained user that maps to the managed identity. For more information on creating a user from an external provider, see [Create contained users mapped to Microsoft Entra identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities). After you create a SQL contained user, grant permissions to it by using the [GRANT T-SQL command](/sql/t-sql/statements/grant-object-permissions-transact-sql). |
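Review bot: `grant permissions to it by using the GRANT T-SQL command` leaves the reader to pick the permission level; for a compute identity that only reads training data, say which statement is sufficient (for example `GRANT SELECT ON SCHEMA::dbo TO [<identity-name>];` or a per-table grant) rather than implying any grant will do. A contained user mapped to a managed identity has no database password to rotate, so the permissions granted to it are the only thing bounding what a compromised job can read; the paragraph should make that explicit.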
machine-learning | How To Authenticate Web Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-authenticate-web-service.md | Azure Machine Learning allows you to deploy your trained machine learning models The model deployments created by Azure Machine Learning can be configured to use one of two authentication methods: * **key-based**: A static key is used to authenticate to the web service.-* **token-based**: A temporary token must be obtained from the Azure Machine Learning workspace (using Azure Active Directory) and used to authenticate to the web service. This token expires after a period of time, and must be refreshed to continue working with the web service. +* **token-based**: A temporary token must be obtained from the Azure Machine Learning workspace (using Microsoft Entra ID) and used to authenticate to the web service. This token expires after a period of time, and must be refreshed to continue working with the web service. > [!NOTE] > Token-based authentication is only available when deploying to Azure Kubernetes Service. print(token) > > We strongly recommend that you create your Azure Machine Learning workspace in the same region as your Azure Kubernetes Service cluster. >-> To authenticate with a token, the web service will make a call to the region in which your Azure Machine Learning workspace is created. If your workspace region is unavailable, you won't be able to fetch a token for your web service, even if your cluster is in a different region from your workspace. The result is that Azure AD Authentication is unavailable until your workspace region is available again. +> To authenticate with a token, the web service will make a call to the region in which your Azure Machine Learning workspace is created. If your workspace region is unavailable, you won't be able to fetch a token for your web service, even if your cluster is in a different region from your workspace. 
The result is that Microsoft Entra authentication is unavailable until your workspace region is available again. > > Also, the greater the distance between your cluster's region and your workspace region, the longer it will take to fetch a token. |
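Review bot: the `key-based` bullet (`A static key is used to authenticate to the web service`) should say that the key is a long-lived bearer secret: any client holding it can score against the model until the key is regenerated, and the text gives no pointer to regeneration. One sentence on regenerating keys, and on preferring token-based authentication where the deployment target is Azure Kubernetes Service, would balance the two options. The region note that follows is accurate as rewritten; `Microsoft Entra authentication` reads correctly there.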
machine-learning | How To Deploy Azure Kubernetes Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-deploy-azure-kubernetes-service.md | DNS resolution within an existing VNet is under your control. For example, a fir | `<ACR name>.azurecr.io` | Your Azure Container Registry (ACR) | | `<account>.table.core.windows.net` | Azure Storage Account (table storage) | | `<account>.blob.core.windows.net` | Azure Storage Account (blob storage) |-| `api.azureml.ms` | Azure Active Directory (Azure AD) authentication | +| `api.azureml.ms` | Microsoft Entra authentication | | `ingest-vienna<region>.kusto.windows.net` | Kusto endpoint for uploading telemetry | | `<leaf-domain-label + auto-generated suffix>.<region>.cloudapp.azure.com` | Endpoint domain name, if you autogenerated by Azure Machine Learning. If you used a custom domain name, you don't need this entry. | Right after azureml-fe is deployed, it will attempt to start and this requires t Once azureml-fe is started, it requires the following connectivity to function properly: * Connect to Azure Storage to download dynamic configuration-* Resolve DNS for Azure AD authentication server api.azureml.ms and communicate with it when the deployed service uses Azure AD authentication. +* Resolve DNS for Microsoft Entra authentication server api.azureml.ms and communicate with it when the deployed service uses Microsoft Entra authentication. * Query AKS API server to discover deployed models * Communicate to deployed model PODs For more information on setting `autoscale_target_utilization`, `autoscale_max_r ## Web service authentication -When deploying to Azure Kubernetes Service, __key-based__ authentication is enabled by default. You can also enable __token-based__ authentication. Token-based authentication requires clients to use an Azure Active Directory account to request an authentication token, which is used to make requests to the deployed service. 
+When deploying to Azure Kubernetes Service, __key-based__ authentication is enabled by default. You can also enable __token-based__ authentication. Token-based authentication requires clients to use a Microsoft Entra account to request an authentication token, which is used to make requests to the deployed service. To __disable__ authentication, set the `auth_enabled=False` parameter when creating the deployment configuration. The following example disables authentication using the SDK: Microsoft Defender for Cloud provides unified security management and advanced t * [Use TLS to secure a web service through Azure Machine Learning](how-to-secure-web-service.md) * [Consume a ML Model deployed as a web service](how-to-consume-web-service.md) * [Monitor your Azure Machine Learning models with Application Insights](../how-to-enable-app-insights.md)-* [Collect data for models in production](how-to-enable-data-collection.md) +* [Collect data for models in production](how-to-enable-data-collection.md) |
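Review bot: two points in this row. In the azureml-fe connectivity list, `Resolve DNS for Microsoft Entra authentication server api.azureml.ms` reads as if `api.azureml.ms` were a Microsoft Entra endpoint; the DNS table above it labels the same host as the Azure Machine Learning endpoint used for Microsoft Entra authentication, which is the accurate description, so align the wording (for example `the api.azureml.ms endpoint used for Microsoft Entra authentication`). Under `Web service authentication`, the example that sets `auth_enabled=False` is introduced with no caveat; add a sentence that an unauthenticated deployment answers scoring requests from any client that can reach the service address, so it belongs only on isolated test clusters.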
machine-learning | How To Deploy Local Container Notebook Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-deploy-local-container-notebook-vm.md | An example notebook that demonstrates local deployments is included on your comp To submit sample data to the running service, use the following code. Replace the value of `service_url` with the URL of from the previous step: > [!NOTE]-> When authenticating to a deployment on the compute instance, the authentication is made using Azure Active Directory. The call to `interactive_auth.get_authentication_header()` in the example code authenticates you using AAD, and returns a header that can then be used to authenticate to the service on the compute instance. For more information, see [Set up authentication for Azure Machine Learning resources and workflows](how-to-setup-authentication.md#use-interactive-authentication). +> When authenticating to a deployment on the compute instance, the authentication is made using Microsoft Entra ID. The call to `interactive_auth.get_authentication_header()` in the example code authenticates you using Microsoft Entra ID, and returns a header that can then be used to authenticate to the service on the compute instance. For more information, see [Set up authentication for Azure Machine Learning resources and workflows](how-to-setup-authentication.md#use-interactive-authentication). > > When authenticating to a deployment on Azure Kubernetes Service or Azure Container Instances, a different authentication method is used. For more information on, see [Configure authentication for Azure Machine models deployed as web services](how-to-authenticate-web-service.md). |
machine-learning | How To Deploy Pipelines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-deploy-pipelines.md | All published pipelines have a REST endpoint. With the pipeline endpoint, you ca > [!IMPORTANT] > If you are using Azure role-based access control (Azure RBAC) to manage access to your pipeline, [set the permissions for your pipeline scenario (training or scoring)](../how-to-assign-roles.md#common-scenarios). -To invoke the run of the preceding pipeline, you need an Azure Active Directory authentication header token. Getting such a token is described in the [AzureCliAuthentication class](/python/api/azureml-core/azureml.core.authentication.azurecliauthentication) reference and in the [Authentication in Azure Machine Learning](https://aka.ms/pl-restep-auth) notebook. +To invoke the run of the preceding pipeline, you need a Microsoft Entra authentication header token. Getting such a token is described in the [AzureCliAuthentication class](/python/api/azureml-core/azureml.core.authentication.azurecliauthentication) reference and in the [Authentication in Azure Machine Learning](https://aka.ms/pl-restep-auth) notebook. ```python from azureml.pipeline.core import PublishedPipeline |
machine-learning | How To Identity Based Data Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-identity-based-data-access.md | -Typically, datastores use **credential-based authentication** to confirm you have permission to access the storage service. They keep connection information, like your subscription ID and token authorization, in the [key vault](https://azure.microsoft.com/services/key-vault/) that's associated with the workspace. When you create a datastore that uses **identity-based data access**, your Azure account ([Azure Active Directory token](../../active-directory/fundamentals/active-directory-whatis.md)) is used to confirm you have permission to access the storage service. In the **identity-based data access** scenario, no authentication credentials are saved. Only the storage account information is stored in the datastore. +Typically, datastores use **credential-based authentication** to confirm you have permission to access the storage service. They keep connection information, like your subscription ID and token authorization, in the [key vault](https://azure.microsoft.com/services/key-vault/) that's associated with the workspace. When you create a datastore that uses **identity-based data access**, your Azure account ([Microsoft Entra token](../../active-directory/fundamentals/active-directory-whatis.md)) is used to confirm you have permission to access the storage service. In the **identity-based data access** scenario, no authentication credentials are saved. Only the storage account information is stored in the datastore. To create datastores with **identity-based** data access via the Azure Machine Learning studio UI, see [Connect to data with the Azure Machine Learning studio](how-to-connect-data-ui.md#create-datastores). 
You can connect to storage services via identity-based data access with Azure Ma Your authentication credentials are kept in a datastore, which is used to ensure you have permission to access the storage service. When these credentials are registered via datastores, any user with the workspace Reader role can retrieve them. That scale of access can be a security concern for some organizations. [Learn more about the workspace Reader role.](../how-to-assign-roles.md#default-roles) -When you use identity-based data access, Azure Machine Learning prompts you for your Azure Active Directory token for data access authentication, instead of keeping your credentials in the datastore. That approach allows for data access management at the storage level and keeps credentials confidential. +When you use identity-based data access, Azure Machine Learning prompts you for your Microsoft Entra token for data access authentication, instead of keeping your credentials in the datastore. That approach allows for data access management at the storage level and keeps credentials confidential. The same behavior applies when you: When you register a storage service on Azure as a datastore, you automatically c See [Work with virtual networks](#work-with-virtual-networks) for details on how to connect to data storage behind virtual networks. -In the following code, notice the absence of authentication parameters like `sas_token`, `account_key`, `subscription_id`, and the service principal `client_id`. This omission indicates that Azure Machine Learning will use identity-based data access for authentication. Creation of datastores typically happens interactively in a notebook or via the studio. So your Azure Active Directory token is used for data access authentication. +In the following code, notice the absence of authentication parameters like `sas_token`, `account_key`, `subscription_id`, and the service principal `client_id`. 
This omission indicates that Azure Machine Learning will use identity-based data access for authentication. Creation of datastores typically happens interactively in a notebook or via the studio. So your Microsoft Entra token is used for data access authentication. > [!NOTE] > Datastore names should consist only of lowercase letters, numbers, and underscores. Identity-based data access supports connections to **only** the following storag To access these storage services, you must have at least [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader) access to the storage account. Only storage account owners can [change your access level via the Azure portal](../../storage/blobs/assign-azure-role-data-access.md). -If you prefer to not use your user identity (Azure Active Directory), you can also grant a workspace managed-system identity (MSI) permission to create the datastore. To do so, you must have Owner permissions to the storage account and add the `grant_workspace_access= True` parameter to your data register method. +If you prefer to not use your user identity (Microsoft Entra ID), you can also grant a workspace managed-system identity (MSI) permission to create the datastore. To do so, you must have Owner permissions to the storage account and add the `grant_workspace_access= True` parameter to your data register method. If you're training a model on a remote compute target and want to access the data for training, the compute identity must be granted at least the Storage Blob Data Reader role from the storage service. Learn how to [set up managed identity on a compute cluster](how-to-create-attach-compute-cluster.md#set-up-managed-identity). 
Another option is to skip datastore creation and create datasets directly from s blob_dset = Dataset.File.from_files('https://myblob.blob.core.windows.net/may/keras-mnist-fashion/') ``` -When you submit a training job that consumes a dataset created with identity-based data access, the managed identity of the training compute is used for data access authentication. Your Azure Active Directory token isn't used. For this scenario, ensure that the managed identity of the compute is granted at least the Storage Blob Data Reader role from the storage service. For more information, see [Set up managed identity on compute clusters](how-to-create-attach-compute-cluster.md#set-up-managed-identity). +When you submit a training job that consumes a dataset created with identity-based data access, the managed identity of the training compute is used for data access authentication. Your Microsoft Entra token isn't used. For this scenario, ensure that the managed identity of the compute is granted at least the Storage Blob Data Reader role from the storage service. For more information, see [Set up managed identity on compute clusters](how-to-create-attach-compute-cluster.md#set-up-managed-identity). ## Next steps * [Create an Azure Machine Learning dataset](how-to-create-register-datasets.md) * [Train with datasets](how-to-train-with-datasets.md)-* [Create a datastore with key-based data access](how-to-access-data.md) +* [Create a datastore with key-based data access](how-to-access-data.md) |
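Review bot: the `grant_workspace_access= True` hunk carries over a stray space after `=`, so the keyword argument no longer reads as it would be typed in the register call; write `grant_workspace_access=True`. The same hunk says Owner on the storage account is needed to let the workspace managed identity create the datastore but does not say which data-plane role that identity ends up with; since the following hunk requires only Storage Blob Data Reader for the compute identity at training time, name the role so readers can confirm the workspace identity is granted no more than the training path needs.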
machine-learning | How To Manage Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-manage-workspace.md | You can create a workspace [directly in Azure Machine Learning studio](../quicks ``` Set `create_resource_group` to False if you have an existing Azure resource group that you want to use for the workspace. -* **Multiple tenants.** If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Azure Active Directory, External Identities**. +* **Multiple tenants.** If you have multiple accounts, add the tenant ID of the Microsoft Entra ID you wish to use. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Microsoft Entra ID, External Identities**. [!INCLUDE [sdk v1](../includes/machine-learning-sdk-v1.md)] from azureml.core import Workspace ws = Workspace.from_config() ``` -* **Multiple tenants.** If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Azure Active Directory, External Identities**. +* **Multiple tenants.** If you have multiple accounts, add the tenant ID of the Microsoft Entra ID you wish to use. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Microsoft Entra ID, External Identities**. [!INCLUDE [sdk v1](../includes/machine-learning-sdk-v1.md)] |
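Review bot: in both "Multiple tenants" hunks the rename produced "the tenant ID of the Microsoft Entra ID you wish to use", which puts the product name where the tenant is meant; "the tenant ID of the Microsoft Entra tenant you wish to use" keeps the original meaning. The portal path "Microsoft Entra ID, External Identities" is carried over unchanged, while the Managed Grafana API article further down this page finds the same value under **Properties**, **Tenant ID**; pointing both articles at the same location would avoid sending readers to a blade that is not about tenant identity.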
machine-learning | How To Secure Training Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-secure-training-vnet.md | In this article, you learn how to secure training environments with a virtual ne Azure Machine Learning compute instance and compute cluster can be used to securely train models in a virtual network. When planning your environment, you can configure the compute instance/cluster with or without a public IP address. The general differences between the two are: -* **No public IP**: Reduces costs as it doesn't have the same networking resource requirements. Improves security by removing the requirement for inbound traffic from the internet. However, there are additional configuration changes required to enable outbound access to required resources (Azure Active Directory, Azure Resource Manager, etc.). +* **No public IP**: Reduces costs as it doesn't have the same networking resource requirements. Improves security by removing the requirement for inbound traffic from the internet. However, there are additional configuration changes required to enable outbound access to required resources (Microsoft Entra ID, Azure Resource Manager, etc.). * **Public IP**: Works by default, but costs more due to additional Azure networking resources. Requires inbound communication from the Azure Machine Learning service over the public internet. The following table contains the differences between these configurations: The following configurations are in addition to those listed in the [Prerequisit | `*.table.core.windows.net` | TCP | 443 | Communication with Azure Table storage. | -+ Create either a firewall and outbound rules or a NAT gateway and network service groups to allow outbound traffic. Since the compute has no public IP address, it can't communicate with resources on the public internet without this configuration. 
For example, it wouldn't be able to communicate with Azure Active Directory or Azure Resource Manager. Installing Python packages from public sources would also require this configuration. ++ Create either a firewall and outbound rules or a NAT gateway and network service groups to allow outbound traffic. Since the compute has no public IP address, it can't communicate with resources on the public internet without this configuration. For example, it wouldn't be able to communicate with Microsoft Entra ID or Azure Resource Manager. Installing Python packages from public sources would also require this configuration. For more information on the outbound traffic that is used by Azure Machine Learning, see the following articles: - [Configure inbound and outbound network traffic](../how-to-access-azureml-behind-firewall.md). |
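Review bot: both the removed and the added version of the `Create either a firewall and outbound rules or a NAT gateway and network service groups` line say "network service groups"; the Azure resource that filters this traffic is a network security group (NSG), so correct the term while the line is being rewritten, otherwise readers searching for the resource by the name given here will not find it. The rest of the hunk (outbound access to Microsoft Entra ID and Azure Resource Manager being required for no-public-IP compute) is consistent with the table above it.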
machine-learning | How To Setup Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-setup-authentication.md | -Learn how to set up authentication to your Azure Machine Learning workspace. Authentication to your Azure Machine Learning workspace is based on __Azure Active Directory__ (Azure AD) for most things. In general, there are four authentication workflows that you can use when connecting to the workspace: +Learn how to set up authentication to your Azure Machine Learning workspace. Authentication to your Azure Machine Learning workspace is based on __Microsoft Entra ID__ for most things. In general, there are four authentication workflows that you can use when connecting to the workspace: -* __Interactive__: You use your account in Azure Active Directory to either directly authenticate, or to get a token that is used for authentication. Interactive authentication is used during _experimentation and iterative development_. Interactive authentication enables you to control access to resources (such as a web service) on a per-user basis. +* __Interactive__: You use your account in Microsoft Entra ID to either directly authenticate, or to get a token that is used for authentication. Interactive authentication is used during _experimentation and iterative development_. Interactive authentication enables you to control access to resources (such as a web service) on a per-user basis. -* __Service principal__: You create a service principal account in Azure Active Directory, and use it to authenticate or get a token. A service principal is used when you need an _automated process to authenticate_ to the service without requiring user interaction. For example, a continuous integration and deployment script that trains and tests a model every time the training code changes. +* __Service principal__: You create a service principal account in Microsoft Entra ID, and use it to authenticate or get a token. 
A service principal is used when you need an _automated process to authenticate_ to the service without requiring user interaction. For example, a continuous integration and deployment script that trains and tests a model every time the training code changes. * __Azure CLI session__: You use an active Azure CLI session to authenticate. Azure CLI authentication is used during _experimentation and iterative development_, or when you need an _automated process to authenticate_ to the service using a pre-authenticated session. You can log in to Azure via the Azure CLI on your local workstation, without storing credentials in Python code or prompting the user to authenticate. Similarly, you can reuse the same scripts as part of continuous integration and deployment pipelines, while authenticating the Azure CLI with a service principal identity. Learn how to set up authentication to your Azure Machine Learning workspace. Aut Regardless of the authentication workflow used, Azure role-based access control (Azure RBAC) is used to scope the level of access (authorization) allowed to the resources. For example, an admin or automation process might have access to create a compute instance, but not use it, while a data scientist could use it, but not delete or create it. For more information, see [Manage access to Azure Machine Learning workspace](../how-to-assign-roles.md). -Azure AD Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only. +Microsoft Entra Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only. ## Prerequisites * Create an [Azure Machine Learning workspace](../how-to-manage-workspace.md). 
* [Configure your development environment](how-to-configure-environment.md) to install the Azure Machine Learning SDK, or use a [Azure Machine Learning compute instance](concept-azure-machine-learning-architecture.md#computes) with the SDK already installed. -## Azure Active Directory +<a name='azure-active-directory'></a> -All the authentication workflows for your workspace rely on Azure Active Directory. If you want users to authenticate using individual accounts, they must have accounts in your Azure AD. If you want to use service principals, they must exist in your Azure AD. Managed identities are also a feature of Azure AD. +## Microsoft Entra ID -For more on Azure AD, see [What is Azure Active Directory authentication](../../active-directory/authentication/overview-authentication.md). +All the authentication workflows for your workspace rely on Microsoft Entra ID. If you want users to authenticate using individual accounts, they must have accounts in your Microsoft Entra ID. If you want to use service principals, they must exist in your Microsoft Entra ID. Managed identities are also a feature of Microsoft Entra ID. -Once you've created the Azure AD accounts, see [Manage access to Azure Machine Learning workspace](../how-to-assign-roles.md) for information on granting them access to the workspace and other operations in Azure Machine Learning. +For more on Microsoft Entra ID, see [What is Microsoft Entra authentication](../../active-directory/authentication/overview-authentication.md). ++Once you've created the Microsoft Entra accounts, see [Manage access to Azure Machine Learning workspace](../how-to-assign-roles.md) for information on granting them access to the workspace and other operations in Azure Machine Learning. 
## Configure a service principal For more information, see [Set up managed identity for compute cluster](../how-t ## Use interactive authentication > [!IMPORTANT]-> Interactive authentication uses your browser, and requires cookies (including 3rd party cookies). If you have disabled cookies, you may receive an error such as "we couldn't sign you in." This error may also occur if you have enabled [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md). +> Interactive authentication uses your browser, and requires cookies (including 3rd party cookies). If you have disabled cookies, you may receive an error such as "we couldn't sign you in." This error may also occur if you have enabled [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md). Most examples in the documentation and samples use interactive authentication. For example, when using the SDK there are two function calls that will automatically prompt you with a UI-based authentication flow: ws = Workspace(subscription_id="your-sub-id", ## Use Conditional Access -As an administrator, you can enforce [Azure AD Conditional Access policies](../../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you +As an administrator, you can enforce [Microsoft Entra Conditional Access policies](../../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you can require two-factor authentication, or allow sign in only from managed devices. To use Conditional Access for Azure Machine Learning workspaces specifically, [assign the Conditional Access policy](../../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__. ## Next steps |
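Review bot: the Conditional Access hunk carries over `The app ID is __0736f41a-0425-bdb5-1563eff02385__`, which has four hyphen-separated groups where a GUID has five (8-4-4-4-12), so the value as printed cannot be what the portal expects when the policy is scoped to the Azure Machine Learning app; verify the ID against the Azure Machine Learning enterprise application in the tenant before this lands, because a policy assigned to a wrong or unresolvable app ID leaves the workspace outside the policy without any error at sign-in. The `<a name='azure-active-directory'></a>` anchor added above the renamed heading is the right way to keep existing deep links to `#azure-active-directory` working.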
machine-learning | How To Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-train-model.md | Azure Databricks is an Apache Spark-based environment in the Azure cloud. It can > [!IMPORTANT] > Azure Machine Learning cannot create an Azure Databricks compute target. Instead, you must create an Azure Databricks workspace, and then attach it to your Azure Machine Learning workspace. To create a workspace resource, see the [Run a Spark job on Azure Databricks](/azure/databricks/scenarios/quickstart-create-databricks-workspace-portal) document. > -> To attach an Azure Databricks workspace from a __different Azure subscription__, you (your Azure AD account) must be granted the **Contributor** role on the Azure Databricks workspace. Check your access in the [Azure portal](https://portal.azure.com/). +> To attach an Azure Databricks workspace from a __different Azure subscription__, you (your Microsoft Entra account) must be granted the **Contributor** role on the Azure Databricks workspace. Check your access in the [Azure portal](https://portal.azure.com/). To attach Azure Databricks as a compute target, provide the following information: |
managed-grafana | Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/faq.md | Customer data, including dashboards and data source configuration, created in Ma ## Does Managed Grafana support Grafana's built-in SAML and LDAP authentications? -No. Managed Grafana uses its implementation for Azure Active Directory authentication. +No. Managed Grafana uses its implementation for Microsoft Entra authentication. ## Can I install more plugins? |
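Review bot: the rewritten answer "Managed Grafana uses its implementation for Microsoft Entra authentication" is unclear about whose implementation is meant; "Managed Grafana uses its own Microsoft Entra ID integration instead" states the reason SAML and LDAP are not offered.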
managed-grafana | How To Api Calls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-api-calls.md | Title: 'Call Grafana APIs programmatically with Azure Managed Grafana' -description: Learn how to call Grafana APIs programmatically with Azure Active Directory and an Azure service principal +description: Learn how to call Grafana APIs programmatically with Microsoft Entra ID and an Azure service principal In this tutorial, you learn how to: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/). - An Azure Managed Grafana workspace. [Create an Azure Managed Grafana instance](./quickstart-managed-grafana-portal.md).-- An Azure Active Directory (Azure AD) application with a service principal. [Create an Azure AD application and service principal](../active-directory/develop/howto-create-service-principal-portal.md). For simplicity, use an application located in the same Azure AD tenant as your Azure Managed Grafana instance.+- A Microsoft Entra application with a service principal. [Create a Microsoft Entra application and service principal](../active-directory/develop/howto-create-service-principal-portal.md). For simplicity, use an application located in the same Microsoft Entra tenant as your Azure Managed Grafana instance. ## Sign in to Azure Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure. You now need to gather some information, which you'll use to get a Grafana API access token, and call Grafana APIs. 1. Find your tenant ID:- 1. In the Azure portal, enter *Azure Active Directory* in the **Search resources, services, and docs (G+ /)**. - 1. Select **Azure Active Directory**. + 1. In the Azure portal, enter *Microsoft Entra ID* in the **Search resources, services, and docs (G+ /)**. + 1. Select **Microsoft Entra ID**. 1. Select **Properties** from the left menu. 1. Locate the field **Tenant ID** and save its value. 
:::image type="content" source="./media/tutorial-api/tenant-id.png" alt-text="Screenshot of the Azure portal, getting tenant ID."::: 1. Find your client ID:- 1. In the Azure portal, in Azure Active Directory, select **App registrations** from the left menu. + 1. In the Azure portal, in Microsoft Entra ID, select **App registrations** from the left menu. 1. Select your app. 1. In **Overview**, find the **Application (client) ID** field and save its value. :::image type="content" source="./media/tutorial-api/client-id.png" alt-text="Screenshot of the Azure portal, getting client ID."::: 1. Create an application secret:- 1. In the Azure portal, in Azure Active Directory, select **App registrations** from the left menu. + 1. In the Azure portal, in Microsoft Entra ID, select **App registrations** from the left menu. 1. Select your app. 1. Select **Certificates & secrets** from the left menu. 1. Select **New client secret**. az grafana api-key create --key keyname --name <name> --resource-group <rg> --ro ### [POST request](#tab/post) -Follow the example below to call Azure AD and retrieve a token. Replace `<tenant-id>`, `<client-id>`, and `<client-secret>` with the tenant ID, application (client) ID, and client secret collected in the previous step. +Follow the example below to call Microsoft Entra ID and retrieve a token. Replace `<tenant-id>`, `<client-id>`, and `<client-secret>` with the tenant ID, application (client) ID, and client secret collected in the previous step. ```bash curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \ If you're not going to continue to use these resources, delete them with the fol 1. Select **Delete**. 1. Enter the resource name to confirm deletion and select **Delete**. -1. Delete the Azure AD application: - 1. In the Azure portal, in Azure Active Directory, select **App registrations** from the left menu. +1. Delete the Microsoft Entra application: + 1. 
In the Azure portal, in Microsoft Entra ID, select **App registrations** from the left menu. 1. Select your app. 1. In the **Overview** tab, select **Delete**. 1. Select **Delete**. |
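Review bot: the token hunk tells readers to replace `<client-secret>` inside the `curl -X POST` command line; a secret substituted there is written to shell history and is visible in the process list for the duration of the request, so suggest the example read it from an environment variable or a file instead of inlining it. The cleanup hunk that deletes the Microsoft Entra application after the tutorial is good, since the client secret created in the "Create an application secret" steps is revoked with it.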
managed-grafana | How To Authentication Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-authentication-permissions.md | After your workspace has been created, you can still turn on or turn off system- ## Next steps > [!div class="nextstepaction"]-> [Sync Grafana teams with Azure Active Directory groups](./how-to-sync-teams-with-azure-ad-groups.md) +> [Sync Grafana teams with Microsoft Entra groups](./how-to-sync-teams-with-azure-ad-groups.md) |
managed-grafana | How To Data Source Plugins Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-data-source-plugins-managed-identity.md | The Azure Monitor data source is automatically added to all new Managed Grafana :::image type="content" source="media/data-sources/configure-Azure-Monitor.png" alt-text="Screenshot of the Azure Monitor page in data sources."::: -Authentication and authorization are made through the provided managed identity. Using managed identity, lets you assign permissions for your Managed Grafana instance to access Azure Monitor data without having to manually manage service principals in Azure Active Directory (Azure AD). +Authentication and authorization are made through the provided managed identity. Using managed identity, lets you assign permissions for your Managed Grafana instance to access Azure Monitor data without having to manually manage service principals in Microsoft Entra ID. ### [Azure CLI](#tab/azure-cli) az grafana data-source update --data-source 'Azure Monitor' --name <instance-nam ### Azure Data Explorer configuration -Azure Managed Grafana can also access data sources using a service principal set up in Azure Active Directory (Azure AD). +Azure Managed Grafana can also access data sources using a service principal set up in Microsoft Entra ID. ### [Portal](#tab/azure-portal) Azure Managed Grafana can also access data sources using a service principal set :::image type="content" source="media/data-sources/data-explorer-connection-settings.jpg" alt-text="Screenshot of the Connection details section for Data Explorer in data sources."::: - To complete this process, you need to have an Azure AD service principal and connect Azure AD with an Azure Data Explorer User. For more information, go to [Configuring the datasource in Grafana](https://github.com/grafana/azure-data-explorer-datasource#configuring-the-datasource-in-grafana). 
+ To complete this process, you need to have a Microsoft Entra service principal and connect Microsoft Entra ID with an Azure Data Explorer User. For more information, go to [Configuring the datasource in Grafana](https://github.com/grafana/azure-data-explorer-datasource#configuring-the-datasource-in-grafana). -1. Select **Save & test** to validate the connection. "Success" is displayed on screen and confirms that Azure Managed Grafana is able to fetch the data source through the provided connection details, using the service principal in Azure AD. +1. Select **Save & test** to validate the connection. "Success" is displayed on screen and confirms that Azure Managed Grafana is able to fetch the data source through the provided connection details, using the service principal in Microsoft Entra ID. ### [Azure CLI](#tab/azure-cli) |
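Review bot: "Using managed identity, lets you assign permissions" keeps a stray comma from the original, and "Authentication and authorization are made through the provided managed identity" reads better as "are performed through". In the Azure Data Explorer hunk, "connect Microsoft Entra ID with an Azure Data Explorer User" does not say what the reader must actually do; state which Azure Data Explorer database role the service principal needs, choosing the lowest role that allows reads, so the service principal used by the data source is not over-privileged.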
managed-grafana | How To Share Dashboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-share-dashboard.md | Last updated 03/01/2023 # Share a Grafana dashboard or panel -In this guide for Azure Managed Grafana, learn how to share a Grafana dashboard or a Grafana panel with internal and external stakeholders, whether they're registered in your Azure Active Directory tenant or not. You can choose to share a dashboard or panel with restricted access, or share it with public access to facilitate collaboration with partners or customers. +In this guide for Azure Managed Grafana, learn how to share a Grafana dashboard or a Grafana panel with internal and external stakeholders, whether they're registered in your Microsoft Entra tenant or not. You can choose to share a dashboard or panel with restricted access, or share it with public access to facilitate collaboration with partners or customers. You can share Grafana visualizations by generating: The **Snapshot** tab lets you share an interactive dashboard or panel publicly. 1. Optionally update the snapshot name, select an expiry date and change the value of the timeout. 1. Choose to publish the Grafana snapshot: - to snapshots.raintank.io to make it accessible publicly to anyone with the link.- - as a local snapshot, to restrict access to users who are registered in your Azure AD tenant. + - as a local snapshot, to restrict access to users who are registered in your Microsoft Entra tenant. 1. **Copy** the snapshot URL generated by Grafana. Select **Delete snapshot** if you no longer need it. > [!NOTE] |
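Review bot: the snapshot hunk only says who can open a local snapshot (users registered in the Microsoft Entra tenant), while the bullet just above it sends the public variant to snapshots.raintank.io for anyone with the link; before the reader chooses between the two, the article should say what a snapshot contains, since the choice is really about where the panel's data is published, not only about the link.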
managed-grafana | How To Share Grafana Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-share-grafana-workspace.md | Azure Managed Grafana supports the Grafana Admin, Grafana Editor, and Grafana Vi More details on Grafana roles can be found in the [Grafana documentation](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles). -Grafana user roles and assignments are fully [integrated within Azure Active Directory (Azure AD)](../role-based-access-control/built-in-roles.md#grafana-admin). You can assign a Grafana role to any Azure AD user, group, service principal or managed identity, and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign Grafana roles to users in the Azure portal. +Grafana user roles and assignments are fully [integrated within Microsoft Entra ID](../role-based-access-control/built-in-roles.md#grafana-admin). You can assign a Grafana role to any Microsoft Entra user, group, service principal or managed identity, and grant them access permissions associated with that role. You can manage these permissions from the Azure portal or the command line. This section explains how to assign Grafana roles to users in the Azure portal. > [!NOTE] > Azure Managed Grafana doesn't support personal Microsoft accounts (MSA) currently. Assign a role using the [az role assignment create](/cli/azure/role/assignment#a In the code below, replace the following placeholders: - `<assignee>`:- - For an Azure AD user, enter their email address or the user object ID. + - For a Microsoft Entra user, enter their email address or the user object ID. - For a group, enter the group object ID. - For a service principal, enter the service principal object ID. - For a managed identity, enter the object ID. |
managed-grafana | How To Sync Teams With Azure Ad Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/how-to-sync-teams-with-azure-ad-groups.md | Title: Sync Grafana teams with Azure Active Directory groups -description: Learn how to set up Grafana teams using Azure Active Directory groups in Azure Managed Grafana + Title: Sync Grafana teams with Microsoft Entra groups +description: Learn how to set up Grafana teams using Microsoft Entra groups in Azure Managed Grafana -# Sync Grafana teams with Azure Active Directory groups (preview) +# Sync Grafana teams with Microsoft Entra groups (preview) -In this guide, you learn how to use Azure Active Directory (Azure AD) groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) (Azure AD group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders). +In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) (Microsoft Entra group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. 
In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders). -Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Azure AD. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Azure AD group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with an Azure AD group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Azure AD group. +Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Microsoft Entra ID. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. 
Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Microsoft Entra group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with a Microsoft Entra group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Microsoft Entra group. > [!IMPORTANT]-> Azure AD group sync is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> Microsoft Entra group sync is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. -## Set up Azure AD group sync +<a name='set-up-azure-ad-group-sync'></a> -To use Azure AD group sync, you add a new team to your Grafana workspace and link it to an existing Azure AD group through its group ID. Follow these steps to set up an Azure AD-backed Grafana team. +## Set up Microsoft Entra group sync ++To use Microsoft Entra group sync, you add a new team to your Grafana workspace and link it to an existing Microsoft Entra group through its group ID. Follow these steps to set up a Microsoft Entra ID-backed Grafana team. 1. In the Azure portal, open your Grafana instance and select **Configuration** under *Settings*.-1. 
Select the **Azure AD Team Sync Settings** tab. +1. Select the **Microsoft Entra team Sync Settings** tab. 1. Select **+ Create new Grafana team**. - :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Azure AD team sync."::: + :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Microsoft Entra team sync."::: 1. Enter a name for the Grafana team and select **Add**. :::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team."::: 1. In **Assign access to**, select the newly created Grafana team.-1. Select **+ Add an Azure AD Group**. +1. Select **+ Add a Microsoft Entra group**. - :::image type="content" source="media/azure-ad-group-sync/add-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Adding an Azure AD group to Grafana team."::: + :::image type="content" source="media/azure-ad-group-sync/add-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Adding a Microsoft Entra group to Grafana team."::: -1. In the **Select** search box, enter an Azure AD group name. +1. In the **Select** search box, enter a Microsoft Entra group name. 1. Select the group name in the search result and **Select**. - :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting an Azure AD group."::: + :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting a Microsoft Entra group."::: ++1. Repeat the previous three steps to add more Microsoft Entra groups to the Grafana team as appropriate. -1. Repeat the previous three steps to add more Azure AD groups to the Grafana team as appropriate. 
+ :::image type="content" source="media/azure-ad-group-sync/view-grafana-team.png" alt-text="Screenshot of the Azure portal. Viewing a Grafana team and Microsoft Entra group(s) linked to it."::: - :::image type="content" source="media/azure-ad-group-sync/view-grafana-team.png" alt-text="Screenshot of the Azure portal. Viewing a Grafana team and Azure AD group(s) linked to it."::: +<a name='remove-azure-ad-group-sync'></a> -## Remove Azure AD group sync +## Remove Microsoft Entra group sync -If you no longer need a Grafana team, follow these steps to delete it, which also removes the link to the Azure AD group. +If you no longer need a Grafana team, follow these steps to delete it, which also removes the link to the Microsoft Entra group. 1. In the Azure portal, open your Azure Managed Grafana workspace. 1. Select **Administration > Teams**. If you no longer need a Grafana team, follow these steps to delete it, which als ## Next steps -In this how-to guide, you learned how to set up Grafana teams backed by Azure AD groups. To learn how to use teams to control access to dashboards in your workspace, see [Manage dashboard permissions](https://grafana.com/docs/grafana/latest/administration/user-management/manage-dashboard-permissions/). -+In this how-to guide, you learned how to set up Grafana teams backed by Microsoft Entra groups. To learn how to use teams to control access to dashboards in your workspace, see [Manage dashboard permissions](https://grafana.com/docs/grafana/latest/administration/user-management/manage-dashboard-permissions/). |
managed-grafana | Known Limitations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/known-limitations.md | Azure Managed Grafana delivers the native Grafana functionality in the highest p Azure Managed Grafana has the following known limitations: -* All users must have accounts in an Azure Active Directory. Microsoft (also known as MSA) and 3rd-party accounts aren't supported. As a workaround, use the default tenant of your Azure subscription with your Grafana instance and add other users as guests. +* All users must have accounts in Microsoft Entra ID. Microsoft (also known as MSA) and 3rd-party accounts aren't supported. As a workaround, use the default tenant of your Azure subscription with your Grafana instance and add other users as guests. * Installing, uninstalling and upgrading plugins from the Grafana Catalog isn't possible. Azure Managed Grafana has the following known limitations: ||::|::| | Private link | ❌ | ❌ | | Managed private endpoint | ❌ | ❌ |- | Team sync with Azure AD | ❌ | ❌ | + | Team sync with Microsoft Entra ID | ❌ | ❌ | | Enterprise plugins | ❌ | ❌ | ## Next steps |
managed-grafana | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/overview.md | Azure Managed Grafana is a data visualization platform built on top of the Grafa Azure Managed Grafana is optimized for the Azure environment. It works seamlessly with many Azure services and provides the following integration features: * Built-in support for [Azure Monitor](../azure-monitor/index.yml) and [Azure Data Explorer](/azure/data-explorer/)-* User authentication and access control using Azure Active Directory identities +* User authentication and access control using Microsoft Entra identities * Direct import of existing charts from the Azure portal To learn more about how Grafana works, visit the [Getting Started documentation](https://grafana.com/docs/grafana/latest/getting-started/) on the Grafana Labs website. As a fully managed service, Azure Managed Grafana lets you deploy Grafana withou You can share Grafana dashboards with people inside and outside of your organization and allow others to join in for monitoring or troubleshooting. -Managed Grafana uses Azure Active Directory (Azure AD)’s centralized identity management, which allows you to control which users can use a Grafana instance, and you can use managed identities to access Azure data stores, such as Azure Monitor. +Managed Grafana uses Microsoft Entra ID’s centralized identity management, which allows you to control which users can use a Grafana instance, and you can use managed identities to access Azure data stores, such as Azure Monitor. You can create dashboards instantaneously by importing existing charts directly from the Azure portal or by using prebuilt dashboards. |
managed-grafana | Quickstart Managed Grafana Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/quickstart-managed-grafana-cli.md | Now let's check if you can access your new Managed Grafana instance. 1. Take note of the **endpoint** URL ending by `eus.grafana.azure.com`, listed in the CLI output. -1. Open a browser and enter the endpoint URL. Single sign-on via Azure Active Directory has been configured for you automatically. If prompted, enter your Azure account. You should now see your Azure Managed Grafana instance. From there, you can finish setting up your Grafana installation. +1. Open a browser and enter the endpoint URL. Single sign-on via Microsoft Entra ID has been configured for you automatically. If prompted, enter your Azure account. You should now see your Azure Managed Grafana instance. From there, you can finish setting up your Grafana installation. :::image type="content" source="media/quickstart-portal/grafana-ui.png" alt-text="Screenshot of a Managed Grafana instance."::: |
managed-grafana | Quickstart Managed Grafana Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/quickstart-managed-grafana-portal.md | Get started by creating an Azure Managed Grafana workspace using the Azure porta 1. Once the deployment is complete, select **Go to resource** to open your resource. -1. In the **Overview** tab's Essentials section, select the **Endpoint** URL. Single sign-on via Azure Active Directory has been configured for you automatically. If prompted, enter your Azure account. +1. In the **Overview** tab's Essentials section, select the **Endpoint** URL. Single sign-on via Microsoft Entra ID has been configured for you automatically. If prompted, enter your Azure account. :::image type="content" source="media/quickstart-portal/grafana-overview.png" alt-text="Screenshot of the Azure portal. Endpoint URL display."::: |
managed-grafana | Troubleshoot Managed Grafana | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-grafana/troubleshoot-managed-grafana.md | Enter a name that: The user has successfully created an Azure Managed Grafana instance but can't access their Managed Grafana instance, when going to the endpoint URL. -### Solution 1: use an Azure AD account +<a name='solution-1-use-an-azure-ad-account'></a> -Managed Grafana doesn't support Microsoft accounts. Sign in with an Azure AD account. +### Solution 1: use a Microsoft Entra account ++Managed Grafana doesn't support Microsoft accounts. Sign in with a Microsoft Entra account. ### Solution 2: check the provisioning state If you get a page with an error message such as "can't reach this page", stating 1. If you saw several browser redirects and then landed on a generic browser error page as shown above, then it means there's a failure in the backend. -1. If you have a firewall blocking outbound traffic, allow access to your instance, to your URL ending in grafana.azure.com, and Azure AD. +1. If you have a firewall blocking outbound traffic, allow access to your instance, to your URL ending in grafana.azure.com, and Microsoft Entra ID. ### Solution 3: fix access role issues This issue can happen if: ## Authorized users don't show up in Grafana Users configuration -After you add a user to a Managed Grafana's built-in RBAC role, such as Grafana Viewer, you don't see that user listed in the Grafana's **Configuration** UI page right away. This behavior is *by design*. Managed Grafana's RBAC roles are stored in the Azure AD (AAD). For performance reasons, Managed Grafana doesn't automatically synchronize users assigned to the built-in roles to every instance. There is no notification for changes in RBAC assignments. Querying AAD periodically to get current assignments adds much extra load to the AAD service. 
+After you add a user to a Managed Grafana's built-in RBAC role, such as Grafana Viewer, you don't see that user listed in the Grafana's **Configuration** UI page right away. This behavior is *by design*. Managed Grafana's RBAC roles are stored in Microsoft Entra ID. For performance reasons, Managed Grafana doesn't automatically synchronize users assigned to the built-in roles to every instance. There is no notification for changes in RBAC assignments. Querying Microsoft Entra ID periodically to get current assignments adds much extra load to the Microsoft Entra service. There's no "fix" for this in itself. After a user signs into your Grafana instance, the user shows up in the **Users** tab under Grafana **Configuration**. You can see the corresponding role that user has been assigned to. The Azure Data Explorer data source can't fetch data. :::image type="content" source="media/troubleshoot/troubleshoot-dashboard-data-explorer.png" alt-text="Screenshot of the Managed Grafana workspace: Checking dashboard information for Azure Data Explorer."::: -1. Check the Azure Data Explorer data source and see how authentication is set up. You can currently only set up authentication for Azure Data Explorer through Azure Active Directory (Azure AD). +1. Check the Azure Data Explorer data source and see how authentication is set up. You can currently only set up authentication for Azure Data Explorer through Microsoft Entra ID. 1. In your Grafana endpoint, go to **Configurations > Data Sources > Azure Data Explorer** 1. Check if the information listed for **Azure cloud**, **Cluster URL**, **Directory (tenant) ID**, **Application (client) ID**, and **Client secret** is correct. If needed, create a new key to add as a client secret.-1. At the top of the page, you can find instructions guiding you through the process to grant necessary permissions to this Azure AD app to read the Azure Data Explorer database. +1. 
At the top of the page, you can find instructions guiding you through the process to grant necessary permissions to this Microsoft Entra app to read the Azure Data Explorer database. 1. Make sure that your Azure Data Explorer instance doesn't have a firewall that blocks access to Managed Grafana. The Azure Data Explorer database needs to be exposed to the public internet. ## Dashboard import fails |
managed-instance-apache-cassandra | Monitor Clusters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/monitor-clusters.md | Use the [Azure Monitor REST API](/rest/api/monitor/diagnosticsettings/createorup ## Audit whitelist -> ![NOTE] +>[!NOTE] > This article contains references to a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article. By default, audit logging creates a record for every login attempt and CQL query. The result can be rather overwhelming and increase overhead. You can use the audit whitelist feature in Cassandra 3.11 to set what operations *don't* create an audit record. The audit whitelist feature is enabled by default in Cassandra 3.11. To learn how to configure your whitelist, see [Role-based whitelist management](https://github.com/Ericsson/ecaudit/blob/release/c2.2/doc/role_whitelist_management.md). |
migrate | Concepts Azure Spring Apps Assessment Calculation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/concepts-azure-spring-apps-assessment-calculation.md | + + Title: Azure Spring Apps assessments in Azure Migrate Discovery and assessment tool +description: Learn about Azure Spring Apps assessments in Azure Migrate Discovery and assessment tool ++++ Last updated : 09/05/2023++++# Assessment overview (migrate to Azure Spring Apps) (preview) ++This article provides an overview of assessments for migrating on-premises Spring Boot apps to Azure Spring Apps using the [Azure Migrate: Discovery and assessment tool](./migrate-services-overview.md#azure-migrate-discovery-and-assessment-tool). ++## What's an assessment? +An assessment with the Discovery and assessment tool is a point in time snapshot of data and measures the readiness and provides cost details to host on-premises servers, databases, and web apps to Azure. ++## Types of assessments ++The Azure Migrate: Discovery and assessment tool supports the following four types of assessments: ++**Assessment Type** | **Details** + | +**Azure VM** | Assessments to migrate your on-premises servers to Azure virtual machines. <br/><br/> You can assess your on-premises servers in [VMware environment](how-to-set-up-appliance-vmware.md), [Hyper-V environment](how-to-set-up-appliance-hyper-v.md), and [physical servers](how-to-set-up-appliance-physical.md) for migration to Azure VMs using this assessment type. +**Azure SQL** | Assessments to migrate your on-premises SQL servers from your VMware environment to Azure SQL Database or Azure SQL Managed Instance. +**Web apps on Azure** | Assessments to migrate your on-premises Spring Boot apps to Azure Spring Apps or ASP.NET web apps to Azure App Service. +**Azure VMware Solution (AVS)** | Assessments to migrate your on-premises [VMware VMs](how-to-set-up-appliance-vmware.md) to [Azure VMware Solution (AVS)](../azure-vmware/introduction.md). 
[Learn more](concepts-azure-vmware-solution-assessment-calculation.md). ++An Azure Spring Apps assessment provides the following sizing criteria: ++**Sizing criteria** | **Details** | **Data** + | | +**Performance-based** | Assessment that makes recommendations based on collected resource consumption data | The Azure Spring Apps assessment is calculated based on the memory consumption of your discovered workload, and an estimated consumption of CPU cores. ++## How do I assess my on-premises Spring Boot apps? ++You can assess your on-premises Spring Boot apps using the configuration data collected by a lightweight Azure Migrate appliance. The appliance discovers on-premises Spring Boot apps and sends the configuration data to Azure Migrate. [Learn more](how-to-set-up-appliance-vmware.md). ++## How do I assess with the appliance? ++If you're deploying an Azure Migrate appliance to discover on-premises servers, do the following steps: ++1. Set up Azure and your on-premises environment to work with Azure Migrate. +2. For your first assessment, create an Azure Migrate project. + > [!Note] + > The Azure Migrate: Discovery and assessment tool gets added to the project by default. +3. Deploy a lightweight Azure Migrate appliance. The appliance continuously discovers on-premises servers and sends configuration and performance data to Azure Migrate. Deploy the appliance as a VM or a physical server. You don't need to install anything on servers that you want to assess. ++After the appliance begins discovery, you can gather servers (hosting Spring Boot apps) that you want to assess into a group and run an assessment for the group with assessment type **Web apps on Azure**. ++[Learn more](how-to-create-azure-spring-apps-assessment.md) about Spring Boot apps assessments. ++## What properties are used to customize the assessment? 
++The following are included in Azure Spring Apps assessment properties: ++| **Setting** | **Details** | +| | | +| **Target location** | The Azure region to which you want to migrate. Azure Spring Apps configuration and cost recommendations are based on the location that you specify. | +| **Environment type** | Specifies the environment to apply pricing applicable to Production or Dev/Test. | +| **Offer/Licensing program** | The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. The assessment estimates the cost for that offer. | +| **Currency** | The billing currency for your account. | +| **Discount (%)** | Any subscription-specific discounts that you receive on top of the Azure offer. The default setting is 0%. | +| **EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br/><br/> Retain the default settings for reserved instances and discount (%) properties. | +| **Savings options (compute)** | Specify the savings option that you want the assessment to consider. This helps to optimize your Azure Compute cost. <br><br> We recommend [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (one year or 3 years reserved) for the most consistently running resources.<br><br> [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (one year or 3 years savings plan) provide more flexibility and automated cost optimization. Ideally post-migration, you could use Azure reservation and savings plan at the same time (reservation is first), but in the Azure Migrate assessments, you can only see cost estimates of one savings option at a time. 
<br><br> When you select **None**, the Azure Compute cost is based on the Pay-as-you-go rate or based on actual usage.<br><br> You need to select **Pay-as-you-go** in **Offer/licensing program** to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than **None**, the **Discount (%)** setting isn't applicable. The monthly cost estimates are calculated by multiplying 744 hours with the hourly price of the recommended SKU.| ++## Calculate readiness ++Azure Spring Apps readiness for Spring Boot apps is based on feature compatibility checks between on-premises configuration of Spring Boot apps and Azure Spring Apps: ++1. The Azure Spring Apps assessment considers the Spring Boot apps configuration data to identify compatibility issues. +1. If there are no compatibility issues found, the readiness is marked as **Ready** for the target deployment type. +1. If there are non-critical compatibility issues, such as degraded or unsupported features that don't block the migration to a specific target deployment type, the readiness is marked as **Ready with conditions** (hyperlinked) with **warning** details and recommended remediation guidance. You may migrate such apps first and optimize later. +1. If there are any compatibility issues that may block the migration to a specific target deployment type, the readiness is marked as **Not ready** with **issue** details and recommended remediation guidance. +1. If the discovery is still in progress or there are any discovery issues for a Spring Boot app, the readiness is marked as **Unknown** as the assessment couldn't compute the readiness for that Spring Boot app. ++## Calculate sizing ++The assessment summary shows the estimated monthly costs for hosting your apps in Spring Apps. In Azure Spring Apps, you pay charges per Azure Spring Apps service instance and not per app. One or more apps can be configured to run on the same service instance. 
Whatever apps you put into this Azure Spring Apps service instance are all up to you. ++For the purpose of cost estimation, we assume you include all your accessed apps into the same Azure Spring Apps service instance. Learn more about the details of Azure Spring Apps pricing from the [pricing page](https://azure.microsoft.com/pricing/details/spring-apps/) and [pricing calculator](https://azure.microsoft.com/pricing/calculator/). The monthly cost on this card assumes each month has 744 hours instead of 730 hours. ++The estimated cost applies for both Azure Spring Apps Standard Tier and Enterprise Tier. For Enterprise Tier, there will be additional cost on [software IP](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/vmware-inc.azure-spring-cloud-vmware-tanzu-2?tab=PlansAndPrice) and resource consumption for Tanzu components, which are not included in cost estimation. ++## Next steps +- Learn how to run an [Azure Spring Apps assessment](how-to-create-azure-spring-apps-assessment.md). |
migrate | Discovered Metadata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/discovered-metadata.md | Here's the web apps configuration data that the appliance collects from each Win Web apps | Application Name <br/>Configuration Path <br/>Frontend Bindings <br/>Enabled Frameworks <br/>Hosting Web Server<br/>Sub-Applications and virtual applications <br/>Application Pool name <br/>Runtime version <br/>Managed pipeline mode Web server | Server Name <br/>Server Type (currently only IIS) <br/>Configuration Location <br/>Version <br/>FQDN <br/>Credentials used for discovery <br/>List of Applications +## Spring Boot web apps data ++The Azure Migrate appliance used for discovery can also collect data on Spring Boot web applications. ++Here's the web apps configuration data that the appliance collects from each Windows server discovered in your environment. ++**Entity** | **Data** + | +Web apps | Application name <br/>Maven artifact name <br/>JAR file location <br/>JAR file checksum <br/>JAR file size<br/>Spring Boot version<br/>Maven build JDK version <br/> Application property files <br/>Certificates file names <br/> Static content location <br/> Application port <br/> Binding ports (including app port) <br/> Logging configuration <br/> JAR file last modified time +OS runtime | OS installed JDK version <br/> JVM options <br/> JVM heap memory <br/> OS name <br/> OS version <br/> Environment variables ++ ## Application dependency data Azure Migrate appliance can collect data about inter-server dependencies for servers running in your VMware environment/Hyper-V environment/ physical servers or servers running on other clouds like AWS, GCP etc. |
migrate | How To Create Azure Spring Apps Assessment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-create-azure-spring-apps-assessment.md | + + Title: Create an Azure Spring Apps assessment +description: Learn how to assess apps for migration to Azure Spring Apps ++++ Last updated : 09/04/2023++++# Create an Azure Spring Apps assessment (preview) ++As part of your migration journey to Azure, you assess your on-premises workloads to measure cloud readiness, identify risks, and estimate costs and complexity. +This article shows you how to assess discovered Spring Boot apps for migration to Azure Spring Apps, using the Azure Migrate for Spring apps. ++> [!Note] +> Discovery and assessment of Spring Boot apps is now in preview. If you want to try out this feature in an existing project, ensure that you meet the [prerequisites](how-to-discover-sql-existing-project.md) in this article. ++## Before you start ++- Ensure you've [created](./create-manage-projects.md) an Azure Migrate project and have Azure Migrate for Spring apps added. +- Set up an Azure Migrate appliance. The [appliance](migrate-appliance.md) discovers on-premises servers and sends metadata and performance data to Azure Migrate. The same appliance discovers Spring Boot apps that are running in your environment. ++## Azure Spring Apps assessment overview ++An Azure Spring Apps assessment provides the following sizing criteria: ++**Sizing criteria** | **Details** | **Data** + | | +**Performance-based** | Assessment that makes recommendations based on collected resource consumption data | The Azure Spring Apps assessment is calculated based on the memory consumption of your discovered workload, and an estimated consumption of CPU cores. ++[Learn more](concepts-azure-spring-apps-assessment-calculation.md) about Azure Spring Apps assessments. ++## Run an assessment ++Run an assessment using the following steps: ++1. 
On the **Overview** page > **Servers, databases and web apps**, select **Discover, assess and migrate**. ++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/discover-assess-migrate.png" alt-text="Screenshot of Overview page for Azure Migrate." lightbox="./media/how-to-create-azure-spring-apps-assessment/discover-assess-migrate.png"::: ++2. On **Azure Migrate: Discovery and assessment**, select **Assess** and choose the assessment type as **Azure Spring Apps**. ++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/assess-inline.png" alt-text="Screenshot of dropdown to choose assessment type as Web apps on Azure." lightbox="./media/how-to-create-azure-spring-apps-assessment/assess-expanded.png"::: ++ In **Create assessment**, you'll see the assessment type pre-selected as **Web apps on Azure**, the scenario pre-selected as **Spring Boot to Azure Spring Apps**, and the discovery source defaulted to **Servers discovered from Azure Migrate appliance**. +4. Select **Edit** to review the assessment properties. ++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/assess-webapps-inline.png" alt-text="Screenshot of Edit button from where assessment properties can be customized." lightbox="./media/how-to-create-azure-spring-apps-assessment/assess-webapps-expanded.png"::: ++1. The following are included in Azure Spring Apps assessment properties: ++ | **Property** | **Details** | + | | | + | **Target location** | The Azure region to which you want to migrate. Azure Spring Apps configuration and cost recommendations are based on the location that you specify. | + | **Environment type** | Specifies the environment to apply pricing applicable to Production or Dev/Test. | + | **Offer/Licensing program** | The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. The assessment estimates the cost for that offer. 
| + | **Currency** | The billing currency for your account. | + | **Discount (%)** | Any subscription-specific discounts that you receive on top of the Azure offer. The default setting is 0%. | + | **EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br/><br/> Retain the settings for reserved instances, and discount (%) properties with their default settings. | + | **Savings options (compute)** | Specify the savings option that you want the assessment to consider, to help optimize your Azure Compute cost. <br><br> We recommend [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (1 year or 3 years reserved) for the most consistently running resources.<br><br> [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (1 year or 3 years savings plan) provide more flexibility and automated cost optimization. Ideally post migration, you could use Azure reservation and savings plan at the same time (reservation is first), but in the Azure Migrate assessments, you can only see cost estimates of one savings option at a time. <br><br> When you select **None**, the Azure Compute cost is based on the Pay-as-you-go rate or based on actual usage.<br><br> You need to select pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than **None**, the **Discount (%)** setting isn't applicable. The monthly cost estimates are calculated by multiplying 744 hours with the hourly price of the recommended SKU.| ++1. In **Create assessment**, select **Next**. +1. In **Select servers to assess** > **Assessment name** > specify a name for the assessment. +1. In **Select or create a group** > select **Create New** and specify a group name. +1. 
Select the appliance, and select the servers you want to add to the group. Select **Next**. +1. In **Review + create assessment**, review the assessment details, and select **Create Assessment** to create the group and run the assessment. +1. After the assessment is created, go to **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment** tile and refresh the tile data by selecting the **Refresh** option on top of the tile. Wait for data to get refreshed. ++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/tile-refresh-inline.png" alt-text="Screenshot of refreshed discovery and assessment tool data." lightbox="./media/how-to-create-azure-spring-apps-assessment/tile-refresh-expanded.png"::: ++1. Select the number next to **Azure Spring Apps** assessment. ++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/assessment-webapps-navigation-inline.png" alt-text="Screenshot of navigation to created assessment." lightbox="./media/how-to-create-azure-spring-apps-assessment/assessment-webapps-navigation-expanded.png"::: ++1. Select the assessment name that you want to view. ++## Review an assessment ++**To view an assessment**: ++1. In **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**, select the number next to Azure Spring Apps assessment. +2. Select the assessment name that you wish to view. +3. Review the assessment summary. You can also edit the assessment properties or recalculate the assessment. The assessment summary consists of the **Overview** and the **Azure Spring apps** sections. +++### Overview ++This card shows the distribution of assessed apps based on their readiness. In addition, it estimates the monthly costs for apps marked with **Ready** or **Ready with conditions** status. The cost estimation is based upon the current memory consumption and estimated CPU consumption of your apps. 
++### Azure Spring Apps ++This card shows the list of assessed apps with the average memory consumption and estimated CPU consumption for each app instance. You can drill down to understand details around migration issues/warnings that you can remediate before migration to Azure Spring Apps. [Learn more](concepts-azure-spring-apps-assessment-calculation.md). ++### Review cost estimates ++The assessment summary shows the estimated monthly costs for hosting your apps in Spring Apps. In Azure Spring Apps, you pay charges per Azure Spring Apps service instance and not per app. One or more apps can be configured to run on the same service instance. You can choose the apps to be included in the Azure Spring apps service instance. ++For estimating cost, we assume you add all your assessed apps into the same Azure Spring Apps service instance. Learn more about the details of Azure Spring Apps pricing from the [pricing page](https://azure.microsoft.com/pricing/details/spring-apps/) and [pricing calculator](https://azure.microsoft.com/pricing/calculator/). The monthly cost on this card assumes each month has 744 hours instead of 730 hours. ++The estimated cost applies for both Azure Spring Apps Standard tier and Enterprise tier. For Enterprise tier, there is an additional cost on [software IP](https://azuremarketplace.microsoft.com/marketplace/apps/vmware-inc.azure-spring-cloud-vmware-tanzu-2?tab=PlansAndPrice) and resource consumption for Tanzu components, which aren't included in cost estimation. ++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/assessment-webapps-cost-inline.png" alt-text="Screenshot of Cost details." lightbox="./media/how-to-create-azure-spring-apps-assessment/assessment-webapps-cost-expanded.png"::: ++### Review readiness ++1. Select **Azure Spring Apps**. 
++ :::image type="content" source="./media/how-to-create-azure-spring-apps-assessment/assessment-webapps-readiness-inline.png" alt-text="Screenshot of Azure Spring Apps readiness details." lightbox="./media/how-to-create-azure-spring-apps-assessment/assessment-webapps-readiness-expanded.png"::: ++1. Review Azure Spring Apps readiness column in table, for the assessed apps: + 1. If there are no compatibility issues found, the readiness is marked as **Ready** for the target deployment type. + 1. If there are non-critical compatibility issues, such as degraded or unsupported features that do not block the migration, the readiness is marked as **Ready with conditions** (hyperlinked) with **warning** details and recommended remediation guidance. You may migrate such apps first and optimize later. + 1. If there are any compatibility issues that may block the migration to a specific target deployment type, the readiness is marked as **Not ready** with **issue** details and recommended remediation guidance. + 1. If the discovery is still in progress or there are any discovery issues for a web app, the readiness is marked as **Unknown** as the assessment couldn't compute the readiness for that web app. ++## Next steps ++- [Learn more](concepts-azure-spring-apps-assessment-calculation.md) about how Azure Spring Apps assessments are calculated. |
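Review bot: product casing drifts within the Review an assessment hunk: the summary is said to consist of the **Overview** and the **Azure Spring apps** sections, and the cost paragraph says "the Azure Spring apps service instance", while the heading and the rest of the article use "Azure Spring Apps"; use the product name consistently. In the Review readiness steps, "Review Azure Spring Apps readiness column in table" is missing its articles ("Review the Azure Spring Apps readiness column in the table"), and "Learn more about the details of Azure Spring Apps pricing from the pricing page and pricing calculator" reads more cleanly as "See the pricing page and pricing calculator for Azure Spring Apps pricing details".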
migrate | How To Discover Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-discover-applications.md | -Performing software inventory helps identify and tailor a migration path to Azure for your workloads. Software inventory uses the Azure Migrate appliance to perform discovery, using server credentials. It's completely agentless - no agents are installed on the servers to collect this data. +Performing software inventory helps identify and tailor a migration path to Azure for your workloads. Software inventory uses the Azure Migrate appliance to perform discovery, using server credentials. It's completely agentless, that is, no agents are installed on the servers to collect this data. ## Before you start Once connected, the appliance gathers configuration and performance data of SQL - User can add both domain and non-domain credentials on appliance. Make sure that the account used has local admin privileges on source servers. Azure Migrate automatically maps credentials to the respective servers, so one doesnΓÇÖt have to map them manually. Most importantly, these credentials are never sent to Microsoft and remain on the appliance running in source environment. - After the appliance is connected, it gathers configuration data for IIS web server and ASP.NET web apps. Web apps configuration data is updated once every 24 hours. +## Discover Spring Boot apps (preview) ++- Software inventory identifies Spring Boot role existing on discovered servers. If a server has Spring Boot role enabled, Azure Migrate performs Spring Boot apps discovery on the server. +- Users can add both domain and non-domain credentials on the appliance. Ensure that the account used has local admin privileges on source servers. Azure Migrate automatically maps credentials to the respective servers, so one doesnΓÇÖt have to map them manually. 
+ > [!Note] + > The credentials are never sent to Microsoft and remain on the appliance running in source environment. +- After the appliance is connected, it gathers configuration data for Spring Boot apps. Spring Boot apps configuration data is updated once every 24 hours. +- Discovery of Spring Boot apps requires SSH and SFTP access from the appliance to the respective servers. The Spring Boot apps that can be discovered depend on the SSH user identity and its corresponding file permissions. Ensure the credentials you provide have the necessary privileges for the apps you target to discover. +- Currently, Windows servers aren't supported for Spring Boot app discovery, only Linux servers are supported. +- Learn more about appliance requirements on [Azure Migrate appliance requirements](migrate-appliance.md) and [discovery support](migrate-support-matrix-vmware.md#dependency-analysis-requirements-agentless). + ## Next steps - [Create an assessment](how-to-create-assessment.md) for discovered servers. - [Assess web apps](how-to-create-azure-app-service-assessment.md) for migration to Azure App Service.+- [Assess Spring Boot apps](how-to-create-azure-spring-apps-assessment.md) for migration to Azure Spring Apps. |
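Review bot: the credential bullets in the Discover Spring Boot apps (preview) hunk contradict each other: the second bullet says the account must have "local admin privileges on source servers" (wording carried over from the IIS/web apps section above it), while the fourth bullet says discovery runs over SSH and SFTP and that which apps are discoverable "depend on the SSH user identity and its corresponding file permissions". State the actual minimum (an SSH/SFTP account with read access to the files of the apps to be discovered) instead of local admin; the same credentials are auto-mapped to every matching server, so an over-privileged SSH account needlessly widens the impact if the appliance or its credential store is compromised. Also, the last bullet's "discovery support" link points at `migrate-support-matrix-vmware.md#dependency-analysis-requirements-agentless`, a dependency-analysis anchor rather than a Spring Boot discovery requirements section; check the target.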
migrate | How To Discover Sql Existing Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-discover-sql-existing-project.md | This discovery process is agentless that is, nothing is installed on the target 1. In your Azure Migrate project, either - Select **Not enabled** on the Hub tile, or- :::image type="content" source="./media/how-to-discover-sql-existing-project/hub-not-enabled.png" alt-text="Azure Migrate hub tile with SQL and web apps discovery not enabled"::: - - Select **Not enabled** on any entry in the Server discovery page under SQL instances or Web apps column - :::image type="content" source="./media/how-to-discover-sql-existing-project/discovery-not-enabled.png" alt-text="Azure Migrate discovered servers blade with SQL and web apps discovery not enabled"::: ++ :::image type="content" source="./media/how-to-discover-sql-existing-project/hub-not-enabled.png" alt-text="Screenshot of Azure Migrate hub tile with SQL and web apps discovery not enabled."::: ++ - Select **Not enabled** on any entry in the Server discovery page under SQL instances or Web apps column. ++ :::image type="content" source="./media/how-to-discover-sql-existing-project/discovery-not-enabled.png" alt-text="Screenshot of Azure Migrate discovered servers blade with SQL and web apps discovery not enabled."::: + 2. To discover web apps and SQL Server instances and databases follow the steps entailed: - Select **Upgrade**, to create the required resource.- :::image type="content" source="./media/how-to-discover-sql-existing-project/discovery-upgrade-appliance.png" alt-text="Button to upgrade the Azure Migrate appliance"::: ++ :::image type="content" source="./media/how-to-discover-sql-existing-project/discovery-upgrade-appliance.png" alt-text="Screenshot of button to upgrade the Azure Migrate appliance."::: + - Validate that the services running on the appliance are updated to the latest versions. 
To do so, launch the Appliance configuration manager from your appliance server and select view appliance services from the Setup prerequisites panel. - Appliance and its components are automatically updated- :::image type="content" source="./media/how-to-discover-sql-existing-project/appliance-services-version.png" alt-text="Check the appliance version"::: ++ :::image type="content" source="./media/how-to-discover-sql-existing-project/appliance-services-version.png" alt-text="Screenshot of the appliance version."::: + - In the manage credentials and discovery sources panel of the Appliance configuration manager, add Domain or SQL Server Authentication credentials that have Sysadmin access on the SQL Server instance and databases to be discovered or have [these permissions](migrate-support-matrix-vmware.md#configure-the-custom-login-for-sql-server-discovery) for each SQL Server instance. - Web apps discovery works with both domain and non-domain Windows OS credentials as long as the account used has local admin privileges on servers. You can leverage the automatic credential-mapping feature of the appliance, as highlighted [here](./tutorial-discover-vmware.md#start-continuous-discovery). Some points to note: - Ensure that software inventory is enabled already, or provide Domain or Non-domain credentials to enable the same. Software inventory must be performed to discover SQL Server instances and web apps.- - Appliance will attempt to validate the Domain credentials with AD, as they're added. Ensure that appliance server has network line of sight to the AD server associated with the credentials. Non-domain credentials and credentials associated with SQL Server Authentication aren't validated. + - The appliance attempts to validate the domain credentials with AD, as they're added. Ensure that appliance server has network line of sight to the AD server associated with the credentials. 
Non-domain credentials and credentials associated with SQL Server Authentication aren't validated. 3. Once the desired credentials are added, select Start Discovery, to begin the scan. This discovery process is agentless that is, nothing is installed on the target - Learn how to create an [Azure SQL assessment](./how-to-create-azure-sql-assessment.md). - Learn more about [Azure SQL assessments](./concepts-azure-sql-assessment-calculation.md). - Learn how to create an [Azure App Service assessment](./how-to-create-azure-app-service-assessment.md).-- Learn more about [Azure App Service assessments](./concepts-azure-webapps-assessment-calculation.md).+- Learn more about [Azure App Service assessments](./concepts-azure-webapps-assessment-calculation.md). +- Learn how to create an [Azure Spring Apps assessment](./how-to-create-azure-spring-apps-assessment.md). |
migrate | Prepare For Agentless Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/prepare-for-agentless-migration.md | The preparation script executes the following changes based on the OS type of th 1. If any of these drivers are missing, add the required drivers and regenerate the image for the corresponding kernel version. >[!NOTE]- >This step may not apply to Ubuntu and Debian VMs as the Hyper-V drivers are built-in by default. [Learn more about the changes.](../virtual-machines/linux/create-upload-generic.md#installing-kernel-modules-without-hyper-v) + >This step may not apply to Ubuntu and Debian VMs as the Hyper-V drivers are built-in by default. [Learn more about the changes.](../virtual-machines/linux/create-upload-generic.md#install-kernel-modules-without-hyper-v) An illustrative example for rebuilding initrd |
migrate | Troubleshoot Spring Boot Discovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-spring-boot-discovery.md | + + Title: Troubleshoot common issues during discovery and assessment of Spring Boot apps +description: Learn how to troubleshoot Azure Spring Apps issues in Azure Migrate +++ms. + Last updated : 09/28/2023+++++# Troubleshoot common issues during discovery and assessment of Spring Boot apps (preview) ++For errors related to the access policy on the Key Vault, follow these steps to find the Principal ID of the appliance extension running on the connected cluster. ++## Assigning required Key Vault permissions to Migrate appliance extension + +1. Go to your Azure Migrate project. +2. Navigate to Azure Migrate: Discovery and assessment> **Overview** > **Manage** > **Appliances** and find the name of the Kubernetes-based appliance whose service principal you need to find. + +3. You can also find the Key Vault associated with the appliance by selecting the appliance name and finding the Key Vault name in appliance properties. +4. Go to your workstation and open PowerShell as an administrator. +5. Install the [ARM Client](https://github.com/projectkudu/ARMClient/releases/download/v1.9/ARMClient.zip) zip folder. +6. Unzip the folder and on a PowerShell window, switch to the directory with the extracted folder. +7. Run the following command to sign in to your Azure subscription: `armclient login` +8. After successfully signing in, run the following command by adding the appliance name: + +``` +armclient get /subscriptions/<subscription>/resourceGroups/<resourceGroup> /providers/Microsoft.Kubernetes/connectedClusters/<applianceName>/Providers/Microsoft.KubernetesConfiguration/extensions/credential-sync-agent ?api-version=2022-03-01 +``` ++9. The response lists down the identity associated with the Appliance extension. Note down the `Principal ID` field in the response under the`identity` section. +10. 
Go to Azure portal and check if the Principal ID has the required access on the Azure Key Vault, chosen for secret processing. +11. Go to the Key Vault, go to access policies, select the Principal ID from list and check the permissions it has OR create a new access policy specifically for the Principal ID you found by running the command above. +12. Ensure that following permissions are assigned to the Principal ID: *Secret permission* and both *Secret Management Operations and Privileged Management Operations*. ++## Next steps +Set up an appliance for [VMware](how-to-set-up-appliance-vmware.md), [Hyper-V](how-to-set-up-appliance-hyper-v.md), or [physical servers](how-to-set-up-appliance-physical.md). + |
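Review bot: the `armclient get` command in step 8 has stray spaces inside the resource path (`<resourceGroup> /providers` and `credential-sync-agent ?api-version=2022-03-01`), which split the URL into separate arguments and make the call fail; join them into a single path. Step 12 then asks for the broadest grant (*Secret permission* plus both *Secret Management Operations and Privileged Management Operations*); name the specific secret operations the credential-sync extension actually needs so readers can apply least privilege on the vault, and align the terms with the labels Key Vault's access-policy blade actually shows. Minor: missing spaces in "Azure Migrate: Discovery and assessment> **Overview**" and "under the`identity` section", and step 5 links a GitHub release zip with no checksum or signature the reader can verify; pointing at the release page and its published hash would let readers validate what they run as administrator.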
migrate | Tutorial Assess Spring Boot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-spring-boot.md | + + Title: Tutorial to assess Spring Boot apps for migration to Azure Spring Apps +description: Learn how to create assessment for Azure Spring Apps in Azure Migrate +++ Last updated : 09/28/2023+++++# Tutorial: Assess Spring Boot apps for migration to Azure Spring Apps (preview) ++As part of your migration journey to Azure, you assess your on-premises workloads to measure cloud readiness, identify risks, and estimate costs and complexity. This article shows you how to assess discovered Spring Boot web apps in preparation for migration to Azure Spring Apps, using the Azure Migrate: Discovery and assessment tool. ++In this tutorial, you learn how to: ++> [!div class="checklist"] +> * Run an assessment based on web apps configuration data. +> * Review an assessment. ++> [!NOTE] +> Tutorials show the quickest path for trying out a scenario, and use default options where possible. ++## Prerequisites ++- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin. +- Before you follow this tutorial to assess your web apps for migration to Azure Spring Apps, make sure you've discovered the web apps you want to assess using the Azure Migrate appliance, [follow this tutorial](tutorial-discover-vmware.md) +- If you want to try out this feature in an existing project, ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article. ++## Run an assessment ++Run an assessment as follows: ++1. On the **Overview** page > **Servers, databases and web apps**, select **Discover, assess and migrate**. ++2. On **Azure Migrate: Discovery and assessment**, select **Assess** and choose the assessment type as **Web apps on Azure**. +3. 
In **Create assessment**, you will be able to see the assessment type pre-selected as **Web apps on Azure** and the discovery source defaulted to **Servers discovered from Azure Migrate appliance**. Select the **Scenario** as **Spring Boot to Azure Apps**. ++4. Select **Edit** to review the assessment properties. ++5. The following are included in Azure Spring Apps assessment properties: ++ **Property** | **Details** + | + **Target location** | The Azure region to which you want to migrate. Azure Spring Apps configuration and cost recommendations are based on the location that you specify. + **Environment type** | Specifies the environment to apply pricing applicable to Production or Dev/Test. + **Offer/Licensing program** | The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. The assessment estimates the cost for that offer. + **Currency** | The billing currency for your account. + **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. + **EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br/><br/> Leave the settings for reserved instances, and discount (%) properties with their default settings. + **Savings options (compute)** | Specify the savings option that you want the assessment to consider to help optimize your Azure compute cost. <br><br> [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (1 year or 3 years reserved) are a good option for the most consistently running resources.<br><br> [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (1 year or 3 years savings plan) provide more flexibility and automated cost optimization. 
Ideally post migration, you could use Azure reservation and savings plan at the same time (reservation is first), but in the Azure Migrate assessments, you can only see cost estimates of one savings option at a time. <br><br> When you select **None**, the Azure compute cost is based on the Pay as you go rate or based on actual usage.<br><br> You need to select pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than **None**, the **Discount (%)** setting isn't applicable. The monthly cost estimates are calculated by multiplying 744 hours with the hourly price of the recommended SKU. ++1. Select **Save** if you made any changes. +1. In **Create assessment**, select **Next**. +1. In **Select servers to assess** > **Assessment name**, specify a name for the assessment. +1. In **Select or create a group**, select **Create New** and specify a group name. +1. Select the appliance and select the servers that you want to add to the group. Select **Next**. +1. In **Review + create assessment**, review the assessment details, and select **Create Assessment** to create the group and run the assessment. +1. After the assessment is created, go to **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**. Refresh the tile data by selecting the **Refresh** option on top of the tile. Wait for the data to refresh. +1. Select the number next to **Web apps on Azure** in the **Assessment** section. ++1. Select the assessment name, which you wish to view. ++## Review an assessment ++**To view an assessment**: ++1. In **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**, select the number next to the Web apps on Azure assessment. +2. Select the assessment name, which you wish to view. ++ The Overview screen contains 3 sections: Essentials, Assessed entities, and Migration scenario. 
++ **Essentials** ++ The Essentials section displays the group the assessed entity belongs to, its status, the location, discovery source, and currency in US dollars. ++ **Assessed entities** ++ This section displays the number of servers selected for the assessments, number of Spring Boot runtimes in the selected servers, and the number of distinct Sprint Boot app instances that were assessed. ++ **Migration scenario** ++ This section provides a pictorial representation of the number of apps that are ready, ready with conditions, and not ready. In addition, it also lists the number of apps ready to migrate and the estimated cost for the migration. ++3. Review the assessment summary. You can also edit the assessment properties or recalculate the assessment. ++#### Azure Spring Apps readiness ++This indicates the distribution of the assessed web apps. You can drill down to understand the details around migration issues/warnings that you can remediate before migration. [Learn More](concepts-azure-webapps-assessment-calculation.md). ++### Review readiness ++1. In **Assessments**, select the name of the assessment that you want to view. ++1. Select Azure Spring Apps to view more details about each app and instances. Review the Azure Spring Apps readiness column in the table for the assessed web apps: + 1. If there are no compatibility issues found, the readiness is marked as **Ready** for the target deployment type. + 1. If there are non-critical compatibility issues, such as degraded or unsupported features that do not block the migration to a specific target deployment type, the readiness is marked as **Ready with conditions** (hyperlinked) with **warning** details and recommended remediation guidance. + 1. If there are any compatibility issues that may block the migration to a specific target deployment type, the readiness is marked as **Not ready** with **issue** details and recommended remediation guidance. + 1. 
If the discovery is still in progress or there are any discovery issues for a web app, the readiness is marked as **Unknown** as the assessment could not compute the readiness for that web app. +1. Review the recommended SKU for the web apps, which is determined as per the matrix below: ++ **Readiness** | **Determine size estimate** | **Determine cost estimates** + | | + Ready | Yes | Yes + Ready with conditions | Yes | Yes + Not ready | No | No + Unknown | No | No +++### Review cost estimates ++The assessment summary shows the estimated monthly costs for hosting you web apps. One or more apps can be configured to run on the same computing resources. ++## Next steps ++Find server dependencies using [dependency mapping](concepts-dependency-visualization.md). |
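Review bot: the Scenario value in step 3, **Spring Boot to Azure Apps**, looks like a truncated product name (the rest of the article says Azure Spring Apps); confirm the exact portal label. Other defects in this hunk: "Sprint Boot app instances" under **Assessed entities** is a typo; "hosting you web apps" under Review cost estimates should be "your"; the readiness [Learn More] link goes to concepts-azure-webapps-assessment-calculation.md (App Service) while the how-to in the same change set links concepts-azure-spring-apps-assessment-calculation.md; "#### Azure Spring Apps readiness" skips from ## straight to ####; the prerequisite bullet ending "[follow this tutorial](tutorial-discover-vmware.md)" has no terminating punctuation; and the separator rows of both tables (`|` and `| |`) don't match their column counts.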
migrate | Tutorial Discover Spring Boot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-spring-boot.md | + + Title: Discover Spring Boot applications running in your datacenter with Azure Migrate Discovery and assessment +description: Learn how to Discover Spring Boot applications running in your datacenter by using the Azure Migrate Discovery and assessment tool. +++ms. + Last updated : 09/28/2023++++# Tutorial: Discover Spring Boot applications running in your datacenter (preview) ++This article describes how to discover Spring Boot applications running on servers in your datacenter, using Azure Migrate: Discovery and assessment tool. The discovery process is completely agentless; no agents are installed on the target servers. ++In this tutorial, you learn how to: +- Set up Kubernetes based appliance for discovery of Spring Boot applications +- Configure the appliance and initiate continuous discovery ++> [!Note] +> - A Kubernetes-based appliance is required to discover Spring Boot applications. [Learn more](migrate-appliance.md) about scenarios covered by a Windows-based appliance. +> - Tutorials show you the quickest path for trying out a scenario. They use default options where possible. ++If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin. 
++## Prerequisites ++- Before you follow this tutorial to discover Spring Boot applications, make sure you've performed server discovery using the Azure Migrate appliance using the following tutorials: + - [Discover servers running in a VMware environment](tutorial-discover-vmware.md) + - [Discover servers running in Hyper-V environment](tutorial-discover-hyper-v.md) + - [Discover physical servers](tutorial-discover-physical.md) + - [Discover AWS instances](tutorial-discover-aws.md) + - [Discover GCP instances](tutorial-discover-gcp.md) +- Ensure that you have performed software inventory by providing the server credentials on the appliance configuration manager. [Learn more](how-to-discover-applications.md). +++## Set up Kubernetes-based appliance ++After you have performed server discovery and software inventory using the Azure Migrate appliance, you can enable discovery of Spring Boot applications by setting up a Kubernetes appliance as follows: ++### Onboard Kubernetes-based appliance ++1. Go to the [Azure portal](https://aka.ms/migrate/springboot). Sign in with your Azure account and search for Azure Migrate. +2. On the **Overview** page > **Servers, databases and web apps**, select **Discover, assess and migrate**. +1. Select the project where you have set up the Azure Migrate appliance as part of prerequisites above. +1. You would see a message above Azure Migrate: Discovery and assessment tile to onboard a Kubernetes-based appliance to enable discovery of Spring Boot applications. +5. You can proceed by selecting the link on the message, which will help you get started with onboarding Kubernetes-based appliance. +6. In Step 1: Set up an appliance, select **Bring your own Kubernetes cluster** - You must bring your own Kubernetes cluster running on-premises, connect it to Azure Arc and use the installer script to set up the appliance. 
++**Support** | **Details** +- | - +**Validated Kubernetes distros** | See [Azure Arc-enabled Kubernetes validation](https://learn.microsoft.com/azure/azure-arc/kubernetes/validation-program). +**Hardware configuration required** | 6 GB RAM, with 30GB storage, 4 Core CPU +**Network Requirements** | Access to the following endpoints: <br/><br/> - api.snapcraft.io <br/><br/> - https://dc.services.visualstudio.com/v2/track <br/><br/> - [Azure Arc-enabled Kubernetes network requirements](https://learn.microsoft.com/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud) <br/><br/> - [Azure CLI endpoints for proxy bypass](https://learn.microsoft.com/cli/azure/azure-cli-endpoints?tabs=azure-cloud) ++#### Bring your own Kubernetes cluster (alternate option) ++1. In **Step 2: Choose connected cluster**, you need to select an existing Azure Arc connected cluster from your subscription. If you do not have an existing connected cluster, you can Arc enable a Kubernetes cluster running on-premises by following the steps [here](https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli). ++ > [!Note] + > You can only select an existing connected cluster, deployed in the same region as that of your Azure Migrate project ++2. In Step 3: Provide appliance details for Azure Migrate, the appliance name is pre-populated, but you can choose to provide your own friendly name to the appliance. ++3. You can select a key vault from the drop-down or **Create new** key vault. This key vault is used to process the credentials provided in the project to start discovery of Spring Boot applications. ++ > [!Note] + > The Key Vault can be chosen or created in the same subscription and region as that of the Azure Migrate project. When creating/selecting a key vault, make sure that purge protection is disabled else there be will issues in processing of credentials through the key vault. ++4. 
After providing the appliance name and key vault, select **Generate script** to generate an installer script that you can copy and paste on a Linux server on-premises. Before executing the script, ensure that you meet the following prerequisites on the Linux server: ++ **Support** | **Details** + - | - + **Supported Linux OS** | Ubuntu 20.04, RHEL 9 + **Hardware configuration required** | 6 GB RAM, with 30GB storage, 4 Core CPU + **Network Requirements** | Access to the following endpoints: <br/><br/> https://dc.services.visualstudio.com/v2/track <br/><br/> [Azure CLI endpoints for proxy bypass](https://learn.microsoft.com/cli/azure/azure-cli-endpoints?tabs=azure-cloud) ++5. After copying the script, go to your Linux server, save the script as *Deploy.sh* on the server. ++#### Execute the installer script ++After you have saved the script on the Linux server, follow these steps: ++> [!Note] +> - If you have chosen to deploy a packaged Kubernetes cluster and are running the installation script on any other Linux OS except Ubuntu, ensure to install the snap module by following the instructions [here](https://snapcraft.io/docs/installing-snap-on-red-hat), before executing the script. +> - Also, ensure that you have curl installed on the server. For Ubuntu, you can install it using the command `sudo apt-get install curl`, and for other OS (RHEL/Centos), you can use the `yum install curl` command. +++1. Open the terminal on the server and execute the following command to execute the script as a root user: +`sudo su -` +2. Change directory to where you have saved the script and execute the script using the `bash deploy.sh` command. +3. Follow the instructions in the script and sign in with your Azure user account when prompted. +4. The script performs the following steps: + 1. Installing required CLI extensions. + 2. Registering Azure Resource Providers. + 3. Checking for prerequisites like connectivity to required endpoints. + 4. Setting up MicroK8s Kubernetes cluster. 
+ 5. Installing the required operators on the cluster. + 6. Creating the required Migrate resources. ++After the script is executed successfully, configure the appliance through the portal. ++> [!Note] +> If you encounter any issue during script execution, you need to run the script in *delete* mode by adding the following after line #19 in the `deploy.sh` script: +> +> export DELETE= ΓÇ£trueΓÇ¥ ++The *delete* mode helps to clean up any existing components installed on the server so that you can do a fresh installation. After running the script in *delete* mode, remove the line from the script and execute it again in the default mode. ++## Configure Kubernetes-based appliance ++After successfully setting up the appliance using the installer script, you need to configure the appliance by following these steps: +1. Go to the Azure Migrate project where you started onboarding the Kubernetes-based appliance. +2. On the **Azure Migrate: Discovery and assessment** tile, select the appliance count for **Pending action** under appliances summary. +3. In **Overview** > **Manage** > **Appliances**, a filtered list of appliances appears with actions pending. +4. Find the Kubernetes-based appliance that you have just set up and select **Credentials unavailable** status to configure the appliance. +5. In the **Manage credentials** page, add the credentials to initiate discovery of the Spring Boot applications running on your servers. +6. Select **Add credentials**, choose a credential type from Linux (non-domain) or Domain credentials, provide a friendly name, username, and password. Select **Save**. ++ >[!Note] + > - The credentials added on the portal are processed via the Azure Key Vault chosen in the initial steps of onboarding the Kubernetes-based appliance. The credentials are then synced (saved in an encrypted format) to the Kubernetes cluster on the appliance and removed from the Azure Key Vault. 
+ > - After the credentials have been successfully synced, they would be used for discovery of the specific workload in the next discovery cycle. ++7. After adding a credential, you need to refresh the page to see the **Sync status** of the credential. If status is **Incomplete**, you can select the status to review the error encountered and take the recommended action. +After the credentials have been successfully synced, wait for 24 hours before you can review the discovered inventory by filtering for the specific workload in the **Discovered servers** page. ++> [!Note] +> You can add/update credentials any time by navigating to **Azure Migrate: Discovery and assessment** > **Overview** > **Manage** > **Appliances** page, selecting **Manage credentials** from the options available in the Kubernetes-based appliance. ++## Next steps +- [Assess Spring Boot](tutorial-assess-spring-boot.md) apps for migration. +- [Review the data](discovered-metadata.md#collected-data-for-physical-servers) that the appliance collects during discovery. |
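Review bot: the Key Vault note under step 3 of "Bring your own Kubernetes cluster (alternate option)" tells readers to disable purge protection ("make sure that purge protection is disabled else there be will issues") without explaining the trade-off. Purge protection is the safeguard against permanent deletion of vault contents and is commonly enforced by subscription policy, so the doc should say why the credential-sync flow requires it off (the later note says the credentials are removed from the vault after sync, which is presumably the reason) and whether soft-delete is affected, and fix the grammar. In the same region, step 6 says you **must** bring your own cluster, yet the next heading labels that path "(alternate option)" and the note under "Execute the installer script" refers to a "packaged Kubernetes cluster" choice that the steps never describe; reconcile the two paths. The hardware row "6 GB RAM, with 30GB storage, 4 Core CPU" also appears twice with inconsistent unit spacing.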
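Review bot: the cleanup instruction after the script steps, `export DELETE= “true”` (rendered here with mojibake quotes), is not valid shell: the typographic quotes and the space after `=` make bash treat `DELETE=` and the quoted word as two separate `export` arguments, so DELETE ends up empty instead of `true`; it should read `export DELETE="true"`. Anchoring the edit to "after line #19" is also fragile across script versions; refer to the variable being set instead. Earlier in the same section, step 5 saves the file as *Deploy.sh* but step 2 runs `bash deploy.sh`; on a case-sensitive Linux filesystem those are different files. The curl install commands are asymmetric too (`sudo apt-get install curl` versus `yum install curl` with no sudo) even though both run before the `sudo su -` step.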
migrate | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/whats-new.md | +## Update (September 2023) +- Azure Migrate now supports discovery and assessment of Spring Boot apps using the Azure Migrate: Discovery and assessment tool. [Learn more](how-to-create-azure-spring-apps-assessment.md). + ## Update (August 2023) - Azure Migrate now helps you gain deeper insights into the support posture of your IT estate by providing insights into Windows server and SQL Server license support information. You can stay ahead of license support deadlines with *Support ends in* information that helps to understand the time left until the end of support for respective servers and databases. - Azure Migrate also provides clear guidance regarding actionable steps that can be taken to secure servers and databases in extended support or out of support. |
mysql | Concepts Limitations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-limitations.md | For more details on GIPK and its use cases with [Data-in-Replication](./concepts mysql> SET sql_generate_invisible_primary_key=OFF; ``` +### lower_case_table_names ++For MySQL version 5.7, default value is 1 in Azure Database for MySQL - Flexible Server. It is important to note that while it is possible to change the supported value to 2, reverting from 2 back to 1 is not permitted is not allowed. Please contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value. +For [MySQl version 8.0+](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html) lower_case_table_names can only be configured when initializing the server. [Learn more](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html). Changing the lower_case_table_names setting after the server is initialized is prohibited. For MySQL version 8.0, default value is 1 in Azure Database for MySQL - Flexible Server. Supported value for MySQL version 8.0 are 1 and 2 Azure Database for MySQL - Flexible Server. Please contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value during server creation. ## Storage engines |
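Review bot: The new `lower_case_table_names` section has a duplicated phrase, "is not permitted is not allowed", and "MySQl" should be "MySQL". The 5.7 paragraph is also contradictory: it first says the value can be changed to 2, then says to contact the support team to change it; state plainly whether the change from 1 to 2 is self-service or support-only, and that it is one-way. The same text is added to concepts-server-parameters.md in the next row, so fix both copies or move it to a shared include.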
mysql | Concepts Server Parameters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-server-parameters.md | Refer to the following sections to learn more about the limits of the several co >* If you modify a static server parameter using the portal, you need to restart the server for the changes to take effect. In case you are using automation scripts (using tools like ARM templates , Terraform, Azure CLI etc) then your script should have a provision to restart the service for the settings to take effect even if you are changing the configurations as a part of create experience. >* If you want to modify a non-modifiable server parameter for your environment, please open a [UserVoice](https://feedback.azure.com/d365community/forum/47b1e71d-ee24-ec11-b6e6-000d3a4f0da0) item or vote if the feedback already exist which can help us prioritize. ++### lower_case_table_names ++For MySQL version 5.7, default value is 1 in Azure Database for MySQL - Flexible Server. It is important to note that while it is possible to change the supported value to 2, reverting from 2 back to 1 is not permitted is not allowed. Please contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value. +For [MySQl version 8.0+](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html) lower_case_table_names can only be configured when initializing the server. [Learn more](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html). Changing the lower_case_table_names setting after the server is initialized is prohibited. For MySQL version 8.0, default value is 1 in Azure Database for MySQL - Flexible Server. Supported value for MySQL version 8.0 are 1 and 2 Azure Database for MySQL - Flexible Server. Please contact our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance in changing the default value during server creation. 
++ ### log_bin_trust_function_creators In Azure Database for MySQL - Flexible Server, binary logs are always enabled (that is, `log_bin` is set to ON). log_bin_trust_function_creators is set to ON by default in flexible servers. |
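Review bot: This hunk adds the same `lower_case_table_names` text as the concepts-limitations.md change above, with the same defects: "is not permitted is not allowed" is duplicated, "MySQl" is miscased, and the 5.7 paragraph leaves it unclear whether changing from 1 to 2 is self-service or requires a support ticket. Two hand-maintained copies will drift; a single include is the safer choice.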
mysql | How To Restart Server Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/how-to-restart-server-portal.md | The time required to complete a restart depends on the MySQL recovery process. T To complete this how-to guide, you need: - An [Azure Database for MySQL - Flexible Server](quickstart-create-server-portal.md) ->[!Note] ->If the user restarting the server is part of [custom role](../../role-based-access-control/custom-roles.md) the user should have write privilege on the server. ## Perform server restart |
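Review bot: Removing the note about custom roles drops the only statement in the prerequisites of the authorization needed to restart a server. If the note was inaccurate, replace it with the correct requirement (the RBAC action a custom role must include for the restart operation) rather than deleting it; readers building least-privilege operator roles need that information here.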
mysql | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/whats-new.md | This article summarizes new releases and features in Azure Database for MySQL - > This article references the term slave, which Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article. +## October 2023 ++- **Metrics computation for Azure Database for MySQL - Flexible Server** +"Host Memory Percent" metric will provide more accurate calculations of memory usage. It will now reflect the actual memory consumed by the server, excluding re-usable memory from the calculation. This improvement ensures that you have a more precise understanding of your server's memory utilization. After the completion of the [scheduled maintenance window](./concepts-maintenance.md), existing servers will benefit from this enhancement. + ## September 2023 - **Flexible Maintenance for Azure Database for MySQL - Flexible server(Public Preview)** |
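Review bot: The October 2023 entry says the Host Memory Percent metric now excludes "re-usable memory" without saying which memory categories that covers, so readers cannot interpret the change in the reported value. Because the value changes for existing servers after the maintenance window, the entry should also tell readers that alert thresholds on this metric may need to be revisited. "will provide" and "will now reflect" should be present tense to match the other entries in this article.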
mysql | Azure Pipelines Mysql Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/azure-pipelines-mysql-deploy.md | Title: Azure Pipelines task for Azure Database for MySQL single server -description: Enable Azure Database for MySQL Flexible Server CLI task for using with Azure Pipelines +description: Enable Azure Database for MySQL Single Server CLI task for using with Azure Pipelines -# Azure Pipelines for Azure Database for MySQL single server +# Azure Pipelines for Azure Database for MySQL - Single Server + Get started with Azure Database for MySQL by deploying a database update with Azure Pipelines. Azure Pipelines lets you build, test, and deploy with continuous integration (CI) and continuous delivery (CD) using [Azure DevOps](/azure/devops/). |
mysql | Concepts Connection Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/concepts-connection-libraries.md | Last updated 06/20/2022 [!INCLUDE[azure-database-for-mysql-single-server-deprecation](../includes/azure-database-for-mysql-single-server-deprecation.md)] + This article lists each library or driver that client programs can use when connecting to Azure Database for MySQL. ## Client interfaces |
mysql | Videos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/videos.md | - Title: Azure Database for MySQL Videos -description: This page lists video content relevant for learning Azure Database for MySQL, MicrosoftΓÇÖs managed MySQL offering in Azure. ----- Previously updated : 02/28/2018--# Azure Database for MySQL videos ---This page provides video content for learning about Azure Database for MySQL. --## Overview: Azure Database for PostgreSQL and MySQL -->[!VIDEO https://learn.microsoft.com/Events/Connect/2017/T147/player] -[Open in Channel 9](/Events/Connect/2017/T147) --Azure Database for PostgreSQL and Azure Database for MySQL bring together community edition database engines and capabilities of a fully managed serviceΓÇöso you can focus on your apps instead of having to manage a database. Tune in to get a quick overview of the advantages of using the service, and see some of the capabilities in action. --## Create a PostgreSQL or MySQL server -Azure Database for PostgreSQL and Azure Database for MySQL are managed services that you use to run, manage, and scale highly available community edition database engines in the cloud. These video tutorials show you how to create a PostgreSQL or MySQL server in about three minutes using the Azure portal. If you don't have an Azure subscription, [create a free Azure account](https://azure.microsoft.com/free/) before you begin. 
--* [PostgreSQL video tutorial](https://azure.microsoft.com/resources/videos/create-an-azure-database-for-postgresql-server-in-the-azure-portal) --* [MySQL video tutorial](https://azure.microsoft.com/resources/videos/create-an-azure-database-for-mysql-server-by-using-the-azure-portal) --## Deep dive on managed service capabilities for MySQL and PostgreSQL -->[!VIDEO https://learn.microsoft.com/Events/Connect/2017/T148/player] -[Open in Channel 9](/Events/Connect/2017/T148) --Azure Database for PostgreSQL and Azure Database for MySQL bring together community edition database engines and the capabilities of a fully managed service. Tune in to get a deep dive on how these services workΓÇöhow we ensure high availability and fast scaling (within seconds), so you can meet your customersΓÇÖ needs. You'll also learn about some of the underlying investments in security and worldwide availability. --## How to get started with the new Azure Database for MySQL service --In this video from the May 2017 Microsoft //Build conference, learn about MicrosoftΓÇÖs managed MySQL offering in Azure. The video walks through MicrosoftΓÇÖs strategy for supporting Open-Source database systems in Azure. The video discusses what it means to you as a developer to develop or deploy applications that use MySQL in Azure. This video shows an overview of the architecture of the service, and demonstrates Azure Database for MySQL is integrated with other Azure Services such as Web Apps. |
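Review bot: This change deletes videos.md outright. The page dates from 2018 and has inbound links, so the PR should add a redirect entry for the removed URL in the repo's redirection file so /azure/mysql/videos does not 404, and any TOC entry pointing to it should be removed in the same change.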
openshift | Built In Container Registry | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/built-in-container-registry.md | In this article, you'll configure the built-in container image registry for an A ## Before you begin -This article assumes you have an existing ARO cluster (see [Create an Azure Red Hat OpenShift 4 cluster](./tutorial-create-cluster.md)). If you would like to configure Azure AD integration, make sure to create the cluster with the `--pull-secret` argument to `az aro create`. +This article assumes you have an existing ARO cluster (see [Create an Azure Red Hat OpenShift 4 cluster](./tutorial-create-cluster.md)). If you would like to configure Microsoft Entra integration, make sure to create the cluster with the `--pull-secret` argument to `az aro create`. > [!NOTE]-> [Configuring Azure AD Authentication](./configure-azure-ad-ui.md#configure-openshift-openid-authentication) for your cluster is the easiest way to interact with the internal registry from outside the cluster. +> [Configuring Microsoft Entra authentication](./configure-azure-ad-ui.md#configure-openshift-openid-authentication) for your cluster is the easiest way to interact with the internal registry from outside the cluster. Once you have your cluster, [connect to the cluster](./tutorial-connect-cluster.md) by authenticating as the `kubeadmin` user. ## Configure authentication to the registry -For any identity (a cluster user, Azure AD user, or ServiceAccount) to access the internal registry, it must be granted permissions inside the cluster: +For any identity (a cluster user, Microsoft Entra user, or ServiceAccount) to access the internal registry, it must be granted permissions inside the cluster: As `kubeadmin`, execute the following commands: ```bash As `kubeadmin`, execute the following commands: ``` > [!Note]-> For cluster users and Azure AD users - this will be the same name you use to authenticate into the cluster. 
For OpenShift ServiceAccounts, format the name as `system:serviceaccount:<project>:<name>` +> For cluster users and Microsoft Entra users - this will be the same name you use to authenticate into the cluster. For OpenShift ServiceAccounts, format the name as `system:serviceaccount:<project>:<name>` ## Access the registry |
openshift | Configure Azure Ad Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/configure-azure-ad-cli.md | Title: Azure Red Hat OpenShift running OpenShift 4 - Configure Azure Active Directory authentication using the command line -description: Learn how to configure Azure Active Directory authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 using the command line + Title: Azure Red Hat OpenShift running OpenShift 4 - Configure Microsoft Entra authentication using the command line +description: Learn how to configure Microsoft Entra authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 using the command line Last updated 03/12/2020-#Customer intent: As an operator, I need to configure Azure Active Directory authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 +#Customer intent: As an operator, I need to configure Microsoft Entra authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 -# Configure Azure Active Directory authentication for an Azure Red Hat OpenShift 4 cluster (CLI) +# Configure Microsoft Entra authentication for an Azure Red Hat OpenShift 4 cluster (CLI) If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.30.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). -Retrieve your cluster-specific URLs that are going to be used to configure the Azure Active Directory application. +Retrieve your cluster-specific URLs that are going to be used to configure the Microsoft Entra application. Set the variables for resource group and cluster name. The format of the oauthCallbackURL is slightly different with custom domains: > [!NOTE] > The `AAD` section in the OAuth callback URL should match the OAuth identity provider name you'll setup later. 
-## Create an Azure Active Directory application for authentication +<a name='create-an-azure-active-directory-application-for-authentication'></a> ++## Create a Microsoft Entra application for authentication Replace **\<client_secret>** with a secure password for the application. Replace **\<client_secret>** with a secure password for the application. client_secret=<client_secret> ``` -Create an Azure Active Directory application and retrieve the created application identifier. +Create a Microsoft Entra application and retrieve the created application identifier. ```azurecli-interactive app_id=$(az ad app create \ tenant_id=$(az account show --query tenantId -o tsv) ## Create a manifest file to define the optional claims to include in the ID Token -Application developers can use [optional claims](../active-directory/develop/active-directory-optional-claims.md) in their Azure AD applications to specify which claims they want in tokens sent to their application. +Application developers can use [optional claims](../active-directory/develop/active-directory-optional-claims.md) in their Microsoft Entra applications to specify which claims they want in tokens sent to their application. You can use optional claims to: - Select additional claims to include in tokens for your application.-- Change the behavior of certain claims that Azure AD returns in tokens.+- Change the behavior of certain claims that Microsoft Entra ID returns in tokens. - Add and access custom claims for your application. -We'll configure OpenShift to use the `email` claim and fall back to `upn` to set the Preferred Username by adding the `upn` as part of the ID token returned by Azure Active Directory. +We'll configure OpenShift to use the `email` claim and fall back to `upn` to set the Preferred Username by adding the `upn` as part of the ID token returned by Microsoft Entra ID. -Create a **manifest.json** file to configure the Azure Active Directory application. 
+Create a **manifest.json** file to configure the Microsoft Entra application. ```bash cat > manifest.json<< EOF cat > manifest.json<< EOF EOF ``` -## Update the Azure Active Directory application's optionalClaims with a manifest +<a name='update-the-azure-active-directory-applications-optionalclaims-with-a-manifest'></a> ++## Update the Microsoft Entra application's optionalClaims with a manifest ```azurecli-interactive az ad app update \ az ad app update \ --id $app_id ``` -## Update the Azure Active Directory application scope permissions +<a name='update-the-azure-active-directory-application-scope-permissions'></a> -To be able to read the user information from Azure Active Directory, we need to define the proper scopes. +## Update the Microsoft Entra application scope permissions ++To be able to read the user information from Microsoft Entra ID, we need to define the proper scopes. Add permission for the **Azure Active Directory Graph.User.Read** scope to enable sign in and read user profile. az ad app permission add \ ``` > [!NOTE]-> You can safely ignore the message to grant the consent unless you are authenticated as a Global Administrator for this Azure Active Directory. Standard domain users will be asked to grant consent when they first login to the cluster using their AAD credentials. +> You can safely ignore the message to grant the consent unless you are authenticated as a Global Administrator for this Microsoft Entra ID. Standard domain users will be asked to grant consent when they first login to the cluster using their Microsoft Entra credentials. ## Assign users and groups to the cluster (optional) -Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully. Azure AD allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant. 
+Applications registered in a Microsoft Entra tenant are, by default, available to all users of the tenant who authenticate successfully. Microsoft Entra ID allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant. -Follow the instructions on the Azure Active Directory documentation to [assign users and groups to the app](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md). +Follow the instructions on the Microsoft Entra documentation to [assign users and groups to the app](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md). ## Configure OpenShift OpenID authentication Log in to the OpenShift cluster's API server using the following command. oc login $apiServer -u kubeadmin -p $kubeadmin_password ``` -Create an OpenShift secret to store the Azure Active Directory application secret. +Create an OpenShift secret to store the Microsoft Entra application secret. ```azurecli-interactive oc create secret generic openid-client-secret-azuread \ oc create secret generic openid-client-secret-azuread \ --from-literal=clientSecret=$client_secret ``` -Create a **oidc.yaml** file to configure OpenShift OpenID authentication against Azure Active Directory. +Create a **oidc.yaml** file to configure OpenShift OpenID authentication against Microsoft Entra ID. ```bash cat > oidc.yaml<< EOF You will get back a response similar to the following. oauth.config.openshift.io/cluster configured ``` -## Verify login through Azure Active Directory +<a name='verify-login-through-azure-active-directory'></a> ++## Verify login through Microsoft Entra ID -If you now logout of the OpenShift Web Console and try to log in again, you'll be presented with a new option to log in with **AAD**. You may need to wait for a few minutes. +If you now logout of the OpenShift Web Console and try to log in again, you'll be presented with a new option to log in with **Microsoft Entra ID**. 
You may need to wait for a few minutes. -![Log in screen with Azure Active Directory option](media/aro4-login-2.png) +![Log in screen with Microsoft Entra option](media/aro4-login-2.png) |
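Review bot: The verification step now tells readers the login option is labelled **Microsoft Entra ID**, but that label is the identity provider `name` from oidc.yaml, which this hunk does not change, and the earlier NOTE still says the `AAD` segment of the callback URL must match that name. As written the button would still read AAD; either leave the verification text as AAD or rename the provider consistently, remembering that the name is also the last path segment of the redirect URI registered on the app. Separately, the permission step still grants **Azure Active Directory Graph.User.Read**; Azure AD Graph is retired, so this rename pass is the right moment to move the scope to Microsoft Graph `User.Read`.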
openshift | Configure Azure Ad Ui | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/configure-azure-ad-ui.md | Title: Azure Red Hat OpenShift running OpenShift 4 - Configure Azure Active Directory authentication using the Azure portal and the OpenShift web console -description: Learn how to configure Azure Active Directory authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 using the Azure portal and the OpenShift web console + Title: Azure Red Hat OpenShift running OpenShift 4 - Configure Microsoft Entra authentication using the Azure portal and the OpenShift web console +description: Learn how to configure Microsoft Entra authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 using the Azure portal and the OpenShift web console Last updated 03/12/2020-# Customer intent: As an operator, I need to configure Azure Active Directory authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 +# Customer intent: As an operator, I need to configure Microsoft Entra authentication for an Azure Red Hat OpenShift cluster running OpenShift 4 -# Configure Azure Active Directory authentication for an Azure Red Hat OpenShift 4 cluster (Portal) +# Configure Microsoft Entra authentication for an Azure Red Hat OpenShift 4 cluster (Portal) If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.6.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). 
location=$(az aro show -g aro-rg -n aro-cluster --query location -o tsv) echo "OAuth callback URL: https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/AAD" ``` -## Create an Azure Active Directory application for authentication +<a name='create-an-azure-active-directory-application-for-authentication'></a> ++## Create a Microsoft Entra application for authentication Login to the Azure portal, and navigate to [App registrations blade](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade), then click on **New registration** to create a new application. Navigate to the **Overview** and make note of the **Application (client) ID** an ## Configure optional claims -Application developers can use [optional claims](../active-directory/develop/active-directory-optional-claims.md) in their Azure AD applications to specify which claims they want in tokens sent to their application. +Application developers can use [optional claims](../active-directory/develop/active-directory-optional-claims.md) in their Microsoft Entra applications to specify which claims they want in tokens sent to their application. You can use optional claims to: * Select additional claims to include in tokens for your application.-* Change the behavior of certain claims that Azure AD returns in tokens. +* Change the behavior of certain claims that Microsoft Entra ID returns in tokens. * Add and access custom claims for your application. -We'll configure OpenShift to use the `email` claim and fall back to `upn` to set the Preferred Username by adding the `upn` as part of the ID token returned by Azure Active Directory. +We'll configure OpenShift to use the `email` claim and fall back to `upn` to set the Preferred Username by adding the `upn` as part of the ID token returned by Microsoft Entra ID. Navigate to **Token configuration** and click on **Add optional claim**. Select **ID** then check the **email** and **upn** claims. 
Navigate to **Token configuration** and click on **Add optional claim**. Select ## Assign users and groups to the cluster (optional) -Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully. Azure AD allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant. +Applications registered in a Microsoft Entra tenant are, by default, available to all users of the tenant who authenticate successfully. Microsoft Entra ID allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant. -Follow the instructions on the Azure Active Directory documentation to [assign users and groups to the app](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md). +Follow the instructions on the Microsoft Entra documentation to [assign users and groups to the app](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md). ## Configure OpenShift OpenID authentication Navigate to **Administration**, click on **Cluster Settings**, then select the * Scroll down to select **Add** under **Identity Providers** and select **OpenID Connect**. ![Select OpenID Connect from the Identity Providers dropdown](media/aro4-oauth-idpdrop.png) -Fill in the name as **AAD**, the **Client ID** as the **Application ID** and the **Client Secret**. The **Issuer URL** is formatted as such: `https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0`. Replace the placeholder with the Tenant ID you retrieved earlier. +Fill in the name as **Microsoft Entra ID**, the **Client ID** as the **Application ID** and the **Client Secret**. The **Issuer URL** is formatted as such: `https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0`. Replace the placeholder with the Tenant ID you retrieved earlier. 
![Fill in OAuth details](media/aro4-oauth-idp-1.png) Scroll down to the **Claims** section and update the **Preferred Username** to u ![Fill in claims details](media/aro4-oauth-idp-2.png) -## Verify login through Azure Active Directory +<a name='verify-login-through-azure-active-directory'></a> ++## Verify login through Microsoft Entra ID -If you now logout of the OpenShift Web Console and try to login again, you'll be presented with a new option to login with **AAD**. You may need to wait for a few minutes. +If you now logout of the OpenShift Web Console and try to login again, you'll be presented with a new option to login with **Microsoft Entra ID**. You may need to wait for a few minutes. -![Login screen with Azure Active Directory option](media/aro4-login-2.png) +![Login screen with Microsoft Entra option](media/aro4-login-2.png) |
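Review bot: Renaming the identity provider to **Microsoft Entra ID** in the OpenShift OAuth configuration breaks the earlier step, which still computes and registers the redirect URI `https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/AAD`. The callback path is derived from the provider name, so the URI on the app registration would no longer match and Entra would reject sign-in as a redirect URI mismatch. Keep the provider name `AAD`, or choose one URL-safe token without spaces and use it in both the callback URL and the identity provider name.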
openshift | Howto Create Private Cluster 4X | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/howto-create-private-cluster-4x.md | In this article, an Azure Red Hat OpenShift cluster running OpenShift 4 was depl > * Deploy a cluster > * Connect to the cluster using the `kubeadmin` user -Advance to the next article to learn how to configure the cluster for authentication using Azure Active Directory. +Advance to the next article to learn how to configure the cluster for authentication using Microsoft Entra ID. -* [Configure authentication with Azure Active Directory using the command line](configure-azure-ad-cli.md) +* [Configure authentication with Microsoft Entra ID using the command line](configure-azure-ad-cli.md) -* [Configure authentication with Azure Active Directory using the Azure portal and OpenShift web console](configure-azure-ad-cli.md) +* [Configure authentication with Microsoft Entra ID using the Azure portal and OpenShift web console](configure-azure-ad-cli.md) |
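Review bot: Both bullets link to configure-azure-ad-cli.md; the second one, "using the Azure portal and OpenShift web console", should point to configure-azure-ad-ui.md. The rename carried the wrong link target over unchanged.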
openshift | Howto Create Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/howto-create-service-principal.md | zone_pivot_groups: azure-red-hat-openshift-service-principal # Create and use a service principal to deploy an Azure Red Hat OpenShift cluster -To interact with Azure APIs, an Azure Red Hat OpenShift cluster requires an Azure Active Directory (AD) service principal. This service principal is used to dynamically create, manage, or access other Azure resources, such as an Azure load balancer or an Azure Container Registry (ACR). For more information, see [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md). +To interact with Azure APIs, an Azure Red Hat OpenShift cluster requires a Microsoft Entra service principal. This service principal is used to dynamically create, manage, or access other Azure resources, such as an Azure load balancer or an Azure Container Registry (ACR). For more information, see [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md). This article explains how to create and use a service principal to deploy your Azure Red Hat OpenShift clusters using the Azure command-line interface (Azure CLI) or the Azure portal. The output is similar to the following example: > [!IMPORTANT] > This service principal only allows a contributor over the resource group the Azure Red Hat OpenShift cluster is located in. If your VNet is in another resource group, you need to assign the service principal contributor role to that resource group as well. You also need to create your Azure Red Hat OpenShift cluster in the resource group you created above. 
-To grant permissions to an existing service principal with the Azure portal, see [Create an Azure AD app and service principal in the portal](../active-directory/develop/howto-create-service-principal-portal.md#configure-access-policies-on-resources). +To grant permissions to an existing service principal with the Azure portal, see [Create a Microsoft Entra app and service principal in the portal](../active-directory/develop/howto-create-service-principal-portal.md#configure-access-policies-on-resources). ::: zone-end To grant permissions to an existing service principal with the Azure portal, see ## Create a service principal with the Azure portal -To create a service principal for your Azure Red Hat OpenShift cluster via the Azure portal, see [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). **Be sure to save the Application (client) ID and the secret.** +To create a service principal for your Azure Red Hat OpenShift cluster via the Azure portal, see [Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). **Be sure to save the Application (client) ID and the secret.** |
openshift | Howto Deploy Java Jboss Enterprise Application Platform App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/howto-deploy-java-jboss-enterprise-application-platform-app.md | Use the following steps to get the pull secret. 1. Save the secret to a file so you can use it later. -## Create an Azure Active Directory service principal from the Azure portal +<a name='create-an-azure-active-directory-service-principal-from-the-azure-portal'></a> -The Azure Marketplace offer used in this article requires an Azure Active Directory (Azure AD) service principal to deploy your Azure Red Hat OpenShift cluster. The offer assigns the service principal with proper privileges during deployment time, with no role assignment needed. If you have a service principal ready to use, skip this section and move on to the next section, where you create a Red Hat Container Registry service account. +## Create a Microsoft Entra service principal from the Azure portal ++The Azure Marketplace offer used in this article requires a Microsoft Entra service principal to deploy your Azure Red Hat OpenShift cluster. The offer assigns the service principal with proper privileges during deployment time, with no role assignment needed. If you have a service principal ready to use, skip this section and move on to the next section, where you create a Red Hat Container Registry service account. Use the following steps to deploy a service principal and get its Application (client) ID and secret from the Azure portal. For more information, see [Create and use a service principal to deploy an Azure Red Hat OpenShift cluster](/azure/openshift/howto-create-service-principal?pivots=aro-azureportal). > [!NOTE]-> You must have sufficient permissions to register an application with your Azure AD tenant. If you run into a problem, check the required permissions to make sure your account can create the identity. 
For more information, see the [Permissions required for registering an app](/azure/active-directory/develop/howto-create-service-principal-portal#permissions-required-for-registering-an-app) section of [Use the portal to create an Azure AD application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal). +> You must have sufficient permissions to register an application with your Microsoft Entra tenant. If you run into a problem, check the required permissions to make sure your account can create the identity. For more information, see the [Permissions required for registering an app](/azure/active-directory/develop/howto-create-service-principal-portal#permissions-required-for-registering-an-app) section of [Use the portal to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal). 1. Sign in to your Azure account through the [Azure portal](https://portal.azure.com/).-1. Select **Azure Active Directory**. +1. Select **Microsoft Entra ID**. 1. Select **App registrations**. 1. Select **New registration**. 1. Name the application - for example, `jboss-eap-on-aro-app`. Select a supported account type, which determines who can use the application. After setting the values, select **Register**, as shown in the following screenshot. It takes several seconds to provision the application. Wait for the deployment to complete before proceeding. Use the following steps to deploy a service principal and get its Application (c 1. Provide a description of the secret and a duration. When you're done, select **Add**. 1. After the client secret is added, the value of the client secret is displayed. Copy this value because you can't retrieve it later. Be sure to copy the **Value** and not the **Secret ID**. -You've now created your Azure AD application, service principal, and client secret. 
+You've now created your Microsoft Entra application, service principal, and client secret. ## Create a Red Hat Container Registry service account The following steps show you how to fill out the **ARO** pane shown in the follo 1. Under **Provide information to create a new cluster**, for **Red Hat pull secret**, fill in the Red Hat pull secret that you obtained in the [Get a Red Hat pull secret](#get-a-red-hat-pull-secret) section. Use the same value for **Confirm secret**. -1. Fill in **Service principal client ID** with the service principal Application (client) ID that you obtained in the [Create an Azure Active Directory Service Principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. +1. Fill in **Service principal client ID** with the service principal Application (client) ID that you obtained in the [Create a Microsoft Entra service principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. -1. Fill in **Service principal client secret** with the service principal Application secret that you obtained in the [Create an Azure Active Directory Service Principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. Use the same value for **Confirm secret**. +1. Fill in **Service principal client secret** with the service principal Application secret that you obtained in the [Create a Microsoft Entra service principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. Use the same value for **Confirm secret**. 1. Select **Next EAP Application**. |
openshift | Howto Deploy Java Liberty App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/howto-deploy-java-liberty-app.md | The following content is an example that was copied from the Red Hat console por Save the secret to a file so you can use it later. -## Create an Azure Active Directory service principal from the Azure portal +<a name='create-an-azure-active-directory-service-principal-from-the-azure-portal'></a> -The Azure Marketplace offer you're going to use in this article requires an Azure Active Directory (Azure AD) service principal to deploy your Azure Red Hat OpenShift cluster. The offer assigns the service principal with proper privileges during deployment time, with no role assignment needed. If you have a service principal ready to use, skip this section and move on to the next section, where you'll deploy the offer. +## Create a Microsoft Entra service principal from the Azure portal ++The Azure Marketplace offer you're going to use in this article requires a Microsoft Entra service principal to deploy your Azure Red Hat OpenShift cluster. The offer assigns the service principal with proper privileges during deployment time, with no role assignment needed. If you have a service principal ready to use, skip this section and move on to the next section, where you'll deploy the offer. Use the following steps to deploy a service principal and get its Application (client) ID and secret from the Azure portal. For more information, see [Create and use a service principal to deploy an Azure Red Hat OpenShift cluster](/azure/openshift/howto-create-service-principal?pivots=aro-azureportal). > [!NOTE]-> You must have sufficient permissions to register an application with your Azure AD tenant. If you run into a problem, check the required permissions to make sure your account can create the identity. 
For more information, see the [Permissions required for registering an app](/azure/active-directory/develop/howto-create-service-principal-portal#permissions-required-for-registering-an-app) section of [Use the portal to create an Azure AD application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal). +> You must have sufficient permissions to register an application with your Microsoft Entra tenant. If you run into a problem, check the required permissions to make sure your account can create the identity. For more information, see the [Permissions required for registering an app](/azure/active-directory/develop/howto-create-service-principal-portal#permissions-required-for-registering-an-app) section of [Use the portal to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal). 1. Sign in to your Azure account through the [Azure portal](https://portal.azure.com/).-1. Select **Azure Active Directory**. +1. Select **Microsoft Entra ID**. 1. Select **App registrations**. 1. Select **New registration**. 1. Name the application, for example "liberty-on-aro-app". Select a supported account type, which determines who can use the application. After setting the values, select **Register**, as shown in the following screenshot. It takes several seconds to provision the application. Wait for the deployment to complete before proceeding. Use the following steps to deploy a service principal and get its Application (c 1. Provide a description of the secret and a duration. When you're done, select **Add**. 1. After the client secret is added, the value of the client secret is displayed. Copy this value because you won't be able to retrieve it later. -You've now created your Azure AD application, service principal, and client secret. 
+You've now created your Microsoft Entra application, service principal, and client secret. ## Deploy IBM WebSphere Liberty or Open Liberty on Azure Red Hat OpenShift The following steps show you how to fill out the **ARO** pane shown in the follo 1. Under **Provide information to create a new cluster**, for **Red Hat pull secret**, fill in the Red Hat pull secret that you obtained in the [Get a Red Hat pull secret](#get-a-red-hat-pull-secret) section. Use the same value for **Confirm secret**. -1. Fill in **Service principal client ID** with the service principal Application (client) ID that you obtained in the [Create an Azure Active Directory Service Principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. +1. Fill in **Service principal client ID** with the service principal Application (client) ID that you obtained in the [Create a Microsoft Entra service principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. -1. Fill in **Service principal client secret** with the service principal Application secret that you obtained in the [Create an Azure Active Directory Service Principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. Use the same value for **Confirm secret**. +1. Fill in **Service principal client secret** with the service principal Application secret that you obtained in the [Create a Microsoft Entra service principal from the Azure portal](#create-an-azure-active-directory-service-principal-from-the-azure-portal) section. Use the same value for **Confirm secret**. The following steps show you how to fill out the **Operator and application** pane shown in the following screenshot, and start the deployment. |
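Review bot: the client-secret step in this hunk ("Copy this value because you won't be able to retrieve it later.") lacks the clarification that the parallel step in the JBoss EAP article carries ("Be sure to copy the **Value** and not the **Secret ID**"). Copying the Secret ID instead of the secret value is an easy mistake that only surfaces as a failed deployment later, so consider adding the same sentence here while the step is being touched.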
openshift | Howto Encrypt Data Disks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/howto-encrypt-data-disks.md | pvcUid="$(oc apply -f test-pvc.yaml -o jsonpath='{.items[0].metadata.uid}')" pvName="$(oc get pv pvc-$pvcUid -o jsonpath='{.spec.azureDisk.diskName}')" ``` > [!NOTE]-> On occasion there may be a slight delay when applying role assignments within Azure Active Directory. Depending upon the speed that these instructions are executed, the command to "Determine the full Azure Disk name" may not succeed. If this occurs, review the output of **oc describe pvc mypod-with-cmk-encryption-pvc** to ensure that the disk was successfully provisioned. If the role assignment propagation has not completed you may need to *delete* and re-*apply* the Pod & PVC YAML. +> On occasion there may be a slight delay when applying role assignments within Microsoft Entra ID. Depending upon the speed that these instructions are executed, the command to "Determine the full Azure Disk name" may not succeed. If this occurs, review the output of **oc describe pvc mypod-with-cmk-encryption-pvc** to ensure that the disk was successfully provisioned. If the role assignment propagation has not completed you may need to *delete* and re-*apply* the Pod & PVC YAML. ### Verify PVC disk is configured with "EncryptionAtRestWithCustomerKey" (Optional) The Pod should create a persistent volume claim that references the CMK storage class. Running the following command will validate that the PVC has been deployed as expected: |
openshift | Intro Openshift | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/intro-openshift.md | Azure Red Hat OpenShift extends [Kubernetes](https://kubernetes.io/). Running co Azure Red Hat OpenShift is jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated support experience. There are no virtual machines to operate, and no patching is required. Master, infrastructure, and application nodes are patched, updated, and monitored on your behalf by Red Hat and Microsoft. Your Azure Red Hat OpenShift clusters are deployed into your Azure subscription and are included on your Azure bill. -You can choose your own registry, networking, storage, and CI/CD solutions, or use the built-in solutions for automated source code management, container and application builds, deployments, scaling, health management, and more. Azure Red Hat OpenShift provides an integrated sign-on experience through Azure Active Directory. +You can choose your own registry, networking, storage, and CI/CD solutions, or use the built-in solutions for automated source code management, container and application builds, deployments, scaling, health management, and more. Azure Red Hat OpenShift provides an integrated sign-on experience through Microsoft Entra ID. To get started, complete the [Create an Azure Red Hat OpenShift cluster](tutorial-create-cluster.md) tutorial. ## Access, security, and monitoring -For improved security and management, Azure Red Hat OpenShift lets you integrate with Azure Active Directory (Azure AD) and use Kubernetes role-based access control (Kubernetes RBAC). You can also monitor the health of your cluster and resources. +For improved security and management, Azure Red Hat OpenShift lets you integrate with Microsoft Entra ID and use Kubernetes role-based access control (Kubernetes RBAC). You can also monitor the health of your cluster and resources. ## Cluster and node |
openshift | Openshift Service Definitions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/openshift-service-definitions.md | The following sections provide information about Azure OpenShift security. Azure Red Hat OpenShift clusters aren't configured with any authentication providers. -Customers need to configure their own providers, such as Azure Active Directory. For information about configuring providers, see the following articles: +Customers need to configure their own providers, such as Microsoft Entra ID. For information about configuring providers, see the following articles: -* [Azure Active Directory Authentication](./configure-azure-ad-cli.md) +* [Microsoft Entra authentication](./configure-azure-ad-cli.md) * [OpenShift identity providers](https://docs.openshift.com/container-platform/4.7/authentication/understanding-identity-provider.html) ### Regulatory compliance |
openshift | Quickstart Openshift Arm Bicep Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/quickstart-openshift-arm-bicep-template.md | Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy * An Azure account with an active subscription is required. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/). -* Ability to assign User Access Administrator and Contributor roles. If you lack this ability, contact your Azure Active Directory admin to manage roles. +* Ability to assign User Access Administrator and Contributor roles. If you lack this ability, contact your Microsoft Entra admin to manage roles. * A Red Hat account. If you don't have one, you'll have to [register for an account](https://www.redhat.com/wapps/ugc/register.html). The azuredeploy.json template is used to deploy an Azure Red Hat OpenShift clust | `domain` |The domain prefix for the cluster. | | none | | `pullSecret` | The pull secret that you obtained from the Red Hat OpenShift Cluster Manager web site. | `clusterName` | The name of the cluster. | |-| `aadClientId` | The application ID (a GUID) of an Azure Active Directory (Azure AD) client application. | | -| `aadObjectId` | The object ID (a GUID) of the service principal for the Azure AD client application. | | -| `aadClientSecret` | The client secret of the service principal for the Azure AD client application, as a secure string. | | +| `aadClientId` | The application ID (a GUID) of a Microsoft Entra client application. | | +| `aadObjectId` | The object ID (a GUID) of the service principal for the Microsoft Entra client application. | | +| `aadClientSecret` | The client secret of the service principal for the Microsoft Entra client application, as a secure string. | | | `rpObjectId` | The object ID (a GUID) of the resource provider service principal. | | The template parameters below have default values. 
They can be specified, but they aren't explicitly required. az provider register --namespace 'Microsoft.Authorization' --wait az group create --name $RESOURCEGROUP --location $LOCATION ``` -### Create a service principal for the new Azure AD application +<a name='create-a-service-principal-for-the-new-azure-ad-application'></a> ++### Create a service principal for the new Microsoft Entra application - Azure CLI ```azurecli-interactive az aro delete --resource-group $RESOURCEGROUP --name $CLUSTER In this article, you learned how to create an Azure Red Hat OpenShift cluster running OpenShift 4 using both ARM templates and Bicep. -Advance to the next article to learn how to configure the cluster for authentication using Azure Active Directory. +Advance to the next article to learn how to configure the cluster for authentication using Microsoft Entra ID. * [Rotate service principal credentials for your Azure Red Hat OpenShift (ARO) Cluster](howto-service-principal-credential-rotation.md) -* [Configure authentication with Azure Active Directory using the command line](configure-azure-ad-cli.md) +* [Configure authentication with Microsoft Entra ID using the command line](configure-azure-ad-cli.md) -* [Configure authentication with Azure Active Directory using the Azure portal and OpenShift web console](configure-azure-ad-cli.md)i +* [Configure authentication with Microsoft Entra ID using the Azure portal and OpenShift web console](configure-azure-ad-cli.md)i |
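Review bot: the last bullet in the Next steps hunk still ends with a stray "i" after the link ("(configure-azure-ad-cli.md)i") in both the removed and the added line; drop it while the line is being rewritten. Also, both "using the command line" and "using the Azure portal and OpenShift web console" bullets point at the same target, configure-azure-ad-cli.md, which looks like a copy of the first link; confirm the portal/web console bullet is meant to link to a different article.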
openshift | Quickstart Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/quickstart-portal.md | Azure Red Hat OpenShift is a managed OpenShift service that lets you quickly dep ## Prerequisites Sign in to the [Azure portal](https://portal.azure.com). -Create a service principal, as explained in [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). **Be sure to save the client ID and the appID.** +Create a service principal, as explained in [Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). **Be sure to save the client ID and the appID.** Register the `Microsoft.RedHatOpenShift` resource provider. For instructions on registering resource providers using Azure portal, see [Register resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider). |
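Review bot: the bold reminder in this hunk, "Be sure to save the client ID and the appID.", names the same value twice (the application ID is the client ID) and omits the client secret, which is the value that cannot be retrieved later; the sibling ARO service-principal text in this same change set says "Be sure to save the Application (client) ID and the secret." Suggest aligning the reminder with that wording.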
openshift | Tutorial Create Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/openshift/tutorial-create-cluster.md | Azure Red Hat OpenShift requires a minimum of 40 cores to create and run an Open During this tutorial, you'll create a resource group, which contains the virtual network for the cluster. To do this, you'll need Contributor and User Access Administrator permissions or Owner permissions, either directly on the virtual network or on the resource group or subscription containing it. -You'll also need sufficient Azure Active Directory permissions (either a member user of the tenant, or a guest assigned with role **Application administrator**) for the tooling to create an application and service principal on your behalf for the cluster. See [Member and guests](../active-directory/fundamentals/users-default-permissions.md#member-and-guest-users) and [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) for more details. +You'll also need sufficient Microsoft Entra permissions (either a member user of the tenant, or a guest assigned with role **Application administrator**) for the tooling to create an application and service principal on your behalf for the cluster. See [Member and guests](../active-directory/fundamentals/users-default-permissions.md#member-and-guest-users) and [Assign administrator and non-administrator roles to users with Microsoft Entra ID](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) for more details. ### Register the resource providers |
operator-nexus | Howto Baremetal Bmc Ssh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-baremetal-bmc-ssh.md | The BMCs support a maximum number of 12 users. Users are defined on a per Cluste - The on-premises Cluster must have connectivity to Azure. - Get the Resource Group name for the `Cluster` resource. - The process applies keysets to all running bare metal machines.-- The users added must be part of an Azure Active Directory (Azure AD) group. For more information, see [How to Manage Groups](../active-directory/fundamentals/how-to-manage-groups.md).+- The users added must be part of a Microsoft Entra group. For more information, see [How to Manage Groups](../active-directory/fundamentals/how-to-manage-groups.md). - To restrict access for managing keysets, create a custom role. For more information, see [Azure Custom Roles](../role-based-access-control/custom-roles.md). In this instance, add or exclude permissions for `Microsoft.NetworkCloud/clusters/bmcKeySets`. The options are `/read`, `/write`, and `/delete`. > [!NOTE] |
operator-nexus | Howto Baremetal Bmm Ssh | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-baremetal-bmm-ssh.md | There's no limit to the number of users in a group. - The on-premises Cluster must have connectivity to Azure. - Get the Resource Group name for the `Cluster` resource. - The process applies keysets to all running bare metal machines.-- The added users must be part of an Azure Active Directory (Azure AD) group. For more information, see [How to Manage Groups](../active-directory/fundamentals/how-to-manage-groups.md).+- The added users must be part of a Microsoft Entra group. For more information, see [How to Manage Groups](../active-directory/fundamentals/how-to-manage-groups.md). - To restrict access for managing keysets, create a custom role. For more information, see [Azure Custom Roles](../role-based-access-control/custom-roles.md). In this instance, add or exclude permissions for `Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets`. The options are `/read`, `/write`, and `/delete`. > [!NOTE] |
operator-nexus | Howto Kubernetes Cluster Aad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-kubernetes-cluster-aad-rbac.md | -This article provides a comprehensive guide on how to manage access to Nexus Kubernetes clusters using Azure Active Directory (Azure AD). Specifically, we're focusing on role-based access control, which allows you to grant permissions to users based on their roles or responsibilities within your organization. +This article provides a comprehensive guide on how to manage access to Nexus Kubernetes clusters using Microsoft Entra ID. Specifically, we're focusing on role-based access control, which allows you to grant permissions to users based on their roles or responsibilities within your organization. ## Before you begin -1. To begin, create an Azure AD group for your cluster administrators and assign members to it. Azure AD allows access to be granted to the group as a whole, rather than managing permissions for each user individually. +1. To begin, create a Microsoft Entra group for your cluster administrators and assign members to it. Microsoft Entra ID allows access to be granted to the group as a whole, rather than managing permissions for each user individually. 2. Use the group ID you created as the value for 'adminGroupObjectIds' when creating the Nexus Kubernetes cluster to ensure that the members of the group get permissions to manage the cluster. Refer to the [QuickStart](./quickstarts-kubernetes-cluster-deployment-bicep.md) guide for instructions on how to create and access the Nexus Kubernetes cluster. ## Administrator access to the cluster -Nexus creates a Kubernetes cluster role binding with the default Kubernetes role ```cluster-admin``` and the Azure AD groups you specified as `adminGroupObjectIds`. The cluster administrators have full access to the cluster and can perform all operations on the cluster. 
The cluster administrators can also grant access to other users by assigning them to the appropriate Azure AD group. +Nexus creates a Kubernetes cluster role binding with the default Kubernetes role ```cluster-admin``` and the Microsoft Entra groups you specified as `adminGroupObjectIds`. The cluster administrators have full access to the cluster and can perform all operations on the cluster. The cluster administrators can also grant access to other users by assigning them to the appropriate Microsoft Entra group. [!INCLUDE [cluster-connect](./includes/kubernetes-cluster/cluster-connect.md)] ## Role-based access control-As an administrator, you can provide role-based access control to the cluster by creating a role binding with Azure AD group object ID. For users who only need 'view' permissions, you can accomplish the task by adding them to an Azure AD group that's tied to the 'view' role. +As an administrator, you can provide role-based access control to the cluster by creating a role binding with Microsoft Entra group object ID. For users who only need 'view' permissions, you can accomplish the task by adding them to a Microsoft Entra group that's tied to the 'view' role. -1. Create an Azure AD group for users who need 'view' access, referring to the default Kubernetes role called `view`. This role is just an example, and if necessary, you can create custom roles and use them instead. For more information on user-facing roles in Kubernetes, you can refer to the official documentation at [Kubernetes roll-based access roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). +1. Create a Microsoft Entra group for users who need 'view' access, referring to the default Kubernetes role called `view`. This role is just an example, and if necessary, you can create custom roles and use them instead. 
For more information on user-facing roles in Kubernetes, you can refer to the official documentation at [Kubernetes roll-based access roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). -2. Take note of the Azure AD group object ID generated upon creation. +2. Take note of the Microsoft Entra group object ID generated upon creation. -3. Use the kubectl command to create a clusterrolebinding with the 'view' role and associate it with the Azure AD group. Replace `AZURE_AD_GROUP_OBJECT_ID` with the object ID of your Azure AD group. +3. Use the kubectl command to create a clusterrolebinding with the 'view' role and associate it with the Microsoft Entra group. Replace `AZURE_AD_GROUP_OBJECT_ID` with the object ID of your Microsoft Entra group. ```bash kubectl create clusterrolebinding nexus-read-only-users --clusterrole view --group=AZURE_AD_GROUP_OBJECT_ID ```- This command creates a cluster role binding named `nexus-read-only-users` that assigns the `view` role to the members of the specified Azure AD group. + This command creates a cluster role binding named `nexus-read-only-users` that assigns the `view` role to the members of the specified Microsoft Entra group. 4. Verify that the role binding was created successfully. ```bash kubectl get clusterrolebinding nexus-read-only-users ``` -5. Now the users in the Azure AD group have 'view' access to the cluster. They can access the cluster using `az connectedk8s proxy` to view the resources, but can't make any changes +5. Now the users in the Microsoft Entra group have 'view' access to the cluster. They can access the cluster using `az connectedk8s proxy` to view the resources, but can't make any changes ## Next steps -You can further fine-tune access control by creating custom roles with specific permissions. The creation of these roles involves Kubernetes native RoleBinding or ClusterRoleBinding resources. 
You can check the official [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for detailed guidance on creating more custom roles and role bindings as per your requirements. +You can further fine-tune access control by creating custom roles with specific permissions. The creation of these roles involves Kubernetes native RoleBinding or ClusterRoleBinding resources. You can check the official [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for detailed guidance on creating more custom roles and role bindings as per your requirements. |
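Review bot: the link text "Kubernetes roll-based access roles" in step 1 keeps the "roll-based" typo in the added line; it should read "role-based". Minor grammar in the same hunk: "creating a role binding with Microsoft Entra group object ID" is missing an article ("with a Microsoft Entra group object ID"), and step 5 ("but can't make any changes") lacks a closing period.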
operator-nexus | Howto Run Instance Readiness Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-run-instance-readiness-testing.md | The `setup.sh` script is provided to aid with installing the listed dependencies If your workflow is incompatible with `all-in-one.sh`, each resource needed for IRT can be created manually with each supplemental script. Like `all-in-one.sh`, running these scripts writes key/value pairs to your `irt-input.yml` for you to use during your run. These four scripts make up the `all-in-one.sh`. -IRT makes commands against your resources, and needs permission to do so. IRT requires a managed identity and a service principal to execute. It also requires that the service principal is a member of the Azure AD Security Group that is also provided as input. +IRT makes commands against your resources, and needs permission to do so. IRT requires a managed identity and a service principal to execute. It also requires that the service principal is a member of the Microsoft Entra Security Group that is also provided as input. #### Create managed identity <details> |
operator-nexus | Quickstarts Kubernetes Cluster Deployment Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/quickstarts-kubernetes-cluster-deployment-cli.md | Before you run the commands, you need to set several variables to define the con | CUSTOM_LOCATION | This argument specifies a custom location of the Nexus instance. | | CSN_ARM_ID | CSN ID is the unique identifier for the cloud services network you want to use. | | CNI_ARM_ID | CNI ID is the unique identifier for the network interface to be used by the container runtime. |-| AAD_ADMIN_GROUP_OBJECT_ID | The object ID of the Azure Active Directory group that should have admin privileges on the cluster. | +| AAD_ADMIN_GROUP_OBJECT_ID | The object ID of the Microsoft Entra group that should have admin privileges on the cluster. | | CLUSTER_NAME | The name you want to give to your Nexus Kubernetes cluster. | | K8S_VERSION | The version of Kubernetes you want to use. | | ADMIN_USERNAME | The username for the cluster administrator. | |
operator-nexus | Quickstarts Kubernetes Cluster Deployment Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/quickstarts-kubernetes-cluster-deployment-powershell.md | Before you run the commands, you need to set several variables to define the con | CUSTOM_LOCATION | This argument specifies a custom location of the Nexus instance. | | CSN_ARM_ID | CSN ID is the unique identifier for the cloud services network you want to use. | | CNI_ARM_ID | CNI ID is the unique identifier for the network interface to be used by the container runtime. |-| AAD_ADMIN_GROUP_OBJECT_ID | The object ID of the Azure Active Directory group that should have admin privileges on the cluster. | +| AAD_ADMIN_GROUP_OBJECT_ID | The object ID of the Microsoft Entra group that should have admin privileges on the cluster. | | CLUSTER_NAME | The name you want to give to your Nexus Kubernetes cluster. | | K8S_VERSION | The version of Kubernetes you want to use. | | ADMIN_USERNAME | The username for the cluster administrator. | |
operator-nexus | Quickstarts Tenant Workload Deployment Ps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/quickstarts-tenant-workload-deployment-ps.md | Before you run the commands, you need to set several variables to define the con | NETWORK_INTERFACE_NAME | The name of the L3 network interface for the virtual machine. | | ADMIN_USERNAME | The username for the virtual machine administrator. | | SSH_PUBLIC_KEY | The SSH public key that is used for secure communication with the virtual machine. |-| CPU_CORES | The number of CPU cores for the virtual machine (even number, max 44 vCPUs) | +| CPU_CORES | The number of CPU cores for the virtual machine (even number, max 46 vCPUs) | | MEMORY_SIZE | The amount of memory (in GB, max 224 GB) for the virtual machine. | | VM_DISK_SIZE | The size (in GB) of the virtual machine disk. | | VM_IMAGE | The URL of the virtual machine image. | |
orbital | Concepts Contact | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/concepts-contact.md | Title: Ground station contact - Azure Orbital -description: Learn more about the contact object and how to schedule a contact. +description: Learn more about the contact resource and how to schedule a contact. Last updated 07/13/2022 -#Customer intent: As a satellite operator or user, I want to understand how to what the contact object is so I can manage my mission operations. +#Customer intent: As a satellite operator or user, I want to understand how to what the contact resource is so I can manage my mission operations. # Ground station contact A contact occurs when the spacecraft passes over a specified ground station. You can find available passes and schedule contacts for your spacecraft through the Azure Orbital Ground Station platform. A contact and ground station pass mean the same thing. -When you schedule a contact for a spacecraft, a contact object is created under your spacecraft object in your resource group. The contact is only associated with that particular spacecraft and can't be transferred to another spacecraft, resource group, or region. +When you schedule a contact for a spacecraft, a contact resource is created under your spacecraft resource in your resource group. The contact is only associated with that particular spacecraft and can't be transferred to another spacecraft, resource group, or region. -## Contact object +## Contact resource -The contact object contains the start time and end time of the pass and other parameters related to pass operations. The full list is below. +The contact resource contains the start time and end time of the pass and other parameters related to pass operations. The full list is below. 
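Review bot: The rewritten `#Customer intent` line still reads "I want to understand how to what the contact resource is", which is ungrammatical and unchanged from the `-` line apart from the object/resource rename; suggest "I want to understand what the contact resource is so I can manage my mission operations." while the line is being touched.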
| Parameter | Description | ||--| The contact object contains the start time and end time of the pass and other pa | Start Elevation | Starting elevation position of the spacecraft measured from the horizon up in degrees. | | End Elevation | Starting elevation position of the spacecraft measured from the horizon up in degrees. | -The RX and TX start/end times may differ depending on the individual station masks. Billing meters are engaged between the Reservation Start Time and Reservation End Time. +The RX and TX start/end times might differ depending on the individual station masks. Billing meters are engaged between the Reservation Start Time and Reservation End Time. -## Creating a contact +## Create a contact -In order to create a contact, you must have the following pre-requisites: +In order to create a contact, you must have the following prerequisites: -* An [authorized](register-spacecraft.md) spacecraft object. -* A [contact profile](contact-profile.md) with links in accordance with the spacecraft object above. +* An [authorized](register-spacecraft.md) spacecraft resource. +* A [contact profile](contact-profile.md) with links in accordance with the spacecraft resource above. -Contacts are created on a per-pass and per-site basis. If you already know the pass timings for your spacecraft and selected ground station, you can directly proceed to schedule the pass with these times. The service will succeed in creating the contact object if the window is available and fail if the window is unavailable. +Contacts are created on a per-pass and per-site basis. If you already know the pass timings for your spacecraft and selected ground station, you can directly proceed to schedule the pass with these times. The service will succeed in creating the contact resource if the window is available and fail if the window is unavailable. If you don't know the pass timings, or which sites are available, then you can use the Orbital portal or API to determine those details. 
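Review bot: The unchanged context row `| End Elevation | Starting elevation position of the spacecraft measured from the horizon up in degrees. |` duplicates the Start Elevation description word for word; since this table is already in the diff, consider correcting it to "Ending elevation position ..." in the same change so the two parameters are distinguishable.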
Query the available passes and use the results to schedule your passes accordingly. |
orbital | Contact Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/contact-profile.md | -# Quickstart: Configure a contact profile +# Configure a contact profile Configure a contact profile with Azure Orbital Ground Station to save and reuse contact configurations. This is required before scheduling a contact to ingest data from a satellite into Azure. |
orbital | Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/get-started.md | -## Learn about resources +## Learn about Azure Orbital Ground Station resources -Azure Orbital Ground Station uses three different types of Azure resources: +Azure Orbital Ground Station uses three types of Azure resources: - [Spacecraft](spacecraft-object.md) - [Contact profile](concepts-contact-profile.md) - [Contact](concepts-contact.md) -You need to create each of these resources before you can successfully contact your satellite. Click the links to learn more about each of these resources. +You need to create each of these resources before you can successfully contact your satellite. ++A spacecraft object is a representation of your satellite in Azure and stores links, ephemeris, and licensing information. A contact profile stores pass requirements such as links, channels, and network endpoint details. -A spacecraft object is a representation of your satellite in Azure Orbital Ground Station and stores links, ephemeris, and licensing information. A contact profile stores pass requirements such as links, channels, and network endpoint details. Contacts are scheduled at a designated time for a particular combination of a spacecraft and contact profile. When you schedule a contact for a spacecraft, a contact object is created under your spacecraft object in your resource group. -## 1. Register a spacecraft +## Register a spacecraft -[Register a spacecraft](register-spacecraft.md) to add it to your subscription. This process includes creating the spacecraft resource and requesting authorization to use this spacecraft according to the spacecraft and ground station licenses. +[Register a spacecraft](register-spacecraft.md) resource to add it to your subscription. This process includes creating the spacecraft resource and requesting authorization to use this spacecraft according to the spacecraft and ground station licenses. 
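Review bot: Terminology is inconsistent with the companion concepts-contact.md change in this same set, which renames "contact object"/"spacecraft object" to "resource": the added paragraph here still says "A spacecraft object is a representation of your satellite in Azure" and the kept context says "a contact object is created under your spacecraft object". Suggest "spacecraft resource" / "contact resource" throughout, and "[Register a spacecraft](register-spacecraft.md) resource" reads awkwardly with the link text split from its noun; "Register a [spacecraft resource](register-spacecraft.md)" or "[Register a spacecraft resource](register-spacecraft.md)" is clearer.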
> [!NOTE] > Before spacecraft resources can be created and authorized for private satellites, proper regulatory licenses for both satellites and relevant ground stations must be obtained. -## 2. Prepare the network --[Set up your network](prepare-network.md) by preparing your subnet for VNET injection, setting the endpoints, and ensuring your objects are configured correctly. --## 3. Integrate partner networks --If you're using one of Azure Orbital Ground Station's partner ground station networks, [integrate the partner network](partner-network-integration.md). --## 4. Configure the modem --[Configure the RF chain](modem-chain.md), choosing to utilize a managed modem or virtual RF. +## Configure a contact profile -## 5. Set up telemetry +[Configure a contact profile](contact-profile.md) resource for your spacecraft to store details such as channels, links, and endpoint details. -Use Azure Event Hubs to [set up real-time antenna telemetry](receive-real-time-telemetry.md). --## 6. Configure a contact profile --[Configure a contact profile](contact-profile.md) for your spacecraft. --## 7. Schedule a contact +## Schedule a contact [Schedule a contact](schedule-contact.md) for a particular spacecraft and contact profile.-If needed, you can [cancel a contact](delete-contact.md). --## 8. Update spacecraft TLE --[Update your spacecraft's TLE](update-tle.md) to ensure it remains current. |
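Review bot: Dropping the "Prepare the network", "Integrate partner networks", "Configure the modem", "Set up telemetry" and "Update spacecraft TLE" steps removes the only links from this get-started page to prepare-network.md, partner-network-integration.md, modem-chain.md, receive-real-time-telemetry.md and update-tle.md, yet prepare-network.md, modem-chain.md and update-tle.md are still being maintained in this same changeset. If the intent is to keep the page focused on the three resources, add a short "Next steps" or "Related" list pointing at those pages so the network and RF-chain setup remains discoverable; the removed "cancel a contact" link (delete-contact.md) should likewise be kept or moved.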
orbital | Modem Chain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/modem-chain.md | Select 'Preset Named Modem Configuration'and chose a configuration as shown belo To use the virtual RF delivery feature, leave the modulationConfiguration or demodulationConfiguration parameters blank in the channel parameters. Azure Orbital Ground Station uses the [Digital Intermediate Frequency Interoperability](https://dificonsortium.org/) or DIFI format for transport of virtual RF. Refer to the [virtual RF tutorial](virtual-rf-tutorial.md) to learn more. >[!Note]->Azure Orbital Ground Station will provide an RF stream in accordance with the channel bandwidth setting to the endpoint for downlink. +>For downlink, Azure Orbital Ground Station will provide an RF stream in accordance with the channel bandwidth setting to the endpoint. >->Azure Orbital Ground Station expects an RF stream in accordance with the channel bandwidth setting from the endpoint for uplink. +>For uplink, Azure Orbital Ground Station expects an RF stream in accordance with the channel bandwidth setting from the endpoint. ## Next steps |
orbital | Prepare Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/prepare-network.md | -The Azure Orbital Ground Station platform interfaces with your resources using VNET injection, which is used in both uplink and downlink directions. This page describes how to ensure your Subnet and Azure Orbital Ground Station objects are configured correctly. +Azure Orbital Ground Station interfaces with your Azure resources using VNET injection, which is used in both uplink and downlink directions. This page describes how to ensure your Subnet and Azure Orbital Ground Station objects are configured correctly. Ensure the objects comply with the recommendations in this article. Note that these steps do not have to be followed in order. |
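Review bot: The `+` line still says "ensure your Subnet and Azure Orbital Ground Station objects are configured correctly" and the following context says "Ensure the objects comply", while concepts-contact.md in this same change standardizes on "resource"; suggest "resources" here as well, and "Subnet" does not need capitalization.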
orbital | Register Spacecraft | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/register-spacecraft.md | -# Quickstart: Register and Authorize Spacecraft +# Register and Authorize Spacecraft To contact a satellite, it must be registered and authorized as a spacecraft resource with Azure Orbital Ground Station using required identifying information. |
orbital | Schedule Contact | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/schedule-contact.md | -# Quickstart: Schedule a contact +# Schedule a contact Schedule a contact with your satellite for data retrieval and delivery on Azure Orbital Ground Station. At the scheduled time, the selected ground station will contact the satellite and start data retrieval/delivery using the designated contact profile. |
orbital | Update Tle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/orbital/update-tle.md | Title: Update the spacecraft TLE on Azure Orbital Earth Observation service + Title: Update the spacecraft TLE description: Update the TLE of an existing spacecraft resource. -# Tutorial: Update the spacecraft TLE +# Update the spacecraft TLE Update the TLE of an existing spacecraft resource. |
partner-solutions | Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/manage.md | This article describes how to manage your instance of Apache Kafka for Confluent ## Single sign-on -To implement SSO for your organization, your tenant administrator can import the gallery application. This step is optional. For information importing an application, see [Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant](../../active-directory/manage-apps/add-application-portal.md). When the tenant administrator imports the application, users don't need to explicitly consent to allow access for the Confluent Cloud portal. +To implement SSO for your organization, your tenant administrator can import the gallery application. This step is optional. For information importing an application, see [Quickstart: Add an application to your Microsoft Entra tenant](../../active-directory/manage-apps/add-application-portal.md). When the tenant administrator imports the application, users don't need to explicitly consent to allow access for the Confluent Cloud portal. To enable SSO, follow these steps: To enable SSO, follow these steps: :::image type="content" source="media/manage/permissions-requested.png" alt-text="Grant permissions."::: -1. Choose an Azure AD account for single sign-on to the Confluent Cloud portal. +1. Choose a Microsoft Entra account for single sign-on to the Confluent Cloud portal. 1. After consent is provided, you're redirected to the Confluent Cloud portal. ## Set up cluster |
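Review bot: The rewritten sentence keeps "For information importing an application, see ...", which is missing a word; suggest "For information about importing an application, see ..." since the line is being edited anyway.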
partner-solutions | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/overview.md | Now, you provision the Confluent Cloud resources through a resource provider nam The deep integration between Confluent Cloud and Azure enables the following capabilities: - Provision a new Confluent Cloud organization resource from the Azure portal with fully managed infrastructure or link to an existing Confluent Cloud organization.-- Streamline single sign-on (SSO) from Azure to Confluent Cloud with Azure Active Directory (Azure AD). No separate authentication is needed from the Confluent Cloud portal.+- Streamline single sign-on (SSO) from Azure to Confluent Cloud with Microsoft Entra ID. No separate authentication is needed from the Confluent Cloud portal. - Get unified billing of Confluent Cloud consumption through Azure subscription invoicing. - Manage Confluent Cloud resources from the Azure portal, and track them in the **All resources** page with your other Azure resources. For billing, each Confluent Cloud offer purchased in the Marketplace maps to a u ## Single sign-on -When you sign in to the Azure portal, your credentials are also used to sign in to the Confluent Cloud SaaS portal. The experience uses [Azure AD](../../active-directory/fundamentals/active-directory-whatis.md) and [Azure AD SSO](../../active-directory/manage-apps/what-is-single-sign-on.md) to provide a secure and convenient way for you to sign in. +When you sign in to the Azure portal, your credentials are also used to sign in to the Confluent Cloud SaaS portal. The experience uses [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) and [Microsoft Entra SSO](../../active-directory/manage-apps/what-is-single-sign-on.md) to provide a secure and convenient way for you to sign in. For more information, see [Single sign-on](manage.md#single-sign-on). |
partner-solutions | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/apache-kafka-confluent-cloud/troubleshoot.md | To find the offer in the Azure Marketplace, use the following steps: 1. Search for _Apache Kafka on Confluent Cloud_. 1. Select the application tile. -If the offer isn't displayed, contact [Confluent support](https://support.confluent.io). Your Azure Active Directory tenant ID must be on the list of allowed tenants. To learn how to find your tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name). +If the offer isn't displayed, contact [Confluent support](https://support.confluent.io). Your Microsoft Entra tenant ID must be on the list of allowed tenants. To learn how to find your tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name). ## Purchase errors If you have the correct permissions but still can't delete the resource, contact ## Unable to use single sign-on -If SSO isn't working for the Confluent Cloud SaaS portal, verify you're using the correct Azure Active Directory email. You must also have consented to allow access for the Confluent Cloud software as a service (SaaS) portal. For more information, see the [single sign-on guidance](manage.md#single-sign-on). +If SSO isn't working for the Confluent Cloud SaaS portal, verify you're using the correct Microsoft Entra ID email. You must also have consented to allow access for the Confluent Cloud software as a service (SaaS) portal. For more information, see the [single sign-on guidance](manage.md#single-sign-on). If the problem persists, contact [Confluent support](https://support.confluent.io). |
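Review bot: "verify you're using the correct Microsoft Entra ID email" reads oddly with "ID" attached to "email"; suggest "the email address of your Microsoft Entra account". The linked article path `/azure/active-directory-b2c/tenant-management-read-tenant-name` is a B2C page; confirm it is the right target for a plain Microsoft Entra tenant ID lookup.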
partner-solutions | Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/datadog/create.md | There are three types of logs that can be sent from Azure to Datadog. 1. **Azure resource logs** - Provide insight into operations that were taken on an Azure resource at the [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). For example, getting a secret from a Key Vault is a data plane operation. Or, making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type. -1. **Azure Active Directory logs** - As an IT administrator, you want to monitor your IT environment. The information about your system's health enables you to assess potential issues and decide how to respond. +1. **Microsoft Entra logs** - As an IT administrator, you want to monitor your IT environment. The information about your system's health enables you to assess potential issues and decide how to respond. -The Azure Active Directory portal gives you access to three activity logs: +The Microsoft Entra admin center gives you access to three activity logs: - [Sign-in](../../active-directory/reports-monitoring/concept-sign-ins.md) ΓÇô Information about sign-ins and how your resources are used by your users. - [Audit](../../active-directory/reports-monitoring/concept-audit-logs.md) ΓÇô Information about changes applied to your tenant such as users and group management or updates applied to your tenant's resources. To send subscription level logs to Datadog, select **Send subscription activity To send Azure resource logs to Datadog, select **Send Azure resource logs for all defined resources**. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](../../azure-monitor/essentials/resource-logs-categories.md). To filter the set of Azure resources sending logs to Datadog, use Azure resource tags. 
-You can request your IT Administrator to route Azure Active Directory Logs to Datadog. For more information, see [Azure AD activity logs in Azure Monitor](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md). +You can request your IT Administrator to route Microsoft Entra logs to Datadog. For more information, see [Microsoft Entra activity logs in Azure Monitor](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md). The logs sent to Datadog will be charged by Azure. For more information, see the [pricing of platform logs](https://azure.microsoft.com/pricing/details/monitor/) sent to Azure Marketplace partners. Once you have completed configuring metrics and logs, select **Next: Single sign ## Configure single sign-on -If your organization uses Azure Active Directory as its identity provider, you can establish single sign-on from the Azure portal to Datadog. If your organization uses a different identity provider or you don't want to establish single sign-on at this time, you can skip this section. +If your organization uses Microsoft Entra ID as its identity provider, you can establish single sign-on from the Azure portal to Datadog. If your organization uses a different identity provider or you don't want to establish single sign-on at this time, you can skip this section. -To establish single sign-on through Azure Active directory, select the checkbox for **Enable single sign-on through Azure Active Directory**. +To establish single sign-on through Microsoft Entra ID, select the checkbox for **Enable single sign-on through Microsoft Entra ID**. -The Azure portal retrieves the appropriate Datadog application from Azure Active Directory. The app matches the Enterprise app you provided in an earlier step. +The Azure portal retrieves the appropriate Datadog application from Microsoft Entra ID. The app matches the Enterprise app you provided in an earlier step. Select the Datadog app name. |
partner-solutions | Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/datadog/manage.md | To uninstall Datadog agents on the app service, go to **App Service Extension**. If you would like to reconfigure single sign-on, select **Single sign-on** in the left pane. -To establish single sign-on through Azure Active directory, select **Enable single sign-on through Azure Active Directory**. +To establish single sign-on through Microsoft Entra ID, select **Enable single sign-on through Microsoft Entra ID**. -The portal retrieves the appropriate Datadog application from Azure Active Directory. The app comes from the enterprise app name you selected when setting up integration. Select the Datadog app name: +The portal retrieves the appropriate Datadog application from Microsoft Entra ID. The app comes from the enterprise app name you selected when setting up integration. Select the Datadog app name: :::image type="content" source="media/manage/reconfigure-single-sign-on.png" alt-text="Reconfigure single sign-on application." border="true"::: |
partner-solutions | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/datadog/prerequisites.md | To use the Security Assertion Markup Language (SAML) single sign-on (SSO) featur Use the following steps to set up the enterprise application: -1. Go to [Azure portal](https://portal.azure.com). Select **Azure Active Directory**. +1. Go to [Azure portal](https://portal.azure.com). Select **Microsoft Entra ID**. 1. In the left pane, select **Enterprise applications**. 1. Select **New Application**. 1. In **Add from the gallery**, search for *Datadog*. Select the search result then select **Add**. - :::image type="content" source="media/prerequisites/datadog-azure-ad-app-gallery.png" alt-text="Datadog application in the Azure A D enterprise gallery." border="true"::: + :::image type="content" source="media/prerequisites/datadog-azure-ad-app-gallery.png" alt-text="Datadog application in the Microsoft Entra enterprise gallery." border="true"::: 1. Once the app is created, go to properties from the side panel. Set **User assignment required?** to **No**, and select **Save**. |
partner-solutions | Dynatrace Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/dynatrace/dynatrace-create.md | Use the Azure portal to find Azure Native Dynatrace Service application. - **Send Azure resource logs for all defined sources** - Azure resource logs provide insight into operations that were taken on an Azure resource at the [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). For example, getting a secret from a Key Vault is a data plane operation. Or, making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type. - - **Send Azure Active Directory logs** – Azure Active Directory logs allow you to route the audit, sign-in, and provisioning logs to Dynatrace. The details are listed in [Azure AD activity logs in Azure Monitor](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md). The global administrator or security administrator for your Azure Active Directory (AAD) tenant can enable AAD logs. + - **Send Microsoft Entra logs** – Microsoft Entra logs allow you to route the audit, sign-in, and provisioning logs to Dynatrace. The details are listed in [Microsoft Entra activity logs in Azure Monitor](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md). The global administrator or security administrator for your Microsoft Entra tenant can enable Microsoft Entra logs. 1. To send subscription level logs to Dynatrace, select **Send subscription activity logs**. If this option is left unchecked, none of the subscription level logs are sent to Dynatrace. Use the Azure portal to find Azure Native Dynatrace Service application. ### Configure single sign-on -1. You can establish single sign-on to Dynatrace from the Azure portal when your organization uses Azure Active Directory as its identity provider. 
If your organization uses a different identity provider or you don't want to establish single sign-on at this time, you can skip this section. +1. You can establish single sign-on to Dynatrace from the Azure portal when your organization uses Microsoft Entra ID as its identity provider. If your organization uses a different identity provider or you don't want to establish single sign-on at this time, you can skip this section. :::image type="content" source="media/dynatrace-create/dynatrace-single-sign-on.png" alt-text="Screenshot showing options for single sign-on."::: -1. To establish single sign-on through Azure Active directory, select the checkbox for **Enable single sign-on through Azure Active Directory**. +1. To establish single sign-on through Microsoft Entra ID, select the checkbox for **Enable single sign-on through Microsoft Entra ID**. - The Azure portal retrieves the appropriate Dynatrace application from Azure Active Directory. The app matches the Enterprise app you provided in an earlier step. + The Azure portal retrieves the appropriate Dynatrace application from Microsoft Entra ID. The app matches the Enterprise app you provided in an earlier step. ## Next steps |
partner-solutions | Dynatrace How To Configure Prereqs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/dynatrace/dynatrace-how-to-configure-prereqs.md | Last updated 02/02/2023 # Configure pre-deployment -This article describes the prerequisites that must be completed in your Azure subscription or Azure Active Directory before you create your first Dynatrace resource in Azure. +This article describes the prerequisites that must be completed in your Azure subscription or Microsoft Entra ID before you create your first Dynatrace resource in Azure. ## Access control To set up Dynatrace for Azure, you must have **Owner** or **Contributor** access To use the Security Assertion Markup Language (SAML) based single sign-on (SSO) feature within the Dynatrace resource, you must set up an enterprise application. To add an enterprise application, you need one of these roles: Global administrator, Cloud Application Administrator, or Application Administrator. -1. Go to Azure portal. Select **Azure Active Directory,** then **Enterprise App** and then **New Application**. +1. Go to Azure portal. Select **Microsoft Entra ID,** then **Enterprise App** and then **New Application**. 1. Under **Add from the gallery**, type in `Dynatrace`. Select the search result then select **Create**. |
partner-solutions | Dynatrace How To Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/dynatrace/dynatrace-how-to-manage.md | If you would like to reconfigure single sign-on, select **Single sign-on** in th If single sign-on was already configured, you can disable it. -To establish single sign-on or change the application, select **Enable single sign-on through Azure Active Directory**. The portal retrieves Dynatrace application from Azure Active Directory. The app comes from the enterprise app name selected during the [pre-configuration steps](dynatrace-how-to-configure-prereqs.md). +To establish single sign-on or change the application, select **Enable single sign-on through Microsoft Entra ID**. The portal retrieves Dynatrace application from Microsoft Entra ID. The app comes from the enterprise app name selected during the [pre-configuration steps](dynatrace-how-to-configure-prereqs.md). ## Delete Dynatrace resource |
partner-solutions | Dynatrace Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/dynatrace/dynatrace-troubleshoot.md | This document contains information about troubleshooting your solutions that use - To set up the Azure Native Dynatrace Service, you must have **Owner** or **Contributor** access on the Azure subscription. Ensure you have the appropriate access before starting the setup. -- Create fails because Last Name is empty. The issue happens when the user info in Azure AD is incomplete and doesn't contain Last Name. Contact your Azure tenant's global administrator to rectify the issue and try again.+- Create fails because Last Name is empty. The issue happens when the user info in Microsoft Entra ID is incomplete and doesn't contain Last Name. Contact your Azure tenant's global administrator to rectify the issue and try again. ### Logs not being emitted or Limit reached issue |
partner-solutions | Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/logzio/create.md | Single sign-on (SSO) is an optional feature: - To opt out of SSO, skip this step. - To opt in to SSO, see [Set up Logz.io single sign-on](setup-sso.md). -After Azure AD is configured, from the **Single sign-on** tab, select your Logz.io SSO application. +After Microsoft Entra ID is configured, from the **Single sign-on** tab, select your Logz.io SSO application. :::image type="content" source="./media/create/sso.png" alt-text="Configure single sign-on."::: |
partner-solutions | Setup Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/logzio/setup-sso.md | -This article describes how to set up single sign-on (SSO) in Azure Active Directory. SSO for Logz.io integration is optional. +This article describes how to set up single sign-on (SSO) in Microsoft Entra ID. SSO for Logz.io integration is optional. ## Configure single sign-on To use the Security Assertion Markup Language (SAML) SSO feature within the Logz.io resource, you must set up an enterprise application. 1. Sign in to the [Azure portal](https://portal.azure.com).-1. From the portal menu, select **Azure Active Directory** or search for _Azure Active Directory_. +1. From the portal menu, select **Microsoft Entra ID** or search for _Azure Active Directory_. 1. Go to **Manage** > **Enterprise Applications** and select the **New Application** button.-1. Search for _Logz.io_ and select SAML application named **Logz.io - Azure AD Integration** and then select **Create**. +1. Search for _Logz.io_ and select SAML application named **Logz.io - Microsoft Entra Integration** and then select **Create**. - :::image type="content" source="./media/sso-setup/gallery.png" alt-text="Browse Azure Active Directory gallery."::: + :::image type="content" source="./media/sso-setup/gallery.png" alt-text="Browse Microsoft Entra gallery."::: 1. From the **Overview**, copy the **Application ID** of the SSO application. |
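Review bot: The `+` line "select **Microsoft Entra ID** or search for _Azure Active Directory_" renames the menu item but leaves the search term as the old name, so the step contradicts itself. Either update the search term to _Microsoft Entra ID_ or, if searching the old name is deliberately kept because the portal still matches it, say so explicitly.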
partner-solutions | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/overview.md | A list of features of any Azure Native ISV Service is listed below. - Integrated onboarding: Use ARM template, SDK, CLI and the Azure portal to create and manage services. - Unified management: Manage entire lifecycle of these ISV services through the Azure portal.-- Unified access: Use Single Sign-on (SSO) through Azure Active Directory--no need for separate ISV authentications for subscribing to the service.+- Unified access: Use Single Sign-on (SSO) through Microsoft Entra ID--no need for separate ISV authentications for subscribing to the service. ### Integrations - Logs and metrics: Seamlessly direct logs and metrics from Azure Monitor to the Azure Native ISV Service using just a few gestures. You can configure auto-discovery of resources to monitor, and set up automatic log forwarding and metrics shipping. You can easily do the setup in Azure, without needing to create additional infrastructure or write custom code. - VNet injection: Provides private data plane access to Azure Native ISV services from customersΓÇÖ virtual networks. - Unified billing: Engage with a single entity, Microsoft Azure Marketplace, for billing. No separate license purchase is required to use Azure Native ISV Services.-- |
partner-solutions | Qumulo How To Setup Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/qumulo/qumulo-how-to-setup-features.md | Key links to get started: ## Authentication Azure Native Qumulo Scalable File Service enables you to connect to:-- [Azure Active Directory](https://care.qumulo.com/hc/en-us/articles/115007276068-Join-your-Qumulo-Cluster-to-Active-Directory#in-this-article-0-0), or+- [Microsoft Entra ID](https://care.qumulo.com/hc/en-us/articles/115007276068-Join-your-Qumulo-Cluster-to-Active-Directory#in-this-article-0-0), or - [Active Directory Domain Services](https://care.qumulo.com/hc/en-us/articles/1500005254761-Qumulo-on-Azure-Connect-to-Azure-Active-Directory). ## Developer tools |
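Review bot: The first link is now labelled "Microsoft Entra ID" but its target is Qumulo's "Join your Qumulo Cluster to Active Directory" article, while the second, labelled "Active Directory Domain Services", points to "Qumulo on Azure: Connect to Azure Active Directory"; the labels and targets look swapped, and relabelling only the first one makes the mismatch worse. Check which backend each Qumulo article actually describes before renaming: joining a cluster to a domain and federating with a Microsoft Entra tenant are different integrations with different authentication paths, and a reader choosing by label alone will follow the wrong one.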
postgresql | Concepts Azure Ad Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-azure-ad-authentication.md | Title: Active Directory authentication - Azure Database for PostgreSQL - Flexible Server -description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for PostgreSQL - Flexible Server +description: Learn about the concepts of Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server -# Azure Active Directory Authentication with PostgreSQL Flexible Server +# Microsoft Entra authentication with PostgreSQL Flexible Server [!INCLUDE [applies-to-postgresql-Flexible-server](../includes/applies-to-postgresql-Flexible-server.md)] -Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of connecting to Azure Database for PostgreSQL using identities defined in Azure AD. -With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. +Microsoft Entra authentication is a mechanism of connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. +With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. 
-Benefits of using Azure AD include: +Benefits of using Microsoft Entra ID include: - Authentication of users across Azure Services in a uniform way - Management of password policies and password rotation in a single place-- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords-- Customers can manage database permissions using external (Azure AD) groups.-- Azure AD authentication uses PostgreSQL database roles to authenticate identities at the database level+- Multiple forms of authentication supported by Microsoft Entra ID, which can eliminate the need to store passwords +- Customers can manage database permissions using external (Microsoft Entra ID) groups. +- Microsoft Entra authentication uses PostgreSQL database roles to authenticate identities at the database level - Support of token-based authentication for applications connecting to Azure Database for PostgreSQL -## Azure Active Directory Authentication (Single Server VS Flexible Server) +<a name='azure-active-directory-authentication-single-server-vs-flexible-server'></a> -Azure Active Directory Authentication for Flexible Server is built using our experience and feedback we've collected from Azure Database for PostgreSQL Single Server, and supports the following features and improvements over single server: +## Microsoft Entra authentication (Single Server VS Flexible Server) -The following table provides a list of high-level Azure AD features and capabilities comparisons between Single Server and Flexible Server +Microsoft Entra authentication for Flexible Server is built using our experience and feedback we've collected from Azure Database for PostgreSQL Single Server, and supports the following features and improvements over single server: ++The following table provides a list of high-level Microsoft Entra features and capabilities comparisons between Single Server and Flexible Server | **Feature / Capability** | **Single Server** | 
**Flexible Server** | | | | |-| Multiple Azure AD Admins | No | Yes | +| Multiple Microsoft Entra Admins | No | Yes | | Managed Identities (System & User assigned) | Partial | Full | | Invited User Support | No | Yes | | Disable Password Authentication | Not Available | Available | | Service Principal can act as group member | No | Yes |-| Audit Azure AD Logins | No | Yes | +| Audit Microsoft Entra Logins | No | Yes | | PG bouncer support | No | Yes | -## How Azure AD Works In Flexible Server +<a name='how-azure-ad-works-in-flexible-server'></a> ++## How Microsoft Entra ID Works In Flexible Server -The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for PostgreSQL. The arrows indicate communication pathways. +The following high-level diagram summarizes how authentication works using Microsoft Entra authentication with Azure Database for PostgreSQL. The arrows indicate communication pathways. ![authentication flow][1] - Use these steps to configure Azure AD with Azure Database for PostgreSQL Flexible Server [Configure and sign in with Azure AD for Azure Database for PostgreSQL Flexible Server](how-to-configure-sign-in-azure-ad-authentication.md). + Use these steps to configure Microsoft Entra ID with Azure Database for PostgreSQL Flexible Server [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL Flexible Server](how-to-configure-sign-in-azure-ad-authentication.md). ## Manage PostgreSQL Access For AD Principals -When Azure AD authentication is enabled and Azure AD principal is added as an Azure AD administrator the account gets the same privileges as the original PostgreSQL administrator. Only Azure AD administrator can manage other Azure AD enabled roles on the server using Azure portal or Database API. The Azure AD administrator sign-in can be an Azure AD user, Azure AD group, Service Principal or Managed Identity. 
Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the PostgreSQL server. Multiple Azure AD administrators can be configured at any time and you can optionally disable password authentication to an Azure Database for PostgreSQL Flexible Server for better auditing and compliance needs. +When Microsoft Entra authentication is enabled and Microsoft Entra principal is added as a Microsoft Entra administrator the account gets the same privileges as the original PostgreSQL administrator. Only Microsoft Entra administrator can manage other Microsoft Entra ID enabled roles on the server using Azure portal or Database API. The Microsoft Entra administrator sign-in can be a Microsoft Entra user, Microsoft Entra group, Service Principal or Managed Identity. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in the PostgreSQL server. Multiple Microsoft Entra administrators can be configured at any time and you can optionally disable password authentication to an Azure Database for PostgreSQL Flexible Server for better auditing and compliance needs. ![admin structure][2] > [!NOTE] - > Service Principal or Managed Identity can now act as fully functional Azure AD Administrator in Flexible Server and this was a limitation in our Single Server. + > Service Principal or Managed Identity can now act as fully functional Microsoft Entra Administrator in Flexible Server and this was a limitation in our Single Server. ++Microsoft Entra administrators that are created via Portal, API or SQL would have the same permissions as the regular admin user created during server provisioning. Additionally, database permissions for non-admin Microsoft Entra ID enabled roles are managed similar to regular roles. 
-Azure AD administrators that are created via Portal, API or SQL would have the same permissions as the regular admin user created during server provisioning. Additionally, database permissions for non-admin Azure AD enabled roles are managed similar to regular roles. +<a name='connect-using-azure-ad-identities'></a> -## Connect using Azure AD identities +## Connect using Microsoft Entra identities -Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities: +Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities: -- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA+- Microsoft Entra Password +- Microsoft Entra integrated +- Microsoft Entra Universal with MFA - Using Active Directory Application certificates or client secrets - [Managed Identity](how-to-connect-with-managed-identity.md) Once you've authenticated against the Active Directory, you then retrieve a token. This token is your password for logging in. > [!NOTE] -> Use these steps to configure Azure AD with Azure Database for PostgreSQL Flexible Server [Configure and sign in with Azure AD for Azure Database for PostgreSQL Flexible Server](how-to-configure-sign-in-azure-ad-authentication.md). +> Use these steps to configure Microsoft Entra ID with Azure Database for PostgreSQL Flexible Server [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL Flexible Server](how-to-configure-sign-in-azure-ad-authentication.md). ## Other considerations -- Multiple Azure AD principals (a user, group, service principal or managed identity) can be configured as Azure AD Administrator for an Azure Database for PostgreSQL server at any time.-- Only an Azure AD administrator for PostgreSQL can initially connect to the Azure Database for PostgreSQL using an Azure Active Directory account. 
The Active Directory administrator can configure subsequent Azure AD database users.-- If an Azure AD principal is deleted from Azure AD, it still remains as PostgreSQL role, but it will no longer be able to acquire new access token. In this case, although the matching role still exists in the database it won't be able to authenticate to the server. Database administrators need to transfer ownership and drop roles manually.+- Multiple Microsoft Entra principals (a user, group, service principal or managed identity) can be configured as Microsoft Entra Administrator for an Azure Database for PostgreSQL server at any time. +- Only a Microsoft Entra administrator for PostgreSQL can initially connect to the Azure Database for PostgreSQL using a Microsoft Entra account. The Active Directory administrator can configure subsequent Microsoft Entra database users. +- If a Microsoft Entra principal is deleted from Microsoft Entra ID, it still remains as PostgreSQL role, but it will no longer be able to acquire new access token. In this case, although the matching role still exists in the database it won't be able to authenticate to the server. Database administrators need to transfer ownership and drop roles manually. > [!NOTE] -> Login with the deleted Azure AD user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for PostgreSQL this access will be revoked immediately. +> Login with the deleted Microsoft Entra user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for PostgreSQL this access will be revoked immediately. -- Azure Database for PostgreSQL Flexible Server matches access tokens to the database role using the userΓÇÖs unique Azure Active Directory user ID, as opposed to using the username. 
If an Azure AD user is deleted and a new user is created with the same name, Azure Database for PostgreSQL Flexible Server considers that a different user. Therefore, if a user is deleted from Azure AD and a new user is added with the same name the new user won't be able to connect with the existing role.+- Azure Database for PostgreSQL Flexible Server matches access tokens to the database role using the userΓÇÖs unique Microsoft Entra user ID, as opposed to using the username. If a Microsoft Entra user is deleted and a new user is created with the same name, Azure Database for PostgreSQL Flexible Server considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and a new user is added with the same name the new user won't be able to connect with the existing role. ## Next steps -- To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for PostgreSQL, see [Configure and sign in with Azure AD for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md).-- To learn how to manage Azure AD users for Flexible Server, see [Manage Azure Active Directory users - Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md).+- To learn how to create and populate Microsoft Entra ID, and then configure Microsoft Entra ID with Azure Database for PostgreSQL, see [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). +- To learn how to manage Microsoft Entra users for Flexible Server, see [Manage Microsoft Entra users - Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md). <!--Image references--> |
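Review bot: The page metadata `Title: Active Directory authentication - Azure Database for PostgreSQL - Flexible Server` was left unchanged while the description and H1 were renamed, so the browser title and search listing still say Active Directory. In "Connect using Microsoft Entra identities" the bullet list mixes cases ("Microsoft Entra Password", "Microsoft Entra integrated", "Microsoft Entra Universal with MFA") and two sentences kept the old name ("Using Active Directory Application certificates or client secrets", "Once you've authenticated against the Active Directory"), as did "The Active Directory administrator can configure subsequent Microsoft Entra database users" under Other considerations; the heading "(Single Server VS Flexible Server)" should be "vs." as well. On the security content, the NOTE that a deleted principal can keep signing in until its token expires (up to 60 minutes) is the caveat readers most need, and it says removing the user from the database revokes access "immediately"; state whether that covers connections already open, since the preceding bullet says the role "still remains as PostgreSQL role" until an administrator transfers ownership and drops it.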
postgresql | Concepts Compare Single Server Flexible Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-compare-single-server-flexible-server.md | The following table provides a list of high-level features and capabilities comp | pg_cron, lo, pglogical | No | Yes | | pgAudit | Preview | Yes | | **Security** | | |-| Azure Active Directory Support (AAD) | Yes | Yes | +| Microsoft Entra ID Support (Microsoft Entra ID) | Yes | Yes | | Customer managed encryption key (BYOK) | Yes | Yes | | SCRAM Authentication (SHA-256) | No | Yes | | Secure Sockets Layer support (SSL) | Yes | Yes | |
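Review bot: The Security row now reads "Microsoft Entra ID Support (Microsoft Entra ID)"; the mechanical rename replaced the abbreviation "(AAD)" with the full name, leaving a redundant parenthetical. Drop it, since the adjacent rows use the parenthetical for a real abbreviation ("(BYOK)", "(SSL)") and there is no accepted short form to put there.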
postgresql | Concepts Compute Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-compute-storage.md | To avoid this situation, the server is automatically switched to read-only mode We recommend that you actively monitor the disk space that's in use and increase the disk size before you run out of storage. You can set up an alert to notify you when your server storage is approaching an out-of-disk state. For more information, see [Use the Azure portal to set up alerts on metrics for Azure Database for PostgreSQL - Flexible Server](howto-alert-on-metrics.md). -### Storage auto-grow (preview) +### Storage auto-grow Storage auto-grow can help ensure that your server always has enough storage capacity and doesn't become read-only. When you turn on storage auto-grow, the storage will automatically expand without affecting the workload. This feature is currently in preview. Remember that storage can only be scaled up, not down. ## Limitations - Disk scaling operations are always online, except in specific scenarios that involve the 4,096-GiB boundary. These scenarios include reaching, starting at, or crossing the 4,096-GiB limit. An example is when you're scaling from 2,048 GiB to 8,192 GiB.+ +- Host Caching (ReadOnly and Read/Write) is supported on disk sizes less than 4 TiB. This means any disk that is provisioned up to 4095 GiB can take advantage of Host Caching. Host caching is not supported for disk sizes more than or equal to 4096 GiB. For example, a P50 premium disk provisioned at 4095 GiB can take advantage of Host caching and a P50 disk provisioned at 4096 GiB cannot take advantage of Host Caching. Customers moving from lower disk size to 4096 Gib or higher will lose disk caching ability. - This limitation is due to the underlying Azure managed disk, which needs a manual disk scaling operation. You receive an informational message in the portal when you approach this limit. 
+ This limitation is due to the underlying Azure Managed disk, which needs a manual disk scaling operation. You receive an informational message in the portal when you approach this limit. -- Storage auto-grow currently doesn't work for high-availability or read-replica-enabled servers.+- Storage auto-grow currently doesn't work with read-replica-enabled servers. - Storage auto-grow isn't triggered when you have high WAL usage. |
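Review bot: "(preview)" was removed from the "Storage auto-grow" heading, but the paragraph under it still says "This feature is currently in preview"; one of the two is wrong, so either delete that sentence or restore the heading. In Limitations, the new Host Caching bullet was inserted between the disk-scaling bullet and its continuation line ("This limitation is due to the underlying Azure Managed disk, which needs a manual disk scaling operation..."), so that explanation now reads as if it belongs to host caching rather than to the 4,096-GiB scaling boundary; move the new bullet after the continuation. The continuation line itself was deleted and re-added only to capitalise "Managed", which adds diff noise for no change in meaning.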
postgresql | Concepts Data Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-data-encryption.md | The DEKs, encrypted with the KEKs, are stored separately. Only an entity with ac :::image type="content" source="./media/concepts-data-encryption/postgresql-data-encryption-overview.png" alt-text ="Diagram that shows an overview of Bring Your Own Key." ::: -Azure Active Directory [user- assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) will be used to connect and retrieve customer-managed key. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity. +Microsoft Entra [user- assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) will be used to connect and retrieve customer-managed key. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity. For a PostgreSQL server to use customer-managed keys stored in Key Vault for encryption of the DEK, a Key Vault administrator gives the following **access rights** to the managed identity created above: When the server is configured to use the customer-managed key stored in the key The following are requirements for configuring Key Vault: -- Key Vault and Azure Database for PostgreSQL Flexible Server must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving the Key Vault resource afterward requires you to reconfigure the data encryption.+- Key Vault and Azure Database for PostgreSQL Flexible Server must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving the Key Vault resource afterward requires you to reconfigure the data encryption. 
- The key Vault must be set with 90 days for 'Days to retain deleted vaults'. If the existing key Vault has been configured with a lower number, you'll need to create a new key vault as it can't be modified after creation. It might happen that someone with sufficient access rights to Key Vault accident - Changing the Key Vault's firewall rules. -- Deleting the managed identity of the server in Azure AD.+- Deleting the managed identity of the server in Microsoft Entra ID. ## Monitor the customer-managed key in Key Vault Avoid issues while setting up customer-managed data encryption during restore or - Initiate the restore or read replica creation process from the primary Azure Database for PostgreSQL - Flexible Server. -- On the restored/replica server, you can change the customer-managed key and\or Azure Active Directory (Azure AD) identity used to access Azure Key Vault in the data encryption settings. Ensure that the newly created server is given list, wrap and unwrap permissions to the key stored in Key Vault.+- On the restored/replica server, you can change the customer-managed key and\or Microsoft Entra identity used to access Azure Key Vault in the data encryption settings. Ensure that the newly created server is given list, wrap and unwrap permissions to the key stored in Key Vault. - Don't revoke the original key after restoring, as at this time we don't support key revocation after restoring CMK enabled server to another server Some of the reasons why server state can become *Inaccessible* are: - If you delete the KeyVault, the Azure Database for PostgreSQL - Flexible Server will be unable to access the key and will move to *Inaccessible* state. [Recover the Key Vault](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the server *Available*. - If you delete the key from the KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state. 
[Recover the Key](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the server *Available*.-- If you delete [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) from Azure AD that is used to retrieve a key from KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state.[Recover the identity](../../active-directory/fundamentals/recover-from-deletions.md) and revalidate data encryption to make server *Available*. +- If you delete [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) from Microsoft Entra ID that is used to retrieve a key from KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state.[Recover the identity](../../active-directory/fundamentals/recover-from-deletions.md) and revalidate data encryption to make server *Available*. - If you revoke the Key Vault's list, get, wrapKey, and unwrapKey access policies from the [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) that is used to retrieve a key from KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state. [Add required access policies](../../key-vault/general/assign-access-policy.md) to the identity in KeyVault. - If you set up overly restrictive Azure KeyVault firewall rules that cause Azure Database for PostgreSQL- Flexible Server inability to communicate with Azure KeyVault to retrieve keys. 
If you enable [KeyVault firewall](../../key-vault/general/overview-vnet-service-endpoints.md#trusted-services), make sure you check an option to *'Allow Trusted Microsoft Services to bypass this firewall.'* The following are current limitations for configuring the customer-managed key i ## Next steps -- [Azure Active Directory](../../active-directory-domain-services/overview.md)+- [Microsoft Entra ID](../../active-directory-domain-services/overview.md) |
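Review bot: The Next steps link labelled "Microsoft Entra ID" points to `../../active-directory-domain-services/overview.md`, which is the Domain Services overview, a different product from the Microsoft Entra tenant that this page says must contain both the Key Vault and the server; relabel the link or point it at the Microsoft Entra ID overview. Two smaller items: "Microsoft Entra [user- assigned managed identity]" carries a stray space from the old text, and the page states the required Key Vault rights two ways ("list, wrap and unwrap permissions" in the restore section, "list, get, wrapKey, and unwrapKey access policies" in the Inaccessible-state section); the two lists should match so a reader does not grant a subset and then hit the Inaccessible state described later.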
postgresql | Concepts Networking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-networking.md | Here are some concepts to be familiar with when you're using virtual networks wi Your flexible server must be in a subnet that's *delegated*. That is, only Azure Database for PostgreSQL - Flexible Server instances can use that subnet. No other Azure resource types can be in the delegated subnet. You delegate a subnet by assigning its delegation property as `Microsoft.DBforPostgreSQL/flexibleServers`. The smallest CIDR range you can specify for the subnet is /28, which provides sixteen IP addresses, however the first and last address in any network or subnet can't be assigned to any individual host. Azure reserves five IPs to be utilized internally by Azure networking, which include two IPs that cannot be assigned to host, mentioned above. This leaves you eleven available IP addresses for /28 CIDR range, whereas a single Flexible Server with High Availability features utilizes 4 addresses. - For Replication and Azure AD connections please make sure Route Tables do not affect traffic.A common pattern is route all outbound traffic via an Azure Firewall or a custom / on premise network filtering appliance. + For Replication and Microsoft Entra connections please make sure Route Tables do not affect traffic.A common pattern is route all outbound traffic via an Azure Firewall or a custom / on premise network filtering appliance. 
If the subnet has a Route Table associated with the rule to route all traffic to a virtual appliance: * Add a rule with Destination Service Tag ΓÇ£AzureActiveDirectoryΓÇ¥ and next hop ΓÇ£InternetΓÇ¥ * Add a rule with Destination IP range same as PostgreSQL subnet range and next hop ΓÇ£Virtual NetworkΓÇ¥ Here are some concepts to be familiar with when you're using virtual networks wi At this time, we don't support NSGs where an ASG is part of the rule with Azure Database for PostgreSQL - Flexible Server. We currently advise using [IP-based source or destination filtering](../../virtual-network/network-security-groups-overview.md#security-rules) in an NSG. > [!IMPORTANT]- > High availability and other Features of Azure Database for PostgreSQL - Flexible Server require ability to send\receive traffic to **destination port 5432** within Azure virtual network subnet where Azure Database for PostgreSQL - Flexible Server is deployed , as well as to **Azure storage** for log archival. If you create **[Network Security Groups (NSG)](../../virtual-network/network-security-groups-overview.md)** to deny traffic flow to or from your Azure Database for PostgreSQL - Flexible Server within the subnet where its deployed, please **make sure to allow traffic to destination port 5432** within the subnet, and also to Azure storage by using **[service tag](../../virtual-network/service-tags-overview.md) Azure Storage** as a destination. Also, if you elect to use [Azure Active Directory authentication](concepts-azure-ad-authentication.md) to authenticate logins to your Azure Database for PostgreSQL - Flexible Server please allow outbound traffic to Azure AD using Azure AD [service tag](../../virtual-network/service-tags-overview.md). 
+ > High availability and other Features of Azure Database for PostgreSQL - Flexible Server require ability to send\receive traffic to **destination port 5432** within Azure virtual network subnet where Azure Database for PostgreSQL - Flexible Server is deployed , as well as to **Azure storage** for log archival. If you create **[Network Security Groups (NSG)](../../virtual-network/network-security-groups-overview.md)** to deny traffic flow to or from your Azure Database for PostgreSQL - Flexible Server within the subnet where its deployed, please **make sure to allow traffic to destination port 5432** within the subnet, and also to Azure storage by using **[service tag](../../virtual-network/service-tags-overview.md) Azure Storage** as a destination. Also, if you elect to use [Microsoft Entra authentication](concepts-azure-ad-authentication.md) to authenticate logins to your Azure Database for PostgreSQL - Flexible Server please allow outbound traffic to Microsoft Entra ID using Microsoft Entra [service tag](../../virtual-network/service-tags-overview.md). > When setting up [Read Replicas across Azure regions](./concepts-read-replicas.md) , Azure Database for PostgreSQL - Flexible Server requires ability to send\receive traffic to **destination port 5432** for both primary and replica, as well as to **[Azure storage](../../virtual-network/service-tags-overview.md#available-service-tags)** in primary and replica regions from both primary and replica servers. * **Private DNS zone integration**. Azure private DNS zone integration allows you to resolve the private DNS within the current virtual network or any in-region peered virtual network where the private DNS zone is linked. |
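Review bot: The route-table bullet names the tag "AzureActiveDirectory", which is still the correct service tag name after the rename, but the NSG note in the same section now says "allow outbound traffic to Microsoft Entra ID using Microsoft Entra [service tag]" without naming it; spell out `AzureActiveDirectory` there too, otherwise a reader looking for a "MicrosoftEntra" tag will not find one. The sentence "Route Tables do not affect traffic.A common pattern is route all outbound traffic" is missing a space and a verb, and the quotation marks in the two route bullets are mis-encoded (ΓÇ£ ΓÇ¥). It is also worth saying plainly that the "next hop Internet" rule sends the identity traffic around the Azure Firewall or appliance that the preceding sentence describes as the common pattern, because that bypass is exactly what a network reviewer will ask about.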
postgresql | Concepts Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-security.md | ALTER ROLE ## Next steps - Enable [firewall rules for IP addresses](concepts-firewall-rules.md) for public access networking. - Learn about [private access networking with Azure Database for PostgreSQL - Flexible Server](concepts-networking.md).-- Learn about [Azure Active Directory authentication](../concepts-aad-authentication.md) in Azure Database for PostgreSQL.+- Learn about [Microsoft Entra authentication](../concepts-aad-authentication.md) in Azure Database for PostgreSQL. |
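Review bot: The Next steps link now says "Microsoft Entra authentication" but still points to `../concepts-aad-authentication.md`, the concepts page one directory up, while this is the Flexible Server security page; the Flexible Server concepts page is `concepts-azure-ad-authentication.md` in the same folder, which is what the networking and Java articles in this same changeset link to. Readers following the current link land on the Single Server article, which describes a different feature set.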
postgresql | Connect Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/connect-java.md | This article demonstrates creating a sample application that uses Java and [JDBC JDBC is the standard Java API to connect to traditional relational databases. -In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and PostgreSQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the PostgreSQL authentication. +In this article, we'll include two authentication methods: Microsoft Entra authentication and PostgreSQL authentication. The **Passwordless** tab shows the Microsoft Entra authentication and the **Password** tab shows the PostgreSQL authentication. -Azure AD authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. +Microsoft Entra authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. PostgreSQL authentication uses accounts stored in PostgreSQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in PostgreSQL, you'll need to manage the rotation of the passwords by yourself. Replace the placeholders with the following values, which are used throughout th - `<YOUR_DATABASE_SERVER_NAME>`: The name of your PostgreSQL server, which should be unique across Azure. - `<YOUR_DATABASE_NAME>`: The database name of the PostgreSQL server, which should be unique within Azure. 
- `<YOUR_AZURE_REGION>`: The Azure region you'll use. You can use `eastus` by default, but we recommend that you configure a region closer to where you live. You can see the full list of available regions by entering `az account list-locations`.-- `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`: The username of your PostgreSQL database server. Make ensure the username is a valid user in your Azure AD tenant.+- `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`: The username of your PostgreSQL database server. Make ensure the username is a valid user in your Microsoft Entra tenant. - `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Spring Boot application. One convenient way to find it is to open [whatismyip.akamai.com](http://whatismyip.akamai.com/). > [!IMPORTANT]-> When setting `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`, the username must already exist in your Azure AD tenant or you will be unable to create an Azure AD user in your database. +> When setting `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`, the username must already exist in your Microsoft Entra tenant or you will be unable to create a Microsoft Entra user in your database. ### [Password](#tab/password) az postgres flexible-server create \ --output tsv ``` -To set up an Azure AD administrator after creating the server, follow the steps in [Manage Azure Active Directory roles in Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md). +To set up a Microsoft Entra administrator after creating the server, follow the steps in [Manage Microsoft Entra roles in Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md). > [!IMPORTANT]-> When setting up an administrator, a new user with full administrator privileges is added to the PostgreSQL Flexible Server's Azure database. You can create multiple Azure AD administrators per PostgreSQL Flexible Server. 
+> When setting up an administrator, a new user with full administrator privileges is added to the PostgreSQL Flexible Server's Azure database. You can create multiple Microsoft Entra administrators per PostgreSQL Flexible Server. #### [Password](#tab/password) az postgres flexible-server db create \ Next, create a non-admin user and grant all permissions to the database. > [!NOTE]-> You can read more detailed information about managing PostgreSQL users in [Manage Azure Active Directory users - Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md). +> You can read more detailed information about managing PostgreSQL users in [Manage Microsoft Entra users - Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md). #### [Passwordless (Recommended)](#tab/passwordless) select * from pgaadauth_create_principal('$AZ_POSTGRESQL_AD_NON_ADMIN_USERNAME', EOF ``` -Then, use the following command to run the SQL script to create the Azure AD non-admin user: +Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user: ```bash psql "host=$AZ_DATABASE_SERVER_NAME.postgres.database.azure.com user=$CURRENT_USERNAME dbname=postgres port=5432 password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) sslmode=require" < create_ad_user.sql GRANT ALL PRIVILEGES ON DATABASE $AZ_DATABASE_NAME TO "$AZ_POSTGRESQL_NON_ADMIN_ EOF ``` -Then, use the following command to run the SQL script to create the Azure AD non-admin user: +Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user: ```bash psql "host=$AZ_DATABASE_SERVER_NAME.postgres.database.azure.com user=$AZ_POSTGRESQL_ADMIN_USERNAME dbname=$AZ_DATABASE_NAME port=5432 password=$AZ_POSTGRESQL_ADMIN_PASSWORD sslmode=require" < create_user.sql |
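Review bot: The rewritten `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>` bullet keeps the typo "Make ensure the username is a valid user in your Microsoft Entra tenant"; since the line is being touched anyway, change it to "Make sure the username is a valid user in your Microsoft Entra tenant". A second point in the same patch: both psql invocations put the secret into the connection string on the command line (`password=$(az account get-access-token ...)` in the passwordless script and `password=$AZ_POSTGRESQL_ADMIN_PASSWORD` in the password script), where it is visible to other local users through the process list and can end up in shell history; exporting it as `PGPASSWORD` for that single command, or reading it from a `.pgpass` file, keeps the same flow without that exposure.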
postgresql | How To Configure Sign In Azure Ad Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-configure-sign-in-azure-ad-authentication.md | Title: Use Azure Active Directory for authentication with Azure Database for PostgreSQL - Flexible Server -description: Learn how to set up Azure Active Directory (Azure AD) for authentication with Azure Database for PostgreSQL - Flexible Server. + Title: Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server +description: Learn how to set up Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server. -# Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server +# Use Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Flexible Server [!INCLUDE [applies-to-postgresql-Flexible-server](../includes/applies-to-postgresql-Flexible-server.md)] -In this article, you'll configure Azure Active Directory (Azure AD) access for authentication with Azure Database for PostgreSQL - Flexible Server. You'll also learn how to use an Azure AD token with Azure Database for PostgreSQL - Flexible Server. +In this article, you'll configure Microsoft Entra ID access for authentication with Azure Database for PostgreSQL - Flexible Server. You'll also learn how to use a Microsoft Entra token with Azure Database for PostgreSQL - Flexible Server. -You can configure Azure AD authentication for Azure Database for PostgreSQL - Flexible Server either during server provisioning or later. Only Azure AD administrator users can create or enable users for Azure AD-based authentication. We recommend not using the Azure AD administrator for regular database operations because that role has elevated user permissions (for example, CREATEDB). 
+You can configure Microsoft Entra authentication for Azure Database for PostgreSQL - Flexible Server either during server provisioning or later. Only Microsoft Entra administrator users can create or enable users for Microsoft Entra ID-based authentication. We recommend not using the Microsoft Entra administrator for regular database operations because that role has elevated user permissions (for example, CREATEDB). -You can have multiple Azure AD admin users with Azure Database for PostgreSQL - Flexible Server. Azure AD admin users can be a user, a group, or service principal. +You can have multiple Microsoft Entra admin users with Azure Database for PostgreSQL - Flexible Server. Microsoft Entra admin users can be a user, a group, or service principal. ## Prerequisites **Configure network requirements** -Azure AD is a multitenant application. It requires outbound connectivity to perform certain operations, like adding Azure AD admin groups. Additionally, you need network rules for Azure AD connectivity to work, depending on your network topology: +Microsoft Entra ID is a multitenant application. It requires outbound connectivity to perform certain operations, like adding Microsoft Entra admin groups. Additionally, you need network rules for Microsoft Entra connectivity to work, depending on your network topology: - **Public access (allowed IP addresses)**: No extra network rules are required. - **Private access (virtual network integration)**: Azure AD is a multitenant application. It requires outbound connectivity to perf - If you're using a route table, you need to create a rule with destination service tag `AzureActiveDirectory` and next hop `Internet`. - Optionally, if you're using a proxy, you can add a new firewall rule to allow HTTP/S traffic to reach only the `AzureActiveDirectory` service tag. -To set the Azure AD admin during server provisioning, follow these steps: +To set the Microsoft Entra admin during server provisioning, follow these steps: -1. 
In the Azure portal, during server provisioning, select either **PostgreSQL and Azure Active Directory authentication** or **Azure Active Directory authentication only** as the authentication method. -1. On the **Set admin** tab, select a valid Azure AD user, group, service principal, or managed identity in the customer tenant to be the Azure AD administrator. +1. In the Azure portal, during server provisioning, select either **PostgreSQL and Microsoft Entra authentication** or **Microsoft Entra authentication only** as the authentication method. +1. On the **Set admin** tab, select a valid Microsoft Entra user, group, service principal, or managed identity in the customer tenant to be the Microsoft Entra administrator. - You can optionally add a local PostgreSQL admin account if you prefer using the **PostgreSQL and Azure Active Directory authentication** method. + You can optionally add a local PostgreSQL admin account if you prefer using the **PostgreSQL and Microsoft Entra authentication** method. > [!NOTE] - > You can add only one Azure admin user during server provisioning. You can add multiple Azure AD admin users after the Server is created. + > You can add only one Azure admin user during server provisioning. You can add multiple Microsoft Entra admin users after the Server is created. - :::image type="content" source="media/how-to-configure-sign-in-Azure-ad-authentication/set-Azure-ad-admin-server-creation.png" alt-text="Screenshot that shows selections for setting an Azure AD admin during server provisioning.]"::: + :::image type="content" source="media/how-to-configure-sign-in-Azure-ad-authentication/set-Azure-ad-admin-server-creation.png" alt-text="Screenshot that shows selections for setting a Microsoft Entra admin during server provisioning.]"::: -To set the Azure AD administrator after server creation, follow these steps: +To set the Microsoft Entra administrator after server creation, follow these steps: -1. 
In the Azure portal, select the instance of Azure Database for PostgreSQL - Flexible Server that you want to enable for Azure AD. -1. Under **Security**, select **Authentication**. Then choose either **PostgreSQL and Azure Active Directory authentication** or **Azure Active Directory authentication only** as the authentication method, based on your requirements. -1. Select **Add Azure AD Admins**. Then select a valid Azure AD user, group, service principal, or managed identity in the customer tenant to be an Azure AD administrator. +1. In the Azure portal, select the instance of Azure Database for PostgreSQL - Flexible Server that you want to enable for Microsoft Entra ID. +1. Under **Security**, select **Authentication**. Then choose either **PostgreSQL and Microsoft Entra authentication** or **Microsoft Entra authentication only** as the authentication method, based on your requirements. +1. Select **Add Microsoft Entra Admins**. Then select a valid Microsoft Entra user, group, service principal, or managed identity in the customer tenant to be a Microsoft Entra administrator. 1. Select **Save**. - :::image type="content" source="media/how-to-configure-sign-in-Azure-ad-authentication/set-Azure-ad-admin.png" alt-text="Screenshot that shows selections for setting an Azure AD admin after server creation."::: + :::image type="content" source="media/how-to-configure-sign-in-Azure-ad-authentication/set-Azure-ad-admin.png" alt-text="Screenshot that shows selections for setting a Microsoft Entra admin after server creation."::: > [!IMPORTANT] > When setting the administrator, a new user is added to Azure Database for PostgreSQL - Flexible Server with full administrator permissions. 
-## Connect to Azure Database for PostgreSQL by using Azure AD +<a name='connect-to-azure-database-for-postgresql-by-using-azure-ad'></a> -The following high-level diagram summarizes the workflow of using Azure AD authentication with Azure Database for PostgreSQL: +## Connect to Azure Database for PostgreSQL by using Microsoft Entra ID - :::image type="content" source="media/how-to-configure-sign-in-Azure-ad-authentication/authentication-flow.png" alt-text="Diagram of authentication flow between Azure Active Directory, the user's computer, and the server."::: +The following high-level diagram summarizes the workflow of using Microsoft Entra authentication with Azure Database for PostgreSQL: -Azure AD integration works with standard PostgreSQL tools like psql, which aren't Azure AD aware and support only specifying the username and password when you're connecting to PostgreSQL. As shown in the preceding diagram, the Azure AD token is passed as the password. + :::image type="content" source="media/how-to-configure-sign-in-Azure-ad-authentication/authentication-flow.png" alt-text="Diagram of authentication flow between Microsoft Entra ID, the user's computer, and the server."::: ++Microsoft Entra integration works with standard PostgreSQL tools like psql, which aren't Microsoft Entra aware and support only specifying the username and password when you're connecting to PostgreSQL. As shown in the preceding diagram, the Microsoft Entra token is passed as the password. We've tested the following clients: We've tested the following clients: - **Other libpq-based clients**: Examples include common application frameworks and object-relational mappers (ORMs). - **PgAdmin**: Clear **Connect now** at server creation. -## Authenticate with Azure AD +<a name='authenticate-with-azure-ad'></a> ++## Authenticate with Microsoft Entra ID -Use the following procedures to authenticate with Azure AD as an Azure Database for PostgreSQL - Flexible Server user. 
You can follow along in Azure Cloud Shell, on an Azure virtual machine, or on your local machine. +Use the following procedures to authenticate with Microsoft Entra ID as an Azure Database for PostgreSQL - Flexible Server user. You can follow along in Azure Cloud Shell, on an Azure virtual machine, or on your local machine. ### Sign in to the user's Azure subscription -Start by authenticating with Azure AD by using the Azure CLI. This step isn't required in Azure Cloud Shell. +Start by authenticating with Microsoft Entra ID by using the Azure CLI. This step isn't required in Azure Cloud Shell. ```azurecli-interactive az login ``` -The command opens a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and password. +The command opens a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and password. ++<a name='retrieve-the-azure-ad-access-token'></a> -### Retrieve the Azure AD access token +### Retrieve the Microsoft Entra access token -Use the Azure CLI to acquire an access token for the Azure AD authenticated user to access Azure Database for PostgreSQL. Here's an example of the public cloud: +Use the Azure CLI to acquire an access token for the Microsoft Entra authenticated user to access Azure Database for PostgreSQL. Here's an example of the public cloud: ```azurecli-interactive az account get-access-token --resource https://ossrdbms-aad.database.windows.net For Azure CLI version 2.0.71 and later, you can specify the command in the follo az account get-access-token --resource-type oss-rdbms ``` -After authentication is successful, Azure AD returns an access token: +After authentication is successful, Microsoft Entra ID returns an access token: ```json { psql "host=mydb.postgres... 
user=user@tenant.onmicrosoft.com dbname=postgres ssl ### Use a token as a password for signing in with PgAdmin -To connect by using an Azure AD token with PgAdmin, follow these steps: +To connect by using a Microsoft Entra token with PgAdmin, follow these steps: 1. Clear the **Connect now** option at server creation. 1. Enter your server details on the **Connection** tab and save. To connect by using an Azure AD token with PgAdmin, follow these steps: Here are some essential considerations when you're connecting: -- `user@tenant.onmicrosoft.com` is the name of the Azure AD user.-- Be sure to use the exact way the Azure user is spelled. Azure AD user and group names are case-sensitive.+- `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra user. +- Be sure to use the exact way the Azure user is spelled. Microsoft Entra user and group names are case-sensitive. - If the name contains spaces, use a backslash (`\`) before each space to escape it. - The access token's validity is 5 minutes to 60 minutes. You should get the access token before initiating the sign-in to Azure Database for PostgreSQL. -You're now authenticated to your Azure Database for PostgreSQL server through Azure AD authentication. +You're now authenticated to your Azure Database for PostgreSQL server through Microsoft Entra authentication. -## Authenticate with Azure AD as a group member +<a name='authenticate-with-azure-ad-as-a-group-member'></a> -### Create Azure AD groups in Azure Database for PostgreSQL - Flexible Server +## Authenticate with Microsoft Entra ID as a group member -To enable an Azure AD group to access your database, use the same mechanism you used for users, but specify the group name instead. 
For example: +<a name='create-azure-ad-groups-in-azure-database-for-postgresqlflexible-server'></a> ++### Create Microsoft Entra groups in Azure Database for PostgreSQL - Flexible Server ++To enable a Microsoft Entra group to access your database, use the same mechanism you used for users, but specify the group name instead. For example: ```sql select * from pgaadauth_create_principal('Prod DB Readonly', false, false). When group members sign in, they use their access tokens but specify the group n ### Sign in to the user's Azure subscription -Authenticate with Azure AD by using the Azure CLI. This step isn't required in Azure Cloud Shell. The user needs to be a member of the Azure AD group. +Authenticate with Microsoft Entra ID by using the Azure CLI. This step isn't required in Azure Cloud Shell. The user needs to be a member of the Microsoft Entra group. ```azurecli-interactive az login ``` -### Retrieve the Azure AD access token +<a name='retrieve-the-azure-ad-access-token'></a> ++### Retrieve the Microsoft Entra access token -Use the Azure CLI to acquire an access token for the Azure AD authenticated user to access Azure Database for PostgreSQL. Here's an example of the public cloud: +Use the Azure CLI to acquire an access token for the Microsoft Entra authenticated user to access Azure Database for PostgreSQL. 
Here's an example of the public cloud: ```azurecli-interactive az account get-access-token --resource https://ossrdbms-aad.database.windows.net For Azure CLI version 2.0.71 and later, you can specify the command in the follo az account get-access-token --resource-type oss-rdbms ``` -After authentication is successful, Azure AD returns an access token: +After authentication is successful, Microsoft Entra ID returns an access token: ```json { After authentication is successful, Azure AD returns an access token: These considerations are essential when you're connecting as a group member: -- The group name is the name of the Azure AD group that you're trying to connect.-- Be sure to use the exact way the Azure AD group name is spelled. Azure AD user and group names are case-sensitive.+- The group name is the name of the Microsoft Entra group that you're trying to connect. +- Be sure to use the exact way the Microsoft Entra group name is spelled. Microsoft Entra user and group names are case-sensitive. - When you're connecting as a group, use only the group name and not the alias of a group member. - If the name contains spaces, use a backslash (`\`) before each space to escape it. - The access token's validity is 5 minutes to 60 minutes. We recommend you get the access token before initiating the sign-in to Azure Database for PostgreSQL. -You're now authenticated to your PostgreSQL server through Azure AD authentication. +You're now authenticated to your PostgreSQL server through Microsoft Entra authentication. ## Next steps -- Review the overall concepts for [Azure AD authentication with Azure Database for PostgreSQL - Flexible Server](concepts-azure-ad-authentication.md).-- Learn how to [Manage Azure Active Directory users - Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md).+- Review the overall concepts for [Microsoft Entra authentication with Azure Database for PostgreSQL - Flexible Server](concepts-azure-ad-authentication.md). 
+- Learn how to [Manage Microsoft Entra users - Azure Database for PostgreSQL - Flexible Server](how-to-manage-azure-ad-users.md). |
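Review bot: The anchor `<a name='retrieve-the-azure-ad-access-token'></a>` is added twice on this page, once before each "Retrieve the Microsoft Entra access token" heading (in the single-user flow and again in the group-member flow), so the second copy is a duplicate id and the old `#retrieve-the-azure-ad-access-token` link can only ever land on the first; give the group-member copy a distinct name or drop it. Three smaller points in the same patch: the new alt-text for the server-provisioning screenshot still carries a stray `]` before the closing quote ("...during server provisioning.]"); the **Private access (virtual network integration)** bullet in the prerequisites is left unchanged and still reads "Azure AD is a multitenant application", so the rename is incomplete there; and the unchanged example `select * from pgaadauth_create_principal('Prod DB Readonly', false, false).` ends with a period where a semicolon is needed for it to run in psql.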
postgresql | How To Connect With Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-connect-with-managed-identity.md | -You can use both system-assigned and user-assigned managed identities to authenticate to Azure Database for PostgreSQL. This article shows you how to use a system-assigned managed identity for an Azure Virtual Machine (VM) to access an Azure Database for PostgreSQL server. Managed Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication without needing to insert credentials into your code. +You can use both system-assigned and user-assigned managed identities to authenticate to Azure Database for PostgreSQL. This article shows you how to use a system-assigned managed identity for an Azure Virtual Machine (VM) to access an Azure Database for PostgreSQL server. Managed Identities are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication without needing to insert credentials into your code. You learn how to: - Grant your VM access to an Azure Database for PostgreSQL Flexible server You learn how to: - If you're not familiar with the managed identities for Azure resources feature, see this [overview](../../../articles/active-directory/managed-identities-azure-resources/overview.md). If you don't have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue. - To do the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with a role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../../articles/role-based-access-control/role-assignments-portal.md). 
- You need an Azure VM (for example, running Ubuntu Linux) that you'd like to use to access your database using Managed Identity-- You need an Azure Database for PostgreSQL database server that has [Azure AD authentication](how-to-configure-sign-in-azure-ad-authentication.md) configured+- You need an Azure Database for PostgreSQL database server that has [Microsoft Entra authentication](how-to-configure-sign-in-azure-ad-authentication.md) configured - To follow the C# example, first, complete the guide on how to [Connect with C#](connect-csharp.md) ## Create a system-assigned managed identity for your VM az ad sp list --display-name vm-name --query [*].appId --out tsv ## Create a PostgreSQL user for your Managed Identity -Now, connect as the Azure AD administrator user to your PostgreSQL database, and run the following SQL statements, replacing `CLIENT_ID` with the client ID you retrieved for your system-assigned managed identity: +Now, connect as the Microsoft Entra administrator user to your PostgreSQL database, and run the following SQL statements, replacing `CLIENT_ID` with the client ID you retrieved for your system-assigned managed identity: ```sql select * from pgaadauth_create_principal('<identity_name>', false, false); ``` -For more information on managing Azure AD enabled database roles, see [how to manage Azure AD enabled PostgreSQL roles](./how-to-manage-azure-ad-users.md) +For more information on managing Microsoft Entra ID enabled database roles, see [how to manage Microsoft Entra ID enabled PostgreSQL roles](./how-to-manage-azure-ad-users.md) -The managed identity now has access when authenticating with the identity name as a role name and the Azure AD token as a password. +The managed identity now has access when authenticating with the identity name as a role name and the Microsoft Entra token as a password. ## Retrieve the access token from the Azure Instance Metadata service You're now connected to the database you configured earlier. 
## Connect using Managed Identity in C# -This section shows how to get an access token using the VM's user-assigned managed identity and use it to call Azure Database for PostgreSQL. Azure Database for PostgreSQL natively supports Azure AD authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. When creating a connection to PostgreSQL, you pass the access token in the password field. +This section shows how to get an access token using the VM's user-assigned managed identity and use it to call Azure Database for PostgreSQL. Azure Database for PostgreSQL natively supports Microsoft Entra authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. When creating a connection to PostgreSQL, you pass the access token in the password field. -Here's a .NET code example of opening a connection to PostgreSQL using an access token. This code must run on the VM to use the system-assigned managed identity to obtain an access token from Azure AD. Replace the values of HOST, USER, DATABASE, and CLIENT_ID. +Here's a .NET code example of opening a connection to PostgreSQL using an access token. This code must run on the VM to use the system-assigned managed identity to obtain an access token from Microsoft Entra ID. Replace the values of HOST, USER, DATABASE, and CLIENT_ID. ```csharp using System; Postgres version: PostgreSQL 11.11, compiled by Visual C++ build 1800, 64-bit ## Next steps -- Review the overall concepts for [Azure Active Directory authentication with Azure Database for PostgreSQL](concepts-azure-ad-authentication.md)+- Review the overall concepts for [Microsoft Entra authentication with Azure Database for PostgreSQL](concepts-azure-ad-authentication.md) |
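Review bot: The rewritten opening sentence of "Connect using Managed Identity in C#" still says the token is obtained "using the VM's user-assigned managed identity", while the very next paragraph and the article intro describe a system-assigned managed identity; make it "system-assigned" (or explain why this section differs). Also, in the "Create a PostgreSQL user for your Managed Identity" hunk the prose says to replace `CLIENT_ID` with the client ID you retrieved, but the SQL shown is `select * from pgaadauth_create_principal('<identity_name>', false, false);`, which has no `CLIENT_ID` placeholder; align the sentence with the statement by telling the reader what to substitute for `<identity_name>`.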
postgresql | How To Create Server Customer Managed Key Azure Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-create-server-customer-managed-key-azure-api.md | You can also programmatically fetch Key Vault Uri using [Azure REST API](/rest/a ## Next steps - [Flexible Server encryption with Customer Managed Key (CMK)](../flexible-server/concepts-data-encryption.md)-- [Azure Active Directory](../../active-directory-domain-services/overview.md)+- [Microsoft Entra ID](../../active-directory-domain-services/overview.md) |
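Review bot: The renamed Next steps link "[Microsoft Entra ID](../../active-directory-domain-services/overview.md)" now labels a link to the Domain Services overview (Microsoft Entra Domain Services, a separate product) as Microsoft Entra ID; either point it at the Microsoft Entra ID overview or keep link text that describes Domain Services.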
postgresql | How To Create Server Customer Managed Key Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-create-server-customer-managed-key-portal.md | In this article, you learn how to create and manage Azure Database for PostgreSQ ## Setup Customer Managed Key during Server Creation Prerequisites: -- Azure Active Directory (Azure AD) user managed identity in region where Postgres Flex Server will be created. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity.+- Microsoft Entra user managed identity in region where Postgres Flex Server will be created. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity. - Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key. Follow [requirements section in concepts doc](concepts-data-encryption.md) for required Azure Key Vault settings Follow the steps below to enable CMK while creating Postgres Flexible Server usi 2. Provide required information on Basics and Networking tabs -3. Navigate to Security tab. On the screen, provide Azure Active Directory (Azure AD) identity that has access to the Key Vault and Key in Key Vault in the same region where you're creating this server +3. Navigate to Security tab. On the screen, provide Microsoft Entra ID identity that has access to the Key Vault and Key in Key Vault in the same region where you're creating this server 4. On Review Summary tab, make sure that you provided correct information in Security section and press Create button Follow the steps below to enable CMK while creating Postgres Flexible Server usi Prerequisites: -- Azure Active Directory (Azure AD) user-managed identity in region where Postgres Flex Server will be created. 
Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity.+- Microsoft Entra user-managed identity in region where Postgres Flex Server will be created. Follow this [tutorial](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) to create identity. - Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key. Follow the steps below to update CMK on CMK enabled Flexible Server using Azure ## Next steps -- [Manage an Azure Database for PostgreSQL - Flexible Server by using Azure portal](how-to-manage-server-portal.md)+- [Manage an Azure Database for PostgreSQL - Flexible Server by using Azure portal](how-to-manage-server-portal.md) |
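Review bot: The rewritten step 3 of the server-creation flow reads "provide Microsoft Entra ID identity", which is redundant and vaguer than the prerequisite it refers back to; write "provide the user-assigned managed identity that has access to the Key Vault and Key" so it matches that prerequisite. The prerequisite itself is spelled "Microsoft Entra user managed identity" in the creation section and "user-managed identity" in the update section; the Azure term is "user-assigned managed identity", and using it in both places removes the inconsistency. In the Next steps hunk the removed and added lines are identical, so that change is whitespace-only and probably unintended.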
postgresql | How To Create Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-create-users.md | -> Azure Active Directory Authentication for PostgreSQL Flexible Server is currently in preview. +> Microsoft Entra authentication for PostgreSQL Flexible Server is currently in preview. Suppose you want to learn how to create and manage Azure subscription users and their privileges. In that case, you can visit the [Azure role-based access control (Azure RBAC) article](../../role-based-access-control/built-in-roles.md) or review [how to customize roles](../../role-based-access-control/custom-roles.md). |
postgresql | How To Manage Azure Ad Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/how-to-manage-azure-ad-users.md | Title: Manage Azure Active Directory Users - Azure Database for PostgreSQL - Flexible Server -description: This article describes how you can manage Azure AD enabled roles to interact with an Azure Database for PostgreSQL - Flexible Server. + Title: Manage Microsoft Entra users - Azure Database for PostgreSQL - Flexible Server +description: This article describes how you can manage Microsoft Entra ID enabled roles to interact with an Azure Database for PostgreSQL - Flexible Server. -# Manage Azure Active Directory roles in Azure Database for PostgreSQL - Flexible Server +# Manage Microsoft Entra roles in Azure Database for PostgreSQL - Flexible Server [!INCLUDE [applies-to-postgresql-Flexible-server](../includes/applies-to-postgresql-Flexible-server.md)] -This article describes how you can create an Azure Active Directory (Azure AD) enabled database roles within an Azure Database for PostgreSQL server. +This article describes how you can create a Microsoft Entra ID enabled database roles within an Azure Database for PostgreSQL server. > [!NOTE] -> This guide assumes you already enabled Azure Active Directory authentication on your PostgreSQL Flexible server. -> See [How to Configure Azure AD Authentication](./how-to-configure-sign-in-azure-ad-authentication.md) +> This guide assumes you already enabled Microsoft Entra authentication on your PostgreSQL Flexible server. +> See [How to Configure Microsoft Entra authentication](./how-to-configure-sign-in-azure-ad-authentication.md) If you like to learn about how to create and manage Azure subscription users and their privileges, you can visit the [Azure role-based access control (Azure RBAC) article](../../role-based-access-control/built-in-roles.md) or review [how to customize roles](../../role-based-access-control/custom-roles.md). 
-## Create or Delete Azure AD administrators using Azure portal or Azure Resource Manager (ARM) API +<a name='create-or-delete-azure-ad-administrators-using-azure-portal-or-azure-resource-manager-arm-api'></a> ++## Create or Delete Microsoft Entra administrators using Azure portal or Azure Resource Manager (ARM) API 1. Open **Authentication** page for your Azure Database for PostgreSQL Flexible Server in Azure portal-1. To add an administrator - select **Add Azure AD Admin** and select a user, group, application or a managed identity from the current Azure AD tenant. +1. To add an administrator - select **Add Microsoft Entra Admin** and select a user, group, application or a managed identity from the current Microsoft Entra tenant. 1. To remove an administrator - select **Delete** icon for the one to remove. 1. Select **Save** and wait for provisioning operation to completed. > [!div class="mx-imgBorder"]-> :::image type="content" source="./media/how-to-manage-azure-ad-users/add-aad-principal-via-portal.png" alt-text="Screenshot of managing Azure AD administrators via portal."::: +> :::image type="content" source="./media/how-to-manage-azure-ad-users/add-aad-principal-via-portal.png" alt-text="Screenshot of managing Microsoft Entra administrators via portal."::: > [!NOTE] -> Support for Azure AD Administrators management via Azure SDK, az cli and Azure PowerShell is coming soon. +> Support for Microsoft Entra Administrators management via Azure SDK, az cli and Azure PowerShell is coming soon. ++<a name='manage-azure-ad-roles-using-sql'></a> -## Manage Azure AD roles using SQL +## Manage Microsoft Entra roles using SQL -Once first Azure AD administrator is created from the Azure portal or API, you can use the administrator role to manage Azure AD roles in your Azure Database for PostgreSQL Flexible Server. 
+Once first Microsoft Entra administrator is created from the Azure portal or API, you can use the administrator role to manage Microsoft Entra roles in your Azure Database for PostgreSQL Flexible Server. -We recommend getting familiar with [Microsoft identity platform](../../active-directory/develop/v2-overview.md). for best use of Azure AD integration with Azure Database for PostgreSQL Flexible Servers. +We recommend getting familiar with [Microsoft identity platform](../../active-directory/develop/v2-overview.md). for best use of Microsoft Entra integration with Azure Database for PostgreSQL Flexible Servers. ### Principal Types Azure Database for PostgreSQL Flexible servers internally stores mapping between PostgreSQL database roles and unique identifiers of AzureAD objects.-Each PostgreSQL database role can be mapped to one of the following Azure AD object types: +Each PostgreSQL database role can be mapped to one of the following Microsoft Entra object types: 1. **User** - Including Tenant local and guest users. 1. **Service Principal**. Including [Applications and Managed identities](../../active-directory/develop/app-objects-and-service-principals.md)-1. **Group** When a PostgreSQL Role is linked to an Azure AD group, any user or service principal member of this group can connect to the Azure Database for PostgreSQL Flexible Server instance with the group role. +1. **Group** When a PostgreSQL Role is linked to a Microsoft Entra group, any user or service principal member of this group can connect to the Azure Database for PostgreSQL Flexible Server instance with the group role. 
++<a name='list-azure-ad-roles-using-sql'></a> -### List Azure AD roles using SQL +### List Microsoft Entra roles using SQL ```sql select * from pgaadauth_list_principals(true); select * from pgaadauth_list_principals(true); **Parameters:** - *true* -will return Admin users.-- *false* -will return all AAD user both AAD admins and Non AAD admins.+- *false* -will return all Microsoft Entra user both Microsoft Entra admins and Non Microsoft Entra admins. -## Create a role using Azure AD principal name +<a name='create-a-role-using-azure-ad-principal-name'></a> ++## Create a role using Microsoft Entra principal name ```sql select * from pgaadauth_create_principal('<roleName>', <isAdmin>, <isMfa>); For example: select * from pgaadauth_create_principal('mary@contoso.com', false, ``` **Parameters:**-- *roleName* - Name of the role to be created. This **must match a name of Azure AD principal**:+- *roleName* - Name of the role to be created. This **must match a name of Microsoft Entra principal**: - For **users** use User Principal Name from Profile. For guest users, include the full name in their home domain with #EXT# tag. - For **groups** and **service principals** use display name. The name must be unique in the tenant. - *isAdmin* - Set to **true** if when creating an admin user and **false** for a regular user. Admin user created this way has the same privileges as one created via portal or API. - *isMfa* - Flag if Multi Factor Authentication must be enforced for this role. 
-## Create a role using Azure AD object identifier +<a name='create-a-role-using-azure-ad-object-identifier'></a> ++## Create a role using Microsoft Entra object identifier ```sql select * from pgaadauth_create_principal_with_oid('<roleName>', '<objectId>', '<objectType>', <isAdmin>, <isMfa>); For example: select * from pgaadauth_create_principal_with_oid('accounting_appli **Parameters:** - *roleName* - Name of the role to be created.-- *objectId* - Unique object identifier of the Azure AD object:- - For **Users**, **Groups** and **Managed Identities** the ObjectId can be found by searching for the object name in Azure AD page in Azure portal. [See this guide as example](/partner-center/find-ids-and-domain-names) +- *objectId* - Unique object identifier of the Microsoft Entra object: + - For **Users**, **Groups** and **Managed Identities** the ObjectId can be found by searching for the object name in Microsoft Entra ID page in Azure portal. [See this guide as example](/partner-center/find-ids-and-domain-names) - For **Applications**, Objectid of the corresponding **Service Principal** must be used. In Azure portal the required ObjectId can be found on **Enterprise Applications** page.-- *objectType* - Type of the Azure AD object to link to this role: service, user, group.+- *objectType* - Type of the Microsoft Entra object to link to this role: service, user, group. - *isAdmin* - Set to **true** if when creating an admin user and **false** for a regular user. Admin user created this way has the same privileges as one created via portal or API. - *isMfa* - Flag if Multi Factor Authentication must be enforced for this role. 
-## Enable Azure AD authentication for an existing PostgreSQL role using SQL +<a name='enable-azure-ad-authentication-for-an-existing-postgresql-role-using-sql'></a> ++## Enable Microsoft Entra authentication for an existing PostgreSQL role using SQL -Azure Database for PostgreSQL Flexible Servers uses Security Labels associated with database roles to store Azure AD mapping. +Azure Database for PostgreSQL Flexible Servers uses Security Labels associated with database roles to store Microsoft Entra ID mapping. You can use the following SQL to assign security label: SECURITY LABEL for "pgaadauth" on role "<roleName>" is 'aadauth,oid=<objectId>,t ``` **Parameters:**-- *roleName* - Name of an existing PostgreSQL role to which Azure AD authentication needs to be enabled.-- *objectId* - Unique object identifier of the Azure AD object.+- *roleName* - Name of an existing PostgreSQL role to which Microsoft Entra authentication needs to be enabled. +- *objectId* - Unique object identifier of the Microsoft Entra object. - *user* - End user principals. - *service* - Applications or Managed Identities connecting under their own service credentials.-- *group* - Name of Azure AD Group.+- *group* - Name of Microsoft Entra group. ## Next steps -- Review the overall concepts for [Azure Active Directory authentication with Azure Database for PostgreSQL - Flexible Server](concepts-azure-ad-authentication.md)+- Review the overall concepts for [Microsoft Entra authentication with Azure Database for PostgreSQL - Flexible Server](concepts-azure-ad-authentication.md) |
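Review bot: the rewritten sentence under "Manage Microsoft Entra roles using SQL" carries over the stray period that splits it in two: `+We recommend getting familiar with [Microsoft identity platform](../../active-directory/develop/v2-overview.md). for best use of Microsoft Entra integration with Azure Database for PostgreSQL Flexible Servers.` should drop the period after the link, and the preceding added line should read "Once the first Microsoft Entra administrator is created". The unchanged context line "unique identifiers of AzureAD objects" in "Principal Types" is also left with the old name while the lines around it are renamed; since this paragraph was touched anyway, rename it to "Microsoft Entra objects" so the term is consistent.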
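Review bot: the `pgaadauth_list_principals` parameter description in "List Microsoft Entra roles using SQL" is still ungrammatical after the rename: `+- *false* -will return all Microsoft Entra user both Microsoft Entra admins and Non Microsoft Entra admins.` should read "*false* - returns all Microsoft Entra users, both admins and non-admins", with the *true* bullet worded to match ("returns Microsoft Entra admin users only"), since the flag decides whether a role review sees every Entra-mapped role or only the privileged ones. In the "Enable Microsoft Entra authentication for an existing PostgreSQL role using SQL" hunk, "*roleName* - Name of an existing PostgreSQL role to which Microsoft Entra authentication needs to be enabled" should say "for which", and "Microsoft Entra ID mapping" in the same hunk should be "Microsoft Entra mapping" to match the rest of the article.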
postgresql | Tutorial Django Aks Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/tutorial-django-aks-database.md | az group delete --name django-project --yes --no-wait ``` > [!NOTE]-> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal. +> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal. ## Next steps |
postgresql | Concepts Azure Ad Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/concepts-azure-ad-authentication.md | Title: Active Directory authentication - Azure Database for PostgreSQL - Single Server -description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for PostgreSQL - Single Server +description: Learn about the concepts of Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Single Server -# Use Azure Active Directory for authenticating with PostgreSQL +# Use Microsoft Entra ID for authenticating with PostgreSQL [!INCLUDE [applies-to-postgresql-single-server](../includes/applies-to-postgresql-single-server.md)] [!INCLUDE [azure-database-for-postgresql-single-server-deprecation](../includes/azure-database-for-postgresql-single-server-deprecation.md)] -Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of connecting to Azure Database for PostgreSQL using identities defined in Azure AD. -With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. +Microsoft Entra authentication is a mechanism of connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. +With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. 
-Benefits of using Azure AD include: +Benefits of using Microsoft Entra ID include: - Authentication of users across Azure Services in a uniform way - Management of password policies and password rotation in a single place-- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords-- Customers can manage database permissions using external (Azure AD) groups.-- Azure AD authentication uses PostgreSQL database roles to authenticate identities at the database level+- Multiple forms of authentication supported by Microsoft Entra ID, which can eliminate the need to store passwords +- Customers can manage database permissions using external (Microsoft Entra ID) groups. +- Microsoft Entra authentication uses PostgreSQL database roles to authenticate identities at the database level - Support of token-based authentication for applications connecting to Azure Database for PostgreSQL -To configure and use Azure Active Directory authentication, use the following process: +To configure and use Microsoft Entra authentication, use the following process: -1. Create and populate Azure Active Directory with user identities as needed. +1. Create and populate Microsoft Entra ID with user identities as needed. 2. Optionally associate or change the Active Directory currently associated with your Azure subscription.-3. Create an Azure AD administrator for the Azure Database for PostgreSQL server. -4. Create database users in your database mapped to Azure AD identities. -5. Connect to your database by retrieving a token for an Azure AD identity and logging in. +3. Create a Microsoft Entra administrator for the Azure Database for PostgreSQL server. +4. Create database users in your database mapped to Microsoft Entra identities. +5. Connect to your database by retrieving a token for a Microsoft Entra identity and logging in. 
> [!NOTE]-> To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for PostgreSQL, see [Configure and sign in with Azure AD for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). +> To learn how to create and populate Microsoft Entra ID, and then configure Microsoft Entra ID with Azure Database for PostgreSQL, see [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). ## Architecture -The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for PostgreSQL. The arrows indicate communication pathways. +The following high-level diagram summarizes how authentication works using Microsoft Entra authentication with Azure Database for PostgreSQL. The arrows indicate communication pathways. ![authentication flow][1] ## Administrator structure -When using Azure AD authentication, there are two Administrator accounts for the PostgreSQL server; the original PostgreSQL administrator and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the PostgreSQL server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the PostgreSQL server. Only one Azure AD administrator (a user or group) can be configured at any time. +When using Microsoft Entra authentication, there are two Administrator accounts for the PostgreSQL server; the original PostgreSQL administrator and the Microsoft Entra administrator. 
Only the administrator based on a Microsoft Entra account can create the first Microsoft Entra ID contained database user in a user database. The Microsoft Entra administrator login can be a Microsoft Entra user or a Microsoft Entra group. When the administrator is a group account, it can be used by any group member, enabling multiple Microsoft Entra administrators for the PostgreSQL server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in the PostgreSQL server. Only one Microsoft Entra administrator (a user or group) can be configured at any time. ![admin structure][2] >[!NOTE]- > Service Principal or Managed Identity cannot act as fully functional Azure AD Administrator in Single Server and this limitation is fixed in our Flexible Server + > Service Principal or Managed Identity cannot act as fully functional Microsoft Entra Administrator in Single Server and this limitation is fixed in our Flexible Server ## Permissions -To create new users that can authenticate with Azure AD, you must have the `azure_ad_admin` role in the database. This role is assigned by configuring the Azure AD Administrator account for a specific Azure Database for PostgreSQL server. +To create new users that can authenticate with Microsoft Entra ID, you must have the `azure_ad_admin` role in the database. This role is assigned by configuring the Microsoft Entra Administrator account for a specific Azure Database for PostgreSQL server. -To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in [Configure and Login with Azure AD for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). +To create a new Microsoft Entra database user, you must connect as the Microsoft Entra administrator. 
This is demonstrated in [Configure and Login with Microsoft Entra ID for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). -Any Azure AD authentication is only possible if the Azure AD admin was created for Azure Database for PostgreSQL. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials. +Any Microsoft Entra authentication is only possible if the Microsoft Entra admin was created for Azure Database for PostgreSQL. If the Microsoft Entra admin was removed from the server, existing Microsoft Entra users created previously can no longer connect to the database using their Microsoft Entra credentials. -## Connecting using Azure AD identities +<a name='connecting-using-azure-ad-identities'></a> -Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities: +## Connecting using Microsoft Entra identities -- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA+Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities: ++- Microsoft Entra Password +- Microsoft Entra integrated +- Microsoft Entra Universal with MFA - Using Active Directory Application certificates or client secrets - [Managed Identity](how-to-connect-with-managed-identity.md) Once you have authenticated against the Active Directory, you then retrieve a token. This token is your password for logging in. -Please note that management operations, such as adding new users, are only supported for Azure AD user roles at this point. +Please note that management operations, such as adding new users, are only supported for Microsoft Entra user roles at this point. 
> [!NOTE]-> For more details on how to connect with an Active Directory token, see [Configure and sign in with Azure AD for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). +> For more details on how to connect with an Active Directory token, see [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). ## Additional considerations -- To enhance manageability, we recommend you provision a dedicated Azure AD group as an administrator.-- Only one Azure AD administrator (a user or group) can be configured for an Azure Database for PostgreSQL server at any time.-- Only an Azure AD administrator for PostgreSQL can initially connect to the Azure Database for PostgreSQL using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users.-- If a user is deleted from Azure AD, that user will no longer be able to authenticate with Azure AD, and therefore it will no longer be possible to acquire an access token for that user. In this case, although the matching role will still be in the database, it will not be possible to connect to the server with that role.+- To enhance manageability, we recommend you provision a dedicated Microsoft Entra group as an administrator. +- Only one Microsoft Entra administrator (a user or group) can be configured for an Azure Database for PostgreSQL server at any time. +- Only a Microsoft Entra administrator for PostgreSQL can initially connect to the Azure Database for PostgreSQL using a Microsoft Entra account. The Active Directory administrator can configure subsequent Microsoft Entra database users. +- If a user is deleted from Microsoft Entra ID, that user will no longer be able to authenticate with Microsoft Entra ID, and therefore it will no longer be possible to acquire an access token for that user. 
In this case, although the matching role will still be in the database, it will not be possible to connect to the server with that role. > [!NOTE]-> Login with the deleted Azure AD user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for PostgreSQL this access will be revoked immediately. -- If the Azure AD admin is removed from the server, the server will no longer be associated with an Azure AD tenant, and therefore all Azure AD logins will be disabled for the server. Adding a new Azure AD admin from the same tenant will reenable Azure AD logins.-- Azure Database for PostgreSQL matches access tokens to the Azure Database for PostgreSQL role using the userΓÇÖs unique Azure AD user ID, as opposed to using the username. This means that if an Azure AD user is deleted in Azure AD and a new user created with the same name, Azure Database for PostgreSQL considers that a different user. Therefore, if a user is deleted from Azure AD and then a new user with the same name added, the new user will not be able to connect with the existing role. To allow that, the Azure Database for PostgreSQL Azure AD admin must revoke and then grant the role ΓÇ£azure_ad_userΓÇ¥ to the user to refresh the Azure AD user ID.+> Login with the deleted Microsoft Entra user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for PostgreSQL this access will be revoked immediately. +- If the Microsoft Entra admin is removed from the server, the server will no longer be associated with a Microsoft Entra tenant, and therefore all Microsoft Entra logins will be disabled for the server. Adding a new Microsoft Entra admin from the same tenant will reenable Microsoft Entra logins. 
+- Azure Database for PostgreSQL matches access tokens to the Azure Database for PostgreSQL role using the userΓÇÖs unique Microsoft Entra user ID, as opposed to using the username. This means that if a Microsoft Entra user is deleted in Microsoft Entra ID and a new user created with the same name, Azure Database for PostgreSQL considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and then a new user with the same name added, the new user will not be able to connect with the existing role. To allow that, the Azure Database for PostgreSQL Microsoft Entra admin must revoke and then grant the role ΓÇ£azure_ad_userΓÇ¥ to the user to refresh the Microsoft Entra user ID. ## Next steps -- To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for PostgreSQL, see [Configure and sign in with Azure AD for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md).+- To learn how to create and populate Microsoft Entra ID, and then configure Microsoft Entra ID with Azure Database for PostgreSQL, see [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL](how-to-configure-sign-in-azure-ad-authentication.md). - For an overview of logins, users, and database roles Azure Database for PostgreSQL, see [Create users in Azure Database for PostgreSQL - Single Server](how-to-create-users.md). <!--Image references--> |
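Review bot: the connection-method list in "Connecting using Microsoft Entra identities" is inconsistently cased after the rename: `+- Microsoft Entra integrated` sits between `+- Microsoft Entra Password` and `+- Microsoft Entra Universal with MFA`, so either capitalize "Integrated" or lowercase the others. The same hunk leaves "Using Active Directory Application certificates or client secrets" and "Once you have authenticated against the Active Directory" with the old name, and in "Additional considerations" the added line still says "The Active Directory administrator can configure subsequent Microsoft Entra database users"; rename these as well so readers do not take "Active Directory" to mean a separate on-premises directory.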
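Review bot: in "Additional considerations" the `> [!NOTE]` about deleted users (`+> Login with the deleted Microsoft Entra user can still be done till the token expires (up to 60 minutes from token issuing).`) is placed between two `-` bullets of the same list, which terminates the list in rendered Markdown; indent the note under the preceding bullet or move it after the list, and change "till" to "until". This note is the security-relevant part of the section (a deleted identity keeps database access until its token expires unless the role is also removed), so it should not be visually orphaned. In the last bullet of that list the curly quotes around the role name survive as mojibake in the added line (`ΓÇ£azure_ad_userΓÇ¥`); write it as `azure_ad_user` in backticks, matching `azure_ad_admin` earlier in the article.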
postgresql | Concepts Data Access And Security Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/concepts-data-access-and-security-vnet.md | You have the option of using [Azure role-based access control (Azure RBAC)][rbac > [!NOTE] > In some cases the Azure Database for PostgreSQL and the VNet-subnet are in different subscriptions. In these cases you must ensure the following configurations:-> - Both subscriptions must be in the same Azure Active Directory tenant. +> - Both subscriptions must be in the same Microsoft Entra tenant. > - The user has the required permissions to initiate operations, such as enabling service endpoints and adding a VNet-subnet to the given Server. > - Make sure that both the subscription have the **Microsoft.Sql** and **Microsoft.DBforPostgreSQL** resource provider registered. For more information refer [resource-manager-registration][resource-manager-portal] |
postgresql | Concepts Data Encryption Postgresql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/concepts-data-encryption-postgresql.md | When the server is configured to use the customer-managed key stored in the key The following are requirements for configuring Key Vault: -* Key Vault and Azure Database for PostgreSQL Single server must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving the Key Vault resource afterwards requires you to reconfigure the data encryption. +* Key Vault and Azure Database for PostgreSQL Single server must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving the Key Vault resource afterwards requires you to reconfigure the data encryption. * The key vault must be set with 90 days for 'Days to retain deleted vaults'. If the existing key vault has been configured with a lower number, you will need to create a new key vault as it cannot be modified after creation. * Enable the soft-delete feature on the key vault, to protect from data loss if an accidental key (or Key Vault) deletion happens. Soft-deleted resources are retained for 90 days, unless the user recovers or purges them in the meantime. The recover and purge actions have their own permissions associated in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through PowerShell or the Azure CLI (note that you can't enable it through the Azure portal). * Enable Purge protection to enforce a mandatory retention period for deleted vaults and vault objects It might happen that someone with sufficient access rights to Key Vault accident * Deleting the key vault. * Changing the key vault's firewall rules. -* Deleting the managed identity of the server in Azure AD. +* Deleting the managed identity of the server in Microsoft Entra ID. 
## Monitor the customer-managed key in Key Vault |
postgresql | Concepts Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/concepts-security.md | Private Link allows you to connect to your Azure Database for PostgreSQL Single While creating the Azure Database for PostgreSQL server, you provide credentials for an administrator role. This administrator role can be used to create additional [PostgreSQL roles](https://www.postgresql.org/docs/current/user-manag.html). -You can also connect to the server using [Azure Active Directory authentication](concepts-azure-ad-authentication.md). +You can also connect to the server using [Microsoft Entra authentication](concepts-azure-ad-authentication.md). ## Threat protection Oracle supports Transparent Data Encryption (TDE) to encrypt table and tablespac ## Next steps - Enable firewall rules for [IPs](concepts-firewall-rules.md) or [virtual networks](concepts-data-access-and-security-vnet.md)-- Learn about [Azure Active Directory authentication](concepts-azure-ad-authentication.md) in Azure Database for PostgreSQL+- Learn about [Microsoft Entra authentication](concepts-azure-ad-authentication.md) in Azure Database for PostgreSQL |
postgresql | Connect Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/connect-java.md | This article demonstrates how to create a sample application that uses Java and JDBC is the standard Java API to connect to traditional relational databases. -In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and PostgreSQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the PostgreSQL authentication. +In this article, we'll include two authentication methods: Microsoft Entra authentication and PostgreSQL authentication. The **Passwordless** tab shows the Microsoft Entra authentication and the **Password** tab shows the PostgreSQL authentication. -Azure AD authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. +Microsoft Entra authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. PostgreSQL authentication uses accounts stored in PostgreSQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in PostgreSQL, you'll need to manage the rotation of the passwords by yourself. Replace the placeholders with the following values, which are used throughout th - `<YOUR_DATABASE_SERVER_NAME>`: The name of your PostgreSQL server, which should be unique across Azure. - `<YOUR_AZURE_REGION>`: The Azure region you'll use. 
You can use `eastus` by default, but we recommend that you configure a region closer to where you live. You can see the full list of available regions by entering `az account list-locations`.-- `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`: The username of your PostgreSQL database server. Make ensure the username is a valid user in your Azure AD tenant.+- `<YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>`: The username of your PostgreSQL database server. Make ensure the username is a valid user in your Microsoft Entra tenant. - `<YOUR_LOCAL_IP_ADDRESS>`: The IP address of your local computer, from which you'll run your Spring Boot application. One convenient way to find it is to open [whatismyip.akamai.com](http://whatismyip.akamai.com/). > [!IMPORTANT]-> When setting <YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>, the username must already exist in your Azure AD tenant or you will be unable to create an Azure AD user in your database. +> When setting <YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>, the username must already exist in your Microsoft Entra tenant or you will be unable to create a Microsoft Entra user in your database. ### [Password](#tab/password) az postgres server create \ --output tsv ``` -Now run the following command to set the Azure AD admin user: +Now run the following command to set the Microsoft Entra admin user: ```azurecli az postgres server ad-admin create \ az postgres server ad-admin create \ ``` > [!IMPORTANT]-> When setting the administrator, a new user is added to the Azure Database for PostgreSQL server with full administrator permissions. Only one Azure AD admin can be created per PostgreSQL server and selection of another one will overwrite the existing Azure AD admin configured for the server. +> When setting the administrator, a new user is added to the Azure Database for PostgreSQL server with full administrator permissions. 
Only one Microsoft Entra admin can be created per PostgreSQL server and selection of another one will overwrite the existing Microsoft Entra admin configured for the server. This command creates a small PostgreSQL server and sets the Active Directory admin to the signed-in user. GRANT ALL PRIVILEGES ON DATABASE $AZ_DATABASE_NAME TO "$AZ_POSTGRESQL_AD_NON_ADM EOF ``` -Then, use the following command to run the SQL script to create the Azure AD non-admin user: +Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user: ```bash psql "host=$AZ_DATABASE_SERVER_NAME.postgres.database.azure.com user=$CURRENT_USERNAME@$AZ_DATABASE_SERVER_NAME dbname=$AZ_DATABASE_NAME port=5432 password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) sslmode=require" < create_ad_user.sql GRANT ALL PRIVILEGES ON DATABASE $AZ_DATABASE_NAME TO "$AZ_POSTGRESQL_NON_ADMIN_ EOF ``` -Then, use the following command to run the SQL script to create the Azure AD non-admin user: +Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user: ```bash psql "host=$AZ_DATABASE_SERVER_NAME.postgres.database.azure.com user=$AZ_POSTGRESQL_ADMIN_USERNAME@$AZ_DATABASE_SERVER_NAME dbname=$AZ_DATABASE_NAME port=5432 password=$AZ_POSTGRESQL_ADMIN_PASSWORD sslmode=require" < create_user.sql |
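Review bot: the placeholder description in the added line `+- <YOUR_POSTGRESQL_AD_NON_ADMIN_USERNAME>: The username of your PostgreSQL database server. Make ensure the username is a valid user in your Microsoft Entra tenant.` should read "Make sure", and the unchanged context line "This command creates a small PostgreSQL server and sets the Active Directory admin to the signed-in user" still uses the old name right after the renamed `az postgres server ad-admin create` step. Separately, both psql invocations below pass the credential inline as `password=...` in the connection-string argument, so the expanded access token or admin password is visible to other processes on the host; since this is the step that runs with the Entra admin role, prefer supplying it through `PGPASSWORD` or a `.pgpass` entry.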
postgresql | How To Configure Sign In Azure Ad Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/how-to-configure-sign-in-azure-ad-authentication.md | Title: Use Azure Active Directory - Azure Database for PostgreSQL - Single Server -description: Learn about how to set up Azure Active Directory (Azure AD) for authentication with Azure Database for PostgreSQL - Single Server + Title: Use Microsoft Entra ID - Azure Database for PostgreSQL - Single Server +description: Learn about how to set up Microsoft Entra ID for authentication with Azure Database for PostgreSQL - Single Server -# Use Azure Active Directory for authentication with PostgreSQL +# Use Microsoft Entra ID for authentication with PostgreSQL [!INCLUDE [applies-to-postgresql-single-server](../includes/applies-to-postgresql-single-server.md)] [!INCLUDE [azure-database-for-postgresql-single-server-deprecation](../includes/azure-database-for-postgresql-single-server-deprecation.md)] -This article will walk you through the steps how to configure Azure Active Directory access with Azure Database for PostgreSQL, and how to connect using an Azure AD token. +This article will walk you through the steps how to configure Microsoft Entra ID access with Azure Database for PostgreSQL, and how to connect using a Microsoft Entra token. -## Setting the Azure AD Admin user +<a name='setting-the-azure-ad-admin-user'></a> -Only Azure AD administrator users can create/enable users for Azure AD-based authentication. We recommend not using the Azure AD administrator for regular database operations, as it has elevated user permissions (e.g. CREATEDB). +## Setting the Microsoft Entra Admin user -To set the Azure AD administrator (you can use a user or a group), please follow the following steps +Only Microsoft Entra administrator users can create/enable users for Microsoft Entra ID-based authentication. 
We recommend not using the Microsoft Entra administrator for regular database operations, as it has elevated user permissions (e.g. CREATEDB). -1. In the Azure portal, select the instance of Azure Database for PostgreSQL that you want to enable for Azure AD. +To set the Microsoft Entra administrator (you can use a user or a group), please follow the following steps ++1. In the Azure portal, select the instance of Azure Database for PostgreSQL that you want to enable for Microsoft Entra ID. 2. Under Settings, select Active Directory Admin: -![set azure ad administrator][2] +![set Microsoft Entra administrator][2] -3. Select a valid Azure AD user in the customer tenant to be Azure AD administrator. +3. Select a valid Microsoft Entra user in the customer tenant to be Microsoft Entra administrator. > [!IMPORTANT] > When setting the administrator, a new user is added to the Azure Database for PostgreSQL server with full administrator permissions. -> The Azure AD Admin user in Azure Database for PostgreSQL will have the role `azure_ad_admin`. -> Only one Azure AD admin can be created per PostgreSQL server and selection of another one will overwrite the existing Azure AD admin configured for the server. -> You can specify an Azure AD group instead of an individual user to have multiple administrators. +> The Microsoft Entra Admin user in Azure Database for PostgreSQL will have the role `azure_ad_admin`. +> Only one Microsoft Entra admin can be created per PostgreSQL server and selection of another one will overwrite the existing Microsoft Entra admin configured for the server. +> You can specify a Microsoft Entra group instead of an individual user to have multiple administrators. ++Only one Microsoft Entra admin can be created per PostgreSQL server and selection of another one will overwrite the existing Microsoft Entra admin configured for the server. You can specify a Microsoft Entra group instead of an individual user to have multiple administrators. 
Note that you will then sign in with the group name for administration purposes. -Only one Azure AD admin can be created per PostgreSQL server and selection of another one will overwrite the existing Azure AD admin configured for the server. You can specify an Azure AD group instead of an individual user to have multiple administrators. Note that you will then sign in with the group name for administration purposes. +<a name='connecting-to-azure-database-for-postgresql-using-azure-ad'></a> -## Connecting to Azure Database for PostgreSQL using Azure AD +## Connecting to Azure Database for PostgreSQL using Microsoft Entra ID -The following high-level diagram summarizes the workflow of using Azure AD authentication with Azure Database for PostgreSQL: +The following high-level diagram summarizes the workflow of using Microsoft Entra authentication with Azure Database for PostgreSQL: ![authentication flow][1] -We've designed the Azure AD integration to work with common PostgreSQL tools like psql, which are not Azure AD aware and only support specifying username and password when connecting to PostgreSQL. We pass the Azure AD token as the password as shown in the picture above. +We've designed the Microsoft Entra integration to work with common PostgreSQL tools like psql, which are not Microsoft Entra aware and only support specifying username and password when connecting to PostgreSQL. We pass the Microsoft Entra token as the password as shown in the picture above. We currently have tested the following clients: We currently have tested the following clients: - Other libpq based clients (e.g. common application frameworks and ORMs) - PgAdmin (uncheck connect now at server creation. 
See step 4 for more information) -These are the steps that a user/application will need to do authenticate with Azure AD described below: +These are the steps that a user/application will need to do authenticate with Microsoft Entra ID described below: ### Prerequisites You can follow along in Azure Cloud Shell, an Azure VM, or on your local machine. Make sure you have the [Azure CLI installed](/cli/azure/install-azure-cli). -## Authenticate with Azure AD as a single user +<a name='authenticate-with-azure-ad-as-a-single-user'></a> ++## Authenticate with Microsoft Entra ID as a single user ### Step 1: Login to the user's Azure subscription -Start by authenticating with Azure AD using the Azure CLI tool. This step is not required in Azure Cloud Shell. +Start by authenticating with Microsoft Entra ID using the Azure CLI tool. This step is not required in Azure Cloud Shell. ``` az login ``` -The command will launch a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and the password. +The command will launch a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and the password. -### Step 2: Retrieve Azure AD access token +<a name='step-2-retrieve-azure-ad-access-token'></a> -Invoke the Azure CLI tool to acquire an access token for the Azure AD authenticated user from step 1 to access Azure Database for PostgreSQL. +### Step 2: Retrieve Microsoft Entra access token ++Invoke the Azure CLI tool to acquire an access token for the Microsoft Entra authenticated user from step 1 to access Azure Database for PostgreSQL. 
Example (for Public Cloud): For Azure CLI version 2.0.71 and later, the command can be specified in the foll az account get-access-token --resource-type oss-rdbms ``` -After authentication is successful, Azure AD will return an access token: +After authentication is successful, Microsoft Entra ID will return an access token: ```json { psql "host=mydb.postgres... user=user@tenant.onmicrosoft.com@mydb dbname=postgre ``` ### Step 4: Use token as a password for logging in with PgAdmin -To connect using Azure AD token with pgAdmin you need to follow the next steps: +To connect using Microsoft Entra token with pgAdmin you need to follow the next steps: 1. Uncheck the connect now option at server creation. 2. Enter your server details in the connection tab and save. 3. From the browser menu, select connect to the Azure Database for PostgreSQL server To connect using Azure AD token with pgAdmin you need to follow the next steps: Important considerations when connecting: -* `user@tenant.onmicrosoft.com` is the name of the Azure AD user -* Make sure to use the exact way the Azure user is spelled - as the Azure AD user and group names are case sensitive. +* `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra user +* Make sure to use the exact way the Azure user is spelled - as the Microsoft Entra user and group names are case sensitive. * If the name contains spaces, use `\` before each space to escape it. * The access token validity is anywhere between 5 minutes to 60 minutes. We recommend you get the access token just before initiating the login to Azure Database for PostgreSQL. -You are now authenticated to your Azure Database for PostgreSQL server using Azure AD authentication. +You are now authenticated to your Azure Database for PostgreSQL server using Microsoft Entra authentication. 
++<a name='authenticate-with-azure-ad-as-a-group-member'></a> ++## Authenticate with Microsoft Entra ID as a group member -## Authenticate with Azure AD as a group member +<a name='step-1-create-azure-ad-groups-in-azure-database-for-postgresql'></a> -### Step 1: Create Azure AD groups in Azure Database for PostgreSQL +### Step 1: Create Microsoft Entra groups in Azure Database for PostgreSQL -To enable an Azure AD group for access to your database, use the same mechanism as for users, but instead specify the group name: +To enable a Microsoft Entra group for access to your database, use the same mechanism as for users, but instead specify the group name: Example: When logging in, members of the group will use their personal access tokens, but ### Step 2: Login to the userΓÇÖs Azure Subscription -Authenticate with Azure AD using the Azure CLI tool. This step is not required in Azure Cloud Shell. The user needs to be member of the Azure AD group. +Authenticate with Microsoft Entra ID using the Azure CLI tool. This step is not required in Azure Cloud Shell. The user needs to be member of the Microsoft Entra group. ``` az login ``` -### Step 3: Retrieve Azure AD access token +<a name='step-3-retrieve-azure-ad-access-token'></a> -Invoke the Azure CLI tool to acquire an access token for the Azure AD authenticated user from step 2 to access Azure Database for PostgreSQL. +### Step 3: Retrieve Microsoft Entra access token ++Invoke the Azure CLI tool to acquire an access token for the Microsoft Entra authenticated user from step 2 to access Azure Database for PostgreSQL. 
Example (for Public Cloud): For Azure CLI version 2.0.71 and later, the command can be specified in the foll az account get-access-token --resource-type oss-rdbms ``` -After authentication is successful, Azure AD will return an access token: +After authentication is successful, Microsoft Entra ID will return an access token: ```json { After authentication is successful, Azure AD will return an access token: ### Step 4: Use token as password for logging in with psql or PgAdmin (see above steps for user connection) Important considerations when connecting as a group member:-* groupname@mydb is the name of the Azure AD group you are trying to connect as -* Always append the server name after the Azure AD user/group name (e.g. @mydb) -* Make sure to use the exact way the Azure AD group name is spelled. -* Azure AD user and group names are case sensitive +* groupname@mydb is the name of the Microsoft Entra group you are trying to connect as +* Always append the server name after the Microsoft Entra user/group name (e.g. @mydb) +* Make sure to use the exact way the Microsoft Entra group name is spelled. +* Microsoft Entra user and group names are case sensitive * When connecting as a group, use only the group name (e.g. GroupName@mydb) and not the alias of a group member. * If the name contains spaces, use \ before each space to escape it. * The access token validity is anywhere between 5 minutes to 60 minutes. We recommend you get the access token just before initiating the login to Azure Database for PostgreSQL. -You are now authenticated to your PostgreSQL server using Azure AD authentication. +You are now authenticated to your PostgreSQL server using Microsoft Entra authentication. 
++<a name='creating-azure-ad-users-in-azure-database-for-postgresql'></a> -## Creating Azure AD users in Azure Database for PostgreSQL +## Creating Microsoft Entra users in Azure Database for PostgreSQL -To add an Azure AD user to your Azure Database for PostgreSQL database, perform the following steps after connecting (see later section on how to connect): +To add a Microsoft Entra user to your Azure Database for PostgreSQL database, perform the following steps after connecting (see later section on how to connect): -1. First ensure that the Azure AD user `<user>@yourtenant.onmicrosoft.com` is a valid user in Azure AD tenant. -2. Sign in to your Azure Database for PostgreSQL instance as the Azure AD Admin user. +1. First ensure that the Microsoft Entra user `<user>@yourtenant.onmicrosoft.com` is a valid user in Microsoft Entra tenant. +2. Sign in to your Azure Database for PostgreSQL instance as the Microsoft Entra Admin user. 3. Create role `<user>@yourtenant.onmicrosoft.com` in Azure Database for PostgreSQL.-4. Make `<user>@yourtenant.onmicrosoft.com` a member of role azure_ad_user. This must only be given to Azure AD users. +4. Make `<user>@yourtenant.onmicrosoft.com` a member of role azure_ad_user. This must only be given to Microsoft Entra users. **Example:** CREATE USER "user1@yourtenant.onmicrosoft.com" IN ROLE azure_ad_user; ``` > [!NOTE]-> Authenticating a user through Azure AD does not give the user any permissions to access objects within the Azure Database for PostgreSQL database. You must grant the user the required permissions manually. +> Authenticating a user through Microsoft Entra ID does not give the user any permissions to access objects within the Azure Database for PostgreSQL database. You must grant the user the required permissions manually. 
## Token Validation -Azure AD authentication in Azure Database for PostgreSQL ensures that the user exists in the PostgreSQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed: +Microsoft Entra authentication in Azure Database for PostgreSQL ensures that the user exists in the PostgreSQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed: -- Token is signed by Azure AD and has not been tampered with-- Token was issued by Azure AD for the tenant associated with the server+- Token is signed by Microsoft Entra ID and has not been tampered with +- Token was issued by Microsoft Entra ID for the tenant associated with the server - Token has not expired - Token is for the Azure Database for PostgreSQL resource (and not another Azure resource) -## Migrating existing PostgreSQL users to Azure AD-based authentication +<a name='migrating-existing-postgresql-users-to-azure-ad-based-authentication'></a> ++## Migrating existing PostgreSQL users to Microsoft Entra ID-based authentication -You can enable Azure AD authentication for existing users. There are two cases to consider: +You can enable Microsoft Entra authentication for existing users. 
There are two cases to consider: -### Case 1: PostgreSQL username matches the Azure AD User Principal Name +<a name='case-1-postgresql-username-matches-the-azure-ad-user-principal-name'></a> -In the unlikely case that your existing users already match the Azure AD user names, you can grant the `azure_ad_user` role to them in order to enable them for Azure AD authentication: +### Case 1: PostgreSQL username matches the Microsoft Entra user Principal Name ++In the unlikely case that your existing users already match the Microsoft Entra user names, you can grant the `azure_ad_user` role to them in order to enable them for Microsoft Entra authentication: ```sql GRANT azure_ad_user TO "existinguser@yourtenant.onmicrosoft.com"; ``` -They will now be able to sign in with Azure AD credentials instead of using their previously configured PostgreSQL user password. +They will now be able to sign in with Microsoft Entra credentials instead of using their previously configured PostgreSQL user password. ++<a name='case-2-postgresql-username-is-different-than-the-azure-ad-user-principal-name'></a> -### Case 2: PostgreSQL username is different than the Azure AD User Principal Name +### Case 2: PostgreSQL username is different than the Microsoft Entra user Principal Name -If a PostgreSQL user either does not exist in Azure AD or has a different username, you can use Azure AD groups to authenticate as this PostgreSQL user. You can migrate existing Azure Database for PostgreSQL users to Azure AD by creating an Azure AD group with a name that matches the PostgreSQL user, and then granting role azure_ad_user to the existing PostgreSQL user: +If a PostgreSQL user either does not exist in Microsoft Entra ID or has a different username, you can use Microsoft Entra groups to authenticate as this PostgreSQL user. 
You can migrate existing Azure Database for PostgreSQL users to Microsoft Entra ID by creating a Microsoft Entra group with a name that matches the PostgreSQL user, and then granting role azure_ad_user to the existing PostgreSQL user: ```sql GRANT azure_ad_user TO <new_user>; ``` -This assumes you have created a group "DBReadUser" in your Azure AD. Users belonging to that group will now be able to sign in to the database as this user. +This assumes you have created a group "DBReadUser" in your Microsoft Entra ID. Users belonging to that group will now be able to sign in to the database as this user. ## Next steps -* Review the overall concepts for [Azure Active Directory authentication with Azure Database for PostgreSQL - Single Server](concepts-azure-ad-authentication.md) +* Review the overall concepts for [Microsoft Entra authentication with Azure Database for PostgreSQL - Single Server](concepts-azure-ad-authentication.md) <!--Image references--> |
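Review bot: the Case 1 and Case 2 headings in the migration section now read "Microsoft Entra user Principal Name"; the bulk rename of "Azure AD User" to "Microsoft Entra user" lowercased the "U" inside the proper term "User Principal Name", leaving a mixed-case fragment. Suggest "### Case 1: PostgreSQL username matches the Microsoft Entra User Principal Name" and the matching form for Case 2 (or "user principal name (UPN)" consistently in both), keeping the `<a name=...>` anchors as added so existing deep links still resolve.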
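Review bot: the paragraph inserted right after the IMPORTANT block in "Setting the Microsoft Entra Admin user" repeats two sentences the block already states (only one admin per server, a group may be used for multiple administrators); the removed text carried the same duplication, so this rewrite is the place to drop it and keep only the sentence that adds information, "Note that you will then sign in with the group name for administration purposes." In the same hunk, "please follow the following steps" should read "follow these steps:".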
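Review bot: the rewritten line "These are the steps that a user/application will need to do authenticate with Microsoft Entra ID described below:" in the connecting section still carries the grammar error from the old text (missing "to", and "described below" dangling). Since the line is already being changed, suggest "A user or application authenticates with Microsoft Entra ID using the following steps:".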
postgresql | How To Connect With Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/how-to-connect-with-managed-identity.md | Last updated 06/24/2022 [!INCLUDE [azure-database-for-postgresql-single-server-deprecation](../includes/azure-database-for-postgresql-single-server-deprecation.md)] -You can use both system-assigned and user-assigned managed identities to authenticate to Azure Database for PostgreSQL. This article shows you how to use a system-assigned managed identity for an Azure Virtual Machine (VM) to access an Azure Database for PostgreSQL server. Managed Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code. +You can use both system-assigned and user-assigned managed identities to authenticate to Azure Database for PostgreSQL. This article shows you how to use a system-assigned managed identity for an Azure Virtual Machine (VM) to access an Azure Database for PostgreSQL server. Managed Identities are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication, without needing to insert credentials into your code. You learn how to: - Grant your VM access to an Azure Database for PostgreSQL server You learn how to: - If you're not familiar with the managed identities for Azure resources feature, see this [overview](../../../articles/active-directory/managed-identities-azure-resources/overview.md). If you don't have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue. - To do the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). 
If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../../articles/role-based-access-control/role-assignments-portal.md). - You need an Azure VM (for example running Ubuntu Linux) that you'd like to use for access your database using Managed Identity-- You need an Azure Database for PostgreSQL database server that has [Azure AD authentication](how-to-configure-sign-in-azure-ad-authentication.md) configured+- You need an Azure Database for PostgreSQL database server that has [Microsoft Entra authentication](how-to-configure-sign-in-azure-ad-authentication.md) configured - To follow the C# example, first complete the guide how to [Connect with C#](connect-csharp.md) ## Creating a system-assigned managed identity for your VM az ad sp list --display-name vm-name --query [*].appId --out tsv ## Creating a PostgreSQL user for your Managed Identity -Now, connect as the Azure AD administrator user to your PostgreSQL database, and run the following SQL statements, replacing `CLIENT_ID` with the client ID you retrieved for your system-assigned managed identity: +Now, connect as the Microsoft Entra administrator user to your PostgreSQL database, and run the following SQL statements, replacing `CLIENT_ID` with the client ID you retrieved for your system-assigned managed identity: ```sql SET aad_validate_oids_in_tenant = off; You are now connected to the database you've configured earlier. ## Connecting using Managed Identity in C# -This section shows how to get an access token using the VM's user-assigned managed identity and use it to call Azure Database for PostgreSQL. Azure Database for PostgreSQL natively supports Azure AD authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. When creating a connection to PostgreSQL, you pass the access token in the password field. 
+This section shows how to get an access token using the VM's user-assigned managed identity and use it to call Azure Database for PostgreSQL. Azure Database for PostgreSQL natively supports Microsoft Entra authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. When creating a connection to PostgreSQL, you pass the access token in the password field. -Here's a .NET code example of opening a connection to PostgreSQL using an access token. This code must run on the VM to use the system-assigned managed identity to obtain an access token from Azure AD. Replace the values of HOST, USER, DATABASE, and CLIENT_ID. +Here's a .NET code example of opening a connection to PostgreSQL using an access token. This code must run on the VM to use the system-assigned managed identity to obtain an access token from Microsoft Entra ID. Replace the values of HOST, USER, DATABASE, and CLIENT_ID. ```csharp using System; Postgres version: PostgreSQL 11.11, compiled by Visual C++ build 1800, 64-bit ## Next steps -* Review the overall concepts for [Azure Active Directory authentication with Azure Database for PostgreSQL](concepts-azure-ad-authentication.md) +* Review the overall concepts for [Microsoft Entra authentication with Azure Database for PostgreSQL](concepts-azure-ad-authentication.md) |
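Review bot: the first sentence of the "Connecting using Managed Identity in C#" hunk says the token is obtained with the VM's user-assigned managed identity, while the very next paragraph ("This code must run on the VM to use the system-assigned managed identity") and the article's opening ("This article shows you how to use a system-assigned managed identity") both say system-assigned; the rename touched all three lines without reconciling them. Suggest "using the VM's system-assigned managed identity" here, or, if the C# sample really targets a user-assigned identity, say so and state which identity the CLIENT_ID placeholder refers to.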
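Review bot: in the "Creating a PostgreSQL user for your Managed Identity" hunk the reader is told to run `SET aad_validate_oids_in_tenant = off;` with no explanation of what that check validates or why it must be disabled to create a role for a managed identity. Add one sentence stating what the check does, why the managed identity's client ID requires it off, and that as written the change applies only to the current session (a plain `SET` without `LOCAL` is session-scoped in PostgreSQL), so readers do not mistake it for a permanent server-side change.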
postgresql | Overview Single Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/overview-single-server.md | The single server service uses the FIPS 140-2 validated cryptographic module for The service allows private access to the servers using private link and provides Advanced threat protection feature. Advanced threat protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. -In addition to native authentication, the single server service supports Azure Active Directory authentication. Azure AD authentication is a mechanism of connecting to the PostgreSQL servers using identities defined and managed in Azure AD. With Azure AD authentication, you can manage database user identities and other Azure services in a central location, which simplifies and centralizes access control. +In addition to native authentication, the single server service supports Microsoft Entra authentication. Microsoft Entra authentication is a mechanism of connecting to the PostgreSQL servers using identities defined and managed in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Azure services in a central location, which simplifies and centralizes access control. [Audit logging]() (in preview) is available to track all database level activity. |
private-5g-core | Enable Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/enable-azure-active-directory.md | If your deployment contains multiple sites, you can use the same two redirect UR | **Distributed tracing redirect URI root** | Make a note of the following part of the redirect URI: **https://*\<local monitoring domain\>***. | `redirect_uri_root` | | **Packet core dashboards redirect URI root** | Make a note of the following part of the packet core dashboards redirect URI: **https://*\<local monitoring domain\>*/grafana**. | `root_url` | +## Modify local access ++Go to the Azure portal and navigate to your site's **Packet Core Control Plane** resource. Select the blade's **Modify local access** tab. ++1. If the **Authentication type** is set to **Microsoft Entra ID**, continue to [Create Kubernetes Secret Objects](#create-kubernetes-secret-objects). +1. Otherwise: + 1. Select **Microsoft Entra ID** from the **Authentication type** dropdown. + 1. Select **Review**. + 1. Select **Submit**. + ## Create Kubernetes Secret Objects To support Microsoft Entra ID on Azure Private 5G Core applications, you'll need a YAML file containing Kubernetes secrets. |
private-5g-core | Reinstall Packet Core | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/reinstall-packet-core.md | To reinstall your packet core instance: 1. Select **Reinstall**. 1. Azure will now uninstall the packet core instance and redeploy it with the same configuration. You can check the status of the reinstall by selecting **Refresh** and looking at the **Packet core installation state** field. Once the process is complete, you'll receive a notification with information on whether the reinstall was successful.- + If the packet core reinstall failed, you can find more details about the reason for the failure by selecting the notifications icon and then **More events in the activity log**. :::image type="content" source="media/reinstall-packet-core/reinstall-packet-core-status.png" alt-text="Screenshot of the Azure portal showing the reinstall packet core status in the Notifications screen."::: To reinstall your packet core instance: Reconfigure your deployment using the information you gathered in [Back up deployment information](#back-up-deployment-information). 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):- - - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects). ++ - If you use Microsoft Entra ID, check that you can access distributed tracing and packet core dashboards using Microsoft Entra ID. If you cannot access either of these, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects). 
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them. |
private-5g-core | Upgrade Packet Core Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/upgrade-packet-core-azure-portal.md | If you determined in [Plan for your upgrade](#plan-for-your-upgrade) that you ne Reconfigure your deployment using the information you gathered in [Back up deployment information](#back-up-deployment-information). 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):- - - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects). ++ - If you use Microsoft Entra ID, check that you can access distributed tracing and packet core dashboards using Microsoft Entra ID. If you cannot access either of these, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects). - If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them. |
private-link | Private Link Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/private-link-overview.md | Azure Private Link provides the following benefits: - **Global reach**: Connect privately to services running in other regions. The consumer's virtual network could be in region A and it can connect to services behind Private Link in region B. -- **Extend to your own services**: Enable the same experience and functionality to render your service privately to consumers in Azure. By placing your service behind a standard Azure Load Balancer, you can enable it for Private Link. The consumer can then connect directly to your service using a private endpoint in their own virtual network. You can manage the connection requests using an approval call flow. Azure Private Link works for consumers and services belonging to different Azure Active Directory tenants. +- **Extend to your own services**: Enable the same experience and functionality to render your service privately to consumers in Azure. By placing your service behind a standard Azure Load Balancer, you can enable it for Private Link. The consumer can then connect directly to your service using a private endpoint in their own virtual network. You can manage the connection requests using an approval call flow. Azure Private Link works for consumers and services belonging to different Microsoft Entra tenants. > [!NOTE] > Azure Private Link, along with Azure Virtual Network, span across [Azure Availability Zones](../availability-zones/az-overview.md) and are therefore zone resilient. To provide high availability for the Azure resource using a private endpoint, ensure that resource is zone resilient. |
reliability | Asm Retirement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/asm-retirement.md | Below is a list of classic resources being retired, their retirement dates, and | Classic resource | Retirement date | Migration documentation | Support | ||||| |[VM (classic)](https://azure.microsoft.com/updates/classicvmretirment) | Sep 23 | [Migrate VM (classic) to ARM](/azure/virtual-machines/classic-vm-deprecation?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)| [Linux](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22cddd3eb5-1830-b494-44fd-782f691479dc%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%22e2542607-20ad-4425-e30d-eec8e2121f55%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D), [Windows](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%226f16735c-b0ae-b275-ad3a-03479cfa1396%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%228a82f77d-c3ab-7b08-d915-776b4ff64ff4%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D), [RedHat](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22de8937fc-74cc-daa7-2639-e1fe433dcb87%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%22b4991d30-6ff3-56aa-c832-0aa9f9e8f0c1%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D), [Ubuntu](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22240f5f1e-00c5-452d-6886-13429eddd6cf%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%229b8be6a3-1dca-0ca9-93bb-d259139a5cd5%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D), 
[SUSE](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%224a15f982-bfba-8ef2-a417-5fa383940392%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%2201d83b71-bc02-e38d-facd-43ce9df6da28%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D) |-|[Azure Active Directory Domain Services](/azure/active-directory-domain-services/migrate-from-classic-vnet?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) | Mar 23 | [Migrate Azure Active Directory Domain Services to ARM](/azure/active-directory-domain-services/migrate-from-classic-vnet?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)| [AAD Support](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22a69d6bc1-d1db-61e6-2668-451ae3784f86%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%22b437f1a6-38fe-550d-9b87-85c69d33faa7%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D) | +|[Microsoft Entra Domain Services](/azure/active-directory-domain-services/migrate-from-classic-vnet?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) | Mar 23 | [Migrate Microsoft Entra Domain Services to ARM](/azure/active-directory-domain-services/migrate-from-classic-vnet?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)| [Microsoft Entra ID Support](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22a69d6bc1-d1db-61e6-2668-451ae3784f86%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%22b437f1a6-38fe-550d-9b87-85c69d33faa7%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D) | |[Azure Batch Cloud Service Pools](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024) | Feb 24 |[Migrate Azure Batch Cloud Service 
Pools to ARM](/azure/batch/batch-pool-cloud-service-to-virtual-machine-configuration?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)| | |[Cloud Services (classic)](https://azure.microsoft.com/updates/cloud-services-retirement-announcement) | Aug 24 |[Migrate Cloud Services (classic) to ARM](/azure/cloud-services-extended-support/in-place-migration-overview?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)| [Cloud Services Support](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%22e79dcabe-5f77-3326-2112-74487e1e5f78%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%22fca528d2-48bd-7c9f-5806-ce5d5b1d226f%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D) | |[App Service Environment v1/v2](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement) | Aug 24 |[Migrate App Service Environment v1/v2 to ARM](/azure/app-service/environment/migrate?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) | [App Service Support](https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22pesId%22%3A+%222fd37acf-7616-eae7-546b-1a78a16d11b5%22%2C%09%0D%0A%09%22supportTopicId%22%3A+%22cfaf122c-93a9-a462-8b68-40ca78b60f32%22%2C%0D%0A%09%22contextInfo%22%3A+%22RDFE+Migration+to+ARM%22%2C%0D%0A%09%22severity%22%3A+%224%22%0D%0A+%7D) | Below is a list of classic resources being retired, their retirement dates, and ## Support We understand that you may have questions or concerns about this change, and we are here to help. If you have any questions or require further information, please do not hesitate to reach out to our [customer support team](https://azure.microsoft.com/support)-- |
reliability | Availability Service By Category | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/availability-service-by-category.md | Azure services are presented in the following tables by category. Note that some > | Azure Application Gateway | Azure API Management | > | Azure Backup | Azure App Configuration | > | Azure Cosmos DB | Azure App Service | -> | Azure Event Hubs | Azure Active Directory Domain Services | +> | Azure Event Hubs | Microsoft Entra Domain Services | > | Azure ExpressRoute | Azure Bastion | > | Azure Key Vault | Azure Batch | > | Azure Load Balancer | Azure Cache for Redis | |
reliability | Availability Zones Service Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/availability-zones-service-support.md | Azure offerings are grouped into three categories that reflect their _regional_ | **Products** | **Resiliency** | | | |-| [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) | +| [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) | | [Azure API Management](migrate-api-mgt.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) | | [Azure App Configuration](../azure-app-configuration/faq.yml#how-does-app-configuration-ensure-high-data-availability) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) | | [Azure App Service](migrate-app-service.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) | Azure offerings are grouped into three categories that reflect their _regional_ | **Products** | **Resiliency** | | | |-| Azure Active Directory | ![An icon that signifies this service is always available.](media/icon-always-available.svg) | +| Microsoft Entra ID | ![An icon that signifies this service is always available.](media/icon-always-available.svg) | | Microsoft Defender for Identity | ![An icon that signifies this service is always available.](media/icon-always-available.svg) | | Azure Advisor | ![An icon that signifies this service is always available.](media/icon-always-available.svg) | | Azure Blueprints | ![An icon that signifies this service is always available.](media/icon-always-available.svg) | You can access Azure availability zones by using your Azure subscription. 
To lea > [!div class="nextstepaction"] > [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview)-- |
reliability | Disaster Recovery Guidance Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/disaster-recovery-guidance-overview.md | The tables below lists each product that offers disaster recovery guidance and/o | **Products** | | | | [Azure API Management](../api-management/api-management-howto-disaster-recovery-backup-restore.md) |-| [Azure Active Directory Domain Services](../active-directory-domain-services/tutorial-create-replica-set.md) | +| [Microsoft Entra Domain Services](../active-directory-domain-services/tutorial-create-replica-set.md) | | [Azure App Configuration](../azure-app-configuration/concept-disaster-recovery.md?&tabs=core2x)| | [Azure App Service](reliability-app-service.md#cross-region-disaster-recovery-and-business-continuity)| | [Azure Backup](../backup/backup-overview.md) | |
reliability | Migrate Workload Aks Mysql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/migrate-workload-aks-mysql.md | Using the Application Gateway Ingress Controller add-on with your AKS cluster is *Zone-redundant*: Azure Cache for Redis supports zone-redundant configurations in the Premium and Enterprise tiers. A zone-redundant cache places its nodes across different availability zones in the same region. -#### Azure Active Directory (AD) +<a name='azure-active-directory-ad'></a> -*Global*: Azure AD is a global service with multiple levels of internal redundancy and automatic recoverability. Azure AD is deployed in over 30 datacenters around the world that provide availability zones where present. This number is growing rapidly as more regions are deployed. +#### Microsoft Entra ID ++*Global*: Microsoft Entra ID is a global service with multiple levels of internal redundancy and automatic recoverability. Microsoft Entra ID is deployed in over 30 datacenters around the world that provide availability zones where present. This number is growing rapidly as more regions are deployed. #### Azure Key Vault |
reliability | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/overview.md | Microsoft Azure services are available globally to drive your cloud operations a Azure services deployed to Azure regions are listed on the [Azure global infrastructure products](https://azure.microsoft.com/global-infrastructure/services/?products=all) page. To better understand regions and Availability Zones in Azure, see [Regions and Availability Zones in Azure](availability-zones-overview.md). -Azure services are built for reliability including high availability and disaster recovery. There are no services that are dependent on a single logical data center (to avoid single points of failure). Non-regional services listed on [Azure global infrastructure products](https://azure.microsoft.com/global-infrastructure/services/?products=all) are services for which there is no dependency on a specific Azure region. Non-regional services are deployed to two or more regions and if there is a regional failure, the instance of the service in another region continues servicing customers. Certain non-regional services enable customers to specify the region where the underlying virtual machine (VM) on which service runs will be deployed. For example, [Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) enables customers to specify the region location where the VM resides. All Azure services that store customer data allow the customer to specify the specific regions in which their data will be stored. The exception is [Azure Active Directory (Azure AD)](https://azure.microsoft.com/services/active-directory/), which has geo placement (such as Europe or North America). For more information about data storage residency, see the [Data residency map](https://azure.microsoft.com/global-infrastructure/data-residency/). +Azure services are built for reliability including high availability and disaster recovery. 
There are no services that are dependent on a single logical data center (to avoid single points of failure). Non-regional services listed on [Azure global infrastructure products](https://azure.microsoft.com/global-infrastructure/services/?products=all) are services for which there is no dependency on a specific Azure region. Non-regional services are deployed to two or more regions and if there is a regional failure, the instance of the service in another region continues servicing customers. Certain non-regional services enable customers to specify the region where the underlying virtual machine (VM) on which service runs will be deployed. For example, [Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) enables customers to specify the region location where the VM resides. All Azure services that store customer data allow the customer to specify the specific regions in which their data will be stored. The exception is [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/), which has geo placement (such as Europe or North America). For more information about data storage residency, see the [Data residency map](https://azure.microsoft.com/global-infrastructure/data-residency/). If you need to understand dependencies between Azure services to help better architect your applications and services, you can request the **Azure service dependency documentation** by contacting your Microsoft sales or customer representative. This document lists the dependencies for Azure services, including dependencies on any common major internal services such as control plane services. To obtain this documentation, you must be a Microsoft customer and have the appropriate non-disclosure agreement (NDA) with Microsoft. |
reliability | Reliability Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/reliability-functions.md | Azure Functions supports both [zone-redundant and zonal instances](availability- Zone-redundant Premium plans are available in the following regions: -| Americas | Europe | Middle East | Africa | Asia Pacific | -||-||--|-| -| Brazil South | France Central | Qatar Central | South Africa North | Australia East | -| Canada Central | Germany West Central | UAE North | | Central India | -| Central US | North Europe | | | China North 3 | -| East US | Norway East | | | East Asia | -| East US 2 | Sweden Central | | | Japan East | -| South Central US | Switzerland North | | | Southeast Asia | -| West US 2 | UK South | | | | -| West US 3 | West Europe | | | | +| Americas | Europe | Middle East | Africa | Asia Pacific | +||-|-|--|-| +| Brazil South | France Central | Israel Central | South Africa North | Australia East | +| Canada Central | Germany West Central | Qatar Central | | Central India | +| Central US | Italy North | UAE North | | China North 3 | +| East US | North Europe | | | East Asia | +| East US 2 | Norway East | | | Japan East | +| South Central US | Sweden Central | | | Southeast Asia | +| West US 2 | Switzerland North | | | | +| West US 3 | UK South | | | | +| | West Europe | | | | ### Prerequisites Read more on information and considerations for failover with [Service Bus](../s - [Create Azure Front Door](../frontdoor/quickstart-create-front-door.md) - [Event Hubs failover considerations](../event-hubs/event-hubs-geo-dr.md#considerations) - [Azure Architecture Center's guide on availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability)-- [Reliability in Azure](./overview.md)+- [Reliability in Azure](./overview.md) |
reliability | Reliability Hdinsight | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/reliability-hdinsight.md | Improving business continuity using cross region high availability disaster reco |Data Storage|Duplicating primary data/tables in a secondary region|Replicate only curated data| |Data Egress|Outbound cross region data transfers come at a price. Review Bandwidth pricing guidelines|Replicate only curated data to reduce the region egress footprint| |Cluster Compute|Additional HDInsight cluster/s in secondary region|Use automated scripts to deploy secondary compute after primary failure. Use Autoscaling to keep secondary cluster size to a minimum. Use cheaper VM SKUs. Create secondaries in regions where VM SKUs may be discounted.|-|Authentication |Multiuser scenarios in secondary region will incur additional Azure AD DS setups|Avoid multiuser setups in secondary region.| +|Authentication |Multiuser scenarios in secondary region will incur additional Microsoft Entra Domain Services setups|Avoid multiuser setups in secondary region.| ### Complexity optimizations functionality. Service incidents in one or more of the following services in a s - **Storage: Azure Data Lake Gen2 or Blob storage**. HDInsight recommends Azure Data Lake Storage Gen2 as the underlying storage layer. [Azure Storage](https://azure.microsoft.com/support/legal/sla/storage/v1_5/), including Azure Data Lake Storage Gen2, provides an SLA of 99.9%. HDInsight uses the LRS service in which three replicas of data persist within a data center, and replication is synchronous. When there is a replica loss, a replica is served seamlessly. -- **Authentication: Azure Active Directory, Azure Active Directory Domain Services, Enterprise Security Package**. - - [Azure Active Directory](https://azure.microsoft.com/support/legal/sla/active-directory/v1_0/) provides an SLA of 99.9%. 
Active Directory is a global service with multiple levels of internal redundancy and automatic recoverability. For more information, see how [Microsoft in continually improving the reliability of Azure Active Directory](https://azure.microsoft.com/blog/advancing-azure-active-directory-availability/). - - [Azure Active Directory Domain Services](https://azure.microsoft.com/support/legal/sl) to learn more. +- **Authentication: Microsoft Entra ID, Microsoft Entra Domain Services, Enterprise Security Package**. + - [Microsoft Entra ID](https://azure.microsoft.com/support/legal/sla/active-directory/v1_0/) provides an SLA of 99.9%. Active Directory is a global service with multiple levels of internal redundancy and automatic recoverability. For more information, see how [Microsoft in continually improving the reliability of Microsoft Entra ID](https://azure.microsoft.com/blog/advancing-azure-active-directory-availability/). + - [Microsoft Entra Domain Services](https://azure.microsoft.com/support/legal/sl) to learn more. - [Azure DNS](https://azure.microsoft.com/support/legal/sla/dns/v1_1/) provides an SLA of 100%. HDInsight uses Azure DNS in various places for domain name resolution. |
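Review bot: the renamed **Authentication** bullet in the Reliability Hdinsight change still carries the pre-existing typo "Microsoft in continually improving" (should read "is continually improving"), still says "Active Directory is a global service" where the rename would call it Microsoft Entra ID, and the Microsoft Entra Domain Services bullet still links to the truncated URL `https://azure.microsoft.com/support/legal/sl` followed by the stray text "to learn more". Since this hunk rewrites those exact lines, fix all three in the same change rather than leaving them for a later pass.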
reliability | Sovereign Cloud China | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/sovereign-cloud-china.md | This section outlines variations and considerations when using Azure Bot Service | Azure AI Speech| See [Azure AI | Azure AI Speech|For feature variations and limitations, including API endpoints, see [Translator in sovereign clouds](../ai-services/translator/sovereign-clouds.md?tabs=china).| -### Azure AD External Identities +<a name='azure-ad-external-identities'></a> -This section outlines variations and considerations when using Azure AD External Identities B2B collaboration. +### Microsoft Entra External ID ++This section outlines variations and considerations when using Microsoft Entra External ID B2B collaboration. | Product | Unsupported, limited, and/or modified features | Notes | ||--||-| Azure AD External Identities | For Azure AD External Identities B2B feature variations in Microsoft Azure for customers in China, see [Azure AD B2B in national clouds](../active-directory/external-identities/b2b-government-national-clouds.md) and [Microsoft cloud settings (Preview)](../active-directory/external-identities/cross-cloud-settings.md). | +| Microsoft Entra External ID | For Microsoft Entra External ID B2B feature variations in Microsoft Azure for customers in China, see [Microsoft Entra B2B in national clouds](../active-directory/external-identities/b2b-government-national-clouds.md) and [Microsoft cloud settings (Preview)](../active-directory/external-identities/cross-cloud-settings.md). | ### Media The table below lists ways to connect to your Azure account in Azure Global vs. 
| Sign in description | Azure Global | Azure in China | |--|--|| | Sign into Azure with an authenticated account for use with Azure Resource Manager| Connect-AzureAccount | Connect-AzureAccount -Environment AzureChinaCloud|-| Sign into Azure Active Directory with Microsoft Graph PowerShell | Connect-MgGraph | Connect-MgGraph -AzureEnvironment China| +| Sign into Microsoft Entra ID with Microsoft Graph PowerShell | Connect-MgGraph | Connect-MgGraph -AzureEnvironment China| | Sign into your Azure classic portal account | Add-AzureAccount | Add-AzureAccount -Environment AzureChinaCloud | ## Azure in China REST endpoints For IP rangers for Azure in China, download [Azure Datacenter IP Ranges in China | Service category | Azure Global | Azure in China | |-|-|-| | Azure (in general) | \*.windows.net | \*.chinacloudapi.cn |-| Azure Active Directory | `https://login.microsoftonline.com` | `https://login.chinacloudapi.cn` | +| Microsoft Entra ID | `https://login.microsoftonline.com` | `https://login.chinacloudapi.cn` | | Azure App Configuration | \*.azconfig.io | \*.azconfig.azure.cn | | Azure compute | \*.cloudapp.net | \*.chinacloudapp.cn | | Azure data | `https://{location}.experiments.azureml.net` | `https://{location}.experiments.ml.azure`.cn | For IP rangers for Azure in China, download [Azure Datacenter IP Ranges in China | MySQL PaaS | | \*.mysqldb.chinacloudapi.cn | | Azure Service Fabric cluster | \*.cloudapp.azure.com | \*.chinaeast.chinacloudapp.cn | | Azure Spring Cloud| \*.azuremicroservices.io | \*.microservices.azure.cn |-| Azure Active Directory (Azure AD) | \*.onmicrosoft.com | \*.partner.onmschina.cn | -| Azure AD logon | [https://login.microsoftonline.com](https://login.windows.net/) | [https://login.partner.microsoftonline.cn](https://login.chinacloudapi.cn/) | +| Microsoft Entra ID | \*.onmicrosoft.com | \*.partner.onmschina.cn | +| Microsoft Entra logon | [https://login.microsoftonline.com](https://login.windows.net/) | 
[https://login.partner.microsoftonline.cn](https://login.chinacloudapi.cn/) | | Microsoft Graph | [https://graph.microsoft.com](https://graph.microsoft.com/) | [https://microsoftgraph.chinacloudapi.cn](https://microsoftgraph.chinacloudapi.cn/) | | Azure AI services | `https://api.projectoxford.ai/face/v1.0` | `https://api.cognitive.azure.cn/face/v1.0` | | Azure Bot Services | <\*.botframework.com> | <\*.botframework.azure.cn> | |
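Review bot: the new "Microsoft Entra logon" row in the Sovereign Cloud China change keeps the pre-existing mismatch between link text and link target: `[https://login.microsoftonline.com](https://login.windows.net/)` and `[https://login.partner.microsoftonline.cn](https://login.chinacloudapi.cn/)` each display one host but link to another. Since the row is being rewritten anyway, either align the text with the href or make clear that both hosts are valid endpoints, so readers copying the endpoint get the one the docs intend.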
remote-rendering | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/how-tos/authentication.md | Azure Remote Rendering uses the same authentication mechanism as [Azure Spatial * **AccountDomain**: can be obtained in the "Overview" tab for the Remote Rendering account on the Azure portal. ![Account Domain](./media/azure-account-domain.png) -* **AuthenticationToken**: is an Azure AD token, which can be obtained by using the [MSAL library](../../active-directory/develop/msal-overview.md). There are multiple different flows available to accept user credentials and use those credentials to obtain an access token. +* **AuthenticationToken**: is a Microsoft Entra token, which can be obtained by using the [MSAL library](../../active-directory/develop/msal-overview.md). There are multiple different flows available to accept user credentials and use those credentials to obtain an access token. * **MRAccessToken**: is an MR token, which can be obtained from Azure Mixed Reality Security Token Service (STS). Retrieved from the `https://sts.<accountDomain>` endpoint using a REST call similar to the below: Azure Remote Rendering uses the same authentication mechanism as [Azure Spatial ## Authentication for deployed applications -Account keys are recommended for quick prototyping, during development only. It's recommended not to ship your application to production using an embedded account key in it. The recommended approach is to use a user-based or service-based Azure AD authentication approach. +Account keys are recommended for quick prototyping, during development only. It's recommended not to ship your application to production using an embedded account key in it. The recommended approach is to use a user-based or service-based Microsoft Entra authentication approach. 
-### Azure AD user authentication +<a name='azure-ad-user-authentication'></a> -Azure AD authentication is described in the [Azure Spatial Anchors documentation](../../spatial-anchors/concepts/authentication.md?tabs=csharp#azure-ad-user-authentication). +### Microsoft Entra user authentication -Follow the steps to configure Azure Active Directory user authentication in the Azure portal. +Microsoft Entra authentication is described in the [Azure Spatial Anchors documentation](../../spatial-anchors/concepts/authentication.md?tabs=csharp#azure-ad-user-authentication). -1. Register your application in Azure Active Directory. As part of registering, you will need to determine whether your application should be multitenant. You will also need to provide the redirect URLs allowed for your application in the Authentication blade. +Follow the steps to configure Microsoft Entra user authentication in the Azure portal. ++1. Register your application in Microsoft Entra ID. As part of registering, you will need to determine whether your application should be multitenant. You will also need to provide the redirect URLs allowed for your application in the Authentication blade. :::image type="content" source="./media/azure-active-directory-app-setup.png" alt-text="Authentication setup"::: 1. In the API permissions tab, request **Delegated Permissions** for **mixedreality.signin** scope under **mixedreality**. 
Follow the steps to configure Azure Active Directory user authentication in the :::image type="content" source="./media/azure-remote-rendering-add-role-assignment.png" alt-text="Add permissions"::: :::image type="content" source="./media/azure-remote-rendering-role-assignments.png" alt-text="Role assignments"::: -For information on using Azure AD user authentication in your application code, see the [Tutorial: Securing Azure Remote Rendering and model storage - Azure Active Directory authentication](../tutorials/unity/security/security.md#azure-active-directory-azure-ad-authentication) +For information on using Microsoft Entra user authentication in your application code, see the [Tutorial: Securing Azure Remote Rendering and model storage - Microsoft Entra authentication](../tutorials/unity/security/security.md#azure-active-directory-azure-ad-authentication) ## Azure role-based access control |
remote-rendering | Commercial Ready | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/tutorials/unity/commercial-ready/commercial-ready.md | For authentication, it's wise to move as much of the ARR authentication and se For more information: -* [Azure AD Service Authentication](../../../../spatial-anchors/concepts/authentication.md?tabs=csharp#azure-ad-service-authentication) +* [Microsoft Entra service Authentication](../../../../spatial-anchors/concepts/authentication.md?tabs=csharp#azure-ad-service-authentication) * [Strengthen Your Security Posture with Azure](https://azure.microsoft.com/overview/security/)-* [Cloud Security](https://azure.microsoft.com/product-categories/security/) +* [Cloud Security](https://azure.microsoft.com/product-categories/security/) |
remote-rendering | Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/tutorials/unity/security/security.md | In this tutorial, you learn how to: > [!div class="checklist"] > > * Secure Azure Blob Storage containing Azure Remote Rendering models-> * Authenticate with Azure AD to access your Azure Remote Rendering instance +> * Authenticate with Microsoft Entra ID to access your Azure Remote Rendering instance > * Use Azure credentials for Azure Remote Rendering authentication ## Prerequisites Now the current state of the application and its access to your Azure resources ![Better security](./media/security-two.png) -We have one more "password", the AccountKey, to remove from the local application. This can be done using Azure Active Directory (AAD) authentication. +We have one more "password", the AccountKey, to remove from the local application. This can be done using Microsoft Entra authentication. -## Azure Active Directory (Azure AD) authentication +<a name='azure-active-directory-azure-ad-authentication'></a> -AAD authentication allows you to determine which individuals or groups are using ARR in a more controlled way. ARR has built in support for accepting [Access Tokens](../../../../active-directory/develop/access-tokens.md) instead of using an Account Key. You can think of Access Tokens as a time-limited, user-specific key, that only unlocks certain parts of the specific resource it was requested for. +## Microsoft Entra authentication ++Microsoft Entra authentication allows you to determine which individuals or groups are using ARR in a more controlled way. ARR has built in support for accepting [Access Tokens](../../../../active-directory/develop/access-tokens.md) instead of using an Account Key. You can think of Access Tokens as a time-limited, user-specific key, that only unlocks certain parts of the specific resource it was requested for. 
The **RemoteRenderingCoordinator** script has a delegate named **ARRCredentialGetter**, which holds a method that returns a **SessionConfiguration** object, which is used to configure the remote session management. We can assign a different method to **ARRCredentialGetter**, allowing us to use an Azure sign in flow, generating a **SessionConfiguration** object that contains an Azure Access Token. This Access Token will be specific to the user that's signing in. -1. Follow the [How To: Configure authentication - Authentication for deployed applications](../../../how-tos/authentication.md#authentication-for-deployed-applications), which involves registering a new Azure Active Directory application and configuring access to your ARR instance. -1. After configuring the new AAD application, check your AAD application looks like the following images: +1. Follow the [How To: Configure authentication - Authentication for deployed applications](../../../how-tos/authentication.md#authentication-for-deployed-applications), which involves registering a new Microsoft Entra application and configuring access to your ARR instance. +1. After configuring the new Microsoft Entra application, check your Microsoft Entra application looks like the following images: - **AAD Application -> Authentication** + **Microsoft Entra Application -> Authentication** :::image type="content" source="./../../../how-tos/media/azure-active-directory-app-setup.png" alt-text="App authentication"::: - **AAD Application -> API Permissions** + **Microsoft Entra Application -> API Permissions** :::image type="content" source="./media/azure-active-directory-api-permissions-granted.png" alt-text="App APIs"::: 1. 
After configuring your Remote Rendering account, check your configuration looks like the following image: With this change, the current state of the application and its access to your Az Since the User Credentials aren't stored on the device (or in this case even entered on the device), their exposure risk is low. Now the device is using a user-specific, time-limited Access Token to access ARR, which uses access control (IAM) to access the Blob Storage. These two steps have removed the "passwords" from the source code and increased security considerably. However, this isn't the most security available, moving the model and session management to a web service will improve security further. Additional security considerations are discussed in the [Commercial Readiness](../commercial-ready/commercial-ready.md) chapter. -### Testing AAD Auth +<a name='testing-aad-auth'></a> ++### Testing Microsoft Entra auth -In the Unity Editor, when AAD Auth is active, you'll need to authenticate every time you launch the application. On device, the authentication step happens the first time and only be required again when the token expires or is invalidated. +In the Unity Editor, when Microsoft Entra auth is active, you'll need to authenticate every time you launch the application. On device, the authentication step happens the first time and only be required again when the token expires or is invalidated. -1. Add the **AAD Authentication** component to the **RemoteRenderingCoordinator** GameObject. +1. Add the **Microsoft Entra authentication** component to the **RemoteRenderingCoordinator** GameObject. 
- ![AAD auth component](./media/azure-active-directory-auth-component.png) + ![Microsoft Entra auth component](./media/azure-active-directory-auth-component.png) > [!NOTE]-> If you are using the completed project from the [ARR samples repository](https://github.com/Azure/azure-remote-rendering), make sure to enable the **AAD Authentication** component by clicking the checkbox next to its title. +> If you are using the completed project from the [ARR samples repository](https://github.com/Azure/azure-remote-rendering), make sure to enable the **Microsoft Entra authentication** component by clicking the checkbox next to its title. 1. Fill in your values for the Client ID and the Tenant ID. These values can be found in your App Registration's Overview Page: - * **Active Directory Application Client ID** is the *Application (client) ID* found in your AAD app registration (see image below). - * **Azure Tenant ID** is the *Directory (tenant) ID* found in your AAD app registration (see image below). + * **Active Directory Application Client ID** is the *Application (client) ID* found in your Microsoft Entra app registration (see image below). + * **Azure Tenant ID** is the *Directory (tenant) ID* found in your Microsoft Entra app registration (see image below). * **Azure Remote Rendering Domain** is the same domain you've been using in the **RemoteRenderingCoordinator**'s Remote Rendering Domain. * **Azure Remote Rendering Account ID** is the same **Account ID** you've been using for **RemoteRenderingCoordinator**. * **Azure Remote Rendering Account Domain** is the same **Account Domain** you've been using in the **RemoteRenderingCoordinator**. In the Unity Editor, when AAD Auth is active, you'll need to authenticate every :::image type="content" source="./media/azure-active-directory-app-overview.png" alt-text="Screenshot that highlights the Application (client) ID and Directory (tenant) ID."::: 1. 
Press Play in the Unity Editor and consent to running a session.- Since the **AAD Authentication** component has a view controller, it's automatically hooked up to display a prompt after the session authorization modal panel. + Since the **Microsoft Entra authentication** component has a view controller, it's automatically hooked up to display a prompt after the session authorization modal panel. 1. Follow the instructions found in the panel to the right of the **AppMenu**. You should see something similar to this: ![Illustration that shows the instruction panel that appears to the right of the AppMenu.](./media/device-flow-instructions.png) Follow the steps found in [Quickstart: Deploy Unity sample to HoloLens - Build t The remainder of this tutorial set contains conceptual articles for creating a production-ready application that uses Azure Remote Rendering. > [!div class="nextstepaction"]-> [Next: Commercial Readiness](../commercial-ready/commercial-ready.md) +> [Next: Commercial Readiness](../commercial-ready/commercial-ready.md) |
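Review bot: in the "Testing Microsoft Entra auth" section of the Security change, the renamed sentence keeps the pre-existing grammar slip "the authentication step happens the first time and only be required again when the token expires" (it needs "will only be required again"). Also, the bullet "**Active Directory Application Client ID**" is left unrenamed while the surrounding text switches to Microsoft Entra; if that is the exact field label on the Unity component, keep it, otherwise rename it for consistency with the rest of the hunk.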
resource-mover | Common Questions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/common-questions.md | You can't select disks as resources to the moved across regions. However, disks Currently, Azure Resource Mover only supports move across regions within the same subscription. Move across subscriptions is not supported. -However, on the Azure Portal, Azure Resource mover has an entry point to enable the move across subscriptions. The capability to move across subscriptions is supported by Azure Resource Manager (ARM). [Learn more](../azure-resource-manager/management/move-resource-group-and-subscription.md). +However, on the Azure portal, Azure Resource mover has an entry point to enable the move across subscriptions. The capability to move across subscriptions is supported by Azure Resource Manager (ARM). [Learn more](../azure-resource-manager/management/move-resource-group-and-subscription.md). Moving across regions and across subscriptions is a two-step process: 1. Move resources across regions using Azure Resource Mover. 1. Use Azure Resource Manager (ARM) to move across subscriptions once resources are in the desired target region. -### What does it mean to move a resource group? --When a resource is selected for move, the corresponding resource group is added automatically for moving. This is so that the destination resource can be placed in a resource group. You can choose to customize and provide an existing resource group after it's added for move. Moving a resource group doesn't mean that all the resources in the source resource group will be moved. - ### Can I move resources across subscriptions when I move them across regions? You can change the subscription after moving resources to the destination region. [Learn more](../azure-resource-manager/management/move-resource-group-and-subscription.md) about moving resources to a different subscription. |
resource-mover | Tutorial Move Region Encrypted Virtual Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/tutorial-move-region-encrypted-virtual-machines.md | At this stage, the disk encryption set and key vault statuses are changed to *Co > After you've committed the move, the resource status changes to *Delete source pending*. -## Move the source resource group --Before you can prepare and move VMs, the VM resource group must be present in the target region. --### Prepare to move the source resource group --During the preparation process, Resource Mover generates Azure Resource Manager (ARM) templates from the resource group settings. The resources inside the resource group are unaffected. --To prepare to move the source resource group, do the following: --1. In the **Across regions** tab, select the source resource group, and select **Prepare**. -- :::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/prepare-resource-group.png" alt-text="Screenshot of the 'Prepare' button on the 'Prepare resources' pane." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/prepare-resource-group.png"::: --1. In **Prepare resources**, select **Prepare**. --> [!NOTE] -> After you've prepared the move, the resource group status changes to *Initiate move pending*. -- -### Move the source resource group --**Begin moving the source resource group by doing the following:** --1. On the **Across regions** pane, select the resource group, and select **Initiate move**. -- :::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/initiate-move-resource-group.png" alt-text="Screenshot of the 'Initiate move' button on the 'Across regions' pane." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/initiate-move-resource-group.png"::: --1. On the **Move resources** pane, select **Initiate move**. The resource group status changes to *Initiate move in progress*. 
-1. After you initiate the move, the target resource group is created, based on the generated ARM template. The source resource group status changes to *Commit move pending*. -- :::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/resource-group-commit-move-pending.png" alt-text="Screenshot of the 'Move resources' pane showing the resource group status changed to 'Commit move pending'." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/resource-group-commit-move-pending.png"::: --**To commit the move and finish the process, do the following:** --1. On the **Across regions** pane, select the resource group, and select **Commit move**. -1. On the **Move Resources** pane, select **Commit**. --> [!NOTE] -> After you've committed the move, the source resource group status changes to *Delete source pending*. -> :::image type="content" source="./media/tutorial-move-region-encrypted-virtual-machines/resource-group-delete-move-pending.png" alt-text="Screenshot of the source resource group showing the status changed to 'Delete source pending'." lightbox="./media/tutorial-move-region-encrypted-virtual-machines/resource-group-delete-move-pending.png"::: - ## Prepare resources to move Now that the encryption resources and the source resource group are moved, you can prepare to move other resources whose current status is *Prepare pending*. |
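Review bot: Stale reference left behind by the section removal: the retained opening of "## Prepare resources to move" still says "Now that the encryption resources and the source resource group are moved", but the entire "Move the source resource group" procedure (prepare, initiate move, commit) is deleted in this change, so the reader is never told to move that resource group. Reword to "Now that the encryption resources are moved" or add one sentence on how the target resource group is now created.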
resource-mover | Tutorial Move Region Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/tutorial-move-region-powershell.md | The MoveCollection object stores metadata and configuration information about th - Create the MoveCollection object with managed identity. For the MoveCollection object to access the subscription in which the Resource Mover service is located, it needs a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) (formerly known as Managed Service Identity (MSI)) that's trusted by the subscription. - Grant access to the Resource Mover subscription for the managed identity. -### Create the resource group --Create a resource group for the move collection metadata and configuration information, as follows: --```azurepowershell-interactive -New-AzResourceGroup -Name "RG-MoveCollection-demoRMS" -Location "East US 2" -``` --**Output**: --![Output text after creating resource group](./media/tutorial-move-region-powershell/create-metadata-resource-group.png) - ### Register the resource provider 1. Register the resource provider Microsoft.Migrate, so that the MoveCollection resource can be created, as follows: Check whether the resources you added have any dependencies on other resources, > [!NOTE] > If for any reason you want to remove resources from the resource collection, follow the instructions in [this article](remove-move-resources.md). -## Add the source resource group --Add the source resource group that contains resources you want to move to the move collection. --1. Retrieve the ID of the resource group. 
-- ```azurepowershell-interactive - Get-AzResourceMoverUnresolvedDependency -MoveCollectionName "PS-centralus-westcentralus-demoRMS" -ResourceGroupName "RG-MoveCollection-demoRMS" -DependencyLevel Direct - ``` -- **Output** - - ![Output text after retrieving the ID of the source resource group](./media/tutorial-move-region-powershell/source-resource-group-id.png) -- > [!NOTE] - > We're using a resource group that's already in the target region. --2. Use the retrieved ID to add the resource group to the collection. -- ```azurepowershell-interactive - Add-AzResourceMoverMoveResource -ResourceGroupName "RG-MoveCollection-demoRMS" -MoveCollectionName "PS-centralus-westcentralus-demoRMS" -SourceId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/psdemorm" -Name "psdemorm" -ExistingTargetId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/PSDemoRM-target" - ``` -- **Output** - - ![Output text after adding the source resource group to the move collection](./media/tutorial-move-region-powershell/add-source-resource-group.png) --3. Verify dependencies to make sure you haven't missed anything after adding the resource group. -- ```azurepowershell-interactive - Resolve-AzResourceMoverMoveCollectionDependency -ResourceGroupName "RG-MoveCollection-demoRMS" -MoveCollectionName "PS-centralus-westcentralus-demoRMS" - ``` --4. We see there are no outstanding dependencies. -- **Output** - - ![Output text after checking dependencies](./media/tutorial-move-region-powershell/all-dependencies-added.png) ## Prepare resources In this tutorial, since we're moving VMs, we need to prepare the source resource > [!NOTE] > If you have an existing target resource group, you can directly commit the move for the source resource group, and skip the prepare and initiate move stages. -### Prepare the source resource group --1. 
Prepare the resource group: -- ```azurepowershell-interactive - Invoke-AzResourceMoverPrepare -ResourceGroupName "RG-MoveCollection-demoRMS" -MoveCollectionName "PS-centralus-westcentralus-demoRMS" -MoveResource "PSDemoRM" - ``` -- **Output** - - ![Output text after preparing source resource group](./media/tutorial-move-region-powershell/prepare-source-resource-group.png) --2. Initiate the move of the source resource group. -- ```azurepowershell-interactive - Invoke-AzResourceMoverInitiateMove -ResourceGroupName "RG-MoveCollection-demoRMS" -MoveCollectionName "PS-centralus-westcentralus-demoRMS" -MoveResource "PSDemoRM" - ``` -- **Output**: -- ![Output text after initiating move of source resource group](./media/tutorial-move-region-powershell/initiate-move-source-resource-group.png) --3. Commit the move for the source resource group. -- ```azurepowershell-interactive - Invoke-AzResourceMoverCommit -ResourceGroupName "RG-MoveCollection-demoRMS" -MoveCollectionName "PS-centralus-westcentralus-demoRMS" -MoveResource "PSDemoRM" - ``` -- **Output** -- ![Output text after committing the source resource group](./media/tutorial-move-region-powershell/commit-move-source-resource-group.png) ### Prepare VM resources |
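Review bot: The retained text still describes steps this change deletes: "In this tutorial, since we're moving VMs, we need to prepare the source resource..." and the NOTE "you can directly commit the move for the source resource group, and skip the prepare and initiate move stages" both refer to the "Prepare the source resource group" procedure removed here, together with "Add the source resource group" and "Create the resource group". Update or drop those sentences so the PowerShell flow matches the remaining sections. Also, deleting "Create the resource group" removes the `New-AzResourceGroup -Name "RG-MoveCollection-demoRMS"` step that created the move-collection metadata resource group; confirm the article still tells the reader to create it before "Register the resource provider".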
resource-mover | Tutorial Move Region Virtual Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/tutorial-move-region-virtual-machines.md | To resolve dependencies before the move, follow these steps: 4. Dependencies are validated in the background after you add them. If you see a **Validate dependencies** button, select it to trigger the manual validation. :::image type="content" source="./media/tutorial-move-region-virtual-machines/add-additional-dependencies.png" alt-text="Screenshot displays page to add additional dependencies." lightbox="./media/tutorial-move-region-virtual-machines/add-additional-dependencies.png"::: --## Move the source resource group --Before you can prepare and move the VMs, the VM resource group must be present in the target region. --### Prepare to move the source resource group --During the Prepare process, Resource Mover generates Azure Resource Manager (ARM) templates using the resource group settings. Resources inside the resource group aren't affected. --**To prepare to move a source resource group, follow these steps:** --1. On the **Across regions** pane, select the source resource group > **Prepare**. -2. On **Prepare resources** pane, select **Prepare** to start the process. -- :::image type="content" source="./media/tutorial-move-region-virtual-machines/prepare-resource-group.png" alt-text="Screenshot displays Prepare resource group." lightbox="./media/tutorial-move-region-virtual-machines/prepare-resource-group.png"::: --> [!NOTE] -> After preparing the resource group, it's in the *Initiate move pending* state. --### Move the source resource group --**To start the move, follows these steps:** --1. On the **Across regions** pane, select the resource group > **Initiate Move**. -2. On the **Move Resources** pane, select **Initiate move**. The resource group moves into an *Initiate move in progress* state. -3. 
After initiating the move, the target resource group is created, based on the generated ARM template. The source resource group moves into a *Commit move pending* state. -- :::image type="content" source="./media/tutorial-move-region-virtual-machines/commit-move-pending.png" alt-text="Screenshot displays select the initiate move button." lightbox="./media/tutorial-move-region-virtual-machines/commit-move-pending.png"::: --**To commit and finish the move process:** --1. On the **Across regions** pane, select the resource group > **Commit move**. -2. On the **Move Resources** pane select **Commit**. - > [!NOTE]-> After committing the move, the source resource group is in a *Delete source pending* state. +> The default name for the resource group follows `<sourceRGName-targetRegion>` convention. If you want to use an existing resource group name, you can find the option to choose the target resource group in the **Edit** section. +> <br> +> :::image type="content" source="./media/tutorial-move-region-virtual-machines/target-region.png" alt-text="Screenshot displays add target resource group." ::: ## Prepare resources to move |
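Review bot: The rewritten NOTE has lost its antecedent: once "Move the source resource group" is deleted, "The default name for the resource group follows `<sourceRGName-targetRegion>` convention" sits directly under the dependency-validation step, where no resource group has been mentioned. Say "the target resource group" explicitly and insert "the" before "convention". The `> <br>` line inside the note is unusual for these articles; a bare `>` line gives the same spacing.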
route-server | Hub Routing Preference Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/route-server/hub-routing-preference-cli.md | + + Title: Configure routing preference - Azure CLI ++description: Learn how to configure routing preference (preview) in Azure Route Server using the Azure CLI to influence its route selection. ++++ Last updated : 10/12/2023+++#CustomerIntent: As an Azure administrator, I want learn how to use routing preference setting so that I can influence route selection in Azure Route Server by using the Azure CLI. +++# Configure routing preference to influence route selection using the Azure CLI ++Learn how to use routing preference setting in Azure Route Server to influence its route learning and selection. For more information, see [Routing preference (preview)](hub-routing-preference.md). ++> [!IMPORTANT] +> Routing preference is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- An Azure route server. If you need to create a Route Server, see [Create and configure Azure Route Server](quickstart-configure-route-server-cli.md). +- Azure Cloud Shell or Azure CLI installed locally. ++## View routing preference configuration ++Use [az network routeserver show](/cli/azure/network/routeserver#az-network-routeserver-show()) to view the current route server configuration including its routing preference setting. ++```azurecli-interactive +# Show the Route Server configuration. 
+az network routeserver show --resource-group 'myResourceGroup' --name 'myRouteServer' +``` ++In the output, you can see the current routing preference setting in front of **"HubRoutingPreference":**: ++```output +{ + "allowBranchToBranchTraffic": false, + "etag": "W/\"00000000-1111-2222-3333-444444444444\"", + "hubRoutingPreference": "ExpressRoute", + "id": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualHubs/myRouteServer", + "kind": "RouteServer", + "location": "eastus", + "name": "myRouteServer", + "provisioningState": "Succeeded", + "resourceGroup": "myResourceGroup", + "routeTable": { + "routes": [] + }, + "routingState": "Provisioned", + "sku": "Standard", + "tags": {}, + "type": "Microsoft.Network/virtualHubs", + "virtualHubRouteTableV2s": [], + "virtualRouterAsn": 65515, + "virtualRouterAutoScaleConfiguration": { + "minCapacity": 2 + }, + "virtualRouterIps": [ + "10.1.1.5", + "10.1.1.4" + ] +} +``` ++> [!NOTE] +> The default routing preference setting is **ExpressRoute**. ++## Configure routing preference ++Use [az network routeserver update](/cli/azure/network/routeserver#az-network-routeserver-update()) to update routing preference setting. ++```azurecli-interactive +# Change the routing preference to AS Path. +az network routeserver update --name 'myRouteServer' --hub-routing-preference 'ASPath' --resource-group 'myResourceGroup' +``` ++```azurecli-interactive +# Change the routing preference to VPN Gateway. +az network routeserver update --name 'myRouteServer' --hub-routing-preference 'VpnGateway' --resource-group 'myResourceGroup' +``` ++```azurecli-interactive +# Change the routing preference to ExpressRoute. 
+az network routeserver update --name 'myRouteServer' --hub-routing-preference 'ExpressRoute' --resource-group 'myResourceGroup' +``` ++## Related content ++- [Create and configure Route Server](quickstart-configure-route-server-cli.md) +- [Monitor Azure Route Server](monitor-route-server.md) +- [Azure Route Server FAQ](route-server-faq.md) |
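Review bot: Key-name mismatch in "View routing preference configuration": the prose tells readers to look "in front of **"HubRoutingPreference":**", but the sample output key is `"hubRoutingPreference"` (the CLI emits camelCase), so the bolded string does not appear in the output; quote the camelCase key and replace "in front of" with "next to". Minor: the `#CustomerIntent` line reads "I want learn how" (missing "to"), and "to update routing preference setting" needs "the".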
route-server | Hub Routing Preference Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/route-server/hub-routing-preference-portal.md | + + Title: Configure routing preference - Azure portal ++description: Learn how to configure routing preference (preview) in Azure Route Server using the Azure portal to influence its route selection. ++++ Last updated : 10/11/2023++#CustomerIntent: As an Azure administrator, I want learn how to use routing preference setting so that I can influence route selection in Azure Route Server. +++# Configure routing preference to influence route selection using the Azure portal ++Learn how to use routing preference setting in Azure Route Server to influence its route learning and selection. For more information, see [Routing preference (preview)](hub-routing-preference.md). ++> [!IMPORTANT] +> Routing preference is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- An Azure route server. If you need to create a Route Server, see [Create and configure Azure Route Server](quickstart-configure-route-server-portal.md). ++## Configure routing preference ++1. Sign in to [Azure portal](https://portal.azure.com). ++1. In the search box at the top of the portal, enter ***route server***. Select **Route Servers** from the search results. ++ :::image type="content" source="./media/hub-routing-preference-portal/portal.png" alt-text="Screenshot of searching for Azure Route Server in the Azure portal." lightbox="./media/hub-routing-preference-portal/portal.png"::: ++1. Select the Route Server that you want to configure. ++1. 
Select **Configuration**. ++1. In the **Configuration** page, select **VPN**, **ASPath** or **ExpressRoute**. ++ :::image type="content" source="./media/hub-routing-preference-portal/routing-preference-configuration.png" alt-text="Screenshot of configuring routing preference of a Route Server in the Azure portal."::: ++ > [!NOTE] + > The default routing preference setting is **ExpressRoute**. ++1. Select **Save**. ++## Related content ++- [Create and configure Route Server](quickstart-configure-route-server-portal.md) +- [Monitor Azure Route Server](monitor-route-server.md) +- [Azure Route Server FAQ](route-server-faq.md) |
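Review bot: Same typo as the CLI article in the `#CustomerIntent` metadata, "I want learn how" (missing "to"). In the configuration step the portal options are given as **VPN**, **ASPath** or **ExpressRoute**, while the companion CLI and PowerShell articles on this page use the value `VpnGateway`; a short parenthetical mapping the portal label to that value would help readers who switch between the three articles.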
route-server | Hub Routing Preference Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/route-server/hub-routing-preference-powershell.md | Title: Configure routing preference (preview) to influence route selection - PowerShell + Title: Configure routing preference - PowerShell description: Learn how to configure routing preference (preview) in Azure Route Server using Azure PowerShell to influence its route selection. - Previously updated : 07/31/2023 Last updated : 10/12/2023+++#CustomerIntent: As an Azure administrator, I want learn how to use routing preference setting so that I can influence route selection in Azure Route Server by using Azure PowerShell. # Configure routing preference to influence route selection using PowerShell -Learn how to use [routing preference (preview)](hub-routing-preference.md) setting in Azure Route Server to influence its route selection. +Learn how to use routing preference setting in Azure Route Server to influence its route learning and selection. For more information, see [Routing preference (preview)](hub-routing-preference.md). > [!IMPORTANT]-> Routing preference is currently in PREVIEW. -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> Routing preference is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).+- An Azure route server. 
If you need to create a Route Server, see [Create and configure Azure Route Server](quickstart-configure-route-server-powershell.md). - Azure Cloud Shell or Azure PowerShell installed locally. -## Create a virtual network +## View routing preference configuration -Before you can create a virtual network, you have to create a resource group. Use [New-AzResourceGroup](/powershell/module/az.Resources/New-azResourceGroup) to create the resource group. This example creates a resource group named **myResourceGroup** in the **EastUS** region. --Use [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork) to create the virtual network. This example creates a virtual network named **myVirtualNetwork** in the **EastUS** region. You need a dedicated subnet called **RouteServerSubnet** for the Route Server. Use [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) to create the subnet configuration of RouteServerSubnet. +Use [Get-AzRouteServer](/powershell/module/az.network/get-azrouteserver) to view the current routing preference configuration. ```azurepowershell-interactive-# Create a resource group. -New-AzResourceGroup -Name 'myResourceGroup' -Location 'EastUS' --# Create RouteServerSubnet configuration and place it into a variable. -$subnet = New-AzVirtualNetworkSubnetConfig -Name 'RouteServerSubnet' -AddressPrefix '10.0.1.0/24' --# Create the virtual network and place it into a variable. -$vnet = New-AzVirtualNetwork -Name 'myVirtualNetwork' -ResourceGroupName 'myResourceGroup' -Location 'EastUS' -AddressPrefix '10.0.0.0/16' -Subnet $subnet --# Place the subnet ID into a variable. -$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name RouteServerSubnet -VirtualNetwork $vnet).Id +# Get the Route Server. 
+Get-AzRouteServer -ResourceGroupName 'myResourceGroup' ``` -## Create the Route Server --Before you create the Route Server, create a standard public IP using [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress). Then use [New-AzRouteServer](/powershell/module/az.network/new-azrouteserver) to create the route server with a routing preference set to **VpnGateway**. When you choose VpnGateway as a routing preference, Route Server prefers routes learned through VPN/SD-WAN connections over routes learned through ExpressRoute. --```azurepowershell-interactive -# Create a standard public IP for the Route Server. -$publicIp = New-AzPublicIpAddress -Name 'RouteServerIP' -IpAddressVersion 'IPv4' -Sku 'Standard' -AllocationMethod 'Static' -ResourceGroupName 'myResourceGroup' -Location 'EastUS' +In the output, you can see the current routing preference setting under **HubRoutingPreference**: -# Create a Route Server with routing preference set to VpnGateway -New-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'VpnGateway' -HostedSubnet $subnetId -PublicIpAddress $publicIp -ResourceGroupName 'myResourceGroup' -Location 'EastUS' --# Create a Route Server with routing preference set to ExpressRoute -New-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'ExpressRoute' -HostedSubnet $subnetId -PublicIpAddress $publicIp -ResourceGroupName 'myResourceGroup' -Location 'EastUS' --# Create a Route Server with routing preference set to ASPath -New-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'ASPath' -HostedSubnet $subnetId -PublicIpAddress $publicIp -ResourceGroupName 'myResourceGroup' -Location 'EastUS' +```output +ResourceGroupName Name Location RouteServerAsn RouteServerIps ProvisioningState HubRoutingPreference +-- - -- -- -- -- -- +myResourceGroup myRouteServer eastus 65515 {10.1.1.5, 10.1.1.4} Succeeded ExpressRoute ``` -## Update routing preference +> [!NOTE] +> The default routing 
preference setting is **ExpressRoute**. ++## Configure routing preference -To update the routing preference of an existing Route Server, use [Update-AzRouteServer](/powershell/module/az.network/update-azrouteserver). This example updates the routing preference to AS Path. +Use [Update-AzRouteServer](/powershell/module/az.network/update-azrouteserver) to configure routing preference. ```azurepowershell-interactive # Change the routing preference to AS Path. Update-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'ASPath' -ResourceGroupName 'myResourceGroup'+``` +```azurepowershell-interactive # Change the routing preference to VPN Gateway.-Update-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'VPNGateway' -ResourceGroupName 'myResourceGroup' +Update-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'VpnGateway' -ResourceGroupName 'myResourceGroup' +``` +```azurepowershell-interactive # Change the routing preference to ExpressRoute. Update-AzRouteServer -RouteServerName 'myRouteServer' -HubRoutingPreference 'ExpressRoute' -ResourceGroupName 'myResourceGroup' ``` -## Next steps +> [!IMPORTANT] +> Include ***-AllowBranchToBranchTraffic*** parameter to enable **route exchange (branch-to-branch)** even if it was enabled before running the **Update-AzRouteServer** cmdlet. For more information, see [Configure route exchange](quickstart-configure-route-server-powershell.md#configure-route-exchange). ++## Related content -- To learn more about configuring Azure Route Servers, see [Create and configure Route Server using Azure PowerShell](quickstart-configure-route-server-powershell.md).-- To learn more about Azure Route Server, see [Azure Route Server FAQ](route-server-faq.md).+- [Create and configure Route Server](quickstart-configure-route-server-powershell.md) +- [Monitor Azure Route Server](monitor-route-server.md) +- [Azure Route Server FAQ](route-server-faq.md) |
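Review bot: The new IMPORTANT note carries the one operational hazard in this article and should state it outright: as written ("Include -AllowBranchToBranchTraffic ... even if it was enabled before running the Update-AzRouteServer cmdlet") it only implies that omitting the switch turns branch-to-branch route exchange off; say directly that running the cmdlet without the switch disables previously enabled route exchange, and consider showing the switch in one of the three example commands rather than only in the note. The `VPNGateway` to `VpnGateway` correction is right. The `#CustomerIntent` line has the same "I want learn how" typo as the sibling CLI and portal articles.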
sap | Configure Devops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/configure-devops.md | You can use Azure Repos to store your configuration files and use Azure Pipeline ## Sign up for Azure DevOps Services -To use Azure DevOps Services, you need an Azure DevOps organization. An organization is used to connect groups of related projects. Use your work or school account to automatically connect your organization to your Azure Active Directory. To create an account, open [Azure DevOps](https://azure.microsoft.com/services/devops/) and either sign in or create a new account. +To use Azure DevOps Services, you need an Azure DevOps organization. An organization is used to connect groups of related projects. Use your work or school account to automatically connect your organization to your Microsoft Entra ID. To create an account, open [Azure DevOps](https://azure.microsoft.com/services/devops/) and either sign in or create a new account. ## Configure Azure DevOps Services for SAP Deployment Automation Framework |
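Review bot: "connect your organization to your Microsoft Entra ID" reads as if Entra ID were a personal identifier. The rename of "Azure Active Directory" to "Microsoft Entra ID" is correct for the product name, but what the DevOps organization connects to is the tenant, so "your Microsoft Entra tenant" is the clearer wording.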
sap | Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/automation/get-started.md | You can use Azure Repos to store your configuration files. Use Azure Pipelines t ### Sign up for Azure DevOps Services -To use Azure DevOps Services, you need an Azure DevOps organization. An organization is used to connect groups of related projects. Use your work or school account to automatically connect your organization to your Azure Active Directory. To create an account, open [Azure DevOps](https://azure.microsoft.com/services/devops/) and either sign in or create a new account. +To use Azure DevOps Services, you need an Azure DevOps organization. An organization is used to connect groups of related projects. Use your work or school account to automatically connect your organization to your Microsoft Entra ID. To create an account, open [Azure DevOps](https://azure.microsoft.com/services/devops/) and either sign in or create a new account. To configure Azure DevOps for SAP Deployment Automation Framework, see [Configure Azure DevOps for SAP Deployment Automation Framework](configure-devops.md). |
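Review bot: Same wording issue as the configure-devops.md change above: "your Microsoft Entra ID" should be "your Microsoft Entra tenant".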
sap | Get Sap Installation Media | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/get-sap-installation-media.md | In this how-to guide, you'll learn how to get the SAP software installation medi - A deployment of S/4HANA infrastructure. - The SSH private key for the virtual machines in the SAP system. You generated this key during the infrastructure deployment. - If you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. - - For more information, see [Use Azure CLI to create an Azure AD app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app). - - For an example, see the Red Hat documentation for [Creating an Azure Active Directory Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure). + - For more information, see [Use Azure CLI to create a Microsoft Entra app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app). + - For an example, see the Red Hat documentation for [Creating a Microsoft Entra Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure). - To avoid frequent password expiry, use the Azure Command-Line Interface (Azure CLI) to create the Service Principal identifier and password instead of the Azure portal. ## Required components |
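Review bot: Renaming a third-party document in link text is misleading: the Red Hat link's anchor still reads "azure-create-an-azure-directory-application-in-ha", which shows the external page keeps its original title, so the link text should quote that title as published (or write "Creating an Azure Active Directory (Microsoft Entra) application") rather than "Creating a Microsoft Entra Application". Separately, the first link's text promises setup for the Media Services API, which has nothing to do with authorizing the Azure fence agent; point readers at a service-principal how-to that matches the stated purpose.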
sap | Install Software | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/install-software.md | Review the prerequisites for your preferred installation method: [through the Az - A [network set up for your SAP deployment](prepare-network.md). - A deployment of S/4HANA infrastructure. - If you are installing an SAP System through Azure Center for SAP solutions, you should have the SAP installation media available in a storage account. For more information, see [how to download the SAP installation media](get-sap-installation-media.md).-- If you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see [Use Azure CLI to create an Azure AD app and configure it to access Media Services API](/azure/sap/workloads/high-availability-guide-suse-pacemaker#using-service-principal). - - For an example, see the Red Hat documentation for [Creating an Azure Active Directory Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure). +- If you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see [Use Azure CLI to create a Microsoft Entra app and configure it to access Media Services API](/azure/sap/workloads/high-availability-guide-suse-pacemaker#using-service-principal). 
+ - For an example, see the Red Hat documentation for [Creating a Microsoft Entra Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure). - To avoid frequent password expiry, use the Azure Command-Line Interface (Azure CLI) to create the Service Principal identifier and password instead of the Azure portal. ### Prerequisites for outside installation |
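Review bot: Link text and target disagree: "Use Azure CLI to create a Microsoft Entra app and configure it to access Media Services API" points at `/azure/sap/workloads/high-availability-guide-suse-pacemaker#using-service-principal`, so the text should describe that target (creating the service principal for the fence agent, per the SUSE Pacemaker guide). As in get-sap-installation-media.md, the Red Hat link text is renamed while its anchor still reads "azure-directory-application"; keep the external title as published.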
sap | Prepare Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/prepare-network.md | If internet connectivity isn't possible, allowlist the IP addresses for the foll - [SUSE or Red Hat endpoints](#allowlist-suse-or-red-hat-endpoints) - [Azure Storage accounts](#allowlist-storage-accounts) - [Allowlist Azure Key Vault](#allowlist-key-vault)-- [Allowlist Azure Active Directory (Azure AD)](#allowlist-azure-ad)+- [Allowlist Microsoft Entra ID](#allowlist-azure-ad) - [Allowlist Azure Resource Manager](#allowlist-azure-resource-manager) Then, make sure all resources within the virtual network can connect to each other. For example, [configure a network security group](../../virtual-network/manage-network-security-group.md#work-with-network-security-groups) to allow resources within the virtual network to communicate by listening on all ports. Azure Center for SAP solutions creates a key vault to store and access the secre - Configure a [**AzureKeyVault** service tag](../../virtual-network/service-tags-overview.md#available-service-tags) - Configure an [**AzureKeyVault** service tag](../../virtual-network/service-tags-overview.md#available-service-tags) with regional scope. Make sure to configure the tag in the region where you're deploying the infrastructure. -### Allowlist Azure AD +<a name='allowlist-azure-ad'></a> -Azure Center for SAP solutions uses Azure AD to get the authentication token for obtaining secrets from a managed key vault during SAP installation. To allow access to Azure AD, you can: +### Allowlist Microsoft Entra ID ++Azure Center for SAP solutions uses Microsoft Entra ID to get the authentication token for obtaining secrets from a managed key vault during SAP installation. To allow access to Microsoft Entra ID, you can: - Allow internet connectivity - Configure an [**AzureActiveDirectory** service tag](../../virtual-network/service-tags-overview.md#available-service-tags). 
The configuration process for an example network might include: | -- | - | -- | | -- | | | 110 | Any | Any | Any | SUSE or Red Hat endpoints | Allow | | 115 | Any | Any | Any | Azure Resource Manager | Allow |- | 116 | Any | Any | Any | Azure AD | Allow | + | 116 | Any | Any | Any | Microsoft Entra ID | Allow | | 117 | Any | Any | Any | Storage accounts | Allow | | 118 | 8080 | Any | Any | Key vault | Allow | | 119 | Any | Any | Any | virtual network | Allow | |
sap | Quickstart Install High Availability Namecustom Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/quickstart-install-high-availability-namecustom-cli.md | After you [deploy infrastructure](deploy-s4hana.md) and install SAP software wit - The SSH private key for the virtual machines in the SAP system. You generated this key during the infrastructure deployment. - You should have the SAP installation media available in a storage account. For more information, see [how to download the SAP installation media](get-sap-installation-media.md). - The *json* configuration file that you used to create infrastructure in the [previous step](tutorial-create-high-availability-name-custom.md) for SAP system using PowerShell or Azure CLI. -- As you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see [Use Azure CLI to create an Azure AD app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app). - - For an example, see the Red Hat documentation for [Creating an Azure Active Directory Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure). +- As you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see [Use Azure CLI to create a Microsoft Entra app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app). 
+ - For an example, see the Red Hat documentation for [Creating a Microsoft Entra Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure). - To avoid frequent password expiry, use the Azure Command-Line Interface (Azure CLI) to create the Service Principal identifier and password instead of the Azure portal. [!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)] |
sap | Register Existing System | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/register-existing-system.md | When you register a system with Azure Center for SAP solutions, the following re ### Azure infrastructure level pre-requisites - Check that you're trying to register a [supported SAP system configuration](#supported-systems)-- Grant access to Azure Storage accounts, Azure resource manager (ARM) and Microsoft Entra ID services from the virtual network where the SAP system exists. Use one of these options:+- Grant access to Azure Storage accounts, Azure resource manager (ARM) and Microsoft Entra services from the virtual network where the SAP system exists. Use one of these options: - Allow outbound internet connectivity for the VMs. - Use a [**Service tags**](../../virtual-network/service-tags-overview.md) to allow connectivity - Use a [Service tags with regional scope](../../virtual-network/service-tags-overview.md) to allow connectivity to resources in the same region as the VMs. |
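Review bot: the replacement reads "Microsoft Entra services" where the prepare-network article uses "Microsoft Entra ID" for the same allowlisting requirement; use "Microsoft Entra ID" here as well so readers can match this bullet to that article's allowlist section and to the AzureActiveDirectory service tag. While this line is being touched, "Azure resource manager (ARM)" should be capitalized as "Azure Resource Manager (ARM)".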
sap | Hana Know Terms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/large-instances/hana-know-terms.md | Several common definitions are widely used in the Architecture and Technical Dep - **SAP system**: The combination of DBMS layer and application layer of, for example, an SAP ERP development system, an SAP BW test system, and an SAP CRM production system. Azure deployments don't support dividing these two layers between on-premises and Azure. An SAP system is either deployed on-premises or it's deployed in Azure. You can deploy the different systems of an SAP landscape into either Azure or on-premises. For example, you can deploy the SAP CRM development and test systems in Azure while you deploy the SAP CRM production system on-premises. For SAP HANA on Azure (Large Instances), it's intended that you host the SAP application layer of SAP systems in VMs and the related SAP HANA instance on a unit in the SAP HANA on Azure (Large Instances) stamp. - **Large Instance stamp**: A hardware infrastructure stack that is SAP HANA TDI-certified and dedicated to run SAP HANA instances within Azure. - **SAP HANA on Azure (Large Instances):** Official name for the offer in Azure to run HANA instances in on SAP HANA TDI-certified hardware that's deployed in Large Instance stamps in different Azure regions. The related term *HANA Large Instance* is short for *SAP HANA on Azure (Large Instances)* and is widely used in this technical deployment guide.-- **Cross-premises**: Describes a scenario where VMs are deployed to an Azure subscription that has site-to-site, multi-site, or Azure ExpressRoute connectivity between on-premises data centers and Azure. In common Azure documentation, these kinds of deployments are also described as cross-premises scenarios. The reason for the connection is to extend on-premises domains, on-premises Azure Active Directory/OpenLDAP, and on-premises DNS into Azure. 
The on-premises landscape is extended to the Azure assets of the Azure subscriptions. With this extension, the VMs can be part of the on-premises domain. +- **Cross-premises**: Describes a scenario where VMs are deployed to an Azure subscription that has site-to-site, multi-site, or Azure ExpressRoute connectivity between on-premises data centers and Azure. In common Azure documentation, these kinds of deployments are also described as cross-premises scenarios. The reason for the connection is to extend on-premises domains, on-premises Microsoft Entra ID/OpenLDAP, and on-premises DNS into Azure. The on-premises landscape is extended to the Azure assets of the Azure subscriptions. With this extension, the VMs can be part of the on-premises domain. Domain users of the on-premises domain can access the servers and run services on those VMs (such as DBMS services). Communication and name resolution between VMs deployed on-premises and Azure-deployed VMs is possible. This scenario is typical of the way in which most SAP assets are deployed. For more information, see [Azure VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md) and [Create a virtual network with a site-to-site connection by using the Azure portal](../../vpn-gateway/tutorial-site-to-site-portal.md). - **Tenant**: A customer deployed in HANA Large Instance stamp gets isolated into a *tenant.* A tenant is isolated in the networking, storage, and compute layer from other tenants. Storage and compute units assigned to the different tenants can't see each other or communicate with each other on the HANA Large Instance stamp level. A customer can choose to have deployments into different tenants. Even then, there is no communication between tenants on the HANA Large Instance stamp level. Several common definitions are widely used in the Architecture and Technical Dep A variety of additional resources are available on how to deploy an SAP workload in the cloud. 
If you plan to execute a deployment of SAP HANA in Azure, you need to be experienced with and aware of the principles of Azure IaaS and the deployment of SAP workloads on Azure IaaS. Before you continue, see [Use SAP solutions on Azure virtual machines](../../virtual-machines/workloads/sap/get-started.md) for more information. ## Next steps-- Refer to [HLI Certification](hana-certification.md).+- Refer to [HLI Certification](hana-certification.md). |
sap | Sap On Azure Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/sap-on-azure-overview.md | For more information, see the [SAP on Azure VM workloads](workloads/get-started. ### SAP Integration with Microsoft Services -In addition to the capabilities to run SAP IaaS and SaaS workloads on Azure, Microsoft offers a variety of capabilities, scenarios, best-practice guides, and tutorials to integrate SAP workloads running anywhere with other Microsoft products and services. Among them are popular services such as Azure Active Directory, Exchange Online, Power Platform and Power BI, Azure Integration Services, Excel, SAP Business Technology Platform, SAP Analytics Cloud, SAP Data Warehouse Cloud, and SAP Success Factors to name a few. +In addition to the capabilities to run SAP IaaS and SaaS workloads on Azure, Microsoft offers a variety of capabilities, scenarios, best-practice guides, and tutorials to integrate SAP workloads running anywhere with other Microsoft products and services. Among them are popular services such as Microsoft Entra ID, Exchange Online, Power Platform and Power BI, Azure Integration Services, Excel, SAP Business Technology Platform, SAP Analytics Cloud, SAP Data Warehouse Cloud, and SAP Success Factors to name a few. For more information, see the [SAP Integration with Microsoft Services](workloads/integration-get-started.md) documentation. |
sap | Expose Sap Odata To Power Query | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/expose-sap-odata-to-power-query.md | Working with SAP datasets in Microsoft Excel or Power BI is a common requirement This article describes the required configurations and components to enable SAP dataset consumption via OData with [Power Query](/power-query/power-query-what-is-power-query). The SAP data integration is considered **"live"** because it can be refreshed from clients such as Microsoft Excel or Power BI on-demand, unlike data exports (like [SAP List Viewer (ALV)](https://help.sap.com/doc/saphelp_nw73ehp1/7.31.19/en-us/4e/c38f8788d22b90e10000000a42189d/content.htm) CSV exports) for instance. Those exports are **static** by nature and have no continuous relationship with the data origin. -The article puts emphasis on end-to-end user mapping between the known Azure AD identity in Power Query and the SAP backend user. This mechanism is often referred to as SAP Principal Propagation. +The article puts emphasis on end-to-end user mapping between the known Microsoft Entra identity in Power Query and the SAP backend user. This mechanism is often referred to as SAP Principal Propagation. The focus of the described configuration is on the [Azure API Management](../../api-management/index.yml), [SAP Gateway](https://help.sap.com/viewer/product/SAP_GATEWAY), [SAP OAuth 2.0 Server with AS ABAP](https://help.sap.com/docs/SAP_NETWEAVER_750/e815bb97839a4d83be6c4fca48ee5777/0b899f00477b4034b83aa31764361852.html), and OData sources, but the concepts used apply to any web-based resource. 
End users have a choice between local desktop or web-based clients (for instance [Azure API Management](../../api-management/index.yml) reflects local and web-based environment needs with different deployment modes that can be applied to Azure landscapes ([internal](../../api-management/api-management-using-with-internal-vnet.md?tabs=stv2) or [external](../../api-management/api-management-using-with-vnet.md?tabs=stv2)). `Internal` refers to instances that are fully restricted to a private virtual network whereas `external` retains public access to Azure API Management. On-premises installations require a hybrid deployment to apply the approach as is using the Azure API Management [self-hosted Gateway](../../api-management/self-hosted-gateway-overview.md). -Power Query requires matching API service URL and Azure AD application ID URL. Configure a [custom domain for Azure API Management](../../api-management/configure-custom-domain.md) to meet the requirement. +Power Query requires matching API service URL and Microsoft Entra application ID URL. Configure a [custom domain for Azure API Management](../../api-management/configure-custom-domain.md) to meet the requirement. [SAP Gateway](https://help.sap.com/docs/SAP_GATEWAY) needs to be configured to expose the desired target OData services. Discover and activate available services via SAP transaction code `/IWFND/MAINT_SERVICE`. For more information, see SAP's [OData configuration](https://help.sap.com/docs/SAP_GATEWAY). Complete the setup of your custom domain as per the domain requirements. For mor :::image type="content" source="media/expose-sap-odata-to-power-query/apim-custom-domain-setup.png" alt-text="Screenshot that shows custom domain mapping to Azure API Management domain."::: -The respective Azure AD application registration for the Azure API Management tenant would look like below. +The respective Microsoft Entra application registration for the Azure API Management tenant would look like below. 
> [!NOTE] > If custom domain for Azure API Management isn't an option for you, you need to use a [custom Power Query Connector](/power-query/startingtodevelopcustomconnectors) instead. Retrieve the Base URL and insert in your target application. Below example shows :::image type="content" source="media/expose-sap-odata-to-power-query/excel-odata-feed.png" alt-text="Screenshot that shows the OData configuration wizard in Excel Desktop."::: -Switch the login method to **Organizational account** and click Sign in. Supply the Azure AD account that is mapped to the named SAP user on the SAP Gateway using SAP Principal Propagation. For more information about the configuration, see [this Microsoft tutorial](../../active-directory/saas-apps/sap-netweaver-tutorial.md#configure-sap-netweaver-for-oauth). Learn more about SAP Principal Propagation from [this](https://blogs.sap.com/2021/08/12/.net-speaks-odata-too-how-to-implement-azure-app-service-with-sap-odata-gateway/) SAP community post and [this video series](https://github.com/MartinPankraz/SAP-MSTeams-Hero/blob/main/Towel-Bearer/103a-sap-principal-propagation-basics.md). +Switch the login method to **Organizational account** and click Sign in. Supply the Microsoft Entra account that is mapped to the named SAP user on the SAP Gateway using SAP Principal Propagation. For more information about the configuration, see [this Microsoft tutorial](../../active-directory/saas-apps/sap-netweaver-tutorial.md#configure-sap-netweaver-for-oauth). Learn more about SAP Principal Propagation from [this](https://blogs.sap.com/2021/08/12/.net-speaks-odata-too-how-to-implement-azure-app-service-with-sap-odata-gateway/) SAP community post and [this video series](https://github.com/MartinPankraz/SAP-MSTeams-Hero/blob/main/Towel-Bearer/103a-sap-principal-propagation-basics.md). Continue to choose at which level the authentication settings should be applied by Power Query on Excel. 
Below example shows a setting that would apply to all OData services hosted on the target SAP system (not only to the sample service GWSAMPLE_BASIC). Continue to choose at which level the authentication settings should be applied :::image type="content" source="media/expose-sap-odata-to-power-query/excel-odata-login.png" alt-text="Screenshot that shows the login flow within Excel for the Organizational Account option."::: > [!IMPORTANT]-> The above guidance focusses on the process of obtaining a valid authentication token from Azure AD via Power Query. This token needs to be further processed for SAP Principal Propagation. +> The above guidance focusses on the process of obtaining a valid authentication token from Microsoft Entra ID via Power Query. This token needs to be further processed for SAP Principal Propagation. ## Configure SAP Principal Propagation with Azure API Management Use [this](https://github.com/Azure/api-management-policy-snippets/blob/master/e > [!NOTE] > Learn more about SAP Principal Propagation from [this](https://blogs.sap.com/2021/08/12/.net-speaks-odata-too-how-to-implement-azure-app-service-with-sap-odata-gateway/) SAP community post and [this video series](https://github.com/MartinPankraz/SAP-MSTeams-Hero/blob/main/Towel-Bearer/103a-sap-principal-propagation-basics.md). -The policy relies on an established SSO setup between Azure AD and SAP Gateway (use [SAP NetWeaver from the Azure AD gallery](../../active-directory/saas-apps/sap-netweaver-tutorial.md#adding-sap-netweaver-from-the-gallery)). See below an example with the demo user Adele Vance. User mapping between Azure AD and the SAP system happens based on the user principal name (UPN) as the unique user identifier. +The policy relies on an established SSO setup between Microsoft Entra ID and SAP Gateway (use [SAP NetWeaver from the Microsoft Entra gallery](../../active-directory/saas-apps/sap-netweaver-tutorial.md#adding-sap-netweaver-from-the-gallery)). 
See below an example with the demo user Adele Vance. User mapping between Microsoft Entra ID and the SAP system happens based on the user principal name (UPN) as the unique user identifier. :::image type="content" source="media/expose-sap-odata-to-power-query/aad-enterprise-sap-registration-sso.png" alt-text="Screenshot that shows the SAML2 configuration for SAP Gateway with UPN claim."::: The UPN mapping is maintained on the SAP back end using transaction **SAML2**. :::image type="content" source="media/expose-sap-odata-to-power-query/saml2-config.png" alt-text="Screenshot that shows the email mapping mode in SAP SAML2 transaction."::: -According to this configuration **named SAP users** will be mapped to the respective Azure AD user. See below an example configuration from the SAP back end using transaction code **SU01**. +According to this configuration **named SAP users** will be mapped to the respective Microsoft Entra user. See below an example configuration from the SAP back end using transaction code **SU01**. :::image type="content" source="media/expose-sap-odata-to-power-query/sap-su01-config.png" alt-text="Screenshot of named SAP user in transaction SU01 with mapped email address."::: The highlighted button triggers a flow that forwards the OData PATCH request to [Understand Azure Application Gateway and Web Application Firewall for SAP](https://blogs.sap.com/2020/12/03/sap-on-azure-application-gateway-web-application-firewall-waf-v2-setup-for-internet-facing-sap-fiori-apps/) -[Automate API deployments with APIOps](/azure/architecture/example-scenario/devops/automated-api-deployments-apiops) +[Automate API deployments with APIOps](/azure/architecture/example-scenario/devops/automated-api-deployments-apiops) |
sap | Expose Sap Process Orchestration On Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/expose-sap-process-orchestration-on-azure.md | Compared to the scenarios for inbound and outbound connectivity, the introductio - [Throttling](../../api-management/api-management-sample-flexible-throttling.md). - [API governance](/azure/architecture/example-scenario/devops/automated-api-deployments-apiops). - Additional security options like [modern authentication flows](../../api-management/api-management-howto-protect-backend-with-aad.md).-- [Azure Active Directory](../../active-directory/develop/active-directory-v2-protocols.md) integration.+- [Microsoft Entra ID](../../active-directory/develop/active-directory-v2-protocols.md) integration. - The opportunity to add SAP APIs to a central API solution across the company. :::image type="content" source="media/expose-sap-process-orchestration-on-azure/inbound-api-management-2.png" alt-text="Diagram that shows an inbound scenario with Azure API Management and SAP Process Orchestration on Azure."::: |
sap | Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/get-started.md | We just announced our new services of Azure Center for SAP solutions and Azure For customers and partners who are focused on deploying and operating their assets in public cloud through Terraform and Ansible, use our SAP on Azure Deployment Automation Framework to jump start your SAP deployments into Azure using our public Terraform and Ansible modules on [github](https://github.com/Azure/sap-automation). -Hosting SAP workload scenarios in Azure also can create requirements of identity integration and single sign-on. This situation can occur when you use Azure Active Directory (Azure AD) to connect different SAP components and SAP software-as-a-service (SaaS) or platform-as-a-service (PaaS) offers. A list of such integration and single sign-on scenarios with Azure AD and SAP entities is described and documented in the section "Azure AD SAP identity integration and single sign-on." +Hosting SAP workload scenarios in Azure also can create requirements of identity integration and single sign-on. This situation can occur when you use Microsoft Entra ID to connect different SAP components and SAP software-as-a-service (SaaS) or platform-as-a-service (PaaS) offers. A list of such integration and single sign-on scenarios with Microsoft Entra ID and SAP entities is described and documented in the section "Microsoft Entra SAP identity integration and single sign-on." ## Changes to the SAP workload section Changes to documents in the SAP on Azure workload section are listed at the [end If you have specific questions, we're going to point you to specific documents or flows in this section of the start page. You want to know: - Is Azure accepting new customers for HANA Large Instances? HANA Large Instance service is in sunset mode and doesn't accept new customers anymore. Providing units for existing HANA Large Instance customers is still possible. 
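Review bot: the quoted section title was changed to "Microsoft Entra SAP identity integration and single sign-on"; because it is a plain-text reference rather than a link, confirm the heading it names was renamed identically in the same change, or replace the quote with an anchor link so the two cannot drift apart.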
For alternatives, check the offers of HANA certified Azure VMs in the [HANA Hardware Directory](https://www.sap.com/dmc/exp/2014-09-02-hana-hardware/enEN/#/solutions?filters=iaas;ve:24).-- Can Azure Active Directory accounts be used to run the SAP ABAP stack in Windows guest OS. No, due to shortcomings in feature set of AAD, it can't be used for running the ABAP stack within the Windows guest OS+- Can Microsoft Entra accounts be used to run the SAP ABAP stack in Windows guest OS. No, due to shortcomings in feature set of Microsoft Entra ID, it can't be used for running the ABAP stack within the Windows guest OS - What Azure Services, Azure VM types and Azure storage services are available in the different Azure regions, check the site [Products available by region](https://azure.microsoft.com/global-infrastructure/services/) - Are third-party HA frameworks, besides Windows and Pacemaker supported? Check bottom part of [SAP support note #1928533](https://launchpad.support.sap.com/#/notes/1928533) - What Azure storage is best for my scenario? 
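Review bot: the rewritten FAQ item still reads as a statement ("Can Microsoft Entra accounts be used to run the SAP ABAP stack in Windows guest OS.") and the answer is missing an article and a terminal period; suggest "Can Microsoft Entra accounts be used to run the SAP ABAP stack in a Windows guest OS? No. Due to shortcomings in the feature set of Microsoft Entra ID, it can't be used to run the ABAP stack within the Windows guest OS."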
Read [Azure Storage types for SAP workload](./planning-guide-storage.md) In the SAP workload documentation space, you can find the following areas: - February 21, 2023: Correct link to HANA hardware directory in [SAP HANA infrastructure configurations and operations on Azure](./hana-vm-operations.md) and fixed a bug in [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md) - February 17, 2023: Add support and Sentinel sections, few other minor updates in [RISE with SAP integration](rise-integration.md) - February 02, 2023: Add new HA provider susChkSrv for [SAP HANA Scale-out HA on SUSE](sap-hana-high-availability-scale-out-hsr-suse.md) and change from SAPHanaSR to SAPHanaSrMultiTarget provider, enabling HANA multi-target replication-- January 27, 2023: Mark Azure Active Directory Domain Services as supported AD solution in [SAP workload on Azure virtual machine supported scenarios](planning-supported-configurations.md) after successful testing+- January 27, 2023: Mark Microsoft Entra Domain Services as supported AD solution in [SAP workload on Azure virtual machine supported scenarios](planning-supported-configurations.md) after successful testing - December 28, 2022: Update documents [Azure Storage types for SAP workload](./planning-guide-storage.md) and [NFS v4.1 volumes on Azure NetApp Files for SAP HANA](./hana-vm-operations-netapp.md) to provide more details on ANF deployment processes to achieve proximity and low latency. Introduction of zonal deployment process of NFS shares on ANF - December 28, 2022: Updated the guide [SQL Server Azure Virtual Machines DBMS deployment for SAP NetWeaver](./dbms-guide-sqlserver.md) across all topics. 
Also added VM configuration examples for different sizes of databases - December 27, 2022: Introducing new configuration for SAP ASE on E96(d)s_v5 in [SAP ASE Azure Virtual Machines DBMS deployment for SAP workload](./dbms-guide-sapase.md) - December 23, 2022: Updating [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](./dbms-guide-general.md) by cutting references to Azure standard HDD and SSD. Introducing premium storage v2 and updating a few other sections to more recent functionalities-- December 20, 2022: Update article [SAP workload on Azure virtual machine supported scenarios](./planning-supported-configurations.md) with table around AD and AAD support. Deleting a few references to HANA Large Instances.+- December 20, 2022: Update article [SAP workload on Azure virtual machine supported scenarios](./planning-supported-configurations.md) with table around AD and Microsoft Entra ID support. Deleting a few references to HANA Large Instances. - December 19, 2022: Update article [SAP workload configurations with Azure Availability Zones](./high-availability-zones.md) related to new functionalities like zonal replication of Azure Premium Files - December 18, 2022: Add short description and link to intent option of PPG creation in [Azure proximity placement groups for optimal network latency with SAP applications](./proximity-placement-scenarios.md) - December 14, 2022: Fixes in recommendations of capacity for a few VM types in [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md) In the SAP workload documentation space, you can find the following areas: - October 20, 2022: Change in [HA for NFS on Azure VMs on SLES](./high-availability-guide-suse-nfs.md) and [HA for SAP NW on Azure VMs on SLES for SAP applications](./high-availability-guide-suse.md) to indicate that we're de-emphasizing SAP reference architectures, utilizing NFS clusters - October 18, 2022: Clarify some considerations around 
using Azure Availability Zones in [SAP workload configurations with Azure Availability Zones](./high-availability-zones.md) - October 17, 2022: Change in [HA for SAP HANA on Azure VMs on SLES](./sap-hana-high-availability.md) and [HA for SAP HANA on Azure VMs on RHEL](./sap-hana-high-availability-rhel.md) to add guidance for setting up parameter `AUTOMATED_REGISTER`-- September 29, 2022: Announcing HANA Large Instances being in sunset mode in [SAP workload on Azure virtual machine supported scenarios](./planning-supported-configurations.md) and [What is SAP HANA on Azure (Large Instances)?](../../virtual-machines/workloads/sap/hana-overview-architecture.md). Adding some statements around Azure VMware and Azure Active Directory support status in [SAP workload on Azure virtual machine supported scenarios](./planning-supported-configurations.md)+- September 29, 2022: Announcing HANA Large Instances being in sunset mode in [SAP workload on Azure virtual machine supported scenarios](./planning-supported-configurations.md) and [What is SAP HANA on Azure (Large Instances)?](../../virtual-machines/workloads/sap/hana-overview-architecture.md). Adding some statements around Azure VMware and Microsoft Entra ID support status in [SAP workload on Azure virtual machine supported scenarios](./planning-supported-configurations.md) - September 27, 2022: Minor changes in [HA for SAP ASCS/ERS with NFS simple mount](./high-availability-guide-suse-nfs-simple-mount.md) on SLES 15 for SAP Applications to adjust mount instructions - September 14, 2022 Release of updated SAP on Oracle guide with new and updated content [Azure Virtual Machines Oracle DBMS deployment for SAP workload](./dbms-guide-oracle.md) - September 8, 2022: Change in [SAP HANA scale-out HSR with Pacemaker on Azure VMs on SLES](./sap-hana-high-availability-scale-out-hsr-suse.md) to add instructions for deploying /hana/shared (only) on NFS on Azure Files |
sap | High Availability Guide Rhel Pacemaker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-rhel-pacemaker.md | Title: Setting up Pacemaker on RHEL in Azure | Microsoft Docs -description: Setting up Pacemaker on Red Hat Enterprise Linux in Azure + Title: Set up Pacemaker on RHEL in Azure | Microsoft Docs +description: Learn how to set up Pacemaker on Red Hat Enterprise Linux (RHEL) in Azure. -# Setting up Pacemaker on Red Hat Enterprise Linux in Azure +# Set up Pacemaker on Red Hat Enterprise Linux in Azure [planning-guide]:planning-guide.md [deployment-guide]:deployment-guide.md-The article describes how to configure basic Pacemaker cluster on Red Hat Enterprise Server(RHEL). The instructions cover RHEL 7, RHEL 8 and RHEL 9. +This article describes how to configure a basic Pacemaker cluster on Red Hat Enterprise Server (RHEL). The instructions cover RHEL 7, RHEL 8, and RHEL 9. ## Prerequisites Read the following SAP Notes and papers first: * SAP Note [1928533], which has:- * The list of Azure VM sizes that are supported for the deployment of SAP software. + * A list of Azure virtual machine (VM) sizes that are supported for the deployment of SAP software. * Important capacity information for Azure VM sizes.- * The supported SAP software, and operating system (OS) and database combinations. + * The supported SAP software and operating system (OS) and database combinations. * The required SAP kernel version for Windows and Linux on Microsoft Azure. 
* SAP Note [2015553] lists prerequisites for SAP-supported SAP software deployments in Azure.-* SAP Note [2002167] recommends OS settings for Red Hat Enterprise Linux -* SAP Note [3108316] recommends OS settings for Red Hat Enterprise Linux 9.x -* SAP Note [2009879] has SAP HANA Guidelines for Red Hat Enterprise Linux -* SAP Note [3108302] has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x +* SAP Note [2002167] recommends OS settings for Red Hat Enterprise Linux. +* SAP Note [3108316] recommends OS settings for Red Hat Enterprise Linux 9.x. +* SAP Note [2009879] has SAP HANA Guidelines for Red Hat Enterprise Linux. +* SAP Note [3108302] has SAP HANA Guidelines for Red Hat Enterprise Linux 9.x. * SAP Note [2178632] has detailed information about all monitoring metrics reported for SAP in Azure. * SAP Note [2191498] has the required SAP Host Agent version for Linux in Azure. * SAP Note [2243692] has information about SAP licensing on Linux in Azure.-* SAP Note [1999351] has additional troubleshooting information for the Azure Enhanced Monitoring Extension for SAP. +* SAP Note [1999351] has more troubleshooting information for the Azure Enhanced Monitoring Extension for SAP. * [SAP Community WIKI](https://wiki.scn.sap.com/wiki/display/HOME/SAPonLinuxNotes) has all required SAP Notes for Linux. 
* [Azure Virtual Machines planning and implementation for SAP on Linux][planning-guide] * [Azure Virtual Machines deployment for SAP on Linux (this article)][deployment-guide] * [Azure Virtual Machines DBMS deployment for SAP on Linux][dbms-guide]-* [SAP HANA system replication in pacemaker cluster](https://access.redhat.com/articles/3004101) -* General RHEL documentation - * [High Availability Add-On Overview](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_overview/index) - * [High Availability Add-On Administration](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_administration/index) - * [High Availability Add-On Reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/index) - * [Support Policies for RHEL High Availability Clusters - `sbd` and `fence_sbd`](https://access.redhat.com/articles/2800691) +* [SAP HANA system replication in Pacemaker cluster](https://access.redhat.com/articles/3004101) +* General RHEL documentation: + * [High Availability (HA) Add-On Overview](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_overview/index) + * [High-Availability Add-On Administration](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_administration/index) + * [High-Availability Add-On Reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/index) + * [Support Policies for RHEL High-Availability Clusters - `sbd` and `fence_sbd`](https://access.redhat.com/articles/2800691) * Azure-specific RHEL documentation:- * [Support Policies for RHEL High Availability Clusters - Microsoft Azure Virtual Machines as Cluster Members](https://access.redhat.com/articles/3131341) + * [Support Policies for RHEL High-Availability Clusters - 
Microsoft Azure Virtual Machines as Cluster Members](https://access.redhat.com/articles/3131341) * [Installing and Configuring a Red Hat Enterprise Linux 7.4 (and later) High-Availability Cluster on Microsoft Azure](https://access.redhat.com/articles/3252491)- * [Considerations in adopting RHEL 8 - High availability and clusters](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/considerations_in_adopting_rhel_8/high-availability-and-clusters_considerations-in-adopting-rhel-8) + * [Considerations in Adopting RHEL 8 - High Availability and Clusters](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/considerations_in_adopting_rhel_8/high-availability-and-clusters_considerations-in-adopting-rhel-8) * [Configure SAP S/4HANA ASCS/ERS with Standalone Enqueue Server 2 (ENSA2) in Pacemaker on RHEL 7.6](https://access.redhat.com/articles/3974941) * [RHEL for SAP Offerings on Azure](https://access.redhat.com/articles/5456301) ## Cluster installation -![Pacemaker on RHEL overview](./media/high-availability-guide-rhel-pacemaker/pacemaker-rhel.png) +![Diagram that shows an overview of Pacemaker on RHEL.](./media/high-availability-guide-rhel-pacemaker/pacemaker-rhel.png) > [!NOTE]-> Red Hat doesn't support software-emulated watchdog. Red Hat doesn't support SBD on cloud platforms. For details see [Support Policies for RHEL High Availability Clusters - sbd and fence_sbd](https://access.redhat.com/articles/2800691). +> Red Hat doesn't support a software-emulated watchdog. Red Hat doesn't support SBD on cloud platforms. For more information, see [Support Policies for RHEL High-Availability Clusters - sbd and fence_sbd](https://access.redhat.com/articles/2800691). >-> The only supported fencing mechanism for Pacemaker Red Hat Enterprise Linux clusters on Azure, is Azure fence agent. +> The only supported fencing mechanism for Pacemaker RHEL clusters on Azure is an Azure fence agent. 
-The following items are prefixed with either **[A]** - applicable to all nodes, **[1]** - only applicable to node 1 or **[2]** - only applicable to node 2. Differences in the commands or the configuration between RHEL 7 and RHEL 8/RHEL 9 are marked in the document. +The following items are prefixed with: -1. **[A]** Register - optional step. This step isn't required, if using RHEL SAP HA-enabled images. +- **[A]**: Applicable to all nodes +- **[1]**: Only applicable to node 1 +- **[2]**: Only applicable to node 2 - For example, if deploying on RHEL 7, register your virtual machine and attach it to a pool that contains repositories for RHEL 7. +Differences in the commands or the configuration between RHEL 7 and RHEL 8/RHEL 9 are marked in the document. ++1. **[A]** Register. This step is optional. If you're using RHEL SAP HA-enabled images, this step isn't required. ++ For example, if you're deploying on RHEL 7, register your VM and attach it to a pool that contains repositories for RHEL 7. ```bash sudo subscription-manager register The following items are prefixed with either **[A]** - applicable to all nodes, sudo subscription-manager attach --pool=<pool id> ``` - By attaching a pool to an Azure Marketplace PAYG RHEL image, you will be effectively double-billed for your RHEL usage: once for the PAYG image, and once for the RHEL entitlement in the pool you attach. To mitigate this situation, Azure now provides BYOS RHEL images. For more information, see [Red Hat Enterprise Linux bring-your-own-subscription Azure images](../../virtual-machines/workloads/redhat/byos.md). + When you attach a pool to an Azure Marketplace pay-as-you-go RHEL image, you're effectively double billed for your RHEL usage. You're billed once for the pay-as-you-go image and once for the RHEL entitlement in the pool you attach. To mitigate this situation, Azure now provides bring-your-own-subscription RHEL images. 
For more information, see [Red Hat Enterprise Linux bring-your-own-subscription Azure images](../../virtual-machines/workloads/redhat/byos.md). -1. **[A]** Enable RHEL for SAP repos - optional step. This step isn't required, if using RHEL SAP HA-enabled images. +1. **[A]** Enable RHEL for SAP repos. This step is optional. If you're using RHEL SAP HA-enabled images, this step isn't required. - In order to install the required packages on RHEL 7, enable the following repositories. + To install the required packages on RHEL 7, enable the following repositories: ```bash sudo subscription-manager repos --disable "*" The following items are prefixed with either **[A]** - applicable to all nodes, sudo subscription-manager repos --enable=rhel-ha-for-rhel-7-server-eus-rpms ``` -1. **[A]** Install RHEL HA Add-On +1. **[A]** Install the RHEL HA add-on. ```bash sudo yum install -y pcs pacemaker fence-agents-azure-arm nmap-ncat ``` > [!IMPORTANT]- > We recommend the following versions of Azure Fence agent (or later) for customers to benefit from a faster failover time, if a resource stop fails or the cluster nodes cannot communicate which each other anymore: + > We recommend the following versions of the Azure fence agent (or later) for customers to benefit from a faster failover time, if a resource stop fails or the cluster nodes can't communicate with each other anymore: > > RHEL 7.7 or higher use the latest available version of fence-agents package. > The following items are prefixed with either **[A]** - applicable to all nodes, > > RHEL 7.4: fence-agents-4.0.11-66.el7_4.12 >- > For more information, see [Azure VM running as a RHEL High Availability cluster member take a very long time to be fenced, or fencing fails / times-out before the VM shuts down](https://access.redhat.com/solutions/3408711). 
+ > For more information, see [Azure VM running as a RHEL High-Availability cluster member takes a very long time to be fenced, or fencing fails/times out before the VM shuts down](https://access.redhat.com/solutions/3408711). > [!IMPORTANT]- > We recommend the following versions of Azure Fence agent (or later) for customers wishing to use Managed Identities for Azure resources instead of service principal names for the fence agent. + > We recommend the following versions of the Azure fence agent (or later) for customers who want to use managed identities for Azure resources instead of service principal names for the fence agent: > > RHEL 8.4: fence-agents-4.2.1-54.el8. > The following items are prefixed with either **[A]** - applicable to all nodes, > RHEL 7.9: fence-agents-4.2.1-41.el7_9.4. > [!IMPORTANT]- > On RHEL 9, we recommend the following package versions (or later) to avoid issues with Azure Fence agent: + > On RHEL 9, we recommend the following package versions (or later) to avoid issues with the Azure fence agent: > > fence-agents-4.10.0-20.el9_0.7 > The following items are prefixed with either **[A]** - applicable to all nodes, ``` > [!IMPORTANT]- > If you need to update the Azure Fence agent, and if using custom role, make sure to update the custom role to include action **powerOff**. For details see [Create a custom role for the fence agent](#1-create-a-custom-role-for-the-fence-agent). + > If you need to update the Azure fence agent, and if you're using a custom role, make sure to update the custom role to include the action **powerOff**. For more information, see [Create a custom role for the fence agent](#1-create-a-custom-role-for-the-fence-agent). -1. If deploying on RHEL 9, install also the resource agents for cloud deployment: +1. If you're deploying on RHEL 9, also install the resource agents for cloud deployment. ```bash sudo yum install -y resource-agents-cloud ``` -1. **[A]** Setup host name resolution +1. 
**[A]** Set up hostname resolution. - You can either use a DNS server or modify the /etc/hosts on all nodes. This example shows how to use the /etc/hosts file. - Replace the IP address and the hostname in the following commands. + You can either use a DNS server or modify the `/etc/hosts` file on all nodes. This example shows how to use the `/etc/hosts` file. Replace the IP address and the hostname in the following commands. > [!IMPORTANT]- > If using host names in the cluster configuration, it's vital to have reliable host name resolution. The cluster communication will fail, if the names are not available and that can lead to cluster failover delays. + > If you're using hostnames in the cluster configuration, it's vital to have reliable hostname resolution. The cluster communication fails if the names aren't available, which can lead to cluster failover delays. >- > The benefit of using /etc/hosts is that your cluster becomes independent of DNS, which could be a single point of failures too. + > The benefit of using `/etc/hosts` is that your cluster becomes independent of DNS, which could be a single point of failures too. ```bash sudo vi /etc/hosts ``` - Insert the following lines to /etc/hosts. Change the IP address and hostname to match your environment + Insert the following lines to `/etc/hosts`. Change the IP address and hostname to match your environment. ```text # IP address of the first cluster node The following items are prefixed with either **[A]** - applicable to all nodes, 10.0.0.7 prod-cl1-1 ``` -1. **[A]** Change hacluster password to the same password +1. **[A]** Change the `hacluster` password to the same password. ```bash sudo passwd hacluster ``` -1. **[A]** Add firewall rules for pacemaker +1. **[A]** Add firewall rules for Pacemaker. Add the following firewall rules to all cluster communication between the cluster nodes. 
The following items are prefixed with either **[A]** - applicable to all nodes, sudo firewall-cmd --add-service=high-availability ``` -1. **[A]** Enable basic cluster services +1. **[A]** Enable basic cluster services. Run the following commands to enable the Pacemaker service and start it. The following items are prefixed with either **[A]** - applicable to all nodes, sudo systemctl enable pcsd.service ``` -1. **[1]** Create Pacemaker cluster +1. **[1]** Create a Pacemaker cluster. - Run the following commands to authenticate the nodes and create the cluster. Set the token to 30000 to allow Memory preserving maintenance. For more information, see [this article for Linux][virtual-machines-linux-maintenance]. + Run the following commands to authenticate the nodes and create the cluster. Set the token to 30000 to allow memory preserving maintenance. For more information, see [this article for Linux][virtual-machines-linux-maintenance]. - If building a cluster on **RHEL 7.x**, use the following commands: + If you're building a cluster on **RHEL 7.x**, use the following commands: ```bash sudo pcs cluster auth prod-cl1-0 prod-cl1-1 -u hacluster The following items are prefixed with either **[A]** - applicable to all nodes, sudo pcs cluster start --all ``` - If building a cluster on **RHEL 8.x/RHEL 9.x**, use the following commands: + If you're building a cluster on **RHEL 8.x/RHEL 9.x**, use the following commands: ```bash sudo pcs host auth prod-cl1-0 prod-cl1-1 -u hacluster The following items are prefixed with either **[A]** - applicable to all nodes, sudo pcs cluster start --all ``` - Verify the cluster status, by executing the following command: + Verify the cluster status by running the following command: ```bash # Run the following command until the status of both nodes is online The following items are prefixed with either **[A]** - applicable to all nodes, # pcsd: active/enabled ``` -1. **[A]** Set Expected Votes. +1. **[A]** Set expected votes. 
```bash # Check the quorum votes The following items are prefixed with either **[A]** - applicable to all nodes, ``` > [!TIP]- > If building multi-node cluster, that is cluster with more than two nodes, don't set the votes to 2. + > If you're building a multinode cluster, that is, a cluster with more than two nodes, don't set the votes to 2. -1. **[1]** Allow concurrent fence actions +1. **[1]** Allow concurrent fence actions. ```bash sudo pcs property set concurrent-fencing=true ``` -## Create fencing device +## Create a fencing device -The fencing device uses either a managed identity for Azure resource or service principal to authorize against Microsoft Azure. +The fencing device uses either a managed identity for Azure resource or a service principal to authorize against Azure. -### [Managed Identity](#tab/msi) +### [Managed identity](#tab/msi) -To create a managed identity (MSI), [create a system-assigned](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time. Fence device, based on managed identity is supported on RHEL 7.9 and RHEL 8.x/RHEL 9.x. +To create a managed identity (MSI), [create a system-assigned](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity) managed identity for each VM in the cluster. If a system-assigned managed identity already exists, it's used. Don't use user-assigned managed identities with Pacemaker at this time. A fence device, based on managed identity, is supported on RHEL 7.9 and RHEL 8.x/RHEL 9.x. -### [Service Principal](#tab/spn) +### [Service principal](#tab/spn) -Follow these steps to create a service principal, if not using managed identity. 
+Follow these steps to create a service principal, if you aren't using managed identity. 1. Go to the [Azure portal](https://portal.azure.com).-2. Open the Azure Active Directory blade. - Go to Properties and make a note of the Directory ID. This is the **tenant ID**. -3. Click App registrations. -4. Click New Registration. -5. Enter a Name, select "Accounts in this organization directory only". -6. Select Application Type "Web", enter a sign-on URL (for example http:\//localhost) and click Add. +1. Open the **Microsoft Entra ID** pane. + Go to **Properties** and make a note of the **Directory ID**. This is the **tenant ID**. +1. Select **App registrations**. +1. Select **New Registration**. +1. Enter a **Name** and select **Accounts in this organization directory only**. +1. Select **Application Type** as **Web**, enter a sign-on URL (for example, http:\//localhost), and select **Add**. The sign-on URL isn't used and can be any valid URL.-7. Select Certificates and Secrets, then click New client secret. -8. Enter a description for a new key, select "Two years" and click Add. -9. Make a note of the Value. It is used as the **password** for the service principal. -10. Select Overview. Make a note the Application ID. It's used as the username (**login ID** in the steps below) of the service principal. +1. Select **Certificates and Secrets**, and then select **New client secret**. +1. Enter a description for a new key, select **Two years**, and select **Add**. +1. Make a note of the **Value**. It's used as the **password** for the service principal. +1. Select **Overview**. Make a note of the **Application ID**. It's used as the username (**login ID** in the following steps) of the service principal. ### **[1]** Create a custom role for the fence agent -Neither managed identity nor service principal has permissions to access your Azure resources by default. 
You need to give the managed identity or service principal permissions to start and stop (power-off) all virtual machines of the cluster. If you didn't already create the custom role, you can create it using [PowerShell](../../role-based-access-control/custom-roles-powershell.md) or [Azure CLI](../../role-based-access-control/custom-roles-cli.md) +Both the managed identity and the service principal don't have permissions to access your Azure resources by default. You need to give the managed identity or service principal permissions to start and stop (power-off) all VMs of the cluster. If you haven't already created the custom role, you can create it by using [PowerShell](../../role-based-access-control/custom-roles-powershell.md) or the [Azure CLI](../../role-based-access-control/custom-roles-cli.md). -Use the following content for the input file. You need to adapt the content to your subscriptions that is, replace *xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx* and *yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy* with the Ids of your subscription. If you only have one subscription, remove the second entry in AssignableScopes. +Use the following content for the input file. You need to adapt the content to your subscriptions, that is, replace `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` and `yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy` with the IDs of your subscription. If you only have one subscription, remove the second entry in `AssignableScopes`. ```json { Use the following content for the input file. You need to adapt the content to y ### **[A]** Assign the custom role -#### [Managed Identity](#tab/msi) +Use managed identity or service principal. ++#### [Managed identity](#tab/msi) -Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to each managed identity of the cluster VMs. Each VM system-assigned managed identity needs the role assigned for every cluster VM's resource. 
For detailed steps, see [Assign a managed identity access to a resource by using the Azure portal](../../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Verify each VM's managed identity role assignment contains all cluster VMs. +Assign the custom role `Linux Fence Agent Role` that was created in the last section to each managed identity of the cluster VMs. Each VM system-assigned managed identity needs the role assigned for every cluster VM's resource. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Verify that each VM's managed identity role assignment contains all the cluster VMs. > [!IMPORTANT]-> Be aware assignment and removal of authorization with managed identities [can be delayed](../../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization) until effective. +> Be aware that assignment and removal of authorization with managed identities [can be delayed](../../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization) until effective. -#### [Service Principal](#tab/spn) +#### [Service principal](#tab/spn) -Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to the service principal. Don't use the Owner role anymore! For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). +Assign the custom role `Linux Fence Agent Role` that was created in the last section to the service principal. *Don't use the Owner role anymore.* For more information, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md). 
Make sure to assign the role for both cluster nodes. Make sure to assign the role for both cluster nodes. ### **[1]** Create the fencing devices -After you edited the permissions for the virtual machines, you can configure the fencing devices in the cluster. +After you edit the permissions for the VMs, you can configure the fencing devices in the cluster. ```bash sudo pcs property set stonith-timeout=900 ``` > [!NOTE]-> Option 'pcmk_host_map' is ONLY required in the command, if the RHEL host names and the Azure VM names are NOT identical. Specify the mapping in the format **hostname:vm-name**. -> Refer to the bold section in the command. For more information, see [What format should I use to specify node mappings to fencing devices in pcmk_host_map](https://access.redhat.com/solutions/2619961) +> The option `pcmk_host_map` is *only* required in the command if the RHEL hostnames and the Azure VM names are *not* identical. Specify the mapping in the format **hostname:vm-name**. +> Refer to the bold section in the command. For more information, see [What format should I use to specify node mappings to fencing devices in pcmk_host_map?](https://access.redhat.com/solutions/2619961). -#### [Managed Identity](#tab/msi) +#### [Managed identity](#tab/msi) For RHEL **7.x**, use the following command to configure the fence device: power_timeout=240 pcmk_reboot_timeout=900 pcmk_monitor_timeout=120 pcmk_monitor_ op monitor interval=3600 ``` -#### [Service Principal](#tab/spn) +#### [Service principal](#tab/spn) For RHEL **7.x**, use the following command to configure the fence device: op monitor interval=3600 -If you're using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration. 
+If you're using a fencing device based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters by using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration. > [!TIP] >-> * To avoid fence races within a two-node pacemaker cluster, you can configure "priority-fencing-delay" cluster property. This property introduces additional delay in fencing a node that has higher total resource priority when a split-brain scenario occurs. For additional details, see [Can Pacemaker fence the cluster node with the fewest running resources?](https://access.redhat.com/solutions/5110521) -> * The property "priority-fencing-delay" is applicable for pacemaker version 2.0.4-6.el8 or higher and on two-node cluster. If you configure the "priority-fencing-delay" cluster property, there is no need to set the "pcmk_delay_max" property. But if the pacemaker is less than 2.0.4-6.el8, you should set "pcmk_delay_max" property. -> * The instruction on setting "priority-fencing-delay" cluster property can be found in respective SAP ASCS/ERS and SAP HANA scale-up high availability document. +> * To avoid fence races within a two-node pacemaker cluster, you can configure the `priority-fencing-delay` cluster property. This property introduces additional delay in fencing a node that has higher total resource priority when a split-brain scenario occurs. For more information, see [Can Pacemaker fence the cluster node with the fewest running resources?](https://access.redhat.com/solutions/5110521). +> * The property `priority-fencing-delay` is applicable for Pacemaker version 2.0.4-6.el8 or higher and on a two-node cluster. If you configure the `priority-fencing-delay` cluster property, you don't need to set the `pcmk_delay_max` property. 
But if the Pacemaker version is less than 2.0.4-6.el8, you need to set the `pcmk_delay_max` property. +> * For instructions on how to set the `priority-fencing-delay` cluster property, see the respective SAP ASCS/ERS and SAP HANA scale-up HA documents. -> [!IMPORTANT] -> The monitoring and fencing operations are deserialized. As a result, if there is a longer running monitoring operation and simultaneous fencing event, there is no delay to the cluster failover, due to the already running monitoring operation. +The monitoring and fencing operations are deserialized. As a result, if there's a longer running monitoring operation and simultaneous fencing event, there's no delay to the cluster failover because the monitoring operation is already running. ### **[1]** Enable the use of a fencing device sudo pcs property set stonith-enabled=true ``` > [!TIP]->Azure Fence Agent requires outbound connectivity to public end points as documented, along with possible solutions, in [Public endpoint connectivity for VMs using standard ILB](./high-availability-guide-standard-load-balancer-outbound-connections.md). +>The Azure fence agent requires outbound connectivity to public endpoints. For more information along with possible solutions, see [Public endpoint connectivity for VMs using standard ILB](./high-availability-guide-standard-load-balancer-outbound-connections.md). ## Configure Pacemaker for Azure scheduled events -Azure offers [scheduled events](../../virtual-machines/linux/scheduled-events.md). Scheduled events are sent via the metadata service and allow time for the application to prepare for such events. Pacemaker resource agent azure-events-az monitors for scheduled Azure events. If events are detected and the resource agent determines that another cluster node is available, it sets a cluster health attribute. 
When the cluster health attribute is set for a node, the location constraint triggers and all resources, whose name doesnΓÇÖt start with ΓÇ£health-ΓÇ£ are migrated away from the node with scheduled event. Once the affected cluster node is free of running cluster resources, scheduled event is acknowledged and can execute its action, such as restart. +Azure offers [scheduled events](../../virtual-machines/linux/scheduled-events.md). Scheduled events are sent via the metadata service and allow time for the application to prepare for such events. ++The Pacemaker resource agent `azure-events-az` monitors for scheduled Azure events. If events are detected and the resource agent determines that another cluster node is available, it sets a cluster health attribute. ++When the cluster health attribute is set for a node, the location constraint triggers and all resources with names that don't start with `health-` are migrated away from the node with the scheduled event. After the affected cluster node is free of running cluster resources, the scheduled event is acknowledged and can execute its action, such as a restart. -1. **[A]** Make sure that the package for the azure-events-az agent is already installed and up to date. +1. **[A]** Make sure that the package for the `azure-events-az` agent is already installed and up to date. ```bash sudo dnf info resource-agents Azure offers [scheduled events](../../virtual-machines/linux/scheduled-events.md * RHEL 8.8 and newer: `resource-agents-4.9.0-40.1` * RHEL 9.0 and newer: `resource-agents-cloud-4.10.0-34.2` -2. **[1]** Configure the resources in Pacemaker. +1. **[1]** Configure the resources in Pacemaker. ```bash #Place the cluster in maintenance mode sudo pcs property set maintenance-mode=true -3. **[1]** Set the pacemaker cluster health node strategy and constraint +1. **[1]** Set the Pacemaker cluster health-node strategy and constraint. 
```bash sudo pcs property set node-health-strategy=custom Azure offers [scheduled events](../../virtual-machines/linux/scheduled-events.md > [!IMPORTANT] >- > Don't define any other resources in the cluster starting with ΓÇ£health-ΓÇ¥, besides the resources described in the next steps of the documentation. + > Don't define any other resources in the cluster starting with `health-` besides the resources described in the next steps. -4. **[1]** Set initial value of the cluster attributes. - Run for each cluster node. For scale-out environments including majority maker VM. +1. **[1]** Set the initial value of the cluster attributes. Run for each cluster node and for scale-out environments including majority maker VM. ```bash sudo crm_attribute --node prod-cl1-0 --name '#health-azure' --update 0 sudo crm_attribute --node prod-cl1-1 --name '#health-azure' --update 0 ``` -5. **[1]** Configure the resources in Pacemaker. - Important: The resources must start with ΓÇÿhealth-azureΓÇÖ. +1. **[1]** Configure the resources in Pacemaker. Make sure the resources start with `health-azure`. ```bash sudo pcs resource create health-azure-events \ Azure offers [scheduled events](../../virtual-machines/linux/scheduled-events.md sudo pcs resource clone health-azure-events allow-unhealthy-nodes=true ``` -6. Take the Pacemaker cluster out of maintenance mode +1. Take the Pacemaker cluster out of maintenance mode. ```bash sudo pcs property set maintenance-mode=false ``` -7. Clear any errors during enablement and verify that the health-azure-events resources have started successfully on all cluster nodes. +1. Clear any errors during enablement and verify that the `health-azure-events` resources have started successfully on all cluster nodes. ```bash sudo pcs resource cleanup ``` - First time query execution for scheduled events [can take up to 2 minutes](../../virtual-machines/linux/scheduled-events.md#enabling-and-disabling-scheduled-events). 
Pacemaker testing with scheduled events can use reboot or redeploy actions for the cluster VMs. For more information, see [scheduled events](../../virtual-machines/linux/scheduled-events.md) documentation. + First-time query execution for scheduled events [can take up to two minutes](../../virtual-machines/linux/scheduled-events.md#enabling-and-disabling-scheduled-events). Pacemaker testing with scheduled events can use reboot or redeploy actions for the cluster VMs. For more information, see [Scheduled events](../../virtual-machines/linux/scheduled-events.md). ## Optional fencing configuration > [!TIP]-> This section is only applicable, if it is desired to configure special fencing device `fence_kdump`. +> This section is only applicable if you want to configure the special fencing device `fence_kdump`. -If there is a need to collect diagnostic information within the VM, it may be useful to configure additional fencing device, based on fence agent `fence_kdump`. The `fence_kdump` agent can detect that a node entered kdump crash recovery and can allow the crash recovery service to complete, before other fencing methods are invoked. Note that `fence_kdump` isn't a replacement for traditional fence mechanisms, like Azure Fence Agent when using Azure VMs. +If you need to collect diagnostic information within the VM, it might be useful to configure another fencing device based on the fence agent `fence_kdump`. The `fence_kdump` agent can detect that a node entered kdump crash recovery and can allow the crash recovery service to complete before other fencing methods are invoked. Note that `fence_kdump` isn't a replacement for traditional fence mechanisms, like the Azure fence agent, when you're using Azure VMs. > [!IMPORTANT]-> Be aware that when `fence_kdump` is configured as a first level fencing device, it will introduce delays in the fencing operations and respectively delays in the application resources failover. 
+> Be aware that when `fence_kdump` is configured as a first-level fencing device, it introduces delays in the fencing operations and, respectively, delays in the application resources failover. >-> If a crash dump is successfully detected, the fencing will be delayed until the crash recovery service completes. If the failed node is unreachable or if it doesn't respond, the fencing will be delayed by time determined by the configured number of iterations and the `fence_kdump` timeout. For more details, see [How do I configure fence_kdump in a Red Hat Pacemaker cluster](https://access.redhat.com/solutions/2876971). +> If a crash dump is successfully detected, the fencing is delayed until the crash recovery service completes. If the failed node is unreachable or if it doesn't respond, the fencing is delayed by time determined, the configured number of iterations, and the `fence_kdump` timeout. For more information, see [How do I configure fence_kdump in a Red Hat Pacemaker cluster?](https://access.redhat.com/solutions/2876971). >-> The proposed fence_kdump timeout may need to be adapted to the specific environment. +> The proposed `fence_kdump` timeout might need to be adapted to the specific environment. >-> We recommend to configure `fence_kdump` fencing only when necessary to collect diagnostics within the VM and always in combination with traditional fence method as Azure Fence Agent. +> We recommend that you configure `fence_kdump` fencing only when necessary to collect diagnostics within the VM and always in combination with traditional fence methods, such as the Azure fence agent. 
-The following Red Hat KBs contain important information about configuring `fence_kdump` fencing: +The following Red Hat KB articles contain important information about configuring `fence_kdump` fencing: -* [How do I configure fence_kdump in a Red Hat Pacemaker cluster](https://access.redhat.com/solutions/2876971) -* [How to configure/manage fencing levels in RHEL cluster with Pacemaker](https://access.redhat.com/solutions/891323) -* [fence_kdump fails with "timeout after X seconds" in a RHEL 6 or 7 HA cluster with kexec-tools older than 2.0.14](https://access.redhat.com/solutions/2388711) -* For information how to change the default timeout see [How do I configure kdump for use with the RHEL 6,7,8 HA Add-On](https://access.redhat.com/articles/67570) -* For information on how to reduce failover delay, when using `fence_kdump` see [Can I reduce the expected delay of failover when adding fence_kdump configuration](https://access.redhat.com/solutions/5512331) +* See [How do I configure fence_kdump in a Red Hat Pacemaker cluster?](https://access.redhat.com/solutions/2876971). +* See [How to configure/manage fencing levels in an RHEL cluster with Pacemaker](https://access.redhat.com/solutions/891323). +* See [fence_kdump fails with "timeout after X seconds" in an RHEL 6 or 7 HA cluster with kexec-tools older than 2.0.14](https://access.redhat.com/solutions/2388711). +* For information on how to change the default timeout, see [How do I configure kdump for use with the RHEL 6, 7, 8 HA Add-On?](https://access.redhat.com/articles/67570). +* For information on how to reduce failover delay when you use `fence_kdump`, see [Can I reduce the expected delay of failover when adding fence_kdump configuration?](https://access.redhat.com/solutions/5512331). -Execute the following optional steps to add `fence_kdump` as a first level fencing configuration, in addition to the Azure Fence Agent configuration. 
+Run the following optional steps to add `fence_kdump` as a first-level fencing configuration, in addition to the Azure fence agent configuration. -1. **[A]** Verify that kdump is active and configured. +1. **[A]** Verify that `kdump` is active and configured. ```bash systemctl is-active kdump Execute the following optional steps to add `fence_kdump` as a first level fenci # active ``` -2. **[A]** Install the `fence_kdump` fence agent. +1. **[A]** Install the `fence_kdump` fence agent. ```bash yum install fence-agents-kdump ``` -3. **[1]** Create `fence_kdump` fencing device in the cluster. +1. **[1]** Create a `fence_kdump` fencing device in the cluster. ```bash pcs stonith create rsc_st_kdump fence_kdump pcmk_reboot_action="off" pcmk_host_list="prod-cl1-0 prod-cl1-1" timeout=30 ``` -4. **[1]** Configure fencing levels, so that `fence_kdump` fencing mechanism is engaged first. +1. **[1]** Configure fencing levels so that the `fence_kdump` fencing mechanism is engaged first. ```bash pcs stonith create rsc_st_kdump fence_kdump pcmk_reboot_action="off" pcmk_host_list="prod-cl1-0 prod-cl1-1" Execute the following optional steps to add `fence_kdump` as a first level fenci # Level 2 - rsc_st_azure ``` -5. **[A]** Allow the required ports for `fence_kdump` through the firewall +1. **[A]** Allow the required ports for `fence_kdump` through the firewall. ```bash firewall-cmd --add-port=7410/udp firewall-cmd --add-port=7410/udp --permanent ``` -6. **[A]** Ensure that `initramfs` image file contains `fence_kdump` and `hosts` files. For details see [How do I configure fence_kdump in a Red Hat Pacemaker cluster](https://access.redhat.com/solutions/2876971). +1. **[A]** Ensure that the `initramfs` image file contains the `fence_kdump` and `hosts` files. For more information, see [How do I configure fence_kdump in a Red Hat Pacemaker cluster?](https://access.redhat.com/solutions/2876971). 
```bash lsinitrd /boot/initramfs-$(uname -r)kdump.img | egrep "fence|hosts" Execute the following optional steps to add `fence_kdump` as a first level fenci # -rwxr-xr-x 1 root root 15560 Jun 17 14:59 usr/libexec/fence_kdump_send ``` -7. **[A]** Perform the `fence_kdump_nodes` configuration in `/etc/kdump.conf` to avoid `fence_kdump` failing with a timeout for some `kexec-tools` versions. For details see [fence_kdump times out when fence_kdump_nodes is not specified with kexec-tools version 2.0.15 or later](https://access.redhat.com/solutions/4498151) and [fence_kdump fails with "timeout after X seconds" in a RHEL 6 or 7 High Availability cluster with kexec-tools versions older than 2.0.14](https://access.redhat.com/solutions/2388711). The example configuration for a two node cluster is presented below. After making a change in `/etc/kdump.conf`, the kdump image must be regenerated. That can be achieved by restarting the `kdump` service. +1. **[A]** Perform the `fence_kdump_nodes` configuration in `/etc/kdump.conf` to avoid `fence_kdump` from failing with a timeout for some `kexec-tools` versions. For more information, see [fence_kdump times out when fence_kdump_nodes is not specified with kexec-tools version 2.0.15 or later](https://access.redhat.com/solutions/4498151) and [fence_kdump fails with "timeout after X seconds" in a RHEL 6 or 7 High Availability cluster with kexec-tools versions older than 2.0.14](https://access.redhat.com/solutions/2388711). The example configuration for a two-node cluster is presented here. After you make a change in `/etc/kdump.conf`, the kdump image must be regenerated. To regenerate, restart the `kdump` service. ```bash vi /etc/kdump.conf Execute the following optional steps to add `fence_kdump` as a first level fenci systemctl restart kdump ``` -8. Test the configuration by crashing a node. For details see [How do I configure fence_kdump in a Red Hat Pacemaker cluster](https://access.redhat.com/solutions/2876971). +1. 
Test the configuration by crashing a node. For more information, see [How do I configure fence_kdump in a Red Hat Pacemaker cluster?](https://access.redhat.com/solutions/2876971). > [!IMPORTANT]- > If the cluster is already in productive use, plan the test accordingly as crashing a node will have an impact on the application. + > If the cluster is already in productive use, plan the test accordingly because crashing a node has an impact on the application. ```bash echo c > /proc/sysrq-trigger Execute the following optional steps to add `fence_kdump` as a first level fenci ## Next steps -* [Azure Virtual Machines planning and implementation for SAP][planning-guide]. -* [Azure Virtual Machines deployment for SAP][deployment-guide]. -* [Azure Virtual Machines DBMS deployment for SAP][dbms-guide]. -* To learn how to establish high availability and plan for disaster recovery of SAP HANA on Azure VMs, see [High Availability of SAP HANA on Azure Virtual Machines (VMs)][sap-hana-ha]. +* See [Azure Virtual Machines planning and implementation for SAP][planning-guide]. +* See [Azure Virtual Machines deployment for SAP][deployment-guide]. +* See [Azure Virtual Machines DBMS deployment for SAP][dbms-guide]. +* To learn how to establish HA and plan for disaster recovery of SAP HANA on Azure VMs, see [High Availability of SAP HANA on Azure Virtual Machines][sap-hana-ha]. |
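Review bot: the rewritten IMPORTANT callout changes the meaning of the delay sentence. The original reads "the fencing will be delayed by time determined by the configured number of iterations and the `fence_kdump` timeout"; the new text "the fencing is delayed by time determined, the configured number of iterations, and the `fence_kdump` timeout" drops the second "by" and turns one cause into a list of three. Suggest: "the fencing is delayed by a time determined by the configured number of iterations and the `fence_kdump` timeout."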
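Review bot: "to avoid `fence_kdump` from failing with a timeout" in the rewritten step on `fence_kdump_nodes` is ungrammatical ("avoid ... from"); suggest "to prevent `fence_kdump` from failing with a timeout" or keep the original "to avoid `fence_kdump` failing with a timeout". The same step links solution 2388711 with the title "a RHEL 6 or 7 High Availability cluster" while the KB list earlier in this change links the same URL as "an RHEL 6 or 7 HA cluster"; use one link text for the same article.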
sap | High Availability Guide Suse Pacemaker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-suse-pacemaker.md | To create a managed identity (MSI), [create a system-assigned](../../active-dire To create a service principal, do the following: -1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** > **Properties**, and then write down the Directory ID. This is the **tenant ID**. +1. In the [Azure portal](https://portal.azure.com), select **Microsoft Entra ID** > **Properties**, and then write down the Directory ID. This is the **tenant ID**. 2. Select **App registrations**. 3. Select **New registration**. 4. Enter a name for the registration, and then select **Accounts in this organization directory only**. |
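Review bot: after renaming the menu path to **Microsoft Entra ID** > **Properties**, the step still says "write down the Directory ID" and then equates it with the **tenant ID**. Check whether the Properties pane still labels that value "Directory ID" under the Microsoft Entra naming; if it now reads "Tenant ID", simplify the step to "write down the **Tenant ID**" so the label and the term used in the rest of the procedure match.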
sap | High Availability Guide Windows Azure Files Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-windows-azure-files-smb.md | Distributing *transport*, *interface*, and *sapmnt* among separate storage accou Here are prerequisites for the installation of SAP NetWeaver HA systems on Azure Files premium SMB with Active Directory integration: * Join the SAP servers to an Active Directory domain.-* Replicate the Active Directory domain that contains the SAP servers to Azure Active Directory (Azure AD) by using Azure AD Connect. +* Replicate the Active Directory domain that contains the SAP servers to Microsoft Entra ID by using Microsoft Entra Connect. * Make sure that at least one Active Directory domain controller is in the Azure landscape, to avoid traversing Azure ExpressRoute to contact domain controllers on-premises. * Make sure that the Azure support team reviews the documentation for Azure Files SMB with [Active Directory integration](../../storage/files/storage-files-identity-auth-active-directory-enable.md#videos). The video shows extra configuration options, which were modified (DNS) and skipped (DFS-N) for simplification reasons. But these are valid configuration options. * Make sure that the user who's running the Azure Files PowerShell script has permission to create objects in Active Directory. The Active Directory administrator should create, in advance, three domain users ### Check Synchronization Service Manager -The Active Directory administrator or Azure administrator should check Synchronization Service Manager in Azure AD Connect. By default, it takes about 30 minutes to replicate to Azure AD. +The Active Directory administrator or Azure administrator should check Synchronization Service Manager in Microsoft Entra Connect. By default, it takes about 30 minutes to replicate to Microsoft Entra ID. 
### Create a storage account, private endpoint, and file share The Azure administrator should complete the following tasks: This script creates either a computer account or a service account in Active Directory. It has the following requirements: * The user who's running the script must have permission to create objects in the Active Directory domain that contains the SAP servers. Typically, an organization uses a Domain Administrator account such as *SAPCONT_ADMIN@SAPCONTOSO.local*.- * Before the user runs the script, confirm that this Active Directory domain user account is synchronized with Azure AD. An example of this would be to open the Azure portal and go to Azure AD users, check that the user *SAPCONT_ADMIN@SAPCONTOSO.local* exists, and verify the Azure AD user account. - * Grant the Contributor role-based access control (RBAC) role to this Azure AD user account for the resource group that contains the storage account that holds the file share. In this example, the user *SAPCONT_ADMIN@SAPCONTOSO.onmicrosoft.com* is granted the Contributor role to the respective resource group. + * Before the user runs the script, confirm that this Active Directory domain user account is synchronized with Microsoft Entra ID. An example of this would be to open the Azure portal and go to Microsoft Entra users, check that the user *SAPCONT_ADMIN@SAPCONTOSO.local* exists, and verify the Microsoft Entra user account. + * Grant the Contributor role-based access control (RBAC) role to this Microsoft Entra user account for the resource group that contains the storage account that holds the file share. In this example, the user *SAPCONT_ADMIN@SAPCONTOSO.onmicrosoft.com* is granted the Contributor role to the respective resource group. * The user should run the script while logged on to a Windows Server instance by using an Active Directory domain user account with the permission as specified earlier. 
In this example scenario, the Active Directory administrator would log on to the Windows Server instance as *SAPCONT_ADMIN@SAPCONTOSO.local*. When the administrator is using the PowerShell command `Connect-AzAccount`, the administrator connects as user *SAPCONT_ADMIN@SAPCONTOSO.onmicrosoft.com*. Ideally, the Active Directory administrator and the Azure administrator should work together on this task. The Azure administrator should complete the following tasks: ![Screenshot of the Azure portal after successful PowerShell script execution.](media/virtual-machines-shared-sap-high-availability-guide/smb-config-1.png) > [!IMPORTANT]- > When a user is running the PowerShell script command `Connect-AzAccount`, we highly recommend entering the Azure AD user account that corresponds and maps to the Active Directory domain user account that was used to log on to a Windows Server instance. + > When a user is running the PowerShell script command `Connect-AzAccount`, we highly recommend entering the Microsoft Entra user account that corresponds and maps to the Active Directory domain user account that was used to log on to a Windows Server instance. After the script runs successfully, go to **Storage** > **File Shares** and verify that **Active Directory: Configured** appears. |
sap | High Availability Guide Windows Netapp Files Smb | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-guide-windows-netapp-files-smb.md | Read the following SAP Notes and papers first: ## Overview SAP developed a new approach, and an alternative to cluster shared disks, for clustering an SAP ASCS/SCS instance on a Windows failover cluster. Instead of using cluster shared disks, one can use an SMB file share to deploy SAP global host files. Azure NetApp Files supports SMBv3 (along with NFS) with NTFS ACL using Active Directory. Azure NetApp Files is automatically highly available (as it is a PaaS service). These features make Azure NetApp Files great option for hosting the SMB file share for SAP global. -Both [Azure Active Directory (AD) Domain Services](../../active-directory-domain-services/overview.md) and [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) are supported. You can use existing Active Directory domain controllers with Azure NetApp Files. Domain controllers can be in Azure as virtual machines, or on premises via ExpressRoute or S2S VPN. In this article, we will use Domain controller in an Azure VM. +Both [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md) and [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) are supported. You can use existing Active Directory domain controllers with Azure NetApp Files. Domain controllers can be in Azure as virtual machines, or on premises via ExpressRoute or S2S VPN. In this article, we will use Domain controller in an Azure VM. High availability(HA) for SAP Netweaver central services requires shared storage. To achieve that on Windows, so far it was necessary to build either SOFS cluster or use cluster shared disk s/w like SIOS. 
Now it is possible to achieve SAP Netweaver HA by using shared storage, deployed on Azure NetApp Files. Using Azure NetApp Files for the shared storage eliminates the need for either SOFS or SIOS. > [!NOTE] |
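Review bot: the rewritten paragraph keeps "In this article, we will use Domain controller in an Azure VM." Since this line is already being edited for the Microsoft Entra Domain Services rename, "In this article, we use a domain controller in an Azure VM." would fix the missing article and match the present tense used in the preceding sentence ("Domain controllers can be in Azure as virtual machines").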
sap | Integration Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/integration-get-started.md | Also see the following SAP resources: ### Microsoft Entra ID (formerly Azure AD) -For more information about integration with Azure AD, see the following Azure documentation: +For more information about integration with Microsoft Entra ID, see the following Azure documentation: -- [Secure access with SAP Cloud Identity Services and Azure AD](../../active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md)+- [Secure access with SAP Cloud Identity Services and Microsoft Entra ID](../../active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md) - [SAP workload security - Microsoft Azure Well-Architected Framework](/azure/architecture/framework/sap/security) - [Provision users from SAP SuccessFactors to Active Directory](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)-- [Provision users from SAP SuccessFactors to Azure AD](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)-- [Write-back users from Azure AD to SAP SuccessFactors](../../active-directory/saas-apps/sap-successfactors-writeback-tutorial.md)+- [Provision users from SAP SuccessFactors to Microsoft Entra ID](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md) +- [Write-back users from Microsoft Entra ID to SAP SuccessFactors](../../active-directory/saas-apps/sap-successfactors-writeback-tutorial.md) - [Provision users to SAP Cloud Identity Services - Identity Authentication](../../active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) For how to configure single sign-on, see the following Azure documentation and tutorials: For how to configure single sign-on, see the following Azure documentation and t Also see the following SAP resources: - [Azure Application 
Gateway Setup for for Public and Internal SAP URLs](https://blogs.sap.com/2020/12/10/sap-on-azure-single-sign-on-configuration-using-saml-and-azure-active-directory-for-public-and-internal-urls/)-- [SAPGUI using Kerberos and Azure AD Domain Services](https://blogs.sap.com/2018/08/03/your-sap-on-azure-part-8-single-sign-on-using-azure-ad-domain-services/)+- [SAPGUI using Kerberos and Microsoft Entra Domain Services](https://blogs.sap.com/2018/08/03/your-sap-on-azure-part-8-single-sign-on-using-azure-ad-domain-services/) ### Azure Integration Services |
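Review bot: the unchanged bullet next to the edited SAPGUI link, "Azure Application Gateway Setup for for Public and Internal SAP URLs", has a doubled "for"; worth fixing while this list is being touched. The renamed SAPGUI bullet itself is consistent with the heading above the list, which already reads "Microsoft Entra ID (formerly Azure AD)".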
sap | Lama Installation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/lama-installation.md | The connector for Azure uses the Azure Resource Manager API to manage your Azure Follow these steps to create a service principal for the SAP LaMa connector for Azure: 1. Go to the [Azure portal](https://portal.azure.com).-1. Open the **Azure Active Directory** pane. +1. Open the **Microsoft Entra ID** pane. 1. Select **App registrations**. 1. Select **New registration**. 1. Enter a name, and then select **Register**. Open the SAP LaMa website and go to **Infrastructure**. On the **Cloud Managers* * **Monitoring Interval (Seconds)**: Enter an interval of at least 300. * **Use Managed Identity**: Select to enable SAP LaMa to use a system-assigned or user-assigned identity to authenticate against the Azure API. * **Subscription ID**: Enter the Azure subscription ID.-* **Azure Active Directory Tenant ID**: Enter the ID of the Active Directory tenant. +* **Microsoft Entra tenant ID**: Enter the ID of the Active Directory tenant. * **Proxy host**: Enter the host name of the proxy if SAP LaMa needs a proxy to connect to the internet. * **Proxy port**: Enter the TCP port of the proxy. * **Change Storage Type to save costs**: Enable this setting if the Azure adapter should change the storage type of the managed disks to save costs when the disks are not in use. |
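Review bot: the renamed field "**Microsoft Entra tenant ID**" keeps the description "Enter the ID of the Active Directory tenant", so the label and its description now disagree; suggest "Enter the ID of the Microsoft Entra tenant." Also, these bold names are the labels of fields on the SAP LaMa **Cloud Managers** configuration screen, which SAP ships, not Microsoft; confirm that the LaMa UI actually shows "Microsoft Entra tenant ID" before renaming the label in the docs, otherwise readers will look for a field that is not there.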
sap | Planning Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-guide.md | Your network design should address several requirements for SAP deployment: - Network routing restrictions are enforced by [network security groups (NSGs)](/azure/virtual-network/network-security-groups-overview) on the subnet level. Group IPs of VMs into [application security groups (ASGs)](/azure/virtual-network/application-security-groups) that are maintained in the NSG rules, and provide role, tier, and SID groupings of permissions. - SAP application and database VMs run in the same virtual network, within the same or different subnets of a single virtual network. Use different subnets for application and database VMs. Alternatively, use dedicated application and DBMS ASGs to group rules that are applicable to each workload type within the same subnet. - Accelerated networking is enabled on all network cards of all VMs for SAP workloads where technically possible.-- Ensure secure access for dependency on central services, including for name resolution (DNS), identity management (Windows Server Active Directory domains/Azure Active Directory), and administrative access.+- Ensure secure access for dependency on central services, including for name resolution (DNS), identity management (Windows Server Active Directory domains/Microsoft Entra ID), and administrative access. - Provide access to and by public endpoints, as needed. Examples include for Azure management for ClusterLabs Pacemaker operations in high availability or for Azure services like Azure Backup. - Use multiple NICs only if they're necessary to create designated subnets that have their own routes and NSG rules. 
Operating an SAP landscape in Azure requires connectivity to and from SAP for su - [Deploy an SAP workload on Azure](deployment-guide.md) - [Considerations for Azure Virtual Machines DBMS deployment for SAP workloads](dbms-guide-general.md) - [SAP workloads on Azure: Planning and deployment checklist](deployment-checklist.md)-- [Virtual machine scale sets for SAP workload](./virtual-machine-scale-set-sap-deployment-guide.md)+- [Virtual machine scale sets for SAP workload](./virtual-machine-scale-set-sap-deployment-guide.md) |
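Review bot: the removed and added lines for the scale sets link are identical ("- [Virtual machine scale sets for SAP workload](./virtual-machine-scale-set-sap-deployment-guide.md)"), so this hunk is most likely a trailing-newline or whitespace-only change rather than a content edit; confirm that is intended, or drop it so the commit stays limited to the Microsoft Entra rename.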
sap | Planning Supported Configurations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/planning-supported-configurations.md | Designing SAP NetWeaver, Business one, `Hybris` or S/4HANA systems architecture ## General platform restrictions Azure has various platforms besides so called native Azure VMs that are offered as first party service. [HANA Large Instances](../large-instances/hana-overview-architecture.md), which is in sunset mode is one of those platforms. [Azure VMware Services](https://azure.microsoft.com/products/azure-VMware/) is another of these first party services. Azure VMware Services in general isn't supported by SAP for hosting SAP workload. Refer to [SAP support note #2138865 - SAP Applications on VMware Cloud: Supported Products and VM configurations](https://launchpad.support.sap.com/#/notes/2138865) for more details of VMware support on different platforms. -Besides the on-premises Active Directory, Azure offers a managed Active Directory SaaS service with [Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md) (traditional AD managed by Microsoft), and [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). SAP components hosted on Windows OS are often relying on the usage of Windows Active Directory. In this case the traditional Active Directory as it's hosted on-premises by you, or Azure Active Directory Domain Services (still in testing). But these SAP components can't function with the native Azure Active Directory. Reason is that there are still larger gaps in functionality between Active Directory in its on-premises form or its SaaS form (Azure Active Directory Domain Services) and the native Azure Active Directory. This dependency is the reason why Azure Active Directory accounts aren't supported for applications based on SAP NetWeaver and S/4 HANA on Windows OS. 
Traditional Active Directory accounts need to be used in such scenarios. +Besides the on-premises Active Directory, Azure offers a managed Active Directory SaaS service with [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md) (traditional AD managed by Microsoft), and [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md). SAP components hosted on Windows OS are often relying on the usage of Windows Active Directory. In this case the traditional Active Directory as it's hosted on-premises by you, or Microsoft Entra Domain Services (still in testing). But these SAP components can't function with the native Microsoft Entra ID. Reason is that there are still larger gaps in functionality between Active Directory in its on-premises form or its SaaS form (Microsoft Entra Domain Services) and the native Microsoft Entra ID. This dependency is the reason why Microsoft Entra accounts aren't supported for applications based on SAP NetWeaver and S/4 HANA on Windows OS. Traditional Active Directory accounts need to be used in such scenarios. | AD service | Supported applications based on SAP NetWeaver and S/4 HANA on Windows OS | | | | | | On-premises Windows Active Directory | Supported | -| Azure Active Directory Domain Services | Supported| -| Azure Active Directory | Not supported | +| Microsoft Entra Domain Services | Supported| +| Microsoft Entra ID | Not supported | -The above doesn't affect the usage of Azure Active Directory accounts for single-sign-on (SSO) scenarios with SAP applications. +The above doesn't affect the usage of Microsoft Entra accounts for single-sign-on (SSO) scenarios with SAP applications. ## 2-Tier configuration An SAP 2-Tier configuration is considered to be built up out of a combined layer of the SAP DBMS and application layer that run on the same server or VM unit. The second tier is considered to be the user interface layer. 
For a 2-Tier configuration, the DBMS, and SAP application layer share the resources of the Azure VM. As a result, you need to configure the different components in a way that these components don't compete for resources. You also need to be careful to not oversubscribe the resources of the VM. Such a configuration doesn't provide any high availability, beyond the [Azure Service Level agreements](https://azure.microsoft.com/support/legal/sla/) of the different Azure components involved. |
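Review bot: the rewritten paragraph carries over two sentence fragments, "In this case the traditional Active Directory as it's hosted on-premises by you, or Microsoft Entra Domain Services (still in testing)." and "Reason is that there are still larger gaps ...". Since the whole paragraph is replaced in this hunk, suggest "In this case, they rely either on the traditional Active Directory that you host on-premises or on Microsoft Entra Domain Services (still in testing)." and "The reason is that ...". Also check "(still in testing)" next to Microsoft Entra Domain Services, because the table directly below lists it as "Supported".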
sap | Rise Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/rise-integration.md | SAP managed workload should run in the same [Azure region](https://azure.microso This diagram shows a typical SAP customer's hub and spoke virtual networks. Cross-tenant virtual network peering connects SAP RISE vnet to customer's hub vnet. :::image-end::: -Since SAP RISE/ECS runs in SAPΓÇÖs Azure tenant and subscriptions, set up the virtual network peering between [different tenants](../../virtual-network/create-peering-different-subscriptions.md). You accomplish this by setting up the peering with the SAP provided networkΓÇÖs Azure resource ID and have SAP approve the peering. Add a user from the opposite Azure AD tenant as a guest user, accept the guest user invitation and follow process documented at [Create a vnet peering - different subscriptions](../../virtual-network/create-peering-different-subscriptions.md). Contact your SAP representative for the exact steps required. Engage the respective team(s) within your organization that deal with network, user administration and architecture to enable this process to be completed swiftly. +Since SAP RISE/ECS runs in SAPΓÇÖs Azure tenant and subscriptions, set up the virtual network peering between [different tenants](../../virtual-network/create-peering-different-subscriptions.md). You accomplish this by setting up the peering with the SAP provided networkΓÇÖs Azure resource ID and have SAP approve the peering. Add a user from the opposite Microsoft Entra tenant as a guest user, accept the guest user invitation and follow process documented at [Create a vnet peering - different subscriptions](../../virtual-network/create-peering-different-subscriptions.md). Contact your SAP representative for the exact steps required. Engage the respective team(s) within your organization that deal with network, user administration and architecture to enable this process to be completed swiftly. 
### Connectivity during migration to ECS/RISE SAP RISE/ECS exposes the communication ports for these applications to use but h ### Single sign-on for SAP -Single sign-On (SSO) is configured for many SAP environments. With SAP workloads running in ECS/RISE, steps identical to a natively run SAP system can be followed. The integration steps with Azure Active Directory (Azure AD) based SSO are available for typical ECS/RISE managed workloads: -- [Tutorial: Azure Active Directory Single sign-on (SSO) integration with SAP NetWeaver](../../active-directory/saas-apps/sap-netweaver-tutorial.md)-- [Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Fiori](../../active-directory/saas-apps/sap-fiori-tutorial.md)-- [Tutorial: Azure Active Directory integration with SAP HANA](../../active-directory/saas-apps/saphana-tutorial.md)+Single sign-On (SSO) is configured for many SAP environments. With SAP workloads running in ECS/RISE, steps identical to a natively run SAP system can be followed. 
The integration steps with Microsoft Entra ID based SSO are available for typical ECS/RISE managed workloads: +- [Tutorial: Microsoft Entra Single sign-on (SSO) integration with SAP NetWeaver](../../active-directory/saas-apps/sap-netweaver-tutorial.md) +- [Tutorial: Microsoft Entra single sign-on (SSO) integration with SAP Fiori](../../active-directory/saas-apps/sap-fiori-tutorial.md) +- [Tutorial: Microsoft Entra integration with SAP HANA](../../active-directory/saas-apps/saphana-tutorial.md) | SSO method | Identity Provider | Typical use case | Implementation | | : | :-: | :- | : |-| SAML/OAuth | Azure AD | SAP Fiori, Web GUI, Portal, HANA | Customer configuration | -| SNC | Azure AD | SAP GUI | Customer configuration | +| SAML/OAuth | Microsoft Entra ID | SAP Fiori, Web GUI, Portal, HANA | Customer configuration | +| SNC | Microsoft Entra ID | SAP GUI | Customer configuration | | SPNEGO | Active Directory (AD) | Web GUI, Portal | Customer configuration | SSO against Active Directory (AD) of your Windows domain for ECS/RISE managed SAP environment, with SAP SSO Secure Login Client requires AD integration for end user devices. With SAP RISE, any Windows systems are not integrated with the customer's active directory domain. This isn't necessary for SSO with AD/Kerberos as the domain security token is read on the client device and exchanged securely with SAP system. Contact SAP if you require any changes to integrate AD based SSO or using third party products other than SAP SSO Secure Login Client, as some configuration on RISE managed systems might be required. The [SAP RISE certified](https://www.sap.com/dmc/exp/2013_09_adpd/enEN/#/solutio The solution allows you to gain visibility to user activities on SAP RISE/ECS and the SAP business logic layers and apply SentinelΓÇÖs built-in content. 
- Use a single console to monitor all your enterprise estate including SAP instances in SAP RISE/ECS on Azure and other clouds, SAP Azure native and on-premises estate - Detect and automatically respond to threats: detect suspicious activity including privilege escalation, unauthorized changes, sensitive transactions, data exfiltration and more with out-of-the-box detection capabilities-- Correlate SAP activity with other signals: more accurately detect SAP threats by cross-correlating across endpoints, Azure AD data and more+- Correlate SAP activity with other signals: more accurately detect SAP threats by cross-correlating across endpoints, Microsoft Entra data and more - Customize based on your needs - build your own detections to monitor sensitive transactions and other business risks - Visualize the data with built-in workbooks Note for running Microsoft Sentinel in an SAP RISE/ECS environment: - The following log fields/source require an SAP transport change request: Client IP address information from SAP security audit log, DB table logs (preview), spool output log. Sentinel's built-in content (detections, workbooks and playbooks) provides extensive coverage and correlation without those log sources. - SAP infrastructure and operating system logs aren't available to Sentinel in RISE, including VMs running SAP, SAPControl data sources, network resources placed within ECS. SAP monitors elements of the Azure infrastructure and operation system independently. -Use pre-built playbooks for security, orchestration, automation and response capabilities (SOAR) to react to threats quickly. A popular first scenario is SAP user blocking with intervention option from Microsoft Teams. The integration pattern can be applied to any incident type and target service spanning towards SAP Business Technology Platform (BTP) or Azure AD with regard to reducing the attack surface. 
+Use pre-built playbooks for security, orchestration, automation and response capabilities (SOAR) to react to threats quickly. A popular first scenario is SAP user blocking with intervention option from Microsoft Teams. The integration pattern can be applied to any incident type and target service spanning towards SAP Business Technology Platform (BTP) or Microsoft Entra ID with regard to reducing the attack surface. For more information on Microsoft Sentinel and SOAR for SAP, see the blog series [From zero to hero security coverage with Microsoft Sentinel for your critical SAP security signals](https://blogs.sap.com/2023/05/22/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your-critical-sap-security-signals-blog-series/). :::image type="complex" source="./media/sap-rise-integration/sap-rise-sentinel-adaptive-card.png" alt-text="Using Sentinel SOAR capability with SAP RISE/ECS":::- This image shows an SAP incident detected by Sentinel offering the option to block the suspicious user on the SAP ERP, SAP Business Technology Platform or Azure AD. + This image shows an SAP incident detected by Sentinel offering the option to block the suspicious user on the SAP ERP, SAP Business Technology Platform or Microsoft Entra ID. :::image-end::: For more information on Microsoft Sentinel and SAP, including a deployment guide, see [Sentinel product documentation](../../sentinel/sap/deployment-overview.md). |
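Review bot: the two added tutorial bullets capitalize the same phrase differently, "Microsoft Entra Single sign-on (SSO)" for the NetWeaver link and "Microsoft Entra single sign-on (SSO)" for the Fiori link; pick one form (lowercase "single sign-on" matches the rest of the section) so the list reads consistently.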
sap | Sap Ascs Ha Multi Sid Wsfc Azure Shared Disk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-ascs-ha-multi-sid-wsfc-azure-shared-disk.md | Title: SAP ASCS/SCS multi-SID HA with WSFC and Azure shared disk | Microsoft Docs -description: Multi-SID high availability for an SAP ASCS/SCS instance with WSFC and Azure shared disk +description: Learn about multi-SID high availability for an SAP ASCS/SCS instance with Windows Server Failover Clustering and an Azure shared disk. documentationcenter: saponazure Last updated 12/16/2022 -# SAP ASCS/SCS instance multi-SID high availability with Windows server failover clustering and Azure shared disk +# SAP ASCS/SCS instance multi-SID high availability with Windows Server Failover Clustering and Azure shared disk > ![Windows OS][Logo_Windows] Windows -This article focuses on how to move from a single ASCS/SCS installation to an SAP multi-SID configuration by installing additional SAP ASCS/SCS clustered instances into an existing Windows Server Failover Clustering (WSFC) cluster with Azure shared disk. When this process is completed, you have configured an SAP multi-SID cluster. +This article focuses on how to move from a single SAP ASCS/SCS installation to configuration of multiple SAP system IDs (SIDs) by installing additional SAP ASCS/SCS clustered instances into an existing Windows Server Failover Clustering (WSFC) cluster with an Azure shared disk. When you complete this process, you've configured an SAP multi-SID cluster. ## Prerequisites and limitations -Currently you can use Azure Premium SSD disks as an Azure shared disk for the SAP ASCS/SCS instance. The following limitations are currently in place: +You can use Azure Premium SSD disks as Azure shared disks for the SAP ASCS/SCS instance. 
The following limitations are currently in place: -- [Azure Ultra disk](../../virtual-machines/disks-types.md#ultra-disks) and [Standard SSD disks](../../virtual-machines/disks-types.md#standard-ssds) are not supported as Azure Shared Disk for SAP workloads.-- [Azure Shared disk](../../virtual-machines/disks-shared.md) with [Premium SSD disks](../../virtual-machines/disks-types.md#premium-ssds) is supported for SAP deployment in availability set and availability zones.-- Azure shared disk with Premium SSD disks comes with two storage SKUs.- - Locally redundant storage (LRS) for premium shared disk (skuName - Premium_LRS) is supported with deployment in availability set. - - Zone-redundant storage (ZRS) for premium shared disk (skuName - Premium_ZRS) is supported with deployment in availability zones. -- Azure shared disk value [maxShares](../../virtual-machines/disks-shared-enable.md?tabs=azure-cli#disk-sizes) determines how many cluster nodes can use the shared disk. Typically for SAP ASCS/SCS instance you will configure two nodes in Windows Failover Cluster, therefore the value for `maxShares` must be set to two.-- [Azure proximity placement group](../../virtual-machines/windows/proximity-placement-groups.md) is not required for Azure shared disk. But for SAP deployment with PPG, follow below guidelines:- - If you are using PPG for SAP system deployed in a region then all virtual machines sharing a disk must be part of the same PPG. - - If you are using PPG for SAP system deployed across zones like described in the document [Proximity placement groups with zonal deployments](proximity-placement-scenarios.md#proximity-placement-groups-with-zonal-deployments), you can attach Premium_ZRS storage to virtual machines sharing a disk. +- [Azure Ultra Disk Storage disks](../../virtual-machines/disks-types.md#ultra-disks) and [Azure Standard SSD disks](../../virtual-machines/disks-types.md#standard-ssds) are not supported as Azure shared disks for SAP workloads. 
+- [Azure shared disks](../../virtual-machines/disks-shared.md) with [Premium SSD disks](../../virtual-machines/disks-types.md#premium-ssds) are supported for SAP deployment in availability sets and availability zones. +- Azure shared disks with Premium SSD disks come with two storage options: + - Locally redundant storage (LRS) for Premium SSD shared disks (`skuName` value of `Premium_LRS`) is supported with deployment in availability sets. + - Zone-redundant storage (ZRS) for Premium SSD shared disks (`skuName` value of `Premium_ZRS`) is supported with deployment in availability zones. +- The Azure shared disk value [maxShares](../../virtual-machines/disks-shared-enable.md?tabs=azure-cli#disk-sizes) determines how many cluster nodes can use the shared disk. For an SAP ASCS/SCS instance, you typically configure two nodes in WSFC. You then set the value for `maxShares` to `2`. +- An [Azure proximity placement group (PPG)](../../virtual-machines/windows/proximity-placement-groups.md) is not required for Azure shared disks. But for SAP deployment with PPGs, follow these guidelines: + - If you're using PPGs for an SAP system deployed in a region, all virtual machines that share a disk must be part of the same PPG. + - If you're using PPGs for an SAP system deployed across zones, as described in [Proximity placement groups with zonal deployments](proximity-placement-scenarios.md#proximity-placement-groups-with-zonal-deployments), you can attach `Premium_ZRS` storage to virtual machines that share a disk. -For further details on limitations for Azure shared disk, please review carefully the [limitations](../../virtual-machines/disks-shared.md#limitations) section of Azure Shared Disk documentation. +For more information, review the [Limitations](../../virtual-machines/disks-shared.md#limitations) section of the documentation for Azure shared disks. 
-#### Important consideration for Premium shared disk +### Important considerations for Premium SSD shared disks -Following are some of the important points to consider with respect to Azure Premium shared disk: +Consider these important points about Azure Premium SSD shared disks: -- LRS for Premium shared disk- - SAP deployment with LRS for premium shared disk will be operating with a single Azure shared disk on one storage cluster. Your SAP ASCS/SCS instance would be impacted, in case of issues with the storage cluster, where the Azure shared disk is deployed. +- LRS for Premium SSD shared disks: + - SAP deployment with LRS for Premium SSD shared disks operates with a single Azure shared disk on one storage cluster. If there's a problem with the storage cluster where the Azure shared disk is deployed, it affects your SAP ASCS/SCS instance. -- ZRS for Premium shared disk- - Write latency for ZRS is higher than that of LRS due to cross-zonal copy of data. - - The distance between availability zones in different region varies and with that ZRS disk latency across availability zones as well. [Benchmark your disks](../../virtual-machines/disks-benchmarks.md) to identify the latency of ZRS disk in your region. - - ZRS for Premium shared disk synchronously replicates data across three availability zones in the region. In case of any issue in one of the storage clusters, your SAP ASCS/SCS will continue to run as storage failover is transparent to the application layer. - - Review the [limitations](../../virtual-machines/disks-redundancy.md#limitations) section of ZRS for managed disks for more details. +- ZRS for Premium SSD shared disks: + - Write latency for ZRS is higher than that of LRS because cross-zonal copying of data. + - The distance between availability zones in different regions varies, and so does ZRS disk latency across availability zones. 
[Benchmark your disks](../../virtual-machines/disks-benchmarks.md) to identify the latency of ZRS disks in your region. + - ZRS for Premium SSD shared disks synchronously replicates data across three availability zones in the region. If there's a problem in one of the storage clusters, your SAP ASCS/SCS instance continues to run because storage failover is transparent to the application layer. + - For more information, review the [Limitations](../../virtual-machines/disks-redundancy.md#limitations) section of the documentation about ZRS for managed disks. > [!IMPORTANT] > The setup must meet the following conditions:-> * Each database management system (DBMS) SID must have its own dedicated WSFC cluster. -> * SAP application servers that belong to one SAP system SID must have their own dedicated VMs. -> * A mix of Enqueue Replication Server 1 and Enqueue Replication Server 2 in the same cluster is not supported. -+> +> - The SID for each database management system (DBMS) must have its own dedicated WSFC cluster. +> - SAP application servers that belong to one SAP SID must have their own dedicated virtual machines (VMs). +> - A mix of Enqueue Replication Server 1 (ERS1) and Enqueue Replication Server 2 (ERS2) in the same cluster is not supported. ## Supported OS versions -Windows Servers 2016, 2019 and higher are supported (use the latest data center images). +Windows Server 2016, 2019, and later are supported. Use the latest datacenter images. ++We strongly recommend using at least Windows Server 2019 Datacenter, for these reasons: -We strongly recommend using at least **Windows Server 2019 Datacenter**, as: -- Windows 2019 Failover Cluster Service is Azure aware-- There is added integration and awareness of Azure Host Maintenance and improved experience by monitoring for Azure schedule events.-- It is possible to use Distributed network name(it is the default option). Therefore, there is no need to have a dedicated IP address for the cluster network name. 
Also, there is no need to configure this IP address on Azure Internal Load Balancer. +- WSFC in Windows Server 2019 is Azure aware. +- Windows Server 2019 Datacenter includes integration and awareness of Azure host maintenance and improved experience by monitoring for Azure scheduled events. +- You can use distributed network names. (It's the default option.) There's no need to have a dedicated IP address for the cluster network name. Also, you don't need to configure an IP address on an Azure internal load balancer. ## Architecture -Both Enqueue replication server 1 (ERS1) and Enqueue replication server 2 (ERS2) are supported in multi-SID configuration. A mix of ERS1 and ERS2 is not supported in the same cluster. +Both ERS1 and ERS2 are supported in a multi-SID configuration. A mix of ERS1 and ERS2 is not supported in the same cluster. ++The following example shows two SAP SIDs. Both have an ERS1 architecture where: ++- SAP SID1 is deployed on a shared disk with ERS1. The ERS instance is installed on a local host and on a local drive. ++ SAP SID1 has its own virtual IP address (SID1 (A)SCS IP1), which is configured on the Azure internal load balancer. -1. The first example shows two SAP SIDs, both with ERS1 architecture where: +- SAP SID2 is deployed on a shared disk with ERS1. The ERS instance is installed on a local host and on a local drive. - - SAP SID1 is deployed on shared disk, with ERS1. The ERS instance is installed on local host and on local drive. - SAP SID1 has its own (virtual) IP address (SID1 (A)SCS IP1), which is configured on the Azure Internal Load balancer. + SAP SID2 has own virtual IP address (SID2 (A)SCS IP2), which is configured on the Azure internal load balancer. - - SAP SID2 is deployed on shared disk, with ERS1. The ERS instance is installed on local host and on local drive. - SAP SID2 has own (virtual) IP address (SID2 (A)SCS IP2), which is configured also on the Azure Internal Load balancer. 
+![Diagram of two high-availability SAP ASCS/SCS instances with an ERS1 configuration.][sap-ha-guide-figure-6007] -![High-availability SAP ASCS/SCS instance - two instances with ERS1 configuration][sap-ha-guide-figure-6007] +The next example also shows two SAP SIDs. Both have an ERS2 architecture where: -2. The second example shows two SAP SIDs, both with ERS2 architecture where: +- SAP SID1 is deployed on a shard disk with ERS2, which is clustered and is deployed on a local drive. - - SAP SID1 with ERS2, is which also clustered and is deployed on local drive. - SAP SID1 has own (virtual) IP address (SID1 (A)SCS IP1), which is configured on the Azure Internal Load balancer. - SAP ERS2, used by SAP SID1 system has its own (virtual) IP address (SID1 ERS2 IP2), which is configured on the Azure Internal Load balancer. + SAP SID1 has its own virtual IP address (SID1 (A)SCS IP1), which is configured on the Azure internal load balancer. - - SAP SID2 with ERS2, is which also clustered and is deployed on local drive. - SAP SID2 has own (virtual) IP address (SID2 (A)SCS IP3), which is configured on the Azure Internal Load balancer. - SAP ERS2, used by SAP SID2 system has its own (virtual) IP address (SID2 ERS2 IP4), which is configured on the Azure Internal Load balancer. + SAP ERS2 has its own virtual IP address (SID1 ERS2 IP2), which is configured on the Azure internal load balancer. - Here we have a total of four virtual IP addresses: - - SID1 (A)SCS IP1 - - SID2 ERS2 IP2 - - SID2 (A)SCS IP3 - - SID2 ERS2 IP4 +- SAP SID2 is deployed on a shard disk with ERS2, which is clustered and is deployed on a local drive. -![High-availability SAP ASCS/SCS instance - two instances with ERS1 and ERS2 configuration][sap-ha-guide-figure-6008] + SAP SID2 has own virtual IP address (SID2 (A)SCS IP3), which is configured on the Azure internal load balancer. ++ SAP ERS2 has its own virtual IP address (SID2 ERS2 IP4), which is configured on the Azure internal load balancer. 
++- There's a total of four virtual IP addresses: ++ - SID1 (A)SCS IP1 + - SID2 ERS2 IP2 + - SID2 (A)SCS IP3 + - SID2 ERS2 IP4 ++![Diagram of two high-availability SAP ASCS/SCS instances with an ERS1 and ERS2 configuration.][sap-ha-guide-figure-6008] ## Infrastructure preparation -We'll install a new SAP SID **PR2**, in addition to the **existing clustered** SAP **PR1** ASCS/SCS instance. +You'll install a new SAP SID PR2 instance, in addition to the existing clustered SAP PR1 ASCS/SCS instance. ### Host names and IP addresses -Based on your deployment type, the host names and the IP addresses of the scenario would be like: +Based on your deployment type, the host names and the IP addresses of the scenario should be like the following examples. -**SAP deployment in Azure availability set** +Here are the details for an SAP deployment in an Azure availability set: -| Host name role | Host name | Static IP address | Availability set | Disk SkuName | +| Host name role | Host name | Static IP address | Availability set | Disk `SkuName` value | | -- | -- | - | - | |-| 1st cluster node ASCS/SCS cluster | pr1-ascs-10 | 10.0.0.4 | pr1-ascs-avset | Premium_LRS | -| 2nd cluster node ASCS/SCS cluster | pr1-ascs-11 | 10.0.0.5 | pr1-ascs-avset | | -| Cluster Network Name | pr1clust | 10.0.0.42(**only** for Win 2016 cluster) | n/a | | -| **SID1** ASCS cluster network name | pr1-ascscl | 10.0.0.43 | n/a | | -| **SID1** ERS cluster network name (**only** for ERS2) | pr1-erscl | 10.0.0.44 | n/a | | -| **SID2** ASCS cluster network name | pr2-ascscl | 10.0.0.45 | n/a | | -| **SID2** ERS cluster network name (**only** for ERS2) | pr1-erscl | 10.0.0.46 | n/a | | +| First cluster node ASCS/SCS cluster | pr1-ascs-10 | 10.0.0.4 | pr1-ascs-avset | `Premium_LRS` | +| Second cluster node ASCS/SCS cluster | pr1-ascs-11 | 10.0.0.5 | pr1-ascs-avset | | +| Cluster network name | pr1clust | 10.0.0.42 (only for a Windows Server 2016 cluster) | Not applicable | | +| SID1 ASCS cluster network name | 
pr1-ascscl | 10.0.0.43 | Not applicable | | +| SID1 ERS cluster network name (only for ERS2) | pr1-erscl | 10.0.0.44 | Not applicable | | +| SID2 ASCS cluster network name | pr2-ascscl | 10.0.0.45 | Not applicable | | +| SID2 ERS cluster network name (only for ERS2) | pr1-erscl | 10.0.0.46 | Not applicable | | -**SAP deployment in Azure availability zones** +Here are the details for an SAP deployment in Azure availability zones: -| Host name role | Host name | Static IP address | Availability zone | Disk SkuName | +| Host name role | Host name | Static IP address | Availability zone | Disk `SkuName` value | | -- | -- | - | -- | |-| 1st cluster node ASCS/SCS cluster | pr1-ascs-10 | 10.0.0.4 | AZ01 | Premium_ZRS | -| 2nd cluster node ASCS/SCS cluster | pr1-ascs-11 | 10.0.0.5 | AZ02 | | -| Cluster Network Name | pr1clust | 10.0.0.42(**only** for Win 2016 cluster) | n/a | | -| **SID1** ASCS cluster network name | pr1-ascscl | 10.0.0.43 | n/a | | -| **SID2** ERS cluster network name (**only** for ERS2) | pr1-erscl | 10.0.0.44 | n/a | | -| **SID2** ASCS cluster network name | pr2-ascscl | 10.0.0.45 | n/a | | -| **SID2** ERS cluster network name (**only** for ERS2) | pr1-erscl | 10.0.0.46 | n/a | | --The steps mentioned in the document remain same for both deployment type. But if your cluster is running in availability set, you need to deploy LRS for Azure premium shared disk (Premium_LRS) and if cluster is running in availability zone deploy ZRS for Azure premium shared disk (Premium_ZRS). --### Create Azure internal load balancer --SAP ASCS, SAP SCS, and the new SAP ERS2, use virtual hostname and virtual IP addresses. On Azure a [load balancer](../../load-balancer/load-balancer-overview.md) is required to use a virtual IP address. -We strongly recommend using [Standard load balancer](../../load-balancer/quickstart-load-balancer-standard-public-portal.md). 
--You will need to add configuration to the existing load balancer for the second SAP SID ASCS/SCS/ERS instance **PR2**. The configuration for the first SAP SID **PR1** should be already in place. --**(A)SCS PR2 [instance number 02]** -- Frontend configuration- - Static ASCS/SCS IP address **10.0.0.45** -- Backend configuration - Already be in place - the VMs were already added to the backend pool, while configuring for SAP SID **PR1** -- Probe Port- - Port 620**nr** [**62002**] - Leave the default option for Protocol (TCP), Interval (5), Unhealthy threshold (2) -- Load-balancing rules- - If using Standard Load Balancer, select HA ports - - If using Basic Load Balancer, create Load-balancing rules for the following ports - - 32**nr** TCP [**3202**] - - 36**nr** TCP [**3602**] - - 39**nr** TCP [**3902**] - - 81**nr** TCP [**8102**] - - 5**nr**13 TCP [**50213**] - - 5**nr**14 TCP [**50214**] - - 5**nr**16 TCP [**50216**] - - Associate with the **PR2** ASCS Frontend IP, health probe, and the existing backend pool. -- - Make sure that Idle timeout (minutes) is set to the maximum value 30, and that Floating IP (direct server return) is Enabled. --**ERS2 PR2 [instance number 12]** --As Enqueue Replication Server 2 (ERS2) is also clustered, ERS2 virtual IP address must be also configured on Azure ILB in addition to above SAP ASCS/SCS IP. This section only applies, if using Enqueue replication server 2 architecture for **PR2**. -- New Frontend configuration- - Static SAP ERS2 IP address **10.0.0.46** --- Backend configuration - The VMs were already added to the ILB backend pool. 
--- New Probe Port- - Port 621**nr** [**62112**] - Leave the default option for Protocol (TCP), Interval (5), Unhealthy threshold (2) --- New Load-balancing rules- - If using Standard Load Balancer, select HA ports - - If using Basic Load Balancer, create Load-balancing rules for the following ports - - 32**nr** TCP [**3212**] - - 33**nr** TCP [**3312**] - - 5**nr**13 TCP [**51212**] - - 5**nr**14 TCP [**51212**] - - 5**nr**16 TCP [**51212**] - - Associate with the **PR2** ERS2 Frontend IP, health probe and the existing backend pool. -- - Make sure that Idle timeout (minutes) is set to max value, e.g., 30, and that Floating IP (direct server return) is Enabled. ---### Create and attach second Azure shared disk --Run this command on one of the cluster nodes. You will need to adjust the values for your resource group, Azure region, SAPSID, and so on. +| First cluster node ASCS/SCS cluster | pr1-ascs-10 | 10.0.0.4 | AZ01 | `Premium_ZRS` | +| Second cluster node ASCS/SCS cluster | pr1-ascs-11 | 10.0.0.5 | AZ02 | | +| Cluster network name | pr1clust | 10.0.0.42 (only for a Windows Server 2016 cluster) | Not applicable | | +| SID1 ASCS cluster network name | pr1-ascscl | 10.0.0.43 | Not applicable | | +| SID2 ERS cluster network name (only for ERS2) | pr1-erscl | 10.0.0.44 | Not applicable | | +| SID2 ASCS cluster network name | pr2-ascscl | 10.0.0.45 | Not applicable | | +| SID2 ERS cluster network name (only for ERS2) | pr1-erscl | 10.0.0.46 | Not applicable | | ++The steps in this article remain the same for both deployment types. But if your cluster is running in an availability set, you need to deploy LRS for Azure Premium SSD shared disks (`Premium_LRS`). If your cluster is running in an availability zone, you need to deploy ZRS for Azure Premium SSD shared disks (`Premium_ZRS`). ++### Create an Azure internal load balancer ++SAP ASCS, SAP SCS, and SAP ERS2 use virtual host names and virtual IP addresses. 
On Azure, a [load balancer](../../load-balancer/load-balancer-overview.md) is required to use a virtual IP address. +We strongly recommend using a [standard load balancer](../../load-balancer/quickstart-load-balancer-standard-public-portal.md). ++You need to add configuration to the existing load balancer for the second SAP SID instance, PR2, for ASCS, SCS, or ERS. The configuration for the first SAP SID, PR1, should be already in place. ++#### (A)SCS PR2 [instance number 02] ++- Front-end configuration: + - Static ASCS/SCS IP address 10.0.0.45. +- Back-end configuration: + - Already in place. The VMs were added to the back-end pool during configuration of SAP SID PR1. +- Probe port: + - Port 620*nr* [62002]. Leave the default options for protocol (TCP), interval (5), and unhealthy threshold (2). +- Load-balancing rules: + - If you're using a standard load balancer, select high-availability (HA) ports. + - If you're using a basic load balancer, create load-balancing rules for the following ports: + - 32*nr* TCP [3202] + - 36*nr* TCP [3602] + - 39*nr* TCP [3902] + - 81*nr* TCP [8102] + - 5*nr*13 TCP [50213] + - 5*nr*14 TCP [50214] + - 5*nr*16 TCP [50216] ++ - Associate load-balancing rules with the PR2 ASCS front-end IP address, the health probe, and the existing back-end pool. ++ - Make sure that idle timeout is set to the maximum value of 30 minutes, and that floating IP (direct server return) is enabled. ++#### ERS2 PR2 [instance number 12] ++Because ERS2 is clustered, you must configure the ERS2 virtual IP address on an Azure internal load balancer in addition to the preceding SAP ASCS/SCS IP address. This section applies only if you're using the ERS2 architecture for PR2. ++- New front-end configuration: + - Static SAP ERS2 IP address 10.0.0.46. ++- Back-end configuration: + - The VMs were already added to the internal load balancer's back-end pool. ++- New probe port: + - Port 621*nr* [62112]. 
Leave the default options for protocol (TCP), interval (5), and unhealthy threshold (2). ++- New load-balancing rules: + - If you're using a standard load balancer, select HA ports. + - If you're using a basic load balancer, create load-balancing rules for the following ports: + - 32*nr* TCP [3212] + - 33*nr* TCP [3312] + - 5*nr*13 TCP [51212] + - 5*nr*14 TCP [51212] + - 5*nr*16 TCP [51212] + + - Associate load-balancing rules with the PR2 ERS2 front-end IP address, the health probe, and the existing back-end pool. ++ - Make sure that idle timeout is set to the maximum value of 30 minutes, and that floating IP (direct server return) is enabled. ++### Create and attach a second Azure shared disk ++Run this command on one of the cluster nodes. Adjust the values for details like your resource group, Azure region, and SAP SID. ```powershell $ResourceGroupName = "MyResourceGroup" $DiskSizeInGB = 512 $DiskName = "$($SAPSID)ASCSSharedDisk" $NumberOfWindowsClusterNodes = 2 -# For SAP deployment in availability set, use below storage SkuName +# For SAP deployment in an availability set, use this storage SkuName value $SkuName = "Premium_LRS"-# For SAP deployment in availability zone, use below storage SkuName +# For SAP deployment in an availability zone, use this storage SkuName value $SkuName = "Premium_ZRS" $diskConfig = New-AzDiskConfig -Location $location -SkuName $SkuName -CreateOption Empty -DiskSizeGB $DiskSizeInGB -MaxSharesCount $NumberOfWindowsClusterNodes $dataDisk = New-AzDisk -ResourceGroupName $ResourceGroupName -DiskName $DiskName ################################## ## Attach the disk to cluster VMs ##################################-# ASCS Cluster VM1 +# ASCS cluster VM1 $ASCSClusterVM1 = "pr1-ascs-10"-# ASCS Cluster VM2 +# ASCS cluster VM2 $ASCSClusterVM2 = "pr1-ascs-11"-# next free LUN number +# Next free LUN $LUNNumber = 1 -# Add the Azure Shared Disk to Cluster Node 1 +# Add the Azure shared disk to Cluster Node 1 $vm = Get-AzVM -ResourceGroupName 
$ResourceGroupName -Name $ASCSClusterVM1 $vm = Add-AzVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $dataDisk.Id -Lun $LUNNumber Update-AzVm -VM $vm -ResourceGroupName $ResourceGroupName -Verbose -# Add the Azure Shared Disk to Cluster Node 2 +# Add the Azure shared disk to Cluster Node 2 $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $ASCSClusterVM2 $vm = Add-AzVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $dataDisk.Id -Lun $LUNNumber Update-AzVm -VM $vm -ResourceGroupName $ResourceGroupName -Verbose ``` -### Format the shared disk with PowerShell -1. Get the disk number. Run the PowerShell commands on one of the cluster nodes: +### Format the shared disk by using PowerShell ++1. Get the disk number. Run these PowerShell commands on one of the cluster nodes: ```powershell Get-Disk | Where-Object PartitionStyle -Eq "RAW" | Format-Table -AutoSize Update-AzVm -VM $vm -ResourceGroupName $ResourceGroupName -Verbose # 3 Msft Virtual Disk Healthy Online 512 GB RAW ```-2. Format the disk. In this example, it is disk number 3. ++2. Format the disk. In this example, it's disk number 3: ```powershell- # Format SAP ASCS Disk number '3', with drive letter 'S' + # Format SAP ASCS disk number 3, with drive letter S $SAPSID = "PR2" $DiskNumber = 3 $DriveLetter = "S" Update-AzVm -VM $vm -ResourceGroupName $ResourceGroupName -Verbose # S PR2SAP ReFS Fixed Healthy OK 504.98 GB 511.81 GB ``` -3. Verify that the disk is now visible as a cluster disk. +3. Verify that the disk is now visible as a cluster disk: + ```powershell # List all disks Get-ClusterAvailableDisk -All Update-AzVm -VM $vm -ResourceGroupName $ResourceGroupName -Verbose # Partitions : {\\?\GLOBALROOT\Device\Harddisk3\Partition2\} ``` -4. Register the disk in the cluster. +4. 
Register the disk in the cluster: + ```powershell- # Add the disk to cluster + # Add the disk to the cluster Get-ClusterAvailableDisk -All | Add-ClusterDisk # Example output # Name State OwnerGroup ResourceType Update-AzVm -VM $vm -ResourceGroupName $ResourceGroupName -Verbose ## Create a virtual host name for the clustered SAP ASCS/SCS instance 1. Create a DNS entry for the virtual host name for new the SAP ASCS/SCS instance in the Windows DNS manager. - The IP address you assign to the virtual host name in DNS must be the same as the IP address you assigned in Azure Load Balancer. - ![_Define the DNS entry for the SAP ASCS/SCS cluster virtual name and IP address][sap-ha-guide-figure-6009] - - _Define the DNS entry for the SAP ASCS/SCS cluster virtual name and IP address_ + The IP address that you assign to the virtual host name in DNS must be the same as the IP address that you assigned in Azure Load Balancer. -2. If using SAP Enqueue Replication Server 2, which is also clustered instance, then you need to reserve in DNS a virtual host name for ERS2 as well. - The IP address you assign to the virtual host name for ERS2 in DNS must be the same as the IP address you assigned in Azure Load Balancer. + ![Screenshot that shows options for defining a DNS entry for the SAP ASCS/SCS cluster virtual name and IP address.][sap-ha-guide-figure-6009] - ![_Define the DNS entry for the SAP ERS2 cluster virtual name and IP address][sap-ha-guide-figure-6010] - - _Define the DNS entry for the SAP ERS2 cluster virtual name and IP address_ +2. If you're using a clustered instance of SAP ERS2, you need to reserve in DNS a virtual host name for ERS2. -3. To define the IP address that's assigned to the virtual host name, select **DNS Manager** > **Domain**. + The IP address that you assign to the virtual host name for ERS2 in DNS must be the same as the IP address that you assigned in Azure Load Balancer. 
- ![New virtual name and IP address for SAP ASCS/SCS and ERS2 cluster configuration][sap-ha-guide-figure-6011] + ![Screenshot that shows options for defining a DNS entry for the SAP ERS2 cluster virtual name and IP address.][sap-ha-guide-figure-6010] ++3. To define the IP address that's assigned to the virtual host name, select **DNS Manager** > **Domain**. - _New virtual name and TCP/IP address for SAP ASCS/SCS and ERS2 cluster configuration_ + ![Screenshot that shows a new virtual name and IP address for SAP ASCS/SCS and ERS2 cluster configuration.][sap-ha-guide-figure-6011] -## SAP Installation +## SAP installation ### Install the SAP first cluster node -Follow the SAP described installation procedure. Make sure in the start installation option "First Cluster Node", and to choose "Cluster Shared Disk" as configuration option. -Choose the newly create shared disk. +Follow the SAP-described installation procedure. Be sure to select **First Cluster Node** as the option for starting installation. Select **Cluster Shared Disk** as the configuration option. Choose the newly created shared disk. ### Modify the SAP profile of the ASCS/SCS instance -If you are running Enqueue Replication Server 1, add SAP profile parameter `enque/encni/set_so_keepalive` as described below. The profile parameter prevents connections between SAP work processes and the enqueue server from closing when they are idle for too long. The SAP parameter is not required for ERS2. +If you're running ERS1, add the SAP profile parameter `enque/encni/set_so_keepalive`. The profile parameter prevents connections between SAP work processes and the enqueue server from closing when they're idle for too long. The SAP parameter is not required for ERS2. -1. Add this profile parameter to the SAP ASCS/SCS instance profile, if using ERS1. +1. 
Add this profile parameter to the SAP ASCS/SCS instance profile, if you're using ERS1: - ``` + ```powershell enque/encni/set_so_keepalive = true ```- - For both ERS1 and ERS2, make sure that the `keepalive` OS parameters are set as described in SAP note [1410736](https://launchpad.support.sap.com/#/notes/1410736). -2. To apply the SAP profile parameter changes, restart the SAP ASCS/SCS instance. + For both ERS1 and ERS2, make sure that the `keepalive` OS parameters are set as described in SAP note [1410736](https://launchpad.support.sap.com/#/notes/1410736). ++2. To apply the changes to the SAP profile parameter, restart the SAP ASCS/SCS instance. -### Configure probe port on the cluster resource +### Configure a probe port on the cluster resource Use the internal load balancer's probe functionality to make the entire cluster configuration work with Azure Load Balancer. The Azure internal load balancer usually distributes the incoming workload equally between participating virtual machines. -However, this won't work in some cluster configurations because only one instance is active. The other instance is passive and can't accept any of the workload. A probe functionality helps when the Azure internal load balancer detects which instance is active, and only target the active instance. +However, this approach won't work in some cluster configurations because only one instance is active. The other instance is passive and can't accept any of the workload. A probe functionality helps when the Azure internal load balancer detects which instance is active and targets only the active instance. > [!IMPORTANT]-> In this example configuration, the **ProbePort** is set to 620**Nr**. For SAP ASCS instance with number **02** it is 620**02**. -> You will need to adjust the configuration to match your SAP instance numbers and your SAP SID. +> In this example configuration, the probe port is set to 620*nr*. For SAP ASCS with instance number 02, it's 62002. 
+> +> You need to adjust the configuration to match your SAP instance numbers and your SAP SID. -To add a probe port, run this PowerShell Module on one of the cluster VMs: +To add a probe port, run this PowerShell module on one of the cluster VMs: ++- If you're using SAP ASC/SCS with instance number 02: -- In the case of SAP ASC/SCS Instance with instance number **02** ```powershell Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID PR2 -ProbePort 62002 ``` -- If using ERS2, with instance number **12**, which is clustered. There is no need to configure probe port for ERS1, as it is not clustered. +- If you're using ERS2 with instance number 12, configure a probe port. There's no need to configure a probe port for ERS1. ERS2 with instance number 12 is clustered, whereas ERS1 isn't clustered. + ```powershell Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID PR2 -ProbePort 62012 -IsSAPERSClusteredInstance $True ``` - The code for function `Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource` would look like: - ```powershell - function Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource { - <# - .SYNOPSIS - Set-AzureLoadBalancerHealthProbePortOnSAPClusterIPResource will set a new Azure Load Balancer Health Probe Port on 'SAP $SAPSID IP' cluster resource. +The code for the function `Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource` looks like this example: ++```powershell + function Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource { + <# + .SYNOPSIS + Set-AzureLoadBalancerHealthProbePortOnSAPClusterIPResource will set a new Azure Load Balancer health probe port on the SAP $SAPSID IP cluster resource. - .DESCRIPTION - Set-AzureLoadBalancerHealthProbePortOnSAPClusterIPResource will set a new Azure Load Balancer Health Probe Port on 'SAP $SAPSID IP' cluster resource. - It will also restart SAP Cluster group (default behavior), to activate the changes. 
+ .DESCRIPTION + Set-AzureLoadBalancerHealthProbePortOnSAPClusterIPResource will set a new Azure Load Balancer health probe port on the SAP $SAPSID IP cluster resource. + It will also restart the SAP cluster group (default behavior), to activate the changes. - You need to run it on one of the SAP ASCS/SCS Windows cluster nodes. + You need to run it on one of the SAP ASCS/SCS Windows cluster nodes. - Expectation is that SAP group is installed with official SWPM installation tool, which will set default expected naming convention for: - - SAP Cluster Group: 'SAP $SAPSID' - - SAP Cluster IP Address Resource: 'SAP $SAPSID IP' + The expectation is that the SAP group is installed with the official SWPM installation tool, which will set the default expected naming convention for: + - SAP cluster group: SAP $SAPSID + - SAP cluster IP address resource: SAP $SAPSID IP - .PARAMETER SAPSID - SAP SID - 3 characters staring with letter. + .PARAMETER SAPSID + SAP SID - three characters, starting with a letter. - .PARAMETER ProbePort - Azure Load Balancer Health Check Probe Port. + .PARAMETER ProbePort + Azure Load Balancer health check probe port. - .PARAMETER RestartSAPClusterGroup - Optional parameter. Default value is '$True', so SAP cluster group will be restarted to activate the changes. + .PARAMETER RestartSAPClusterGroup + Optional parameter. Default value is $True, so the SAP cluster group will be restarted to activate the changes. - .PARAMETER IsSAPERSClusteredInstance - Optional parameter.Default value is '$False'. - If set to $True , then handle clsutered new SAP ERS2 instance. + .PARAMETER IsSAPERSClusteredInstance + Optional parameter. Default value is $False. + If it's set to $True, then handle the clustered new SAP ERS2 instance. - .EXAMPLE - # Set probe port to 62000, on SAP cluster resource 'SAP AB1 IP', and restart the SAP cluster group 'SAP AB1', to activate the changes. 
- Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID AB1 -ProbePort 62000 + .EXAMPLE + # Set the probe port to 62000 on SAP cluster resource SAP AB1 IP, and restart the SAP cluster group SAP AB1 to activate the changes. + Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID AB1 -ProbePort 62000 - .EXAMPLE - # Set probe port to 62000, on SAP cluster resource 'SAP AB1 IP'. SAP cluster group 'SAP AB1' IS NOT restarted, therefore changes are NOT active. - # To activate the changes you need to manually restart 'SAP AB1' cluster group. - Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID AB1 -ProbePort 62000 -RestartSAPClusterGroup $False + .EXAMPLE + # Set the probe port to 62000 on SAP cluster resource SAP AB1 IP. SAP cluster group SAP AB1 is not restarted, so the changes are not active. + # To activate the changes, you need to manually restart the SAP AB1 cluster group. + Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID AB1 -ProbePort 62000 -RestartSAPClusterGroup $False - .EXAMPLE - # Set probe port to 62001, on SAP cluster resource 'SAP AB1 ERS IP'. SAP cluster group 'SAP AB1 ERS' IS restarted, to activate the changes. - Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID AB1 -ProbePort 62000 -IsSAPERSClusteredInstance $True + .EXAMPLE + # Set the probe port to 62001 on SAP cluster resource SAP AB1 ERS IP. SAP cluster group SAP AB1 ERS is restarted to activate the changes. 
+ Set-AzureLoadBalancerHealthCheckProbePortOnSAPClusterIPResource -SAPSID AB1 -ProbePort 62000 -IsSAPERSClusteredInstance $True - #> + #> - [CmdletBinding()] - param( + [CmdletBinding()] + param( - [Parameter(Mandatory=$True)] - [ValidateNotNullOrEmpty()] - [ValidateLength(3,3)] - [string]$SAPSID, -- [Parameter(Mandatory=$True)] - [ValidateNotNullOrEmpty()] - [int] $ProbePort, + [Parameter(Mandatory=$True)] + [ValidateNotNullOrEmpty()] + [ValidateLength(3,3)] + [string]$SAPSID, ++ [Parameter(Mandatory=$True)] + [ValidateNotNullOrEmpty()] + [int] $ProbePort, - [Parameter(Mandatory=$False)] - [bool] $RestartSAPClusterGroup = $True, + [Parameter(Mandatory=$False)] + [bool] $RestartSAPClusterGroup = $True, - [Parameter(Mandatory=$False)] - [bool] $IsSAPERSClusteredInstance = $False + [Parameter(Mandatory=$False)] + [bool] $IsSAPERSClusteredInstance = $False + + ) + + BEGIN{} - ) - - BEGIN{} - - PROCESS{ - try{ + PROCESS{ + try{ - if($IsSAPERSClusteredInstance){ - #Handle clustered SAP ERS Instance - $SAPClusterRoleName = "SAP $SAPSID ERS" - $SAPIPresourceName = "SAP $SAPSID ERS IP" - }else{ - #Handle clustered SAP ASCS/SCS Instance - $SAPClusterRoleName = "SAP $SAPSID" - $SAPIPresourceName = "SAP $SAPSID IP" - } -- $SAPIPResourceClusterParameters = Get-ClusterResource $SAPIPresourceName | Get-ClusterParameter - $IPAddress = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "Address" }).Value - $NetworkName = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "Network" }).Value - $SubnetMask = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "SubnetMask" }).Value - $OverrideAddressMatch = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "OverrideAddressMatch" }).Value - $EnableDhcp = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "EnableDhcp" }).Value - $OldProbePort = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "ProbePort" }).Value - - $var = Get-ClusterResource | Where-Object { $_.name -eq 
$SAPIPresourceName } + if($IsSAPERSClusteredInstance){ + #Handle clustered SAP ERS instance + $SAPClusterRoleName = "SAP $SAPSID ERS" + $SAPIPresourceName = "SAP $SAPSID ERS IP" + }else{ + #Handle clustered SAP ASCS/SCS instance + $SAPClusterRoleName = "SAP $SAPSID" + $SAPIPresourceName = "SAP $SAPSID IP" + } ++ $SAPIPResourceClusterParameters = Get-ClusterResource $SAPIPresourceName | Get-ClusterParameter + $IPAddress = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "Address" }).Value + $NetworkName = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "Network" }).Value + $SubnetMask = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "SubnetMask" }).Value + $OverrideAddressMatch = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "OverrideAddressMatch" }).Value + $EnableDhcp = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "EnableDhcp" }).Value + $OldProbePort = ($SAPIPResourceClusterParameters | Where-Object {$_.Name -eq "ProbePort" }).Value - #Write-Host "Current configuration parameters for SAP IP cluster resource '$SAPIPresourceName' are:" -ForegroundColor Cyan - Write-Output "Current configuration parameters for SAP IP cluster resource '$SAPIPresourceName' are:" + $var = Get-ClusterResource | Where-Object { $_.name -eq $SAPIPresourceName } - Get-ClusterResource -Name $SAPIPresourceName | Get-ClusterParameter - - Write-Output " " - Write-Output "Current probe port property of the SAP cluster resource '$SAPIPresourceName' is '$OldProbePort'." - Write-Output " " - Write-Output "Setting the new probe port property of the SAP cluster resource '$SAPIPresourceName' to '$ProbePort' ..." 
- Write-Output " " + #Write-Host "Current configuration parameters for SAP IP cluster resource '$SAPIPresourceName' are:" -ForegroundColor Cyan + Write-Output "Current configuration parameters for SAP IP cluster resource '$SAPIPresourceName' are:" + + Get-ClusterResource -Name $SAPIPresourceName | Get-ClusterParameter - $var | Set-ClusterParameter -Multiple @{"Address"=$IPAddress;"ProbePort"=$ProbePort;"Subnetmask"=$SubnetMask;"Network"=$NetworkName;"OverrideAddressMatch"=$OverrideAddressMatch;"EnableDhcp"=$EnableDhcp} + Write-Output " " + Write-Output "Current probe port property of the SAP cluster resource '$SAPIPresourceName' is '$OldProbePort'." + Write-Output " " + Write-Output "Setting the new probe port property of the SAP cluster resource '$SAPIPresourceName' to '$ProbePort' ..." + Write-Output " " - Write-Output " " + $var | Set-ClusterParameter -Multiple @{"Address"=$IPAddress;"ProbePort"=$ProbePort;"Subnetmask"=$SubnetMask;"Network"=$NetworkName;"OverrideAddressMatch"=$OverrideAddressMatch;"EnableDhcp"=$EnableDhcp} - #$ActivateChanges = Read-Host "Do you want to take restart SAP cluster role '$SAPClusterRoleName', to activate the changes (yes/no)?" + Write-Output " " - if($RestartSAPClusterGroup){ - Write-Output "" - Write-Output "Activating changes..." + #$ActivateChanges = Read-Host "Do you want to take restart SAP cluster role '$SAPClusterRoleName', to activate the changes (yes/no)?" - Write-Output " " - Write-Output "Taking SAP cluster IP resource '$SAPIPresourceName' offline ..." - Stop-ClusterResource -Name $SAPIPresourceName - sleep 5 + if($RestartSAPClusterGroup){ + Write-Output "" + Write-Output "Activating changes..." - Write-Output "Starting SAP cluster role '$SAPClusterRoleName' ..." - Start-ClusterGroup -Name $SAPClusterRoleName + Write-Output " " + Write-Output "Taking SAP cluster IP resource '$SAPIPresourceName' offline ..." + Stop-ClusterResource -Name $SAPIPresourceName + sleep 5 - Write-Output "New ProbePort parameter is active." 
- Write-Output " " + Write-Output "Starting SAP cluster role '$SAPClusterRoleName' ..." + Start-ClusterGroup -Name $SAPClusterRoleName - Write-Output "New configuration parameters for SAP IP cluster resource '$SAPIPresourceName':" - Write-Output " " - Get-ClusterResource -Name $SAPIPresourceName | Get-ClusterParameter - }else - { - Write-Output "SAP cluster role '$SAPClusterRoleName' is not restarted, therefore changes are not activated." - } - } - catch{ - Write-Error $_.Exception.Message - } + Write-Output "New ProbePort parameter is active." + Write-Output " " + Write-Output "New configuration parameters for SAP IP cluster resource '$SAPIPresourceName':" + Write-Output " " + Get-ClusterResource -Name $SAPIPresourceName | Get-ClusterParameter + }else + { + Write-Output "SAP cluster role '$SAPClusterRoleName' is not restarted, therefore changes are not activated." + } + } + catch{ + Write-Error $_.Exception.Message } - END {} - } - ``` + } + + END {} + } +``` ### Continue with the SAP installation -1. Install the database instance, by following the process that's described in the SAP installation guide. +1. Install the database instance by following the process that's described in the SAP installation guide. 2. Install SAP on the second cluster node by following the steps that are described in the SAP installation guide. -3. Install the SAP Primary Application Server (PAS) instance on the virtual machine that you've designated to host the PAS. +3. Install the SAP Primary Application Server (PAS) instance on the virtual machine that you've designated to host the PAS. ++ Follow the process described in the SAP installation guide. There are no dependencies on Azure. +4. Install additional SAP application servers on the virtual machines that are designated to host SAP application server instances. + Follow the process described in the SAP installation guide. There are no dependencies on Azure.-4. 
Install additional SAP application servers on the virtual machines, designated to host SAP Application server instances. - Follow the process described in the SAP installation guide. There are no dependencies on Azure. -## Test the SAP ASCS/SCS instance failover -For the outlined failover tests, we assume that SAP ASCS is active on node A. +## Test SAP ASCS/SCS instance failover ++The outlined failover tests assume that SAP ASCS is active on node A. ++1. Verify that the SAP system can successfully fail over from node A to node B. In this example, the test is for SAP SID PR2. -1. Verify that the SAP system can successfully fail over from node A to node B. In this example, the test is done for SAPSID **PR2**. - Make sure that each of SAPSID can successfully move to the other cluster node. - Choose one of these options to initiate a failover of the SAP \<SID\> cluster group from cluster node A to cluster node B: - - Failover Cluster Manager - - Failover Cluster PowerShell + Make sure that each SAP SID can successfully move to the other cluster node. Choose one of these options to initiate a failover of the SAP \<SID\> cluster group from cluster node A to cluster node B: ++ - Failover Cluster Manager + - PowerShell commands for failover clusters ```powershell $SAPSID = "PR2" # SAP <SID> For the outlined failover tests, we assume that SAP ASCS is active on node A. Move-ClusterGroup -Name $SAPClusterGroup ```-2. Restart cluster node A within the Windows guest operating system. This initiates an automatic failover of the SAP \<SID\> cluster group from node A to node B. -3. Restart cluster node A from the Azure portal. This initiates an automatic failover of the SAP \<SID\> cluster group from node A to node B. -4. Restart cluster node A by using Azure PowerShell. This initiates an automatic failover of the SAP \<SID\> cluster group from node A to node B. -## Next steps +2. Restart cluster node A within the Windows guest operating system. 
This step initiates an automatic failover of the SAP \<SID\> cluster group from node A to node B. +3. Restart cluster node A from the Azure portal. This step initiates an automatic failover of the SAP \<SID\> cluster group from node A to node B. +4. Restart cluster node A by using Azure PowerShell. This step initiates an automatic failover of the SAP \<SID\> cluster group from node A to node B. -* [Prepare the Azure infrastructure for SAP HA by using a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-infrastructure-wsfc-shared-disk] -* [Install SAP NetWeaver HA on a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-installation-wsfc-shared-disk] ---[1928533]:https://launchpad.support.sap.com/#/notes/1928533 -[1999351]:https://launchpad.support.sap.com/#/notes/1999351 -[2015553]:https://launchpad.support.sap.com/#/notes/2015553 -[2178632]:https://launchpad.support.sap.com/#/notes/2178632 -[2243692]:https://launchpad.support.sap.com/#/notes/2243692 -[1869038]:https://launchpad.support.sap.com/#/notes/1869038 -[2287140]:https://launchpad.support.sap.com/#/notes/2287140 -[2492395]:https://launchpad.support.sap.com/#/notes/2492395 --[sap-installation-guides]:http://service.sap.com/instguides --[azure-resource-manager/management/azure-subscription-service-limits]:../../azure-resource-manager/management/azure-subscription-service-limits.md -[azure-resource-manager/management/azure-subscription-service-limits-subscription]:../../azure-resource-manager/management/azure-subscription-service-limits.md -[networking-limits-azure-resource-manager]:../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits -[load-balancer-multivip-overview]:../../load-balancer/load-balancer-multivip-overview.md ---[sap-net-weaver-ports]:https://help.sap.com/viewer/ports 
-[sap-high-availability-architecture-scenarios]:sap-high-availability-architecture-scenarios.md -[sap-high-availability-guide-wsfc-shared-disk]:sap-high-availability-guide-wsfc-shared-disk.md -[sap-high-availability-guide-wsfc-file-share]:sap-high-availability-guide-wsfc-file-share.md -[sap-ascs-high-availability-multi-sid-wsfc]:sap-ascs-high-availability-multi-sid-wsfc.md -[sap-high-availability-infrastructure-wsfc-shared-disk]:sap-high-availability-infrastructure-wsfc-shared-disk.md -[sap-high-availability-installation-wsfc-shared-disk]:sap-high-availability-installation-wsfc-shared-disk.md -[sap-hana-ha]:sap-hana-high-availability.md -[sap-suse-ascs-ha]:high-availability-guide-suse.md -[sap-net-weaver-ports-ascs-scs-ports]:sap-high-availability-infrastructure-wsfc-shared-disk.md#fe0bd8b5-2b43-45e3-8295-80bee5415716 --[dbms-guide]:../../virtual-machines-windows-sap-dbms-guide-general.md --[deployment-guide]:deployment-guide.md --[dr-guide-classic]:https://go.microsoft.com/fwlink/?LinkID=521971 --[getting-started]:get-started.md --[planning-guide]:planning-guide.md -[planning-guide-11]:planning-guide.md -[planning-guide-2.1]:planning-guide.md#1625df66-4cc6-4d60-9202-de8a0b77f803 -[planning-guide-2.2]:planning-guide.md#f5b3b18c-302c-4bd8-9ab2-c388f1ab3d10 +## Next steps -[planning-guide-microsoft-azure-networking]:planning-guide.md#61678387-8868-435d-9f8c-450b2424f5bd -[planning-guide-storage-microsoft-azure-storage-and-data-disks]:planning-guide.md#a72afa26-4bf4-4a25-8cf7-855d6032157f +- [Prepare the Azure infrastructure for SAP HA by using a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-infrastructure-wsfc-shared-disk] +- [Install SAP NetWeaver HA on a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-installation-wsfc-shared-disk] -[sap-high-availability-architecture-scenarios]:sap-high-availability-architecture-scenarios.md 
-[sap-high-availability-guide-wsfc-shared-disk]:sap-high-availability-guide-wsfc-shared-disk.md -[sap-high-availability-guide-wsfc-file-share]:sap-high-availability-guide-wsfc-file-share.md -[sap-ascs-high-availability-multi-sid-wsfc]:sap-ascs-high-availability-multi-sid-wsfc.md [sap-high-availability-infrastructure-wsfc-shared-disk]:sap-high-availability-infrastructure-wsfc-shared-disk.md-[sap-high-availability-infrastructure-wsfc-file-share]:sap-high-availability-infrastructure-wsfc-file-share.md - [sap-high-availability-installation-wsfc-shared-disk]:sap-high-availability-installation-wsfc-shared-disk.md-[sap-high-availability-installation-wsfc-shared-disk-install-ascs]:sap-high-availability-installation-wsfc-shared-disk.md#31c6bd4f-51df-4057-9fdf-3fcbc619c170 -[sap-high-availability-installation-wsfc-shared-disk-modify-ascs-profile]:sap-high-availability-installation-wsfc-shared-disk.md#e4caaab2-e90f-4f2c-bc84-2cd2e12a9556 -[sap-high-availability-installation-wsfc-shared-disk-add-probe-port]:sap-high-availability-installation-wsfc-shared-disk.md#10822f4f-32e7-4871-b63a-9b86c76ce761 -[sap-high-availability-installation-wsfc-shared-disk-win-firewall-probe-port]:sap-high-availability-installation-wsfc-shared-disk.md#4498c707-86c0-4cde-9c69-058a7ab8c3ac -[sap-high-availability-installation-wsfc-shared-disk-change-ers-service-startup-type]:sap-high-availability-installation-wsfc-shared-disk.md#094bc895-31d4-4471-91cc-1513b64e406a -[sap-high-availability-installation-wsfc-shared-disk-test-ascs-failover-and-sios-repl]:sap-high-availability-installation-wsfc-shared-disk.md#18aa2b9d-92d2-4c0e-8ddd-5acaabda99e9 --[sap-high-availability-installation-wsfc-file-share]:sap-high-availability-installation-wsfc-file-share.md -[sap-high-availability-infrastructure-wsfc-shared-disk-install-sios]:sap-high-availability-infrastructure-wsfc-shared-disk.md#5c8e5482-841e-45e1-a89d-a05c0907c868 --[Logo_Linux]:media/virtual-machines-shared-sap-shared/Linux.png 
[Logo_Windows]:media/virtual-machines-shared-sap-shared/Windows.png -[sap-ha-guide-figure-1000]:./media/virtual-machines-shared-sap-high-availability-guide/1000-wsfc-for-sap-ascs-on-azure.png -[sap-ha-guide-figure-1001]:./media/virtual-machines-shared-sap-high-availability-guide/1001-wsfc-on-azure-ilb.png -[sap-ha-guide-figure-1002]:./media/virtual-machines-shared-sap-high-availability-guide/1002-wsfc-sios-on-azure-ilb.png -[sap-ha-guide-figure-2000]:./media/virtual-machines-shared-sap-high-availability-guide/2000-wsfc-sap-as-ha-on-azure.png -[sap-ha-guide-figure-2001]:./media/virtual-machines-shared-sap-high-availability-guide/2001-wsfc-sap-ascs-ha-on-azure.png -[sap-ha-guide-figure-2003]:./media/virtual-machines-shared-sap-high-availability-guide/2003-wsfc-sap-dbms-ha-on-azure.png -[sap-ha-guide-figure-2004]:./media/virtual-machines-shared-sap-high-availability-guide/2004-wsfc-sap-ha-e2e-archit-template1-on-azure.png -[sap-ha-guide-figure-2005]:./media/virtual-machines-shared-sap-high-availability-guide/2005-wsfc-sap-ha-e2e-arch-template2-on-azure.png --[sap-ha-guide-figure-3000]:./media/virtual-machines-shared-sap-high-availability-guide/3000-template-parameters-sap-ha-arm-on-azure.png -[sap-ha-guide-figure-3001]:./media/virtual-machines-shared-sap-high-availability-guide/3001-configuring-dns-servers-for-Azure-vnet.png -[sap-ha-guide-figure-3002]:./media/virtual-machines-shared-sap-high-availability-guide/3002-configuring-static-IP-address-for-network-card-of-each-vm.png -[sap-ha-guide-figure-3003]:./media/virtual-machines-shared-sap-high-availability-guide/3003-setup-static-ip-address-ilb-for-ascs-instance.png -[sap-ha-guide-figure-3004]:./media/virtual-machines-shared-sap-high-availability-guide/3004-default-ascs-scs-ilb-balancing-rules-for-azure-ilb.png -[sap-ha-guide-figure-3005]:./media/virtual-machines-shared-sap-high-availability-guide/3005-changing-ascs-scs-default-ilb-rules-for-azure-ilb.png 
-[sap-ha-guide-figure-3006]:./media/virtual-machines-shared-sap-high-availability-guide/3006-adding-vm-to-domain.png -[sap-ha-guide-figure-3007]:./media/virtual-machines-shared-sap-high-availability-guide/3007-config-wsfc-1.png -[sap-ha-guide-figure-3008]:./media/virtual-machines-shared-sap-high-availability-guide/3008-config-wsfc-2.png -[sap-ha-guide-figure-3009]:./media/virtual-machines-shared-sap-high-availability-guide/3009-config-wsfc-3.png -[sap-ha-guide-figure-3010]:./media/virtual-machines-shared-sap-high-availability-guide/3010-config-wsfc-4.png -[sap-ha-guide-figure-3011]:./media/virtual-machines-shared-sap-high-availability-guide/3011-config-wsfc-5.png -[sap-ha-guide-figure-3012]:./media/virtual-machines-shared-sap-high-availability-guide/3012-config-wsfc-6.png -[sap-ha-guide-figure-3013]:./media/virtual-machines-shared-sap-high-availability-guide/3013-config-wsfc-7.png -[sap-ha-guide-figure-3014]:./media/virtual-machines-shared-sap-high-availability-guide/3014-config-wsfc-8.png -[sap-ha-guide-figure-3015]:./media/virtual-machines-shared-sap-high-availability-guide/3015-config-wsfc-9.png -[sap-ha-guide-figure-3016]:./media/virtual-machines-shared-sap-high-availability-guide/3016-config-wsfc-10.png -[sap-ha-guide-figure-3017]:./media/virtual-machines-shared-sap-high-availability-guide/3017-config-wsfc-11.png -[sap-ha-guide-figure-3018]:./media/virtual-machines-shared-sap-high-availability-guide/3018-config-wsfc-12.png -[sap-ha-guide-figure-3019]:./media/virtual-machines-shared-sap-high-availability-guide/3019-assign-permissions-on-share-for-cluster-name-object.png -[sap-ha-guide-figure-3020]:./media/virtual-machines-shared-sap-high-availability-guide/3020-change-object-type-include-computer-objects.png -[sap-ha-guide-figure-3021]:./media/virtual-machines-shared-sap-high-availability-guide/3021-check-box-for-computer-objects.png 
-[sap-ha-guide-figure-3022]:./media/virtual-machines-shared-sap-high-availability-guide/3022-set-security-attributes-for-cluster-name-object-on-file-share-quorum.png -[sap-ha-guide-figure-3023]:./media/virtual-machines-shared-sap-high-availability-guide/3023-call-configure-cluster-quorum-setting-wizard.png -[sap-ha-guide-figure-3024]:./media/virtual-machines-shared-sap-high-availability-guide/3024-selection-screen-different-quorum-configurations.png -[sap-ha-guide-figure-3025]:./media/virtual-machines-shared-sap-high-availability-guide/3025-selection-screen-file-share-witness.png -[sap-ha-guide-figure-3026]:./media/virtual-machines-shared-sap-high-availability-guide/3026-define-file-share-location-for-witness-share.png -[sap-ha-guide-figure-3027]:./media/virtual-machines-shared-sap-high-availability-guide/3027-successful-reconfiguration-cluster-file-share-witness.png -[sap-ha-guide-figure-3028]:./media/virtual-machines-shared-sap-high-availability-guide/3028-install-dot-net-framework-35.png -[sap-ha-guide-figure-3029]:./media/virtual-machines-shared-sap-high-availability-guide/3029-install-dot-net-framework-35-progress.png -[sap-ha-guide-figure-3030]:./media/virtual-machines-shared-sap-high-availability-guide/3030-sios-installer.png -[sap-ha-guide-figure-3031]:./media/virtual-machines-shared-sap-high-availability-guide/3031-first-screen-sios-data-keeper-installation.png -[sap-ha-guide-figure-3032]:./media/virtual-machines-shared-sap-high-availability-guide/3032-data-keeper-informs-service-be-disabled.png -[sap-ha-guide-figure-3033]:./media/virtual-machines-shared-sap-high-availability-guide/3033-user-selection-sios-data-keeper.png -[sap-ha-guide-figure-3034]:./media/virtual-machines-shared-sap-high-availability-guide/3034-domain-user-sios-data-keeper.png -[sap-ha-guide-figure-3035]:./media/virtual-machines-shared-sap-high-availability-guide/3035-provide-sios-data-keeper-license.png 
-[sap-ha-guide-figure-3036]:./media/virtual-machines-shared-sap-high-availability-guide/3036-data-keeper-management-config-tool.png -[sap-ha-guide-figure-3037]:./media/virtual-machines-shared-sap-high-availability-guide/3037-tcp-ip-address-first-node-data-keeper.png -[sap-ha-guide-figure-3038]:./media/virtual-machines-shared-sap-high-availability-guide/3038-create-replication-sios-job.png -[sap-ha-guide-figure-3039]:./media/virtual-machines-shared-sap-high-availability-guide/3039-define-sios-replication-job-name.png -[sap-ha-guide-figure-3040]:./media/virtual-machines-shared-sap-high-availability-guide/3040-define-sios-source-node.png -[sap-ha-guide-figure-3041]:./media/virtual-machines-shared-sap-high-availability-guide/3041-define-sios-target-node.png -[sap-ha-guide-figure-3042]:./media/virtual-machines-shared-sap-high-availability-guide/3042-define-sios-synchronous-replication.png -[sap-ha-guide-figure-3043]:./media/virtual-machines-shared-sap-high-availability-guide/3043-enable-sios-replicated-volume-as-cluster-volume.png -[sap-ha-guide-figure-3044]:./media/virtual-machines-shared-sap-high-availability-guide/3044-data-keeper-synchronous-mirroring-for-SAP-gui.png -[sap-ha-guide-figure-3045]:./media/virtual-machines-shared-sap-high-availability-guide/3045-replicated-disk-by-data-keeper-in-wsfc.png -[sap-ha-guide-figure-3046]:./media/virtual-machines-shared-sap-high-availability-guide/3046-dns-entry-sap-ascs-virtual-name-ip.png -[sap-ha-guide-figure-3047]:./media/virtual-machines-shared-sap-high-availability-guide/3047-dns-manager.png -[sap-ha-guide-figure-3048]:./media/virtual-machines-shared-sap-high-availability-guide/3048-default-cluster-probe-port.png -[sap-ha-guide-figure-3049]:./media/virtual-machines-shared-sap-high-availability-guide/3049-cluster-probe-port-after.png -[sap-ha-guide-figure-3050]:./media/virtual-machines-shared-sap-high-availability-guide/3050-service-type-ers-delayed-automatic.png 
-[sap-ha-guide-figure-5000]:./media/virtual-machines-shared-sap-high-availability-guide/5000-wsfc-sap-sid-node-a.png -[sap-ha-guide-figure-5001]:./media/virtual-machines-shared-sap-high-availability-guide/5001-sios-replicating-local-volume.png -[sap-ha-guide-figure-5002]:./media/virtual-machines-shared-sap-high-availability-guide/5002-wsfc-sap-sid-node-b.png -[sap-ha-guide-figure-5003]:./media/virtual-machines-shared-sap-high-availability-guide/5003-sios-replicating-local-volume-b-to-a.png --[sap-ha-guide-figure-6001]:media/virtual-machines-shared-sap-high-availability-guide/6001-sap-multi-sid-ascs-scs-sid1.png -[sap-ha-guide-figure-6002]:media/virtual-machines-shared-sap-high-availability-guide/6002-sap-multi-sid-ascs-scs.png -[sap-ha-guide-figure-6003]:media/virtual-machines-shared-sap-high-availability-guide/6003-sap-multi-sid-full-landscape.png -[sap-ha-guide-figure-6004]:media/virtual-machines-shared-sap-high-availability-guide/6004-sap-multi-sid-dns.png -[sap-ha-guide-figure-6005]:media/virtual-machines-shared-sap-high-availability-guide/6005-sap-multi-sid-azure-portal.png -[sap-ha-guide-figure-6006]:media/virtual-machines-shared-sap-high-availability-guide/6006-sap-multi-sid-sios-replication.png - [sap-ha-guide-figure-6007]:media/virtual-machines-shared-sap-high-availability-guide/6007-sap-multi-sid-ascs-azure-shared-disk-sid-1.png [sap-ha-guide-figure-6008]:media/virtual-machines-shared-sap-high-availability-guide/6008-sap-multi-sid-ascs-azure-shared-disk-sid-2.png [sap-ha-guide-figure-6009]:media/virtual-machines-shared-sap-high-availability-guide/6009-sap-multi-sid-ascs-azure-shared-disk-dns1.png [sap-ha-guide-figure-6010]:media/virtual-machines-shared-sap-high-availability-guide/6010-sap-multi-sid-ascs-azure-shared-disk-dns2.png 
[sap-ha-guide-figure-6011]:media/virtual-machines-shared-sap-high-availability-guide/6011-sap-multi-sid-ascs-azure-shared-disk-dns3.png--[sap-ha-guide-figure-8001]:./media/virtual-machines-shared-sap-high-availability-guide/8001.png -[sap-ha-guide-figure-8002]:./media/virtual-machines-shared-sap-high-availability-guide/8002.png -[sap-ha-guide-figure-8003]:./media/virtual-machines-shared-sap-high-availability-guide/8003.png -[sap-ha-guide-figure-8004]:./media/virtual-machines-shared-sap-high-availability-guide/8004.png -[sap-ha-guide-figure-8005]:./media/virtual-machines-shared-sap-high-availability-guide/8005.png -[sap-ha-guide-figure-8006]:./media/virtual-machines-shared-sap-high-availability-guide/8006.png -[sap-ha-guide-figure-8007]:./media/virtual-machines-shared-sap-high-availability-guide/8007.png -[sap-ha-guide-figure-8008]:./media/virtual-machines-shared-sap-high-availability-guide/8008.png -[sap-ha-guide-figure-8009]:./media/virtual-machines-shared-sap-high-availability-guide/8009.png -[sap-ha-guide-figure-8010]:./media/virtual-machines-shared-sap-high-availability-guide/8010.png -[sap-ha-guide-figure-8011]:./media/virtual-machines-shared-sap-high-availability-guide/8011.png -[sap-ha-guide-figure-8012]:./media/virtual-machines-shared-sap-high-availability-guide/8012.png -[sap-ha-guide-figure-8013]:./media/virtual-machines-shared-sap-high-availability-guide/8013.png -[sap-ha-guide-figure-8014]:./media/virtual-machines-shared-sap-high-availability-guide/8014.png -[sap-ha-guide-figure-8015]:./media/virtual-machines-shared-sap-high-availability-guide/8015.png -[sap-ha-guide-figure-8016]:./media/virtual-machines-shared-sap-high-availability-guide/8016.png -[sap-ha-guide-figure-8017]:./media/virtual-machines-shared-sap-high-availability-guide/8017.png -[sap-ha-guide-figure-8018]:./media/virtual-machines-shared-sap-high-availability-guide/8018.png -[sap-ha-guide-figure-8019]:./media/virtual-machines-shared-sap-high-availability-guide/8019.png 
-[sap-ha-guide-figure-8020]:./media/virtual-machines-shared-sap-high-availability-guide/8020.png -[sap-ha-guide-figure-8021]:./media/virtual-machines-shared-sap-high-availability-guide/8021.png -[sap-ha-guide-figure-8022]:./media/virtual-machines-shared-sap-high-availability-guide/8022.png -[sap-ha-guide-figure-8023]:./media/virtual-machines-shared-sap-high-availability-guide/8023.png -[sap-ha-guide-figure-8024]:./media/virtual-machines-shared-sap-high-availability-guide/8024.png -[sap-ha-guide-figure-8025]:./media/virtual-machines-shared-sap-high-availability-guide/8025.png ---[sap-templates-3-tier-multisid-xscs-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image-multi-sid-xscs%2Fazuredeploy.json -[sap-templates-3-tier-multisid-xscs-marketplace-image-md]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-xscs-md%2Fazuredeploy.json -[sap-templates-3-tier-multisid-db-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image-multi-sid-db%2Fazuredeploy.json -[sap-templates-3-tier-multisid-db-marketplace-image-md]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-db-md%2Fazuredeploy.json -[sap-templates-3-tier-multisid-apps-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image-multi-sid-apps%2Fazuredeploy.json 
-[sap-templates-3-tier-multisid-apps-marketplace-image-md]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-apps-md%2Fazuredeploy.json --[virtual-machines-azure-resource-manager-architecture-benefits-arm]:../../azure-resource-manager/management/overview.md#the-benefits-of-using-resource-manager --[virtual-machines-manage-availability]:../../virtual-machines/availability.md |
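Review bot: this hunk deletes the reference-style definitions for the `sap-ha-guide-figure-5000` through `sap-ha-guide-figure-8025` images, the `sap-templates-3-tier-multisid-*` Azure portal template links and the two `virtual-machines-*` links, while the `6007` to `6011` definitions stay as unchanged context. Confirm that every `![...][sap-ha-guide-figure-NNNN]` and `[...][sap-templates-...]` usage was dropped from the article body in the same commit: a reference link whose definition is gone renders as literal bracketed text instead of an image or link, and for the template entries that means the "Deploy to Azure" path to `azuredeploy.json` silently disappears from the page.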
sap | Sap Hana Availability One Region | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-hana-availability-one-region.md | In this scenario, data that's replicated to the HANA instance in the second VM i ### SAP HANA system replication with automatic failover -In the standard and most common availability configuration within one Azure region, two Azure VMs running Linux with HA packages have a failover cluster defined. The HA Linux cluster is based on the `Pacemaker` framework using [SLES](./high-availability-guide-suse-pacemaker.md) or [RHEL](./high-availability-guide-rhel-pacemaker.md) with a `fencing device` [SLES](./high-availability-guide-suse-pacemaker.md#create-an-azure-fence-agent-device) or [RHEL](./high-availability-guide-rhel-pacemaker.md#create-fencing-device) as an example. +In the standard and most common availability configuration within one Azure region, two Azure VMs running Linux with HA packages have a failover cluster defined. The HA Linux cluster is based on the `Pacemaker` framework using [SLES](./high-availability-guide-suse-pacemaker.md) or [RHEL](./high-availability-guide-rhel-pacemaker.md) with a `fencing device` [SLES](./high-availability-guide-suse-pacemaker.md#create-an-azure-fence-agent-device) or [RHEL](./high-availability-guide-rhel-pacemaker.md#create-a-fencing-device) as an example. From an SAP HANA perspective, the replication mode that's used is synced and an automatic failover is configured. In the second VM, the SAP HANA instance acts as a hot standby node. The standby node receives a synchronous stream of change records from the primary SAP HANA instance. As transactions are committed by the application at the HANA primary node, the primary HANA node waits to confirm the commit to the application until the secondary SAP HANA node confirms that it received the commit record. SAP HANA offers two synchronous replication modes. 
For details and for a description of differences between these two synchronous replication modes, see the SAP article [Replication modes for SAP HANA system replication](https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/2.0.02/en-US/c039a1a5b8824ecfa754b55e0caffc01.html). |
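Review bot: the only change in this hunk is the RHEL bookmark, from `#create-fencing-device` to `#create-a-fencing-device`; confirm the target heading in `high-availability-guide-rhel-pacemaker.md` currently renders to that anchor, and check the untouched SLES bookmark `#create-an-azure-fence-agent-device` at the same time, since both links sit in the same sentence and a stale anchor just drops the reader at the top of the linked page. Nothing else in the paragraph is meant to change, so the `+` line should otherwise be identical to the `-` line.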
sap | Sap High Availability Guide Wsfc Shared Disk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/sap-high-availability-guide-wsfc-shared-disk.md | Title: Cluster SAP ASCS/SCS instance on WSFC using shared disk in Azure | Microsoft Docs -description: Learn how to cluster an SAP ASCS/SCS instance on a Windows failover cluster by using a cluster shared disk. +description: Learn how to cluster an SAP ASCS/SCS instance on a Windows failover cluster by using a shared disk. documentationcenter: saponazure -# Cluster an SAP ASCS/SCS instance on a Windows failover cluster by using a cluster shared disk in Azure +# Cluster an SAP ASCS/SCS instance on a Windows failover cluster by using a shared disk in Azure > ![Windows OS][Logo_Windows] Windows > -Windows Server failover clustering is the foundation of a high-availability SAP ASCS/SCS installation and DBMS in Windows. +Windows Server Failover Clustering (WSFC) is the foundation of a high-availability (HA) SAP ASCS/SCS installation and database management systems (DBMSs) in Windows. -A failover cluster is a group of 1+n-independent servers (nodes) that work together to increase the availability of applications and services. If a node failure occurs, Windows Server failover clustering calculates the number of failures that can occur and still maintain a healthy cluster to provide applications and services. You can choose from different quorum modes to achieve failover clustering. +A failover cluster is a group of 1+n independent servers (nodes) that work together to increase the availability of applications and services. If a node failure occurs, WSFC calculates the number of failures that can occur and still maintain a healthy cluster to provide applications and services. You can choose from various quorum modes to achieve failover clustering. 
## Prerequisites-Before you begin the tasks in this article, review the following article: -* [Azure Virtual Machines high-availability architecture and scenarios for SAP NetWeaver][sap-high-availability-architecture-scenarios] +Before you begin the tasks in this article, review the article [High-availability architecture and scenarios for SAP NetWeaver][sap-high-availability-architecture-scenarios]. +## Windows Server Failover Clustering in Azure -## Windows Server failover clustering in Azure --Windows Server failover clustering with Azure Virtual Machines requires additional configuration steps. When you build a cluster, you need to set several IP addresses and virtual host names for the SAP ASCS/SCS instance. +WSFC with Azure virtual machines (VMs) requires additional configuration steps. When you build a cluster, you need to set several IP addresses and virtual host names for the SAP ASCS/SCS instance. ### Name resolution in Azure and the cluster virtual host name -The Azure cloud platform doesn't offer the option to configure virtual IP addresses, such as floating IP addresses. You need an alternative solution to set up a virtual IP address to reach the cluster resource in the cloud. +The Azure cloud platform doesn't offer the option to configure virtual IP addresses, such as floating IP addresses. You need an alternative solution to set up a virtual IP address to reach the cluster resource in the cloud. -The Azure Load Balancer service provides an *internal load balancer* for Azure. With the internal load balancer, clients reach the cluster over the cluster virtual IP address. +The Azure Load Balancer service provides an *internal load balancer* for Azure. With the internal load balancer, clients reach the cluster over the cluster's virtual IP address. -Deploy the internal load balancer in the resource group that contains the cluster nodes. Then, configure all necessary port forwarding rules by using the probe ports of the internal load balancer. 
Clients can connect via the virtual host name. The DNS server resolves the cluster IP address, and the internal load balancer handles port forwarding to the active node of the cluster. +Deploy the internal load balancer in the resource group that contains the cluster nodes. Then, configure all necessary port-forwarding rules by using the probe ports of the internal load balancer. Clients can connect via the virtual host name. The DNS server resolves the cluster IP address, and the internal load balancer handles port forwarding to the active node of the cluster. > [!IMPORTANT]-> Floating IP is not supported on a NIC secondary IP configuration in load-balancing scenarios. For details see [Azure Load balancer Limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need additional IP address for the VM, deploy a second NIC. --![Figure 1: Windows failover clustering configuration in Azure without a shared disk][sap-ha-guide-figure-1001] +> Floating IP addresses are not supported on a secondary IP configuration for a network adapter (NIC) in load-balancing scenarios. For details, see [Azure Load Balancer limitations](../../load-balancer/load-balancer-multivip-overview.md#limitations). If you need an additional IP address for the VM, deploy a second NIC. -_Windows Server failover clustering configuration in Azure without a shared disk_ +![Diagram of a Windows Server Failover Clustering configuration in Azure without a shared disk.][sap-ha-guide-figure-1001] ### SAP ASCS/SCS HA with cluster shared disks+ In Windows, an SAP ASCS/SCS instance contains SAP central services, the SAP message server, enqueue server processes, and SAP global host files. SAP global host files store central files for the entire SAP system. An SAP ASCS/SCS instance has the following components: -* SAP central - * Two processes, a message and enqueue server, and an \<ASCS/SCS virtual host name>, which is used to access these two processes. 
- * File structure: S:\usr\sap\\<SID>\ASCS/SCS\<instance number\> -+- SAP central + - Two processes (for a message server and an enqueue server) and an ASCS/SCS virtual host name that's used to access the two processes + - File structure: *S:\usr\sap\\<SID>\ASCS/SCS\<instance number\>* -* SAP global host files: - * File structure: S:\usr\sap\\<SID>\SYS\... - * The sapmnt file share, which enables access to these global S:\usr\sap\\<SID>\SYS\... files by using the following UNC path: +- SAP global host files: + - File structure: *S:\usr\sap\\<SID>\SYS\...* + - The *sapmnt* file share, which enables access to these global *S:\usr\sap\\<SID>\SYS\...* files by using the following UNC path: - \\\\<ASCS/SCS virtual host name\>\sapmnt\\<SID>\SYS\... + *\\\\<ASCS/SCS virtual host name\>\sapmnt\\<SID>\SYS\...* +![Diagram of processes, file structure, and global host file share of an SAP ASCS/SCS instance.][sap-ha-guide-figure-8001] -![Figure 2: Processes, file structure, and global host sapmnt file share of an SAP ASCS/SCS instance][sap-ha-guide-figure-8001] +In a high-availability setting, you cluster SAP ASCS/SCS instances. You use cluster shared disks (drive S in this article's example) to place the SAP ASCS/SCS and SAP global host files. -_Processes, file structure, and global host sapmnt file share of an SAP ASCS/SCS instance_ +![Diagram that shows an SAP ASCS/SCS high-availability architecture with shared disks.][sap-ha-guide-figure-8002] -In a high-availability setting, you cluster SAP ASCS/SCS instances. We use *clustered shared disks* (drive S, in our example), to place the SAP ASCS/SCS and SAP global host files. +With an Enqueue Replication Server 1 (ERS1) architecture: -![Figure 3: SAP ASCS/SCS HA architecture with shared disk][sap-ha-guide-figure-8002] +- The same ASCS/SCS virtual host name is used to access the SAP message server and enqueue server processes, in addition to the SAP global host files via the *sapmnt* file share. 
+- The same cluster shared disk (drive S) is shared between them. -_SAP ASCS/SCS HA architecture with shared disk_ +With Enqueue Replication Server 2 (ERS2) architecture: +- The same ASCS/SCS virtual host name is used to access the SAP message server process, in addition to the SAP global host files via the *sapmnt* file share. +- The same cluster shared disk (drive S) is shared between them. +- There's a separate ERS virtual host name to access the enqueue server process. -With Enqueue server replication 1 architecture: -* The same \<ASCS/SCS virtual host name> is used to access the SAP message and enqueue server processes, and the SAP global host files via the sapmnt file share. -* The same cluster shared disk drive S is shared between them. +![Diagram of an SAP ASCS/SCS high-availability architecture with a shared disk.][sap-ha-guide-figure-8003] -With Enqueue server replication 2 architecture: -* The same \<ASCS/SCS virtual host name> is used to access the SAP message server process, and the SAP global host files via the sapmnt file share. -* The same cluster shared disk drive S is shared between them. -* There is separate \<ERS virtual host name> to access the enqueue server process +#### Shared disks and Enqueue Replication Server -![Figure 4: SAP ASCS/SCS HA architecture with shared disk][sap-ha-guide-figure-8003] +Shared disks are supported with an ERS1 architecture, where the ERS1 instance: -_SAP ASCS/SCS HA architecture with shared disk_ +- Is not clustered. +- Uses a `localhost` name. +- Is deployed on local disks on each of the cluster nodes. -#### Shared Disk and Enqueue Replication Server +Shared disks are also supported with an ERS2 architecture, where the ERS2 instance: -1. Shared disk is supported with Enqueue server replication 1 architecture, where Enqueue Replication Server (ERS) instance: +- Is clustered. +- Uses a dedicated virtual or network host name. 
+- Needs the IP address of ERS virtual host name to be configured on an Azure internal load balancer, in addition to the (A)SCS IP address. +- Is deployed on local disks on each of the clustered nodes, so there's no need for a shared disk. - - is not clustered - - uses `localhost` name - - is deployed on local disks on each of the cluster nodes +For more information about ERS1 and ERS2, see [Enqueue Replication Server in a Microsoft Failover Cluster](https://help.sap.com/viewer/3741bfe0345f4892ae190ee7cfc53d4c/CURRENT_VERSION_SWPM20/en-US/8abd4b52902d4b17a105c2fabdf5c0cf.html) and [New Enqueue Replicator in Failover Cluster environments](https://blogs.sap.com/2019/03/19/new-enqueue-replicator-in-failover-cluster-environments/) on the SAP website. -2. Shared disk is also supported with Enqueue server replication 2 architecture, where the Enqueue Replication Server 2 (ERS2) instance: +#### Options for shared disks in Azure for SAP workloads - - is clustered - - uses dedicated virtual/network host name - - needs the IP address of ERS virtual hostname to be configured on Azure Internal Load Balancer, in addition to the (A)SCS IP address - - is deployed on **local disks** on each of the clustered nodes, therefore there is no need for shared disk +There are two options for shared disks in a Windows failover cluster in Azure: - > [!TIP] - > You can find more information about Enqueue Replication Server 1 and 2 (ERS1 and ERS2) here: - > [Enqueue Replication Server in a Microsoft Failover Cluster](https://help.sap.com/viewer/3741bfe0345f4892ae190ee7cfc53d4c/CURRENT_VERSION_SWPM20/en-US/8abd4b52902d4b17a105c2fabdf5c0cf.html) - > [New Enqueue Replicator in Failover Cluster environments](https://blogs.sap.com/2019/03/19/new-enqueue-replicator-in-failover-cluster-environments/) +- Use [Azure shared disks](../../virtual-machines/disks-shared.md) to attach Azure managed disks to multiple VMs simultaneously. 
+- Use [SIOS DataKeeper Cluster Edition](https://us.sios.com/products/sios-datakeeper/) to create a mirrored storage that simulates cluster shared storage. -#### Options for shared disk in Azure for SAP workloads +When you're selecting the technology for shared disks, keep in mind the following considerations about Azure shared disks for SAP workloads: -There are two options for shared disk in a windows failover cluster in Azure: +- Use of Azure shared disks with [Azure Premium SSD](../../virtual-machines/disks-types.md#premium-ssds) disks is supported for SAP deployment in availability sets and availability zones. +- [Azure Ultra Disk Storage disks](../../virtual-machines/disks-types.md#ultra-disks) and [Azure Standard SSD disks](../../virtual-machines/disks-types.md#standard-ssds) are not supported as Azure shared disks for SAP workloads. +- Be sure to provision Azure Premium SSD disks with a minimum disk size, as specified in [Premium SSD ranges](../../virtual-machines/disks-shared.md#disk-sizes), to be able to attach to the required number of VMs simultaneously. You typically need two VMs for SAP ASCS Windows failover clusters. -- [Azure shared disks](../../virtual-machines/disks-shared.md) - feature, that allows to attach Azure managed disk to multiple VMs simultaneously. -- Using 3rd-party software [SIOS DataKeeper Cluster Edition](https://us.sios.com/products/sios-datakeeper/) to create a mirrored storage that simulates cluster shared storage. +Keep in mind the following considerations about SIOS: -When selecting the technology for shared disk, keep in mind the following considerations: +- The SIOS solution provides real-time synchronous data replication between two disks. +- With the SIOS solution, you operate with two managed disks. If you're using either availability sets or availability zones, the managed disks are on different storage clusters. +- Deployment in availability zones is supported. 
+- The SIOS solution requires installing and operating third-party software, which you need to purchase separately. -**Azure shared disk for SAP workloads** +### Azure shared disks -- Allows you to attach Azure managed disk to multiple VMs simultaneously without the need for additional software to maintain and operate.-- [Azure shared disk](../../virtual-machines/disks-shared.md) with [Premium SSD](../../virtual-machines/disks-types.md#premium-ssds) disks is supported for SAP deployment in availability set and availability zones.-- [Azure Ultra disk](../../virtual-machines/disks-types.md#ultra-disks) and [Azure Standard disks](../../virtual-machines/disks-types.md#standard-ssds) is not supported as Azure shared disk for SAP workloads.-- Make sure to provision Azure Premium disk with a minimum disk size as specified in [Premium SSD ranges](../../virtual-machines/disks-shared.md#disk-sizes) to be able to attach to the required number of VMs simultaneously (typically 2 for SAP ASCS Windows Failover cluster).- -**SIOS** -- The SIOS solution provides real-time synchronous data replication between two disks-- With the SIOS solution you operate with two managed disks, and if using either Availability sets or Availability zones, the managed disks will land on different storage clusters. -- Deployment in Availability zones is supported-- Requires installing and operating third-party software, which you will need to purchase additionally--### Shared Disk using Azure shared disk --Microsoft is offering [Azure shared disks](../../virtual-machines/disks-shared.md), which can be used to implement SAP ASCS/SCS High Availability with a shared disk option. +You can implement SAP ASCS/SCS HA with [Azure shared disks](../../virtual-machines/disks-shared.md). #### Prerequisites and limitations -Currently you can use Azure Premium SSD disks as an Azure shared disk for the SAP ASCS/SCS instance. 
The following limitations are currently in place: +Currently, you can use Azure Premium SSD disks as Azure shared disks for the SAP ASCS/SCS instance. The following limitations are currently in place: -- [Azure Ultra disk](../../virtual-machines/disks-types.md#ultra-disks) and [Standard SSD disks](../../virtual-machines/disks-types.md#standard-ssds) is not supported as Azure Shared Disk for SAP workloads.-- [Azure Shared disk](../../virtual-machines/disks-shared.md) with [Premium SSD disks](../../virtual-machines/disks-types.md#premium-ssds) is supported for SAP deployment in availability set and availability zones.-- Azure shared disk with Premium SSD disks comes with two storage SKUs.- - Locally redundant storage (LRS) for premium shared disk (skuName - Premium_LRS) is supported with deployment in Azure availability set. - - Zone-redundant storage (ZRS) for premium shared disk (skuName - Premium_ZRS) is supported with deployment in Azure availability zones. -- Azure shared disk value [maxShares](../../virtual-machines/disks-shared-enable.md?tabs=azure-cli#disk-sizes) determines how many cluster nodes can use the shared disk. Typically for SAP ASCS/SCS instance you will configure two nodes in Windows Failover Cluster, therefore the value for `maxShares` must be set to two.-- [Azure proximity placement group](../../virtual-machines/windows/proximity-placement-groups.md) is not required for Azure shared disk. But for SAP deployment with PPG, follow below guidelines:- - If you are using PPG for SAP system deployed in a region then all virtual machines sharing a disk must be part of the same PPG. - - If you are using PPG for SAP system deployed across zones like described in the document [Proximity placement groups with zonal deployments](proximity-placement-scenarios.md#proximity-placement-groups-with-zonal-deployments), you can attach Premium_ZRS storage to virtual machines sharing a disk. 
+- [Azure Ultra Disk Storage disks](../../virtual-machines/disks-types.md#ultra-disks) and [Standard SSD disks](../../virtual-machines/disks-types.md#standard-ssds) are not supported as Azure shared disks for SAP workloads. +- [Azure Shared disks](../../virtual-machines/disks-shared.md) with [Premium SSD disks](../../virtual-machines/disks-types.md#premium-ssds) are supported for SAP deployment in availability sets and availability zones. +- Azure shared disks with Premium SSD disks come with two storage options: + - Locally redundant storage (LRS) for Premium SSD shared disks (`skuName` value of `Premium_LRS`) is supported with deployment in availability sets. + - Zone-redundant storage (ZRS) for Premium SSD shared disks (`skuName` value of `Premium_ZRS`) is supported with deployment in availability zones. +- The Azure shared disk value [maxShares](../../virtual-machines/disks-shared-enable.md?tabs=azure-cli#disk-sizes) determines how many cluster nodes can use the shared disk. For an SAP ASCS/SCS instance, you typically configure two nodes in WSFC. You then set the value for `maxShares` to `2`. +- An [Azure proximity placement group (PPG)](../../virtual-machines/windows/proximity-placement-groups.md) is not required for Azure shared disks. But for SAP deployment with PPGs, follow these guidelines: + - If you're using PPGs for an SAP system deployed in a region, all virtual machines that share a disk must be part of the same PPG. + - If you're using PPGs for an SAP system deployed across zones, as described in [Proximity placement groups with zonal deployments](proximity-placement-scenarios.md#proximity-placement-groups-with-zonal-deployments), you can attach `Premium_ZRS` storage to virtual machines that share a disk. -For further details on limitations for Azure shared disk, please review carefully the [limitations](../../virtual-machines/disks-shared.md#limitations) section of Azure Shared Disk documentation. 
+For more information, review the [Limitations](../../virtual-machines/disks-shared.md#limitations) section of the documentation for Azure shared disks. -#### Important consideration for Premium shared disk +#### Important considerations for Premium SSD shared disks -Following are some of the important points to consider for Azure Premium shared disk: +Consider these important points about Azure Premium SSD shared disks: -- LRS for Premium shared disk- - SAP deployment with LRS for Premium shared disk will be operating with a single Azure shared disk on one storage cluster. Your SAP ASCS/SCS instance would be impacted, in case of issues with the storage cluster, where the Azure shared disk is deployed. +- LRS for Premium SSD shared disks: + - SAP deployment with LRS for Premium SSD shared disks operates with a single Azure shared disk on one storage cluster. If there's a problem with the storage cluster where the Azure shared disk is deployed, it affects your SAP ASCS/SCS instance. -- ZRS for Premium shared disk- - Write latency for ZRS is higher than that of LRS due to cross-zonal copy of data. - - The distance between availability zones in different region varies and with that ZRS disk latency across availability zones as well. [Benchmark your disks](../../virtual-machines/disks-benchmarks.md) to identify the latency of ZRS disk in your region. - - ZRS for Premium shared disk synchronously replicates data across three availability zones in the region. In case of any issue in one of the storage clusters, your SAP ASCS/SCS will continue to run as storage failover is transparent to the application layer. - - Review the [limitations](../../virtual-machines/disks-redundancy.md#limitations) section of ZRS for managed disks for more details. +- ZRS for Premium SSD shared disks: + - Write latency for ZRS is higher than that of LRS because of cross-zonal copying of data. 
+ - The distance between availability zones in different regions varies, and so does ZRS disk latency across availability zones. [Benchmark your disks](../../virtual-machines/disks-benchmarks.md) to identify the latency of ZRS disks in your region. + - ZRS for Premium SSD shared disks synchronously replicates data across three availability zones in the region. If there's a problem in one of the storage clusters, your SAP ASCS/SCS instance continues to run because storage failover is transparent to the application layer. + - For more information, review the [Limitations](../../virtual-machines/disks-redundancy.md#limitations) section of the documentation about ZRS for managed disks. -> [!TIP] -> Review the [SAP Netweaver on Azure planning guide](./planning-guide.md) and the [Azure Storage guide for SAP workloads](./planning-guide-storage.md) for important considerations, when planning your SAP deployment. +For other important considerations about planning your SAP deployment, review [Plan and implement an SAP deployment on Azure](./planning-guide.md) and [Azure Storage types for SAP workloads](./planning-guide-storage.md). ### Supported OS versions -Windows Servers 2016, 2019 and higher are supported (use the latest data center images). +Windows Server 2016, 2019, and later are supported. Use the latest datacenter images. -We strongly recommend using at least **Windows Server 2019 Datacenter**, as: -- Windows 2019 Failover Cluster Service is Azure aware-- There is added integration and awareness of Azure Host Maintenance and improved experience by monitoring for Azure schedule events.-- It is possible to use Distributed network name(it is the default option). Therefore, there is no need to have a dedicated IP address for the cluster network name. Also, there is no need to configure this IP address on Azure Internal Load Balancer. +We strongly recommend using at least Windows Server 2019 Datacenter, for these reasons: ++- WSFC in Windows Server 2019 is Azure aware. 
+- Windows Server 2019 Datacenter includes integration and awareness of Azure host maintenance and improved experience by monitoring for Azure scheduled events. +- You can use distributed network names. (It's the default option.) There's no need to have a dedicated IP address for the cluster network name. Also, you don't need to configure an IP address on an Azure internal load balancer. ### Shared disks in Azure with SIOS DataKeeper -Another option for shared disk is to use third-party software SIOS DataKeeper Cluster Edition to create a mirrored storage that simulates cluster shared storage. The SIOS solution provides real-time synchronous data replication. +Another option for shared disks is to use [SIOS DataKeeper](https://us.sios.com/products/sios-datakeeper/) Cluster Edition to create a mirrored storage that simulates cluster shared storage. The SIOS solution provides real-time synchronous data replication. To create a shared disk resource for a cluster: 1. Attach an additional disk to each of the virtual machines in a Windows cluster configuration. 2. Run SIOS DataKeeper Cluster Edition on both virtual machine nodes.-3. Configure SIOS DataKeeper Cluster Edition so that it mirrors the content of the additional disk attached volume from the source virtual machine to the additional disk attached volume of the target virtual machine. SIOS DataKeeper abstracts the source and target local volumes, and then presents them to Windows Server failover clustering as one shared disk. --Get more information about [SIOS DataKeeper](https://us.sios.com/products/sios-datakeeper/). +3. Configure SIOS DataKeeper Cluster Edition so that it mirrors the content of the additional disk-attached volume from the source virtual machine to the additional disk-attached volume of the target virtual machine. SIOS DataKeeper abstracts the source and target local volumes, and then presents them to WSFC as one shared disk. 
-![Figure 5: Windows Server failover clustering configuration in Azure with SIOS DataKeeper][sap-ha-guide-figure-1002] --_Windows failover clustering configuration in Azure with SIOS DataKeeper_ +![Diagram of a Windows Server Failover Clustering configuration in Azure with SIOS DataKeeper.][sap-ha-guide-figure-1002] > [!NOTE] > You don't need shared disks for high availability with some DBMS products, like SQL Server. SQL Server Always On replicates DBMS data and log files from the local disk of one cluster node to the local disk of another cluster node. In this case, the Windows cluster configuration doesn't need a shared disk.-> + ## Optional configurations -The following diagrams show multiple SAP instances on Azure VMs running Microsoft Windows Failover Cluster to reduce the total number of VMs. +The following diagrams show multiple SAP instances on Azure VMs running Windows Server Failover Clustering to reduce the total number of VMs. -This can either be local SAP Application Servers on a SAP ASCS/SCS cluster or a SAP ASCS/SCS Cluster Role on Microsoft SQL Server Always On nodes. +This configuration can be either local SAP application servers on an SAP ASCS/SCS cluster or an SAP ASCS/SCS cluster role on Microsoft SQL Server Always On nodes. > [!IMPORTANT]-> Installing a local SAP Application Server on a SQL Server Always On node is not supported. -> --Both, SAP ASCS/SCS and the Microsoft SQL Server database, are single points of failure (SPOF). To protect these SPOFs in a Windows environment WSFC is used. --While the resource consumption of the SAP ASCS/SCS is fairly small, a reduction of the memory configuration for either SQL Server or the SAP Application Server by 2 GB is recommended. --### SAP Application Servers on WSFC nodes using SIOS DataKeeper +> Installing a local SAP application server on a SQL Server Always On node is not supported. 
-![Figure 6: Windows Server failover clustering configuration in Azure with SIOS DataKeeper and locally installed SAP Application Server][sap-ha-guide-figure-1003] +Both SAP ASCS/SCS and the Microsoft SQL Server database are single points of failure (SPOFs). WSFC helps protect these SPOFs in a Windows environment. -> [!NOTE] -> Since the SAP Application Servers are installed locally, there is no need for setting up any synchronization as the picture shows. -> -### SAP ASCS/SCS on SQL Server Always On nodes using SIOS DataKeeper --![Figure 7: SAP ASCS/SCS on SQL Server Always On nodes using SIOS DataKeeper][sap-ha-guide-figure-1005] --[Optional configuration for SAP Application Servers on WSFC nodes using Windows SOFS][optional-fileshare] +Although the resource consumption of the SAP ASCS/SCS is fairly small, we recommend a reduction of the memory configuration for either SQL Server or the SAP application server by 2 GB. -[Optional configuration for SAP Application Servers on WSFC nodes using NetApp Files SMB][optional-smb] +This diagram illustrates SAP application servers on WSFC nodes with the use of SIOS DataKeeper: -[Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using Windows SOFS][optional-fileshare-sql] +![Diagram of a Windows Server Failover Clustering configuration in Azure with SIOS DataKeeper and locally installed SAP application servers.][sap-ha-guide-figure-1003] -[Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using NetApp Files SMB][optional-smb-sql] +Because the SAP application servers are installed locally, there's no need to set up any synchronization. 
-## Next steps --* [Prepare the Azure infrastructure for SAP HA by using a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-infrastructure-wsfc-shared-disk] +This diagram illustrates SAP ASCS/SCS on SQL Server Always On nodes with the use of SIOS DataKeeper: -* [Install SAP NetWeaver HA on a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-installation-wsfc-shared-disk] +![Diagram of SAP ASCS/SCS on SQL Server Always On nodes with SIOS DataKeeper.][sap-ha-guide-figure-1005] +For information about other configurations, see the following resources: -[1928533]:https://launchpad.support.sap.com/#/notes/1928533 -[1999351]:https://launchpad.support.sap.com/#/notes/1999351 -[2015553]:https://launchpad.support.sap.com/#/notes/2015553 -[2178632]:https://launchpad.support.sap.com/#/notes/2178632 -[2243692]:https://launchpad.support.sap.com/#/notes/2243692 +- [Optional configuration for SAP application servers on WSFC nodes using Windows Scale-Out File Server][optional-fileshare] -[sap-installation-guides]:http://service.sap.com/instguides +- [Optional configuration for SAP application servers on WSFC nodes using Server Message Block in Azure NetApp Files][optional-smb] -[azure-resource-manager/management/azure-subscription-service-limits]:../../azure-resource-manager/management/azure-subscription-service-limits.md -[azure-resource-manager/management/azure-subscription-service-limits-subscription]:../../azure-resource-manager/management/azure-subscription-service-limits.md +- [Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using Windows Scale-Out File Server][optional-fileshare-sql] -[dbms-guide]:../../virtual-machines-windows-sap-dbms-guide-general.md +- [Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using Server Message Block in Azure NetApp Files][optional-smb-sql] -[deployment-guide]:deployment-guide.md +## Next steps 
-[dr-guide-classic]:https://go.microsoft.com/fwlink/?LinkID=521971 +- [Prepare the Azure infrastructure for SAP HA by using a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-infrastructure-wsfc-shared-disk] -[getting-started]:get-started.md +- [Install SAP NetWeaver HA on a Windows failover cluster and shared disk for an SAP ASCS/SCS instance][sap-high-availability-installation-wsfc-shared-disk] [sap-high-availability-architecture-scenarios]:sap-high-availability-architecture-scenarios.md [sap-high-availability-infrastructure-wsfc-shared-disk]:sap-high-availability-infrastructure-wsfc-shared-disk.md [sap-high-availability-installation-wsfc-shared-disk]:sap-high-availability-installation-wsfc-shared-disk.md -[planning-guide]:planning-guide.md -[planning-guide-11]:planning-guide.md -[planning-guide-2.1]:planning-guide.md#1625df66-4cc6-4d60-9202-de8a0b77f803 -[planning-guide-2.2]:planning-guide.md#f5b3b18c-302c-4bd8-9ab2-c388f1ab3d10 --[planning-guide-microsoft-azure-networking]:planning-guide.md#61678387-8868-435d-9f8c-450b2424f5bd -[planning-guide-storage-microsoft-azure-storage-and-data-disks]:planning-guide.md#a72afa26-4bf4-4a25-8cf7-855d6032157f ---[sap-ha-guide-2]:#42b8f600-7ba3-4606-b8a5-53c4f026da08 -[sap-ha-guide-4]:#8ecf3ba0-67c0-4495-9c14-feec1a2255b7 -[sap-ha-guide-8]:#78092dbe-165b-454c-92f5-4972bdbef9bf -[sap-ha-guide-8.1]:#c87a8d3f-b1dc-4d2f-b23c-da4b72977489 -[sap-ha-guide-8.9]:#fe0bd8b5-2b43-45e3-8295-80bee5415716 -[sap-ha-guide-8.11]:#661035b2-4d0f-4d31-86f8-dc0a50d78158 -[sap-ha-guide-8.12]:#0d67f090-7928-43e0-8772-5ccbf8f59aab -[sap-ha-guide-8.12.1]:#5eecb071-c703-4ccc-ba6d-fe9c6ded9d79 -[sap-ha-guide-8.12.3]:#5c8e5482-841e-45e1-a89d-a05c0907c868 -[sap-ha-guide-8.12.3.1]:#1c2788c3-3648-4e82-9e0d-e058e475e2a3 -[sap-ha-guide-8.12.3.2]:#dd41d5a2-8083-415b-9878-839652812102 -[sap-ha-guide-8.12.3.3]:#d9c1fc8e-8710-4dff-bec2-1f535db7b006 -[sap-ha-guide-9]:#a06f0b49-8a7a-42bf-8b0d-c12026c5746b 
-[sap-ha-guide-9.1]:#31c6bd4f-51df-4057-9fdf-3fcbc619c170 -[sap-ha-guide-9.1.1]:#a97ad604-9094-44fe-a364-f89cb39bf097 ----[Logo_Linux]:media/virtual-machines-shared-sap-shared/Linux.png [Logo_Windows]:media/virtual-machines-shared-sap-shared/Windows.png -[sap-ha-guide-figure-1000]:./media/virtual-machines-shared-sap-high-availability-guide/1000-wsfc-for-sap-ascs-on-azure.png [sap-ha-guide-figure-1001]:./media/virtual-machines-shared-sap-high-availability-guide/1001-wsfc-on-azure-ilb.png [sap-ha-guide-figure-1003]:./media/virtual-machines-shared-sap-high-availability-guide/ha-sios-as.png [sap-ha-guide-figure-1005]:./media/virtual-machines-shared-sap-high-availability-guide/ha-sql-ascs-sios.png [sap-ha-guide-figure-1002]:./media/virtual-machines-shared-sap-high-availability-guide/ha-sios.png-[sap-ha-guide-figure-2000]:./media/virtual-machines-shared-sap-high-availability-guide/2000-wsfc-sap-as-ha-on-azure.png -[sap-ha-guide-figure-2001]:./media/virtual-machines-shared-sap-high-availability-guide/2001-wsfc-sap-ascs-ha-on-azure.png -[sap-ha-guide-figure-2003]:./media/virtual-machines-shared-sap-high-availability-guide/2003-wsfc-sap-dbms-ha-on-azure.png -[sap-ha-guide-figure-2004]:./media/virtual-machines-shared-sap-high-availability-guide/2004-wsfc-sap-ha-e2e-archit-template1-on-azure.png -[sap-ha-guide-figure-2005]:./media/virtual-machines-shared-sap-high-availability-guide/2005-wsfc-sap-ha-e2e-arch-template2-on-azure.png --[sap-ha-guide-figure-3000]:./media/virtual-machines-shared-sap-high-availability-guide/3000-template-parameters-sap-ha-arm-on-azure.png -[sap-ha-guide-figure-3001]:./media/virtual-machines-shared-sap-high-availability-guide/3001-configuring-dns-servers-for-Azure-vnet.png -[sap-ha-guide-figure-3002]:./media/virtual-machines-shared-sap-high-availability-guide/3002-configuring-static-IP-address-for-network-card-of-each-vm.png 
-[sap-ha-guide-figure-3003]:./media/virtual-machines-shared-sap-high-availability-guide/3003-setup-static-ip-address-ilb-for-ascs-instance.png -[sap-ha-guide-figure-3004]:./media/virtual-machines-shared-sap-high-availability-guide/3004-default-ascs-scs-ilb-balancing-rules-for-azure-ilb.png -[sap-ha-guide-figure-3005]:./media/virtual-machines-shared-sap-high-availability-guide/3005-changing-ascs-scs-default-ilb-rules-for-azure-ilb.png -[sap-ha-guide-figure-3006]:./media/virtual-machines-shared-sap-high-availability-guide/3006-adding-vm-to-domain.png -[sap-ha-guide-figure-3007]:./media/virtual-machines-shared-sap-high-availability-guide/3007-config-wsfc-1.png -[sap-ha-guide-figure-3008]:./media/virtual-machines-shared-sap-high-availability-guide/3008-config-wsfc-2.png -[sap-ha-guide-figure-3009]:./media/virtual-machines-shared-sap-high-availability-guide/3009-config-wsfc-3.png -[sap-ha-guide-figure-3010]:./media/virtual-machines-shared-sap-high-availability-guide/3010-config-wsfc-4.png -[sap-ha-guide-figure-3011]:./media/virtual-machines-shared-sap-high-availability-guide/3011-config-wsfc-5.png -[sap-ha-guide-figure-3012]:./media/virtual-machines-shared-sap-high-availability-guide/3012-config-wsfc-6.png -[sap-ha-guide-figure-3013]:./media/virtual-machines-shared-sap-high-availability-guide/3013-config-wsfc-7.png -[sap-ha-guide-figure-3014]:./media/virtual-machines-shared-sap-high-availability-guide/3014-config-wsfc-8.png -[sap-ha-guide-figure-3015]:./media/virtual-machines-shared-sap-high-availability-guide/3015-config-wsfc-9.png -[sap-ha-guide-figure-3016]:./media/virtual-machines-shared-sap-high-availability-guide/3016-config-wsfc-10.png -[sap-ha-guide-figure-3017]:./media/virtual-machines-shared-sap-high-availability-guide/3017-config-wsfc-11.png -[sap-ha-guide-figure-3018]:./media/virtual-machines-shared-sap-high-availability-guide/3018-config-wsfc-12.png 
-[sap-ha-guide-figure-3019]:./media/virtual-machines-shared-sap-high-availability-guide/3019-assign-permissions-on-share-for-cluster-name-object.png -[sap-ha-guide-figure-3020]:./media/virtual-machines-shared-sap-high-availability-guide/3020-change-object-type-include-computer-objects.png -[sap-ha-guide-figure-3021]:./media/virtual-machines-shared-sap-high-availability-guide/3021-check-box-for-computer-objects.png -[sap-ha-guide-figure-3022]:./media/virtual-machines-shared-sap-high-availability-guide/3022-set-security-attributes-for-cluster-name-object-on-file-share-quorum.png -[sap-ha-guide-figure-3023]:./media/virtual-machines-shared-sap-high-availability-guide/3023-call-configure-cluster-quorum-setting-wizard.png -[sap-ha-guide-figure-3024]:./media/virtual-machines-shared-sap-high-availability-guide/3024-selection-screen-different-quorum-configurations.png -[sap-ha-guide-figure-3025]:./media/virtual-machines-shared-sap-high-availability-guide/3025-selection-screen-file-share-witness.png -[sap-ha-guide-figure-3026]:./media/virtual-machines-shared-sap-high-availability-guide/3026-define-file-share-location-for-witness-share.png -[sap-ha-guide-figure-3027]:./media/virtual-machines-shared-sap-high-availability-guide/3027-successful-reconfiguration-cluster-file-share-witness.png -[sap-ha-guide-figure-3028]:./media/virtual-machines-shared-sap-high-availability-guide/3028-install-dot-net-framework-35.png -[sap-ha-guide-figure-3029]:./media/virtual-machines-shared-sap-high-availability-guide/3029-install-dot-net-framework-35-progress.png -[sap-ha-guide-figure-3030]:./media/virtual-machines-shared-sap-high-availability-guide/3030-sios-installer.png -[sap-ha-guide-figure-3031]:./media/virtual-machines-shared-sap-high-availability-guide/3031-first-screen-sios-data-keeper-installation.png -[sap-ha-guide-figure-3032]:./media/virtual-machines-shared-sap-high-availability-guide/3032-data-keeper-informs-service-be-disabled.png 
-[sap-ha-guide-figure-3033]:./media/virtual-machines-shared-sap-high-availability-guide/3033-user-selection-sios-data-keeper.png -[sap-ha-guide-figure-3034]:./media/virtual-machines-shared-sap-high-availability-guide/3034-domain-user-sios-data-keeper.png -[sap-ha-guide-figure-3035]:./media/virtual-machines-shared-sap-high-availability-guide/3035-provide-sios-data-keeper-license.png -[sap-ha-guide-figure-3036]:./media/virtual-machines-shared-sap-high-availability-guide/3036-data-keeper-management-config-tool.png -[sap-ha-guide-figure-3037]:./media/virtual-machines-shared-sap-high-availability-guide/3037-tcp-ip-address-first-node-data-keeper.png -[sap-ha-guide-figure-3038]:./media/virtual-machines-shared-sap-high-availability-guide/3038-create-replication-sios-job.png -[sap-ha-guide-figure-3039]:./media/virtual-machines-shared-sap-high-availability-guide/3039-define-sios-replication-job-name.png -[sap-ha-guide-figure-3040]:./media/virtual-machines-shared-sap-high-availability-guide/3040-define-sios-source-node.png -[sap-ha-guide-figure-3041]:./media/virtual-machines-shared-sap-high-availability-guide/3041-define-sios-target-node.png -[sap-ha-guide-figure-3042]:./media/virtual-machines-shared-sap-high-availability-guide/3042-define-sios-synchronous-replication.png -[sap-ha-guide-figure-3043]:./media/virtual-machines-shared-sap-high-availability-guide/3043-enable-sios-replicated-volume-as-cluster-volume.png -[sap-ha-guide-figure-3044]:./media/virtual-machines-shared-sap-high-availability-guide/3044-data-keeper-synchronous-mirroring-for-SAP-gui.png -[sap-ha-guide-figure-3045]:./media/virtual-machines-shared-sap-high-availability-guide/3045-replicated-disk-by-data-keeper-in-wsfc.png -[sap-ha-guide-figure-3046]:./media/virtual-machines-shared-sap-high-availability-guide/3046-dns-entry-sap-ascs-virtual-name-ip.png -[sap-ha-guide-figure-3047]:./media/virtual-machines-shared-sap-high-availability-guide/3047-dns-manager.png 
-[sap-ha-guide-figure-3048]:./media/virtual-machines-shared-sap-high-availability-guide/3048-default-cluster-probe-port.png -[sap-ha-guide-figure-3049]:./media/virtual-machines-shared-sap-high-availability-guide/3049-cluster-probe-port-after.png -[sap-ha-guide-figure-3050]:./media/virtual-machines-shared-sap-high-availability-guide/3050-service-type-ers-delayed-automatic.png -[sap-ha-guide-figure-5000]:./media/virtual-machines-shared-sap-high-availability-guide/5000-wsfc-sap-sid-node-a.png -[sap-ha-guide-figure-5001]:./media/virtual-machines-shared-sap-high-availability-guide/5001-sios-replicating-local-volume.png -[sap-ha-guide-figure-5002]:./media/virtual-machines-shared-sap-high-availability-guide/5002-wsfc-sap-sid-node-b.png -[sap-ha-guide-figure-5003]:./media/virtual-machines-shared-sap-high-availability-guide/5003-sios-replicating-local-volume-b-to-a.png --[sap-ha-guide-figure-6003]:./media/virtual-machines-shared-sap-high-availability-guide/6003-sap-multi-sid-full-landscape.png - [sap-ha-guide-figure-8001]:./media/virtual-machines-shared-sap-high-availability-guide/8001.png [sap-ha-guide-figure-8002]:./media/virtual-machines-shared-sap-high-availability-guide/8002.png [sap-ha-guide-figure-8003]:./media/virtual-machines-shared-sap-high-availability-guide/8003.png-[sap-ha-guide-figure-8004]:./media/virtual-machines-shared-sap-high-availability-guide/8004.png -[sap-ha-guide-figure-8005]:./media/virtual-machines-shared-sap-high-availability-guide/8005.png -[sap-ha-guide-figure-8006]:./media/virtual-machines-shared-sap-high-availability-guide/8006.png -[sap-ha-guide-figure-8007]:./media/virtual-machines-shared-sap-high-availability-guide/8007.png -[sap-ha-guide-figure-8008]:./media/virtual-machines-shared-sap-high-availability-guide/8008.png -[sap-ha-guide-figure-8009]:./media/virtual-machines-shared-sap-high-availability-guide/8009.png -[sap-ha-guide-figure-8010]:./media/virtual-machines-shared-sap-high-availability-guide/8010.png 
-[sap-ha-guide-figure-8011]:./media/virtual-machines-shared-sap-high-availability-guide/8011.png -[sap-ha-guide-figure-8012]:./media/virtual-machines-shared-sap-high-availability-guide/8012.png -[sap-ha-guide-figure-8013]:./media/virtual-machines-shared-sap-high-availability-guide/8013.png -[sap-ha-guide-figure-8014]:./media/virtual-machines-shared-sap-high-availability-guide/8014.png -[sap-ha-guide-figure-8015]:./media/virtual-machines-shared-sap-high-availability-guide/8015.png -[sap-ha-guide-figure-8016]:./media/virtual-machines-shared-sap-high-availability-guide/8016.png -[sap-ha-guide-figure-8017]:./media/virtual-machines-shared-sap-high-availability-guide/8017.png -[sap-ha-guide-figure-8018]:./media/virtual-machines-shared-sap-high-availability-guide/8018.png -[sap-ha-guide-figure-8019]:./media/virtual-machines-shared-sap-high-availability-guide/8019.png -[sap-ha-guide-figure-8020]:./media/virtual-machines-shared-sap-high-availability-guide/8020.png -[sap-ha-guide-figure-8021]:./media/virtual-machines-shared-sap-high-availability-guide/8021.png -[sap-ha-guide-figure-8022]:./media/virtual-machines-shared-sap-high-availability-guide/8022.png -[sap-ha-guide-figure-8023]:./media/virtual-machines-shared-sap-high-availability-guide/8023.png -[sap-ha-guide-figure-8024]:./media/virtual-machines-shared-sap-high-availability-guide/8024.png -[sap-ha-guide-figure-8025]:./media/virtual-machines-shared-sap-high-availability-guide/8025.png ---[sap-templates-3-tier-multisid-xscs-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image-multi-sid-xscs%2Fazuredeploy.json 
-[sap-templates-3-tier-multisid-xscs-marketplace-image-md]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-xscs-md%2Fazuredeploy.json -[sap-templates-3-tier-multisid-db-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image-multi-sid-db%2Fazuredeploy.json -[sap-templates-3-tier-multisid-db-marketplace-image-md]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-db-md%2Fazuredeploy.json -[sap-templates-3-tier-multisid-apps-marketplace-image]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsap-3-tier-marketplace-image-multi-sid-apps%2Fazuredeploy.json -[sap-templates-3-tier-multisid-apps-marketplace-image-md]:https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fapplication-workloads%2Fsap%2Fsap-3-tier-marketplace-image-multi-sid-apps-md%2Fazuredeploy.json --[virtual-machines-azure-resource-manager-architecture-benefits-arm]:../../azure-resource-manager/management/overview.md#the-benefits-of-using-resource-manager --[virtual-machines-manage-availability]:../../virtual-machines-windows-manage-availability.md -[optional-smb]:high-availability-guide-windows-netapp-files-smb.md#5121771a-7618-4f36-ae14-ccf9ee5f2031 (Optional configuration for SAP Application Servers on WSFC nodes using NetApp Files SMB) -[optional-fileshare]:sap-high-availability-guide-wsfc-file-share.md#86cb3ee0-2091-4b74-be77-64c2e6424f50 (Optional configuration for 
SAP Application Servers on WSFC nodes using Windows SOFS) -[optional-smb-sql]:high-availability-guide-windows-netapp-files-smb.md#01541cf2-0a03-48e3-971e-e03575fa7b4f (Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using NetApp Files SMB) -[optional-fileshare-sql]:sap-high-availability-guide-wsfc-file-share.md#db335e0d-09b4-416b-b240-afa18505f503 (Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using Windows SOFS) ++[optional-smb]:high-availability-guide-windows-netapp-files-smb.md#5121771a-7618-4f36-ae14-ccf9ee5f2031 (Optional configuration for SAP Application Servers on WSFC nodes using Server Message Block in Azure NetApp Files) +[optional-fileshare]:sap-high-availability-guide-wsfc-file-share.md#86cb3ee0-2091-4b74-be77-64c2e6424f50 (Optional configuration for SAP Application Servers on WSFC nodes using Windows Scale-Out File Server) +[optional-smb-sql]:high-availability-guide-windows-netapp-files-smb.md#01541cf2-0a03-48e3-971e-e03575fa7b4f (Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using Server Message Block in Azure NetApp Files) +[optional-fileshare-sql]:sap-high-availability-guide-wsfc-file-share.md#db335e0d-09b4-416b-b240-afa18505f503 (Optional configuration for SAP ASCS/SCS on SQL Server Always On nodes using Windows Scale-Out File Server) |
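Review bot: the four new `[optional-*]` reference-link titles at the end of the hunk still read "SAP Application Servers" with capitals, while every body sentence in the same change was lowercased (e.g. "+This configuration can be either local SAP application servers on an SAP ASCS/SCS cluster ..."); lowercase the titles to match. Also grep the rest of the file before merge: the hunk removes a large block of reference definitions (`[planning-guide]`, `[dbms-guide]`, `[sap-ha-guide-figure-1000]`, the `[sap-ha-guide-8.*]` anchors and the `[sap-ha-guide-figure-20xx/30xx/80xx]` images), and any `[text][id]` reference that still points at one of them will now render as literal brackets.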
sap | Vm Extension For Sap New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/vm-extension-for-sap-new.md | Before deploying the VM Extension for SAP, please make sure to assign a user or * [Configure managed identities for Azure resources on an Azure VM using templates](../../active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md) * [Terraform VM Identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#identity) -After assigning an identity to the virtual machine, give the VM read access to either the resource group or the individual resources associated to the virtual machine (VM, Network Interfaces, OS Disks and Data Disks). It is recommended to use the built-in Reader role to grant the access to these resources. You can also grant this access by adding the VM identity to an Azure Active Directory group that already has read access to the required resources. It is then no longer needed to have Owner privileges when deploying the VM Extension for SAP if you use a user assigned identity that already has the required permissions. +After assigning an identity to the virtual machine, give the VM read access to either the resource group or the individual resources associated to the virtual machine (VM, Network Interfaces, OS Disks and Data Disks). It is recommended to use the built-in Reader role to grant the access to these resources. You can also grant this access by adding the VM identity to a Microsoft Entra group that already has read access to the required resources. It is then no longer needed to have Owner privileges when deploying the VM Extension for SAP if you use a user assigned identity that already has the required permissions. There are different ways how to deploy the VM Extension for SAP manually. Please find a few examples in the next chapters. |
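Review bot: since this sentence is being touched anyway, fix "resources associated to the virtual machine" to "associated with" and rephrase "It is then no longer needed to have Owner privileges when deploying the VM Extension for SAP ..." to "Owner privileges are then no longer needed when you deploy the VM Extension for SAP ..."; the only change in the line is the Azure Active Directory to Microsoft Entra rename, so the grammar issues carry over unchanged.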
security | Secure Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/secure-design.md | Modeling the application design and enumerating [STRIDE](https://docs.google.com | Repudiation | Non-repudiation | Enable Azure [monitoring and diagnostics](/azure/architecture/best-practices/monitoring).| | Information Disclosure | Confidentiality | Encrypt sensitive data [at rest](../fundamentals/encryption-atrest.md) and [in transit](../fundamentals/data-encryption-best-practices.md#protect-data-in-transit). | | Denial of Service | Availability | Monitor performance metrics for potential denial of service conditions. Implement connection filters. [Azure DDoS protection](../../ddos-protection/ddos-protection-overview.md), combined with application design best practices, provides defense against DDoS attacks.|-| Elevation of Privilege | Authorization | Use Azure Active Directory <span class="underline"> </span> [Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md).| +| Elevation of Privilege | Authorization | Use Microsoft Entra ID <span class="underline"> </span> [Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md).| ### Reduce your attack surface web applications: #### Enforce multifactor authentication for users -Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses that are inherent in username and password types of authentication. Access to the Azure management interfaces (Azure portal/remote PowerShell) and to customer-facing services should be designed and configured to use [Azure AD Multifactor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md). +Use two-factor authentication. 
Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses that are inherent in username and password types of authentication. Access to the Azure management interfaces (Azure portal/remote PowerShell) and to customer-facing services should be designed and configured to use [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md). #### Use strong authentication and authorization platforms -Use platform-supplied authentication and authorization mechanisms instead of custom code. This is because developing custom authentication code can be prone to error. Commercial code (for example, from Microsoft) often is extensively reviewed for security. [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) is the Azure solution for identity and access management. These Azure AD tools and services help with secure development: +Use platform-supplied authentication and authorization mechanisms instead of custom code. This is because developing custom authentication code can be prone to error. Commercial code (for example, from Microsoft) often is extensively reviewed for security. [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) (Microsoft Entra ID) is the Azure solution for identity and access management. These Microsoft Entra tools and services help with secure development: * [Microsoft identity platform](../../active-directory/develop/index.yml) is a set of components that developers use to build apps that securely sign in users. The platform assists developers who are building single-tenant, line-of-business (LOB) apps and developers who are looking to develop multitenant apps. In addition to basic sign-in, apps built by using the Microsoft identity platform can call Microsoft APIs and custom APIs. 
The Microsoft identity platform supports industry-standard protocols like OAuth 2.0 and OpenID Connect. Ensure that your application enforces [least privilege](/windows-server/identity #### Implement just-in-time access -Implement *just-in-time* (JIT) access to further lower the exposure time of privileges. Use [Azure AD Privileged Identity Management](../../active-directory/roles/security-planning.md#stage-3-take-control-of-administrator-activity) +Implement *just-in-time* (JIT) access to further lower the exposure time of privileges. Use [Microsoft Entra Privileged Identity Management](../../active-directory/roles/security-planning.md#stage-3-take-control-of-administrator-activity) to: * Give users the permissions they need only JIT. |
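Review bot: the parenthetical in "+[Microsoft Entra ID](...) (Microsoft Entra ID) is the Azure solution for identity and access management" now just repeats the link text; the original "(Azure AD)" introduced an abbreviation and there is none to introduce here, so drop it. In the Elevation of Privilege row the empty `<span class="underline"> </span>` between "Microsoft Entra ID" and the Privileged Identity Management link was carried over; it renders nothing and should be removed rather than renamed around. The MFA paragraph still opens with "Use two-factor authentication." under a heading that says "Enforce multifactor authentication"; align the wording in the same change.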
security | Secure Dev Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/secure-dev-overview.md | applications and to help secure your applications on Azure: [Pushing Left, Like a Boss](https://wehackpurple.com/pushing-left-like-a-boss-part-1/) - A series of online articles that outline different types of application security activities that developers should complete to create more secure code. -[Microsoft identity platform](../../active-directory/develop/index.yml) - The Microsoft identity platform is an evolution of the Azure AD identity service and developer platform. It's a full-featured platform that consists of an authentication service, open-source libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry-standard protocols like OAuth 2.0 and OpenID Connect. +[Microsoft identity platform](../../active-directory/develop/index.yml) - The Microsoft identity platform is an evolution of the Microsoft Entra identity service and developer platform. It's a full-featured platform that consists of an authentication service, open-source libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry-standard protocols like OAuth 2.0 and OpenID Connect. [Azure security best practices and patterns](../fundamentals/best-practices-and-patterns.md) - A collection of security best practices to use when you design, deploy, and manage cloud solutions by using Azure. Guidance is intended to be a resource for IT pros. This might include designers, architects, developers, and testers who build and deploy secure Azure solutions. |
security | Threat Modeling Tool Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/threat-modeling-tool-authentication.md | -| **Database** | <ul><li>[When possible, use Windows Authentication for connecting to SQL Server](#win-authn-sql)</li><li>[When possible use Azure Active Directory Authentication for Connecting to SQL Database](#aad-authn-sql)</li><li>[When SQL authentication mode is used, ensure that account and password policy are enforced on SQL server](#authn-account-pword)</li><li>[Don't use SQL Authentication in contained databases](#autn-contained-db)</li></ul> | +| **Database** | <ul><li>[When possible, use Windows Authentication for connecting to SQL Server](#win-authn-sql)</li><li>[When possible use Microsoft Entra authentication for Connecting to SQL Database](#aad-authn-sql)</li><li>[When SQL authentication mode is used, ensure that account and password policy are enforced on SQL server](#authn-account-pword)</li><li>[Don't use SQL Authentication in contained databases](#autn-contained-db)</li></ul> | | **Azure Event Hub** | <ul><li>[Use per device authentication credentials using SaS tokens](#authn-sas-tokens)</li></ul> |-| **Azure Trust Boundary** | <ul><li>[Enable Azure AD Multi-Factor Authentication for Azure Administrators](#multi-factor-azure-admin)</li></ul> | -| **Service Fabric Trust Boundary** | <ul><li>[Restrict anonymous access to Service Fabric Cluster](#anon-access-cluster)</li><li>[Ensure that Service Fabric client-to-node certificate is different from node-to-node certificate](#fabric-cn-nn)</li><li>[Use AAD to authenticate clients to service fabric clusters](#aad-client-fabric)</li><li>[Ensure that service fabric certificates are obtained from an approved Certificate Authority (CA)](#fabric-cert-ca)</li></ul> | +| **Azure Trust Boundary** | <ul><li>[Enable Microsoft Entra multifactor authentication for Azure Administrators](#multi-factor-azure-admin)</li></ul> | +| **Service Fabric 
Trust Boundary** | <ul><li>[Restrict anonymous access to Service Fabric Cluster](#anon-access-cluster)</li><li>[Ensure that Service Fabric client-to-node certificate is different from node-to-node certificate](#fabric-cn-nn)</li><li>[Use Microsoft Entra ID to authenticate clients to service fabric clusters](#aad-client-fabric)</li><li>[Ensure that service fabric certificates are obtained from an approved Certificate Authority (CA)](#fabric-cert-ca)</li></ul> | | **Identity Server** | <ul><li>[Use standard authentication scenarios supported by Identity Server](#standard-authn-id)</li><li>[Override the default Identity Server token cache with a scalable alternative](#override-token)</li></ul> | | **Machine Trust Boundary** | <ul><li>[Ensure that deployed application's binaries are digitally signed](#binaries-signed)</li></ul> | | **WCF** | <ul><li>[Enable authentication when connecting to MSMQ queues in WCF](#msmq-queues)</li><li>[WCF-Do not set Message clientCredentialType to none](#message-none)</li><li>[WCF-Do not set Transport clientCredentialType to none](#transport-none)</li></ul> | | **Web API** | <ul><li>[Ensure that standard authentication techniques are used to secure Web APIs](#authn-secure-api)</li></ul> |-| **Azure AD** | <ul><li>[Use standard authentication scenarios supported by Azure Active Directory](#authn-aad)</li><li>[Override the default MSAL token cache with a distributed cache](#msal-distributed-cache)</li><li>[Ensure that TokenReplayCache is used to prevent the replay of inbound authentication tokens](#tokenreplaycache-msal)</li><li>[Use MSAL libraries to manage token requests from OAuth2 clients to AAD (or on-premises AD)](#msal-oauth2)</li></ul> | +| **Microsoft Entra ID** | <ul><li>[Use standard authentication scenarios supported by Microsoft Entra ID](#authn-aad)</li><li>[Override the default MSAL token cache with a distributed cache](#msal-distributed-cache)</li><li>[Ensure that TokenReplayCache is used to prevent the replay of inbound 
authentication tokens](#tokenreplaycache-msal)</li><li>[Use MSAL libraries to manage token requests from OAuth2 clients to Microsoft Entra ID (or on-premises AD)](#msal-oauth2)</li></ul> | | **IoT Field Gateway** | <ul><li>[Authenticate devices connecting to the Field Gateway](#authn-devices-field)</li></ul> | | **IoT Cloud Gateway** | <ul><li>[Ensure that devices connecting to Cloud gateway are authenticated](#authn-devices-cloud)</li><li>[Use per-device authentication credentials](#authn-cred)</li></ul> | | **Azure Storage** | <ul><li>[Ensure that only the required containers and blobs are given anonymous read access](#req-containers-anon)</li><li>[Grant limited access to objects in Azure storage using SAS or SAP](#limited-access-sas)</li></ul> |-| Details | <p>Authentication is the process where an entity proves its identity, typically through credentials, such as a user name and password. There are multiple authentication protocols available which may be considered. Some of them are listed below:</p><ul><li>Client certificates</li><li>Windows based</li><li>Forms based</li><li>Federation - ADFS</li><li>Federation - Azure AD</li><li>Federation - Identity Server</li></ul><p>Consider using a standard authentication mechanism to identify the source process</p>| +| Details | <p>Authentication is the process where an entity proves its identity, typically through credentials, such as a user name and password. There are multiple authentication protocols available which may be considered. 
Some of them are listed below:</p><ul><li>Client certificates</li><li>Windows based</li><li>Forms based</li><li>Federation - ADFS</li><li>Federation - Microsoft Entra ID</li><li>Federation - Identity Server</li></ul><p>Consider using a standard authentication mechanism to identify the source process</p>| ## <a id="handle-failed-authn"></a>Applications must handle failed authentication scenarios securely -| Details | <p>Verify the application has additional authorization (such as step up or adaptive authentication, via multi-factor authentication such as sending OTP in SMS, email etc. or prompting for re-authentication) so the user is challenged before being granted access to sensitive information. This rule also applies for making critical changes to an account or action</p><p>This also means that the adaptation of authentication has to be implemented in such a manner that the application correctly enforces context-sensitive authorization so as to not allow unauthorized manipulation by means of in example, parameter tampering</p>| +| Details | <p>Verify the application has additional authorization (such as step up or adaptive authentication, via multifactor authentication such as sending OTP in SMS, email etc. or prompting for re-authentication) so the user is challenged before being granted access to sensitive information. 
This rule also applies for making critical changes to an account or action</p><p>This also means that the adaptation of authentication has to be implemented in such a manner that the application correctly enforces context-sensitive authorization so as to not allow unauthorized manipulation by means of in example, parameter tampering</p>| ## <a id="admin-interface-lockdown"></a>Ensure that administrative interfaces are appropriately locked down -## <a id="aad-authn-sql"></a>When possible use Azure Active Directory Authentication for Connecting to SQL Database +## <a id="aad-authn-sql"></a>When possible use Microsoft Entra authentication for Connecting to SQL Database | Title | Details | | -- | |-| **References** | [Connecting to SQL Database By Using Azure Active Directory Authentication](/azure/azure-sql/database/authentication-aad-overview) | -| **Steps** | **Minimum version:** Azure SQL Database V12 required to allow Azure SQL Database to use AAD Authentication against the Microsoft Directory | +| **References** | [Connecting to SQL Database By Using Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview) | +| **Steps** | **Minimum version:** Azure SQL Database V12 required to allow Azure SQL Database to use Microsoft Entra authentication against the Microsoft Directory | ## <a id="authn-account-pword"></a>When SQL authentication mode is used, ensure that account and password policy are enforced on SQL server -## <a id="multi-factor-azure-admin"></a>Enable Azure AD Multi-Factor Authentication for Azure Administrators +## <a id="multi-factor-azure-admin"></a>Enable Microsoft Entra multifactor authentication for Azure Administrators | Title | Details | | -- | |-| **References** | [What is Azure AD Multi-Factor Authentication?](../../active-directory/authentication/concept-mfa-howitworks.md) | -| **Steps** | <p>Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a 
critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:</p><ul><li>Something you know (typically a password)</li><li>Something you have (a trusted device that isn't easily duplicated, like a phone)</li><li>Something you are (biometrics)</li><ul>| +| **References** | [What is Microsoft Entra multifactor authentication?](../../active-directory/authentication/concept-mfa-howitworks.md) | +| **Steps** | <p>multifactor authentication (MFA) is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:</p><ul><li>Something you know (typically a password)</li><li>Something you have (a trusted device that isn't easily duplicated, like a phone)</li><li>Something you are (biometrics)</li><ul>| ## <a id="anon-access-cluster"></a>Restrict anonymous access to Service Fabric Cluster -## <a id="aad-client-fabric"></a>Use AAD to authenticate clients to service fabric clusters +## <a id="aad-client-fabric"></a>Use Microsoft Entra ID to authenticate clients to service fabric clusters | Title | Details | | -- | |-| **Steps** | Clusters running on Azure can also secure access to the management endpoints using Azure Active Directory (AAD), apart from client certificates. For Azure clusters, it is recommended that you use AAD security to authenticate clients and certificates for node-to-node security.| +| **Steps** | Clusters running on Azure can also secure access to the management endpoints using Microsoft Entra ID, apart from client certificates. 
For Azure clusters, it is recommended that you use Microsoft Entra security to authenticate clients and certificates for node-to-node security.| ## <a id="fabric-cert-ca"></a>Ensure that service fabric certificates are obtained from an approved Certificate Authority (CA) The `<netMsmqBinding/>` element of the WCF configuration file below instructs WC | **Applicable Technologies** | Generic | | **Attributes** | N/A | | **References** | [Authentication and Authorization in ASP.NET Web API](https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api), [External Authentication Services with ASP.NET Web API (C#)](https://www.asp.net/web-api/overview/security/external-authentication-services) |-| **Steps** | <p>Authentication is the process where an entity proves its identity, typically through credentials, such as a user name and password. There are multiple authentication protocols available which may be considered. Some of them are listed below:</p><ul><li>Client certificates</li><li>Windows based</li><li>Forms based</li><li>Federation - ADFS</li><li>Federation - Azure AD</li><li>Federation - Identity Server</li></ul><p>Links in the references section provide low-level details on how each of the authentication schemes can be implemented to secure a Web API.</p>| +| **Steps** | <p>Authentication is the process where an entity proves its identity, typically through credentials, such as a user name and password. There are multiple authentication protocols available which may be considered. 
Some of them are listed below:</p><ul><li>Client certificates</li><li>Windows based</li><li>Forms based</li><li>Federation - ADFS</li><li>Federation - Microsoft Entra ID</li><li>Federation - Identity Server</li></ul><p>Links in the references section provide low-level details on how each of the authentication schemes can be implemented to secure a Web API.</p>| -## <a id="authn-aad"></a>Use standard authentication scenarios supported by Azure Active Directory +## <a id="authn-aad"></a>Use standard authentication scenarios supported by Microsoft Entra ID | Title | Details | | -- | |-| **Component** | Azure AD | +| **Component** | Microsoft Entra ID | | **SDL Phase** | Build | | **Applicable Technologies** | Generic | | **Attributes** | N/A |-| **References** | [Authentication Scenarios for Azure AD](../../active-directory/develop/authentication-vs-authorization.md), [Azure Active Directory Code Samples](../../active-directory/azuread-dev/sample-v1-code.md), [Azure Active Directory developer's guide](../../active-directory/develop/index.yml) | -| **Steps** | <p>Azure Active Directory (Azure AD) simplifies authentication for developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect. 
Below are the five primary application scenarios supported by Azure AD:</p><ul><li>Web Browser to Web Application: A user needs to sign in to a web application that is secured by Azure AD</li><li>Single Page Application (SPA): A user needs to sign in to a single page application that is secured by Azure AD</li><li>Native Application to Web API: A native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD</li><li>Web Application to Web API: A web application needs to get resources from a web API secured by Azure AD</li><li>Daemon or Server Application to Web API: A daemon application or a server application with no web user interface needs to get resources from a web API secured by Azure AD</li></ul><p>Please refer to the links in the references section for low-level implementation details</p>| +| **References** | [Authentication Scenarios for Microsoft Entra ID](../../active-directory/develop/authentication-vs-authorization.md), [Microsoft Entra code Samples](../../active-directory/azuread-dev/sample-v1-code.md), [Microsoft Entra developer's guide](../../active-directory/develop/index.yml) | +| **Steps** | <p>Microsoft Entra ID simplifies authentication for developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect. 
Below are the five primary application scenarios supported by Microsoft Entra ID:</p><ul><li>Web Browser to Web Application: A user needs to sign in to a web application that is secured by Microsoft Entra ID</li><li>Single Page Application (SPA): A user needs to sign in to a single page application that is secured by Microsoft Entra ID</li><li>Native Application to Web API: A native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Microsoft Entra ID</li><li>Web Application to Web API: A web application needs to get resources from a web API secured by Microsoft Entra ID</li><li>Daemon or Server Application to Web API: A daemon application or a server application with no web user interface needs to get resources from a web API secured by Microsoft Entra ID</li></ul><p>Please refer to the links in the references section for low-level implementation details</p>| ## <a id="msal-distributed-cache"></a>Override the default MSAL token cache with a distributed cache | Title | Details | | -- | |-| **Component** | Azure AD | +| **Component** | Microsoft Entra ID | | **SDL Phase** | Build | | **Applicable Technologies** | Generic | | **Attributes** | N/A | The `<netMsmqBinding/>` element of the WCF configuration file below instructs WC | Title | Details | | -- | |-| **Component** | Azure AD | +| **Component** | Microsoft Entra ID | | **SDL Phase** | Build | | **Applicable Technologies** | Generic | | **Attributes** | N/A |-| **References** | [Modern Authentication with Azure Active Directory for Web Applications](/archive/blogs/microsoft_press/new-book-modern-authentication-with-azure-active-directory-for-web-applications) | +| **References** | [Modern Authentication with Microsoft Entra ID for Web Applications](/archive/blogs/microsoft_press/new-book-modern-authentication-with-azure-active-directory-for-web-applications) | | **Steps** | <p>The TokenReplayCache property allows developers to define a 
token replay cache, a store that can be used for saving tokens for the purpose of verifying that no token can be used more than once.</p><p>This is a measure against a common attack, the aptly called token replay attack: an attacker intercepting the token sent at sign-in might try to send it to the app again (ΓÇ£replayΓÇ¥ it) for establishing a new session. E.g., In OIDC code-grant flow, after successful user authentication, a request to "/signin-oidc" endpoint of the relying party is made with "id_token", "code" and "state" parameters.</p><p>The relying party validates this request and establishes a new session. If an adversary captures this request and replays it, he/she can establish a successful session and spoof the user. The presence of the nonce in OpenID Connect can limit but not fully eliminate the circumstances in which the attack can be successfully enacted. To protect their applications, developers can provide an implementation of ITokenReplayCache and assign an instance to TokenReplayCache.</p>| ### Example OpenIdConnectOptions openIdConnectOptions = new OpenIdConnectOptions Please note that to test the effectiveness of this configuration, login into your local OIDC-protected application and capture the request to `"/signin-oidc"` endpoint in fiddler. When the protection is not in place, replaying this request in fiddler will set a new session cookie. 
When the request is replayed after the TokenReplayCache protection is added, the application will throw an exception as follows: `SecurityTokenReplayDetectedException: IDX10228: The securityToken has previously been validated, securityToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ1......` -## <a id="msal-oauth2"></a>Use MSAL libraries to manage token requests from OAuth2 clients to AAD (or on-premises AD) +## <a id="msal-oauth2"></a>Use MSAL libraries to manage token requests from OAuth2 clients to Microsoft Entra ID (or on-premises AD) | Title | Details | | -- | |-| **Component** | Azure AD | +| **Component** | Microsoft Entra ID | | **SDL Phase** | Build | | **Applicable Technologies** | Generic | | **Attributes** | N/A | MSAL also maintains a token cache and refreshes tokens for you when they're clos | **Applicable Technologies** | Generic, C#, Node.JS, | | **Attributes** | N/A, Gateway choice - Azure IoT Hub | | **References** | N/A, [Azure IoT hub with .NET](../../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp), [Getting Started with IoT hub and Node JS](../../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-nodejs), [Securing IoT with SAS and certificates](../../iot-hub/iot-hub-dev-guide-sas.md), [Git repository](https://github.com/Azure/azure-iot-sdks/) |-| **Steps** | <ul><li>**Generic:** Authenticate the device using Transport Layer Security (TLS) or IPSec. Infrastructure should support using pre-shared key (PSK) on those devices that cannot handle full asymmetric cryptography. Leverage Azure AD, Oauth.</li><li>**C#:** When creating a DeviceClient instance, by default, the Create method creates a DeviceClient instance that uses the AMQP protocol to communicate with IoT Hub. To use the HTTPS protocol, use the override of the Create method that enables you to specify the protocol. 
If you use the HTTPS protocol, you should also add the `Microsoft.AspNet.WebApi.Client` NuGet package to your project to include the `System.Net.Http.Formatting` namespace.</li></ul>| +| **Steps** | <ul><li>**Generic:** Authenticate the device using Transport Layer Security (TLS) or IPSec. Infrastructure should support using pre-shared key (PSK) on those devices that cannot handle full asymmetric cryptography. Leverage Microsoft Entra ID, Oauth.</li><li>**C#:** When creating a DeviceClient instance, by default, the Create method creates a DeviceClient instance that uses the AMQP protocol to communicate with IoT Hub. To use the HTTPS protocol, use the override of the Create method that enables you to specify the protocol. If you use the HTTPS protocol, you should also add the `Microsoft.AspNet.WebApi.Client` NuGet package to your project to include the `System.Net.Http.Formatting` namespace.</li></ul>| ### Example ```csharp |
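Review bot: The `multi-factor-azure-admin` Steps hunk lowercases the first word of the paragraph (`<p>multifactor authentication (MFA) is a method`); it should read `<p>Multifactor authentication (MFA) is a method`. The same cell ends its list with a second opening `<ul>` instead of `</ul>` in both the old and the new line, so while this cell is being rewritten change `<li>Something you are (biometrics)</li><ul>|` to `<li>Something you are (biometrics)</li></ul>|`.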
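Review bot: The `handle-failed-authn` Details hunk carries the pre-existing wording `by means of in example, parameter tampering` into the new line; since the line is rewritten anyway, change it to `by means of, for example, parameter tampering`.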
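Review bot: Inconsistent capitalization in the rewritten References cell of the `authn-aad` section: `[Microsoft Entra code Samples]` should be `[Microsoft Entra code samples]` (or `Code Samples`, matching the capitalization of the neighbouring link titles).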
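Review bot: The IoT Field Gateway Steps hunk keeps `Leverage Microsoft Entra ID, Oauth.`; the protocol name is spelled `OAuth`, and the rest of the article already uses `OAuth 2.0`, so fix the casing in the new line.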
security | Threat Modeling Tool Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/threat-modeling-tool-authorization.md | Please note that RLS as an out-of-the-box database feature is applicable only to | **Applicable Technologies** | Generic | | **Attributes** | N/A | | **References** | [How to secure your storage account with Azure role-based access control (Azure RBAC)](../../storage/blobs/security-recommendations.md) |-| **Steps** | <p>When you create a new storage account, you select a deployment model of Classic or Azure Resource Manager. The Classic model of creating resources in Azure only allows all-or-nothing access to the subscription, and in turn, the storage account.</p><p>With the Azure Resource Manager model, you put the storage account in a resource group and control access to the management plane of that specific storage account using Azure Active Directory. For example, you can give specific users the ability to access the storage account keys, while other users can view information about the storage account, but cannot access the storage account keys.</p>| +| **Steps** | <p>When you create a new storage account, you select a deployment model of Classic or Azure Resource Manager. The Classic model of creating resources in Azure only allows all-or-nothing access to the subscription, and in turn, the storage account.</p><p>With the Azure Resource Manager model, you put the storage account in a resource group and control access to the management plane of that specific storage account using Microsoft Entra ID. 
For example, you can give specific users the ability to access the storage account keys, while other users can view information about the storage account, but cannot access the storage account keys.</p>| ## <a id="rooting-detection"></a>Implement implicit jailbreak or rooting detection return result; | **Component** | Web API | | **SDL Phase** | Build | | **Applicable Technologies** | Generic, MVC5 |-| **Attributes** | N/A, Identity Provider - ADFS, Identity Provider - Azure AD | +| **Attributes** | N/A, Identity Provider - ADFS, Identity Provider - Microsoft Entra ID | | **References** | [Authentication and Authorization in ASP.NET Web API](https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api) |-| **Steps** | <p>Role information for the application users can be derived from Azure AD or ADFS claims if the application relies on them as Identity provider or the application itself might provided it. In any of these cases, the custom authorization implementation should validate the user role information.</p><p>Role information for the application users can be derived from Azure AD or ADFS claims if the application relies on them as Identity provider or the application itself might provided it. In any of these cases, the custom authorization implementation should validate the user role information.</p> +| **Steps** | <p>Role information for the application users can be derived from Microsoft Entra ID or ADFS claims if the application relies on them as Identity provider or the application itself might provided it. In any of these cases, the custom authorization implementation should validate the user role information.</p><p>Role information for the application users can be derived from Microsoft Entra ID or ADFS claims if the application relies on them as Identity provider or the application itself might provided it. 
In any of these cases, the custom authorization implementation should validate the user role information.</p> ### Example ```csharp |
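Review bot: The Steps hunk for the Web API role-validation section carries the same paragraph twice (`Role information for the application users can be derived from Microsoft Entra ID or ADFS claims ...` appears back to back) and keeps the grammar slip `the application itself might provided it`; since the cell is being rewritten, drop the duplicated paragraph and change it to `might provide it`.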
security | Threat Modeling Tool Configuration Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/threat-modeling-tool-configuration-management.md | To disable CORS for a controller or action, use the [DisableCors] attribute. | **Applicable Technologies** | Generic | | **Attributes** | N/A | | **References** | [Azure Storage security guide - Managing Your Storage Account Keys](../../storage/blobs/security-recommendations.md#identity-and-access-management) |-| **Steps** | <p>Key Storage: It is recommended to store the Azure Storage access keys in Azure Key Vault as a secret and have the applications retrieve the key from key vault. This is recommended due to the following reasons:</p><ul><li>The application will never have the storage key hardcoded in a configuration file, which removes that avenue of somebody getting access to the keys without specific permission</li><li>Access to the keys can be controlled using Azure Active Directory. This means an account owner can grant access to the handful of applications that need to retrieve the keys from Azure Key Vault. Other applications will not be able to access the keys without granting them permission specifically</li><li>Key Regeneration: It is recommended to have a process in place to regenerate Azure storage access keys for security reasons. Details on why and how to plan for key regeneration are documented in the Azure Storage Security Guide reference article</li></ul>| +| **Steps** | <p>Key Storage: It is recommended to store the Azure Storage access keys in Azure Key Vault as a secret and have the applications retrieve the key from key vault. This is recommended due to the following reasons:</p><ul><li>The application will never have the storage key hardcoded in a configuration file, which removes that avenue of somebody getting access to the keys without specific permission</li><li>Access to the keys can be controlled using Microsoft Entra ID. 
This means an account owner can grant access to the handful of applications that need to retrieve the keys from Azure Key Vault. Other applications will not be able to access the keys without granting them permission specifically</li><li>Key Regeneration: It is recommended to have a process in place to regenerate Azure storage access keys for security reasons. Details on why and how to plan for key regeneration are documented in the Azure Storage Security Guide reference article</li></ul>| ## <a id="cors-storage"></a>Ensure that only trusted origins are allowed if CORS is enabled on Azure storage ServiceMetadataBehavior smb = new ServiceMetadataBehavior(); smb.HttpGetEnabled = false; smb.HttpGetUrl = new Uri(EndPointAddress); Host.Description.Behaviors.Add(smb);-``` +``` |
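Review bot: The last hunk replaces a closing ``` fence with a textually identical one, so the change is whitespace or line-ending only; confirm it is intended (for example trailing-whitespace removal) and not a stray edit.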
security | Threat Modeling Tool Sensitive Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/threat-modeling-tool-sensitive-data.md | public override void OnActionExecuting(ActionExecutingContext filterContext) | **Component** | Web API | | **SDL Phase** | Build | | **Applicable Technologies** | MVC 5, MVC 6 |-| **Attributes** | Identity Provider - ADFS, Identity Provider - Azure AD | +| **Attributes** | Identity Provider - ADFS, Identity Provider - Microsoft Entra ID | | **References** | N/A |-| **Steps** | <p>In certain implementations, sensitive artifacts relevant to Web API's authentication are stored in browser's local storage. E.g., Azure AD authentication artifacts like adal.idtoken, adal.nonce.idtoken, adal.access.token.key, adal.token.keys, adal.state.login, adal.session.state, adal.expiration.key etc.</p><p>All these artifacts are available even after sign out or browser is closed. If an adversary gets access to these artifacts, he/she can reuse them to access the protected resources (APIs). Ensure that all sensitive artifacts related to Web API is not stored in browser's storage. In cases where client-side storage is unavoidable (e.g., Single Page Applications (SPA) that leverage Implicit OpenIdConnect/OAuth flows need to store access tokens locally), use storage choices with do not have persistence. e.g., prefer SessionStorage to LocalStorage.</p>| +| **Steps** | <p>In certain implementations, sensitive artifacts relevant to Web API's authentication are stored in browser's local storage. E.g., Microsoft Entra authentication artifacts like adal.idtoken, adal.nonce.idtoken, adal.access.token.key, adal.token.keys, adal.state.login, adal.session.state, adal.expiration.key etc.</p><p>All these artifacts are available even after sign out or browser is closed. If an adversary gets access to these artifacts, he/she can reuse them to access the protected resources (APIs). 
Ensure that all sensitive artifacts related to Web API is not stored in browser's storage. In cases where client-side storage is unavoidable (e.g., Single Page Applications (SPA) that leverage Implicit OpenIdConnect/OAuth flows need to store access tokens locally), use storage choices with do not have persistence. e.g., prefer SessionStorage to LocalStorage.</p>| ### Example The below JavaScript snippet is from a custom authentication library which stores authentication artifacts in local storage. Such implementations should be avoided. |
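Review bot: Two grammar slips survive in the rewritten Steps cell: `Ensure that all sensitive artifacts related to Web API is not stored` should be `are not stored`, and `use storage choices with do not have persistence` should be `which do not have persistence`.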
security | Threat Modeling Tool Session Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/develop/threat-modeling-tool-session-management.md | -| **Azure AD** | <ul><li>[Implement proper logout using MSAL methods when using Azure AD](#logout-msal)</li></ul> | +| **Microsoft Entra ID** | <ul><li>[Implement proper logout using MSAL methods when using Microsoft Entra ID](#logout-msal)</li></ul> | | **IoT Device** | <ul><li>[Use finite lifetimes for generated SaS tokens](#finite-tokens)</li></ul> | | **Azure Document DB** | <ul><li>[Use minimum token lifetimes for generated Resource tokens](#resource-tokens)</li></ul> | | **ADFS** | <ul><li>[Implement proper logout using WsFederation methods when using ADFS](#wsfederation-logout)</li></ul> |-## <a id="logout-msal"></a>Implement proper sign-out using MSAL methods when using Azure AD +## <a id="logout-msal"></a>Implement proper sign-out using MSAL methods when using Microsoft Entra ID | Title | Details | | -- | |-| **Component** | Azure AD | +| **Component** | Microsoft Entra ID | | **SDL Phase** | Build | | **Applicable Technologies** | Generic | | **Attributes** | N/A |-| **References** | [Enable your Web app to sign-in users using the Microsoft Identity Platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) | +| **References** | [Enable your Web app to sign-in users using the Microsoft identity platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) | | **Steps** | The ASP.NET Core OpenIdConnect middleware enables your app to intercept the call to the Microsoft identity platform logout endpoint by providing an OpenIdConnect event named `OnRedirectToIdentityProviderForSignOut` | ### Example Assuming all is well, the request goes through as normal. 
But if not, then an au | **Component** | Web API | | **SDL Phase** | Build | | **Applicable Technologies** | MVC5, MVC6 |-| **Attributes** | Identity Provider - ADFS, Identity Provider - Azure AD | +| **Attributes** | Identity Provider - ADFS, Identity Provider - Microsoft Entra ID | | **References** | [Secure a Web API with Individual Accounts and Local Login in ASP.NET Web API 2.2](https://www.asp.net/web-api/overview/security/individual-accounts-in-web-api) | | **Steps** | If the Web API is secured using OAuth 2.0, then it expects a bearer token in Authorization request header and grants access to the request only if the token is valid. Unlike cookie based authentication, browsers do not attach the bearer tokens to requests. The requesting client needs to explicitly attach the bearer token in the request header. Therefore, for ASP.NET Web APIs protected using OAuth 2.0, bearer tokens are considered as a defense against CSRF attacks. Please note that if the MVC portion of the application uses forms authentication (i.e., uses cookies), anti-forgery tokens have to be used by the MVC web app. | |
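Review bot: The table entry in the first hunk reads `Implement proper logout using MSAL methods when using Microsoft Entra ID` while the heading it links to (`#logout-msal`) is renamed to `Implement proper sign-out using MSAL methods when using Microsoft Entra ID`; align the link text with the heading so the two say the same thing.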
security | Azure CA Details | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/azure-CA-details.md | This article provides the details of the root and subordinate Certificate Author ## Certificate Authority details -Any entity trying to access Azure Active Directory (Azure AD) identity services via the TLS/SSL protocols will be presented with certificates from the CAs listed in this article. Different services may use different root or intermediate CAs. The following root and subordinate CAs are relevant to entities that use [certificate pinning](certificate-pinning.md). +Any entity trying to access Microsoft Entra identity services via the TLS/SSL protocols will be presented with certificates from the CAs listed in this article. Different services may use different root or intermediate CAs. The following root and subordinate CAs are relevant to entities that use [certificate pinning](certificate-pinning.md). **How to read the certificate details:** - The Serial Number (top string in the table) contains the hexadecimal value of the certificate serial number. |
security | Azure Domains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/azure-domains.md | This page is a partial list of the Azure domains in use. Some of them are REST A |Service |Subdomain | ||| |[Azure Access Control Service](https://azure.microsoft.com/blog/one-month-retirement-notice-access-control-service/) (retired)|*.accesscontrol.windows.net|-|[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md)|*.graph.windows.net / *.onmicrosoft.com| +|[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md)|*.graph.windows.net / *.onmicrosoft.com| |[Azure API Management](https://azure.microsoft.com/services/api-management/)|*.azure-api.net| |[Azure BizTalk Services](https://azure.microsoft.com/pricing/details/biztalk-services/) (retired)|*.biztalk.windows.net| |[Azure Blob storage](../../storage/blobs/storage-blobs-introduction.md)|*.blob.core.windows.net| This page is a partial list of the Azure domains in use. Some of them are REST A |[Azure Table Storage](../../storage/tables/table-storage-overview.md)|*.table.core.windows.net| |[Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md)|*.trafficmanager.net| |Azure Websites|*.azurewebsites.net|-|[GitHub Codespaces](https://visualstudio.microsoft.com/services/github-codespaces/)|*.visualstudio.com| +|[GitHub Codespaces](https://visualstudio.microsoft.com/services/github-codespaces/)|*.visualstudio.com| |
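Review bot: The last hunk of the domains table replaces the `GitHub Codespaces` row with a line that is textually identical (`|[GitHub Codespaces](https://visualstudio.microsoft.com/services/github-codespaces/)|*.visualstudio.com|`), so the change is whitespace or line-ending only; confirm it is intended rather than an accidental edit.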
security | Backup Plan To Protect Against Ransomware | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/backup-plan-to-protect-against-ransomware.md | Ransomware can attack while you are planning for an attack so your first priorit In our experience, the five most important applications to customers fall into the following categories in this priority order: -- Identity systems ΓÇô required for users to access any systems (including all others described below) such as Active Directory, [Azure AD Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md), AD domain controllers+- Identity systems ΓÇô required for users to access any systems (including all others described below) such as Active Directory, [Microsoft Entra Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md), AD domain controllers - Human life ΓÇô any system that supports human life or could put it at risk such as medical or life support systems, safety systems (ambulance, dispatch systems, traffic light control), large machinery, chemical/biological systems, production of food or personal products, and others - Financial systems ΓÇô systems that process monetary transactions and keep the business operating, such as payment systems and related databases, financial system for quarterly reporting - Product or service enablement ΓÇô any systems that are required to provide the business services or produce/deliver physical products that your customers pay you for, factory control systems, product delivery/dispatch systems, and similar |
security | Customer Lockbox Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/customer-lockbox-overview.md | The following steps outline a typical workflow for a Customer Lockbox request. The request is now in a **Customer Notified** state, waiting for the customer's approval before granting access. 1. The approver(s) at the customer organization for a given Lockbox request are determined as follows: - For Subscription scoped requests (requests to access specific resources contained within a subscription), users who have been assigned the Owner role on the associated subscription. - - For Tenant scope requests (requests to access the Azure Active Directory Tenant), users who have been assigned the Global Administrator role on the Tenant. + - For Tenant scope requests (requests to access the Microsoft Entra tenant), users who have been assigned the Global Administrator role on the Tenant. > [!NOTE]- > Role assignments must be in place before Lockbox starts to process a request. Any role assignments made after Lockbox starts to process a given request will not be recognized by Lockbox. Because of this, to use PIM eligible assignments for the Subscription Owner role, users are required to activate the role before the Customer Lockbox request is initiated. Refer to [Activate Azure AD roles in PIM](../../active-directory/privileged-identity-management/pim-how-to-activate-role.md) / [Activate Azure resource roles in PIM](../../active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md#activate-a-role) for more information on activating PIM eligible roles. + > Role assignments must be in place before Lockbox starts to process a request. Any role assignments made after Lockbox starts to process a given request will not be recognized by Lockbox. 
Because of this, to use PIM eligible assignments for the Subscription Owner role, users are required to activate the role before the Customer Lockbox request is initiated. Refer to [Activate Microsoft Entra roles in PIM](../../active-directory/privileged-identity-management/pim-how-to-activate-role.md) / [Activate Azure resource roles in PIM](../../active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md#activate-a-role) for more information on activating PIM eligible roles. > > **Role assignments scoped to management groups are not supported in Lockbox at this time.**-1. At the customer organization, designated lockbox approvers ([Azure Subscription Owner](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles)/[Azure AD Global admin](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-ad-roles) receive an email from Microsoft to notify them about the pending access request. +1. At the customer organization, designated lockbox approvers ([Azure Subscription Owner](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles)/[Microsoft Entra Global admin](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-ad-roles) receive an email from Microsoft to notify them about the pending access request. Example email: |
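Review bot: the parenthesis opened before `[Azure Subscription Owner]` in the last `+` line is never closed, so the approver sentence should read `([Azure Subscription Owner](...)/[Microsoft Entra Global admin](...)) receive an email from Microsoft`; the rename also leaves the fragment `#azure-ad-roles` on the Global admin link, which only keeps working if the target page retains that heading id after its own rename. Separately, the NOTE callout has been split so that the `+` line ends at `will not be recognized by Lockbox.` and the continuation starts at `Because of this, to use PIM eligible assignments`; if that continuation is a separate line in the file it needs a leading `> ` as well, otherwise it drops out of the callout and the PIM activation requirement (activate the eligible Owner or Global Administrator role before the request is initiated) is no longer visually tied to the warning it explains.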
security | Data Encryption Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/data-encryption-best-practices.md | You want to control and secure email, documents, and sensitive data that you sha Classification is identifiable at all times, regardless of where the data is stored or with whom it's shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action. -The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Microsoft 365 and Azure Active Directory. This protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of the location-inside or outside your organization, networks, file servers, and applications. +The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Microsoft 365 and Microsoft Entra ID. This protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of the location-inside or outside your organization, networks, file servers, and applications. This information protection solution keeps you in control of your data, even when it's shared with other people. You can also use Azure RMS with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud. |
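Review bot: in the `+` line, `independently of the location-inside or outside your organization` uses a bare hyphen where a comma or colon belongs (`independently of the location, inside or outside your organization`); the hyphen reads as a compound word. While in this paragraph, the preceding sentence that labels and metadata are added `in clear text` deserves one explicit caveat that the classification label itself is readable by anyone who holds the file, even though the content is protected by Azure RMS, since that is the trade-off readers need to weigh when labels carry sensitive project names.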
security | Database Security Checklist | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/database-security-checklist.md | We recommend that you read the [Azure Database Security Best Practices](/azure/a | <br> Encryption in Motion/Transit| <ul><li>[Transport Layer Security](/windows-server/security/tls/transport-layer-security-protocol), for data encryption when data is moving to the networks.</li><li>Database requires secure communication from clients based on the [TDS(Tabular Data Stream)](/openspecs/windows_protocols/ms-tds/893fcc7e-8a39-4b3c-815a-773b7b982c50) protocol over TLS (Transport Layer Security).</li></ul> | |<br>Encryption at rest| <ul><li>[Transparent Data Encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview), when inactive data is stored physically in any digital form.</li></ul>| |**Control Access**|| -|<br> Database Access | <ul><li>[Authentication](/azure/azure-sql/database/logins-create-manage) (Azure Active Directory Authentication) AD authentication uses identities managed by Azure Active Directory.</li><li>[Authorization](/azure/azure-sql/database/logins-create-manage) grant users the least privileges necessary.</li></ul> | +|<br> Database Access | <ul><li>[Authentication](/azure/azure-sql/database/logins-create-manage) (Microsoft Entra authentication) AD authentication uses identities managed by Microsoft Entra ID.</li><li>[Authorization](/azure/azure-sql/database/logins-create-manage) grant users the least privileges necessary.</li></ul> | |<br>Application Access| <ul><li>[Row level Security](/sql/relational-databases/security/row-level-security) (Using Security Policy, at the same time restricting row-level access based on a user's identity,role, or execution context).</li><li>[Dynamic Data Masking](/azure/azure-sql/database/dynamic-data-masking-overview) (Using Permission & Policy, limits sensitive data exposure by masking it to non-privileged users)</li></ul>| |**Proactive 
Monitoring**|| | <br>Tracking & Detecting| <ul><li>[Auditing](/azure/azure-sql/database/auditing-overview) tracks database events and writes them to an Audit log/ Activity log in your [Azure Storage account](../../storage/common/storage-account-create.md).</li><li>Track Azure Database health using [Azure Monitor Activity Logs](../../azure-monitor/essentials/platform-logs-overview.md).</li><li>[Threat Detection](/azure/azure-sql/database/threat-detection-configure) detects anomalous database activities indicating potential security threats to the database. </li></ul> | |
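Review bot: the `+` Database Access line still carries the pre-rename fragment: `(Microsoft Entra authentication) AD authentication uses identities managed by Microsoft Entra ID`. The parenthetical and the stray `AD` should go, leaving `[Authentication](...) with Microsoft Entra ID uses identities managed by Microsoft Entra ID` or simply `Microsoft Entra authentication uses identities managed by Microsoft Entra ID`. The Authorization bullet in the same cell (`grant users the least privileges necessary`) also needs `grants` to agree with its subject.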
security | Encryption Atrest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/encryption-atrest.md | As described previously, the goal of encryption at rest is that data that is per The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. The keys need to be highly secured but manageable by specified users and available to specific services. For Azure services, Azure Key Vault is the recommended key storage solution and provides a common management experience across services. Keys are stored and managed in key vaults, and access to a key vault can be given to users or services. Azure Key Vault supports customer creation of keys or import of customer keys for use in customer-managed encryption key scenarios. -### Azure Active Directory +<a name='azure-active-directory'></a> -Permissions to use the keys stored in Azure Key Vault, either to manage or to access them for Encryption at Rest encryption and decryption, can be given to Azure Active Directory accounts. +### Microsoft Entra ID ++Permissions to use the keys stored in Azure Key Vault, either to manage or to access them for Encryption at Rest encryption and decryption, can be given to Microsoft Entra accounts. ### Envelope Encryption with a Key Hierarchy |
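Review bot: adding `<a name='azure-active-directory'></a>` ahead of the renamed heading is the right way to keep existing deep links to `#azure-active-directory` alive; keep this pattern for the other renamed headings in the batch. The `+` paragraph, `can be given to Microsoft Entra accounts`, would be more useful if it said which principals that covers, since the companion Encryption Models text (same batch) talks about a `service identity` presenting a token to Key Vault; saying users, groups and service identities here avoids readers assuming only user accounts can be granted key permissions.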
security | Encryption Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/encryption-models.md | Loss of key encryption keys means loss of data. For this reason, keys should not ### Key Access -The server-side encryption model with customer-managed keys in Azure Key Vault involves the service accessing the keys to encrypt and decrypt as needed. Encryption at rest keys are made accessible to a service through an access control policy. This policy grants the service identity access to receive the key. An Azure service running on behalf of an associated subscription can be configured with an identity in that subscription. The service can perform Azure Active Directory authentication and receive an authentication token identifying itself as that service acting on behalf of the subscription. That token can then be presented to Key Vault to obtain a key it has been given access to. +The server-side encryption model with customer-managed keys in Azure Key Vault involves the service accessing the keys to encrypt and decrypt as needed. Encryption at rest keys are made accessible to a service through an access control policy. This policy grants the service identity access to receive the key. An Azure service running on behalf of an associated subscription can be configured with an identity in that subscription. The service can perform Microsoft Entra authentication and receive an authentication token identifying itself as that service acting on behalf of the subscription. That token can then be presented to Key Vault to obtain a key it has been given access to. For operations using encryption keys, a service identity can be granted access to any of the following operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, and restore. 
The Azure services that support each encryption model: | Azure Databricks | Yes | Yes | - | | Azure Database Migration Service | Yes | N/A\* | - | | **Identity** | | | |-| Azure Active Directory | Yes | - | - | -| Azure Active Directory Domain Services | Yes | Yes | - | +| Microsoft Entra ID | Yes | - | - | +| Microsoft Entra Domain Services | Yes | Yes | - | | **Integration** | | | | | Service Bus | Yes | Yes | Yes | | Event Grid | Yes | - | - | |
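Review bot: the Key Access hunk says keys are exposed `through an access control policy` and the following line enumerates every operation a service identity may be granted (`decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, and restore`); this is the place to add a least-privilege caveat that a runtime identity doing envelope encryption needs only `wrapKey`/`unwrapKey` (and `get` to read key metadata), because granting `delete`, `backup`, `restore` or `import` to the same identity lets a compromised service destroy or swap the key rather than merely use it. In the table, the renamed `Microsoft Entra ID` and `Microsoft Entra Domain Services` rows are consistent with the rest of the Identity group; no further change needed there.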
security | Encryption Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/encryption-overview.md | To learn more about encryption of data in transit in Data Lake, see [Encryption ## Key management with Key Vault -Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts. +Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Microsoft Entra accounts. Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications donΓÇÖt have direct access to them. You can also import or generate keys in HSMs. |
security | End To End | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/end-to-end.md | The [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) ||--| | [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md)| A unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. | | **Identity & Access Management** | |-| [Azure Active Directory (AD)](../../active-directory/fundamentals/active-directory-whatis.md)| MicrosoftΓÇÖs cloud-based identity and access management service. | -| | [Conditional Access](../../active-directory/conditional-access/overview.md) is the tool used by Azure AD to bring identity signals together, to make decisions, and enforce organizational policies. | -| | [Domain Services](../../active-directory-domain-services/overview.md) is the tool used by Azure AD to provide managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. | -| | [Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. | -| | [Multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) is the tool used by Azure AD to help safeguard access to data and applications by requiring a second form of authentication. 
| -| [Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) | A tool that allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis. | +| [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md)| MicrosoftΓÇÖs cloud-based identity and access management service. | +| | [Conditional Access](../../active-directory/conditional-access/overview.md) is the tool used by Microsoft Entra ID to bring identity signals together, to make decisions, and enforce organizational policies. | +| | [Domain Services](../../active-directory-domain-services/overview.md) is the tool used by Microsoft Entra ID to provide managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. | +| | [Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. | +| | [Multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) is the tool used by Microsoft Entra ID to help safeguard access to data and applications by requiring a second form of authentication. | +| [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) | A tool that allows organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis. 
| | **Infrastructure & Network** | | | [VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md) | A virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet and to send encrypted traffic between Azure virtual networks over the Microsoft network. | | [Azure DDoS Protection](../../ddos-protection/ddos-protection-overview.md) | Provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. | The [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) | [Azure confidential computing](../../confidential-computing/overview.md) | Allows you to isolate your sensitive data while it's being processed in the cloud. | | [Azure DevOps](/azure/devops/user-guide/what-is-azure-devops) | Your development projects benefit from multiple layers of security and governance technologies, operational practices, and compliance policies when stored in Azure DevOps. | | **Customer Access** | |-| [Azure AD External Identities](../../active-directory/external-identities/external-identities-overview.md) | With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. | -| | You can share your apps and resources with external users via [Azure AD B2B](../../active-directory/external-identities/what-is-b2b.md) collaboration. | +| [Microsoft Entra External ID](../../active-directory/external-identities/external-identities-overview.md) | With External Identities in Microsoft Entra ID, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. 
| +| | You can share your apps and resources with external users via [Microsoft Entra B2B](../../active-directory/external-identities/what-is-b2b.md) collaboration. | | | [Azure AD B2C](../../active-directory-b2c/overview.md) lets you support millions of users and billions of authentications per day, monitoring and automatically handling threats like denial-of-service, password spray, or brute force attacks. | ## Detect threats The [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) | [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) | A unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. | | | [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. | | | [Microsoft Defender for Identity](/defender-for-identity/what-is) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. |-| [Azure AD Identity Protection](../../active-directory/identity-protection/howto-identity-protection-configure-notifications.md) | Sends two types of automated notification emails to help you manage user risk and risk detections: Users at risk detected email and Weekly digest email. | +| [Microsoft Entra ID Protection](../../active-directory/identity-protection/howto-identity-protection-configure-notifications.md) | Sends two types of automated notification emails to help you manage user risk and risk detections: Users at risk detected email and Weekly digest email. 
| | **Infrastructure & Network** | | | [Azure Firewall](../../firewall/premium-features.md#idps) | Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. | | [Microsoft Defender for IoT](../../defender-for-iot/overview.md) | A unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations. | The [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) | [Microsoft Sentinel](../../sentinel/hunting.md) | Powerful search and query tools to hunt for security threats across your organization's data sources. | | [Azure Monitor logs and metrics](../../azure-monitor/overview.md) | Delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor [collects and aggregates data](../../azure-monitor/data-platform.md#observability-data-in-azure-monitor) from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. | | **Identity & Access Management** | |-| [Azure AD reports and monitoring](../../active-directory/reports-monitoring/index.yml) | [Azure AD reports](../../active-directory/reports-monitoring/overview-reports.md) provide a comprehensive view of activity in your environment. 
| -| | [Azure AD monitoring](../../active-directory/reports-monitoring/overview-monitoring.md) lets you route your Azure AD activity logs to different endpoints.| -| [Azure AD PIM audit history](../../active-directory/privileged-identity-management/pim-how-to-use-audit-log.md) | Shows all role assignments and activations within the past 30 days for all privileged roles. | +| [Azure AD reports and monitoring](../../active-directory/reports-monitoring/index.yml) | [Microsoft Entra reports](../../active-directory/reports-monitoring/overview-reports.md) provide a comprehensive view of activity in your environment. | +| | [Microsoft Entra monitoring](../../active-directory/reports-monitoring/overview-monitoring.md) lets you route your Microsoft Entra activity logs to different endpoints.| +| [Microsoft Entra PIM audit history](../../active-directory/privileged-identity-management/pim-how-to-use-audit-log.md) | Shows all role assignments and activations within the past 30 days for all privileged roles. | | **Data & Application** | | | [Microsoft Defender for Cloud Apps](/cloud-app-security/investigate) | Provides tools to gain a deeper understanding of what's happening in your cloud environment. | |
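Review bot: the rename is incomplete in the Monitor section: the `+` row keeps the link text `[Azure AD reports and monitoring](../../active-directory/reports-monitoring/index.yml)` while the cells next to it became `Microsoft Entra reports` and `Microsoft Entra monitoring`; rename it to `Microsoft Entra reports and monitoring` so one row does not mix both names. In the Customer Access rows the new link text `Microsoft Entra External ID` is immediately followed by `With External Identities in Microsoft Entra ID`, so the same feature is named two ways in one cell; pick one form. Leaving `Azure AD B2C` untouched is correct, as that product was not part of the rename.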
security | Feature Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/feature-availability.md | For more information about Azure Government, see [What is Azure Government?](../ ## Microsoft 365 integration -Integrations between products rely on interoperability between Azure and Office platforms. Offerings hosted in the Azure environment are accessible from the Microsoft 365 Enterprise and Microsoft 365 Government platforms. Office 365 and Office 365 GCC are paired with Azure Active Directory (Azure AD) in Azure. Office 365 GCC High and Office 365 DoD are paired with Azure AD in Azure Government. +Integrations between products rely on interoperability between Azure and Office platforms. Offerings hosted in the Azure environment are accessible from the Microsoft 365 Enterprise and Microsoft 365 Government platforms. Office 365 and Office 365 GCC are paired with Microsoft Entra ID in Azure. Office 365 GCC High and Office 365 DoD are paired with Microsoft Entra ID in Azure Government. The following diagram displays the hierarchy of Microsoft clouds and how they relate to each other. AIP is part of the Microsoft Purview Information Protection (MIP) solution, and For more information, see the [Azure Information Protection product documentation](/azure/information-protection/). -- Office 365 GCC is paired with Azure Active Directory (Azure AD) in Azure. Office 365 GCC High and Office 365 DoD are paired with Azure AD in Azure Government. Make sure to pay attention to the Azure environment to understand where [interoperability is possible](#microsoft-365-integration). In the following table, interoperability that is *not* possible is marked with a dash (-) to indicate that support is not relevant.+- Office 365 GCC is paired with Microsoft Entra ID in Azure. Office 365 GCC High and Office 365 DoD are paired with Microsoft Entra ID in Azure Government. 
Make sure to pay attention to the Azure environment to understand where [interoperability is possible](#microsoft-365-integration). In the following table, interoperability that is *not* possible is marked with a dash (-) to indicate that support is not relevant. - Extra configurations are required for GCC-High and DoD customers. For more information, see [Azure Information Protection Premium Government Service Description](/enterprise-mobility-security/solutions/ems-aip-premium-govt-service-description). For Microsoft Sentinel feature availability in Azure, Azure Government, and Azur ### Microsoft Purview Data Connectors -Office 365 GCC is paired with Azure Active Directory (Azure AD) in Azure. Office 365 GCC High and Office 365 DoD are paired with Azure AD in Azure Government. +Office 365 GCC is paired with Microsoft Entra ID in Azure. Office 365 GCC High and Office 365 DoD are paired with Microsoft Entra ID in Azure Government. > [!TIP] > Make sure to pay attention to the Azure environment to understand where [interoperability is possible](#microsoft-365-integration). In the following table, interoperability that is *not* possible is marked with a dash (-) to indicate that support is not relevant. |
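Review bot: the same pair of sentences (`Office 365 GCC is paired with Microsoft Entra ID in Azure. Office 365 GCC High and Office 365 DoD are paired with Microsoft Entra ID in Azure Government.`) is edited in three places in this patch (the Microsoft 365 integration section, the AIP bullet and the Purview Data Connectors section); keeping one authoritative statement and linking to it, as the AIP bullet already does with `[interoperability is possible](#microsoft-365-integration)`, would turn the next rename into one edit instead of three. The first occurrence also drops the `(Azure AD)` abbreviation without defining a replacement; check the rest of the article for a lone `Azure AD` that depended on that definition.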
security | Iaas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/iaas.md | In most infrastructure as a service (IaaS) scenarios, [Azure virtual machines (V The first step in protecting your VMs is to ensure that only authorized users can set up new VMs and access VMs. > [!NOTE]-> To improve the security of Linux VMs on Azure, you can integrate with Azure AD authentication. When you use [Azure AD authentication for Linux VMs](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md), you centrally control and enforce policies that allow or deny access to the VMs. +> To improve the security of Linux VMs on Azure, you can integrate with Microsoft Entra authentication. When you use [Microsoft Entra authentication for Linux VMs](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md), you centrally control and enforce policies that allow or deny access to the VMs. > > We recommend that you encrypt your virtual hard disks (VHDs) to help protect you Following are best practices for using Azure Disk Encryption: **Best practice**: Enable encryption on VMs. -**Detail**: Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Azure AD authentication](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md). +**Detail**: Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Microsoft Entra authentication. Create a Microsoft Entra application for this purpose. 
For authentication purposes, you can use either client secret-based authentication or [client certificate-based Microsoft Entra authentication](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md). **Best practice**: Use a key encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key vault. **Detail**: Use the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises hardware security module (HSM) for key management. For more information, see the [Key Vault documentation](../../key-vault/keys/hsm-protected-keys.md). When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault. Keeping an escrow copy of this key in an on-premises key management HSM offers additional protection against accidental deletion of keys. See [Azure security best practices and patterns](best-practices-and-patterns.md) The following resources are available to provide more general information about Azure security and related Microsoft * [Azure Security Team Blog](/archive/blogs/azuresecurity/) - for up to date information on the latest in Azure Security-* [Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to secure@microsoft.com +* [Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to secure@microsoft.com |
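Review bot: the link behind `client certificate-based Microsoft Entra authentication` (`active-directory-certificate-based-authentication-get-started.md`) appears to describe certificate-based sign-in for users, whereas this sentence is about a certificate credential on the `Microsoft Entra application` that Azure Disk Encryption uses to reach Key Vault; confirm the target, since the two are different features and a reader following the link will configure the wrong one. The last hunk (`-* [Microsoft Security Response Center]...` / `+* [Microsoft Security Response Center]...`) shows no visible difference, so it is presumably a whitespace-only change; while touching it, the `technet.microsoft.com/library/dn440717.aspx` address is a legacy URL worth checking for a current MSRC landing page.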
security | Identity Management Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/identity-management-best-practices.md | -In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with [Azure AD](../../active-directory/fundamentals/active-directory-whatis.md) and the experiences of customers like yourself. +In this article, we discuss a collection of Azure identity management and access control security best practices. These best practices are derived from our experience with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) and the experiences of customers like yourself. For each best practice, we explain: Azure identity management and access control security best practices discussed i * Turn on Conditional Access * Plan for routine security improvements * Enable password management-* Enforce multi-factor verification for users +* Enforce multifactor verification for users * Use role-based access control * Lower exposure of privileged accounts * Control locations where resources are located-* Use Azure AD for storage authentication +* Use Microsoft Entra ID for storage authentication ## Treat identity as the primary security perimeter Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and that perimeter defense canΓÇÖt be as effective as it was before the explosion of [BYOD](/mem/intune/fundamentals/byod-technology-decisions) devices and cloud applications. -[Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. 
It combines core directory services, application access management, and identity protection into a single solution. +[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) is the Azure solution for identity and access management. Microsoft Entra ID is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution. -The following sections list best practices for identity and access security using Azure AD. +The following sections list best practices for identity and access security using Microsoft Entra ID. **Best practice**: Center security controls and detections around user and service identities.-**Detail**: Use Azure AD to collocate controls and identities. +**Detail**: Use Microsoft Entra ID to collocate controls and identities. ## Centralize identity management In a hybrid identity scenario we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where an account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources. -**Best practice**: Establish a single Azure AD instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity. -**Detail**: Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts. +**Best practice**: Establish a single Microsoft Entra instance. Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity. +**Detail**: Designate a single Microsoft Entra directory as the authoritative source for corporate and organizational accounts. 
-**Best practice**: Integrate your on-premises directories with Azure AD. -**Detail**: Use [Azure AD Connect](../../active-directory/hybrid/whatis-hybrid-identity.md) to synchronize your on-premises directory with your cloud directory. +**Best practice**: Integrate your on-premises directories with Microsoft Entra ID. +**Detail**: Use [Microsoft Entra Connect](../../active-directory/hybrid/whatis-hybrid-identity.md) to synchronize your on-premises directory with your cloud directory. > [!Note]-> There are [factors that affect the performance of Azure AD Connect](../../active-directory/hybrid/plan-connect-performance-factors.md). Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the [recommendations](../../active-directory/hybrid/whatis-hybrid-identity.md) to optimize their Azure AD Connect implementation. +> There are [factors that affect the performance of Microsoft Entra Connect](../../active-directory/hybrid/plan-connect-performance-factors.md). Ensure Microsoft Entra Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the [recommendations](../../active-directory/hybrid/whatis-hybrid-identity.md) to optimize their Microsoft Entra Connect implementation. -**Best practice**: DonΓÇÖt synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance. -**Detail**: DonΓÇÖt change the default [Azure AD Connect configuration](../../active-directory/hybrid/how-to-connect-sync-configure-filtering.md) that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident). 
+**Best practice**: DonΓÇÖt synchronize accounts to Microsoft Entra ID that have high privileges in your existing Active Directory instance. +**Detail**: DonΓÇÖt change the default [Microsoft Entra Connect configuration](../../active-directory/hybrid/how-to-connect-sync-configure-filtering.md) that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident). **Best practice**: Turn on password hash synchronization. -**Detail**: Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks. +**Detail**: Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance. This sync helps to protect against leaked credentials being replayed from previous attacks. -Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren't connected to Azure AD. +Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. 
This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren't connected to Microsoft Entra ID. -For more information, see [Implement password hash synchronization with Azure AD Connect sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md). +For more information, see [Implement password hash synchronization with Microsoft Entra Connect Sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md). -**Best practice**: For new application development, use Azure AD for authentication. +**Best practice**: For new application development, use Microsoft Entra ID for authentication. **Detail**: Use the correct capabilities to support authentication: - - Azure AD for employees - - [Azure AD B2B](../../active-directory/external-identities/index.yml) for guest users and external partners + - Microsoft Entra ID for employees + - [Microsoft Entra B2B](../../active-directory/external-identities/index.yml) for guest users and external partners - [Azure AD B2C](../../active-directory-b2c/index.yml) to control how customers sign up, sign in, and manage their profiles when they use your applications Organizations that donΓÇÖt integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches. > [!Note]-> You need to choose which directories critical accounts will reside in and whether the admin workstation used is managed by new cloud services or existing processes. 
Using existing management and identity provisioning processes can decrease some risks but can also create the risk of an attacker compromising an on-premises account and pivoting to the cloud. You might want to use a different strategy for different roles (for example, IT admins vs. business unit admins). You have two options. First option is to create Azure AD Accounts that arenΓÇÖt synchronized with your on-premises Active Directory instance. Join your admin workstation to Azure AD, which you can manage and patch by using Microsoft Intune. Second option is to use existing admin accounts by synchronizing to your on-premises Active Directory instance. Use existing workstations in your Active Directory domain for management and security. +> You need to choose which directories critical accounts will reside in and whether the admin workstation used is managed by new cloud services or existing processes. Using existing management and identity provisioning processes can decrease some risks but can also create the risk of an attacker compromising an on-premises account and pivoting to the cloud. You might want to use a different strategy for different roles (for example, IT admins vs. business unit admins). You have two options. First option is to create Microsoft Entra accounts that arenΓÇÖt synchronized with your on-premises Active Directory instance. Join your admin workstation to Microsoft Entra ID, which you can manage and patch by using Microsoft Intune. Second option is to use existing admin accounts by synchronizing to your on-premises Active Directory instance. Use existing workstations in your Active Directory domain for management and security. ## Manage connected tenants-Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. 
You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via [Azure ExpressRoute](../../expressroute/expressroute-introduction.md) or [site-to-site VPN](../../vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal.md)). A [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) in Azure AD can elevate their access to the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role and see all subscriptions and managed groups connected to your environment. +Your security organization needs visibility to assess risk and to determine whether the policies of your organization, and any regulatory requirements, are being followed. You should ensure that your security organization has visibility into all subscriptions connected to your production environment and network (via [Azure ExpressRoute](../../expressroute/expressroute-introduction.md) or [site-to-site VPN](../../vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal.md)). A [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) in Microsoft Entra ID can elevate their access to the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role and see all subscriptions and managed groups connected to your environment. See [elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md) to ensure that you and your security group can view all subscriptions or management groups connected to your environment. You should remove this elevated access after youΓÇÖve assessed risks. In a mobile-first, cloud-first world, you want to enable single sign-on (SSO) to By using the same identity solution for all your apps and resources, you can achieve SSO. 
And your users can use the same set of credentials to sign in and access the resources that they need, whether the resources are located on-premises or in the cloud. **Best practice**: Enable SSO. -**Detail**: Azure AD [extends on-premises Active Directory](../../active-directory/hybrid/whatis-hybrid-identity.md) to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users donΓÇÖt have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. And you can control that access for gallery apps or for your own on-premises apps that youΓÇÖve developed and published through the [Azure AD Application Proxy](../../active-directory/app-proxy/application-proxy.md). +**Detail**: Microsoft Entra ID [extends on-premises Active Directory](../../active-directory/hybrid/whatis-hybrid-identity.md) to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users donΓÇÖt have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organization group memberships and their status as an employee. And you can control that access for gallery apps or for your own on-premises apps that youΓÇÖve developed and published through the [Microsoft Entra application proxy](../../active-directory/app-proxy/application-proxy.md). -Use SSO to enable users to access their [SaaS applications](../../active-directory/manage-apps/what-is-single-sign-on.md) based on their work or school account in Azure AD. 
This is applicable not only for Microsoft SaaS apps, but also other apps, such as [Google Apps](../../active-directory/saas-apps/google-apps-tutorial.md) and [Salesforce](../../active-directory/saas-apps/salesforce-tutorial.md). You can configure your application to use Azure AD as a [SAML-based identity](../../active-directory/fundamentals/active-directory-whatis.md) provider. As a security control, Azure AD does not issue a token that allows users to sign in to the application unless they have been granted access through Azure AD. You can grant access directly, or through a group that users are a member of. +Use SSO to enable users to access their [SaaS applications](../../active-directory/manage-apps/what-is-single-sign-on.md) based on their work or school account in Microsoft Entra ID. This is applicable not only for Microsoft SaaS apps, but also other apps, such as [Google Apps](../../active-directory/saas-apps/google-apps-tutorial.md) and [Salesforce](../../active-directory/saas-apps/salesforce-tutorial.md). You can configure your application to use Microsoft Entra ID as a [SAML-based identity](../../active-directory/fundamentals/active-directory-whatis.md) provider. As a security control, Microsoft Entra ID does not issue a token that allows users to sign in to the application unless they have been granted access through Microsoft Entra ID. You can grant access directly, or through a group that users are a member of. Organizations that donΓÇÖt create a common identity to establish SSO for their users and applications are more exposed to scenarios where users have multiple passwords. These scenarios increase the likelihood of users reusing passwords or using weak passwords. Organizations that donΓÇÖt create a common identity to establish SSO for their u Users can access your organization's resources by using a variety of devices and apps from anywhere. As an IT admin, you want to make sure that these devices meet your standards for security and compliance. 
Just focusing on who can access a resource is not sufficient anymore. -To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Azure AD Conditional Access, you can address this requirement. With Conditional Access, you can make automated access control decisions based on conditions for accessing your cloud apps. +To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Microsoft Entra Conditional Access, you can address this requirement. With Conditional Access, you can make automated access control decisions based on conditions for accessing your cloud apps. **Best practice**: Manage and control access to corporate resources. -**Detail**: Configure common Azure AD [Conditional Access policies](../../active-directory/conditional-access/concept-conditional-access-policy-common.md) based on a group, location, and application sensitivity for SaaS apps and Azure ADΓÇôconnected apps. +**Detail**: Configure common Microsoft Entra [Conditional Access policies](../../active-directory/conditional-access/concept-conditional-access-policy-common.md) based on a group, location, and application sensitivity for SaaS apps and Microsoft Entra IDΓÇôconnected apps. **Best practice**: Block legacy authentication protocols. **Detail**: Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to [block legacy protocols](../../active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md). 
Identity Secure Score is a set of recommended security controls that Microsoft p If you have multiple tenants or you want to enable users to [reset their own passwords](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e), itΓÇÖs important that you use appropriate security policies to prevent abuse. **Best practice**: Set up self-service password reset (SSPR) for your users. -**Detail**: Use the Azure AD [self-service password reset](../../active-directory/authentication/tutorial-enable-sspr.md) feature. +**Detail**: Use the Microsoft Entra ID [self-service password reset](../../active-directory/authentication/tutorial-enable-sspr.md) feature. **Best practice**: Monitor how or if SSPR is really being used. -**Detail**: Monitor the users who are registering by using the Azure AD [Password Reset Registration Activity report](../../active-directory/authentication/howto-sspr-reporting.md). The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries. +**Detail**: Monitor the users who are registering by using the Microsoft Entra ID [Password Reset Registration Activity report](../../active-directory/authentication/howto-sspr-reporting.md). The reporting feature that Microsoft Entra ID provides helps you answer questions by using prebuilt reports. If you're appropriately licensed, you can also create custom queries. **Best practice**: Extend cloud-based password policies to your on-premises infrastructure. -**Detail**: Enhance password policies in your organization by performing the same checks for on-premises password changes as you do for cloud-based password changes. 
Install [Azure AD password protection](../../active-directory/authentication/concept-password-ban-bad.md) for Windows Server Active Directory agents on-premises to extend banned password lists to your existing infrastructure. Users and admins who change, set, or reset passwords on-premises are required to comply with the same password policy as cloud-only users. +**Detail**: Enhance password policies in your organization by performing the same checks for on-premises password changes as you do for cloud-based password changes. Install [Microsoft Entra password protection](../../active-directory/authentication/concept-password-ban-bad.md) for Windows Server Active Directory agents on-premises to extend banned password lists to your existing infrastructure. Users and admins who change, set, or reset passwords on-premises are required to comply with the same password policy as cloud-only users. -## Enforce multi-factor verification for users +<a name='enforce-multi-factor-verification-for-users'></a> ++## Enforce multifactor verification for users We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers). -There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition youΓÇÖre running, and your licensing program. See [How to require two-step verification for a user](../../active-directory/authentication/howto-mfa-userstates.md) to determine the best option for you. See the [Azure AD](https://azure.microsoft.com/pricing/details/active-directory/) and [Azure AD Multi-Factor Authentication](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) pricing pages for more information about licenses and pricing. +There are multiple options for requiring two-step verification. 
The best option for you depends on your goals, the Microsoft Entra edition youΓÇÖre running, and your licensing program. See [How to require two-step verification for a user](../../active-directory/authentication/howto-mfa-userstates.md) to determine the best option for you. See the [Microsoft Entra ID](https://azure.microsoft.com/pricing/details/active-directory/) and [Microsoft Entra multifactor Authentication](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) pricing pages for more information about licenses and pricing. Following are options and benefits for enabling two-step verification: -**Option 1**: Enable MFA for all users and login methods with Azure AD Security Defaults +**Option 1**: Enable MFA for all users and login methods with Microsoft Entra Security Defaults **Benefit**: This option enables you to easily and quickly enforce MFA for all users in your environment with a stringent policy to: * Challenge administrative accounts and administrative logon mechanisms * Require MFA challenge via Microsoft Authenticator for all users * Restrict legacy authentication protocols. -This method is available to all licensing tiers but is not able to be mixed with existing Conditional Access policies. You can find more information in [Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) +This method is available to all licensing tiers but is not able to be mixed with existing Conditional Access policies. You can find more information in [Microsoft Entra Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) -**Option 2**: [Enable Multi-Factor Authentication by changing user state](../../active-directory/authentication/howto-mfa-userstates.md). -**Benefit**: This is the traditional method for requiring two-step verification. 
It works with both [Azure AD Multi-Factor Authentication in the cloud and Azure AD Multi-Factor Authentication Server](../../active-directory/authentication/concept-mfa-howitworks.md). Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies. +**Option 2**: [Enable multifactor authentication by changing user state](../../active-directory/authentication/howto-mfa-userstates.md). +**Benefit**: This is the traditional method for requiring two-step verification. It works with both [Microsoft Entra multifactor authentication in the cloud and Azure Multi-Factor Authentication Server](../../active-directory/authentication/concept-mfa-howitworks.md). Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies. -To determine where Multi-Factor Authentication needs to be enabled, see [Which version of Azure AD MFA is right for my organization?](../../active-directory/authentication/concept-mfa-howitworks.md). +To determine where multifactor authentication needs to be enabled, see [Which version of Microsoft Entra multifactor authentication is right for my organization?](../../active-directory/authentication/concept-mfa-howitworks.md). -**Option 3**: [Enable Multi-Factor Authentication with Conditional Access policy](../../active-directory/authentication/howto-mfa-getstarted.md). +**Option 3**: [Enable multifactor authentication with Conditional Access policy](../../active-directory/authentication/howto-mfa-getstarted.md). **Benefit**: This option allows you to prompt for two-step verification under specific conditions by using [Conditional Access](../../active-directory/conditional-access/concept-conditional-access-policy-common.md). Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. 
Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience. -This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Azure AD Multi-Factor Authentication in the cloud and is a premium feature of Azure AD. You can find more information on this method in [Deploy cloud-based Azure AD Multi-Factor Authentication](../../active-directory/authentication/howto-mfa-getstarted.md). +This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Microsoft Entra multifactor authentication in the cloud and is a premium feature of Microsoft Entra ID. You can find more information on this method in [Deploy cloud-based Microsoft Entra multifactor authentication](../../active-directory/authentication/howto-mfa-getstarted.md). -**Option 4**: Enable Multi-Factor Authentication with Conditional Access policies by evaluating [Risk-based Conditional Access policies](../../active-directory/conditional-access/howto-conditional-access-policy-risk.md). +**Option 4**: Enable multifactor authentication with Conditional Access policies by evaluating [Risk-based Conditional Access policies](../../active-directory/conditional-access/howto-conditional-access-policy-risk.md). **Benefit**: This option enables you to: * Detect potential vulnerabilities that affect your organizationΓÇÖs identities. * Configure automated responses to detected suspicious actions that are related to your organizationΓÇÖs identities. * Investigate suspicious incidents and take appropriate action to resolve them. -This method uses the Azure AD Identity Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. 
You can find more information on this method in [Azure Active Directory Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md). +This method uses the Microsoft Entra ID Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Microsoft Entra ID P2 licensing. You can find more information on this method in [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md). > [!Note]-> Option 2, enabling Multi-Factor Authentication by changing the user state, overrides Conditional Access policies. Because options 3 and 4 use Conditional Access policies, you cannot use option 2 with them. +> Option 2, enabling multifactor authentication by changing the user state, overrides Conditional Access policies. Because options 3 and 4 use Conditional Access policies, you cannot use option 2 with them. Organizations that donΓÇÖt add extra layers of identity protection, such as two-step verification, are more susceptible for credential theft attack. A credential theft attack can lead to data compromise. You can use [Azure RBAC](../../role-based-access-control/overview.md) to assign **Detail**: Use [Azure built-in roles](../../role-based-access-control/built-in-roles.md) in Azure to assign privileges to users. > [!Note]-> Specific permissions create unneeded complexity and confusion, accumulating into a ΓÇ£legacyΓÇ¥ configuration thatΓÇÖs difficult to fix without fear of breaking something. Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions. Avoid user-specific permissions. Instead, assign access to groups in Azure AD. +> Specific permissions create unneeded complexity and confusion, accumulating into a ΓÇ£legacyΓÇ¥ configuration thatΓÇÖs difficult to fix without fear of breaking something. 
Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions. Avoid user-specific permissions. Instead, assign access to groups in Microsoft Entra ID. **Best practice**: Grant security teams with Azure responsibilities access to see Azure resources so they can assess and remediate risk. **Detail**: Grant security teams the Azure RBAC [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader) role. You can use the root management group or the segment management group, depending on the scope of responsibilities: Securing privileged access is a critical first step to protecting business asset Privileged accounts are accounts that administer and manage IT systems. Cyber attackers target these accounts to gain access to an organizationΓÇÖs data and systems. To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user. -We recommend that you develop and follow a roadmap to secure privileged access against cyber attackers. For information about creating a detailed roadmap to secure identities and access that are managed or reported in Azure AD, Microsoft Azure, Microsoft 365, and other cloud services, review [Securing privileged access for hybrid and cloud deployments in Azure AD](../../active-directory/roles/security-planning.md). +We recommend that you develop and follow a roadmap to secure privileged access against cyber attackers. For information about creating a detailed roadmap to secure identities and access that are managed or reported in Microsoft Entra ID, Microsoft Azure, Microsoft 365, and other cloud services, review [Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID](../../active-directory/roles/security-planning.md). 
-The following summarizes the best practices found in [Securing privileged access for hybrid and cloud deployments in Azure AD](../../active-directory/roles/security-planning.md): +The following summarizes the best practices found in [Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID](../../active-directory/roles/security-planning.md): **Best practice**: Manage, control, and monitor access to privileged accounts. -**Detail**: Turn on [Azure AD Privileged Identity Management](../../active-directory/roles/security-planning.md). After you turn on Privileged Identity Management, youΓÇÖll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory. +**Detail**: Turn on [Microsoft Entra Privileged Identity Management](../../active-directory/roles/security-planning.md). After you turn on Privileged Identity Management, youΓÇÖll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory. -**Best practice**: Ensure all critical admin accounts are managed Azure AD accounts. +**Best practice**: Ensure all critical admin accounts are managed Microsoft Entra accounts. **Detail**: Remove any consumer accounts from critical admin roles (for example, Microsoft accounts like hotmail.com, live.com, and outlook.com). **Best practice**: Ensure all critical admin roles have a separate account for administrative tasks in order to avoid phishing and other attacks to compromise administrative privileges. **Detail**: Create a separate admin account thatΓÇÖs assigned the privileges needed to perform the administrative tasks. Block the use of these administrative accounts for daily productivity tools like Microsoft 365 email or arbitrary web browsing. 
**Best practice**: Identify and categorize accounts that are in highly privileged roles. -**Detail**: After turning on Azure AD Privileged Identity Management, view the users who are in the global administrator, privileged role administrator, and other highly privileged roles. Remove any accounts that are no longer needed in those roles, and categorize the remaining accounts that are assigned to admin roles: +**Detail**: After turning on Microsoft Entra Privileged Identity Management, view the users who are in the global administrator, privileged role administrator, and other highly privileged roles. Remove any accounts that are no longer needed in those roles, and categorize the remaining accounts that are assigned to admin roles: * Individually assigned to administrative users, and can be used for non-administrative purposes (for example, personal email) * Individually assigned to administrative users and designated for administrative purposes only The following summarizes the best practices found in [Securing privileged access * For external users **Best practice**: Implement ΓÇ£just in timeΓÇ¥ (JIT) access to further lower the exposure time of privileges and increase your visibility into the use of privileged accounts. -**Detail**: Azure AD Privileged Identity Management lets you: +**Detail**: Microsoft Entra Privileged Identity Management lets you: * Limit users to only taking on their privileges JIT. * Assign roles for a shortened duration with confidence that the privileges are revoked automatically. **Best practice**: Define at least two emergency access accounts. -**Detail**: Emergency access accounts help organizations restrict privileged access in an existing Azure Active Directory environment. These accounts are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to scenarios where normal administrative accounts canΓÇÖt be used. 
Organizations must limit the emergency account's usage to only the necessary amount of time. +**Detail**: Emergency access accounts help organizations restrict privileged access in an existing Microsoft Entra environment. These accounts are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to scenarios where normal administrative accounts canΓÇÖt be used. Organizations must limit the emergency account's usage to only the necessary amount of time. -Evaluate the accounts that are assigned or eligible for the global admin role. If you donΓÇÖt see any cloud-only accounts by using the `*.onmicrosoft.com` domain (intended for emergency access), create them. For more information, see [Managing emergency access administrative accounts in Azure AD](../../active-directory/roles/security-emergency-access.md). +Evaluate the accounts that are assigned or eligible for the global admin role. If you donΓÇÖt see any cloud-only accounts by using the `*.onmicrosoft.com` domain (intended for emergency access), create them. For more information, see [Managing emergency access administrative accounts in Microsoft Entra ID](../../active-directory/roles/security-emergency-access.md). **Best practice**: Have a ΓÇ£break glass" process in place in case of an emergency. -**Detail**: Follow the steps in [Securing privileged access for hybrid and cloud deployments in Azure AD](../../active-directory/roles/security-planning.md). +**Detail**: Follow the steps in [Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID](../../active-directory/roles/security-planning.md). -**Best practice**: Require all critical admin accounts to be password-less (preferred), or require Multi-Factor Authentication. -**Detail**: Use the [Microsoft Authenticator app](../../active-directory/authentication/howto-authentication-passwordless-phone.md) to sign in to any Azure AD account without using a password. 
Like [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification), the Microsoft Authenticator uses key-based authentication to enable a user credential thatΓÇÖs tied to a device and uses biometric authentication or a PIN. +**Best practice**: Require all critical admin accounts to be password-less (preferred), or require multifactor authentication. +**Detail**: Use the [Microsoft Authenticator app](../../active-directory/authentication/howto-authentication-passwordless-phone.md) to sign in to any Microsoft Entra account without using a password. Like [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification), the Microsoft Authenticator uses key-based authentication to enable a user credential thatΓÇÖs tied to a device and uses biometric authentication or a PIN. -Require Azure AD Multi-Factor Authentication at sign-in for all individual users who are permanently assigned to one or more of the Azure AD admin roles: Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator. Enable [Multi-Factor Authentication for your admin accounts](../../active-directory/authentication/howto-mfa-userstates.md) and ensure that admin account users have registered. +Require Microsoft Entra multifactor authentication at sign-in for all individual users who are permanently assigned to one or more of the Microsoft Entra admin roles: Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator. Enable [multifactor authentication for your admin accounts](../../active-directory/authentication/howto-mfa-userstates.md) and ensure that admin account users have registered. **Best practice**: For critical admin accounts, have an admin workstation where production tasks arenΓÇÖt allowed (for example, browsing and email). 
This will protect your admin accounts from attack vectors that use browsing and email and significantly lower your risk of a major incident. **Detail**: Use an admin workstation. Choose a level of workstation security: Require Azure AD Multi-Factor Authentication at sign-in for all individual users [Turn on password hash synchronization](../../active-directory/roles/security-planning.md#turn-on-password-hash-synchronization) -[Require Multi-Factor Authentication for users in all privileged roles as well as exposed users](../../active-directory/roles/security-planning.md#require-multi-factor-authentication-for-users-in-privileged-roles-and-exposed-users) +[Require multifactor authentication for users in all privileged roles as well as exposed users](../../active-directory/roles/security-planning.md#require-multi-factor-authentication-for-users-in-privileged-roles-and-exposed-users) [Obtain your Microsoft 365 Secure Score (if using Microsoft 365)](../../active-directory/roles/security-planning.md#obtain-your-microsoft-365-secure-score-if-using-microsoft-365) Organizations that are not controlling how resources are created are more suscep ## Actively monitor for suspicious activities -An active identity monitoring system can quickly detect suspicious behavior and trigger an alert for further investigation. The following table lists Azure AD capabilities that can help organizations monitor their identities: +An active identity monitoring system can quickly detect suspicious behavior and trigger an alert for further investigation. The following table lists Microsoft Entra capabilities that can help organizations monitor their identities: **Best practice**: Have a method to identify: An active identity monitoring system can quickly detect suspicious behavior and - Sign-ins from [infected devices](../../active-directory/reports-monitoring/howto-access-activity-logs.md). - Suspicious IP addresses. 
-**Detail**: Use Azure AD Premium [anomaly reports](../../active-directory/reports-monitoring/overview-reports.md). Have processes and procedures in place for IT admins to run these reports on a daily basis or on demand (usually in an incident response scenario). +**Detail**: Use Microsoft Entra ID P1 or P2 [anomaly reports](../../active-directory/reports-monitoring/overview-reports.md). Have processes and procedures in place for IT admins to run these reports on a daily basis or on demand (usually in an incident response scenario). **Best practice**: Have an active monitoring system that notifies you of risks and can adjust risk level (high, medium, or low) to your business requirements. -**Detail**: Use [Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md), which flags the current risks on its own dashboard and sends daily summary notifications via email. To help protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level is reached. +**Detail**: Use [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md), which flags the current risks on its own dashboard and sends daily summary notifications via email. To help protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level is reached. Organizations that donΓÇÖt actively monitor their identity systems are at risk of having user credentials compromised. Without knowledge that suspicious activities are taking place through these credentials, organizations canΓÇÖt mitigate this type of threat. -## Use Azure AD for storage authentication -[Azure Storage](../../storage/blobs/authorize-access-azure-active-directory.md) supports authentication and authorization with Azure AD for Blob storage and Queue storage. 
With Azure AD authentication, you can use the Azure role-based access control to grant specific permissions to users, groups, and applications down to the scope of an individual blob container or queue. +<a name='use-azure-ad-for-storage-authentication'></a> ++## Use Microsoft Entra ID for storage authentication +[Azure Storage](../../storage/blobs/authorize-access-azure-active-directory.md) supports authentication and authorization with Microsoft Entra ID for Blob storage and Queue storage. With Microsoft Entra authentication, you can use the Azure role-based access control to grant specific permissions to users, groups, and applications down to the scope of an individual blob container or queue. -We recommend that you use [Azure AD for authenticating access to storage](https://azure.microsoft.com/blog/azure-storage-support-for-azure-ad-based-access-control-now-generally-available/). +We recommend that you use [Microsoft Entra ID for authenticating access to storage](https://azure.microsoft.com/blog/azure-storage-support-for-azure-ad-based-access-control-now-generally-available/). ## Next step |
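Review bot: in the hunk that rewrites the link text to "Require multifactor authentication for users in all privileged roles as well as exposed users", the fragment `#require-multi-factor-authentication-for-users-in-privileged-roles-and-exposed-users` is left unchanged; if the target heading in security-planning.md was renamed in the same rebrand, that deep link stops resolving, so either confirm the heading there still generates this anchor or preserve the old anchor in the target with an `<a name='...'></a>` element, as the storage-authentication hunk in this same change does with `<a name='use-azure-ad-for-storage-authentication'></a>`.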
security | Identity Management Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/identity-management-overview.md | - Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud. Such protection enables additional levels of validation, such as Multi-Factor Authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues. [Azure Active Directory Premium](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) provides single sign-on (SSO) to thousands of cloud software as a service (SaaS) apps and access to web apps that you run on-premises. + Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud. Such protection enables additional levels of validation, such as multifactor authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues. [Microsoft Entra ID P1 or P2](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) provides single sign-on (SSO) to thousands of cloud software as a service (SaaS) apps and access to web apps that you run on-premises. -By taking advantage of the security benefits of Azure Active Directory (Azure AD), you can: +By taking advantage of the security benefits of Microsoft Entra ID, you can: * Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and devices in sync. 
* Provide SSO access to your applications, including thousands of pre-integrated SaaS apps.-* Enable application access security by enforcing rules-based Multi-Factor Authentication for both on-premises and cloud applications. -* Provision secure remote access to on-premises web applications through Azure AD Application Proxy. +* Enable application access security by enforcing rules-based multifactor authentication for both on-premises and cloud applications. +* Provision secure remote access to on-premises web applications through Microsoft Entra application proxy. The goal of this article is to provide an overview of the core Azure security features that help with identity management. We also provide links to articles that give details of each feature so you can learn more. The article focuses on the following core Azure Identity management capabilities * Single sign-on * Reverse proxy-* Multi-Factor Authentication +* Multifactor authentication * Azure role-based access control (Azure RBAC) * Security monitoring, alerts, and machine learning-based reports * Consumer identity and access management The article focuses on the following core Azure Identity management capabilities * Privileged identity management * Identity protection * Hybrid identity management/Azure AD connect-* Azure AD access reviews +* Microsoft Entra access reviews ## Single sign-on SSO means being able to access all the applications and resources that you need Many organizations rely upon SaaS applications such as Microsoft 365, Box, and Salesforce for user productivity. Historically, IT staff needed to individually create and update user accounts in each SaaS application, and users had to remember a password for each SaaS application. 
-Azure AD extends on-premises Active Directory environments into the cloud, enabling users to use their primary organizational account to sign in not only to their domain-joined devices and company resources, but also to all the web and SaaS applications they need for their jobs. +Microsoft Entra ID extends on-premises Active Directory environments into the cloud, enabling users to use their primary organizational account to sign in not only to their domain-joined devices and company resources, but also to all the web and SaaS applications they need for their jobs. -Not only do users not have to manage multiple sets of usernames and passwords, you can provision or de-provision application access automatically, based on their organizational groups and their employee status. Azure AD introduces security and access governance controls with which you can centrally manage users' access across SaaS applications. +Not only do users not have to manage multiple sets of usernames and passwords, you can provision or de-provision application access automatically, based on their organizational groups and their employee status. Microsoft Entra ID introduces security and access governance controls with which you can centrally manage users' access across SaaS applications. Learn more: Learn more: ## Reverse proxy -Azure AD Application Proxy lets you publish on-premises applications, such as [SharePoint](https://support.office.com/article/What-is-SharePoint-97b915e6-651b-43b2-827d-fb25777f446f?ui=en-US&rs=en-US&ad=US) sites, [Outlook Web App](/Exchange/clients/outlook-on-the-web/outlook-on-the-web), and [IIS](https://www.iis.net/)-based apps inside your private network and provides secure access to users outside your network. Application Proxy provides remote access and SSO for many types of on-premises web applications with the thousands of SaaS applications that Azure AD supports. 
Employees can sign in to your apps from home on their own devices and authenticate through this cloud-based proxy. +Microsoft Entra application proxy lets you publish on-premises applications, such as [SharePoint](https://support.office.com/article/What-is-SharePoint-97b915e6-651b-43b2-827d-fb25777f446f?ui=en-US&rs=en-US&ad=US) sites, [Outlook Web App](/Exchange/clients/outlook-on-the-web/outlook-on-the-web), and [IIS](https://www.iis.net/)-based apps inside your private network and provides secure access to users outside your network. Application Proxy provides remote access and SSO for many types of on-premises web applications with the thousands of SaaS applications that Microsoft Entra ID supports. Employees can sign in to your apps from home on their own devices and authenticate through this cloud-based proxy. Learn more: -* [Enabling Azure AD Application Proxy](../../active-directory/app-proxy/application-proxy-add-on-premises-application.md) -* [Publish applications using Azure AD Application Proxy](../../active-directory/app-proxy/application-proxy-add-on-premises-application.md) +* [Enabling Microsoft Entra application proxy](../../active-directory/app-proxy/application-proxy-add-on-premises-application.md) +* [Publish applications using Microsoft Entra application proxy](../../active-directory/app-proxy/application-proxy-add-on-premises-application.md) * [Single sign-on with Application Proxy](../../active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.md) * [Working with Conditional Access](../../active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server.md) -## Multi-Factor Authentication +<a name='multi-factor-authentication'></a> -Azure AD Multi-Factor Authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. 
Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options: phone calls, text messages, or mobile app notifications or verification codes and third-party OAuth tokens. +## Multifactor authentication -Learn more: [How Azure AD Multi-Factor Authentication works](../../active-directory/authentication/concept-mfa-howitworks.md) +Microsoft Entra multifactor authentication is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. Multifactor authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options: phone calls, text messages, or mobile app notifications or verification codes and third-party OAuth tokens. ++Learn more: [How Microsoft Entra multifactor authentication works](../../active-directory/authentication/concept-mfa-howitworks.md) ## Azure RBAC Learn more: ## Security monitoring, alerts, and machine learning-based reports -Security monitoring, alerts, and machine learning-based reports that identify inconsistent access patterns can help you protect your business. You can use Azure AD access and usage reports to gain visibility into the integrity and security of your organization's directory. With this information, a directory administrator can better determine where possible security risks might lie so that they can adequately plan to mitigate those risks. +Security monitoring, alerts, and machine learning-based reports that identify inconsistent access patterns can help you protect your business. You can use Microsoft Entra ID access and usage reports to gain visibility into the integrity and security of your organization's directory. 
With this information, a directory administrator can better determine where possible security risks might lie so that they can adequately plan to mitigate those risks. In the Azure portal, reports fall into the following categories: * **Anomaly reports**: Contain sign-in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to determine whether an event is suspicious.-* **Integrated Application reports**: Provide insights into how cloud applications are being used in your organization. Azure AD offers integration with thousands of cloud applications. +* **Integrated Application reports**: Provide insights into how cloud applications are being used in your organization. Microsoft Entra ID offers integration with thousands of cloud applications. * **Error reports**: Indicate errors that might occur when you provision accounts to external applications. * **User-specific reports**: Display device sign-in activity data for a specific user. * **Activity logs**: Contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, and group activity changes and password reset and registration activity. -Learn more: [Azure Active Directory reporting guide](../../active-directory/reports-monitoring/overview-reports.md) +Learn more: [Microsoft Entra ID reporting guide](../../active-directory/reports-monitoring/overview-reports.md) ## Consumer identity and access management Learn more: ## Device registration -Azure AD device registration is the foundation for device-based [Conditional Access](../../active-directory/devices/manage-device-identities.md) scenarios. When a device is registered, Azure AD device registration provides the device with an identity that it uses to authenticate the device when a user signs in. The authenticated device and the attributes of the device can then be used to enforce Conditional Access policies for applications that are hosted in the cloud and on-premises. 
+Microsoft Entra device registration is the foundation for device-based [Conditional Access](../../active-directory/devices/manage-device-identities.md) scenarios. When a device is registered, Microsoft Entra device registration provides the device with an identity that it uses to authenticate the device when a user signs in. The authenticated device and the attributes of the device can then be used to enforce Conditional Access policies for applications that are hosted in the cloud and on-premises. -When combined with a mobile device management solution such as Intune, the device attributes in Azure AD are updated with additional information about the device. You can then create Conditional Access rules that enforce access from devices to meet your standards for security and compliance. +When combined with a mobile device management solution such as Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. You can then create Conditional Access rules that enforce access from devices to meet your standards for security and compliance. Learn more: -* [Get started with Azure AD device registration](../../active-directory/devices/manage-device-identities.md) -* [Automatic device registration with Azure AD for Windows domain-joined devices](../../active-directory/devices/hybrid-join-plan.md#review-supported-devices) +* [Get started with Microsoft Entra device registration](../../active-directory/devices/manage-device-identities.md) +* [Automatic device registration with Microsoft Entra ID for Windows domain-joined devices](../../active-directory/devices/hybrid-join-plan.md#review-supported-devices) ## Privileged identity management -With Azure AD Privileged Identity Management, you can manage, control, and monitor your privileged identities and access to resources in Azure AD as well as other Microsoft online services, such as Microsoft 365 and Microsoft Intune. 
+With Microsoft Entra Privileged Identity Management, you can manage, control, and monitor your privileged identities and access to resources in Microsoft Entra ID as well as other Microsoft online services, such as Microsoft 365 and Microsoft Intune. -Users sometimes need to carry out privileged operations in Azure or Microsoft 365 resources, or in other SaaS apps. This need often means that organizations have to give users permanent privileged access in Azure AD. Such access is a growing security risk for cloud-hosted resources, because organizations can't sufficiently monitor what the users are doing with their administrator privileges. Additionally, if a user account with privileged access is compromised, that one breach could affect the organization's overall cloud security. Azure AD Privileged Identity Management helps to mitigate this risk. +Users sometimes need to carry out privileged operations in Azure or Microsoft 365 resources, or in other SaaS apps. This need often means that organizations have to give users permanent privileged access in Microsoft Entra ID. Such access is a growing security risk for cloud-hosted resources, because organizations can't sufficiently monitor what the users are doing with their administrator privileges. Additionally, if a user account with privileged access is compromised, that one breach could affect the organization's overall cloud security. Microsoft Entra Privileged Identity Management helps to mitigate this risk. -With Azure AD Privileged Identity Management, you can: +With Microsoft Entra Privileged Identity Management, you can: -* See which users are Azure AD administrators. +* See which users are Microsoft Entra administrators. * Enable on-demand, just-in-time (JIT) administrative access to Microsoft services such as Microsoft 365 and Intune. * Get reports about administrator access history and changes in administrator assignments. * Get alerts about access to a privileged role. 
Learn more: -* [What is Azure AD Privileged Identity Management?](../../active-directory/privileged-identity-management/pim-configure.md) -* [Assign Azure AD directory roles in PIM](../../active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md) +* [What is Microsoft Entra Privileged Identity Management?](../../active-directory/privileged-identity-management/pim-configure.md) +* [Assign Microsoft Entra directory roles in PIM](../../active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md) ## Identity protection -Azure AD Identity Protection is a security service that provides a consolidated view into risk detections and potential vulnerabilities that affect your organization's identities. Identity Protection takes advantage of existing Azure AD anomaly-detection capabilities, which are available through Azure AD Anomalous Activity reports. Identity Protection also introduces new risk detection types that can detect anomalies in real time. +Microsoft Entra ID Protection is a security service that provides a consolidated view into risk detections and potential vulnerabilities that affect your organization's identities. Identity Protection takes advantage of existing Microsoft Entra anomaly-detection capabilities, which are available through Microsoft Entra Anomalous Activity reports. Identity Protection also introduces new risk detection types that can detect anomalies in real time. -Learn more: [Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) +Learn more: [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) -## Hybrid identity management/Azure AD connect +## Hybrid identity management (Microsoft Entra Connect) -Microsoft's identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. 
We call this hybrid identity. Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. This allows you to provide a common identity for your users for Microsoft 365, Azure, and SaaS applications integrated with Azure AD. It provides the following features: +Microsoft's identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity. Microsoft Entra Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. This allows you to provide a common identity for your users for Microsoft 365, Azure, and SaaS applications integrated with Microsoft Entra ID. It provides the following features: * Synchronization * AD FS and federation integration Microsoft's identity solutions span on-premises and cloud-based capabilities, cr Learn more: * [Hybrid identity white paper](https://download.microsoft.com/download/D/B/A/DBA9E313-B833-48EE-998A-240AA799A8AB/Hybrid_Identity_White_Paper.pdf)-* [Azure Active Directory](../../active-directory/index.yml) +* [Microsoft Entra ID](../../active-directory/index.yml) ++<a name='azure-ad-access-reviews'></a> -## Azure AD access reviews +## Microsoft Entra access reviews -Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and privileged role assignments. +Microsoft Entra access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and privileged role assignments. -Learn more: [Microsoft Entra access reviews](../../active-directory/governance/access-reviews-overview.md) +Learn more: [Microsoft Entra access reviews](../../active-directory/governance/access-reviews-overview.md) |
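Review bot: the capabilities list near the top of the article still reads `* Hybrid identity management/Azure AD connect` while the matching heading later in this same change becomes `## Hybrid identity management (Microsoft Entra Connect)`; rename the list item to match so the overview list and the section heading agree.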
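Review bot: the hunk that renames `## Hybrid identity management/Azure AD connect` to `## Hybrid identity management (Microsoft Entra Connect)` adds no `<a name=...>` element for the old heading's anchor, unlike the multifactor-authentication and access-reviews headings in this same change, which each keep one (`<a name='multi-factor-authentication'></a>`, `<a name='azure-ad-access-reviews'></a>`) so existing deep links keep working; add one here for consistency. In the same region, the `-Learn more: [Microsoft Entra access reviews]` / `+Learn more: [Microsoft Entra access reviews]` pair shows no visible text difference, which suggests a whitespace-only edit that could be dropped from the diff.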
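Review bot: in the reverse proxy hunk the added paragraph opens with "Microsoft Entra application proxy" but its second sentence still says "Application Proxy provides remote access and SSO", and the unchanged bullet `[Single sign-on with Application Proxy]` keeps the old capitalization; pick one form (the rebrand elsewhere in this change uses lowercase "application proxy") and apply it throughout the section.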
security | Infrastructure Components | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/infrastructure-components.md | Various engineering groups, known as service teams, manage the support of the Az The service teams are: - Application Platform-- Azure Active Directory+- Microsoft Entra ID - Azure Compute - Azure Net - Cloud Engineering Services |
security | Infrastructure Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/infrastructure-operations.md | To ensure the secure execution of services running in the Azure environment, the If any anomalies occur, the incident response process followed by the Azure incident triage team is activated. The appropriate Azure support personnel are notified to respond to the incident. Issue tracking and resolution are documented and managed in a centralized ticketing system. System uptime metrics are available under the non-disclosure agreement (NDA) and upon request. ## Corporate network and multi-factor access to production-The corporate network user base includes Azure support personnel. The corporate network supports internal corporate functions and includes access to internal applications that are used for Azure customer support. The corporate network is both logically and physically separated from the Azure production network. Azure personnel access the corporate network by using Azure workstations and laptops. All users must have an Azure Active Directory (Azure AD) account, including a username and password, to access corporate network resources. Corporate network access uses Azure AD accounts, which are issued to all Microsoft personnel, contractors, and vendors and managed by Microsoft Information Technology. Unique user identifiers distinguish personnel based on their employment status at Microsoft. +The corporate network user base includes Azure support personnel. The corporate network supports internal corporate functions and includes access to internal applications that are used for Azure customer support. The corporate network is both logically and physically separated from the Azure production network. Azure personnel access the corporate network by using Azure workstations and laptops. All users must have a Microsoft Entra account, including a username and password, to access corporate network resources. 
Corporate network access uses Microsoft Entra accounts, which are issued to all Microsoft personnel, contractors, and vendors and managed by Microsoft Information Technology. Unique user identifiers distinguish personnel based on their employment status at Microsoft. Access to internal Azure applications is controlled through authentication with Active Directory Federation Services (AD FS). AD FS is a service hosted by Microsoft Information Technology that provides authentication of corporate network users through applying a secure token and user claims. AD FS enables internal Azure applications to authenticate users against the Microsoft corporate active directory domain. To access the production network from the corporate network environment, users must authenticate by using multi-factor authentication. |
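Review bot: the section heading `## Corporate network and multi-factor access to production` and the closing sentence "users must authenticate by using multi-factor authentication" keep the hyphenated spelling, while the other articles in this change set rewrite it as "multifactor authentication"; align the spelling here, and if the heading is renamed keep an `<a name=...>` element for its old anchor as the other renamed headings in the set do.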
security | Isolation Choices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/isolation-choices.md | This article outlines how Azure provides isolation against both malicious and no One of the primary benefits of cloud computing is concept of a shared, common infrastructure across numerous customers simultaneously, leading to economies of scale. This concept is called multi-tenancy. Microsoft works continuously to ensure that the multi-tenant architecture of Microsoft Cloud Azure supports security, confidentiality, privacy, integrity, and availability standards. -In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. With the identity platform provided by Microsoft Azure, a tenant is simply a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up for a Microsoft cloud service. +In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. With the identity platform provided by Microsoft Azure, a tenant is simply a dedicated instance of Microsoft Entra ID that your organization receives and owns when it signs up for a Microsoft cloud service. -Each Azure AD directory is distinct and separate from other Azure AD directories. Just like a corporate office building is a secure asset specific to only your organization, an Azure AD directory was also designed to be a secure asset for use by only your organization. The Azure AD architecture isolates customer data and identity information from co-mingling. This means that users and administrators of one Azure AD directory can't accidentally or maliciously access data in another directory. +Each Microsoft Entra directory is distinct and separate from other Microsoft Entra directories. 
Just like a corporate office building is a secure asset specific to only your organization, a Microsoft Entra directory was also designed to be a secure asset for use by only your organization. The Microsoft Entra architecture isolates customer data and identity information from co-mingling. This means that users and administrators of one Microsoft Entra directory can't accidentally or maliciously access data in another directory. ### Azure Tenancy -Azure tenancy (Azure Subscription) refers to a ΓÇ£customer/billingΓÇ¥ relationship and a unique [tenant](../../active-directory/develop/quickstart-create-new-tenant.md) in [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). Tenant level isolation in Microsoft Azure is achieved using Azure Active Directory and [Azure role-based access control](../../role-based-access-control/overview.md) offered by it. Each Azure subscription is associated with one Azure Active Directory (AD) directory. +Azure tenancy (Azure Subscription) refers to a ΓÇ£customer/billingΓÇ¥ relationship and a unique [tenant](../../active-directory/develop/quickstart-create-new-tenant.md) in [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md). Tenant level isolation in Microsoft Azure is achieved using Microsoft Entra ID and [Azure role-based access control](../../role-based-access-control/overview.md) offered by it. Each Azure subscription is associated with one Microsoft Entra directory. -Users, groups, and applications from that directory can manage resources in the Azure subscription. You can assign these access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. An Azure AD tenant is logically isolated using security boundaries so that no customer can access or compromise co-tenants, either maliciously or accidentally. 
Azure AD runs on ΓÇ£bare metalΓÇ¥ servers isolated on a segregated network segment, where host-level packet filtering and Windows Firewall block unwanted connections and traffic. +Users, groups, and applications from that directory can manage resources in the Azure subscription. You can assign these access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. A Microsoft Entra tenant is logically isolated using security boundaries so that no customer can access or compromise co-tenants, either maliciously or accidentally. Microsoft Entra ID runs on ΓÇ£bare metalΓÇ¥ servers isolated on a segregated network segment, where host-level packet filtering and Windows Firewall block unwanted connections and traffic. :::image type="content" source="media/isolation-choices/azure-isolation-fig-1.svg" alt-text="Diagram showing Azure tenancy." border="false"::: -- Access to data in Azure AD requires user authentication via a security token service (STS). Information on the userΓÇÖs existence, enabled state, and role is used by the authorization system to determine whether the requested access to the target tenant is authorized for this user in this session.+- Access to data in Microsoft Entra ID requires user authentication via a security token service (STS). Information on the userΓÇÖs existence, enabled state, and role is used by the authorization system to determine whether the requested access to the target tenant is authorized for this user in this session. - Tenants are discrete containers and there's no relationship between these. - No access across tenants unless tenant admin grants it through federation or provisioning user accounts from other tenants. -- Physical access to servers that comprise the Azure AD service, and direct access to Azure ADΓÇÖs back-end systems, is restricted.+- Physical access to servers that comprise the Microsoft Entra service, and direct access to Microsoft Entra IDΓÇÖs back-end systems, is restricted. 
-- Azure AD users have no access to physical assets or locations, and therefore it isn't possible for them to bypass the logical Azure RBAC policy checks stated following.+- Microsoft Entra users have no access to physical assets or locations, and therefore it isn't possible for them to bypass the logical Azure RBAC policy checks stated following. -For diagnostics and maintenance needs, an operational model that employs a just-in-time privilege elevation system is required and used. Azure AD Privileged Identity Management (PIM) introduces the concept of an eligible admin. [Eligible admins](../../active-directory/privileged-identity-management/pim-configure.md) should be users that need privileged access now and then, but not every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time. +For diagnostics and maintenance needs, an operational model that employs a just-in-time privilege elevation system is required and used. Microsoft Entra Privileged Identity Management (PIM) introduces the concept of an eligible admin. [Eligible admins](../../active-directory/privileged-identity-management/pim-configure.md) should be users that need privileged access now and then, but not every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time. -![Azure AD Privileged Identity Management](./media/isolation-choices/azure-isolation-fig2.png) +![Microsoft Entra Privileged Identity Management](./media/isolation-choices/azure-isolation-fig2.png) -Azure Active Directory hosts each tenant in its own protected container, with policies and permissions to and within the container solely owned and managed by the tenant. +Microsoft Entra ID hosts each tenant in its own protected container, with policies and permissions to and within the container solely owned and managed by the tenant. 
The concept of tenant containers is deeply ingrained in the directory service at all layers, from portals all the way to persistent storage. -Even when metadata from multiple Azure Active Directory tenants is stored on the same physical disk, there's no relationship between the containers other than what is defined by the directory service, which in turn is dictated by the tenant administrator. +Even when metadata from multiple Microsoft Entra tenants is stored on the same physical disk, there's no relationship between the containers other than what is defined by the directory service, which in turn is dictated by the tenant administrator. ### Azure role-based access control (Azure RBAC) The rest of the Azure roles in Azure allow management of specific Azure resource [Azure built-in roles](../../role-based-access-control/built-in-roles.md) list the roles available in Azure. It specifies the operations and scope that each built-in role grants to users. If you're looking to define your own roles for even more control, see how to build [Custom roles in Azure RBAC](../../role-based-access-control/custom-roles.md). -Some other capabilities for Azure Active Directory include: +Some other capabilities for Microsoft Entra ID include: -- Azure AD enables SSO to SaaS applications, regardless of where they're hosted. Some applications are federated with Azure AD, and others use password SSO. Federated applications can also support user provisioning and [password vaulting](https://www.techopedia.com/definition/31415/password-vault).+- Microsoft Entra ID enables SSO to SaaS applications, regardless of where they're hosted. Some applications are federated with Microsoft Entra ID, and others use password SSO. Federated applications can also support user provisioning and [password vaulting](https://www.techopedia.com/definition/31415/password-vault). - Access to data in [Azure Storage](https://azure.microsoft.com/services/storage/) is controlled via authentication. 
Each storage account has a primary key ([storage account key](../../storage/common/storage-account-create.md), or SAK) and a secondary secret key (the shared access signature, or SAS). -- Azure AD provides Identity as a Service through federation by using [Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs), synchronization, and replication with on-premises directories.+- Microsoft Entra ID provides Identity as a Service through federation by using [Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs), synchronization, and replication with on-premises directories. -- [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) requires users to verify sign-ins by using a mobile app, phone call, or text message. It can be used with Azure AD to help secure on-premises resources with the Multi-Factor Authentication Server, and also with custom applications and directories using the SDK.+- [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) requires users to verify sign-ins by using a mobile app, phone call, or text message. It can be used with Microsoft Entra ID to help secure on-premises resources with the Multi-Factor Authentication Server, and also with custom applications and directories using the SDK. -- [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) lets you join Azure virtual machines to an Active Directory domain without deploying domain controllers. 
You can sign in to these virtual machines with your corporate Active Directory credentials and administer domain-joined virtual machines by using Group Policy to enforce security baselines on all your Azure virtual machines.+- [Microsoft Entra Domain Services](https://azure.microsoft.com/services/active-directory-ds/) lets you join Azure virtual machines to an Active Directory domain without deploying domain controllers. You can sign in to these virtual machines with your corporate Active Directory credentials and administer domain-joined virtual machines by using Group Policy to enforce security baselines on all your Azure virtual machines. - [Azure Active Directory B2C](https://azure.microsoft.com/services/active-directory-b2c/) provides a highly available global-identity management service for consumer-facing applications that scales to hundreds of millions of identities. It can be integrated across mobile and web platforms. Your consumers can sign in to all your applications through customizable experiences by using their existing social accounts or by creating credentials. Azure deployment has multiple layers of network isolation. The following diagram - Learn about [Network Isolation Options for Machines in Windows Azure Virtual Networks](https://azure.microsoft.com/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/). This includes the classic front-end and back-end scenario where machines in a particular back-end network or subnetwork may only allow certain clients or other computers to connect to a particular endpoint based on an allowlist of IP addresses. -- Learn about [virtual machine isolation in Azure](../../virtual-machines/isolation.md). Azure Compute offers virtual machine sizes that are isolated to a specific hardware type and dedicated to a single customer.+- Learn about [virtual machine isolation in Azure](../../virtual-machines/isolation.md). 
Azure Compute offers virtual machine sizes that are isolated to a specific hardware type and dedicated to a single customer. |
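Review bot: the rewritten `+` lines carry the mojibake sequences over from the lines they replace, e.g. `ΓÇ£customer/billingΓÇ¥`, `ΓÇ£bare metalΓÇ¥`, `userΓÇÖs` and `Microsoft Entra IDΓÇÖs`; since these sentences are being rewritten anyway, replace them with plain quotation marks and apostrophes ("customer/billing", "bare metal", user's, Microsoft Entra ID's) rather than preserving the encoding damage. In the same bullet, "bypass the logical Azure RBAC policy checks stated following" reads awkwardly; "described below" is clearer.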
security | Key Management Choose | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/key-management-choose.md | The chart refers to these common requirements: It also refers to these various key management use cases: -- _Encryption at rest_ is typically enabled for Azure IaaS, PaaS, and SaaS models. Applications such as Microsoft 365; Microsoft Purview Information Protection; platform services in which the cloud is used for storage, analytics, and service bus functionality; and infrastructure services in which operating systems and applications are hosted and deployed in the cloud use encryption at rest. _Customer managed keys for encryption at rest_ is used with Azure Storage and Azure AD. For highest security, keys should be HSM-backed, 3k or 4k RSA keys. For more information about encryption at rest, see [Azure Data Encryption at Rest](encryption-atrest.md).+- _Encryption at rest_ is typically enabled for Azure IaaS, PaaS, and SaaS models. Applications such as Microsoft 365; Microsoft Purview Information Protection; platform services in which the cloud is used for storage, analytics, and service bus functionality; and infrastructure services in which operating systems and applications are hosted and deployed in the cloud use encryption at rest. _Customer managed keys for encryption at rest_ is used with Azure Storage and Microsoft Entra ID. For highest security, keys should be HSM-backed, 3k or 4k RSA keys. For more information about encryption at rest, see [Azure Data Encryption at Rest](encryption-atrest.md). - _SSL/TLS Offload_ is supported on Azure Managed HSM and Azure Dedicated HSM. Customers have improved high availability, security, and best price point on Azure Managed HSM for F5 and Nginx. - _Lift and shift_ refer to scenarios where a PKCS11 application on-premises is migrated to Azure Virtual Machines and running software such as Oracle TDE in Azure Virtual Machines. 
Lift and shift requiring payment PIN processing is supported by Azure Payment HSM. All other scenarios are supported by Azure Dedicated HSM. Legacy APIs and libraries such as PKCS11, JCA/JCE, and CNG/KSP are only supported by Azure Dedicated HSM. - _Payment PIN processing_ includes allowing card and mobile payment authorization and 3D-Secure authentication; PIN generation, management, and validation; payment credential issuing for cards, wearables, and connected devices; securing keys and authentication data; and sensitive data protection for point-to-point encryption, security tokenization, and EMV payment tokenization. This also includes certifications such as PCI DSS, PCI 3DS, and PCI PIN. These are supported by Azure Payment HSM. |
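Review bot: in the `+` line for _Encryption at rest_, "_Customer managed keys for encryption at rest_ is used with Azure Storage and Microsoft Entra ID" has a plural subject and should read "are used"; while that sentence is touched, "HSM-backed, 3k or 4k RSA keys" would be more precise as "HSM-backed 3072-bit or 4096-bit RSA keys", since "3k" and "4k" are informal shorthand for those key sizes.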
security | Log Audit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/log-audit.md | The following table lists the most important types of logs available in Azure: | | -- | | -- | |[Activity logs](../../azure-monitor/essentials/platform-logs-overview.md)|Control-plane events on Azure Resource Manager resources| Provides insight into the operations that were performed on resources in your subscription.| REST API, [Azure Monitor](../../azure-monitor/essentials/platform-logs-overview.md)| |[Azure Resource logs](../../azure-monitor/essentials/platform-logs-overview.md)|Frequent data about the operation of Azure Resource Manager resources in subscription| Provides insight into operations that your resource itself performed.| Azure Monitor|-|[Azure Active Directory reporting](../../active-directory/reports-monitoring/overview-reports.md)|Logs and reports | Reports user sign-in activities and system activity information about users and group management.|[Microsoft Graph](/graph/overview)| +|[Microsoft Entra ID reporting](../../active-directory/reports-monitoring/overview-reports.md)|Logs and reports | Reports user sign-in activities and system activity information about users and group management.|[Microsoft Graph](/graph/overview)| |[Virtual machines and cloud services](../../azure-monitor/vm/monitor-virtual-machine.md)|Windows Event Log service and Linux Syslog| Captures system data and logging data on the virtual machines and transfers that data into a storage account of your choice.| Windows (using [Azure Diagnostics](../../azure-monitor/agents/diagnostics-extension-overview.md)] storage) and Linux in Azure Monitor| |[Azure Storage Analytics](/rest/api/storageservices/fileservices/storage-analytics)|Storage logging, provides metrics data for a storage account|Provides insight into trace requests, analyzes usage trends, and diagnoses issues with your storage account.| REST API or the [client 
library](/dotnet/api/overview/azure/storage)| |[Network security group (NSG) flow logs](../../network-watcher/network-watcher-nsg-flow-logging-overview.md)|JSON format, shows outbound and inbound flows on a per-rule basis|Displays information about ingress and egress IP traffic through a Network Security Group.|[Azure Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md)| |
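Review bot: the unchanged "Virtual machines and cloud services" row has a bracket mismatch in its last column, `Windows (using [Azure Diagnostics](../../azure-monitor/agents/diagnostics-extension-overview.md)] storage)`, where the `]` after the link should be dropped so the link renders and the parenthesis closes correctly; worth fixing in the same pass as the row rename directly above it.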
security | Management Monitoring Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/management-monitoring-overview.md | Learn more: * [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](antimalware.md) * [New Antimalware Options for Protecting Azure Virtual Machines](https://azure.microsoft.com/blog/new-antimalware-options-for-protecting-azure-virtual-machines/) -## Multi-Factor Authentication +<a name='multi-factor-authentication'></a> -Azure Active Directory Multi-Factor Authentication is a method of authentication that requires the use of more than one verification method. It adds a critical second layer of security to user sign-ins and transactions. +## Multifactor authentication -Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options (phone call, text message, or mobile app notification or verification code) and third-party OATH tokens. +Microsoft Entra multifactor authentication is a method of authentication that requires the use of more than one verification method. It adds a critical second layer of security to user sign-ins and transactions. ++Multifactor authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options (phone call, text message, or mobile app notification or verification code) and third-party OATH tokens. 
Learn more: -* [Multi-Factor Authentication](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication) -* [How Azure AD Multi-Factor Authentication works](../../active-directory/authentication/concept-mfa-howitworks.md) +* [Multifactor authentication](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication) +* [How Microsoft Entra multifactor authentication works](../../active-directory/authentication/concept-mfa-howitworks.md) ## ExpressRoute Learn more: ## Privileged Identity Management -Sometimes users need to carry out privileged operations in Azure resources or other SaaS applications. This often means organizations give them permanent privileged access in Azure Active Directory (Azure AD). +Sometimes users need to carry out privileged operations in Azure resources or other SaaS applications. This often means organizations give them permanent privileged access in Microsoft Entra ID. -This is a growing security risk for cloud-hosted resources because organizations can't sufficiently monitor what those users are doing with their privileged access. Additionally, if a user account with privileged access is compromised, that one breach can affect an organization's overall cloud security. Azure AD Privileged Identity Management helps to resolve this risk by lowering the exposure time of privileges and increasing visibility into usage. +This is a growing security risk for cloud-hosted resources because organizations can't sufficiently monitor what those users are doing with their privileged access. Additionally, if a user account with privileged access is compromised, that one breach can affect an organization's overall cloud security. Microsoft Entra Privileged Identity Management helps to resolve this risk by lowering the exposure time of privileges and increasing visibility into usage. 
-Privileged Identity Management introduces the concept of a temporary admin for a role or ΓÇ£just in timeΓÇ¥ administrator access. This kind of admin is a user who needs to complete an activation process for that assigned role. The activation process changes the assignment of the user to a role in Azure AD from inactive to active, for a specified time period. +Privileged Identity Management introduces the concept of a temporary admin for a role or ΓÇ£just in timeΓÇ¥ administrator access. This kind of admin is a user who needs to complete an activation process for that assigned role. The activation process changes the assignment of the user to a role in Microsoft Entra ID from inactive to active, for a specified time period. Learn more: -* [Azure AD Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md) +* [Microsoft Entra Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md) * [Start using Privileged Identity Management](../../active-directory/privileged-identity-management/pim-getting-started.md) ## Identity Protection -Azure AD Identity Protection provides a consolidated view of suspicious sign-in activities and potential vulnerabilities to help protect your business. Identity Protection detects suspicious activities for users and privileged (admin) identities, based on signals like: +Microsoft Entra ID Protection provides a consolidated view of suspicious sign-in activities and potential vulnerabilities to help protect your business. Identity Protection detects suspicious activities for users and privileged (admin) identities, based on signals like: * Brute-force attacks. * Leaked credentials. 
By providing notifications and recommended remediation, Identity Protection help Learn more: -* [Azure Active Directory Identity Protection](../../active-directory/identity-protection/concept-identity-protection-security-overview.md) +* [Microsoft Entra ID Protection](../../active-directory/identity-protection/concept-identity-protection-security-overview.md) ## Defender for Cloud |
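Review bot: the renamed link `[Multifactor authentication](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication)` still targets the old `#azure-ad-multi-factor-authentication` heading anchor; if that heading is being renamed to "multifactor authentication" in the same series of changes, the target needs the same `<a name='...'></a>` compatibility anchor this file adds for its own heading, otherwise the fragment link will silently stop resolving.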
security | Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/management.md | On a hardened workstation, the administrator runs a standard user account (which You can enforce all this by using [Group Policy Objects](../../active-directory-domain-services/manage-group-policy.md) (GPOs) in Active Directory Domain Services (AD DS) and applying them through your (local) management domain to all management accounts. ### Managing services, applications, and data-Azure cloud services configuration is performed through either the Azure portal or SMAPI, via the Windows PowerShell command-line interface or a custom-built application that takes advantage of these RESTful interfaces. Services using these mechanisms include Azure Active Directory (Azure AD), Azure Storage, Azure Websites, and Azure Virtual Network, and others. +Azure cloud services configuration is performed through either the Azure portal or SMAPI, via the Windows PowerShell command-line interface or a custom-built application that takes advantage of these RESTful interfaces. Services using these mechanisms include Microsoft Entra ID, Azure Storage, Azure Websites, and Azure Virtual Network, and others. Virtual Machine deployed applications provide their own client tools and interfaces as needed, such as the Microsoft Management Console (MMC), an enterprise management console (such as Microsoft System Center or Windows Intune), or another management application Microsoft SQL Server Management Studio, for example. These tools typically reside in an enterprise environment or client network. They may depend on specific network protocols, such as Remote Desktop Protocol (RDP), that require direct, stateful connections. Some may have web-enabled interfaces that shouldn't be openly published or accessible via the Internet. 
In general, helping to secure administrator workstations for use with the cloud ### Authentication You can use Azure logon restrictions to constrain source IP addresses for accessing administrative tools and audit access requests. To help Azure identify management clients (workstations and/or applications), you can configure both SMAPI (via customer-developed tools such as Windows PowerShell cmdlets) and the Azure portal to require client-side management certificates to be installed, in addition to TLS/SSL certificates. We also recommend that administrator access require multi-factor authentication. -Some applications or services that you deploy into Azure may have their own authentication mechanisms for both end-user and administrator access, whereas others take full advantage of Azure AD. Depending on whether you're federating credentials via Active Directory Federation Services (AD FS), using directory synchronization or maintaining user accounts solely in the cloud, using [Microsoft Identity Manager](/microsoft-identity-manager/) (part of Azure AD Premium) helps you manage identity lifecycles between the resources. +Some applications or services that you deploy into Azure may have their own authentication mechanisms for both end-user and administrator access, whereas others take full advantage of Microsoft Entra ID. Depending on whether you're federating credentials via Active Directory Federation Services (AD FS), using directory synchronization or maintaining user accounts solely in the cloud, using [Microsoft Identity Manager](/microsoft-identity-manager/) (part of Microsoft Entra ID P1 or P2) helps you manage identity lifecycles between the resources. ### Connectivity Several mechanisms are available to help secure client connections to your Azure virtual networks. 
Two of these mechanisms, site-to-site VPN (S2S) and [point-to-site VPN](../../vpn-gateway/vpn-gateway-howto-point-to-site-classic-azure-portal.md) (P2S), enable the use of industry standard IPsec (S2S) for encryption and tunneling. When Azure is connecting to public-facing Azure services management such as the Azure portal, Azure requires Hypertext Transfer Protocol Secure (HTTPS). |
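Review bot: the unchanged Authentication paragraph still says "We also recommend that administrator access require multi-factor authentication" while this series of changes standardizes on "multifactor authentication" elsewhere; align the spelling in the same commit. The rewritten `+` line also keeps "Azure Websites" in the list of services, which is a retired product name (now Azure App Service) and could be updated while the sentence is being edited.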
security | Network Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/network-best-practices.md | Networks need to evolve from traditional defenses because networks might be vuln Best practices are: **Best practice**: Give Conditional Access to resources based on device, identity, assurance, network location, and more. -**Detail**: [Azure AD Conditional Access](../../active-directory/conditional-access/overview.md) lets you apply the right access controls by implementing automated access control decisions based on the required conditions. For more information, see [Manage access to Azure management with Conditional Access](../../active-directory/conditional-access/howto-conditional-access-policy-azure-management.md). +**Detail**: [Microsoft Entra Conditional Access](../../active-directory/conditional-access/overview.md) lets you apply the right access controls by implementing automated access control decisions based on the required conditions. For more information, see [Manage access to Azure management with Conditional Access](../../active-directory/conditional-access/howto-conditional-access-policy-azure-management.md). **Best practice**: Enable port access only after workflow approval. **Detail**: You can use [just-in-time VM access in Microsoft Defender for Cloud](../../security-center/security-center-just-in-time.md) to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. **Best practice**: Grant temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. -**Detail**: Use just-in-time access in Azure AD Privileged Identity Management or in a third-party solution to grant permissions to perform privileged tasks. 
+**Detail**: Use just-in-time access in Microsoft Entra Privileged Identity Management or in a third-party solution to grant permissions to perform privileged tasks. Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the "assume breach" mindset, but this approach shouldn't be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace by using technologies that empower employees to be productive anytime, anywhere, in any way. Azure Private Link provides the following benefits: - **Access from On-premises and peered networks**: Access services running in Azure from on-premises over ExpressRoute private peering, VPN tunnels, and peered virtual networks using private endpoints. There's no need to configure ExpressRoute Microsoft peering or traverse the internet to reach the service. Private Link provides a secure way to migrate workloads to Azure. - **Protection against data leakage**: A private endpoint is mapped to an instance of a PaaS resource instead of the entire service. Consumers can only connect to the specific resource. Access to any other resource in the service is blocked. This mechanism provides protection against data leakage risks. - **Global reach**: Connect privately to services running in other regions. The consumer's virtual network could be in region A and it can connect to services in region B.-- **Simple to set up and manage**: You no longer need reserved, public IP addresses in your virtual networks to secure Azure resources through an IP firewall. There are no NAT or gateway devices required to set up the private endpoints. Private endpoints are configured through a simple workflow. On service side, you can also manage the connection requests on your Azure service resource with ease. Azure Private Link works for consumers and services belonging to different Azure Active Directory tenants too. 
+- **Simple to set up and manage**: You no longer need reserved, public IP addresses in your virtual networks to secure Azure resources through an IP firewall. There are no NAT or gateway devices required to set up the private endpoints. Private endpoints are configured through a simple workflow. On service side, you can also manage the connection requests on your Azure service resource with ease. Azure Private Link works for consumers and services belonging to different Microsoft Entra tenants too. To learn more about private endpoints and the Azure services and regions that private endpoints are available for, see [Azure Private Link](../../private-link/private-link-overview.md). |
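Review bot: the rewritten "Simple to set up and manage" bullet keeps the phrase "On service side, you can also manage the connection requests", which is missing an article; "On the service side" reads correctly. The rest of the bullet, including the "different Microsoft Entra tenants" rename, is fine.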
security | Operational Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/operational-best-practices.md | The best practices are based on a consensus of opinion, and they work with curre ## Define and deploy strong operational security practices Azure operational security refers to the services, controls, and features available to users for protecting their data, applications, and other assets in Azure. Azure operational security is built on a framework that incorporates the knowledge gained through capabilities that are unique to Microsoft, including the [Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl), the [Microsoft Security Response Center](https://www.microsoft.com/msrc?rtc=1) program, and deep awareness of the cybersecurity threat landscape. -## Enforce multi-factor verification for users +<a name='enforce-multi-factor-verification-for-users'></a> ++## Enforce multifactor verification for users We recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised (for example, financial officers). -There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you're running, and your licensing program. See [How to require two-step verification for a user](../../active-directory/authentication/howto-mfa-userstates.md) to determine the best option for you. See the [Azure AD](https://azure.microsoft.com/pricing/details/active-directory/) and [Azure AD Multi-Factor Authentication](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) pricing pages for more information about licenses and pricing. +There are multiple options for requiring two-step verification. 
The best option for you depends on your goals, the Microsoft Entra edition you're running, and your licensing program. See [How to require two-step verification for a user](../../active-directory/authentication/howto-mfa-userstates.md) to determine the best option for you. See the [Microsoft Entra ID](https://azure.microsoft.com/pricing/details/active-directory/) and [Microsoft Entra multifactor Authentication](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) pricing pages for more information about licenses and pricing. Following are options and benefits for enabling two-step verification: -**Option 1**: Enable MFA for all users and login methods with Azure AD Security Defaults +**Option 1**: Enable MFA for all users and login methods with Microsoft Entra Security Defaults **Benefit**: This option enables you to easily and quickly enforce MFA for all users in your environment with a stringent policy to: * Challenge administrative accounts and administrative logon mechanisms * Require MFA challenge via Microsoft Authenticator for all users * Restrict legacy authentication protocols. -This method is available to all licensing tiers but is not able to be mixed with existing Conditional Access policies. You can find more information in [Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) +This method is available to all licensing tiers but is not able to be mixed with existing Conditional Access policies. You can find more information in [Microsoft Entra Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) -**Option 2**: [Enable Multi-Factor Authentication by changing user state](../../active-directory/authentication/howto-mfa-userstates.md). -**Benefit**: This is the traditional method for requiring two-step verification. 
It works with both [Azure AD Multi-Factor Authentication in the cloud and Azure AD Multi-Factor Authentication Server](../../active-directory/authentication/concept-mfa-howitworks.md). Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies. +**Option 2**: [Enable multifactor authentication by changing user state](../../active-directory/authentication/howto-mfa-userstates.md). +**Benefit**: This is the traditional method for requiring two-step verification. It works with both [Microsoft Entra multifactor authentication in the cloud and Azure Multi-Factor Authentication Server](../../active-directory/authentication/concept-mfa-howitworks.md). Using this method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies. -To determine where Multi-Factor Authentication needs to be enabled, see [Which version of Azure AD MFA is right for my organization?](../../active-directory/authentication/concept-mfa-howitworks.md). +To determine where multifactor authentication needs to be enabled, see [Which version of Microsoft Entra multifactor authentication is right for my organization?](../../active-directory/authentication/concept-mfa-howitworks.md). -**Option 3**: [Enable Multi-Factor Authentication with Conditional Access policy](../../active-directory/authentication/howto-mfa-getstarted.md). +**Option 3**: [Enable multifactor authentication with Conditional Access policy](../../active-directory/authentication/howto-mfa-getstarted.md). **Benefit**: This option allows you to prompt for two-step verification under specific conditions by using [Conditional Access](../../active-directory/conditional-access/concept-conditional-access-policy-common.md). Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. 
Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience. -This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Azure AD Multi-Factor Authentication in the cloud and is a premium feature of Azure AD. You can find more information on this method in [Deploy cloud-based Azure AD Multi-Factor Authentication](../../active-directory/authentication/howto-mfa-getstarted.md). +This is the most flexible way to enable two-step verification for your users. Enabling a Conditional Access policy works only for Microsoft Entra multifactor authentication in the cloud and is a premium feature of Microsoft Entra ID. You can find more information on this method in [Deploy cloud-based Microsoft Entra multifactor authentication](../../active-directory/authentication/howto-mfa-getstarted.md). -**Option 4**: Enable Multi-Factor Authentication with Conditional Access policies by evaluating [Risk-based Conditional Access policies](../../active-directory/conditional-access/howto-conditional-access-policy-risk.md). +**Option 4**: Enable multifactor authentication with Conditional Access policies by evaluating [Risk-based Conditional Access policies](../../active-directory/conditional-access/howto-conditional-access-policy-risk.md). **Benefit**: This option enables you to: * Detect potential vulnerabilities that affect your organization's identities. * Configure automated responses to detected suspicious actions that are related to your organization's identities. * Investigate suspicious incidents and take appropriate action to resolve them. -This method uses the Azure AD Identity Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing. 
You can find more information on this method in [Azure Active Directory Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md). +This method uses the Microsoft Entra ID Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Microsoft Entra ID P2 licensing. You can find more information on this method in [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md). > [!Note]-> Option 2, enabling Multi-Factor Authentication by changing the user state, overrides Conditional Access policies. Because options 3 and 4 use Conditional Access policies, you cannot use option 2 with them. +> Option 2, enabling multifactor authentication by changing the user state, overrides Conditional Access policies. Because options 3 and 4 use Conditional Access policies, you cannot use option 2 with them. Organizations that don't add extra layers of identity protection, such as two-step verification, are more susceptible for credential theft attack. A credential theft attack can lead to data compromise. Organizations that don't add extra layers of identity protection, such as two-st The following table lists some best practices related to managing user passwords: **Best practice**: Ensure you have the proper level of password protection in the cloud. -**Detail**: Follow the guidance in [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/), which is scoped to users of the Microsoft identity platforms (Azure Active Directory, Active Directory, and Microsoft account). +**Detail**: Follow the guidance in [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/), which is scoped to users of the Microsoft identity platforms (Microsoft Entra ID, Active Directory, and Microsoft account). 
**Best practice**: Monitor for suspicious actions related to your user accounts. -**Detail**: Monitor for [users at risk](../../active-directory/identity-protection/overview-identity-protection.md) and [risky sign-ins](../../active-directory/identity-protection/overview-identity-protection.md) by using Azure AD security reports. +**Detail**: Monitor for [users at risk](../../active-directory/identity-protection/overview-identity-protection.md) and [risky sign-ins](../../active-directory/identity-protection/overview-identity-protection.md) by using Microsoft Entra security reports. **Best practice**: Automatically detect and remediate high-risk passwords. -**Detail**: [Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a feature of the Azure AD Premium P2 edition that enables you to: +**Detail**: [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a feature of the Microsoft Entra ID P2 edition that enables you to: - Detect potential vulnerabilities that affect your organizationΓÇÖs identities - Configure automated responses to detected suspicious actions that are related to your organizationΓÇÖs identities For more information, see [Create and manage policies to enforce compliance](../ **Best practice**: Azure Policy is a technical representation of an organization's written policies. Map all Azure Policy definitions to organizational policies to reduce confusion and increase consistency. **Detail**: Document mapping in your organization's documentation or in the Azure Policy definition itself by adding a reference to the organizational policy in the [policy definition](../../governance/policy/concepts/definition-structure.md#display-name-and-description) or the [initiative definition](../../governance/policy/concepts/initiative-definition-structure.md#metadata) description. 
-## Monitor Azure AD risk reports -The vast majority of security breaches take place when attackers gain access to an environment by stealing a userΓÇÖs identity. Discovering compromised identities is no easy task. Azure AD uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your user accounts. Each detected suspicious action is stored in a record called a [risk detection](../../active-directory/identity-protection/overview-identity-protection.md). Risk detections are recorded in Azure AD security reports. For more information, read about the [users at risk security report](../../active-directory/identity-protection/overview-identity-protection.md) and the [risky sign-ins security report](../../active-directory/identity-protection/overview-identity-protection.md). +<a name='monitor-azure-ad-risk-reports'></a> ++## Monitor Microsoft Entra risk reports +The vast majority of security breaches take place when attackers gain access to an environment by stealing a userΓÇÖs identity. Discovering compromised identities is no easy task. Microsoft Entra ID uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your user accounts. Each detected suspicious action is stored in a record called a [risk detection](../../active-directory/identity-protection/overview-identity-protection.md). Risk detections are recorded in Microsoft Entra security reports. For more information, read about the [users at risk security report](../../active-directory/identity-protection/overview-identity-protection.md) and the [risky sign-ins security report](../../active-directory/identity-protection/overview-identity-protection.md). ## Next steps See [Azure security best practices and patterns](best-practices-and-patterns.md) for more security best practices to use when youΓÇÖre designing, deploying, and managing your cloud solutions by using Azure. |
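Review bot: the pricing sentence in the `+` text still reads "Microsoft Entra multifactor Authentication" with a capital A, while the same hunk writes "Microsoft Entra multifactor authentication" in the Option 2, Option 3 and Option 4 lines and in the "Which version of Microsoft Entra multifactor authentication is right for my organization?" link; lowercase "authentication" there so the rename pass is consistent. Keeping the `<a name='enforce-multi-factor-verification-for-users'></a>` and `<a name='monitor-azure-ad-risk-reports'></a>` anchors above the renamed headings is the right call, since external links to the old heading fragments keep resolving.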
security | Operational Checklist | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/operational-checklist.md | This checklist is intended to help enterprises think through various operational | [<br>Security Roles & Access Controls](../../defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md)|<ul><li>Use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md) to provide user-specific that used to assign permissions to users, groups, and applications at a certain scope.</li></ul> | | [<br>Data Protection & Storage](../../storage/blobs/security-recommendations.md)|<ul><li>Use Management Plane Security to secure your Storage Account using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md).</li><li>Data Plane Security to Securing Access to your Data using [Shared Access Signatures (SAS)](../../storage/common/storage-sas-overview.md) and Stored Access Policies.</li><li>Use Transport-Level Encryption ΓÇô Using HTTPS and the encryption used by [SMB (Server message block protocols) 3.0](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) for [Azure File Shares](../../storage/files/storage-dotnet-how-to-use-files.md).</li><li>Use [Client-side encryption](../../storage/common/storage-client-side-encryption.md) to secure data that you send to storage accounts when you require sole control of encryption keys. 
</li><li>Use [Storage Service Encryption (SSE)](../../storage/common/storage-service-encryption.md) to automatically encrypt data in Azure Storage, and [Azure Disk Encryption for Linux VMs](../../virtual-machines/linux/disk-encryption-overview.md) and [Azure Disk Encryption for Windows VMs](../../virtual-machines/linux/disk-encryption-overview.md) to encrypt virtual machine disk files for the OS and data disks.</li><li>Use Azure [Storage Analytics](/rest/api/storageservices/storage-analytics) to monitor authorization type; like with Blob Storage, you can see if users have used a Shared Access Signature or the storage account keys.</li><li>Use [Cross-Origin Resource Sharing (CORS)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) to access storage resources from different domains.</li></ul> | |[<br>Security Policies & Recommendations](../../defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md#security-policies-and-recommendations)|<ul><li>Use [Microsoft Defender for Cloud](../../defender-for-cloud/integration-defender-for-endpoint.md) to deploy endpoint solutions.</li><li>Add a [web application firewall (WAF)](../../web-application-firewall/ag/ag-overview.md) to secure web applications.</li><li>Use [Azure Firewall](../../firewall/overview.md) to increase your security protections. </li><li>Apply security contact details for your Azure subscription. 
The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn528958.aspx) (MSRC) contacts you if it discovers that your customer data has been accessed by an unlawful or unauthorized party.</li></ul> |-| [<br>Identity & Access Management](identity-management-best-practices.md)|<ul><li>[Synchronize your on-premises directory with your cloud directory using Azure AD](../../active-directory/hybrid/whatis-hybrid-identity.md).</li><li>Use [single sign-on](../../active-directory/manage-apps/what-is-single-sign-on.md) to enable users to access their SaaS applications based on their organizational account in Azure AD.</li><li>Use the [Password Reset Registration Activity](../../active-directory/authentication/howto-sspr-reporting.md) report to monitor the users that are registering.</li><li>Enable [multi-factor authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md) for users.</li><li>Developers to use secure identity capabilities for apps like [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/download/details.aspx?id=12379).</li><li>Actively monitor for suspicious activities by using Azure AD Premium anomaly reports and [Azure AD identity protection capability](../../active-directory/identity-protection/overview-identity-protection.md).</li></ul> | +| [<br>Identity & Access Management](identity-management-best-practices.md)|<ul><li>[Synchronize your on-premises directory with your cloud directory using Microsoft Entra ID](../../active-directory/hybrid/whatis-hybrid-identity.md).</li><li>Use [single sign-on](../../active-directory/manage-apps/what-is-single-sign-on.md) to enable users to access their SaaS applications based on their organizational account in Azure AD.</li><li>Use the [Password Reset Registration Activity](../../active-directory/authentication/howto-sspr-reporting.md) report to monitor the users that are registering.</li><li>Enable [multi-factor authentication 
(MFA)](../../active-directory/authentication/concept-mfa-howitworks.md) for users.</li><li>Developers to use secure identity capabilities for apps like [Microsoft Security Development Lifecycle (SDL)](https://www.microsoft.com/download/details.aspx?id=12379).</li><li>Actively monitor for suspicious activities by using Microsoft Entra ID P1 or P2 anomaly reports and [Microsoft Entra ID Protection capability](../../active-directory/identity-protection/overview-identity-protection.md).</li></ul> | |[<br>Ongoing Security Monitoring](../../defender-for-cloud/defender-for-cloud-introduction.md)|<ul><li>Use Malware Assessment Solution [Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) to report on the status of antimalware protection in your infrastructure.</li><li>Use [Update Management](../../automation/update-management/overview.md) to determine the overall exposure to potential security problems, and whether or how critical these updates are for your environment.</li><li>The [Microsoft Entra admin center](https://entra.microsoft.com) provides visibility into the integrity and security of your organization's directory. | | [<br>Microsoft Defender for Cloud detection capabilities](../../security-center/security-center-alerts-overview.md#detect-threats)|<ul><li>Use [Cloud Security Posture Management](../../defender-for-cloud/concept-cloud-security-posture-management.md) (CSPM) for hardening guidance that helps you efficiently and effectively improve your security.</li><li>Use [alerts](../../defender-for-cloud/alerts-overview.md) to be notified when threats are identified in your cloud, hybrid, or on-premises environment. </li><li>Use [security policies, initiatives, and recommendations](../../defender-for-cloud/security-policy-concept.md) to improve your security posture.</li></ul> | |
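Review bot: the `+` Identity & Access Management row renames "Azure AD" in the synchronization item but leaves "based on their organizational account in Azure AD" unchanged in the single sign-on item; for a rename commit that should become "Microsoft Entra ID" as well, otherwise the row mixes both names. While in this file, the unchanged Data Protection & Storage row links "Azure Disk Encryption for Windows VMs" to `../../virtual-machines/linux/disk-encryption-overview.md`, the same Linux path as the preceding Linux link, which is visible in the context lines and worth a follow-up fix.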
security | Operational Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/operational-overview.md | For more information, see the [Azure Backup components table](../../backup/backu [Azure Site Recovery](../../site-recovery/index.yml) provides business continuity by orchestrating the replication of on-premises virtual and physical machines to Azure, or to a secondary site. If your primary site is unavailable, you fail over to the secondary location so that users can keep working. You fail back when systems return to working order. Use Microsoft Defender for Cloud to perform more intelligent and effective threat detection. -## Azure Active Directory +<a name='azure-active-directory'></a> -[Azure Active Directory (Azure AD)](../../active-directory/manage-apps/what-is-application-management.md) is a comprehensive identity service that: +## Microsoft Entra ID ++[Microsoft Entra ID](../../active-directory/manage-apps/what-is-application-management.md) is a comprehensive identity service that: - Enables identity and access management (IAM) as a cloud service. - Provides central access management, single sign-on (SSO), and reporting. - Supports integrated access management for [thousands of applications](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.AzureActiveDirectory) in the Azure Marketplace, including Salesforce, Google Apps, Box, and Concur. 
-Azure AD also includes a full suite of [identity management capabilities](./identity-management-overview.md#security-monitoring-alerts-and-machine-learning-based-reports), including these: +Microsoft Entra ID also includes a full suite of [identity management capabilities](./identity-management-overview.md#security-monitoring-alerts-and-machine-learning-based-reports), including these: - [Multi-factor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) - [Self-service password management](https://azure.microsoft.com/resources/videos/self-service-password-reset-azure-ad/) Azure AD also includes a full suite of [identity management capabilities](./iden - [Rich auditing](../../active-directory/reports-monitoring/concept-audit-logs.md) - [Security monitoring and alerting](../../security-center/security-center-managing-and-responding-alerts.md) -With Azure Active Directory, all applications that you publish for your partners and customers (business or consumer) have the same identity and access management capabilities. This enables you to significantly reduce your operational costs. +With Microsoft Entra ID, all applications that you publish for your partners and customers (business or consumer) have the same identity and access management capabilities. This enables you to significantly reduce your operational costs. ## Microsoft Defender for Cloud |
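Review bot: the `+` lines rename the heading, the intro sentence and the closing paragraph, but the first item of the capabilities list that immediately follows the renamed intro still reads "[Multi-factor authentication]" while the Operational Security change in the same batch switches to "multifactor authentication"; consider updating that bullet in this commit so the two articles use one spelling. Adding `<a name='azure-active-directory'></a>` before the new `## Microsoft Entra ID` heading correctly preserves existing deep links to the old heading.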
security | Operational Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/operational-security.md | This white paper outlines MicrosoftΓÇÖs approach to Azure Operational Security w 5. [Azure Storage analytics](/rest/api/storageservices/fileservices/storage-analytics) -6. [Azure Active directory](../../active-directory/fundamentals/active-directory-whatis.md) +6. [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) ## Microsoft Azure Monitor logs The following types of authenticated and anonymous requests are logged. | Requests to analytics data | Failed GET requests with error code 304 (Not Modified) | | Requests made by Storage Analytics itself, such as log creation or deletion, are not logged. A full list of the logged data is documented in the [Storage Analytics Logged Operations and Status Messages](/rest/api/storageservices/fileservices/storage-analytics-logged-operations-and-status-messages) and [Storage Analytics Log Format](/rest/api/storageservices/fileservices/storage-analytics-log-format) topics. | All other failed anonymous requests are not logged. A full list of the logged data is documented in the [Storage Analytics Logged Operations and Status Messages](/rest/api/storageservices/fileservices/storage-analytics-logged-operations-and-status-messages) and [Storage Analytics Log Format](/rest/api/storageservices/fileservices/storage-analytics-log-format). | -## Azure Active Directory +<a name='azure-active-directory'></a> -Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing,and security monitoring and alerting. 
+## Microsoft Entra ID -- Improve application security with Azure AD multifactor authentication and Conditional Access.+Microsoft Entra ID also includes a full suite of identity management capabilities including multifactor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing,and security monitoring and alerting. ++- Improve application security with Microsoft Entra multifactor authentication and Conditional Access. - Monitor application usage and protect your business from advanced threats with security reporting and monitoring. -Azure Active Directory (Azure AD) includes security, activity, and audit reports for your directory. [The Azure Active Directory Audit Report](../../active-directory/reports-monitoring/overview-reports.md) helps customers to identify privileged actions that occurred in their Azure Active Directory. Privileged actions include elevation changes (for example, role creation or password resets), changing policy configurations (for example password policies), or changes to directory configuration (for example, changes to domain federation settings). +Microsoft Entra ID includes security, activity, and audit reports for your directory. [The Microsoft Entra audit Report](../../active-directory/reports-monitoring/overview-reports.md) helps customers to identify privileged actions that occurred in their Microsoft Entra ID. Privileged actions include elevation changes (for example, role creation or password resets), changing policy configurations (for example password policies), or changes to directory configuration (for example, changes to domain federation settings). -The reports provide the audit record for the event name, the actor who performed the action, the target resource affected by the change, and the date and time (in UTC). 
Customers are able to retrieve the list of audit events for their Azure Active Directory via the [Azure portal](https://portal.azure.com/), as described in [View your Audit Logs](../../active-directory/reports-monitoring/overview-reports.md). Here's a list of the reports included: +The reports provide the audit record for the event name, the actor who performed the action, the target resource affected by the change, and the date and time (in UTC). Customers are able to retrieve the list of audit events for their Microsoft Entra ID via the [Azure portal](https://portal.azure.com/), as described in [View your Audit Logs](../../active-directory/reports-monitoring/overview-reports.md). Here's a list of the reports included: | Security reports | Activity reports| Audit reports | | :- | :-| :-| The reports provide the audit record for the event name, the actor who performed -The data of these reports can be useful to your applications, such as SIEM systems, audit, and business intelligence tools. The Azure AD reporting [APIs](../../active-directory/reports-monitoring/concept-reporting-api.md) provide programmatic access to the data through a set of REST-based APIs. You can call these APIs from various programming languages and tools. +The data of these reports can be useful to your applications, such as SIEM systems, audit, and business intelligence tools. The Microsoft Entra ID reporting [APIs](../../active-directory/reports-monitoring/concept-reporting-api.md) provide programmatic access to the data through a set of REST-based APIs. You can call these APIs from various programming languages and tools. -Events in the Azure AD Audit report are retained for 180 days. +Events in the Microsoft Entra audit report are retained for 180 days. > [!Note]-> For more information about retention on reports, see [Azure Active Directory Report Retention Policies](../../active-directory/reports-monitoring/reference-reports-data-retention.md). 
+> For more information about retention on reports, see [Microsoft Entra report retention Policies](../../active-directory/reports-monitoring/reference-reports-data-retention.md). For customers interested in storing their [audit events](../../active-directory/reports-monitoring/concept-audit-logs.md) for longer retention periods, the Reporting API can be used to regularly pull audit events into a separate data store. Microsoft designs its services and software with security in mind to help ensure Use Microsoft security data and analysis to perform more intelligent and effective threat detection. - [Microsoft Defender for Cloud planning and operations](../../defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md)-A set of steps and tasks that you can follow to optimize your use of Defender for Cloud based on your organizationΓÇÖs security requirements and cloud management model. +A set of steps and tasks that you can follow to optimize your use of Defender for Cloud based on your organizationΓÇÖs security requirements and cloud management model. |
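Review bot: the `+` capabilities sentence carries over "rich auditing,and security monitoring" from the `-` line with the missing space after the comma; since the line is being rewritten anyway, add the space. The same hunk also introduces "[The Microsoft Entra audit Report]" and "[Microsoft Entra report retention Policies]" with a capitalized last word but lowercase "audit" and "retention", while a later `+` line in the hunk writes "Events in the Microsoft Entra audit report"; use "audit report" and "report retention policies" in the link text so the casing matches.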
security | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/overview.md | The spectrum of option ranges from enabling "lift and shift" scenarios of existi With Azure IaaS, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats. [Microsoft Antimalware](antimalware.md) for Azure Cloud Services and Virtual Machines is a protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware can also be deployed using Microsoft Defender for Cloud ### Hardware Security Module-Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in [Azure Key Vault](../../key-vault/general/overview.md). Key Vault provides the option to store your keys in hardware Security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption) can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through [Azure Active Directory](../../active-directory/index.yml). +Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in [Azure Key Vault](../../key-vault/general/overview.md). Key Vault provides the option to store your keys in hardware Security modules (HSMs) certified to FIPS 140-2 Level 2 standards. 
Your SQL Server encryption keys for backup or [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption) can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through [Microsoft Entra ID](../../active-directory/index.yml). ### Virtual machine backup [Azure Backup](../../backup/backup-overview.md) is a solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications that can lead to security issues. With Azure Backup, your virtual machines running Windows and Linux are protected. Microsoft uses multiple security practices and technologies across its products - [Multi-Factor Authentication](https://azure.microsoft.com/services/multi-factor-authentication/) requires users to use multiple methods for access, on-premises and in the cloud. It provides strong authentication with a range of easy verification options, while accommodating users with a simple sign-in process. -- [Microsoft Authenticator](https://aka.ms/authenticator) provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals.+- [Microsoft Authenticator](https://aka.ms/authenticator) provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Entra ID and Microsoft accounts, and includes support for wearables and fingerprint-based approvals. - [Password policy enforcement](../../active-directory/authentication/concept-sspr-policy.md) increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts. 
-- [Token-based authentication](../../active-directory/develop/authentication-vs-authorization.md) enables authentication via Azure Active Directory.+- [Token-based authentication](../../active-directory/develop/authentication-vs-authorization.md) enables authentication via Microsoft Entra ID. - [Azure role-based access control (Azure RBAC)](../../role-based-access-control/built-in-roles.md) enables you to grant access based on the userΓÇÖs assigned role, making it easy to give users only the amount of access they need to perform their job duties. You can customize Azure RBAC per your organizationΓÇÖs business model and risk tolerance. - [Integrated identity management (hybrid identity)](../../active-directory/hybrid/plan-hybrid-identity-design-considerations-overview.md) enables you to maintain control of usersΓÇÖ access across internal datacenters and cloud platforms, creating a single user identity for authentication and authorization to all resources. ### Secure Apps and data-[Azure Active Directory](https://azure.microsoft.com/services/active-directory/), a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and makes it easy for developers to build policy-based identity management into their apps. To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions. +[Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/), a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups. 
It combines core directory services, advanced identity governance, security, and application access management, and makes it easy for developers to build policy-based identity management into their apps. To enhance your Microsoft Entra ID, you can add paid capabilities using the Microsoft Entra Basic, Premium P1, and Premium P2 editions. -| Free / Common Features | Basic Features |Premium P1 Features |Premium P2 Features | Azure Active Directory Join ΓÇô Windows 10 only related features| +| Free / Common Features | Basic Features |Premium P1 Features |Premium P2 Features | Microsoft Entra join ΓÇô Windows 10 only related features| | :- | :- |:- |:- |:- |-| [Directory Objects](../../active-directory/fundamentals/active-directory-whatis.md), [User/Group Management (add/update/delete)/ User-based provisioning, Device registration](../../active-directory/fundamentals/active-directory-whatis.md), [single sign-on (SSO)](../../active-directory/fundamentals/active-directory-whatis.md), [Self-Service Password Change for cloud users](../../active-directory/fundamentals/active-directory-whatis.md), [Connect (Sync engine that extends on-premises directories to Azure Active Directory)](../../active-directory/fundamentals/active-directory-whatis.md), [Security / Usage Reports](../../active-directory/fundamentals/active-directory-whatis.md) | [Group-based access management / provisioning](../../active-directory/fundamentals/active-directory-whatis.md), [Self-Service Password Reset for cloud users](../../active-directory/fundamentals/active-directory-whatis.md), [Company Branding (Logon Pages/Access Panel customization)](../../active-directory/fundamentals/active-directory-whatis.md), [Application Proxy](../../active-directory/fundamentals/active-directory-whatis.md), [SLA 99.9%](../../active-directory/fundamentals/active-directory-whatis.md) | [Self-Service Group and app Management/Self-Service application additions/Dynamic 
Groups](../../active-directory/fundamentals/active-directory-whatis.md), [Self-Service Password Reset/Change/Unlock with on-premises write-back](../../active-directory/fundamentals/active-directory-whatis.md), [Multi-Factor Authentication (Cloud and On-premises (MFA Server))](../../active-directory/fundamentals/active-directory-whatis.md), [MIM CAL + MIM Server](../../active-directory/fundamentals/active-directory-whatis.md), [Cloud App Discovery](../../active-directory/fundamentals/active-directory-whatis.md), [Connect Health](../../active-directory/fundamentals/active-directory-whatis.md), [Automatic password rollover for group accounts](../../active-directory/fundamentals/active-directory-whatis.md)| [Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md), [Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md)| [Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator BitLocker recovery](../../active-directory/fundamentals/active-directory-whatis.md), [MDM auto-enrollment, Self-Service BitLocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join](../../active-directory/fundamentals/active-directory-whatis.md)| +| [Directory Objects](../../active-directory/fundamentals/active-directory-whatis.md), [User/Group Management (add/update/delete)/ User-based provisioning, Device registration](../../active-directory/fundamentals/active-directory-whatis.md), [single sign-on (SSO)](../../active-directory/fundamentals/active-directory-whatis.md), [Self-Service Password Change for cloud users](../../active-directory/fundamentals/active-directory-whatis.md), [Connect (Sync engine that extends on-premises directories to Microsoft Entra ID)](../../active-directory/fundamentals/active-directory-whatis.md), [Security / Usage Reports](../../active-directory/fundamentals/active-directory-whatis.md) | [Group-based access management 
/ provisioning](../../active-directory/fundamentals/active-directory-whatis.md), [Self-Service Password Reset for cloud users](../../active-directory/fundamentals/active-directory-whatis.md), [Company Branding (Logon Pages/Access Panel customization)](../../active-directory/fundamentals/active-directory-whatis.md), [Application Proxy](../../active-directory/fundamentals/active-directory-whatis.md), [SLA 99.9%](../../active-directory/fundamentals/active-directory-whatis.md) | [Self-Service Group and app Management/Self-Service application additions/Dynamic Groups](../../active-directory/fundamentals/active-directory-whatis.md), [Self-Service Password Reset/Change/Unlock with on-premises write-back](../../active-directory/fundamentals/active-directory-whatis.md), [Multi-Factor Authentication (Cloud and On-premises (MFA Server))](../../active-directory/fundamentals/active-directory-whatis.md), [MIM CAL + MIM Server](../../active-directory/fundamentals/active-directory-whatis.md), [Cloud App Discovery](../../active-directory/fundamentals/active-directory-whatis.md), [Connect Health](../../active-directory/fundamentals/active-directory-whatis.md), [Automatic password rollover for group accounts](../../active-directory/fundamentals/active-directory-whatis.md)| [Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md), [Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md)| [Join a device to Microsoft Entra ID, Desktop SSO, Microsoft Passport for Microsoft Entra ID, Administrator BitLocker recovery](../../active-directory/fundamentals/active-directory-whatis.md), [MDM auto-enrollment, Self-Service BitLocker recovery, Additional local administrators to Windows 10 devices via Microsoft Entra join](../../active-directory/fundamentals/active-directory-whatis.md)| -- [Cloud App Discovery](/cloud-app-security/set-up-cloud-discovery) is a premium feature of Azure Active Directory that 
enables you to identify cloud applications that are used by the employees in your organization.+- [Cloud App Discovery](/cloud-app-security/set-up-cloud-discovery) is a premium feature of Microsoft Entra ID that enables you to identify cloud applications that are used by the employees in your organization. -- [Azure Active Directory Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a security service that uses Azure Active Directory anomaly detection capabilities to provide a consolidated view into risk detections and potential vulnerabilities that could affect your organization’s identities.+- [Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a security service that uses Microsoft Entra anomaly detection capabilities to provide a consolidated view into risk detections and potential vulnerabilities that could affect your organization’s identities. -- [Azure Active Directory Domain Services](https://azure.microsoft.com/services/active-directory-ds/) enables you to join Azure VMs to a domain without the need to deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials, and can seamlessly access resources.+- [Microsoft Entra Domain Services](https://azure.microsoft.com/services/active-directory-ds/) enables you to join Azure VMs to a domain without the need to deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials, and can seamlessly access resources. - [Azure Active Directory B2C](https://azure.microsoft.com/services/active-directory-b2c/) is a highly available, global identity management service for consumer-facing apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms. 
Your customers can sign in to all your apps through customizable experiences that use existing social media accounts, or you can create new standalone credentials. -- [Azure Active Directory B2B Collaboration](../../active-directory/external-identities/what-is-b2b.md) is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.+- [Microsoft Entra B2B Collaboration](../../active-directory/external-identities/what-is-b2b.md) is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities. -- [Azure Active Directory joined](../../active-directory/devices/overview.md) enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Azure Active Directory and simplifies access to apps and resources.+- [Microsoft Entra joined](../../active-directory/devices/overview.md) enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Microsoft Entra ID and simplifies access to apps and resources. -- [Azure Active Directory Application Proxy](../../active-directory/app-proxy/application-proxy.md) provides SSO and secure remote access for web applications hosted on-premises.+- [Microsoft Entra application proxy](../../active-directory/app-proxy/application-proxy.md) provides SSO and secure remote access for web applications hosted on-premises. ## Next Steps - Understand your [shared responsibility in the cloud](shared-responsibility.md). 
-- Learn how [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md) can help you prevent, detect, and respond to threats with increased visibility and control over the security of your Azure resources.+- Learn how [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md) can help you prevent, detect, and respond to threats with increased visibility and control over the security of your Azure resources. |
security | Paas Applications Using App Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/paas-applications-using-app-services.md | In this article, we discuss a collection of [Azure App Service](../../app-servic Azure App Service is a platform-as-a-service (PaaS) offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services. It also includes new capabilities for automating business processes and hosting cloud APIs. As a single integrated service, App Service brings a rich set of capabilities to web, mobile, and integration scenarios. -## Authenticate through Azure Active Directory (AD) -App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Azure AD uses OAuth 2.0 to enable you to authorize access to mobile and web applications. To learn more, see [Authentication and authorization in Azure App Service](../../app-service/overview-authentication-authorization.md). +<a name='authenticate-through-azure-active-directory-ad'></a> ++## Authenticate through Microsoft Entra ID +App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Microsoft Entra ID uses OAuth 2.0 to enable you to authorize access to mobile and web applications. To learn more, see [Authentication and authorization in Azure App Service](../../app-service/overview-authentication-authorization.md). 
## Restrict access based on role Restricting access is imperative for organizations that want to enforce security policies for data access. You can use Azure role-based access control (Azure RBAC) to assign permissions to users, groups, and applications at a certain scope, such as the need to know and least privilege security principles. To learn more about granting users access to applications, see [What is Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). For App Service on Windows, you can also restrict IP addresses dynamically by co This article introduced you to a collection of App Service security best practices for securing your PaaS web and mobile applications. To learn more about securing your PaaS deployments, see: - [Securing PaaS deployments](paas-deployments.md)-- [Securing PaaS databases in Azure](paas-applications-using-sql.md)+- [Securing PaaS databases in Azure](paas-applications-using-sql.md) |
security | Paas Applications Using Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/paas-applications-using-sql.md | In this article, we discuss a collection of [Azure SQL Database](/azure/azure-sq Azure SQL Database and Azure Synapse Analytics provide a relational database service for your internet-based applications. Let's look at services that help protect your applications and data when using Azure SQL Database and Azure Synapse Analytics in a PaaS deployment: -- Azure Active Directory authentication (instead of SQL Server authentication)+- Microsoft Entra authentication (instead of SQL Server authentication) - Azure SQL firewall - Transparent Data Encryption (TDE) Azure SQL Database can be configured to use one of two types of authentication: - **SQL authentication** uses a username and password. When you created the server for your database, you specified a "server admin" login with a username and password. Using these credentials, you can authenticate to any database on that server as the database owner. -- **Azure Active Directory authentication** uses identities managed by Azure Active Directory and is supported for managed and integrated domains. To use Azure Active Directory Authentication, you must create another server admin called the "Azure AD admin," which is allowed to administer Azure AD users and groups. This admin can also perform all operations that a regular server admin can.+- **Microsoft Entra authentication** uses identities managed by Microsoft Entra ID and is supported for managed and integrated domains. To use Microsoft Entra authentication, you must create another server admin called the "Microsoft Entra admin," which is allowed to administer Microsoft Entra users and groups. This admin can also perform all operations that a regular server admin can. 
-[Azure Active Directory authentication](../../active-directory/develop/authentication-vs-authorization.md) is a mechanism of connecting to Azure SQL Database and Azure Synapse Analytics by using identities in Azure Active Directory (AD). Azure AD provides an alternative to SQL Server authentication so you can stop the proliferation of user identities across database servers. Azure AD authentication enables you to centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management. +[Microsoft Entra authentication](../../active-directory/develop/authentication-vs-authorization.md) is a mechanism of connecting to Azure SQL Database and Azure Synapse Analytics by using identities in Microsoft Entra ID. Microsoft Entra ID provides an alternative to SQL Server authentication so you can stop the proliferation of user identities across database servers. Microsoft Entra authentication enables you to centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management. -### Benefits of using Azure AD instead of SQL authentication +<a name='benefits-of-using-azure-ad-instead-of-sql-authentication'></a> ++### Benefits of using Microsoft Entra ID instead of SQL authentication - Allows password rotation in a single place.-- Manages database permissions using external Azure AD groups.-- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure AD.+- Manages database permissions using external Microsoft Entra groups. +- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra ID. 
- Uses contained database users to authenticate identities at the database level. - Supports token-based authentication for applications connecting to SQL Database.-- Supports domain federation with Active Directory Federation Services (ADFS) or native user/password authentication for a local Azure AD without domain synchronization.+- Supports domain federation with Active Directory Federation Services (ADFS) or native user/password authentication for a local Microsoft Entra ID without domain synchronization. - Supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes [Multi-Factor Authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md). MFA includes strong authentication with a range of easy verification options. Verification options are phone call, text message, smart cards with pin, or mobile app notification. For more information, see [Universal Authentication with SQL Database and Azure Synapse Analytics](/azure/azure-sql/database/authentication-mfa-ssms-overview). 
-To learn more about Azure AD authentication, see: +To learn more about Microsoft Entra authentication, see: -- [Use Azure Active Directory Authentication for authentication with SQL Database, Managed Instance, or Azure Synapse Analytics](/azure/azure-sql/database/authentication-aad-overview)+- [Use Microsoft Entra authentication for authentication with SQL Database, Managed Instance, or Azure Synapse Analytics](/azure/azure-sql/database/authentication-aad-overview) - [Authentication to Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-authentication.md)-- [Token-based authentication support for Azure SQL Database using Azure AD authentication](/azure/azure-sql/database/authentication-aad-overview)+- [Token-based authentication support for Azure SQL Database using Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview) > [!NOTE]-> To ensure that Azure Active Directory is a good fit for your environment, see [Azure AD features and limitations](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). +> To ensure that Microsoft Entra ID is a good fit for your environment, see [Microsoft Entra features and limitations](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). ## Restrict access based on IP address |
security | Paas Deployments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/paas-deployments.md | The following are best practices for managing the identity perimeter. **Best practice**: Protect your VM management interfaces on hybrid PaaS and IaaS services by using a management interface that enables you to remote manage these VMs directly. **Detail**: Remote management protocols such as [SSH](https://en.wikipedia.org/wiki/Secure_Shell), [RDP](https://support.microsoft.com/kb/186607), and [PowerShell remoting](/powershell/module/microsoft.powershell.core/enable-psremoting) can be used. In general, we recommend that you do not enable direct remote access to VMs from the internet. -If possible, use alternate approaches like using virtual private networks in an Azure virtual network. If alternative approaches are not available, ensure that you use complex passphrases and two-factor authentication (such as [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md)). +If possible, use alternate approaches like using virtual private networks in an Azure virtual network. If alternative approaches are not available, ensure that you use complex passphrases and two-factor authentication (such as [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md)). **Best practice**: Use strong authentication and authorization platforms.-**Detail**: Use federated identities in Azure AD instead of custom user stores. When you use federated identities, you take advantage of a platform-based approach and you delegate the management of authorized identities to your partners. A federated identity approach is especially important when employees are terminated and that information needs to be reflected through multiple identity and authorization systems. +**Detail**: Use federated identities in Microsoft Entra ID instead of custom user stores. 
When you use federated identities, you take advantage of a platform-based approach and you delegate the management of authorized identities to your partners. A federated identity approach is especially important when employees are terminated and that information needs to be reflected through multiple identity and authorization systems. Use platform-supplied authentication and authorization mechanisms instead of custom code. The reason is that developing custom authentication code can be error prone. Most of your developers are not security experts and are unlikely to be aware of the subtleties and the latest developments in authentication and authorization. Commercial code (for example, from Microsoft) is often extensively security reviewed. -Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses inherent in username and password types of authentication. Access to both the Azure management (portal/remote PowerShell) interfaces and customer-facing services should be designed and configured to use Azure AD Multi-Factor Authentication. +Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses inherent in username and password types of authentication. Access to both the Azure management (portal/remote PowerShell) interfaces and customer-facing services should be designed and configured to use Microsoft Entra multifactor authentication. Use standard authentication protocols, such as OAuth2 and Kerberos. These protocols have been extensively peer reviewed and are likely implemented as part of your platform libraries for authentication and authorization. The following table lists the STRIDE threats and gives some example mitigations Following are best practices for using App Service. 
-**Best practice**: [Authenticate through Azure Active Directory](../../app-service/overview-authentication-authorization.md). -**Detail**: App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Azure AD uses OAuth 2.0 to enable you to authorize access to mobile and web applications. +**Best practice**: [Authenticate through Microsoft Entra ID](../../app-service/overview-authentication-authorization.md). +**Detail**: App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Microsoft Entra ID uses OAuth 2.0 to enable you to authorize access to mobile and web applications. **Best practice**: Restrict access based on the need to know and least privilege security principles. **Detail**: Restricting access is imperative for organizations that want to enforce security policies for data access. You can use Azure RBAC to assign permissions to users, groups, and applications at a certain scope. To learn more about granting users access to applications, see [Get started with access management](../../role-based-access-control/overview.md). |
security | Ransomware Features Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/ransomware-features-resources.md | Key capabilities include: - **Native Threat Detection**: Microsoft Defender for Cloud provides high-quality threat detection and response capabilities, also called Extended Detection and Response (XDR). This helps you: - Avoid wasting time and talent of scarce security resources to build custom alerts using raw activity logs. - Ensure effective security monitoring, which often enables security teams to rapidly approve use of Azure services.-- **Passwordless and Multi-factor authentication**: Azure Active Directory MFA, Azure AD Authenticator App, and Windows Hello provide these capabilities. This helps protect accounts against commonly seen password attacks (which account for 99.9% of the volume of identity attacks we see in Azure AD). While no security is perfect, eliminating password-only attack vectors dramatically lowers the ransomware attack risk to Azure resources. +- **Passwordless and multifactor authentication**: Microsoft Entra multifactor authentication, Microsoft Entra Authenticator App, and Windows Hello provide these capabilities. This helps protect accounts against commonly seen password attacks (which account for 99.9% of the volume of identity attacks we see in Microsoft Entra ID). While no security is perfect, eliminating password-only attack vectors dramatically lowers the ransomware attack risk to Azure resources. - **Native Firewall and Network Security**: Microsoft built native DDoS attack mitigations, Firewall, Web Application Firewall, and many other controls into Azure. These security 'as a service' help simplify the configuration and implementation of security controls. These give organizations the choice of using native services or virtual appliances versions of familiar vendor capabilities to simplify their Azure security. 
## Microsoft Defender for Cloud Key Features: - [Zero Trust Guidance Center](/security/zero-trust/) - [Azure Web Application Firewall](../../web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md?tabs=owasp32) - [Azure VPN gateway](../../vpn-gateway/openvpn-azure-ad-tenant.md#enable-authentication)-- [Azure Active Directory Multi-Factor Authentication (MFA)](../../active-directory/authentication/howto-mfa-userstates.md)-- [Azure AD Identity Protection](../../active-directory/authentication/concept-password-ban-bad.md)-- [Azure AD Conditional Access](../../active-directory/conditional-access/overview.md)+- [Microsoft Entra multifactor authentication (MFA)](../../active-directory/authentication/howto-mfa-userstates.md) +- [Microsoft Entra ID Protection](../../active-directory/authentication/concept-password-ban-bad.md) +- [Microsoft Entra Conditional Access](../../active-directory/conditional-access/overview.md) - [Microsoft Defender for Cloud documentation](../../defender-for-cloud/index.yml) ## Conclusion |
security | Recover From Identity Compromise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/recover-from-identity-compromise.md | Title: Use Microsoft and Azure security resources to help recover from systemic identity compromise | Microsoft Docs -description: Learn how to use Microsoft and Azure security resources, such as Microsoft 365 Defender, Microsoft Sentinel, Azure Active Directory, Microsoft Defender for Cloud, and Microsoft Defender for IoT and Microsoft recommendations to secure your system against systemic-identity compromises. +description: Learn how to use Microsoft and Azure security resources, such as Microsoft 365 Defender, Microsoft Sentinel, Microsoft Entra ID, Microsoft Defender for Cloud, and Microsoft Defender for IoT and Microsoft recommendations to secure your system against systemic-identity compromises. documentationcenter: na Microsoft's security services provide extensive resources for detailed investiga Investigate and review cloud environment logs for suspicious actions and attacker indications of compromise. 
For example, check the following logs: - [Unified Audit Logs (UAL)](/powershell/module/exchange/search-unifiedauditlog)-- [Azure Active Directory (Azure AD) logs](../../active-directory/reports-monitoring/overview-monitoring.md)+- [Microsoft Entra logs](../../active-directory/reports-monitoring/overview-monitoring.md) - [Microsoft Exchange on-premises logs](/exchange/mail-flow/transport-logs/transport-logs) - VPN logs, such as from [VPN Gateway](../../vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log.md) - Engineering system logs For more information, see: - [Track and respond to emerging threats with threat analytics](/windows/security/threat-protection/microsoft-defender-atp/threat-analytics) - [Understand the analyst report in threat analytics](/microsoft-365/security/defender/threat-analytics-analyst-reports) -### Monitoring with Azure Active Directory +<a name='monitoring-with-azure-active-directory'></a> -Azure Active Directory sign-in logs can show whether multi-factor authentication is being used correctly. Access sign-in logs directly from the Azure Active Directory area in the Azure portal, use the **Get-AzureADAuditSignInLogs** cmdlet, or view them in the **Logs** area of Microsoft Sentinel. +### Monitoring with Microsoft Entra ID ++Microsoft Entra sign-in logs can show whether multi-factor authentication is being used correctly. Access sign-in logs directly from the Microsoft Entra area in the Azure portal, use the **Get-AzureADAuditSignInLogs** cmdlet, or view them in the **Logs** area of Microsoft Sentinel. For example, search or filter the results for when the **MFA results** field has a value of **MFA requirement satisfied by claim in the token**. If your organization uses ADFS and the claims logged are not included in the ADFS configuration, these claims may indicate attacker activity. Search or filter your results further to exclude extra noise. For example, you may want to include results only from federated domains. 
If you find suspicious sign-ins, drill down even further based on IP addresses, user accounts, and so on. -The following table describes more methods for using Azure Active directory logs in your investigation: +The following table describes more methods for using Microsoft Entra logs in your investigation: |Method |Description | |||-|**Analyze risky sign-in events** | Azure Active Directory and its Identity Protection platform may generate risk events associated with the use of attacker-generated SAML tokens. <br><br>These events might be labeled as *unfamiliar properties*, *anonymous IP address*, *impossible travel*, and so on. <br><br>We recommend that you closely analyze all risk events associated with accounts that have administrative privileges, including any that may have been automatically been dismissed or remediated. For example, a risk event or an anonymous IP address might be automatically remediated because the user passed MFA. <br><br>Make sure to use [ADFS Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md) so that all authentication events are visible in Azure AD. | -|**Detect domain authentication properties** | Any attempt by the attacker to manipulate domain authentication policies will be recorded in the Azure Active Directory Audit logs, and reflected in the Unified Audit log. <br><br> For example, review any events associated with **Set domain authentication** in the Unified Audit Log, Azure AD Audit logs, and / or your SIEM environment to verify that all activities listed were expected and planned. | +|**Analyze risky sign-in events** | Microsoft Entra ID and its Identity Protection platform may generate risk events associated with the use of attacker-generated SAML tokens. <br><br>These events might be labeled as *unfamiliar properties*, *anonymous IP address*, *impossible travel*, and so on. 
<br><br>We recommend that you closely analyze all risk events associated with accounts that have administrative privileges, including any that may have been automatically been dismissed or remediated. For example, a risk event or an anonymous IP address might be automatically remediated because the user passed MFA. <br><br>Make sure to use [ADFS Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md) so that all authentication events are visible in Microsoft Entra ID. | +|**Detect domain authentication properties** | Any attempt by the attacker to manipulate domain authentication policies will be recorded in the Microsoft Entra audit logs, and reflected in the Unified Audit log. <br><br> For example, review any events associated with **Set domain authentication** in the Unified Audit Log, Microsoft Entra audit logs, and / or your SIEM environment to verify that all activities listed were expected and planned. | |**Detect credentials for OAuth applications** | Attackers who have gained control of a privileged account may search for an application with the ability to access any user's email in the organization, and then add attacker-controlled credentials to that application. <br><br>For example, you may want to search for any of the following activities, which would be consistent with attacker behavior: <br>- Adding or updating service principal credentials <br>- Updating application certificates and secrets <br>- Adding an app role assignment grant to a user <br>- Adding Oauth2PermissionGrant | |**Detect e-mail access by applications** | Search for access to email by applications in your environment. For example, use the [Microsoft Purview Audit (Premium) features](/microsoft-365/compliance/mailitemsaccessed-forensics-investigations) to investigate compromised accounts. 
|-|**Detect non-interactive sign-ins to service principals** | The Azure Active Directory sign-in reports provide details about any non-interactive sign-ins that used service principal credentials. For example, you can use the sign-in reports to find valuable data for your investigation, such as an IP address used by the attacker to access email applications. | +|**Detect non-interactive sign-ins to service principals** | The Microsoft Entra sign-in reports provide details about any non-interactive sign-ins that used service principal credentials. For example, you can use the sign-in reports to find valuable data for your investigation, such as an IP address used by the attacker to access email applications. | ## Improve security posture We recommend the following actions to ensure identity-related security posture: - **Review Microsoft's [Five steps to securing your identity infrastructure](steps-secure-identity.md)**, and prioritize the steps as appropriate for your identity architecture. -- **[Consider migrating to Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md)** for your authentication policy.+- **[Consider migrating to Microsoft Entra Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md)** for your authentication policy. -- **Eliminate your organizationΓÇÖs use of legacy authentication**, if systems or applications still require it. For more information, see [Block legacy authentication to Azure AD with Conditional Access](../../active-directory/conditional-access/block-legacy-authentication.md).+- **Eliminate your organizationΓÇÖs use of legacy authentication**, if systems or applications still require it. For more information, see [Block legacy authentication to Microsoft Entra ID with Conditional Access](../../active-directory/conditional-access/block-legacy-authentication.md). 
- **Treat your ADFS infrastructure and AD Connect infrastructure as a Tier 0 asset**. If there was an attack, you don't want the attacker to retain access at all. Mak For more information, see: -- [Revoke user access in Azure Active Directory](../../active-directory/enterprise-users/users-revoke-access.md)+- [Revoke user access in Microsoft Entra ID](../../active-directory/enterprise-users/users-revoke-access.md) ### Replace your ADFS servers In addition to the recommendations listed earlier in this article, we also recom |Activity |Description | ||| |**Reset passwords** | Reset passwords on any [break-glass accounts](../../active-directory/roles/security-emergency-access.md) and reduce the number of break-glass accounts to the absolute minimum required. |-|**Restrict privileged access accounts** | Ensure that service and user accounts with privileged access are cloud-only accounts, and do not use on-premises accounts that are synced or federated to Azure Active Directory. | +|**Restrict privileged access accounts** | Ensure that service and user accounts with privileged access are cloud-only accounts, and do not use on-premises accounts that are synced or federated to Microsoft Entra ID. | |**Enforce MFA** | Enforce Multi-Factor Authentication (MFA) across all elevated users in the tenant. We recommend enforcing MFA across all users in the tenant. | |**Limit administrative access** | Implement [Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md) (PIM) and conditional access to limit administrative access. <br><br>For Microsoft 365 users, implement [Privileged Access Management](https://techcommunity.microsoft.com/t5/microsoft-security-and/privileged-access-management-in-office-365-is-now-generally/ba-p/261751) (PAM) to limit access to sensitive abilities, such as eDiscovery, Global Admin, Account Administration, and more. 
| |**Review / reduce delegated permissions and consent grants** | Review and reduce all Enterprise Applications delegated permissions or [consent grants](/graph/auth-limit-mailbox-access) that allow any of the following functionalities: <br><br>- Modification of privileged users and roles <br>- Reading, sending email, or accessing all mailboxes <br>- Accessing OneDrive, Teams, or SharePoint content <br>- Adding Service Principals that can read/write to the directory <br>- Application Permissions versus Delegated Access | In addition to the recommended actions listed above, we recommend that you consi For more information, see: - - [Revoke user access in an emergency in Azure Active Directory](../../active-directory/enterprise-users/users-revoke-access.md) + - [Revoke user access in an emergency in Microsoft Entra ID](../../active-directory/enterprise-users/users-revoke-access.md) ## Next steps |
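Review bot: the rewritten **Analyze risky sign-in events** row keeps a duplicated verb, "including any that may have been automatically been dismissed or remediated"; drop the second "been" while the row is being touched.

Review bot: in the **Improve security posture** list, the reworded bullet "Eliminate your organization's use of legacy authentication, if systems or applications still require it" reads as though legacy authentication should be removed only where it is still required; "even if systems or applications still require it" states the intent unambiguously, and the following sentence (block legacy authentication with Conditional Access) then follows naturally.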
security | Service Fabric Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/service-fabric-best-practices.md | We recommend the following Azure Service Fabric security best practices: Always use a secure cluster: - Implement cluster security by using certificates.-- Provide client access (admin and read-only) by using Azure Active Directory (Azure AD).+- Provide client access (admin and read-only) by using Microsoft Entra ID. Use automated deployments: - Use scripts to generate, deploy, and roll over the secrets.-- Store the secrets in Azure Key Vault and use Azure AD for all other client access.+- Store the secrets in Azure Key Vault and use Microsoft Entra ID for all other client access. - Require authentication for human access to the secrets. Additionally, consider the following configuration options: There are three [scenarios](../../service-fabric/service-fabric-cluster-security - Node-to-node security: This scenario secures communication between the VMs and the computers in the cluster. This form of security ensures that only those computers that are authorized to join the cluster can host applications and services in the cluster. In this scenario, the clusters that run on Azure, or standalone clusters that run on Windows, can use either [certificate security](../../service-fabric/service-fabric-windows-cluster-x509-security.md) or [Windows security](../../service-fabric/service-fabric-windows-cluster-windows-security.md) for Windows Server machines. - Client-to-node security: This scenario secures communication between a Service Fabric client and the individual nodes in the cluster.-- Service Fabric role-based access control (Service Fabric RBAC): This scenario uses separate identities (certificates, Azure AD, and so on) for each administrator and user client role that accesses the cluster. 
You specify the role identities when you create the cluster.+- Service Fabric role-based access control (Service Fabric RBAC): This scenario uses separate identities (certificates, Microsoft Entra ID, and so on) for each administrator and user client role that accesses the cluster. You specify the role identities when you create the cluster. >[!NOTE]->**Security recommendation for Azure clusters:** Use Azure AD security to authenticate clients and certificates for node-to-node security. +>**Security recommendation for Azure clusters:** Use Microsoft Entra security to authenticate clients and certificates for node-to-node security. To configure a standalone Windows cluster, see [Configure settings for a standalone Windows cluster](../../service-fabric/service-fabric-cluster-manifest.md). To learn more about using X.509 certificates, see [Add or remove certificates fo Service Fabric also secures the resources that are used by applications. Resources like files, directories, and certificates are stored under the user accounts when the application is deployed. This feature makes running applications more secure from one another, even in a shared hosted environment. - Use an Active Directory domain group or user:-Run the service under the credentials for an Active Directory user or group account. Be sure to use Active Directory on-premises within your domain and not Azure Active Directory. Access other resources in the domain that have been granted permissions by using a domain user or group. For example, resources such as file shares. +Run the service under the credentials for an Active Directory user or group account. Be sure to use Active Directory on-premises within your domain and not Microsoft Entra ID. Access other resources in the domain that have been granted permissions by using a domain user or group. For example, resources such as file shares. 
- Assign a security access policy for HTTP and HTTPS endpoints: Specify the **SecurityAccessPolicy** property to apply a **RunAs** policy to a service when the service manifest declares endpoint resources with HTTP. Ports allocated to the HTTP endpoints are correctly access-controlled lists for the RunAs user account that the service runs under. When the policy isn't set, http.sys doesn't have access to the service and you can get failures with calls from the client. |
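Review bot: the updated NOTE, "Use Microsoft Entra security to authenticate clients and certificates for node-to-node security", uses "Microsoft Entra security" where every other replaced line in this change uses the product name "Microsoft Entra ID", and the sentence can be read as "authenticate clients and certificates"; suggest "Use Microsoft Entra ID to authenticate clients, and certificates for node-to-node security" so the two mechanisms are clearly separate.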
security | Services Technologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/services-technologies.md | Over time, this list will change and grow, just as Azure does. Make sure to chec |[Azure StorSimple Virtual Array](../../storsimple/storsimple-ova-overview.md)| An integrated storage solution that manages storage tasks between an on-premises virtual array running in a hypervisor and Microsoft Azure cloud storage.| |[Client-Side encryption for blobs](../../storage/blobs/client-side-encryption.md)| A client-side encryption solution that supports encrypting data within client applications before uploading to Azure Storage, and decrypting data while downloading to the client. | | [Azure Storage shared access signatures](../../storage/common/storage-sas-overview.md)|A shared access signature (SAS) provides delegated access to resources in your storage account. |-|[Azure Storage Account Keys](../../storage/common/storage-account-create.md)| An access control method for Azure storage that is used authorize requests to the storage account using either the account access keys or an Azure Active Directory (Azure AD) account (default). | +|[Azure Storage Account Keys](../../storage/common/storage-account-create.md)| An access control method for Azure storage that is used authorize requests to the storage account using either the account access keys or a Microsoft Entra account (default). | |[Azure File shares](../../storage/files/storage-files-introduction.md)| A storage security technology that offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol, Network File System (NFS) protocol, and Azure Files REST AP. | |[Azure Storage Analytics](../../storage/common/storage-analytics.md)| A logging and metrics-generating technology for data in your storage account. | Over time, this list will change and grow, just as Azure does. 
Make sure to chec |Service|Description| ||--| | [Azure role-based access control](../../role-based-access-control/role-assignments-portal.md)|An access control feature designed to allow users to access only the resources they are required to access based on their roles within the organization. |-| [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md)|A cloud-based identity and access management service that supports a multi-tenant, cloud-based directory and multiple identity management services within Azure. | +| [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md)|A cloud-based identity and access management service that supports a multi-tenant, cloud-based directory and multiple identity management services within Azure. | | [Azure Active Directory B2C](../../active-directory-b2c/overview.md)| A customer identity access management (CIAM) solution that enables control over how customers sign-up, sign-in, and manage their profiles when using Azure-based applications. |-| [Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md)| A cloud-based and managed version of Active Directory Domain Services that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. | -| [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md)| A security provision that employs several different forms of authentication and verification before allowing access to secured information. | +| [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md)| A cloud-based and managed version of Active Directory Domain Services that provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. 
| +| [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md)| A security provision that employs several different forms of authentication and verification before allowing access to secured information. | ## Backup and disaster recovery |Service|Description| Over time, this list will change and grow, just as Azure does. Make sure to chec | [Azure Load Balancer](../../load-balancer/load-balancer-overview.md)|A TCP/UDP application network load balancer. | | [Azure ExpressRoute](../../expressroute/expressroute-introduction.md)| A feature that lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. | | [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md)| A DNS-based traffic load balancer.|-| [Azure Active Directory Application Proxy](../../active-directory/app-proxy/application-proxy.md)| An authenticating front-end used to secure remote access to on-premises web applications. | +| [Microsoft Entra application proxy](../../active-directory/app-proxy/application-proxy.md)| An authenticating front-end used to secure remote access to on-premises web applications. | |[Azure Firewall](../../firewall/overview.md)|A cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure.| |[Azure DDoS protection](../../ddos-protection/ddos-protection-overview.md)|Combined with application design best practices, provides defense against DDoS attacks.| |[Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md)| Provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. | |
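Review bot: the updated **Azure Storage Account Keys** row still reads "An access control method for Azure storage that is used authorize requests"; the rename was an opportunity to fix the missing "to" ("that is used to authorize requests to the storage account").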
security | Steps Secure Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/steps-secure-identity.md | Title: Secure your Azure AD identity infrastructure- -description: This document outlines a list of important actions administrators should implement to help them secure their organization using Azure AD capabilities + Title: Secure your Microsoft Entra identity infrastructure ++description: This document outlines a list of important actions administrators should implement to help them secure their organization using Microsoft Entra capabilities tags: azuread If you're reading this document, you're aware of the significance of security. You likely already carry the responsibility for securing your organization. If you need to convince others of the importance of security, send them to read the latest [Microsoft Digital Defense Report](https://www.microsoft.com/security/business/security-intelligence-report). -This document will help you get a more secure posture using the capabilities of Azure Active Directory by using a five-step checklist to improve your organization's protection against cyber-attacks. +This document will help you get a more secure posture using the capabilities of Microsoft Entra ID by using a five-step checklist to improve your organization's protection against cyber-attacks. This checklist will help you quickly deploy critical recommended actions to protect your organization immediately by explaining how to: This checklist will help you quickly deploy critical recommended actions to prot - Enable end-user self-service > [!NOTE]-> Many of the recommendations in this document apply only to applications that are configured to use Azure Active Directory as their identity provider. Configuring apps for Single Sign-On assures the benefits of credential policies, threat detection, auditing, logging, and other features add to those applications. 
[Azure AD Application Management](../../active-directory/manage-apps/what-is-application-management.md) is the foundation on which all these recommendations are based. +> Many of the recommendations in this document apply only to applications that are configured to use Microsoft Entra ID as their identity provider. Configuring apps for Single Sign-On assures the benefits of credential policies, threat detection, auditing, logging, and other features add to those applications. [Microsoft Entra Application Management](../../active-directory/manage-apps/what-is-application-management.md) is the foundation on which all these recommendations are based. -The recommendations in this document are aligned with the [Identity Secure Score](../../active-directory/fundamentals/identity-secure-score.md), an automated assessment of your Azure AD tenantΓÇÖs identity security configuration. Organizations can use the Identity Secure Score page in the Azure AD portal to find gaps in their current security configuration to ensure they follow current Microsoft best practices for security. Implementing each recommendation in the Secure Score page will increase your score and allow you to track your progress, plus help you compare your implementation against other similar size organizations. +The recommendations in this document are aligned with the [Identity Secure Score](../../active-directory/fundamentals/identity-secure-score.md), an automated assessment of your Microsoft Entra tenantΓÇÖs identity security configuration. Organizations can use the Identity Secure Score page in the Microsoft Entra admin center to find gaps in their current security configuration to ensure they follow current Microsoft best practices for security. Implementing each recommendation in the Secure Score page will increase your score and allow you to track your progress, plus help you compare your implementation against other similar size organizations. 
:::image type="content" source="media/steps-secure-identity/identity-secure-score-in-azure-portal.png" alt-text="Azure portal window showing Identity Secure Score and some recommendations." lightbox="media/steps-secure-identity/identity-secure-score-in-azure-portal.png"::: > [!NOTE]-> Some of the functionality recommended here is available to all customers, while others require an Azure AD Premium subscription. Please review [Azure Active Directory pricing](https://azure.microsoft.com/pricing/details/active-directory/) and [Azure AD Deployment checklist](../../active-directory/fundamentals/active-directory-deployment-checklist-p2.md) for more information. +> Some of the functionality recommended here is available to all customers, while others require a Microsoft Entra ID P1 or P2 subscription. Please review [Microsoft Entra pricing](https://azure.microsoft.com/pricing/details/active-directory/) and [Microsoft Entra Deployment checklist](../../active-directory/fundamentals/active-directory-deployment-checklist-p2.md) for more information. ## Before you begin: Protect privileged accounts with MFA -Before you begin this checklist, make sure you don't get compromised while you're reading this checklist. In Azure Active Directory we observe 50 million password attacks daily, yet only 20% of users and 30% of global admins are using strong authentications such as multi-factor authentication (MFA). These statistics are based on data as of August 2021. In Azure AD, users who have privileged roles, such as administrators, are the root of trust to build and manage the rest of the environment. Implement the following practices to minimize the effects of a compromise. +Before you begin this checklist, make sure you don't get compromised while you're reading this checklist. In Microsoft Entra we observe 50 million password attacks daily, yet only 20% of users and 30% of global admins are using strong authentications such as multifactor authentication (MFA). 
These statistics are based on data as of August 2021. In Microsoft Entra ID, users who have privileged roles, such as administrators, are the root of trust to build and manage the rest of the environment. Implement the following practices to minimize the effects of a compromise. -Attackers who get control of privileged accounts can do tremendous damage, so it's critical to [protect these accounts before proceeding](../../active-directory/authentication/how-to-authentication-find-coverage-gaps.md). Enable and require [Azure AD Multi-Factor Authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md) for all administrators in your organization using [Azure AD Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) or [Conditional Access](../../active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md). It's critical. +Attackers who get control of privileged accounts can do tremendous damage, so it's critical to [protect these accounts before proceeding](../../active-directory/authentication/how-to-authentication-find-coverage-gaps.md). Enable and require [Microsoft Entra multifactor authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md) for all administrators in your organization using [Microsoft Entra Security Defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md) or [Conditional Access](../../active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md). It's critical. All set? Let's get started on the checklist. ## Step 1: Strengthen your credentials -Although other types of attacks are emerging, including consent phishing and attacks on nonhuman identities, password-based attacks on user identities are still the most prevalent vector of identity compromise. 
Well-established spear phishing and password spray campaigns by adversaries continue to be successful against organizations that havenΓÇÖt yet implemented multi-factor authentication (MFA) or other protections against this common tactic. +Although other types of attacks are emerging, including consent phishing and attacks on nonhuman identities, password-based attacks on user identities are still the most prevalent vector of identity compromise. Well-established spear phishing and password spray campaigns by adversaries continue to be successful against organizations that havenΓÇÖt yet implemented multifactor authentication (MFA) or other protections against this common tactic. -As an organization you need to make sure that your identities are validated and secured with MFA everywhere. In 2020, the [FBI IC3 Report](https://www.ic3.gov/Medi). +As an organization you need to make sure that your identities are validated and secured with MFA everywhere. In 2020, the [FBI IC3 Report](https://www.ic3.gov/Medi). ### Make sure your organization uses strong authentication -To easily enable the basic level of identity security, you can use the one-click enablement with [Azure AD security defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md). Security defaults enforce Azure AD MFA for all users in a tenant and blocks sign-ins from legacy protocols tenant-wide. +To easily enable the basic level of identity security, you can use the one-click enablement with [Microsoft Entra security defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md). Security defaults enforce Microsoft Entra multifactor authentication for all users in a tenant and blocks sign-ins from legacy protocols tenant-wide. 
-If your organization has Azure AD P1 or P2 licenses, then you can also use the [Conditional Access insights and reporting workbook](../../active-directory/conditional-access/howto-conditional-access-insights-reporting.md) to help you discover gaps in your configuration and coverage. From these recommendations, you can easily close this gap by creating a policy using the new Conditional Access templates experience. [Conditional Access templates](../../active-directory/conditional-access/concept-conditional-access-policy-common.md) are designed to provide an easy method to deploy new policies that align with Microsoft recommended [best practices](identity-management-best-practices.md), making it easy to deploy common policies to protect your identities and devices. +If your organization has Microsoft Entra ID P1 or P2 licenses, then you can also use the [Conditional Access insights and reporting workbook](../../active-directory/conditional-access/howto-conditional-access-insights-reporting.md) to help you discover gaps in your configuration and coverage. From these recommendations, you can easily close this gap by creating a policy using the new Conditional Access templates experience. [Conditional Access templates](../../active-directory/conditional-access/concept-conditional-access-policy-common.md) are designed to provide an easy method to deploy new policies that align with Microsoft recommended [best practices](identity-management-best-practices.md), making it easy to deploy common policies to protect your identities and devices. ### Start banning commonly attacked passwords and turn off traditional complexity, and expiration rules. -Many organizations use traditional complexity and password expiration rules. [Microsoft's research](https://www.microsoft.com/research/publication/password-guidance/) has shown and [NIST guidance](https://pages.nist.gov/800-63-3/sp800-63b.html) states that these policies cause users to choose passwords that are easier to guess. 
We recommend you use [Azure AD password protection](../../active-directory/authentication/concept-password-ban-bad.md) a dynamic banned password feature using current attacker behavior to prevent users from setting passwords that can easily be guessed. This capability is always on when users are created in the cloud, but is now also available for hybrid organizations when they deploy [Azure AD password protection for Windows Server Active Directory](../../active-directory/authentication/concept-password-ban-bad-on-premises.md). In addition, we recommend you remove expiration policies. Password change offers no containment benefits as cyber criminals almost always use credentials as soon as they compromise them. Refer to the following article to [Set the password expiration policy for your organization](/microsoft-365/admin/manage/set-password-expiration-policy). +Many organizations use traditional complexity and password expiration rules. [Microsoft's research](https://www.microsoft.com/research/publication/password-guidance/) has shown and [NIST guidance](https://pages.nist.gov/800-63-3/sp800-63b.html) states that these policies cause users to choose passwords that are easier to guess. We recommend you use [Microsoft Entra password protection](../../active-directory/authentication/concept-password-ban-bad.md) a dynamic banned password feature using current attacker behavior to prevent users from setting passwords that can easily be guessed. This capability is always on when users are created in the cloud, but is now also available for hybrid organizations when they deploy [Microsoft Entra password protection for Windows Server Active Directory](../../active-directory/authentication/concept-password-ban-bad-on-premises.md). In addition, we recommend you remove expiration policies. Password change offers no containment benefits as cyber criminals almost always use credentials as soon as they compromise them. 
Refer to the following article to [Set the password expiration policy for your organization](/microsoft-365/admin/manage/set-password-expiration-policy). ### Protect against leaked credentials and add resilience against outages -The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable [password hash synchronization (PHS)](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md). If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync for the following two reasons: +The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Microsoft Entra ID is to enable [password hash synchronization (PHS)](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md). If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync for the following two reasons: -- The [Users with leaked credentials report](../../active-directory/identity-protection/overview-identity-protection.md) in Azure AD warns of username and password pairs, which have been exposed publically. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization ΓÇô but only if you enable [password hash sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md) or have cloud-only identities.-- If an on-premises outage happens, like a ransomware attack, you can [switch over to using cloud authentication using password hash sync](../../active-directory/hybrid/choose-ad-authn.md). 
This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved.+- The [Users with leaked credentials report](../../active-directory/identity-protection/overview-identity-protection.md) in Microsoft Entra ID warns of username and password pairs, which have been exposed publically. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization ΓÇô but only if you enable [password hash sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md) or have cloud-only identities. +- If an on-premises outage happens, like a ransomware attack, you can [switch over to using cloud authentication using password hash sync](../../active-directory/hybrid/choose-ad-authn.md). This backup authentication method will allow you to continue accessing apps configured for authentication with Microsoft Entra ID, including Microsoft 365. In this case, IT staff won't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved. -Passwords are never stored in clear text or encrypted with a reversible algorithm in Azure AD. For more information on the actual process of password hash synchronization, see [Detailed description of how password hash synchronization works](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#detailed-description-of-how-password-hash-synchronization-works). +Passwords are never stored in clear text or encrypted with a reversible algorithm in Microsoft Entra ID. 
For more information on the actual process of password hash synchronization, see [Detailed description of how password hash synchronization works](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#detailed-description-of-how-password-hash-synchronization-works). ### Implement AD FS extranet smart lockout -Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive. Organizations, which configure applications to authenticate directly to Azure AD benefit from Azure AD smart lockout. Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection). +Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive. Organizations, which configure applications to authenticate directly to Microsoft Entra ID benefit from Microsoft Entra smart lockout. Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection). ## Step 2: Reduce your attack surface area Credentials are a primary attack vector. 
The practices in this blog can reduce t ### Block legacy authentication -Apps using their own legacy methods to authenticate with Azure AD and access company data, pose another risk for organizations. Examples of apps using legacy authentication are POP3, IMAP4, or SMTP clients. Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access. +Apps using their own legacy methods to authenticate with Microsoft Entra ID and access company data, pose another risk for organizations. Examples of apps using legacy authentication are POP3, IMAP4, or SMTP clients. Legacy authentication apps authenticate on behalf of the user and prevent Microsoft Entra ID from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multifactor authentication and Conditional Access. We recommend the following actions: -1. Discover legacy authentication in your organization with Azure AD sign-in logs and Log Analytics workbooks. +1. Discover legacy authentication in your organization with Microsoft Entra sign-in logs and Log Analytics workbooks. 1. Setup SharePoint Online and Exchange Online to use modern authentication.-1. If you have Azure AD Premium licenses, use Conditional Access policies to block legacy authentication. For Azure AD free tier, use Azure AD Security Defaults. +1. If you have Microsoft Entra ID P1 or P2 licenses, use Conditional Access policies to block legacy authentication. For Microsoft Entra ID Free tier, use Microsoft Entra Security Defaults. 1. Block legacy authentication if you use AD FS. 1. Block Legacy Authentication with Exchange Server 2019. 1. Disable legacy authentication in Exchange Online. 
-For more information, see the article [Blocking legacy authentication protocols in Azure AD](../../active-directory/conditional-access/block-legacy-authentication.md). +For more information, see the article [Blocking legacy authentication protocols in Microsoft Entra ID](../../active-directory/conditional-access/block-legacy-authentication.md). ### Block invalid authentication entry points -Using the verify explicitly principle, you should reduce the impact of compromised user credentials when they happen. For each app in your environment, consider the valid use cases: which groups, which networks, which devices and other elements are authorized ΓÇô then block the rest. With Azure AD Conditional Access, you can control how authorized users access their apps and resources based on specific conditions you define. +Using the verify explicitly principle, you should reduce the impact of compromised user credentials when they happen. For each app in your environment, consider the valid use cases: which groups, which networks, which devices and other elements are authorized ΓÇô then block the rest. With Microsoft Entra Conditional Access, you can control how authorized users access their apps and resources based on specific conditions you define. For more information on how to use Conditional Access for your Cloud Apps and user actions, see [Conditional Access Cloud apps, actions, and authentication context](../../active-directory/conditional-access/concept-conditional-access-cloud-apps.md). ### Review and govern admin roles -Another Zero Trust pillar is the need to minimize the likelihood a compromised account can operate with a privileged role. This control can be accomplished by assigning the least amount of privilege to an identity. If youΓÇÖre new to Azure AD Roles, this article will help you understand Azure AD Roles. +Another Zero Trust pillar is the need to minimize the likelihood a compromised account can operate with a privileged role. 
This control can be accomplished by assigning the least amount of privilege to an identity. If youΓÇÖre new to Microsoft Entra roles, this article will help you understand Microsoft Entra roles. -Privileged roles in Azure AD should be cloud only accounts in order to isolate them from any on-premises environments and donΓÇÖt use on-premises password vaults to store the credentials. +Privileged roles in Microsoft Entra ID should be cloud only accounts in order to isolate them from any on-premises environments and donΓÇÖt use on-premises password vaults to store the credentials. ### Implement Privilege Access Management -Privileged Identity Management (PIM) provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure Active Directory (Azure AD), Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. +Privileged Identity Management (PIM) provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. -Azure AD Privileged Identity Management (PIM) helps you minimize account privileges by helping you: +Microsoft Entra Privileged Identity Management (PIM) helps you minimize account privileges by helping you: - Identify and manage users assigned to administrative roles. - Understand unused or excessive privilege roles you should remove.-- Establish rules to make sure privileged roles are protected by multi-factor authentication.+- Establish rules to make sure privileged roles are protected by multifactor authentication. - Establish rules to make sure privileged roles are granted only long enough to accomplish the privileged task. 
-Enable Azure AD PIM, then view the users who are assigned administrative roles and remove unnecessary accounts in those roles. For remaining privileged users, move them from permanent to eligible. Finally, establish appropriate policies to make sure when they need to gain access to those privileged roles, they can do so securely, with the necessary change control. +Enable Microsoft Entra PIM, then view the users who are assigned administrative roles and remove unnecessary accounts in those roles. For remaining privileged users, move them from permanent to eligible. Finally, establish appropriate policies to make sure when they need to gain access to those privileged roles, they can do so securely, with the necessary change control. -Azure AD built-in and custom roles operate on concepts similar to roles found in the role-based access control system for Azure resources (Azure roles). The difference between these two role-based access control systems is: +Microsoft Entra built-in and custom roles operate on concepts similar to roles found in the role-based access control system for Azure resources (Azure roles). The difference between these two role-based access control systems is: -- Azure AD roles control access to Azure AD resources such as users, groups, and applications using the Microsoft Graph API+- Microsoft Entra roles control access to Microsoft Entra resources such as users, groups, and applications using the Microsoft Graph API - Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management -Both systems contain similarly used role definitions and role assignments. However, Azure AD role permissions can't be used in Azure custom roles and vice versa. As part of deploying your privileged account process, follow the best practice to create at least two emergency accounts to make sure you still have access to Azure AD if you lock yourself out. 
+Both systems contain similarly used role definitions and role assignments. However, Microsoft Entra role permissions can't be used in Azure custom roles and vice versa. As part of deploying your privileged account process, follow the best practice to create at least two emergency accounts to make sure you still have access to Microsoft Entra ID if you lock yourself out. For more information, see the article [Plan a Privileged Identity Management deployment](../../active-directory/privileged-identity-management/pim-deployment-plan.md) and [securing privileged access](/security/compass/overview). ### Restrict user consent operations -ItΓÇÖs important to understand the various Azure AD application consent experiences, the types of permissions and consent, and their implications on your organizationΓÇÖs security posture. While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure, and other services, it can represent a risk if not used and monitored carefully. +ItΓÇÖs important to understand the various Microsoft Entra application consent experiences, the types of permissions and consent, and their implications on your organizationΓÇÖs security posture. While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure, and other services, it can represent a risk if not used and monitored carefully. Microsoft recommends restricting user consent to allow end-user consent only for apps from verified publishers and only for permissions you select. If end-user consent is restricted, previous consent grants will still be honored but all future consent operations must be performed by an administrator. For restricted cases, admin consent can be requested by users through an integrated admin consent request workflow or through your own support processes. 
Before restricting end-user consent, use our recommendations to plan this change in your organization. For applications you wish to allow all users to access, consider granting consent on behalf of all users, making sure users who havenΓÇÖt yet consented individually will be able to access the app. If you donΓÇÖt want these applications to be available to all users in all scenarios, use application assignment and Conditional Access to restrict user access to specific apps. -Make sure users can request admin approval for new applications to reduce user friction, minimize support volume, and prevent users from signing up for applications using non-Azure AD credentials. Once you regulate your consent operations, administrators should audit app and consent permissions regularly. +Make sure users can request admin approval for new applications to reduce user friction, minimize support volume, and prevent users from signing up for applications using non-Microsoft Entra credentials. Once you regulate your consent operations, administrators should audit app and consent permissions regularly. -For more information, see the article [Azure Active Directory consent framework](../../active-directory/develop/consent-framework.md). +For more information, see the article [Microsoft Entra consent framework](../../active-directory/develop/consent-framework.md). ## Step 3: Automate threat response -Azure Active Directory has many capabilities that automatically intercept attacks, to remove the latency between detection and response. You can reduce the costs and risks, when you reduce the time criminals use to embed themselves into your environment. Here are the concrete steps you can take. +Microsoft Entra ID has many capabilities that automatically intercept attacks, to remove the latency between detection and response. You can reduce the costs and risks, when you reduce the time criminals use to embed themselves into your environment. Here are the concrete steps you can take. 
For more information, see the article [How To: Configure and enable risk policies](../../active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md). ### Implement sign-in risk policy -A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. A sign-in risk-based policy can be implemented through adding a sign-in risk condition to your Conditional Access policies that evaluates the risk level to a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication. We recommend that you force multi-factor authentication on Medium or above risky sign-ins. +A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. A sign-in risk-based policy can be implemented through adding a sign-in risk condition to your Conditional Access policies that evaluates the risk level to a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multifactor authentication. We recommend that you force multifactor authentication on Medium or above risky sign-ins. :::image type="content" source="media/steps-secure-identity/require-mfa-medium-or-high-risk-sign-in.png" alt-text="Conditional Access policy requiring MFA for medium and high risk sign-ins." lightbox="media/steps-secure-identity/require-mfa-medium-or-high-risk-sign-in.png"::: ### Implement user risk security policy -User risk indicates the likelihood a user's identity has been compromised and is calculated based on the user risk detections that are associated with a user's identity. A user risk-based policy can be implemented through adding a user risk condition to your Conditional Access policies that evaluates the risk level to a specific user. 
Based on Low, Medium, High risk-level, a policy can be configured to block access or require a secure password change using multi-factor authentication. Microsoft's recommendation is to require a secure password change for users on high risk. +User risk indicates the likelihood a user's identity has been compromised and is calculated based on the user risk detections that are associated with a user's identity. A user risk-based policy can be implemented through adding a user risk condition to your Conditional Access policies that evaluates the risk level to a specific user. Based on Low, Medium, High risk-level, a policy can be configured to block access or require a secure password change using multifactor authentication. Microsoft's recommendation is to require a secure password change for users on high risk. :::image type="content" source="media/steps-secure-identity/require-password-change-high-risk-user.png" alt-text="Conditional Access policy requiring password change for high risk users." lightbox="media/steps-secure-identity/require-password-change-high-risk-user.png"::: -Included in the user risk detection is a check whether the user's credentials match to credentials leaked by cybercriminals. To function optimally, itΓÇÖs important to implement password hash synchronization with Azure AD Connect sync. +Included in the user risk detection is a check whether the user's credentials match to credentials leaked by cybercriminals. To function optimally, itΓÇÖs important to implement password hash synchronization with Microsoft Entra Connect Sync. -### Integrate Microsoft 365 Defender with Azure AD Identity Protection +<a name='integrate-microsoft-365-defender-with-azure-ad-identity-protection'></a> ++### Integrate Microsoft 365 Defender with Microsoft Entra ID Protection For Identity Protection to be able to perform the best risk detection possible, it needs to get as many signals as possible. 
ItΓÇÖs therefore important to integrate the complete suite of Microsoft 365 Defender Learn more about Microsoft Threat Protection and the importance of integrating d ### Set up monitoring and alerting -Monitoring and auditing your logs is important to detect suspicious behavior. The Azure portal has several ways to integrate Azure AD logs with other tools, like Microsoft Sentinel, Azure Monitor, and other SIEM tools. For more information, see the [Azure Active Directory security operations guide](../../active-directory/fundamentals/security-operations-introduction.md#data-sources). +Monitoring and auditing your logs is important to detect suspicious behavior. The Azure portal has several ways to integrate Microsoft Entra logs with other tools, like Microsoft Sentinel, Azure Monitor, and other SIEM tools. For more information, see the [Microsoft Entra security operations guide](../../active-directory/fundamentals/security-operations-introduction.md#data-sources). ## Step 4: Utilize cloud intelligence -Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events. Make sure you have a log retention policy in place for both your sign-in logs and audit logs for Azure AD by exporting into Azure Monitor or a SIEM tool. +Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. 
Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events. Make sure you have a log retention policy in place for both your sign-in logs and audit logs for Microsoft Entra ID by exporting into Azure Monitor or a SIEM tool. ++<a name='monitor-azure-ad'></a> ++### Monitor Microsoft Entra ID -### Monitor Azure AD +Microsoft Azure services and features provide you with configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms and address those gaps to help prevent breaches. You can use [Azure Logging and Auditing](log-audit.md) and use [Audit activity reports in the Microsoft Entra admin center](../../active-directory/reports-monitoring/concept-audit-logs.md). See the [Microsoft Entra Security Operations guide](../../active-directory/fundamentals/security-operations-introduction.md) for more details on monitoring user accounts, Privileged accounts, apps, and devices. -Microsoft Azure services and features provide you with configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms and address those gaps to help prevent breaches. You can use [Azure Logging and Auditing](log-audit.md) and use [Audit activity reports in the Azure Active Directory portal](../../active-directory/reports-monitoring/concept-audit-logs.md). See the [Azure AD Security Operations guide](../../active-directory/fundamentals/security-operations-introduction.md) for more details on monitoring user accounts, Privileged accounts, apps, and devices. 
+<a name='monitor-azure-ad-connect-health-in-hybrid-environments'></a> -### Monitor Azure AD Connect Health in hybrid environments +### Monitor Microsoft Entra Connect Health in hybrid environments -[Monitoring AD FS with Azure AD Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md) provides you with greater insight into potential issues and visibility of attacks on your AD FS infrastructure. You can now view [ADFS sign-ins](../../active-directory/hybrid/how-to-connect-health-ad-fs-sign-in.md) to give greater depth for your monitoring. Azure AD Connect Health delivers alerts with details, resolution steps, and links to related documentation; usage analytics for several metrics related to authentication traffic; performance monitoring and reports. Utilize the [Risky IP WorkBook for ADFS](../../active-directory/hybrid/how-to-connect-health-adfs-risky-ip-workbook.md#) that can help identify the norm for your environment and alert when thereΓÇÖs a change. All Hybrid Infrastructure should be monitored as a Tier 0 asset. Detailed monitoring guidance for these assets can be found in the [Security Operations guide for Infrastructure](../../active-directory/fundamentals/security-operations-infrastructure.md). +[Monitoring AD FS with Microsoft Entra Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md) provides you with greater insight into potential issues and visibility of attacks on your AD FS infrastructure. You can now view [ADFS sign-ins](../../active-directory/hybrid/how-to-connect-health-ad-fs-sign-in.md) to give greater depth for your monitoring. Microsoft Entra Connect Health delivers alerts with details, resolution steps, and links to related documentation; usage analytics for several metrics related to authentication traffic; performance monitoring and reports. 
Utilize the [Risky IP WorkBook for ADFS](../../active-directory/hybrid/how-to-connect-health-adfs-risky-ip-workbook.md#) that can help identify the norm for your environment and alert when thereΓÇÖs a change. All Hybrid Infrastructure should be monitored as a Tier 0 asset. Detailed monitoring guidance for these assets can be found in the [Security Operations guide for Infrastructure](../../active-directory/fundamentals/security-operations-infrastructure.md). -### Monitor Azure AD Identity Protection events +<a name='monitor-azure-ad-identity-protection-events'></a> -[Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) provides two important reports you should monitor daily: +### Monitor Microsoft Entra ID Protection events ++[Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) provides two important reports you should monitor daily: 1. Risky sign-in reports will surface user sign-in activities you should investigate, the legitimate owner may not have performed the sign-in. 1. Risky user reports will surface user accounts that may have been compromised, such as leaked credential that was detected or the user signed in from different locations causing an impossible travel event. As much as possible you'll want to balance security with productivity. Approachi ### Implement self-service password reset -Azure AD's [self-service password reset (SSPR)](../../active-directory/authentication/tutorial-enable-sspr.md) offers a simple means for IT administrators to allow users to reset or unlock their passwords or accounts without helpdesk or administrator intervention. The system includes detailed reporting that tracks when users have reset their passwords, along with notifications to alert you to misuse or abuse. 
+Microsoft Entra ID's [self-service password reset (SSPR)](../../active-directory/authentication/tutorial-enable-sspr.md) offers a simple means for IT administrators to allow users to reset or unlock their passwords or accounts without helpdesk or administrator intervention. The system includes detailed reporting that tracks when users have reset their passwords, along with notifications to alert you to misuse or abuse. ### Implement self-service group and application access -Azure AD can allow non-administrators to manage access to resources, using security groups, Microsoft 365 groups, application roles, and access package catalogs. [Self-service group management](../../active-directory/enterprise-users/groups-self-service-management.md) enables group owners to manage their own groups, without needing to be assigned an administrative role. Users can also create and manage Microsoft 365 groups without relying on administrators to handle their requests, and unused groups expire automatically. [Azure AD entitlement management](../../active-directory/governance/entitlement-management-overview.md) further enables delegation and visibility, with comprehensive access request workflows and automatic expiration. You can delegate to non-administrators the ability to configure their own access packages for groups, Teams, applications, and SharePoint Online sites they own, with custom policies for who is required to approve access, including configuring employee's managers and business partner sponsors as approvers. +Microsoft Entra ID can allow non-administrators to manage access to resources, using security groups, Microsoft 365 groups, application roles, and access package catalogs. [Self-service group management](../../active-directory/enterprise-users/groups-self-service-management.md) enables group owners to manage their own groups, without needing to be assigned an administrative role. 
Users can also create and manage Microsoft 365 groups without relying on administrators to handle their requests, and unused groups expire automatically. [Microsoft Entra entitlement management](../../active-directory/governance/entitlement-management-overview.md) further enables delegation and visibility, with comprehensive access request workflows and automatic expiration. You can delegate to non-administrators the ability to configure their own access packages for groups, Teams, applications, and SharePoint Online sites they own, with custom policies for who is required to approve access, including configuring employee's managers and business partner sponsors as approvers. ++<a name='implement-azure-ad-access-reviews'></a> -### Implement Azure AD access reviews +### Implement Microsoft Entra access reviews -With [Azure AD access reviews](../../active-directory/governance/access-reviews-overview.md), you can manage access package and group memberships, access to enterprise applications, and privileged role assignments to make sure you maintain a security standard. Regular oversight by the users themselves, resource owners, and other reviewers ensure that users don't retain access for extended periods of time when they no longer need it. +With [Microsoft Entra access reviews](../../active-directory/governance/access-reviews-overview.md), you can manage access package and group memberships, access to enterprise applications, and privileged role assignments to make sure you maintain a security standard. Regular oversight by the users themselves, resource owners, and other reviewers ensure that users don't retain access for extended periods of time when they no longer need it. ### Implement automatic user provisioning Provisioning and deprovisioning are the processes that ensure consistency of dig Provisioning is the processes of creating an identity in a target system based on certain conditions. 
De-provisioning is the process of removing the identity from the target system, when conditions are no longer met. Synchronization is the process of keeping the provisioned object, up to date, so that the source object and target object are similar. -Azure AD currently provides three areas of automated provisioning. They are: +Microsoft Entra ID currently provides three areas of automated provisioning. They are: -- Provisioning from an external non-directory authoritative system of record to Azure AD, via [HR-driven provisioning](../../active-directory/governance/what-is-provisioning.md#hr-driven-provisioning)-- Provisioning from Azure AD to applications, via [App provisioning](../../active-directory/governance/what-is-provisioning.md#app-provisioning)-- Provisioning between Azure AD and Active Directory domain services, via [inter-directory provisioning](../../active-directory/governance/what-is-provisioning.md#inter-directory-provisioning)+- Provisioning from an external non-directory authoritative system of record to Microsoft Entra ID, via [HR-driven provisioning](../../active-directory/governance/what-is-provisioning.md#hr-driven-provisioning) +- Provisioning from Microsoft Entra ID to applications, via [App provisioning](../../active-directory/governance/what-is-provisioning.md#app-provisioning) +- Provisioning between Microsoft Entra ID and Active Directory Domain Services, via [inter-directory provisioning](../../active-directory/governance/what-is-provisioning.md#inter-directory-provisioning) -Find out more here: What is provisioning with Azure Active Directory? +Find out more here: What is provisioning with Microsoft Entra ID? ## Summary We appreciate how seriously you take security and hope this document is a useful ## Next steps -If you need assistance to plan and deploy the recommendations, refer to the [Azure AD project deployment plans](../../active-directory/fundamentals/deployment-plans.md) for help. 
+If you need assistance to plan and deploy the recommendations, refer to the [Microsoft Entra ID project deployment plans](../../active-directory/fundamentals/deployment-plans.md) for help. If you're confident all these steps are complete, use MicrosoftΓÇÖs [Identity Secure Score](../../active-directory/fundamentals/identity-secure-score.md), which will keep you up to date with the [latest best practices](identity-management-best-practices.md) and security threats. |
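Review bot: The "Users with leaked credentials report" bullet under Step 1 carries the typo "publically" over into the rewritten `+` line; since the line is being touched anyway, make it "username and password pairs that have been exposed publicly" (restrictive "that", no comma).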
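Review bot: In the AD FS extranet smart lockout hunk, the stray comma in "Organizations, which configure applications to authenticate directly to Microsoft Entra ID benefit from" turns a restrictive clause into a non-restrictive one and leaves the sentence without a clean subject; suggest "Organizations that configure applications to authenticate directly to Microsoft Entra ID benefit from Microsoft Entra smart lockout." The same paragraph's "treat them differently than ones of attackers" reads better as "differently from those of attackers".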
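Review bot: In the block legacy authentication list, the unchanged step "1. Setup SharePoint Online and Exchange Online to use modern authentication." uses the noun form where a verb is needed ("Set up"), and the steps capitalize the term inconsistently ("Block Legacy Authentication with Exchange Server 2019" next to "Block legacy authentication if you use AD FS"); worth normalizing to lowercase "legacy authentication" while the list is being edited.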
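Review bot: The review and govern admin roles hunk promises a link that is not there: "If you're new to Microsoft Entra roles, this article will help you understand Microsoft Entra roles" has no link target, so "this article" points nowhere. Either link it or drop the sentence. The following `+` line also shifts subject mid-sentence ("Privileged roles ... should be cloud only accounts ... and don't use on-premises password vaults"); suggest "Assign privileged Microsoft Entra roles only to cloud-only accounts, to isolate them from on-premises environments, and don't store their credentials in on-premises password vaults."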
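Review bot: The unchanged heading "### Implement Privilege Access Management" should read "Privileged Access Management" to match the terminology used in the body and in the linked "securing privileged access" article. The two consecutive `+` paragraphs both expand "Privileged Identity Management (PIM)"; expand once in the first paragraph and use "PIM" in the second.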
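Review bot: In the user risk security policy hunk, "check whether the user's credentials match to credentials leaked by cybercriminals" should be "match credentials leaked by cybercriminals". Risk levels are written "(high/medium/low)" in the sign-in risk paragraph but "Low, Medium, High risk-level" here; pick one form for both paragraphs.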
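Review bot: The Connect Health hunk mixes "AD FS" (in the heading and first link) with "ADFS" (in "[ADFS sign-ins]" and "Risky IP WorkBook for ADFS") within the same `+` line; standardize on "AD FS", and "WorkBook" should be "workbook". The Risky IP link target ends in an empty fragment, `how-to-connect-health-adfs-risky-ip-workbook.md#)`; drop the trailing `#`.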
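Review bot: Subject-verb agreement in the access reviews hunk: "Regular oversight by the users themselves, resource owners, and other reviewers ensure that users don't retain access" has the singular subject "oversight", so it should be "ensures".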
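Review bot: In the automatic user provisioning hunk, the rewritten line "Find out more here: What is provisioning with Microsoft Entra ID?" reads as a link but is plain text; the three bullets just above already link `../../active-directory/governance/what-is-provisioning.md`, so link the article title to that file. The unchanged context in the same hunk has "Provisioning is the processes of creating" ("process") and spells the term both "deprovisioning" and "De-provisioning" in one paragraph.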
security | Subdomain Takeover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/subdomain-takeover.md | It's often up to developers and operations teams to run cleanup processes to avo ### Clean up DNS pointers or Re-claim the DNS -Upon deletion of the classic cloud service resource, the corresponding DNS is reserved as per Azure DNS policies. During the reservation period, re-use of the DNS will be forbidden EXCEPT for subscriptions belonging to the Azure AD tenant of the subscription originally owning the DNS. After the reservation expires, the DNS is free to be claimed by any subscription. By taking DNS reservations, the customer is afforded some time to either 1) clean up any associations/pointers to said DNS or 2) re-claim the DNS in Azure. The recommendation would be to delete unwanted DNS entries at the earliest. The DNS name being reserved can be derived by appending the cloud service name to the DNS zone for that cloud. +Upon deletion of the classic cloud service resource, the corresponding DNS is reserved as per Azure DNS policies. During the reservation period, re-use of the DNS will be forbidden EXCEPT for subscriptions belonging to the Microsoft Entra tenant of the subscription originally owning the DNS. After the reservation expires, the DNS is free to be claimed by any subscription. By taking DNS reservations, the customer is afforded some time to either 1) clean up any associations/pointers to said DNS or 2) re-claim the DNS in Azure. The recommendation would be to delete unwanted DNS entries at the earliest. The DNS name being reserved can be derived by appending the cloud service name to the DNS zone for that cloud. 
- Public - cloudapp.net - Mooncake - chinacloudapp.cn Upon deletion of the classic cloud service resource, the corresponding DNS is re For example, a hosted service in Public named "test" would have DNS "test.cloudapp.net" Example:-Subscription 'A' and subscription 'B' are the only subscriptions belonging to Azure AD tenant 'AB'. Subscription 'A' contains a classic cloud service 'test' with DNS name 'test.cloudapp.net'. Upon deletion of the cloud service, a reservation is taken on DNS name 'test.cloudapp.net'. During the reservation period, only subscription 'A' or subscription 'B' will be able to claim the DNS name 'test.cloudapp.net' by creating a classic cloud service named 'test'. No other subscriptions will be allowed to claim it. After the reservation period, any subscription in Azure can now claim 'test.cloudapp.net'. +Subscription 'A' and subscription 'B' are the only subscriptions belonging to Microsoft Entra tenant 'AB'. Subscription 'A' contains a classic cloud service 'test' with DNS name 'test.cloudapp.net'. Upon deletion of the cloud service, a reservation is taken on DNS name 'test.cloudapp.net'. During the reservation period, only subscription 'A' or subscription 'B' will be able to claim the DNS name 'test.cloudapp.net' by creating a classic cloud service named 'test'. No other subscriptions will be allowed to claim it. After the reservation period, any subscription in Azure can now claim 'test.cloudapp.net'. ## Next steps |
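Review bot: The hunk hinges on "the reservation period" ("During the reservation period, re-use of the DNS will be forbidden EXCEPT ...", "After the reservation expires") but never states how long it lasts or links the Azure DNS policy that defines it; readers cannot plan cleanup without that number, so add the duration or a link to the policy. Style: "re-use" should be "reuse", the all-caps "EXCEPT" is unnecessary emphasis, and the unchanged list entry "Mooncake - chinacloudapp.cn" uses an internal codename where customers would recognize "Azure China" (with the same DNS zone).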
security | Technical Capabilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/technical-capabilities.md | With Microsoft Azure, you can: Azure helps you protect business and personal information by enabling you to manage user identities and credentials and control access. -### Azure Active Directory +<a name='azure-active-directory'></a> -Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud, enabling additional levels of validation such as multi-factor authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing and alerting helps mitigate potential security issues. [Azure Active Directory Premium](../../active-directory/fundamentals/active-directory-get-started-premium.md) provides single sign-on to thousands of cloud apps and access to web apps you run on-premises. +### Microsoft Entra ID -Security benefits of Azure Active Directory (Azure AD) include the ability to: +Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud, enabling additional levels of validation such as multifactor authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing and alerting helps mitigate potential security issues. [Microsoft Entra ID P1 or P2](../../active-directory/fundamentals/active-directory-get-started-premium.md) provides single sign-on to thousands of cloud apps and access to web apps you run on-premises. ++Security benefits of Microsoft Entra ID include the ability to: - Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and devices in sync. - Provide single sign-on access to your applications including thousands of pre-integrated SaaS apps. 
-- Enable application access security by enforcing rules-based Multi-Factor Authentication for both on-premises and cloud applications.+- Enable application access security by enforcing rules-based multifactor authentication for both on-premises and cloud applications. -- Provision secure remote access to on-premises web applications through Azure AD Application Proxy.+- Provision secure remote access to on-premises web applications through Microsoft Entra application proxy. -![Azure Active Directory](./media/technical-capabilities/azure-security-technical-capabilities-fig2.png) +![Microsoft Entra ID](./media/technical-capabilities/azure-security-technical-capabilities-fig2.png) The following are core Azure identity management capabilities: - Single sign-on -- Multi-factor authentication+- Multifactor authentication - Security monitoring, alerts, and machine learning-based reports The following are core Azure identity management capabilities: Many organizations rely upon software as a service (SaaS) applications such as Microsoft 365, Box, and Salesforce for end-user productivity. Historically, IT staff needed to individually create and update user accounts in each SaaS application, and users had to remember a password for each SaaS application. -Azure AD extends on-premises Active Directory into the cloud, enabling users to use their primary organizational account to not only sign in to their domain-joined devices and company resources, but also all the web and SaaS applications needed for their job. +Microsoft Entra ID extends on-premises Active Directory into the cloud, enabling users to use their primary organizational account to not only sign in to their domain-joined devices and company resources, but also all the web and SaaS applications needed for their job. 
++Not only do users not have to manage multiple sets of usernames and passwords, application access can be automatically provisioned or de-provisioned based on organizational groups and their status as an employee. Microsoft Entra ID introduces security and access governance controls that enable you to centrally manage users' access across SaaS applications. -Not only do users not have to manage multiple sets of usernames and passwords, application access can be automatically provisioned or de-provisioned based on organizational groups and their status as an employee. Azure AD introduces security and access governance controls that enable you to centrally manage users' access across SaaS applications. +<a name='multi-factor-authentication'></a> -#### Multi-factor authentication +#### Multifactor authentication -[Azure AD Multi-Factor Authentication (MFA)](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. [MFA helps safeguard](../../active-directory/authentication/concept-mfa-howitworks.md) access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification optionsΓÇöphone call, text message, or mobile app notification or verification code and third-party OAuth tokens. +[Microsoft Entra multifactor authentication (MFA)](../../active-directory/authentication/overview-authentication.md#azure-ad-multi-factor-authentication) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. [MFA helps safeguard](../../active-directory/authentication/concept-mfa-howitworks.md) access to data and applications while meeting user demand for a simple sign-in process. 
It delivers strong authentication via a range of verification optionsΓÇöphone call, text message, or mobile app notification or verification code and third-party OAuth tokens. #### Security monitoring, alerts, and machine learning-based reports -Security monitoring and alerts and machine learning-based reports that identify inconsistent access patterns can help you protect your business. You can use Azure Active Directory's access and usage reports to gain visibility into the integrity and security of your organizationΓÇÖs directory. With this information, a directory admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks. +Security monitoring and alerts and machine learning-based reports that identify inconsistent access patterns can help you protect your business. You can use Microsoft Entra ID's access and usage reports to gain visibility into the integrity and security of your organizationΓÇÖs directory. With this information, a directory admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks. In the [Azure portal](https://portal.azure.com), [reports](../../active-directory/reports-monitoring/overview-reports.md) are categorized in the following ways: - Anomaly reports ΓÇô contain sign in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to be able to decide about whether an event is suspicious. -- Integrated application reports ΓÇô provide insights into how cloud applications are being used in your organization. Azure Active Directory offers integration with thousands of cloud applications.+- Integrated application reports ΓÇô provide insights into how cloud applications are being used in your organization. Microsoft Entra ID offers integration with thousands of cloud applications. 
- Error reports ΓÇô indicate errors that may occur when provisioning accounts to external applications. When you use Azure Active Directory B2C, your consumers can sign up for your app #### Device registration -[Azure AD device registration](../../active-directory/devices/overview.md) is the foundation for device-based [Conditional Access](../../active-directory/devices/overview.md) scenarios. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce Conditional Access policies for applications that are hosted in the cloud and on-premises. +[Microsoft Entra device registration](../../active-directory/devices/overview.md) is the foundation for device-based [Conditional Access](../../active-directory/devices/overview.md) scenarios. When a device is registered, Microsoft Entra device registration provides the device with an identity that is used to authenticate the device when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce Conditional Access policies for applications that are hosted in the cloud and on-premises. -When combined with a [mobile device management (MDM)](https://www.microsoft.com/itshowcase/Article/Content/588/Mobile-device-management-at-Microsoft) solution such as Intune, the device attributes in Azure Active Directory are updated with additional information about the device. This allows you to create Conditional Access rules that enforce access from devices to meet your standards for security and compliance. +When combined with a [mobile device management (MDM)](https://www.microsoft.com/itshowcase/Article/Content/588/Mobile-device-management-at-Microsoft) solution such as Intune, the device attributes in Microsoft Entra ID are updated with additional information about the device. 
This allows you to create Conditional Access rules that enforce access from devices to meet your standards for security and compliance. #### Privileged identity management -[Azure Active Directory (AD) Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md) lets you manage, control, and monitor your privileged identities and access to resources in Azure AD as well as other Microsoft online services like Microsoft 365 or Microsoft Intune. +[Microsoft Entra Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md) lets you manage, control, and monitor your privileged identities and access to resources in Microsoft Entra ID as well as other Microsoft online services like Microsoft 365 or Microsoft Intune. -Sometimes users need to carry out privileged operations in Azure or Microsoft 365 resources, or other SaaS apps. This often means organizations have to give them permanent privileged access in Azure AD. This is a growing security risk for cloud-hosted resources because organizations can't sufficiently monitor what those users are doing with their admin privileges. Additionally, if a user account with privileged access is compromised, that one breach could impact their overall cloud security. Azure AD Privileged Identity Management helps to resolve this risk. +Sometimes users need to carry out privileged operations in Azure or Microsoft 365 resources, or other SaaS apps. This often means organizations have to give them permanent privileged access in Microsoft Entra ID. This is a growing security risk for cloud-hosted resources because organizations can't sufficiently monitor what those users are doing with their admin privileges. Additionally, if a user account with privileged access is compromised, that one breach could impact their overall cloud security. Microsoft Entra Privileged Identity Management helps to resolve this risk. 
-Azure AD Privileged Identity Management lets you: +Microsoft Entra Privileged Identity Management lets you: -- See which users are Azure AD admins+- See which users are Microsoft Entra admins - Enable on-demand, "just in time" administrative access to Microsoft Online Services like Microsoft 365 and Intune Azure AD Privileged Identity Management lets you: #### Identity protection -[Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a security service that provides a consolidated view into risk detections and potential vulnerabilities affecting your organizationΓÇÖs identities. Identity Protection uses existing Azure Active DirectoryΓÇÖs anomaly detection capabilities (available through Azure ADΓÇÖs Anomalous Activity Reports), and introduces new risk detection types that can detect anomalies in real time. +[Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) is a security service that provides a consolidated view into risk detections and potential vulnerabilities affecting your organizationΓÇÖs identities. Identity Protection uses existing Microsoft Entra IDΓÇÖs anomaly detection capabilities (available through Microsoft Entra IDΓÇÖs Anomalous Activity Reports), and introduces new risk detection types that can detect anomalies in real time. ## Secure resource access |
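Review bot: awkward possessive in the "Identity protection" hunk's + line: the sentence starting "Identity Protection uses existing Microsoft Entra ID" and ending "Anomalous Activity Reports)" attaches "existing" to the product name rather than to the capabilities. Suggest "Identity Protection uses Microsoft Entra ID's existing anomaly detection capabilities (available through the Microsoft Entra Anomalous Activity Reports)", which also matches the phrasing this change set uses for the same sentence in threat-detection.md.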
security | Threat Detection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/threat-detection.md | Title: Azure threat protection | Microsoft Docs -description: Learn about built-in threat protection functionality for Azure, such as the Azure AD Identity Protection service. +description: Learn about built-in threat protection functionality for Azure, such as the Microsoft Entra ID Protection service. documentationcenter: na -Azure offers built in threat protection functionality through services such as Azure Active Directory (Azure AD), Azure Monitor logs, and Microsoft Defender for Cloud. This collection of security services and capabilities provides a simple and fast way to understand what is happening within your Azure deployments. +Azure offers built in threat protection functionality through services such as Microsoft Entra ID, Azure Monitor logs, and Microsoft Defender for Cloud. This collection of security services and capabilities provides a simple and fast way to understand what is happening within your Azure deployments. Azure provides a wide array of options to configure and customize security to meet the requirements of your app deployments. This article discusses how to meet these requirements. -## Azure Active Directory Identity Protection +<a name='azure-active-directory-identity-protection'></a> -[Azure AD Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) is an [Azure Active Directory Premium P2](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) edition feature that provides an overview of the risk detections and potential vulnerabilities that can affect your organizationΓÇÖs identities. 
Identity Protection uses existing Azure AD anomaly-detection capabilities that are available through [Azure AD Anomalous Activity Reports](../../active-directory/reports-monitoring/overview-reports.md), and introduces new risk detection types that can detect real time anomalies. +## Microsoft Entra ID Protection -![Azure AD Identity Protection diagram](./media/threat-detection/azure-threat-detection-fig1.png) +[Microsoft Entra ID Protection](../../active-directory/identity-protection/overview-identity-protection.md) is an [Microsoft Entra ID P2](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) edition feature that provides an overview of the risk detections and potential vulnerabilities that can affect your organizationΓÇÖs identities. Identity Protection uses existing Microsoft Entra anomaly-detection capabilities that are available through [Microsoft Entra Anomalous Activity Reports](../../active-directory/reports-monitoring/overview-reports.md), and introduces new risk detection types that can detect real time anomalies. ++![Microsoft Entra ID Protection diagram](./media/threat-detection/azure-threat-detection-fig1.png) Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and risk detections that might indicate that an identity has been compromised. Using this data, Identity Protection generates reports and alerts so that you can investigate these risk detections and take appropriate remediation or mitigation action. ### Identity Protection capabilities -Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. 
These policies, in addition to other [Conditional Access controls](../../active-directory/conditional-access/overview.md) provided by Azure Active Directory and [EMS](../../active-directory/conditional-access/overview.md), can either automatically block or initiate adaptive remediation actions including password resets and multi-factor authentication enforcement. +Microsoft Entra ID Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other [Conditional Access controls](../../active-directory/conditional-access/overview.md) provided by Microsoft Entra ID and [EMS](../../active-directory/conditional-access/overview.md), can either automatically block or initiate adaptive remediation actions including password resets and multi-factor authentication enforcement. Examples of some of the ways that Azure Identity Protection can help secure your accounts and identities include: Examples of some of the ways that Azure Identity Protection can help secure your - Block or secure risky user accounts. - Require users to register for multi-factor authentication. -### Azure AD Privileged Identity Management +<a name='azure-ad-privileged-identity-management'></a> ++### Microsoft Entra Privileged Identity Management -With [Azure Active Directory Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md), you can manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and other Microsoft online services, such as Microsoft 365 or Microsoft Intune. +With [Microsoft Entra Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md), you can manage, control, and monitor access within your organization. 
This feature includes access to resources in Microsoft Entra ID and other Microsoft online services, such as Microsoft 365 or Microsoft Intune. -![Azure AD Privileged Identity Management diagram](./media/threat-detection/azure-threat-detection-fig2.png) +![Microsoft Entra Privileged Identity Management diagram](./media/threat-detection/azure-threat-detection-fig2.png) PIM helps you: -- Get alerts and reports about Azure AD administrators and just-in-time (JIT) administrative access to Microsoft online services, such as Microsoft 365 and Intune.+- Get alerts and reports about Microsoft Entra administrators and just-in-time (JIT) administrative access to Microsoft online services, such as Microsoft 365 and Intune. - Get reports about administrator access history and changes in administrator assignments. |
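Review bot: grammar error in the "Microsoft Entra ID Protection" hunk: "+[Microsoft Entra ID Protection](...) is an [Microsoft Entra ID P2](...) edition feature" needs "is a [Microsoft Entra ID P2] edition feature"; the article was correct for "an Azure Active Directory Premium P2" but not after the rename.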
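Review bot: incomplete rename in the "Identity Protection capabilities" hunk: the + line keeps "multi-factor authentication enforcement" while the rest of this change set standardizes on "multifactor", and the unchanged context lines "Examples of some of the ways that Azure Identity Protection can help secure your accounts and identities include:" and "- Require users to register for multi-factor authentication." still use the old names. Suggest renaming those to "Microsoft Entra ID Protection" and "multifactor authentication" in the same commit so the section does not mix old and new terminology.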
security | Tls Certificate Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/tls-certificate-changes.md | Microsoft uses TLS certificates from the set of Root Certificate Authorities (CA All Azure services are impacted by this change. Details for some services are listed below: -- [Azure Active Directory](../../active-directory/index.yml) (Azure AD) services began this transition on July 7, 2020.+- [Microsoft Entra ID](../../active-directory/index.yml) (Microsoft Entra ID) services began this transition on July 7, 2020. - For the most up-to-date information about the TLS certificate changes for Azure IoT services, refer to [this Azure IoT blog post](https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169). - [Azure IoT Hub](../../iot-hub/iot-hub-tls-support.md) began this transition in February 2023 with an expected completion in October 2023. - [Azure IoT Central](../../iot-central/index.yml) will begin this transition in July 2023. |
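Review bot: redundant parenthetical in the + line "- [Microsoft Entra ID](../../active-directory/index.yml) (Microsoft Entra ID) services began this transition on July 7, 2020." The original parenthetical introduced the abbreviation "(Azure AD)"; now it just repeats the link text. Either drop it or use "(formerly Azure AD)" so readers searching for the old name still find the date of the certificate transition.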
security | Virtual Machines Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/virtual-machines-overview.md | Learn more: [Get Started with Microsoft Defender for Endpoint](/windows/security Improving key security can enhance encryption and authentication protections. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault. -Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption) can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through [Azure Active Directory](../../active-directory/index.yml). +Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption) can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through [Microsoft Entra ID](../../active-directory/index.yml). Learn more: Learn more: ## Next steps -Learn about [security best practices](iaas.md) for VMs and operating systems. +Learn about [security best practices](iaas.md) for VMs and operating systems. |
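Review bot: the final hunk pairs "-Learn about [security best practices](iaas.md) for VMs and operating systems." with a + line whose visible text is identical, so it is presumably a trailing-whitespace or line-ending change; confirm it is intentional rather than an editor artifact, since it adds noise to the history of this article without changing content.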
sentinel | Anomalies Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/anomalies-reference.md | You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory audit logs | +| **Data sources:** | Microsoft Entra audit logs | | **MITRE ATT&CK tactics:** | Persistence | | **MITRE ATT&CK techniques:** | T1136 - Create Account | | **MITRE ATT&CK sub-techniques:** | Cloud Account | You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory audit logs | +| **Data sources:** | Microsoft Entra audit logs | | **MITRE ATT&CK tactics:** | Impact | | **MITRE ATT&CK techniques:** | T1531 - Account Access Removal | | **Activity:** | Core Directory/UserManagement/Delete user<br>Core Directory/Device/Delete user<br>Core Directory/UserManagement/Delete user | You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory audit logs | +| **Data sources:** | Microsoft Entra audit logs | | **MITRE ATT&CK tactics:** | Persistence | | **MITRE ATT&CK techniques:** | T1098 - Account Manipulation | | **Activity:** | Core Directory/UserManagement/Update user | You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory sign-in logs<br>Windows Security logs | +| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs | | **MITRE ATT&CK tactics:** | Credential Access | | **MITRE ATT&CK techniques:** | T1110 - Brute Force |-| **Activity:** | **Azure AD:** Sign-in activity<br>**Windows Security:** Failed login (Event ID 4625) | +| **Activity:** | 
**Microsoft Entra ID:** Sign-in activity<br>**Windows Security:** Failed login (Event ID 4625) | [Back to UEBA anomalies list](#ueba-anomalies) You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory audit logs | +| **Data sources:** | Microsoft Entra audit logs | | **MITRE ATT&CK tactics:** | Impact | | **MITRE ATT&CK techniques:** | T1531 - Account Access Removal | | **Activity:** | Core Directory/UserManagement/User password reset | You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory audit logs | +| **Data sources:** | Microsoft Entra audit logs | | **MITRE ATT&CK tactics:** | Persistence | | **MITRE ATT&CK techniques:** | T1098 - Account Manipulation | | **MITRE ATT&CK sub-techniques:** | Additional Azure Service Principal Credentials | You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA | Attribute | Value | | -- | | | **Anomaly type:** | UEBA |-| **Data sources:** | Azure Active Directory sign-in logs<br>Windows Security logs | +| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs | | **MITRE ATT&CK tactics:** | Persistence | | **MITRE ATT&CK techniques:** | T1078 - Valid Accounts |-| **Activity:** | **Azure AD:** Sign-in activity<br>**Windows Security:** Successful login (Event ID 4624) | +| **Activity:** | **Microsoft Entra ID:** Sign-in activity<br>**Windows Security:** Successful login (Event ID 4624) | [Back to UEBA anomalies list](#ueba-anomalies) You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA Microsoft Sentinel's customizable, machine learning-based anomalies can identify anomalous behavior with analytics rule templates that can be put to work right out of the box. 
While anomalies don't necessarily indicate malicious or even suspicious behavior by themselves, they can be used to improve detections, investigations, and threat hunting. -- [Anomalous Azure AD sign-in sessions](#anomalous-azure-ad-sign-in-sessions)+- [Anomalous Microsoft Entra sign-in sessions](#anomalous-azure-ad-sign-in-sessions) - [Anomalous Azure operations](#anomalous-azure-operations) - [Anomalous Code Execution](#anomalous-code-execution) - [Anomalous local account creation](#anomalous-local-account-creation) Microsoft Sentinel's customizable, machine learning-based anomalies can identify - [Unusual network volume anomaly](#unusual-network-volume-anomaly) - [Unusual web traffic detected with IP in URL path](#unusual-web-traffic-detected-with-ip-in-url-path) -### Anomalous Azure AD sign-in sessions +<a name='anomalous-azure-ad-sign-in-sessions'></a> -**Description:** The machine learning model groups the Azure AD sign-in logs on a per-user basis. The model is trained on the previous 6 days of user sign-in behavior. It indicates anomalous user sign-in sessions over the past day. +### Anomalous Microsoft Entra sign-in sessions ++**Description:** The machine learning model groups the Microsoft Entra sign-in logs on a per-user basis. The model is trained on the previous 6 days of user sign-in behavior. It indicates anomalous user sign-in sessions over the past day. 
| Attribute | Value | | -- | | | **Anomaly type:** | Customizable machine learning |-| **Data sources:** | Azure Active Directory sign-in logs | +| **Data sources:** | Microsoft Entra sign-in logs | | **MITRE ATT&CK tactics:** | Initial Access | | **MITRE ATT&CK techniques:** | T1078 - Valid Accounts<br>T1566 - Phishing<br>T1133 - External Remote Services | Configuration details: | Attribute | Value | | -- | | | **Anomaly type:** | Customizable machine learning |-| **Data sources:** | Azure Active Directory audit logs | +| **Data sources:** | Microsoft Entra audit logs | | **MITRE ATT&CK tactics:** | Collection<br>Discovery<br>Initial Access<br>Persistence<br>Privilege Escalation | | **MITRE ATT&CK techniques:** | **Collection:**<br>T1530 - Data from Cloud Storage Object<br><br>**Discovery:**<br>T1087 - Account Discovery<br>T1538 - Cloud Service Dashboard<br>T1526 - Cloud Service Discovery<br>T1069 - Permission Groups Discovery<br>T1518 - Software Discovery<br><br>**Initial Access:**<br>T1190 - Exploit Public-Facing Application<br>T1078 - Valid Accounts<br><br>**Persistence:**<br>T1098 - Account Manipulation<br>T1136 - Create Account<br>T1078 - Valid Accounts<br><br>**Privilege Escalation:**<br>T1484 - Domain Policy Modification<br>T1078 - Valid Accounts | |
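Review bot: in the "Anomalous Microsoft Entra sign-in sessions" hunk, the renamed list entry "- [Anomalous Microsoft Entra sign-in sessions](#anomalous-azure-ad-sign-in-sessions)" still targets the old fragment, which only resolves because the hunk also inserts "<a name='anomalous-azure-ad-sign-in-sessions'></a>" above the renamed heading. Keeping that compatibility anchor for external links is fine, but the in-page link should point at the id generated from the new heading so it does not depend on the anchor surviving a later cleanup.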
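Review bot: unrelated to the rename but visible in the context lines of the account-deletion anomaly table hunk (tactic "Impact", technique "T1531 - Account Access Removal"): the Activity cell lists "Core Directory/UserManagement/Delete user" twice, on either side of "Core Directory/Device/Delete user". One of the duplicates is either a copy-paste error or was meant to be a different audit operation; since analysts use this cell to map the anomaly back to audit log entries, it should be corrected while the table is being edited.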
sentinel | Audit Sentinel Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/audit-sentinel-data.md | For more information, see [Microsoft Sentinel data included in Azure Activity lo ### Find all actions taken by a specific user in the last 24 hours -The following **AzureActivity** table query lists all actions taken by a specific Azure AD user in the last 24 hours. +The following **AzureActivity** table query lists all actions taken by a specific Microsoft Entra user in the last 24 hours. ```kql AzureActivity |
sentinel | Authenticate Playbooks To Sentinel | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/authenticate-playbooks-to-sentinel.md | For the complete specification of the Microsoft Sentinel connector, see the [Log The Microsoft Sentinel connector in Logic Apps, and its component triggers and actions, can operate on behalf of any identity that has the necessary permissions (read and/or write) on the relevant workspace. The connector supports multiple identity types: - [Managed identity (Preview)](#authenticate-with-managed-identity)-- [Azure AD user](#authenticate-as-an-azure-ad-user)-- [Service principal (Azure AD application)](#authenticate-as-a-service-principal-azure-ad-application)+- [Microsoft Entra user](#authenticate-as-an-azure-ad-user) +- [Service principal (Microsoft Entra application)](#authenticate-as-a-service-principal-azure-ad-application) ![Authentication Options](media/authenticate-playbooks-to-sentinel/auth-methods.png) To authenticate with managed identity: - On the logic app menu, under **Settings**, select **Identity**. Select **System assigned > On > Save**. When Azure prompts you to confirm, select **Yes**. - - Your logic app can now use the system-assigned identity, which is registered with Azure AD and is represented by an object ID. + - Your logic app can now use the system-assigned identity, which is registered with Microsoft Entra ID and is represented by an object ID. 1. [Give that identity access](../logic-apps/create-managed-service-identity.md#give-identity-access-to-resources) to the Microsoft Sentinel workspace: 1. From the Microsoft Sentinel menu, select **Settings**. To authenticate with managed identity: ![Connect with managed identity](media/authenticate-playbooks-to-sentinel/auth-methods-msi.png) -### Authenticate as an Azure AD user +<a name='authenticate-as-an-azure-ad-user'></a> ++### Authenticate as a Microsoft Entra user To make a connection, select **Sign in**. 
You will be prompted to provide your account information. Once you have done so, follow the remaining instructions on the screen to create a connection. -### Authenticate as a service principal (Azure AD application) +<a name='authenticate-as-a-service-principal-azure-ad-application'></a> ++### Authenticate as a service principal (Microsoft Entra application) -Service principals can be created by registering an Azure AD application. It is **preferable** to use a registered application as the connector's identity, instead of using a user account, as you will be better able to control permissions, manage credentials, and enable certain limitations on the use of the connector. +Service principals can be created by registering a Microsoft Entra application. It is **preferable** to use a registered application as the connector's identity, instead of using a user account, as you will be better able to control permissions, manage credentials, and enable certain limitations on the use of the connector. To use your own application with the Microsoft Sentinel connector, perform the following steps: -1. Register the application with Azure AD and create a service principal. [Learn how](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). +1. Register the application with Microsoft Entra ID and create a service principal. [Learn how](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). 1. Get credentials (for future authentication). To use your own application with the Microsoft Sentinel connector, perform the f 1. Select the role you wish to assign to the application. For example, to allow the application to perform actions that will make changes in the Sentinel workspace, like updating an incident, select the **Microsoft Sentinel Contributor** role. 
For actions which only read data, the **Microsoft Sentinel Reader** role is sufficient. [Learn more about the available roles in Microsoft Sentinel](./roles.md). - 1. Find the required application and save. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it. + 1. Find the required application and save. By default, Microsoft Entra applications aren't displayed in the available options. To find your application, search for the name and select it. 1. Authenticate |
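Review bot: in the service principal section, the sentence "It is **preferable** to use a registered application as the connector's identity, instead of using a user account" should also say that the managed identity option listed first avoids storing any credential at all, and the step "Get credentials (for future authentication)" should name the credential type, since a client secret and a certificate have very different rotation and leakage profiles; separately, the "Learn how" link still targets the anchor `#register-an-application-with-azure-ad-and-create-a-service-principal` in another article, so confirm that anchor survived the Entra rename there the way this hunk preserves its own with `<a name='authenticate-as-an-azure-ad-user'></a>`.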
sentinel | Automate Incident Handling With Automation Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/automate-incident-handling-with-automation-rules.md | Automation rules provide a way to automate the handling of Microsoft security al Microsoft security alerts include the following: - Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)-- Azure AD Identity Protection+- Microsoft Entra ID Protection - Microsoft Defender for Cloud (formerly Azure Defender or Azure Security Center) - Defender for IoT (formerly Azure Security Center for IoT) - Microsoft Defender for Office 365 |
sentinel | Automate Responses With Playbooks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/automate-responses-with-playbooks.md | The incident triggers an automation rule which runs a playbook with the followin - Wait until a response is received from the admins, then continue to run. -- If the admins have chosen **Block**, send a command to the firewall to block the IP address in the alert, and another to Azure AD to disable the user.+- If the admins have chosen **Block**, send a command to the firewall to block the IP address in the alert, and another to Microsoft Entra ID to disable the user. #### Response The incident triggers an automation rule which runs a playbook with the followin Two examples: -**Example 1:** Respond to an analytics rule that indicates a compromised user, as discovered by [Azure AD Identity Protection](../active-directory/identity-protection/overview-identity-protection.md): +**Example 1:** Respond to an analytics rule that indicates a compromised user, as discovered by [Microsoft Entra ID Protection](../active-directory/identity-protection/overview-identity-protection.md): - Start when a [new Microsoft Sentinel incident is created](/connectors/azuresentinel/#triggers). Two examples: - Send a Teams message to the user, requesting confirmation that the user took the suspicious action. - - Check with Azure AD Identity Protection to [confirm the user's status as compromised](/connectors/azureadip/#confirm-a-risky-user-as-compromised). Azure AD Identity Protection will label the user as **risky**, and apply any enforcement policy already configured - for example, to require the user to use MFA when next signing in. + - Check with Microsoft Entra ID Protection to [confirm the user's status as compromised](/connectors/azureadip/#confirm-a-risky-user-as-compromised). 
Microsoft Entra ID Protection will label the user as **risky**, and apply any enforcement policy already configured - for example, to require the user to use MFA when next signing in. > [!NOTE]- > This particular Azure AD action does not initiate any enforcement activity on the user, nor does it initiate any configuration of enforcement policy. It only tells Azure AD Identity Protection to apply any already defined policies as appropriate. Any enforcement depends entirely on the appropriate policies being defined in Azure AD Identity Protection. + > This particular Microsoft Entra action does not initiate any enforcement activity on the user, nor does it initiate any configuration of enforcement policy. It only tells Microsoft Entra ID Protection to apply any already defined policies as appropriate. Any enforcement depends entirely on the appropriate policies being defined in Microsoft Entra ID Protection. **Example 2:** Respond to an analytics rule that indicates a compromised machine, as discovered by [Microsoft Defender for Endpoint](/windows/security/threat-protection/): The following recommended playbooks, and other similar playbooks are available t | Playbook | Folder in<br>GitHub repository | Solution in Content hub/<br>Azure Marketplace | | -- | -- | -- | | **Block an IP address in Azure Firewall** | [AzureFirewall-BlockIP-addNewRule](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Firewall/Playbooks/AzureFirewall-BlockIP-addNewRule) | [Azure Firewall Solution for Sentinel](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/sentinel4azurefirewall.sentinel4azurefirewall?tab=Overview) |- | **Block an Azure AD user** | [Block-AADUser](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Active%20Directory/Playbooks/Block-AADUser) | [Azure Active Directory solution](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivedirectory?tab=Overview) | - | **Reset 
an Azure AD user password** | [Reset-AADUserPassword](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Active%20Directory/Playbooks/Reset-AADUserPassword) | [Azure Active Directory solution](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivedirectory?tab=Overview) | + | **Block a Microsoft Entra user** | [Block-AADUser](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Active%20Directory/Playbooks/Block-AADUser) | [Microsoft Entra solution](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivedirectory?tab=Overview) | + | **Reset a Microsoft Entra user password** | [Reset-AADUserPassword](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Active%20Directory/Playbooks/Reset-AADUserPassword) | [Microsoft Entra solution](https://azuremarketplace.microsoft.com/en-US/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivedirectory?tab=Overview) | | **Isolate or unisolate device using<br>Microsoft Defender for Endpoint** | [Isolate-MDEMachine](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftDefenderForEndpoint/Playbooks/Isolate-MDEMachine)<br>[Unisolate-MDEMachine](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/MicrosoftDefenderForEndpoint/Playbooks/Unisolate-MDEMachine) | [Microsoft Defender for Endpoint solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-microsoftdefenderendpoint?tab=Overview) | - **Create, update, or close playbooks** can create, update, or close incidents in Microsoft Sentinel, Microsoft 365 security services, or other ticketing systems: The following recommended playbooks, and other similar playbooks are available t - [Tutorial: Use playbooks to automate threat responses in Microsoft Sentinel](tutorial-respond-threats-playbook.md) - [Create and perform incident tasks 
in Microsoft Sentinel using playbooks](create-tasks-playbook.md)-- |
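Review bot: the renamed table cells "Microsoft Entra solution" still link to `azuresentinel.azure-sentinel-solution-azureactivedirectory` and to the `Solutions/Azure%20Active%20Directory/Playbooks/...` folders; confirm that the Content hub listing itself now displays "Microsoft Entra", otherwise readers searching the Content hub by the new name will not find the solution this table tells them to install. The playbook names Block-AADUser and Reset-AADUserPassword are repository identifiers and are correctly left unchanged.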
sentinel | Best Practices Workspace Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/best-practices-workspace-architecture.md | This article is part of the [Deployment guide for Microsoft Sentinel](deploy-ove ## Tenancy considerations -While fewer workspaces are simpler to manage, you might have specific needs for multiple tenants and workspaces. For example, many organizations have a cloud environment that contains multiple [Azure Active Directory (Azure AD) tenants](../active-directory/develop/quickstart-create-new-tenant.md), resulting from mergers and acquisitions or due to identity separation requirements. +While fewer workspaces are simpler to manage, you may have specific needs for multiple tenants and workspaces. For example, many organizations have a cloud environment that contains multiple [Microsoft Entra tenants](../active-directory/develop/quickstart-create-new-tenant.md), resulting from mergers and acquisitions or due to identity separation requirements. When determining how many tenants and workspaces to use, consider that most Microsoft Sentinel features operate by using a single workspace or Microsoft Sentinel instance, and Microsoft Sentinel ingests all logs housed within the workspace. Costs are one of the main considerations when determining Microsoft Sentinel arc ### Working with multiple tenants -If you have multiple tenants, such as if you're a managed security service provider (MSSP), we recommend that you create at least one workspace for each Azure AD tenant to support built-in, [service to service data connectors](connect-data-sources.md#service-to-service-integration-for-data-connectors) that work only within their own Azure AD tenant. 
+If you have multiple tenants, such as if you're a managed security service provider (MSSP), we recommend that you create at least one workspace for each Microsoft Entra tenant to support built-in, [service to service data connectors](connect-data-sources.md#service-to-service-integration-for-data-connectors) that work only within their own Microsoft Entra tenant. -All connectors based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant where the resource resides. This applies to connectors such as [Azure Firewall](./data-connectors/azure-firewall.md), [Azure Storage](./data-connectors/azure-storage-account.md), [Azure Activity](./data-connectors/azure-activity.md) or [Azure Active Directory](connect-azure-active-directory.md). +All connectors based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant where the resource resides. This applies to connectors such as [Azure Firewall](./data-connectors/azure-firewall.md), [Azure Storage](./data-connectors/azure-storage-account.md), [Azure Activity](./data-connectors/azure-activity.md) or [Microsoft Entra ID](connect-azure-active-directory.md). Use [Azure Lighthouse](../lighthouse/how-to/onboard-customer.md) to help manage multiple Microsoft Sentinel instances in different tenants. > [!NOTE]-> [Partner data connectors](data-connectors-reference.md) are often based on API or agent collections, and therefore are not attached to a specific Azure AD tenant. +> [Partner data connectors](data-connectors-reference.md) are often based on API or agent collections, and therefore are not attached to a specific Microsoft Entra tenant. 
> > ## Compliance considerations For example, consider if the organization whose architecture is described in the ### Access considerations with multiple workspaces -If you have different entities, subsidiaries, or geographies within your organization, each with their own security teams that need access to Microsoft Sentinel, use separate workspaces for each entity or subsidiary. Implement the separate workspaces within a single Azure AD tenant, or across multiple tenants using Azure Lighthouse. +If you have different entities, subsidiaries, or geographies within your organization, each with their own security teams that need access to Microsoft Sentinel, use separate workspaces for each entity or subsidiary. Implement the separate workspaces within a single Microsoft Entra tenant, or across multiple tenants using Azure Lighthouse. Your central SOC team might also use an additional, optional Microsoft Sentinel workspace to manage centralized artifacts such as analytics rules or workbooks. For more information, see [Extend Microsoft Sentinel across workspaces and tenan In this article, you learned about key decision factors to help you determine the right workspace architecture for your organizations. > [!div class="nextstepaction"]-> >[Design your Microsoft Sentinel workspace architecture](design-your-workspace-architecture.md) +> >[Design your Microsoft Sentinel workspace architecture](design-your-workspace-architecture.md) |
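Review bot: the first hunk changes "you might have specific needs" to "you may have specific needs", a regression against the convention this doc set follows ("might" for possibility, "may" for permission), so keep "might"; while touching the connector sentence, "All connectors based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant" reads more clearly as "Connectors based on diagnostic settings can't be connected to a workspace in a different tenant from the resource"; and the last hunk only reflows the next-step line `> >[Design your Microsoft Sentinel workspace architecture]`, leaving the doubled `> >`, which is almost certainly a typo and nests a second blockquote inside the `[!div class="nextstepaction"]` block.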
sentinel | Billing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/billing.md | The following data sources are free with Microsoft Sentinel: - Security alerts, including alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Endpoint. - Microsoft Defender for Cloud and Microsoft Defender for Cloud Apps alerts. -Although alerts are free, the raw logs for some Microsoft 365 Defender, Defender for Cloud Apps, Azure Active Directory (Azure AD), and Azure Information Protection (AIP) data types are paid. +Although alerts are free, the raw logs for some Microsoft 365 Defender, Defender for Cloud Apps, Microsoft Entra ID, and Azure Information Protection (AIP) data types are paid. The following table lists the data sources in Microsoft Sentinel that aren't charged. This is the same list as Log Analytics. For more information, see [excluded tables](../azure-monitor/logs/cost-logs.md#excluded-tables). | Microsoft Sentinel data connector | Free data type | |-|--| | **Azure Activity Logs** | AzureActivity | -| **Azure AD Identity Protection** | SecurityAlert (IPC) | +| **Microsoft Entra ID Protection** | SecurityAlert (IPC) | | **Office 365** | OfficeActivity (SharePoint) | || OfficeActivity (Exchange)| || OfficeActivity (Teams) | |
sentinel | Collaborate In Microsoft Teams | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/collaborate-in-microsoft-teams.md | Investigate together with an *incident team* by integrating Microsoft Teams dire - **Team name**: Automatically defined as the name of your incident. Modify the name as needed so that it's easily identifiable to you. - **Team description**: Enter a meaningful description for your incident team.- - **Add groups and members**: Select one or more Azure AD users and/or groups to add to your incident team. As you select users and groups, they will appear in the **Selected groups and users:** list below the **Add groups and members** list. + - **Add groups and members**: Select one or more Microsoft Entra users and/or groups to add to your incident team. As you select users and groups, they will appear in the **Selected groups and users:** list below the **Add groups and members** list. > [!TIP] > If you regularly work with the same users and groups, you may want to select the star :::image type="icon" source="media/collaborate-in-microsoft-teams/save-as-favorite.png" border="false"::: next to each one in the **Selected groups and users** list to save them as favorites. |
sentinel | Configure Fusion Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/configure-fusion-rules.md | This detection is enabled by default in Microsoft Sentinel. To check or change i To enable the queries available as templates in the **Analytics** blade, go to the **Rule templates** tab, select the rule name in the templates gallery, and click **Create rule** in the details pane. - - [Cisco - firewall block but success logon to Azure AD](https://github.com/Azure/Azure-Sentinel/blob/60e7aa065b196a6ed113c748a6e7ae3566f8c89c/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml) + - [Cisco - firewall block but success logon to Microsoft Entra ID](https://github.com/Azure/Azure-Sentinel/blob/60e7aa065b196a6ed113c748a6e7ae3566f8c89c/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml) - [Fortinet - Beacon pattern detected](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Detections/CommonSecurityLog/Fortinet-NetworkBeaconPattern.yaml)- - [IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN](https://github.com/Azure/Azure-Sentinel/blob/60e7aa065b196a6ed113c748a6e7ae3566f8c89c/Detections/MultipleDataSources/HostAADCorrelation.yaml) + - [IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN](https://github.com/Azure/Azure-Sentinel/blob/60e7aa065b196a6ed113c748a6e7ae3566f8c89c/Detections/MultipleDataSources/HostAADCorrelation.yaml) - [Multiple Password Reset by user](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml) - [Rare application consent](https://github.com/Azure/Azure-Sentinel/blob/83c6d8c7f65a5f209f39f3e06eb2f7374fd8439c/Detections/AuditLogs/RareApplicationConsent.yaml) - [SharePointFileOperation via previously unseen 
IPs](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/SharePoint_Downloads_byNewIP.yaml) |
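Review bot: the renamed link texts here ("Cisco - firewall block but success logon to Microsoft Entra ID", "IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN") are rule template names that the preceding instruction tells readers to locate in the **Rule templates** gallery, and the links pin specific commits of `SigninFirewallCorrelation.yaml` and `HostAADCorrelation.yaml`; unless the `name` field in those YAML files was renamed in the same change, the text should keep the name exactly as it appears in the gallery so readers can find the template.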
sentinel | Connect Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-azure-active-directory.md | Title: Connect Azure Active Directory data to Microsoft Sentinel | Microsoft Docs -description: Learn how to collect data from Azure Active Directory, and stream Azure AD sign-in, audit, and provisioning logs into Microsoft Sentinel. + Title: Connect Microsoft Entra data to Microsoft Sentinel | Microsoft Docs +description: Learn how to collect data from Microsoft Entra ID, and stream Microsoft Entra sign-in, audit, and provisioning logs into Microsoft Sentinel. Last updated 12/23/2021-# Connect Azure Active Directory (Azure AD) data to Microsoft Sentinel +# Connect Microsoft Entra data to Microsoft Sentinel -You can use Microsoft Sentinel's built-in connector to collect data from [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) and stream it into Microsoft Sentinel. The connector allows you to stream the following log types: +You can use Microsoft Sentinel's built-in connector to collect data from [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) and stream it into Microsoft Sentinel. The connector allows you to stream the following log types: - [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md), which contain information about interactive user sign-ins where a user provides an authentication factor. 
- The Azure AD connector now includes the following three additional categories of sign-in logs, all currently in **PREVIEW**: + The Microsoft Entra connector now includes the following three additional categories of sign-in logs, all currently in **PREVIEW**: - [**Non-interactive user sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md#non-interactive-user-sign-ins), which contain information about sign-ins performed by a client on behalf of a user without any interaction or authentication factor from the user. You can use Microsoft Sentinel's built-in connector to collect data from [Azure - [**Audit logs**](../active-directory/reports-monitoring/concept-audit-logs.md), which contain information about system activity relating to user and group management, managed applications, and directory activities. -- [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) (also in **PREVIEW**), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service. +- [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) (also in **PREVIEW**), which contain system activity information about users, groups, and roles provisioned by the Microsoft Entra provisioning service. > [!IMPORTANT] > Some of the available log types are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. You can use Microsoft Sentinel's built-in connector to collect data from [Azure ## Prerequisites -- An Azure Active Directory P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Azure AD license (Free/O365/P1/P2) is sufficient to ingest the other log types. 
Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel.+- A Microsoft Entra ID P1 or P2 license is required to ingest sign-in logs into Microsoft Sentinel. Any Microsoft Entra ID license (Free/O365/P1 or P2) is sufficient to ingest the other log types. Additional per-gigabyte charges may apply for Azure Monitor (Log Analytics) and Microsoft Sentinel. - Your user must be assigned the [Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor) role on the workspace. - Your user must be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) or [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) roles on the tenant you want to stream the logs from. -- Your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.-- Install the solution for **Azure Active Directory** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).+- Your user must have read and write permissions to the Microsoft Entra diagnostic settings in order to be able to see the connection status. +- Install the solution for **Microsoft Entra ID** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md). -## Connect to Azure Active Directory +<a name='connect-to-azure-active-directory'></a> ++## Connect to Microsoft Entra ID 1. In Microsoft Sentinel, select **Data connectors** from the navigation menu. -1. From the data connectors gallery, select **Azure Active Directory** and then select **Open connector page**. +1. From the data connectors gallery, select **Microsoft Entra ID** and then select **Open connector page**. 1. 
Mark the check boxes next to the log types you want to stream into Microsoft Sentinel (see above), and select **Connect**. After a successful connection is established, the data appears in **Logs**, unde - `AADManagedIdentitySignInLogs` - `AADProvisioningLogs` -To query the Azure AD logs, enter the relevant table name at the top of the query window. +To query the Microsoft Entra logs, enter the relevant table name at the top of the query window. ## Next steps-In this document, you learned how to connect Azure Active Directory to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: +In this document, you learned how to connect Microsoft Entra ID to Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: - Learn how to [get visibility into your data and potential threats](get-visibility.md).-- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md). |
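Review bot: the content changes in this hunk leave `Last updated 12/23/2021` untouched; bump the date so readers don't dismiss the Entra naming as stale. In Prerequisites, "Global Administrator or Security Administrator roles on the tenant" should lead with Security Administrator as the least-privileged of the two options the page itself offers, given that the next line only requires read and write access to the diagnostic settings; and the Content Hub step should match the solution's displayed name, while the connector filename `connect-azure-active-directory.md` and the `<a name='connect-to-azure-active-directory'></a>` anchor are correctly kept so existing links keep resolving.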
sentinel | Connect Azure Windows Microsoft Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-azure-windows-microsoft-services.md | The following articles present information that is common to each group of conne The following integrations are both more unique and popular, and are treated individually, with their own articles: - [Amazon Web Services (AWS) CloudTrail](connect-aws.md)-- [Azure Active Directory](connect-azure-active-directory.md)+- [Microsoft Entra ID](connect-azure-active-directory.md) - [Azure Virtual Desktop](connect-azure-virtual-desktop.md) - [Microsoft 365 Defender](connect-microsoft-365-defender.md) - [Microsoft Defender for Cloud](connect-defender-for-cloud.md) The following integrations are both more unique and popular, and are treated ind - Learn about [Microsoft Sentinel data connectors](connect-data-sources.md) in general. - [Find your Microsoft Sentinel data connector](data-connectors-reference.md). - Learn how to [get visibility into your data and potential threats](get-visibility.md).-- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md). |
sentinel | Connect Data Sources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-data-sources.md | Title: Microsoft Sentinel data connectors -description: Learn about supported data connectors, like Microsoft 365 Defender (formerly Microsoft Threat Protection), Microsoft 365 and Office 365, Azure AD, ATP, and Defender for Cloud Apps to Microsoft Sentinel. +description: Learn about supported data connectors, like Microsoft 365 Defender (formerly Microsoft Threat Protection), Microsoft 365 and Office 365, Microsoft Entra ID, ATP, and Defender for Cloud Apps to Microsoft Sentinel. Last updated 05/16/2023-After you onboard Microsoft Sentinel into your workspace, use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which integrate in real time. For example, the Microsoft 365 Defender connector is a [service-to-service connector](#service-to-service-integration-for-data-connectors) that integrates data from Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. +After you onboard Microsoft Sentinel into your workspace, use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which integrate in real time. For example, the Microsoft 365 Defender connector is a [service-to-service connector](#service-to-service-integration-for-data-connectors) that integrates data from Office 365, Microsoft Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Built-in connectors enable connection to the broader security ecosystem for non-Microsoft products. For example, use [Syslog](#syslog), [Common Event Format (CEF)](#common-event-format-cef), or [REST APIs](#rest-api-integration-for-data-connectors) to connect your data sources with Microsoft Sentinel. 
Both Microsoft and other organizations author Microsoft Sentinel data connectors - To get started with Microsoft Sentinel, you need a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a [free trial](https://azure.microsoft.com/free/). - Learn how to [onboard your data to Microsoft Sentinel](quickstart-onboard.md) and [get visibility into your data and potential threats](get-visibility.md). - To learn about custom data connectors, see [Resources for creating Microsoft Sentinel custom connectors](create-custom-connector.md).-- For a basic Infrastructure as Code (IaC) reference of Bicep, ARM and Terraform to deploy data connectors in Microsoft Sentinel, see [Microsoft Sentinel data connector IaC reference](/azure/templates/microsoft.securityinsights/dataconnectors).+- For a basic Infrastructure as Code (IaC) reference of Bicep, ARM and Terraform to deploy data connectors in Microsoft Sentinel, see [Microsoft Sentinel data connector IaC reference](/azure/templates/microsoft.securityinsights/dataconnectors). |
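Review bot: the description line renames "Azure AD" to "Microsoft Entra ID" but leaves "ATP" in the same list, a retired name for what is now Microsoft Defender for Identity or Microsoft Defender for Endpoint; update it in the same pass, since the description is the search snippet for this article and a half-renamed list reads as out of date.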
sentinel | Connect Google Cloud Platform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-google-cloud-platform.md | This section shows you how to set up the GCP environment manually. Alternatively 1. Fill in the required details, and make sure that the **Tenant ID** and **Tenant name** is the TenantID **without dashes**. > [!NOTE]- > To find the tenant ID, in the Azure portal, navigate to **All Services > Azure Active Directory > Overview** and copy the **TenantID**. + > To find the tenant ID, in the Azure portal, navigate to **All Services > Microsoft Entra ID > Overview** and copy the **TenantID**. 1. Make sure that **Enable pool** is selected. |
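Review bot: the renamed portal path is fine, but the instruction just above it, "make sure that the **Tenant ID** and **Tenant name** is the TenantID **without dashes**", has a subject-verb mismatch and is ambiguous about whether both fields take the same value; if that is intended, say "both the Tenant ID and Tenant name fields take the tenant ID without dashes".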
sentinel | Connect Logstash Data Connection Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-logstash-data-connection-rules.md | To configure the Logstash configuration file to ingest the logs into a custom ta ||| |`client_app_Id` |The `Application (client) ID` value you create in step 3 when you [create the DCR resources](#create-the-required-dcr-resources), according to the tutorial you used in this section. | |`client_app_secret` |The `Application (client) ID` value you create in step 5 when you [create the DCR resources](#create-the-required-dcr-resources), according to the tutorial you used in this section. |-|`tenant_id` |Your subscription's tenant ID. You can find the tenant ID under **Home > Azure Active Directory > Overview > Basic Information**. | +|`tenant_id` |Your subscription's tenant ID. You can find the tenant ID under **Home > Microsoft Entra ID > Overview > Basic Information**. | |`data_collection_endpoint` |The value of the `logsIngestion` URI in step 3 when you [create the DCR resources](#create-the-required-dcr-resources), according to the tutorial you used in this section. | |`dcr_immutable_id` |The value of the DCR `immutableId` in step 6 when you [create the DCR resources](#create-the-required-dcr-resources), according to the tutorial you used in this section. | |`dcr_stream_name` |For custom tables, as explained in step 6 when you [create the DCR resources](#create-dcr-resources-for-ingestion-into-a-custom-table), go to the JSON view of the DCR, and copy the `dataFlows` > `streams` property. See the `dcr_stream_name` in the [example](#example-output-plugin-configuration-section) below.<br><br>For standard tables, the value is `Custom-SyslogStream`. | After you retrieve the required values: |`retransmission_time` |Sets the amount of time in seconds for retransmitting messages once sending failed. |`10` | |`compress_data` |When this field is `True`, the event data is compressed before using the API. 
Recommended for high throughput pipelines. |`False` | |`proxy` |Specify which proxy URL to use for all API calls. |None (field is empty) |-|`proxy_aad` |Specify which proxy URL to use for API calls to Azure Active Directory. |Same value as 'proxy' (field is empty) | +|`proxy_aad` |Specify which proxy URL to use for API calls to Microsoft Entra ID. |Same value as 'proxy' (field is empty) | |`proxy_endpoint` |Specify which proxy URL to use for API calls to the Data Collection Endpoint. |Same value as 'proxy' (field is empty) | #### Example: Output plugin configuration section |
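Review bot: the `client_app_secret` row in the table describes "The `Application (client) ID` value you create in step 5", which duplicates the `client_app_Id` row above it; it should describe the client secret value generated in step 5, because a reader who copies the client ID into both fields gets a failing token request with no useful error. The `proxy_aad` key is correctly left unchanged, since it is the plugin's own configuration name rather than prose.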
sentinel | Connect Microsoft 365 Defender | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-microsoft-365-defender.md | Last updated 02/01/2023 # Connect data from Microsoft 365 Defender to Microsoft Sentinel -Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention (DLP)** and **Azure Active Directory Identity Protection (AADIP)**. +Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention (DLP)** and **Microsoft Entra ID Protection (AADIP)**. 
The connector also lets you stream **advanced hunting** events from *all* of the above Defender components into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics. For more information about incident integration and advanced hunting event colle - Your user must have read and write permissions on your Microsoft Sentinel workspace. -- To make any changes to the connector settings, your user must be a member of the same Azure Active Directory tenant with which your Microsoft Sentinel workspace is associated.+- To make any changes to the connector settings, your user must be a member of the same Microsoft Entra tenant with which your Microsoft Sentinel workspace is associated. - Install the solution for **Microsoft 365 Defender** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md). 
### Prerequisites for Active Directory sync via MDI If you want to collect advanced hunting events from Microsoft Defender for Endpo | Table name | Events type | |-|-| | **[IdentityDirectoryEvents](/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table)** | Various identity-related events, like password changes, password expirations, and user principal name (UPN) changes, captured from an on-premises Active Directory domain controller<br><br>Also includes system events on the domain controller |- | **[IdentityInfo](/microsoft-365/security/defender/advanced-hunting-identityinfo-table)** | Information about user accounts obtained from various services, including Azure Active Directory | + | **[IdentityInfo](/microsoft-365/security/defender/advanced-hunting-identityinfo-table)** | Information about user accounts obtained from various services, including Microsoft Entra ID | | **[IdentityLogonEvents](/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table)** | Authentication activities made through your on-premises Active Directory, as captured by Microsoft Defender for Identity <br><br>Authentication activities related to Microsoft online services, as captured by Microsoft Defender for Cloud Apps | | **[IdentityQueryEvents](/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table)** | Information about queries performed against Active Directory objects such as users, groups, devices, and domains | In this document, you learned how to integrate Microsoft 365 Defender incidents, - Learn how to [get visibility into your data, and potential threats](get-visibility.md). - Get started [detecting threats with Microsoft Sentinel](./detect-threats-built-in.md).-- |
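Review bot: in the first hunk the abbreviation "(AADIP)" is kept after the new name "Microsoft Entra ID Protection", so it no longer expands to the name it follows. Either drop the parenthetical or keep the former name on first mention, for example "Microsoft Entra ID Protection (formerly Azure Active Directory Identity Protection, AADIP)", so that later references to AADIP in the article still make sense.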
sentinel | Connect Services Api Based | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-services-api-based.md | This article presents information that is common to the group of API-based data |Data connector |Licensing, costs, and other prerequisites | |||- |Azure Active Directory Identity Protection | - [Azure AD Premium P2 subscription](https://azure.microsoft.com/pricing/details/active-directory/)<br> - Other charges may apply | + |Microsoft Entra ID Protection | - [Microsoft Entra ID P2 subscription](https://azure.microsoft.com/pricing/details/active-directory/)<br> - Other charges may apply | |Dynamics 365 | - [Microsoft Dynamics 365 production license](/office365/servicedescriptions/microsoft-dynamics-365-online-service-description). Not available for sandbox environments.<br>- At least one user assigned a Microsoft/Office 365 [E1 or greater](/power-platform/admin/enable-use-comprehensive-auditing#requirements) license.<br>- Other charges may apply | |Microsoft Defender for Cloud Apps|For Cloud Discovery logs, [enable Microsoft Sentinel as your SIEM in Microsoft Defender for Cloud Apps](/cloud-app-security/siem-sentinel)| |Microsoft Defender for Endpoint|Valid license for [Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/production-deployment)| You can find and query the data for each service using the table names that appe For more information, see: - [Microsoft Sentinel solutions catalog](sentinel-solutions-catalog.md)-- [Threat intelligence integration in Microsoft Sentinel](threat-intelligence-integration.md)+- [Threat intelligence integration in Microsoft Sentinel](threat-intelligence-integration.md) |
sentinel | Connect Threat Intelligence Tip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-threat-intelligence-tip.md | Learn more about [Threat Intelligence](understand-threat-intelligence.md) in Mic ## Prerequisites - In order to install, update and delete standalone content or solutions in content hub, you need the **Microsoft Sentinel Contributor** role at the resource group level.-- You must have either the **Global administrator** or **Security administrator** Azure AD roles in order to grant permissions to your TIP product or to any other custom application that uses direct integration with the Microsoft Graph Security tiIndicators API.+- You must have either the **Global administrator** or **Security administrator** Microsoft Entra roles in order to grant permissions to your TIP product or to any other custom application that uses direct integration with the Microsoft Graph Security tiIndicators API. - You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators. ## Instructions Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:-1. Obtain an Application ID and Client Secret from your Azure Active Directory +1. Obtain an Application ID and Client Secret from your Microsoft Entra ID 2. Input this information into your TIP solution or custom application 3. Enable the Threat Intelligence Platforms data connector in Microsoft Sentinel -### Sign up for an Application ID and Client secret from your Azure Active Directory +<a name='sign-up-for-an-application-id-and-client-secret-from-your-azure-active-directory'></a> ++### Sign up for an Application ID and Client secret from your Microsoft Entra ID Whether you are working with a TIP or with a custom solution, the tiIndicators API requires some basic information to allow you to connect your feed to it and send it threat indicators. 
The three pieces of information you need are: Whether you are working with a TIP or with a custom solution, the tiIndicators A - Directory (tenant) ID - Client secret -You can get this information from your Azure Active Directory through a process called **App Registration** which includes the following three steps: +You can get this information from your Microsoft Entra ID through a process called **App Registration** which includes the following three steps: -- Register an app with Azure Active Directory+- Register an app with Microsoft Entra ID - Specify the permissions required by the app to connect to the Microsoft Graph tiIndicators API and send threat indicators - Get consent from your organization to grant these permissions to this application. -#### Register an application with Azure Active Directory +<a name='register-an-application-with-azure-active-directory'></a> ++#### Register an application with Microsoft Entra ID -1. From the Azure portal, navigate to the **Azure Active Directory** service. +1. From the Azure portal, navigate to the **Microsoft Entra ID** service. 1. Select **App Registrations** from the menu and select **New registration**. 1. Choose a name for your application registration, select the **Single tenant** radio button, and select **Register**. You can get this information from your Azure Active Directory through a process #### Specify the permissions required by the application -1. Go back to the main page of the **Azure Active Directory** service. +1. Go back to the main page of the **Microsoft Entra ID** service. 1. Select **App Registrations** from the menu and select your newly registered app. You can get this information from your Azure Active Directory through a process #### Get consent from your organization to grant these permissions -1. To get consent, you need an Azure Active Directory Global Administrator to select the **Grant admin consent for your tenant** button on your appΓÇÖs **API permissions** page. 
If you do not have the Global Administrator role on your account, this button will not be available, and you will need to ask a Global Administrator from your organization to perform this step. +1. To get consent, you need a Microsoft Entra Global Administrator to select the **Grant admin consent for your tenant** button on your appΓÇÖs **API permissions** page. If you do not have the Global Administrator role on your account, this button will not be available, and you will need to ask a Global Administrator from your organization to perform this step. :::image type="content" source="media/connect-threat-intelligence-tip/threat-intel-api-permissions-2.png" alt-text="Grant consent"::: You can get this information from your Azure Active Directory through a process Now that your app has been registered and permissions have been granted, you can get the last thing on your list - a client secret for your app. -1. Go back to the main page of the **Azure Active Directory** service. +1. Go back to the main page of the **Microsoft Entra ID** service. 1. Select **App Registrations** from the menu and select your newly registered app. |
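Review bot: step 1 and the renamed heading read "from your Microsoft Entra ID", which substitutes a product name where the old text meant the directory itself; "from your Microsoft Entra tenant" (or simply "from Microsoft Entra ID") reads correctly. The added `<a name='sign-up-for-an-application-id-and-client-secret-from-your-azure-active-directory'></a>` anchor preserves existing deep links to the renamed heading, which is the right way to handle the rename; the same treatment is needed for the "Register an application" heading below it, which also changes its generated anchor.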
sentinel | Connect Threat Intelligence Upload Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/connect-threat-intelligence-upload-api.md | Learn more about [Threat Intelligence](understand-threat-intelligence.md) in Mic ## Prerequisites - In order to install, update and delete standalone content or solutions in content hub, you need the **Microsoft Sentinel Contributor** role at the resource group level. - You must have read and write permissions to the Microsoft Sentinel workspace to store your threat indicators.-- You must be able to register an Azure Active Directory (Azure AD) application. -- The Azure AD application must be granted the Microsoft Sentinel contributor role at the workspace level.+- You must be able to register a Microsoft Entra application. +- The Microsoft Entra application must be granted the Microsoft Sentinel contributor role at the workspace level. ## Instructions Follow these steps to import threat indicators to Microsoft Sentinel from your integrated TIP or custom threat intelligence solution:-1. Register an Azure AD application and record its application ID. -1. Generate and record a client secret for your Azure AD application. -1. Assign your Azure AD application the Microsoft Sentinel contributor role or equivalent. +1. Register a Microsoft Entra application and record its application ID. +1. Generate and record a client secret for your Microsoft Entra application. +1. Assign your Microsoft Entra application the Microsoft Sentinel contributor role or equivalent. 1. Enable the Threat Intelligence upload API data connector in Microsoft Sentinel. 1. Configure your TIP solution or custom application. -### Register an Azure AD application +<a name='register-an-azure-ad-application'></a> -The [default user role permissions](../active-directory/fundamentals/users-default-permissions.md#restrict-member-users-default-permissions) allow users to create application registrations. 
If this setting has been switched to **No**, you'll need permission to manage applications in Azure AD. Any of the following Azure AD roles include the required permissions: +### Register a Microsoft Entra application ++The [default user role permissions](../active-directory/fundamentals/users-default-permissions.md#restrict-member-users-default-permissions) allow users to create application registrations. If this setting has been switched to **No**, you'll need permission to manage applications in Microsoft Entra ID. Any of the following Microsoft Entra roles include the required permissions: - Application administrator - Application developer - Cloud application administrator -For more information on registering your Azure AD application, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application). +For more information on registering your Microsoft Entra application, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application). Once you've registered your application, record its Application (client) ID from the application's **Overview** tab. The upload indicators API ingests threat indicators at the workspace level and a 1. Select **Add** > **Add role assignment**. 1. In the **Role** tab, select the **Microsoft Sentinel Contributor** role > **Next**. 1. On the **Members** tab, select **Assign access to** > **User, group, or service principal**.-1. **Select members**. By default, Azure AD applications aren't displayed in the available options. To find your application, search for it by name. +1. **Select members**. By default, Microsoft Entra applications aren't displayed in the available options. To find your application, search for it by name. :::image type="content" source="media/connect-threat-intelligence-upload-api/assign-role.png" alt-text="Screenshot showing the Microsoft Sentinel contributor role assigned to the application at the workspace level."::: 1. 
**Select** > **Review + assign**. |
sentinel | Create Codeless Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/create-codeless-connector.md | This section provides metadata in the data connector UI under the **Description* |Array value |Type |Description | |||| | **customs** | String | Describes any custom permissions required for your data connection, in the following syntax: <br>`{`<br>`"name":`string`,`<br>`"description":`string<br>`}` <br><br>Example: The **customs** value displays in Microsoft Sentinel **Prerequisites** section with a blue informational icon. In the GitHub example, this correlates to the line **GitHub API personal token Key: You need access to GitHub personal token...** |-| **licenses** | ENUM | Defines the required licenses, as one of the following values: `OfficeIRM`,`OfficeATP`, `Office365`, `AadP1P2`, `Mcas`, `Aatp`, `Mdatp`, `Mtp`, `IoT` <br><br>Example: The **licenses** value displays in Microsoft Sentinel as: **License: Required Azure AD Premium P2**| +| **licenses** | ENUM | Defines the required licenses, as one of the following values: `OfficeIRM`,`OfficeATP`, `Office365`, `AadP1P2`, `Mcas`, `Aatp`, `Mdatp`, `Mtp`, `IoT` <br><br>Example: The **licenses** value displays in Microsoft Sentinel as: **License: Required Microsoft Entra ID P2**| | **resourceProvider** | [resourceProvider](#resourceprovider) | Describes any prerequisites for your Azure resource. 
<br><br>Example: The **resourceProvider** value displays in Microsoft Sentinel **Prerequisites** section as: <br>**Workspace: read and write permission is required.**<br>**Keys: read permissions to shared keys for the workspace are required.**| | **tenant** | array of ENUM values<br>Example:<br><br>`"tenant": [`<br>`"GlobalADmin",`<br>`"SecurityAdmin"`<br>`]`<br> | Defines the required permissions, as one or more of the following values: `"GlobalAdmin"`, `"SecurityAdmin"`, `"SecurityReader"`, `"InformationProtection"` <br><br>Example: displays the **tenant** value in Microsoft Sentinel as: **Tenant Permissions: Requires `Global Administrator` or `Security Administrator` on the workspace's tenant**| |
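Review bot: the unchanged context row for **tenant** shows the example value `"GlobalADmin"` while the list of allowed values gives `"GlobalAdmin"`; since this hunk already touches the adjacent **licenses** row, fix the capitalization in the same change so the example matches the documented enum.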
sentinel | Create Tasks Playbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/create-tasks-playbook.md | There are two ways to work with playbooks to generate tasks: ### Use a playbook to add a task and perform it -In this example we're going to add a playbook action that adds a task to the incident to reset a compromised user's password, and we'll add another playbook action that sends a signal to Azure Active Directory Identity Protection (AADIP) to actually reset the password. Then we'll add a final playbook action to mark the task in the incident complete. +In this example we're going to add a playbook action that adds a task to the incident to reset a compromised user's password, and we'll add another playbook action that sends a signal to Microsoft Entra ID Protection (AADIP) to actually reset the password. Then we'll add a final playbook action to mark the task in the incident complete. To add and configure these actions, take the following steps: To add and configure these actions, take the following steps: :::image type="content" source="media/create-tasks-playbook/for-each-accounts.png" alt-text="Screenshot shows how to add a for-each loop action to a playbook in order to perform an action on each discovered account."::: 1. Inside the **For each** loop, select **Add an action**. - Search for and select the **Azure AD Identity Protection** connector, and select the **Confirm a risky user as compromised (Preview)** action. - Add the **Accounts AAD user ID** dynamic content item to the **userIds Item - 1** field. + Search for and select the **Microsoft Entra ID Protection** connector, and select the **Confirm a risky user as compromised (Preview)** action. + Add the **Accounts Microsoft Entra user ID** dynamic content item to the **userIds Item - 1** field. > [!NOTE]- > This field (Accounts AAD user ID) is one way to identify a user in AADIP. 
It might not necessarily be the best way in every scenario, but is brought here just as an example. For assistance, consult other playbooks that handle compromised users, or the [Azure AD Identity Protection documentation](../active-directory/identity-protection/overview-identity-protection.md). + > This field (Accounts Microsoft Entra user ID) is one way to identify a user in AADIP. It might not necessarily be the best way in every scenario, but is brought here just as an example. For assistance, consult other playbooks that handle compromised users, or the [Microsoft Entra ID Protection documentation](../active-directory/identity-protection/overview-identity-protection.md). - This action sets in motion processes inside Azure AD Identity Protection that will reset the user's password. + This action sets in motion processes inside Microsoft Entra ID Protection that will reset the user's password. :::image type="content" source="media/create-tasks-playbook/confirm-compromised.png" alt-text="Screenshot shows sending entities to AADIP to confirm compromise."::: |
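Review bot: the hunk renames bolded UI labels, the connector name **Microsoft Entra ID Protection** and the dynamic content item **Accounts Microsoft Entra user ID**. Bold labels in these steps must match what the Logic Apps designer actually displays; if the connector still presents itself as "Azure AD Identity Protection" with an "Accounts AAD user ID" item, the renamed instructions will not match the UI. Confirm the current connector labels before merging, and as with the other AADIP renames, the retained "(AADIP)" abbreviation no longer expands to the name next to it.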
sentinel | Customize Entity Activities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/customize-entity-activities.md | At least one identifier is required in a query. | Entity | Identifier | Description | | - | - | - | | **Account** | Account_Sid | The on-premises SID of the account in Active Directory |-| | Account_AadUserId | The Azure AD object ID of the user in Azure Active Directory | +| | Account_AadUserId | The Microsoft Entra object ID of the user in Microsoft Entra ID | | | Account_Name + Account_NTDomain | Similar to SamAccountName (example: Contoso\Joe) | | | Account_Name + Account_UPNSuffix | Similar to UserPrincipalName (example: Joe@Contoso.com) | | **Host** | Host_HostName + Host_NTDomain | similar to fully qualified domain name (FQDN) | | | Host_HostName + Host_DnsDomain | similar to fully qualified domain name (FQDN) | | | Host_NetBiosName + Host_NTDomain | similar to fully qualified domain name (FQDN) | | | Host_NetBiosName + Host_DnsDomain | similar to fully qualified domain name (FQDN) |-| | Host_AzureID | the Azure AD object ID of the host in Azure Active Directory (if AAD domain joined) | +| | Host_AzureID | the Microsoft Entra object ID of the host in Microsoft Entra ID (if Microsoft Entra domain joined) | | | Host_OMSAgentID | the OMS Agent ID of the agent installed on a specific host (unique per host) | | |
sentinel | Data Connectors Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors-reference.md | Data connectors are available as part of the following offerings: ## Microsoft - [Automated Logic WebCTRL](data-connectors/automated-logic-webctrl.md)-- [Azure Active Directory](data-connectors/azure-active-directory.md)-- [Azure Active Directory Identity Protection](data-connectors/azure-active-directory-identity-protection.md)+- [Microsoft Entra ID](data-connectors/azure-active-directory.md) +- [Microsoft Entra ID Protection](data-connectors/azure-active-directory-identity-protection.md) - [Azure Activity](data-connectors/azure-activity.md) - [Azure Batch Account](data-connectors/azure-batch-account.md) - [Azure Cognitive Search](data-connectors/azure-cognitive-search.md) |
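Review bot: the Microsoft list is alphabetical, and after the rename the two "Microsoft Entra ..." entries sit between "Automated Logic WebCTRL" and "Azure Activity"; move them to their alphabetical position among the other "Microsoft ..." connectors rather than renaming them in place.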
sentinel | Azure Active Directory Identity Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/azure-active-directory-identity-protection.md | Title: "Azure Active Directory Identity Protection connector for Microsoft Sentinel" -description: "Learn how to install the connector Azure Active Directory Identity Protection to connect your data source to Microsoft Sentinel." + Title: "Microsoft Entra ID Protection connector for Microsoft Sentinel" +description: "Learn how to install the connector Microsoft Entra ID Protection to connect your data source to Microsoft Sentinel." Last updated 02/23/2023-# Azure Active Directory Identity Protection connector for Microsoft Sentinel +# Microsoft Entra ID Protection connector for Microsoft Sentinel -Azure Active Directory Identity Protection provides a consolidated view at risk users, risk events and vulnerabilities, with the ability to remediate risk immediately, and set policies to auto-remediate future events. The service is built on MicrosoftΓÇÖs experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. Integrate Microsoft Azure Active Directory Identity Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the [Microsoft Sentinel documentation ](https://go.microsoft.com/fwlink/p/?linkid=2220065&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci). +Microsoft Entra ID Protection provides a consolidated view at risk users, risk events and vulnerabilities, with the ability to remediate risk immediately, and set policies to auto-remediate future events. The service is built on MicrosoftΓÇÖs experience protecting consumer identities and gains tremendous accuracy from the signal from over 13 billion logins a day. 
Integrate Microsoft Entra ID Protection alerts with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. For more information, see the [Microsoft Sentinel documentation ](https://go.microsoft.com/fwlink/p/?linkid=2220065&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci). -[Get Azure Active Directory Premium P1/P2 ](https://aka.ms/asi-ipcconnectorgetlink) +[Get Microsoft Entra ID P1 or P2 ](https://aka.ms/asi-ipcconnectorgetlink) ## Connector attributes |
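Review bot: the new link text `[Get Microsoft Entra ID P1 or P2 ]` keeps a trailing space inside the brackets, which renders as a stray space before the closing link; remove it. The description sentence "provides a consolidated view at risk users, risk events and vulnerabilities" is carried over unchanged and should read "a consolidated view of at-risk users, risk events, and vulnerabilities".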
sentinel | Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/azure-active-directory.md | Title: "Azure Active Directory connector for Microsoft Sentinel" -description: "Learn how to install the connector Azure Active Directory to connect your data source to Microsoft Sentinel." + Title: "Microsoft Entra connector for Microsoft Sentinel" +description: "Learn how to install the connector Microsoft Entra ID to connect your data source to Microsoft Sentinel." Last updated 02/23/2023-# Azure Active Directory connector for Microsoft Sentinel +# Microsoft Entra connector for Microsoft Sentinel -Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci). +Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci). ## Connector attributes |
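Review bot: the title and H1 become "Microsoft Entra connector for Microsoft Sentinel" while the description says "the connector Microsoft Entra ID"; pick one form for the connector name and use it in all three places. The carried-over phrase "legacy auth relate details" is also worth fixing in the same hunk ("details related to legacy authentication").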
sentinel | Derdack Signl4 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/derdack-signl4.md | Microsoft Sentinel is a cloud native SIEM solution from Microsoft and a security **Automated deployment in Azure** The credentials required to access the beforementioned APIs, are generated by a small PowerShell script that you can download below. The script performs the following tasks for you: - Logs you on to your Azure Subscription (please login with an administrator account)+ - Creates a new enterprise application for this connector in your Microsoft Entra ID, also referred to as service principal - Creates a new role in your Azure IAM that grants read/query permission to only Azure Log Analytics workspaces. - Joins the enterprise application to that user role - Joins the enterprise application to the 'Microsoft Sentinel Contributors' role Microsoft Sentinel is a cloud native SIEM solution from Microsoft and a security Deployment procedure 1. Download the PowerShell deployment script from [here](https://github.com/signl4/signl4-integration-azuresentinel/blob/master/registerSIGNL4Client.ps1).-2. Review the script and the roles and permission scopes it deploys for the new app registration. If you don't want to use the connector with Microsoft Sentinel, you could remove all role creation and role assignment code and only use it to create the app registration (SPN) in your Azure Active Directory. +2. Review the script and the roles and permission scopes it deploys for the new app registration. If you don't want to use the connector with Microsoft Sentinel, you could remove all role creation and role assignment code and only use it to create the app registration (SPN) in your Microsoft Entra ID. 3. Run the script. At the end it outputs information that you need to enter in the connector app configuration.-4. In Azure AD, click on 'App Registrations'. Find the app with the name 'SIGNL4AzureSecurity' and open its details +4. 
In Microsoft Entra ID, click on 'App Registrations'. Find the app with the name 'SIGNL4AzureSecurity' and open its details 5. On the left menu blade click 'API Permissions'. Then click 'Add a permission'. 6. On the blade that loads, under 'Microsoft APIs' click on the 'Microsoft Graph' tile, then click 'App permission'. 7. In the table that is displayed expand 'SecurityEvents' and check 'SecurityEvents.Read.All' and 'SecurityEvents.ReadWrite.All'. |
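Review bot: the added bullet describes the script as creating "a new enterprise application ... also referred to as service principal", but steps 2 and 4 of the deployment procedure call the same object an app registration found under 'App Registrations'. An app registration and an enterprise application (service principal) are distinct objects in Microsoft Entra ID, so the new bullet should say which one the script creates and use that term consistently with the steps that follow.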
sentinel | Threat Intelligence Upload Indicators Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/threat-intelligence-upload-indicators-api.md | You can connect your threat intelligence data sources to Microsoft Sentinel by e Follow These Steps to Connect to your Threat Intelligence: -Get AAD Access Token +Get Microsoft Entra access token -To send request to the APIs, you need to acquire Azure Active Directory access token. You can follow instruction in this page: [Get Azure AD tokens for users by using MSAL](/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token). - - Notice: Please request AAD access token with appropriate scope value. +To send request to the APIs, you need to acquire Microsoft Entra access token. You can follow instruction in this page: [Get Microsoft Entra tokens for users by using MSAL](/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token). + - Notice: Please request Microsoft Entra access token with appropriate scope value. You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](/azure/sentinel/upload-indicators-api). |
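Review bot: the rewritten sentence "you need to acquire Microsoft Entra access token. You can follow instruction in this page" still lacks its articles; suggest "you need to acquire a Microsoft Entra access token. Follow the instructions on this page". The same applies to the notice line: "Please request a Microsoft Entra access token with the appropriate scope value."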
sentinel | Data Source Schema Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-source-schema-reference.md | This article lists supported Azure and third-party data source schemas, with lin | Type | Data source | Log Analytics tablename | Schema reference | | -- | - | - | - |-| **Azure** | Azure Active Directory | SigninEvents | [Azure AD activity reports sign-in properties](/graph/api/resources/signin#properties) | -| **Azure** | Azure Active Directory | AuditLogs | [Azure Monitor AuditLogs reference](/azure/azure-monitor/reference/tables/auditlogs) | -| **Azure** | Azure Active Directory | AzureActivity | [Azure Monitor AzureActivity reference](/azure/azure-monitor/reference/tables/azureactivity) | +| **Azure** | Microsoft Entra ID | SigninEvents | [Microsoft Entra activity reports sign-in properties](/graph/api/resources/signin#properties) | +| **Azure** | Microsoft Entra ID | AuditLogs | [Azure Monitor AuditLogs reference](/azure/azure-monitor/reference/tables/auditlogs) | +| **Azure** | Microsoft Entra ID | AzureActivity | [Azure Monitor AzureActivity reference](/azure/azure-monitor/reference/tables/azureactivity) | | **Azure** | Office | OfficeActivity | Office 365 Management Activity API schemas: <br>- [Common schema](/office/office-365-management-api/office-365-management-activity-api-schema#common-schema) <br>- [Exchange Admin schema](/office/office-365-management-api/office-365-management-activity-api-schema#exchange-admin-schema) <br>- [Exchange Mailbox schema](/office/office-365-management-api/office-365-management-activity-api-schema#exchange-mailbox-schema) <br>- [SharePoint Base schema](/office/office-365-management-api/office-365-management-activity-api-schema#sharepoint-base-schema) <br>- [SharePoint file operations](/office/office-365-management-api/office-365-management-activity-api-schema#sharepoint-file-operations) | | **Azure** | Azure Key Vault | AzureDiagnostics | [Azure Monitor AzureDiagnostics 
reference](/azure/azure-monitor/reference/tables/azurediagnostics) | | **Host** | Linux | Syslog | [Azure Monitor Syslog reference](/azure/azure-monitor/reference/tables/syslog) | |
sentinel | Data Transformation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-transformation.md | The following table describes DCR support for Microsoft Sentinel data connector | [**AMA standard logs**](connect-services-windows-based.md), such as: <li>[Windows Security Events via AMA](./data-connectors/windows-security-events-via-ama.md)<li>[Windows Forwarded Events](./data-connectors/windows-forwarded-events.md)<li>[CEF data](connect-common-event-format.md)<li>[Syslog data](connect-syslog.md) | Standard DCRs | | [**MMA standard logs**](connect-services-windows-based.md), such as <li>[Syslog data](connect-syslog.md)<li>[CommonSecurityLog](connect-azure-windows-microsoft-services.md) | Workspace transformation DCRs | | [**Diagnostic settings-based connections**](connect-services-diagnostic-setting-based.md) | Workspace transformation DCRs, based on the [supported output tables](../azure-monitor/logs/tables-feature-support.md) for specific data connectors |-| **Built-in, service-to-service data connectors**, such as:<li>[Microsoft Office 365](connect-services-api-based.md)<li>[Azure Active Directory](connect-azure-active-directory.md)<li>[Amazon S3](connect-aws.md) | Workspace transformation DCRs, based on the [supported output tables](../azure-monitor/logs/tables-feature-support.md) for specific data connectors | +| **Built-in, service-to-service data connectors**, such as:<li>[Microsoft Office 365](connect-services-api-based.md)<li>[Microsoft Entra ID](connect-azure-active-directory.md)<li>[Amazon S3](connect-aws.md) | Workspace transformation DCRs, based on the [supported output tables](../azure-monitor/logs/tables-feature-support.md) for specific data connectors | | **Built-in, API-based data connectors**, such as: <li>[Codeless data connectors](create-codeless-connector.md)<li>[Azure Functions-based data connectors](connect-azure-functions-template.md) | Not currently supported | For more in-depth information on ingestion-time transformation, the Custom Logs - [Data collection transformations in Azure Monitor Logs](../azure-monitor/essentials/data-collection-transformations.md) - [Logs ingestion API in Azure Monitor Logs](../azure-monitor/logs/logs-ingestion-api-overview.md) - [Data collection rules in Azure Monitor](../azure-monitor/essentials/data-collection-rule-overview.md)- |
sentinel | Data Type Cloud Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-type-cloud-support.md | We have identified support discrepancies between the different clouds for the da - Microsoft Defender for Office 365 - Microsoft Defender for Identity - Microsoft Defender for Cloud Apps-- Azure Active Directory Identity Protection+- Microsoft Entra ID Protection Read more about [support for Microsoft Defender 365 connector data types in different clouds](microsoft-365-defender-cloud-support.md). Read more about [support for Microsoft Defender 365 connector data types in diff In this article, you learned about the types of clouds that affect the supported data types for the different connectors that Microsoft Sentinel supports. - To get started with Microsoft Sentinel, you need a subscription to Microsoft Azure. If you don't have a subscription, you can sign up for a [free trial](https://azure.microsoft.com/free/).-- Learn how to [onboard your data to Microsoft Sentinel](quickstart-onboard.md) and [get visibility into your data and potential threats](get-visibility.md).+- Learn how to [onboard your data to Microsoft Sentinel](quickstart-onboard.md) and [get visibility into your data and potential threats](get-visibility.md). |
sentinel | Design Your Workspace Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/design-your-workspace-architecture.md | Do you have an existing workspace that you can use for Microsoft Sentinel? - **If you don't have any tenant-specific logs**, continue directly with [step 4](#step-4-splitting-billing--charge-back). - - **If you *are* collecting tenant-specific logs**, use a separate Microsoft Sentinel workspace for each Azure AD tenant. Continue with [step 4](#step-4-splitting-billing--charge-back) for other considerations. + - **If you *are* collecting tenant-specific logs**, use a separate Microsoft Sentinel workspace for each Microsoft Entra tenant. Continue with [step 4](#step-4-splitting-billing--charge-back) for other considerations. <a name="note1"></a>[Decision tree note #1](#decision-tree): Logs specific to tenant boundaries, such as from Office 365 and Microsoft Defender for Cloud, can only be stored in the workspace within the same tenant. When planning to use resource-context or table level RBAC, consider the followin In this article, you reviewed a decision tree to help you make key decisions about how to design your Microsoft Sentinel workspace architecture. > [!div class="nextstepaction"]-> >[Microsoft Sentinel sample workspace designs](sample-workspace-designs.md) +> >[Microsoft Sentinel sample workspace designs](sample-workspace-designs.md) |
sentinel | Deploy Dynamics 365 Finance Operations Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution.md | In the connector page, make sure that you meet the required prerequisites and co ### Enable data collection -To enable data collection, you create a new role in Finance and Operations with permissions to view the Database Log entity. The role is then assigned to a dedicated Finance and Operations user, mapped to the Azure Active Directory client ID of the Function App's system assigned managed identity. +To enable data collection, you create a new role in Finance and Operations with permissions to view the Database Log entity. The role is then assigned to a dedicated Finance and Operations user, mapped to the Microsoft Entra client ID of the Function App's system assigned managed identity. -To collect the managed identity application ID from Azure Active Directory: +To collect the managed identity application ID from Microsoft Entra ID: 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Browse to **Microsoft Entra ID** > **Enterprise applications**. 1. Change the application type filter to **Managed Identities**. 1. Search for and open the Function App created in the [previous step](#deploy-the-azure-resource-manager-arm-template). Copy the Application ID and save it for later use. To collect the managed identity application ID from Azure Active Directory: #### Register the managed identity in Finance and Operations -1. In the Finance and Operations portal, navigate to **System administration > Setup > Azure Active Directory** applications. +1. In the Finance and Operations portal, navigate to **System administration > Setup > Microsoft Entra ID** applications. 1. Create a new entry in the table: - For the **Client Id**, type the application ID of the managed identity. |
sentinel | Dynamics 365 Finance Operations Security Content | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md | This article details the security content available for the Microsoft Sentinel s | Rule name | Description | Source action | Tactics | | | | | |-|**F&O – Non-interactive account mapped to self or sensitive privileged user** |Identifies changes to Azure AD Client Apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account. |Mapping modifications in Finance and Operations portal, under **Modules > System Administration > Azure Active Directory Applications**. <br><br>Data source: `FinanceOperationsActivity_CL` |Credential Access, Persistence, Privilege Escalation | +|**F&O – Non-interactive account mapped to self or sensitive privileged user** |Identifies changes to Microsoft Entra Client Apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account. |Mapping modifications in Finance and Operations portal, under **Modules > System Administration > Microsoft Entra Applications**. <br><br>Data source: `FinanceOperationsActivity_CL` |Credential Access, Persistence, Privilege Escalation | |**F&O – Mass update or deletion of user account records** |Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds. <br><br>Default update threshold: **50**<br>Default delete threshold: **10** |Deletions or modifications in Finance and Operations portal, under **Modules > System Administration > Users**<br><br>Data source: `FinanceOperationsActivity_CL` |Impact | |**F&O – Bank account change following network alias reassignment** |Identifies updates to bank account number by a user account which his alias was recently modified to a new value. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts** correlated with a relevant change in the user account to alias mapping.<br><br>Data source: `FinanceOperationsActivity_CL` |Credential Access, Lateral Movement, Privilege Escalation | |**F&O – Reverted bank account number modifications** |Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. |Changes in bank account number, in Finance and Operations portal, under **Workspaces > Bank management > All bank accounts**.<br><br>Data source: `FinanceOperationsActivity_CL` |Impact |-|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from an Azure AD trusted network location, or from geolocations seen previously in the last 14 days are excluded.<br><br>This detection uses logs ingested from Azure Active Directory. Therefore, you should enable the Azure Active Directory data connector. |Sign-ins to the monitored Finance and Operations environment.<br><br>Data source: `Singinlogs` |Credential Access, Initial Access | +|**F&O – Unusual sign-in activity using single factor authentication** |Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra ID trusted network location, or from geolocations seen previously in the last 14 days are excluded.<br><br>This detection uses logs ingested from Microsoft Entra ID. Therefore, you should enable the Microsoft Entra data connector. |Sign-ins to the monitored Finance and Operations environment.<br><br>Data source: `Singinlogs` |Credential Access, Initial Access | ## Next steps |
sentinel | Enable Entity Behavior Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/enable-entity-behavior-analytics.md | As Microsoft Sentinel collects logs and alerts from all of its connected data so To enable or disable this feature (these prerequisites are not required to use the feature): -- Your user must be assigned the **Global Administrator** or **Security Administrator** roles in Azure AD.+- Your user must be assigned the **Global Administrator** or **Security Administrator** roles in Microsoft Entra ID. - Your user must be assigned at least one of the following **Azure roles** ([Learn more about Azure RBAC](roles.md)): - **Microsoft Sentinel Contributor** at the workspace or resource group levels. To enable or disable this feature (these prerequisites are not required to use t 1. Mark the check boxes next to the Active Directory source types from which you want to synchronize user entities with Microsoft Sentinel. - **Active Directory** on-premises (Preview)- - **Azure Active Directory** + - **Microsoft Entra ID** To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you must have the MDI sensor installed on your Active Directory domain controller. See [Microsoft Defender for Identity prerequisites](/defender-for-identity/prerequisites) for more information. To enable or disable this feature (these prerequisites are not required to use t In this article, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA: > [!div class="nextstepaction"]->>[Configure data retention and archive](configure-data-retention-archive.md) +>>[Configure data retention and archive](configure-data-retention-archive.md) |
sentinel | Entities Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/entities-reference.md | The following section contains a more in-depth look at the full schemas of each | UPNSuffix | String | The user principal name suffix for the account. In some cases this is also the domain name. Examples: contoso.com | | Host | Entity | The host which contains the account, if it's a local account. | | Sid | String | The account security identifier, such as S-1-5-18. |-| AadTenantId | Guid? | The Azure AD tenant ID, if known. | -| AadUserId | Guid? | The Azure AD account object ID, if known. | -| PUID | Guid? | The Azure AD Passport User ID, if known. | +| AadTenantId | Guid? | The Microsoft Entra tenant ID, if known. | +| AadUserId | Guid? | The Microsoft Entra account object ID, if known. | +| PUID | Guid? | The Microsoft Entra Passport User ID, if known. | | IsDomainJoined | Bool? | Determines whether this is a domain account. | | DisplayName | String | The display name of the account. | | ObjectGuid | Guid? | The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory. | The following list defines identifiers for known cloud applications. The App ID | 26069 | Google Drive | | 26206 | Workiva | | 26311 | Microsoft Dynamics |-| 26318 | Microsoft Azure AD | +| 26318 | Microsoft Entra ID | | 26320 | Microsoft Office Sway | | 26321 | Microsoft Delve | | 26324 | Microsoft Power BI | |
sentinel | Entities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/entities.md | Microsoft Sentinel supports a wide variety of entity types. Each type has its ow As noted just above, for each type of entity there are fields, or sets of fields, that can identify it. These fields or sets of fields can be referred to as **strong identifiers** if they can uniquely identify an entity without any ambiguity, or as **weak identifiers** if they can identify an entity under some circumstances, but are not guaranteed to uniquely identify an entity in all cases. In many cases, though, a selection of weak identifiers can be combined to produce a strong identifier. -For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifer** like an Azure AD account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently. +For example, user accounts can be identified as **account** entities in more than one way: using a single **strong identifer** like a Microsoft Entra account's numeric identifier (the **GUID** field), or its **User Principal Name (UPN)** value, or alternatively, using a combination of **weak identifiers** like its **Name** and **NTDomain** fields. Different data sources can identify the same user in different ways. Whenever Microsoft Sentinel encounters two entities that it can recognize as the same entity based on their identifiers, it merges the two entities into a single entity, so that it can be handled properly and consistently. 
If, however, one of your resource providers creates an alert in which an entity is not sufficiently identified - for example, using only a single **weak identifier** like a user name without the domain name context - then the user entity cannot be merged with other instances of the same user account. Those other instances would be identified as a separate entity, and those two entities would remain separate instead of unified. -In order to minimize the risk of this happening, you should verify that all of your alert providers properly identify the entities in the alerts they produce. Additionally, synchronizing user account entities with Azure Active Directory may create a unifying directory, which will be able to merge user account entities. +In order to minimize the risk of this happening, you should verify that all of your alert providers properly identify the entities in the alerts they produce. Additionally, synchronizing user account entities with Microsoft Entra ID may create a unifying directory, which will be able to merge user account entities. ### Supported entities |
sentinel | Entity Pages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/entity-pages.md | In these situations, you can select the entity (it will appear as a clickable li More specifically, entity pages consist of three parts: -- The left-side panel contains the entity's identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Activity, Azure Resource Manager, Microsoft Defender for Cloud, CEF/Syslog, and Microsoft 365 Defender (with all its components).+- The left-side panel contains the entity's identifying information, collected from data sources like Microsoft Entra ID, Azure Monitor, Azure Activity, Azure Resource Manager, Microsoft Defender for Cloud, CEF/Syslog, and Microsoft 365 Defender (with all its components). - The center panel shows a [graphical and textual timeline](#the-timeline) of notable events related to the entity, such as alerts, bookmarks, [anomalies](soc-ml-anomalies.md), and activities. Activities are aggregations of notable events from Log Analytics. The queries that detect those activities are developed by Microsoft security research teams, and you can now [add your own custom queries to detect activities](customize-entity-activities.md) of your choosing. The insights are based on the following data sources: - Syslog (Linux) - SecurityEvent (Windows)-- AuditLogs (Azure AD)-- SigninLogs (Azure AD)+- AuditLogs (Microsoft Entra ID) +- SigninLogs (Microsoft Entra ID) - OfficeActivity (Office 365) - BehaviorAnalytics (Microsoft Sentinel UEBA) - Heartbeat (Azure Monitor Agent) |
sentinel | Extend Sentinel Across Workspaces Tenants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/extend-sentinel-across-workspaces-tenants.md | To configure and manage multiple Microsoft Sentinel workspaces, you need to auto ## Manage workspaces across tenants using Azure Lighthouse -As mentioned above, in many scenarios, the different Microsoft Sentinel workspaces can be located in different Azure AD tenants. You can use [Azure Lighthouse](../lighthouse/overview.md) to extend all cross-workspace activities across tenant boundaries, allowing users in your managing tenant to work on Microsoft Sentinel workspaces across all tenants. +As mentioned above, in many scenarios, the different Microsoft Sentinel workspaces can be located in different Microsoft Entra tenants. You can use [Azure Lighthouse](../lighthouse/overview.md) to extend all cross-workspace activities across tenant boundaries, allowing users in your managing tenant to work on Microsoft Sentinel workspaces across all tenants. Once Azure Lighthouse is [onboarded](../lighthouse/how-to/onboard-customer.md), use the [directory + subscription selector](./multiple-tenants-service-providers.md#how-to-access-microsoft-sentinel-in-managed-tenants) on the Azure portal to select all the subscriptions containing workspaces you want to manage, in order to ensure that they'll all be available in the different workspace selectors in the portal. When using Azure Lighthouse, it's recommended to create a group for each Microso In this article, you learned how Microsoft Sentinel's capabilities can be extended across multiple workspaces and tenants. For practical guidance on implementing Microsoft Sentinel's cross-workspace architecture, see the following articles: - Learn how to [work with multiple tenants](./multiple-tenants-service-providers.md) in Microsoft Sentinel, using Azure Lighthouse.-- Learn how to [view and manage incidents in multiple workspaces](./multiple-workspace-view.md) seamlessly.+- Learn how to [view and manage incidents in multiple workspaces](./multiple-workspace-view.md) seamlessly. |
sentinel | Feature Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/feature-availability.md | This article describes the features available in Microsoft Sentinel across diffe |||||| |[Amazon Web Services](connect-aws.md?tabs=ct) |GA |✅ |❌ |❌ | |[Amazon Web Services S3 (Preview)](connect-aws.md?tabs=s3) |Public preview |✅ |❌ |❌ |-|[Azure Active Directory](connect-azure-active-directory.md) |GA |✅ |✅|✅ <sup>[1](#logsavailable)</sup> | -|[Azure Active Directory Identity Protection](connect-services-api-based.md) |GA |✅| ✅ |❌ | +|[Microsoft Entra ID](connect-azure-active-directory.md) |GA |✅ |✅|✅ <sup>[1](#logsavailable)</sup> | +|[Microsoft Entra ID Protection](connect-services-api-based.md) |GA |✅| ✅ |❌ | |[Azure Activity](data-connectors/azure-activity.md) |GA |✅| ✅|✅ | |[Azure DDoS Protection](connect-services-diagnostic-setting-based.md) |GA |✅| ✅|❌ | |[Azure Firewall](data-connectors/azure-firewall.md) |GA |✅| ✅|✅ | This article describes the features available in Microsoft Sentinel across diffe In this article, you learned about available features in Microsoft Sentinel. - [Learn about Microsoft Sentinel](overview.md)-- [Plan your Microsoft Sentinel architecture](design-your-workspace-architecture.md)+- [Plan your Microsoft Sentinel architecture](design-your-workspace-architecture.md) |
sentinel | Fusion Scenario Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/fusion-scenario-reference.md | In order to enable these Fusion-powered attack detection scenarios, any data sou ## Compute resource abuse -### Multiple VM creation activities following suspicious Azure Active Directory sign-in +<a name='multiple-vm-creation-activities-following-suspicious-azure-active-directory-sign-in'></a> ++### Multiple VM creation activities following suspicious Microsoft Entra sign-in This scenario is currently in **PREVIEW**. **MITRE ATT&CK tactics:** Initial Access, Impact **MITRE ATT&CK techniques:** Valid Account (T1078), Resource Hijacking (T1496) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of VMs were created in a single session following a suspicious sign-in to an Azure AD account. This type of alert indicates, with a high degree of confidence, that the account noted in the Fusion incident description has been compromised and used to create new VMs for unauthorized purposes, such as running crypto mining operations. The permutations of suspicious Azure AD sign-in alerts with the multiple VM creation activities alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of VMs were created in a single session following a suspicious sign-in to a Microsoft Entra account. This type of alert indicates, with a high degree of confidence, that the account noted in the Fusion incident description has been compromised and used to create new VMs for unauthorized purposes, such as running crypto mining operations. The permutations of suspicious Microsoft Entra sign-in alerts with the multiple VM creation activities alert are: - **Impossible travel to an atypical location leading to multiple VM creation activities** This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Brute Force (T1110) -**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that a user reset multiple passwords following a suspicious sign-in to an Azure AD account. This evidence suggests that the account noted in the Fusion incident description has been compromised and was used to perform multiple password resets in order to gain access to multiple systems and resources. Account manipulation (including password reset) may aid adversaries in maintaining access to credentials and certain permission levels within an environment. The permutations of suspicious Azure AD sign-in alerts with multiple passwords reset alerts are: +**Description:** Fusion incidents of this type indicate that a user reset multiple passwords following a suspicious sign-in to a Microsoft Entra account. This evidence suggests that the account noted in the Fusion incident description has been compromised and was used to perform multiple password resets in order to gain access to multiple systems and resources. Account manipulation (including password reset) may aid adversaries in maintaining access to credentials and certain permission levels within an environment. The permutations of suspicious Microsoft Entra sign-in alerts with multiple passwords reset alerts are: - **Impossible travel to an atypical location leading to multiple passwords reset** This scenario is currently in **PREVIEW**. - **Sign-in event from user with leaked credentials leading to multiple passwords reset** -### Suspicious sign-in coinciding with successful sign-in to Palo Alto VPN by IP with multiple failed Azure AD sign-ins +<a name='suspicious-sign-in-coinciding-with-successful-sign-in-to-palo-alto-vpn-by-ip-with-multiple-failed-azure-ad-sign-ins'></a> ++### Suspicious sign-in coinciding with successful sign-in to Palo Alto VPN by IP with multiple failed Microsoft Entra sign-ins This scenario makes use of alerts produced by **scheduled analytics rules**. This scenario is currently in **PREVIEW**. This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Brute Force (T1110) -**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that a suspicious sign-in to an Azure AD account coincided with a successful sign-in through a Palo Alto VPN from an IP address from which multiple failed Azure AD sign-ins occurred in a similar time frame. Though not evidence of a multistage attack, the correlation of these two lower-fidelity alerts results in a high-fidelity incident suggesting malicious initial access to the organization's network. Alternatively, this could be an indication of an attacker trying to use brute force techniques to gain access to an Azure AD account. The permutations of suspicious Azure AD sign-in alerts with "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN" alerts are: +**Description:** Fusion incidents of this type indicate that a suspicious sign-in to a Microsoft Entra account coincided with a successful sign-in through a Palo Alto VPN from an IP address from which multiple failed Microsoft Entra sign-ins occurred in a similar time frame. Though not evidence of a multistage attack, the correlation of these two lower-fidelity alerts results in a high-fidelity incident suggesting malicious initial access to the organization's network. Alternatively, this could be an indication of an attacker trying to use brute force techniques to gain access to a Microsoft Entra account. The permutations of suspicious Microsoft Entra sign-in alerts with "IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN" alerts are: -- **Impossible travel to an atypical location coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN**+- **Impossible travel to an atypical location coinciding with IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN** -- **Sign-in event from an unfamiliar location coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN**+- **Sign-in event from an unfamiliar location coinciding with IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN** -- **Sign-in event from an infected device coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN**+- **Sign-in event from an infected device coinciding with IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN** -- **Sign-in event from an anonymous IP coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN**+- **Sign-in event from an anonymous IP coinciding with IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN** -- **Sign-in event from user with leaked credentials coinciding with IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN**+- **Sign-in event from user with leaked credentials coinciding with IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN** ## Credential harvesting (New threat classification) This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), OS Credential Dumping (T1003) -**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Endpoint +**Data connector sources:** Microsoft Entra ID Protection, Microsoft Defender for Endpoint -**Description:** Fusion incidents of this type indicate that a known credential theft tool was executed following a suspicious Azure AD sign-in. This evidence suggests with high confidence that the user account noted in the alert description has been compromised and may have successfully used a tool like **Mimikatz** to harvest credentials such as keys, plaintext passwords and/or password hashes from the system. The harvested credentials may allow an attacker to access sensitive data, escalate privileges, and/or move laterally across the network. The permutations of suspicious Azure AD sign-in alerts with the malicious credential theft tool alert are: +**Description:** Fusion incidents of this type indicate that a known credential theft tool was executed following a suspicious Microsoft Entra sign-in. This evidence suggests with high confidence that the user account noted in the alert description has been compromised and may have successfully used a tool like **Mimikatz** to harvest credentials such as keys, plaintext passwords and/or password hashes from the system. The harvested credentials may allow an attacker to access sensitive data, escalate privileges, and/or move laterally across the network. The permutations of suspicious Microsoft Entra sign-in alerts with the malicious credential theft tool alert are: - **Impossible travel to atypical locations leading to malicious credential theft tool execution** This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Credentials from Password Stores (T1555), OS Credential Dumping (T1003) -**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Endpoint +**Data connector sources:** Microsoft Entra ID Protection, Microsoft Defender for Endpoint -**Description:** Fusion incidents of this type indicate that activity associated with patterns of credential theft occurred following a suspicious Azure AD sign-in. This evidence suggests with high confidence that the user account noted in the alert description has been compromised and used to steal credentials such as keys, plain-text passwords, password hashes, and so on. The stolen credentials may allow an attacker to access sensitive data, escalate privileges, and/or move laterally across the network. The permutations of suspicious Azure AD sign-in alerts with the credential theft activity alert are: +**Description:** Fusion incidents of this type indicate that activity associated with patterns of credential theft occurred following a suspicious Microsoft Entra sign-in. This evidence suggests with high confidence that the user account noted in the alert description has been compromised and used to steal credentials such as keys, plain-text passwords, password hashes, and so on. The stolen credentials may allow an attacker to access sensitive data, escalate privileges, and/or move laterally across the network. The permutations of suspicious Microsoft Entra sign-in alerts with the credential theft activity alert are: - **Impossible travel to atypical locations leading to suspected credential theft activity** This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Resource Hijacking (T1496) -**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Cloud +**Data connector sources:** Microsoft Entra ID Protection, Microsoft Defender for Cloud -**Description:** Fusion incidents of this type indicate crypto-mining activity associated with a suspicious sign-in to an Azure AD account. This evidence suggests with high confidence that the user account noted in the alert description has been compromised and was used to hijack resources in your environment to mine crypto-currency. This can starve your resources of computing power and/or result in significantly higher-than-expected cloud usage bills. The permutations of suspicious Azure AD sign-in alerts with the crypto-mining activity alert are: +**Description:** Fusion incidents of this type indicate crypto-mining activity associated with a suspicious sign-in to a Microsoft Entra account. This evidence suggests with high confidence that the user account noted in the alert description has been compromised and was used to hijack resources in your environment to mine crypto-currency. This can starve your resources of computing power and/or result in significantly higher-than-expected cloud usage bills. The permutations of suspicious Microsoft Entra sign-in alerts with the crypto-mining activity alert are: - **Impossible travel to atypical locations leading to crypto-mining activity** This scenario is currently in **PREVIEW**. ## Data destruction -### Mass file deletion following suspicious Azure AD sign-in +<a name='mass-file-deletion-following-suspicious-azure-ad-sign-in'></a> ++### Mass file deletion following suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Impact **MITRE ATT&CK techniques:** Valid Account (T1078), Data Destruction (T1485) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of unique files were deleted following a suspicious sign-in to an Azure AD account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to destroy data for malicious purposes. The permutations of suspicious Azure AD sign-in alerts with the mass file deletion alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of unique files were deleted following a suspicious sign-in to a Microsoft Entra account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to destroy data for malicious purposes. The permutations of suspicious Microsoft Entra sign-in alerts with the mass file deletion alert are: - **Impossible travel to an atypical location leading to mass file deletion** This scenario is currently in **PREVIEW**. - **Sign-in event from user with leaked credentials leading to mass file deletion** -### Mass file deletion following successful Azure AD sign-in from IP blocked by a Cisco firewall appliance +<a name='mass-file-deletion-following-successful-azure-ad-sign-in-from-ip-blocked-by-a-cisco-firewall-appliance'></a> ++### Mass file deletion following successful Microsoft Entra sign-in from IP blocked by a Cisco firewall appliance This scenario makes use of alerts produced by **scheduled analytics rules**. This scenario is currently in **PREVIEW**. This scenario is currently in **PREVIEW**. **Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Defender for Cloud Apps -**Description:** Fusion incidents of this type indicate that an anomalous number of unique files were deleted following a successful Azure AD sign-in despite the user's IP address being blocked by a Cisco firewall appliance. This evidence suggests that the account noted in the Fusion incident description has been compromised and was used to destroy data for malicious purposes. Because the IP was blocked by the firewall, that same IP logging on successfully to Azure AD is potentially suspect and could indicate credential compromise for the user account. +**Description:** Fusion incidents of this type indicate that an anomalous number of unique files were deleted following a successful Microsoft Entra sign-in despite the user's IP address being blocked by a Cisco firewall appliance. This evidence suggests that the account noted in the Fusion incident description has been compromised and was used to destroy data for malicious purposes. Because the IP was blocked by the firewall, that same IP logging on successfully to Microsoft Entra ID is potentially suspect and could indicate credential compromise for the user account.
++<a name='mass-file-deletion-following-successful-sign-in-to-palo-alto-vpn-by-ip-with-multiple-failed-azure-ad-sign-ins'></a> -### Mass file deletion following successful sign-in to Palo Alto VPN by IP with multiple failed Azure AD sign-ins +### Mass file deletion following successful sign-in to Palo Alto VPN by IP with multiple failed Microsoft Entra sign-ins This scenario makes use of alerts produced by **scheduled analytics rules**. This scenario is currently in **PREVIEW**. This scenario is currently in **PREVIEW**. **Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Defender for Cloud Apps -**Description:** Fusion incidents of this type indicate that an anomalous number of unique files were deleted by a user who successfully signed in through a Palo Alto VPN from an IP address from which multiple failed Azure AD sign-ins occurred in a similar time frame. This evidence suggests that the user account noted in the Fusion incident may have been compromised using brute force techniques, and was used to destroy data for malicious purposes. +**Description:** Fusion incidents of this type indicate that an anomalous number of unique files were deleted by a user who successfully signed in through a Palo Alto VPN from an IP address from which multiple failed Microsoft Entra sign-ins occurred in a similar time frame. This evidence suggests that the user account noted in the Fusion incident may have been compromised using brute force techniques, and was used to destroy data for malicious purposes. -### Suspicious email deletion activity following suspicious Azure AD sign-in +<a name='suspicious-email-deletion-activity-following-suspicious-azure-ad-sign-in'></a> ++### Suspicious email deletion activity following suspicious Microsoft Entra sign-in This scenario is currently in **PREVIEW**. 
**MITRE ATT&CK tactics:** Initial Access, Impact **MITRE ATT&CK techniques:** Valid Account (T1078), Data Destruction (T1485) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of emails were deleted in a single session following a suspicious sign-in to an Azure AD account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to destroy data for malicious purposes, such as harming the organization or hiding spam-related email activity. The permutations of suspicious Azure AD sign-in alerts with the suspicious email deletion activity alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of emails were deleted in a single session following a suspicious sign-in to a Microsoft Entra account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to destroy data for malicious purposes, such as harming the organization or hiding spam-related email activity. The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious email deletion activity alert are: - **Impossible travel to an atypical location leading to suspicious email deletion activity** This scenario is currently in **PREVIEW**. **Description:** Fusion incidents of this type indicate that either a new Exchange administrator account has been created, or an existing Exchange admin account took some administrative action for the first time, in the last two weeks, and that the account then did some mail-forwarding actions, which are unusual for an administrator account. 
This evidence suggests that the user account noted in the Fusion incident description has been compromised or manipulated, and that it was used to exfiltrate data from your organization's network. -### Mass file download following suspicious Azure AD sign-in +<a name='mass-file-download-following-suspicious-azure-ad-sign-in'></a> ++### Mass file download following suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Exfiltration **MITRE ATT&CK techniques:** Valid Account (T1078) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of files were downloaded by a user following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate data from your organizationΓÇÖs network. The permutations of suspicious Azure AD sign-in alerts with the mass file download alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of files were downloaded by a user following a suspicious sign-in to a Microsoft Entra account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate data from your organizationΓÇÖs network. The permutations of suspicious Microsoft Entra sign-in alerts with the mass file download alert are: - **Impossible travel to an atypical location leading to mass file download** This scenario is currently in **PREVIEW**. 
- **Sign-in event from user with leaked credentials leading to mass file download** -### Mass file download following successful Azure AD sign-in from IP blocked by a Cisco firewall appliance +<a name='mass-file-download-following-successful-azure-ad-sign-in-from-ip-blocked-by-a-cisco-firewall-appliance'></a> ++### Mass file download following successful Microsoft Entra sign-in from IP blocked by a Cisco firewall appliance This scenario makes use of alerts produced by **scheduled analytics rules**. This scenario is currently in **PREVIEW**. This scenario is currently in **PREVIEW**. **Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Defender for Cloud Apps -**Description:** Fusion incidents of this type indicate that an anomalous number of files were downloaded by a user following a successful Azure AD sign-in despite the user's IP address being blocked by a Cisco firewall appliance. This could possibly be an attempt by an attacker to exfiltrate data from the organization's network after compromising a user account. Because the IP was blocked by the firewall, that same IP logging on successfully to Azure AD is potentially suspect and could indicate credential compromise for the user account. +**Description:** Fusion incidents of this type indicate that an anomalous number of files were downloaded by a user following a successful Microsoft Entra sign-in despite the user's IP address being blocked by a Cisco firewall appliance. This could possibly be an attempt by an attacker to exfiltrate data from the organization's network after compromising a user account. Because the IP was blocked by the firewall, that same IP logging on successfully to Microsoft Entra ID is potentially suspect and could indicate credential compromise for the user account. ### Mass file download coinciding with SharePoint file operation from previously unseen IP This scenario makes use of alerts produced by **scheduled analytics rules**. 
This scenario is currently in **PREVIEW**. **Description:** Fusion incidents of this type indicate that an anomalous number of files were downloaded by a user connected from a previously unseen IP address. Though not evidence of a multistage attack, the correlation of these two lower-fidelity alerts results in a high-fidelity incident suggesting an attempt by an attacker to exfiltrate data from the organization's network from a possibly compromised user account. In stable environments, such connections by previously unseen IPs may be unauthorized, especially if associated with spikes in volume that could be associated with large-scale document exfiltration. -### Mass file sharing following suspicious Azure AD sign-in +<a name='mass-file-sharing-following-suspicious-azure-ad-sign-in'></a> ++### Mass file sharing following suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Exfiltration **MITRE ATT&CK techniques:** Valid Account (T1078), Exfiltration Over Web Service (T1567) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that a number of files above a particular threshold were shared to others following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and used to exfiltrate data from your organization's network by sharing files such as documents, spreadsheets, etc., with unauthorized users for malicious purposes. The permutations of suspicious Azure AD sign-in alerts with the mass file sharing alert are: +**Description:** Fusion incidents of this type indicate that a number of files above a particular threshold were shared to others following a suspicious sign-in to a Microsoft Entra account. 
This indication provides high confidence that the account noted in the Fusion incident description has been compromised and used to exfiltrate data from your organization's network by sharing files such as documents, spreadsheets, etc., with unauthorized users for malicious purposes. The permutations of suspicious Microsoft Entra sign-in alerts with the mass file sharing alert are: - **Impossible travel to an atypical location leading to mass file sharing** This scenario is currently in **PREVIEW**. - **Sign-in event from user with leaked credentials leading to mass file sharing** -### Multiple Power BI report sharing activities following suspicious Azure AD sign-in +<a name='multiple-power-bi-report-sharing-activities-following-suspicious-azure-ad-sign-in'></a> ++### Multiple Power BI report sharing activities following suspicious Microsoft Entra sign-in This scenario is currently in **PREVIEW**. **MITRE ATT&CK tactics:** Initial Access, Exfiltration **MITRE ATT&CK techniques:** Valid Account (T1078), Exfiltration Over Web Service (T1567) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of Power BI reports were shared in a single session following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate data from your organization's network by sharing Power BI reports with unauthorized users for malicious purposes. 
The permutations of suspicious Azure AD sign-in alerts with the multiple Power BI report sharing activities are: +**Description:** Fusion incidents of this type indicate that an anomalous number of Power BI reports were shared in a single session following a suspicious sign-in to a Microsoft Entra account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate data from your organization's network by sharing Power BI reports with unauthorized users for malicious purposes. The permutations of suspicious Microsoft Entra sign-in alerts with the multiple Power BI report sharing activities are: - **Impossible travel to an atypical location leading to multiple Power BI report sharing activities** This scenario is currently in **PREVIEW**. - **Sign-in event from user with leaked credentials leading to multiple Power BI report sharing activities** -### Office 365 mailbox exfiltration following a suspicious Azure AD sign-in +<a name='office-365-mailbox-exfiltration-following-a-suspicious-azure-ad-sign-in'></a> ++### Office 365 mailbox exfiltration following a suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Exfiltration, Collection **MITRE ATT&CK techniques:** Valid Account (T1078), E-mail collection (T1114), Automated Exfiltration (T1020) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that a suspicious inbox forwarding rule was set on a user's inbox following a suspicious sign-in to an Azure AD account. 
This indication provides high confidence that the user's account (noted in the Fusion incident description) has been compromised, and that it was used to exfiltrate data from your organization's network by enabling a mailbox forwarding rule without the true user's knowledge. The permutations of suspicious Azure AD sign-in alerts with the Office 365 mailbox exfiltration alert are: +**Description:** Fusion incidents of this type indicate that a suspicious inbox forwarding rule was set on a user's inbox following a suspicious sign-in to a Microsoft Entra account. This indication provides high confidence that the user's account (noted in the Fusion incident description) has been compromised, and that it was used to exfiltrate data from your organization's network by enabling a mailbox forwarding rule without the true user's knowledge. The permutations of suspicious Microsoft Entra sign-in alerts with the Office 365 mailbox exfiltration alert are: - **Impossible travel to an atypical location leading to Office 365 mailbox exfiltration** This scenario is currently in **PREVIEW**. **Description:** Fusion incidents of this type indicate that an attacker attempted to exfiltrate large amounts of data by downloading or sharing through SharePoint through the use of malware. In stable environments, such connections by previously unseen IPs may be unauthorized, especially if associated with spikes in volume that could be associated with large-scale document exfiltration. -### Suspicious inbox manipulation rules set following suspicious Azure AD sign-in +<a name='suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in'></a> ++### Suspicious inbox manipulation rules set following suspicious Microsoft Entra sign-in This scenario belongs to two threat classifications in this list: **data exfiltration** and **lateral movement**. For the sake of clarity, it appears in both sections. This scenario is currently in **PREVIEW**. 
This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Internal Spear Phishing (T1534), Automated Exfiltration (T1020) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that anomalous inbox rules were set on a user's inbox following a suspicious sign-in to an Azure AD account. This evidence provides a high-confidence indication that the account noted in the Fusion incident description has been compromised and was used to manipulate the userΓÇÖs email inbox rules for malicious purposes, possibly to exfiltrate data from the organization's network. Alternatively, the attacker could be trying to generate phishing emails from within the organization (bypassing phishing detection mechanisms targeted at email from external sources) for the purpose of moving laterally by gaining access to additional user and/or privileged accounts. The permutations of suspicious Azure AD sign-in alerts with the suspicious inbox manipulation rules alert are: +**Description:** Fusion incidents of this type indicate that anomalous inbox rules were set on a user's inbox following a suspicious sign-in to a Microsoft Entra account. This evidence provides a high-confidence indication that the account noted in the Fusion incident description has been compromised and was used to manipulate the userΓÇÖs email inbox rules for malicious purposes, possibly to exfiltrate data from the organization's network. Alternatively, the attacker could be trying to generate phishing emails from within the organization (bypassing phishing detection mechanisms targeted at email from external sources) for the purpose of moving laterally by gaining access to additional user and/or privileged accounts. 
The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious inbox manipulation rules alert are: - **Impossible travel to an atypical location leading to suspicious inbox manipulation rule** This scenario is currently in **PREVIEW**. - **Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule** -### Suspicious Power BI report sharing following suspicious Azure AD sign-in +<a name='suspicious-power-bi-report-sharing-following-suspicious-azure-ad-sign-in'></a> ++### Suspicious Power BI report sharing following suspicious Microsoft Entra sign-in This scenario is currently in **PREVIEW**. **MITRE ATT&CK tactics:** Initial Access, Exfiltration **MITRE ATT&CK techniques:** Valid Account (T1078), Exfiltration Over Web Service (T1567) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that a suspicious Power BI report sharing activity occurred following a suspicious sign-in to an Azure AD account. The sharing activity was identified as suspicious because the Power BI report contained sensitive information identified using Natural language processing, and because it was shared with an external email address, published to the web, or delivered as a snapshot to an externally subscribed email address. This alert indicates with high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate sensitive data from your organization by sharing Power BI reports with unauthorized users for malicious purposes. 
The permutations of suspicious Azure AD sign-in alerts with the suspicious Power BI report sharing are: +**Description:** Fusion incidents of this type indicate that a suspicious Power BI report sharing activity occurred following a suspicious sign-in to a Microsoft Entra account. The sharing activity was identified as suspicious because the Power BI report contained sensitive information identified using Natural language processing, and because it was shared with an external email address, published to the web, or delivered as a snapshot to an externally subscribed email address. This alert indicates with high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate sensitive data from your organization by sharing Power BI reports with unauthorized users for malicious purposes. The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious Power BI report sharing are: - **Impossible travel to an atypical location leading to suspicious Power BI report sharing** This scenario is currently in **PREVIEW**. ## Denial of service -### Multiple VM deletion activities following suspicious Azure AD sign-in +<a name='multiple-vm-deletion-activities-following-suspicious-azure-ad-sign-in'></a> ++### Multiple VM deletion activities following suspicious Microsoft Entra sign-in This scenario is currently in **PREVIEW**. **MITRE ATT&CK tactics:** Initial Access, Impact **MITRE ATT&CK techniques:** Valid Account (T1078), Endpoint Denial of Service (T1499) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of VMs were deleted in a single session following a suspicious sign-in to an Azure AD account. 
This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to attempt to disrupt or destroy the organization's cloud environment. The permutations of suspicious Azure AD sign-in alerts with the multiple VM deletion activities alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of VMs were deleted in a single session following a suspicious sign-in to a Microsoft Entra account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to attempt to disrupt or destroy the organization's cloud environment. The permutations of suspicious Microsoft Entra sign-in alerts with the multiple VM deletion activities alert are: - **Impossible travel to an atypical location leading to multiple VM deletion activities** This scenario is currently in **PREVIEW**. ## Lateral movement -### Office 365 impersonation following suspicious Azure AD sign-in +<a name='office-365-impersonation-following-suspicious-azure-ad-sign-in'></a> ++### Office 365 impersonation following suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Lateral Movement **MITRE ATT&CK techniques:** Valid Account (T1078), Internal Spear Phishing (T1534) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of impersonation actions occurred following a suspicious sign-in from an Azure AD account. In some software, there are options to allow users to impersonate other users. For example, email services allow users to authorize other users to send email on their behalf. 
This alert indicates with higher confidence that the account noted in the Fusion incident description has been compromised and was used to conduct impersonation activities for malicious purposes, such as sending phishing emails for malware distribution or lateral movement. The permutations of suspicious Azure AD sign-in alerts with the Office 365 impersonation alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of impersonation actions occurred following a suspicious sign-in from a Microsoft Entra account. In some software, there are options to allow users to impersonate other users. For example, email services allow users to authorize other users to send email on their behalf. This alert indicates with higher confidence that the account noted in the Fusion incident description has been compromised and was used to conduct impersonation activities for malicious purposes, such as sending phishing emails for malware distribution or lateral movement. The permutations of suspicious Microsoft Entra sign-in alerts with the Office 365 impersonation alert are: - **Impossible travel to an atypical location leading to Office 365 impersonation** This scenario is currently in **PREVIEW**. - **Sign-in event from user with leaked credentials leading to Office 365 impersonation** -### Suspicious inbox manipulation rules set following suspicious Azure AD sign-in +<a name='suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in'></a> ++### Suspicious inbox manipulation rules set following suspicious Microsoft Entra sign-in This scenario belongs to two threat classifications in this list: **lateral movement** and **data exfiltration**. For the sake of clarity, it appears in both sections. This scenario is currently in **PREVIEW**. This scenario is currently in **PREVIEW**. 
**MITRE ATT&CK techniques:** Valid Account (T1078), Internal Spear Phishing (T1534), Automated Exfiltration (T1020) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that anomalous inbox rules were set on a user's inbox following a suspicious sign-in to an Azure AD account. This evidence provides a high-confidence indication that the account noted in the Fusion incident description has been compromised and was used to manipulate the userΓÇÖs email inbox rules for malicious purposes, possibly to exfiltrate data from the organization's network. Alternatively, the attacker could be trying to generate phishing emails from within the organization (bypassing phishing detection mechanisms targeted at email from external sources) for the purpose of moving laterally by gaining access to additional user and/or privileged accounts. The permutations of suspicious Azure AD sign-in alerts with the suspicious inbox manipulation rules alert are: +**Description:** Fusion incidents of this type indicate that anomalous inbox rules were set on a user's inbox following a suspicious sign-in to a Microsoft Entra account. This evidence provides a high-confidence indication that the account noted in the Fusion incident description has been compromised and was used to manipulate the userΓÇÖs email inbox rules for malicious purposes, possibly to exfiltrate data from the organization's network. Alternatively, the attacker could be trying to generate phishing emails from within the organization (bypassing phishing detection mechanisms targeted at email from external sources) for the purpose of moving laterally by gaining access to additional user and/or privileged accounts. 
The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious inbox manipulation rules alert are: - **Impossible travel to an atypical location leading to suspicious inbox manipulation rule** This scenario is currently in **PREVIEW**. ## Malicious administrative activity -### Suspicious cloud app administrative activity following suspicious Azure AD sign-in +<a name='suspicious-cloud-app-administrative-activity-following-suspicious-azure-ad-sign-in'></a> ++### Suspicious cloud app administrative activity following suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Persistence, Defense Evasion, Lateral Movement, Collection, Exfiltration, and Impact **MITRE ATT&CK techniques:** N/A -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an anomalous number of administrative activities were performed in a single session following a suspicious Azure AD sign-in from the same account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to make any number of unauthorized administrative actions with malicious intent. This also indicates that an account with administrative privileges may have been compromised. The permutations of suspicious Azure AD sign-in alerts with the suspicious cloud app administrative activity alert are: +**Description:** Fusion incidents of this type indicate that an anomalous number of administrative activities were performed in a single session following a suspicious Microsoft Entra sign-in from the same account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to make any number of unauthorized administrative actions with malicious intent. 
This also indicates that an account with administrative privileges may have been compromised. The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious cloud app administrative activity alert are: - **Impossible travel to an atypical location leading to suspicious cloud app administrative activity** This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Command and Scripting Interpreter (T1059) -**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Endpoint (formerly MDATP) +**Data connector sources:** Microsoft Entra ID Protection, Microsoft Defender for Endpoint (formerly MDATP) -**Description:** Fusion incidents of this type indicate that a user executed potentially malicious PowerShell commands following a suspicious sign-in to an Azure AD account. This evidence suggests with high confidence that the account noted in the alert description has been compromised and further malicious actions were taken. Attackers often use PowerShell to execute malicious payloads in memory without leaving artifacts on the disk, in order to avoid detection by disk-based security mechanisms such as virus scanners. The permutations of suspicious Azure AD sign-in alerts with the suspicious PowerShell command alert are: +**Description:** Fusion incidents of this type indicate that a user executed potentially malicious PowerShell commands following a suspicious sign-in to a Microsoft Entra account. This evidence suggests with high confidence that the account noted in the alert description has been compromised and further malicious actions were taken. Attackers often use PowerShell to execute malicious payloads in memory without leaving artifacts on the disk, in order to avoid detection by disk-based security mechanisms such as virus scanners. 
The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious PowerShell command alert are: - **Impossible travel to atypical locations leading to suspicious PowerShell command line** This scenario is currently in **PREVIEW**. **Description:** Fusion incidents of this type indicate communication patterns, from an internal IP address to an external one, that are consistent with beaconing, following multiple failed user sign-ins to a service from a related internal entity. The combination of these two events could be an indication of malware infection or of a compromised host doing data exfiltration. -### Beacon pattern detected by Fortinet following suspicious Azure AD sign-in +<a name='beacon-pattern-detected-by-fortinet-following-suspicious-azure-ad-sign-in'></a> ++### Beacon pattern detected by Fortinet following suspicious Microsoft Entra sign-in This scenario makes use of alerts produced by **scheduled analytics rules**. This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Non-Standard Port (T1571), T1065 (retired) -**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate communication patterns, from an internal IP address to an external one, that are consistent with beaconing, following a user sign-in of a suspicious nature to Azure AD. The combination of these two events could be an indication of malware infection or of a compromised host doing data exfiltration. 
The permutations of beacon pattern detected by Fortinet alerts with suspicious Azure AD sign-in alerts are: +**Description:** Fusion incidents of this type indicate communication patterns, from an internal IP address to an external one, that are consistent with beaconing, following a user sign-in of a suspicious nature to Microsoft Entra ID. The combination of these two events could be an indication of malware infection or of a compromised host doing data exfiltration. The permutations of beacon pattern detected by Fortinet alerts with suspicious Microsoft Entra sign-in alerts are: - **Impossible travel to an atypical location leading to beacon pattern detected by Fortinet** This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Create Account (T1136), Valid Account (T1078) -**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that an application was granted consent by a user who has never or rarely done so, following a related suspicious sign-in to an Azure AD account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and used to access or manipulate the application for malicious purposes. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. Attackers may use this type of configuration change to establish or maintain their foothold on systems. The permutations of suspicious Azure AD sign-in alerts with the rare application consent alert are: +**Description:** Fusion incidents of this type indicate that an application was granted consent by a user who has never or rarely done so, following a related suspicious sign-in to a Microsoft Entra account. 
This evidence suggests that the account noted in the Fusion incident description may have been compromised and used to access or manipulate the application for malicious purposes. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. Attackers may use this type of configuration change to establish or maintain their foothold on systems. The permutations of suspicious Microsoft Entra sign-in alerts with the rare application consent alert are: - **Impossible travel to an atypical location leading to rare application consent** This scenario is currently in **PREVIEW**. ## Ransomware -### Ransomware execution following suspicious Azure AD sign-in +<a name='ransomware-execution-following-suspicious-azure-ad-sign-in'></a> ++### Ransomware execution following suspicious Microsoft Entra sign-in **MITRE ATT&CK tactics:** Initial Access, Impact **MITRE ATT&CK techniques:** Valid Account (T1078), Data Encrypted for Impact (T1486) -**Data connector sources:** Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that anomalous user behavior indicating a ransomware attack was detected following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to encrypt data for the purposes of extorting the data owner or denying the data owner access to their data. The permutations of suspicious Azure AD sign-in alerts with the ransomware execution alert are: +**Description:** Fusion incidents of this type indicate that anomalous user behavior indicating a ransomware attack was detected following a suspicious sign-in to a Microsoft Entra account. 
This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to encrypt data for the purposes of extorting the data owner or denying the data owner access to their data. The permutations of suspicious Microsoft Entra sign-in alerts with the ransomware execution alert are: - **Impossible travel to an atypical location leading to ransomware in cloud app** This scenario is currently in **PREVIEW**. ## Resource hijacking (New threat classification) -### Suspicious resource / resource group deployment by a previously unseen caller following suspicious Azure AD sign-in +<a name='suspicious-resource--resource-group-deployment-by-a-previously-unseen-caller-following-suspicious-azure-ad-sign-in'></a> ++### Suspicious resource / resource group deployment by a previously unseen caller following suspicious Microsoft Entra sign-in This scenario makes use of alerts produced by **scheduled analytics rules**. This scenario is currently in **PREVIEW**. This scenario is currently in **PREVIEW**. **MITRE ATT&CK techniques:** Valid Account (T1078), Resource Hijacking (T1496) -**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection +**Data connector sources:** Microsoft Sentinel (scheduled analytics rule), Microsoft Entra ID Protection -**Description:** Fusion incidents of this type indicate that a user has deployed an Azure resource or resource group - a rare activity - following a suspicious sign-in, with properties not recently seen, to an Azure AD account. This could possibly be an attempt by an attacker to deploy resources or resource groups for malicious purposes after compromising the user account noted in the Fusion incident description. 
+**Description:** Fusion incidents of this type indicate that a user has deployed an Azure resource or resource group - a rare activity - following a suspicious sign-in, with properties not recently seen, to a Microsoft Entra account. This could possibly be an attempt by an attacker to deploy resources or resource groups for malicious purposes after compromising the user account noted in the Fusion incident description. -The permutations of suspicious Azure AD sign-in alerts with the suspicious resource / resource group deployment by a previously unseen caller alert are: +The permutations of suspicious Microsoft Entra sign-in alerts with the suspicious resource / resource group deployment by a previously unseen caller alert are: - **Impossible travel to an atypical location leading to suspicious resource / resource group deployment by a previously unseen caller** |
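Review bot: since every one of these technique lines is being touched for the rename, fix the ATT&CK name while here: the three scenarios that list "Valid Account (T1078)" (the PowerShell, Fortinet beacon, rare application consent, ransomware and resource-deployment sections) use the singular, but the technique is "Valid Accounts (T1078)"; the other names on these lines (Create Account, Non-Standard Port, Data Encrypted for Impact, Resource Hijacking, Command and Scripting Interpreter) match ATT&CK. Also, under "Suspicious resource / resource group deployment by a previously unseen caller" the sentence "This scenario is currently in **PREVIEW**." appears twice in a row in the visible text; if that duplication is in the source rather than an artifact of this excerpt, drop one copy in the same commit. The `<a name='...-azure-ad-sign-in'>` aliases inserted ahead of each renamed heading are the right way to keep the old fragment links working; make sure every renamed heading gets one, since fusion.md (below) still links to the old slugs.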
sentinel | Fusion | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/fusion.md | The Fusion engine's ML algorithms constantly learn from existing attacks and app - [Out-of-the-box anomaly detections](soc-ml-anomalies.md) - Alerts from Microsoft products:- - Azure Active Directory Identity Protection + - Microsoft Entra ID Protection - Microsoft Defender for Cloud - Microsoft Defender for IoT - Microsoft 365 Defender In order to enable these Fusion-powered attack detection scenarios, their associ | Threat classification | Scenarios | | -- | -- |-| **Compute resource abuse** | <ul><li>(PREVIEW) [Multiple VM creation activities *following* suspicious Azure Active Directory sign-in](fusion-scenario-reference.md#multiple-vm-creation-activities-following-suspicious-azure-active-directory-sign-in) | -| **Credential access** | <ul><li>(PREVIEW) [Multiple passwords reset by user *following* suspicious sign-in](fusion-scenario-reference.md#multiple-passwords-reset-by-user-following-suspicious-sign-in) <li>(PREVIEW) [Suspicious sign-in *coinciding with* successful sign-in to Palo Alto VPN <br>by IP with multiple failed Azure AD sign-ins](fusion-scenario-reference.md#suspicious-sign-in-coinciding-with-successful-sign-in-to-palo-alto-vpn-by-ip-with-multiple-failed-azure-ad-sign-ins) | +| **Compute resource abuse** | <ul><li>(PREVIEW) [Multiple VM creation activities *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#multiple-vm-creation-activities-following-suspicious-azure-active-directory-sign-in) | +| **Credential access** | <ul><li>(PREVIEW) [Multiple passwords reset by user *following* suspicious sign-in](fusion-scenario-reference.md#multiple-passwords-reset-by-user-following-suspicious-sign-in) <li>(PREVIEW) [Suspicious sign-in *coinciding with* successful sign-in to Palo Alto VPN <br>by IP with multiple failed Microsoft Entra 
sign-ins](fusion-scenario-reference.md#suspicious-sign-in-coinciding-with-successful-sign-in-to-palo-alto-vpn-by-ip-with-multiple-failed-azure-ad-sign-ins) | | **Credential harvesting** | <ul><li>[Malicious credential theft tool execution *following* suspicious sign-in](fusion-scenario-reference.md#malicious-credential-theft-tool-execution-following-suspicious-sign-in) <li>[Suspected credential theft activity *following* suspicious sign-in](fusion-scenario-reference.md#suspected-credential-theft-activity-following-suspicious-sign-in) | | **Crypto-mining** | <ul><li>[Crypto-mining activity *following* suspicious sign-in](fusion-scenario-reference.md#crypto-mining-activity-following-suspicious-sign-in) |-| **Data destruction** | <ul><li>[Mass file deletion *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#mass-file-deletion-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Mass file deletion *following* successful Azure AD sign-in from <br>IP blocked by a Cisco firewall appliance](fusion-scenario-reference.md#mass-file-deletion-following-successful-azure-ad-sign-in-from-ip-blocked-by-a-cisco-firewall-appliance) <li>(PREVIEW) [Mass file deletion *following* successful sign-in to Palo Alto VPN <br>by IP with multiple failed Azure AD sign-ins](fusion-scenario-reference.md#mass-file-deletion-following-successful-sign-in-to-palo-alto-vpn-by-ip-with-multiple-failed-azure-ad-sign-ins) <li>(PREVIEW) [Suspicious email deletion activity *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#suspicious-email-deletion-activity-following-suspicious-azure-ad-sign-in) | -| **Data exfiltration** | <ul><li>(PREVIEW) [Mail forwarding activities *following* new admin-account activity not seen recently](fusion-scenario-reference.md#mail-forwarding-activities-following-new-admin-account-activity-not-seen-recently) <li>[Mass file download *following* suspicious Azure AD 
sign-in](fusion-scenario-reference.md#mass-file-download-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Mass file download *following* successful Azure AD sign-in from <br>IP blocked by a Cisco firewall appliance](fusion-scenario-reference.md#mass-file-download-following-successful-azure-ad-sign-in-from-ip-blocked-by-a-cisco-firewall-appliance) <li>(PREVIEW) [Mass file download *coinciding with* SharePoint file operation from previously unseen IP](fusion-scenario-reference.md#mass-file-download-coinciding-with-sharepoint-file-operation-from-previously-unseen-ip) <li>[Mass file sharing *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#mass-file-sharing-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Multiple Power BI report sharing activities *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#multiple-power-bi-report-sharing-activities-following-suspicious-azure-ad-sign-in) <li>[Office 365 mailbox exfiltration *following* a suspicious Azure AD sign-in](fusion-scenario-reference.md#office-365-mailbox-exfiltration-following-a-suspicious-azure-ad-sign-in) <li>(PREVIEW) [SharePoint file operation from previously unseen IP *following* malware detection](fusion-scenario-reference.md#sharepoint-file-operation-from-previously-unseen-ip-following-malware-detection) <li>(PREVIEW) [Suspicious inbox manipulation rules set *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Suspicious Power BI report sharing *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#suspicious-power-bi-report-sharing-following-suspicious-azure-ad-sign-in) | -| **Denial of service** | <ul><li>(PREVIEW) [Multiple VM deletion activities *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#multiple-vm-deletion-activities-following-suspicious-azure-ad-sign-in) | -| **Lateral movement** | <ul><li>[Office 365 
impersonation *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#office-365-impersonation-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Suspicious inbox manipulation rules set *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in-1) | -| **Malicious administrative activity** | <ul><li>[Suspicious cloud app administrative activity *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#suspicious-cloud-app-administrative-activity-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Mail forwarding activities *following* new admin-account activity not seen recently](fusion-scenario-reference.md#mail-forwarding-activities-following-new-admin-account-activity-not-seen-recently-1) | +| **Data destruction** | <ul><li>[Mass file deletion *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#mass-file-deletion-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Mass file deletion *following* successful Microsoft Entra sign-in from <br>IP blocked by a Cisco firewall appliance](fusion-scenario-reference.md#mass-file-deletion-following-successful-azure-ad-sign-in-from-ip-blocked-by-a-cisco-firewall-appliance) <li>(PREVIEW) [Mass file deletion *following* successful sign-in to Palo Alto VPN <br>by IP with multiple failed Microsoft Entra sign-ins](fusion-scenario-reference.md#mass-file-deletion-following-successful-sign-in-to-palo-alto-vpn-by-ip-with-multiple-failed-azure-ad-sign-ins) <li>(PREVIEW) [Suspicious email deletion activity *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#suspicious-email-deletion-activity-following-suspicious-azure-ad-sign-in) | +| **Data exfiltration** | <ul><li>(PREVIEW) [Mail forwarding activities *following* new admin-account activity not seen 
recently](fusion-scenario-reference.md#mail-forwarding-activities-following-new-admin-account-activity-not-seen-recently) <li>[Mass file download *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#mass-file-download-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Mass file download *following* successful Microsoft Entra sign-in from <br>IP blocked by a Cisco firewall appliance](fusion-scenario-reference.md#mass-file-download-following-successful-azure-ad-sign-in-from-ip-blocked-by-a-cisco-firewall-appliance) <li>(PREVIEW) [Mass file download *coinciding with* SharePoint file operation from previously unseen IP](fusion-scenario-reference.md#mass-file-download-coinciding-with-sharepoint-file-operation-from-previously-unseen-ip) <li>[Mass file sharing *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#mass-file-sharing-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Multiple Power BI report sharing activities *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#multiple-power-bi-report-sharing-activities-following-suspicious-azure-ad-sign-in) <li>[Office 365 mailbox exfiltration *following* a suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#office-365-mailbox-exfiltration-following-a-suspicious-azure-ad-sign-in) <li>(PREVIEW) [SharePoint file operation from previously unseen IP *following* malware detection](fusion-scenario-reference.md#sharepoint-file-operation-from-previously-unseen-ip-following-malware-detection) <li>(PREVIEW) [Suspicious inbox manipulation rules set *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Suspicious Power BI report sharing *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#suspicious-power-bi-report-sharing-following-suspicious-azure-ad-sign-in) | +| **Denial of service** | <ul><li>(PREVIEW) 
[Multiple VM deletion activities *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#multiple-vm-deletion-activities-following-suspicious-azure-ad-sign-in) | +| **Lateral movement** | <ul><li>[Office 365 impersonation *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#office-365-impersonation-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Suspicious inbox manipulation rules set *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in) | +| **Malicious administrative activity** | <ul><li>[Suspicious cloud app administrative activity *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#suspicious-cloud-app-administrative-activity-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Mail forwarding activities *following* new admin-account activity not seen recently](fusion-scenario-reference.md#mail-forwarding-activities-following-new-admin-account-activity-not-seen-recently-1) | | **Malicious execution <br>with legitimate process** | <ul><li>(PREVIEW) [PowerShell made a suspicious network connection, *followed by* <br>anomalous traffic flagged by Palo Alto Networks firewall](fusion-scenario-reference.md#powershell-made-a-suspicious-network-connection-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) <li>(PREVIEW) [Suspicious remote WMI execution *followed by* <br>anomalous traffic flagged by Palo Alto Networks firewall](fusion-scenario-reference.md#suspicious-remote-wmi-execution-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) <li>[Suspicious PowerShell command line *following* suspicious sign-in](fusion-scenario-reference.md#suspicious-powershell-command-line-following-suspicious-sign-in) |-| **Malware C2 or download** | <ul><li>(PREVIEW) [Beacon pattern detected by Fortinet following multiple failed user sign-ins to a 
service](fusion-scenario-reference.md#beacon-pattern-detected-by-fortinet-following-multiple-failed-user-sign-ins-to-a-service) <li>(PREVIEW) [Beacon pattern detected by Fortinet *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#beacon-pattern-detected-by-fortinet-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Network request to TOR anonymization service *followed by* <br>anomalous traffic flagged by Palo Alto Networks firewall](fusion-scenario-reference.md#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) <li>(PREVIEW) [Outbound connection to IP with a history of unauthorized access attempts *followed by* <br>anomalous traffic flagged by Palo Alto Networks firewall](fusion-scenario-reference.md#outbound-connection-to-ip-with-a-history-of-unauthorized-access-attempts-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) | +| **Malware C2 or download** | <ul><li>(PREVIEW) [Beacon pattern detected by Fortinet following multiple failed user sign-ins to a service](fusion-scenario-reference.md#beacon-pattern-detected-by-fortinet-following-multiple-failed-user-sign-ins-to-a-service) <li>(PREVIEW) [Beacon pattern detected by Fortinet *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#beacon-pattern-detected-by-fortinet-following-suspicious-azure-ad-sign-in) <li>(PREVIEW) [Network request to TOR anonymization service *followed by* <br>anomalous traffic flagged by Palo Alto Networks firewall](fusion-scenario-reference.md#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) <li>(PREVIEW) [Outbound connection to IP with a history of unauthorized access attempts *followed by* <br>anomalous traffic flagged by Palo Alto Networks 
firewall](fusion-scenario-reference.md#outbound-connection-to-ip-with-a-history-of-unauthorized-access-attempts-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) | | **Persistence** | <ul><li>(PREVIEW) [Rare application consent *following* suspicious sign-in](fusion-scenario-reference.md#rare-application-consent-following-suspicious-sign-in) |-| **Ransomware** | <ul><li>[Ransomware execution *following* suspicious Azure AD sign-in](fusion-scenario-reference.md#ransomware-execution-following-suspicious-azure-ad-sign-in) | +| **Ransomware** | <ul><li>[Ransomware execution *following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#ransomware-execution-following-suspicious-azure-ad-sign-in) | | **Remote exploitation** | <ul><li>(PREVIEW) [Suspected use of attack framework *followed by* <br>anomalous traffic flagged by Palo Alto Networks firewall](fusion-scenario-reference.md#suspected-use-of-attack-framework-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall) |-| **Resource hijacking** | <ul><li>(PREVIEW) [Suspicious resource / resource group deployment by a previously unseen caller <br>*following* suspicious Azure AD sign-in](fusion-scenario-reference.md#suspicious-resource--resource-group-deployment-by-a-previously-unseen-caller-following-suspicious-azure-ad-sign-in) | +| **Resource hijacking** | <ul><li>(PREVIEW) [Suspicious resource / resource group deployment by a previously unseen caller <br>*following* suspicious Microsoft Entra sign-in](fusion-scenario-reference.md#suspicious-resource--resource-group-deployment-by-a-previously-unseen-caller-following-suspicious-azure-ad-sign-in) | | ## Next steps |
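Review bot: the "Lateral movement" link for "Suspicious inbox manipulation rules set" changes its target, not just its text: the removed line points at `#suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in-1` while the added line points at `#suspicious-inbox-manipulation-rules-set-following-suspicious-azure-ad-sign-in`, which is the same anchor the "Data exfiltration" row already uses, so both entries now land on the first occurrence of that heading. The "Malicious administrative activity" row keeps its `-1` suffix for the mail-forwarding link in the same hunk, so the drop looks accidental; either restore `-1` or confirm that the `<a name>` aliases added in fusion-scenario-reference.md distinguish the two same-named scenarios. More generally, every link text here is renamed to "Microsoft Entra" while the fragments stay `...-azure-ad-sign-in` (and `...-azure-active-directory-sign-in` for the VM creation entry); that only works while the alias anchors in the target file exist, so a link check over this table after both files merge is worth running.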
sentinel | Get Visibility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/get-visibility.md | You see the number of analytics rules in Microsoft Sentinel, by enabled, disable ## Use workbooks templates<a name="dashboards"></a> -Workbook templates provide integrated data from your connected data sources to let you deep dive into the events generated in those services. Workbook templates include Azure Active Directory (Azure AD), Azure activity events, and on-premises, which can be data from Windows Events from servers, from first party alerts, from any third-party including firewall traffic logs, Office 365, and insecure protocols based on Windows events. The workbooks are based on Azure Monitor Workbooks to provide you with enhanced customizability and flexibility in designing your own workbook. For more information, see [Workbooks](../azure-monitor/visualize/workbooks-overview.md). +Workbook templates provide integrated data from your connected data sources to let you deep dive into the events generated in those services. Workbook templates include Microsoft Entra ID, Azure activity events, and on-premises, which can be data from Windows Events from servers, from first party alerts, from any third-party including firewall traffic logs, Office 365, and insecure protocols based on Windows events. The workbooks are based on Azure Monitor Workbooks to provide you with enhanced customizability and flexibility in designing your own workbook. For more information, see [Workbooks](../azure-monitor/visualize/workbooks-overview.md). 1. Under **Settings**, select **Workbooks**. Under **My workbooks**, you can see all your saved workbook. Under **Templates**, you can see the workbooks templates that are installed. To find more workbook templates, go to the **Content hub** in Microsoft Sentinel to install product solutions or standalone content. 2. Search for a specific workbook to see the whole list and description of what each offers. -3. 
Assuming you use Azure AD, to get up and running with Microsoft Sentinel, we recommend that you install the Azure AD solution for Microsoft Sentinel and use the following workbooks: - - **Azure AD**: Use either or both of the following: - - **Azure AD sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbooks provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins. - - **Azure AD audit logs** analyzes admin activities, such as changes in users (add, remove, etc.), group creation, and modifications. +3. Assuming you use Microsoft Entra ID, to get up and running with Microsoft Sentinel, we recommend that you install the Microsoft Entra solution for Microsoft Sentinel and use the following workbooks: + - **Microsoft Entra ID**: Use either or both of the following: + - **Microsoft Entra sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbooks provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins. + - **Microsoft Entra audit logs** analyzes admin activities, such as changes in users (add, remove, etc.), group creation, and modifications. - Install the appropriate solution to add a workbook for your firewall. For example, install the Palo Alto firewall solution for Microsoft Sentinel to add the Palo Alto workbooks. The workbooks analyze your firewall traffic, providing you with correlations between your firewall data and threat events, and highlights suspicious events across entities. Workbooks provide you with information about trends in your traffic and let you drill down into and filter results. 
SecurityEvent | extend Week = iff(TimeGenerated>ago(7d), "This Week", "Last Week"), TimeGenerated = iff(TimeGenerated>ago(7d), TimeGenerated, TimeGenerated + 7d) ``` -You might want to create a query that incorporates data from multiples sources. You can create a query that looks at Azure Active Directory audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation. That suspicious activity would show up on this dashboard: +You might want to create a query that incorporates data from multiples sources. You can create a query that looks at Microsoft Entra audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation. That suspicious activity would show up on this dashboard: ```console AuditLogs AuditLogs | project-away user1 ``` -You can create different workbooks based on role of person looking at the data and what they're looking for. For example, you can create a workbook for your network admin that includes the firewall data. You can also create workbooks based on how frequently you want to look at them, whether there are things you want to review daily, and others items you want to check once an hour, for example, you might want to look at your Azure AD sign-ins every hour to search for anomalies. +You can create different workbooks based on role of person looking at the data and what they're looking for. For example, you can create a workbook for your network admin that includes the firewall data. You can also create workbooks based on how frequently you want to look at them, whether there are things you want to review daily, and others items you want to check once an hour, for example, you might want to look at your Microsoft Entra sign-ins every hour to search for anomalies. ## Create new detections |
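Review bot: the rewritten lines carry forward grammatical errors that should be fixed while the lines are being replaced anyway: "you can see all your saved workbook" (workbooks), "This workbooks provides" (This workbook provides), "at a glance if something unusual happens" (missing comma after "glance"), "data from multiples sources" (multiple), "based on role of person looking at the data" (the role of the person), and "others items you want to check" (other items). Separately, "install the Microsoft Entra solution for Microsoft Sentinel" should use the solution's name as it appears in Content hub ("Microsoft Entra ID") so readers can find it; verify against the current Content hub listing. The two KQL fragments in this hunk are truncated in the excerpt, so no comment on them.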
sentinel | Identify Threats With Entity Behavior Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/identify-threats-with-entity-behavior-analytics.md | Microsoft Sentinel presents artifacts that help your security analysts get a cle - as compared to organization's behavior. :::image type="content" source="media/identify-threats-with-entity-behavior-analytics/context.png" alt-text="Entity context"::: -The user entity information that Microsoft Sentinel uses to build its user profiles comes from your Azure Active Directory (and/or your on-premises Active Directory, now in Preview). When you enable UEBA, it synchronizes your Azure Active Directory with Microsoft Sentinel, storing the information in an internal database visible through the *IdentityInfo* table in Log Analytics. +The user entity information that Microsoft Sentinel uses to build its user profiles comes from your Microsoft Entra ID (and/or your on-premises Active Directory, now in Preview). When you enable UEBA, it synchronizes your Microsoft Entra ID with Microsoft Sentinel, storing the information in an internal database visible through the *IdentityInfo* table in Log Analytics. Now in preview, you can also sync your on-premises Active Directory user entity information as well, using Microsoft Defender for Identity. BehaviorAnalytics User peers' metadata provides important context in threat detections, in investigating an incident, and in hunting for a potential threat. Security analysts can observe the normal activities of a user's peers to determine if the user's activities are unusual as compared to those of his or her peers. -Microsoft Sentinel calculates and ranks a user's peers, based on the userΓÇÖs Azure AD security group membership, mailing list, et cetera, and stores the peers ranked 1-20 in the **UserPeerAnalytics** table. 
The screenshot below shows the schema of the UserPeerAnalytics table, and displays the top eight-ranked peers of the user Kendall Collins. Microsoft Sentinel uses the *term frequency-inverse document frequency* (TF-IDF) algorithm to normalize the weighing for calculating the rank: the smaller the group, the higher the weight. +Microsoft Sentinel calculates and ranks a user's peers, based on the userΓÇÖs Microsoft Entra security group membership, mailing list, et cetera, and stores the peers ranked 1-20 in the **UserPeerAnalytics** table. The screenshot below shows the schema of the UserPeerAnalytics table, and displays the top eight-ranked peers of the user Kendall Collins. Microsoft Sentinel uses the *term frequency-inverse document frequency* (TF-IDF) algorithm to normalize the weighing for calculating the rank: the smaller the group, the higher the weight. :::image type="content" source="./media/identify-threats-with-entity-behavior-analytics/user-peers-metadata.png" alt-text="Screen shot of user peers metadata table"::: You can use the [Jupyter notebook](https://github.com/Azure/Azure-Sentinel-Noteb Permission analytics helps determine the potential impact of the compromising of an organizational asset by an attacker. This impact is also known as the asset's "blast radius." Security analysts can use this information to prioritize investigations and incident handling. -Microsoft Sentinel determines the direct and transitive access rights held by a given user to Azure resources, by evaluating the Azure subscriptions the user can access directly or via groups or service principals. This information, as well as the full list of the user's Azure AD security group membership, is then stored in the **UserAccessAnalytics** table. The screenshot below shows a sample row in the UserAccessAnalytics table, for the user Alex Johnson. **Source entity** is the user or service principal account, and **target entity** is the resource that the source entity has access to. 
The values of **access level** and **access type** depend on the access-control model of the target entity. You can see that Alex has Contributor access to the Azure subscription *Contoso Hotels Tenant*. The access control model of the subscription is Azure RBAC. +Microsoft Sentinel determines the direct and transitive access rights held by a given user to Azure resources, by evaluating the Azure subscriptions the user can access directly or via groups or service principals. This information, as well as the full list of the user's Microsoft Entra security group membership, is then stored in the **UserAccessAnalytics** table. The screenshot below shows a sample row in the UserAccessAnalytics table, for the user Alex Johnson. **Source entity** is the user or service principal account, and **target entity** is the resource that the source entity has access to. The values of **access level** and **access type** depend on the access-control model of the target entity. You can see that Alex has Contributor access to the Azure subscription *Contoso Hotels Tenant*. The access control model of the subscription is Azure RBAC. :::image type="content" source="./media/identify-threats-with-entity-behavior-analytics/user-access-analytics.png" alt-text="Screen shot of user access analytics table"::: |
sentinel | Investigate Cases | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/investigate-cases.md | An incident can include multiple alerts. It's an aggregation of all the relevant - You'll only be able to investigate the incident if you used the entity mapping fields when you set up your analytics rule. The investigation graph requires that your original incident includes entities. -- If you have a guest user that needs to assign incidents, the user must be assigned the [Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers) role in your Azure AD tenant. Regular (non-guest) users have this role assigned by default.+- If you have a guest user that needs to assign incidents, the user must be assigned the [Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers) role in your Microsoft Entra tenant. Regular (non-guest) users have this role assigned by default. ## How to investigate incidents |
sentinel | Investigate Incidents | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/investigate-incidents.md | Incidents are your case files that contain an aggregation of all the relevant ev Learn more about [roles in Microsoft Sentinel](roles.md). -- If you have a guest user that needs to assign incidents, the user must be assigned the [Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers) role in your Azure AD tenant. Regular (non-guest) users have this role assigned by default.+- If you have a guest user that needs to assign incidents, the user must be assigned the [Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers) role in your Microsoft Entra tenant. Regular (non-guest) users have this role assigned by default. ## Navigate and triage incidents |
sentinel | Investigate With Ueba | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/investigate-with-ueba.md | For example: | where Department != "IT" ``` -- To correlate Azure AD sign-in logs with the **IdentityInfo** table in an alert that's triggered if an application is accessed by someone who isn't a member of a specific security group:+- To correlate Microsoft Entra sign-in logs with the **IdentityInfo** table in an alert that's triggered if an application is accessed by someone who isn't a member of a specific security group: ```kusto SigninLogs For example: | where GroupMembership !contains "Developers" ``` -The **IdentityInfo** table synchronizes with your Azure AD workspace to create a snapshot of your user profile data, such as user metadata, group information, and Azure AD roles assigned to each user. For more information, see [IdentityInfo table](ueba-reference.md#identityinfo-table) in the UEBA enrichments reference. +The **IdentityInfo** table synchronizes with your Microsoft Entra workspace to create a snapshot of your user profile data, such as user metadata, group information, and Microsoft Entra roles assigned to each user. For more information, see [IdentityInfo table](ueba-reference.md#identityinfo-table) in the UEBA enrichments reference. ## Identify password spray and spear phishing attempts |
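Review bot: the rewritten sentence `The **IdentityInfo** table synchronizes with your Microsoft Entra workspace` carries forward a term that does not fit the product: Microsoft Entra ID has tenants, while "workspace" is Log Analytics vocabulary, so a reader can confuse the directory being synced with the Sentinel workspace that receives the snapshot. Suggest `synchronizes with your Microsoft Entra tenant`, and apply the same wording wherever the old "Azure AD workspace" phrasing was carried over.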
sentinel | Kusto Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/kusto-overview.md | A good place to start learning Kusto Query Language is to understand the overall This concept of passing data down the pipeline makes for a very intuitive structure, as it is easy to create a mental picture of your data at each step. -To illustrate this, let's take a look at the following query, which looks at Azure Active Directory (Azure AD) sign-in logs. As you read through each line, you can see the keywords that indicate what's happening to the data. We've included the relevant stage in the pipeline as a comment in each line. +To illustrate this, let's take a look at the following query, which looks at Microsoft Entra sign-in logs. As you read through each line, you can see the keywords that indicate what's happening to the data. We've included the relevant stage in the pipeline as a comment in each line. > [!NOTE] > You can add comments to any line in a query by preceding them with a double slash (` // `). |
sentinel | Microsoft 365 Defender Sentinel Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/microsoft-365-defender-sentinel-integration.md | This integration gives Microsoft 365 security incidents the visibility to be man Other services whose alerts are collected by Microsoft 365 Defender include: - **Microsoft Purview Data Loss Prevention (DLP)** ([Learn more](/microsoft-365/security/defender/investigate-dlp))-- **Azure Active Directory Identity Protection (AADIP)** ([Learn more](/defender-cloud-apps/aadip-integration))+- **Microsoft Entra ID Protection (AADIP)** ([Learn more](/defender-cloud-apps/aadip-integration)) In addition to collecting alerts from these components and other services, Microsoft 365 Defender generates alerts of its own. It creates incidents from all of these alerts and sends them to Microsoft Sentinel. Install the Microsoft 365 Defender solution for Microsoft Sentinel and enable th - Incidents will be ingested and synchronized at no extra cost. -Once the Microsoft 365 Defender integration is connected, the connectors for all the integrated components and services (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, Azure Active Directory Identity Protection) will be automatically connected in the background if they weren't already. If any component licenses were purchased after Microsoft 365 Defender was connected, the alerts and incidents from the new product will still flow to Microsoft Sentinel with no additional configuration or charge. +Once the Microsoft 365 Defender integration is connected, the connectors for all the integrated components and services (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, Microsoft Entra ID Protection) will be automatically connected in the background if they weren't already. 
If any component licenses were purchased after Microsoft 365 Defender was connected, the alerts and incidents from the new product will still flow to Microsoft Sentinel with no additional configuration or charge. ## Microsoft 365 Defender incidents and Microsoft incident creation rules Once the Microsoft 365 Defender integration is connected, the connectors for all - Using both mechanisms together is completely supported, and can be used to facilitate the transition to the new Microsoft 365 Defender incident creation logic. Doing so will, however, create **duplicate incidents** for the same alerts. -- To avoid creating duplicate incidents for the same alerts, we recommend that customers turn off all **Microsoft incident creation rules** for Microsoft 365 Defender-integrated products (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Azure Active Directory Identity Protection) when connecting Microsoft 365 Defender. This can be done by disabling incident creation in the connector page. Keep in mind that if you do this, any filters that were applied by the incident creation rules will not be applied to Microsoft 365 Defender incident integration.+- To avoid creating duplicate incidents for the same alerts, we recommend that customers turn off all **Microsoft incident creation rules** for Microsoft 365 Defender-integrated products (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Microsoft Entra ID Protection) when connecting Microsoft 365 Defender. This can be done by disabling incident creation in the connector page. Keep in mind that if you do this, any filters that were applied by the incident creation rules will not be applied to Microsoft 365 Defender incident integration. ## Working with Microsoft 365 Defender incidents in Microsoft Sentinel and bi-directional sync |
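Review bot: on the renamed bullet `- **Microsoft Entra ID Protection (AADIP)**` the parenthetical abbreviation no longer matches the expanded name, so a reader meeting it for the first time cannot derive AADIP from the text. Either drop the abbreviation or make the lineage explicit, e.g. `Microsoft Entra ID Protection (formerly Azure AD Identity Protection, AADIP)`; the two later product lists in this file already use the new name without the acronym, so the bullet should be consistent with them.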
sentinel | Migration Export Ingest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/migration-export-ingest.md | To ingest your historical data into Microsoft Sentinel Basic Logs (option 2 in t 1. [Change the table from Analytics to Basic Logs](../azure-monitor/logs/basic-logs-configure.md). 1. Run the [Custom Log Ingestion script](https://github.com/Azure/Azure-Sentinel/tree/master/Tools/CustomLogsIngestion-DCE-DCR). The script asks for the following details: - Path to the log files to ingest - - Azure AD tenant ID + - Microsoft Entra tenant ID - Application ID - Application secret - DCE endpoint To ingest your historical data into Microsoft Sentinel Basic Logs (option 2 in t To ingest your historical data into Azure Blob Storage (option 3 in the [diagram above](#export-data-from-the-legacy-siem)): 1. [Install and configure AzCopy](../storage/common/storage-use-azcopy-v10.md) on the system to which you exported the logs. Alternatively, install AzCopy on another system that has access to the exported logs. -1. [Create an Azure Blob Storage account](../storage/common/storage-account-create.md) and copy the authorized [Azure Active Directory](../storage/common/storage-use-azcopy-v10.md#option-1-use-azure-active-directory) credentials or [Shared Access Signature](../storage/common/storage-use-azcopy-v10.md#option-2-use-a-sas-token) token. +1. [Create an Azure Blob Storage account](../storage/common/storage-account-create.md) and copy the authorized [Microsoft Entra ID](../storage/common/storage-use-azcopy-v10.md#option-1-use-azure-active-directory) credentials or [Shared Access Signature](../storage/common/storage-use-azcopy-v10.md#option-2-use-a-sas-token) token. 1. [Run AzCopy](../storage/common/storage-use-azcopy-v10.md#run-azcopy) with the folder path that includes the exported logs as the source, and the Azure Blob Storage connection string as the output. 
## Next steps To ingest your historical data into Azure Blob Storage (option 3 in the [diagram In this article, you learned how to ingest your data into the target platform. > [!div class="nextstepaction"]-> [Convert your dashboards to workbooks](migration-convert-dashboards.md) +> [Convert your dashboards to workbooks](migration-convert-dashboards.md) |
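Review bot: in the rewritten step `copy the authorized [Microsoft Entra ID](../storage/common/storage-use-azcopy-v10.md#option-1-use-azure-active-directory) credentials` the link text was renamed but the fragment still targets the old heading slug; if the AzCopy article's heading is renamed in the same sweep, this anchor will silently fall back to the top of that page. Verify the fragment against the current heading in storage-use-azcopy-v10.md, or update it together with the link text.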
sentinel | Mssp Protect Intellectual Property | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/mssp-protect-intellectual-property.md | The following image describes how the permissions described in the [previous sec In this image: -- The users granted with **Owner** access to the CSP subscription are the users in the Admin Agents group, in the MSSP Azure AD tenant.+- The users granted with **Owner** access to the CSP subscription are the users in the Admin Agents group, in the MSSP Microsoft Entra tenant. - Other groups from the MSSP get access to the customer environment via Azure Lighthouse. - Customer access to Azure resources is managed by Azure RBAC at the resource group level. You can protect your playbooks as follows, depending on where the analytic rule In both cases, if the playbook needs to access the customerΓÇÖs Azure environment, use a user or service principal that has that access via Lighthouse. -However, if the playbook needs to access non-Azure resources in the customerΓÇÖs tenant, such as Azure AD, Office 365, or Microsoft 365 Defender, create a service principal with appropriate permissions in the customer tenant, and then add that identity in the playbook. +However, if the playbook needs to access non-Azure resources in the customerΓÇÖs tenant, such as Microsoft Entra ID, Office 365, or Microsoft 365 Defender, create a service principal with appropriate permissions in the customer tenant, and then add that identity in the playbook. > [!NOTE] > If you use automation rules together with your playbooks, you must set the automation rule permissions on the resource group where the playbooks live. |
sentinel | Normalization About Schemas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-about-schemas.md | Users are central to activities reported by events. The fields listed in this se | Field | Class | Type | Description | |-|-||-| | <a name="userid"></a>**UserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the user. |-| <a name="userscope"></a>**UserScope** | Optional | string | The scope in which [UserId](#userid) and [Username](#username) are defined. For example, an Azure AD tenant domain name. The [UserIdType](#useridtype) field represents also the type of the associated with this field. | -| <a name="userscopeid"></a>**UserScopeId** | Optional | string | The ID of the scope in which [UserId](#userid) and [Username](#username) are defined. For example, an Azure AD tenant directory ID. The [UserIdType](#useridtype) field represents also the type of the associated with this field. | +| <a name="userscope"></a>**UserScope** | Optional | string | The scope in which [UserId](#userid) and [Username](#username) are defined. For example, a Microsoft Entra tenant domain name. The [UserIdType](#useridtype) field represents also the type of the associated with this field. | +| <a name="userscopeid"></a>**UserScopeId** | Optional | string | The ID of the scope in which [UserId](#userid) and [Username](#username) are defined. For example, a Microsoft Entra tenant directory ID. The [UserIdType](#useridtype) field represents also the type of the associated with this field. | | <a name="useridtype"></a>**UserIdType** | Optional | UserIdType | The type of the ID stored in the [UserId](#userid) field. | | **UserSid**, **UserUid**, **UserAadId**, **UserOktaId**, **UserAWSId**, **UserPuid** | Optional | String | Fields used to store specific user IDs. Select the ID most associated with the event as the primary ID stored in [UserId](#userid). 
Populate the relevant specific ID field, in addition to [UserId](#userid), even if the event has only one ID. | | **UserAADTenant**, **UserAWSAccount** | Optional | String | Fields used to store specific scopes. Use the [UserScope](#userscope) field for the scope associated with the ID stored in the [UserId](#userid) field. Populate the relevant specific scope field, in addition to [UserScope](#userscope), even if the event has only one ID. | The allowed values for a user ID type are: | - | - | - | | **SID** | A Windows user ID. | `S-1-5-21-1377283216-344919071-3415362939-500` | | **UID** | A Linux user ID. | `4578` |-| **AADID**| An Azure Active Directory user ID.| `9267d02c-5f76-40a9-a9eb-b686f3ca47aa` | +| **AADID**| A Microsoft Entra user ID.| `9267d02c-5f76-40a9-a9eb-b686f3ca47aa` | | **OktaId** | An Okta user ID. | `00urjk4znu3BcncfY0h7` | | **AWSId** | An AWS user ID. | `72643944673` | | **PUID** | A Microsoft 365 user ID. | `10032001582F435C` | |
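Review bot: the rewritten **UserScope** and **UserScopeId** rows both carry over a broken clause, `The [UserIdType](#useridtype) field represents also the type of the associated with this field.`, which is missing its object. Since these rows are being touched anyway, state explicitly what is associated (presumably the scope), e.g. `The [UserIdType](#useridtype) field also indicates the type of scope stored in this field.`, so the description parses.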
sentinel | Normalization Common Fields | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-common-fields.md | The currently supported list of vendors and products used in the [EventVendor](# | `Dataminr` | `Dataminr Pulse` | | `GCP` | `Cloud DNS` | | `Infoblox` | `NIOS` | -| `Microsoft` | - Microsoft Azure Active Directory (Azure AD)<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br> - `Azure File Storage`<br> - `Azure NSG flows`<br> - `Azure Queue Storage`<br> - `Azure Table Storage` <br> - `DNS Server`<br> - `Microsoft 365 Defender for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br>- `SharePoint`<br>- `OneDrive`<br>- `Sysmon`<br> - `Sysmon for Linu`x<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData` +| `Microsoft` | - Microsoft Entra ID<br> - `Azure`<br> - `Azure Firewall`<br> - `Azure Blob Storage`<br> - `Azure File Storage`<br> - `Azure NSG flows`<br> - `Azure Queue Storage`<br> - `Azure Table Storage` <br> - `DNS Server`<br> - `Microsoft 365 Defender for Endpoint`<br> - `Microsoft Defender for IoT`<br> - `Security Events`<br>- `SharePoint`<br>- `OneDrive`<br>- `Sysmon`<br> - `Sysmon for Linu`x<br> - `VMConnection`<br> - `Windows Firewall`<br> - `WireData` | `Linux` | - `su`<br> - `sudo`| | `Okta` | - `Okta`<br> - `Auth0` | | `OpenBSD` | `OpenSSH` | |
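Review bot: the rewritten `Microsoft` row keeps two formatting slips worth fixing while the cell is open: in `Sysmon for Linu`x the closing backtick lands one character early (should be `Sysmon for Linux`), and the first entry, `Microsoft Entra ID`, is the only product in the list that is not code-formatted, unlike `Azure`, `Azure Firewall` and the rest. That matters here because the column documents the literal product values used in the EventVendor/EventProduct fields.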
sentinel | Normalization Parsers List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-parsers-list.md | To use ASIM authentication parsers, deploy the parsers from the [Microsoft Senti - reported by Microsoft 365 Defender for Endpoint, collected using the Microsoft 365 Defender connector. - `su`, `sudu`, and `sshd` activity reported using Syslog. - reported by Microsoft Defender to IoT Endpoint.-- **Azure Active Directory sign-ins**, collected using the Azure Active Directory connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins.+- **Microsoft Entra sign-ins**, collected using the Microsoft Entra connector. Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins. - **AWS sign-ins**, collected using the AWS CloudTrail connector. - **Okta authentication**, collected using the Okta connector. - **PostgreSQL** sign-in logs. |
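Review bot: the renamed bullet ending `Separate parsers are provided for regular, Non-Interactive, Managed Identities and Service Principles Sign-ins.` misspells the identity type; it should read `Service Principals`. The neighbouring context line `su`, `sudu`, and `sshd` also has a typo (`sudo`) that could be fixed in the same commit.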
sentinel | Normalization Schema Audit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-audit.md | Fields that appear in the table are common to all ASIM schemas. Any of guideline | Field | Class | Type | Description | ||--||--| | <a name="actoruserid"></a>**ActorUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for other IDs, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12-1-4141952679-1282074057-627758481-2916039507` |-| **ActorScope** | Optional | String | The scope, such as Azure AD Domain Name, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| -| **ActorScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScope** | Optional | String | The scope, such as Microsoft Entra Domain Name, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. 
for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | **ActorUserIdType**| Conditional | UserIdType | The type of the ID stored in the [ActorUserId](#actoruserid) field. For more information and list of allowed values, see [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="actorusername"></a>**ActorUsername** | Recommended | Username | The ActorΓÇÖs username, including domain information when available. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` | | **User** | Alias | | Alias to [ActorUsername](#actorusername) | |
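Review bot: both rewritten rows (**ActorScope** and **ActorScopeId**) reproduce a truncated sentence, `or more information and list of allowed values, see ...`, and the second opens the same sentence in lowercase (`for more information`) right after a period. Since these rows are changing, restore `For more information and a list of allowed values, see ...` in both.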
sentinel | Normalization Schema Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-authentication.md | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | ||--||--| | <a name="actoruserid"></a>**ActorUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for additional IDs, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12-1-4141952679-1282074057-627758481-2916039507` |-| **ActorScope** | Optional | String | The scope, such as Azure AD tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| -| **ActorScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. 
for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | **ActorUserIdType**| Conditional | UserIdType | The type of the ID stored in the [ActorUserId](#actoruserid) field. For more information and list of allowed values, see [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="actorusername"></a>**ActorUsername** | Optional | Username | The ActorΓÇÖs username, including domain information when available. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` | | **ActorUsernameType** | Conditional | UsernameType | Specifies the type of the user name stored in the [ActorUsername](#actorusername) field. For more information, and list of allowed values, see [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md). <br><br>Example: `Windows` | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | ||--||--| |<a name="targetuserid"></a> **TargetUserId** | Optional | UserId | A machine-readable, alphanumeric, unique representation of the target user. For more information, and for alternative fields for additional IDs, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br> Example: `00urjk4znu3BcncfY0h7` |-| **TargetUserScope** | Optional | String | The scope, such as Azure AD tenant, in which [TargetUserId](#targetuserid) and [TargetUsername](#targetusername) are defined. 
or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| -| **TargetUserScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [TargetUserId](#actoruserid) and [TargetUsername](#actorusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **TargetUserScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [TargetUserId](#targetuserid) and [TargetUsername](#targetusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **TargetUserScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [TargetUserId](#actoruserid) and [TargetUsername](#actorusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | **TargetUserIdType** | Conditional | UserIdType | The type of the user ID stored in the [TargetUserId](#targetuserid) field. For more information and list of allowed values, see [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). <br><br> Example: `SID` | | <a name="targetusername"></a>**TargetUsername** | Optional | Username | The target user username, including domain information when available. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `MarieC` | | **TargetUsernameType** |Conditional | UsernameType | Specifies the type of the username stored in the [TargetUsername](#targetusername) field. 
For more information and list of allowed values, see [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md). | |
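Review bot: the rewritten **TargetUserScopeId** row links to the wrong fields: `[TargetUserId](#actoruserid) and [TargetUsername](#actorusername)` point at the Actor anchors instead of `#targetuserid` and `#targetusername`, so the in-page links jump to the wrong rows. The same hunk also repeats the truncated `or more information ...` opener and a lowercase `for more information` in the **ActorScope**, **ActorScopeId** and **TargetUserScope** rows; fix them while the rows are being edited.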
sentinel | Normalization Schema Dhcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-dhcp.md | The fields below are specific to DHCP events, but many are similar to fields in | <a name="srcdvcscope"></a>**SrcDvcScope** | Optional | String | The cloud platform scope the device belongs to. **SrcDvcScope** map to a subscription ID on Azure and to an account ID on AWS. | | **SrcDvcIdType** | Conditional | Enumerated | The type of [SrcDvcId](#srcdvcid), if known. Possible values include:<br> - `AzureResourceId`<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list above, and store the others in the **SrcDvcAzureResourceId** and **SrcDvcMDEid**, respectively.<br><br>**Note**: This field is required if [SrcDvcId](#srcdvcid) is used. | | **SrcDeviceType** | Optional | Enumerated | The type of the source device. Possible values include:<br>- `Computer`<br>- `Mobile Device`<br>- `IOT Device`<br>- `Other` |-| <a name="srcuserid"></a>**SrcUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. Format and supported types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [SrcUserIdType](#srcuseridtype) field. If other IDs are available, we recommend that you normalize the field names to SrcUserSid, SrcUserUid, SrcUserAadId, SrcUserOktaId and UserAwsId, respectively.<br><br>Example: `S-1-12` | +| <a name="srcuserid"></a>**SrcUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. 
Format and supported types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Microsoft Entra ID): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [SrcUserIdType](#srcuseridtype) field. If other IDs are available, we recommend that you normalize the field names to SrcUserSid, SrcUserUid, SrcUserAadId, SrcUserOktaId and UserAwsId, respectively.<br><br>Example: `S-1-12` | | <a name="srcuseridtype"></a>**SrcUserIdType** | Conditional | Enumerated | The type of the ID stored in the [SrcUserId](#srcuserid) field. Supported values include: `SID`, `UIS`, `AADID`, `OktaId`, and `AWSId`. | | <a name="srcusername"></a>**SrcUsername** | Optional | String | The Source username, including domain information when available. Use one of the following formats and in the following order of priority:<br>- **Upn/Email**: `johndow@contoso.com`<br>- **Windows**: `Contoso\johndow`<br>- **DN**: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM`<br>- **Simple**: `johndow`. Use the Simple form only if domain information is not available.<br><br>Store the Username type in the [SrcUsernameType](#srcusernametype) field. If other IDs are available, we recommend that you normalize the field names to **SrcUserUpn**, **SrcUserWindows** and **SrcUserDn**.<br><br>For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` | | **Username** | Alias | | Alias for [SrcUsername](#srcusername) | |
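Review bot: in the rewritten **SrcUserId** description the list of normalized field names is inconsistent: `SrcUserSid, SrcUserUid, SrcUserAadId, SrcUserOktaId and UserAwsId` drops the `Src` prefix on the last name, which should read `SrcUserAwsId` to match the others. The adjacent context row **SrcUserIdType** lists `UIS` among the supported values where `UID` is meant; worth fixing in the same pass.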
sentinel | Normalization Schema Dns | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-dns.md | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | |-|-||-| | <a name="srcuserid"></a>**SrcUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. For more information, and for alternative fields for additional IDs, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12-1-4141952679-1282074057-627758481-2916039507` |-| **SrcUserScope** | Optional | String | The scope, such as Azure AD tenant, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| -| **SrcUserScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **SrcUserScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **SrcUserScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. 
for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="srcuseridtype"></a>**SrcUserIdType** | Conditional | UserIdType | The type of the ID stored in the [SrcUserId](#srcuserid) field. For more information and list of allowed values, see [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="srcusername"></a>**SrcUsername** | Optional | Username | The source username, including domain information when available. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` | | <a name="srcusernametype"></a>**SrcUsernameType** | Conditional | UsernameType | Specifies the type of the user name stored in the [SrcUsername](#srcusername) field. For more information, and list of allowed values, see [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md). <br><br>Example: `Windows` | |
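Review bot: The `+| **SrcUserScope**` line keeps the pre-existing typo `or more information and list of allowed values` (missing `F`), and the `+| **SrcUserScopeId**` line starts its second sentence with a lowercase `for more information`; since both lines are being rewritten for the Microsoft Entra rename, correct them to `For more information and a list of allowed values, see ...` in the same change.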
sentinel | Normalization Schema File Event | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-file-event.md | The following fields represent information about the source file in a file opera | Field | Class | Type | Description | ||--||--| | <a name="actoruserid"></a>**ActorUserId** | Recommended | String | A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12` |-| **ActorScope** | Optional | String | The scope, such as Azure AD tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| - **ActorScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| + **ActorScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. 
or more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | **ActorUserIdType**| Conditional | String | The type of the ID stored in the [ActorUserId](#actoruserid) field. For a list of allowed values and further information, refer to [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). | | <a name="actorusername"></a>**ActorUsername** | Mandatory | String | The Actor username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [ActorUsernameType](#actorusernametype) field. If other username formats are available, store them in the fields `ActorUsername<UsernameType>`.<br><br>Example: `AlbertE` | |**User** | Alias| | Alias to the [ActorUsername](#actorusername) field. <br><br>Example: `CONTOSO\dadmin`| |
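Review bot: The `+ **ActorScopeId** | Optional | String | ...` line is missing the leading `|` that every other row of this table has (the removed `- **ActorScopeId**` line had the same defect), so markdown will not render it as a table row; add the leading pipe while this line is being rewritten. The `+| **ActorScope**` line in the same hunk also carries the `or more information` typo (missing `F`).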
sentinel | Normalization Schema Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-network.md | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | |-|-||-| | <a name="dstuserid"></a>**DstUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the destination user. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12` |-| **DstUserScope** | Optional | String | The scope, such as Azure AD tenant, in which [DstUserId](#dstuserid) and [DstUsername](#dstusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| -| **DstUserScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [DstUserId](#dstuserid) and [DstUsername](#dstusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **DstUserScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [DstUserId](#dstuserid) and [DstUsername](#dstusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **DstUserScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [DstUserId](#dstuserid) and [DstUsername](#dstusername) are defined. 
for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="dstuseridtype"></a>**DstUserIdType** | Conditional | UserIdType | The type of the ID stored in the [DstUserId](#dstuserid) field. For a list of allowed values and further information, refer to [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). | | <a name="dstusername"></a>**DstUsername** | Optional | String | The destination username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [DstUsernameType](#dstusernametype) field. If other username formats are available, store them in the fields `DstUsername<UsernameType>`.<br><br>Example: `AlbertE` | | <a name="user"></a>**User** | Alias | | Alias to [DstUsername](#dstusername). | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | |-|-||-| | <a name="srcuserid"></a>**SrcUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the source user. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12` |-| **SrcUserScope** | Optional | String | The scope, such as Azure AD tenant, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. 
or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| -| **SrcUserScopeId** | Optional | String | The scope ID, such as Azure AD Directory ID, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| +| **SrcUserScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **SrcUserScopeId** | Optional | String | The scope ID, such as Microsoft Entra Directory ID, in which [SrcUserId](#srcuserid) and [SrcUsername](#srcusername) are defined. for more information and list of allowed values, see [UserScopeId](normalization-about-schemas.md#userscopeid) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="srcuseridtype"></a>**SrcUserIdType** | Conditional | UserIdType | The type of the ID stored in the [SrcUserId](#srcuserid) field. For a list of allowed values and further information, refer to [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). | | <a name="srcusername"></a>**SrcUsername** | Optional | String | The source username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [SrcUsernameType](#srcusernametype) field. 
If other username formats are available, store them in the fields `SrcUsername<UsernameType>`.<br><br>Example: `AlbertE` | | <a name="srcusernametype"></a>**SrcUsernameType** | Conditional | UsernameType | Specifies the type of the username stored in the [SrcUsername](#srcusername) field. For a list of allowed values and further information, refer to [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Example: `Windows` | |
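Review bot: Both renamed hunks here (DstUserScope/DstUserScopeId and SrcUserScope/SrcUserScopeId) preserve the `or more information and list of allowed values` typo (missing `F`) in the Scope rows and the lowercase `for more information` after the period in the ScopeId rows; since all four `+` lines are being rewritten anyway, change them to `For more information and a list of allowed values, see ...`.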
sentinel | Normalization Schema Process Event | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-process-event.md | The process event schema references the following entities, which are central to ||--||--| | <a name="actoruserid"></a>**ActorUserId** | Recommended | String | A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-12` | | **ActorUserIdType**| Conditional | String | The type of the ID stored in the [ActorUserId](#actoruserid) field. For a list of allowed values and further information refer to [UserIdType](normalization-about-schemas.md#useridtype) in the [Schema Overview article](normalization-about-schemas.md). |-| **ActorScope** | Optional | String | The scope, such as Azure AD tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| | <a name="actorusername"></a>**ActorUsername** | Mandatory | String | The Actor username, including domain information when available. For the supported format for different ID types, refer to [the User entity](normalization-about-schemas.md#the-user-entity). Use the simple form only if domain information isn't available.<br><br>Store the Username type in the [ActorUsernameType](#actorusernametype) field. 
If other username formats are available, store them in the fields `ActorUsername<UsernameType>`.<br><br>Example: `AlbertE` | | <a name="actorusernametype"></a>**ActorUsernameType** | Conditional | Enumerated | Specifies the type of the user name stored in the [ActorUsername](#actorusername) field. For a list of allowed values and further information refer to [UsernameType](normalization-about-schemas.md#usernametype) in the [Schema Overview article](normalization-about-schemas.md).<br><br>Example: `Windows` | | **ActorSessionId** | Optional | String | The unique ID of the login session of the Actor. <br><br>Example: `999`<br><br>**Note**: The type is defined as *string* to support varying systems, but on Windows this value must be numeric. <br><br>If you are using a Windows machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. | |
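Review bot: The `+| **ActorScope**` line carries over `or more information and list of allowed values` (missing `F`) from the removed line; fix the typo in this change rather than leaving it in a line that is already being rewritten.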
sentinel | Normalization Schema Registry Event | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-registry-event.md | For more information, see [Structure of the Registry](/windows/win32/sysinfo/str | <a name="actorusername"></a>**ActorUsername** | Mandatory | String | The user name of the user who initiated the event. <br><br>Example: `CONTOSO\WIN-GG82ULGC9GO$` | | **ActorUsernameType** | Conditional | Enumerated | Specifies the type of the user name stored in the [ActorUsername](#actorusername) field. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `Windows` | | <a name="actoruserid"></a>**ActorUserId** | Recommended | String | A unique ID of the Actor. The specific ID depends on the system generating the event. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `S-1-5-18` |-| **ActorScope** | Optional | String | The scope, such as Azure AD tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| +| **ActorScope** | Optional | String | The scope, such as Microsoft Entra tenant, in which [ActorUserId](#actoruserid) and [ActorUsername](#actorusername) are defined. or more information and list of allowed values, see [UserScope](normalization-about-schemas.md#userscope) in the [Schema Overview article](normalization-about-schemas.md).| | **ActorUserIdType**| Recommended | String | The type of the ID stored in the [ActorUserId](#actoruserid) field. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity). <br><br>Example: `SID` | | **ActorSessionId** | Conditional | String | The unique ID of the login session of the Actor. 
<br><br>Example: `999`<br><br>**Note**: The type is defined as *string* to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and the source sends a different type, make sure to convert the value. For example, if source sends a hexadecimal value, convert it to a decimal value. | | <a name="actingprocessname"></a>**ActingProcessName** | Optional | String | The file name of the acting process image file. This name is typically considered to be the process name. <br><br>Example: `C:\Windows\explorer.exe` | |
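Review bot: The `+| **ActorScope**` line of the registry schema keeps the same `or more information` typo (missing `F`) as the removed line; the rename is the natural place to correct it to `For more information and a list of allowed values, see ...`.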
sentinel | Normalization Schema User Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-user-management.md | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | |-|-||-|-| <a name="targetuserid"></a>**TargetUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the target user. <br><br>Supported formats and types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [TargetUserIdType](#targetuseridtype) field. If other IDs are available, we recommend that you normalize the field names to **TargetUserSid**, **TargetUserUid**, **TargetUserAADID**, **TargetUserOktaId**, and **TargetUserAwsId**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `S-1-12` | +| <a name="targetuserid"></a>**TargetUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the target user. <br><br>Supported formats and types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Microsoft Entra ID): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [TargetUserIdType](#targetuseridtype) field. If other IDs are available, we recommend that you normalize the field names to **TargetUserSid**, **TargetUserUid**, **TargetUserAADID**, **TargetUserOktaId**, and **TargetUserAwsId**, respectively. 
For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `S-1-12` | | <a name="targetuseridtype"></a>**TargetUserIdType** | Optional | Enumerated | The type of the ID stored in the [TargetUserId](#targetuserid) field. <br><br>Supported values are `SID`, `UID`, `AADID`, `OktaId`, and `AWSId`. | | <a name="targetusername"></a>**TargetUsername** | Optional | String | The target username, including domain information when available. <br><br>Use one of the following formats and in the following order of priority:<br>- **Upn/Email**: `johndow@contoso.com`<br>- **Windows**: `Contoso\johndow`<br>- **DN**: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM`<br>- **Simple**: `johndow`. Use the Simple form only if domain information isn't available.<br><br>Store the Username type in the [TargetUsernameType](#targetusernametype) field. If other IDs are available, we recommend that you normalize the field names to **TargetUserUpn**, **TargetUserWindows**, and **TargetUserDn**. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` | | <a name="targetusernametype"></a>**TargetUsernameType** | Optional | Enumerated | Specifies the type of the username stored in the [TargetUsername](#targetusername) field. Supported values include `UPN`, `Windows`, `DN`, and `Simple`. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `Windows` | Fields that appear in the table below are common to all ASIM schemas. Any guidel | Field | Class | Type | Description | |-|-||-|-| <a name="actoruserid"></a>**ActorUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. 
<br><br>Supported formats and types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [ActorUserIdType](#actoruseridtype) field. If other IDs are available, we recommend that you normalize the field names to **ActorUserSid**, **ActorUserUid**, **ActorUserAadId**, **ActorUserOktaId**, and **ActorAwsId**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: S-1-12 | +| <a name="actoruserid"></a>**ActorUserId** | Optional | String | A machine-readable, alphanumeric, unique representation of the Actor. <br><br>Supported formats and types include:<br>- **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br>- **UID** (Linux): `4578`<br>- **AADID** (Microsoft Entra ID): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br>- **OktaId**: `00urjk4znu3BcncfY0h7`<br>- **AWSId**: `72643944673`<br><br>Store the ID type in the [ActorUserIdType](#actoruseridtype) field. If other IDs are available, we recommend that you normalize the field names to **ActorUserSid**, **ActorUserUid**, **ActorUserAadId**, **ActorUserOktaId**, and **ActorAwsId**, respectively. For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: S-1-12 | | <a name="actoruseridtype"></a>**ActorUserIdType** | Optional | Enumerated | The type of the ID stored in the [ActorUserId](#actoruserid) field. Supported values include `SID`, `UID`, `AADID`, `OktaId`, and `AWSId`. | | <a name="actorusername"></a>**ActorUsername** | Mandatory | String | The Actor username, including domain information when available. 
<br><br>Use one of the following formats and in the following order of priority:<br>- **Upn/Email**: `johndow@contoso.com`<br>- **Windows**: `Contoso\johndow`<br>- **DN**: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM`<br>- **Simple**: `johndow`. Use the Simple form only if domain information isn't available.<br><br>Store the Username type in the [ActorUsernameType](#actorusernametype) field. If other IDs are available, we recommend that you normalize the field names to **ActorUserUpn**, **ActorUserWindows**, and **ActorUserDn**.<br><br>For more information, see [The User entity](normalization-about-schemas.md#the-user-entity).<br><br>Example: `AlbertE` | | <a name="user"></a>**User** | Alias | | Alias to [ActorUsername](#actorusername). | For more information, see: - [Advanced Security Information Model (ASIM) schemas](normalization-about-schemas.md) - [Advanced Security Information Model (ASIM) parsers](normalization-parsers-overview.md) - [Advanced Security Information Model (ASIM) content](normalization-content.md)- |
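Review bot: In the `+| <a name="targetuserid"></a>**TargetUserId**` line, the recommended field name `TargetUserAADID` uses different casing from the `ActorUserAadId` form recommended in the ActorUserId row of the same article and from `SrcUserAadId` used in the other ASIM schemas above; use `TargetUserAadId` for consistency.

Review bot: In the `+| <a name="actoruserid"></a>**ActorUserId**` line, `Example: S-1-12` is not in backticks, unlike every other example in these tables, and `ActorAwsId` breaks the `ActorUser*` naming pattern of `ActorUserSid`, `ActorUserUid`, `ActorUserAadId` and `ActorUserOktaId`; `ActorUserAwsId` would match. Both are worth fixing while the line is being rewritten.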
sentinel | Normalization Schema V1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-v1.md | The following table provides guidance for normalizing data values, which is requ | **MAC Address** | String | Colon-Hexadecimal notation | | **IP Address** | IP Address | The schema does not have separate IPv4 and IPv6 addresses. Any IP address field may include either an IPv4 address or IPv6 address:<ul><li>IPv4 in a dot-decimal notation</li><li>IPv6 in 8 hextets notation, allowing for the short forms described here.</li></ul> | | **User** | String | The following 3 user fields are available:<ul><li>User name</li><li>User UPN</li><li>User domain</li></ul> |-| **User ID** | String | The following 2 user IDs are currently supported:<ul><li>User SID</li><li>Azure Active directory ID</li></ul> | +| **User ID** | String | The following 2 user IDs are currently supported:<ul><li>User SID</li><li>Microsoft Entra ID</li></ul> | | **Device** | String | The following 3 device/host columns are supported:<ul><li>ID</li><li>Name</li><li>Fully qualified domain name (FQDN)</li></ul> | | **Country** | String | A string using ISO 3166-1, according to the following priorities:<ul><li>Alpha-2 codes, such as `US` for the United States</li><li>Alpha-3 codes, such as `USA` for the United States</li><li>Short name</li></ul> | | **Region** | String | The country subdivision name using ISO 3166-2 | Below is the schema of the network sessions table, versioned 1.0.0 | **DstNatIpAddr** | IP address | 2::1 | If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the source. | Destination NAT,<br>IP | | **DstNatPortNumber** | int | 443 | If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the source. 
| Destination NAT,<br>Port | | **DstUserSid** | User SID | S-12-1445 | The User ID of the identity associated with the sessionΓÇÖs destination. Typically, the identity used to authenticate a server. For more information, see [Data types and formats](#data-types-and-formats). | Destination,<br>User |-| **DstUserAadId** | String (guid) | ae92b0b4-cfba-4b42-85a0-fbd862f4df54 | The Azure AD account object ID of the user at the destination end of the session | Destination,<br>User | +| **DstUserAadId** | String (guid) | ae92b0b4-cfba-4b42-85a0-fbd862f4df54 | The Microsoft Entra account object ID of the user at the destination end of the session | Destination,<br>User | | **DstUserName** | Username (String) | johnd | The username of the identity associated with the sessionΓÇÖs destination. | Destination,<br>User | | **DstUserUpn** | string | johnd@anon.com | The UPN of the identity associated with the sessionΓÇÖs destination. | Destination,<br>User | | **DstUserDomain** | string | WORKGROUP | The domain or computer name of the account at the destination of the session | Destination,<br>User | Below is the schema of the network sessions table, versioned 1.0.0 | **SrcNatIpAddr** | IP address | 4.3.2.1 | If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the destination. | Source NAT,<br>IP | | **SrcNatPortNumber** | Integer | 345 | If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the destination. | Source NAT,<br>Port | | **SrcUserSid** | User ID (String) | S-15-1445 | The user ID of the identity associated with the sessions source. Typically, user performing an action on the client. For more information, see [Data types and formats](#data-types-and-formats). 
| Source,<br>User |-| **SrcUserAadId** | String (guid) | 16c8752c-7dd2-4cad-9e03-fb5d1cee5477 | The Azure AD account object ID of the user at the source end of the session | Source,<br>User | +| **SrcUserAadId** | String (guid) | 16c8752c-7dd2-4cad-9e03-fb5d1cee5477 | The Microsoft Entra account object ID of the user at the source end of the session | Source,<br>User | | **SrcUserName** | Username (String) | bob | The username of the identity associated with the sessions source. Typically, user performing an action on the client. For more information, see [Data types and formats](#data-types-and-formats). | Source<br>User | | **SrcUserUpn** | string | bob@alice.com | UPN of the account initiating the session | Source,<br>User | | **SrcUserDomain** | string | DESKTOP | The domain for the account initiating the session | Source,<br>User | |
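Review bot: In the `+| **User ID**` line, replacing `Azure Active directory ID` with `Microsoft Entra ID` turns the list item into the product name rather than the user identifier it describes; the DstUserAadId and SrcUserAadId rows below call the same value `The Microsoft Entra account object ID`, so `Microsoft Entra account object ID` (or `Microsoft Entra object ID`) would keep the User ID table consistent with those rows.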
sentinel | Offboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/offboard.md | After the disconnection is identified, the offboarding process begins. - AWS -- Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (*formerly Microsoft Cloud App Security*) including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (*formerly Azure Defender*)+- Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (*formerly Microsoft Cloud App Security*) including Cloud Discovery Shadow IT reporting, Microsoft Entra ID Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (*formerly Azure Defender*) - Threat Intelligence |
sentinel | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/overview.md | To on-board Microsoft Sentinel, you first need to [connect to your data sources] Microsoft Sentinel comes with many connectors for Microsoft solutions that are available out of the box and provide real-time integration. Some of these connectors include: - Microsoft sources like Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, Microsoft Defender for IoT, and more.-- Azure service sources like Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes service, and more.+- Azure service sources like Microsoft Entra ID, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes service, and more. Microsoft Sentinel has built-in connectors to the broader security and applications ecosystems for non-Microsoft solutions. You can also use common event format, Syslog, or REST-API to connect your data sources with Microsoft Sentinel. Microsoft Sentinel's automation and orchestration solution provides a highly ext - HTTP requests - Microsoft Teams - Slack-- Azure Active Directory+- Microsoft Entra ID - Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps |
sentinel | Prepare Multiple Workspaces | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/prepare-multiple-workspaces.md | This table lists some of these scenarios and, when possible, suggests how you mi |-|-|--| | Sovereignty and regulatory compliance | A workspace is tied to a specific region. To keep data in different [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/) to satisfy regulatory requirements, split up the data into separate workspaces. | | | Data ownership | The boundaries of data ownership, for example by subsidiaries or affiliated companies, are better delineated using separate workspaces. | |-| Multiple Azure tenants | Microsoft Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace. | | +| Multiple Azure tenants | Microsoft Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Microsoft Entra tenant boundary. Therefore, each Microsoft Entra tenant requires a separate workspace. | | | Granular data access control | An organization might need to allow different groups, within or outside the organization, to access some of the data collected by Microsoft Sentinel. For example:<br><ul><li>Resource owners' access to data pertaining to their resources</li><li>Regional or subsidiary SOCs' access to data relevant to their parts of the organization</li></ul> | Use [resource Azure RBAC](resource-context-rbac.md) or [table level Azure RBAC](https://techcommunity.microsoft.com/t5/azure-sentinel/table-level-rbac-in-azure-sentinel/ba-p/965043) | | Granular retention settings | Historically, multiple workspaces were the only way to set different retention periods for different data types. This is no longer needed in many cases, thanks to the introduction of table level retention settings. 
| Use [table level retention settings](https://techcommunity.microsoft.com/t5/azure-sentinel/new-per-data-type-retention-is-now-available-for-azure-sentinel/ba-p/917316) or automate [data deletion](../azure-monitor/logs/personal-data-mgmt.md#exporting-and-deleting-personal-data) | | Split billing | By placing workspaces in separate subscriptions, they can be billed to different parties. | Usage reporting and cross-charging | In case of an MSSP, many if not all of the above requirements apply, making mult ## Microsoft Sentinel multiple workspace architecture -As implied by the requirements above, there are cases where a single SOC needs to centrally manage and monitor multiple Microsoft Sentinel workspaces, potentially across Azure Active Directory (Azure AD) tenants. +As implied by the requirements above, there are cases where a single SOC needs to centrally manage and monitor multiple Microsoft Sentinel workspaces, potentially across Microsoft Entra tenants. - An MSSP Microsoft Sentinel Service. - A global SOC serving multiple subsidiaries, each having its own local SOC. -- A SOC monitoring multiple Azure AD tenants within an organization.+- A SOC monitoring multiple Microsoft Entra tenants within an organization. To address these cases, Microsoft Sentinel offers multiple-workspace capabilities that enable central monitoring, configuration, and management, providing a single pane of glass across everything covered by the SOC. This diagram shows an example architecture for such use cases. In the following sections, we'll explain how to operate this model, and particul In this article, you learned how Microsoft Sentinel can extend across multiple workspaces and tenants. > [!div class="nextstepaction"]->>[Prioritize data connectors](prioritize-data-connectors.md) +>>[Prioritize data connectors](prioritize-data-connectors.md) |
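Review bot: In the `+| Multiple Azure tenants |` row, the scenario name still says `Azure tenants` while the rewritten description now speaks of a `Microsoft Entra tenant boundary`; rename the scenario to `Multiple Microsoft Entra tenants` so the heading matches the text it introduces (the later bullet `A SOC monitoring multiple Microsoft Entra tenants` already uses that form).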
sentinel | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/prerequisites.md | Before deploying Microsoft Sentinel, make sure that your Azure tenant meets the ## Prerequisites -- An [Azure Active Directory license and tenant](../active-directory/develop/quickstart-create-new-tenant.md), or an [individual account with a valid payment method](https://azure.microsoft.com/free/), are required to access Azure and deploy resources.+- An [Microsoft Entra ID license and tenant](../active-directory/develop/quickstart-create-new-tenant.md), or an [individual account with a valid payment method](https://azure.microsoft.com/free/), are required to access Azure and deploy resources. - After you have a tenant, you must have an [Azure subscription](../cost-management-billing/manage/create-subscription.md) to track resource creation and billing. -- After you have a subscription, you'll need the [relevant permissions](../role-based-access-control/index.yml) to begin using your subscription. If you're using a new subscription, an admin or higher from the Azure AD tenant should be designated as the [owner/contributor](../role-based-access-control/rbac-and-directory-admin-roles.md) for the subscription.+- After you have a subscription, you'll need the [relevant permissions](../role-based-access-control/index.yml) to begin using your subscription. If you're using a new subscription, an admin or higher from the Microsoft Entra tenant should be designated as the [owner/contributor](../role-based-access-control/rbac-and-directory-admin-roles.md) for the subscription. - To maintain the least privileged access available, assign roles at the level of the resource group. - For more control over permissions and access, set up custom roles. For more information, see [Role-based access control](../role-based-access-control/custom-roles.md). 
Before deploying Microsoft Sentinel, make sure that your Azure tenant meets the In this article, you reviewed the prerequisites that help you plan and prepare before deploying Microsoft Sentinel. > [!div class="nextstepaction"]-> >[Review workspace architecture best practices](best-practices-workspace-architecture.md) +> >[Review workspace architecture best practices](best-practices-workspace-architecture.md) |
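Review bot: the first `+` bullet of the Prerequisites list reads "An [Microsoft Entra ID license and tenant](...)"; the article no longer agrees with the renamed noun, so it should become "A [Microsoft Entra ID license and tenant](../active-directory/develop/quickstart-create-new-tenant.md)". The same hunk also touches the final next-step link line, where the `-` and `+` text is identical, which suggests a trailing-whitespace-only change that could be dropped.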
sentinel | Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/resources.md | Microsoft Sentinel uses Azure Monitor Log Analytics's Kusto Query Language (KQL) ## Microsoft Sentinel templates for data to monitor -The [Azure Active Directory Security Operations Guide](../active-directory/fundamentals/security-operations-introduction.md) includes specific guidance and knowledge about data that's important to monitor for security purposes, for several operational areas. +The [Microsoft Entra Security Operations Guide](../active-directory/fundamentals/security-operations-introduction.md) includes specific guidance and knowledge about data that's important to monitor for security purposes, for several operational areas. In each article, check for sections named [Things to monitor](../active-directory/fundamentals/security-operations-privileged-accounts.md#things-to-monitor) for lists of events that we recommend alerting on and investigating, as well as analytics rule templates to deploy directly to Microsoft Sentinel. |
sentinel | Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/roles.md | Users with particular job requirements might need to be assigned other roles or - **Allow guest users to assign incidents** - If a guest user needs to be able to assign incidents, you need to assign the [**Directory Reader**](../active-directory/roles/permissions-reference.md#directory-readers) to the user, in addition to the **Microsoft Sentinel Responder** role. Note that the Directory Reader role is *not* an Azure role but an Azure Active Directory role, and that regular (non-guest) users have this role assigned by default. + If a guest user needs to be able to assign incidents, you need to assign the [**Directory Reader**](../active-directory/roles/permissions-reference.md#directory-readers) to the user, in addition to the **Microsoft Sentinel Responder** role. Note that the Directory Reader role is *not* an Azure role but a Microsoft Entra role, and that regular (non-guest) users have this role assigned by default. - **Create and delete workbooks** After understanding how roles and permissions work in Microsoft Sentinel, you ca > [!TIP]-> More roles might be required depending on the data you ingest or monitor. For example, Azure AD roles might be required, such as the global admin or security admin roles, to set up data connectors for services in other Microsoft portals. +> More roles might be required depending on the data you ingest or monitor. For example, Microsoft Entra roles may be required, such as the Global Administrator or Security Administrator roles, to set up data connectors for services in other Microsoft portals. > ## Resource-based access control In such cases, we recommend that you configure your role-based access control (R In this article, you learned how to work with roles for Microsoft Sentinel users and what each role enables users to do. > [!div class="nextstepaction"]-> >[Plan costs](billing.md) +> >[Plan costs](billing.md) |
sentinel | Sample Workspace Designs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sample-workspace-designs.md | The Contoso Corporation is a multinational business with headquarters in London. ### Contoso tenants -Due to an acquisition several years ago, Contoso has two Azure AD tenants: `contoso.onmicrosoft.com` and `wingtip.onmicrosoft.com`. Each tenant has its own Office 365 instance and multiple Azure subscriptions, as shown in the following image: +Due to an acquisition several years ago, Contoso has two Microsoft Entra tenants: `contoso.onmicrosoft.com` and `wingtip.onmicrosoft.com`. Each tenant has its own Office 365 instance and multiple Azure subscriptions, as shown in the following image: :::image type="content" source="media/best-practices/contoso-tenants.png" alt-text="Diagram of Contoso tenants, each with separate sets of subscriptions." border="false"::: Due to an acquisition several years ago, Contoso has two Azure AD tenants: `cont Contoso currently has Azure resources hosted in three different regions: US East, EU North, and West Japan, and strict requirement to keep all data generated in Europe within Europe regions. -Both of Contoso's Azure AD tenants have resources in all three regions: US East, EU North, and West Japan +Both of Contoso's Microsoft Entra tenants have resources in all three regions: US East, EU North, and West Japan ### Contoso resource types and collection requirements Contoso needs to collect events from the following data sources: - Office 365-- Azure AD Sign-in and Audit logs+- Microsoft Entra sign-in and audit logs - Azure Activity - Windows Security Events, from both on-premises and Azure VM sources - Syslog, from both on-premises and Azure VM sources Contoso expects to ingest around 300 GB/day from all of their data sources. 
### Contoso access requirements -ContosoΓÇÖs Azure environment already has a single existing Log Analytics workspace used by the Operations team to monitor the infrastructure. This workspace is located in Contoso Azure AD tenant, within EU North region, and is being used to collect logs from Azure VMs in all regions. They currently ingest around 50 GB/day. +ContosoΓÇÖs Azure environment already has a single existing Log Analytics workspace used by the Operations team to monitor the infrastructure. This workspace is located in Contoso Microsoft Entra tenant, within EU North region, and is being used to collect logs from Azure VMs in all regions. They currently ingest around 50 GB/day. The Contoso Operations team needs to have access to all the logs that they currently have in the workspace, which include several data types not needed by the SOC, such as **Perf**, **InsightsMetrics**, **ContainerLog**, and more. The Operations team must *not* have access to the new logs that are collected in Microsoft Sentinel. The following steps apply the [Microsoft Sentinel workspace design decision tree 1. Contoso has regulatory requirements, so we need at least one Microsoft Sentinel workspace in Europe. -1. Contoso has two different Azure AD tenants, and collects from tenant-level data sources, like Office 365 and Azure AD Sign-in and Audit logs, so we need at least one workspace per tenant. +1. Contoso has two different Microsoft Entra tenants, and collects from tenant-level data sources, like Office 365 and Microsoft Entra sign-in and audit logs, so we need at least one workspace per tenant. 1. Contoso doesn't need [charge-back](design-your-workspace-architecture.md#step-4-splitting-billing--charge-back), so we can continue with [step 5](design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data). The suggested solution includes: - A separate Log Analytics workspace for the Contoso Operations team. 
This workspace will only contain data that's not needed by ContosoΓÇÖs SOC team, such as the **Perf**, **InsightsMetrics**, or **ContainerLog** tables. -- Two Microsoft Sentinel workspaces, one in each Azure AD tenant, to ingest data from Office 365, Azure Activity, Azure AD, and all Azure PaaS services.+- Two Microsoft Sentinel workspaces, one in each Microsoft Entra tenant, to ingest data from Office 365, Azure Activity, Microsoft Entra ID, and all Azure PaaS services. - All other data, coming from on-premises data sources, can be routed to one of the two Microsoft Sentinel workspaces. Fabrikam is an organization with headquarters in New York City and offices all a ### Fabrikam tenancy requirements -Fabrikam has a single Azure AD tenant. +Fabrikam has a single Microsoft Entra tenant. ### Fabrikam compliance and regional deployment Fabrikam has no compliance requirements. Fabrikam has resources in several Azure Fabrikam needs to collect events from the following data sources: -- Azure AD Sign-in and Audit logs+- Microsoft Entra sign-in and audit logs - Azure Activity - Security Events, from both on-premises and Azure VM sources - Windows Events, from both on-premises and Azure VM sources The Fabrikam Operations team needs to access: - All Azure Activity data The Fabrikam SOC team needs to access:-- Azure AD Sign-in and Audit logs+- Microsoft Entra sign-in and audit logs - All Azure Activity data - Security events, from both on-premises and Azure VM sources - AWS CloudTrail logs Adventure Works is Microsoft 365 E5 customer, and already has workloads in Azure ### Adventure Works tenancy requirements -Adventure Works has three different Azure AD tenants, one for each of the continents where they have sub-entities: Asia, Europe, and Africa. The different sub-entities' countries/regions have their identities in the tenant of the continent they belong to. 
For example, Japanese users are in the *Asia* tenant, German users are in the *Europe* tenant and Egyptian users are in the *Africa* tenant. +Adventure Works has three different Microsoft Entra tenants, one for each of the continents where they have sub-entities: Asia, Europe, and Africa. The different sub-entities' countries/regions have their identities in the tenant of the continent they belong to. For example, Japanese users are in the *Asia* tenant, German users are in the *Europe* tenant and Egyptian users are in the *Africa* tenant. ### Adventure Works compliance and regional requirements Adventure Works currently uses three Azure regions, each aligned with the contin Adventure Works needs to collect the following data sources for each sub-entity: -- Azure AD Sign-in and Audit logs+- Microsoft Entra sign-in and audit logs - Office 365 logs - Microsoft 365 Defender for Endpoint raw logs - Azure Activity Azure VMs are scattered across the three continents, but bandwidth costs aren't Adventure Works has a single, centralized SOC team that oversees security operations for all the different sub-entities. -Adventure Works also has three independent SOC teams, one for each of the continents. Each continent's SOC team should be able to access only the data generated within its region, without seeing data from other continents. For example, the Asia SOC team should only access data from Azure resources deployed in Asia, Azure AD Sign-ins from the Asia tenant, and Defender for Endpoint logs from itΓÇÖs the Asia tenant. +Adventure Works also has three independent SOC teams, one for each of the continents. Each continent's SOC team should be able to access only the data generated within its region, without seeing data from other continents. For example, the Asia SOC team should only access data from Azure resources deployed in Asia, Microsoft Entra Sign-ins from the Asia tenant, and Defender for Endpoint logs from itΓÇÖs the Asia tenant. 
Each continent's SOC team needs to access the full Microsoft Sentinel portal experience. The following steps apply the [Microsoft Sentinel workspace design decision tree 1. Adventure Works has no regulatory requirements, so continue to [step 3](design-your-workspace-architecture.md#step-3-do-you-have-multiple-azure-tenants). -1. Adventure Works has three Azure AD tenants, and needs to collect tenant-level data sources, such as Office 365 logs. Therefore, Adventure Works should create at least Microsoft Sentinel workspaces, one for each tenant. +1. Adventure Works has three Microsoft Entra tenants, and needs to collect tenant-level data sources, such as Office 365 logs. Therefore, Adventure Works should create at least Microsoft Sentinel workspaces, one for each tenant. 1. Adventure Works has no need to split up charges, so continue to [step 5](design-your-workspace-architecture.md#step-5-collecting-any-non-soc-data). The resulting Microsoft Sentinel workspace design for Adventure Works is illustr The suggested solution includes: -- A separate Microsoft Sentinel workspace for each Azure AD tenant. Each workspace collects data related to its tenant for all data sources.+- A separate Microsoft Sentinel workspace for each Microsoft Entra tenant. Each workspace collects data related to its tenant for all data sources. - Each continent's SOC team has access only to the workspace in its own tenant, ensuring that only logs generated within the tenant boundary are accessible by each SOC team. -- The central SOC team can still operate from a separate Azure AD tenant, using Azure Lighthouse to access each of the different Microsoft Sentinel environments. If there's no other tenant, the central SOC team can still use Azure Lighthouse to access the remote workspaces.+- The central SOC team can still operate from a separate Microsoft Entra tenant, using Azure Lighthouse to access each of the different Microsoft Sentinel environments. 
If there's no other tenant, the central SOC team can still use Azure Lighthouse to access the remote workspaces. - The central SOC team can also create another workspace if it needs to store artifacts that remain hidden from the continent SOC teams, or if it wants to ingest other data that isn't relevant to the continent SOC teams. The suggested solution includes: In this article, you reviewed a set of suggested workspace designs for organizations. > [!div class="nextstepaction"]->>[Prepare for multiple workspaces](prepare-multiple-workspaces.md) +>>[Prepare for multiple workspaces](prepare-multiple-workspaces.md) |
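Review bot: in the Contoso access-requirements hunk, the `+` line "This workspace is located in Contoso Microsoft Entra tenant, within EU North region" drops the possessive and the article; suggest "located in Contoso's Microsoft Entra tenant, within the EU North region".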
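Review bot: in the Adventure Works design-tree hunk, the `+` line still says "should create at least Microsoft Sentinel workspaces, one for each tenant"; the count is missing (the `-` line has the same gap), and since the same sentence states three tenants, suggest "should create at least three Microsoft Sentinel workspaces, one for each tenant".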
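Review bot: in the Adventure Works SOC-access hunk, the `+` line keeps "Defender for Endpoint logs from itΓÇÖs the Asia tenant" (a stray, mis-encoded "it's" before "the Asia tenant") and capitalizes "Microsoft Entra Sign-ins" while every other line in this change uses lowercase "sign-in"; suggest "Microsoft Entra sign-ins from the Asia tenant, and Defender for Endpoint logs from the Asia tenant".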
sentinel | Deploy Data Connector Agent Container | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/deploy-data-connector-agent-container.md | The agent connects to your SAP system to pull logs and other data from it, then Your SAP authentication mechanism, and where you deploy your VM, will determine how and where your agent configuration information, including your SAP authentication secrets, is stored. These are the options, in descending order of preference: - An **Azure Key Vault**, accessed through an Azure **system-assigned managed identity**-- An **Azure Key Vault**, accessed through an Azure AD **registered-application service principal**+- An **Azure Key Vault**, accessed through a Microsoft Entra ID **registered-application service principal** - A plaintext **configuration file** If your SAP authentication is done using SNC and X.509 certificates, your only option is to use a configuration file. Select the [**Configuration file** tab below](deploy-data-connector-agent-container-other-methods.md?tabs=config-file#deploy-the-data-connector-agent-container) for the instructions to deploy your agent container. If you're not using SNC, then your SAP configuration and authentication secrets - **A container on an Azure VM** can use an Azure [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to seamlessly access Azure Key Vault. Select the [**Managed identity** tab](deploy-data-connector-agent-container-other-methods.md?tabs=managed-identity#deploy-the-data-connector-agent-container) for the instructions to deploy your agent container using managed identity. - In the event that a system-assigned managed identity can't be used, the container can also authenticate to Azure Key Vault using an [Azure AD registered-application service principal](../../active-directory/develop/app-objects-and-service-principals.md), or, as a last resort, a configuration file. 
+ In the event that a system-assigned managed identity can't be used, the container can also authenticate to Azure Key Vault using an [Microsoft Entra registered-application service principal](../../active-directory/develop/app-objects-and-service-principals.md), or, as a last resort, a configuration file. -- **A container on an on-premises VM**, or **a VM in a third-party cloud environment**, can't use Azure managed identity, but can authenticate to Azure Key Vault using an [Azure AD registered-application service principal](../../active-directory/develop/app-objects-and-service-principals.md). Select the [**Registered application** tab below](deploy-data-connector-agent-container-other-methods.md?tabs=registered-application#deploy-the-data-connector-agent-container) for the instructions to deploy your agent container.+- **A container on an on-premises VM**, or **a VM in a third-party cloud environment**, can't use Azure managed identity, but can authenticate to Azure Key Vault using an [Microsoft Entra registered-application service principal](../../active-directory/develop/app-objects-and-service-principals.md). Select the [**Registered application** tab below](deploy-data-connector-agent-container-other-methods.md?tabs=registered-application#deploy-the-data-connector-agent-container) for the instructions to deploy your agent container. If for some reason a registered-application service principal can't be used, you can use a configuration file, though this is not preferred. |
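Review bot: both `+` lines in this hunk read "using an [Microsoft Entra registered-application service principal](...)"; after the rename the article should be "a". The bullet list above also writes the same concept as "a Microsoft Entra ID **registered-application service principal**" while these lines write "Microsoft Entra registered-application", so pick one form for the article.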
sentinel | Prerequisites For Deploying Sap Continuous Threat Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring.md | To successfully deploy the Microsoft Sentinel solution for SAP® applications, y | Prerequisite | Description | | - | -- |-| **System architecture** | The data connector component of the SAP solution is deployed as a Docker container, and each SAP client requires its own container instance.<br>The container host can be either a physical machine or a virtual machine, can be located either on-premises or in any cloud. <br>The VM hosting the container ***does not*** have to be located in the same Azure subscription as your Microsoft Sentinel workspace, or even in the same Azure AD tenant. | +| **System architecture** | The data connector component of the SAP solution is deployed as a Docker container, and each SAP client requires its own container instance.<br>The container host can be either a physical machine or a virtual machine, can be located either on-premises or in any cloud. <br>The VM hosting the container ***does not*** have to be located in the same Azure subscription as your Microsoft Sentinel workspace, or even in the same Microsoft Entra tenant. | | **Virtual machine sizing recommendations** | **Minimum specification**, such as for a lab environment:<br>*Standard_B2s* VM, with:<br>- 2 cores<br>- 4 GB RAM<br><br>**Standard connector** (default):<br>*Standard_D2as_v5* VM or<br>*Standard_D2_v5* VM, with: <br>- 2 cores<br>- 8 GB RAM<br><br>**Multiple connectors**:<br>*Standard_D4as_v5* or<br>*Standard_D4_v5* VM, with: <br>- 4 cores<br>- 16 GB RAM | | **Administrative privileges** | Administrative privileges (root) are required on the container host machine. 
| | **Supported Linux versions** | The SAP data connector agent has been tested with the following Linux distributions:<br>- Ubuntu 18.04 or higher<br>- SLES version 15 or higher<br>- RHEL version 7.7 or higher<br><br>If you have a different operating system, you may need to [deploy and configure the container manually](deploy-data-connector-agent-container-other-methods.md?tabs=deploy-manually#deploy-the-data-connector-agent-container) instead of using the kickstart script. | |
sentinel | Reference Kickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/reference-kickstart.md | The following parameters are configurable. You can see examples of how these par **Required:** No. `kvmi` is assumed by default. -**Explanation:** Specifies whether secrets (username, password, log analytics ID and shared key) should be stored in local configuration file, or in Azure Key Vault. Also controls whether authentication to Azure Key Vault is done using the VM's Azure system-assigned managed identity or an Azure AD registered-application identity. +**Explanation:** Specifies whether secrets (username, password, log analytics ID and shared key) should be stored in local configuration file, or in Azure Key Vault. Also controls whether authentication to Azure Key Vault is done using the VM's Azure system-assigned managed identity or a Microsoft Entra registered-application identity. If set to `kvmi`, Azure Key Vault is used to store secrets, and authentication to Azure Key Vault is done using the virtual machine's Azure system-assigned managed identity. -If set to `kvsi`, Azure Key Vault is used to store secrets, and authentication to Azure Key Vault is done using an Azure AD registered-application identity. Usage of `kvsi` mode requires `--appid`, `--appsecret` and `--tenantid` values. +If set to `kvsi`, Azure Key Vault is used to store secrets, and authentication to Azure Key Vault is done using a Microsoft Entra registered-application identity. Usage of `kvsi` mode requires `--appid`, `--appsecret` and `--tenantid` values. If set to `cfgf`, configuration file stored locally will be used to store secrets. If set to `cfgf`, configuration file stored locally will be used to store secret **Required:** Yes, if [Secret storage location](#secret-storage-location) is set to `kvsi`. 
-**Explanation:** When Azure Key Vault authentication mode is set to `kvsi`, authentication to key vault is done using an [enterprise application (service principal) identity](deploy-data-connector-agent-container-other-methods.md?tabs=registered-application#deploy-the-data-connector-agent-container). This parameter specifies the Azure Active Directory Tenant ID. +**Explanation:** When Azure Key Vault authentication mode is set to `kvsi`, authentication to key vault is done using an [enterprise application (service principal) identity](deploy-data-connector-agent-container-other-methods.md?tabs=registered-application#deploy-the-data-connector-agent-container). This parameter specifies the Microsoft Entra tenant ID. #### Key Vault Name |
sentinel | Sap Audit Log Workbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/sap-audit-log-workbook.md | You can use the workbook either for ongoing monitoring of your SAP systems, or t The workbook is separated into two tabs: -- [**Logon analysis report**](#logon-analysis-report-tab). Shows different types of data regarding sign-in failures. Data includes anomalous data, Azure Active Directory data, and more. The data is based on the ["SAP systems" watchlist](sap-solution-security-content.md#available-watchlists).+- [**Logon analysis report**](#logon-analysis-report-tab). Shows different types of data regarding sign-in failures. Data includes anomalous data, Microsoft Entra data, and more. The data is based on the ["SAP systems" watchlist](sap-solution-security-content.md#available-watchlists). - [**Audit log alerts report**](#audit-log-alerts-report-tab). Shows different types of data regarding the SAP Audit log events that the Microsoft Sentinel solution for SAP® applications watches. The data is based on the ["SAP_Dynamic_Audit_Log_Monitor_Configuration" watchlist](sap-solution-security-content.md#available-watchlists). ## Logon analysis report tab The areas under **Anomaly detection - filtering out noisy failed login attempts* |Area |Description |Specific data |Options/notes | ||||| | **Logon failure rate** > **Logon failure anomalies** > **Unique User failed logons per SAP system** | Shows the number of unique failed sign ins for each SAP system. | | |-|**SAP and Active Directory are better together** | The **Anomalous login failures** table shows a combination of Microsoft Sentinel and Azure Active Directory data. The workbook displays the users according to risk: Users that indicate the most risk are at the top of the list, and the users with less security risk are at the bottom. 
|For each user, shows:<br>• A timeline of failed sign-in attempts<br>• A timeline showing at which point an anomalous failed attempt occurred<br>• The type of anomaly<br>• The user's email address<br>• The Azure Active directory risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |• When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Azure Active Directory risk events under **Azure audit and signin risks for user**.<br>• If your Azure Active Directory data is in a different Log Analytics workspace, make sure you select the relevant subscriptions and workspaces at the top of the workbook, under **Azure audit and activities**. | +|**SAP and Active Directory are better together** | The **Anomalous login failures** table shows a combination of Microsoft Sentinel and Microsoft Entra data. The workbook displays the users according to risk: Users that indicate the most risk are at the top of the list, and the users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of failed sign-in attempts<br>• A timeline showing at which point an anomalous failed attempt occurred<br>• The type of anomaly<br>• The user's email address<br>• The Microsoft Entra risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |• When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Microsoft Entra risk events under **Azure audit and signin risks for user**.<br>• If your Microsoft Entra data is in a different Log Analytics workspace, make sure you select the relevant subscriptions and workspaces at the top of the workbook, under **Azure audit and activities**. | |**Logon failure rate per system** |Visually represents the selected SAP systems. 
|• For each system, shows the number of failures in the selected period<br>• Systems are grouped by type.<br>• The color of the system indicates the number of failed attempts: Green indicates a few suspicious logon attempts, where red indicates more suspicious logon attempts. |You can select a system to see a list of failed sign ins with details about the failures. | In this screenshot, you can see the data shown when the first line is selected in the **Anomalous login failures** table. The specific alerts and incident URLs are shown in the **Incidents/alerts overview for user** table. This tab shows severity and audit trends for each SAP system and user. All areas |Area |Description |Specific data |Options/notes | ||||| |**Alert severity trends per System ID** |Shows a list of systems, with a graph of medium and high severity event trends per system. For example, the 012 system had many high severity events over the entire period, and a few medium severity events with a spike that shows more medium severity events in the middle of the period. | | |-|**Audit trend per user** |Shows a combination of Microsoft Sentinel and Azure Active Directory data. The workbook displays the users according to risk: Users that indicate the most risk are at the top of the list, and users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of high and medium severity events<br>• The user's email address<br>• The Azure Active directory risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Azure Active Directory risk events under **Azure audit and signin risks for user**. | +|**Audit trend per user** |Shows a combination of Microsoft Sentinel and Microsoft Entra data. 
The workbook displays the users according to risk: Users that indicate the most risk are at the top of the list, and users with less security risk are at the bottom. |For each user, shows:<br>• A timeline of high and medium severity events<br>• The user's email address<br>• The Microsoft Entra risk indicator<br>• The number of incidents and alerts in Microsoft Sentinel |When you select a row, you can see a list of alerts and incidents for that user under **Incidents/alerts overview for user**. Below this list, you can also see of Microsoft Entra risk events under **Azure audit and signin risks for user**. | |**Risk score per system** | Visually represents each system in a cell shape. |• Shows the risk score for each system.<br>• Systems are grouped by type.<br>• The color of the system indicates the risk: Green indicates a system with a lower risk score, where red indicates a higher risk score. |You can select a system to see a list of SAP events per system. | |**Events by MITRE ATT&CK® tactics** |Shows a list of SAP events grouped by MITRE ATT&CK® tactics, like Initial Access or Defense Evasion. | |You can hover over the graph to show the number of sign-ins for different dates. | |**Events by category** |Shows a list of SAP event trends grouped by category, like RFC Start or Logon. | |You can hover over the graph to show the sign-in number for different dates. | |
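Review bot: in the Logon analysis hunk, the row heading "**SAP and Active Directory are better together**" is left as is while the description in the same `+` line switches to "Microsoft Entra data"; either rename the heading as well or make it explicit that "Active Directory" is intended there. The same `+` line also carries over "you can also see of Microsoft Entra risk events" from the `-` line; drop the stray "of".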
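Review bot: the Audit trend per user `+` line repeats "you can also see of Microsoft Entra risk events"; the stray "of" should be removed here too, so the sentence reads "you can also see Microsoft Entra risk events under **Azure audit and signin risks for user**".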
sentinel | Sap Incident Response Playbooks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/sap-incident-response-playbooks.md | Last updated 06/28/2023 # Microsoft Sentinel incident response playbooks for SAP -This article describes how to take advantage of Microsoft Sentinel's security orchestration, automation, and response (SOAR) capabilities in conjunction with SAP. The article introduces purpose-built playbooks included in the [Microsoft Sentinel solution for SAP® applications](solution-overview.md). You can use these playbooks to respond automatically to suspicious user activity in SAP systems, automating remedial actions in SAP RISE, SAP ERP, SAP Business Technology Platform (BTP) as well as in Azure Active Directory. +This article describes how to take advantage of Microsoft Sentinel's security orchestration, automation, and response (SOAR) capabilities in conjunction with SAP. The article introduces purpose-built playbooks included in the [Microsoft Sentinel solution for SAP® applications](solution-overview.md). You can use these playbooks to respond automatically to suspicious user activity in SAP systems, automating remedial actions in SAP RISE, SAP ERP, SAP Business Technology Platform (BTP) as well as in Microsoft Entra ID. The Microsoft Sentinel SAP solution empowers your organization to secure its SAP environment. For a complete, detailed overview of the Sentinel SAP solution, see the following articles: - [Microsoft Sentinel solution for SAP® applications overview](solution-overview.md) The Microsoft Sentinel solution for SAP® applications includes the following pl You're tasked with defending your organization's SAP environment. You've implemented Microsoft Sentinel solution for SAP® applications. You've enabled the solution's analytics rule "SAP - Execution of a Sensitive Transaction Code," and you've possibly customized the solution's "Sensitive Transactions" watchlist to include particular transaction codes you wish to screen for. An incident warns you of suspicious activity in one of the SAP systems. A user is trying to execute one of these highly sensitive transactions. You must [investigate and respond to this incident](../investigate-incidents.md). -During the triage phase, you decide to take action against this user, kicking it out of your SAP ERP or BTP systems or even from Azure AD. +During the triage phase, you decide to take action against this user, kicking it out of your SAP ERP or BTP systems or even from Microsoft Entra ID. ### Lock out a user from a single system |
sentinel | Sap Solution Log Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/sap-solution-log-reference.md | This functionality is heavily used in the Deterministic and Anomalous Audit Log | The "SAP User Config" watchlist | SearchKey | Search Key | | The "SAP User Config" watchlist | SAPUser | The SAP User | OSS, DDIC | The "SAP User Config" watchlist | Tags | string of tags assigned to user | RunObsoleteProgOK -| The "SAP User Config" watchlist | User's Microsoft Azure Active Directory (Azure AD) Object ID | Azure AD Object ID | +| The "SAP User Config" watchlist | User's Microsoft Entra Object ID | Microsoft Entra Object ID | | The "SAP User Config" watchlist | User Identifier | AD User Identifier | | The "SAP User Config" watchlist | User on-premises Sid | | | The "SAP User Config" watchlist | User Principal Name | | For a full history of user activity, run a custom KQL query against the SAPAudit | | User | The SAP user | | SAP tables ADR6 and USR21 | Email | Taken from user's master data | OSS, DDIC | SAP table USR02 | UserType | string of tags assigned to user | RunObsoleteProgOK -| SAP table USR02 | Timezone | Azure AD Object ID | +| SAP table USR02 | Timezone | Microsoft Entra Object ID | | SAP table USR02 | LockedStatus | AD User Identifier | | SAP audit log | LastSeen | A timestamp | last audit event observed for the user | SAP audit log | LastSeenDaysAgo | days passed since LastSeen | |
sentinel | Sap Solution Security Content | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sap/sap-solution-security-content.md | These watchlists provide the configuration for the Microsoft Sentinel solution f | Playbook name | Parameters | Connections | | - | - | -- | | **SAP Incident Response - Lock user from Teams - Basic** | - SAP-SOAP-User-Password<br>- SAP-SOAP-Username<br>- SOAPApiBasePath<br>- DefaultEmail<br>- TeamsChannel | - Microsoft Sentinel<br>- Microsoft Teams |-| **SAP Incident Response - Lock user from Teams - Advanced** | - SAP-SOAP-KeyVault-Credential-Name<br>- DefaultAdminEmail<br>- TeamsChannel | - Microsoft Sentinel<br>- Azure Monitor Logs<br>- Office 365 Outlook<br>- Azure AD<br>- Azure Key Vault<br>- Microsoft Teams | +| **SAP Incident Response - Lock user from Teams - Advanced** | - SAP-SOAP-KeyVault-Credential-Name<br>- DefaultAdminEmail<br>- TeamsChannel | - Microsoft Sentinel<br>- Azure Monitor Logs<br>- Office 365 Outlook<br>- Microsoft Entra ID<br>- Azure Key Vault<br>- Microsoft Teams | | **SAP Incident Response - Reenable audit logging once deactivated** | - SAP-SOAP-KeyVault-Credential-Name<br>- DefaultAdminEmail<br>- TeamsChannel | - Microsoft Sentinel<br>- Azure Key Vault<br>- Azure Monitor Logs<br>- Microsoft Teams | |
sentinel | Sentinel Content Centralize | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sentinel-content-centralize.md | Here's an example of an analytics rule before and after the centralization chang - After you run the tool to reinstate the analytics rule template, the source changes to the solution that it's reinstated from. - :::image type="content" source="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png" alt-text="Screenshot that shows the analytics rule template after being reinstated from the content hub Azure Active Directory solution." lightbox="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png"::: + :::image type="content" source="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png" alt-text="Screenshot that shows the analytics rule template after being reinstated from the content hub Microsoft Entra solution." lightbox="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png"::: ## Action needed |
sentinel | Sentinel Soar Content | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sentinel-soar-content.md | You can find SOAR integrations and their components in the following places: | | | | | | **Azure DevOps** | Managed Logic Apps connector<br><br>Playbooks | Microsoft<br><br>Community | Sync incidents | | **Azure Firewall**<br>(Available as solution) | Custom Logic Apps connector<br><br>Playbooks | Microsoft | Block IPs |-| **Azure AD Identity Protection** | [Managed Logic Apps connector](/connectors/azureadip/)<br><br>Playbooks | Microsoft<br><br>Community | Users enrichment, <br>Users remediation | -| **Azure AD** | [Managed Logic Apps connector](/connectors/azuread/)<br><br>Playbooks | Microsoft<br><br>Community | Users enrichment, <br>Users remediation | +| **Microsoft Entra ID Protection** | [Managed Logic Apps connector](/connectors/azureadip/)<br><br>Playbooks | Microsoft<br><br>Community | Users enrichment, <br>Users remediation | +| **Microsoft Entra ID** | [Managed Logic Apps connector](/connectors/azuread/)<br><br>Playbooks | Microsoft<br><br>Community | Users enrichment, <br>Users remediation | | **Azure Data Explorer** | [Managed Logic Apps connector](/connectors/kusto/) | Microsoft | Query and investigate | | **Azure Log Analytics Data Collector** | [Managed Logic Apps connector](/connectors/azureloganalyticsdatacollector/) | Microsoft<br><br>Community | Query and investigate | | **Microsoft Defender for Endpoint** | [Managed Logic Apps connector](/connectors/wdatp/)<br><br>Playbooks | Microsoft<br><br>Community | Endpoints enrichment, <br>isolate endpoints | |
sentinel | Sentinel Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sentinel-solution.md | The **Zero Trust (TIC 3.0)** solution is also enhanced by integrations with othe - [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) - [Microsoft Information Protection](https://azure.microsoft.com/services/information-protection/)-- [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)+- [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) - [Microsoft Defender for Cloud](https://azure.microsoft.com/services/active-directory/) - [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender) - [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) |
sentinel | Skill Up Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/skill-up-resources.md | Another relevant solution area is *protecting remote work*. View our [Ignite ses * [Monitoring Zoom with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/monitoring-zoom-with-azure-sentinel/ba-p/1341516): custom connectors, analytic rules, and hunting queries. -* [Monitoring Azure Virtual Desktop with Microsoft Sentinel](../virtual-desktop/diagnostics-log-analytics.md): use Windows Security Events, Azure Active Directory (Azure AD) sign-in logs, Microsoft 365 Defender for Endpoints, and Azure Virtual Desktop diagnostics logs to detect and hunt for Azure Virtual Desktop threats. +* [Monitoring Azure Virtual Desktop with Microsoft Sentinel](../virtual-desktop/diagnostics-log-analytics.md): use Windows Security Events, Microsoft Entra sign-in logs, Microsoft 365 Defender for Endpoints, and Azure Virtual Desktop diagnostics logs to detect and hunt for Azure Virtual Desktop threats. * [Monitor Microsoft Intune](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/secure-working-from-home-deep-insights-at-enrolled-mem-assets/ba-p/1424255) using queries and workbooks. |
sentinel | Top Workbooks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/top-workbooks.md | Access workbooks in Microsoft Sentinel under **Threat Management** > **Workbooks ||| |**Analytics Efficiency** | Provides insights into the efficacy of your analytics rules to help you achieve better SOC performance. <br><br>For more information, see [The Toolkit for Data-Driven SOCs](https://techcommunity.microsoft.com/t5/azure-sentinel/the-toolkit-for-data-driven-socs/ba-p/2143152).| |**Azure Activity** | Provides extensive insight into your organization's Azure activity by analyzing and correlating all user operations and events. <br><br>For more information, see [Auditing with Azure Activity logs](audit-sentinel-data.md#auditing-with-azure-activity-logs). |-|**Azure AD Audit logs** | Uses Azure Active Directory audit logs to provide insights into Azure AD scenarios. <br><br>For more information, see [Quickstart: Get started with Microsoft Sentinel](get-visibility.md). | -|**Azure AD Audit, Activity and Sign-in logs** | Provides insights into Azure Active Directory Audit, Activity, and Sign-in data with one workbook. Shows activity such as sign-ins by location, device, failure reason, user action, and more. <br><br> This workbook can be used by both Security and Azure administrators. | -|**Azure AD Sign-in logs** | Uses the Azure AD sign-in logs to provide insights into Azure AD scenarios. | +|**Microsoft Entra audit logs** | Uses Microsoft Entra audit logs to provide insights into Microsoft Entra scenarios. <br><br>For more information, see [Quickstart: Get started with Microsoft Sentinel](get-visibility.md). | +|**Microsoft Entra audit, Activity and Sign-in logs** | Provides insights into Microsoft Entra audit, Activity, and Sign-in data with one workbook. Shows activity such as sign-ins by location, device, failure reason, user action, and more. <br><br> This workbook can be used by both Security and Azure administrators. | +|**Microsoft Entra sign-in logs** | Uses the Microsoft Entra sign-in logs to provide insights into Microsoft Entra scenarios. | | **Microsoft cloud security benchmark** | Provides a single pane of glass for gathering and managing data to address Microsoft cloud security benchmark control requirements, aggregating data from 25+ Microsoft security products. <br><br>For more information, see our [TechCommunity blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/what-s-new-azure-security-benchmark-workbook-preview/ba-p/2865930). | |**Cybersecurity Maturity Model Certification (CMMC)** | Provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Office 365, Teams, Intune, Azure Virtual Desktop, and so on. <br><br>For more information, see our [TechCommunity blog](https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cybersecurity-maturity-model-certification-cmmc/ba-p/2111184).| |**Data collection health monitoring** / **Usage monitoring** | Provides insights into your workspace's data ingestion status, such as ingestion size, latency, and number of logs per source. View monitors and detect anomalies to help you determine your workspaces data collection health. <br><br>For more information, see [Monitor the health of your data connectors with this Microsoft Sentinel workbook](monitor-data-connector-health.md). | |
sentinel | Tutorial Log4j Detection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/tutorial-log4j-detection.md | To complete this tutorial, make sure you have: | **Cisco ASA** | CommonSecurityLog (Cisco) | | **Palo Alto Networks (Firewall)** | CommonSecurityLog (PaloAlto) | | **Security Events** | SecurityEvents |- | **Azure Active Directory** | SigninLogs<br>AADNonInteractiveUserSignInLogs | + | **Microsoft Entra ID** | SigninLogs<br>AADNonInteractiveUserSignInLogs | | **Azure Monitor (WireData)** | WireData | | **Azure Monitor (IIS)** | W3CIISLog | | **Azure Activity** | AzureActivity | |
sentinel | Tutorial Respond Threats Playbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/tutorial-respond-threats-playbook.md | For example, if you want to stop potentially compromised users from moving aroun 1. The playbook waits until a response is received from the admins, then continues with its next steps. -1. If the admins choose **Block**, it sends a command to Azure AD to disable the user, and one to the firewall to block the IP address. +1. If the admins choose **Block**, it sends a command to Microsoft Entra ID to disable the user, and one to the firewall to block the IP address. 1. If the admins choose **Ignore**, the playbook closes the incident in Microsoft Sentinel, and the ticket in ServiceNow. To create an automation rule: > 1. Click the **Configure permissions** button to open the **Manage permissions** panel mentioned above, and continue as described there. > > - If, in an **MSSP** scenario, you want to [run a playbook in a customer tenant](automate-incident-handling-with-automation-rules.md#permissions-in-a-multi-tenant-architecture) from an automation rule created while signed into the service provider tenant, you must grant Microsoft Sentinel permission to run the playbook in ***both tenants***. In the **customer** tenant, follow the instructions for the multi-tenant deployment in the preceding bullet point. In the **service provider** tenant, you must add the **Azure Security Insights** app in your Azure Lighthouse onboarding template:- > 1. From the Azure Portal go to **Azure Active Directory**. + > 1. From the Azure Portal go to **Microsoft Entra ID**. > 1. Click on **Enterprise Applications**. > 1. Select **Application Type** and filter on **Microsoft Applications**. > 1. In the search box type **Azure Security Insights**. |
sentinel | Ueba Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/ueba-reference.md | These are the data sources from which the UEBA engine collects and analyzes data | Data source | Events | | -- | |-| **Azure Active Directory**<br>Sign-in logs | All | -| **Azure Active Directory**<br>Audit logs | ApplicationManagement<br>DirectoryManagement<br>GroupManagement<br>Device<br>RoleManagement<br>UserManagementCategory | +| **Microsoft Entra ID**<br>Sign-in logs | All | +| **Microsoft Entra ID**<br>Audit logs | ApplicationManagement<br>DirectoryManagement<br>GroupManagement<br>Device<br>RoleManagement<br>UserManagementCategory | | **Azure Activity logs** | Authorization<br>AzureActiveDirectory<br>Billing<br>Compute<br>Consumption<br>KeyVault<br>Devices<br>Network<br>Resources<br>Intune<br>Logic<br>Sql<br>Storage | | **Windows Security events**<br>*WindowsEvent* or<br>*SecurityEvent* | 4624: An account was successfully logged on<br>4625: An account failed to log on<br>4648: A logon was attempted using explicit credentials<br>4672: Special privileges assigned to new logon<br>4688: A new process has been created | This section describes the enrichments UEBA adds to Microsoft Sentinel entities, The following three dynamic fields from the BehaviorAnalytics table are described in the [entity enrichments dynamic fields](#entity-enrichments-dynamic-fields) section below. - - The [UsersInsights](#usersinsights-field) and [DevicesInsights](#devicesinsights-field) fields contain entity information from Active Directory / Azure AD and Microsoft Threat Intelligence sources. + - The [UsersInsights](#usersinsights-field) and [DevicesInsights](#devicesinsights-field) fields contain entity information from Active Directory / Microsoft Entra ID and Microsoft Threat Intelligence sources. - The [ActivityInsights](#activityinsights-field) field contains entity information based on the behavioral profiles built by Microsoft Sentinel's entity behavior analytics. <a name="baseline-explained"></a>User activities are analyzed against a baseline that is dynamically compiled each time it is used. Each activity has its defined lookback period from which the dynamic baseline is derived. The lookback period is specified in the [**Baseline**](#activityinsights-field) column in this table. -- The **IdentityInfo** table is where identity information synchronized to UEBA from Azure Active Directory (and from on-premises Active Directory via Microsoft Defender for Identity) is stored.+- The **IdentityInfo** table is where identity information synchronized to UEBA from Microsoft Entra ID (and from on-premises Active Directory via Microsoft Defender for Identity) is stored. ### BehaviorAnalytics table The following table describes the enrichments featured in the **UsersInsights** | **Account display name**<br>*(AccountDisplayName)* | The account display name of the user. | Admin, Hayden Cook | | **Account domain**<br>*(AccountDomain)* | The account domain name of the user. | | | **Account object ID**<br>*(AccountObjectID)* | The account object ID of the user. | a58df659-5cab-446c-9dd0-5a3af20ce1c2 |-| **Blast radius**<br>*(BlastRadius)* | The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Azure Active Directory roles and permissions. User must have *Manager* property populated in Azure Active Directory for *BlastRadius* to be calculated. | Low, Medium, High | +| **Blast radius**<br>*(BlastRadius)* | The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Microsoft Entra roles and permissions. User must have *Manager* property populated in Microsoft Entra ID for *BlastRadius* to be calculated. | Low, Medium, High | | **Is dormant account**<br>*(IsDormantAccount)* | The account has not been used for the past 180 days. | True, False | | **Is local admin**<br>*(IsLocalAdmin)* | The account has local administrator privileges. | True, False | | **Is new account**<br>*(IsNewAccount)* | The account was created within the past 30 days. | True, False | The following tables describe the enrichments featured in the **ActivityInsights | **Similar action wasn't performed in the past**<br>*(SimilarActionWasn'tPerformedInThePast)* | 30 | No action in the same resource provider was performed by the user. | True, False | | **Source IP location**<br>*(SourceIPLocation)* | *N/A* | The country resolved from the source IP of the action. | [Surrey, England] | | **Uncommon high volume of operations**<br>*(UncommonHighVolumeOfOperations)* | 7 | A user performed a burst of similar operations within the same provider | True, False |-| **Unusual number of Azure AD conditional access failures**<br>*(UnusualNumberOfAADConditionalAccessFailures)* | 5 | An unusual number of users failed to authenticate due to conditional access | True, False | +| **Unusual number of Microsoft Entra Conditional Access failures**<br>*(UnusualNumberOfAADConditionalAccessFailures)* | 5 | An unusual number of users failed to authenticate due to conditional access | True, False | | **Unusual number of devices added**<br>*(UnusualNumberOfDevicesAdded)* | 5 | A user added an unusual number of devices. | True, False | | **Unusual number of devices deleted**<br>*(UnusualNumberOfDevicesDeleted)* | 5 | A user deleted an unusual number of devices. | True, False | | **Unusual number of users added to group**<br>*(UnusualNumberOfUsersAddedToGroup)* | 5 | A user added an unusual number of users to a group. | True, False | ### IdentityInfo table -After you [enable UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Azure Active Directory is synchronized to the **IdentityInfo** table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your Azure AD in your analytics rules to enhance your analytics to fit your use cases and reduce false positives. +After you [enable UEBA](enable-entity-behavior-analytics.md) for your Microsoft Sentinel workspace, data from your Microsoft Entra ID is synchronized to the **IdentityInfo** table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your Microsoft Entra ID in your analytics rules to enhance your analytics to fit your use cases and reduce false positives. While the initial synchronization may take a few days, once the data is fully synchronized: -- Changes made to your user profiles in Azure AD are updated in the **IdentityInfo** table within 15 minutes.+- Changes made to your user profiles in Microsoft Entra ID are updated in the **IdentityInfo** table within 15 minutes. -- Group and role information is synchronized between the **IdentityInfo** table and Azure AD daily.+- Group and role information is synchronized between the **IdentityInfo** table and Microsoft Entra ID daily. -- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Azure AD to ensure that stale records are fully updated.+- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID to ensure that stale records are fully updated. - Default retention time in the **IdentityInfo** table is 30 days. The following table describes the user identity data included in the **IdentityI | Field | Type | Description | | - | -- | - |-| **AccountCloudSID** | string | The Azure AD security identifier of the account. | +| **AccountCloudSID** | string | The Microsoft Entra security identifier of the account. | | **AccountCreationTime** | datetime | The date the user account was created (UTC). | | **AccountDisplayName** | string | The display name of the user account. | | **AccountDomain** | string | The domain name of the user account. | | **AccountName** | string | The user name of the user account. |-| **AccountObjectId** | string | The Azure Active Directory object ID for the user account. | +| **AccountObjectId** | string | The Microsoft Entra object ID for the user account. | | **AccountSID** | string | The on-premises security identifier of the user account. |-| **AccountTenantId** | string | The Azure Active Directory tenant ID of the user account. | +| **AccountTenantId** | string | The Microsoft Entra tenant ID of the user account. | | **AccountUPN** | string | The user principal name of the user account. | | **AdditionalMailAddresses** | dynamic | The additional email addresses of the user. |-| **AssignedRoles** | dynamic | The Azure AD roles the user account is assigned to. | -| **BlastRadius** | string | A calculation based on the position of the user in the org tree and the user's Azure Active Directory roles and permissions. <br>Possible values: *Low, Medium, High* | +| **AssignedRoles** | dynamic | The Microsoft Entra roles the user account is assigned to. | +| **BlastRadius** | string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. <br>Possible values: *Low, Medium, High* | | **ChangeSource** | string | The source of the latest change to the entity. <br>Possible values:<br>- *AzureActiveDirectory*<br>- *ActiveDirectory*<br>- *UEBA*<br>- *Watchlist*<br>- *FullSync* | | **City** | string | The city of the user account. | | **Country** | string | The country of the user account. | | **DeletedDateTime** | datetime | The date and time the user was deleted. | | **Department** | string | The department of the user account. | | **GivenName** | string | The given name of the user account. |-| **GroupMembership** | dynamic | Azure AD Groups where the user account is a member. | -| **IsAccountEnabled** | bool | An indication as to whether the user account is enabled in Azure AD or not. | +| **GroupMembership** | dynamic | Microsoft Entra groups where the user account is a member. | +| **IsAccountEnabled** | bool | An indication as to whether the user account is enabled in Microsoft Entra ID or not. | | **JobTitle** | string | The job title of the user account. | | **MailAddress** | string | The primary email address of the user account. | | **Manager** | string | The manager alias of the user account. |-| **OnPremisesDistinguishedName** | string | The Azure AD distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. | +| **OnPremisesDistinguishedName** | string | The Microsoft Entra ID distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. | | **Phone** | string | The phone number of the user account. | | **SourceSystem** | string | The system where the user is managed. <br>Possible values:<br>- *AzureActiveDirectory*<br>- *ActiveDirectory*<br>- *Hybrid* | | **State** | string | The geographical state of the user account. | The following table describes the user identity data included in the **IdentityI | **TimeGenerated** | datetime | The time when the event was generated (UTC). | | **Type** | string | The name of the table. | | **UserAccountControl** | dynamic | Security attributes of the user account in the AD domain. <br> Possible values (may contain more than one):<br>- *AccountDisabled*<br>- *HomedirRequired*<br>- *AccountLocked*<br>- *PasswordNotRequired*<br>- *CannotChangePassword*<br>- *EncryptedTextPasswordAllowed*<br>- *TemporaryDuplicateAccount*<br>- *NormalAccount*<br>- *InterdomainTrustAccount*<br>- *WorkstationTrustAccount*<br>- *ServerTrustAccount*<br>- *PasswordNeverExpires*<br>- *MnsLogonAccount*<br>- *SmartcardRequired*<br>- *TrustedForDelegation*<br>- *DelegationNotAllowed*<br>- *UseDesKeyOnly*<br>- *DontRequirePreauthentication*<br>- *PasswordExpired*<br>- *TrustedToAuthenticationForDelegation*<br>- *PartialSecretsAccount*<br>- *UseAesKeys* |-| **UserState** | string | The current state of the user account in Azure AD.<br>Possible values:<br>- *Active*<br>- *Disabled*<br>- *Dormant*<br>- *Lockout* | +| **UserState** | string | The current state of the user account in Microsoft Entra ID.<br>Possible values:<br>- *Active*<br>- *Disabled*<br>- *Dormant*<br>- *Lockout* | | **UserStateChangedOn** | datetime | The date of the last time the account state was changed (UTC). | | **UserType** | string | The user type. | This document described the Microsoft Sentinel entity behavior analytics table s - Learn more about [entity behavior analytics](identify-threats-with-entity-behavior-analytics.md). - [Enable UEBA in Microsoft Sentinel](enable-entity-behavior-analytics.md). - [Put UEBA to use](investigate-with-ueba.md) in your investigations.-- |
sentinel | Understand Threat Intelligence | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/understand-threat-intelligence.md | Many organizations use threat intelligence platform (TIP) solutions to aggregate This data connector utilizes a new API and offers the following improvements: - The threat indicator fields are based off of the STIX standardized format.-- The Azure Active Directory (Azure AD) application only requires Microsoft Sentinel Contributor role.-- The API request endpoint is scoped at the workspace level and the Azure AD application permissions required allow granular assignment at the workspace level.+- The Microsoft Entra application only requires Microsoft Sentinel Contributor role. +- The API request endpoint is scoped at the workspace level and the Microsoft Entra application permissions required allow granular assignment at the workspace level. For more information, see [Connect your threat intelligence platform using upload indicators API](connect-threat-intelligence-upload-api.md) |
sentinel | Upload Indicators Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/upload-indicators-api.md | An upload indicators API call has five components: 1. Optionally process the HTTP response message header 1. Optionally process the HTTP response message body -## Register your client application with Azure AD +<a name='register-your-client-application-with-azure-ad'></a> -In order to authenticate to Microsoft Sentinel, the request to the upload indicators API requires a valid Azure AD access token. For more information on application registration, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) or see the basic steps as part of the [upload indicators API data connector](connect-threat-intelligence-upload-api.md#register-an-azure-ad-application) setup. +## Register your client application with Microsoft Entra ID ++In order to authenticate to Microsoft Sentinel, the request to the upload indicators API requires a valid Microsoft Entra access token. For more information on application registration, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) or see the basic steps as part of the [upload indicators API data connector](connect-threat-intelligence-upload-api.md#register-an-azure-ad-application) setup. ## Permissions -This API requires the calling Azure AD application to be granted the Microsoft Sentinel contributor role at the workspace level. +This API requires the calling Microsoft Entra application to be granted the Microsoft Sentinel contributor role at the workspace level. ## Create the request -This section covers the first three of the five components discussed earlier. You first need to acquire the access token from Azure AD, which you use to assemble your request message header. +This section covers the first three of the five components discussed earlier. You first need to acquire the access token from Microsoft Entra ID, which you use to assemble your request message header. ### Acquire an access token -Acquire an Azure AD access token with [OAuth 2.0 authentication](../active-directory/fundamentals/auth-oauth2.md). [V1.0 and V2.0](../active-directory/develop/access-tokens.md#token-formats) are valid tokens accepted by the API. +Acquire a Microsoft Entra access token with [OAuth 2.0 authentication](../active-directory/fundamentals/auth-oauth2.md). [V1.0 and V2.0](../active-directory/develop/access-tokens.md#token-formats) are valid tokens accepted by the API. To get a v1.0 token, use [ADAL](../active-directory/azuread-dev/active-directory-authentication-libraries.md) or send requests to the REST API in the following format: - POST `https://login.microsoftonline.com/{{tenantId}}/oauth2/token`-- Headers for using Azure AD App:+- Headers for using Microsoft Entra App: - grant_type: "client_credentials"-- client_id: {Client ID of Azure AD App}-- client_secret: {Client secret of Azure AD App}+- client_id: {Client ID of Microsoft Entra App} +- client_secret: {Client secret of Microsoft Entra App} - resource: `"https://management.azure.com/"` To get a v2.0 token, use Microsoft Authentication Library [MSAL](../active-directory/develop/msal-overview.md) or send requests to the REST API in the following format: - POST `https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token`-- Headers for using Azure AD App:+- Headers for using Microsoft Entra App: - grant_type: "client_credentials"-- client_id: {Client ID of Azure AD App}-- client_secret: {secret of Azure AD App}+- client_id: {Client ID of Microsoft Entra App} +- client_secret: {secret of Microsoft Entra App} - scope: `"https://management.azure.com/.default"` The resource/scope value is the audience of the token. This API only accepts the following audiences: |
sentinel | Workspace Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/workspace-manager.md | Here are the active content types supported with workspace - You need at least two Microsoft Sentinel workspaces. One workspace to manage from and at least one other workspace to be managed. - The [Microsoft Sentinel Contributor role assignment](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) is required on the central workspace (where workspace manager is enabled on), and on the member workspace(s) the contributor needs to manage. To learn more about roles in Microsoft Sentinel, see [Roles and permissions in Microsoft Sentinel](roles.md).-- Enable Azure Lighthouse if you're managing workspaces across multiple Azure AD tenants. To learn more, see [Manage Microsoft Sentinel workspaces at scale](/azure/lighthouse/how-to/manage-sentinel-workspaces).+- Enable Azure Lighthouse if you're managing workspaces across multiple Microsoft Entra tenants. To learn more, see [Manage Microsoft Sentinel workspaces at scale](/azure/lighthouse/how-to/manage-sentinel-workspaces). ## Considerations |
service-bus-messaging | Advanced Features Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/advanced-features-overview.md | The **Support ordering** feature allows you to specify whether messages that are When an Azure region experiences downtime, the disaster recovery feature enables message processing to continue operating in a different region or data center. The feature keeps a structural mirror of a namespace available in the secondary region and allows the namespace identity to switch to the secondary namespace. Already posted messages remain in the former primary namespace for recovery once the availability episode subsides. For more information, see [Azure Service Bus Geo-disaster recovery](service-bus-geo-dr.md). ## Security-Service Bus supports standard [AMQP 1.0](service-bus-amqp-overview.md) and [HTTP or REST](/rest/api/servicebus/) protocols and their respective security facilities, including transport-level security (TLS). Clients can be authorized for access using [Shared Access Signature](service-bus-sas.md) or [Azure Active Directory](service-bus-authentication-and-authorization.md) role-based security. +Service Bus supports standard [AMQP 1.0](service-bus-amqp-overview.md) and [HTTP or REST](/rest/api/servicebus/) protocols and their respective security facilities, including transport-level security (TLS). Clients can be authorized for access using [Shared Access Signature](service-bus-sas.md) or [Microsoft Entra ID](service-bus-authentication-and-authorization.md) role-based security. For protection against unwanted traffic, Service Bus provides [security features](network-security.md) such as IP firewall and integration with virtual networks. |
service-bus-messaging | Authenticate Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/authenticate-application.md | Title: Authenticate an application to access Azure Service Bus entities -description: This article provides information about authenticating an application with Azure Active Directory to access Azure Service Bus entities (queues, topics, etc.) +description: This article provides information about authenticating an application with Microsoft Entra ID to access Azure Service Bus entities (queues, topics, etc.) Last updated 02/24/2023 -# Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities -Azure Service Bus supports using Azure Active Directory (Azure AD) to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. A key advantage of using Azure AD with Azure Service Bus is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft Identity platform. If the authentication succeeds, Azure AD returns an access token to the application, and the application can then use the access token to authorize request to Service Bus resources. +# Authenticate and authorize an application with Microsoft Entra ID to access Azure Service Bus entities +Azure Service Bus supports using Microsoft Entra ID to authorize requests to Service Bus entities (queues, topics, subscriptions, or filters). With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. 
A key advantage of using Microsoft Entra ID with Azure Service Bus is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. If the authentication succeeds, Microsoft Entra ID returns an access token to the application, and the application can then use the access token to authorize request to Service Bus resources. > [!IMPORTANT]-> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure Active Directory authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). +> You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). ## Overview-When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Azure AD, access to a resource is a two-step process. +When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Microsoft Entra ID, access to a resource is a two-step process. 1. First, the security principalΓÇÖs identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token is `https://servicebus.azure.net`. 1. Next, the token is passed as part of a request to the Service Bus service to authorize access to the specified resource. -The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a Virtual Machine Scale Set, or an Azure Function app, it can use a managed identity to access the resources. 
To learn how to authenticate requests made by a managed identity to the Service Bus service, see [Authenticate access to Azure Service Bus resources with Azure Active Directory and managed identities for Azure Resources](service-bus-managed-service-identity.md). +The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a Virtual Machine Scale Set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to the Service Bus service, see [Authenticate access to Azure Service Bus resources with Microsoft Entra ID and managed identities for Azure Resources](service-bus-managed-service-identity.md). The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Service Bus provides Azure roles that encompass sets of permissions for Service Bus resources. The roles that are assigned to a security principal determine the permissions that the principal will have on Service Bus resources. To learn more about assigning Azure roles to Azure Service Bus, see [Azure built-in roles for Azure Service Bus](#azure-built-in-roles-for-azure-service-bus). -Native applications and web applications that make requests to Service Bus can also authorize with Azure AD. This article shows you how to request an access token and use it to authorize requests for Service Bus resources. +Native applications and web applications that make requests to Service Bus can also authorize with Microsoft Entra ID. This article shows you how to request an access token and use it to authorize requests for Service Bus resources. ## Azure built-in roles for Azure Service Bus -Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). 
Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities and you can also define custom roles for accessing the data. +Microsoft Entra authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities and you can also define custom roles for accessing the data. -When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, or the Service Bus namespace. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, or the Service Bus namespace. A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). For Azure Service Bus, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the Azure RBAC model. Azure provides the following built-in roles for authorizing access to a Service Bus namespace: For more information about how built-in roles are defined, see [Understand role ## Authenticate from an application-A key advantage of using Azure AD with Service Bus is that your credentials no longer need to be stored in your code. 
Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Azure AD authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Service Bus. +A key advantage of using Microsoft Entra ID with Service Bus is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Microsoft Entra authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Microsoft Entra ID returns the access token to the application, and the application can then use the access token to authorize requests to Azure Service Bus. Following sections shows you how to configure your native application or web application for authentication with Microsoft identity platform 2.0. For more information about Microsoft identity platform 2.0, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md). -For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md). +For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md). -### Register your application with an Azure AD tenant -The first step in using Azure AD to authorize Service Bus entities is registering your client application with an Azure AD tenant from the [Azure portal](https://portal.azure.com/). When you register your client application, you supply information about the application to AD. 
Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD runtime. To learn more about the client ID, see [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md). +<a name='register-your-application-with-an-azure-ad-tenant'></a> -Follow steps in the [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register your application with Azure AD. +### Register your application with a Microsoft Entra tenant +The first step in using Microsoft Entra ID to authorize Service Bus entities is registering your client application with a Microsoft Entra tenant from the [Azure portal](https://portal.azure.com/). When you register your client application, you supply information about the application to AD. Microsoft Entra ID then provides a client ID (also called an application ID) that you can use to associate your application with Microsoft Entra runtime. To learn more about the client ID, see [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md). ++Follow steps in the [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register your application with Microsoft Entra ID. > [!Note] > If you register your application as a native application, you can specify any valid URI for the Redirect URI. For native applications, this value does not have to be a real URL. For web applications, the redirect URI must be a valid URI, because it specifies the URL to which tokens are provided. 
After you've registered your application, you'll see the **Application (client) :::image type="content" source="./media/authenticate-application/application-id.png" alt-text="Screenshot showing the App registration page showing the Application ID and Tenant ID."::: -For more information about registering an application with Azure AD, see [Integrating applications with Azure Active Directory](../active-directory/develop/quickstart-register-app.md). +For more information about registering an application with Microsoft Entra ID, see [Integrating applications with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md). ### Create a client secret The application needs a client secret to prove its identity when requesting a to :::image type="content" source="./media/authenticate-application/client-secret.png" alt-text="Screenshot showing the Client secrets section with the secret you added."::: ### Permissions for the Service Bus API-If your application is a console application, you must register a native application and add API permissions for **Microsoft.ServiceBus** to the **required permissions** set. Native applications also need a **redirect-uri** in Azure AD, which serves as an identifier; the URI doesn't need to be a network destination. Use `https://servicebus.microsoft.com` for this example, because the sample code already uses that URI. +If your application is a console application, you must register a native application and add API permissions for **Microsoft.ServiceBus** to the **required permissions** set. Native applications also need a **redirect-uri** in Microsoft Entra ID, which serves as an identifier; the URI doesn't need to be a network destination. Use `https://servicebus.microsoft.com` for this example, because the sample code already uses that URI. 
## Assign Azure roles using the Azure portal Assign one of the [Service Bus roles](#azure-built-in-roles-for-azure-service-bus) to the application's service principal at the desired scope (Service Bus namespace, resource group, subscription). For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). |
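Review bot: the rename misses one occurrence in the "Register your application with a Microsoft Entra tenant" paragraph, which still reads "you supply information about the application to AD"; change it to "to Microsoft Entra ID". The same file now alternates between "Microsoft Entra" and "Microsoft Entra ID" as the subject ("Microsoft Entra authorizes access rights", "Microsoft Entra authenticates the security principal", "Microsoft Entra ID then provides a client ID"); settle on one form. The added `<a name='register-your-application-with-an-azure-ad-tenant'></a>` anchor is the right way to keep inbound links to the old heading ID working.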
service-bus-messaging | Configure Customer Managed Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/configure-customer-managed-key.md | After you enable customer-managed keys, you need to associate the customer manag ## Managed identities There are two types of managed identities that you can assign to a Service Bus namespace. -- **System-assigned**: You can enable a managed identity directly on a Service Bus namespace. When you enable a system-assigned managed identity, an identity is created in Azure AD that's tied to the lifecycle of that Service Bus namespace. So when the namespace is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource (namespace) can use this identity to request tokens from Azure AD.+- **System-assigned**: You can enable a managed identity directly on a Service Bus namespace. When you enable a system-assigned managed identity, an identity is created in Microsoft Entra that's tied to the lifecycle of that Service Bus namespace. So when the namespace is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource (namespace) can use this identity to request tokens from Microsoft Entra ID. - **User-assigned**: You may also create a managed identity as a standalone Azure resource, which is called user-assigned identity. You can create a user-assigned managed identity and assign it to one or more Service Bus namespaces. When you use user-assigned managed identities, the identity is managed separately from the resources that use it. They aren't tied to the lifecycle of the namespace. You can explicitly delete a user-assigned identity when you no longer need it. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). |
service-bus-messaging | Disable Local Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/disable-local-authentication.md | Last updated 02/01/2022 # Disable local or shared access key authentication with Azure Service Bus-There are two ways to authenticate to Azure Service Bus resources: Azure Active Directory (Azure AD) and Shared Access Signatures (SAS). Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, thereΓÇÖs no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Service Bus applications when possible. +There are two ways to authenticate to Azure Service Bus resources: Microsoft Entra ID and Shared Access Signatures (SAS). Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, thereΓÇÖs no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible. -This article explains how to disable SAS key authentication and use only Azure AD for authentication. +This article explains how to disable SAS key authentication and use only Microsoft Entra ID for authentication. ## Use portal to disable local auth In this section, you learn how to use the Azure portal to disable local authentication. You can assign the [disable local auth](https://portal.azure.com/#blade/Microsof :::image type="content" source="./media/disable-local-authentication/azure-policy.png" alt-text="Azure policy to disable location authentication."::: ## Next steps-See the following to learn about Azure AD and SAS authentication. +See the following to learn about Microsoft Entra ID and SAS authentication. 
- [Authentication with SAS](service-bus-sas.md) -- Authentication with Azure AD+- Authentication with Microsoft Entra ID - [Authenticate with managed identities](service-bus-managed-service-identity.md)- - [Authenticate from an application](authenticate-application.md) + - [Authenticate from an application](authenticate-application.md) |
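Review bot: the sentence "With Microsoft Entra ID, there's no need to store the tokens in your code" is imprecise: an Entra client still handles access tokens at runtime; what it no longer needs to store is the long-lived shared access key (or a SAS token derived from it). Suggest "there's no need to store shared access keys in your code or configuration". The final context line is a whitespace-only change to the indented "Authenticate from an application" bullet; it is harmless but worth a mention in the commit message.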
service-bus-messaging | Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/explorer.md | After peeking or receiving a message, we can resend it, which will send a copy o ## Switch authentication type -When working with Service Bus Explorer, it's possible to use either **Access Key** or **Azure Active Directory** authentication. +When working with Service Bus Explorer, it's possible to use either **Access Key** or **Microsoft Entra ID** authentication. 1. Select the **Settings** button. |
service-bus-messaging | Jms Developer Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/jms-developer-guide.md | Each connection factory is an instance of `ConnectionFactory`, `QueueConnectionF To simplify connecting with Azure Service Bus, these interfaces are implemented through `ServiceBusJmsConnectionFactory`, `ServiceBusJmsQueueConnectionFactory` and `ServiceBusJmsTopicConnectionFactory` respectively. > [!IMPORTANT]-> Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Azure Active Directory (Azure AD) backed authentication. When using Azure AD backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus) to the identity as needed. +> Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Microsoft Entra backed authentication. When using Microsoft Entra backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus) to the identity as needed. # [System Assigned Managed Identity](#tab/system-assigned-managed-identity-backed-authentication) |
service-bus-messaging | Migrate Jms Activemq To Servicebus | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/migrate-jms-activemq-to-servicebus.md | As part of migrating and modifying your client applications to interact with Azu #### Authentication and authorization -Azure role-based access control (Azure RBAC), backed by Azure Active Directory, is the preferred authentication mechanism for Service Bus. To enable role-based access control, please follow the steps in the [Azure Service Bus JMS 2.0 developer guide](jms-developer-guide.md). +Azure role-based access control (Azure RBAC), backed by Microsoft Entra ID, is the preferred authentication mechanism for Service Bus. To enable role-based access control, please follow the steps in the [Azure Service Bus JMS 2.0 developer guide](jms-developer-guide.md). ## Pre-migration |
service-bus-messaging | Monitor Service Bus Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/monitor-service-bus-reference.md | Name | Description | Supported in Azure Diagnostics | Supported in AZMSRuntimeAu `time Generated (UTC)` | Aggregated time | No | Yes `Status` | Status of the activity (success or failure).| Yes | Yes `Protocol` | Type of the protocol associated with the operation. | Yes | Yes-`AuthType` | Type of authentication (Azure Active Directory or SAS Policy). | Yes | Yes -`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource. | Yes | Yes +`AuthType` | Type of authentication (Microsoft Entra ID or SAS Policy). | Yes | Yes +`AuthKey` | Microsoft Entra application ID or SAS policy name that's used to authenticate to a resource. | Yes | Yes `NetworkType` | Type of the network access: `Public` or`Private`. | yes | Yes `ClientIP` | IP address of the client application. | Yes | Yes `Count` | Total number of operations performed during the aggregated period of 1 minute. | Yes | Yes Azure Service Bus uses Kusto tables from Azure Monitor Logs. You can query these ## Next steps - For details on monitoring Azure Service Bus, see [Monitoring Azure Service Bus](monitor-service-bus.md). - For details on monitoring Azure resources, see [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).- |
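Review bot: while this table is being edited, the unchanged `NetworkType` row is missing a space in "`Public` or`Private`"; fix it in the same commit. The `AuthKey` description is now "Microsoft Entra application ID or SAS policy name"; since the `AuthType` row distinguishes "Microsoft Entra ID" from "SAS Policy", consider saying in `AuthKey` that the value is an application ID only when `AuthType` is Microsoft Entra ID, so readers writing queries over these logs know which column to key on.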
service-bus-messaging | Service Bus Authentication And Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-authentication-and-authorization.md | Last updated 02/17/2023 # Service Bus authentication and authorization There are two ways to authenticate and authorize access to Azure Service Bus resources: -- Azure Active Directory (Azure AD)+- Microsoft Entra ID - Shared Access Signatures (SAS). This article gives you details on using these two types of security mechanisms. -## Azure Active Directory -Azure AD integration with Service Bus provides role-based access control (RBAC) to Service Bus resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. Azure AD authenticates the security principal and returns an OAuth 2.0 token. This token can be used to authorize a request to access a Service Bus resource (queue, topic, and so on). +<a name='azure-active-directory'></a> -For more information about authenticating with Azure AD, see the following articles: +## Microsoft Entra ID +Microsoft Entra integration with Service Bus provides role-based access control (RBAC) to Service Bus resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. This token can be used to authorize a request to access a Service Bus resource (queue, topic, and so on). ++For more information about authenticating with Microsoft Entra ID, see the following articles: - [Authenticate with managed identities](service-bus-managed-service-identity.md) - [Authenticate from an application](authenticate-application.md) > [!NOTE]-> [Service Bus REST API](/rest/api/servicebus/) supports OAuth authentication with Azure AD. 
+> [Service Bus REST API](/rest/api/servicebus/) supports OAuth authentication with Microsoft Entra ID. > [!IMPORTANT]-> Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Service Bus applications when possible. +> Authorizing users or applications using OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there is no need to store tokens in your code and risk potential security vulnerabilities. We recommend that you use Microsoft Entra ID with your Azure Service Bus applications when possible. > -> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure AD authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). +> You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). ## Shared access signature [SAS authentication](service-bus-sas.md) enables you to grant a user access to Service Bus resources, with specific rights. SAS authentication in Service Bus involves the configuration of a cryptographic key with associated rights on a Service Bus resource. Clients can then gain access to that resource by presenting a SAS token, which consists of the resource URI being accessed and an expiry signed with the configured key. 
SAS authentication support for Service Bus is included in the Azure .NET SDK ver ## Next steps-For more information about authenticating with Azure AD, see the following articles: +For more information about authenticating with Microsoft Entra ID, see the following articles: - [Authentication with managed identities](service-bus-managed-service-identity.md) - [Authentication from an application](authenticate-application.md) |
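Review bot: same wording issue as in disable-local-authentication.md: "there is no need to store tokens in your code" should say shared access keys, since the OAuth 2.0 flow described two sentences earlier is itself token based. Adding `<a name='azure-active-directory'></a>` above the renamed "Microsoft Entra ID" heading is correct; service-bus-azure-and-service-bus-queues-compared-contrasted.md in this same change set still links to `service-bus-authentication-and-authorization.md#azure-active-directory`, so the old fragment must keep resolving.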
service-bus-messaging | Service Bus Azure And Service Bus Queues Compared Contrasted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-azure-and-service-bus-queues-compared-contrasted.md | This section discusses the authentication and authorization features supported b ### Additional information * Every request to either of the queuing technologies must be authenticated. Public queues with anonymous access aren't supported. * Using shared access signature (SAS) authentication, you can create a shared access authorization rule on a queue that can give users a write-only, read-only, or full access. For more information, see [Azure Storage - SAS authentication](../storage/common/storage-sas-overview.md) and [Azure Service Bus - SAS authentication](service-bus-sas.md).-* Both queues support authorizing access using Azure Active Directory (Azure AD). Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities. For more information, see [Azure Storage - Azure AD authentication](../storage/queues/assign-azure-role-data-access.md) and [Azure Service Bus - Azure AD authentication](service-bus-authentication-and-authorization.md#azure-active-directory). +* Both queues support authorizing access using Microsoft Entra ID. Authorizing users or applications using OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there is no need to store the tokens in your code and risk potential security vulnerabilities. 
For more information, see [Azure Storage - Microsoft Entra authentication](../storage/queues/assign-azure-role-data-access.md) and [Azure Service Bus - Microsoft Entra authentication](service-bus-authentication-and-authorization.md#azure-active-directory). ## Conclusion By gaining a deeper understanding of the two technologies, you can make a more informed decision on which queue technology to use, and when. The decision on when to use Storage queues or Service Bus queues clearly depends on many factors. These factors may depend heavily on the individual needs of your application and its architecture. |
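Review bot: the link text is now "Azure Service Bus - Microsoft Entra authentication" but the fragment is still `#azure-active-directory`. It resolves only because the target file gained a legacy anchor; updating the fragment to the new heading's ID while leaving that anchor in place for external links would avoid carrying the old name forward in this repo.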
service-bus-messaging | Service Bus Dotnet Get Started With Queues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-dotnet-get-started-with-queues.md | You can authorize access to the service bus namespace using the following steps: :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing a button to sign in to Azure using Visual Studio."::: -1. Sign-in using the Azure AD account you assigned a role to previously. +1. Sign-in using the Microsoft Entra account you assigned a role to previously. :::image type="content" source="..//storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection."::: |
service-bus-messaging | Service Bus Dotnet How To Use Topics Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-dotnet-how-to-use-topics-subscriptions.md | In this quickstart, you'll do the following steps: > [!NOTE] > This quick start provides step-by-step instructions to implement a simple scenario of sending a batch of messages to a Service Bus topic and receiving those messages from a subscription of the topic. For more samples on other and advanced scenarios, see [Service Bus .NET samples on GitHub](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/servicebus/Azure.Messaging.ServiceBus/samples). -> - This quick start shows you two ways of connecting to Azure Service Bus: **connection string** and **passwordless**. The first option shows you how to use a connection string to connect to a Service Bus namespace. The second option shows you how to use your security principal in Azure Active Directory and the role-based access control (RBAC) to connect to a Service Bus namespace. You don't need to worry about having hard-coded connection string in your code or in a configuration file or in secure storage like Azure Key Vault. If you are new to Azure, you may find the connection string option easier to follow. We recommend using the passwordless option in real-world applications and production environments. For more information, see [Authentication and authorization](service-bus-authentication-and-authorization.md). +> - This quick start shows you two ways of connecting to Azure Service Bus: **connection string** and **passwordless**. The first option shows you how to use a connection string to connect to a Service Bus namespace. The second option shows you how to use your security principal in Microsoft Entra ID and the role-based access control (RBAC) to connect to a Service Bus namespace. 
You don't need to worry about having hard-coded connection string in your code or in a configuration file or in secure storage like Azure Key Vault. If you are new to Azure, you may find the connection string option easier to follow. We recommend using the passwordless option in real-world applications and production environments. For more information, see [Authentication and authorization](service-bus-authentication-and-authorization.md). ## Prerequisites You can authorize access to the service bus namespace using the following steps: 1. Select the **Sign in** button in the top right of Visual Studio. :::image type="content" source="./media/service-bus-dotnet-get-started-with-queues/azure-sign-button-visual-studio.png" alt-text="Screenshot showing the button to sign in to Azure using Visual Studio.":::-1. Sign-in using the Azure AD account you assigned a role to previously. +1. Sign-in using the Microsoft Entra account you assigned a role to previously. :::image type="content" source="..//storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection."::: |
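Review bot: the rewritten intro bullet still carries a missing article in the sentence that follows the split ("having hard-coded connection string in your code"); while touching it, write "a hard-coded connection string" and, in the sign-in step, "Sign in using the Microsoft Entra account" rather than "Sign-in using". The security point of the passwordless option is otherwise stated correctly: the credential is resolved at runtime from the signed-in principal, so no secret has to live in code, configuration, or even Key Vault.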
service-bus-messaging | Service Bus Dotnet Multi Tier App Using Service Bus Queues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-dotnet-multi-tier-app-using-service-bus-queues.md | messaging: The following sections discuss the code that implements this architecture. ## Prerequisites-In this tutorial, you'll use Azure Active Directory (Azure AD) authentication to create `ServiceBusClient` and `ServiceBusAdministrationClient` objects. You'll also use `DefaultAzureCredential` and to use it, you need to do the following steps to test the application locally in a development environment. +In this tutorial, you'll use Microsoft Entra authentication to create `ServiceBusClient` and `ServiceBusAdministrationClient` objects. You'll also use `DefaultAzureCredential` and to use it, you need to do the following steps to test the application locally in a development environment. -1. [Register an application in the Azure AD](../active-directory/develop/quickstart-register-app.md). +1. [Register an application in the Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md). 1. [Add the application to the `Service Bus Data Owner` role](../role-based-access-control/role-assignments-portal.md). 1. Set the `AZURE-CLIENT-ID`, `AZURE-TENANT-ID`, AND `AZURE-CLIENT-SECRET` environment variables. For instructions, see [this article](/dotnet/api/overview/azure/identity-readme#environment-variables). |
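Review bot: the `+` line introduces a stray article ("+1. [Register an application in the Microsoft Entra ID]"); "Register an application in Microsoft Entra ID" is the form used elsewhere in this patch. In the unchanged step that follows, the environment variable names are written with hyphens (`AZURE-CLIENT-ID`, `AZURE-TENANT-ID`, `AZURE-CLIENT-SECRET`) and a capitalised "AND"; `DefaultAzureCredential` reads these from `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_CLIENT_SECRET` (underscores), as the linked Azure.Identity readme documents, and a reader who copies the hyphenated names will see the credential silently fall through to other credential sources rather than the registered application. Worth correcting in the same commit.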
service-bus-messaging | Service Bus Geo Dr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-geo-dr.md | The Geo-Disaster recovery feature ensures that the entire configuration of a nam ## Important points to consider - The feature enables instant continuity of operations with the same configuration, but **doesn't replicate the messages held in queues or topic subscriptions or dead-letter queues**. To preserve queue semantics, such a replication will require not only the replication of message data, but of every state change in the broker. For most Service Bus namespaces, the required replication traffic would far exceed the application traffic and with high-throughput queues, most messages would still replicate to the secondary while they're already being deleted from the primary, causing excessively wasteful traffic. For high-latency replication routes, which applies to many pairings you would choose for Geo-disaster recovery, it might also be impossible for the replication traffic to sustainably keep up with the application traffic due to latency-induced throttling effects.-- Azure Active Directory (Azure AD) role-based access control (RBAC) assignments to Service Bus entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them. +- Microsoft Entra role-based access control (RBAC) assignments to Service Bus entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them. - The following configurations aren't replicated. 
- Virtual network configurations - Private endpoint connections If you have a scenario in which you can't change the connections of producers an The [samples on GitHub](https://github.com/Azure/azure-service-bus/tree/master/samples/DotNet/Microsoft.ServiceBus.Messaging/GeoDR/SBGeoDR2/) show how to set up and initiate a failover. These samples demonstrate the following concepts: -- A .NET sample and settings that are required in Azure Active Directory to use Azure Resource Manager with Service Bus, to set up, and enable Geo-disaster recovery.+- A .NET sample and settings that are required in Microsoft Entra ID to use Azure Resource Manager with Service Bus, to set up, and enable Geo-disaster recovery. - Steps required to execute the sample code. - How to use an existing namespace as an alias. - Steps to alternatively enable Geo-disaster recovery via PowerShell or CLI. Advantage of this approach is that failover can happen at the application layer > For guidance on geo-disaster recovery of a virtual network, see [Virtual Network - Business Continuity](../virtual-network/virtual-network-disaster-recovery-guidance.md). ## Role-based access control-Azure Active Directory (Azure AD) role-based access control (RBAC) assignments to Service Bus entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them. +Microsoft Entra role-based access control (RBAC) assignments to Service Bus entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them. ## Next steps |
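Review bot: the renamed RBAC sentence now appears verbatim twice, once as a bullet under "Important points to consider" and again as the whole body of "## Role-based access control"; consider keeping the full statement in the section and turning the bullet into a one-line pointer to it, so the two copies cannot drift apart on a future edit. The substance is right and security-relevant: after a failover the secondary namespace has no data-plane role assignments until they are created explicitly, so that step belongs in any failover runbook.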
service-bus-messaging | Service Bus Ip Filtering | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-ip-filtering.md | The API version **2021-06-01-preview onwards** also introduces a new property na For more information about these properties, see [Create or Update Network Rule Set](/rest/api/servicebus/controlplane-preview/namespaces-network-rule-set/create-or-update-network-rule-set) and [Create or Update Private Endpoint Connections](/rest/api/servicebus/controlplane-preview/private-endpoint-connections/create-or-update). > [!NOTE]-> None of the above settings bypass validation of claims via SAS or Azure AD authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings. +> None of the above settings bypass validation of claims via SAS or Microsoft Entra authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings. ### Azure portal |
service-bus-messaging | Service Bus Managed Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-managed-service-identity.md | -# Authenticate a managed identity with Azure Active Directory to access Azure Service Bus resources -Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service such as Azure Service Bus that supports Azure AD authentication, without having credentials in your code. If you aren't familiar with managed identities, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) before proceeding to read through this article. +# Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources +Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service such as Azure Service Bus that supports Microsoft Entra authentication, without having credentials in your code. If you aren't familiar with managed identities, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) before proceeding to read through this article. Here are the high-level steps to use a managed identity to access a Service Bus entity: Here are the high-level steps to use a managed identity to access a Service Bus 1. In your application, use the managed identity and the endpoint to Service Bus namespace to connect to the namespace. 
For example, in .NET, you use the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient.-ctor#azure-messaging-servicebus-servicebusclient-ctor(system-string-azure-core-tokencredential)) constructor that takes `TokenCredential` and `fullyQualifiedNamespace` (a string, for example: `cotosons.servicebus.windows.net`) parameters to connect to Service Bus using the managed identity. You pass in [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential), which derives from `TokenCredential` and uses the managed identity. > [!IMPORTANT]- > You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure Active Directory authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). + > You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). ## Azure built-in roles for Azure Service Bus-Azure Active Directory (Azure AD) authorizes access to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities. You can also define custom roles for accessing the data. +Microsoft Entra authorizes access to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities. You can also define custom roles for accessing the data. 
Azure provides the following Azure built-in roles for authorizing access to a Service Bus namespace: For complete step-by-step instructions to send and receive messages using a mana ## Next steps See [this .NET web application sample on GitHub](https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet/tree/master), which uses a managed identity to connect to Service Bus to send and receive messages. Add the identity of the app service to the **Azure Service Bus Data Owner** role. - |
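Review bot: the `+` line under "## Azure built-in roles for Azure Service Bus" uses the bare "Microsoft Entra authorizes access to secured resources", whereas the rest of this patch uses "Microsoft Entra ID" as the noun and "Microsoft Entra" only as an adjective ("Microsoft Entra authentication"); use "Microsoft Entra ID authorizes access" for consistency. In the adjacent unchanged context the example namespace `cotosons.servicebus.windows.net` looks like a misspelling of the usual `contoso` placeholder and could be fixed in the same commit.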
service-bus-messaging | Service Bus Management Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-management-libraries.md | -There are two approaches you can take to manage Azure Service Bus resources programmatically. The first is to use the [Azure Resource Manager](../azure-resource-manager/management/overview.md)-based libraries, which allow you to manage namespaces, queues, topics, subscriptions, rules, and SAS policies. Azure Resource Manager-based libraries have support for authentication through Azure Active Directory, but not through connection strings. The second approach is to leverage the same Service Bus client libraries that you use to send and receive messages. The client libraries also provide APIs to help you manage queues, topics, subscriptions, and rules in an *existing* namespace. They have support for authentication with connection strings. When deciding which approach to take, consider the following. +There are two approaches you can take to manage Azure Service Bus resources programmatically. The first is to use the [Azure Resource Manager](../azure-resource-manager/management/overview.md)-based libraries, which allow you to manage namespaces, queues, topics, subscriptions, rules, and SAS policies. Azure Resource Manager-based libraries have support for authentication through Microsoft Entra ID, but not through connection strings. The second approach is to leverage the same Service Bus client libraries that you use to send and receive messages. The client libraries also provide APIs to help you manage queues, topics, subscriptions, and rules in an *existing* namespace. They have support for authentication with connection strings. When deciding which approach to take, consider the following. 
The Azure Resource Manager-based libraries offer the same functionality as Azure portal, CLI, and PowerShell when it comes to managing Service Bus namespaces and entities like queues, topics, subscriptions, etc. If you have been using Azure portal, CLI, or PowerShell for your management operations and would like a dynamic way of doing that, then these libraries might be a better choice for you. However, if you are already using a Service Bus client library for service speci ## Manage using Azure Resource Manager-based libraries -The Azure Resource Manager-based libraries allow you to manage namespaces, queues, topics, subscriptions, rules, and SAS policies. They support authentication with Azure Active Directory (Azure AD) *only*; they do not support connection strings. +The Azure Resource Manager-based libraries allow you to manage namespaces, queues, topics, subscriptions, rules, and SAS policies. They support authentication with Microsoft Entra ID *only*; they do not support connection strings. | Language | Package | Documentation | Samples| |-|-|-|-| |
service-bus-messaging | Service Bus Migrate Azure Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-migrate-azure-credentials.md | Title: Migrate applications to use passwordless authentication with Azure Service Bus -description: Learn to migrate existing Service Bus applications away from connection strings to use Azure AD and Azure RBAC for enhanced security. +description: Learn to migrate existing Service Bus applications away from connection strings to use Microsoft Entra ID and Azure RBAC for enhanced security. The following steps explain how to migrate an existing application to use passwo ### Sign-in and migrate the app code to use passwordless connections -For local development, make sure you're authenticated with the same Azure AD account you assigned the role to for the Service Bus namespace. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ. +For local development, make sure you're authenticated with the same Microsoft Entra account you assigned the role to for the Service Bus namespace. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ. [!INCLUDE [default-azure-credential-sign-in](../../includes/passwordless/default-azure-credential-sign-in.md)] |
service-bus-messaging | Service Bus Python How To Use Topics Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions.md | To follow this quickstart using passwordless authentication and your own Azure a * Run the tutorial code in the same terminal or command prompt. >[!IMPORTANT]-> Make sure you sign in with `az login`. The `DefaultAzureCredential` class in the passwordless code uses the Azure CLI credentials to authenticate with Azure Active Directory (Azure AD). +> Make sure you sign in with `az login`. The `DefaultAzureCredential` class in the passwordless code uses the Azure CLI credentials to authenticate with Microsoft Entra ID. To use the passwordless code, you'll need to specify a: Open your favorite editor, such as [Visual Studio Code](https://code.visualstudi > - Replace `FULLY_QUALIFIED_NAMESPACE` with the fully qualified namespace for your Service Bus namespace. > - Replace `TOPIC_NAME` with the name of the topic. - In the preceding code, you used the Azure Identity client library's `DefaultAzureCredential` class. When the app runs locally during development, `DefaultAzureCredential` will automatically discover and authenticate to Azure using the account you logged into the Azure CLI with. When the app is deployed to Azure, `DefaultAzureCredential` can authenticate your app to Azure AD via a managed identity without any code changes. + In the preceding code, you used the Azure Identity client library's `DefaultAzureCredential` class. When the app runs locally during development, `DefaultAzureCredential` will automatically discover and authenticate to Azure using the account you logged into the Azure CLI with. When the app is deployed to Azure, `DefaultAzureCredential` can authenticate your app to Microsoft Entra ID via a managed identity without any code changes. 3. Add a method to send a single message. |
service-bus-messaging | Service Bus Sas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-sas.md | This article discusses *Shared Access Signatures* (SAS), how they work, and how SAS guards access to Service Bus based on authorization rules that are configured either on a namespace, or a messaging entity (queue, or topic). An authorization rule has a name, is associated with specific rights, and carries a pair of cryptographic keys. You use the rule's name and key via the Service Bus SDK or in your own code to generate a SAS token. A client can then pass the token to Service Bus to prove authorization for the requested operation. > [!NOTE]-> Azure Service Bus supports authorizing access to a Service Bus namespace and its entities using Azure Active Directory (Azure AD). Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities. +> Azure Service Bus supports authorizing access to a Service Bus namespace and its entities using Microsoft Entra ID. Authorizing users or applications using OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there is no need to store the tokens in your code and risk potential security vulnerabilities. >-> Microsoft recommends using Azure AD with your Azure Service Bus applications when possible. For more information, see the following articles: -> - [Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities](authenticate-application.md). 
-> - [Authenticate a managed identity with Azure Active Directory to access Azure Service Bus resources](service-bus-managed-service-identity.md) +> Microsoft recommends using Microsoft Entra ID with your Azure Service Bus applications when possible. For more information, see the following articles: +> - [Authenticate and authorize an application with Microsoft Entra ID to access Azure Service Bus entities](authenticate-application.md). +> - [Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources](service-bus-managed-service-identity.md) > -> You can disable local or SAS key authentication for a Service Bus namespace and allow only Azure AD authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). +> You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md). ## Overview of SAS |
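Review bot: the renamed note keeps a sentence whose wording undercuts its own security argument: "With Microsoft Entra ID, there is no need to store the tokens in your code". The asset that SAS forces an application to hold is the authorization rule's key (the paragraph above describes using the rule name and key to generate a SAS token); OAuth 2.0 tokens are acquired at runtime and short-lived under either scheme. Suggest "there is no need to store shared keys in your code", and "using an OAuth 2.0 token returned by Microsoft Entra ID" for the missing article earlier in the same line.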
service-bus-messaging | Service Bus Service Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-service-endpoints.md | Binding a Service Bus namespace to a virtual network is a two-step process. You The virtual network rule is an association of the Service Bus namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Service Bus namespace. Service Bus itself never establishes outbound connections, doesn't need to gain access, and is therefore never granted access to your subnet by enabling this rule. > [!NOTE]-> Remember that a network service endpoint provides applications running in the virtual network the access to the Service Bus namespace. The virtual network controls the reachability of the endpoint, but not what operations can be done on Service Bus entities (queues, topics, or subscriptions). Use Azure Active Directory (Azure AD) to authorize operations that the applications can perform on the namespace and its entities. For more information, see [Authenticate and authorize an application with Azure AD to access Service Bus entities](authenticate-application.md). +> Remember that a network service endpoint provides applications running in the virtual network the access to the Service Bus namespace. The virtual network controls the reachability of the endpoint, but not what operations can be done on Service Bus entities (queues, topics, or subscriptions). Use Microsoft Entra ID to authorize operations that the applications can perform on the namespace and its entities. For more information, see [Authenticate and authorize an application with Microsoft Entra ID to access Service Bus entities](authenticate-application.md). 
## Use Azure portal The API version **2021-06-01-preview onwards** also introduces a new property na For more information about these properties, see [Create or Update Network Rule Set](/rest/api/servicebus/controlplane-preview/namespaces-network-rule-set/create-or-update-network-rule-set) and [Create or Update Private Endpoint Connections](/rest/api/servicebus/controlplane-preview/private-endpoint-connections/create-or-update). > [!NOTE]-> None of the above settings bypass validation of claims via SAS or Azure AD authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings. +> None of the above settings bypass validation of claims via SAS or Microsoft Entra authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings. ### Azure portal |
service-bus-messaging | Service Bus Troubleshooting Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-troubleshooting-guide.md | The identity doesn't have permissions to access the Service Bus topic. ### Resolution To resolve this error, install the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/) library. For more information, see [Local development authentication](/dotnet/api/overview/azure/service-to-service-authentication#local-development-authentication). -To learn how to assign permissions to roles, see [Authenticate a managed identity with Azure Active Directory to access Azure Service Bus resources](service-bus-managed-service-identity.md). +To learn how to assign permissions to roles, see [Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources](service-bus-managed-service-identity.md). ## Service Bus Exception: Put token failed |
service-bus-messaging | Transport Layer Security Enforce Minimum Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/transport-layer-security-enforce-minimum-version.md | Role assignments must be scoped to the level of the Service Bus namespace or hig Be careful to restrict assignment of these roles only to those who require the ability to create a Service Bus namespace or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Service Bus namespaces. For more information, see [**Azure roles, Azure AD roles, and classic subscription administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Service Bus namespaces. For more information, see [**Azure roles, Microsoft Entra roles, and classic subscription administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ## Network considerations |
service-fabric | Cluster Security Certificate Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/cluster-security-certificate-management.md | Let's quickly outline the progression of a certificate from issuance to consumpt 1. The domain owner also designates in the RA the identities of authorized requesters, entities that are entitled to request the enrollment of certificates with the specified domain or subject. -1. An authorized requester then enrolls into a certificate via a secret-management service. In Azure, the secret-management service of choice is Azure Key Vault, which securely stores and allows the retrieval of secrets and certificates by authorized entities. Key Vault also renews and re-keys the certificate as configured in the associated certificate policy. Key Vault uses Azure Active Directory as the identity provider. +1. An authorized requester then enrolls into a certificate via a secret-management service. In Azure, the secret-management service of choice is Azure Key Vault, which securely stores and allows the retrieval of secrets and certificates by authorized entities. Key Vault also renews and re-keys the certificate as configured in the associated certificate policy. Key Vault uses Microsoft Entra ID as the identity provider. 1. An authorized retriever, or *provisioning agent*, retrieves the certificate from the key vault, including its private key, and installs it on the machines that host the cluster. |
service-fabric | Cluster Security Certificates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/cluster-security-certificates.md | Before diving into the details of authentication or securing communication chann - clients: entities allowed to connect to, and execute functionality in a cluster, according to the cluster configuration. We distinguish between two levels of privileges - 'user' and 'admin', respectively. A 'user' client is restricted primarily to read-only operations (but not all read-only functionality), whereas an 'admin' client has unrestricted access to the cluster's functionality. (For more details, refer to [Security roles in a Service Fabric cluster](service-fabric-cluster-security-roles.md).) - (Azure-only) the Service Fabric services which orchestrate and expose controls for operation and management of Service Fabric clusters, referred to as simply 'service'. Depending on the environment, the 'service' may refer to the Azure Service Fabric Resource Provider, or other Resource Providers owned and operated by the Service Fabric team. -In a secure cluster, each of these roles can be configured with their own, distinct identity, declared as the pairing of a predefined role name and its corresponding credential. Service Fabric supports declaring credentials as certificates or domain-based service principal. (Windows-/Kerberos-based identities are also supported, but are beyond the scope of this article; refer to [Windows-based security in Service Fabric clusters](service-fabric-windows-cluster-windows-security.md).) In Azure clusters, client roles may also be declared as [Azure Active Directory-based identities](service-fabric-cluster-creation-setup-aad.md). +In a secure cluster, each of these roles can be configured with their own, distinct identity, declared as the pairing of a predefined role name and its corresponding credential. 
Service Fabric supports declaring credentials as certificates or domain-based service principal. (Windows-/Kerberos-based identities are also supported, but are beyond the scope of this article; refer to [Windows-based security in Service Fabric clusters](service-fabric-windows-cluster-windows-security.md).) In Azure clusters, client roles may also be declared as [Microsoft Entra ID-based identities](service-fabric-cluster-creation-setup-aad.md). As alluded to above, the Service Fabric runtime defines two levels of privilege in a cluster: 'admin' and 'user'. An administrator client and a 'system' component would both operate with 'admin' privileges, and so are undistinguishable from each other. Upon establishing a connection in/to the cluster, an authenticated caller will be granted by the Service Fabric runtime one of the two roles as the base for the subsequent authorization. We'll examine authentication in depth in the following sections. |
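Review bot: the `+` line correctly splits the paragraph and renames the link text to "Microsoft Entra ID-based identities"; the unchanged sentence immediately after it reads "undistinguishable from each other", which should be "indistinguishable" and could be fixed while the paragraph is open.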
service-fabric | Concepts Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/concepts-managed-identity.md | Last updated 07/11/2022 # Using Managed identities for Azure with Service Fabric -A common challenge when building cloud applications is how to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control. *Managed identities for Azure* solve this problem for all your resources in Azure Active Directory (Azure AD) by providing them with automatically managed identities within Azure AD. You can use a service's identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials stored in your code. +A common challenge when building cloud applications is how to securely manage the credentials in your code for authenticating to various services without saving them locally on a developer workstation or in source control. *Managed identities for Azure* solve this problem for all your resources in Microsoft Entra ID by providing them with automatically managed identities within Microsoft Entra ID. You can use a service's identity to authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without any credentials stored in your code. -*Managed identities for Azure resources* are free with Azure AD for Azure subscriptions. There's no extra cost. +*Managed identities for Azure resources* are free with Microsoft Entra ID for Azure subscriptions. There's no extra cost. > [!NOTE] > *Managed identities for Azure* is the new name for the service formerly known as Managed Service Identity (MSI). 
A common challenge when building cloud applications is how to securely manage th Managed identities for Azure are based upon several key concepts: -- **Client ID** - a unique identifier generated by Azure AD that is tied to an application and service principal during its initial provisioning (also see [Application (client) ID](../active-directory/develop/developer-glossary.md#application-client-id).)+- **Client ID** - a unique identifier generated by Microsoft Entra ID that is tied to an application and service principal during its initial provisioning (also see [Application (client) ID](../active-directory/develop/developer-glossary.md#application-client-id).) - **Principal ID** - the object ID of the service principal object for your managed identity that is used to grant role-based access to an Azure resource. -- **Service Principal** - an Azure Active Directory object, which represents the projection of an Azure AD application in a given tenant (also see [service principal](../active-directory/develop/developer-glossary.md#service-principal-object).)+- **Service Principal** - a Microsoft Entra object, which represents the projection of a Microsoft Entra application in a given tenant (also see [service principal](../active-directory/develop/developer-glossary.md#service-principal-object).) There are two types of managed identities: |
service-fabric | How To Deploy Custom Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-deploy-custom-image.md | Custom windows images are like marketplace images, but you create them yourself ## Before you begin Ensure that you've [created a custom image](../virtual-machines/linux/tutorial-custom-images.md).-Custom image is enabled with Service Fabric Managed Cluster (SFMC) API version 2022-08-01-preview and forward. To use custom images, you must grant SFMC First Party Azure Active Directory (Azure AD) App read access to the virtual machine (VM) Managed Image or Shared Gallery image so that SFMC has permission to read and create VM with the image. +Custom image is enabled with Service Fabric Managed Cluster (SFMC) API version 2022-08-01-preview and forward. To use custom images, you must grant SFMC First Party Microsoft Entra App read access to the virtual machine (VM) Managed Image or Shared Gallery image so that SFMC has permission to read and create VM with the image. If you have chosen to use an Azure Marketplace image, you need to [find and use the appropriate marketplace purchase plan information](../virtual-machines/windows/cli-ps-findimage.md). You can then specify a marketplace image and plan information when you create a VM. You can also browse available images and offers using the [Azure Marketplace](https://azuremarketplace.microsoft.com) or the [Azure CLI](../virtual-machines/linux/cli-ps-findimage.md). -Check [Add a managed identity to a Service Fabric Managed Cluster node type](how-to-managed-identity-managed-cluster-virtual-machine-scale-sets.md#prerequisites) as reference on how to obtain information about SFMC First Party Azure AD App and grant it access to the resources. Reader access is sufficient. 
+Check [Add a managed identity to a Service Fabric Managed Cluster node type](how-to-managed-identity-managed-cluster-virtual-machine-scale-sets.md#prerequisites) as reference on how to obtain information about SFMC First Party Microsoft Entra App and grant it access to the resources. Reader access is sufficient. `Role definition name: Reader` |
service-fabric | How To Grant Access Other Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-grant-access-other-resources.md | Title: Grant an application access to other Azure resources -description: This article explains how to grant your managed-identity-enabled Service Fabric application access to other Azure resources supporting Azure Active Directory-based authentication. +description: This article explains how to grant your managed-identity-enabled Service Fabric application access to other Azure resources supporting Microsoft Entra ID-based authentication. |
service-fabric | How To Managed Cluster App Deployment Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-managed-cluster-app-deployment-template.md | After the storage account is created, you create a blob container where the appl You can grant access to the container in one of the following ways: -* You can assign an Azure RBAC role that grants permissions to the container to a security principal, so that that security principal can access data in the container via Azure AD authorization. For more information, see [Authorize access to blobs using Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md). +* You can assign an Azure RBAC role that grants permissions to the container to a security principal, so that that security principal can access data in the container via Microsoft Entra authorization. For more information, see [Authorize access to blobs using Microsoft Entra ID](../storage/blobs/authorize-access-azure-active-directory.md). * You can delegate access to the container with a shared access signature to grant a client access to blobs in the container for a limited period of time and with specific permissions. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../storage/common/storage-sas-overview.md). * You can use the account access keys to authorize access to blob data. This approach is the least secure and so is not recommended. |
service-fabric | How To Managed Cluster Azure Active Directory Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-managed-cluster-azure-active-directory-client.md | Title: How to configure Azure Service Fabric managed cluster for Azure active directory client access -description: Learn how to configure an Azure Service Fabric managed cluster for Azure active directory client access + Title: How to configure Azure Service Fabric managed cluster for Microsoft Entra client access +description: Learn how to configure an Azure Service Fabric managed cluster for Microsoft Entra client access Last updated 07/11/2022 # How to configure Azure Service Fabric managed cluster for Active Directory client access -Cluster security is configured when the cluster is first set up and can't be changed later. Before setting up a cluster, read [Service Fabric cluster security scenarios](service-fabric-cluster-security.md). In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Azure Active Directory is also recommended to secure access to management endpoints. Azure AD tenants and users must be created before creating the cluster. For more information, read Set up Azure AD to authenticate clients. +Cluster security is configured when the cluster is first set up and can't be changed later. Before setting up a cluster, read [Service Fabric cluster security scenarios](service-fabric-cluster-security.md). In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Microsoft Entra ID is also recommended to secure access to management endpoints. Microsoft Entra tenants and users must be created before creating the cluster. For more information, read Set up Microsoft Entra ID to authenticate clients. 
-You add the Azure AD configuration to a cluster resource manager template by referencing the key vault that contains the certificate keys. Add those Azure AD parameters and values in a Resource Manager template parameters file (*azuredeploy.parameters.json*). +You add the Microsoft Entra configuration to a cluster resource manager template by referencing the key vault that contains the certificate keys. Add those Microsoft Entra parameters and values in a Resource Manager template parameters file (*azuredeploy.parameters.json*). > [!NOTE]-> On Azure AD tenants and users must be created before creating the cluster. For more information, read [Set up Azure AD to authenticate clients](service-fabric-cluster-creation-setup-aad.md). +> On Microsoft Entra tenants and users must be created before creating the cluster. For more information, read [Set up Microsoft Entra ID to authenticate clients](service-fabric-cluster-creation-setup-aad.md). ```json { |
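Review bot: In the '+' line of the note block, 'On Microsoft Entra tenants and users must be created before creating the cluster' carries a dangling 'On' (the '-' line has the same defect, and the equivalent note in service-fabric-cluster-creation-create-template.md in this same changeset reads 'On Linux, ...'); either drop 'On' or restore the platform qualifier while the line is being touched. The H1 '# How to configure Azure Service Fabric managed cluster for Active Directory client access' is also left unrenamed even though the Title and description metadata directly above it were updated to 'Microsoft Entra client access'.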
service-fabric | How To Managed Cluster Grant Access Other Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-managed-cluster-grant-access-other-resources.md | Title: Grant access to Azure resources on a Service Fabric cluster -description: Learn how to grant a managed-identity-enabled Service Fabric application access to other Azure resources that support Azure Active Directory authentication. +description: Learn how to grant a managed-identity-enabled Service Fabric application access to other Azure resources that support Microsoft Entra authentication. You can use the Service Fabric application's managed identity, which is user-ass 1. Next, ensure the proper subscription is listed in **Subscription** dropdown list and then set **Resource Group** to **All resource groups**. 1. Under **Select**, choose the UAI corresponding to the Service Fabric application and then select **Save**. -Support for system-assigned Service Fabric managed identities doesn't include integration in the Azure portal. If your application uses a system-assigned identity, find the client ID of the application's identity, and then repeat the steps above but selecting the **Azure AD user, group, or service principal** option in the **Find** control. +Support for system-assigned Service Fabric managed identities doesn't include integration in the Azure portal. If your application uses a system-assigned identity, find the client ID of the application's identity, and then repeat the steps above but selecting the **Microsoft Entra user, group, or service principal** option in the **Find** control. ## Grant access to Azure Key Vault |
service-fabric | How To Managed Cluster Managed Identity Service Fabric App Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-managed-cluster-managed-identity-service-fabric-app-code.md | Last updated 07/11/2022 # How to leverage a Service Fabric application's managed identity to access Azure services on a Service Fabric managed cluster -Service Fabric applications can leverage managed identities to access other Azure resources which support Azure Active Directory-based authentication. An application can obtain an [access token](../active-directory/develop/developer-glossary.md#access-token) representing its identity, which may be system-assigned or user-assigned, and use it as a 'bearer' token to authenticate itself to another service - also known as a [protected resource server](../active-directory/develop/developer-glossary.md#resource-server). The token represents the identity assigned to the Service Fabric application, and will only be issued to Azure resources (including SF applications) which share that identity. Refer to the [managed identity overview](../active-directory/managed-identities-azure-resources/overview.md) documentation for a detailed description of managed identities, as well as the distinction between system-assigned and user-assigned identities. We will refer to a managed-identity-enabled Service Fabric application as the [client application](../active-directory/develop/developer-glossary.md#client-application) throughout this article. +Service Fabric applications can leverage managed identities to access other Azure resources which support Microsoft Entra ID-based authentication. 
An application can obtain an [access token](../active-directory/develop/developer-glossary.md#access-token) representing its identity, which may be system-assigned or user-assigned, and use it as a 'bearer' token to authenticate itself to another service - also known as a [protected resource server](../active-directory/develop/developer-glossary.md#resource-server). The token represents the identity assigned to the Service Fabric application, and will only be issued to Azure resources (including SF applications) which share that identity. Refer to the [managed identity overview](../active-directory/managed-identities-azure-resources/overview.md) documentation for a detailed description of managed identities, as well as the distinction between system-assigned and user-assigned identities. We will refer to a managed-identity-enabled Service Fabric application as the [client application](../active-directory/develop/developer-glossary.md#client-application) throughout this article. See a companion sample application that demonstrates using system-assigned and user-assigned [Service Fabric application managed identities](https://github.com/Azure-Samples/service-fabric-managed-identity) with Reliable Services and containers. > [!IMPORTANT]-> A managed identity represents the association between an Azure resource and a service principal in the corresponding Azure AD tenant associated with the subscription containing the resource. As such, in the context of Service Fabric, managed identities are only supported for applications deployed as Azure resources. +> A managed identity represents the association between an Azure resource and a service principal in the corresponding Microsoft Entra tenant associated with the subscription containing the resource. As such, in the context of Service Fabric, managed identities are only supported for applications deployed as Azure resources. 
> [!IMPORTANT]-> Prior to using the managed identity of a Service Fabric application, the client application must be granted access to the protected resource. Please refer to the list of [Azure services which support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) +> Prior to using the managed identity of a Service Fabric application, the client application must be granted access to the protected resource. Please refer to the list of [Azure services which support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) to check for support, and then to the respective service's documentation for specific steps to grant an identity access to resources of interest. ## Leverage a managed identity using Azure.Identity The 'status code' field of the HTTP response header indicates the success status | Status Code | Error Reason | How To Handle | | -- | | - | | 404 Not found. | Unknown authentication code, or the application was not assigned a managed identity. | Rectify the application setup or token acquisition code. |-| 429 Too many requests. | Throttle limit reached, imposed by Azure AD or SF. | Retry with Exponential Backoff. See guidance below. | +| 429 Too many requests. | Throttle limit reached, imposed by Microsoft Entra ID or SF. | Retry with Exponential Backoff. See guidance below. | | 4xx Error in request. | One or more of the request parameters was incorrect. | Do not retry. Examine the error details for more information. 4xx errors are design-time errors.|-| 5xx Error from service. | The managed identity subsystem or Azure Active Directory returned a transient error. | It is safe to retry after a short while. 
You may hit a throttling condition (429) upon retrying.| +| 5xx Error from service. | The managed identity subsystem or Microsoft Entra ID returned a transient error. | It is safe to retry after a short while. You may hit a throttling condition (429) upon retrying.| If an error occurs, the corresponding HTTP response body contains a JSON object with the error details: It is recommended that requests failed due to throttling are retried with an exp | 5 | Wait 16 seconds and retry | ## Resource IDs for Azure services-See [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md) for a list of resources that support Azure AD, and their respective resource IDs. +See [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md) for a list of resources that support Microsoft Entra ID, and their respective resource IDs. ## Next steps * [Deploy an Azure Service Fabric application with user-assigned or system-assigned managed identity](./how-to-deploy-service-fabric-application-system-assigned-managed-identity.md) * [Grant an Azure Service Fabric application access to other Azure resources](./how-to-managed-cluster-grant-access-other-resources.md)-* [Explore a sample application using Service Fabric Managed Identity](https://github.com/Azure-Samples/service-fabric-managed-identity) +* [Explore a sample application using Service Fabric Managed Identity](https://github.com/Azure-Samples/service-fabric-managed-identity) |
service-fabric | How To Managed Identity Service Fabric App Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/how-to-managed-identity-service-fabric-app-code.md | Last updated 07/11/2022 # How to leverage a Service Fabric application's managed identity to access Azure services -Service Fabric applications can leverage managed identities to access other Azure resources which support Azure Active Directory-based authentication. An application can obtain an [access token](../active-directory/develop/developer-glossary.md#access-token) representing its identity, which may be system-assigned or user-assigned, and use it as a 'bearer' token to authenticate itself to another service - also known as a [protected resource server](../active-directory/develop/developer-glossary.md#resource-server). The token represents the identity assigned to the Service Fabric application, and will only be issued to Azure resources (including SF applications) which share that identity. Refer to the [managed identity overview](../active-directory/managed-identities-azure-resources/overview.md) documentation for a detailed description of managed identities, as well as the distinction between system-assigned and user-assigned identities. We will refer to a managed-identity-enabled Service Fabric application as the [client application](../active-directory/develop/developer-glossary.md#client-application) throughout this article. +Service Fabric applications can leverage managed identities to access other Azure resources which support Microsoft Entra ID-based authentication. An application can obtain an [access token](../active-directory/develop/developer-glossary.md#access-token) representing its identity, which may be system-assigned or user-assigned, and use it as a 'bearer' token to authenticate itself to another service - also known as a [protected resource server](../active-directory/develop/developer-glossary.md#resource-server). 
The token represents the identity assigned to the Service Fabric application, and will only be issued to Azure resources (including SF applications) which share that identity. Refer to the [managed identity overview](../active-directory/managed-identities-azure-resources/overview.md) documentation for a detailed description of managed identities, as well as the distinction between system-assigned and user-assigned identities. We will refer to a managed-identity-enabled Service Fabric application as the [client application](../active-directory/develop/developer-glossary.md#client-application) throughout this article. See a companion sample application that demonstrates using system-assigned and user-assigned [Service Fabric application managed identities](https://github.com/Azure-Samples/service-fabric-managed-identity) with Reliable Services and containers. > [!IMPORTANT]-> A managed identity represents the association between an Azure resource and a service principal in the corresponding Azure AD tenant associated with the subscription containing the resource. As such, in the context of Service Fabric, managed identities are only supported for applications deployed as Azure resources. +> A managed identity represents the association between an Azure resource and a service principal in the corresponding Microsoft Entra tenant associated with the subscription containing the resource. As such, in the context of Service Fabric, managed identities are only supported for applications deployed as Azure resources. > [!IMPORTANT]-> Prior to using the managed identity of a Service Fabric application, the client application must be granted access to the protected resource. 
Please refer to the list of [Azure services which support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) +> Prior to using the managed identity of a Service Fabric application, the client application must be granted access to the protected resource. Please refer to the list of [Azure services which support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) to check for support, and then to the respective service's documentation for specific steps to grant an identity access to resources of interest. ## Leverage a managed identity using Azure.Identity The 'status code' field of the HTTP response header indicates the success status | Status Code | Error Reason | How To Handle | | -- | | - | | 404 Not found. | Unknown authentication code, or the application was not assigned a managed identity. | Rectify the application setup or token acquisition code. |-| 429 Too many requests. | Throttle limit reached, imposed by AAD or SF. | Retry with Exponential Backoff. See guidance below. | +| 429 Too many requests. | Throttle limit reached, imposed by Microsoft Entra ID or SF. | Retry with Exponential Backoff. See guidance below. | | 4xx Error in request. | One or more of the request parameters was incorrect. | Do not retry. Examine the error details for more information. 4xx errors are design-time errors.|-| 5xx Error from service. | The managed identity subsystem or Azure Active Directory returned a transient error. | It is safe to retry after a short while. You may hit a throttling condition (429) upon retrying.| +| 5xx Error from service. | The managed identity subsystem or Microsoft Entra ID returned a transient error. | It is safe to retry after a short while. 
You may hit a throttling condition (429) upon retrying.| If an error occurs, the corresponding HTTP response body contains a JSON object with the error details: It is recommended that requests failed due to throttling are retried with an exp | 5 | Wait 16 seconds and retry | ## Resource IDs for Azure services-See [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md) for a list of resources that support Azure AD, and their respective resource IDs. +See [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md) for a list of resources that support Microsoft Entra ID, and their respective resource IDs. ## Next steps * [Deploy a Service Fabric application with Managed Identity to a managed cluster](how-to-managed-cluster-application-managed-identity.md) * [Deploy a Service Fabric application with a system-assigned Managed Identity to a classic cluster](./how-to-deploy-service-fabric-application-system-assigned-managed-identity.md) * [Deploy a Service Fabric application with a user-assigned Managed Identity to a classic cluster](./how-to-deploy-service-fabric-application-user-assigned-managed-identity.md) * [Granting a Service Fabric application's Managed Identity access to Azure resources](./how-to-grant-access-other-resources.md)-* [Explore a sample application using Service Fabric Managed Identity](https://github.com/Azure-Samples/service-fabric-managed-identity) +* [Explore a sample application using Service Fabric Managed Identity](https://github.com/Azure-Samples/service-fabric-managed-identity) |
service-fabric | Service Fabric Application And Service Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-application-and-service-security.md | It is often necessary for resources and APIs exposed by a service to be limited ### Authentication The first step to making API-level trust decisions is authentication. Authentication is the process of reliably ascertaining a user’s identity. In microservice scenarios, authentication is typically handled centrally. If you are using an API Gateway, you can [offload authentication](/azure/architecture/patterns/gateway-offloading) to the gateway. If you use this approach, make sure that the individual services cannot be reached directly (without the API Gateway) unless additional security is in place to authenticate messages whether they come from the gateway or not. -If services can be accessed directly, an authentication service like Azure Active Directory or a dedicated authentication microservice acting as a security token service (STS) can be used to authenticate users. Trust decisions are shared between services with security tokens or cookies. +If services can be accessed directly, an authentication service like Microsoft Entra ID or a dedicated authentication microservice acting as a security token service (STS) can be used to authenticate users. Trust decisions are shared between services with security tokens or cookies. For ASP.NET Core, the primary mechanism for [authenticating users](/dotnet/standard/microservices-architecture/secure-net-microservices-web-applications/) is the ASP.NET Core Identity membership system. ASP.NET Core Identity stores user information (including sign-in information, roles, and claims) in a data store configured by the developer. ASP.NET Core Identity supports two-factor authentication. 
External authentication providers are also supported, so users can sign in using existing authentication processes from providers like Microsoft, Google, Facebook, or Twitter. |
service-fabric | Service Fabric Azure Clusters Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-azure-clusters-overview.md | For more information, read [Node-to-node security](service-fabric-cluster-securi ### Client-to-node security Client-to-node security authenticates clients and helps secure communication between a client and individual nodes in the cluster. This type of security helps ensure that only authorized users can access the cluster and the applications that are deployed on the cluster. Clients are uniquely identified through either their X.509 certificate security credentials. Any number of optional client certificates can be used to authenticate admin or user clients with the cluster. -In addition to client certificates, Azure Active Directory can also be configured to authenticate clients with the cluster. +In addition to client certificates, Microsoft Entra ID can also be configured to authenticate clients with the cluster. For more information, read [Client-to-node security](service-fabric-cluster-security.md#client-to-node-security) ### Role-based access control -Azure role-based access control (Azure RBAC) allows you to assign fine-grained access controls on Azure resources. You can assign different access rules to subscriptions, resource groups, and resources. Azure RBAC rules are inherited along the resource hierarchy unless overridden at a lower level. You can assign any user or user groups on your Azure AD with Azure RBAC rules so that designated users and groups can modify your cluster. For more information, read the [Azure RBAC overview](../role-based-access-control/overview.md). +Azure role-based access control (Azure RBAC) allows you to assign fine-grained access controls on Azure resources. You can assign different access rules to subscriptions, resource groups, and resources. Azure RBAC rules are inherited along the resource hierarchy unless overridden at a lower level. 
You can assign any user or user groups on your Microsoft Entra ID with Azure RBAC rules so that designated users and groups can modify your cluster. For more information, read the [Azure RBAC overview](../role-based-access-control/overview.md). Service Fabric also supports access control to limit access to certain cluster operations for different groups of users. This helps make the cluster more secure. Two access control types are supported for clients that connect to a cluster: Administrator role and User role. Read more about [securing](service-fabric-cluster-security.md), [scaling](servic Learn about [Service Fabric support options](service-fabric-support.md). -[Image]: media/service-fabric-azure-clusters-overview/Cluster.PNG +[Image]: media/service-fabric-azure-clusters-overview/Cluster.PNG |
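Review bot: The substituted phrase 'any user or user groups on your Microsoft Entra ID' reads awkwardly after the rename, because 'Microsoft Entra ID' is the service name rather than a container; 'in your Microsoft Entra tenant' is the idiomatic form and matches the 'Microsoft Entra tenant' wording already used in the IMPORTANT notes of how-to-managed-identity-service-fabric-app-code.md in this same changeset.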
service-fabric | Service Fabric Best Practices Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-best-practices-security.md | To give your application access to secrets, include the certificate by adding a To learn about managed identities for Azure resources, see [What is managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). Azure Service Fabric clusters are hosted on Virtual Machine Scale Sets, which support [Managed Service Identity](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources).-To get a list of services that MSI can be used to authenticate to, see [Azure Services that support Azure Active Directory Authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +To get a list of services that MSI can be used to authenticate to, see [Azure Services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). To enable system assigned managed identity during the creation of a virtual machines scale set or an existing virtual machines scale set, declare the following `"Microsoft.Compute/virtualMachinesScaleSets"` property: |
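Review bot: The link text changes to 'Azure Services that support Microsoft Entra authentication' but the fragment '#azure-services-that-support-azure-ad-authentication' is left as is; if the target heading in services-support-managed-identities.md was renamed in the same pass, the anchor will silently stop resolving to the section, so verify the heading's generated id before merging. The surrounding text also still says 'Managed Service Identity' and 'MSI', which concepts-managed-identity.md in this same changeset describes as the former name of the service.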
service-fabric | Service Fabric Cluster Creation Create Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-creation-create-template.md | Title: Create an Azure Service Fabric cluster template -description: Learn how to create a Resource Manager template for a Service Fabric cluster. Configure security, Azure Key Vault, and Azure Active Directory (Azure AD) for client authentication. +description: Learn how to create a Resource Manager template for a Service Fabric cluster. Configure security, Azure Key Vault, and Microsoft Entra ID for client authentication. Last updated 07/14/2022 An [Azure Service Fabric cluster](service-fabric-deploy-anywhere.md) is a network-connected set of virtual machines into which your microservices are deployed and managed. A Service Fabric cluster running in Azure is an Azure resource and is deployed, managed, and monitored using the Resource Manager. This article describes how create a Resource Manager template for a Service Fabric cluster running in Azure. When the template is complete, you can [deploy the cluster on Azure](service-fabric-cluster-creation-via-arm.md). -Cluster security is configured when the cluster is first set up and cannot be changed later. Before setting up a cluster, read [Service Fabric cluster security scenarios][service-fabric-cluster-security]. In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Azure Active Directory is also recommended to secure access to management endpoints. Azure AD tenants and users must be created before creating the cluster. For more information, read [Set up Azure AD to authenticate clients](service-fabric-cluster-creation-setup-aad.md). +Cluster security is configured when the cluster is first set up and cannot be changed later. Before setting up a cluster, read [Service Fabric cluster security scenarios][service-fabric-cluster-security]. 
In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Microsoft Entra ID is also recommended to secure access to management endpoints. Microsoft Entra tenants and users must be created before creating the cluster. For more information, read [Set up Microsoft Entra ID to authenticate clients](service-fabric-cluster-creation-setup-aad.md). Before deploying a production cluster to run production workloads, be sure to first read the [Production readiness checklist](service-fabric-production-readiness-checklist.md). The cluster authentication certificate must be configured in both the Service Fa } ``` -## Add Azure AD configuration to use Azure AD for client access +<a name='add-azure-ad-configuration-to-use-azure-ad-for-client-access'></a> -You add the Azure AD configuration to a cluster Resource Manager template by referencing the key vault that contains the certificate keys. Add those Azure AD parameters and values in a Resource Manager template parameters file (*azuredeploy.parameters.json*). +## Add Microsoft Entra configuration to use Microsoft Entra ID for client access ++You add the Microsoft Entra configuration to a cluster Resource Manager template by referencing the key vault that contains the certificate keys. Add those Microsoft Entra parameters and values in a Resource Manager template parameters file (*azuredeploy.parameters.json*). > [!NOTE]-> On Linux, Azure AD tenants and users must be created before creating the cluster. For more information, read [Set up Azure AD to authenticate clients](service-fabric-cluster-creation-setup-aad.md). +> On Linux, Microsoft Entra tenants and users must be created before creating the cluster. For more information, read [Set up Microsoft Entra ID to authenticate clients](service-fabric-cluster-creation-setup-aad.md). 
```json { If you plan to use the Azure service fabric RM PowerShell modules, then you do n If you are using application certs or are using an existing cluster that you have uploaded to the key vault, you need to get this information and populate it. -The RM modules do not have the ability to generate the Azure AD configuration for you, so if you plan to use the Azure AD for client access, you need to populate it. +The RM modules do not have the ability to generate the Microsoft Entra configuration for you, so if you plan to use the Microsoft Entra ID for client access, you need to populate it. ```json { In case you run into issues and get cryptic messages, then use "-Debug" as an op Test-AzResourceGroupDeployment -ResourceGroupName "myresourcegroup" -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json -Debug ``` -The following diagram illustrates where your key vault and Azure AD configuration fit into your Resource Manager template. +The following diagram illustrates where your key vault and Microsoft Entra configuration fit into your Resource Manager template. ![Resource Manager dependency map][cluster-security-arm-dependency-map] |
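Review bot: the added sentence in the RM-modules paragraph of this row reads "if you plan to use the Microsoft Entra ID for client access"; the article "the" was carried over from the old "use the Azure AD" wording and should be dropped, giving "if you plan to use Microsoft Entra ID for client access", which matches how the term is written elsewhere in this change.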
service-fabric | Service Fabric Cluster Creation Setup Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-creation-setup-aad.md | Title: Set up Azure Active Directory for client authentication -description: Learn how to set up Azure Active Directory (Azure AD) to authenticate clients for Service Fabric clusters. + Title: Set up Microsoft Entra ID for client authentication +description: Learn how to set up Microsoft Entra ID to authenticate clients for Service Fabric clusters. -# Set up Azure Active Directory for client authentication +# Set up Microsoft Entra ID for client authentication > [!WARNING]-> At this time, AAD client authentication and the Managed Identity Token Service are mutually incompatible on Linux. +> At this time, Microsoft Entra client authentication and the Managed Identity Token Service are mutually incompatible on Linux. -For clusters running on Azure, Azure Active Directory (Azure AD) is recommended to secure access to management endpoints. This article describes how to setup Azure AD to authenticate clients for a Service Fabric cluster. +For clusters running on Azure, Microsoft Entra ID is recommended to secure access to management endpoints. This article describes how to setup Microsoft Entra ID to authenticate clients for a Service Fabric cluster. -On Linux, you must complete the following steps before you create the cluster. On Windows, you also have the option to [configure Azure AD authentication for an existing cluster](https://github.com/Azure/Service-Fabric-Troubleshooting-Guides/blob/master/Security/Configure%20Azure%20Active%20Directory%20Authentication%20for%20Existing%20Cluster.md). +On Linux, you must complete the following steps before you create the cluster. 
On Windows, you also have the option to [configure Microsoft Entra authentication for an existing cluster](https://github.com/Azure/Service-Fabric-Troubleshooting-Guides/blob/master/Security/Configure%20Azure%20Active%20Directory%20Authentication%20for%20Existing%20Cluster.md). -In this article, the term "application" will be used to refer to [Azure Active Directory applications](../active-directory/develop/developer-glossary.md#client-application), not Service Fabric applications; the distinction will be made where necessary. Azure AD enables organizations (known as tenants) to manage user access to applications. +In this article, the term "application" will be used to refer to [Microsoft Entra applications](../active-directory/develop/developer-glossary.md#client-application), not Service Fabric applications; the distinction will be made where necessary. Microsoft Entra ID enables organizations (known as tenants) to manage user access to applications. -A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, you will create two Azure AD applications to control access to the cluster: one web application and one native application. After the applications are created, you will assign users to read-only and admin roles. +A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, you will create two Microsoft Entra applications to control access to the cluster: one web application and one native application. After the applications are created, you will assign users to read-only and admin roles. 
> [!NOTE]-> At this time, Service Fabric doesn't support Azure AD authentication for storage. +> At this time, Service Fabric doesn't support Microsoft Entra authentication for storage. > [!NOTE]-> It is a [known issue](https://github.com/microsoft/service-fabric/issues/399) that applications and nodes on Linux AAD-enabled clusters cannot be viewed in Azure Portal. +> It is a [known issue](https://github.com/microsoft/service-fabric/issues/399) that applications and nodes on Linux Microsoft Entra ID-enabled clusters cannot be viewed in Azure Portal. > [!NOTE]-> Azure Active Directory now requires an application (app registration) publishers domain to be verified or use of default scheme. See [Configure an application's publisher domain](../active-directory/develop/howto-configure-publisher-domain.md) and [AppId Uri in single tenant applications will require use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains) for additional information. +> Microsoft Entra ID now requires an application (app registration) publishers domain to be verified or use of default scheme. See [Configure an application's publisher domain](../active-directory/develop/howto-configure-publisher-domain.md) and [AppId Uri in single tenant applications will require use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains) for additional information. ## Prerequisites -In this article, we assume that you have already created a tenant. If you have not, start by reading [How to get an Azure Active Directory tenant][active-directory-howto-tenant]. -To simplify some of the steps involved in configuring Azure AD with a Service Fabric cluster, we have created a set of Windows PowerShell scripts. 
Some actions require administrative level access to Azure AD. If script errors with 401/403 'Authorization_RequestDenied', an administrator will need to execute script. +In this article, we assume that you have already created a tenant. If you have not, start by reading [How to get a Microsoft Entra tenant][active-directory-howto-tenant]. +To simplify some of the steps involved in configuring Microsoft Entra ID with a Service Fabric cluster, we have created a set of Windows PowerShell scripts. Some actions require administrative level access to Microsoft Entra ID. If script errors with 401/403 'Authorization_RequestDenied', an administrator will need to execute script. 1. Authenticate with Azure administrative permissions. 2. [Clone the repo](https://github.com/Azure-Samples/service-fabric-aad-helpers) to your computer. 3. [Ensure you have all prerequisites](https://github.com/Azure-Samples/service-fabric-aad-helpers#getting-started) for the scripts installed. -## Create Azure AD applications and assign users to roles +<a name='create-azure-ad-applications-and-assign-users-to-roles'></a> -We'll use the scripts to create two Azure AD applications to control access to the cluster: one web application and one native application. After you create applications to represent your cluster, you'll create users for the [roles supported by Service Fabric](service-fabric-cluster-security-roles.md): read-only and admin. +## Create Microsoft Entra applications and assign users to roles ++We'll use the scripts to create two Microsoft Entra applications to control access to the cluster: one web application and one native application. After you create applications to represent your cluster, you'll create users for the [roles supported by Service Fabric](service-fabric-cluster-security-roles.md): read-only and admin. 
### SetupApplications.ps1 Run `SetupApplications.ps1` and provide the tenant ID, cluster name, web applica - **tenantId:** You can find your *TenantId* by executing the PowerShell command `Get-AzureSubscription`. Executing this command displays the TenantId for every subscription. -- **clusterName:** *ClusterName* is used to prefix the Azure AD applications that are created by the script. It does not need to match the actual cluster name exactly. It is intended only to make it easier to map Azure AD artifacts to the Service Fabric cluster that they're being used with.+- **clusterName:** *ClusterName* is used to prefix the Microsoft Entra applications that are created by the script. It does not need to match the actual cluster name exactly. It is intended only to make it easier to map Microsoft Entra artifacts to the Service Fabric cluster that they're being used with. -- **webApplicationReplyUrl:** *WebApplicationReplyUrl* is the default endpoint that Azure AD returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster. If you are creating Azure AD applications to represent an existing cluster, make sure this URL matches your existing cluster's endpoint. If you are creating applications for a new cluster, plan the endpoint your cluster will have and make sure not to use the endpoint of an existing cluster. By default the Service Fabric Explorer endpoint is: `https://<cluster_domain>:19080/Explorer`+- **webApplicationReplyUrl:** *WebApplicationReplyUrl* is the default endpoint that Microsoft Entra ID returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster. If you are creating Microsoft Entra applications to represent an existing cluster, make sure this URL matches your existing cluster's endpoint. 
If you are creating applications for a new cluster, plan the endpoint your cluster will have and make sure not to use the endpoint of an existing cluster. By default the Service Fabric Explorer endpoint is: `https://<cluster_domain>:19080/Explorer` - **webApplicationUri:** *WebApplicationUri* is either the URI of a 'verified domain' or URI using API scheme format of api://{{tenant Id}}/{{cluster name}}. See [AppId Uri in single tenant applications will require use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains) for additional information. $configObj = .\SetupApplications.ps1 -TenantId $tenantId ` -Verbose ``` -The script outputs $configObj variable for subsequent commands and prints the JSON required by the Azure Resource Manager template. Copy the JSON output and use when creating or modifying existing cluster [create your Azure AD enabled cluster](service-fabric-cluster-creation-create-template.md#add-azure-ad-configuration-to-use-azure-ad-for-client-access). +The script outputs $configObj variable for subsequent commands and prints the JSON required by the Azure Resource Manager template. Copy the JSON output and use when creating or modifying existing cluster [create your Microsoft Entra ID enabled cluster](service-fabric-cluster-creation-create-template.md#add-azure-ad-configuration-to-use-azure-ad-for-client-access). #### SetupApplications.ps1 example output $resourceGroupName = 'mysftestcluster' ``` > [!NOTE] -> Update cluster provisioning ARM templates or scripts with new cluster resource Azure AD configuration changes. +> Update cluster provisioning ARM templates or scripts with new cluster resource Microsoft Entra configuration changes. 
## Granting admin consent It may be necessary to 'Grant admin consent' for the 'API permissions' being con ![Screenshot that shows the Grant admin consent confirmation with Yes highlighted.](media/service-fabric-cluster-creation-setup-aad/portal-client-api-grant-confirm.png) -## Verifying Azure AD Configuration +<a name='verifying-azure-ad-configuration'></a> ++## Verifying Microsoft Entra Configuration -Navigate to the Service Fabric Explorer (SFX) URL. This should be the same as the parameter webApplicationReplyUrl. An Azure authentication dialog should be displayed. Log on with an account configured with the new Azure AD configuration. Verify that the administrator account has read/write access and that the user has read access. Any modification to the cluster, for example, performing an action, is an administrative action. +Navigate to the Service Fabric Explorer (SFX) URL. This should be the same as the parameter webApplicationReplyUrl. An Azure authentication dialog should be displayed. Log on with an account configured with the new Microsoft Entra configuration. Verify that the administrator account has read/write access and that the user has read access. Any modification to the cluster, for example, performing an action, is an administrative action. -## Troubleshooting help in setting up Azure Active Directory +<a name='troubleshooting-help-in-setting-up-azure-active-directory'></a> -Setting up Azure AD and using it can be challenging, so here are some pointers on what you can do to debug the issue. PowerShell transcript logging can be enabled by using the '-logFile' argument on 'SetupApplications.ps1' and 'SetupUser.ps1' scripts to review output. +## Troubleshooting help in setting up Microsoft Entra ID ++Setting up Microsoft Entra ID and using it can be challenging, so here are some pointers on what you can do to debug the issue. 
PowerShell transcript logging can be enabled by using the '-logFile' argument on 'SetupApplications.ps1' and 'SetupUser.ps1' scripts to review output. > [!NOTE] > With migration of Identities platforms (ADAL to MSAL), deprecation of AzureRM in favor of Azure AZ, and supporting multiple versions of PowerShell, dependencies may not always be correct or up to date causing errors in script execution. Running PowerShell commands and scripts from Azure Cloud Shell reduces the potential for errors with session auto authentication and managed identity. Scripts will retry on certain requests with HTTP status codes 400 and 404 upto p ### **Service Fabric Explorer prompts you to select a certificate** #### **Problem**-After you sign in successfully to Azure AD in Service Fabric Explorer, the browser returns to the home page but a message prompts you to select a certificate. +After you sign in successfully to Microsoft Entra ID in Service Fabric Explorer, the browser returns to the home page but a message prompts you to select a certificate. ![SFX certificate dialog][sfx-select-certificate-dialog] #### **Reason**-The user is not assigned a role in the Azure AD cluster application. Thus, Azure AD authentication fails on Service Fabric cluster. Service Fabric Explorer falls back to certificate authentication. +The user is not assigned a role in the Microsoft Entra ID cluster application. Thus, Microsoft Entra authentication fails on Service Fabric cluster. Service Fabric Explorer falls back to certificate authentication. #### **Solution**-Follow the instructions for setting up Azure AD, and assign user roles. Also, we recommend that you turn on "User assignment required to access app," as `SetupApplications.ps1` does. +Follow the instructions for setting up Microsoft Entra ID, and assign user roles. Also, we recommend that you turn on "User assignment required to access app," as `SetupApplications.ps1` does. 
### **Connection with PowerShell fails with an error: "The specified credentials are invalid"** #### **Problem**-When you use PowerShell to connect to the cluster by using "AzureActiveDirectory" security mode, after you sign in successfully to Azure AD, the connection fails with an error: "The specified credentials are invalid." +When you use PowerShell to connect to the cluster by using "AzureActiveDirectory" security mode, after you sign in successfully to Microsoft Entra ID, the connection fails with an error: "The specified credentials are invalid." #### **Solution** This solution is the same as the preceding one. This solution is the same as the preceding one. ### **Service Fabric Explorer returns a failure when you sign in: "AADSTS50011"** #### **Problem**-When you try to sign in to Azure AD in Service Fabric Explorer, the page returns a failure: "AADSTS50011: The reply address <url> does not match the reply addresses configured for the application: <guid>." +When you try to sign in to Microsoft Entra ID in Service Fabric Explorer, the page returns a failure: "AADSTS50011: The reply address <url> does not match the reply addresses configured for the application: <guid>." ![SFX reply address does not match][sfx-reply-address-not-match] #### **Reason**-The cluster (web) application that represents Service Fabric Explorer attempts to authenticate against Azure AD, and as part of the request it provides the redirect return URL. But the URL is not listed in the Azure AD application **REPLY URL** list. +The cluster (web) application that represents Service Fabric Explorer attempts to authenticate against Microsoft Entra ID, and as part of the request it provides the redirect return URL. But the URL is not listed in the Microsoft Entra application **REPLY URL** list. #### **Solution**-On the Azure AD app registration page for your cluster, select **Authentication**, and under the **Redirect URIs** section, add the Service Fabric Explorer URL to the list. 
Save your change. +On the Microsoft Entra app registration page for your cluster, select **Authentication**, and under the **Redirect URIs** section, add the Service Fabric Explorer URL to the list. Save your change. ![Web application reply URL][web-application-reply-url] -### **Connecting to the cluster using Azure AD authentication via PowerShell gives an error when you sign in: "AADSTS50011"** +<a name='connecting-to-the-cluster-using-azure-ad-authentication-via-powershell-gives-an-error-when-you-sign-in-aadsts50011'></a> ++### **Connecting to the cluster using Microsoft Entra authentication via PowerShell gives an error when you sign in: "AADSTS50011"** #### **Problem**-When you try to connect to a Service Fabric cluster using Azure AD via PowerShell, the sign-in page returns a failure: "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: <guid>." +When you try to connect to a Service Fabric cluster using Microsoft Entra ID via PowerShell, the sign-in page returns a failure: "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: <guid>." #### **Reason**-Similar to the preceding issue, PowerShell attempts to authenticate against Azure AD, which provides a redirect URL that isn't listed in the Azure AD application **Reply URLs** list. +Similar to the preceding issue, PowerShell attempts to authenticate against Microsoft Entra ID, which provides a redirect URL that isn't listed in the Microsoft Entra application **Reply URLs** list. #### **Solution** Use the same process as in the preceding issue, but the URL must be set to `urn:ietf:wg:oauth:2.0:oob`, a special redirect for command-line authentication. 
Use the same process as in the preceding issue, but the URL must be set to `urn: #### **Problem** -PowerShell script may fail to perform all of the REST commands required to complete Azure AD configuration with error "Authorization_RequestDenied","Insufficient privileges to complete the operation". Example error: +PowerShell script may fail to perform all of the REST commands required to complete Microsoft Entra configuration with error "Authorization_RequestDenied","Insufficient privileges to complete the operation". Example error: ```powershell Invoke-WebRequest: /home/<user>/clouddrive/service-fabric-aad-helpers/Common.ps1:239 This error is returned when the user account executing the script doesn't have t #### **Solution** -Work with an Administrator of Azure tenant/Azure Active Directory to complete all remaining actions. The scripts provided are idempotent so can be re-executed to complete the process. +Work with an Administrator of Azure tenant/Microsoft Entra ID to complete all remaining actions. The scripts provided are idempotent so can be re-executed to complete the process. -### **Connect the cluster by using Azure AD authentication via PowerShell** +<a name='connect-the-cluster-by-using-azure-ad-authentication-via-powershell'></a> ++### **Connect the cluster by using Microsoft Entra authentication via PowerShell** To connect the Service Fabric cluster, use the following PowerShell command example: ```powershell Connect-ServiceFabricCluster -ConnectionEndpoint <endpoint> -KeepAliveIntervalIn To learn more, see [Connect-ServiceFabricCluster cmdlet](/powershell/module/servicefabric/connect-servicefabriccluster). -### **Can I reuse the same Azure AD tenant in multiple clusters?** +<a name='can-i-reuse-the-same-azure-ad-tenant-in-multiple-clusters'></a> ++### **Can I reuse the same Microsoft Entra tenant in multiple clusters?** Yes. But remember to add the URL of Service Fabric Explorer to your cluster (web) application. 
Otherwise, Service Fabric Explorer doesnΓÇÖt work. -### **Why do I still need a server certificate while Azure AD is enabled?** -FabricClient and FabricGateway perform a mutual authentication. During Azure AD authentication, Azure AD integration provides a client identity to the server, and the server certificate is used by the client to verify the server's identity. For more information about Service Fabric certificates, see [X.509 certificates and Service Fabric][x509-certificates-and-service-fabric]. +<a name='why-do-i-still-need-a-server-certificate-while-azure-ad-is-enabled'></a> ++### **Why do I still need a server certificate while Microsoft Entra ID is enabled?** +FabricClient and FabricGateway perform a mutual authentication. During Microsoft Entra authentication, Microsoft Entra integration provides a client identity to the server, and the server certificate is used by the client to verify the server's identity. For more information about Service Fabric certificates, see [X.509 certificates and Service Fabric][x509-certificates-and-service-fabric]. ## Next steps-After setting up Azure Active Directory applications and setting roles for users, [configure and deploy a cluster](service-fabric-cluster-creation-via-arm.md). +After setting up Microsoft Entra applications and setting roles for users, [configure and deploy a cluster](service-fabric-cluster-creation-via-arm.md). <!-- Links --> |
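Review bot: the renamed terminology is inconsistent within this article: the Reason text under "Service Fabric Explorer prompts you to select a certificate" now says "Microsoft Entra ID cluster application", while the REPLY URL paragraph and the "Create Microsoft Entra applications and assign users to roles" heading use "Microsoft Entra application(s)". Pick one form, preferably "Microsoft Entra cluster application", so readers don't take the two phrasings for different objects.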
service-fabric | Service Fabric Cluster Creation Setup Azure Ad Via Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-creation-setup-azure-ad-via-portal.md | Title: Set up Azure Active Directory for client authentication in the Azure portal -description: Learn how to set up Azure Active Directory (Azure AD) to authenticate clients for Service Fabric clusters by using the Azure portal. + Title: Set up Microsoft Entra ID for client authentication in the Azure portal +description: Learn how to set up Microsoft Entra ID to authenticate clients for Service Fabric clusters by using the Azure portal. Last updated 8/8/2022 -# Set up Azure Active Directory for client authentication in the Azure portal +# Set up Microsoft Entra ID for client authentication in the Azure portal -For clusters running on Azure, you can use Azure Active Directory (Azure AD) to help secure access to management endpoints. This article describes how to set up Azure AD to authenticate clients for an Azure Service Fabric cluster in the Azure portal. +For clusters running on Azure, you can use Microsoft Entra ID to help secure access to management endpoints. This article describes how to set up Microsoft Entra ID to authenticate clients for an Azure Service Fabric cluster in the Azure portal. -In this article, the term *application* generally refers to [Azure AD applications](../active-directory/develop/developer-glossary.md#client-application), not Service Fabric applications. Azure AD enables organizations (known as *tenants*) to manage user access to applications. +In this article, the term *application* generally refers to [Microsoft Entra applications](../active-directory/develop/developer-glossary.md#client-application), not Service Fabric applications. Microsoft Entra ID enables organizations (known as *tenants*) to manage user access to applications. 
-A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, you'll create two Azure AD applications to control access to the cluster: one web application and one native application. After you create the applications, you'll assign users to read-only and admin roles. +A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, you'll create two Microsoft Entra applications to control access to the cluster: one web application and one native application. After you create the applications, you'll assign users to read-only and admin roles. > [!NOTE]-> - On Linux, you must complete the following steps before you create the cluster. On Windows, you also have the option to [configure Azure AD authentication for an existing cluster](https://github.com/Azure/Service-Fabric-Troubleshooting-Guides/blob/master/Security/Configure%20Azure%20Active%20Directory%20Authentication%20for%20Existing%20Cluster.md). -> - It's a [known issue](https://github.com/microsoft/service-fabric/issues/399) that applications and nodes on Linux Azure AD-enabled clusters can't be viewed in the Azure portal. -> - Azure AD now requires an application's (app registration) publisher domain to be verified or use a default scheme. 
For more information, see [Configure an application's publisher domain](../active-directory/develop/howto-configure-publisher-domain.md) and [AppId URI in single-tenant applications will require use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). +> - On Linux, you must complete the following steps before you create the cluster. On Windows, you also have the option to [configure Microsoft Entra authentication for an existing cluster](https://github.com/Azure/Service-Fabric-Troubleshooting-Guides/blob/master/Security/Configure%20Azure%20Active%20Directory%20Authentication%20for%20Existing%20Cluster.md). +> - It's a [known issue](https://github.com/microsoft/service-fabric/issues/399) that applications and nodes on Linux Microsoft Entra ID-enabled clusters can't be viewed in the Azure portal. +> - Microsoft Entra ID now requires an application's (app registration) publisher domain to be verified or use a default scheme. For more information, see [Configure an application's publisher domain](../active-directory/develop/howto-configure-publisher-domain.md) and [AppId URI in single-tenant applications will require use of default scheme or verified domains](../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). ## Prerequisites This article assumes that you've already created a tenant. If you haven't, start by reading [Quickstart: Set up a tenant][active-directory-howto-tenant]. -## Register an Azure AD cluster app +<a name='register-an-azure-ad-cluster-app'></a> -Open the Azure AD [App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) pane in the Azure portal and select **+ New registration**. 
+## Register a Microsoft Entra ID cluster app ++Open the Microsoft Entra ID [App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) pane in the Azure portal and select **+ New registration**. ![Screenshot of the pane for cluster app registrations and the button for a new registration.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-app-registration.png) Enter the following information for a read-only user, and then select **Apply**: ![Screenshot of selections for creating a read-only user role in the portal.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-cluster-roles-readonly.png) -## Register an Azure AD client app +<a name='register-an-azure-ad-client-app'></a> ++## Register a Microsoft Entra client app -Open the Azure AD [App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) pane in the Azure portal, and then select **+ New registration**. +Open the Microsoft Entra ID [App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) pane in the Azure portal, and then select **+ New registration**. ![Screenshot of the pane for client app registrations and the button for a new registration.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-app-registration.png) Select **Properties**, and then select **Yes** for **Assignment required?**. ## Assign application roles to users -After you create Azure AD app registrations for Service Fabric, you can modify Azure AD users to use app registrations to connect to a cluster by using Azure AD. +After you create Microsoft Entra app registrations for Service Fabric, you can modify Microsoft Entra users to use app registrations to connect to a cluster by using Microsoft Entra ID. -For both the read-only and admin roles, you use Azure AD cluster app registration. 
You don't use Azure AD client app registration for role assignments. Instead, you assign roles from the [Enterprise applications](https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null) pane. +For both the read-only and admin roles, you use Microsoft Entra ID cluster app registration. You don't use Microsoft Entra client app registration for role assignments. Instead, you assign roles from the [Enterprise applications](https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null) pane. ### Remove filters The following screenshot shows the enterprise apps with the filters removed. ![Screenshot of enterprise apps with filters removed.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-enterprise-apps-no-filter.png) -### Add role assignments to Azure AD users +<a name='add-role-assignments-to-azure-ad-users'></a> ++### Add role assignments to Microsoft Entra users -To add applications to existing Azure AD users, go to **Enterprise Applications** and find the Azure AD cluster app registration that you created. +To add applications to existing Microsoft Entra users, go to **Enterprise Applications** and find the Microsoft Entra ID cluster app registration that you created. -Select **Users and groups** > **+ Add user/group** to add an existing Azure AD user role assignment. +Select **Users and groups** > **+ Add user/group** to add an existing Microsoft Entra user role assignment. -![Screenshot of selections for adding an existing Azure AD user role assignment in the portal.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-enterprise-apps-add-user.png) +![Screenshot of selections for adding an existing Microsoft Entra user role assignment in the portal.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-enterprise-apps-add-user.png) Under **Users**, select the **None Selected** link. 
For users who need full read/write access, find each user, and then under **Sele ![Screenshot of the pane for users and groups, with roles assigned.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-enterprise-apps-user-assignments.png) -## Configure clusters with Azure AD registrations +<a name='configure-clusters-with-azure-ad-registrations'></a> ++## Configure clusters with Microsoft Entra registrations In the Azure portal, open the [Service Fabric Clusters](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.ServiceFabric%2Fclusters) pane. ### Service Fabric managed cluster configuration Open the managed cluster resource and select **Security**.-Select the **Enable Azure Active Directory** checkbox. +Select the **Enable Microsoft Entra ID** checkbox. Enter the following information, and then select **Apply**: - **Tenant ID**: Enter the tenant ID. -- **Cluster application**: Enter the ID for the Azure AD cluster app registration. This is also known as the web application.-- **Client application**: Enter the ID for the Azure AD client app registration. This is also known as the native application.+- **Cluster application**: Enter the ID for the Microsoft Entra ID cluster app registration. This is also known as the web application. +- **Client application**: Enter the ID for the Microsoft Entra client app registration. This is also known as the native application. -![Screenshot of selections for enabling Azure AD for a managed cluster.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-managed-cluster-azure-ad.png) +![Screenshot of selections for enabling Microsoft Entra ID for a managed cluster.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-managed-cluster-azure-ad.png) ### Service Fabric cluster configuration Then select **+ Add**. 
Enter the following information, and then select **Add**: -- **Authentication type**: Select **Azure Active Directory**.+- **Authentication type**: Select **Microsoft Entra ID**. - **TenantID**: Enter the tenant ID.-- **Cluster application**: Enter the ID for the Azure AD cluster app registration. This is also known as the web application.-- **Client application**: Enter the ID for the Azure AD client app registration. This is also known as the native application.+- **Cluster application**: Enter the ID for the Microsoft Entra ID cluster app registration. This is also known as the web application. +- **Client application**: Enter the ID for the Microsoft Entra client app registration. This is also known as the native application. ![Screenshot of selections on the Add pane.](media/service-fabric-cluster-creation-setup-azure-ad-via-portal/portal-cluster-azure-ad-settings.png) -## Connect to a cluster with Azure AD +<a name='connect-to-a-cluster-with-azure-ad'></a> ++## Connect to a cluster with Microsoft Entra ID To learn more about the code in the following examples, see [Connect-ServiceFabricCluster cmdlet](/powershell/module/servicefabric/connect-servicefabriccluster). -### Connect to a Service Fabric cluster by using Azure AD authentication via PowerShell +<a name='connect-to-a-service-fabric-cluster-by-using-azure-ad-authentication-via-powershell'></a> ++### Connect to a Service Fabric cluster by using Microsoft Entra authentication via PowerShell To use PowerShell to connect to a Service Fabric cluster, you must run the commands from a machine that has the Service Fabric SDK installed. The SDK includes nodes currently in a cluster. 
Connect-ServiceFabricCluster -ConnectionEndpoint $clusterEndpoint ` -Verbose ``` -### Connect to a Service Fabric managed cluster by using Azure AD authentication via PowerShell +<a name='connect-to-a-service-fabric-managed-cluster-by-using-azure-ad-authentication-via-powershell'></a> ++### Connect to a Service Fabric managed cluster by using Microsoft Entra authentication via PowerShell To connect to a managed cluster, the Az.Resources PowerShell module is also required to query the dynamic cluster server certificate thumbprint that needs to be enumerated and used. Connect-ServiceFabricCluster -ConnectionEndpoint $clusterEndpoint ` -Verbose ``` -## Troubleshoot setting up Azure Active Directory -Setting up Azure AD and using it can be challenging. Here are some pointers on what you can do to debug problems. +<a name='troubleshoot-setting-up-azure-active-directory'></a> ++## Troubleshoot setting up Microsoft Entra ID +Setting up Microsoft Entra ID and using it can be challenging. Here are some pointers on what you can do to debug problems. ### Service Fabric Explorer prompts you to select a certificate #### Problem-After you sign in successfully to Azure AD in Service Fabric Explorer, the browser returns to the home page but a message prompts you to select a certificate. +After you sign in successfully to Microsoft Entra ID in Service Fabric Explorer, the browser returns to the home page but a message prompts you to select a certificate. ![Screenshot of a Service Fabric Explorer dialog for selecting a certificate.][sfx-select-certificate-dialog] #### Reason-The user is not assigned a role in the Azure AD cluster application, so Azure AD authentication fails on the Service Fabric cluster. Service Fabric Explorer falls back to certificate authentication. +The user is not assigned a role in the Microsoft Entra ID cluster application, so Microsoft Entra authentication fails on the Service Fabric cluster. Service Fabric Explorer falls back to certificate authentication. 
#### Solution-Follow the instructions for setting up Azure AD, and assign user roles. Also, we recommend that you turn on **User assignment required to access app**, as `SetupApplications.ps1` does. +Follow the instructions for setting up Microsoft Entra ID, and assign user roles. Also, we recommend that you turn on **User assignment required to access app**, as `SetupApplications.ps1` does. ### Connection with PowerShell fails with an error: "The specified credentials are invalid" #### Problem-When you use PowerShell to connect to the cluster by using `AzureActiveDirectory` security mode, after you sign in successfully to Azure AD, the connection fails with an error: "The specified credentials are invalid." +When you use PowerShell to connect to the cluster by using `AzureActiveDirectory` security mode, after you sign in successfully to Microsoft Entra ID, the connection fails with an error: "The specified credentials are invalid." #### Solution-Follow the instructions for setting up Azure AD, and assign user roles. Also, we recommend that you turn on **User assignment required to access app**, as `SetupApplications.ps1` does. +Follow the instructions for setting up Microsoft Entra ID, and assign user roles. Also, we recommend that you turn on **User assignment required to access app**, as `SetupApplications.ps1` does. ### Service Fabric Explorer returns an error when you sign in: "AADSTS50011" #### Problem-When you try to sign in to Azure AD in Service Fabric Explorer, the page returns an error: "AADSTS50011: The reply address <url> does not match the reply addresses configured for the application: <guid>." +When you try to sign in to Microsoft Entra ID in Service Fabric Explorer, the page returns an error: "AADSTS50011: The reply address <url> does not match the reply addresses configured for the application: <guid>." 
![Screenshot of a Service Fabric Explorer sign-in error that says the reply addresses don't match.][sfx-reply-address-not-match] #### Reason-The cluster (web) application that represents Service Fabric Explorer tries to authenticate against Azure AD. As part of the request, it provides the redirect return URL. But the URL isn't listed in the **Redirect URIs** list for the Azure AD application. +The cluster (web) application that represents Service Fabric Explorer tries to authenticate against Microsoft Entra ID. As part of the request, it provides the redirect return URL. But the URL isn't listed in the **Redirect URIs** list for the Microsoft Entra application. #### Solution-On the Azure AD app registration page for your cluster, select **Authentication**. In the **Redirect URIs** section, add the Service Fabric Explorer URL to the list. Save your change. +On the Microsoft Entra app registration page for your cluster, select **Authentication**. In the **Redirect URIs** section, add the Service Fabric Explorer URL to the list. Save your change. ![Screenshot of setting up reply URL for a web application.][web-application-reply-url] -### Connecting to the cluster by using Azure AD authentication via PowerShell gives an error when you sign in: "AADSTS50011" +<a name='connecting-to-the-cluster-by-using-azure-ad-authentication-via-powershell-gives-an-error-when-you-sign-in-aadsts50011'></a> ++### Connecting to the cluster by using Microsoft Entra authentication via PowerShell gives an error when you sign in: "AADSTS50011" #### Problem-When you try to connect to a Service Fabric cluster by using Azure AD via PowerShell, the sign-in page returns an error: "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: <guid>." 
+When you try to connect to a Service Fabric cluster by using Microsoft Entra ID via PowerShell, the sign-in page returns an error: "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: <guid>." #### Reason-PowerShell attempts to authenticate against Azure AD, which provides a redirect URL that isn't listed in the **Reply URIs** list for the Azure AD application. +PowerShell attempts to authenticate against Microsoft Entra ID, which provides a redirect URL that isn't listed in the **Reply URIs** list for the Microsoft Entra application. #### Solution-On the Azure AD app registration page for your cluster, select **Authentication**. In the **Redirect URIs** section, set the URL to `urn:ietf:wg:oauth:2.0:oob`. This URL is a special redirect for command-line authentication. +On the Microsoft Entra app registration page for your cluster, select **Authentication**. In the **Redirect URIs** section, set the URL to `urn:ietf:wg:oauth:2.0:oob`. This URL is a special redirect for command-line authentication. ## FAQ -### Can I reuse the same Azure AD tenant in multiple clusters? +<a name='can-i-reuse-the-same-azure-ad-tenant-in-multiple-clusters'></a> ++### Can I reuse the same Microsoft Entra tenant in multiple clusters? Yes. But remember to add the URL of Service Fabric Explorer to your cluster (web) application. Otherwise, Service Fabric Explorer doesn't work. -### Why do I still need a server certificate while Azure AD is enabled? -`FabricClient` and `FabricGateway` perform a mutual authentication. During Azure AD authentication, Azure AD integration provides a client identity to the server, and the client uses the server certificate to verify the server's identity. For more information about Service Fabric certificates, see [X.509 certificates and Service Fabric][x509-certificates-and-service-fabric]. 
+<a name='why-do-i-still-need-a-server-certificate-while-azure-ad-is-enabled'></a> ++### Why do I still need a server certificate while Microsoft Entra ID is enabled? +`FabricClient` and `FabricGateway` perform a mutual authentication. During Microsoft Entra authentication, Microsoft Entra integration provides a client identity to the server, and the client uses the server certificate to verify the server's identity. For more information about Service Fabric certificates, see [X.509 certificates and Service Fabric][x509-certificates-and-service-fabric]. ## Next steps-After you set up Azure Active Directory applications and set roles for users, [configure and deploy a cluster](service-fabric-cluster-creation-via-arm.md). +After you set up Microsoft Entra applications and set roles for users, [configure and deploy a cluster](service-fabric-cluster-creation-via-arm.md). <!-- Links --> |
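Review bot: the renamed text is inconsistent about the two app registrations across this file: the cluster app is called the "Microsoft Entra ID cluster app registration" while the client app is the "Microsoft Entra client app registration" (in the Register sections, in Assign application roles, and in both Configure clusters lists). Pick one form for both, for example "Microsoft Entra cluster app registration" and "Microsoft Entra client app registration", since "Microsoft Entra ID" is the product name and reads oddly as a modifier on "cluster app". The two renamed UI strings, `Select the **Enable Microsoft Entra ID** checkbox.` and `**Authentication type**: Select **Microsoft Entra ID**.`, should be checked against what the portal blades actually display before merging: the screenshots referenced right next to them were not updated and readers match on the bold label, so if the portal still shows the old label, keep it in bold and mention the new name in prose. The `AzureActiveDirectory` security-mode name in the "specified credentials are invalid" troubleshooting entry was correctly left as is, since it is a cmdlet value rather than product prose.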
service-fabric | Service Fabric Cluster Creation Via Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-creation-via-arm.md | Last updated 07/14/2022 An [Azure Service Fabric cluster](service-fabric-deploy-anywhere.md) is a network-connected set of virtual machines into which your microservices are deployed and managed. A Service Fabric cluster running in Azure is an Azure resource and is deployed using the Azure Resource Manager. This article describes how to deploy a secure Service Fabric cluster in Azure using the Resource Manager. You can use a default cluster template or a custom template. If you don't already have a custom template, you can [learn how to create one](service-fabric-cluster-creation-create-template.md). -The type of security chosen to secure the cluster (i.e.: Windows identity, X509 etc.) must be specified for the initial creation of the cluster, and cannot be changed thereafter. Before setting up a cluster, read [Service Fabric cluster security scenarios][service-fabric-cluster-security]. In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Azure Active Directory is also recommended to secure access to management endpoints. For more information, read [Set up Azure AD to authenticate clients](service-fabric-cluster-creation-setup-aad.md). +The type of security chosen to secure the cluster (i.e.: Windows identity, X509 etc.) must be specified for the initial creation of the cluster, and cannot be changed thereafter. Before setting up a cluster, read [Service Fabric cluster security scenarios][service-fabric-cluster-security]. In Azure, Service Fabric uses x509 certificate to secure your cluster and its endpoints, authenticate clients, and encrypt data. Microsoft Entra ID is also recommended to secure access to management endpoints. 
For more information, read [Set up Microsoft Entra ID to authenticate clients](service-fabric-cluster-creation-setup-aad.md). If you are creating a production cluster to run production workloads, we recommend you first read through the [production readiness checklist](service-fabric-production-readiness-checklist.md). |
service-fabric | Service Fabric Cluster Creation Via Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-creation-via-portal.md | This is a step-by-step guide that walks you through the steps of setting up a Se * Authenticate administrators using certificates. > [!NOTE]-> For more advanced security options, such as user authentication with Azure Active Directory and setting up certificates for application security, [create your cluster using Azure Resource Manager][create-cluster-arm]. +> For more advanced security options, such as user authentication with Microsoft Entra ID and setting up certificates for application security, [create your cluster using Azure Resource Manager][create-cluster-arm]. > > Additional client certificates authenticate administrators for cluster managemen You do not need to upload Client authentication certificates to Key Vault to work with Service Fabric. These certificates only need to be provided to users who are authorized for cluster management. > [!NOTE]-> Azure Active Directory is the recommended way to authenticate clients for cluster management operations. To use Azure Active Directory, you must [create a cluster using Azure Resource Manager][create-cluster-arm]. +> Microsoft Entra ID is the recommended way to authenticate clients for cluster management operations. To use Microsoft Entra ID, you must [create a cluster using Azure Resource Manager][create-cluster-arm]. > > |
service-fabric | Service Fabric Cluster Fabric Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-fabric-settings.md | The following is a list of Fabric settings that you can customize, organized by ## Security | **Parameter** | **Allowed Values** |**Upgrade Policy**| **Guidance or Short Description** | | | | | |-|AADCertEndpointFormat|string, default is ""|Static|Azure Active Directory Cert Endpoint Format, default Azure Commercial, specified for non-default environment such as Azure Government "https:\//login.microsoftonline.us/{0}/federationmetadata/2007-06/federationmetadata.xml" | +|AADCertEndpointFormat|string, default is ""|Static|Microsoft Entra Cert Endpoint Format, default Azure Commercial, specified for non-default environment such as Azure Government "https:\//login.microsoftonline.us/{0}/federationmetadata/2007-06/federationmetadata.xml" | |AADClientApplication|string, default is ""|Static|Native Client application name or ID representing Fabric Clients | |AADClusterApplication|string, default is ""|Static|Web API application name or ID representing the cluster |-|AADLoginEndpoint|string, default is ""|Static|Azure Active Directory Login Endpoint, default Azure Commercial, specified for non-default environment such as Azure Government "https:\//login.microsoftonline.us" | +|AADLoginEndpoint|string, default is ""|Static|Microsoft Entra Login Endpoint, default Azure Commercial, specified for non-default environment such as Azure Government "https:\//login.microsoftonline.us" | |AADTenantId|string, default is ""|Static|Tenant ID (GUID) | |AcceptExpiredPinnedClusterCertificate|bool, default is FALSE|Dynamic|Flag indicating whether to accept expired cluster certificates declared by thumbprint Applies only to cluster certificates; so as to keep the cluster alive. | |AdminClientCertThumbprints|string, default is ""|Dynamic|Thumbprints of certificates used by clients in admin role. 
It's a comma-separated name list. |-|AADTokenEndpointFormat|string, default is ""|Static|Azure Active Directory Token Endpoint, default Azure Commercial, specified for non-default environment such as Azure Government "https:\//login.microsoftonline.us/{0}" | +|AADTokenEndpointFormat|string, default is ""|Static|Microsoft Entra Token Endpoint, default Azure Commercial, specified for non-default environment such as Azure Government "https:\//login.microsoftonline.us/{0}" | |AdminClientClaims|string, default is ""|Dynamic|All possible claims expected from admin clients; the same format as ClientClaims; this list internally gets added to ClientClaims; so no need to also add the same entries to ClientClaims. | |AdminClientIdentities|string, default is ""|Dynamic|Windows identities of fabric clients in admin role; used to authorize privileged fabric operations. It's a comma-separated list; each entry is a domain account name or group name. For convenience; the account that runs fabric.exe is automatically assigned admin role; so is group ServiceFabricAdministrators. | |AppRunAsAccountGroupX509Folder|string, default is /home/sfuser/sfusercerts |Static|Folder where AppRunAsAccountGroup X509 certificates and private keys are located | The following is a list of Fabric settings that you can customize, organized by | **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** | | | | | |-|Providers |string, default is "DSTS" |Static|Comma separated list of token validation providers to enable (valid providers are: DSTS; Azure Active Directory). Currently only a single provider can be enabled at any time. | +|Providers |string, default is "DSTS" |Static|Comma separated list of token validation providers to enable (valid providers are: DSTS; Microsoft Entra ID). Currently only a single provider can be enabled at any time. | ## Trace/Etw |
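Review bot: the Providers row now reads "valid providers are: DSTS; Microsoft Entra ID", but this column documents the literal values the setting accepts, and "DSTS" is plainly such a token; replacing the second one with the product's display name invites readers to enter a value the runtime will not recognise. If the accepted string did not change, keep whichever literal token the runtime expects and add the display name in parentheses after it. The `AAD*` parameter names in the Security table were rightly left untouched because they are setting keys; changing only the product name in their descriptions is fine.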
service-fabric | Service Fabric Cluster Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-cluster-security.md | To learn how to set up certificate security in a cluster for Azure, see [Set up To learn how to set up certificate security in a cluster for a standalone Windows Server cluster, see [Secure a standalone cluster on Windows by using X.509 certificates](service-fabric-windows-cluster-x509-security.md). -### Client-to-node Azure Active Directory security on Azure +<a name='client-to-node-azure-active-directory-security-on-azure'></a> -Azure Active Directory (Azure AD) enables organizations (known as tenants) to manage user access to applications. Applications are divided into those with a web-based sign-in UI and those with a native client experience. If you have not already created a tenant, start by reading [How to get an Azure Active Directory tenant][active-directory-howto-tenant]. +### Client-to-node Microsoft Entra security on Azure -For clusters running on Azure, you can also use Azure AD to secure access to management endpoints. A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, to control access to the cluster you create two Azure AD applications: one web application and one native application. To learn how to create the required Azure AD artifacts and how to populate them when you create the cluster, see [Set up Azure AD to authenticate clients](service-fabric-cluster-creation-setup-aad.md). +Microsoft Entra ID enables organizations (known as tenants) to manage user access to applications. Applications are divided into those with a web-based sign-in UI and those with a native client experience. 
If you have not already created a tenant, start by reading [How to get a Microsoft Entra tenant][active-directory-howto-tenant]. ++For clusters running on Azure, you can also use Microsoft Entra ID to secure access to management endpoints. A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer][service-fabric-visualizing-your-cluster] and [Visual Studio][service-fabric-manage-application-in-visual-studio]. As a result, to control access to the cluster you create two Microsoft Entra applications: one web application and one native application. To learn how to create the required Microsoft Entra artifacts and how to populate them when you create the cluster, see [Set up Microsoft Entra ID to authenticate clients](service-fabric-cluster-creation-setup-aad.md). ## Security recommendations For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for client-to-node mutual authentication is: -* Use Azure Active Directory for client identity +* Use Microsoft Entra ID for client identity * A certificate for server identity and TLS encryption of http communication For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for node-to-node security is to use a Cluster certificate to authenticate nodes. You can use access control to limit access to certain cluster operations for dif Users who are assigned the Administrator role have full access to management capabilities, including read and write capabilities. Users who are assigned the User role, by default, have only read access to management capabilities (for example, query capabilities). They also can resolve applications and services. -Set the Administrator and User client roles when you create the cluster. Assign roles by providing separate identities (for example, by using certificates or Azure AD) for each role type. 
For more information about default access control settings and how to change default settings, see [Service Fabric role-based access control for Service Fabric clients](service-fabric-cluster-security-roles.md). +Set the Administrator and User client roles when you create the cluster. Assign roles by providing separate identities (for example, by using certificates or Microsoft Entra ID) for each role type. For more information about default access control settings and how to change default settings, see [Service Fabric role-based access control for Service Fabric clients](service-fabric-cluster-security-roles.md). ## X.509 certificates and Service Fabric |
service-fabric | Service Fabric Connect To Secure Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-connect-to-secure-cluster.md | Last updated 07/14/2022 # Connect to a secure cluster -When a client connects to a Service Fabric cluster node, the client can be authenticated and secure communication established using certificate security or Azure Active Directory (AAD). This authentication ensures that only authorized users can access the cluster and deployed applications and perform management tasks. Certificate or AAD security must have been previously enabled on the cluster when the cluster was created. For more information on cluster security scenarios, see [Cluster security](service-fabric-cluster-security.md). If you are connecting to a cluster secured with certificates, [set up the client certificate](service-fabric-connect-to-secure-cluster.md#connectsecureclustersetupclientcert) on the computer that connects to the cluster. +When a client connects to a Service Fabric cluster node, the client can be authenticated and secure communication established using certificate security or Microsoft Entra ID. This authentication ensures that only authorized users can access the cluster and deployed applications and perform management tasks. Certificate or Microsoft Entra security must have been previously enabled on the cluster when the cluster was created. For more information on cluster security scenarios, see [Cluster security](service-fabric-cluster-security.md). If you are connecting to a cluster secured with certificates, [set up the client certificate](service-fabric-connect-to-secure-cluster.md#connectsecureclustersetupclientcert) on the computer that connects to the cluster. 
<a id="connectsecureclustercli"></a> To connect to an unsecure cluster, provide the cluster endpoint address to the * Connect-ServiceFabricCluster -ConnectionEndpoint <Cluster FQDN>:19000 ``` -### Connect to a secure cluster using Azure Active Directory +<a name='connect-to-a-secure-cluster-using-azure-active-directory'></a> -To connect to a secure cluster that uses Azure Active Directory to authorize cluster administrator access, provide the cluster certificate thumbprint and use the *AzureActiveDirectory* flag. +### Connect to a secure cluster using Microsoft Entra ID ++To connect to a secure cluster that uses Microsoft Entra ID to authorize cluster administrator access, provide the cluster certificate thumbprint and use the *AzureActiveDirectory* flag. ```powershell Connect-ServiceFabricCluster -ConnectionEndpoint <Cluster FQDN>:19000 ` static X509Credentials GetCredentials(string clientCertThumb, string serverCertT } ``` -### Connect to a secure cluster interactively using Azure Active Directory +<a name='connect-to-a-secure-cluster-interactively-using-azure-active-directory'></a> ++### Connect to a secure cluster interactively using Microsoft Entra ID -The following example uses Azure Active Directory for client identity and server certificate for server identity. +The following example uses Microsoft Entra ID for client identity and server certificate for server identity. A dialog window automatically pops up for interactive sign-in upon connecting to the cluster. catch (Exception e) } ``` -### Connect to a secure cluster non-interactively using Azure Active Directory +<a name='connect-to-a-secure-cluster-non-interactively-using-azure-active-directory'></a> ++### Connect to a secure cluster non-interactively using Microsoft Entra ID The following example relies on Microsoft.Identity.Client, Version: 4.37.0. 
-For more information on AAD token acquisition, see [Microsoft.Identity.Client](/dotnet/api/microsoft.identity.client?view=azure-dotnet&preserve-view=true). +For more information on Microsoft Entra token acquisition, see [Microsoft.Identity.Client](/dotnet/api/microsoft.identity.client?view=azure-dotnet&preserve-view=true). ```csharp string tenantId = "C15CFCEA-02C1-40DC-8466-FBD0EE0B05D2"; catch (Exception e) } ``` -### Connect to a secure cluster without prior metadata knowledge using Azure Active Directory +<a name='connect-to-a-secure-cluster-without-prior-metadata-knowledge-using-azure-active-directory'></a> -The following example uses non-interactive token acquisition, but the same approach can be used to build a custom interactive token acquisition experience. The Azure Active Directory metadata needed for token acquisition is read from cluster configuration. +### Connect to a secure cluster without prior metadata knowledge using Microsoft Entra ID ++The following example uses non-interactive token acquisition, but the same approach can be used to build a custom interactive token acquisition experience. The Microsoft Entra metadata needed for token acquisition is read from cluster configuration. ```csharp string serverCertThumb = "A8136758F4AB8962AF2BF3F27921BE1DF67F4326"; The full URL is also available in the cluster essentials pane of the Azure porta For connecting to a secure cluster on Windows or OS X using a browser, you can import the client certificate, and the browser will prompt you for the certificate to use for connecting to the cluster. On Linux machines, the certificate will have to be imported using advanced browser settings (each browser has different mechanisms) and point it to the certificate location on disk. Read [Set up a client certificate](#connectsecureclustersetupclientcert) for more information. 
-### Connect to a secure cluster using Azure Active Directory +<a name='connect-to-a-secure-cluster-using-azure-active-directory'></a> ++### Connect to a secure cluster using Microsoft Entra ID -To connect to a cluster that is secured with AAD, point your browser to: +To connect to a cluster that is secured with Microsoft Entra ID, point your browser to: `https://<your-cluster-endpoint>:19080/Explorer` -You are automatically be prompted to sign in with AAD. +You are automatically be prompted to sign in with Microsoft Entra ID. ### Connect to a secure cluster using a client certificate At least two certificates should be used for securing the cluster, one for the c * [Managing your Service Fabric applications in Visual Studio](service-fabric-manage-application-in-visual-studio.md) * [Service Fabric Health model introduction](service-fabric-health-introduction.md) * [Application Security and RunAs](service-fabric-application-runas-security.md)-* [Getting started with Service Fabric CLI](service-fabric-cli.md) +* [Getting started with Service Fabric CLI](service-fabric-cli.md) |
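Review bot: the same anchor `<a name='connect-to-a-secure-cluster-using-azure-active-directory'></a>` is inserted twice in this file, once before the PowerShell section and again before the browser section, so the rendered page gets a duplicate id and links that targeted the second heading's previously distinct auto-generated id no longer resolve to it. Give the second anchor the suffixed name the renderer used for the second occurrence of the old heading, or drop that anchor. Two smaller points in the added lines: "You are automatically be prompted to sign in with Microsoft Entra ID." carries over a pre-existing grammar error (should read "You are automatically prompted"), and the final `-* [Getting started with Service Fabric CLI]...` / `+* [Getting started with Service Fabric CLI]...` pair is a no-op change (presumably trailing whitespace or a missing newline) that only adds diff noise.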
service-fabric | Service Fabric Deploy Remove Applications Fabricclient | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-deploy-remove-applications-fabricclient.md | After you deploy an application and run an instance in the cluster, you can dele If you use Visual Studio for deploying and debugging applications on your local development cluster, all the preceding steps are handled automatically through a PowerShell script. This script is found in the *Scripts* folder of the application project. This article provides background on what that script is doing so that you can do the same operations outside of Visual Studio. ## Connect to the cluster-Connect to the cluster by creating a [FabricClient](/dotnet/api/system.fabric.fabricclient) instance before you run any of the code examples in this article. For examples of connecting to a local development cluster or a remote cluster or cluster secured using Azure Active Directory, X509 certificates, or Windows Active Directory see [Connect to a secure cluster](service-fabric-connect-to-secure-cluster.md#connect-to-a-cluster-using-the-fabricclient-apis). To connect to the local development cluster, run the following example: +Connect to the cluster by creating a [FabricClient](/dotnet/api/system.fabric.fabricclient) instance before you run any of the code examples in this article. For examples of connecting to a local development cluster or a remote cluster or cluster secured using Microsoft Entra ID, X509 certificates, or Windows Active Directory see [Connect to a secure cluster](service-fabric-connect-to-secure-cluster.md#connect-to-a-cluster-using-the-fabricclient-apis). To connect to the local development cluster, run the following example: ```csharp // Connect to the local cluster. |
service-fabric | Service Fabric Deploy Remove Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-deploy-remove-applications.md | Before you run any PowerShell commands in this article, always start by using [C Connect-ServiceFabricCluster ``` -For examples of connecting to a remote cluster or cluster secured using Azure Active Directory, X509 certificates, or Windows Active Directory see [Connect to a secure cluster](service-fabric-connect-to-secure-cluster.md). +For examples of connecting to a remote cluster or cluster secured using Microsoft Entra ID, X509 certificates, or Windows Active Directory see [Connect to a secure cluster](service-fabric-connect-to-secure-cluster.md). ## Upload the application package |
service-fabric | Service Fabric Get Started Containers Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-get-started-containers-linux.md | After you verify that the application runs in Docker, push the image to your reg Run `docker login` to sign in to your container registry with your [registry credentials](../container-registry/container-registry-authentication.md). -The following example passes the ID and password of an Azure Active Directory [service principal](../active-directory/develop/app-objects-and-service-principals.md). For example, you might have assigned a service principal to your registry for an automation scenario. Or, you could sign in using your registry username and password. +The following example passes the ID and password of a Microsoft Entra [service principal](../active-directory/develop/app-objects-and-service-principals.md). For example, you might have assigned a service principal to your registry for an automation scenario. Or, you could sign in using your registry username and password. ```bash docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword |
service-fabric | Service Fabric Get Started Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-get-started-containers.md | After you verify that the container runs on your development machine, push the i Run ``docker login`` to sign in to your container registry with your [registry credentials](../container-registry/container-registry-authentication.md). -The following example passes the ID and password of an Azure Active Directory [service principal](../active-directory/develop/app-objects-and-service-principals.md). For example, you might have assigned a service principal to your registry for an automation scenario. Or, you could sign in using your registry username and password. +The following example passes the ID and password of a Microsoft Entra [service principal](../active-directory/develop/app-objects-and-service-principals.md). For example, you might have assigned a service principal to your registry for an automation scenario. Or, you could sign in using your registry username and password. ``` docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword |
service-fabric | Service Fabric Get Started Tomcat | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-get-started-tomcat.md | Now that you've verified that the Tomcat image runs in a container on your devel 1. Run `docker login` to sign in to your container registry with your [registry credentials](../container-registry/container-registry-authentication.md). - The following example passes the ID and password of an Azure Active Directory [service principal](../active-directory/develop/app-objects-and-service-principals.md). For example, you might have assigned a service principal to your registry for an automation scenario. Or, you could sign in using your registry username and password. + The following example passes the ID and password of a Microsoft Entra [service principal](../active-directory/develop/app-objects-and-service-principals.md). For example, you might have assigned a service principal to your registry for an automation scenario. Or, you could sign in using your registry username and password. ```bash docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword docker rmi myregistry.azurecr.io/samples/tomcattest * For quick steps on additional Linux container features, read [Create your first Service Fabric container application on Linux](service-fabric-get-started-containers-linux.md). * For more detailed steps on Linux containers, read the [Create a Linux container application tutorial](service-fabric-tutorial-create-container-images.md) tutorial. * Learn more about running [containers on Service Fabric](service-fabric-containers-overview.md).-- |
service-fabric | Service Fabric Keyvault References | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-keyvault-references.md | The classic way of delivering secrets to a Service Fabric application was to dec Another option is the use of [Secret Store References](service-fabric-application-secret-store.md#use-the-secret-in-your-application). This experience allows for central management of your application secrets, better visibility into the metadata of deployed secrets, and allows for central management of the encryption certificate. Some may prefer this style of secret management when running standalone Service Fabric clusters. -The recommendation today is to reduce the reliance on secrets wherever possible by using [Managed Identities for Service Fabric applications](concepts-managed-identity.md). Managed identities can be used to authenticate directly to Azure Storage, Azure SQL, and more. That means there's no need to manage a separate credential when accessing [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md). +The recommendation today is to reduce the reliance on secrets wherever possible by using [Managed Identities for Service Fabric applications](concepts-managed-identity.md). Managed identities can be used to authenticate directly to Azure Storage, Azure SQL, and more. That means there's no need to manage a separate credential when accessing [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md). When it isn't possible to use Managed Identity as a client, we recommend using KeyVaultReferences. You should use KeyVaultReferences rather than using Managed Identity to go directly to Key Vault. KeyVaultReferences help increase the availability of your application because it enforces that secret changes happen during rolling upgrades. It also scales better as secrets are cached and served from within the cluster. If your application uses Encrypted Parameters today, there are only minimal changes needed in your application code to use KeyVaultReferences. Your application can continue to expect to come up with a single secret, and for that secret to be the same for the lifetime of the process. |
service-fabric | Service Fabric Manage Application In Visual Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-manage-application-in-visual-studio.md | Last updated 07/14/2022 You can manage your Azure Service Fabric applications and services through Visual Studio. Once you've [set up your development environment](service-fabric-get-started.md), you can use Visual Studio to create Service Fabric applications, add services, or package, register, and deploy applications in your local development cluster. > [!NOTE]-> With the transition from ADAL to MSAL, administrators are now required to explicitly grant permission to the Visual Studio client for publishing applications by adding the following in the cluster's Azure AD App Registration. +> With the transition from ADAL to MSAL, administrators are now required to explicitly grant permission to the Visual Studio client for publishing applications by adding the following in the cluster's Microsoft Entra App Registration. > - Visual Studio 2022 and future versions: 04f0c124-f2bc-4f59-8241-bf6df9866bbd > - Visual Studio 2019 and earlier: 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 |
service-fabric | Service Fabric Manifest Example Reliable Services App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-manifest-example-reliable-services-app.md | Indicates if a code, config or data package should be shared across service inst Grants access permissions to a principal on a resource (such as an endpoint) defined in a service manifest. Typically, it is very useful to control and restrict access of services to different resources in order to minimize security risks. This is especially important when the application is built from a collection of services from a marketplace which are developed by different developers. For more information, see [SecurityAccessPolicy Element](service-fabric-service-model-schema-elements.md#SecurityAccessPolicyElementSecurityAccessPolicyTypeComplexTypeDefinedInServiceManifestImportPoliciesTypecomplexTypeDefinedInSecurityAccessPolicieselementDefinedInDigestedEndpointelement) ### RunAsPolicy Element-Specifies the local user or local system account that a service code package will run as. Domain accounts are supported on Windows Server deployments where Azure Active Directory is available. By default, applications run under the account that the Fabric.exe process runs under. Applications can also run as other accounts, which must be declared in the Principals section. If you apply a RunAs policy to a service, and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy to ensure that ports allocated to these endpoints are correctly access-control listed for the RunAs user account that the service runs under. For an HTTPS endpoint, you also have to define a EndpointBindingPolicy to indicate the name of the certificate to return to the client. For more information, see [RunAsPolicy Element](service-fabric-service-model-schema-elements.md#RunAsPolicyElementRunAsPolicyTypeComplexTypeDefinedInServiceManifestImportPoliciesTypecomplexTypeDefinedInDigestedCodePackageelement) +Specifies the local user or local system account that a service code package will run as. Domain accounts are supported on Windows Server deployments where Microsoft Entra ID is available. By default, applications run under the account that the Fabric.exe process runs under. Applications can also run as other accounts, which must be declared in the Principals section. If you apply a RunAs policy to a service, and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy to ensure that ports allocated to these endpoints are correctly access-control listed for the RunAs user account that the service runs under. For an HTTPS endpoint, you also have to define a EndpointBindingPolicy to indicate the name of the certificate to return to the client. For more information, see [RunAsPolicy Element](service-fabric-service-model-schema-elements.md#RunAsPolicyElementRunAsPolicyTypeComplexTypeDefinedInServiceManifestImportPoliciesTypecomplexTypeDefinedInDigestedCodePackageelement) ### DefaultServices Element Declares service instances that are automatically created whenever an application is instantiated against this application type. For more information, see [DefaultServices Element](service-fabric-service-model-schema-elements.md#DefaultServicesElementDefaultServicesTypeComplexTypeDefinedInApplicationManifestTypecomplexTypeDefinedInApplicationInstanceTypecomplexType) Defines endpoints for the service. For more information, see [Endpoints Element] ### Endpoint Element The endpoint, declared in the service manifest, to override. For more information, see [Endpoint Element](service-fabric-service-model-schema-elements.md#EndpointElementEndpointOverrideTypeComplexTypeDefinedInEndpointselement)- |
service-fabric | Service Fabric Run Service As Ad User Or Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-run-service-as-ad-user-or-group.md | Last updated 07/11/2022 # Run a service as an Active Directory user or group-On a Windows Server standalone cluster, you can run a service as an Active Directory user or group using a RunAs policy. By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Running applications under different accounts, even in a shared hosted environment, makes them more secure from one another. Note that this uses Active Directory on-premises within your domain and not Azure Active Directory (Azure AD). You can also run a service as a [group Managed Service Account (gMSA)](service-fabric-run-service-as-gmsa.md). +On a Windows Server standalone cluster, you can run a service as an Active Directory user or group using a RunAs policy. By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Running applications under different accounts, even in a shared hosted environment, makes them more secure from one another. Note that this uses Active Directory on-premises within your domain and not Microsoft Entra ID. You can also run a service as a [group Managed Service Account (gMSA)](service-fabric-run-service-as-gmsa.md). By using a domain user or group, you can then access other resources in the domain (for example, file shares) that have been granted permissions. |
service-fabric | Service Fabric Run Service As Gmsa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-run-service-as-gmsa.md | On a Windows Server standalone cluster, you can run a service as a *group manage The following example shows how to create a gMSA account called *svc-Test$*, how to deploy that managed service account to the cluster nodes, and how to configure the user principal. > [!NOTE]-> Using a gMSA with a standalone Service Fabric cluster requires Active Directory on-premises within your domain (rather than Azure Active Directory (Azure AD)). +> Using a gMSA with a standalone Service Fabric cluster requires Active Directory on-premises within your domain (rather than Microsoft Entra ID). Pre-requisites: |
service-fabric | Service Fabric Service Model Schema Complex Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-service-model-schema-complex-types.md | Defines endpoints for the service. |minOccurs|0| ## RunAsPolicyType complexType-Specifies the local user or local system account that a service code package will run as. Domain accounts are supported on Windows Server deployments where Azure Active Directory is available. By default, applications run under the account that the Fabric.exe process runs under. Applications can also run as other accounts, which must be declared in the Principals section. If you apply a RunAs policy to a service, and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy to ensure that ports allocated to these endpoints are correctly access-control listed for the RunAs user account that the service runs under. For an HTTPS endpoint, you also have to define a EndpointBindingPolicy to indicate the name of the certificate to return to the client. +Specifies the local user or local system account that a service code package will run as. Domain accounts are supported on Windows Server deployments where Microsoft Entra ID is available. By default, applications run under the account that the Fabric.exe process runs under. Applications can also run as other accounts, which must be declared in the Principals section. If you apply a RunAs policy to a service, and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy to ensure that ports allocated to these endpoints are correctly access-control listed for the RunAs user account that the service runs under. For an HTTPS endpoint, you also have to define a EndpointBindingPolicy to indicate the name of the certificate to return to the client. |Attribute|Value| ||| |
service-fabric | Service Fabric Service Model Schema Elements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-service-model-schema-elements.md | Describes the resources used by this service, which can be declared without modi <a id="RunAsPolicyElementRunAsPolicyTypeComplexTypeDefinedInServiceManifestImportPoliciesTypecomplexTypeDefinedInDigestedCodePackageelement"></a> ## RunAsPolicy element-Specifies the local user or local system account that a service code package will run as. Domain accounts are supported on Windows Server deployments where Azure Active Directory is available. By default, applications run under the account that the Fabric.exe process runs under. Applications can also run as other accounts, which must be declared in the Principals section. If you apply a RunAs policy to a service, and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy to ensure that ports allocated to these endpoints are correctly access-control listed for the RunAs user account that the service runs under. For an HTTPS endpoint, you also have to define a EndpointBindingPolicy to indicate the name of the certificate to return to the client. +Specifies the local user or local system account that a service code package will run as. Domain accounts are supported on Windows Server deployments where Microsoft Entra ID is available. By default, applications run under the account that the Fabric.exe process runs under. Applications can also run as other accounts, which must be declared in the Principals section. If you apply a RunAs policy to a service, and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy to ensure that ports allocated to these endpoints are correctly access-control listed for the RunAs user account that the service runs under. For an HTTPS endpoint, you also have to define a EndpointBindingPolicy to indicate the name of the certificate to return to the client. |Attribute|Value| ||| Name of the user account. |use|required| #### AccountType-Specifies the type of account: LocalUser, DomainUser, NetworkService, LocalService, ManagedServiceAccount, or LocalSystem. The default is LocalUser. Local user accounts are created on the machines where the application is deployed. By default, these accounts do not have the same names as those specified here. Instead, they are dynamically generated and have random passwords. Supported local system account types are LocalUser, NetworkService, LocalService and LocalSystem. Domain accounts are supported on Windows Server deployments where Azure Active Directory is available. +Specifies the type of account: LocalUser, DomainUser, NetworkService, LocalService, ManagedServiceAccount, or LocalSystem. The default is LocalUser. Local user accounts are created on the machines where the application is deployed. By default, these accounts do not have the same names as those specified here. Instead, they are dynamically generated and have random passwords. Supported local system account types are LocalUser, NetworkService, LocalService and LocalSystem. Domain accounts are supported on Windows Server deployments where Microsoft Entra ID is available. |Attribute|Value| ||| Specifies the volume to be bound to container. ```- |
service-fabric | Service Fabric Sfctl Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-sfctl-cluster.md | If connecting to secure cluster, specify an absolute path to a cert (.crt) and k |Argument|Description| | | |-| --aad | Use Azure Active Directory for authentication. | +| --aad | Use Microsoft Entra ID for authentication. | | --ca | Absolute path to CA certs directory to treat as valid or CA bundle file. If using a directory of CA certs, `c_rehash <directory>` provided by OpenSSL must be run first to compute the certificate hashes and create the appropriate symbolics links. This is used to verify that the certificate returned by the cluster is valid. | | --cert | Absolute path to a client certificate file. | | --endpoint | Cluster endpoint URL, including port and HTTP or HTTPS prefix. Typically, the endpoint will look something like `https\://<your-url>\:19080`. If no endpoint is given, it will default to `http\://localhost\:19080`. | |
service-fabric | Service Fabric Standalone Clusters Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-standalone-clusters-overview.md | For more information, read [Node-to-node security](service-fabric-cluster-securi Client-to-node security authenticates clients and helps secure communication between a client and individual nodes in the cluster. This type of security helps ensure that only authorized users can access the cluster and the applications that are deployed on the cluster. Clients are uniquely identified through either their X.509 certificate security credentials. Any number of optional client certificates can be used to authenticate admin or user clients with the cluster. -In addition to client certificates, Azure Active Directory can also be configured to authenticate clients with the cluster. +In addition to client certificates, Microsoft Entra ID can also be configured to authenticate clients with the cluster. For more information, read [Client-to-node security](service-fabric-cluster-security.md#client-to-node-security) |
service-fabric | Service Fabric Tutorial Create Vnet And Windows Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-tutorial-create-vnet-and-windows-cluster.md | In this tutorial, you learn how to: > [!div class="checklist"] > * Create a VNET in Azure using PowerShell > * Create a key vault and upload a certificate-> * Setup Azure Active Directory authentication +> * Setup Microsoft Entra authentication > * Configure diagnostics collection > * Set up the EventStore service > * Set up Azure Monitor logs The [azuredeploy.parameters.json][parameters] parameters file declares many valu |certificateUrlValue|| <p>Value should be empty if creating a self-signed certificate or providing a certificate file. </p><p>To use an existing certificate previously uploaded to a key vault, fill in the certificate URL. For example, "https:\//mykeyvault.vault.azure.net:443/secrets/mycertificate/02bea722c9ef4009a76c5052bcbf8346".</p>| |sourceVaultValue||<p>Value should be empty if creating a self-signed certificate or providing a certificate file.</p><p>To use an existing certificate previously uploaded to a key vault, fill in the source vault value. For example, "/subscriptions/333cc2c84-12fa-5778-bd71-c71c07bf873f/resourceGroups/MyTestRG/providers/Microsoft.KeyVault/vaults/MYKEYVAULT".</p>| -## Set up Azure Active Directory client authentication +<a name='set-up-azure-active-directory-client-authentication'></a> ++## Set up Microsoft Entra client authentication For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for client-to-node mutual authentication is:-* Use Azure Active Directory for client identity. +* Use Microsoft Entra ID for client identity. * Use a certificate for server identity and TLS encryption of HTTP communication. 
-Setting up Azure Active Directory (Azure AD) to authenticate clients for a Service Fabric cluster must be done before [creating the cluster](#createvaultandcert). Azure AD enables organizations (known as tenants) to manage user access to applications. +Setting up Microsoft Entra ID to authenticate clients for a Service Fabric cluster must be done before [creating the cluster](#createvaultandcert). Microsoft Entra ID enables organizations (known as tenants) to manage user access to applications. -A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer](service-fabric-visualizing-your-cluster.md) and [Visual Studio](service-fabric-manage-application-in-visual-studio.md). As a result, you create two Azure AD applications to control access to the cluster: one web application and one native application. After the applications are created, you assign users to read-only and admin roles. +A Service Fabric cluster offers several entry points to its management functionality, including the web-based [Service Fabric Explorer](service-fabric-visualizing-your-cluster.md) and [Visual Studio](service-fabric-manage-application-in-visual-studio.md). As a result, you create two Microsoft Entra applications to control access to the cluster: one web application and one native application. After the applications are created, you assign users to read-only and admin roles. > [!NOTE] > You must complete the following steps before you create the cluster. Because the scripts expect cluster names and endpoints, the values should be planned and not values that you have already created. -In this article, we assume that you've already created a tenant. If you haven't, start by reading [How to get an Azure Active Directory tenant](../active-directory/develop/quickstart-create-new-tenant.md). +In this article, we assume that you've already created a tenant. 
If you haven't, start by reading [How to get a Microsoft Entra tenant](../active-directory/develop/quickstart-create-new-tenant.md). ++To simplify steps involved in configuring Microsoft Entra ID with a Service Fabric cluster, we've created a set of Windows PowerShell scripts. [Download the scripts](https://github.com/Azure-Samples/service-fabric-aad-helpers) to your computer. -To simplify steps involved in configuring Azure AD with a Service Fabric cluster, we've created a set of Windows PowerShell scripts. [Download the scripts](https://github.com/Azure-Samples/service-fabric-aad-helpers) to your computer. +<a name='create-azure-ad-applications-and-assign-users-to-roles'></a> -### Create Azure AD applications and assign users to roles -Create two Azure AD applications to control access to the cluster: one web application and one native application. After you've created the applications to represent your cluster, assign your users to the [roles supported by Service Fabric](service-fabric-cluster-security-roles.md): read-only and admin. +### Create Microsoft Entra applications and assign users to roles +Create two Microsoft Entra applications to control access to the cluster: one web application and one native application. After you've created the applications to represent your cluster, assign your users to the [roles supported by Service Fabric](service-fabric-cluster-security-roles.md): read-only and admin. Run `SetupApplications.ps1`, and provide the tenant ID, cluster name, and web application reply URL as parameters. Specify usernames and passwords for the users. For example: $Configobj = .\SetupApplications.ps1 -TenantId '<MyTenantID>' -ClusterName 'mysf > [!NOTE] > For national clouds (for example Azure Government, Microsoft Azure operated by 21Vianet, Azure Germany), specify the `-Location` parameter. -You can find your *TenantId*, or directory ID, in the [Azure portal](https://portal.azure.com). 
Select **Azure Active Directory** > **Properties** and copy the **Directory ID** value. +You can find your *TenantId*, or directory ID, in the [Azure portal](https://portal.azure.com). Select **Microsoft Entra ID** > **Properties** and copy the **Directory ID** value. -*ClusterName* is used to prefix the Azure AD applications that are created by the script. It doesn't need to exactly match the actual cluster name. It only makes it easier to map Azure AD artifacts to the Service Fabric cluster in use. +*ClusterName* is used to prefix the Microsoft Entra applications that are created by the script. It doesn't need to exactly match the actual cluster name. It only makes it easier to map Microsoft Entra artifacts to the Service Fabric cluster in use. -*WebApplicationReplyUrl* is the default endpoint that Azure AD returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster, which by default is: +*WebApplicationReplyUrl* is the default endpoint that Microsoft Entra ID returns to your users after they finish signing in. Set this endpoint as the Service Fabric Explorer endpoint for your cluster, which by default is: https://<cluster_domain>:19080/Explorer -You're prompted to sign in to an account that has administrative privileges for the Azure AD tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. In the tenant's applications in the [Azure portal](https://portal.azure.com), you should see two new entries: +You're prompted to sign in to an account that has administrative privileges for the Microsoft Entra tenant. After you sign in, the script creates the web and native applications to represent your Service Fabric cluster. 
In the tenant's applications in the [Azure portal](https://portal.azure.com), you should see two new entries: * *ClusterName*\_Cluster * *ClusterName*\_Client The script prints the JSON required by the Resource Manager template when you cr }, ``` -### Add Azure AD configuration to use Azure AD for client access -In the [azuredeploy.json][template], configure Azure AD in the **Microsoft.ServiceFabric/clusters** section. Add parameters for the tenant ID, cluster application ID, and client application ID. +<a name='add-azure-ad-configuration-to-use-azure-ad-for-client-access'></a> ++### Add Microsoft Entra configuration to use Microsoft Entra ID for client access +In the [azuredeploy.json][template], configure Microsoft Entra ID in the **Microsoft.ServiceFabric/clusters** section. Add parameters for the tenant ID, cluster application ID, and client application ID. ```json { You're now ready to connect to your secure cluster. The **Service Fabric** PowerShell module provides many cmdlets for managing Service Fabric clusters, applications, and services. Use the [Connect-ServiceFabricCluster](/powershell/module/servicefabric/connect-servicefabriccluster) cmdlet to connect to the secure cluster. The certificate SHA1 thumbprint and connection endpoint details are found in the output from the previous step. 
-If you previously set up Azure AD client authentication, run the following command: +If you previously set up Microsoft Entra client authentication, run the following command: ```powershell Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.cloudapp.azure.com:19000 ` -KeepAliveIntervalInSec 10 ` Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.c -ServerCertThumbprint C4C1E541AD512B8065280292A8BA6079C3F26F10 ``` -If you didn't set up Azure AD client authentication, run the following command: +If you didn't set up Microsoft Entra client authentication, run the following command: ```powershell Connect-ServiceFabricCluster -ConnectionEndpoint mysfcluster123.southcentralus.cloudapp.azure.com:19000 ` -KeepAliveIntervalInSec 10 ` Advance to the following tutorial to learn how to scale your cluster. > [!div class="checklist"] > * Create a VNET in Azure using PowerShell > * Create a key vault and upload a certificate-> * Setup Azure Active Directory authentication +> * Setup Microsoft Entra authentication > * Configure diagnostics collection > * Set up the EventStore service > * Set up Azure Monitor logs |
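Review bot: the *WebApplicationReplyUrl* paragraph should say that this value is the redirect URI registered on the *ClusterName*_Cluster web application and that Microsoft Entra ID only returns a sign-in response to a URI that matches the registration exactly, so `https://<cluster_domain>:19080/Explorer` must be entered with the https scheme and the 19080 port exactly as Service Fabric Explorer is reached; putting that URL in a code span or fence, as the rest of the article does for commands, would also stop it rendering as prose. In the connection section, the two `Connect-ServiceFabricCluster` examples ('If you previously set up Microsoft Entra client authentication' and 'If you didn't') show the same `-ConnectionEndpoint`, `-KeepAliveIntervalInSec` and `-ServerCertThumbprint` arguments, so the text should state which parameter distinguishes the Entra variant from the certificate one.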
service-fabric | Service Fabric Tutorial Deploy App With Cicd Vsts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-tutorial-deploy-app-with-cicd-vsts.md | Select **Tasks**->**Environment 1** and then **+New** to add a new cluster conne ![Add cluster connection][add-cluster-connection] -In the **Add new Service Fabric Connection** view select **Certificate Based** or **Azure Active Directory** authentication. Specify a connection name of "mysftestcluster" and a cluster endpoint of "tcp://mysftestcluster.southcentralus.cloudapp.azure.com:19000" (or the endpoint of the cluster you are deploying to). +In the **Add new Service Fabric Connection** view select **Certificate Based** or **Microsoft Entra ID** authentication. Specify a connection name of "mysftestcluster" and a cluster endpoint of "tcp://mysftestcluster.southcentralus.cloudapp.azure.com:19000" (or the endpoint of the cluster you are deploying to). For certificate-based authentication, add the **Server certificate thumbprint** of the server certificate used to create the cluster. In **Client certificate**, add the base-64 encoding of the client certificate file. See the help pop-up on that field for info on how to get that base-64 encoded representation of the certificate. Also add the **Password** for the certificate. You can use the cluster or server certificate if you don't have a separate client certificate. -For Azure Active Directory credentials, add the **Server certificate thumbprint** of the server certificate used to create the cluster and the credentials you want to use to connect to the cluster in the **Username** and **Password** fields. +For Microsoft Entra credentials, add the **Server certificate thumbprint** of the server certificate used to create the cluster and the credentials you want to use to connect to the cluster in the **Username** and **Password** fields. Click **Add** to save the cluster connection. |
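Review bot: the sentence 'You can use the cluster or server certificate if you don't have a separate client certificate' needs a caveat. The **Client certificate** field takes the base-64 form of a password-protected certificate file plus its **Password**, so following that advice uploads the cluster's own private key into the service connection, and every pipeline allowed to use that connection then holds the same access the cluster certificate has. The paragraph should recommend a dedicated client certificate and keep the cluster certificate out of the release definition. The Microsoft Entra paragraph should likewise say that the **Username** and **Password** are stored on the service connection and used by the release unattended, so they should belong to an account created for that purpose rather than a person's account.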
service-fabric | Service Fabric Tutorial Deploy Container App With Cicd Vsts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-tutorial-deploy-container-app-with-cicd-vsts.md | Select **Tasks**, then **Environment 1**, and then **+New** to add a new cluster ![Add cluster connection][add-cluster-connection] -In the **Add new Service Fabric Connection** view select **Certificate Based** or **Azure Active Directory** authentication. Specify a connection name of "mysftestcluster" and a cluster endpoint of "tcp://mysftestcluster.southcentralus.cloudapp.azure.com:19000" (or the endpoint of the cluster you are deploying to). +In the **Add new Service Fabric Connection** view select **Certificate Based** or **Microsoft Entra ID** authentication. Specify a connection name of "mysftestcluster" and a cluster endpoint of "tcp://mysftestcluster.southcentralus.cloudapp.azure.com:19000" (or the endpoint of the cluster you are deploying to). For certificate based authentication, add the **Server certificate thumbprint** of the server certificate used to create the cluster. In **Client certificate**, add the base-64 encoding of the client certificate file. See the help pop-up on that field for info on how to get that base-64 encoded representation of the certificate. Also add the **Password** for the certificate. You can use the cluster or server certificate if you don't have a separate client certificate. -For Azure Active Directory credentials, add the **Server certificate thumbprint** of the server certificate used to create the cluster and the credentials you want to use to connect to the cluster in the **Username** and **Password** fields. +For Microsoft Entra credentials, add the **Server certificate thumbprint** of the server certificate used to create the cluster and the credentials you want to use to connect to the cluster in the **Username** and **Password** fields. Click **Add** to save the cluster connection. |
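Review bot: this paragraph repeats the application-deployment tutorial word for word, so the same caveat applies: uploading the cluster or server certificate's password-protected file as the **Client certificate** places the cluster's private key in the service connection; recommend a dedicated client certificate instead of presenting the cluster certificate as an acceptable fallback. Also 'certificate based authentication' here versus 'certificate-based authentication' in the other tutorial: hyphenate for consistency between the two pages.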
service-fabric | Service Fabric Visualizing Your Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/service-fabric-visualizing-your-cluster.md | For developer workstation setup, you can launch Service Fabric Explorer on your To connect to a Service Fabric cluster, you need the clusters management endpoint (FQDN/IP) and the HTTP management endpoint port (19080 by default). For example https\://mysfcluster.westus.cloudapp.azure.com:19080. Use the "Connect to localhost" checkbox to connect to a local cluster on your workstation. ### Connect to a secure cluster-You can control client access to your Service Fabric cluster either with certificates or using Azure Active Directory (AAD). +You can control client access to your Service Fabric cluster either with certificates or using Microsoft Entra ID. -If you attempt to connect to a secure cluster, then depending on the cluster's configuration you will be required to present a client certificate or sign in using AAD. +If you attempt to connect to a secure cluster, then depending on the cluster's configuration you will be required to present a client certificate or sign in using Microsoft Entra ID. ## Video tutorial [<b>Check this page for a training video to learn how to use Service Fabric Explorer.</b>](/shows/building-microservices-applications-on-azure-service-fabric/service-fabric-explorer) |
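Review bot: 'you need the clusters management endpoint' should be 'the cluster's management endpoint', and `https\://mysfcluster.westus.cloudapp.azure.com:19080` leaks a backslash escape into the rendered text; put the example URL in a code span rather than escaping the colon. The secure-cluster paragraph could also say what 'present a client certificate' means in a browser, that is, the certificate must be installed in the user's personal store for the browser prompt to offer it, since that is the step readers trip over.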
site-recovery | Azure To Azure About Networking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-about-networking.md | While using NSG to control outbound connectivity, these service tags need to be - For the storage accounts in source region: - Create a [Storage service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for the source region. - Allow these addresses so that data can be written to the cache storage account, from the VM.-- Create a [Azure Active Directory (AAD) service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for allowing access to all IP addresses corresponding to AAD+- Create a [Microsoft Entra service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for allowing access to all IP addresses corresponding to Microsoft Entra ID - Create an EventsHub service tag-based NSG rule for the target region, allowing access to Site Recovery monitoring. - Create an AzureSiteRecovery service tag-based NSG rule for allowing access to Site Recovery service in any region. - Create an AzureKeyVault service tag-based NSG rule. This is required only for enabling replication of ADE-enabled virtual machines via portal. This example shows how to configure NSG rules for a VM to replicate. 2. Create an outbound HTTPS (443) security rule for "AzureActiveDirectory" on the NSG as shown in the screenshot below. - ![Screenshot shows Add outbound security rule for a network security group for Azure A D.](./media/azure-to-azure-about-networking/aad-tag.png) + ![Screenshot shows Add outbound security rule for a network security group for Microsoft Entra ID.](./media/azure-to-azure-about-networking/aad-tag.png) 3. Similar to above security rules, create outbound HTTPS (443) security rule for "EventHub.CentralUS" on the NSG that corresponds to the target location. This allows access to Site Recovery monitoring. |
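Review bot: the renamed bullet now says 'Microsoft Entra service tag', but the tag that step 2 tells the reader to select is still literally `AzureActiveDirectory`; add a sentence that the service tag keeps its legacy name so readers do not search for a tag called Microsoft Entra. Also 'EventsHub service tag' in the bullet versus 'EventHub.CentralUS' in step 3: the tag family is `EventHub`, so drop the 's' in the bullet.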
site-recovery | Azure To Azure Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-architecture.md | If outbound access for VMs is controlled with URLs, allow these URLs. | **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Allows data to be written from the VM to the cache storage account in the source region. |-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | +| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | | Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.us` | Allows the VM to communicate with the Site Recovery service. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Allows the VM to write Site Recovery monitoring and diagnostics data. | | Key Vault | `*.vault.azure.net` | `*.vault.usgovcloudapi.net` | Allows access to enable replication for ADE-enabled virtual machines via portal | Please note that details of network connectivity requirements can be found in [n **Rule** | **Details** | **Service tag** | | Allow HTTPS outbound: port 443 | Allow ranges that correspond to storage accounts in the source region | Storage.\<region-name>-Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Active Directory (Azure AD) | AzureActiveDirectory +Allow HTTPS outbound: port 443 | Allow ranges that correspond to Microsoft Entra ID | AzureActiveDirectory Allow HTTPS outbound: port 443 | Allow ranges that correspond to Events Hub in the target region. 
| EventHub.\<region-name> Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Site Recovery | AzureSiteRecovery Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Key Vault (This is required only for enabling replication of ADE-enabled virtual machines via portal) | AzureKeyVault Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Automatio **Rule** | **Details** | **Service tag** | | Allow HTTPS outbound: port 443 | Allow ranges that correspond to storage accounts in the target region | Storage.\<region-name>-Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure AD | AzureActiveDirectory +Allow HTTPS outbound: port 443 | Allow ranges that correspond to Microsoft Entra ID | AzureActiveDirectory Allow HTTPS outbound: port 443 | Allow ranges that correspond to Events Hub in the source region. | EventHub.\<region-name> Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Site Recovery | AzureSiteRecovery Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Key Vault (This is required only for enabling replication of ADE-enabled virtual machines via portal) | AzureKeyVault |
site-recovery | Azure To Azure Autoupdate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-autoupdate.md | If you can't enable automatic updates, see the following common errors and recom - **Error**: You do not have permissions to create an Azure Run As account (service principal) and grant the Contributor role to the service principal. - **Recommended action**: Make sure that the signed-in account is assigned as Contributor and try again. For more information about assigning permissions, see the required permissions section of [How to: Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). + **Recommended action**: Make sure that the signed-in account is assigned as Contributor and try again. For more information about assigning permissions, see the required permissions section of [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). To fix most issues after you enable automatic updates, select **Repair**. If the repair button isn't available, see the error message displayed in the extension update settings pane. If you can't enable automatic updates, see the following common errors and recom - **Error**: The Run As account does not have the permission to access the recovery services resource. - **Recommended action**: Delete and then [re-create the Run As account](../automation/manage-runas-account.md). Or, make sure that the Automation Run As account's Azure Active Directory application can access the recovery services resource. + **Recommended action**: Delete and then [re-create the Run As account](../automation/manage-runas-account.md). 
Or, make sure that the Automation Run As account's Microsoft Entra application can access the recovery services resource. -- **Error**: Run As account is not found. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connection asset - or the Thumbprint is not identical between Certificate and Connection.+- **Error**: Run As account is not found. Either one of these was deleted or not created - Microsoft Entra Application, Service Principal, Role, Automation Certificate asset, Automation Connection asset - or the Thumbprint is not identical between Certificate and Connection. **Recommended action**: Delete and then [re-create the Run As account](../automation/manage-runas-account.md). If you can't enable automatic updates, see the following common errors and recom ## Next steps [Learn more](./how-to-migrate-run-as-accounts-managed-identity.md) on how to migrate the authentication type of the Automation accounts to Managed Identities.- |
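Review bot: the first recommended action ('Make sure that the signed-in account is assigned as Contributor and try again') does not answer the error above it. That error is about creating a service principal and granting it the Contributor role: creating the principal needs the app-registration permission the linked section describes, and granting a role needs `Microsoft.Authorization/roleAssignments/write`, which Owner or User Access Administrator carry and Contributor does not. Separately, every recommended action still says to delete and re-create the Run As account while the Next steps section points at migrating Automation accounts to managed identities; the fixes should lead with the managed-identity path and present re-creating a Run As account only as the fallback.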
site-recovery | Azure To Azure Common Questions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-common-questions.md | Yes. Site Recovery supports disaster recovery of VMs that have Azure Disk Encryp - Site Recovery supports ADE for Azure VMs running Windows. - Site Recovery supports:- - ADE version 0.1, which has a schema that requires Azure Active Directory (Azure AD). - - ADE version 1.1, which doesn't require Azure AD. For version 1.1, Microsoft Azure VMs must have managed disks. + - ADE version 0.1, which has a schema that requires Microsoft Entra ID. + - ADE version 1.1, which doesn't require Microsoft Entra ID. For version 1.1, Microsoft Azure VMs must have managed disks. - [Learn more](../virtual-machines/extensions/azure-disk-enc-windows.md#extension-schema) about the extension schemas. [Learn more](azure-to-azure-how-to-enable-replication-ade-vms.md) about enabling replication for encrypted VMs. Yes, you can delete it if you don't need it. ### Can I replicate VMs to another subscription? -Yes, you can replicate Azure VMs to any subscription within the same Azure AD tenant. When you enable disaster recovery for VMs, by default the target subscription shown is that of the source VM. You can modify the target subscription, and other settings (such as resource group and virtual network), are populated automatically from the selected subscription. +Yes, you can replicate Azure VMs to any subscription within the same Microsoft Entra tenant. When you enable disaster recovery for VMs, by default the target subscription shown is that of the source VM. You can modify the target subscription, and other settings (such as resource group and virtual network), are populated automatically from the selected subscription. ### Can I replicate VMs in an availability zone to another region? |
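Review bot: the bullet 'Site Recovery supports ADE for Azure VMs running Windows' conflicts with the ADE enable-replication article in this same change set, which says Linux VMs are supported with ADE as long as it is ADE without Microsoft Entra ID (version 1.1 on managed disks). Align the FAQ with that article by stating the Linux support and its condition instead of implying Windows only.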
site-recovery | Azure To Azure Enable Global Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-enable-global-disaster-recovery.md | Ensure the prerequisites are met and you have created a Recovery Services vault. | | | | Classic VMs | No | | ARM VMs | Yes |-| Azure Disk Encryption v1 (dual pass, with Azure Active Directory (Azure AD)) | Yes | -| Azure Disk Encryption v2 (single pass, without Azure AD) | Yes | +| Azure Disk Encryption v1 (dual pass, with Microsoft Entra ID) | Yes | +| Azure Disk Encryption v2 (single pass, without Microsoft Entra ID) | Yes | | | No | | Managed disks | Yes | | Customer-managed keys | Yes | |
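Review bot: the support table has a row whose Feature cell is empty (`| | No |`) between 'Azure Disk Encryption v2' and 'Managed disks'. In the zone-to-zone support table in this same change set the corresponding position is 'Unmanaged disks | Not supported', which is presumably what this row was; restore the feature name rather than ship a blank row, and check that the two tables list the same features in the same order.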
site-recovery | Azure To Azure How To Enable Replication Ade Vms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-replication-ade-vms.md | -> Site Recovery currently supports ADE, with and without Azure Active Directory (Azure AD) for VMs running Windows operating systems. For Linux operating systems, we only support ADE without Azure AD. Moreover, for machines running ADE 1.1 (without Azure AD), the VMs must be using managed disks. VMs with unmanaged disks aren't supported. If you switch from ADE 0.1 (with Azure AD) to 1.1, you need to disable replication and enable replication for a VM after enabling 1.1. +> Site Recovery currently supports ADE, with and without Microsoft Entra ID for VMs running Windows operating systems. For Linux operating systems, we only support ADE without Microsoft Entra ID. Moreover, for machines running ADE 1.1 (without Microsoft Entra ID), the VMs must be using managed disks. VMs with unmanaged disks aren't supported. If you switch from ADE 0.1 (with Microsoft Entra ID) to 1.1, you need to disable replication and enable replication for a VM after enabling 1.1. ## <a id="required-user-permissions"></a> Required user permissions Use the following procedure to replicate Azure Disk Encryption-enabled VMs to an 1. In the **Enable replication** page, under **Source**, do the following: - **Region**: Select the Azure region where you want to protect your virtual machines. For example, the source location is *East Asia*.- - **Subscription**: Select the subscription to which your source virtual machines belong. This can be any subscription that's in the same Azure Active Directory tenant as your recovery services vault. + - **Subscription**: Select the subscription to which your source virtual machines belong. This can be any subscription that's in the same Microsoft Entra tenant as your recovery services vault. 
- **Resource group**: Select the resource group to which your source virtual machines belong. All the VMs in the selected resource group are listed for protection in the next step. - **Virtual machine deployment model**: Select the Azure deployment model of the source machines. - **Disaster recovery between availability zones**: Select **Yes** if you want to perform zonal disaster recovery on virtual machines. |
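Review bot: 'you need to disable replication and enable replication for a VM after enabling 1.1' should read 'disable replication and then re-enable it after the VM has been moved to ADE 1.1', so the order is unambiguous. The note should also tie the version numbers to the phrase 'with and without Microsoft Entra ID' it opens with: 0.1 is the dual-pass schema that needs Entra ID and 1.1 the single-pass one that does not, as the FAQ and the global disaster recovery support table in this set describe them; today the reader has to work that out from the last two sentences.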
site-recovery | Azure To Azure How To Enable Replication Cmk Disks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks.md | As an example, the primary Azure region is East Asia, and the secondary region i 1. In the **Enable replication** page, under **Source**, do the following: - **Region**: Select the Azure region from where you want to protect your VMs. For example, the source location is *East Asia*.- - **Subscription**: Select the subscription to which your source VMs belong. This can be any subscription within the same Azure Active Directory tenant where your recovery services vault exists. + - **Subscription**: Select the subscription to which your source VMs belong. This can be any subscription within the same Microsoft Entra tenant where your recovery services vault exists. - **Resource group**: Select the resource group to which your source virtual machines belong. All the VMs in the selected resource group are listed for protection in the next step. - **Virtual machine deployment model**: Select Azure deployment model of the source machines. - **Disaster recovery between availability zones**: Select **Yes** if you want to perform zonal disaster recovery on virtual machines. As an example, the primary Azure region is East Asia, and the secondary region i * **I have enabled both platform and customer managed keys, how can I protect my disks?** Enabling double encryption with both platform and customer managed keys is supported by Site Recovery. Follow the instructions in this article to protect your machine. You need to create a double encryption enabled DES in the target region in advance. At the time of enabling the replication for such a VM, you can provide this DES to Site Recovery.- |
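Review bot: in the double-encryption FAQ item, 'DES' is used without expansion; in an article about disk encryption it reads as the cipher. Spell out 'disk encryption set (DES)' on first use, and say where in the enable-replication steps the pre-created target-region set is supplied, since 'you can provide this DES to Site Recovery' does not name the field.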
site-recovery | Azure To Azure How To Enable Replication Private Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.md | Below is a reference architecture on how the replication workflow changes with p [private endpoints](https://azure.microsoft.com/pricing/details/private-link/). - When a private endpoint is created for a vault, the vault is locked down and **isn't accessible from networks other than those networks that have private endpoints**.-- Azure Active Directory currently doesn't support private endpoints. As such, IPs and fully- qualified domain names required for Azure Active Directory to work in a region need to be allowed +- Microsoft Entra ID currently doesn't support private endpoints. As such, IPs and fully + qualified domain names required for Microsoft Entra ID to work in a region need to be allowed outbound access from the secured network. You can also use network security group tag "Azure- Active Directory" and Azure Firewall tags for allowing access to Azure Active Directory, as + Active Directory" and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable. - **At least seven IP addresses are required** in the subnets of both your source machines and your recovery machines. When you create a private endpoint for the vault, Site Recovery creates five |
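Review bot: the hunk renames the prose but leaves the NSG tag quoted as 'Azure- Active Directory' across the line break; the literal service tag is `AzureActiveDirectory`, as the networking article's step 2 uses it, and it should appear as one code-formatted identifier that readers can paste. The bullet could also make explicit that this outbound traffic stays public-internet traffic even once the vault is locked down to private endpoints, which is the reason the allow rule is needed at all.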
site-recovery | Azure To Azure How To Enable Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-replication.md | Use the following procedure to replicate Azure VMs to another Azure region. As a For example, the source location is *East Asia*. >[!NOTE] >For cross-regional disaster recovery, the source location should be different from the Recovery Services Vault and its Resource Group's location. However, it can be the same as any of them for zonal disaster recovery.- - **Subscription**: Select the subscription to which your source VMs belong. This can be any subscription within the same Azure Active Directory tenant where your recovery services vault exists. + - **Subscription**: Select the subscription to which your source VMs belong. This can be any subscription within the same Microsoft Entra tenant where your recovery services vault exists. - **Resource group**: Select the resource group to which your source virtual machines belong. All the VMs in the selected resource group are listed for protection in the next step. - **Virtual machine deployment model**: Select Azure deployment model of the source machines. - **Disaster recovery between availability zones**: Select **Yes** if you want to perform zonal disaster recovery on virtual machines. After the enable replication job runs, and the initial replication finishes, the ## Next steps -[Learn more](site-recovery-test-failover-to-azure.md) about running a test failover. +[Learn more](site-recovery-test-failover-to-azure.md) about running a test failover. |
site-recovery | Azure To Azure How To Enable Zone To Zone Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery.md | Before you deploy zone-to-zone disaster recovery for your VMs, ensure that other |Feature | Support statement | |||-|VMs (classic) | Not supported. | -|VMs (Azure Resource Manager) | Supported. | -|Azure Disk Encryption v1 (dual pass, with Microsoft Entra ID) | Supported. | -|Azure Disk Encryption v2 (single pass, without Microsoft Entra ID) | Supported. | -|Unmanaged disks | Not supported. | -|Managed disks | Supported. | -|Customer-managed keys | Supported. | -|Proximity placement groups | Supported. | -|Backup interoperability | File-level backup and restore are supported. Disk and VM-level backup and restore aren't supported. | +|Classic VMs | Not supported | +|ARM VMs | Supported | +|Azure Disk Encryption v1 (dual pass, with Microsoft Entra ID) | Supported | +|Azure Disk Encryption v2 (single pass, without Microsoft Entra ID) | Supported | +|Unmanaged disks | Not supported | +|Managed disks | Supported | +|Customer-managed keys | Supported | +|Proximity placement groups | Supported | +|Backup interoperability | File level backup and restore are supported. Disk and VM level backup and restore aren't supported. | |Hot add/remove | You can add disks after you enable zone-to-zone replication. Removing disks after you enable zone-to-zone replication isn't supported. | ## Set up Site Recovery zone-to-zone disaster recovery |
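Review bot: this hunk undoes a wording cleanup rather than adding anything: 'VMs (Azure Resource Manager)' goes back to 'ARM VMs', 'File-level' loses its hyphen and the trailing periods are removed. If the aim is to match the global disaster recovery support table, which uses 'Classic VMs' and 'ARM VMs', say so in the commit; otherwise keep the spelled-out form, since 'ARM' also reads as the processor architecture when VM sizing is in view.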
site-recovery | Azure To Azure Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-support-matrix.md | This article summarizes support and prerequisites for disaster recovery of Azure | **Move vaults across resource groups** | Not supported. **Move compute/storage/network resources across resource groups** | Not supported.<br/><br/> If you move a VM or associated components such as storage/network after the VM is replicating, you need to disable and then re-enable replication for the VM.-**Replicate Azure VMs from one subscription to another for disaster recovery** | Supported within the same Azure Active Directory tenant. -**Migrate VMs across regions within supported geographical clusters (within and across subscriptions)** | Supported within the same Azure Active Directory tenant. +**Replicate Azure VMs from one subscription to another for disaster recovery** | Supported within the same Microsoft Entra tenant. +**Migrate VMs across regions within supported geographical clusters (within and across subscriptions)** | Supported within the same Microsoft Entra tenant. **Migrate VMs within the same region** | Not supported. **Azure Dedicated Hosts** | Not supported. |
site-recovery | Azure To Azure Troubleshoot Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-troubleshoot-errors.md | A connection can't be established to Microsoft 365 authentication and identity I #### Fix the problem Azure Site Recovery required access to Microsoft 365 IP ranges for authentication.-If you're using Azure Network Security Group (NSG) rules/firewall proxy to control outbound network connectivity on the VM, ensure that you use [Azure Active Directory (AAD) service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for allowing access to AAD. We no longer support IP address-based NSG rules. +If you're using Azure Network Security Group (NSG) rules/firewall proxy to control outbound network connectivity on the VM, ensure that you use [Microsoft Entra service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule for allowing access to Microsoft Entra ID. We no longer support IP address-based NSG rules. ### Issue 3: Site Recovery configuration failed (151197) To resolve this issue, wait till system time crosses the skewed future time. Ano ## Next steps -[Replicate Azure VMs to another Azure region](azure-to-azure-how-to-enable-replication.md) +[Replicate Azure VMs to another Azure region](azure-to-azure-how-to-enable-replication.md) |
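Review bot: 'Azure Site Recovery required access to Microsoft 365 IP ranges for authentication' should be 'requires access', and since the fix that follows is the `AzureActiveDirectory` service tag, the sentence should say the rule allows Microsoft Entra ID, which is where the authentication goes, rather than 'Microsoft 365 IP ranges'; as written, readers may try to add Microsoft 365 ranges as IP rules, which the next sentence says are no longer supported.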
site-recovery | Azure To Azure Troubleshoot Network Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-troubleshoot-network-connectivity.md | For Site Recovery replication to work, outbound connectivity to specific URLs or | **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Required so that data can be written to the cache storage account in the source region from the VM. If you know all the cache storage accounts for your VMs, you can use an allow-list for the specific storage account URLs. For example, `cache1.blob.core.windows.net` and `cache2.blob.core.windows.net` instead of `*.blob.core.windows.net`. |-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Required for authorization and authentication to the Site Recovery service URLs. | +| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Required for authorization and authentication to the Site Recovery service URLs. | | Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.com` | Required so that the Site Recovery service communication can occur from the VM. You can use the corresponding _Site Recovery IP_ if your firewall proxy supports IPs. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Required so that the Site Recovery monitoring and diagnostics data can be written from the VM. You can use the corresponding _Site Recovery Monitoring IP_ if your firewall proxy supports IPs. 
| A connection can't be established to Microsoft 365 authentication and identity I #### Resolution - Azure Site Recovery requires access to the Microsoft 365 IP ranges for authentication.-- If you're using Azure Network security group (NSG) rules/firewall proxy to control outbound network connectivity on the VM, ensure you allow communication to the Microsoft 365 IP ranges. Create an [Azure Active Directory (Azure AD) service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule that allows access to all IP addresses corresponding to Azure AD.-- If new addresses are added to Azure AD in the future, you need to create new NSG rules.+- If you're using Azure Network security group (NSG) rules/firewall proxy to control outbound network connectivity on the VM, ensure you allow communication to the Microsoft 365 IP ranges. Create an [Microsoft Entra service tag](../virtual-network/network-security-groups-overview.md#service-tags) based NSG rule that allows access to all IP addresses corresponding to Microsoft Entra ID. +- If new addresses are added to Microsoft Entra ID in the future, you need to create new NSG rules. ### Example NSG configuration This example shows how to configure NSG rules for a VM to replicate. 1. Create an HTTPS outbound security rule for the NSG as shown in the following screenshot. This example uses the **Destination service tag**: _AzureActiveDirectory_ and **Destination port ranges**: _443_. - :::image type="content" source="./media/azure-to-azure-about-networking/aad-tag.png" alt-text="Screenshot shows an Add outbound security rule pane for a security rule for Azure Active Directory."::: + :::image type="content" source="./media/azure-to-azure-about-networking/aad-tag.png" alt-text="Screenshot shows an Add outbound security rule pane for a security rule for Microsoft Entra ID."::: 1. 
Similar to above security rules, create outbound HTTPS (443) security rule for "EventHub.CentralUS" on the NSG that correspond to the target location. This allows access to Site Recovery monitoring. 1. Create an outbound HTTPS (443) security rule for "AzureSiteRecovery" on the NSG. This allows access to Site Recovery Service in any region. |
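Review bot: the Government column of the Replication row in the URL table lists `*.hypervrecoverymanager.windowsazure.com`, identical to the Commercial column, while the vmware-azure-architecture table in this same rename batch lists `*.hypervrecoverymanager.windowsazure.us` for Government; please confirm which endpoint is correct and make the tables agree, because an allow-list built from the wrong entry blocks replication traffic in a Government tenant.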
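Review bot: in the NSG resolution bullet, "Create an [Microsoft Entra service tag]" should read "Create a [Microsoft Entra service tag]"; while there, it is worth stating that the tag itself is still named `AzureActiveDirectory` (the example step below this bullet uses **Destination service tag**: _AzureActiveDirectory_), so readers do not go looking for a tag called "Microsoft Entra" in the portal. The remaining Azure AD to Microsoft Entra ID wording changes look fine.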
site-recovery | Azure To Azure Tutorial Enable Replication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-tutorial-enable-replication.md | Your Azure account needs permissions to create a Recovery Services vault, and to - If you just created a free Azure subscription, you're the account admin, and no further action is needed. - If you aren't the admin, work with the admin to get the permissions you need.- - **Azure Active Directory**: Application owner and application developer roles to enable replication. + - **Microsoft Entra ID**: Application owner and application developer roles to enable replication. - **Create a vault**: Admin or owner permissions on the subscription. - **Manage Site Recovery operations in the vault**: The *Site Recovery Contributor* built-in Azure role. - **Create Azure VMs in the target region**: Either the built-in *Virtual Machine Contributor* role, or specific permissions to: If you're using a URL-based firewall proxy to control outbound connectivity, all | **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Allows data to be written from the VM to the cache storage account in the source region. |-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | +| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | | Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.com` | Allows the VM to communicate with the Site Recovery service. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Allows the VM to write Site Recovery monitoring and diagnostics data. 
| If you're using network security groups (NSGs) to control connectivity, create a **Tag** | **Allow** | Storage tag |Allows data to be written from the VM to the cache storage account.-Azure AD tag | Allows access to all IP addresses that correspond to Azure AD. +Microsoft Entra ID tag | Allows access to all IP addresses that correspond to Microsoft Entra ID. EventsHub tag | Allows access to Site Recovery monitoring. AzureSiteRecovery tag | Allows access to the Site Recovery service in any region. GuestAndHybridManagement tag | Use if you want to automatically upgrade the Site Recovery Mobility agent that's running on VMs enabled for replication. Select the source settings and enable VM replication. 2. In the **Enable replication** page, under **Source** tab, do the following: - **Region**: Select the source Azure region in which VMs are currently running.- - **Subscription**: Select the subscription in which VMs are running. You can select any subscription that's in the same Azure Active Directory (Azure AD) tenant as the vault. + - **Subscription**: Select the subscription in which VMs are running. You can select any subscription that's in the same Microsoft Entra tenant as the vault. - **Resource group**: Select the desired resource group from the drop-down. - **Virtual machine deployment model**: Retain the default **Resource Manager** setting. - **Disaster recovery between availability zones**: Retain the default **No** setting. |
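Review bot: renaming the row to "Microsoft Entra ID tag" in the NSG tag table is misleading, because the NSG service tag customers actually select is still called `AzureActiveDirectory` (the troubleshooting article in this same batch shows **Destination service tag**: _AzureActiveDirectory_); suggest "AzureActiveDirectory tag (Microsoft Entra ID)" so the product name is updated without hiding the identifier that must be typed into the rule. The Subscription bullet change to "same Microsoft Entra tenant as the vault" is fine.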
site-recovery | Deploy Vmware Azure Replication Appliance Modernized | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/deploy-vmware-azure-replication-appliance-modernized.md | You deploy an on-premises replication appliance when you use [Azure Site Recover To create and register the Azure Site Recovery replication appliance, you need an Azure account with: - Contributor or Owner permissions on the Azure subscription.-- Permissions to register Azure Active Directory apps.+- Permissions to register Microsoft Entra apps. - Owner or Contributor plus User Access Administrator permissions on the Azure subscription to create a Key Vault, used during registration of the Azure Site Recovery replication appliance with Azure. If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner for the required permissions. If you just created a free Azure account, you're the owner of your subscription. 4. In **Add a role assignment**, select **Add,** select the Contributor or Owner role, and select the account. Then Select **Save**. - To register the appliance, your Azure account needs permissions to register Azure Active Directory apps. + To register the appliance, your Azure account needs permissions to register Microsoft Entra apps. **Follow these steps to assign required permissions**: - - In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**. In **User settings**, verify that Azure AD users can register applications (set to *Yes* by default). + - In Azure portal, navigate to **Microsoft Entra ID** > **Users** > **User Settings**. In **User settings**, verify that Microsoft Entra users can register applications (set to *Yes* by default). - - In case the **App registrations** settings is set to *No*, request the tenant/global admin to assign the required permission. 
Alternately, the tenant/global admin can assign the Application Developer role to an account to allow the registration of Azure Active Directory App. + - In case the **App registrations** settings is set to *No*, request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the Application Developer role to an account to allow the registration of Microsoft Entra App. ## Prepare infrastructure |
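Review bot: the rewritten App registrations bullet keeps two pre-existing slips that are cheap to fix while the line is being touched: "In case the **App registrations** settings is set to *No*" should be "setting is set to *No*", and "Alternately" should be "Alternatively". Also "registration of Microsoft Entra App" should be lowercase "app" to match "Permissions to register Microsoft Entra apps" earlier in the same change.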
site-recovery | How To Migrate Run As Accounts Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/how-to-migrate-run-as-accounts-managed-identity.md | Last updated 09/14/2023 This article shows you how to migrate your runbooks to use a Managed Identities for Azure Site Recovery. Azure Automation Accounts are used by Azure Site Recovery customers to auto-update the agents of their protected virtual machines. Site Recovery creates Azure Automation Run As Accounts when you enable replication via the IaaS VM Blade and Recovery Services Vault. -On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure AD tokens. +On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Microsoft Entra ID and using it to obtain Microsoft Entra tokens. ## Prerequisites Before you migrate from a Run As account to a managed identity, ensure that you Here are some of the benefits of using managed identities: - **Credentials access** - You don't need to manage credentials.-- **Simplified authentication** - You can use managed identities to authenticate to any resource that supports Azure AD authentication including your own applications.+- **Simplified authentication** - You can use managed identities to authenticate to any resource that supports Microsoft Entra authentication including your own applications. - **Cost effective** - Managed identities can be used at no extra cost. - **Double encryption** - Managed identity is also used to encrypt/decrypt data and metadata using the customer-managed key stored in Azure Key Vault, providing double encryption. 
To link an existing managed identity Automation account to your Recovery Service Learn more about: - [Managed identities](../active-directory/managed-identities-azure-resources/overview.md). - [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing).- |
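Review bot: the opening sentence in the first hunk's context, "migrate your runbooks to use a Managed Identities for Azure Site Recovery", has a number mismatch; since the surrounding paragraph is being edited for the Microsoft Entra rename anyway, suggest "to use managed identities for Azure Site Recovery". The rename lines themselves read correctly.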
site-recovery | Hybrid How To Enable Replication Private Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hybrid-how-to-enable-replication-private-endpoints.md | then create private endpoints in the bypass network. You can choose any form of - Private links are supported in Site Recovery 9.35 and later. - You can create private endpoints only for new Recovery Services vaults that don't have any items registered to them. Therefore, you must create private endpoints before any items are added to the vault. See [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/) for pricing information. - When you create a private endpoint for a vault, the vault is locked down. It can be accessed only from networks that have private endpoints.-- Azure Active Directory doesn't currently support private endpoints. So you need to allow outbound access from the secured Azure virtual network to IPs and fully qualified domain names that are required for Azure Active Directory to work in a region. As applicable, you can also use network security group tag "Azure Active Directory" and Azure Firewall tags to allow access to Azure Active Directory.+- Microsoft Entra ID doesn't currently support private endpoints. So you need to allow outbound access from the secured Azure virtual network to IPs and fully qualified domain names that are required for Microsoft Entra ID to work in a region. As applicable, you can also use network security group tag "Microsoft Entra ID" and Azure Firewall tags to allow access to Microsoft Entra ID. - Five IP addresses are required in the bypass network where you create your private endpoint. When you create a private endpoint for the vault, Site Recovery creates five private links for access to its microservices. - One additional IP address is required in the bypass network for private endpoint connectivity to a cache storage account. 
You can use any connectivity method between on-premises and your storage account endpoint. For example, you can use the internet or Azure [ExpressRoute](../expressroute/index.yml). Establishing a private link is optional. You can create private endpoints for storage only on General Purpose v2 accounts. See [Azure Page Blobs pricing](https://azure.microsoft.com/pricing/details/storage/page-blobs/) for information about pricing for data transfer on General Purpose v2 accounts. When using the private link with modernized experience for VMware VMs, public ac | - | -| | portal.azure.com | Navigate to the Azure portal. | | `*.windows.net `<br>`*.msftauth.net`<br>`*.msauth.net`<br>`*.microsoft.com`<br>`*.live.com `<br>`*.office.com ` | To sign-in to your Azure subscription. |- |`*.microsoftonline.com `<br>`*.microsoftonline-p.com `| Create Azure Active Directory applications for the appliance to communicate with Azure Site Recovery. | + |`*.microsoftonline.com `<br>`*.microsoftonline-p.com `| Create Microsoft Entra applications for the appliance to communicate with Azure Site Recovery. | | `management.azure.com` | Used for Azure Resource Manager deployments and operations. | | `*.siterecovery.windowsazure.com` | Used to connect to Site Recovery services. | Ensure the following URLs are allowed and reachable from the Azure Site Recovery | | | -| | `login.microsoftonline.us/*` <br> `graph.windows.net ` | `login.microsoftonline.cn` <br> `graph.chinacloudapi.cn` | To sign-in to your Azure subscription. | | `*.portal.azure.us` | `*.portal.azure.cn` | Navigate to the Azure portal. | - | `management.usgovcloudapi.net` | `management.chinacloudapi.cn` | Create Azure Active Directory applications for the appliance to communicate with the Azure Site Recovery service. | + | `management.usgovcloudapi.net` | `management.chinacloudapi.cn` | Create Microsoft Entra applications for the appliance to communicate with the Azure Site Recovery service. 
| ## Create and use private endpoints for site recovery A [managed identity](../active-directory/managed-identities-azure-resources/over 1. Change the **Status** to **On** and select **Save**. - An Object ID is generated. The vault is now registered with Azure Active Directory. + An Object ID is generated. The vault is now registered with Microsoft Entra ID. ### Create private endpoints for the Recovery Services vault |
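Review bot: in the limitations bullet, the quoted NSG tag name "Microsoft Entra ID" does not exist as a service tag; the NSG tag is `AzureActiveDirectory`, and a reader copying the quoted string into a rule will not find it. Suggest: 'you can also use the network security group service tag `AzureActiveDirectory` and the corresponding Azure Firewall tags to allow access to Microsoft Entra ID.' The "Microsoft Entra ID doesn't currently support private endpoints" wording and the URL-table rename are fine.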
site-recovery | Hyper V Azure Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/hyper-v-azure-architecture.md | If you're using a URL-based firewall proxy to control outbound connectivity, all | **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Allows data to be written from the VM to the cache storage account in the source region. |-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | +| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | | Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.com` | Allows the VM to communicate with the Site Recovery service. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Allows the VM to write Site Recovery monitoring and diagnostics data. | After your on-premises infrastructure is up and running again, you can fail back Follow [this tutorial](tutorial-prepare-azure-for-hyperv.md) to get started with Hyper-V to Azure replication.-- |
site-recovery | Physical Azure Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/physical-azure-architecture.md | If you're using a URL-based firewall proxy to control outbound connectivity, all | **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Allows data to be written from the VM to the cache storage account in the source region. |-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | +| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | | Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.com` | Allows the VM to communicate with the Site Recovery service. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Allows the VM to write Site Recovery monitoring and diagnostics data. | |
site-recovery | Physical Azure Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/physical-azure-disaster-recovery.md | Make sure the machine can access these URLs based on your environment: IP address-based firewall rules should allow communication to all of the Azure URLs that are listed above over HTTPS (443) port. To simplify and limit the IP Ranges, it's recommended that URL filtering is done. -- **Commercial IPs** - Allow the [Azure Datacenter IP Ranges](https://www.microsoft.com/download/confirmation.aspx?id=41653), and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the Azure AD, Backup, Replication, and Storage URLs. -- **Government IPs** - Allow the [Azure Government Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=57063), and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support Azure AD, Backup, Replication, and Storage URLs. +- **Commercial IPs** - Allow the [Azure Datacenter IP Ranges](https://www.microsoft.com/download/confirmation.aspx?id=41653), and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the Microsoft Entra ID, Backup, Replication, and Storage URLs. +- **Government IPs** - Allow the [Azure Government Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=57063), and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support Microsoft Entra ID, Backup, Replication, and Storage URLs. #### Run setup Run Unified Setup as a Local Administrator, to install the configuration server. The process server and the master target server are also installed by default on the configuration server. |
site-recovery | Physical Server Azure Architecture Modernized | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/physical-server-azure-architecture-modernized.md | If you're using a URL-based firewall proxy to control outbound connectivity, all | - | -| | portal.azure.com | Navigate to the Azure portal. | | `*.windows.net `<br>`*.msftauth.net`<br>`*.msauth.net`<br>`*.microsoft.com`<br>`*.live.com `<br>`*.office.com ` | To sign-in to your Azure subscription. |-|`*.microsoftonline.com `|Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Site Recovery. | -|management.azure.com |Create Azure AD apps for the appliance to communicate with the Azure Site Recovery service. | +|`*.microsoftonline.com `|Create Microsoft Entra apps for the appliance to communicate with Azure Site Recovery. | +|management.azure.com |Create Microsoft Entra apps for the appliance to communicate with the Azure Site Recovery service. | |`*.services.visualstudio.com `|Upload app logs used for internal monitoring. | |`*.vault.azure.net `|Manage secrets in the Azure Key Vault. Note: Ensure machines to replicate have access to this. | |aka.ms |Allow access to aka.ms links. Used for Azure Site Recovery appliance updates. | App-consistent recovery points are created from app-consistent snapshots.<br/><b ## Next steps -Follow [this tutorial](vmware-azure-tutorial.md) to enable VMware to Azure replication. +Follow [this tutorial](vmware-azure-tutorial.md) to enable VMware to Azure replication. |
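Review bot: the Next steps line touched in the last hunk of this physical-server article still sends readers to "Follow [this tutorial](vmware-azure-tutorial.md) to enable VMware to Azure replication"; the change only adjusts whitespace, so either the target is intentional for the modernized physical-server flow (in which case the link text should say so) or the link should point at the physical-server tutorial. Please confirm before merging rather than leaving a VMware next step on a physical-server page.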
site-recovery | Region Move Cross Geos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/region-move-cross-geos.md | Make sure the machine can access these URLs based on your environment: IP address-based firewall rules should allow communication to all of the Azure URLs that are listed above over HTTPS (443) port. To simplify and limit the IP Ranges, it is recommended that URL filtering is done. -- **Commercial IPs** - Allow the [Azure Datacenter IP Ranges](https://www.microsoft.com/download/confirmation.aspx?id=41653), and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the Azure AD, Backup, Replication, and Storage URLs. -- **Government IPs** - Allow the [Azure Government Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=57063), and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support Azure AD, Backup, Replication, and Storage URLs. +- **Commercial IPs** - Allow the [Azure Datacenter IP Ranges](https://www.microsoft.com/download/confirmation.aspx?id=41653), and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the Microsoft Entra ID, Backup, Replication, and Storage URLs. +- **Government IPs** - Allow the [Azure Government Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=57063), and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support Microsoft Entra ID, Backup, Replication, and Storage URLs. #### Run setup Run Unified Setup as a Local Administrator, to install the configuration server. The process server and the master target server are also installed by default on the configuration server. In case you have no plans to reuse any of the source resources please proceed wi In this tutorial you moved an Azure VM to a different Azure region. Now you can configure disaster recovery for the moved VM. 
> [!div class="nextstepaction"]-> [Set up disaster recovery after migration](azure-to-azure-quickstart.md) +> [Set up disaster recovery after migration](azure-to-azure-quickstart.md) |
site-recovery | Replication Appliance Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/replication-appliance-support-matrix.md | Ensure the following URLs are allowed and reachable from the Azure Site Recovery | portal.azure.com | Navigate to the Azure portal. | | `login.windows.net `<br>`graph.windows.net `<br>`*.msftauth.net`<br>`*.msauth.net`<br>`*.microsoft.com`<br>`*.live.com `<br>`*.office.com ` | To sign-in to your Azure subscription. | |`*.microsoftonline.com `|Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Site Recovery. |- |management.azure.com |Create Azure AD apps for the appliance to communicate with the Azure Site Recovery service. | + |management.azure.com |Create Microsoft Entra apps for the appliance to communicate with the Azure Site Recovery service. | |`*.services.visualstudio.com `|Upload app logs used for internal monitoring. | |`*.vault.azure.net `|Manage secrets in the Azure Key Vault. Note: Ensure that the machines that need to be replicated have access to this URL. | |aka.ms |Allow access to "also known as" links. Used for Azure Site Recovery appliance updates. | Ensure the following URLs are allowed and reachable from the Azure Site Recovery | - | -| -| | `login.microsoftonline.us/*` <br> `graph.microsoftazure.us` | `login.chinacloudapi.cn/*` <br> `graph.chinacloudapi.cn` | To sign-in to your Azure subscription. | | `portal.azure.us` | `portal.azure.cn` |Navigate to the Azure portal. | - | `*.microsoftonline.us/*` <br> `management.usgovcloudapi.net` | `*.microsoftonline.cn/*` <br> `management.chinacloudapi.cn/*` | Create Azure AD apps for the appliance to communicate with the Azure Site Recovery service. | + | `*.microsoftonline.us/*` <br> `management.usgovcloudapi.net` | `*.microsoftonline.cn/*` <br> `management.chinacloudapi.cn/*` | Create Microsoft Entra apps for the appliance to communicate with the Azure Site Recovery service. 
| | `*.hypervrecoverymanager.windowsazure.us` <br> `*.migration.windowsazure.us` <br> `*.backup.windowsazure.us` | `*.hypervrecoverymanager.windowsazure.cn` <br> `*.migration.windowsazure.cn` <br> `*.backup.windowsazure.cn` | Connect to Azure Site Recovery micro-service URLs. | |`*.vault.usgovcloudapi.net`| `*.vault.azure.cn` |Manage secrets in the Azure Key Vault. Note: Ensure that the machines, which need to be replicated have access to this URL. | For detailed information about how to use multiple appliances and failover a rep ## Next steps - [Learn](vmware-azure-set-up-replication-tutorial-modernized.md) how to set up disaster recovery of VMware VMs to Azure.-- [Learn](../site-recovery/deploy-vmware-azure-replication-appliance-modernized.md) how to deploy Azure Site Recovery replication appliance.+- [Learn](../site-recovery/deploy-vmware-azure-replication-appliance-modernized.md) how to deploy Azure Site Recovery replication appliance. |
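Review bot: the public-cloud URL table is now inconsistent: the `management.azure.com` row was updated to "Create Microsoft Entra apps", but the unchanged row directly above it, for `*.microsoftonline.com `, still reads "Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Site Recovery." Update that row in the same change so the table uses one product name throughout, as the Government/China table further down already does.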
site-recovery | Site Recovery Dynamicsax | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-dynamicsax.md | Last updated 11/27/2018 Dynamics AX is one of the most popular ERP solutions used by enterprises to standardize processes across locations, manage resources, and simplify compliance. Because the application is critical to an organization, in the event of a disaster, the application should be up and running in minimum time. -Today, Dynamics AX doesn't provide any out-of-the-box disaster recovery capabilities. Dynamics AX consists of many server components, such as Windows Application Object Server, Azure Active Directory, Azure SQL Database, SharePoint Server, and Reporting Services. To manage the disaster recovery of each of these components manually is not only expensive but also error prone. +Today, Dynamics AX doesn't provide any out-of-the-box disaster recovery capabilities. Dynamics AX consists of many server components, such as Windows Application Object Server, Microsoft Entra ID, Azure SQL Database, SharePoint Server, and Reporting Services. To manage the disaster recovery of each of these components manually is not only expensive but also error prone. This article explains how you can create a disaster recovery solution for your Dynamics AX application by using [Azure Site Recovery](site-recovery-overview.md). It also covers planned/unplanned test failovers by using a one-click recovery plan, supported configurations, and prerequisites. |
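Review bot: the mechanical rename in the component list ("Windows Application Object Server, Microsoft Entra ID, Azure SQL Database, SharePoint Server, and Reporting Services") produces a doubtful statement, since every other item is a server component that Site Recovery would replicate and a cloud identity service is not something a recovery plan fails over; the original "Azure Active Directory" in this 2018 article was probably already a mistake for Active Directory (domain controllers). Please check the intended component with the article owner rather than carrying the rename through.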
site-recovery | Site Recovery Sap | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/site-recovery-sap.md | In this article, we use an **Azure-to-Azure** disaster recovery scenario. The sc ### Required foundation services In the scenario we discuss in this article, the following foundation services are deployed: * Azure ExpressRoute or Azure VPN Gateway-* At least one Azure Active Directory domain controller and DNS server, running in Azure +* At least one Microsoft Entra domain controller and DNS server, running in Azure We recommend that you establish this infrastructure before you deploy Site Recovery. |
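Review bot: "At least one Microsoft Entra domain controller and DNS server, running in Azure" names something that does not exist; Microsoft Entra ID has no domain controllers. The foundation service meant here is almost certainly an Active Directory domain controller (AD DS) running on an Azure VM, possibly alongside Microsoft Entra Domain Services; suggest "At least one Active Directory domain controller and DNS server, running in Azure" and confirm with the SAP article owner.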
site-recovery | Vmware Azure Architecture Modernized | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-architecture-modernized.md | If you're using a URL-based firewall proxy to control outbound connectivity, all | - | -| | portal.azure.com | Navigate to the Azure portal. | | `*.windows.net `<br>`*.msftauth.net`<br>`*.msauth.net`<br>`*.microsoft.com`<br>`*.live.com `<br>`*.office.com ` | To sign-in to your Azure subscription. |-|`*.microsoftonline.com `|Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Site Recovery. | -|management.azure.com |Create Azure AD apps for the appliance to communicate with the Azure Site Recovery service. | +|`*.microsoftonline.com `|Create Microsoft Entra apps for the appliance to communicate with Azure Site Recovery. | +|management.azure.com |Create Microsoft Entra apps for the appliance to communicate with the Azure Site Recovery service. | |`*.services.visualstudio.com `|Upload app logs used for internal monitoring. | |`*.vault.azure.net `|Manage secrets in the Azure Key Vault. Note: Ensure that machines to be replicated have access to this. | |aka.ms |Allow access to "also known as" links. Used for Azure Site Recovery appliance updates. | |
site-recovery | Vmware Azure Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-architecture.md | If you're using a URL-based firewall proxy to control outbound connectivity, all | **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Allows data to be written from the VM to the cache storage account in the source region. |-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | +| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. | | Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.us` | Allows the VM to communicate with the Site Recovery service. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Allows the VM to write Site Recovery monitoring and diagnostics data. | |
site-recovery | Vmware Azure Deploy Configuration Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-deploy-configuration-server.md | Minimum hardware requirements for a configuration server are summarized in the f [!INCLUDE [site-recovery-configuration-server-requirements](../../includes/site-recovery-configuration-and-scaleout-process-server-requirements.md)] -## Azure Active Directory permission requirements +<a name='azure-active-directory-permission-requirements'></a> -You must have a user with one of the following permissions set in Azure Active Directory (Azure AD) to register the configuration server with Azure Site Recovery services. +## Microsoft Entra permission requirements ++You must have a user with one of the following permissions set in Microsoft Entra ID to register the configuration server with Azure Site Recovery services. 1. The user must have an application developer role to create an application. - To verify, sign in to the Azure portal.- - Go to **Azure Active Directory** > **Roles and administrators**. + - Go to **Microsoft Entra ID** > **Roles and administrators**. - Verify that the application developer role is assigned to the user. If not, use a user with this permission or contact an [administrator to enable the permission](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md#assign-roles). 2. If the application developer role can't be assigned, ensure that the **Users can register applications** flag is set as **true** for the user to create an identity. To enable these permissions: 1. Sign in to the Azure portal.- 1. Go to **Azure Active Directory** > **User settings**. + 1. Go to **Microsoft Entra ID** > **User settings**. 1. Under **App registrations**, **Users can register applications**, select **Yes**. 
![Azure AD_application_permission](media/vmware-azure-deploy-configuration-server/AAD_application_permission.png) > [!NOTE]-> Active Directory Federation Services *isn't supported*. Use an account managed through [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md). +> Active Directory Federation Services *isn't supported*. Use an account managed through [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). ## Download the template If you want to add an additional NIC to the configuration server, add it before 5. Enter a name that's used to register the configuration server with Site Recovery. Then select **Next**. 6. The tool checks that the VM can connect to Azure. After the connection is established, select **Sign in** to sign in to your Azure subscription.</br> a. The credentials must have access to the vault in which you want to register the configuration server.</br>- b. Ensure that the chosen user account has permission to create an application in Azure. To enable the required permissions, follow the guidelines in the section [Azure Active Directory permission requirements](#azure-active-directory-permission-requirements). + b. Ensure that the chosen user account has permission to create an application in Azure. To enable the required permissions, follow the guidelines in the section [Microsoft Entra permission requirements](#azure-active-directory-permission-requirements). 7. The tool performs some configuration tasks, and then reboots. 8. Sign in to the machine again. The configuration server management wizard starts automatically in a few seconds. Make sure the machine can access these URLs based on your environment: IP address-based firewall rules should allow communication to all of the Azure URLs that are listed above over HTTPS (443) port. To simplify and limit the IP Ranges, it is recommended that URL filtering be done. 
-- **Commercial IPs** - Allow the [Azure Datacenter IP Ranges](https://www.microsoft.com/download/confirmation.aspx?id=41653), and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the AAD, Backup, Replication, and Storage URLs. -- **Government IPs** - Allow the [Azure Government Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=57063), and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support AAD, Backup, Replication, and Storage URLs. +- **Commercial IPs** - Allow the [Azure Datacenter IP Ranges](https://www.microsoft.com/download/confirmation.aspx?id=41653), and the HTTPS (443) port. Allow IP address ranges for the Azure region of your subscription to support the Microsoft Entra ID, Backup, Replication, and Storage URLs. +- **Government IPs** - Allow the [Azure Government Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=57063), and the HTTPS (443) port for all USGov Regions (Virginia, Texas, Arizona, and Iowa) to support Microsoft Entra ID, Backup, Replication, and Storage URLs. ### Configure settings |
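Review bot: the permission-requirements hunk leaves the image reference `![Azure AD_application_permission](media/vmware-azure-deploy-configuration-server/AAD_application_permission.png)` with the old product name in its alt text; update the alt text to "Microsoft Entra application permission" in the same change (the file name can stay). Keeping the `<a name='azure-active-directory-permission-requirements'></a>` anchor so the in-page link `(#azure-active-directory-permission-requirements)` and external bookmarks keep working is the right call.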
site-recovery | Vmware Azure Multi Tenant Csp Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-multi-tenant-csp-disaster-recovery.md | You can access the tenantΓÇÖs subscription through the Microsoft Partner Center ![The All Resources link](./media/vmware-azure-multi-tenant-csp-disaster-recovery/all-resources-select.png) -4. You can verify access by clicking the Azure Active Directory link on the top right of the Azure portal. +4. You can verify access by clicking the Microsoft Entra ID link on the top right of the Azure portal. - ![Azure Active Directory link](./media/vmware-azure-multi-tenant-csp-disaster-recovery/aad-admin-display.png) + ![Microsoft Entra ID link](./media/vmware-azure-multi-tenant-csp-disaster-recovery/aad-admin-display.png) You can now perform and manage all Site Recovery operations for the tenant in the Azure portal. To access the tenant subscription through CSP for managed disaster recovery, follow the previously described process. |
spatial-anchors | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spatial-anchors/concepts/authentication.md | -In this article, you'll learn the various ways you can authenticate to Azure Spatial Anchors from your app or web service. You'll also learn about the ways you can use Azure role-based access control (Azure RBAC) in Azure Active Directory (Azure AD) to control access to your Spatial Anchors accounts. +In this article, you'll learn the various ways you can authenticate to Azure Spatial Anchors from your app or web service. You'll also learn about the ways you can use Azure role-based access control (Azure RBAC) in Microsoft Entra ID to control access to your Spatial Anchors accounts. > [!WARNING]-> We recommend that you use account keys for quick onboarding, but only during development/prototyping. We don't recommend that you ship your application to production with an embedded account key in it. Instead, use the user-based or service-based Azure AD authentication approaches described next. +> We recommend that you use account keys for quick onboarding, but only during development/prototyping. We don't recommend that you ship your application to production with an embedded account key in it. Instead, use the user-based or service-based Microsoft Entra authentication approaches described next. ## Overview In this article, you'll learn the various ways you can authenticate to Azure Spa To access a given Azure Spatial Anchors account, clients need to first obtain an access token from Azure Mixed Reality Security Token Service (STS). Tokens obtained from STS have a lifetime of 24 hours. They contain information that Spatial Anchors services use to make authorization decisions on the account and ensure that only authorized principals can access the account. -Access tokens can be obtained in exchange for either account keys or tokens issued by Azure AD. 
+Access tokens can be obtained in exchange for either account keys or tokens issued by Microsoft Entra ID. -Account keys enable you to get started quickly with using the Azure Spatial Anchors service. But before you deploy your application to production, we recommend that you update your app to use Azure AD authentication. +Account keys enable you to get started quickly with using the Azure Spatial Anchors service. But before you deploy your application to production, we recommend that you update your app to use Microsoft Entra authentication. -You can obtain Azure AD authentication tokens in two ways: +You can obtain Microsoft Entra authentication tokens in two ways: -- If you're building an enterprise application and your company is using Azure AD as its identity system, you can use user-based Azure AD authentication in your app. You then grant access to your Spatial Anchors accounts by using your existing Azure AD security groups. You can also grant access directly to users in your organization.-- Otherwise, we recommend that you obtain Azure AD tokens from a web service that supports your app. We recommend this method for production applications because it allows you to avoid embedding the credentials for access to Azure Spatial Anchors in your client application.+- If you're building an enterprise application and your company is using Microsoft Entra ID as its identity system, you can use user-based Microsoft Entra authentication in your app. You then grant access to your Spatial Anchors accounts by using your existing Microsoft Entra security groups. You can also grant access directly to users in your organization. +- Otherwise, we recommend that you obtain Microsoft Entra tokens from a web service that supports your app. We recommend this method for production applications because it allows you to avoid embedding the credentials for access to Azure Spatial Anchors in your client application. 
## Account keys configuration.AccountKey(LR"(MyAccountKey)"); After you set that property, the SDK will handle the exchange of the account key for an access token and the necessary caching of tokens for your app. -## Azure AD user authentication +<a name='azure-ad-user-authentication'></a> -For applications that target Azure Active Directory users, we recommend that you use an Azure AD token for the user. You can obtain this token by using the [MSAL](../../active-directory/develop/msal-overview.md). Follow the steps in the [quickstart on registering an app](../../active-directory/develop/quickstart-register-app.md), which include: +## Microsoft Entra user authentication ++For applications that target Microsoft Entra users, we recommend that you use a Microsoft Entra token for the user. You can obtain this token by using the [MSAL](../../active-directory/develop/msal-overview.md). Follow the steps in the [quickstart on registering an app](../../active-directory/develop/quickstart-register-app.md), which include: **In the Azure portal**-1. Register your application in Azure AD as a native application. As part of registering, you'll need to determine whether your application should be multitenant. You'll also need to provide the redirect URLs allowed for your application. +1. Register your application in Microsoft Entra ID as a native application. As part of registering, you'll need to determine whether your application should be multitenant. You'll also need to provide the redirect URLs allowed for your application. 1. Go to the **API permissions** tab. 1. Select **Add a permission**. 1. Select **Mixed Reality Resource Provider** on the **APIs my organization uses** tab. For applications that target Azure Active Directory users, we recommend that you 4. Select **Add permissions**. 1. Select **Grant admin consent**. -1. Assign an [ASA RBAC role](#azure-role-based-access-control) to the application or users that you want to give access to your resource. 
If you want your application's users to have different roles against the ASA account, register multiple applications in Azure AD and assign a separate role to each one. Then implement your authorization logic to use the right role for your users. For detailed role assignment steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). +1. Assign an [ASA RBAC role](#azure-role-based-access-control) to the application or users that you want to give access to your resource. If you want your application's users to have different roles against the ASA account, register multiple applications in Microsoft Entra ID and assign a separate role to each one. Then implement your authorization logic to use the right role for your users. For detailed role assignment steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). **In your code**-1. Be sure to use the application ID and redirect URI of your own Azure AD application for the **client ID** and **RedirectUri** parameters in MSAL. +1. Be sure to use the application ID and redirect URI of your own Microsoft Entra application for the **client ID** and **RedirectUri** parameters in MSAL. 2. Set the tenant information: 1. If your application supports **My organization only**, replace this value with your **Tenant ID** or **Tenant name**. For example, contoso.microsoft.com. 2. If your application supports **Accounts in any organizational directory**, replace this value with **Organizations**. 3. If your application supports **All Microsoft account users**, replace this value with **Common**.-3. On your token request, set the **scope** to **`https://sts.mixedreality.azure.com//.default`**. This scope will indicate to Azure AD that your application is requesting a token for the Mixed Reality Security Token Service (STS). +3. On your token request, set the **scope** to **`https://sts.mixedreality.azure.com//.default`**. 
This scope will indicate to Microsoft Entra ID that your application is requesting a token for the Mixed Reality Security Token Service (STS). -After you complete these steps, your application should be able to obtain from MSAL an Azure AD token. You can set that Azure AD token as the `authenticationToken` on your cloud session configuration object: +After you complete these steps, your application should be able to obtain from MSAL a Microsoft Entra token. You can set that Microsoft Entra token as the `authenticationToken` on your cloud session configuration object: # [C#](#tab/csharp) configuration.AuthenticationToken(LR"(MyAuthenticationToken)"); -## Azure AD service authentication +<a name='azure-ad-service-authentication'></a> ++## Microsoft Entra service authentication To deploy apps that use Azure Spatial Anchors to production, we recommend that you use a back-end service that will broker authentication requests. Here's an overview of the process: ![Diagram that provides an overview of authentication to Azure Spatial Anchors.](./media/spatial-anchors-aad-authentication.png) -Here, it's assumed that your app uses its own mechanism to authenticate to its back-end service. (For example, a Microsoft account, PlayFab, Facebook, a Google ID, or a custom user name and password.) After your users are authenticated to your back-end service, that service can retrieve an Azure AD token, exchange it for an access token for Azure Spatial Anchors, and return it back to your client application. +Here, it's assumed that your app uses its own mechanism to authenticate to its back-end service. (For example, a Microsoft account, PlayFab, Facebook, a Google ID, or a custom user name and password.) After your users are authenticated to your back-end service, that service can retrieve a Microsoft Entra token, exchange it for an access token for Azure Spatial Anchors, and return it back to your client application. 
-The Azure AD access token is retrieved via the [MSAL](../../active-directory/develop/msal-overview.md). Follow the steps in the [register an app quickstart](../../active-directory/develop/quickstart-register-app.md), which include: +The Microsoft Entra access token is retrieved via the [MSAL](../../active-directory/develop/msal-overview.md). Follow the steps in the [register an app quickstart](../../active-directory/develop/quickstart-register-app.md), which include: **In the Azure portal**-1. Register your application in Azure AD: - 1. In the Azure portal, select **Azure Active Directory**, and then select **App registrations**. +1. Register your application in Microsoft Entra ID: + 1. In the Azure portal, select **Microsoft Entra ID**, and then select **App registrations**. 2. Select **New registration**. 3. Enter the name of your application, select **Web app / API** as the application type, and enter the auth URL for your service. Select **Create**. 1. On the application, select **Settings**, and then select the **Certificates and secrets** tab. Create a new client secret, select a duration, and then select **Add**. Be sure to save the secret value. You'll need to include it in your web service's code.-1. Assign an [ASA RBAC role](#azure-role-based-access-control) to the application or users that you want to give access to your resource. If you want your application's users to have different roles against the ASA account, register multiple applications in Azure AD and assign a separate role to each one. Then implement your authorization logic to use the right role for your users. For detailed role assignment steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). +1. Assign an [ASA RBAC role](#azure-role-based-access-control) to the application or users that you want to give access to your resource. 
If you want your application's users to have different roles against the ASA account, register multiple applications in Microsoft Entra ID and assign a separate role to each one. Then implement your authorization logic to use the right role for your users. For detailed role assignment steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). **In your code** >[!NOTE] > You can use the [service sample](https://github.com/Azure/azure-spatial-anchors-samples/tree/master/Sharing/SharingServiceSample) that is available as a part of the [Spatial Anchors sample apps](https://github.com/Azure/azure-spatial-anchors-samples). -1. Be sure to use the application ID, application secret, and redirect URI of your own Azure AD application as the **client ID**, **secret**, and **RedirectUri** parameters in MSAL. -2. Set the tenant ID to your own Azure AD tenant ID in the **authority** parameter in MSAL. +1. Be sure to use the application ID, application secret, and redirect URI of your own Microsoft Entra application as the **client ID**, **secret**, and **RedirectUri** parameters in MSAL. +2. Set the tenant ID to your own Microsoft Entra tenant ID in the **authority** parameter in MSAL. 3. On your token request, set the **scope** to **`https://sts.mixedreality.azure.com//.default`**. -After you complete these steps, your back-end service can retrieve an Azure AD token. It can then exchange it for an MR token that it will return back to the client. Using an Azure AD token to retrieve an MR token is done via a REST call. Here's a sample call: +After you complete these steps, your back-end service can retrieve a Microsoft Entra token. It can then exchange it for an MR token that it will return back to the client. Using a Microsoft Entra token to retrieve an MR token is done via a REST call. 
Here's a sample call: ``` GET https://sts.mixedreality.azure.com/Accounts/35d830cb-f062-4062-9792-d6316039df56/token HTTP/1.1 configuration.AccessToken(LR"(MyAccessToken)"); ## Azure role-based access control -To help you control the level of access granted to applications, services, or Azure AD users of your service, you can assign these pre-existing roles as needed against your Azure Spatial Anchors accounts: +To help you control the level of access granted to applications, services, or Microsoft Entra users of your service, you can assign these pre-existing roles as needed against your Azure Spatial Anchors accounts: - **Spatial Anchors Account Owner**. Applications or users that have this role can create spatial anchors, query for them, and delete them. When you authenticate to your account by using account keys, the Spatial Anchors Account Owner role is assigned to the authenticated principal. - **Spatial Anchors Account Contributor**. Applications or users that have this role can create spatial anchors and query for them, but they can't delete them. |
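Review bot: the unchanged context line "Be sure to save the secret value. You'll need to include it in your web service's code." still tells readers to put the client secret in source, which sits oddly next to this article's own warning against shipping embedded credentials to production. While touching this step, reword to "include it in your web service's configuration" (or point at a secret store) so the rename commit does not carry forward advice to hard-code a secret.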
spring-apps | Concept Understand App And Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/concept-understand-app-and-deployment.md | The following features/properties are defined on app level. | Public</br>Endpoint | The URL to access the app. | | Custom</br>Domain | The `CNAME` record that secures the custom domain. | | Service</br>Binding | The out-of-box connection with other Azure services. |-| Managed</br>Identity | The managed identity by Azure Active Directory allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. | +| Managed</br>Identity | The managed identity by Microsoft Entra ID allows your app to easily access other Microsoft Entra protected resources such as Azure Key Vault. | | Persistent</br>Storage | The setting that enables data to persist beyond app restart. | ## Deployment |
spring-apps | How To Access Data Plane Azure Ad Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-access-data-plane-azure-ad-rbac.md | Title: "Access Config Server and Service Registry" -description: How to access Config Server and Service Registry Endpoints with Azure Active Directory role-based access control. +description: How to access Config Server and Service Registry Endpoints with Microsoft Entra role-based access control. -This article explains how to access the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps using Azure Active Directory (Azure AD) role-based access control (RBAC). +This article explains how to access the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps using Microsoft Entra role-based access control (RBAC). > [!NOTE] > Applications deployed and running inside the Azure Spring Apps service are automatically wired up with certificate-based authentication and authorization when accessing the managed Spring Cloud Config Server and Service Registry. You don't need to follow this guidance for these applications. The related certificates are fully managed by the Azure Spring Apps platform, and are automatically injected in your application when connected to Config Server and Service Registry. -## Assign role to Azure AD user/group, MSI, or service principal +<a name='assign-role-to-azure-ad-usergroup-msi-or-service-principal'></a> ++## Assign role to Microsoft Entra user/group, MSI, or service principal Assign the role to the [user | group | service-principal | managed-identity] at [management-group | subscription | resource-group | resource] scope. For detailed steps, see [Assign Azure roles using the Azure portal](../role-base After the role is assigned, the assignee can access the Spring Cloud Config Server and the Spring Cloud Service Registry endpoints using the following procedures: -1. Get an access token. 
After an Azure AD user is assigned the role, they can use the following commands to sign in to Azure CLI with user, service principal, or managed identity to get an access token. For details, see [Authenticate Azure CLI](/cli/azure/authenticate-azure-cli). +1. Get an access token. After a Microsoft Entra user is assigned the role, they can use the following commands to sign in to Azure CLI with user, service principal, or managed identity to get an access token. For details, see [Authenticate Azure CLI](/cli/azure/authenticate-azure-cli). ```azurecli az login For config server endpoints and detailed path information, see [ResourceControll ## Register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps -After the role is assigned, you can register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps with Azure AD token authentication. Both Config Server and Service Registry support [custom REST template](https://cloud.spring.io/spring-cloud-config/reference/html/#custom-rest-template) to inject the bearer token for authentication. +After the role is assigned, you can register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps with Microsoft Entra token authentication. Both Config Server and Service Registry support [custom REST template](https://cloud.spring.io/spring-cloud-config/reference/html/#custom-rest-template) to inject the bearer token for authentication. For more information, see the samples [Access Azure Spring Apps managed Config Server](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/tree/master/custom-config-server-client) and [Access Azure Spring Apps managed Service Registry](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/tree/master/custom-eureka-client). The following sections explain some important details in these samples. 
**In *AccessTokenManager.java*:** -`AccessTokenManager` is responsible for getting an access token from Azure AD. Configure the service principal's sign-in information in the *application.properties* file and initialize `ApplicationTokenCredentials` to get the token. You can find this file in both samples. +`AccessTokenManager` is responsible for getting an access token from Microsoft Entra ID. Configure the service principal's sign-in information in the *application.properties* file and initialize `ApplicationTokenCredentials` to get the token. You can find this file in both samples. ```java prop.load(in); credentials = new ApplicationTokenCredentials( **In *CustomConfigServiceBootstrapConfiguration.java*:** -`CustomConfigServiceBootstrapConfiguration` implements the custom REST template for Config Server and injects the token from Azure AD as `Authorization` headers. You can find this file in the [Config Server sample](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/tree/master/custom-config-server-client). +`CustomConfigServiceBootstrapConfiguration` implements the custom REST template for Config Server and injects the token from Microsoft Entra ID as `Authorization` headers. You can find this file in the [Config Server sample](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/tree/master/custom-config-server-client). ```java public class RequestResponseHandlerInterceptor implements ClientHttpRequestInterceptor { |
spring-apps | How To Bind Mysql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-mysql.md | Follow these steps to configure your Spring app to connect to an Azure Database az extension add --name serviceconnector-passwordless --upgrade ``` -1. Then, use the following command to create a user-assigned managed identity for Azure Active Directory authentication. Be sure to replace the variables in the example with actual values. For more information, see [Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server](../mysql/flexible-server/how-to-azure-ad.md). +1. Then, use the following command to create a user-assigned managed identity for Microsoft Entra authentication. Be sure to replace the variables in the example with actual values. For more information, see [Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](../mysql/flexible-server/how-to-azure-ad.md). ```azurecli export AZ_IDENTITY_RESOURCE_ID=$(az identity create \ |
spring-apps | How To Bind Postgres | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-postgres.md | zone_pivot_groups: passwordless-postgresql With Azure Spring Apps, you can bind select Azure services to your applications automatically, instead of having to configure your Spring Boot application manually. This article shows you how to bind your application to your Azure Database for PostgreSQL instance. -In this article, we include two authentication methods: Azure Active Directory (Azure AD) authentication and PostgreSQL authentication. The Passwordless tab shows the Azure AD authentication and the Password tab shows the PostgreSQL authentication. +In this article, we include two authentication methods: Microsoft Entra authentication and PostgreSQL authentication. The Passwordless tab shows the Microsoft Entra authentication and the Password tab shows the PostgreSQL authentication. -Azure AD authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. +Microsoft Entra authentication is a mechanism for connecting to Azure Database for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. PostgreSQL authentication uses accounts stored in PostgreSQL. If you choose to use passwords as credentials for the accounts, these credentials are stored in the user table. Because these passwords are stored in PostgreSQL, you need to manage the rotation of the passwords by yourself. |
spring-apps | How To Configure Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-enterprise-spring-cloud-gateway.md | VMware Spring Cloud Gateway supports authentication and authorization through si | `clientSecret` | Yes | The OpenID Connect client secret from your identity provider. | | `scope` | Yes | A list of scopes to include in JWT identity tokens. This list should be based on the scopes that your identity provider allows. | -To set up SSO with Azure Active Directory, see [Set up single sign-on using Azure Active Directory for Spring Cloud Gateway and API Portal](./how-to-set-up-sso-with-azure-ad.md). +To set up SSO with Microsoft Entra ID, see [Set up single sign-on using Microsoft Entra ID for Spring Cloud Gateway and API Portal](./how-to-set-up-sso-with-azure-ad.md). You can use the Azure portal or the Azure CLI to edit SSO properties. |
spring-apps | How To Enable System Assigned Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-enable-system-assigned-managed-identity.md | zone_pivot_groups: spring-apps-tier-selection This article shows you how to enable and disable system-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and CLI. -Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. +Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code. ## Prerequisites az spring app identity assign \ ## Obtain tokens for Azure resources -An app can use its managed identity to get tokens to access other resources protected by Azure Active Directory, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. +An app can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. -You may need to [configure the target resource to allow access from your application](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. 
To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). +You may need to [configure the target resource to allow access from your application](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication). Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token. See [How to use VM token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md) for various code and script examples and guidance on important topics such as handling token expiration and HTTP errors. ## Disable system-assigned identity from an app -Removing a system-assigned identity also deletes it from Azure AD. Deleting the app resource automatically removes system-assigned identities from Azure AD. +Removing a system-assigned identity also deletes it from Microsoft Entra ID. Deleting the app resource automatically removes system-assigned identities from Microsoft Entra ID. ### [Portal](#tab/azure-portal) |
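Review bot: the link text changes to "Azure services that support Microsoft Entra authentication" but the fragment `#azure-services-that-support-azure-ad-authentication` is kept; confirm that heading id still exists in services-support-managed-identities.md after the rename (or that a preserved anchor covers it), otherwise the link lands at the top of the page. The same sentence in how-to-manage-user-assigned-managed-identities.md points at services-azure-active-directory-support.md instead; the two sibling articles should cite the same target.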
spring-apps | How To Github Actions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-github-actions.md | If your action runs in error, for example, if you haven't set the Azure credenti ## Next steps * [Authenticate Azure Spring Apps with Azure Key Vault in GitHub Actions](./github-actions-key-vault.md)-* [Azure Active Directory service principals](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) +* [Microsoft Entra service principals](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) * [GitHub Actions for Azure](https://github.com/Azure/actions/)-* [GitHub Action for deploying to Azure Spring Apps](https://github.com/Azure/spring-apps-deploy) +* [GitHub Action for deploying to Azure Spring Apps](https://github.com/Azure/spring-apps-deploy) |
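Review bot: the final bullet "[GitHub Action for deploying to Azure Spring Apps](https://github.com/Azure/spring-apps-deploy)" is removed and re-added with no visible difference, so this is a trailing-whitespace or line-ending change; harmless, but drop it if the intent is a terminology-only commit so the diff stays minimal.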
spring-apps | How To Manage User Assigned Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-manage-user-assigned-managed-identities.md | zone_pivot_groups: spring-apps-tier-selection This article shows you how to assign or remove user-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and Azure CLI. -Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory (Azure AD) to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. +Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code. ## Prerequisites az spring app identity assign \ ## Obtain tokens for Azure resources -An application can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. +An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. -You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). 
For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md) +You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md) Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md). |
spring-apps | How To Service Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-service-registration.md | The Spring Cloud Service Registry server endpoint is injected as an environment ## Next steps -In this article, you learned how to register your application using Spring Cloud Service Registry. To learn how to access the Spring Cloud Service Registry using Azure Active Directory (Azure AD) role-based access control (RBAC), see [Access Config Server and Service Registry](how-to-access-data-plane-azure-ad-rbac.md). +In this article, you learned how to register your application using Spring Cloud Service Registry. To learn how to access the Spring Cloud Service Registry using Microsoft Entra role-based access control (RBAC), see [Access Config Server and Service Registry](how-to-access-data-plane-azure-ad-rbac.md). |
spring-apps | How To Set Up Sso With Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-set-up-sso-with-azure-ad.md | Title: How to set up single sign-on with Azure AD for Spring Cloud Gateway and API Portal for Tanzu + Title: How to set up single sign-on with Microsoft Entra ID for Spring Cloud Gateway and API Portal for Tanzu -description: How to set up single sign-on with Azure Active Directory for Spring Cloud Gateway and API Portal for Tanzu with the Azure Spring Apps Enterprise plan. +description: How to set up single sign-on with Microsoft Entra ID for Spring Cloud Gateway and API Portal for Tanzu with the Azure Spring Apps Enterprise plan. Last updated 05/20/2022 -# Set up single sign-on using Azure Active Directory for Spring Cloud Gateway and API Portal +# Set up single sign-on using Microsoft Entra ID for Spring Cloud Gateway and API Portal **This article applies to:** ❌ Basic/Standard ✔️ Enterprise -This article shows you how to configure single sign-on (SSO) for Spring Cloud Gateway or API Portal using the Azure Active Directory (Azure AD) as an OpenID identify provider. +This article shows you how to configure single sign-on (SSO) for Spring Cloud Gateway or API Portal using the Microsoft Entra ID as an OpenID identify provider. ## Prerequisites - An Enterprise plan instance with Spring Cloud Gateway or API portal enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).-- Sufficient permissions to manage Azure AD applications.+- Sufficient permissions to manage Microsoft Entra applications. 
To enable SSO for Spring Cloud Gateway or API Portal, you need the following four properties configured: -| SSO Property | Azure AD Configuration | +| SSO Property | Microsoft Entra Configuration | | - | - | | clientId | See [Register App](#create-an-azure-ad-application-registration) | | clientSecret | See [Create Client Secret](#add-a-client-secret) | | scope | See [Configure Scope](#configure-scope) | | issuerUri | See [Generate Issuer URI](#configure-issuer-uri) | -You'll configure the properties in Azure AD in the following steps. +You'll configure the properties in Microsoft Entra ID in the following steps. ## Assign an endpoint for Spring Cloud Gateway or API Portal First, you must get the assigned public endpoint for Spring Cloud Gateway and AP 1. Select **Yes** next to *Assign endpoint*. 1. Copy the URL for use in the next section of this article. -## Create an Azure AD application registration +<a name='create-an-azure-ad-application-registration'></a> ++## Create a Microsoft Entra application registration Register your application to establish a trust relationship between your app and the Microsoft identity platform using the following steps: -1. From the *Home* screen, select **Azure Active Directory** from the left menu. +1. From the *Home* screen, select **Microsoft Entra ID** from the left menu. 1. Select **App Registrations** under *Manage*, then select **New registration**. 1. Enter a display name for your application under *Name*, then select an account type to register under *Supported account types*.-1. In *Redirect URI (optional)* select **Web**, then enter the URL from the above section in the text box. The redirect URI is the location where Azure AD redirects your client and sends security tokens after authentication. +1. In *Redirect URI (optional)* select **Web**, then enter the URL from the above section in the text box. 
The redirect URI is the location where Microsoft Entra ID redirects your client and sends security tokens after authentication. 1. Select **Register** to finish registering the application. :::image type="content" source="./media/how-to-setup-sso-with-azure-ad/sso-create-app-registration.png" alt-text="Screenshot of how to fill out the Add App Registration screen." lightbox="./media/how-to-setup-sso-with-azure-ad/sso-create-app-registration.png"::: The `scope` property of SSO is a list of scopes to be included in JWT identity t The issuer URI is the URI that is asserted as its Issuer Identifier. For example, if the issuer-uri provided is `https://example.com`, then an OpenID Provider Configuration Request will be made to `https://example.com/.well-known/openid-configuration`. -The issuer URI of Azure AD is like `<authentication-endpoint>/<Your-TenantID>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint for your cloud environment (for example, `https://login.microsoftonline.com` for global Azure), and replace `<Your-TenantID>` with the Directory (tenant) ID where the application was registered. +The issuer URI of Microsoft Entra ID is like `<authentication-endpoint>/<Your-TenantID>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint for your cloud environment (for example, `https://login.microsoftonline.com` for global Azure), and replace `<Your-TenantID>` with the Directory (tenant) ID where the application was registered. ## Configure SSO -After configuring your Azure AD application, you can set up the SSO properties of Spring Cloud Gateway or API Portal following these steps: +After configuring your Microsoft Entra application, you can set up the SSO properties of Spring Cloud Gateway or API Portal following these steps: 1. Select **Spring Cloud Gateway** or **API portal** under *VMware Tanzu components* in the left menu, then select **Configuration**. 1. 
Enter the `Scope`, `Client Id`, `Client Secret`, and `Issuer URI` in the appropriate fields. Separate multiple scopes with a comma. |
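Review bot: the `+` line for the intro sentence carries over two wording defects from the removed line: "using the Microsoft Entra ID as an OpenID identify provider" should read "using Microsoft Entra ID as an OpenID identity provider" (drop the article, fix "identify"); since the rename already touches that sentence, correct both there. The added `<a name='create-an-azure-ad-application-registration'></a>` anchor is the right way to keep the unchanged `#create-an-azure-ad-application-registration` table link resolving after the heading rename.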
spring-apps | How To Use Enterprise Api Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-enterprise-api-portal.md | API portal supports authentication and authorization using single sign-on (SSO) | clientSecret | Yes | The OpenID Connect client secret provided by your IdP | | scope | Yes | A list of scopes to include in JWT identity tokens. This list should be based on the scopes allowed by your identity provider | -To set up SSO with Azure AD, see [How to set up single sign-on with Azure AD for Spring Cloud Gateway and API Portal for Tanzu](./how-to-set-up-sso-with-azure-ad.md). +To set up SSO with Microsoft Entra ID, see [How to set up single sign-on with Microsoft Entra ID for Spring Cloud Gateway and API Portal for Tanzu](./how-to-set-up-sso-with-azure-ad.md). > [!NOTE] > If you configure the wrong SSO property, such as the wrong password, you should remove the entire SSO property and re-add the correct configuration. |
spring-apps | How To Use Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-managed-identities.md | zone_pivot_groups: spring-apps-tier-selection This article shows you how to use system-assigned and user-assigned managed identities for applications in Azure Spring Apps. -Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory (Azure AD) to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. +Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code. ## Feature status For user-assigned managed identities, see [How to assign and remove user-assigne ## Obtain tokens for Azure resources -An application can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. +An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application. -You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). 
For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md). +You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md). Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md). 
The following services do not currently support managed identity-based access: ## Concept mapping -The following table shows the mappings between concepts in Managed Identity scope and Azure AD scope: +The following table shows the mappings between concepts in Managed Identity scope and Microsoft Entra scope: -| Managed Identity scope | Azure AD scope | +| Managed Identity scope | Microsoft Entra scope | ||-| | Principal ID | Object ID | | Client ID | Application ID | |
spring-apps | Quickstart Configure Single Sign On Enterprise | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-configure-single-sign-on-enterprise.md | This quickstart shows you how to configure single sign-on for applications runni ## Prepare single sign-on credentials -To configure single sign-on for the application, you need to prepare credentials. The following sections describe steps for using an existing provider or provisioning an application registration with Azure Active Directory. +To configure single sign-on for the application, you need to prepare credentials. The following sections describe steps for using an existing provider or provisioning an application registration with Microsoft Entra ID. ### Use an existing provider -Follow these steps to configure single sign-on using an existing Identity Provider. If you're provisioning an Azure Active Directory App Registration, skip ahead to the following section, [Create and configure an application registration with Azure Active Directory](#create-and-configure-an-application-registration-with-azure-active-directory). +Follow these steps to configure single sign-on using an existing Identity Provider. If you're provisioning a Microsoft Entra App Registration, skip ahead to the following section, [Create and configure an application registration with Microsoft Entra ID](#create-and-configure-an-application-registration-with-azure-active-directory). 1. Configure your existing identity provider to allow redirects back to Spring Cloud Gateway for VMware Tanzu and API portal for VMware Tanzu. Spring Cloud Gateway has a single URI to allow re-entry to the gateway. API portal has two URIs for supporting the user interface and underlying API. The following commands retrieve these URIs that you add to your single sign-on provider's configuration. Follow these steps to configure single sign-on using an existing Identity Provid 1. 
Obtain the `JWK URI` for your identity provider for use later. The `JWK URI` typically takes the form `${ISSUER_URI}/keys` or `${ISSUER_URI}/<version>/keys`. The Identity Service application uses the public JSON Web Keys (JWK) to verify JSON Web Tokens (JWT) issued by your single sign-on identity provider's authorization server. -### Create and configure an application registration with Azure Active Directory +<a name='create-and-configure-an-application-registration-with-azure-active-directory'></a> -To register the application with Azure Active Directory, follow these steps. If you're using an existing provider's credentials, skip ahead to the following section, [Deploy the Identity Service application](#deploy-the-identity-service-application). +### Create and configure an application registration with Microsoft Entra ID -1. Use the following command to create an application registration with Azure Active Directory and save the output: +To register the application with Microsoft Entra ID, follow these steps. If you're using an existing provider's credentials, skip ahead to the following section, [Deploy the Identity Service application](#deploy-the-identity-service-application). ++1. Use the following command to create an application registration with Microsoft Entra ID and save the output: ```azurecli az ad app create --display-name <app-registration-name> > ad.json |
spring-apps | Quickstart Deploy Event Driven App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-event-driven-app.md | The sample project is an event-driven application that subscribes to a [Service :::image type="content" source="media/quickstart-deploy-event-driven-app/diagram.png" alt-text="Diagram showing the Azure Spring Apps event-driven app architecture." lightbox="media/quickstart-deploy-event-driven-app/diagram.png" border="false"::: +This article provides the following options for deploying to Azure Spring Apps: + ::: zone pivot="sc-consumption-plan,sc-standard" [!INCLUDE [quickstart-tool-introduction](includes/quickstart-deploy-event-driven-app/quickstart-tool-introduction.md)] ::: zone-end ++- The Azure portal is the easiest and fastest way to create resources and deploy applications with a single click. This method is suitable for Spring developers who want to quickly deploy applications to Azure cloud services. +- The Azure CLI is a powerful command line tool to manage Azure resources. It's suitable for Spring developers who are familiar with Azure cloud services. ++ ## 1. Prerequisites ::: zone pivot="sc-consumption-plan,sc-standard" ### [Azure portal](#tab/Azure-portal) +- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. ++### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin) + - An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] - [Git](https://git-scm.com/downloads). - [Java Development Kit (JDK)](/java/azure/jdk/), version 17. The sample project is an event-driven application that subscribes to a [Service ::: zone pivot="sc-enterprise" +### [Azure portal](#tab/Azure-portal-ent) ++- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. 
++### [Azure CLI](#tab/Azure-CLI) + - An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] - If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md). - [Git](https://git-scm.com/downloads). - [Java Development Kit (JDK)](/java/azure/jdk/), version 17. - [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. ++ ::: zone-end ::: zone pivot="sc-consumption-plan" The sample project is an event-driven application that subscribes to a [Service Use the following steps to confirm that the event-driven app works correctly. You can validate the app by sending a message to the `lower-case` queue, then confirm that there's a message in the `upper-case` queue. + 1. Send a message to the `lower-case` queue with Service Bus Explorer. For more information, see the [Send a message to a queue or topic](../service-bus-messaging/explorer.md#send-a-message-to-a-queue-or-topic) section of [Use Service Bus Explorer to run data operations on Service Bus](../service-bus-messaging/explorer.md). 1. Confirm that there's a new message sent to the `upper-case` queue. For more information, see the [Peek a message](../service-bus-messaging/explorer.md#peek-a-message) section of [Use Service Bus Explorer to run data operations on Service Bus](../service-bus-messaging/explorer.md). +1. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++ ::: zone pivot="sc-enterprise" -3. 
Use the following command to check the app's log to investigate any deployment issue: +### [Azure portal](#tab/Azure-portal-ent) ++1. Send a message to the `lower-case` queue with Service Bus Explorer. For more information, see the [Send a message to a queue or topic](../service-bus-messaging/explorer.md#send-a-message-to-a-queue-or-topic) section of [Use Service Bus Explorer to run data operations on Service Bus](../service-bus-messaging/explorer.md). ++1. Confirm that there's a new message sent to the `upper-case` queue. For more information, see the [Peek a message](../service-bus-messaging/explorer.md#peek-a-message) section of [Use Service Bus Explorer to run data operations on Service Bus](../service-bus-messaging/explorer.md). ++1. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. ++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++1. Check the details for each resource deployment, which are useful for investigating any deployment issues. ++### [Azure CLI](#tab/Azure-CLI) ++1. Send a message to the `lower-case` queue with Service Bus Explorer. For more information, see the [Send a message to a queue or topic](../service-bus-messaging/explorer.md#send-a-message-to-a-queue-or-topic) section of [Use Service Bus Explorer to run data operations on Service Bus](../service-bus-messaging/explorer.md). ++1. Confirm that there's a new message sent to the `upper-case` queue. For more information, see the [Peek a message](../service-bus-messaging/explorer.md#peek-a-message) section of [Use Service Bus Explorer to run data operations on Service Bus](../service-bus-messaging/explorer.md). ++1. Go to the Azure Spring Apps instance **Overview** page and select **Logs** to check the app's logs. 
++ :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal that shows the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: ++1. Use the following command to check the app's log to investigate any deployment issue: ```azurecli az spring app logs \ Use the following steps to confirm that the event-driven app works correctly. Yo --name ${APP_NAME} ``` ---3. From the navigation pane of the Azure Spring Apps instance overview page, select **Logs** to check the app's logs. -- :::image type="content" source="media/quickstart-deploy-event-driven-app/logs.png" alt-text="Screenshot of the Azure portal showing the Azure Spring Apps Logs page." lightbox="media/quickstart-deploy-event-driven-app/logs.png"::: + ::: zone-end |
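Review bot: in the enterprise validation section the new `### [Azure portal](#tab/Azure-portal-ent)` / `### [Azure CLI](#tab/Azure-CLI)` tab group has no visible closing `---` before `::: zone-end`; the removed lines dropped the old terminator together with step 3 (`---3. From the navigation pane ...`), so add a `---` line after the `az spring app logs` code block to close the tab group. Minor: the identical Logs `:::image` block now appears three times; an include would keep the copies from drifting.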
spring-apps | Quickstart Deploy Restful Api App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/quickstart-deploy-restful-api-app.md | The following diagram shows the architecture of the system: - An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. - [Git](https://git-scm.com/downloads). - [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- A Microsoft Entra ID tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](../active-directory/fundamentals/create-new-tenant.md).+- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](../active-directory/fundamentals/create-new-tenant.md). - [curl](https://curl.se/download.html). ### [Azure Developer CLI](#tab/Azure-Developer-CLI) The following diagram shows the architecture of the system: - An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. - [Git](https://git-scm.com/downloads). - [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- A Microsoft Entra ID tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](../active-directory/fundamentals/create-new-tenant.md).+- A Microsoft Entra tenant. For instructions on creating one, see [Quickstart: Create a new tenant in Microsoft Entra ID](../active-directory/fundamentals/create-new-tenant.md). - [Azure Developer CLI (AZD)](https://aka.ms/azd-install), version 1.0.2 or higher. - [curl](https://curl.se/download.html). Use the following steps to register an application in Microsoft Entra ID, which #### Add user to access the RESTful APIs -Use the following steps to create a member user in your Microsoft Entra ID tenant. Then, the user can manage the data of the `ToDo` application through RESTful APIs. 
+Use the following steps to create a member user in your Microsoft Entra tenant. Then, the user can manage the data of the `ToDo` application through RESTful APIs. 1. Under **Manage**, select **Users** > **New user** > **Create new user**. Use the following steps to use [OAuth 2.0 authorization code flow](../active-dir 1. Open the URL exposed by the app, then select **Authorize** to prepare the OAuth2 authentication. -1. In the **Available authorizations** window, enter the client ID of the `ToDoWeb` app in the **client_id** field, select all the scopes for **Scopes** field, ignore the **client_secret** field, and then select **Authorize** to redirect to the Microsoft Entra ID sign-in page. +1. In the **Available authorizations** window, enter the client ID of the `ToDoWeb` app in the **client_id** field, select all the scopes for **Scopes** field, ignore the **client_secret** field, and then select **Authorize** to redirect to the Microsoft Entra sign-in page. After completing the sign in with the previous user, you're returned to the **Available authorizations** window. |
spring-apps | Secure Communications End To End | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/secure-communications-end-to-end.md | Zero Trust is based on the principle of "never trust, always verify, and credent To securely load certificates from [Azure Key Vault](../key-vault/index.yml), Spring Boot apps use [managed identities](../active-directory/managed-identities-azure-resources/overview.md) and [Azure role-based access control (RBAC)](../role-based-access-control/index.yml). Azure Spring Apps uses a provider [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) and Azure role-based access control. This secure loading is powered using the Azure Key Vault Java Cryptography Architecture (JCA) Provider. For more information, see [Azure Key Vault JCA client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca). -With Azure Key Vault, you control the storage and distribution of certificates to reduce accidental leakage. Applications and services can securely access certificates. Key Vault uses Azure role-based access control to lock down access to only those requiring access, such as an admin, but also apps, using the principle of least privilege. Applications and services authenticate and authorize, using Azure Active Directory and Azure role-based access control, to access certificates. You can monitor the access and use of certificates in Key Vault through its full audit trail. +With Azure Key Vault, you control the storage and distribution of certificates to reduce accidental leakage. Applications and services can securely access certificates. Key Vault uses Azure role-based access control to lock down access to only those requiring access, such as an admin, but also apps, using the principle of least privilege. 
Applications and services authenticate and authorize, using Microsoft Entra ID and Azure role-based access control, to access certificates. You can monitor the access and use of certificates in Key Vault through its full audit trail. ## Secure communications end-to-end or terminate TLS at any point |
spring-apps | Tutorial Authenticate Client With Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/tutorial-authenticate-client-with-gateway.md | The following list shows the composition of the sample project: - An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. - [Git](https://git-scm.com/downloads). - [Java Development Kit (JDK)](/java/azure/jdk/), version 17.-- A Microsoft Entra ID tenant. For more information on how to create a Microsoft Entra ID tenant, see [Quickstart: Create a new tenant in Azure AD](../active-directory/fundamentals/create-new-tenant.md).+- A Microsoft Entra tenant. For more information on how to create a Microsoft Entra tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](../active-directory/fundamentals/create-new-tenant.md). - [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. - Install [Node.js](https://nodejs.org). |
spring-apps | Tutorial Managed Identities Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/tutorial-managed-identities-functions.md | Last updated 05/07/2023 This article shows you how to create a managed identity for an app hosted in Azure Spring Apps and use it to invoke HTTP triggered Functions. -Both Azure Functions and App Services have built in support for Azure Active Directory (Azure AD) authentication. By using this built-in authentication capability along with Managed Identities for Azure Spring Apps, you can invoke RESTful services using modern OAuth semantics. This method doesn't require storing secrets in code and provides more granular controls for controlling access to external resources. +Both Azure Functions and App Services have built in support for Microsoft Entra authentication. By using this built-in authentication capability along with Managed Identities for Azure Spring Apps, you can invoke RESTful services using modern OAuth semantics. This method doesn't require storing secrets in code and provides more granular controls for controlling access to external resources. ## Prerequisites az functionapp create \ Make a note of the returned `hostNames` value, which is in the format `https://<your-functionapp-name>.azurewebsites.net`. Use this value in the Function app's root URL for testing the Function app. -## Enable Azure Active Directory authentication +<a name='enable-azure-active-directory-authentication'></a> -Use the following steps to enable Azure Active Directory authentication to access your Function app. +## Enable Microsoft Entra authentication ++Use the following steps to enable Microsoft Entra authentication to access your Function app. 1. In the Azure portal, navigate to your resource group and then open the Function app you created. 1. In the navigation pane, select **Authentication** and then select **Add identity provider** on the main pane. 
Use the following steps to enable Azure Active Directory authentication to acces :::image type="content" source="media/tutorial-managed-identities-functions/add-identity-provider.png" alt-text="Screenshot of the Azure portal showing the Add an identity provider page with Microsoft highlighted in the identity provider dropdown menu." lightbox="media/tutorial-managed-identities-functions/add-identity-provider.png"::: 1. Select **Add**.-1. For the **Basics** settings on the **Add an identity provider** page, set **Supported account types** to **Any Azure AD directory - Multi-tenant**. +1. For the **Basics** settings on the **Add an identity provider** page, set **Supported account types** to **Any Microsoft Entra directory - Multi-tenant**. 1. Set **Unauthenticated requests** to **HTTP 401 Unauthorized: recommended for APIs**. This setting ensures that all unauthenticated requests are denied (401 response). :::image type="content" source="media/tutorial-managed-identities-functions/identity-provider-settings.png" alt-text="Screenshot of the Azure portal showing the Add an identity provider page with Support account types and Unauthenticated requests highlighted." lightbox="media/tutorial-managed-identities-functions/identity-provider-settings.png"::: 1. Select **Add**. -After you add the settings, the Function app restarts and all subsequent requests are prompted to sign in through Azure AD. You can test that unauthenticated requests are currently being rejected with the Function app's root URL (returned in the `hostNames` output of the `az functionapp create` command). You should then be redirected to your organization's Azure Active Directory sign-in screen. +After you add the settings, the Function app restarts and all subsequent requests are prompted to sign in through Microsoft Entra ID. 
You can test that unauthenticated requests are currently being rejected with the Function app's root URL (returned in the `hostNames` output of the `az functionapp create` command). You should then be redirected to your organization's Microsoft Entra sign-in screen. You need the Application ID and the Application ID URI for later use. In the Azure portal, navigate to the Function app you created. func init --worker-runtime node func new --template HttpTrigger --name HttpTrigger ``` -By default, functions use key-based authentication to secure HTTP endpoints. To enable Azure AD authentication to secure access to the functions, set the `authLevel` key to `anonymous` in the *function.json* file, as shown in the following example: +By default, functions use key-based authentication to secure HTTP endpoints. To enable Microsoft Entra authentication to secure access to the functions, set the `authLevel` key to `anonymous` in the *function.json* file, as shown in the following example: ```json { |
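Review bot: in the rewritten introductory sentence ("Both Azure Functions and App Services have built in support for Microsoft Entra authentication"), "built in support" should be hyphenated as "built-in support", matching "built-in authentication capability" in the very next sentence; since this line is already being touched for the Entra rename, fix the compound adjective in the same change rather than carrying the inconsistency forward.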
spring-apps | Tutorial Managed Identities Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/tutorial-managed-identities-key-vault.md | -Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets for your app. You can create a managed identity in Azure Active Directory (Azure AD), and authenticate to any service that supports Azure AD authentication, including Key Vault, without having to display credentials in your code. +Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets for your app. You can create a managed identity in Microsoft Entra ID, and authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without having to display credentials in your code. The following video describes how to manage secrets using Azure Key Vault. |
spring-apps | Vnet Customer Responsibilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/vnet-customer-responsibilities.md | Azure Firewall provides the FQDN tag **AzureKubernetesService** to simplify the | <i>mcr.microsoft.com</i> | HTTPS:443 | Microsoft Container Registry (MCR). | | <i>*.data.mcr.microsoft.com</i> | HTTPS:443 | MCR storage backed by the Azure CDN. | | <i>management.azure.com</i> | HTTPS:443 | Underlying Kubernetes Cluster management. |-| <i>login.microsoftonline.com</i> | HTTPS:443 | Azure Active Directory authentication. | +| <i>login.microsoftonline.com</i> | HTTPS:443 | Microsoft Entra authentication. | | <i>packages.microsoft.com</i> | HTTPS:443 | Microsoft packages repository. | | <i>acs-mirror.azureedge.net</i> | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. | Azure Firewall provides the FQDN tag `AzureKubernetesService` to simplify the fo | <i>mcr.microsoft.com</i> | HTTPS:443 | Microsoft Container Registry (MCR). | | <i>*.data.mcr.microsoft.com</i> | HTTPS:443 | MCR storage backed by the Azure CDN. | | <i>management.chinacloudapi.cn</i> | HTTPS:443 | Underlying Kubernetes Cluster management. |-| <i>login.chinacloudapi.cn</i> | HTTPS:443 | Azure Active Directory authentication. | +| <i>login.chinacloudapi.cn</i> | HTTPS:443 | Microsoft Entra authentication. | | <i>packages.microsoft.com</i> | HTTPS:443 | Microsoft packages repository. | | <i>*.azk8s.cn</i> | HTTPS:443 | Repository required to install required binaries like kubenet and Azure CNI. | |
static-web-apps | Getting Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/getting-started.md | If you don't already have the [Azure Static Web Apps extension for Visual Studio -5. Enter the settings values for that match your framework preset choice. +5. Enter the settings values that match your framework preset choice. # [No Framework](#tab/vanilla-javascript) |
storage | Access Tiers Online Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/access-tiers-online-manage.md | az storage blob upload-batch \ To upload a blob to a specific tier by using AzCopy, use the [azcopy copy](../common/storage-ref-azcopy-copy.md) command and set the `--block-blob-tier` parameter to `hot`, `cool`, or `archive`. > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. 
```azcopy azcopy copy '<local-file-path>' 'https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>' --block-blob-tier <blob-tier> To change a blob's tier to a cooler tier, use the [azcopy set-properties](..\com > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. 
```azcopy azcopy set-properties 'https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>' --block-blob-tier=<tier> az storage blob copy start \ To copy a blob from cool to hot with AzCopy, use [azcopy copy](..\common\storage-ref-azcopy-copy.md) command and set the `--block-blob-tier` parameter to `hot`. > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. ```azcopy |
storage | Anonymous Read Access Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/anonymous-read-access-configure.md | Role assignments must be scoped to the level of the storage account or higher to Be careful to restrict assignment of these roles only to those administrative users who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). -These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. +These roles do not provide access to data in a storage account via Microsoft Entra ID. However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. The **Microsoft.Storage/storageAccounts/listkeys/action** itself grants data access via the account keys, but does not grant a user the ability to change the **AllowBlobPublicAccess** property for a storage account. 
For users who need to access data in your storage account but should not have the ability to change the storage account's configuration, consider assigning roles such as [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor), [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader), or [Reader and Data Access](../../role-based-access-control/built-in-roles.md#reader-and-data-access). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). 
### Set the storage account's AllowBlobPublicAccess property When anonymous access is disallowed for the storage account, a container's anony # [PowerShell](#tab/powershell) -To update the anonymous access level for one or more containers with PowerShell, call the [Set-AzStorageContainerAcl](/powershell/module/az.storage/set-azstoragecontaineracl) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). +To update the anonymous access level for one or more containers with PowerShell, call the [Set-AzStorageContainerAcl](/powershell/module/az.storage/set-azstoragecontaineracl) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Microsoft Entra ID. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). The following example creates a container with anonymous access disabled, and then updates the container's anonymous access setting to permit anonymous access to the container and its blobs. 
Remember to replace the placeholder values in brackets with your own values: When anonymous access is disallowed for the storage account, a container's anony # [Azure CLI](#tab/azure-cli) -To update the anonymous access level for one or more containers with Azure CLI, call the [az storage container set permission](/cli/azure/storage/container#az-storage-container-set-permission) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). +To update the anonymous access level for one or more containers with Azure CLI, call the [az storage container set permission](/cli/azure/storage/container#az-storage-container-set-permission) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Microsoft Entra ID. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). The following example creates a container with anonymous access disabled, and then updates the container's anonymous access setting to permit anonymous access to the container and its blobs. Remember to replace the placeholder values in brackets with your own values: |
storage | Anonymous Read Access Prevent Classic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/anonymous-read-access-prevent-classic.md | To remediate anonymous access for one or more containers in the Azure portal, fo # [PowerShell](#tab/powershell) -To remediate anonymous access for one or more containers with PowerShell, call the [Set-AzStorageContainerAcl](/powershell/module/az.storage/set-azstoragecontaineracl) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). +To remediate anonymous access for one or more containers with PowerShell, call the [Set-AzStorageContainerAcl](/powershell/module/az.storage/set-azstoragecontaineracl) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Microsoft Entra ID. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). The following example updates a container's anonymous access setting to make the container private. 
Remember to replace the placeholder values in brackets with your own values: Set-AzStorageContainerAcl -Container $containerName -Permission Off -Context $ct # [Azure CLI](#tab/azure-cli) -To remediate anonymous access for one or more containers with Azure CLI, call the [az storage container set permission](/cli/azure/storage/container#az-storage-container-set-permission) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). +To remediate anonymous access for one or more containers with Azure CLI, call the [az storage container set permission](/cli/azure/storage/container#az-storage-container-set-permission) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's anonymous access level does not support authorization with Microsoft Entra ID. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). The following example updates a container's anonymous access setting to make the container private. Remember to replace the placeholder values in brackets with your own values: |
storage | Anonymous Read Access Prevent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/anonymous-read-access-prevent.md | Role assignments must be scoped to the level of the storage account or higher to Be careful to restrict assignment of these roles only to those administrative users who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). -These roles don't provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. +These roles don't provide access to data in a storage account via Microsoft Entra ID. However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. The **Microsoft.Storage/storageAccounts/listkeys/action** itself grants data access via the account keys, but doesn't grant a user the ability to change the **AllowBlobPublicAccess** property for a storage account. 
For users who need to access data in your storage account but shouldn't have the ability to change the storage account's configuration, consider assigning roles such as [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor), [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader), or [Reader and Data Access](../../role-based-access-control/built-in-roles.md#reader-and-data-access). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ### Set the storage account's AllowBlobPublicAccess property to False |
storage | Archive Blob | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/archive-blob.md | az storage blob upload-batch \ To archive a single blob on upload with AzCopy, call the [azcopy copy](../common/storage-ref-azcopy-copy.md) command. Provide a local file as the source and the target blob URI as the destination, and specify the archive tier as the target tier, as shown in the following example. Remember to replace the placeholder values in brackets with your own values: > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. 
```azcopy azcopy copy 'C:\temp\myTextFile.txt' 'https://<storage-account>.blob.core.windows.net/<container>/myTextFile-archived.txt' --blob-type BlockBlob --block-blob-tier Archive To change a blob's tier from hot or cool to Archive, use the [azcopy set-propert > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. 
```azcopy azcopy set-properties 'https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>' --block-blob-tier=archive az storage blob copy start \ To copy a blob from an online tier to the archive tier with AzCopy, specify the URI for the source blob and the URI for the destination blob. The destination blob should have a different name from the source blob, and shouldn't already exist. > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example excludes the SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. Remember to replace placeholders in angle brackets with your own values: |
storage | Archive Rehydrate To Online Tier | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/archive-rehydrate-to-online-tier.md | To change a blob's tier from archive to hot or cool with AzCopy, use the [azcopy > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. > [!NOTE]-> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example also contains no SAS token because it assumes that you've provided authorization credentials by using Azure Active Directory (Azure AD). See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. +> This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). <br>This example also contains no SAS token because it assumes that you've provided authorization credentials by using Microsoft Entra ID. See the [Get started with AzCopy](../common/storage-use-azcopy-v10.md) article to learn about the ways that you can provide authorization credentials to the storage service. ```azcopy azcopy set-properties 'https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>' --block-blob-tier=hot --rehydrate-priority=high |
storage | Assign Azure Role Data Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/assign-azure-role-data-access.md | Title: Assign an Azure role for access to blob data -description: Learn how to assign permissions for blob data to an Azure Active Directory security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Azure AD. +description: Learn how to assign permissions for blob data to a Microsoft Entra security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Microsoft Entra ID. -Azure Active Directory (AAD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob data. +Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob data. -When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. 
A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). -To learn more about using Azure AD to authorize access to blob data, see [Authorize access to blobs using Azure Active Directory](authorize-access-azure-active-directory.md). +To learn more about using Microsoft Entra ID to authorize access to blob data, see [Authorize access to blobs using Microsoft Entra ID](authorize-access-azure-active-directory.md). > [!NOTE] > This article shows how to assign an Azure role for access to blob data in a storage account. To learn about assigning roles for management operations in Azure Storage, see [Use the Azure Storage resource provider to access management resources](../common/authorization-resource-provider.md). You can use the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manage # [Azure portal](#tab/portal) -To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments: +To access blob data in the Azure portal with Microsoft Entra credentials, a user must have the following role assignments: - A data access role, such as **Storage Blob Data Reader** or **Storage Blob Data Contributor** - The Azure Resource Manager **Reader** role, at a minimum The [Reader](../../role-based-access-control/built-in-roles.md#reader) role is a For example, if you assign the **Storage Blob Data Contributor** role to user Mary at the level of a container named **sample-container**, then Mary is granted read, write, and delete access to all of the blobs in that container. However, if Mary wants to view a blob in the Azure portal, then the **Storage Blob Data Contributor** role by itself will not provide sufficient permissions to navigate through the portal to the blob in order to view it. 
The additional permissions are required to navigate through the portal and view the other resources that are visible there. -A user must be assigned the **Reader** role to use the Azure portal with Azure AD credentials. However, if a user has been assigned a role with **Microsoft.Storage/storageAccounts/listKeys/action** permissions, then the user can use the portal with the storage account keys, via Shared Key authorization. To use the storage account keys, Shared Key access must be permitted for the storage account. For more information on permitting or disallowing Shared Key access, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md). +A user must be assigned the **Reader** role to use the Azure portal with Microsoft Entra credentials. However, if a user has been assigned a role with **Microsoft.Storage/storageAccounts/listKeys/action** permissions, then the user can use the portal with the storage account keys, via Shared Key authorization. To use the storage account keys, Shared Key access must be permitted for the storage account. For more information on permitting or disallowing Shared Key access, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md). You can also assign an Azure Resource Manager role that provides additional permissions beyond than the **Reader** role. Assigning the least possible permissions is recommended as a security best practice. For more information, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). To assign an Azure role to a security principal with PowerShell, call the [New-A The format of the command can differ based on the scope of the assignment, but the `-ObjectId` and `-RoleDefinitionName` are required parameters. Passing a value for the `-Scope` parameter, while not required, is highly recommended to retain the principle of least privilege. 
By limiting roles and scopes, you limit the resources which are at risk if the security principal is ever compromised. -The `-ObjectId` parameter is the Azure Active Directory (AAD) object ID of the user, group or service principal to which the role will be assigned. To retrieve the identifier, you can use [Get-AzADUser](/powershell/module/az.resources/get-azaduser) to filter Azure Active Directory users, as shown in the following example. +The `-ObjectId` parameter is the Microsoft Entra object ID of the user, group or service principal to which the role will be assigned. To retrieve the identifier, you can use [Get-AzADUser](/powershell/module/az.resources/get-azaduser) to filter Microsoft Entra users, as shown in the following example. ```azurepowershell Get-AzADUser -DisplayName '<Display Name>' Type : ab12cd34-ef56-ab12-cd34-ef56ab12cd34 ``` -The `-RoleDefinitionName` parameter value is the name of the RBAC role that needs to be assigned to the principal. To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments: +The `-RoleDefinitionName` parameter value is the name of the RBAC role that needs to be assigned to the principal. To access blob data in the Azure portal with Microsoft Entra credentials, a user must have the following role assignments: - A data access role, such as **Storage Blob Data Contributor** or **Storage Blob Data Reader** - The Azure Resource Manager **Reader** role To learn how to use an Azure Resource Manager template to assign an Azure role, Keep in mind the following points about Azure role assignments in Azure Storage: -- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for Azure Storage. 
You can assign it at the level of your subscription, resource group, storage account, or container.+- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or container. - If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a container.-- If you have set the appropriate allow permissions to access data via Azure AD and are unable to access the data, for example you are getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time for the permissions changes you have made in Azure AD to replicate, and be sure that you do not have any deny assignments that block your access, see [Understand Azure deny assignments](../../role-based-access-control/deny-assignments.md).+- If you have set the appropriate allow permissions to access data via Microsoft Entra ID and are unable to access the data, for example you are getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time for the permissions changes you have made in Microsoft Entra ID to replicate, and be sure that you do not have any deny assignments that block your access, see [Understand Azure deny assignments](../../role-based-access-control/deny-assignments.md). > [!NOTE] > You can create custom Azure RBAC roles for granular access to blob data. For more information, see [Azure custom roles](../../role-based-access-control/custom-roles.md). |
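Review bot: the sentence "You can also assign an Azure Resource Manager role that provides additional permissions beyond than the **Reader** role" in the portal section keeps a grammar slip through this rename pass; drop "than" so it reads "beyond the **Reader** role". In the same section, the statement that a role carrying `Microsoft.Storage/storageAccounts/listKeys/action` lets the user work in the portal through Shared Key is the point a least-privilege reviewer will care about, and it deserves to be stated plainly: such a role gives the user the account keys and therefore access to the data regardless of which data-plane roles they hold, and disallowing Shared Key on the account (the Prevent Shared Key article already linked here) is the control that closes that path. The AuthorizationPermissionMismatch bullet near the end is also a run-on; "If you have set the appropriate allow permissions ... and are unable to access the data, for example you are getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time ..." reads better as "If you have assigned the allow permissions but still receive an "AuthorizationPermissionMismatch" error, allow time for the role assignment to propagate and check that no deny assignment blocks your access".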
storage | Authorize Access Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/authorize-access-azure-active-directory.md | Title: Authorize access to blobs using Active Directory -description: Authorize access to Azure blobs using Azure Active Directory (Azure AD). Assign Azure roles for access rights. Access data with an Azure AD account. +description: Authorize access to Azure blobs using Microsoft Entra ID. Assign Azure roles for access rights. Access data with a Microsoft Entra account. Last updated 03/17/2023 -# Authorize access to blobs using Azure Active Directory +# Authorize access to blobs using Microsoft Entra ID -Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. +Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. -Authorization with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your blob applications when possible to assure access with minimum required privileges. +Authorization with Microsoft Entra ID provides superior security and ease of use over Shared Key authorization. 
Microsoft recommends using Microsoft Entra authorization with your blob applications when possible to assure access with minimum required privileges. -Authorization with Azure AD is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization. +Authorization with Microsoft Entra ID is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Microsoft Entra authorization. -Blob storage additionally supports creating shared access signatures (SAS) that are signed with Azure AD credentials. For more information, see [Grant limited access to data with shared access signatures](../common/storage-sas-overview.md). +Blob storage additionally supports creating shared access signatures (SAS) that are signed with Microsoft Entra credentials. For more information, see [Grant limited access to data with shared access signatures](../common/storage-sas-overview.md). -## Overview of Azure AD for blobs +<a name='overview-of-azure-ad-for-blobs'></a> -When a security principal (a user, group, or application) attempts to access a blob resource, the request must be authorized, unless it's a blob available for anonymous access. With Azure AD, access to a resource is a two-step process: +## Overview of Microsoft Entra ID for blobs ++When a security principal (a user, group, or application) attempts to access a blob resource, the request must be authorized, unless it's a blob available for anonymous access. With Microsoft Entra ID, access to a resource is a two-step process: 1. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. 
When a security principal (a user, group, or application) attempts to access a b The authorization step requires that one or more Azure RBAC roles be assigned to the security principal making the request. For more information, see [Assign Azure roles for access rights](#assign-azure-roles-for-access-rights). -### Use an Azure AD account with portal, PowerShell, or Azure CLI +<a name='use-an-azure-ad-account-with-portal-powershell-or-azure-cli'></a> ++### Use a Microsoft Entra account with portal, PowerShell, or Azure CLI -To learn about how to access data in the Azure portal with an Azure AD account, see [Data access from the Azure portal](#data-access-from-the-azure-portal). To learn how to call Azure PowerShell or Azure CLI commands with an Azure AD account, see [Data access from PowerShell or Azure CLI](#data-access-from-powershell-or-azure-cli). +To learn about how to access data in the Azure portal with a Microsoft Entra account, see [Data access from the Azure portal](#data-access-from-the-azure-portal). To learn how to call Azure PowerShell or Azure CLI commands with a Microsoft Entra account, see [Data access from PowerShell or Azure CLI](#data-access-from-powershell-or-azure-cli). -### Use Azure AD to authorize access in application code +<a name='use-azure-ad-to-authorize-access-in-application-code'></a> -To authorize access to Azure Storage with Azure AD, you can use one of the following client libraries to acquire an OAuth 2.0 token: +### Use Microsoft Entra ID to authorize access in application code ++To authorize access to Azure Storage with Microsoft Entra ID, you can use one of the following client libraries to acquire an OAuth 2.0 token: - The Azure Identity client library is recommended for most development scenarios. - The [Microsoft Authentication Library (MSAL)](../../active-directory/develop/msal-overview.md) may be suitable for certain advanced scenarios. 
#### Azure Identity client library -The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Azure Active Directory (Azure AD) via the [Azure SDK](https://github.com/Azure/azure-sdk). The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of Azure Storage requests. +The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Microsoft Entra ID via the [Azure SDK](https://github.com/Azure/azure-sdk). The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of Azure Storage requests. An advantage of the Azure Identity client library is that it enables you to use the same code to acquire the access token whether your application is running in the development environment or in Azure. The Azure Identity client library returns an access token for a security principal. When your code is running in Azure, the security principal may be a managed identity for Azure resources, a service principal, or a user or group. In the development environment, the client library provides an access token for either a user or a service principal for testing purposes. The access token returned by the Azure Identity client library is encapsulated i While Microsoft recommends using the Azure Identity client library when possible, the MSAL library may be appropriate to use in certain advanced scenarios. For more information, see [Learn about MSAL](../../active-directory/develop/msal-overview.md). 
-When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide an Azure AD resource ID. The Azure AD resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account. +When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide a Microsoft Entra resource ID. The Microsoft Entra resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account. When you provide a resource ID that is specific to a single storage account and service, the resource ID is used to acquire a token for authorizing requests to the specified account and service only. The following table lists the value to use for the resource ID, based on the cloud you're working with. Replace `<account-name>` with the name of your storage account. You can also provide a resource ID that applies to any storage account, as shown ## Assign Azure roles for access rights -Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure RBAC. Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob data. You can also define custom roles for access to blob data. To learn more about assigning Azure roles for blob access, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md). +Microsoft Entra authorizes access rights to secured resources through Azure RBAC. Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob data. You can also define custom roles for access to blob data. 
To learn more about assigning Azure roles for blob access, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md). -An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). The RBAC roles that are assigned to a security principal determine the permissions that the principal has for the specified resource. To learn more about assigning Azure roles for blob access, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md) +A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). The RBAC roles that are assigned to a security principal determine the permissions that the principal has for the specified resource. To learn more about assigning Azure roles for blob access, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md) In some cases you may need to enable fine-grained access to blob resources or to simplify permissions when you have a large number of role assignments for a storage resource. You can use Azure attribute-based access control (Azure ABAC) to configure conditions on role assignments. You can use conditions with a [custom role](../../role-based-access-control/custom-roles.md) or select built-in roles. For more information about configuring conditions for Azure storage resources with ABAC, see [Authorize access to blobs using Azure role assignment conditions (preview)](../blobs/storage-auth-abac.md). For details about supported conditions for blob data operations, see [Actions and attributes for Azure role assignment conditions in Azure Storage (preview)](../blobs/storage-auth-abac-attributes.md). 
> [!NOTE]-> When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for access to Blob Storage. You can assign it at the level of your subscription, resource group, storage account, or container. +> When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for access to Blob Storage. You can assign it at the level of your subscription, resource group, storage account, or container. ### Resource scope For more information about scope for Azure RBAC role assignments, see [Understan ### Azure built-in roles for blobs -Azure RBAC provides several built-in roles for authorizing access to blob data using Azure AD and OAuth. Some examples of roles that provide permissions to data resources in Azure Storage include: +Azure RBAC provides several built-in roles for authorizing access to blob data using Microsoft Entra ID and OAuth. Some examples of roles that provide permissions to data resources in Azure Storage include: - [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner): Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see [Access control in Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-access-control.md). - [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor): Use to grant read/write/delete permissions to Blob storage resources. 
- [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader): Use to grant read-only permissions to Blob storage resources.-- [Storage Blob Delegator](../../role-based-access-control/built-in-roles.md#storage-blob-delegator): Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.+- [Storage Blob Delegator](../../role-based-access-control/built-in-roles.md#storage-blob-delegator): Get a user delegation key to use to create a shared access signature that is signed with Microsoft Entra credentials for a container or blob. To learn how to assign an Azure built-in role to a security principal, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md). To learn how to list Azure RBAC roles and their permissions, see [List Azure role definitions](../../role-based-access-control/role-definitions-list.md). For more information about how built-in roles are defined for Azure Storage, see [Understand role definitions](../../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md). -Only roles explicitly defined for data access permit a security principal to access blob data. Built-in roles such as **Owner**, **Contributor**, and **Storage Account Contributor** permit a security principal to manage a storage account, but don't provide access to the blob data within that account via Azure AD. However, if a role includes **Microsoft.Storage/storageAccounts/listKeys/action**, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see [Choose how to authorize access to blob data in the Azure portal](../../storage/blobs/authorize-data-operations-portal.md). 
+Only roles explicitly defined for data access permit a security principal to access blob data. Built-in roles such as **Owner**, **Contributor**, and **Storage Account Contributor** permit a security principal to manage a storage account, but don't provide access to the blob data within that account via Microsoft Entra ID. However, if a role includes **Microsoft.Storage/storageAccounts/listKeys/action**, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see [Choose how to authorize access to blob data in the Azure portal](../../storage/blobs/authorize-data-operations-portal.md). -For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). +For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). > [!IMPORTANT] > Azure role assignments may take up to 30 minutes to propagate. 
For detailed information about Azure built-in roles for Azure Storage for both t For details on the permissions required to call specific Blob service operations, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). -## Access data with an Azure AD account +<a name='access-data-with-an-azure-ad-account'></a> ++## Access data with a Microsoft Entra account -Access to blob data via the Azure portal, PowerShell, or Azure CLI can be authorized either by using the user's Azure AD account or by using the account access keys (Shared Key authorization). +Access to blob data via the Azure portal, PowerShell, or Azure CLI can be authorized either by using the user's Microsoft Entra account or by using the account access keys (Shared Key authorization). [!INCLUDE [storage-shared-key-caution](../../../includes/storage-shared-key-caution.md)] ### Data access from the Azure portal -The Azure portal can use either your Azure AD account or the account access keys to access blob data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you. +The Azure portal can use either your Microsoft Entra account or the account access keys to access blob data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you. -When you attempt to access blob data, the Azure portal first checks whether you've been assigned an Azure role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you've been assigned a role with this action, then the Azure portal uses the account key for accessing blob data via Shared Key authorization. If you haven't been assigned a role with this action, then the Azure portal attempts to access data using your Azure AD account. 
+When you attempt to access blob data, the Azure portal first checks whether you've been assigned an Azure role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you've been assigned a role with this action, then the Azure portal uses the account key for accessing blob data via Shared Key authorization. If you haven't been assigned a role with this action, then the Azure portal attempts to access data using your Microsoft Entra account. -To access blob data from the Azure portal using your Azure AD account, you need permissions to access blob data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure Storage grant access to blob resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires the assignment of an Azure Resource Manager role such as the [Reader](../../role-based-access-control/built-in-roles.md#reader) role, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. To learn more about how to assign permissions to users for data access in the Azure portal with an Azure AD account, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md). +To access blob data from the Azure portal using your Microsoft Entra account, you need permissions to access blob data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure Storage grant access to blob resources, but they don't grant permissions to storage account resources. 
For this reason, access to the portal also requires the assignment of an Azure Resource Manager role such as the [Reader](../../role-based-access-control/built-in-roles.md#reader) role, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. To learn more about how to assign permissions to users for data access in the Azure portal with a Microsoft Entra account, see [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md). The Azure portal indicates which authorization scheme is in use when you navigate to a container. For more information about data access in the portal, see [Choose how to authorize access to blob data in the Azure portal](../blobs/authorize-data-operations-portal.md). ### Data access from PowerShell or Azure CLI -Azure CLI and PowerShell support signing in with Azure AD credentials. After you sign in, your session runs under those credentials. To learn more, see one of the following articles: +Azure CLI and PowerShell support signing in with Microsoft Entra credentials. After you sign in, your session runs under those credentials. To learn more, see one of the following articles: - [Choose how to authorize access to blob data with Azure CLI](authorize-data-operations-cli.md)-- [Run PowerShell commands with Azure AD credentials to access blob data](authorize-data-operations-powershell.md)+- [Run PowerShell commands with Microsoft Entra credentials to access blob data](authorize-data-operations-powershell.md) ## Feature support [!INCLUDE [Blob Storage feature support in Azure Storage accounts](../../../includes/azure-storage-feature-support.md)] -Authorizing blob data operations with Azure AD is supported only for REST API versions 2017-11-09 and later. 
For more information, see [Versioning for the Azure Storage services](/rest/api/storageservices/versioning-for-the-azure-storage-services#specifying-service-versions-in-requests). +Authorizing blob data operations with Microsoft Entra ID is supported only for REST API versions 2017-11-09 and later. For more information, see [Versioning for the Azure Storage services](/rest/api/storageservices/versioning-for-the-azure-storage-services#specifying-service-versions-in-requests). ## Next steps |
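Review bot: the front-matter `Title: Authorize access to blobs using Active Directory` is left untouched while the H1 and the description in the same hunk are renamed to Microsoft Entra ID, so the browser title and the page heading will disagree; update the title in this change and bump `Last updated 03/17/2023`, since a visible content rename should carry a new date. The two ABAC links in the "Assign Azure roles for access rights" section still read "(preview)" in their link text after the edit; confirm that label is still accurate before merging, or drop it. One thing done correctly here and worth keeping is that each renamed heading gets an `<a name='...'>` element carrying the old `azure-ad` slug, so existing external links to those anchors keep resolving.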
storage | Authorize Data Operations Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/authorize-data-operations-cli.md | Title: Authorize access to blob data with Azure CLI -description: Specify how to authorize data operations against blob data with the Azure CLI. You can authorize data operations using Azure AD credentials, with the account access key, or with a shared access signature (SAS) token. +description: Specify how to authorize data operations against blob data with the Azure CLI. You can authorize data operations using Microsoft Entra credentials, with the account access key, or with a shared access signature (SAS) token. +- With a Microsoft Entra security principal. Microsoft recommends using Microsoft Entra credentials for superior security and ease of use. - With the account access key or a shared access signature (SAS) token. ## Specify how data operations are authorized Azure CLI commands for reading and writing blob data include the optional `--auth-mode` parameter. Specify this parameter to indicate how a data operation is to be authorized: -- Set the `--auth-mode` parameter to `login` to sign in using an Azure AD security principal (recommended).+- Set the `--auth-mode` parameter to `login` to sign in using a Microsoft Entra security principal (recommended). - Set the `--auth-mode` parameter to the legacy `key` value to attempt to retrieve the account access key to use for authorization. If you omit the `--auth-mode` parameter, then the Azure CLI also attempts to retrieve the access key. To use the `--auth-mode` parameter, make sure that you have installed Azure CLI version 2.0.46 or later. Run `az --version` to check your installed version. > [!NOTE]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. 
**List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users who do not already possess the account keys must use Azure AD credentials to access blob data. +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users who do not already possess the account keys must use Microsoft Entra credentials to access blob data. > [!IMPORTANT] > If you omit the `--auth-mode` parameter or set it to `key`, then the Azure CLI attempts to use the account access key for authorization. In this case, Microsoft recommends that you provide the access key either on the command or in the **AZURE_STORAGE_KEY** environment variable. For more information about environment variables, see the section titled [Set environment variables for authorization parameters](#set-environment-variables-for-authorization-parameters). > > If you do not provide the access key, then the Azure CLI attempts to call the Azure Storage resource provider to retrieve it for each operation. Performing many data operations that require a call to the resource provider may result in throttling. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](../common/scalability-targets-resource-provider.md). -## Authorize with Azure AD credentials +<a name='authorize-with-azure-ad-credentials'></a> -When you sign in to Azure CLI with Azure AD credentials, an OAuth 2.0 access token is returned. 
That token is automatically used by Azure CLI to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command. +## Authorize with Microsoft Entra credentials -You can assign permissions to blob data to an Azure AD security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When you sign in to Azure CLI with Microsoft Entra credentials, an OAuth 2.0 access token is returned. That token is automatically used by Azure CLI to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command. ++You can assign permissions to blob data to a Microsoft Entra security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). ### Permissions for calling data operations -The Azure Storage extensions are supported for operations on blob data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to Azure CLI. Permissions to Azure Storage containers are assigned via Azure RBAC. For example, if you are assigned the **Storage Blob Data Reader** role, then you can run scripting commands that read data from a container. If you are assigned the **Storage Blob Data Contributor** role, then you can run scripting commands that read, write, or delete a container or the data it contains. +The Azure Storage extensions are supported for operations on blob data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you sign in to Azure CLI. 
Permissions to Azure Storage containers are assigned via Azure RBAC. For example, if you are assigned the **Storage Blob Data Reader** role, then you can run scripting commands that read data from a container. If you are assigned the **Storage Blob Data Contributor** role, then you can run scripting commands that read, write, or delete a container or the data it contains. For details about the permissions required for each Azure Storage operation on a container, see [Call storage operations with OAuth tokens](/rest/api/storageservices/authorize-with-azure-active-directory#call-storage-operations-with-oauth-tokens). -### Example: Authorize an operation to create a container with Azure AD credentials +<a name='example-authorize-an-operation-to-create-a-container-with-azure-ad-credentials'></a> ++### Example: Authorize an operation to create a container with Microsoft Entra credentials -The following example shows how to create a container from Azure CLI using your Azure AD credentials. To create the container, you'll need to sign in to the Azure CLI, and you'll need a resource group and a storage account. To learn how to create these resources, see [Quickstart: Create, download, and list blobs with Azure CLI](../blobs/storage-quickstart-blobs-cli.md). +The following example shows how to create a container from Azure CLI using your Microsoft Entra credentials. To create the container, you'll need to sign in to the Azure CLI, and you'll need a resource group and a storage account. To learn how to create these resources, see [Quickstart: Create, download, and list blobs with Azure CLI](../blobs/storage-quickstart-blobs-cli.md). 1. Before you create the container, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. 
For more information about assigning Azure roles, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). > [!IMPORTANT] > Azure role assignments may take a few minutes to propagate. -1. Call the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command with the `--auth-mode` parameter set to `login` to create the container using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values: +1. Call the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command with the `--auth-mode` parameter set to `login` to create the container using your Microsoft Entra credentials. Remember to replace placeholder values in angle brackets with your own values: ```azurecli az storage container create \ az storage container create \ ``` > [!IMPORTANT]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must access data with Azure AD credentials. +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must access data with Microsoft Entra credentials. 
## Authorize with a SAS token You can specify authorization parameters in environment variables to avoid inclu | Environment variable | Description | |||-| AZURE_STORAGE_ACCOUNT | The storage account name. This variable should be used in conjunction with either the storage account key or a SAS token. If neither are present, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Azure AD account. If a large number of commands are executed at one time, the Azure Storage resource provider throttling limit may be reached. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](../common/scalability-targets-resource-provider.md). | +| AZURE_STORAGE_ACCOUNT | The storage account name. This variable should be used in conjunction with either the storage account key or a SAS token. If neither are present, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Microsoft Entra account. If a large number of commands are executed at one time, the Azure Storage resource provider throttling limit may be reached. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](../common/scalability-targets-resource-provider.md). | | AZURE_STORAGE_KEY | The storage account key. This variable must be used in conjunction with the storage account name. | | AZURE_STORAGE_CONNECTION_STRING | A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account name. | | AZURE_STORAGE_SAS_TOKEN | A shared access signature (SAS) token. This variable must be used in conjunction with the storage account name. |-| AZURE_STORAGE_AUTH_MODE | The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. 
If you specify `login`, the Azure CLI uses your Azure AD credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key. | +| AZURE_STORAGE_AUTH_MODE | The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI uses your Microsoft Entra credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key. | ## Next steps - [Assign an Azure role for access to blob data](assign-azure-role-data-access.md)-- [Authorize access to data in Azure Storage](../common/authorize-data-access.md)+- [Authorize access to data in Azure Storage](../common/authorize-data-access.md) |
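Review bot: the two ReadOnly-lock callouts in this article now disagree after the rename. The NOTE under "Specify how data operations are authorized" reads "users who do not already possess the account keys must use Microsoft Entra credentials to access blob data", while the IMPORTANT block after the `az storage container create` example reads "users must access data with Microsoft Entra credentials". Since both `+` lines are being rewritten anyway, align the second with the first: the lock only blocks the List Keys POST, so a caller who already holds a key or a SAS can still use it, and the stricter wording overstates the restriction.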
storage | Authorize Data Operations Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/authorize-data-operations-portal.md | Title: Authorize access to blob data in the Azure portal -description: When you access blob data using the Azure portal, the portal makes requests to Azure Storage under the covers. These requests to Azure Storage can be authenticated and authorized using either your Azure AD account or the storage account access key. +description: When you access blob data using the Azure portal, the portal makes requests to Azure Storage under the covers. These requests to Azure Storage can be authenticated and authorized using either your Microsoft Entra account or the storage account access key. -When you access blob data using the [Azure portal](https://portal.azure.com), the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Azure AD account or the storage account access key. The portal indicates which method you are using, and enables you to switch between the two if you have the appropriate permissions. +When you access blob data using the [Azure portal](https://portal.azure.com), the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Microsoft Entra account or the storage account access key. The portal indicates which method you are using, and enables you to switch between the two if you have the appropriate permissions. You can also specify how to authorize an individual blob upload operation in the Azure portal. By default the portal uses whichever method you are already using to authorize a blob upload operation, but you have the option to change this setting when you upload a blob. 
To access blob data with the account access key, you must have an Azure role ass - The Azure Resource Manager [Contributor role](../../role-based-access-control/built-in-roles.md#contributor) - The Azure Resource Manager [Owner role](../../role-based-access-control/built-in-roles.md#owner) -When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you have not been assigned a role with this action, then the portal attempts to access data using your Azure AD account. +When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you have not been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account. > [!IMPORTANT]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Azure AD credentials to access blob data in the portal. For information about accessing blob data in the portal with Azure AD, see [Use your Azure AD account](#use-your-azure-ad-account). +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. 
**List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Microsoft Entra credentials to access blob data in the portal. For information about accessing blob data in the portal with Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access blob data with the account key. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access blob data with the account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). 
-### Use your Azure AD account +<a name='use-your-azure-ad-account'></a> -To access blob data from the Azure portal using your Azure AD account, both of the following statements must be true for you: +### Use your Microsoft Entra account ++To access blob data from the Azure portal using your Microsoft Entra account, both of the following statements must be true for you: - You have been assigned either a built-in or custom role that provides access to blob data. - You have been assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. The Azure Resource Manager **Reader** role permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The **Reader** role is necessary so that users can navigate to blob containers in the Azure portal. -For information about the built-in roles that support access to blob data, see [Authorize access to blobs using Azure Active Directory](authorize-access-azure-active-directory.md). +For information about the built-in roles that support access to blob data, see [Authorize access to blobs using Microsoft Entra ID](authorize-access-azure-active-directory.md). Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md) and [Understand role definitions for Azure resources](../../role-based-access-control/role-definitions.md). 
To view blob data in the portal, navigate to the **Overview** for your storage a ## Determine the current authentication method -When you navigate to a container, the Azure portal indicates whether you are currently using the account access key or your Azure AD account to authenticate. +When you navigate to a container, the Azure portal indicates whether you are currently using the account access key or your Microsoft Entra account to authenticate. ### Authenticate with the account access key If you are authenticating using the account access key, you'll see **Access Key* :::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot showing user currently accessing containers with the account key"::: -To switch to using Azure AD account, click the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the right permissions, you'll see an error message like the following one: +To switch to using Microsoft Entra account, click the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the right permissions, you'll see an error message like the following one: + +Notice that no blobs appear in the list if your Microsoft Entra account lacks permissions to view them. Click on the **Switch to access key** link to use the access key for authentication again. -Notice that no blobs appear in the list if your Azure AD account lacks permissions to view them. Click on the **Switch to access key** link to use the access key for authentication again. 
+<a name='authenticate-with-your-azure-ad-account'></a> -### Authenticate with your Azure AD account +### Authenticate with your Microsoft Entra account -If you are authenticating using your Azure AD account, you'll see **Azure AD User Account** specified as the authentication method in the portal: +If you are authenticating using your Microsoft Entra account, you'll see **Microsoft Entra user Account** specified as the authentication method in the portal: To switch to using the account access key, click the link highlighted in the image. If you have access to the account key, then you'll be able to proceed. However, if you lack access to the account key, you'll see an error message like the following one: :::image type="content" source="media/authorize-data-operations-portal/auth-error-access-key.png" alt-text="Error shown if you do not have access to account key"::: -Notice that no blobs appear in the list if you do not have access to the account keys. Click on the **Switch to Azure AD User Account** link to use your Azure AD account for authentication again. +Notice that no blobs appear in the list if you do not have access to the account keys. Click on the **Switch to Microsoft Entra user Account** link to use your Microsoft Entra account for authentication again. ## Specify how to authorize a blob upload operation -When you upload a blob from the Azure portal, you can specify whether to authenticate and authorize that operation with the account access key or with your Azure AD credentials. By default, the portal uses the current authentication method, as shown in [Determine the current authentication method](#determine-the-current-authentication-method). +When you upload a blob from the Azure portal, you can specify whether to authenticate and authorize that operation with the account access key or with your Microsoft Entra credentials. 
By default, the portal uses the current authentication method, as shown in [Determine the current authentication method](#determine-the-current-authentication-method). To specify how to authorize a blob upload operation, follow these steps: 1. In the Azure portal, navigate to the container where you wish to upload a blob. 1. Select the **Upload** button. 1. Expand the **Advanced** section to display the advanced properties for the blob.-1. In the **Authentication Type** field, indicate whether you want to authorize the upload operation by using your Azure AD account or with the account access key, as shown in the following image: +1. In the **Authentication Type** field, indicate whether you want to authorize the upload operation by using your Microsoft Entra account or with the account access key, as shown in the following image: :::image type="content" source="media/authorize-data-operations-portal/auth-blob-upload.png" alt-text="Screenshot showing how to change authorization method on blob upload"::: -## Default to Azure AD authorization in the Azure portal +<a name='default-to-azure-ad-authorization-in-the-azure-portal'></a> ++## Default to Microsoft Entra authorization in the Azure portal -When you create a new storage account, you can specify that the Azure portal will default to authorization with Azure AD when a user navigates to blob data. You can also configure this setting for an existing storage account. This setting specifies the default authorization method only, so keep in mind that a user can override this setting and choose to authorize data access with the account key. +When you create a new storage account, you can specify that the Azure portal will default to authorization with Microsoft Entra ID when a user navigates to blob data. You can also configure this setting for an existing storage account. 
This setting specifies the default authorization method only, so keep in mind that a user can override this setting and choose to authorize data access with the account key. -To specify that the portal will use Azure AD authorization by default for data access when you create a storage account, follow these steps: +To specify that the portal will use Microsoft Entra authorization by default for data access when you create a storage account, follow these steps: 1. Create a new storage account, following the instructions in [Create a storage account](../common/storage-account-create.md).-1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Azure Active Directory authorization in the Azure portal**. +1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Microsoft Entra authorization in the Azure portal**. - :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Azure AD authorization in Azure portal for new account"::: + :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Microsoft Entra authorization in Azure portal for new account"::: 1. Select the **Review + create** button to run validation and create the account. To update this setting for an existing storage account, follow these steps: 1. Navigate to the account overview in the Azure portal. 1. Under **Settings**, select **Configuration**.-1. Set **Default to Azure Active Directory authorization in the Azure portal** to **Enabled**. +1. Set **Default to Microsoft Entra authorization in the Azure portal** to **Enabled**. 
- :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-update-portal.png" alt-text="Screenshot showing how to configure default Azure AD authorization in Azure portal for existing account"::: + :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-update-portal.png" alt-text="Screenshot showing how to configure default Microsoft Entra authorization in Azure portal for existing account"::: ## Next steps |
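Review bot: the renamed portal label in the "Authenticate with your Microsoft Entra account" section is capitalised inconsistently on the `+` lines: `**Microsoft Entra user Account**` and `**Switch to Microsoft Entra user Account**` pair a lowercase "user" with an uppercase "Account", where the replaced text read "Azure AD User Account". Bold text here quotes a portal control, so it should match the string the portal actually renders rather than a search-and-replace result; use one casing in both places. The `#use-your-azure-ad-account` fragment kept in the earlier IMPORTANT block is fine, since the added `<a name='use-your-azure-ad-account'></a>` preserves the old anchor.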
storage | Authorize Data Operations Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/authorize-data-operations-powershell.md | Title: Run PowerShell commands with Azure AD credentials to access blob data + Title: Run PowerShell commands with Microsoft Entra credentials to access blob data -description: PowerShell supports signing in with Azure AD credentials to run commands on blob data in Azure Storage. An access token is provided for the session and used to authorize calling operations. Permissions depend on the Azure role assigned to the Azure AD security principal. +description: PowerShell supports signing in with Microsoft Entra credentials to run commands on blob data in Azure Storage. An access token is provided for the session and used to authorize calling operations. Permissions depend on the Azure role assigned to the Microsoft Entra security principal. ms.devlang: powershell -# Run PowerShell commands with Azure AD credentials to access blob data +# Run PowerShell commands with Microsoft Entra credentials to access blob data -Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Azure Active Directory (Azure AD) credentials. When you sign in to PowerShell with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by PowerShell to authorize subsequent data operations against Blob storage. For supported operations, you no longer need to pass an account key or SAS token with the command. +Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Microsoft Entra credentials. When you sign in to PowerShell with Microsoft Entra credentials, an OAuth 2.0 access token is returned. That token is automatically used by PowerShell to authorize subsequent data operations against Blob storage. 
For supported operations, you no longer need to pass an account key or SAS token with the command. -You can assign permissions to blob data to an Azure AD security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +You can assign permissions to blob data to a Microsoft Entra security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). ## Supported operations -The Azure Storage extensions are supported for operations on blob data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to PowerShell. Permissions to Azure Storage containers are assigned via Azure RBAC. For example, if you have been assigned the **Blob Data Reader** role, then you can run scripting commands that read data from a container. If you have been assigned the **Blob Data Contributor** role, then you can run scripting commands that read, write, or delete a container or the data they contain. +The Azure Storage extensions are supported for operations on blob data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you sign in to PowerShell. Permissions to Azure Storage containers are assigned via Azure RBAC. For example, if you have been assigned the **Blob Data Reader** role, then you can run scripting commands that read data from a container. If you have been assigned the **Blob Data Contributor** role, then you can run scripting commands that read, write, or delete a container or the data they contain. 
For details about the permissions required for each Azure Storage operation on a container, see [Call storage operations with OAuth tokens](/rest/api/storageservices/authorize-with-azure-active-directory#call-storage-operations-with-oauth-tokens). > [!IMPORTANT]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users users who do not already possess the account keys must use Azure AD credentials to access blob data. In PowerShell, include the `-UseConnectedAccount` parameter to create an **AzureStorageContext** object with your Azure AD credentials. +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users users who do not already possess the account keys must use Microsoft Entra credentials to access blob data. In PowerShell, include the `-UseConnectedAccount` parameter to create an **AzureStorageContext** object with your Microsoft Entra credentials. -## Call PowerShell commands using Azure AD credentials +<a name='call-powershell-commands-using-azure-ad-credentials'></a> -To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Azure AD credentials, create a storage context to reference the storage account, and include the `-UseConnectedAccount` parameter. 
+## Call PowerShell commands using Microsoft Entra credentials -The following example shows how to create a container in a new storage account from Azure PowerShell using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values: +To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Microsoft Entra credentials, create a storage context to reference the storage account, and include the `-UseConnectedAccount` parameter. ++The following example shows how to create a container in a new storage account from Azure PowerShell using your Microsoft Entra credentials. Remember to replace placeholder values in angle brackets with your own values: 1. Sign in to your Azure account with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command: The following example shows how to create a container in a new storage account f -AllowBlobPublicAccess $false ``` -1. Get the storage account context that specifies the new storage account by calling [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext). When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the `-UseConnectedAccount` parameter to call any subsequent data operations using your Azure AD credentials: +1. Get the storage account context that specifies the new storage account by calling [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext). When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. 
Include the `-UseConnectedAccount` parameter to call any subsequent data operations using your Microsoft Entra credentials: ```powershell $ctx = New-AzStorageContext -StorageAccountName "<storage-account>" -UseConnectedAccount The following example shows how to create a container in a new storage account f > [!IMPORTANT] > Azure role assignments may take a few minutes to propagate. -1. Create a container by calling [New-AzStorageContainer](/powershell/module/az.storage/new-azstoragecontainer). Because this call uses the context created in the previous steps, the container is created using your Azure AD credentials. +1. Create a container by calling [New-AzStorageContainer](/powershell/module/az.storage/new-azstoragecontainer). Because this call uses the context created in the previous steps, the container is created using your Microsoft Entra credentials. ```powershell $containerName = "sample-container" The following example shows how to create a container in a new storage account f ## Next steps - [Assign an Azure role for access to blob data](assign-azure-role-data-access.md)-- [Authorize access to data in Azure Storage](../common/authorize-data-access.md)+- [Authorize access to data in Azure Storage](../common/authorize-data-access.md) |
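Review bot: the IMPORTANT block under "Supported operations" still carries the doubled word "users users who do not already possess the account keys" on the `+` line; the rename rewrote the sentence without fixing it. Drop the duplicate while the line is being touched.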
storage | Blob Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/blob-cli.md | Blob storage supports block blobs, append blobs, and page blobs. Block blobs are ### Authorize access to Blob storage -You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using a storage account access key. Using Azure AD credentials is recommended, and this article's examples use Azure AD exclusively. +You can authorize access to Blob storage from the Azure CLI either with Microsoft Entra credentials or by using a storage account access key. Using Microsoft Entra credentials is recommended, and this article's examples use Microsoft Entra ID exclusively. -Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to *login* to authorize with Azure AD credentials. Only Blob storage data operations support the `--auth-mode` parameter. Management operations, such as creating a resource group or storage account, automatically use Azure AD credentials for authorization. For more information, see [Choose how to authorize access to blob data with Azure CLI](authorize-data-operations-cli.md). +Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to *login* to authorize with Microsoft Entra credentials. Only Blob storage data operations support the `--auth-mode` parameter. Management operations, such as creating a resource group or storage account, automatically use Microsoft Entra credentials for authorization. For more information, see [Choose how to authorize access to blob data with Azure CLI](authorize-data-operations-cli.md). Run the `login` command to open a browser and connect to your Azure subscription. 
fi ## Next steps - [Choose how to authorize access to blob data with Azure CLI](./authorize-data-operations-cli.md)-- [Run PowerShell commands with Azure AD credentials to access blob data](./authorize-data-operations-cli.md)-- [Manage blob containers using CLI](blob-containers-cli.md)+- [Run PowerShell commands with Microsoft Entra credentials to access blob data](./authorize-data-operations-cli.md) +- [Manage blob containers using CLI](blob-containers-cli.md) |
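Review bot: the renamed link in the Next steps list, "Run PowerShell commands with Microsoft Entra credentials to access blob data", still points at `./authorize-data-operations-cli.md`, the CLI article, so the link text and target disagree after the rename. The Blob Containers Powershell row uses `./authorize-data-operations-powershell.md` for the same link text; this entry should either target the PowerShell article or change its text to match the CLI target.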
storage | Blob Containers Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/blob-containers-cli.md | In this how-to article, you learn to use the Azure CLI with Bash to work with co ### Authorize access to Blob storage -You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using the storage account access key. Using Azure AD credentials is recommended, and this article's examples use Azure AD exclusively. +You can authorize access to Blob storage from the Azure CLI either with Microsoft Entra credentials or by using the storage account access key. Using Microsoft Entra credentials is recommended, and this article's examples use Microsoft Entra ID exclusively. -Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md?toc=/azure/storage/blobs/toc.json). +Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Microsoft Entra credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md?toc=/azure/storage/blobs/toc.json). Run the `login` command to open a browser and connect to your Azure subscription. |
storage | Blob Containers Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/blob-containers-portal.md | Properly managing access to containers and their blobs is key to ensuring that y ### Manage Azure RBAC role assignments for the container -Azure Active Directory (Azure AD) offers optimum security for Blob Storage resources. Azure role-based access control (Azure RBAC) determines what permissions a security principal has to a given resource. To grant access to a container, you'll assign an RBAC role at the container scope or above to a user, group, service principal, or managed identity. You may also choose to add one or more conditions to the role assignment. +Microsoft Entra ID offers optimum security for Blob Storage resources. Azure role-based access control (Azure RBAC) determines what permissions a security principal has to a given resource. To grant access to a container, you'll assign an RBAC role at the container scope or above to a user, group, service principal, or managed identity. You may also choose to add one or more conditions to the role assignment. You can read about the assignment of roles at [Assign Azure roles using the Azure portal](assign-azure-role-data-access.md?tabs=portal). You can read about the assignment of roles at [Assign Azure roles using the Azur A shared access signature (SAS) provides temporary, secure, delegated access to a client who wouldn't normally have permissions. A SAS gives you granular control over how a client can access your data. For example, you can specify which resources are available to the client. You can also limit the types of operations that the client can perform, and specify the duration. -Azure supports three types of SAS. A **service SAS** provides access to a resource in just one of the storage +Azure supports three types of SAS. 
A **service SAS** provides access to a resource in just one of the storage When you create a SAS, you may set access limitations based on permission level, IP address or range, or start and expiry date and time. You can read more in [Grant limited access to Azure Storage resources using shared access signatures](../common/storage-sas-overview.md). |
storage | Blob Containers Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/blob-containers-powershell.md | This how-to article explains how to work with both individual and multiple stora - Azure PowerShell module Az, which is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see [Install Azure PowerShell](/powershell/azure/install-azure-powershell). -You'll need to obtain authorization to an Azure subscription before you can use the examples in this article. Authorization can occur by authenticating with an Azure Active Directory (Azure AD) account or using a shared key. The examples in this article use Azure AD authentication in conjunction with context objects. Context objects encapsulate your Azure AD credentials and pass them on subsequent data operations, eliminating the need to reauthenticate. +You'll need to obtain authorization to an Azure subscription before you can use the examples in this article. Authorization can occur by authenticating with a Microsoft Entra account or using a shared key. The examples in this article use Microsoft Entra authentication in conjunction with context objects. Context objects encapsulate your Microsoft Entra credentials and pass them on subsequent data operations, eliminating the need to reauthenticate. -To sign in to your Azure account with an Azure AD account, open PowerShell and call the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. +To sign in to your Azure account with a Microsoft Entra account, open PowerShell and call the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. ```powershell # Connect to your Azure subscription Connect-AzAccount ``` -After the connection has been established, create the storage account context by calling the `New-AzStorageContext` cmdlet. 
Include the `-UseConnectedAccount` parameter so that data operations will be performed using your Azure AD credentials. +After the connection has been established, create the storage account context by calling the `New-AzStorageContext` cmdlet. Include the `-UseConnectedAccount` parameter so that data operations will be performed using your Microsoft Entra credentials. ```powershell # Create a context object using Azure AD credentials loop-container4 ## See also -- [Run PowerShell commands with Azure AD credentials to access blob data](./authorize-data-operations-powershell.md)-- [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json)+- [Run PowerShell commands with Microsoft Entra credentials to access blob data](./authorize-data-operations-powershell.md) +- [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json) |
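Review bot: the code comment `# Create a context object using Azure AD credentials` inside the powershell fence was left unchanged while the prose directly above it was renamed to "Microsoft Entra credentials", so the snippet now contradicts its own lead-in. The same comment appears in the Blob Powershell row's azurepowershell fence. If comments are in scope for the rename, update both to "Microsoft Entra credentials"; otherwise note the exclusion so the two names do not read as referring to different things.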
storage | Blob Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/blob-powershell.md | Blob storage supports block blobs, append blobs, and page blobs. Block blobs are ### Configure a context object to encapsulate credentials -Every request to Azure Storage must be authorized. You can authorize a request made from PowerShell with your Azure AD account or by using the account access keys. The examples in this article use Azure AD authorization with context objects. Context objects encapsulate your Azure AD credentials and pass them during subsequent data operations. +Every request to Azure Storage must be authorized. You can authorize a request made from PowerShell with your Microsoft Entra account or by using the account access keys. The examples in this article use Microsoft Entra authorization with context objects. Context objects encapsulate your Microsoft Entra credentials and pass them during subsequent data operations. -To sign in to your Azure account with an Azure AD account, open PowerShell and call the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. +To sign in to your Azure account with a Microsoft Entra account, open PowerShell and call the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. ```azurepowershell #Connect to your Azure subscription Connect-AzAccount ``` -After the connection has been established, create the Azure context. Authenticating with Azure AD automatically creates an Azure context for your default subscription. In some cases, you may need to access resources in a different subscription after authenticating. You can change the subscription associated with your current Azure session by modifying the active session context. +After the connection has been established, create the Azure context. Authenticating with Microsoft Entra ID automatically creates an Azure context for your default subscription. 
In some cases, you may need to access resources in a different subscription after authenticating. You can change the subscription associated with your current Azure session by modifying the active session context. -To use your default subscription, create the context by calling the `New-AzStorageContext` cmdlet. Include the `-UseConnectedAccount` parameter so that data operations are performed using your Azure AD credentials. +To use your default subscription, create the context by calling the `New-AzStorageContext` cmdlet. Include the `-UseConnectedAccount` parameter so that data operations are performed using your Microsoft Entra credentials. ```azurepowershell #Create a context object using Azure AD credentials else ## Next steps -- [Run PowerShell commands with Azure AD credentials to access blob data](./authorize-data-operations-powershell.md)+- [Run PowerShell commands with Microsoft Entra credentials to access blob data](./authorize-data-operations-powershell.md) - [Create a storage account](../common/storage-account-create.md?tabs=azure-portal&toc=/azure/storage/blobs/toc.json) - [Manage blob containers using PowerShell](blob-containers-powershell.md) |
storage | Blob Storage Monitoring Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/blob-storage-monitoring-scenarios.md | Open any log entry to view JSON that describes the activity. The following JSON > [!div class="mx-imgBorder"] > ![Activity Log JSON](./media/blob-storage-monitoring-scenarios/activity-log-json.png) -The availability of the "who" information depends on the method of authentication that was used to perform the control plane operation. If the authorization was performed by an Azure AD security principal, the object identifier of that security principal would also appear in this JSON output (For example: `"http://schemas.microsoft.com/identity/claims/objectidentifier": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"`). Because you might not always see other identity-related information such as an email address or name, the object identifier is always the best way to uniquely identify the security principal. +The availability of the "who" information depends on the method of authentication that was used to perform the control plane operation. If the authorization was performed by a Microsoft Entra security principal, the object identifier of that security principal would also appear in this JSON output (For example: `"http://schemas.microsoft.com/identity/claims/objectidentifier": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"`). Because you might not always see other identity-related information such as an email address or name, the object identifier is always the best way to uniquely identify the security principal. -You can find the friendly name of that security principal by taking the value of the object identifier, and searching for the security principal in Azure AD page of the Azure portal. The following screenshot shows a search result in Azure AD. 
+You can find the friendly name of that security principal by taking the value of the object identifier, and searching for the security principal in Microsoft Entra ID page of the Azure portal. The following screenshot shows a search result in Microsoft Entra ID. > [!div class="mx-imgBorder"]-> ![Search Azure Active Directory](./media/blob-storage-monitoring-scenarios/search-azure-active-directory.png) +> ![Search Microsoft Entra ID](./media/blob-storage-monitoring-scenarios/search-azure-active-directory.png) ### Auditing data plane operations For the "what" portion of your audit, the `Uri` field shows the item was modifie For the "how" portion of your audit, the `OperationName` field shows which operation was executed. > [!TIP] > For example, if you suspect that a blob or container has been deleted by mistake, then add a `where` clause that returns only log entries where the `OperationName` is set to either [Delete blob](/rest/api/storageservices/delete-blob) or [Delete Container](/rest/api/storageservices/delete-container).-For the "who" portion of your audit, `AuthenticationType` shows which type of authentication was used to make a request. This field can show any of the types of authentication that Azure Storage supports including the use of an account key, a SAS token, or Azure Active Directory (Azure AD) authentication. +For the "who" portion of your audit, `AuthenticationType` shows which type of authentication was used to make a request. This field can show any of the types of authentication that Azure Storage supports including the use of an account key, a SAS token, or Microsoft Entra authentication. -If the request is authorized by using Azure AD, you can use the `RequestObjectId` field to identify the "who". Shared Key and SAS authentication provide no means of auditing individual identities. In those cases, the `callerIPAddress` and `userAgentHeader` fields might help you to identify the source of the operation. 
If a SAS token was used to authorize an operation, you can identify that token, and if you've mapped tokens to token recipients at your end, you can identify which user, organization, or application has performed the operation. See [Identifying the SAS token used to authorize a request](#identifying-the-sas-token-used-to-authorize-a-request). +If the request is authorized by using Microsoft Entra ID, you can use the `RequestObjectId` field to identify the "who". Shared Key and SAS authentication provide no means of auditing individual identities. In those cases, the `callerIPAddress` and `userAgentHeader` fields might help you to identify the source of the operation. If a SAS token was used to authorize an operation, you can identify that token, and if you've mapped tokens to token recipients at your end, you can identify which user, organization, or application has performed the operation. See [Identifying the SAS token used to authorize a request](#identifying-the-sas-token-used-to-authorize-a-request). #### Identifying the security principal used to authorize a request -If a request was authenticated by using Azure AD, the `RequesterObjectId` field provides the most reliable way to identify the security principal. You can find the friendly name of that security principal by taking the value of the `RequesterObjectId` field, and searching for the security principal in Azure AD page of the Azure portal. The following screenshot shows a search result in Azure AD. +If a request was authenticated by using Microsoft Entra ID, the `RequesterObjectId` field provides the most reliable way to identify the security principal. You can find the friendly name of that security principal by taking the value of the `RequesterObjectId` field, and searching for the security principal in Microsoft Entra ID page of the Azure portal. The following screenshot shows a search result in Microsoft Entra ID. 
> [!div class="mx-imgBorder"]-> ![Search Azure Active Directory](./media/blob-storage-monitoring-scenarios/search-azure-active-directory.png) +> ![Search Microsoft Entra ID](./media/blob-storage-monitoring-scenarios/search-azure-active-directory.png) -In some cases, a user principal name or *UPN* might appear in logs. For example, if the security principal is an Azure AD user, the UPN will likely appear. For other types of security principals such as user assigned managed identities, or in certain scenarios such as cross Azure AD tenant authentication, the UPN will not appear in logs. +In some cases, a user principal name or *UPN* might appear in logs. For example, if the security principal is a Microsoft Entra user, the UPN will likely appear. For other types of security principals such as user assigned managed identities, or in certain scenarios such as cross Microsoft Entra tenant authentication, the UPN will not appear in logs. This query shows all read operations performed by OAuth security principals. StorageBlobLogs | project TimeGenerated, AuthenticationType, RequesterObjectId, OperationName, Uri ``` -Shared Key and SAS authentication provide no means of auditing individual identities. Therefore, if you want to improve your ability to audit based on identity, we recommended that you transition to Azure AD, and prevent shared key and SAS authentication. To learn how to prevent Shared Key and SAS authentication, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md?toc=/azure/storage/blobs/toc.json&tabs=portal). To get started with Azure AD, see [Authorize access to blobs using Azure Active Directory](authorize-access-azure-active-directory.md). +Shared Key and SAS authentication provide no means of auditing individual identities. 
Therefore, if you want to improve your ability to audit based on identity, we recommended that you transition to Microsoft Entra ID, and prevent shared key and SAS authentication. To learn how to prevent Shared Key and SAS authentication, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md?toc=/azure/storage/blobs/toc.json&tabs=portal). To get started with Microsoft Entra ID, see [Authorize access to blobs using Microsoft Entra ID](authorize-access-azure-active-directory.md). #### Identifying the SAS token used to authorize a request |
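Review bot: the field name used for the "who" is inconsistent within this row: the "Auditing data plane operations" paragraph says to use the `RequestObjectId` field, while the following "Identifying the security principal" section says `RequesterObjectId`, and the sample query projects `RequesterObjectId`. Since the rename touched both sentences, this is the moment to settle on one spelling; the query's `RequesterObjectId` is the one readers will actually run against StorageBlobLogs.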
storage | Convert Append And Page Blobs To Block Blobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/convert-append-and-page-blobs-to-block-blobs.md | To convert blobs, copy them to a new location by using PowerShell, Azure CLI, or Replace the `<subscription-id>` placeholder value with the ID of your subscription. -4. Create the storage account context by using the [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext) command. Include the `-UseConnectedAccount` parameter so that data operations will be performed using your Azure Active Directory (Azure AD) credentials. +4. Create the storage account context by using the [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext) command. Include the `-UseConnectedAccount` parameter so that data operations will be performed using your Microsoft Entra credentials. ```powershell $ctx = New-AzStorageContext -StorageAccountName '<storage account name>' -UseConnectedAccount azcopy copy 'https://<storage-account-name>.<blob or dfs>.core.windows.net/<cont - [Hot, Cool, and Archive access tiers for blob data](access-tiers-overview.md) - [Set a blob's access tier](access-tiers-online-manage.md) - [Best practices for using blob access tiers](access-tiers-best-practices.md)-- |
storage | Data Lake Storage Abfs Driver | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-abfs-driver.md | The ABFS driver supports two forms of authentication so that the Hadoop applicat - **Shared Key:** This permits users access to ALL resources in the account. The key is encrypted and stored in Hadoop configuration. -- **Azure Active Directory OAuth Bearer Token:** Azure AD bearer tokens are acquired and refreshed by the driver using either the identity of the end user or a configured Service Principal. Using this authentication model, all access is authorized on a per-call basis using the identity associated with the supplied token and evaluated against the assigned POSIX Access Control List (ACL).+- **Microsoft Entra ID OAuth Bearer Token:** Microsoft Entra bearer tokens are acquired and refreshed by the driver using either the identity of the end user or a configured Service Principal. Using this authentication model, all access is authorized on a per-call basis using the identity associated with the supplied token and evaluated against the assigned POSIX Access Control List (ACL). > [!NOTE] > Azure Data Lake Storage Gen2 supports only Azure AD v1.0 endpoints. The ABFS driver is fully documented in the [Official Hadoop documentation](https ## Next steps - [Create an Azure Databricks Cluster](./data-lake-storage-use-databricks-spark.md)-- [Use the Azure Data Lake Storage Gen2 URI](./data-lake-storage-introduction-abfs-uri.md)+- [Use the Azure Data Lake Storage Gen2 URI](./data-lake-storage-introduction-abfs-uri.md) |
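Review bot: the NOTE immediately after the renamed bullet still reads "Azure Data Lake Storage Gen2 supports only Azure AD v1.0 endpoints" while the bullet above it now says "Microsoft Entra bearer tokens". If "Azure AD v1.0 endpoint" is being kept deliberately as the endpoint's established name, that is defensible, but it should be a conscious choice rather than a line the rename skipped; otherwise readers will wonder whether the token issuer and the endpoint are two different services.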
storage | Data Lake Storage Access Control Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-access-control-model.md | Data Lake Storage Gen2 supports the following authorization mechanisms: - Attribute-based access control (Azure ABAC) - Access control lists (ACL) -[Shared Key and SAS authorization](#shared-key-and-shared-access-signature-sas-authorization) grants access to a user (or application) without requiring them to have an identity in Azure Active Directory (Azure AD). With these two forms of authentication, Azure RBAC, Azure ABAC, and ACLs have no effect. +[Shared Key and SAS authorization](#shared-key-and-shared-access-signature-sas-authorization) grants access to a user (or application) without requiring them to have an identity in Microsoft Entra ID. With these two forms of authentication, Azure RBAC, Azure ABAC, and ACLs have no effect. -Azure RBAC and ACL both require the user (or application) to have an identity in Azure AD. Azure RBAC lets you grant "coarse-grain" access to storage account data, such as read or write access to **all** of the data in a storage account. Azure ABAC allows you to refine RBAC role assignments by adding conditions. For example, you can grant read or write access to all data objects in a storage account that have a specific tag. ACLs let you grant "fine-grained" access, such as write access to a specific directory or file. +Azure RBAC and ACL both require the user (or application) to have an identity in Microsoft Entra ID. Azure RBAC lets you grant "coarse-grain" access to storage account data, such as read or write access to **all** of the data in a storage account. Azure ABAC allows you to refine RBAC role assignments by adding conditions. For example, you can grant read or write access to all data objects in a storage account that have a specific tag. ACLs let you grant "fine-grained" access, such as write access to a specific directory or file. 
This article focuses on Azure RBAC, ABAC, and ACLs, and how the system evaluates them together to make authorization decisions for storage account resources. This article focuses on Azure RBAC, ABAC, and ACLs, and how the system evaluates ## Role-based access control (Azure RBAC) -Azure RBAC uses role assignments to apply sets of permissions to [security principals](../../role-based-access-control/overview.md#security-principal). A security principal is an object that represents a user, group, service principal, or managed identity that is defined in Azure Active Directory (AD). A permission set can give a security principal a "coarse-grain" level of access such as read or write access to **all** of the data in a storage account or **all** of the data in a container. +Azure RBAC uses role assignments to apply sets of permissions to [security principals](../../role-based-access-control/overview.md#security-principal). A security principal is an object that represents a user, group, service principal, or managed identity that is defined in Microsoft Entra ID. A permission set can give a security principal a "coarse-grain" level of access such as read or write access to **all** of the data in a storage account or **all** of the data in a container. The following roles permit a security principal to access data in a storage account. The following table shows you how to combine Azure roles, conditions, and ACL en | | None | `--X` | `--X` | `R-X` | N/A | > [!NOTE]-> To view the contents of a container in Azure Storage Explorer, security principals must [sign in to Storage Explorer by using Azure AD](../../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#attach-to-an-individual-resource), and (at a minimum) have read access (R--) to the root folder (`\`) of a container. This level of permission does give them the ability to list the contents of the root folder. 
If you don't want the contents of the root folder to be visible, you can assign them [Reader](../../role-based-access-control/built-in-roles.md#reader) role. With that role, they'll be able to list the containers in the account, but not container contents. You can then grant access to specific directories and files by using ACLs. +> To view the contents of a container in Azure Storage Explorer, security principals must [sign in to Storage Explorer by using Microsoft Entra ID](../../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#attach-to-an-individual-resource), and (at a minimum) have read access (R--) to the root folder (`\`) of a container. This level of permission does give them the ability to list the contents of the root folder. If you don't want the contents of the root folder to be visible, you can assign them [Reader](../../role-based-access-control/built-in-roles.md#reader) role. With that role, they'll be able to list the containers in the account, but not container contents. You can then grant access to specific directories and files by using ACLs. ## Security groups |
storage | Data Lake Storage Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-access-control.md | Every file and directory has distinct permissions for these identities: - Named managed identities - All other users -The identities of users and groups are Azure Active Directory (Azure AD) identities. So unless otherwise noted, a *user*, in the context of Data Lake Storage Gen2, can refer to an Azure AD user, service principal, managed identity, or security group. +The identities of users and groups are Microsoft Entra identities. So unless otherwise noted, a *user*, in the context of Data Lake Storage Gen2, can refer to a Microsoft Entra user, service principal, managed identity, or security group. ### The super-user The owning user can change the permissions of the file to give themselves any RW ### Why do I sometimes see GUIDs in ACLs? -A GUID is shown if the entry represents a user and that user doesn't exist in Azure AD anymore. Usually this happens when the user has left the company or if their account has been deleted in Azure AD. Additionally, service principals and security groups do not have a User Principal Name (UPN) to identify them and so they are represented by their OID attribute (a guid). To clean up the ACLs, manually delete these GUID entries. +A GUID is shown if the entry represents a user and that user doesn't exist in Microsoft Entra anymore. Usually this happens when the user has left the company or if their account has been deleted in Microsoft Entra ID. Additionally, service principals and security groups do not have a User Principal Name (UPN) to identify them and so they are represented by their OID attribute (a guid). To clean up the ACLs, manually delete these GUID entries. ### How do I set ACLs correctly for a service principal? 
-When you define ACLs for service principals, it's important to use the Object ID (OID) of the *service principal* for the app registration that you created. It's important to note that registered apps have a separate service principal in the specific Azure AD tenant. Registered apps have an OID that's visible in the Azure portal, but the *service principal* has another (different) OID. +When you define ACLs for service principals, it's important to use the Object ID (OID) of the *service principal* for the app registration that you created. It's important to note that registered apps have a separate service principal in the specific Microsoft Entra tenant. Registered apps have an OID that's visible in the Azure portal, but the *service principal* has another (different) OID. Article To get the OID for the service principal that corresponds to an app registration, you can use the `az ad sp show` command. Specify the Application ID as the parameter. Here's an example of obtaining the OID for the service principal that corresponds to an app registration with App ID = 18218b12-1895-43e9-ad80-6e8fc1ea88ce. Run the following command in the Azure CLI: |
storage | Data Lake Storage Acl Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-azure-portal.md | To learn about how to use ACLs and Azure roles together, see [Access control mod 7. To add a *security principal* to the ACL, select the **Add principal** button. > [!TIP]- > A security principal is an object that represents a user, group, service principal, or managed identity that is defined in Azure Active Directory (AD). + > A security principal is an object that represents a user, group, service principal, or managed identity that is defined in Microsoft Entra ID. Find the security principal by using the search box, and then select the **Select** button. To learn about how to use ACLs and Azure roles together, see [Access control mod > ![Add a security principal to the ACL](./media/data-lake-storage-acl-azure-portal/get-security-principal.png) > [!NOTE]- > We recommend that you create a security group in Azure AD, and then maintain permissions on the group rather than for individual users. For details on this recommendation, as well as other best practices, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md). + > We recommend that you create a security group in Microsoft Entra ID, and then maintain permissions on the group rather than for individual users. For details on this recommendation, as well as other best practices, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md). 8. To manage the *default ACL*, select the **default permissions** tab, and then select the **Configure default permissions** checkbook. |
storage | Data Lake Storage Acl Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-cli.md | ACL inheritance is already available for new child items that are created under - One of the following security permissions: - - A provisioned Azure Active Directory (Azure AD) [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. + - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory. ACL inheritance is already available for new child items that are created under Replace the `<subscription-id>` placeholder value with the ID of your subscription. > [!NOTE]-> The example presented in this article show Azure Active Directory (Azure AD) authorization. To learn more about authorization methods, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). +> The example presented in this article show Microsoft Entra authorization. To learn more about authorization methods, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). ## Get ACLs |
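Review bot: Two nits survive the rename in the + lines: "A provisioned Microsoft Entra ID security principal ... or subscription.." keeps the doubled period, and "The example presented in this article show Microsoft Entra authorization" still has the number disagreement (either "examples ... show" or "example ... shows"). Both lines are rewritten by this hunk anyway, so the fix costs nothing.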
storage | Data Lake Storage Acl Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-dotnet.md | ACL inheritance is already available for new child items that are created under - One of the following security permissions: - - A provisioned Azure Active Directory (AD) [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription. + - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription. - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory. To get started, install the [Azure.Storage.Files.DataLake](https://www.nuget.org To use the snippets in this article, you'll need to create a [DataLakeServiceClient](/dotnet/api/azure.storage.files.datalake.datalakeserviceclient) instance that represents the storage account. -### Connect by using Azure Active Directory (AD) +<a name='connect-by-using-azure-active-directory-ad'></a> ++### Connect by using Microsoft Entra ID > [!NOTE]-> If you're using Azure Active Directory (Azure AD) to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). 
To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). +> If you're using Microsoft Entra ID to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). -You can use the [Azure identity client library for .NET](/dotnet/api/overview/azure/identity-readme) to authenticate your application with Azure AD. +You can use the [Azure identity client library for .NET](/dotnet/api/overview/azure/identity-readme) to authenticate your application with Microsoft Entra ID. After you install the package, add this using statement to the top of your code file. |
storage | Data Lake Storage Acl Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-java.md | ACL inheritance is already available for new child items that are created under - One of the following security permissions: - - A provisioned Azure Active Directory (AD) [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. + - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory. ACL inheritance is already available for new child items that are created under To get started, open [this page](https://search.maven.org/artifact/com.azure/azure-storage-file-datalake) and find the latest version of the Java library. Then, open the *pom.xml* file in your text editor. Add a dependency element that references that version. -If you plan to authenticate your client application by using Azure Active Directory (AD), then add a dependency to the Azure Secret Client Library. See [Adding the Secret Client Library package to your project](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity#adding-the-package-to-your-project). +If you plan to authenticate your client application by using Microsoft Entra ID, then add a dependency to the Azure Secret Client Library. 
See [Adding the Secret Client Library package to your project](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity#adding-the-package-to-your-project). Next, add these imports statements to your code file. import com.azure.storage.file.datalake.options.PathSetAccessControlRecursiveOpti To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account. -### Connect by using Azure Active Directory (Azure AD) +<a name='connect-by-using-azure-active-directory-azure-ad'></a> -You can use the [Azure identity client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity) to authenticate your application with Azure AD. +### Connect by using Microsoft Entra ID ++You can use the [Azure identity client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity) to authenticate your application with Microsoft Entra ID. First, you'll have to assign one of the following [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) roles to your security principal: |
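Review bot: The + line in the prerequisites, "add a dependency to the Azure Secret Client Library", carries a mislabel forward: the link target is the `azure-identity` package (`.../sdk/identity/azure-identity#adding-the-package-to-your-project`), not a secrets library, and the hunk for data-lake-storage-directory-file-acl-java.md in this same change set calls it "the Azure Identity library" with the same link. Align the wording with that file while the line is being rewritten. The doubled period in "or subscription.." is also carried over unchanged.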
storage | Data Lake Storage Acl Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-javascript.md | This article shows you how to use Node.js to get, set, and update the access con - One of the following security permissions: - - A provisioned Azure Active Directory (AD) [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. + - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory. StorageSharedKeyCredential To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account. -### Connect by using Azure Active Directory (AD) +<a name='connect-by-using-azure-active-directory-ad'></a> ++### Connect by using Microsoft Entra ID > [!NOTE]-> If you're using Azure Active Directory (Azure AD) to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). 
+> If you're using Microsoft Entra ID to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). -You can use the [Azure identity client library for JS](https://www.npmjs.com/package/@azure/identity) to authenticate your application with Azure AD. +You can use the [Azure identity client library for JS](https://www.npmjs.com/package/@azure/identity) to authenticate your application with Microsoft Entra ID. First, you'll have to assign one of the following [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) roles to your security principal: function GetDataLakeServiceClient(accountName, accountKey) { This example gets and then sets the ACL of a directory named `my-directory`. This example gives the owning user read, write, and execute permissions, gives the owning group only read and execute permissions, and gives all others read access. > [!NOTE]-> If your application authorizes access by using Azure Active Directory (Azure AD), then make sure that the security principal that your application uses to authorize access has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control in Azure Data Lake Storage Gen2](./data-lake-storage-access-control.md). +> If your application authorizes access by using Microsoft Entra ID, then make sure that the security principal that your application uses to authorize access has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). 
To learn more about how ACL permissions are applied and the effects of changing them, see [Access control in Azure Data Lake Storage Gen2](./data-lake-storage-access-control.md). ```javascript async function ManageDirectoryACLs(fileSystemClient) { You can also get and set the ACL of the root directory of a container. To get th This example gets and then sets the ACL of a file named `upload-file.txt`. This example gives the owning user read, write, and execute permissions, gives the owning group only read and execute permissions, and gives all others read access. > [!NOTE]-> If your application authorizes access by using Azure Active Directory (Azure AD), then make sure that the security principal that your application uses to authorize access has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control in Azure Data Lake Storage Gen2](./data-lake-storage-access-control.md). +> If your application authorizes access by using Microsoft Entra ID, then make sure that the security principal that your application uses to authorize access has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control in Azure Data Lake Storage Gen2](./data-lake-storage-access-control.md). ```javascript async function ManageFileACLs(fileSystemClient) { |
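Review bot: The three renamed NOTE blocks in this hunk send readers to two different targets for the same advice: the first links `./data-lake-storage-access-control-model.md` ("Access control model in Azure Data Lake Storage Gen2"), while the notes above the directory and file examples link `./data-lake-storage-access-control.md` ("Access control in Azure Data Lake Storage Gen2"). Pick one; the model article is what the other language hunks in this change set use. The doubled period in "or subscription.." survives the rename as well.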
storage | Data Lake Storage Acl Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-powershell.md | ACL inheritance is already available for new child items that are created under - One of the following security permissions: - - A provisioned Azure Active Directory (AD) [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. + - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription.. - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory. ACL inheritance is already available for new child items that are created under Choose how you want your commands to obtain authorization to the storage account. -### Option 1: Obtain authorization by using Azure Active Directory (AD) +<a name='option-1-obtain-authorization-by-using-azure-active-directory-ad'></a> ++### Option 1: Obtain authorization by using Microsoft Entra ID > [!NOTE]-> If you're using Azure Active Directory (Azure AD) to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). 
To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). +> If you're using Microsoft Entra ID to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). With this approach, the system ensures that your user account has the appropriate Azure role-based access control (Azure RBAC) assignments and ACL permissions. |
storage | Data Lake Storage Acl Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-acl-python.md | ACL inheritance is already available for new child items that are created under - One of the following security permissions: - - A provisioned Azure Active Directory (AD) [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription. + - A provisioned Microsoft Entra ID [security principal](../../role-based-access-control/overview.md#security-principal) that has been assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, scoped to the target container, storage account, parent resource group, or subscription. - Owning user of the target container or directory to which you plan to apply ACL settings. To set ACLs recursively, this includes all child items in the target container or directory. from azure.identity import DefaultAzureCredential To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account. -### Connect by using Azure Active Directory (AD) +<a name='connect-by-using-azure-active-directory-ad'></a> ++### Connect by using Microsoft Entra ID > [!NOTE]-> If you're using Azure Active Directory (Azure AD) to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). 
+> If you're using Microsoft Entra ID to authorize access, then make sure that your security principal has been assigned the [Storage Blob Data Owner role](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner). To learn more about how ACL permissions are applied and the effects of changing them, see [Access control model in Azure Data Lake Storage Gen2](./data-lake-storage-access-control-model.md). -You can use the [Azure identity client library for Python](https://pypi.org/project/azure-identity/) to authenticate your application with Azure AD. +You can use the [Azure identity client library for Python](https://pypi.org/project/azure-identity/) to authenticate your application with Microsoft Entra ID. First, you'll have to assign one of the following [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) roles to your security principal: |
storage | Data Lake Storage Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-best-practices.md | Again, the choice you make with the folder and file organization should optimize ## Set up security -Start by reviewing the recommendations in the [Security recommendations for Blob storage](security-recommendations.md) article. You'll find best practice guidance about how to protect your data from accidental or malicious deletion, secure data behind a firewall, and use Azure Active Directory (Azure AD) as the basis of identity management. +Start by reviewing the recommendations in the [Security recommendations for Blob storage](security-recommendations.md) article. You'll find best practice guidance about how to protect your data from accidental or malicious deletion, secure data behind a firewall, and use Microsoft Entra ID as the basis of identity management. Then, review the [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md) article for guidance that is specific to Data Lake Storage Gen2 enabled accounts. This article helps you understand how to use Azure role-based access control (Azure RBAC) roles together with access control lists (ACLs) to enforce security permissions on directories and files in your hierarchical file system. |
storage | Data Lake Storage Directory File Acl Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-directory-file-acl-cli.md | To learn about how to get, set, and update the access control lists (ACL) of dir Replace the `<subscription-id>` placeholder value with the ID of your subscription. > [!NOTE]-> The example presented in this article show Azure Active Directory (Azure AD) authorization. To learn more about authorization methods, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). +> The example presented in this article show Microsoft Entra authorization. To learn more about authorization methods, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). ## Create a container |
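Review bot: The + line "The example presented in this article show Microsoft Entra authorization" keeps the subject-verb mismatch from the old text; it needs either "examples ... show" or "example ... shows". The rename rewrites this exact line, so fix it in the same commit.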
storage | Data Lake Storage Directory File Acl Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-directory-file-acl-dotnet.md | using System.IO; ## Authorize access and connect to data resources -To work with the code examples in this article, you need to create an authorized [DataLakeServiceClient](/dotnet/api/azure.storage.files.datalake.datalakeserviceclient) instance that represents the storage account. You can authorize a `DataLakeServiceClient` object using Azure Active Directory (Azure AD), an account access key, or a shared access signature (SAS). +To work with the code examples in this article, you need to create an authorized [DataLakeServiceClient](/dotnet/api/azure.storage.files.datalake.datalakeserviceclient) instance that represents the storage account. You can authorize a `DataLakeServiceClient` object using Microsoft Entra ID, an account access key, or a shared access signature (SAS). -### [Azure AD](#tab/azure-ad) +<a name='azure-ad'></a> -You can use the [Azure identity client library for .NET](/dotnet/api/overview/azure/identity-readme) to authenticate your application with Azure AD. +### [Microsoft Entra ID](#tab/azure-ad) ++You can use the [Azure identity client library for .NET](/dotnet/api/overview/azure/identity-readme) to authenticate your application with Microsoft Entra ID. Create a [DataLakeServiceClient](/dotnet/api/azure.storage.files.datalake.datalakeserviceclient) instance and pass in a new instance of the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class. |
storage | Data Lake Storage Directory File Acl Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-directory-file-acl-java.md | To learn about how to get, set, and update the access control lists (ACL) of dir To get started, open [this page](https://search.maven.org/artifact/com.azure/azure-storage-file-datalake) and find the latest version of the Java library. Then, open the *pom.xml* file in your text editor. Add a dependency element that references that version. -If you plan to authenticate your client application by using Azure Active Directory (Azure AD), then add a dependency to the Azure Identity library. For more information, see [Azure Identity client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity#adding-the-package-to-your-project). +If you plan to authenticate your client application by using Microsoft Entra ID, then add a dependency to the Azure Identity library. For more information, see [Azure Identity client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity#adding-the-package-to-your-project). Next, add these imports statements to your code file. import com.azure.storage.file.datalake.options.*; ## Authorize access and connect to data resources -To work with the code examples in this article, you need to create an authorized [DataLakeServiceClient](/java/api/com.azure.storage.file.datalake.datalakeserviceclient) instance that represents the storage account. You can authorize a `DataLakeServiceClient` object using Azure Active Directory (Azure AD), an account access key, or a shared access signature (SAS). +To work with the code examples in this article, you need to create an authorized [DataLakeServiceClient](/java/api/com.azure.storage.file.datalake.datalakeserviceclient) instance that represents the storage account. 
You can authorize a `DataLakeServiceClient` object using Microsoft Entra ID, an account access key, or a shared access signature (SAS). -### [Azure AD](#tab/azure-ad) +<a name='azure-ad'></a> -You can use the [Azure identity client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity) to authenticate your application with Azure AD. +### [Microsoft Entra ID](#tab/azure-ad) ++You can use the [Azure identity client library for Java](https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/identity/azure-identity) to authenticate your application with Microsoft Entra ID. Create a [DataLakeServiceClient](/java/api/com.azure.storage.file.datalake.datalakeserviceclient) instance and pass in a new instance of the [DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential) class. |
storage | Data Lake Storage Directory File Acl Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-directory-file-acl-javascript.md | StorageSharedKeyCredential To use the snippets in this article, you'll need to create a **DataLakeServiceClient** instance that represents the storage account. -### Connect by using Azure Active Directory (Azure AD) +<a name='connect-by-using-azure-active-directory-azure-ad'></a> -You can use the [Azure identity client library for JS](https://www.npmjs.com/package/@azure/identity) to authenticate your application with Azure AD. +### Connect by using Microsoft Entra ID ++You can use the [Azure identity client library for JS](https://www.npmjs.com/package/@azure/identity) to authenticate your application with Microsoft Entra ID. Create a [DataLakeServiceClient](/javascript/api/@azure/storage-file-datalake/datalakeserviceclient) instance and pass in a new instance of the [DefaultAzureCredential](/javascript/api/@azure/identity/defaultazurecredential) class. function GetDataLakeServiceClient(accountName, accountKey) { ``` -This method of authorization works only for Node.js applications. If you plan to run your code in a browser, you can authorize by using Azure Active Directory (Azure AD). +This method of authorization works only for Node.js applications. If you plan to run your code in a browser, you can authorize by using Microsoft Entra ID. [!INCLUDE [storage-shared-key-caution](../../../includes/storage-shared-key-caution.md)] |
storage | Data Lake Storage Directory File Acl Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-directory-file-acl-powershell.md | To learn about how to get, set, and update the access control lists (ACL) of dir Choose how you want your commands to obtain authorization to the storage account. -### Option 1: Obtain authorization by using Azure Active Directory (Azure AD) +<a name='option-1-obtain-authorization-by-using-azure-active-directory-azure-ad'></a> ++### Option 1: Obtain authorization by using Microsoft Entra ID With this approach, the system ensures that your user account has the appropriate Azure role-based access control (Azure RBAC) assignments and ACL permissions. |
storage | Data Lake Storage Directory File Acl Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-directory-file-acl-python.md | from azure.identity import DefaultAzureCredential ## Authorize access and connect to data resources -To work with the code examples in this article, you need to create an authorized [DataLakeServiceClient](/python/api/azure-storage-file-datalake/azure.storage.filedatalake.datalakeserviceclient) instance that represents the storage account. You can authorize a `DataLakeServiceClient` object using Azure Active Directory (Azure AD), an account access key, or a shared access signature (SAS). +To work with the code examples in this article, you need to create an authorized [DataLakeServiceClient](/python/api/azure-storage-file-datalake/azure.storage.filedatalake.datalakeserviceclient) instance that represents the storage account. You can authorize a `DataLakeServiceClient` object using Microsoft Entra ID, an account access key, or a shared access signature (SAS). -### [Azure AD](#tab/azure-ad) +<a name='azure-ad'></a> -You can use the [Azure identity client library for Python](https://pypi.org/project/azure-identity/) to authenticate your application with Azure AD. +### [Microsoft Entra ID](#tab/azure-ad) ++You can use the [Azure identity client library for Python](https://pypi.org/project/azure-identity/) to authenticate your application with Microsoft Entra ID. Create an instance of the [DataLakeServiceClient](/python/api/azure-storage-file-datalake/azure.storage.filedatalake.datalakeserviceclient) class and pass in a [DefaultAzureCredential](/python/api/azure-identity/azure.identity.defaultazurecredential) object. 
The following code example shows how to delete a directory: - [Samples](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-file-datalake/samples) - [Gen1 to Gen2 mapping](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/storage/azure-storage-file-datalake/GEN1_GEN2_MAPPING.md) - [Known issues](data-lake-storage-known-issues.md#api-scope-data-lake-client-library)-- [Give Feedback](https://github.com/Azure/azure-sdk-for-python/issues)+- [Give Feedback](https://github.com/Azure/azure-sdk-for-python/issues) |
storage | Data Lake Storage Explorer Acl | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-explorer-acl.md | The **Manage Access** dialog box allows you to manage permissions for owner and > [!div class="mx-imgBorder"] > ![Manage Access dialog box](./media/data-lake-storage-explorer-acl/manage-access-dialog-box.png) -To add a new user or group to the access control list, select the **Add** button. Then, enter the corresponding Azure Active Directory (Azure AD) entry you wish to add to the list and then select **Add**. The user or group will now appear in the **Users and groups:** field, allowing you to begin managing their permissions. +To add a new user or group to the access control list, select the **Add** button. Then, enter the corresponding Microsoft Entra entry you wish to add to the list and then select **Add**. The user or group will now appear in the **Users and groups:** field, allowing you to begin managing their permissions. > [!NOTE]-> It is a best practice, and recommended, to create a security group in Azure AD and maintain permissions on the group rather than individual users. For details on this recommendation, as well as other best practices, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-explorer-acl.md). +> It is a best practice, and recommended, to create a security group in Microsoft Entra ID and maintain permissions on the group rather than individual users. For details on this recommendation, as well as other best practices, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-explorer-acl.md). Use the check box controls to set access and default ACLs. To learn more about the difference between these types of ACLs, see [Types of ACLs](data-lake-storage-access-control.md#types-of-acls). |
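Review bot: The renamed NOTE links to the wrong article: "[Access control model in Azure Data Lake Storage Gen2](data-lake-storage-explorer-acl.md)" points back at this same file. The link text, and the equivalent note in the data-lake-storage-acl-azure-portal.md hunk in this change set, refer to data-lake-storage-access-control-model.md; correct the target while the line is being rewritten.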
storage | Data Lake Storage Migrate Gen1 To Gen2 Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-migrate-gen1-to-gen2-azure-portal.md | As you create the account, make sure to configure settings with the following va ## Step 2: Verify Azure role-based access control (Azure RBAC) role assignments -For Gen2, ensure that the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role has been assigned to your Azure Active Directory (Azure AD) user identity in the scope of the storage account, parent resource group, or subscription. +For Gen2, ensure that the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role has been assigned to your Microsoft Entra user identity in the scope of the storage account, parent resource group, or subscription. -For Gen1, ensure that the [Owner](../../role-based-access-control/built-in-roles.md#owner) role has been assigned to your Azure AD identity in the scope of the Gen1 account, parent resource group, or subscription. +For Gen1, ensure that the [Owner](../../role-based-access-control/built-in-roles.md#owner) role has been assigned to your Microsoft Entra identity in the scope of the Gen1 account, parent resource group, or subscription. ## Step 3: Migrate Azure Data Lake Analytics workloads The following functionality isn't supported in the compatibility layer. - Chunk-encoding for append operations. -- Any API calls that use `https://management.azure.com/` as the Azure Active Directory (Azure AD) token audience.+- Any API calls that use `https://management.azure.com/` as the Microsoft Entra token audience. - File or directory names with only spaces or tabs, ending with a `.`, containing a `:`, or with multiple consecutive forward slashes (`//`). |
storage | Data Lake Storage Migrate Gen1 To Gen2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-migrate-gen1-to-gen2.md | This table compares the capabilities of Gen1 to that of Gen2. |||| |Data organization|[Hierarchical namespace](data-lake-storage-namespace.md)<br>File and folder support|[Hierarchical namespace](data-lake-storage-namespace.md)<br>Container, file and folder support | |Geo-redundancy| [LRS](../common/storage-redundancy.md#locally-redundant-storage)| [LRS](../common/storage-redundancy.md#locally-redundant-storage), [ZRS](../common/storage-redundancy.md#zone-redundant-storage), [GRS](../common/storage-redundancy.md#geo-redundant-storage), [RA-GRS](../common/storage-redundancy.md#read-access-to-data-in-the-secondary-region) |-|Authentication|[Azure Active Directory (Azure AD) managed identity](../../active-directory/managed-identities-azure-resources/overview.md)<br>[Service principals](../../active-directory/develop/app-objects-and-service-principals.md)|[Azure AD managed identity](../../active-directory/managed-identities-azure-resources/overview.md)<br>[Service principals](../../active-directory/develop/app-objects-and-service-principals.md)<br>[Shared Access Key](/rest/api/storageservices/authorize-with-shared-key)| +|Authentication|[Microsoft Entra managed identity](../../active-directory/managed-identities-azure-resources/overview.md)<br>[Service principals](../../active-directory/develop/app-objects-and-service-principals.md)|[Microsoft Entra managed identity](../../active-directory/managed-identities-azure-resources/overview.md)<br>[Service principals](../../active-directory/develop/app-objects-and-service-principals.md)<br>[Shared Access Key](/rest/api/storageservices/authorize-with-shared-key)| |Authorization|Management - [Azure RBAC](../../role-based-access-control/overview.md)<br>Data - [ACLs](data-lake-storage-access-control.md)|Management - [Azure 
RBAC](../../role-based-access-control/overview.md)<br>Data - [ACLs](data-lake-storage-access-control.md), [Azure RBAC](../../role-based-access-control/overview.md) | |Encryption - Data at rest|Server side - with [Microsoft-managed](../common/storage-service-encryption.md?toc=/azure/storage/blobs/toc.json) or [customer-managed](../common/customer-managed-keys-overview.md?toc=/azure/storage/blobs/toc.json) keys|Server side - with [Microsoft-managed](../common/storage-service-encryption.md?toc=/azure/storage/blobs/toc.json) or [customer-managed](../common/customer-managed-keys-overview.md?toc=/azure/storage/blobs/toc.json) keys| |VNET Support|[VNET Integration](../../data-lake-store/data-lake-store-network-security.md)|[Service Endpoints](../common/storage-network-security.md?toc=/azure/storage/blobs/toc.json), [Private Endpoints](../common/storage-private-endpoints.md)| |
storage | Data Lake Storage Migrate On Premises HDFS Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-migrate-on-premises-HDFS-cluster.md | You already have the data into your Azure Storage account. Now you apply access ### Create a service principal for your Azure Data Lake Storage Gen2 enabled account -To create a service principal, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +To create a service principal, see [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). - When performing the steps in the [Assign the application to a role](../../active-directory/develop/howto-create-service-principal-portal.md#assign-a-role-to-the-application) section of the article, make sure to assign the **Storage Blob Data Contributor** role to the service principal. This command generates a list of copied files with their permissions. > [!NOTE] > Depending on the number of files in the HDFS, this command can take a long time to run. -### Generate a list of identities and map them to Azure Active Directory identities +<a name='generate-a-list-of-identities-and-map-them-to-azure-active-directory-identities'></a> ++### Generate a list of identities and map them to Microsoft Entra identities 1. Download the `copy-acls.py` script. See the [Download helper scripts and set up your edge node to run them](#download-helper-scripts) section of this article. This command generates a list of copied files with their permissions. 3. Open the `id_map.json` file in a text editor. -4. For each JSON object that appears in the file, update the `target` attribute of either an Azure AD User Principal Name (UPN) or ObjectId (OID), with the appropriate mapped identity. 
After you're done, save the file. You'll need this file in the next step. +4. For each JSON object that appears in the file, update the `target` attribute of either a Microsoft Entra user Principal Name (UPN) or ObjectId (OID), with the appropriate mapped identity. After you're done, save the file. You'll need this file in the next step. ### Apply permissions to copied files and apply identity mappings |
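Review bot: the rename in step 4 produces "a Microsoft Entra user Principal Name (UPN)", mixed casing from lowercasing only the first word of "User Principal Name"; use either "user principal name (UPN)" or "User Principal Name (UPN)" consistently. The sentence itself is also hard to parse: "update the `target` attribute of either a ... UPN or ObjectId (OID), with the appropriate mapped identity" reads better as "set the `target` attribute to the UPN or object ID (OID) of the Microsoft Entra identity that the HDFS identity maps to". Since this file drives which principal receives each copied ACL entry, an ambiguous instruction here is a permissions bug waiting to happen.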
storage | Data Lake Storage Supported Azure Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/data-lake-storage-supported-azure-services.md | This table lists the Azure services that you can use with Azure Data Lake Storag > [!NOTE] > Support level refers only to how the service is supported with Data Lake Storage Gen 2. -|Azure service |Support level |Azure AD |Shared Key| Related articles | +|Azure service |Support level |Microsoft Entra ID |Shared Key| Related articles | ||-|||| |Azure Data Factory|Generally available|Yes|Yes|<ul><li>[Load data into Azure Data Lake Storage Gen2 with Azure Data Factory](../../data-factory/load-azure-data-lake-storage-gen2.md?toc=/azure/storage/blobs/toc.json)</li></ul>| |Azure Databricks|Generally available|Yes|Yes|<ul><li>[Use with Azure Databricks](/azure/databricks/dat)</li></ul>| |
storage | Encryption Scope Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/encryption-scope-manage.md | New-AzStorageContainer -Name $containerName1 ` To create a container with a default encryption scope with Azure CLI, call the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command, specifying the scope for the `--default-encryption-scope` parameter. To force all blobs in a container to use the container's default scope, set the `--prevent-encryption-scope-override` parameter to `true`. -The following example uses your Azure AD account to authorize the operation to create the container. You can also use the account access key. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). +The following example uses your Microsoft Entra account to authorize the operation to create the container. You can also use the account access key. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). ```azurecli-interactive az storage container create \ |
storage | Monitor Blob Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/monitor-blob-storage.md | Azure Monitor provides the [.NET SDK](https://www.nuget.org/packages/Microsoft.A In these examples, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the Blob storage service. You can find these resource IDs on the **Endpoints** pages of your storage account in the Azure portal. -Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). #### List the account-level metric definition Get started with any of these guides. | [Azure Blob Storage monitoring data reference](monitor-blob-storage-reference.md) | A reference of the logs and metrics created by Azure Blob Storage | | [Troubleshoot performance issues](../common/troubleshoot-storage-performance.md?toc=/azure/storage/blobs/toc.json)| Common performance issues and guidance about how to troubleshoot them. 
| | [Troubleshoot availability issues](../common/troubleshoot-storage-availability.md?toc=/azure/storage/blobs/toc.json)| Common availability issues and guidance about how to troubleshoot them.|-| [Troubleshoot client application errors](../common/troubleshoot-storage-client-application-errors.md?toc=/azure/storage/blobs/toc.json)| Common issues with connecting clients and how to troubleshoot them.| +| [Troubleshoot client application errors](../common/troubleshoot-storage-client-application-errors.md?toc=/azure/storage/blobs/toc.json)| Common issues with connecting clients and how to troubleshoot them.| |
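Review bot: in the first hunk, the placeholder `<AccessKey>` is used alongside `<tenant-ID>` and `<application-ID>` for a service principal, but what the linked article produces is a client secret, not a storage account access key; naming it `<client-secret>` would avoid readers pasting a storage key where a Microsoft Entra application credential is expected. The second hunk changes only the leading `|` on the "Troubleshoot client application errors" row, which restores the table row that had been merged onto the previous line; fine as is.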
storage | Network File System Protocol Support How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/network-file-system-protocol-support-how-to.md | Your storage account must be contained within a virtual network. A virtual netwo Currently, the only way to secure the data in your storage account is by using a virtual network and other network security settings. See [Network security recommendations for Blob storage](security-recommendations.md#networking). -Any other tools used to secure data, including account key authorization, Azure Active Directory (Azure AD) security, and access control lists (ACLs) can't be used to authorize an NFS 3.0 request. In fact, if you add an entry for a named user or group to the ACL of a blob or directory, that file becomes inaccessible on the client for non-root users. You would have to remove that entry to restore access to non-root users on the client. +Any other tools used to secure data, including account key authorization, Microsoft Entra security, and access control lists (ACLs) can't be used to authorize an NFS 3.0 request. In fact, if you add an entry for a named user or group to the ACL of a blob or directory, that file becomes inaccessible on the client for non-root users. You would have to remove that entry to restore access to non-root users on the client. > [!IMPORTANT] > The NFS 3.0 protocol uses ports 111 and 2048. If you're connecting from an on-premises network, make sure that your client allows outgoing communication through those ports. If you have granted access to specific VNets, make sure that any network security groups associated with those VNets don't contain security rules that block incoming communication through those ports. |
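Review bot: "Microsoft Entra security" is vaguer than the "Azure Active Directory (Azure AD) security" it replaces; the item in that list is an authorization mechanism, so "Microsoft Entra ID authorization" reads unambiguously next to "account key authorization" and "access control lists (ACLs)". The sentence that follows, that adding a named user or group ACL entry makes the file inaccessible to non-root clients, is the practical consequence of NFS 3.0 having no identity-based authorization and deserves to stay adjacent to it rather than being split off in a later edit.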
storage | Network File System Protocol Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/network-file-system-protocol-support.md | For step-by-step guidance, see [Mount Blob storage by using the Network File Sys ## Network security -Traffic must originate from a VNet. A VNet enables clients to securely connect to your storage account. The only way to secure the data in your account is by using a VNet and other network security settings. Any other tool used to secure data including account key authorization, Azure Active Directory (AD) security, and access control lists (ACLs) can't be used to authorize an NFS 3.0 request. +Traffic must originate from a VNet. A VNet enables clients to securely connect to your storage account. The only way to secure the data in your account is by using a VNet and other network security settings. Any other tool used to secure data including account key authorization, Microsoft Entra security, and access control lists (ACLs) can't be used to authorize an NFS 3.0 request. To learn more, see [Network security recommendations for Blob storage](security-recommendations.md#networking). |
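Review bot: same wording issue as the how-to article: "Microsoft Entra security" in the list "account key authorization, Microsoft Entra security, and access control lists (ACLs)" should be "Microsoft Entra ID authorization" so the three items are parallel and the point of the sentence, that only network controls restrict NFS 3.0 access, is not diluted.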
storage | Object Replication Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/object-replication-configure.md | az storage account or-policy show \ ## Configure object replication using a JSON file -If you don't have permissions to the source storage account or if you want to use more than 10 container pairs, then you can configure object replication on the destination account and provide a JSON file that contains the policy definition to another user to create the same policy on the source account. For example, if the source account is in a different Azure AD tenant from the destination account, then you can use this approach to configure object replication. +If you don't have permissions to the source storage account or if you want to use more than 10 container pairs, then you can configure object replication on the destination account and provide a JSON file that contains the policy definition to another user to create the same policy on the source account. For example, if the source account is in a different Microsoft Entra tenant from the destination account, then you can use this approach to configure object replication. For information about how to author a JSON file that contains the policy definition, see [Policy definition file](object-replication-overview.md#policy-definition-file). > [!NOTE]-> Cross-tenant object replication is permitted by default for a storage account. To prevent replication across tenants, you can set the **AllowCrossTenantReplication** property to disallow cross-tenant object replication for your storage accounts. For more information, see [Prevent object replication across Azure Active Directory tenants](object-replication-prevent-cross-tenant-policies.md). +> Cross-tenant object replication is permitted by default for a storage account. 
To prevent replication across tenants, you can set the **AllowCrossTenantReplication** property to disallow cross-tenant object replication for your storage accounts. For more information, see [Prevent object replication across Microsoft Entra tenants](object-replication-prevent-cross-tenant-policies.md). The examples in this section show how to configure the object replication policy on the destination account, and then get the JSON file for that policy that another user can use to configure the policy on the source account. az storage account or-policy delete \ ## Next steps - [Object replication for block blobs](object-replication-overview.md)-- [Prevent object replication across Azure Active Directory tenants](object-replication-prevent-cross-tenant-policies.md)+- [Prevent object replication across Microsoft Entra tenants](object-replication-prevent-cross-tenant-policies.md) - [Enable and manage blob versioning](versioning-enable.md) - [Process change feed in Azure Blob storage](storage-blob-change-feed-how-to.md) |
storage | Object Replication Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/object-replication-overview.md | When you configure object replication, you create a replication policy on the de A source account can replicate to no more than two destination accounts, with one policy for each destination account. Similarly, an account may serve as the destination account for no more than two replication policies. -The source and destination accounts may be in the same region or in different regions. They may also reside in the same subscription or in different subscriptions. Optionally, the source and destination accounts may reside in different Azure Active Directory (Azure AD) tenants. Only one replication policy may be created for each source account/destination account pair. +The source and destination accounts may be in the same region or in different regions. They may also reside in the same subscription or in different subscriptions. Optionally, the source and destination accounts may reside in different Microsoft Entra tenants. Only one replication policy may be created for each source account/destination account pair. ### Replication rules The full resource ID is in the following format: /subscriptions/<subscriptionId>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account> ``` -The policy definition file previously required only the account name, instead of the full resource ID for the storage account. With the introduction of the **AllowCrossTenantReplication** security property in version 2021-02-01 of the Azure Storage resource provider REST API, you must now provide the full resource ID for any object replication policies that are created when cross-tenant replication is disallowed for a storage account that participates in the replication policy. Azure Storage uses the full resource ID to verify whether the source and destination accounts reside within the same tenant. 
To learn more about disallowing cross-tenant replication policies, see [Prevent replication across Azure AD tenants](#prevent-replication-across-azure-ad-tenants). +The policy definition file previously required only the account name, instead of the full resource ID for the storage account. With the introduction of the **AllowCrossTenantReplication** security property in version 2021-02-01 of the Azure Storage resource provider REST API, you must now provide the full resource ID for any object replication policies that are created when cross-tenant replication is disallowed for a storage account that participates in the replication policy. Azure Storage uses the full resource ID to verify whether the source and destination accounts reside within the same tenant. To learn more about disallowing cross-tenant replication policies, see [Prevent replication across Microsoft Entra tenants](#prevent-replication-across-azure-ad-tenants). While providing only the account name is still supported when cross-tenant replication is allowed for a storage account, Microsoft recommends always providing the full resource ID as a best practice. All previous versions of the Azure Storage resource provider REST API support using the full resource ID path in object replication policies. The following table summarizes which values to use for the **policyId** and **ru | Destination account | The string value *default*. Azure Storage will create the policy ID value for you. | An empty string. Azure Storage will create the rule ID values for you. | | Source account | The value of the policy ID returned when you download the policy definition file for the destination account. | The values of the rule IDs returned when you download the policy definition file for the destination account. 
| -## Prevent replication across Azure AD tenants +<a name='prevent-replication-across-azure-ad-tenants'></a> -An Azure Active Directory (Azure AD) tenant is a dedicated instance of Azure AD that represents an organization for identity and access management. Each Azure subscription has a trust relationship with a single Azure AD tenant. All resources in a subscription, including storage accounts, are associated with the same Azure AD tenant. For more information, see [What is Azure Active Directory?](../../active-directory/fundamentals/active-directory-whatis.md) +## Prevent replication across Microsoft Entra tenants -By default, a user with appropriate permissions can configure object replication with a source storage account that is in one Azure AD tenant and a destination account that is in a different tenant. If your security policies require that you restrict object replication to storage accounts that reside within the same tenant only, you can disallow replication across tenants by setting a security property, the **AllowCrossTenantReplication** property (preview). When you disallow cross-tenant object replication for a storage account, then for any object replication policy that is configured with that storage account as the source or destination account, Azure Storage requires that both the source and destination accounts reside within the same Azure AD tenant. For more information about disallowing cross-tenant object replication, see [Prevent object replication across Azure Active Directory tenants](object-replication-prevent-cross-tenant-policies.md). +A Microsoft Entra tenant is a dedicated instance of Microsoft Entra ID that represents an organization for identity and access management. Each Azure subscription has a trust relationship with a single Microsoft Entra tenant. All resources in a subscription, including storage accounts, are associated with the same Microsoft Entra tenant. 
For more information, see [What is Microsoft Entra ID?](../../active-directory/fundamentals/active-directory-whatis.md) ++By default, a user with appropriate permissions can configure object replication with a source storage account that is in one Microsoft Entra tenant and a destination account that is in a different tenant. If your security policies require that you restrict object replication to storage accounts that reside within the same tenant only, you can disallow replication across tenants by setting a security property, the **AllowCrossTenantReplication** property (preview). When you disallow cross-tenant object replication for a storage account, then for any object replication policy that is configured with that storage account as the source or destination account, Azure Storage requires that both the source and destination accounts reside within the same Microsoft Entra tenant. For more information about disallowing cross-tenant object replication, see [Prevent object replication across Microsoft Entra tenants](object-replication-prevent-cross-tenant-policies.md). To disallow cross-tenant object replication for a storage account, set the **AllowCrossTenantReplication** property to *false*. If the storage account doesn't currently participate in any cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* prevents future configuration of cross-tenant object replication policies with this storage account as the source or destination. Here's a breakdown of the costs. 
To find the price of each cost component, see [ ## Next steps - [Configure object replication](object-replication-configure.md)-- [Prevent object replication across Azure Active Directory tenants](object-replication-prevent-cross-tenant-policies.md)+- [Prevent object replication across Microsoft Entra tenants](object-replication-prevent-cross-tenant-policies.md) - [Blob versioning](versioning-overview.md) - [Change feed support in Azure Blob Storage](storage-blob-change-feed.md)-- |
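Review bot: the "Prevent replication across Microsoft Entra tenants" hunk still labels **AllowCrossTenantReplication** as "(preview)", while the earlier hunk in the same file dates it to version 2021-02-01 of the resource provider REST API and the dedicated article (object-replication-prevent-cross-tenant-policies.md, also in this change set) describes it with no preview qualifier. Align the status in one place or the other. The added `<a name='prevent-replication-across-azure-ad-tenants'></a>` correctly preserves the in-page link `#prevent-replication-across-azure-ad-tenants` used in the policy definition section after the heading text changed.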
storage | Object Replication Prevent Cross Tenant Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/object-replication-prevent-cross-tenant-policies.md | Title: Prevent object replication across Azure Active Directory tenants + Title: Prevent object replication across Microsoft Entra tenants description: Prevent cross-tenant object replication -# Prevent object replication across Azure Active Directory tenants +# Prevent object replication across Microsoft Entra tenants Object replication asynchronously copies block blobs from a container in one storage account to a container in another storage account. When you configure an object replication policy, you specify the source account and container and the destination account and container. After the policy is configured, Azure Storage automatically copies the results of create, update, and delete operations on a source object to the destination object. For more information about object replication in Azure Storage, see [Object replication for block blobs](object-replication-overview.md). -By default, an authorized user is permitted to configure an object replication policy where the source account is in one Azure Active Directory (Azure AD) tenant and the destination account is in a different tenant. If your security policies require that you restrict object replication to storage accounts that reside within the same tenant only, you can disallow the creation of policies where the source and destination accounts are in different tenants. By default, cross-tenant object replication is enabled for a storage account unless you explicitly disallow it. +By default, an authorized user is permitted to configure an object replication policy where the source account is in one Microsoft Entra tenant and the destination account is in a different tenant. 
If your security policies require that you restrict object replication to storage accounts that reside within the same tenant only, you can disallow the creation of policies where the source and destination accounts are in different tenants. By default, cross-tenant object replication is enabled for a storage account unless you explicitly disallow it. This article describes how to remediate cross-tenant object replication for your storage accounts. It also describes how to create policies to enforce a prohibition on cross-tenant object replication for new and existing storage accounts. For more information on how to configure object replication policies, including ## Remediate cross-tenant object replication -To prevent object replication across Azure AD tenants, set the **AllowCrossTenantReplication** property for the storage account to **false**. If a storage account does not currently participate in any cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* prevents future configuration of cross-tenant object replication policies with this storage account as the source or destination. However, if a storage account currently participates in one or more cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* is not permitted until you delete the existing cross-tenant policies. +To prevent object replication across Microsoft Entra tenants, set the **AllowCrossTenantReplication** property for the storage account to **false**. If a storage account does not currently participate in any cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* prevents future configuration of cross-tenant object replication policies with this storage account as the source or destination. 
However, if a storage account currently participates in one or more cross-tenant object replication policies, then setting the **AllowCrossTenantReplication** property to *false* is not permitted until you delete the existing cross-tenant policies. Cross-tenant policies are permitted by default for a storage account. However, the **AllowCrossTenantReplication** property is not set by default for a new or existing storage account and does not return a value until you explicitly set it. The storage account can participate in object replication policies across tenants when the property value is either **null** or **true**. Setting the **AllowCrossTenantReplication** property does not incur any downtime on the storage account. To set the **AllowCrossTenantReplication** property for a storage account, a use - The Azure Resource Manager [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role - The [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role -These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. +These roles do not provide access to data in a storage account via Microsoft Entra ID. However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. Role assignments must be scoped to the level of the storage account or higher to permit a user to allow or disallow cross-tenant object replication for the storage account. For more information about role scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md). 
Be careful to restrict assignment of these roles only to those who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ## Use Azure Policy to audit for compliance |
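Review bot: in the "Remediate cross-tenant object replication" hunk the value is written as **false** in the first sentence and *false* in the second; pick one emphasis style for the property value. The paragraph noting that **Contributor** and **Storage Account Contributor** carry `Microsoft.Storage/storageAccounts/listkeys/action`, and therefore full data access through the account keys, is the key security caveat of this article and survives the rename intact.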
storage | Point In Time Restore Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/point-in-time-restore-overview.md | The time that it takes to restore a set of data is based on the number of write ### Permissions for point-in-time restore -To initiate a restore operation, a client must have write permissions to all containers in the storage account. To grant permissions to authorize a restore operation with Azure Active Directory (Azure AD), assign the **Storage Account Contributor** role to the security principal at the level of the storage account, resource group, or subscription. +To initiate a restore operation, a client must have write permissions to all containers in the storage account. To grant permissions to authorize a restore operation with Microsoft Entra ID, assign the **Storage Account Contributor** role to the security principal at the level of the storage account, resource group, or subscription. ## Limitations and known issues Point-in-time restore for block blobs has the following limitations and known is - Performing a customer-managed failover on a storage account resets the earliest possible restore point for the storage account. For more details, see [Point-in-time restore](../common/storage-disaster-recovery-guidance.md#point-in-time-restore-inconsistencies). - Snapshots aren't created or deleted as part of a restore operation. Only the base blob is restored to its previous state. - Point-in-time restore isn't supported for hierarchical namespaces or operations via Azure Data Lake Storage Gen2.-- Point-in-time restore isn't supported when the storage account's **AllowedCopyScope** property is set to restrict copy scope to the same Azure AD tenant or virtual network. 
For more information, see [About Permitted scope for copy operations (preview)](../common/security-restrict-copy-operations.md?toc=/azure/storage/blobs/toc.json&tabs=portal#about-permitted-scope-for-copy-operations-preview).+- Point-in-time restore isn't supported when the storage account's **AllowedCopyScope** property is set to restrict copy scope to the same Microsoft Entra tenant or virtual network. For more information, see [About Permitted scope for copy operations (preview)](../common/security-restrict-copy-operations.md?toc=/azure/storage/blobs/toc.json&tabs=portal#about-permitted-scope-for-copy-operations-preview). - Point-in-time restore isn't supported when version-level immutability is enabled on a storage account or a container in an account. For more information on version-level immutability, see [Overview of immutable storage for blob data](immutable-storage-overview.md#version-level-scope). > [!IMPORTANT] |
storage | Quickstart Blobs C Plus Plus | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/quickstart-blobs-c-plus-plus.md | You can also authorize requests to Azure Blob Storage by using the account acces ### [Passwordless (Recommended)](#tab/managed-identity) -The Azure Identity library provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK. It provides a set of `TokenCredential` implementations which can be used to construct Azure SDK clients which support Azure AD token authentication. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. +The Azure Identity library provides Microsoft Entra token authentication support across the Azure SDK. It provides a set of `TokenCredential` implementations which can be used to construct Azure SDK clients which support Microsoft Entra token authentication. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. -#### Assign roles to your Azure AD user account +<a name='assign-roles-to-your-azure-ad-user-account'></a> ++#### Assign roles to your Microsoft Entra user account [!INCLUDE [assign-roles](../../../includes/assign-roles.md)] The Azure Identity library provides Azure Active Directory (Azure AD) token auth You can authorize access to data in your storage account using the following steps: -1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. You can authenticate via [Azure CLI](/cli/azure/install-azure-cli). Sign in to Azure through the Azure CLI using the following command: +1. Make sure you're authenticated with the same Microsoft Entra account you assigned the role to on your storage account. You can authenticate via [Azure CLI](/cli/azure/install-azure-cli). Sign in to Azure through the Azure CLI using the following command: ```azurecli az login |
storage | Quickstart Storage Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/quickstart-storage-explorer.md | When you create a SAS for a storage account, Storage Explorer generates an accou When you create a SAS for a container or blob, Storage Explorer generates a service SAS. For more information about the service SAS, see [Create a service SAS](/rest/api/storageservices/create-service-sas). > [!NOTE]-> When you create a SAS with Storage Explorer, the SAS is always assigned with the storage account key. Storage Explorer does not currently support creating a user delegation SAS, which is a SAS that is signed with Azure AD credentials. +> When you create a SAS with Storage Explorer, the SAS is always assigned with the storage account key. Storage Explorer does not currently support creating a user delegation SAS, which is a SAS that is signed with Microsoft Entra credentials. ## Next steps |
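Review bot: The rewritten NOTE line keeps a wording error that changes the security meaning: "the SAS is always assigned with the storage account key" should read "signed with the storage account key", since the point of the note is that Storage Explorer produces a key-signed SAS rather than a user delegation SAS signed with Microsoft Entra credentials. Since this line is already being touched for the rename, fix the verb in the same change.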
storage | Secure File Transfer Protocol Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/secure-file-transfer-protocol-known-issues.md | To transfer files to or from Azure Blob Storage via SFTP clients, see the follow - _Local users_ are the only form of identity management that is currently supported for the SFTP endpoint. -- Azure Active Directory (Azure AD) isn't supported for the SFTP endpoint.+- Microsoft Entra ID isn't supported for the SFTP endpoint. - POSIX-like access control lists (ACLs) aren't supported for the SFTP endpoint. |
storage | Secure File Transfer Protocol Support How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/secure-file-transfer-protocol-support-how-to.md | az storage account update -g <resource-group> -n <storage-account> --enable-sftp ## Configure permissions -Azure Storage doesn't support shared access signature (SAS), or Azure Active directory (Azure AD) authentication for accessing the SFTP endpoint. Instead, you must use an identity called local user that can be secured with an Azure generated password or a secure shell (SSH) key pair. To grant access to a connecting client, the storage account must have an identity associated with the password or key pair. That identity is called a *local user*. +Azure Storage doesn't support shared access signature (SAS), or Microsoft Entra authentication for accessing the SFTP endpoint. Instead, you must use an identity called local user that can be secured with an Azure generated password or a secure shell (SSH) key pair. To grant access to a connecting client, the storage account must have an identity associated with the password or key pair. That identity is called a *local user*. In this section, you'll learn how to create a local user, choose an authentication method, and assign permissions for that local user. |
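Review bot: The replacement sentence in the "Configure permissions" hunk carries a stray comma: "doesn't support shared access signature (SAS), or Microsoft Entra authentication" should drop the comma before "or", and "Azure generated password" reads better as "Azure-generated password". Both are on the `+` line being rewritten, so they can be fixed in this change.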
storage | Secure File Transfer Protocol Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/secure-file-transfer-protocol-support.md | Different protocols are supported by the hierarchical namespace. SFTP is one of ## SFTP permission model -Azure Blob Storage doesn't support Azure Active Directory (Azure AD) authentication or authorization via SFTP. Instead, SFTP utilizes a new form of identity management called _local users_. +Azure Blob Storage doesn't support Microsoft Entra authentication or authorization via SFTP. Instead, SFTP utilizes a new form of identity management called _local users_. Local users must use either a password or a Secure Shell (SSH) private key credential for authentication. You can have a maximum of 1000 local users for a storage account. To set up access permissions, you'll create a local user, and choose authenticat > [!CAUTION] > Local users do not interoperate with other Azure Storage permission models such as RBAC (role based access control), ABAC (attribute based access control), and ACLs (access control lists). >-> For example, Jeff has read only permission (can be controlled via RBAC, ABAC, or ACLs) via their Azure AD identity for file _foo.txt_ stored in container _con1_. If Jeff is accessing the storage account via NFS (when not mounted as root/superuser), Blob REST, or Data Lake Storage Gen2 REST, these permissions will be enforced. However, if Jeff also has a local user identity with delete permission for data in container _con1_, they can delete _foo.txt_ via SFTP using the local user identity. +> For example, Jeff has read only permission (can be controlled via RBAC, ABAC, or ACLs) via their Microsoft Entra identity for file _foo.txt_ stored in container _con1_. If Jeff is accessing the storage account via NFS (when not mounted as root/superuser), Blob REST, or Data Lake Storage Gen2 REST, these permissions will be enforced. 
However, if Jeff also has a local user identity with delete permission for data in container _con1_, they can delete _foo.txt_ via SFTP using the local user identity. For SFTP enabled storage accounts, you can use the full breadth of Azure Blob Storage security settings, to authenticate and authorize users accessing Blob Storage via Azure portal, Azure CLI, Azure PowerShell commands, AzCopy, as well as Azure SDKs, and Azure REST APIs. To learn more, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md). |
storage | Security Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/security-recommendations.md | Microsoft Defender for Cloud periodically analyzes the security state of your Az | Recommendation | Comments | Defender for Cloud | |-|-|--|-| Use the Azure Resource Manager deployment model | Create new storage accounts using the Azure Resource Manager deployment model for important security enhancements, including superior Azure role-based access control (Azure RBAC) and auditing, Resource Manager-based deployment and governance, access to managed identities, access to Azure Key Vault for secrets, and Azure Active Directory (Azure AD) authentication and authorization for access to Azure Storage data and resources. If possible, migrate existing storage accounts that use the classic deployment model to use Azure Resource Manager. For more information about Azure Resource Manager, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md). | - | +| Use the Azure Resource Manager deployment model | Create new storage accounts using the Azure Resource Manager deployment model for important security enhancements, including superior Azure role-based access control (Azure RBAC) and auditing, Resource Manager-based deployment and governance, access to managed identities, access to Azure Key Vault for secrets, and Microsoft Entra authentication and authorization for access to Azure Storage data and resources. If possible, migrate existing storage accounts that use the classic deployment model to use Azure Resource Manager. For more information about Azure Resource Manager, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md). 
| - | | Enable Microsoft Defender for all of your storage accounts | Microsoft Defender for Storage provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. Security alerts are triggered in Microsoft Defender for Cloud when anomalies in activity occur and are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and remediate threats. For more information, see [Configure Microsoft Defender for Storage](../common/azure-defender-storage-configure.md). | [Yes](../../defender-for-cloud/implement-security-recommendations.md) | | Turn on soft delete for blobs | Soft delete for blobs enables you to recover blob data after it has been deleted. For more information on soft delete for blobs, see [Soft delete for Azure Storage blobs](./soft-delete-blob-overview.md). | - | | Turn on soft delete for containers | Soft delete for containers enables you to recover a container after it has been deleted. For more information on soft delete for containers, see [Soft delete for containers](./soft-delete-container-overview.md). | - | Microsoft Defender for Cloud periodically analyzes the security state of your Az | Store business-critical data in immutable blobs | Configure legal holds and time-based retention policies to store blob data in a WORM (Write Once, Read Many) state. Blobs stored immutably can be read, but cannot be modified or deleted for the duration of the retention interval. For more information, see [Store business-critical blob data with immutable storage](immutable-storage-overview.md). | - | | Require secure transfer (HTTPS) to the storage account | When you require secure transfer for a storage account, all requests to the storage account must be made over HTTPS. Any requests made over HTTP are rejected. Microsoft recommends that you always require secure transfer for all of your storage accounts. 
For more information, see [Require secure transfer to ensure secure connections](../common/storage-require-secure-transfer.md). | - | | Limit shared access signature (SAS) tokens to HTTPS connections only | Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of eavesdropping. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). | - |-| Disallow cross-tenant object replication | By default, an authorized user is permitted to configure an object replication policy where the source account is in one Azure AD tenant and the destination account is in a different tenant. Disallow cross-tenant object replication to require that the source and destination accounts participating in an object replication policy are in the same tenant. For more information, see [Prevent object replication across Azure Active Directory tenants](object-replication-prevent-cross-tenant-policies.md). | - | +| Disallow cross-tenant object replication | By default, an authorized user is permitted to configure an object replication policy where the source account is in one Microsoft Entra tenant and the destination account is in a different tenant. Disallow cross-tenant object replication to require that the source and destination accounts participating in an object replication policy are in the same tenant. For more information, see [Prevent object replication across Microsoft Entra tenants](object-replication-prevent-cross-tenant-policies.md). | - | ## Identity and access management | Recommendation | Comments | Defender for Cloud | |-|-|--|-| Use Azure Active Directory (Azure AD) to authorize access to blob data | Azure AD provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. For more information, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). 
| - | -| Keep in mind the principle of least privilege when assigning permissions to an Azure AD security principal via Azure RBAC | When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | - | -| Use a user delegation SAS to grant limited access to blob data to clients | A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json). | - | -| Secure your account access keys with Azure Key Vault | Microsoft recommends using Azure AD to authorize requests to Azure Storage. However, if you must use Shared Key authorization, then secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime, instead of saving them with your application. For more information about Azure Key Vault, see [Azure Key Vault overview](../../key-vault/general/overview.md). | - | +| Use Microsoft Entra ID to authorize access to blob data | Microsoft Entra ID provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. For more information, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). | - | +| Keep in mind the principle of least privilege when assigning permissions to a Microsoft Entra security principal via Azure RBAC | When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | - | +| Use a user delegation SAS to grant limited access to blob data to clients | A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json). | - | +| Secure your account access keys with Azure Key Vault | Microsoft recommends using Microsoft Entra ID to authorize requests to Azure Storage. However, if you must use Shared Key authorization, then secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime, instead of saving them with your application. For more information about Azure Key Vault, see [Azure Key Vault overview](../../key-vault/general/overview.md). | - | | Regenerate your account keys periodically | Rotating the account keys periodically reduces the risk of exposing your data to malicious actors. | - |-| Disallow Shared Key authorization | When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Azure AD will succeed. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md). | - | +| Disallow Shared Key authorization | When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. 
For more information, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md). | - | | Keep in mind the principle of least privilege when assigning permissions to a SAS | When creating a SAS, specify only those permissions that are required by the client to perform its function. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | - | | Have a revocation plan in place for any SAS that you issue to clients | If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). | - | | If a service SAS is not associated with a stored access policy, then set the expiry time to one hour or less | A service SAS that is not associated with a stored access policy cannot be revoked. For this reason, limiting the expiry time so that the SAS is valid for one hour or less is recommended. | - | |
storage | Snapshots Manage Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/snapshots-manage-dotnet.md | To create a snapshot of a block blob, use one of the following methods: - [CreateSnapshot](/dotnet/api/azure.storage.blobs.specialized.blobbaseclient.createsnapshot) - [CreateSnapshotAsync](/dotnet/api/azure.storage.blobs.specialized.blobbaseclient.createsnapshotasync) -The following code example shows how to create a snapshot. Include a reference to the [Azure.Identity](https://www.nuget.org/packages/azure.identity) library to use your Azure AD credentials to authorize requests to the service. For more information about using the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class to authorize a managed identity to access Azure Storage, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme). +The following code example shows how to create a snapshot. Include a reference to the [Azure.Identity](https://www.nuget.org/packages/azure.identity) library to use your Microsoft Entra credentials to authorize requests to the service. For more information about using the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class to authorize a managed identity to access Azure Storage, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme). ```csharp private static async Task CreateBlockBlobSnapshot( |
storage | Soft Delete Blob Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/soft-delete-blob-enable.md | To enable blob soft delete for your storage account by using the Azure portal, f For more information about how to install PowerShell modules, see [Install the Azure PowerShell module](/powershell/azure/install-azure-powershell) -3. Obtain storage account authorization by using either a storage account key, a connection string, or Azure Active Directory (Azure AD). For more information, see [Connect to the account](data-lake-storage-directory-file-acl-powershell.md#connect-to-the-account). +3. Obtain storage account authorization by using either a storage account key, a connection string, or Microsoft Entra ID. For more information, see [Connect to the account](data-lake-storage-directory-file-acl-powershell.md#connect-to-the-account). The following example obtains authorization by using a storage account key. To enable blob soft delete for your storage account by using the Azure portal, f 3. Connect to your storage account. For more information, see [Connect to the account](data-lake-storage-directory-file-acl-cli.md#connect-to-the-account). > [!NOTE]- > The example presented in this article show Azure Active Directory (Azure AD) authorization. To learn more about authorization methods, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). + > The example presented in this article show Microsoft Entra authorization. To learn more about authorization methods, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md). 4. To enable soft delete with Azure CLI, call the `az storage fs service-properties update` command, specifying the retention period in days. |
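Review bot: Subject-verb agreement error carried into the rewritten NOTE line: "The example presented in this article show Microsoft Entra authorization" should read "shows" (or "The examples ... show"). The line is already being edited for the rename, so correct the grammar here.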
storage | Soft Delete Blob Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/soft-delete-blob-manage.md | To restore a soft-deleted blob or directory in the Azure portal, first display t 1. Ensure that you have the **Az.Storage** preview module installed. For more information, see [Enable blob soft delete via PowerShell](soft-delete-blob-enable.md?tabs=azure-powershell#enable-blob-soft-delete-hierarchical-namespace). -2. Obtain storage account authorization by using either a storage account key, a connection string, or Azure Active Directory (Azure AD). For more information, see [Connect to the account](data-lake-storage-directory-file-acl-powershell.md#connect-to-the-account). +2. Obtain storage account authorization by using either a storage account key, a connection string, or Microsoft Entra ID. For more information, see [Connect to the account](data-lake-storage-directory-file-acl-powershell.md#connect-to-the-account). The following example obtains authorization by using a storage account key. |
storage | Storage Auth Abac Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac-cli.md | Here is what the condition looks like in code: ## Step 3: Set up storage -You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using the storage account access key. This article shows how to authorize Blob storage operations using Azure AD. For more information, see [Quickstart: Create, download, and list blobs with Azure CLI](storage-quickstart-blobs-cli.md) +You can authorize access to Blob storage from the Azure CLI either with Microsoft Entra credentials or by using the storage account access key. This article shows how to authorize Blob storage operations using Microsoft Entra ID. For more information, see [Quickstart: Create, download, and list blobs with Azure CLI](storage-quickstart-blobs-cli.md) 1. Use [az storage account](/cli/azure/storage/account) to create a storage account that is compatible with the blob index feature. For more information, see [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md#regional-availability-and-storage-account-support). |
storage | Storage Auth Abac Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac-examples.md | Here are the settings to add this condition using the Azure portal. ### Example: Write blobs in named containers with a path -This condition allows a partner (an Azure AD guest user) to drop files into storage containers named Contosocorp with a path of uploads/contoso/*. This condition is useful for allowing other users to put data in storage containers. +This condition allows a partner (a Microsoft Entra guest user) to drop files into storage containers named Contosocorp with a path of uploads/contoso/*. This condition is useful for allowing other users to put data in storage containers. You must add this condition to any role assignments that include the following actions. |
storage | Storage Auth Abac Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac-portal.md | Here is what the condition looks like in code: 1. Sign in to the Azure portal as an Owner of a subscription. -1. Click **Azure Active Directory**. +1. Click **Microsoft Entra ID**. 1. Create a user or find an existing user. This tutorial uses Chandra as the example. Here is what the condition looks like in code: 1. Open the storage account and container you created. -1. Ensure that the authentication method is set to **Azure AD User Account** and not **Access key**. +1. Ensure that the authentication method is set to **Microsoft Entra user Account** and not **Access key**. :::image type="content" source="./media/storage-auth-abac-portal/test-storage-container.png" alt-text="Screenshot of storage container with test files." lightbox="./media/storage-auth-abac-portal/test-storage-container.png"::: |
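Review bot: Inconsistent capitalization in the second hunk's replacement label: "**Microsoft Entra user Account**" mixes cases. The reader is told to find this option verbatim in the portal, so the text should match the exact label shown there (with consistent casing, for example "**Microsoft Entra user account**").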
storage | Storage Auth Abac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-auth-abac.md | Azure ABAC builds on Azure role-based access control (Azure RBAC) by adding [con ## Overview of conditions in Azure Storage -You can [use Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers. +You can [use Microsoft Entra ID](../common/authorize-data-access.md) (Microsoft Entra ID) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers. Azure ABAC builds on Azure RBAC by adding [role assignment conditions](../../role-based-access-control/conditions-overview.md) in the context of specific actions. A *role assignment condition* is an additional check that is evaluated when the action on the storage resource is being authorized. 
This condition is expressed as a predicate using attributes associated with any of the following: If you're working with conditions based on [blob index tags](storage-manage-find The [Azure role assignment condition format](../../role-based-access-control/conditions-format.md) allows the use of `@Principal`, `@Resource`, `@Request` or `@Environment` attributes in the conditions. A `@Principal` attribute is a custom security attribute on a principal, such as a user, enterprise application (service principal), or managed identity. A `@Resource` attribute refers to an existing attribute of a storage resource that is being accessed, such as a storage account, a container, or a blob. A `@Request` attribute refers to an attribute or parameter included in a storage operation request. An `@Environment` attribute refers to the network environment or the date and time of a request. -[Azure RBAC supports a limited number of role assignments per subscription](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits). If you need to create thousands of Azure role assignments, you may encounter this limit. Managing hundreds or thousands of role assignments can be difficult. In some cases, you can use conditions to reduce the number of role assignments on your storage account and make them easier to manage. You can [scale the management of role assignments](../../role-based-access-control/conditions-custom-security-attributes-example.md) using conditions and [Azure AD custom security attributes]() for principals. +[Azure RBAC supports a limited number of role assignments per subscription](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits). If you need to create thousands of Azure role assignments, you may encounter this limit. Managing hundreds or thousands of role assignments can be difficult. 
In some cases, you can use conditions to reduce the number of role assignments on your storage account and make them easier to manage. You can [scale the management of role assignments](../../role-based-access-control/conditions-custom-security-attributes-example.md) using conditions and [Microsoft Entra custom security attributes]() for principals. ## Status of condition features in Azure Storage |
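Review bot: The overview hunk's replacement line reads "You can [use Microsoft Entra ID](../common/authorize-data-access.md) (Microsoft Entra ID) to authorize"; the parenthetical now just repeats the link text and should be dropped, since there is no longer an abbreviation to introduce. Separately, the "[Microsoft Entra custom security attributes]()" link in the scaling paragraph still has an empty target, carried over from the removed line; give it a target or remove the link markup so it does not render as a dead link.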
storage | Storage Blob Client Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-client-management.md | Each client type can be instantiated by calling a simple constructor, or an over ## Authorize a client object -For an app to access blob resources and interact with them, a client object must be authorized. The code samples in this article use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to authenticate to Azure via an Azure Active Directory (Azure AD) security principal. The authentication process includes obtaining an access token for authorization. This access token is passed as a credential when the client is instantiated, and the credential persists throughout the client lifetime. The Azure AD security principal requesting the token must be assigned an appropriate Azure RBAC role that grants access to blob data. To learn more, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +For an app to access blob resources and interact with them, a client object must be authorized. The code samples in this article use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to authenticate to Azure via a Microsoft Entra security principal. The authentication process includes obtaining an access token for authorization. This access token is passed as a credential when the client is instantiated, and the credential persists throughout the client lifetime. The Microsoft Entra security principal requesting the token must be assigned an appropriate Azure RBAC role that grants access to blob data. To learn more, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). 
The following authorization mechanisms can be used to grant the appropriate level of access to a client object:-- [Azure AD](authorize-access-azure-active-directory.md): recommended for optimal security+- [Microsoft Entra ID](authorize-access-azure-active-directory.md): recommended for optimal security - [Shared access signature (SAS)](../common/storage-sas-overview.md): supported, and most secure when using a user delegation SAS token - [Account access key (Shared Key)](/rest/api/storageservices/authorize-with-shared-key): supported, but not recommended as it can be less secure To learn more about using the Azure Storage client libraries to work with data r - [Get started with Azure Blob Storage and .NET](storage-blob-dotnet-get-started.md) - [Get started with Azure Blob Storage and Java](storage-blob-java-get-started.md) - [Get started with Azure Blob Storage and JavaScript](storage-blob-javascript-get-started.md)-- [Get started with Azure Blob Storage and Python](storage-blob-python-get-started.md)+- [Get started with Azure Blob Storage and Python](storage-blob-python-get-started.md) |
storage | Storage Blob Container User Delegation Sas Create Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-container-user-delegation-sas-create-dotnet.md | Title: Create a user delegation SAS for a container with .NET -description: Learn how to create a user delegation SAS for a container with Azure Active Directory credentials by using the .NET client library for Blob Storage. +description: Learn how to create a user delegation SAS for a container with Microsoft Entra credentials by using the .NET client library for Blob Storage. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage). +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage). [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Assign Azure roles for access to data -When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. 
Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). [!INCLUDE [storage-dev-guide-user-delegation-sas-dotnet](../../../includes/storage-dev-guides/storage-dev-guide-user-delegation-sas-dotnet.md)] |
storage | Storage Blob Container User Delegation Sas Create Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-container-user-delegation-sas-create-java.md | Title: Create a user delegation SAS for a container with Java -description: Learn how to create a user delegation SAS for a container with Azure Active Directory credentials by using the Java client library for Blob Storage. +description: Learn how to create a user delegation SAS for a container with Microsoft Entra credentials by using the Java client library for Blob Storage. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme). +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme). [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Assign Azure roles for access to data -When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. 
Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). [!INCLUDE [storage-dev-guide-user-delegation-sas-java](../../../includes/storage-dev-guides/storage-dev-guide-user-delegation-sas-java.md)] |
storage | Storage Blob Container User Delegation Sas Create Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-container-user-delegation-sas-create-python.md | Title: Create a user delegation SAS for a container with Python -description: Learn how to create a user delegation SAS for a container with Azure Active Directory credentials by using the Python client library for Blob Storage. +description: Learn how to create a user delegation SAS for a container with Microsoft Entra credentials by using the Python client library for Blob Storage. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container using the [Azure Storage client library for Python](/python/api/overview/azure/storage). +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container using the [Azure Storage client library for Python](/python/api/overview/azure/storage). [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Assign Azure roles for access to data -When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. 
Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). [!INCLUDE [storage-dev-guide-user-delegation-sas-python](../../../includes/storage-dev-guides/storage-dev-guide-user-delegation-sas-python.md)] |
storage | Storage Blob Copy Async Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-async-dotnet.md | The `StartCopyFromUri` and `StartCopyFromUriAsync` methods return a [CopyFromUri ## Copy a blob from a source within Azure -If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with .NET](storage-blob-copy-url-dotnet.md). +If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with .NET](storage-blob-copy-url-dotnet.md). If the copy source is a blob in a different storage account, the operation can complete asynchronously. The source blob must either be public or authorized via SAS token. The SAS token needs to include the **Read ('r')** permission. To learn more about SAS tokens, see [Delegate access with shared access signatures](../common/storage-sas-overview.md). The following example shows a scenario for copying a source blob from a differen :::code language="csharp" source="~/azure-storage-snippets/blobs/howto/dotnet/BlobDevGuideBlobs/CopyBlob.cs" id="Snippet_CopyAcrossAccounts_CopyBlob"::: > [!NOTE]-> User delegation SAS tokens offer greater security, as they're signed with Azure AD credentials instead of an account key. To create a user delegation SAS token, the Azure AD security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). 
+> User delegation SAS tokens offer greater security, as they're signed with Microsoft Entra credentials instead of an account key. To create a user delegation SAS token, the Microsoft Entra security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). ## Copy a blob from a source outside of Azure |
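Review bot: the added line under "Copy a blob from a source within Azure" carries the typo "alterative" forward from the removed line; since that sentence is being rewritten anyway, change it to "For an alternative synchronous copy operation, see [Copy a blob from a source object URL with .NET](storage-blob-copy-url-dotnet.md)."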
storage | Storage Blob Copy Async Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-async-java.md | The `beginCopy` method returns a [SyncPoller](/java/api/com.azure.core.util.poll ## Copy a blob from a source within Azure -If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with Java](storage-blob-copy-url-java.md). +If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with Java](storage-blob-copy-url-java.md). If the copy source is a blob in a different storage account, the operation can complete asynchronously. The source blob must either be public or authorized via SAS token. The SAS token needs to include the **Read ('r')** permission. To learn more about SAS tokens, see [Delegate access with shared access signatures](../common/storage-sas-overview.md). The following example shows a scenario for copying a source blob from a differen :::code language="java" source="~/azure-storage-snippets/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobCopy.java" id="Snippet_CopyAcrossStorageAccounts_CopyBlob"::: > [!NOTE]-> User delegation SAS tokens offer greater security, as they're signed with Azure AD credentials instead of an account key. To create a user delegation SAS token, the Azure AD security principal needs appropriate permissions. 
For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). +> User delegation SAS tokens offer greater security, as they're signed with Microsoft Entra credentials instead of an account key. To create a user delegation SAS token, the Microsoft Entra security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). ## Copy a blob from a source outside of Azure |
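Review bot: "alterative" in the added line under "Copy a blob from a source within Azure" is a typo inherited from the removed line; correct it to "alternative" while the sentence is being touched for the Microsoft Entra rename.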
storage | Storage Blob Copy Async Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-async-javascript.md | The `beginCopyFromURL` method returns a long running operation poller that allow ## Copy a blob from a source within Azure -If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with JavaScript](storage-blob-copy-url-javascript.md). +If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with JavaScript](storage-blob-copy-url-javascript.md). If the copy source is a blob in a different storage account, the operation can complete asynchronously. The source blob must either be public or authorized via SAS token. The SAS token needs to include the **Read ('r')** permission. To learn more about SAS tokens, see [Delegate access with shared access signatures](../common/storage-sas-overview.md). The following example shows a scenario for copying a source blob from a differen :::code language="javascript" source="~/azure-storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/copy-blob.js" id="Snippet_copy_from_azure_async"::: > [!NOTE]-> User delegation SAS tokens offer greater security, as they're signed with Azure AD credentials instead of an account key. To create a user delegation SAS token, the Azure AD security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). 
+> User delegation SAS tokens offer greater security, as they're signed with Microsoft Entra credentials instead of an account key. To create a user delegation SAS token, the Microsoft Entra security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). ## Copy a blob from a source outside of Azure |
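Review bot: the rename hunk for "Copy a blob from a source within Azure" preserves the misspelling "alterative" in the added line; it should read "For an alternative synchronous copy operation, see [Copy a blob from a source object URL with JavaScript](storage-blob-copy-url-javascript.md)."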
storage | Storage Blob Copy Async Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-async-python.md | The `start_copy_from_url` returns a dictionary containing *copy_status* and *cop ## Copy a blob from a source within Azure -If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with Python](storage-blob-copy-url-python.md). +If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with Python](storage-blob-copy-url-python.md). If the copy source is a blob in a different storage account, the operation can complete asynchronously. The source blob must either be public or authorized via SAS token. The SAS token needs to include the **Read ('r')** permission. To learn more about SAS tokens, see [Delegate access with shared access signatures](../common/storage-sas-overview.md). The following example shows a scenario for copying a source blob from a differen :::code language="python" source="~/azure-storage-snippets/blobs/howto/python/blob-devguide-py/blob-devguide-copy-blob.py" id="Snippet_copy_blob_from_azure_async"::: > [!NOTE]-> User delegation SAS tokens offer greater security, as they're signed with Azure AD credentials instead of an account key. To create a user delegation SAS token, the Azure AD security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). 
+> User delegation SAS tokens offer greater security, as they're signed with Microsoft Entra credentials instead of an account key. To create a user delegation SAS token, the Microsoft Entra security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). ## Copy a blob from a source outside of Azure |
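Review bot: "alterative" in the added line under "Copy a blob from a source within Azure" should be "alternative"; the Microsoft Entra rename rewrites this sentence, so the typo can be fixed in the same change.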
storage | Storage Blob Copy Async Typescript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-async-typescript.md | The `beginCopyFromURL` method returns a long running operation poller that allow ## Copy a blob from a source within Azure -If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with TypeScript](storage-blob-copy-url-typescript.md). +If you're copying a blob within the same storage account, the operation can complete synchronously. Access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. For an alterative synchronous copy operation, see [Copy a blob from a source object URL with TypeScript](storage-blob-copy-url-typescript.md). If the copy source is a blob in a different storage account, the operation can complete asynchronously. The source blob must either be public or authorized via SAS token. The SAS token needs to include the **Read ('r')** permission. To learn more about SAS tokens, see [Delegate access with shared access signatures](../common/storage-sas-overview.md). The following example shows a scenario for copying a source blob from a differen :::code language="typescript" source="~/azure-storage-snippets/blobs/howto/TypeScript/NodeJS-v12/dev-guide/src/copy-blob.ts" id="Snippet_copy_from_azure_async"::: > [!NOTE]-> User delegation SAS tokens offer greater security, as they're signed with Azure AD credentials instead of an account key. To create a user delegation SAS token, the Azure AD security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). 
+> User delegation SAS tokens offer greater security, as they're signed with Microsoft Entra credentials instead of an account key. To create a user delegation SAS token, the Microsoft Entra security principal needs appropriate permissions. For authorization requirements, see [Get User Delegation Key](/rest/api/storageservices/get-user-delegation-key#authorization). ## Copy a blob from a source outside of Azure |
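Review bot: the added line under "Copy a blob from a source within Azure" still says "alterative"; change it to "alternative" since the sentence is already being replaced for the Microsoft Entra rename.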
storage | Storage Blob Copy Url Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-url-dotnet.md | For large objects, you may choose to work with individual blocks. The following ## Copy a blob from a source within Azure -If you're copying a blob from a source within Azure, access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. +If you're copying a blob from a source within Azure, access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. The following example shows a scenario for copying from a source blob within Azure. The [SyncUploadFromUriAsync](/dotnet/api/azure.storage.blobs.specialized.blockblobclient.syncuploadfromuriasync) method can optionally accept a Boolean parameter to indicate whether an existing blob should be overwritten, as shown in the example. The `overwrite` parameter defaults to false. |
storage | Storage Blob Copy Url Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-url-java.md | For large objects, you can work with individual blocks. The following method wra ## Copy a blob from a source within Azure -If you're copying a blob from a source within Azure, access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. +If you're copying a blob from a source within Azure, access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. The following example shows a scenario for copying from a source blob within Azure. The [uploadFromUrl](/java/api/com.azure.storage.blob.specialized.blockblobclient#method-details) method can optionally accept a Boolean parameter to indicate whether an existing blob should be overwritten, as shown in the example. |
storage | Storage Blob Copy Url Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-url-javascript.md | For large objects, you may choose to work with individual blocks. The following ## Copy a blob from a source within Azure -If you're copying a blob from a source within Azure, access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. +If you're copying a blob from a source within Azure, access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. The following example shows a scenario for copying from a source blob within Azure: |
storage | Storage Blob Copy Url Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-url-python.md | For large objects, you may choose to work with individual blocks. The following ## Copy a blob from a source within Azure -If you're copying a blob from a source within Azure, access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. +If you're copying a blob from a source within Azure, access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. The following example shows a scenario for copying a source blob within Azure. The [upload_blob_from_url](/python/api/azure-storage-blob/azure.storage.blob.blobclient#azure-storage-blob-blobclient-upload-blob-from-url) method can optionally accept a Boolean parameter to indicate whether an existing blob should be overwritten, as shown in the example. |
storage | Storage Blob Copy Url Typescript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-copy-url-typescript.md | For large objects, you may choose to work with individual blocks. The following ## Copy a blob from a source within Azure -If you're copying a blob from a source within Azure, access to the source blob can be authorized via Azure Active Directory (Azure AD), a shared access signature (SAS), or an account key. +If you're copying a blob from a source within Azure, access to the source blob can be authorized via Microsoft Entra ID, a shared access signature (SAS), or an account key. The following example shows a scenario for copying from a source blob within Azure: |
storage | Storage Blob Create User Delegation Sas Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-create-user-delegation-sas-javascript.md | -This article shows you how to create a user delegation SAS token in the Azure Blob Storage client library v12 for JavaScript. A [user delegation SAS](/rest/api/storageservices/delegate-access-with-shared-access-signature#types-of-shared-access-signatures), introduced with version 2018-11-09, is secured with Azure AD credentials and is supported for the Blob service only to: +This article shows you how to create a user delegation SAS token in the Azure Blob Storage client library v12 for JavaScript. A [user delegation SAS](/rest/api/storageservices/delegate-access-with-shared-access-signature#types-of-shared-access-signatures), introduced with version 2018-11-09, is secured with Microsoft Entra credentials and is supported for the Blob service only to: * Grant access to an existing **container**. * Grant access to create, use, and delete **blobs**. Once the blob SAS token is created, use the token. As an example of using the SA - [Types of SAS tokens](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json) - [API reference](/javascript/api/@azure/storage-blob/) - [Library source code](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob)-- [Give Feedback](https://github.com/Azure/azure-sdk-for-js/issues)+- [Give Feedback](https://github.com/Azure/azure-sdk-for-js/issues) |
storage | Storage Blob Customer Provided Key | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-customer-provided-key.md | To learn more about how to authenticate with the Azure Identity client library, ## Use a customer-provided key to write to a blob -The following example provides an AES-256 key when uploading a blob with the v12 client library for Blob storage. The example uses the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) object to authorize the write request with Azure AD, but you can also authorize the request with Shared Key credentials. For more information about using the DefaultAzureCredential class to authorize a managed identity to access Azure Storage, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme). +The following example provides an AES-256 key when uploading a blob with the v12 client library for Blob storage. The example uses the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) object to authorize the write request with Microsoft Entra ID, but you can also authorize the request with Shared Key credentials. For more information about using the DefaultAzureCredential class to authorize a managed identity to access Azure Storage, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme). ```csharp async static Task UploadBlobWithClientKey(Uri blobUri, |
storage | Storage Blob Dotnet Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-dotnet-get-started.md | To connect an application to Blob Storage, create an instance of the [BlobServic To learn more about creating and managing client objects, see [Create and manage client objects that interact with data resources](storage-blob-client-management.md). -You can authorize a `BlobServiceClient` object by using an Azure Active Directory (Azure AD) authorization token, an account access key, or a shared access signature (SAS). +You can authorize a `BlobServiceClient` object by using a Microsoft Entra authorization token, an account access key, or a shared access signature (SAS). To learn more about each of these authorization mechanisms, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). -## [Azure AD](#tab/azure-ad) +<a name='azure-ad'></a> -To authorize with Azure AD, you'll need to use a security principal. The type of security principal you need depends on where your application runs. Use this table as a guide. +## [Microsoft Entra ID](#tab/azure-ad) ++To authorize with Microsoft Entra ID, you'll need to use a security principal. The type of security principal you need depends on where your application runs. Use this table as a guide. 
| Where the application runs | Security principal | Guidance | | | | |-| Local machine (developing and testing) | Service principal | To learn how to register the app, set up an Azure AD group, assign roles, and configure environment variables, see [Authorize access using developer service principals](/dotnet/azure/sdk/authentication-local-development-service-principal?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | -| Local machine (developing and testing) | User identity | To learn how to set up an Azure AD group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/dotnet/azure/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | +| Local machine (developing and testing) | Service principal | To learn how to register the app, set up a Microsoft Entra group, assign roles, and configure environment variables, see [Authorize access using developer service principals](/dotnet/azure/sdk/authentication-local-development-service-principal?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | +| Local machine (developing and testing) | User identity | To learn how to set up a Microsoft Entra group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/dotnet/azure/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | | Hosted in Azure | Managed identity | To learn how to enable managed identity and assign roles, see [Authorize access from Azure-hosted apps using a managed identity](/dotnet/azure/sdk/authentication-azure-hosted-apps?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | | Hosted outside of Azure (for example, on-premises apps) | Service principal | To learn how to register the app, assign roles, and configure environment variables, see [Authorize 
access from on-premises apps using an application service principal](/dotnet/azure/sdk/authentication-on-premises-apps?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | |
storage | Storage Blob Java Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-java-get-started.md | To connect an application to Blob Storage, create an instance of the [BlobServic To learn more about creating and managing client objects, see [Create and manage client objects that interact with data resources](storage-blob-client-management.md). -You can authorize a `BlobServiceClient` object by using an Azure Active Directory (Azure AD) authorization token, an account access key, or a shared access signature (SAS). +You can authorize a `BlobServiceClient` object by using a Microsoft Entra authorization token, an account access key, or a shared access signature (SAS). -## [Azure AD (Recommended)](#tab/azure-ad) +<a name='azure-ad-recommended'></a> -To authorize with Azure AD, you'll need to use a [security principal](../../active-directory/develop/app-objects-and-service-principals.md). Which type of security principal you need depends on where your application runs. Use the following table as a guide: +## [Microsoft Entra ID (Recommended)](#tab/azure-ad) ++To authorize with Microsoft Entra ID, you'll need to use a [security principal](../../active-directory/develop/app-objects-and-service-principals.md). Which type of security principal you need depends on where your application runs. Use the following table as a guide: | Where the application runs | Security principal | Guidance | | | | |-| Local machine (developing and testing) | Service principal | To learn how to register the app, set up an Azure AD group, assign roles, and configure environment variables, see [Authorize access using developer service principals](/dotnet/azure/sdk/authentication-local-development-service-principal?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json). 
| -| Local machine (developing and testing) | User identity | To learn how to set up an Azure AD group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/dotnet/azure/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json). | +| Local machine (developing and testing) | Service principal | To learn how to register the app, set up a Microsoft Entra group, assign roles, and configure environment variables, see [Authorize access using developer service principals](/dotnet/azure/sdk/authentication-local-development-service-principal?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json). | +| Local machine (developing and testing) | User identity | To learn how to set up a Microsoft Entra group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/dotnet/azure/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json). | | Hosted in Azure | Managed identity | To learn how to enable managed identity and assign roles, see [Authorize access from Azure-hosted apps using a managed identity](/dotnet/azure/sdk/authentication-azure-hosted-apps?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json). | | Hosted outside of Azure (for example, on-premises apps) | Service principal | To learn how to register the app, assign roles, and configure environment variables, see [Authorize access from on-premises apps using an application service principal](/dotnet/azure/sdk/authentication-on-premises-apps?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | |
storage | Storage Blob Javascript Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-javascript-get-started.md | The [sample code snippets](https://github.com/Azure-Samples/AzureStorageSnippets npm install @azure/storage-blob ``` -1. If you want to use passwordless connections using Azure AD, install the Azure Identity client library for JavaScript: +1. If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript: ```bash npm install @azure/identity The [sample code snippets](https://github.com/Azure-Samples/AzureStorageSnippets ## Authorize access and connect to Blob Storage -Azure Active Directory (Azure AD) provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code. +Microsoft Entra ID provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code. ### Set up identity access to the Azure cloud To connect to Azure without passwords, you need to set up an Azure identity or use an existing identity. Once the identity is set up, make sure to assign the appropriate roles to the identity. -To authorize passwordless access with Azure AD, you'll need to use an Azure credential. Which type of credential you need depends on where your application runs. Use this table as a guide. +To authorize passwordless access with Microsoft Entra ID, you'll need to use an Azure credential. 
Which type of credential you need depends on where your application runs. Use this table as a guide. |Environment|Method| |--|--| The `dotenv` package is used to read your storage account name from a `.env` fil - [Samples](../common/storage-samples-javascript.md?toc=/azure/storage/blobs/toc.json#blob-samples) - [API reference](/javascript/api/@azure/storage-blob/) - [Library source code](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob)-- [Give Feedback](https://github.com/Azure/azure-sdk-for-js/issues)+- [Give Feedback](https://github.com/Azure/azure-sdk-for-js/issues) |
storage | Storage Blob Python Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-python-get-started.md | To connect an application to Blob Storage, create an instance of the [BlobServic To learn more about creating and managing client objects, see [Create and manage client objects that interact with data resources](storage-blob-client-management.md). -You can authorize a `BlobServiceClient` object by using an Azure Active Directory (Azure AD) authorization token, an account access key, or a shared access signature (SAS). +You can authorize a `BlobServiceClient` object by using a Microsoft Entra authorization token, an account access key, or a shared access signature (SAS). -## [Azure AD](#tab/azure-ad) +<a name='azure-ad'></a> -To authorize with Azure AD, you'll need to use a [security principal](../../active-directory/develop/app-objects-and-service-principals.md). Which type of security principal you need depends on where your application runs. Use the following table as a guide: +## [Microsoft Entra ID](#tab/azure-ad) ++To authorize with Microsoft Entra ID, you'll need to use a [security principal](../../active-directory/develop/app-objects-and-service-principals.md). Which type of security principal you need depends on where your application runs. 
Use the following table as a guide: | Where the application runs | Security principal | Guidance | | | | |-| Local machine (developing and testing) | Service principal | To learn how to register the app, set up an Azure AD group, assign roles, and configure environment variables, see [Authorize access using developer service principals](/azure/developer/python/sdk/authentication-local-development-service-principal?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | -| Local machine (developing and testing) | User identity | To learn how to set up an Azure AD group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/azure/developer/python/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | +| Local machine (developing and testing) | Service principal | To learn how to register the app, set up a Microsoft Entra group, assign roles, and configure environment variables, see [Authorize access using developer service principals](/azure/developer/python/sdk/authentication-local-development-service-principal?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | +| Local machine (developing and testing) | User identity | To learn how to set up a Microsoft Entra group, assign roles, and sign in to Azure, see [Authorize access using developer credentials](/azure/developer/python/sdk/authentication-local-development-dev-accounts?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | | Hosted in Azure | Managed identity | To learn how to enable managed identity and assign roles, see [Authorize access from Azure-hosted apps using a managed identity](/azure/developer/python/sdk/authentication-azure-hosted-apps?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | | Hosted outside of Azure (for example, on-premises apps) | Service principal | To learn how to 
register the app, assign roles, and configure environment variables, see [Authorize access from on-premises apps using an application service principal](/azure/developer/python/sdk/authentication-on-premises-apps?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) | The following guides show you how to work with data resources and perform specif | [Delete and restore](storage-blob-delete-python.md) | Delete blobs, and if soft-delete is enabled, restore deleted blobs. | | [Find blobs using tags](storage-blob-tags-python.md) | Set and retrieve tags as well as use tags to find blobs. | | [Manage properties and metadata (blobs)](storage-blob-properties-metadata-python.md) | Get and set properties and metadata for blobs. |-| [Set or change a blob's access tier](storage-blob-use-access-tier-python.md) | Set or change the access tier for a block blob. | +| [Set or change a blob's access tier](storage-blob-use-access-tier-python.md) | Set or change the access tier for a block blob. | |
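Review bot: the retitled tab heading `## [Microsoft Entra ID](#tab/azure-ad)` in this Python get-started article drops the "(Recommended)" qualifier that the equivalent Java article heading (`## [Microsoft Entra ID (Recommended)](#tab/azure-ad)`) keeps in this same change set; consider `## [Microsoft Entra ID (Recommended)](#tab/azure-ad)` so the identity-based option stays flagged as the preferred choice over account access keys and SAS.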
storage | Storage Blob Query Endpoint Srp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-query-endpoint-srp.md | using Azure.ResourceManager.Storage; Client library information: -- [Azure.Identity](/dotnet/api/overview/azure/identity-readme): Provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services.+- [Azure.Identity](/dotnet/api/overview/azure/identity-readme): Provides Microsoft Entra token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services. - [Azure.ResourceManager.Storage](/dotnet/api/overview/azure/resourcemanager.storage-readme): Supports management of Azure Storage resources, including resource groups and storage accounts. - [Azure.Storage.Blobs](/dotnet/api/overview/azure/storage.blobs-readme): Contains the primary classes that you can use to work with Blob Storage data resources. import com.azure.core.management.profile.*; Client library information: -- [com.azure.identity](/java/api/overview/azure/identity-readme): Provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services.+- [com.azure.identity](/java/api/overview/azure/identity-readme): Provides Microsoft Entra token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services. - [com.azure.storage.blob](/java/api/com.azure.storage.blob): Contains the primary classes that you can use to work with Blob Storage data resources. - [com.azure.resourcemanager](/java/api/overview/azure/resourcemanager-readme): Supports management of Azure resources and resource groups. - [com.azure.resourcemanager.storage](/java/api/overview/azure/resourcemanager-storage-readme): Supports management of Azure Storage resources, including resource groups and storage accounts. 
const { StorageManagementClient } = require("@azure/arm-storage"); Client library information: -- [@azure/identity](/javascript/api/overview/azure/identity-readme): Provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services.+- [@azure/identity](/javascript/api/overview/azure/identity-readme): Provides Microsoft Entra token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services. - [@azure/storage-blob](/javascript/api/overview/azure/storage-blob-readme): Contains the primary classes that you can use to work with Blob Storage data resources. - [@azure/arm-resources](/javascript/api/overview/azure/arm-resources-readme): Supports management of Azure resources and resource groups. - [@azure/arm-storage](/javascript/api/overview/azure/arm-storage-readme): Supports management of Azure Storage resources, including resource groups and storage accounts. from azure.mgmt.storage import StorageManagementClient Client library information: -- [azure-identity](/python/api/overview/azure/identity-readme): Provides Azure Active Directory (Azure AD) token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services.+- [azure-identity](/python/api/overview/azure/identity-readme): Provides Microsoft Entra token authentication support across the Azure SDK, and is needed for passwordless connections to Azure services. - [azure-storage-blob](/python/api/overview/azure/storage-blob-readme): Contains the primary classes that you can use to work with Blob Storage data resources. - [azure-mgmt-resource](/python/api/azure-mgmt-resource/azure.mgmt.resource.resourcemanagementclient): Supports management of Azure resources and resource groups. 
- [azure-mgmt-storage](/python/api/azure-mgmt-storage/azure.mgmt.storage.storagemanagementclient): Supports management of Azure Storage resources, including resource groups and storage accounts. View the full code samples (GitHub): - [Python](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/python/blob-query-endpoint/blob-query-endpoint.py) To learn more about creating client objects, see [Create and manage client objects that interact with data resources](storage-blob-client-management.md).--- |
storage | Storage Blob Static Website | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-static-website.md | To enable metrics on your static website pages, see [Enable metrics on static we Yes. Storage account [network security rules](../common/storage-network-security.md), including IP-based and VNET firewalls, are supported for the static website endpoint, and may be used to protect your website. -##### Do static websites support Azure Active Directory (Azure AD)? +<a name='do-static-websites-support-azure-active-directory-azure-ad'></a> ++##### Do static websites support Microsoft Entra ID? No. A static website only supports anonymous read access for files in the **$web** container. |
storage | Storage Blob Typescript Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-typescript-get-started.md | This article shows you how to connect to Azure Blob Storage by using the Azure B npm install typescript @azure/storage-blob ``` -1. If you want to use passwordless connections using Azure AD, install the Azure Identity client library for JavaScript: +1. If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript: ```bash npm install @azure/identity This article shows you how to connect to Azure Blob Storage by using the Azure B ## Authorize access and connect to Blob Storage -Azure Active Directory (Azure AD) provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code. +Microsoft Entra ID provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code. ### Set up identity access to the Azure cloud To connect to Azure without passwords, you need to set up an Azure identity or use an existing identity. Once the identity is set up, make sure to assign the appropriate roles to the identity. -To authorize passwordless access with Azure AD, you'll need to use an Azure credential. Which type of credential you need depends on where your application runs. Use this table as a guide. +To authorize passwordless access with Microsoft Entra ID, you'll need to use an Azure credential. 
Which type of credential you need depends on where your application runs. Use this table as a guide. |Environment|Method| |--|--| |
storage | Storage Blob User Delegation Sas Create Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-user-delegation-sas-create-cli.md | Title: Use Azure CLI to create a user delegation SAS for a container or blob -description: Learn how to create a user delegation SAS with Azure Active Directory credentials by using Azure CLI. +description: Learn how to create a user delegation SAS with Microsoft Entra credentials by using Azure CLI. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container or blob with the Azure CLI. +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container or blob with the Azure CLI. [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Install the latest version of the Azure CLI -To use the Azure CLI to secure a SAS with Azure AD credentials, first make sure that you have installed the latest version of Azure CLI. For more information about installing the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli). +To use the Azure CLI to secure a SAS with Microsoft Entra credentials, first make sure that you have installed the latest version of Azure CLI. For more information about installing the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli). To create a user delegation SAS using the Azure CLI, make sure that you have installed version 2.0.78 or later. To check your installed version, use the `az --version` command. -## Sign in with Azure AD credentials +<a name='sign-in-with-azure-ad-credentials'></a> -Sign in to the Azure CLI with your Azure AD credentials. For more information, see [Sign in with the Azure CLI](/cli/azure/authenticate-azure-cli). +## Sign in with Microsoft Entra credentials ++Sign in to the Azure CLI with your Microsoft Entra credentials. 
For more information, see [Sign in with the Azure CLI](/cli/azure/authenticate-azure-cli). ## Assign permissions with Azure RBAC -To create a user delegation SAS from Azure PowerShell, the Azure AD account used to sign into Azure CLI must be assigned a role that includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. This permission enables that Azure AD account to request the *user delegation key*. The user delegation key is used to sign the user delegation SAS. The role providing the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action must be assigned at the level of the storage account, the resource group, or the subscription. +To create a user delegation SAS from Azure PowerShell, the Microsoft Entra account used to sign into Azure CLI must be assigned a role that includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. This permission enables that Microsoft Entra account to request the *user delegation key*. The user delegation key is used to sign the user delegation SAS. The role providing the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action must be assigned at the level of the storage account, the resource group, or the subscription. -If you do not have sufficient permissions to assign Azure roles to an Azure AD security principal, you may need to ask the account owner or administrator to assign the necessary permissions. +If you do not have sufficient permissions to assign Azure roles to a Microsoft Entra security principal, you may need to ask the account owner or administrator to assign the necessary permissions. The following example assigns the **Storage Blob Data Contributor** role, which includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. The role is scoped at the level of the storage account. 
az role assignment create \ For more information about the built-in roles that include the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md). -## Use Azure AD credentials to secure a SAS +<a name='use-azure-ad-credentials-to-secure-a-sas'></a> ++## Use Microsoft Entra credentials to secure a SAS When you create a user delegation SAS with the Azure CLI, the user delegation key that is used to sign the SAS is created for you implicitly. The start time and expiry time that you specify for the SAS are also used as the start time and expiry time for the user delegation key. Because the maximum interval over which the user delegation key is valid is 7 days from the start date, you should specify an expiry time for the SAS that is within 7 days of the start time. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than 7 days will still only be valid for 7 days. -When creating a user delegation SAS, the `--auth-mode login` and `--as-user parameters` are required. Specify *login* for the `--auth-mode` parameter so that requests made to Azure Storage are authorized with your Azure AD credentials. Specify the `--as-user` parameter to indicate that the SAS returned should be a user delegation SAS. +When creating a user delegation SAS, the `--auth-mode login` and `--as-user parameters` are required. Specify *login* for the `--auth-mode` parameter so that requests made to Azure Storage are authorized with your Microsoft Entra credentials. Specify the `--as-user` parameter to indicate that the SAS returned should be a user delegation SAS. ### Create a user delegation SAS for a container |
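Review bot: in the "Assign permissions with Azure RBAC" hunk the rewritten sentence still reads "To create a user delegation SAS from Azure PowerShell, the Microsoft Entra account used to sign into Azure CLI must be assigned a role..." even though this is the Azure CLI article; while the line is being touched for the rename, change "from Azure PowerShell" to "from the Azure CLI" so the prerequisite matches the tool the article documents.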
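Review bot: in the "Use Microsoft Entra credentials to secure a SAS" hunk the code spans are misplaced in "the `--auth-mode login` and `--as-user parameters` are required": the word "parameters" is inside the flag's backticks. It should read "the `--auth-mode login` and `--as-user` parameters are required", which also keeps the flag name matching the later "`--as-user` parameter" reference in the same paragraph.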
storage | Storage Blob User Delegation Sas Create Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.md | Title: Create a user delegation SAS for a blob with .NET -description: Learn how to create a user delegation SAS for a blob with Azure Active Directory credentials by using the .NET client library for Blob Storage. +description: Learn how to create a user delegation SAS for a blob with Microsoft Entra credentials by using the .NET client library for Blob Storage. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a blob using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage). +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a blob using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage). [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Assign Azure roles for access to data -When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. 
For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). [!INCLUDE [storage-dev-guide-user-delegation-sas-dotnet](../../../includes/storage-dev-guides/storage-dev-guide-user-delegation-sas-dotnet.md)] |
storage | Storage Blob User Delegation Sas Create Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-user-delegation-sas-create-java.md | Title: Create a user delegation SAS for a blob with Java -description: Learn how to create a user delegation SAS for a blob with Azure Active Directory credentials by using the Azure Storage client library for Java. +description: Learn how to create a user delegation SAS for a blob with Microsoft Entra credentials by using the Azure Storage client library for Java. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a blob using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme). +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a blob using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme). [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Assign Azure roles for access to data -When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. 
For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). [!INCLUDE [storage-dev-guide-user-delegation-sas-java](../../../includes/storage-dev-guides/storage-dev-guide-user-delegation-sas-java.md)] |
storage | Storage Blob User Delegation Sas Create Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-user-delegation-sas-create-powershell.md | Title: Use PowerShell to create a user delegation SAS for a container or blob -description: Learn how to create a user delegation SAS with Azure Active Directory credentials by using PowerShell. +description: Learn how to create a user delegation SAS with Microsoft Entra credentials by using PowerShell. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container or blob with Azure PowerShell. +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container or blob with Azure PowerShell. [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] Get-Module -ListAvailable -Name Az.Storage -Refresh For more information about installing Azure PowerShell, see [Install Azure PowerShell with PowerShellGet](/powershell/azure/install-azure-powershell). -## Sign in to Azure PowerShell with Azure AD +<a name='sign-in-to-azure-powershell-with-azure-ad'></a> -Call the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command to sign in with your Azure AD account: +## Sign in to Azure PowerShell with Microsoft Entra ID ++Call the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command to sign in with your Microsoft Entra account: ```powershell Connect-AzAccount For more information about signing in with PowerShell, see [Sign in with Azure P ## Assign permissions with Azure RBAC -To create a user delegation SAS from Azure PowerShell, the Azure AD account used to sign into PowerShell must be assigned a role that includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. This permission enables that Azure AD account to request the *user delegation key*. 
The user delegation key is used to sign the user delegation SAS. The role providing the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action must be assigned at the level of the storage account, the resource group, or the subscription. For more information about Azure RBAC permissions for creating a user delegation SAS, see the **Assign permissions with Azure RBAC** section in [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). +To create a user delegation SAS from Azure PowerShell, the Microsoft Entra account used to sign into PowerShell must be assigned a role that includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. This permission enables that Microsoft Entra account to request the *user delegation key*. The user delegation key is used to sign the user delegation SAS. The role providing the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action must be assigned at the level of the storage account, the resource group, or the subscription. For more information about Azure RBAC permissions for creating a user delegation SAS, see the **Assign permissions with Azure RBAC** section in [Create a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas). -If you do not have sufficient permissions to assign Azure roles to an Azure AD security principal, you may need to ask the account owner or administrator to assign the necessary permissions. +If you do not have sufficient permissions to assign Azure roles to a Microsoft Entra security principal, you may need to ask the account owner or administrator to assign the necessary permissions. The following example assigns the **Storage Blob Data Contributor** role, which includes the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action. The role is scoped at the level of the storage account. 
New-AzRoleAssignment -SignInName <email> ` For more information about the built-in roles that include the **Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey** action, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md). -## Use Azure AD credentials to secure a SAS +<a name='use-azure-ad-credentials-to-secure-a-sas'></a> ++## Use Microsoft Entra credentials to secure a SAS When you create a user delegation SAS with Azure PowerShell, the user delegation key that is used to sign the SAS is created for you implicitly. The start time and expiry time that you specify for the SAS are also used as the start time and expiry time for the user delegation key. Because the maximum interval over which the user delegation key is valid is 7 days from the start date, you should specify an expiry time for the SAS that is within 7 days of the start time. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than 7 days will still only be valid for 7 days. -To create a user delegation SAS for a container or blob with Azure PowerShell, first create a new Azure Storage context object, specifying the `-UseConnectedAccount` parameter. The `-UseConnectedAccount` parameter specifies that the command creates the context object under the Azure AD account with which you signed in. +To create a user delegation SAS for a container or blob with Azure PowerShell, first create a new Azure Storage context object, specifying the `-UseConnectedAccount` parameter. The `-UseConnectedAccount` parameter specifies that the command creates the context object under the Microsoft Entra account with which you signed in. Remember to replace placeholder values in angle brackets with your own values: |
storage | Storage Blob User Delegation Sas Create Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-user-delegation-sas-create-python.md | Title: Create a user delegation SAS for a blob with Python -description: Learn how to create a user delegation SAS for a blob with Azure Active Directory credentials by using the Python client library for Blob Storage. +description: Learn how to create a user delegation SAS for a blob with Microsoft Entra credentials by using the Python client library for Blob Storage. -This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a blob using the [Azure Storage client library for Python](/python/api/overview/azure/storage). +This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a blob using the [Azure Storage client library for Python](/python/api/overview/azure/storage). [!INCLUDE [storage-auth-user-delegation-include](../../../includes/storage-auth-user-delegation-include.md)] ## Assign Azure roles for access to data -When an Azure AD security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or an Azure AD user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. 
For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). [!INCLUDE [storage-dev-guide-user-delegation-sas-python](../../../includes/storage-dev-guides/storage-dev-guide-user-delegation-sas-python.md)] |
storage | Storage Encrypt Decrypt Blobs Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-encrypt-decrypt-blobs-key-vault.md | This tutorial shows you how to: - Key vault - create one using [Azure portal](../../key-vault/general/quick-create-portal.md), [Azure CLI](../../key-vault/general/quick-create-cli.md), or [PowerShell](../../key-vault/general/quick-create-powershell.md) - [Visual Studio 2022](https://visualstudio.microsoft.com) installed -## Assign a role to your Azure AD user +<a name='assign-a-role-to-your-azure-ad-user'></a> ++## Assign a role to your Microsoft Entra user When developing locally, make sure that the user account that is accessing the key vault has the correct permissions. You'll need the [Key Vault Crypto Officer role](../../role-based-access-control/built-in-roles.md#key-vault-crypto-officer) to create a key and perform actions on keys in a key vault. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. You can learn more about the available scopes for role assignments on the [scope overview](../../../articles/role-based-access-control/scope-overview.md) page. The following example shows how to assign the **Key Vault Crypto Officer** role 6. Under **Assign access to**, select **User, group, or service principal**, and then choose **+ Select members**. -7. In the dialog, search for your Azure AD username (usually your *user@domain* email address) and then choose **Select** at the bottom of the dialog. +7. In the dialog, search for your Microsoft Entra username (usually your *user@domain* email address) and then choose **Select** at the bottom of the dialog. 8. Select **Review + assign** to go to the final page, and then **Review + assign** again to complete the process. 
In this tutorial, you learned how to use .NET client libraries to perform client For a broad overview of client-side encryption for blobs, including instructions for migrating encrypted data to version 2, see [Client-side encryption for blobs](client-side-encryption.md). -For more information about Azure Key Vault, see the [Azure Key Vault overview page](../../key-vault/general/overview.md) +For more information about Azure Key Vault, see the [Azure Key Vault overview page](../../key-vault/general/overview.md) |
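Review bot: the final changed line `+For more information about Azure Key Vault, see the [Azure Key Vault overview page](../../key-vault/general/overview.md)` differs from the removed line only in trailing whitespace and still lacks a terminating period; add it while the line is being touched. In the renamed "Assign a role to your Microsoft Entra user" section, consider saying that Key Vault Crypto Officer is required because this tutorial creates the key from the developer account, so readers do not grant key-creation rights to an application identity that only needs to use the key.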
storage | Storage Feature Support In Storage Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-feature-support-in-storage-accounts.md | Each table uses the following icons to indicate support level: This table describes the impact of **enabling** the capability and not the specific use of that capability. For example, if you enable the Network File System (NFS) 3.0 protocol but never use the NFS 3.0 protocol to upload a blob, a check mark in the **NFS 3.0 enabled** column indicates that feature support is not negatively impacted by merely enabling NFS 3.0 support. -Even though a feature is not be negatively impacted, it might not be compatible when used with a specific capability. For example, enabling NFS 3.0 has no impact on Azure Active Directory (Azure AD) authorization. However, you can't use Azure AD to authorize an NFS 3.0 request. See any of these articles for information about known limitations: +Even though a feature is not be negatively impacted, it might not be compatible when used with a specific capability. For example, enabling NFS 3.0 has no impact on Microsoft Entra authorization. However, you can't use Microsoft Entra ID to authorize an NFS 3.0 request. 
See any of these articles for information about known limitations: - [Known issues: Hierarchical namespace capability](data-lake-storage-known-issues.md) The following table describes whether a feature is supported in a standard gener | Storage feature | Default | HNS | NFS | SFTP | ||-|||--| | [Access tiers (hot, cool, cold, and archive)](access-tiers-overview.md) | ✅ | ✅<sup>3</sup> | ✅<sup>3</sup> | ✅<sup>3</sup> |-| [Azure Active Directory security](authorize-access-azure-active-directory.md) | ✅ | ✅ | ✅<sup>1</sup> | ✅<sup>1</sup> | +| [Microsoft Entra security](authorize-access-azure-active-directory.md) | ✅ | ✅ | ✅<sup>1</sup> | ✅<sup>1</sup> | | [Azure DNS Zone endpoints (preview)](../common/storage-account-overview.md?toc=/azure/storage/blobs/toc.json#storage-account-endpoints) | ✅ | ✅ | ✅ | ✅ | | [Blob inventory](blob-inventory.md) | ✅ | ✅ | ✅ | ✅ | | [Blob index tags](storage-manage-find-blobs.md) | ✅ | ⬤ | ⬤ | ⬤ | The following table describes whether a feature is supported in a standard gener | [Storage Analytics logs (classic)](../common/storage-analytics-logging.md?toc=/azure/storage/blobs/toc.json) | ✅ | ✅ | ⬤ | ✅ | | [Storage Analytics metrics (classic)](../common/storage-analytics-metrics.md?toc=/azure/storage/blobs/toc.json) | ✅ | ✅ | ✅ | ✅ | -<sup>1</sup> Requests that clients make by using NFS 3.0 or SFTP can't be authorized by using Azure Active Directory (AD) security. +<sup>1</sup> Requests that clients make by using NFS 3.0 or SFTP can't be authorized by using Microsoft Entra security. <sup>2</sup> Only locally redundant storage (LRS) and zone-redundant storage (ZRS) are supported. 
The following table describes whether a feature is supported in a premium block | Storage feature | Default | HNS | NFS | SFTP | ||-|||--| | [Access tiers (hot, cool, cold, and archive)](access-tiers-overview.md) | ⬤ | ⬤ | ⬤ | ⬤ |-| [Azure Active Directory security](authorize-access-azure-active-directory.md) | ✅ | ✅ | ✅<sup>1</sup> | ✅<sup>1</sup> | +| [Microsoft Entra security](authorize-access-azure-active-directory.md) | ✅ | ✅ | ✅<sup>1</sup> | ✅<sup>1</sup> | | [Azure DNS Zone endpoints (preview)](../common/storage-account-overview.md?toc=/azure/storage/blobs/toc.json#storage-account-endpoints) | ✅ | ✅ | ✅ | ✅ | | [Blob inventory](blob-inventory.md) | ✅ | ✅ | ✅ | ✅ | | [Blob index tags](storage-manage-find-blobs.md) | ✅ | ⬤ | ⬤ | ⬤ | The following table describes whether a feature is supported in a premium block | [Storage Analytics logs (classic)](../common/storage-analytics-logging.md?toc=/azure/storage/blobs/toc.json) | ✅ | 🟦 | ⬤| ✅ | | [Storage Analytics metrics (classic)](../common/storage-analytics-metrics.md?toc=/azure/storage/blobs/toc.json) | ✅ | ✅ | ✅ | ✅ | -<sup>1</sup> Requests that clients make by using NFS 3.0 or SFTP can't be authorized by using Azure Active Directory (AD) security. +<sup>1</sup> Requests that clients make by using NFS 3.0 or SFTP can't be authorized by using Microsoft Entra security. <sup>2</sup> Only locally redundant storage (LRS) and zone-redundant storage (ZRS) are supported. |
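Review bot: the rewritten sentence `+Even though a feature is not be negatively impacted, it might not be compatible when used with a specific capability.` carries over the grammatical error "is not be" from the removed line; change it to "is not negatively impacted". Footnote 1 ("Requests that clients make by using NFS 3.0 or SFTP can't be authorized by using Microsoft Entra security") is the security-relevant caveat in both tables and is worded consistently, but the renamed table rows still link to `authorize-access-azure-active-directory.md`, so confirm that target was not renamed as part of the same sweep.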
storage | Storage Manage Find Blobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-manage-find-blobs.md | The following sample lifecycle management rule applies to block blobs in a conta You can authorize access to blob index tags using one of the following approaches: -- Using Azure role-based access control (Azure RBAC) to grant permissions to an Azure Active Directory (Azure AD) security principal. Use Azure AD for superior security and ease of use. For more information about using Azure AD with blob operations, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).+- Using Azure role-based access control (Azure RBAC) to grant permissions to a Microsoft Entra security principal. Use Microsoft Entra ID for superior security and ease of use. For more information about using Microsoft Entra ID with blob operations, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). - Using a shared access signature (SAS) to delegate access to blob index. For more information about shared access signatures, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). Blob index tags are a subresource to the blob data. A user with permissions or a ### Role-based access control -Callers using an [Azure AD identity](../common/authorize-data-access.md) may be granted the following permissions to operate on blob index tags. +Callers using an [Microsoft Entra identity](../common/authorize-data-access.md) may be granted the following permissions to operate on blob index tags. | Blob index tag operations | Azure RBAC action | |--|-| |
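Review bot: `+Callers using an [Microsoft Entra identity](../common/authorize-data-access.md)` should read "a Microsoft Entra identity"; the article "an" was correct for "an Azure AD identity" and was not adjusted with the rename.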
storage | Storage Quickstart Blobs Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-cli.md | The Azure CLI is Azure's command-line experience for managing Azure resources. Y ## Authorize access to Blob storage -You can authorize access to Blob storage from the Azure CLI either with Azure AD credentials or by using the storage account access key. Using Azure AD credentials is recommended. This article shows how to authorize Blob storage operations using Azure AD. +You can authorize access to Blob storage from the Azure CLI either with Microsoft Entra credentials or by using the storage account access key. Using Microsoft Entra credentials is recommended. This article shows how to authorize Blob storage operations using Microsoft Entra ID. -Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Azure AD credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md?toc=/azure/storage/blobs/toc.json). +Azure CLI commands for data operations against Blob storage support the `--auth-mode` parameter, which enables you to specify how to authorize a given operation. Set the `--auth-mode` parameter to `login` to authorize with Microsoft Entra credentials. For more information, see [Authorize access to blob or queue data with Azure CLI](./authorize-data-operations-cli.md?toc=/azure/storage/blobs/toc.json). -Only Blob storage data operations support the `--auth-mode` parameter. Management operations, such as creating a resource group or storage account, automatically use Azure AD credentials for authorization. +Only Blob storage data operations support the `--auth-mode` parameter. 
Management operations, such as creating a resource group or storage account, automatically use Microsoft Entra credentials for authorization. To begin, sign-in to to your Azure account with the [az login](/cli/azure/reference-index#az-login). az storage account create \ Blobs are always uploaded into a container. You can organize groups of blobs in containers similar to the way you organize your files on your computer in folders. Create a container for storing blobs with the [az storage container create](/cli/azure/storage/container#az-storage-container-create()) command. -The following example uses your Azure AD account to authorize the operation to create the container. Before you create the container, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role to yourself. Even if you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning Azure roles, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). +The following example uses your Microsoft Entra account to authorize the operation to create the container. Before you create the container, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role to yourself. Even if you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning Azure roles, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md). Remember to replace placeholder values in angle brackets with your own values: |
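Review bot: the unchanged context line "To begin, sign-in to to your Azure account with the [az login](/cli/azure/reference-index#az-login)." duplicates "to" and uses the noun form "sign-in" as a verb; since the surrounding paragraph is being edited, fix it to "sign in to your Azure account". The changed paragraph correctly keeps the `--auth-mode login` guidance for data operations and the note that management operations use Microsoft Entra credentials regardless.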
storage | Storage Quickstart Blobs Go | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-go.md | To work with blob and container resources in a storage account, install the [azb ```console go get github.com/Azure/azure-sdk-for-go/sdk/storage/azblob ```-To authenticate with Azure Active Directory (recommended), install the [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity) module using the following command: +To authenticate with Microsoft Entra ID (recommended), install the [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity) module using the following command: ```console go get github.com/Azure/azure-sdk-for-go/sdk/azidentity To learn more about the order and locations in which `DefaultAzureCredential` lo For example, your app can authenticate using your Azure CLI sign-in credentials with when developing locally. Once it's deployed to Azure, your app can then use a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md). This transition between environments doesn't require any code changes. -### Assign roles to your Azure AD user account +<a name='assign-roles-to-your-azure-ad-user-account'></a> ++### Assign roles to your Microsoft Entra user account [!INCLUDE [assign-roles](../../../includes/assign-roles.md)] For example, your app can authenticate using your Azure CLI sign-in credentials You can authorize access to data in your storage account using the following steps: -1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. The following example shows how to authenticate via the Azure CLI: +1. Make sure you're authenticated with the same Microsoft Entra account you assigned the role to on your storage account. 
The following example shows how to authenticate via the Azure CLI: ```azurecli az login Next, we walk through the sample code to understand how it works. Working with any Azure resource using the SDK begins with creating a client object. To create the client object, the code sample calls [azblob.NewClient](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#NewClient) with the following values: - **serviceURL** - the URL of the storage account-- **cred** - an Azure AD credential obtained via the `azidentity` module+- **cred** - a Microsoft Entra credential obtained via the `azidentity` module - **options** - client options; pass nil to accept the default values The following code example creates a client object to interact with container and blob resources in a storage account: |
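Review bot: the unchanged context sentence "your app can authenticate using your Azure CLI sign-in credentials with when developing locally" has a stray "with"; remove it, and apply the same fix to the identical sentence in the Java, Node.js and Python quickstarts, which only had the heading and the "Make sure you're authenticated..." step renamed in this change. The added `<a name='assign-roles-to-your-azure-ad-user-account'></a>` anchor is the right way to keep existing deep links working after the heading rename.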
storage | Storage Quickstart Blobs Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-java.md | The order and locations in which `DefaultAzureCredential` looks for credentials For example, your app can authenticate using your Visual Studio Code sign-in credentials with when developing locally. Your app can then use a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) once it has been deployed to Azure. No code changes are required for this transition. -#### Assign roles to your Azure AD user account +<a name='assign-roles-to-your-azure-ad-user-account'></a> ++#### Assign roles to your Microsoft Entra user account [!INCLUDE [assign-roles](../../../includes/assign-roles.md)] For example, your app can authenticate using your Visual Studio Code sign-in cre You can authorize access to data in your storage account using the following steps: -1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell. +1. Make sure you're authenticated with the same Microsoft Entra account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell. #### [Azure CLI](#tab/sign-in-azure-cli) |
storage | Storage Quickstart Blobs Nodejs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-nodejs.md | The order and locations in which `DefaultAzureCredential` looks for credentials For example, your app can authenticate using your Azure CLI sign-in credentials with when developing locally. Your app can then use a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) once it has been deployed to Azure. No code changes are required for this transition. -#### Assign roles to your Azure AD user account +<a name='assign-roles-to-your-azure-ad-user-account'></a> ++#### Assign roles to your Microsoft Entra user account [!INCLUDE [assign-roles](../../../includes/assign-roles.md)] For example, your app can authenticate using your Azure CLI sign-in credentials You can authorize access to data in your storage account using the following steps: -1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell. +1. Make sure you're authenticated with the same Microsoft Entra account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell. #### [Azure CLI](#tab/sign-in-azure-cli) To see Blob storage sample apps, continue to: > [Azure Blob Storage library for JavaScript samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/storage/storage-blob/samples) - To learn more, see the [Azure Blob Storage client libraries for JavaScript](/javascript/api/overview/azure/storage-blob-readme).-- For tutorials, samples, quickstarts, and other documentation, visit [Azure for JavaScript and Node.js developers](/azure/developer/javascript/).+- For tutorials, samples, quickstarts, and other documentation, visit [Azure for JavaScript and Node.js developers](/azure/developer/javascript/). |
storage | Storage Quickstart Blobs Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-python.md | The order and locations in which `DefaultAzureCredential` looks for credentials For example, your app can authenticate using your Azure CLI sign-in credentials with when developing locally. Your app can then use a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) once it has been deployed to Azure. No code changes are required for this transition. -#### Assign roles to your Azure AD user account +<a name='assign-roles-to-your-azure-ad-user-account'></a> ++#### Assign roles to your Microsoft Entra user account [!INCLUDE [assign-roles](../../../includes/assign-roles.md)] For example, your app can authenticate using your Azure CLI sign-in credentials You can authorize access to data in your storage account using the following steps: -1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell. +1. Make sure you're authenticated with the same Microsoft Entra account you assigned the role to on your storage account. You can authenticate via the Azure CLI, Visual Studio Code, or Azure PowerShell. #### [Azure CLI](#tab/sign-in-azure-cli) |
storage | Versioning Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/versioning-overview.md | The following diagram shows what happens when you take a snapshot of a versioned You can authorize access to blob versions using one of the following approaches: -- By using Azure role-based access control (Azure RBAC) to grant permissions to an Azure Active Directory (Azure AD) security principal. Microsoft recommends using Azure AD for superior security and ease of use. For more information about using Azure AD with blob operations, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md).+- By using Azure role-based access control (Azure RBAC) to grant permissions to a Microsoft Entra security principal. Microsoft recommends using Microsoft Entra ID for superior security and ease of use. For more information about using Microsoft Entra ID with blob operations, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). - By using a shared access signature (SAS) to delegate access to blob versions. Specify the version ID for the signed resource type `bv`, representing a blob version, to create a SAS token for operations on a specific version. For more information about shared access signatures, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). - By using the account access keys to authorize operations against blob versions with Shared Key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key). |
storage | Authorization Resource Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/authorization-resource-provider.md | -You can use the Azure Storage resource provider to perform actions such as creating or deleting a storage account or getting a list of storage accounts in a subscription. To authorize requests against the Azure Storage resource provider, use Azure Active Directory (Azure AD). This article describes how to assign permissions to management resources, and points to examples that show how to make requests against the Azure Storage resource provider. +You can use the Azure Storage resource provider to perform actions such as creating or deleting a storage account or getting a list of storage accounts in a subscription. To authorize requests against the Azure Storage resource provider, use Microsoft Entra ID. This article describes how to assign permissions to management resources, and points to examples that show how to make requests against the Azure Storage resource provider. ## Management resources versus data resources Microsoft provides two REST APIs for working with Azure Storage resources. These A request that reads or writes blob data requires different permissions than a request that performs a management operation. Azure RBAC provides fine-grained control over permissions to both types of resources. When you assign an Azure role to a security principal, make sure that you understand what permissions that principal will be granted. For a detailed reference that describes which actions are associated with each Azure built-in role, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md). -Azure Storage supports using Azure AD to authorize requests against Blob and Queue storage. For information about Azure roles for blob and queue data operations, see [Authorize access to blobs and queues using Active Directory](authorize-data-access.md). 
+Azure Storage supports using Microsoft Entra ID to authorize requests against Blob and Queue storage. For information about Azure roles for blob and queue data operations, see [Authorize access to blobs and queues using Active Directory](authorize-data-access.md). ## Assign management permissions with Azure role-based access control (Azure RBAC) -Every Azure subscription has an associated Azure Active Directory that manages users, groups, and applications. A user, group, or application is also referred to as a security principal in the context of the [Microsoft identity platform](../../active-directory/develop/index.yml). You can grant access to resources in a subscription to a security principal that is defined in the Active Directory by using Azure role-based access control (Azure RBAC). +Every Azure subscription has an associated Microsoft Entra ID that manages users, groups, and applications. A user, group, or application is also referred to as a security principal in the context of the [Microsoft identity platform](../../active-directory/develop/index.yml). You can grant access to resources in a subscription to a security principal that is defined in the Active Directory by using Azure role-based access control (Azure RBAC). When you assign an Azure role to a security principal, you also indicate the scope at which the permissions granted by the role are in effect. For management operations, you can assign a role at the level of the subscription, the resource group, or the storage account. You can assign an Azure role to a security principal by using the [Azure portal](https://portal.azure.com/), the [Azure classic CLI](/cli/azure/install-classic-cli), [PowerShell](/powershell/azure/), or the [Azure Storage resource provider REST API](/rest/api/storagerp). 
-For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md) and [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). +For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md) and [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). ### Built-in roles for management operations |
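Review bot: `+Every Azure subscription has an associated Microsoft Entra ID that manages users, groups, and applications.` reads oddly because "Microsoft Entra ID" is the service name; the subscription is associated with a Microsoft Entra tenant (directory). In the same line, "a security principal that is defined in the Active Directory", and the link text "Authorize access to blobs and queues using Active Directory" in the earlier hunk, were left with the old name, so the rename is incomplete within this article.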
storage | Authorize Data Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/authorize-data-access.md | Title: Authorize operations for data access -description: Learn about the different ways to authorize access to data in Azure Storage. Azure Storage supports authorization with Azure Active Directory, Shared Key authorization, or shared access signatures (SAS), and also supports anonymous access to blobs. +description: Learn about the different ways to authorize access to data in Azure Storage. Azure Storage supports authorization with Microsoft Entra ID, Shared Key authorization, or shared access signatures (SAS), and also supports anonymous access to blobs. Each time you access data in your storage account, your client application makes The following table describes the options that Azure Storage offers for authorizing access to data: -| Azure artifact | Shared Key (storage account key) | Shared access signature (SAS) | Azure Active Directory (Azure AD) | On-premises Active Directory Domain Services | anonymous read access | Storage Local Users | +| Azure artifact | Shared Key (storage account key) | Shared access signature (SAS) | Microsoft Entra ID | On-premises Active Directory Domain Services | anonymous read access | Storage Local Users | |--|--|--|--|--|--|--| | Azure Blobs | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../blobs/authorize-access-azure-active-directory.md) | Not supported | [Supported but not recommended](../blobs/anonymous-read-access-overview.md) | [Supported, only for SFTP](../blobs/secure-file-transfer-protocol-support-how-to.md) |-| Azure Files (SMB) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | Not supported | Supported, only with [Azure AD Domain Services](../files/storage-files-identity-auth-active-directory-domain-service-enable.md) for cloud-only or [Azure AD 
Kerberos](../files/storage-files-identity-auth-azure-active-directory-enable.md) for hybrid identities | [Supported, credentials must be synced to Azure AD](../files/storage-files-active-directory-overview.md) | Not supported | Not supported | +| Azure Files (SMB) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | Not supported | Supported, only with [Microsoft Entra Domain Services](../files/storage-files-identity-auth-active-directory-domain-service-enable.md) for cloud-only or [Microsoft Entra Kerberos](../files/storage-files-identity-auth-azure-active-directory-enable.md) for hybrid identities | [Supported, credentials must be synced to Microsoft Entra ID](../files/storage-files-active-directory-overview.md) | Not supported | Not supported | | Azure Files (REST) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../files/authorize-oauth-rest.md) | Not supported | Not supported | Not supported | | Azure Queues | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../queues/authorize-access-azure-active-directory.md) | Not Supported | Not supported | Not supported | | Azure Tables | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../tables/authorize-access-azure-active-directory.md) | Not supported | Not supported | Not supported | The following table describes the options that Azure Storage offers for authoriz Each authorization option is briefly described below: - **Shared Key authorization** for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/). - Microsoft recommends that you disallow Shared Key authorization for your storage account. 
When Shared Key authorization is disallowed, clients must use Azure AD or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md). + Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Microsoft Entra ID or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md). -- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).+- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Microsoft Entra credentials and applies to blobs only. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md). -- **Azure Active Directory (Azure AD) integration** for authorizing requests to blob, queue, and table resources. 
Microsoft recommends using Azure AD credentials to authorize requests to data when possible for optimal security and ease of use. For more information about Azure AD integration, see the articles for either [blob](../blobs/authorize-access-azure-active-directory.md), [queue](../queues/authorize-access-azure-active-directory.md), or [table](../tables/authorize-access-azure-active-directory.md) resources.+- **Microsoft Entra integration** for authorizing requests to blob, queue, and table resources. Microsoft recommends using Microsoft Entra credentials to authorize requests to data when possible for optimal security and ease of use. For more information about Microsoft Entra integration, see the articles for either [blob](../blobs/authorize-access-azure-active-directory.md), [queue](../queues/authorize-access-azure-active-directory.md), or [table](../tables/authorize-access-azure-active-directory.md) resources. You can use Azure role-based access control (Azure RBAC) to manage a security principal's permissions to blob, queue, and table resources in a storage account. You can also use Azure attribute-based access control (ABAC) to add conditions to Azure role assignments for blob resources. Each authorization option is briefly described below: > > [The status of ABAC condition features in Azure Storage](../blobs/storage-auth-abac.md#status-of-condition-features-in-azure-storage) -- **Azure Active Directory Domain Services (Azure AD DS) authentication** for Azure Files. Azure Files supports identity-based authorization over Server Message Block (SMB) through Azure AD DS. You can use Azure RBAC for granular control over a client's access to Azure Files resources in a storage account. For more information about Azure Files authentication using domain services, see the [overview](../files/storage-files-active-directory-overview.md).+- **Microsoft Entra Domain Services authentication** for Azure Files. 
Azure Files supports identity-based authorization over Server Message Block (SMB) through Microsoft Entra Domain Services. You can use Azure RBAC for granular control over a client's access to Azure Files resources in a storage account. For more information about Azure Files authentication using domain services, see the [overview](../files/storage-files-active-directory-overview.md). - **On-premises Active Directory Domain Services (AD DS, or on-premises AD DS) authentication** for Azure Files. Azure Files supports identity-based authorization over SMB through AD DS. Your AD DS environment can be hosted in on-premises machines or in Azure VMs. SMB access to Files is supported using AD DS credentials from domain joined machines, either on-premises or in Azure. You can use a combination of Azure RBAC for share level access control and NTFS DACLs for directory/file level permission enforcement. For more information about Azure Files authentication using domain services, see the [overview](../files/storage-files-active-directory-overview.md). Each authorization option is briefly described below: ## Next steps -- Authorize access with Azure Active Directory to either [blob](../blobs/authorize-access-azure-active-directory.md), [queue](../queues/authorize-access-azure-active-directory.md), or [table](../tables/authorize-access-azure-active-directory.md) resources.+- Authorize access with Microsoft Entra ID to either [blob](../blobs/authorize-access-azure-active-directory.md), [queue](../queues/authorize-access-azure-active-directory.md), or [table](../tables/authorize-access-azure-active-directory.md) resources. - [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/) - [Grant limited access to Azure Storage resources using shared access signatures (SAS)](storage-sas-overview.md) |
storage | Customer Managed Keys Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/customer-managed-keys-overview.md | You must use one of the following Azure key stores to store your customer-manage - [Azure Key Vault](../../key-vault/general/overview.md) - [Azure Key Vault Managed Hardware Security Module (HSM)](../../key-vault/managed-hsm/overview.md) -You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM can be in different Azure Active Directory (Azure AD) tenants, regions, and subscriptions. +You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM can be in different Microsoft Entra tenants, regions, and subscriptions. > [!NOTE] > Azure Key Vault and Azure Key Vault Managed HSM support the same APIs and management interfaces for configuration of customer-managed keys. Any action that is supported for Azure Key Vault is also supported for Azure Key Vault Managed HSM. ## About customer-managed keys -The following diagram shows how Azure Storage uses Azure AD and a key vault or managed HSM to make requests using the customer-managed key: +The following diagram shows how Azure Storage uses Microsoft Entra ID and a key vault or managed HSM to make requests using the customer-managed key: :::image type="content" source="media/customer-managed-keys-overview/encryption-customer-managed-keys-diagram.png" alt-text="Diagram showing how customer-managed keys work in Azure Storage"::: The following list explains the numbered steps in the diagram: 1. An Azure Key Vault admin grants permissions to encryption keys to a managed identity. 
The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account. 1. An Azure Storage admin configures encryption with a customer-managed key for the storage account.-1. Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Azure AD. +1. Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Microsoft Entra ID. 1. Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault. 1. For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations. Using a key vault or managed HSM has associated costs. For more information, see ### Customer-managed keys with a key vault in the same tenant -You can configure customer-managed keys with the key vault and storage account in the same tenant or in different Azure AD tenants. To learn how to configure Azure Storage encryption with customer-managed keys when the key vault and storage account are in the same tenants, see one of the following articles: +You can configure customer-managed keys with the key vault and storage account in the same tenant or in different Microsoft Entra tenants. 
To learn how to configure Azure Storage encryption with customer-managed keys when the key vault and storage account are in the same tenants, see one of the following articles: - [Configure customer-managed keys in an Azure key vault for a new storage account](customer-managed-keys-configure-new-account.md) - [Configure customer-managed keys in an Azure key vault for an existing storage account](customer-managed-keys-configure-existing-account.md) To learn more about system-assigned versus user-assigned managed identities, see ### Customer-managed keys with a key vault in a different tenant -To learn how to configure Azure Storage encryption with customer-managed keys when the key vault and storage account are in different Azure AD tenants, see one of the following articles: +To learn how to configure Azure Storage encryption with customer-managed keys when the key vault and storage account are in different Microsoft Entra tenants, see one of the following articles: - [Configure cross-tenant customer-managed keys for a new storage account](customer-managed-keys-configure-cross-tenant-new-account.md) - [Configure cross-tenant customer-managed keys for an existing storage account](customer-managed-keys-configure-cross-tenant-existing-account.md) |
storage | Lock Account Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/lock-account-resource.md | az lock create \ When a **ReadOnly** lock is applied to a storage account, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is blocked for that storage account. The **List Keys** operation is an HTTPS POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. The **List Keys** operation returns the account access keys, which can then be used to read and write to any data in the storage account. -If a client is in possession of the account access keys at the time that the lock is applied to the storage account, then that client can continue to use the keys to access data. However, clients who do not have access to the keys will need to use Azure Active Directory (Azure AD) credentials to access blob or queue data in the storage account. +If a client is in possession of the account access keys at the time that the lock is applied to the storage account, then that client can continue to use the keys to access data. However, clients who do not have access to the keys will need to use Microsoft Entra credentials to access blob or queue data in the storage account. -Users of the Azure portal may be affected when a **ReadOnly** lock is applied, if they have previously accessed blob or queue data in the portal with the account access keys. After the lock is applied, portal users will need to use Azure AD credentials to access blob or queue data in the portal. To do so, a user must have at least two RBAC roles assigned to them: the Azure Resource Manager Reader role at a minimum, and one of the Azure Storage data access roles. For more information, see one of the following articles: +Users of the Azure portal may be affected when a **ReadOnly** lock is applied, if they have previously accessed blob or queue data in the portal with the account access keys. 
After the lock is applied, portal users will need to use Microsoft Entra credentials to access blob or queue data in the portal. To do so, a user must have at least two RBAC roles assigned to them: the Azure Resource Manager Reader role at a minimum, and one of the Azure Storage data access roles. For more information, see one of the following articles: - [Choose how to authorize access to blob data in the Azure portal](../blobs/authorize-data-operations-portal.md) - [Choose how to authorize access to queue data in the Azure portal](../queues/authorize-data-operations-portal.md) |
storage | Migrate Azure Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/migrate-azure-credentials.md | Title: Migrate applications to use passwordless authentication with Azure Blob Storage -description: Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Azure AD and Azure RBAC for enhanced security. +description: Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Microsoft Entra ID and Azure RBAC for enhanced security. In this tutorial, you learned how to migrate an application to passwordless conn You can read the following resources to explore the concepts discussed in this article in more depth: -* [Authorize access to blobs using Azure Active Directory](../blobs/authorize-access-azure-active-directory.md) +* [Authorize access to blobs using Microsoft Entra ID](../blobs/authorize-access-azure-active-directory.md) * To learn more about .NET Core, see [Get started with .NET in 10 minutes](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/intro). |
storage | Multiple Identity Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/multiple-identity-scenarios.md | You can also enable access to Azure resources for local development by assigning 1) After assigning the **Storage Blob Data Contributor** role to your managed identity, under **Assign access to**, this time select **User, group or service principal**. Choose **+ Select members** to open the flyout menu again. -2) Search for the *user@domain* account or Azure AD security group you would like to grant access to by email address or name, and then select it. This should be the same account you use to sign-in to your local development tooling with, such as Visual Studio or the Azure CLI. +2) Search for the *user@domain* account or Microsoft Entra security group you would like to grant access to by email address or name, and then select it. This should be the same account you use to sign-in to your local development tooling with, such as Visual Studio or the Azure CLI. > [!NOTE]-> You can also assign these roles to an Azure Active Directory security group if you are working on a team with multiple developers. You can then place any developer inside that group who needs access to develop the app locally. +> You can also assign these roles to a Microsoft Entra security group if you are working on a team with multiple developers. You can then place any developer inside that group who needs access to develop the app locally. ### Implement the application code These types of scenarios are explored in more depth in the [identities best prac In this tutorial, you learned how to migrate an application to passwordless connections. 
You can read the following resources to explore the concepts discussed in this article in more depth: -* [Authorize access to blobs using Azure Active Directory](../blobs/authorize-access-azure-active-directory.md) +* [Authorize access to blobs using Microsoft Entra ID](../blobs/authorize-access-azure-active-directory.md) * To learn more about .NET Core, see [Get started with .NET in 10 minutes](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/intro). |
storage | Security Restrict Copy Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/security-restrict-copy-operations.md | This article shows you how to limit the source accounts of copy operations to ac The **AllowedCopyScope** property of a storage account is used to specify the environments from which data can be copied to the destination account. It is displayed in the Azure portal as configuration setting **Permitted scope for copy operations (preview)**. The property is not set by default and does not return a value until you explicitly set it. It has three possible values: - ***(null)*** (default): Allow copying from any storage account to the destination account.-- **AAD**: Permits copying only from accounts within the same Azure AD tenant as the destination account.+- **Microsoft Entra ID**: Permits copying only from accounts within the same Microsoft Entra tenant as the destination account. - **PrivateLink**: Permits copying only from storage accounts that have private links to the same virtual network as the destination account. The setting applies to [Copy Blob](/rest/api/storageservices/copy-blob) and [Copy Blob From URL](/rest/api/storageservices/copy-blob-from-url) operations. Examples of tools that use Copy Blob are AzCopy and Azure Storage Explorer. The **AllowedCopyScope** property is supported for storage accounts that use the ## Identify the source storage accounts of copy operations -Before changing the value of **AllowedCopyScope** for a storage account, identify users, applications or services that would be affected by the change. Depending on your findings, it might be necessary to adjust the setting to a scope that includes all of the desired copy sources, or to adjust the network or Azure AD configuration for some of the source storage accounts. +Before changing the value of **AllowedCopyScope** for a storage account, identify users, applications or services that would be affected by the change. 
Depending on your findings, it might be necessary to adjust the setting to a scope that includes all of the desired copy sources, or to adjust the network or Microsoft Entra configuration for some of the source storage accounts. Azure Storage logs capture details in Azure Monitor about requests made against the storage account, including the source and destination of copy operations. For more information, see [Monitor Azure Storage](../blobs/monitor-blob-storage.md). Enable and analyze the logs to identify copy operations that might be affected by changing **AllowedCopyScope** for the destination storage account. To set the **AllowedCopyScope** property for the storage account, a user must ha - The Azure Resource Manager [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role - The [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role -These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. +These roles do not provide access to data in a storage account via Microsoft Entra ID. However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. Role assignments must be scoped to the level of the storage account or higher to permit a user to restrict the scope of copy operations for the account. For more information about role scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md). 
Be careful to restrict assignment of these roles only to those who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ### Configure the Permitted scope for copy operations (preview) To configure the permitted scope for copy operations for an existing storage acc 1. 
Set **Permitted scope for copy operations (preview)** to one of the following: - *From any storage account*- - *From storage accounts in the same Azure AD tenant* + - *From storage accounts in the same Microsoft Entra tenant* - *From storage accounts that have a private endpoint to the same virtual network* :::image type="content" source="media\security-restrict-copy-operations\portal-set-scope.png" alt-text="Screenshot showing how to disallow Shared Key access for a storage account." lightbox="media\security-restrict-copy-operations\portal-set-scope.png"::: To configure the permitted scope for copy operations for an existing storage acc # [PowerShell](#tab/azure-powershell) -To configure the permitted scope for copy operations for a new or existing storage account with PowerShell, install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage), version 4.9.0 or later. Next, configure the **AllowedCopyScope** property for a new or existing storage account. The only supported values for the **allowedCopyScope** parameter are *AAD* or *PrivateLink*. To set **AllowedCopyScope** to the default setting of *From any storage account*, you will need to change it in the Azure portal. +To configure the permitted scope for copy operations for a new or existing storage account with PowerShell, install the [Az.Storage PowerShell module](https://www.powershellgallery.com/packages/Az.Storage), version 4.9.0 or later. Next, configure the **AllowedCopyScope** property for a new or existing storage account. The only supported values for the **allowedCopyScope** parameter are *Microsoft Entra ID* or *PrivateLink*. To set **AllowedCopyScope** to the default setting of *From any storage account*, you will need to change it in the Azure portal. -The following example shows how to set the **AllowedCopyScope** property for an existing storage account to allow copying data only from storage accounts within the same Azure AD tenant. 
Replace the placeholder values in angle brackets (**\<\>**) with your own values: +The following example shows how to set the **AllowedCopyScope** property for an existing storage account to allow copying data only from storage accounts within the same Microsoft Entra tenant. Replace the placeholder values in angle brackets (**\<\>**) with your own values: ```powershell Set-AzStorageAccount -ResourceGroupName <resource-group> ` To configure the permitted scope for copy operations for a new or existing stora > > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. -1. Use the **allowed-copy-scope** argument of the `az storage account create` or `az storage account update` command to configure the **AllowedCopyScope** property for a new or existing storage account. The only supported values for the argument are *AAD* or *PrivateLink*. To set **AllowedCopyScope** to the default setting of *From any storage account*, you will need to change it in the Azure portal. +1. Use the **allowed-copy-scope** argument of the `az storage account create` or `az storage account update` command to configure the **AllowedCopyScope** property for a new or existing storage account. The only supported values for the argument are *Microsoft Entra ID* or *PrivateLink*. To set **AllowedCopyScope** to the default setting of *From any storage account*, you will need to change it in the Azure portal. -The following example shows how to configure the **AllowedCopyScope** property for an existing storage account to allow copying data to the destination account only from storage accounts within the same Azure AD tenant. 
Replace the placeholder values in angle brackets (**\<\>**) with your own values: +The following example shows how to configure the **AllowedCopyScope** property for an existing storage account to allow copying data to the destination account only from storage accounts within the same Microsoft Entra tenant. Replace the placeholder values in angle brackets (**\<\>**) with your own values: ```azurecli az storage account update \ |
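Review bot: the **AllowedCopyScope** value list and the PowerShell and CLI sentences in this change rename a parameter value rather than prose. The `-` lines document *AAD* as one of the literal values accepted alongside *PrivateLink* (and *(null)*), and the `+` lines replace it with the product name *Microsoft Entra ID* while leaving *PrivateLink* literal, so a reader following the updated text would pass a value the page itself says the parameter does not accept. Keep the literal in all three places and apply the rename only to the surrounding prose, e.g. `- **AAD**: Permits copying only from accounts within the same Microsoft Entra tenant as the destination account.` and `The only supported values for the **allowedCopyScope** parameter are *AAD* or *PrivateLink*.` (and the same for the `allowed-copy-scope` argument sentence).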
storage | Shared Key Authorization Prevent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/shared-key-authorization-prevent.md | Title: Prevent authorization with Shared Key -description: To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. +description: To require clients to use Microsoft Entra ID to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. ms.devlang: azurecli # Prevent Shared Key authorization for an Azure Storage account -Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. +Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Microsoft Entra ID provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. -When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Azure AD will succeed. 
For more information about using Azure AD, see [Authorize access to data in Azure Storage](authorize-data-access.md). +When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see [Authorize access to data in Azure Storage](authorize-data-access.md). The **AllowSharedKeyAccess** property of a storage account is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with Shared Key when the property value is **null** or when it is **true**. Before disallowing Shared Key access on any of your storage accounts: - [Understand how disallowing Shared Key affects SAS tokens](#understand-how-disallowing-shared-key-affects-sas-tokens) - [Consider compatibility with other Azure tools and services](#consider-compatibility-with-other-azure-tools-and-services)-- Consider the need to [disallow Shared Key authorization to use Azure AD Conditional Access](#disallow-shared-key-authorization-to-use-azure-ad-conditional-access)+- Consider the need to [disallow Shared Key authorization to use Microsoft Entra Conditional Access](#disallow-shared-key-authorization-to-use-azure-ad-conditional-access) - [Transition Azure Files workloads](#transition-azure-files-workloads) ### Understand how disallowing Shared Key affects SAS tokens When Shared Key access is disallowed for the storage account, Azure Storage hand | Type of SAS | Type of authorization | Behavior when AllowSharedKeyAccess is false | |-|-|-|-| User delegation SAS (Blob storage only) | Azure AD | Request is permitted. Microsoft recommends using a user delegation SAS when possible for superior security. | +| User delegation SAS (Blob storage only) | Microsoft Entra ID | Request is permitted. 
Microsoft recommends using a user delegation SAS when possible for superior security. | | Service SAS | Shared Key | Request is denied for all Azure Storage services. | | Account SAS | Shared Key | Request is denied for all Azure Storage services. | Azure metrics and logging in Azure Monitor do not distinguish between different types of shared access signatures. The **SAS** filter in Azure Metrics Explorer and the **SAS** field in Azure Storage logging in Azure Monitor both report requests that are authorized with any type of SAS. However, different types of shared access signatures are authorized differently, and behave differently when Shared Key access is disallowed: - A service SAS token or an account SAS token is authorized with Shared Key and will not be permitted on a request to Blob storage when the **AllowSharedKeyAccess** property is set to **false**.-- A user delegation SAS is authorized with Azure AD and will be permitted on a request to Blob storage when the **AllowSharedKeyAccess** property is set to **false**.+- A user delegation SAS is authorized with Microsoft Entra ID and will be permitted on a request to Blob storage when the **AllowSharedKeyAccess** property is set to **false**. When you are evaluating traffic to your storage account, keep in mind that metrics and logs as described in [Detect the type of authorization used by client applications](#detect-the-type-of-authorization-used-by-client-applications) may include requests made with a user delegation SAS. For more information about shared access signatures, see [Grant limited access t A number of Azure services use Shared Key authorization to communicate with Azure Storage. If you disallow Shared Key authorization for a storage account, these services will not be able to access data in that account, and your applications may be adversely affected. -Some Azure tools offer the option to use Azure AD authorization to access Azure Storage. 
The following table lists some popular Azure tools and notes whether they can use Azure AD to authorize requests to Azure Storage. +Some Azure tools offer the option to use Microsoft Entra authorization to access Azure Storage. The following table lists some popular Azure tools and notes whether they can use Microsoft Entra ID to authorize requests to Azure Storage. -| Azure tool | Azure AD authorization to Azure Storage | +| Azure tool | Microsoft Entra authorization to Azure Storage | |-|-|-| Azure portal | Supported. For information about authorizing with your Azure AD account from the Azure portal, see [Choose how to authorize access to blob data in the Azure portal](../blobs/authorize-data-operations-portal.md). | +| Azure portal | Supported. For information about authorizing with your Microsoft Entra account from the Azure portal, see [Choose how to authorize access to blob data in the Azure portal](../blobs/authorize-data-operations-portal.md). | | AzCopy | Supported for Blob Storage. For information about authorizing AzCopy operations, see [Choose how you'll provide authorization credentials](storage-use-azcopy-v10.md#choose-how-youll-provide-authorization-credentials) in the AzCopy documentation. |-| Azure Storage Explorer | Supported for Blob Storage, Queue Storage, Table Storage, and Azure Data Lake Storage Gen2. Azure AD access to File storage is not supported. Make sure to select the correct Azure AD tenant. For more information, see [Get started with Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#sign-in-to-azure) | -| Azure PowerShell | Supported. For information about how to authorize PowerShell commands for blob or queue operations with Azure AD, see [Run PowerShell commands with Azure AD credentials to access blob data](../blobs/authorize-data-operations-powershell.md) or [Run PowerShell commands with Azure AD credentials to access queue data](../queues/authorize-data-operations-powershell.md). 
| -| Azure CLI | Supported. For information about how to authorize Azure CLI commands with Azure AD for access to blob and queue data, see [Run Azure CLI commands with Azure AD credentials to access blob or queue data](../blobs/authorize-data-operations-cli.md). | +| Azure Storage Explorer | Supported for Blob Storage, Queue Storage, Table Storage, and Azure Data Lake Storage Gen2. Microsoft Entra ID access to File storage is not supported. Make sure to select the correct Microsoft Entra tenant. For more information, see [Get started with Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#sign-in-to-azure) | +| Azure PowerShell | Supported. For information about how to authorize PowerShell commands for blob or queue operations with Microsoft Entra ID, see [Run PowerShell commands with Microsoft Entra credentials to access blob data](../blobs/authorize-data-operations-powershell.md) or [Run PowerShell commands with Microsoft Entra credentials to access queue data](../queues/authorize-data-operations-powershell.md). | +| Azure CLI | Supported. For information about how to authorize Azure CLI commands with Microsoft Entra ID for access to blob and queue data, see [Run Azure CLI commands with Microsoft Entra credentials to access blob or queue data](../blobs/authorize-data-operations-cli.md). | | Azure IoT Hub | Supported. For more information, see [IoT Hub support for virtual networks](../../iot-hub/virtual-network-support.md). | | Azure Cloud Shell | Azure Cloud Shell is an integrated shell in the Azure portal. Azure Cloud Shell hosts files for persistence in an Azure file share in a storage account. These files will become inaccessible if Shared Key authorization is disallowed for that storage account. For more information, see [Persist files in Azure Cloud Shell](../../cloud-shell/persisting-shell-storage.md). 
<br /><br /> To run commands in Azure Cloud Shell to manage storage accounts for which Shared Key access is disallowed, first make sure that you have been granted the necessary permissions to these accounts via Azure RBAC. For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md). | -### Disallow Shared Key authorization to use Azure AD Conditional Access +<a name='disallow-shared-key-authorization-to-use-azure-ad-conditional-access'></a> -To protect an Azure Storage account with Azure AD [Conditional Access](../../active-directory/conditional-access/overview.md) policies, you must disallow Shared Key authorization for the storage account. +### Disallow Shared Key authorization to use Microsoft Entra Conditional Access ++To protect an Azure Storage account with Microsoft Entra [Conditional Access](../../active-directory/conditional-access/overview.md) policies, you must disallow Shared Key authorization for the storage account. ### Transition Azure Files workloads -Azure Storage supports Azure AD authorization for requests to Blob Storage, Queue Storage, and Table Storage only. If you disallow authorization with Shared Key for a storage account, requests to Azure Files that use Shared Key authorization will fail. The Azure portal always uses Shared Key authorization to access data in Azure Files, so if you disallow authorization with Shared Key for the storage account, you will not be able to access Azure Files data in the Azure portal. +Azure Storage supports Microsoft Entra authorization for requests to Blob Storage, Queue Storage, and Table Storage only. If you disallow authorization with Shared Key for a storage account, requests to Azure Files that use Shared Key authorization will fail. 
The Azure portal always uses Shared Key authorization to access data in Azure Files, so if you disallow authorization with Shared Key for the storage account, you will not be able to access Azure Files data in the Azure portal. Microsoft recommends that you either migrate any Azure Files data to a separate storage account before you disallow access to an account via Shared Key, or do not apply this setting to storage accounts that support Azure Files workloads. resources ### Configure the Azure Policy for Shared Key access in audit mode -Azure Policy **Storage accounts should prevent shared key access** prevents users with appropriate permissions from configuring new or existing storage accounts to permit Shared Key authorization. Configure this policy in audit mode to identify storage accounts where Shared Key authorization is allowed. After you have changed applications to use Azure AD rather than Shared Key for authorization, you can [update the policy to prevent allowing Shared Key access](#update-the-azure-policy-to-prevent-allowing-shared-key-access). +Azure Policy **Storage accounts should prevent shared key access** prevents users with appropriate permissions from configuring new or existing storage accounts to permit Shared Key authorization. Configure this policy in audit mode to identify storage accounts where Shared Key authorization is allowed. After you have changed applications to use Microsoft Entra rather than Shared Key for authorization, you can [update the policy to prevent allowing Shared Key access](#update-the-azure-policy-to-prevent-allowing-shared-key-access). For more information about the built-in policy, see **Storage accounts should prevent shared key access** in [List of built-in policy definitions](../../governance/policy/samples/built-in-policies.md#storage). 
To understand how disallowing Shared Key authorization may affect client applica Use metrics to determine how many requests the storage account is receiving that are authorized with Shared Key or a shared access signature (SAS). Use logs to determine which clients are sending those requests. -A SAS may be authorized with either Shared Key or Azure AD. For more information about interpreting requests made with a shared access signature, see [Understand how disallowing Shared Key affects SAS tokens](#understand-how-disallowing-shared-key-affects-sas-tokens). +A SAS may be authorized with either Shared Key or Microsoft Entra ID. For more information about interpreting requests made with a shared access signature, see [Understand how disallowing Shared Key affects SAS tokens](#understand-how-disallowing-shared-key-affects-sas-tokens). ### Determine the number and frequency of requests authorized with Shared Key You can also configure an alert rule based on this query to notify you about req ## Remediate authorization via Shared Key -After you have analyzed how requests to your storage account are being authorized, you can take action to prevent access via Shared Key. But first, you need to update any applications that are using Shared Key authorization to use Azure AD instead. You can monitor logs and metrics as described in [Detect the type of authorization used by client applications](#detect-the-type-of-authorization-used-by-client-applications) to track the transition. For more information about using Azure AD to access data in a storage account, see [Authorize access to data in Azure Storage](authorize-data-access.md). +After you have analyzed how requests to your storage account are being authorized, you can take action to prevent access via Shared Key. But first, you need to update any applications that are using Shared Key authorization to use Microsoft Entra ID instead. 
You can monitor logs and metrics as described in [Detect the type of authorization used by client applications](#detect-the-type-of-authorization-used-by-client-applications) to track the transition. For more information about using Microsoft Entra ID to access data in a storage account, see [Authorize access to data in Azure Storage](authorize-data-access.md). When you are confident that you can safely reject requests that are authorized with Shared Key, you can set the **AllowSharedKeyAccess** property for the storage account to **false**. > [!WARNING]-> If any clients are currently accessing data in your storage account with Shared Key, then Microsoft recommends that you migrate those clients to Azure AD before disallowing Shared Key access to the storage account. +> If any clients are currently accessing data in your storage account with Shared Key, then Microsoft recommends that you migrate those clients to Microsoft Entra ID before disallowing Shared Key access to the storage account. ### Permissions for allowing or disallowing Shared Key access To set the **AllowSharedKeyAccess** property for the storage account, a user mus - The Azure Resource Manager [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role - The [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role -These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. +These roles do not provide access to data in a storage account via Microsoft Entra ID. However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. 
With this permission, a user can use the account access keys to access all data in a storage account. Role assignments must be scoped to the level of the storage account or higher to permit a user to allow or disallow Shared Key access for the storage account. For more information about role scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md). Be careful to restrict assignment of these roles only to those who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). > [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). 
### Disable Shared Key authorization To begin enforcing [the Azure Policy assignment you previously created](#configu ## Next steps - [Authorize access to data in Azure Storage](./authorize-data-access.md)-- [Authorize access to blobs and queues using Azure Active Directory](authorize-data-access.md)+- [Authorize access to blobs and queues using Microsoft Entra ID](authorize-data-access.md) - [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key) |
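Review bot: in the Next steps hunk, the renamed entry `- [Authorize access to blobs and queues using Microsoft Entra ID](authorize-data-access.md)` points at the same file as the entry directly above it, `- [Authorize access to data in Azure Storage](./authorize-data-access.md)`, so the list now carries two links to one page under different titles; drop one of them, or point the second at the blob- or queue-specific authorization article if that is what its title intends.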
storage | Storage Account Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-account-create.md | The following table describes the fields on the **Advanced** tab. |--|--|--|--| | Security | Require secure transfer for REST API operations | Optional | Require secure transfer to ensure that incoming requests to this storage account are made only via HTTPS (default). Recommended for optimal security. For more information, see [Require secure transfer to ensure secure connections](storage-require-secure-transfer.md). | | Security | Allow enabling anonymous access on individual containers | Optional | When enabled, this setting allows a user with the appropriate permissions to enable anonymous access to a container in the storage account (default). Disabling this setting prevents all anonymous access to the storage account. Microsoft recommends disabling this setting for optimal security.<br/> <br/> For more information, see [Prevent anonymous read access to containers and blobs](../blobs/anonymous-read-access-prevent.md).<br/> <br/> Enabling anonymous access does not make blob data available for anonymous access unless the user takes the additional step to explicitly configure the container's anonymous access setting. |-| Security | Enable storage account key access | Optional | When enabled, this setting allows clients to authorize requests to the storage account using either the account access keys or an Azure Active Directory (Azure AD) account (default). Disabling this setting prevents authorization with the account access keys. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md). | -| Security | Default to Azure Active Directory authorization in the Azure portal | Optional | When enabled, the Azure portal authorizes data operations with the user's Azure AD credentials by default. 
If the user does not have the appropriate permissions assigned via Azure role-based access control (Azure RBAC) to perform data operations, then the portal will use the account access keys for data access instead. The user can also choose to switch to using the account access keys. For more information, see [Default to Azure AD authorization in the Azure portal](../blobs/authorize-data-operations-portal.md#default-to-azure-ad-authorization-in-the-azure-portal). | +| Security | Enable storage account key access | Optional | When enabled, this setting allows clients to authorize requests to the storage account using either the account access keys or a Microsoft Entra account (default). Disabling this setting prevents authorization with the account access keys. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md). | +| Security | Default to Microsoft Entra authorization in the Azure portal | Optional | When enabled, the Azure portal authorizes data operations with the user's Microsoft Entra credentials by default. If the user does not have the appropriate permissions assigned via Azure role-based access control (Azure RBAC) to perform data operations, then the portal will use the account access keys for data access instead. The user can also choose to switch to using the account access keys. For more information, see [Default to Microsoft Entra authorization in the Azure portal](../blobs/authorize-data-operations-portal.md#default-to-azure-ad-authorization-in-the-azure-portal). | | Security | Minimum TLS version | Required | Select the minimum version of Transport Layer Security (TLS) for incoming requests to the storage account. The default value is TLS version 1.2. When set to the default value, incoming requests made using TLS 1.0 or TLS 1.1 are rejected. 
For more information, see [Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account](transport-layer-security-configure-minimum-version.md). |-| Security | Permitted scope for copy operations (preview) | Required | Select the scope of storage accounts from which data can be copied to the new account. The default value is `From any storage account`. When set to the default value, users with the appropriate permissions can copy data from any storage account to the new account.<br /><br />Select `From storage accounts in the same Azure AD tenant` to only allow copy operations from storage accounts within the same Azure AD tenant.<br />Select `From storage accounts that have a private endpoint to the same virtual network` to only allow copy operations from storage accounts with private endpoints on the same virtual network.<br /><br /> For more information, see [Restrict the source of copy operations to a storage account](security-restrict-copy-operations.md). | +| Security | Permitted scope for copy operations (preview) | Required | Select the scope of storage accounts from which data can be copied to the new account. The default value is `From any storage account`. When set to the default value, users with the appropriate permissions can copy data from any storage account to the new account.<br /><br />Select `From storage accounts in the same Azure AD tenant` to only allow copy operations from storage accounts within the same Microsoft Entra tenant.<br />Select `From storage accounts that have a private endpoint to the same virtual network` to only allow copy operations from storage accounts with private endpoints on the same virtual network.<br /><br /> For more information, see [Restrict the source of copy operations to a storage account](security-restrict-copy-operations.md). 
| | Data Lake Storage Gen2 | Enable hierarchical namespace | Optional | To use this storage account for Azure Data Lake Storage Gen2 workloads, configure a hierarchical namespace. For more information, see [Introduction to Azure Data Lake Storage Gen2](../blobs/data-lake-storage-introduction.md). | | Blob storage | Enable SFTP | Optional | Enable the use of Secure File Transfer Protocol (SFTP) to securely transfer of data over the internet. For more information, see [Secure File Transfer (SFTP) protocol support in Azure Blob Storage](../blobs/secure-file-transfer-protocol-support.md). | | Blob storage | Enable network file system (NFS) v3 | Optional | NFS v3 provides Linux file system compatibility at object storage scale enables Linux clients to mount a container in Blob storage from an Azure Virtual Machine (VM) or a computer on-premises. For more information, see [Network File System (NFS) 3.0 protocol support in Azure Blob Storage](../blobs/network-file-system-protocol-support.md). |-| Blob storage | Allow cross-tenant replication | Required | By default, users with appropriate permissions can configure object replication across Azure AD tenants. To prevent replication across tenants, deselect this option. For more information, see [Prevent replication across Azure AD tenants](../blobs/object-replication-overview.md#prevent-replication-across-azure-ad-tenants). | +| Blob storage | Allow cross-tenant replication | Required | By default, users with appropriate permissions can configure object replication across Microsoft Entra tenants. To prevent replication across tenants, deselect this option. For more information, see [Prevent replication across Microsoft Entra tenants](../blobs/object-replication-overview.md#prevent-replication-across-azure-ad-tenants). | | Blob storage | Access tier | Required | Blob access tiers enable you to store blob data in the most cost-effective manner, based on usage. Select the hot tier (default) for frequently accessed data. 
Select the cool tier for infrequently accessed data. For more information, see [Hot, Cool, and Archive access tiers for blob data](../blobs/access-tiers-overview.md). | | Azure Files | Enable large file shares | Optional | Available only for standard file shares with the LRS or ZRS redundancies. | |
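Review bot: in the "Default to Microsoft Entra authorization in the Azure portal" and "Allow cross-tenant replication" rows, the link text is renamed but the fragments `#default-to-azure-ad-authorization-in-the-azure-portal` and `#prevent-replication-across-azure-ad-tenants` still carry the old heading slugs; if the headings in authorize-data-operations-portal.md and object-replication-overview.md are renamed in the same pass, these links break unless those pages keep an `<a name='...'></a>` alias for the old slug, as shared-key-authorization-prevent.md does in the row above. The option label `From storage accounts in the same Azure AD tenant` is also left unchanged while the surrounding sentence now says "Microsoft Entra tenant"; that is correct only if the portal still shows the old label, so confirm it against the current UI before merging.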
storage | Storage Account Get Info | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-account-get-info.md | You can use a connection string to authorize access to Azure Storage with the ac > [!IMPORTANT] > Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised. >-> Microsoft recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data if possible, rather than using the account keys (Shared Key authorization). Authorization with Azure AD provides superior security and ease of use over Shared Key authorization. For more information, see [Authorize access to data in Azure Storage](authorize-data-access.md). +> Microsoft recommends using Microsoft Entra ID to authorize requests against blob and queue data if possible, rather than using the account keys (Shared Key authorization). Authorization with Microsoft Entra ID provides superior security and ease of use over Shared Key authorization. For more information, see [Authorize access to data in Azure Storage](authorize-data-access.md). # [Portal](#tab/portal) |
storage | Storage Account Keys Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-account-keys-manage.md | az storage account keys list \ You can use either of the two keys to access Azure Storage, but in general it's a good practice to use the first key, and reserve the use of the second key for when you are rotating keys. -To view or read an account's access keys, the user must either be a Service Administrator, or must be assigned an Azure role that includes the **Microsoft.Storage/storageAccounts/listkeys/action**. Some Azure built-in roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). +To view or read an account's access keys, the user must either be a Service Administrator, or must be assigned an Azure role that includes the **Microsoft.Storage/storageAccounts/listkeys/action**. Some Azure built-in roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). 
## Use Azure Key Vault to manage your access keys To rotate your storage account access keys with Azure CLI: > [!CAUTION] > Microsoft recommends using only one of the keys in all of your applications at the same time. If you use Key 1 in some places and Key 2 in others, you will not be able to rotate your keys without some application losing access. -To rotate an account's access keys, the user must either be a Service Administrator, or must be assigned an Azure role that includes the **Microsoft.Storage/storageAccounts/regeneratekey/action**. Some Azure built-in roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about Azure built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). +To rotate an account's access keys, the user must either be a Service Administrator, or must be assigned an Azure role that includes the **Microsoft.Storage/storageAccounts/regeneratekey/action**. Some Azure built-in roles that include this action are the **Owner**, **Contributor**, and **Storage Account Key Operator Service Role** roles. For more information about the Service Administrator role, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). For detailed information about Azure built-in roles for Azure Storage, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). ## Create a key expiration policy |
storage | Storage Configure Connection String | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-configure-connection-string.md | Your application needs to access the connection string at runtime to authorize r - An application can store the connection string in an **app.config** or **web.config** file. Add the connection string to the **AppSettings** section in these files. > [!WARNING]-> Storing your account access keys or connection string in clear text presents a security risk and is not recommended. Store your account keys in an encrypted format, or migrate your applications to use Azure AD authorization for access to your storage account. +> Storing your account access keys or connection string in clear text presents a security risk and is not recommended. Store your account keys in an encrypted format, or migrate your applications to use Microsoft Entra authorization for access to your storage account. ## Configure a connection string for Azurite |
storage | Storage Explorer Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-explorer-security.md | Microsoft Azure Storage Explorer enables you to easily work with Azure Storage d Storage Explorer provides various ways to access your Azure Storage resources. Whatever method you choose, here are our recommendations. -### Azure AD authentication +<a name='azure-ad-authentication'></a> -The easiest and most secure way to access your Azure Storage resources is to sign in with your Azure account. Signing in uses Azure AD authentication, which allows you to: +### Microsoft Entra authentication ++The easiest and most secure way to access your Azure Storage resources is to sign in with your Azure account. Signing in uses Microsoft Entra authentication, which allows you to: - Give access to specific users and groups. - Revoke access to specific users and groups at any time. - Enforce access conditions, such as requiring multi-factor authentication. -We recommend using Azure AD authentication whenever possible. +We recommend using Microsoft Entra authentication whenever possible. -This section describes the two Azure AD-based technologies that can be used to secure your storage resources. +This section describes the two Microsoft Entra ID-based technologies that can be used to secure your storage resources. #### Azure role-based access control (Azure RBAC) Storage Explorer supports Azure RBAC access to Storage Accounts, Blobs, and Queu ### Shared access signatures (SAS) -If you can't use Azure AD authentication, we recommend using shared access signatures. With shared access signatures, you can: +If you can't use Microsoft Entra authentication, we recommend using shared access signatures. With shared access signatures, you can: - Provide anonymous limited access to secure resources. - Revoke a SAS immediately if generated from a shared access policy (SAP). |
storage | Storage Explorer Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-explorer-sign-in.md | -Sign-in is the recommended way to access your Azure storage resources with Storage Explorer. By signing in you take advantage of Azure AD backed permissions, such as RBAC and Gen2 POSIX ACLs. +Sign-in is the recommended way to access your Azure storage resources with Storage Explorer. By signing in you take advantage of Microsoft Entra backed permissions, such as RBAC and Gen2 POSIX ACLs. ## How to sign in |
storage | Storage Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-introduction.md | Azure Storage offers several types of storage accounts. Each type supports diffe Every request to Azure Storage must be authorized. Azure Storage supports the following authorization methods: -- **Azure Active Directory (Azure AD) integration for blob, queue, and table data.** Azure Storage supports authentication and authorization with Azure AD for the Blob and Queue services via Azure role-based access control (Azure RBAC). Authorization with Azure AD is also supported for the Table service in preview. Authorizing requests with Azure AD is recommended for superior security and ease of use. For more information, see [Authorize access to data in Azure Storage](authorize-data-access.md).-- **Azure AD authorization over SMB for Azure Files.** Azure Files supports identity-based authorization over SMB (Server Message Block) through either Azure Active Directory Domain Services (Azure AD DS) or on-premises Active Directory Domain Services (preview). Your domain-joined Windows VMs can access Azure file shares using Azure AD credentials. For more information, see [Overview of Azure Files identity-based authentication support for SMB access](../files/storage-files-active-directory-overview.md) and [Planning for an Azure Files deployment](../files/storage-files-planning.md#identity).+- **Microsoft Entra integration for blob, queue, and table data.** Azure Storage supports authentication and authorization with Microsoft Entra ID for the Blob and Queue services via Azure role-based access control (Azure RBAC). Authorization with Microsoft Entra ID is also supported for the Table service in preview. Authorizing requests with Microsoft Entra ID is recommended for superior security and ease of use. For more information, see [Authorize access to data in Azure Storage](authorize-data-access.md). 
+- **Microsoft Entra authorization over SMB for Azure Files.** Azure Files supports identity-based authorization over SMB (Server Message Block) through either Microsoft Entra Domain Services or on-premises Active Directory Domain Services (preview). Your domain-joined Windows VMs can access Azure file shares using Microsoft Entra credentials. For more information, see [Overview of Azure Files identity-based authentication support for SMB access](../files/storage-files-active-directory-overview.md) and [Planning for an Azure Files deployment](../files/storage-files-planning.md#identity). - **Authorization with Shared Key.** The Azure Storage Blob, Files, Queue, and Table services support authorization with Shared Key. A client using Shared Key authorization passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key). - **Authorization using shared access signatures (SAS).** A shared access signature (SAS) is a string containing a security token that can be appended to the URI for a storage resource. The security token encapsulates constraints such as permissions and the interval of access. For more information, see [Using Shared Access Signatures (SAS)](storage-sas-overview.md). - **Active Directory Domain Services with Azure NetApp Files.** Azure NetApp Files features such as SMB volumes, dual-protocol volumes, and NFSv4.1 Kerberos volumes are designed to be used with AD DS. For more information, see [Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files](../../azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md) or learn how to [Configure ADDS LDAP over TLS for Azure NetApp Files](../../azure-netapp-files/configure-ldap-over-tls.md). |
storage | Storage Network Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-network-security.md | Storage accounts have a public endpoint that's accessible through the internet. The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when you're using private endpoints. Your firewall configuration also enables trusted Azure platform services to access the storage account. -An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous access, requests to read data in that container don't need to be authorized. The firewall rules remain in effect and will block anonymous traffic. +An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Microsoft Entra credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous access, requests to read data in that container don't need to be authorized. The firewall rules remain in effect and will block anonymous traffic. Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service that operates within an Azure virtual network or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services. 
Before implementing network security for your storage accounts, review the impor ### Authorization -Clients granted access via network rules must continue to meet the authorization requirements of the storage account to access the data. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token. +Clients granted access via network rules must continue to meet the authorization requirements of the storage account to access the data. Authorization is supported with Microsoft Entra credentials for blobs and queues, with a valid account access key, or with a shared access signature (SAS) token. When you configure a blob container for anonymous public access, requests to read data in that container don't need to be authorized, but the firewall rules remain in effect and will block anonymous traffic. You must set the default rule to **deny**, or network rules have no effect. Howe ## Grant access from a virtual network -You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Azure AD tenant. With [cross-region service endpoints](#azure-storage-cross-region-service-endpoints), the allowed subnets can also be in different regions from the storage account. +You can configure storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Microsoft Entra tenant. With [cross-region service endpoints](#azure-storage-cross-region-service-endpoints), the allowed subnets can also be in different regions from the storage account. 
You can enable a [service endpoint](../../virtual-network/virtual-network-service-endpoints-overview.md) for Azure Storage within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a virtual network. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data. Each storage account supports up to 200 virtual network rules. You can combine t To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets that are being added. A [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) or a user who has permission to the `Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action` [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftnetwork) can apply a rule by using a custom Azure role. -The storage account and the virtual networks that get access can be in different subscriptions, including subscriptions that are a part of a different Azure AD tenant. +The storage account and the virtual networks that get access can be in different subscriptions, including subscriptions that are a part of a different Microsoft Entra tenant. -Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure AD tenant are currently supported only through PowerShell, the Azure CLI, and REST APIs. You can't configure such rules through the Azure portal, though you can view them in the portal. 
+Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently supported only through PowerShell, the Azure CLI, and REST APIs. You can't configure such rules through the Azure portal, though you can view them in the portal. ### Azure Storage cross-region service endpoints Local and cross-region service endpoints can't coexist on the same subnet. To re You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or the Azure CLI v2. -If you want to enable access to your storage account from a virtual network or subnet in another Azure AD tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants. +If you want to enable access to your storage account from a virtual network or subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Microsoft Entra tenants. #### [Portal](#tab/azure-portal) If you want to enable access to your storage account from a virtual network or s If a service endpoint for Azure Storage wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation. - Presently, only virtual networks that belong to the same Azure AD tenant appear for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or REST APIs. + Presently, only virtual networks that belong to the same Microsoft Entra tenant appear for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or REST APIs. 5. To remove a virtual network or subnet rule, select the ellipsis (**...**) to open the context menu for the virtual network or subnet, and then select **Remove**. 
If you want to enable access to your storage account from a virtual network or s Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id ``` - To add a network rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. + To add a network rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. 5. Remove a network rule for a virtual network and subnet: If you want to enable access to your storage account from a virtual network or s az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet $subnetid ``` - To add a rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully qualified subnet ID in the form `/subscriptions/<subscription-ID>/resourceGroups/<resourceGroup-Name>/providers/Microsoft.Network/virtualNetworks/<vNet-name>/subnets/<subnet-name>`. You can use the `subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Azure AD tenant. + To add a rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully qualified subnet ID in the form `/subscriptions/<subscription-ID>/resourceGroups/<resourceGroup-Name>/providers/Microsoft.Network/virtualNetworks/<vNet-name>/subnets/<subnet-name>`. You can use the `subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Microsoft Entra tenant. 5. 
Remove a network rule for a virtual network and subnet: Resources of some services that are registered in your subscription can access y | Azure File Sync | `Microsoft.StorageSync` | Transform your on-premises file server to a cache for Azure file shares. This capability allows multiple-site sync, fast disaster recovery, and cloud-side backup. [Learn more](../file-sync/file-sync-planning.md). | | Azure HDInsight | `Microsoft.HDInsight` | Provision the initial contents of the default file system for a new HDInsight cluster. [Learn more](../../hdinsight/hdinsight-hadoop-use-blob-storage.md). | | Azure Import/Export | `Microsoft.ImportExport` | Import data to Azure Storage or export data from Azure Storage. [Learn more](../../import-export/storage-import-export-service.md). |-| Azure Monitor | `Microsoft.Insights` | Write monitoring data to a secured storage account, including resource logs, Azure AD sign-in and audit logs, and Microsoft Intune logs. [Learn more](../../azure-monitor/roles-permissions-security.md). | +| Azure Monitor | `Microsoft.Insights` | Write monitoring data to a secured storage account, including resource logs, Microsoft Entra sign-in and audit logs, and Microsoft Intune logs. [Learn more](../../azure-monitor/roles-permissions-security.md). | | Azure networking services | `Microsoft.Network` | Store and analyze network traffic logs, including through the Azure Network Watcher and Azure Traffic Manager services. [Learn more](../../network-watcher/network-watcher-nsg-flow-logging-overview.md). | | Azure Site Recovery | `Microsoft.SiteRecovery` | Enable replication for disaster recovery of Azure IaaS virtual machines when you're using firewall-enabled cache, source, or target storage accounts. [Learn more](../../site-recovery/azure-to-azure-tutorial-enable-replication.md). | |
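Review bot: the sentence added under the Authorization section ("When you configure a blob container for anonymous public access, requests to read data in that container don't need to be authorized, but the firewall rules remain in effect and will block anonymous traffic.") duplicates the intro paragraph, which already makes the same statement; keep it in one place and cross-reference the other, so the two copies cannot drift apart in a later edit.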
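Review bot: the rewritten line "+Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently supported only through PowerShell" carries over a subject-verb mismatch from the removed line ("Configuration ... are"); since the line is being touched anyway, change it to "is currently supported only through PowerShell, the Azure CLI, and REST APIs".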
storage | Storage Ref Azcopy Bench | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-bench.md | Run an upload that doesn't delete the transferred files. (These files can then s `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Configuration Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-configuration-settings.md | The following table describes each environment variable and provides links to co |--|--| | AWS_ACCESS_KEY_ID | Amazon Web Services access key. Provides a key to authorize with Amazon Web Services.[Copy data from Amazon S3 to Azure Storage by using AzCopy](storage-use-azcopy-s3.md) | | AWS_SECRET_ACCESS_KEY | Amazon Web Services secret access key Provides a secret key to authorize with Amazon Web Services. [Copy data from Amazon S3 to Azure Storage by using AzCopy](storage-use-azcopy-s3.md) |-| AZCOPY_ACTIVE_DIRECTORY_ENDPOINT | The Azure Active Directory endpoint to use. This variable is only used for auto login, please use the command line flag instead when invoking the login command. | +| AZCOPY_ACTIVE_DIRECTORY_ENDPOINT | The Microsoft Entra endpoint to use. This variable is only used for auto login, please use the command line flag instead when invoking the login command. | | AZCOPY_AUTO_LOGIN_TYPE | Set this variable to `DEVICE`, `MSI`, or `SPN`. This variable provides the ability to authorize without using the `azcopy login` command. This mechanism is useful in cases where your operating system doesn't have a secret store such as a Linux *keyring*. See [Authorize without a secret store](storage-use-azcopy-authorize-azure-active-directory.md#authorize-without-a-secret-store). | | AZCOPY_BUFFER_GB | Specify the maximum amount of your system memory you want AzCopy to use when downloading and uploading files. Express this value in gigabytes (GB). See [Optimize memory use](storage-use-azcopy-optimize.md#optimize-memory-use) | | AZCOPY_CACHE_PROXY_LOOKUP | By default AzCopy on Windows will cache proxy server lookups at hostname level (not taking URL path into account). Set to any other value than 'true' to disable the cache. 
| The following table describes each environment variable and provides links to co | AZCOPY_SPA_CERT_PASSWORD | The password of a certificate. Use when `AZCOPY_AUTO_LOGIN_TYPE` is set to `SPN`. See [Authorize without a secret store](storage-use-azcopy-authorize-azure-active-directory.md#authorize-without-a-secret-store) | | AZCOPY_SPA_CERT_PATH | The relative or fully qualified path to a certificate file. Use when `AZCOPY_AUTO_LOGIN_TYPE` is set to `SPN`. See [Authorize without a secret store](storage-use-azcopy-authorize-azure-active-directory.md#authorize-without-a-secret-store) | | AZCOPY_SPA_CLIENT_SECRET | The client secret. Use when `AZCOPY_AUTO_LOGIN_TYPE` is set to `SPN`. See [Authorize without a secret store](storage-use-azcopy-authorize-azure-active-directory.md#authorize-without-a-secret-store) |-| AZCOPY_TENANT_ID | The Azure Active Directory tenant ID to use for OAuth device interactive login. This variable is only used for auto login, please use the command line flag instead when invoking the login command. | +| AZCOPY_TENANT_ID | The Microsoft Entra tenant ID to use for OAuth device interactive login. This variable is only used for auto login, please use the command line flag instead when invoking the login command. | | AZCOPY_TUNE_TO_CPU | Set to false to prevent AzCopy from taking CPU usage into account when autotuning its concurrency level (for example, in the benchmark command). | | AZCOPY_USER_AGENT_PREFIX | Add a prefix to the default AzCopy User Agent, which is used for telemetry purposes. A space is automatically inserted. | | CPK_ENCRYPTION_KEY | A Base64-encoded AES-256 encryption key value. This variable is required for both read and write requests when using Customer Provided Keys to encrypt and decrypt data on Blob storage operations. You can use Customer Provided Keys by setting the `--cpk-by-value=true` flag. | |
storage | Storage Ref Azcopy Copy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-copy.md | preserve full properties, AzCopy needs to send one more request per object or fi `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Doc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-doc.md | azcopy doc [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text"). -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi. ## See also |
storage | Storage Ref Azcopy Env | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-env.md | azcopy env [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de; +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de; *.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Jobs Clean | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-jobs-clean.md | azcopy jobs clean --with-status=completed `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Jobs List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-jobs-list.md | azcopy jobs list [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Jobs Remove | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-jobs-remove.md | azcopy jobs remove [jobID] [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Jobs Resume | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-jobs-resume.md | azcopy jobs resume [jobID] [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Jobs Show | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-jobs-show.md | azcopy jobs show [jobID] [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-jobs.md | azcopy jobs show [jobID] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-list.md | azcopy list [containerURL] --properties [semicolon(;) separated list of attribut `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Login Status | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-login-status.md | azcopy login status [flags] ### Options -`--endpoint` Prints the Azure Active Directory endpoint that is being used in the current session. +`--endpoint` Prints the Microsoft Entra endpoint that is being used in the current session. `-h`, `--help` Help for status -`--tenant` Prints the Azure Active Directory tenant ID that is currently being used in session. +`--tenant` Prints the Microsoft Entra tenant ID that is currently being used in session. ### Options inherited from parent commands -`--aad-endpoint` (string) The Azure Active Directory endpoint to use. The default (https://login.microsoftonline.com) is correct for the global Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity +`--aad-endpoint` (string) The Microsoft Entra endpoint to use. The default (https://login.microsoftonline.com) is correct for the global Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity `--application-id` (string) Application ID of user-assigned identity. Required for service principal auth. azcopy login status [flags] `--service-principal` Log in via Service Principal Name (SPN) by using a certificate or a secret. The client secret or certificate password must be placed in the appropriate environment variable. Type AzCopy env to see names and descriptions of environment variables. -`--tenant-id` (string) The Azure Active Directory tenant ID to use for OAuth device interactive login. +`--tenant-id` (string) The Microsoft Entra tenant ID to use for OAuth device interactive login. -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. 
The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Login | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-login.md | -Logs in to Azure Active Directory to access Azure Storage resources. +Logs in to Microsoft Entra ID to access Azure Storage resources. ## Synopsis -Log in to Azure Active Directory to access Azure Storage resources. +Log in to Microsoft Entra ID to access Azure Storage resources. To be authorized to your Azure Storage account, you must assign the **Storage Blob Data Contributor** role to your user account in the context of either the Storage account, parent resource group, or parent subscription. azcopy login [flags] ## Examples -Log in interactively with default AAD tenant ID set to common: +Log in interactively with default Microsoft Entra tenant ID set to common: `azcopy login` Subcommand for login to check the login status of your current session. ## Options -`--aad-endpoint` (string) The Azure Active Directory endpoint to use. The default (https://login.microsoftonline.com) is correct for the global Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity. To see a list of national cloud Azure AD endpoints, see [Azure AD authentication endpoints](../../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) +`--aad-endpoint` (string) The Microsoft Entra endpoint to use. The default (https://login.microsoftonline.com) is correct for the global Azure cloud. Set this parameter when authenticating in a national cloud. Not needed for Managed Service Identity. To see a list of national cloud Microsoft Entra endpoints, see [Microsoft Entra authentication endpoints](../../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) `--application-id` (string) Application ID of user-assigned identity. Required for service principal auth. 
Subcommand for login to check the login status of your current session. `--service-principal` Log in via Service Principal Name (SPN) by using a certificate or a secret. The client secret or certificate password must be placed in the appropriate environment variable. Type AzCopy env to see names and descriptions of environment variables. -`--tenant-id` (string) The Azure Active Directory tenant ID to use for OAuth device interactive login. +`--tenant-id` (string) The Microsoft Entra tenant ID to use for OAuth device interactive login. ## Options inherited from parent commands AzCopy env to see names and descriptions of environment variables. `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
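Review bot: in the `--aad-endpoint` description the link text changes to "Microsoft Entra authentication endpoints" but the fragment stays `#azure-ad-authentication-endpoints`; confirm that the heading in authentication-national-cloud.md was not renamed as part of the same terminology change, otherwise the anchor will no longer resolve.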
storage | Storage Ref Azcopy Logout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-logout.md | azcopy logout [flags] `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Make | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-make.md | azcopy make "https://[account-name].[blob,file,dfs].core.windows.net/[top-level- `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Remove | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-remove.md | Remove a single directory from a Blob Storage account that has a hierarchical na `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy Set Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-set-properties.md | While setting tags on the blobs, there are other permissions('t' for tags) with `--output-level` (string) Define the output verbosity. Available levels: essential, quiet. (default "default") -`--trusted-microsoft-suffixes` (string) Specifies other domain suffixes where Azure Active Directory log in tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies other domain suffixes where Microsoft Entra ID log in tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
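Review bot: the `+` line for `--trusted-microsoft-suffixes` in storage-ref-azcopy-set-properties.md reads "Microsoft Entra ID log in tokens", while the same flag in the other azcopy reference pages in this batch (logout, make, remove, sync, and the top-level azcopy page) is rendered "Microsoft Entra login tokens"; use one phrase, with "login" as a single word when it modifies "tokens", so the flag description stays consistent and searchable across the command reference. A second point in the unchanged context just above it: the `--output-level` line lists the available levels as `essential, quiet` but shows `(default "default")`, which is not one of the listed levels, so either the list or the default is wrong and should be corrected in the same pass.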
storage | Storage Ref Azcopy Sync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy-sync.md | Note: if include and exclude flags are used together, only files matching the in `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies other domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies other domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also |
storage | Storage Ref Azcopy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-ref-azcopy.md | To report issues or to learn more about the tool, see [https://github.com/Azure/ `--output-type` (string) Format of the command's output. The choices include: text, json. The default value is 'text'. (default "text") -`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Azure Active Directory login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. +`--trusted-microsoft-suffixes` (string) Specifies additional domain suffixes where Microsoft Entra login tokens may be sent. The default is '*.core.windows.net;*.core.chinacloudapi.cn;*.core.cloudapi.de;*.core.usgovcloudapi.net;*.storage.azure.net'. Any listed here are added to the default. For security, you should only put Microsoft Azure domains here. Separate multiple entries with semi-colons. ## See also To report issues or to learn more about the tool, see [https://github.com/Azure/ - [azcopy remove](storage-ref-azcopy-remove.md) - [azcopy sync](storage-ref-azcopy-sync.md) - [azcopy set-properties](storage-ref-azcopy-set-properties.md)- |
storage | Storage Rest Api Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-rest-api-auth.md | Now that you understand how to create the request, call the service, and parse t ## Creating the authorization header > [!TIP]-> Azure Storage now supports Azure Active Directory (Azure AD) integration for blobs and queues. Azure AD offers a much simpler experience for authorizing a request to Azure Storage. For more information on using Azure AD to authorize REST operations, see [Authorize with Azure Active Directory](/rest/api/storageservices/authorize-with-azure-active-directory). For an overview of Azure AD integration with Azure Storage, see [Authenticate access to Azure Storage using Azure Active Directory](authorize-data-access.md). +> Azure Storage now supports Microsoft Entra integration for blobs and queues. Microsoft Entra ID offers a much simpler experience for authorizing a request to Azure Storage. For more information on using Microsoft Entra ID to authorize REST operations, see [Authorize with Microsoft Entra ID](/rest/api/storageservices/authorize-with-azure-active-directory). For an overview of Microsoft Entra integration with Azure Storage, see [Authenticate access to Azure Storage using Microsoft Entra ID](authorize-data-access.md). There is an article that explains conceptually (no code) how to [Authorize requests to Azure Storage](/rest/api/storageservices/authorize-requests-to-azure-storage). |
storage | Storage Samples Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-samples-dotnet.md | The following table provides an overview of our samples repository and the scena :::row::: :::column span="":::- [Authenticate using Azure Active Directory](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/storage/Azure.Storage.Queues/samples/Sample01b_HelloWorldAsync.cs#L167) + [Authenticate using Microsoft Entra ID](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/storage/Azure.Storage.Queues/samples/Sample01b_HelloWorldAsync.cs#L167) :::column-end::: :::column span=""::: [Authenticate using a connection string](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/storage/Azure.Storage.Queues/samples/Sample02_Auth.cs#L24) |
storage | Storage Samples Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-samples-javascript.md | The following tables provide an overview of our samples repository and the scena :::row-end::: :::row::: :::column span="":::- [Authenticate using Azure Active Directory](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/azureAdAuth.js) + [Authenticate using Microsoft Entra ID](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/azureAdAuth.js) :::column-end::: :::column span=""::: [Authenticate using a proxy](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/proxyAuth.js) The following tables provide an overview of our samples repository and the scena [Connect using a proxy](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-queue/samples/v12/javascript/proxyAuth.js) :::column-end::: :::column span="":::- [Authenticate using Azure Active Directory](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-queue/samples/v12/javascript/azureAdAuth.js) + [Authenticate using Microsoft Entra ID](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-queue/samples/v12/javascript/azureAdAuth.js) :::column-end::: :::row-end::: |
storage | Storage Sas Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-sas-overview.md | Azure Storage supports three types of shared access signatures: ### User delegation SAS -A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. +A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only. For more information about the user delegation SAS, see [Create a user delegation SAS (REST API)](/rest/api/storageservices/create-user-delegation-sas). You can also delegate access to the following: For more information about the account SAS, [Create an account SAS (REST API)](/rest/api/storageservices/create-account-sas). > [!NOTE]-> Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security. For more information, see [Authorize access to data in Azure Storage](authorize-data-access.md). +> Microsoft recommends that you use Microsoft Entra credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Microsoft Entra credentials to create a user delegation SAS when possible for superior security. For more information, see [Authorize access to data in Azure Storage](authorize-data-access.md). 
A shared access signature can take one of the following two forms: You can sign a SAS token with a user delegation key or with a storage account ke #### Signing a SAS token with a user delegation key -You can sign a SAS token by using a *user delegation key* that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key. +You can sign a SAS token by using a *user delegation key* that was created using Microsoft Entra credentials. A user delegation SAS is signed with the user delegation key. -To get the key, and then create the SAS, an Azure AD security principal must be assigned an Azure role that includes the `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey` action. For more information, see [Create a user delegation SAS (REST API)](/rest/api/storageservices/create-user-delegation-sas). +To get the key, and then create the SAS, a Microsoft Entra security principal must be assigned an Azure role that includes the `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey` action. For more information, see [Create a user delegation SAS (REST API)](/rest/api/storageservices/create-user-delegation-sas). #### Signing a SAS token with an account key The following table summarizes how each type of SAS token is authorized. | Type of SAS | Type of authorization | |-|-|-| User delegation SAS (Blob storage only) | Azure AD | +| User delegation SAS (Blob storage only) | Microsoft Entra ID | | Service SAS | Shared Key | | Account SAS | Shared Key | The following recommendations for using shared access signatures can help mitiga - **Always use HTTPS** to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS. Then, they can use that SAS just as the intended user could have. This can potentially compromise sensitive data or allowing for data corruption by the malicious user. 
-- **Use a user delegation SAS when possible.** A user delegation SAS provides superior security to a service SAS or an account SAS. A user delegation SAS is secured with Azure AD credentials, so that you do not need to store your account key with your code.+- **Use a user delegation SAS when possible.** A user delegation SAS provides superior security to a service SAS or an account SAS. A user delegation SAS is secured with Microsoft Entra credentials, so that you do not need to store your account key with your code. - **Have a revocation plan in place for a SAS.** Make sure you are prepared to respond if a SAS is compromised. |
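Review bot: in the unchanged HTTPS bullet at the end of this hunk in storage-sas-overview.md, "This can potentially compromise sensitive data or allowing for data corruption by the malicious user" does not parse; suggest "This can potentially compromise sensitive data or allow the malicious user to corrupt data." Since the change already touches the recommendations list, fixing it in the same commit is cheap. The `+` lines themselves are consistent with the rest of the batch: "Microsoft Entra credentials" in prose and "Microsoft Entra ID" as the value in the "Type of authorization" column.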
storage | Storage Stored Access Policy Define Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-stored-access-policy-define-dotnet.md | For more information about stored access policies, see [Create a stored access p ## Create a stored access policy -The underlying REST operation to create a stored access policy is [Set Container ACL](/rest/api/storageservices/set-container-acl). You must authorize the operation to create a stored access policy via Shared Key by using the account access keys in a connection string. Authorizing the **Set Container ACL** operation with Azure AD credentials is not supported. For more information, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). +The underlying REST operation to create a stored access policy is [Set Container ACL](/rest/api/storageservices/set-container-acl). You must authorize the operation to create a stored access policy via Shared Key by using the account access keys in a connection string. Authorizing the **Set Container ACL** operation with Microsoft Entra credentials is not supported. For more information, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). The following code examples create a stored access policy on a container. You can use the access policy to specify constraints for a service SAS on the container or its blobs. |
storage | Storage Use Azcopy Authorize Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-authorize-azure-active-directory.md | Title: Authorize access to blobs with AzCopy & Azure Active Directory -description: You can provide authorization credentials for AzCopy operations by using Azure Active Directory (Azure AD). + Title: Authorize access to blobs with AzCopy & Microsoft Entra ID +description: You can provide authorization credentials for AzCopy operations by using Microsoft Entra ID. -# Authorize access to blobs with AzCopy and Azure Active Directory (Azure AD) +# Authorize access to blobs with AzCopy and Microsoft Entra ID -You can provide AzCopy with authorization credentials by using Azure AD. That way, you won't have to append a shared access signature (SAS) token to each command. +You can provide AzCopy with authorization credentials by using Microsoft Entra ID. That way, you won't have to append a shared access signature (SAS) token to each command. Start by verifying your role assignments. Then, choose what type of *security principal* you want to authorize. A [user identity](../../active-directory/fundamentals/add-users-azure-active-directory.md), a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), and a [service principal](../../active-directory/develop/app-objects-and-service-principals.md) are each a type of security principal. -A user identity is any user that has an identity in Azure AD. It's the easiest security principal to authorize. Managed identities and service principals are great options if you plan to use AzCopy inside of a script that runs without user interaction. A managed identity is better suited for scripts that run from an Azure Virtual Machine (VM), and a service principal is better suited for scripts that run on-premises. +A user identity is any user that has an identity in Microsoft Entra ID. 
It's the easiest security principal to authorize. Managed identities and service principals are great options if you plan to use AzCopy inside of a script that runs without user interaction. A managed identity is better suited for scripts that run from an Azure Virtual Machine (VM), and a service principal is better suited for scripts that run on-premises. To authorize access, you'll set in-memory environment variables. Then run any AzCopy command. AzCopy will retrieve the Auth token required to complete the operation. After the operation completes, the token disappears from memory. This is a great option if you plan to use AzCopy inside of a script that runs wi You can sign into your account by using a client secret or by using the password of a certificate that is associated with your service principal's app registration. -To learn more about creating service principal, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +To learn more about creating service principal, see [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). -To learn more about service principals in general, see [Application and service principal objects in Azure Active Directory](../../active-directory/develop/app-objects-and-service-principals.md) +To learn more about service principals in general, see [Application and service principal objects in Microsoft Entra ID](../../active-directory/develop/app-objects-and-service-principals.md) #### Authorize a service principal by using a client secret export AZCOPY_SPA_CLIENT_SECRET=<client-secret> export AZCOPY_TENANT_ID=<tenant-id> ``` -Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. 
Replace the `<client-secret>` placeholder with the client secret. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Azure Active Directory > Properties > Directory ID** in the Azure portal. +Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. Replace the `<client-secret>` placeholder with the client secret. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Microsoft Entra ID > Properties > Directory ID** in the Azure portal. > [!NOTE] > Consider using a prompt to collect the password from the user. That way, your password won't appear in your command history. export AZCOPY_SPA_CERT_PASSWORD=<certificate-password> export AZCOPY_TENANT_ID=<tenant-id> ``` -Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. Replace the `<path-to-certificate-file>` placeholder with the relative or fully qualified path to the certificate file. AzCopy saves the path to this certificate but it doesn't save a copy of the certificate, so make sure to keep that certificate in place. Replace the `<certificate-password>` placeholder with the password of the certificate. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Azure Active Directory > Properties > Directory ID** in the Azure portal. +Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. Replace the `<path-to-certificate-file>` placeholder with the relative or fully qualified path to the certificate file. AzCopy saves the path to this certificate but it doesn't save a copy of the certificate, so make sure to keep that certificate in place. 
Replace the `<certificate-password>` placeholder with the password of the certificate. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Microsoft Entra ID > Properties > Directory ID** in the Azure portal. > [!NOTE] > Consider using a prompt to collect the password from the user. That way, your password won't appear in your command history. If you receive an error, try including the tenant ID of the organization to whic azcopy login --tenant-id=<tenant-id> ``` -Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Azure Active Directory > Properties > Directory ID** in the Azure portal. +Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Microsoft Entra ID > Properties > Directory ID** in the Azure portal. This command returns an authentication code and the URL of a website. Open the website, provide the code, and then choose the **Next** button. Before you run a script, you have to sign in interactively at least one time so You can sign into your account by using a client secret or by using the password of a certificate that is associated with your service principal's app registration. -To learn more about creating service principal, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +To learn more about creating service principal, see [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). 
#### Authorize a service principal by using a client secret (azcopy login command) Next, type the following command, and then press the ENTER key. azcopy login --service-principal --application-id application-id --tenant-id=tenant-id ``` -Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Azure Active Directory > Properties > Directory ID** in the Azure portal. +Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Microsoft Entra ID > Properties > Directory ID** in the Azure portal. #### Authorize a service principal by using a certificate (azcopy login command) Next, type the following command, and then press the ENTER key. azcopy login --service-principal --application-id application-id --certificate-path <path-to-certificate-file> --tenant-id=<tenant-id> ``` -Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. Replace the `<path-to-certificate-file>` placeholder with the relative or fully qualified path to the certificate file. AzCopy saves the path to this certificate but it doesn't save a copy of the certificate, so make sure to keep that certificate in place. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Azure Active Directory > Properties > Directory ID** in the Azure portal. +Replace the `<application-id>` placeholder with the application ID of your service principal's app registration. 
Replace the `<path-to-certificate-file>` placeholder with the relative or fully qualified path to the certificate file. AzCopy saves the path to this certificate but it doesn't save a copy of the certificate, so make sure to keep that certificate in place. Replace the `<tenant-id>` placeholder with the tenant ID of the organization to which the storage account belongs. To find the tenant ID, select **Microsoft Entra ID > Properties > Directory ID** in the Azure portal. > [!NOTE] > Consider using a prompt as shown in this example. That way, your password won't appear in your console's command history. |
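Review bot: the two `azcopy login --service-principal` commands in the unchanged context of storage-use-azcopy-authorize-azure-active-directory.md write the placeholders without angle brackets (`--application-id application-id --tenant-id=tenant-id`), but the `+` lines that follow tell the reader to replace `<application-id>` and `<tenant-id>`, and the certificate variant mixes both styles on one line (`--application-id application-id --certificate-path <path-to-certificate-file> --tenant-id=<tenant-id>`); bracket all of them so the commands match the prose. Two smaller points in the `+` lines: every "To find the tenant ID, select **Microsoft Entra ID > Properties > Directory ID**" sentence keeps the old last segment even though the sentence asks for the tenant ID, so confirm the current label in the portal and update the last segment if it is now shown as Tenant ID; and the NOTE after the client-secret export block says "your password won't appear in your command history" while the value being exported is `AZCOPY_SPA_CLIENT_SECRET`, so "client secret" is the accurate word there (the same NOTE is correct as written under the certificate block, where the value really is a certificate password).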
storage | Storage Use Azcopy Blobs Copy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-blobs-copy.md | AzCopy uses [server-to-server](/rest/api/storageservices/put-block-from-url) [AP See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy and learn about the ways that you can provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD) and that your Azure AD identity has the proper role assignments for both source and destination accounts. +> The examples in this article assume that you've provided authorization credentials by using Microsoft Entra ID and that your Microsoft Entra identity has the proper role assignments for both source and destination accounts. > > Alternatively you can append a SAS token to either the source or destination URL in each AzCopy command. For example: `azcopy copy 'https://<source-storage-account-name>.blob.core.windows.net/<container-name>/<blob-path><SAS-token>' 'https://<destination-storage-account-name>.blob.core.windows.net/<container-name>/<blob-path><SAS-token>'`. See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download Apply the following guidelines to your AzCopy commands. -- If you're using Azure AD authorization for both source and destination, then both accounts must belong to the same Azure AD tenant.+- If you're using Microsoft Entra authorization for both source and destination, then both accounts must belong to the same Microsoft Entra tenant. - Your client must have network access to both the source and destination storage accounts. To learn how to configure the network settings for each storage account, see [Configure Azure Storage firewalls and virtual networks](storage-network-security.md?toc=/azure/storage/blobs/toc.json). 
The copy operation is synchronous so when the command returns, that indicates th Copy blobs to another storage account and add [blob index tags](../blobs/storage-manage-find-blobs.md) to the target blob. -If you're using Azure AD authorization, your security principal must be assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, or it must be given permission to the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftstorage) via a custom Azure role. If you're using a Shared Access Signature (SAS) token, that token must provide access to the blob's tags via the `t` SAS permission. +If you're using Microsoft Entra authorization, your security principal must be assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, or it must be given permission to the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftstorage) via a custom Azure role. If you're using a Shared Access Signature (SAS) token, that token must provide access to the blob's tags via the `t` SAS permission. To add tags, use the `--blob-tags` option along with a URL encoded key-value pair. |
storage | Storage Use Azcopy Blobs Download | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-blobs-download.md | To see examples for other types of tasks such as uploading files, synchronizing See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy and learn about the ways that you can provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD). +> The examples in this article assume that you've provided authorization credentials by using Microsoft Entra ID. > > If you'd rather use a SAS token to authorize access to blob data, then you can append that token to the resource URL in each AzCopy command. For example: `'https://<storage-account-name>.blob.core.windows.net/<container-name><SAS-token>'`. |
storage | Storage Use Azcopy Blobs Properties Metadata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-blobs-properties-metadata.md | You can use AzCopy to change the [access tier](../blobs/access-tiers-overview.md See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy and learn about the ways that you can provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD). +> The examples in this article assume that you've provided authorization credentials by using Microsoft Entra ID. > > If you'd rather use a SAS token to authorize access to blob data, then you can append that token to the resource URL in each AzCopy command. For example: `'https://<storage-account-name>.blob.core.windows.net/<container-name><SAS-token>'`. |
storage | Storage Use Azcopy Blobs Synchronize | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-blobs-synchronize.md | To see examples for other types of tasks such as uploading files, downloading bl See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy and learn about the ways that you can provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD). +> The examples in this article assume that you've provided authorization credentials by using Microsoft Entra ID. > > If you'd rather use a SAS token to authorize access to blob data, then you can append that token to the resource URL in each AzCopy command. For example: `'https://<storage-account-name>.blob.core.windows.net/<container-name><SAS-token>'`. azcopy sync 'https://mystorageaccount.blob.core.windows.net/mycontainer' 'C:\myD The first container that appears in this command is the source. The second one is the destination. Make sure to append a SAS token to each source URL. -If you provide authorization credentials by using Azure Active Directory (Azure AD), you can omit the SAS token only from the destination URL. Make sure that you've set up the proper roles in your destination account. See [Option 1: Use Azure Active Directory](storage-use-azcopy-v10.md?toc=/azure/storage/blobs/toc.json#option-1-use-azure-active-directory). +If you provide authorization credentials by using Microsoft Entra ID, you can omit the SAS token only from the destination URL. Make sure that you've set up the proper roles in your destination account. See [Option 1: Use Microsoft Entra ID](storage-use-azcopy-v10.md?toc=/azure/storage/blobs/toc.json#option-1-use-azure-active-directory). > [!TIP] > This example encloses path arguments with single quotes (''). 
Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). azcopy sync 'https://mysourceaccount.blob.core.windows.net/mycontainer?sv=2018-0 The first directory that appears in this command is the source. The second one is the destination. Make sure to append a SAS token to each source URL. -If you provide authorization credentials by using Azure Active Directory (Azure AD), you can omit the SAS token only from the destination URL. Make sure that you've set up the proper roles in your destination account. See [Option 1: Use Azure Active Directory](storage-use-azcopy-v10.md?toc=/azure/storage/blobs/toc.json#option-1-use-azure-active-directory). +If you provide authorization credentials by using Microsoft Entra ID, you can omit the SAS token only from the destination URL. Make sure that you've set up the proper roles in your destination account. See [Option 1: Use Microsoft Entra ID](storage-use-azcopy-v10.md?toc=/azure/storage/blobs/toc.json#option-1-use-azure-active-directory). > [!TIP] > This example encloses path arguments with single quotes (''). Use single quotes in all command shells except for the Windows Command Shell (cmd.exe). If you're using a Windows Command Shell (cmd.exe), enclose path arguments with double quotes ("") instead of single quotes (''). |
storage | Storage Use Azcopy Blobs Upload | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-blobs-upload.md | To see examples for other types of tasks such as downloading blobs, synchronizin See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy and learn about the ways that you can provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD). +> The examples in this article assume that you've provided authorization credentials by using Microsoft Entra ID. > > If you'd rather use a SAS token to authorize access to blob data, then you can append that token to the resource URL in each AzCopy command. For example: `'https://<storage-account-name>.blob.core.windows.net/<container-name><SAS-token>'`. For detailed reference, see the [azcopy copy](storage-ref-azcopy-copy.md) refere You can upload a file and add [blob index tags](../blobs/storage-manage-find-blobs.md) to the target blob. -If you're using Azure AD authorization, your security principal must be assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, or it must be given permission to the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftstorage) via a custom Azure role. If you're using a Shared Access Signature (SAS) token, that token must provide access to the blob's tags via the `t` SAS permission. 
+If you're using Microsoft Entra authorization, your security principal must be assigned the [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner) role, or it must be given permission to the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write` [Azure resource provider operation](../../role-based-access-control/resource-provider-operations.md#microsoftstorage) via a custom Azure role. If you're using a Shared Access Signature (SAS) token, that token must provide access to the blob's tags via the `t` SAS permission. To add tags, use the `--blob-tags` option along with a URL encoded key-value pair. For example, to add the key `my tag` and a value `my tag value`, you would add `--blob-tags='my%20tag=my%20tag%20value'` to the destination parameter. |
storage | Storage Use Azcopy Google Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-google-cloud.md | AzCopy is a command-line utility that you can use to copy blobs or files to or f ## Choose how you'll provide authorization credentials -- To authorize with Azure Storage, use Azure Active Directory (AD) or a Shared Access Signature (SAS) token.+- To authorize with Azure Storage, use Microsoft Entra ID or a Shared Access Signature (SAS) token. - To authorize with Google Cloud Storage, use a service account key. AzCopy is a command-line utility that you can use to copy blobs or files to or f See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy and learn about the ways that you can provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD). +> The examples in this article assume that you've provided authorization credentials by using Microsoft Entra ID. > > If you'd rather use a SAS token to authorize access to blob data, then you can append that token to the resource URL in each AzCopy command. For example: `'https://<storage-account-name>.blob.core.windows.net/<container-name><SAS-token>'`. |
storage | Storage Use Azcopy Migrate On Premises Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-migrate-on-premises-data.md | Download the AzCopy V10 executable file. Place the AzCopy file anywhere on your computer. Add the location of the file to your system path variable so that you can refer to this executable file from any folder on your computer. -## Authenticate with Azure AD +<a name='authenticate-with-azure-ad'></a> ++## Authenticate with Microsoft Entra ID First, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-queue-data-contributor) role to your identity. See [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md). Copy the AzCopy command to a text editor. Update the parameter values of the AzC These examples assume that your folder is named `myFolder`, your storage account name is `mystorageaccount` and your container name is `mycontainer`. > [!NOTE]-> The Linux example appends a SAS token. You'll need to provide one in your command. The current version of AzCopy V10 doesn't support Azure AD authorization in cron jobs. +> The Linux example appends a SAS token. You'll need to provide one in your command. The current version of AzCopy V10 doesn't support Microsoft Entra authorization in cron jobs. # [Linux](#tab/linux) |
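Review bot: the Storage Blob Data Contributor link in the context right under the renamed "Authenticate with Microsoft Entra ID" heading points at the `#storage-queue-data-contributor` anchor, which is the queue role, not the blob role the sentence names; since this hunk already touches the heading, fix the anchor to the matching `#storage-blob-data-contributor` entry in built-in-roles.md so readers land on the role they are told to assign.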
storage | Storage Use Azcopy S3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-s3.md | AzCopy is a command-line utility that you can use to copy blobs or files to or f ## Choose how you'll provide authorization credentials -- To authorize with the Azure Storage, use Azure Active Directory (AD) or a Shared Access Signature (SAS) token.+- To authorize with the Azure Storage, use Microsoft Entra ID or a Shared Access Signature (SAS) token. - To authorize with AWS S3, use an AWS access key and a secret access key. AzCopy is a command-line utility that you can use to copy blobs or files to or f See the [Get started with AzCopy](storage-use-azcopy-v10.md) article to download AzCopy, and choose how you'll provide authorization credentials to the storage service. > [!NOTE]-> The examples in this article assume that you've authenticated your identity by using the `AzCopy login` command. AzCopy then uses your Azure AD account to authorize access to data in Blob storage. +> The examples in this article assume that you've authenticated your identity by using the `AzCopy login` command. AzCopy then uses your Microsoft Entra account to authorize access to data in Blob storage. > > If you'd rather use a SAS token to authorize access to blob data, then you can append that token to the resource URL in each AzCopy command. > See these articles to configure settings, optimize performance, and troubleshoot - [AzCopy configuration settings](storage-ref-azcopy-configuration-settings.md) - [Optimize the performance of AzCopy](storage-use-azcopy-optimize.md) - [Troubleshoot AzCopy V10 issues in Azure Storage by using log files](storage-use-azcopy-configure.md)- |
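Review bot: the rewritten note spells the command `AzCopy login` inside a code span, while the command reference table in the AzCopy v10 article lists it as `azcopy login`; use the lowercase form so the snippet can be copied as-is on case-sensitive shells and matches the rest of the docs.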
storage | Storage Use Azcopy V10 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-use-azcopy-v10.md | As an owner of your Azure Storage account, you aren't automatically assigned per ## Authorize AzCopy -You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token. +You can provide authorization credentials by using Microsoft Entra ID, or by using a Shared Access Signature (SAS) token. Use this table as a guide: | Storage type | Currently supported method of authorization | |--|--|-|**Blob storage** | Azure AD & SAS | -|**Blob storage (hierarchical namespace)** | Azure AD & SAS | +|**Blob storage** | Microsoft Entra ID & SAS | +|**Blob storage (hierarchical namespace)** | Microsoft Entra ID & SAS | |**File storage** | SAS only | -#### Option 1: Use Azure Active Directory +<a name='option-1-use-azure-active-directory'></a> -This option is available for blob Storage only. By using Azure Active Directory, you can provide credentials once instead of having to append a SAS token to each command. +#### Option 1: Use Microsoft Entra ID ++This option is available for blob Storage only. By using Microsoft Entra ID, you can provide credentials once instead of having to append a SAS token to each command. #### Option 2: Use a SAS token The following table lists all AzCopy v10 commands. 
Each command links to a refer |[azcopy jobs resume](storage-ref-azcopy-jobs-resume.md?toc=/azure/storage/blobs/toc.json)|Resumes the existing job with the given job ID.| |[azcopy jobs show](storage-ref-azcopy-jobs-show.md?toc=/azure/storage/blobs/toc.json)|Shows detailed information for the given job ID.| |[azcopy list](storage-ref-azcopy-list.md?toc=/azure/storage/blobs/toc.json)|Lists the entities in a given resource.|-|[azcopy login](storage-ref-azcopy-login.md?toc=/azure/storage/blobs/toc.json)|Logs in to Azure Active Directory to access Azure Storage resources.| +|[azcopy login](storage-ref-azcopy-login.md?toc=/azure/storage/blobs/toc.json)|Logs in to Microsoft Entra ID to access Azure Storage resources.| |[azcopy login status](storage-ref-azcopy-login-status.md)|Lists the entities in a given resource.| |[azcopy logout](storage-ref-azcopy-logout.md?toc=/azure/storage/blobs/toc.json)|Logs the user out and terminates access to Azure Storage resources.| |[azcopy make](storage-ref-azcopy-make.md?toc=/azure/storage/blobs/toc.json)|Creates a container or file share.| |
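Review bot: in the context rows around the renamed `azcopy login` entry, `azcopy login status` is described as "Lists the entities in a given resource", identical to the `azcopy list` row two lines above, which looks like a copy-paste error; since this hunk already edits the login row, correct the neighbouring description to say it reports the current login state (check the wording against the linked `storage-ref-azcopy-login-status.md`).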
storage | Transport Layer Security Configure Minimum Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/transport-layer-security-configure-minimum-version.md | To set the **MinimumTlsVersion** property for the storage account, a user must h - The Azure Resource Manager [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role - The [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role -These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. +These roles do not provide access to data in a storage account via Microsoft Entra ID. However, they include the **Microsoft.Storage/storageAccounts/listkeys/action**, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account. Role assignments must be scoped to the level of the storage account or higher to permit a user to require a minimum version of TLS for the storage account. For more information about role scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md). Be careful to restrict assignment of these roles only to those who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). 
> [!NOTE]-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ## Network considerations |
storage | Elastic San Networking Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-networking-concepts.md | -You can configure Elastic SAN volume groups to only allow access over specific endpoints on specific virtual network subnets. The allowed subnets may belong to a virtual network in the same subscription, or those in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant. Once network access is configured for a volume group, the configuration is inherited by all volumes belonging to the group. +You can configure Elastic SAN volume groups to only allow access over specific endpoints on specific virtual network subnets. The allowed subnets may belong to a virtual network in the same subscription, or those in a different subscription, including subscriptions belonging to a different Microsoft Entra tenant. Once network access is configured for a volume group, the configuration is inherited by all volumes belonging to the group. Depending on your configuration, applications on peered virtual networks or on-premises networks can also access volumes in the group. On-premises networks must be connected to the virtual network by a VPN or ExpressRoute. For more details about virtual network configurations, see [Azure virtual network infrastructure](../../virtual-network/vnet-integration-for-azure-services.md). |
storage | Elastic San Networking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-networking.md | To configure network access to your Elastic SAN: ## Configure a virtual network endpoint -You can configure your Elastic SAN volume groups to allow access only from endpoints on specific virtual network subnets. The allowed subnets may belong to virtual networks in the same subscription, or those in a different subscription, including a subscription belonging to a different Azure Active Directory tenant. +You can configure your Elastic SAN volume groups to allow access only from endpoints on specific virtual network subnets. The allowed subnets may belong to virtual networks in the same subscription, or those in a different subscription, including a subscription belonging to a different Microsoft Entra tenant. You can allow access to your Elastic SAN volume group from two types of Azure virtual network endpoints: To create a private endpoint for an Elastic SAN volume group, you must have the If you create the endpoint from a user account that has all of the necessary roles and permissions required for creation and approval, the process can be completed in one step. If not, it will require two separate steps by two different users. -The Elastic SAN and the virtual network may be in different resource groups, regions and subscriptions, including subscriptions that belong to different Azure AD tenants. In these examples, we are creating the private endpoint in the same resource group as the virtual network. +The Elastic SAN and the virtual network may be in different resource groups, regions and subscriptions, including subscriptions that belong to different Microsoft Entra tenants. In these examples, we are creating the private endpoint in the same resource group as the virtual network. 
# [Portal](#tab/azure-portal) To configure an Azure Storage service endpoint from the virtual network where ac Virtual network service endpoints are public and accessible via the internet. You can [Configure virtual network rules](#configure-virtual-network-rules) to control access to your volume group when using storage service endpoints. > [!NOTE]-> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through PowerShell, CLI and REST APIs. These rules cannot be configured through the Azure portal, though they may be viewed in the portal. +> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently only supported through PowerShell, CLI and REST APIs. These rules cannot be configured through the Azure portal, though they may be viewed in the portal. # [Portal](#tab/azure-portal) All incoming requests for data over a service endpoint are blocked by default. O You can manage virtual network rules for volume groups through the Azure portal, PowerShell, or CLI. > [!IMPORTANT]-> If you want to enable access to your storage account from a virtual network/subnet in another Azure AD tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Azure AD tenants. +> If you want to enable access to your storage account from a virtual network/subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Microsoft Entra tenants. > > If you delete a subnet that has been included in a network rule, it will be removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group. 
You can manage virtual network rules for volume groups through the Azure portal, ``` > [!TIP]- > To add a network rule for a subnet in a virtual network belonging to another Azure AD tenant, use a fully qualified **VirtualNetworkResourceId** parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name". + > To add a network rule for a subnet in a virtual network belonging to another Microsoft Entra tenant, use a fully qualified **VirtualNetworkResourceId** parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name". - Remove a virtual network rule. You can manage virtual network rules for volume groups through the Azure portal, - Add a network rule for a virtual network and subnet. > [!TIP]- > To add a rule for a subnet in a virtual network belonging to another Azure AD tenant, use a fully-qualified subnet ID in the form `/subscriptions/\<subscription-ID\>/resourceGroups/\<resourceGroup-Name\>/providers/Microsoft.Network/virtualNetworks/\<vNet-name\>/subnets/\<subnet-name\>`. + > To add a rule for a subnet in a virtual network belonging to another Microsoft Entra tenant, use a fully-qualified subnet ID in the form `/subscriptions/\<subscription-ID\>/resourceGroups/\<resourceGroup-Name\>/providers/Microsoft.Network/virtualNetworks/\<vNet-name\>/subnets/\<subnet-name\>`. >- > You can use the **subscription** parameter to retrieve the subnet ID for a virtual network belonging to another Azure AD tenant. + > You can use the **subscription** parameter to retrieve the subnet ID for a virtual network belonging to another Microsoft Entra tenant. ```azurecli # First, get the current length of the list of virtual networks. This is needed to ensure you append a new network instead of replacing existing ones. |
storage | File Sync Firewall And Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/file-sync/file-sync-firewall-and-proxy.md | description: Understand Azure File Sync on-premises proxy and firewall settings. Previously updated : 04/04/2023 Last updated : 10/12/2023 The following table describes the required domains for communication: | Service | Public cloud endpoint | Azure Government endpoint | Usage | ||-||| | **Azure Resource Manager** | `https://management.azure.com` | `https://management.usgovcloudapi.net` | Any user call (like PowerShell) goes to/through this URL, including the initial server registration call. |-| **Azure Active Directory** | `https://login.windows.net`<br>`https://login.microsoftonline.com` | `https://login.microsoftonline.us` | Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication. | -| **Azure Active Directory** | `https://graph.microsoft.com/` | `https://graph.microsoft.com/` | As part of deploying Azure File Sync, a service principal in the subscription's Azure Active Directory will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges. | -| **Azure Active Directory** | `https://secure.aadcdn.microsoftonline-p.com` | `https://secure.aadcdn.microsoftonline-p.com`<br>(same as public cloud endpoint URL) | This URL is accessed by the Active Directory authentication library that the Azure File Sync server registration UI uses to log in the administrator. | +| **Microsoft Entra ID** | `https://login.windows.net`<br>`https://login.microsoftonline.com`<br>`https://aadcdn.msftauth.net` | `https://login.microsoftonline.us` | Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication. 
| +| **Microsoft Entra ID** | `https://graph.microsoft.com/` | `https://graph.microsoft.com/` | As part of deploying Azure File Sync, a service principal in the subscription's Microsoft Entra ID will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges. | +| **Microsoft Entra ID** | `https://secure.aadcdn.microsoftonline-p.com` | `https://secure.aadcdn.microsoftonline-p.com`<br>(same as public cloud endpoint URL) | This URL is accessed by the Active Directory authentication library that the Azure File Sync server registration UI uses to log in the administrator. | | **Azure Storage** | *.core.windows.net | *.core.usgovcloudapi.net | When the server downloads a file, then the server performs that data movement more efficiently when talking directly to the Azure file share in the Storage Account. The server has a SAS key that only allows for targeted file share access. | | **Azure File Sync** | *.one.microsoft.com<br>*.afs.azure.net | *.afs.azure.us | After initial server registration, the server receives a regional URL for the Azure File Sync service instance in that region. The server can use the URL to communicate directly and efficiently with the instance handling its sync. 
| | **Microsoft PKI** | `https://www.microsoft.com/pki/mscorp/cps`<br>`http://crl.microsoft.com/pki/mscorp/crl/`<br>`http://mscrl.microsoft.com/pki/mscorp/crl/`<br>`http://ocsp.msocsp.com`<br>`http://ocsp.digicert.com/`<br>`http://crl3.digicert.com/` | `https://www.microsoft.com/pki/mscorp/cps`<br>`http://crl.microsoft.com/pki/mscorp/crl/`<br>`http://mscrl.microsoft.com/pki/mscorp/crl/`<br>`http://ocsp.msocsp.com`<br>`http://ocsp.digicert.com/`<br>`http://crl3.digicert.com/` | Once the Azure File Sync agent is installed, the PKI URL is used to download intermediate certificates required to communicate with the Azure File Sync service and Azure file share. The OCSP URL is used to check the status of a certificate. | |
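Review bot: the Microsoft Entra ID row gains `https://aadcdn.msftauth.net` in the public cloud endpoint column, but the Azure Government column still lists only `https://login.microsoftonline.us`; confirm whether a Government equivalent is required and, if the same host applies, state it in that column the way the third Entra row and the PKI row do, because firewall administrators reading only the Government column will otherwise miss a domain that the public-cloud column says is needed.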
storage | File Sync Networking Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/file-sync/file-sync-networking-overview.md | Azure File Sync requires the IP address ranges for the following services, as id | Azure File Sync | The Azure File Sync service, as represented by the Storage Sync Service object, is responsible for the core activity of syncing data between an Azure file share and a Windows file server. | `StorageSyncService` | | Azure Files | All data synchronized via Azure File Sync is stored in Azure file share. Files changed on your Windows file servers are replicated to your Azure file share, and files tiered on your on-premises file server are seamlessly downloaded when a user requests them. | `Storage` | | Azure Resource Manager | The Azure Resource Manager is the management interface for Azure. All management calls, including Azure File Sync server registration and ongoing sync server tasks, are made through the Azure Resource Manager. | `AzureResourceManager` |-| Azure Active Directory | Azure Active Directory, or Azure AD, contains the user principals required to authorize server registration against a Storage Sync Service, and the service principals required for Azure File Sync to be authorized to access your cloud resources. | `AzureActiveDirectory` | +| Microsoft Entra ID | Microsoft Entra ID (formerly Azure AD) contains the user principals required to authorize server registration against a Storage Sync Service, and the service principals required for Azure File Sync to be authorized to access your cloud resources. | `AzureActiveDirectory` | If you're using Azure File Sync within Azure, even if it's in a different region, you can use the name of the service tag directly in your network security group to allow traffic to that service. To learn more, see [Network security groups](../../virtual-network/network-security-groups-overview.md). |
storage | File Sync Resource Move | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/file-sync/file-sync-resource-move.md | Title: Azure File Sync resource moves and topology changes -description: Learn how to move sync resources across resource groups, subscriptions, and Azure Active Directory tenants. +description: Learn how to move sync resources across resource groups, subscriptions, and Microsoft Entra tenants. Last updated 09/21/2023 -# Move Azure File Sync resources to a different resource group, subscription, or Azure AD tenant +# Move Azure File Sync resources to a different resource group, subscription, or Microsoft Entra tenant -This article describes how to make changes to resource group, subscription, or Azure Active Directory (Azure AD) tenant for your Azure File Sync cloud resources and Azure storage accounts. +This article describes how to make changes to resource group, subscription, or Microsoft Entra tenant for your Azure File Sync cloud resources and Azure storage accounts. When planning to make changes to the Azure File Sync cloud resources, it's important to consider the storage resources at the same time. The following resources exist: As a best practice, the Storage Sync Service and the storage accounts that have * Storage Sync Service and storage accounts are located in **different subscriptions** (same Azure tenant) > [!IMPORTANT]-> Through different combinations of moves, a Storage Sync Service and storage accounts can end up in different subscriptions, governed by different Azure AD tenants. Sync would even appear to be working, but this is not a supported configuration. Sync can stop in the future with no ability to get back into a working condition. +> Through different combinations of moves, a Storage Sync Service and storage accounts can end up in different subscriptions, governed by different Microsoft Entra tenants. Sync would even appear to be working, but this is not a supported configuration. 
Sync can stop in the future with no ability to get back into a working condition. -When planning your resource move, there are different considerations for [moving within the same Azure AD tenant](#move-within-the-same-azure-active-directory-tenant) and moving across [to a different Azure AD tenant](#move-to-a-new-azure-active-directory-tenant). When moving Azure AD tenants, always move sync and storage resources together. +When planning your resource move, there are different considerations for [moving within the same Microsoft Entra tenant](#move-within-the-same-azure-active-directory-tenant) and moving across [to a different Microsoft Entra tenant](#move-to-a-new-azure-active-directory-tenant). When moving Microsoft Entra tenants, always move sync and storage resources together. -### Move within the same Azure Active Directory tenant +<a name='move-within-the-same-azure-active-directory-tenant'></a> ++### Move within the same Microsoft Entra tenant :::row::: :::column::: When planning your resource move, there are different considerations for [moving > [!WARNING] > When you move a storage account resource, sync will stop immediately. You have to manually authorize sync to access the relevant storage accounts in the new subscription. The [Azure File Sync storage access authorization](#azure-file-sync-storage-access-authorization) section will provide the necessary steps. -### Move to a new Azure Active Directory tenant +<a name='move-to-a-new-azure-active-directory-tenant'></a> ++### Move to a new Microsoft Entra tenant -Individual resources like a Storage Sync Service or storage account can't move by themselves to a different Azure AD tenant. Only Azure subscriptions can move across Azure AD tenants. Think about your subscription structure in the new Azure AD tenant. You can use a dedicated subscription for Azure File Sync. +Individual resources like a Storage Sync Service or storage account can't move by themselves to a different Microsoft Entra tenant. 
Only Azure subscriptions can move across Microsoft Entra tenants. Think about your subscription structure in the new Microsoft Entra tenant. You can use a dedicated subscription for Azure File Sync. 1. Create an Azure subscription (or determine an existing one in the old tenant that should move).-1. [Perform a subscription move within the same Azure AD tenant](#move-within-the-same-azure-active-directory-tenant) of your Storage Sync Service and all associated storage accounts. -1. Sync will stop. Complete your tenant move immediately or [restore sync's ability to access the storage accounts that moved](#azure-file-sync-storage-access-authorization). You can then move to the new Azure AD tenant later. +1. [Perform a subscription move within the same Microsoft Entra tenant](#move-within-the-same-azure-active-directory-tenant) of your Storage Sync Service and all associated storage accounts. +1. Sync will stop. Complete your tenant move immediately or [restore sync's ability to access the storage accounts that moved](#azure-file-sync-storage-access-authorization). You can then move to the new Microsoft Entra tenant later. -Once all related Azure File Sync resources have been sequestered into their own subscription, you're ready to move the entire subscription to the target Azure AD tenant. The [transfer subscription guide](../../role-based-access-control/transfer-subscription.md) allows you to plan and execute such a transfer. +Once all related Azure File Sync resources have been sequestered into their own subscription, you're ready to move the entire subscription to the target Microsoft Entra tenant. The [transfer subscription guide](../../role-based-access-control/transfer-subscription.md) allows you to plan and execute such a transfer. > [!WARNING] > When you transfer a subscription from one tenant to another, sync will stop immediately. You have to manually authorize sync to access the relevant storage accounts in the new subscription. 
The [Azure File Sync storage access authorization](#azure-file-sync-storage-access-authorization) section will provide the necessary steps. Once all related Azure File Sync resources have been sequestered into their own You're ready to start the migration once you have a plan and the required permissions: 1. In the Azure portal, navigate to your subscription **Overview** blade. 1. Select **Change directory**.- 1. Follow the wizard steps to assign the new Azure AD tenant. + 1. Follow the wizard steps to assign the new Microsoft Entra tenant. :::column-end::: :::row-end::: ## Azure File Sync storage access authorization -When storage accounts are moved to either a new subscription or are moved within a subscription to a new Azure Active Directory tenant, sync will stop. Role-based access control (RBAC) is used to authorize Azure File Sync to access a storage account, and these role assignments aren't migrated with the resources. +When storage accounts are moved to either a new subscription or are moved within a subscription to a new Microsoft Entra tenant, sync will stop. Role-based access control (RBAC) is used to authorize Azure File Sync to access a storage account, and these role assignments aren't migrated with the resources. ### Azure File Sync service principal When storage accounts are moved to either a new subscription or are moved within :::image type="content" source="media/storage-sync-resource-move/storage-sync-resource-move-afs-rp-registered-small.png" alt-text="An image showing the Azure portal, subscription management, registered resource providers." lightbox="media/storage-sync-resource-move/storage-sync-resource-move-afs-rp-registered.png"::: :::column-end::: :::column:::- The Azure File Sync service principal must exist in your Azure AD tenant before you can authorize sync access to a storage account. 
</br></br> When you create a new Azure subscription today, the Azure File Sync resource provider *Microsoft.StorageSync* is automatically registered with your subscription. Resource provider registration will make a *service principal* for sync available in the Azure Active Directory tenant that governs the subscription. A service principal is similar to a user account in your Azure AD. You can use the Azure File Sync service principal to authorize access to resources via role-based access control (RBAC). The only resources sync needs access to are your storage accounts containing the file shares that are supposed to sync. *Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account. </br></br> This assignment is done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. When a storage account moves to a new subscription or Azure AD tenant, this role assignment is lost and [must be manually reestablished](#establish-sync-access-to-a-storage-account). + The Azure File Sync service principal must exist in your Microsoft Entra tenant before you can authorize sync access to a storage account. </br></br> When you create a new Azure subscription today, the Azure File Sync resource provider *Microsoft.StorageSync* is automatically registered with your subscription. Resource provider registration will make a *service principal* for sync available in the Microsoft Entra tenant that governs the subscription. A service principal is similar to a user account in your Microsoft Entra ID. You can use the Azure File Sync service principal to authorize access to resources via role-based access control (RBAC). The only resources sync needs access to are your storage accounts containing the file shares that are supposed to sync. 
*Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account. </br></br> This assignment is done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. When a storage account moves to a new subscription or Microsoft Entra tenant, this role assignment is lost and [must be manually reestablished](#establish-sync-access-to-a-storage-account). :::column-end::: :::row-end::: When storage accounts are moved to either a new subscription or are moved within The [Azure File Sync service principal](#azure-file-sync-service-principal) must be used to authorize access to a storage account via role-based access control (RBAC). *Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account. -This assignment is typically done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. However, when a storage account moves to a new subscription or Azure AD tenant, this role assignment is lost and must be manually reestablished. +This assignment is typically done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. However, when a storage account moves to a new subscription or Microsoft Entra tenant, this role assignment is lost and must be manually reestablished. :::row::: :::column::: |
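Review bot: In the rewritten service-principal paragraph (the `+` line that starts "The Azure File Sync service principal must exist in your Microsoft Entra tenant"), the sentence "A service principal is similar to a user account in your Microsoft Entra ID" reads oddly, because Microsoft Entra ID is the product name rather than a directory instance; "in your Microsoft Entra tenant" matches the wording used in the rest of the same paragraph. The renamed headings keep their old slugs reachable through the added `<a name='move-within-the-same-azure-active-directory-tenant'></a>` and `<a name='move-to-a-new-azure-active-directory-tenant'></a>` anchors, and the in-article links still target those old slugs, which works as long as the anchors stay directly above the headings. The operationally important statement is unchanged and should stay adjacent to the move steps: after any subscription or tenant move, the **Reader and Data access** assignment for *Microsoft.StorageSync* on the storage account is dropped and sync stops until it is re-created by hand.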
storage | Analyze Files Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/analyze-files-metrics.md | Azure Monitor provides the [.NET SDK](https://www.nuget.org/packages/Microsoft.A In these examples, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the Azure Files service. You can find these resource IDs on the **Properties** pages of your storage account in the Azure portal. -Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). ### List the account-level metric definition |
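Review bot: The `<AccessKey>` placeholder in this sentence is a value the reader is sent to the service-principal article to obtain, so it is an application credential for the Microsoft Entra app, not the storage account access key that the neighbouring Azure Files articles talk about. Since the link text is being rewritten anyway, consider renaming the placeholder (for example to match the `<application-ID>` style) or adding a short parenthetical after it, so readers do not paste a storage account key where the client library expects the application's secret.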
storage | Authorize Data Operations Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/authorize-data-operations-portal.md | Title: Authorize access to Azure file share data in the Azure portal -description: When you access file data using the Azure portal, the portal makes requests to Azure Files behind the scenes. These requests can be authenticated and authorized using either your Azure AD account or the storage account access key. +description: When you access file data using the Azure portal, the portal makes requests to Azure Files behind the scenes. These requests can be authenticated and authorized using either your Microsoft Entra account or the storage account access key. -When you access file data using the [Azure portal](https://portal.azure.com?azure-portal=true), the portal makes requests to Azure Files behind the scenes. These requests can be authorized using either your Azure AD account or the storage account access key. The portal indicates which method you're using, and enables you to switch between the two if you have the appropriate permissions. +When you access file data using the [Azure portal](https://portal.azure.com?azure-portal=true), the portal makes requests to Azure Files behind the scenes. These requests can be authorized using either your Microsoft Entra account or the storage account access key. The portal indicates which method you're using, and enables you to switch between the two if you have the appropriate permissions. You can also specify how to authorize an individual file share operation in the Azure portal. By default, the portal uses whichever method you're already using to authorize all file shares, but you have the option to change this setting for individual file shares. You can also specify how to authorize an individual file share operation in the Depending on how you want to authorize access to file data in the Azure portal, you'll need specific permissions. 
In most cases, these permissions are provided via [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). -### Use your Azure AD account +<a name='use-your-azure-ad-account'></a> -To access file data from the Azure portal using your Azure AD account, both of the following statements must be true: +### Use your Microsoft Entra account ++To access file data from the Azure portal using your Microsoft Entra account, both of the following statements must be true: - You're assigned either a built-in or custom role that provides access to file data. - You're assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. There are two new built-in roles that have the required permissions to access fi - [Storage File Data Privileged Reader](../../role-based-access-control/built-in-roles.md#storage-file-data-privileged-reader) - [Storage File Data Privileged Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-privileged-contributor) -For information about the built-in roles that support access to file data, see [Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST](authorize-oauth-rest.md). +For information about the built-in roles that support access to file data, see [Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST](authorize-oauth-rest.md). > [!NOTE] > The **Storage File Data Privileged Contributor** role has permissions to read, write, delete, and modify ACLs/NTFS permissions on files/directories in Azure file shares. Modifying ACLs/NTFS permissions isn't supported via the Azure portal. 
To access file data with the storage account access key, you must have an Azure - The Azure Resource Manager [Contributor role](../../role-based-access-control/built-in-roles.md#contributor) - The Azure Resource Manager [Owner role](../../role-based-access-control/built-in-roles.md#owner) -When you attempt to access file data in the Azure portal, the portal first checks whether you've been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you've been assigned a role with this action, then the portal uses the storage account key for accessing file data. If you haven't been assigned a role with this action, then the portal attempts to access data using your Azure AD account. +When you attempt to access file data in the Azure portal, the portal first checks whether you've been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you've been assigned a role with this action, then the portal uses the storage account key for accessing file data. If you haven't been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account. > [!IMPORTANT]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation isn't permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Azure AD credentials to access file data in the portal. For information about accessing file data in the Azure portal with Azure AD, see [Use your Azure AD account](#use-your-azure-ad-account). +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation isn't permitted for that storage account. 
**List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Microsoft Entra credentials to access file data in the portal. For information about accessing file data in the Azure portal with Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account). > [!NOTE]-> The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access file data with the storage account key. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access file data with the storage account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). ## Specify how to authorize operations on a specific file share You can change the authentication method for individual file shares. By default, 1. 
Navigate to your storage account in the Azure portal and select **Data storage** > **File shares** from the left navigation. 1. Select a file share. 1. Select **Browse**.-1. The **Authentication method** indicates whether you're currently using the storage account access key or your Azure AD account to authenticate and authorize file share operations. If you're currently authenticating using the storage account access key, you'll see **Access Key** specified as the authentication method, as in the following image. If you're authenticating using your Azure AD account, you'll see **Azure AD User Account** specified instead. +1. The **Authentication method** indicates whether you're currently using the storage account access key or your Microsoft Entra account to authenticate and authorize file share operations. If you're currently authenticating using the storage account access key, you'll see **Access Key** specified as the authentication method, as in the following image. If you're authenticating using your Microsoft Entra account, you'll see **Microsoft Entra user account** specified instead. :::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot showing the authentication method set to access key."::: -### Authenticate with your Azure AD account +<a name='authenticate-with-your-azure-ad-account'></a> ++### Authenticate with your Microsoft Entra account -To switch to using your Azure AD account, select the link highlighted in the image that says **Switch to Azure AD User Account**. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the necessary permissions, you'll see an error message that you don't have permissions to list the data using your user account with Azure AD. +To switch to using your Microsoft Entra account, select the link highlighted in the image that says **Switch to Microsoft Entra user account**. 
If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the necessary permissions, you'll see an error message that you don't have permissions to list the data using your user account with Microsoft Entra ID. -Two additional RBAC permissions are required to use your Azure AD account: +Two additional RBAC permissions are required to use your Microsoft Entra account: - `Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action` - `Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action` -No file shares will appear in the list if your Azure AD account lacks permissions to view them. +No file shares will appear in the list if your Microsoft Entra account lacks permissions to view them. ### Authenticate with the storage account access key To switch to using the account access key, select the link that says **Switch to No file shares appear in the list if you don't have access to the storage account access key. -## Default to Azure AD authorization in the Azure portal +<a name='default-to-azure-ad-authorization-in-the-azure-portal'></a> ++## Default to Microsoft Entra authorization in the Azure portal -When you create a new storage account, you can specify that the Azure portal will default to authorization with Azure AD when a user navigates to file data. You can also configure this setting for an existing storage account. This setting specifies the default authorization method only. Keep in mind that a user can override this setting and choose to authorize data access with the storage account key. +When you create a new storage account, you can specify that the Azure portal will default to authorization with Microsoft Entra ID when a user navigates to file data. You can also configure this setting for an existing storage account. This setting specifies the default authorization method only. 
Keep in mind that a user can override this setting and choose to authorize data access with the storage account key. -To specify that the portal will use Azure AD authorization by default for data access when you create a storage account, follow these steps: +To specify that the portal will use Microsoft Entra authorization by default for data access when you create a storage account, follow these steps: 1. Create a new storage account, following the instructions in [Create a storage account](../common/storage-account-create.md).-1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Azure Active Directory authorization in the Azure portal**. +1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Microsoft Entra authorization in the Azure portal**. - :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Azure AD authorization in Azure portal for new account."::: + :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Microsoft Entra authorization in Azure portal for new account."::: 1. Select **Review + create** to run validation and create the storage account. To update this setting for an existing storage account, follow these steps: 1. Navigate to the storage account overview in the Azure portal. 1. Under **Settings**, select **Configuration**.-1. Set **Default to Azure Active Directory authorization in the Azure portal** to **Enabled**. +1. Set **Default to Microsoft Entra authorization in the Azure portal** to **Enabled**. 
## See also -- [Access Azure file shares using Azure AD with Azure Files OAuth over REST](authorize-oauth-rest.md)+- [Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST](authorize-oauth-rest.md) - [Authorize access to data in Azure Storage](../common/authorize-data-access.md) |
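Review bot: The portal UI strings are renamed in the prose (**Microsoft Entra user account**, **Switch to Microsoft Entra user account**, **Default to Microsoft Entra authorization in the Azure portal**) and in the image alt text, but the screenshot files referenced on the same lines (`media/authorize-data-operations-portal/auth-method-access-key.png` and `default-auth-account-create-portal.png`) are not touched by this change; confirm that the portal actually shows the new labels and refresh the images, otherwise the steps tell readers to select a control whose on-screen name differs from the doc. The security caveat that survives the rename is worth keeping prominent: when a user holds `Microsoft.Storage/storageAccounts/listkeys/action` the portal prefers the account key, and the new default-to-Entra setting only changes the default, so restricting that action is still what prevents key-based access from the portal.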
storage | Authorize Oauth Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/authorize-oauth-rest.md | Title: Enable admin-level read and write access to Azure file shares using Azure Active Directory with Azure Files OAuth over REST -description: Authorize access to Azure file shares and directories via the OAuth authentication protocol over REST APIs using Azure Active Directory (Azure AD). Assign Azure roles for access rights. Access files with an Azure AD account. + Title: Enable admin-level read and write access to Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST +description: Authorize access to Azure file shares and directories via the OAuth authentication protocol over REST APIs using Microsoft Entra ID. Assign Azure roles for access rights. Access files with a Microsoft Entra account. -# Access Azure file shares using Azure Active Directory with Azure Files OAuth over REST +# Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST -Azure Files OAuth over REST enables admin-level read and write access to Azure file shares for users and applications via the [OAuth](https://oauth.net/) authentication protocol, using Azure Active Directory (Azure AD) for REST API based access. Users, groups, first-party services such as Azure portal, and third-party services and applications using REST interfaces can now use OAuth authentication and authorization with an Azure AD account to access data in Azure file shares. PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure file shares. +Azure Files OAuth over REST enables admin-level read and write access to Azure file shares for users and applications via the [OAuth](https://oauth.net/) authentication protocol, using Microsoft Entra ID for REST API based access. 
Users, groups, first-party services such as Azure portal, and third-party services and applications using REST interfaces can now use OAuth authentication and authorization with a Microsoft Entra account to access data in Azure file shares. PowerShell cmdlets and Azure CLI commands that call REST APIs can also use OAuth to access Azure file shares. > [!IMPORTANT] > You must call the REST API using an explicit header to indicate your intent to use the additional privilege. This is also true for Azure PowerShell and Azure CLI access. Azure Files OAuth over REST enables admin-level read and write access to Azure f Azure Files OAuth over REST only supports the FileREST Data APIs that support operations on files and directories. OAuth isn't supported on FilesREST data plane APIs that manage FileService and FileShare resources. These management APIs are called using the Storage Account Key or SAS token, and are exposed through the data plane for legacy reasons. We recommend using the control plane APIs (the storage resource provider - Microsoft.Storage) that support OAuth for all management activities related to FileService and FileShare resources. -Authorizing file data operations with Azure AD is supported only for REST API versions 2022-11-02 and later. See [Versioning for Azure Storage](/rest/api/storageservices/versioning-for-the-azure-storage-services). +Authorizing file data operations with Microsoft Entra ID is supported only for REST API versions 2022-11-02 and later. See [Versioning for Azure Storage](/rest/api/storageservices/versioning-for-the-azure-storage-services). ## Customer use cases OAuth authentication and authorization with Azure Files over the REST API interf ### Application development and service integration -OAuth authentication and authorization enable developers to build applications that access Azure Storage REST APIs using user or application identities from Azure AD. 
+OAuth authentication and authorization enable developers to build applications that access Azure Storage REST APIs using user or application identities from Microsoft Entra ID. Customers and partners can also enable first-party and third-party services to configure necessary access securely and transparently to a customer storage account. Customers with applications and managed identities that require access to file s ### Storage account key replacement -Azure AD provides superior security and ease of use over shared key access. You can replace storage account key access with OAuth authentication and authorization to access Azure File shares with read-all/write-all privileges. This approach also offers better auditing and tracking specific user access. +Microsoft Entra ID provides superior security and ease of use over shared key access. You can replace storage account key access with OAuth authentication and authorization to access Azure File shares with read-all/write-all privileges. This approach also offers better auditing and tracking specific user access. ## Privileged access and access permissions for data operations There are many [built-in roles](../../role-based-access-control/built-in-roles.m ## Authorize access to file data in application code -The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Azure AD via the [Azure SDK](https://github.com/Azure/azure-sdk). The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of requests from the Azure file service. +The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Microsoft Entra ID via the [Azure SDK](https://github.com/Azure/azure-sdk). 
The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of requests from the Azure file service. An advantage of the Azure Identity client library is that it enables you to use the same code to acquire the access token whether your application is running in the development environment or in Azure. The Azure Identity client library returns an access token for a security principal. When your code is running in Azure, the security principal may be a managed identity for Azure resources, a service principal, or a user or group. In the development environment, the client library provides an access token for either a user or a service principal for testing purposes. You can also authorize access to file data using the Azure portal or Azure Power # [Azure portal](#tab/portal) -The [Azure portal](https://portal.azure.com?azure-portal=true) can use either your Azure AD account or the storage account access key to access file data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you. +The [Azure portal](https://portal.azure.com?azure-portal=true) can use either your Microsoft Entra account or the storage account access key to access file data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you. -When you attempt to access file data, the Azure portal first checks whether you've been assigned an Azure role with `Microsoft.Storage/storageAccounts/listkeys/action`. If you've been assigned a role with this action, then the Azure portal uses the account key for accessing file data via shared key authorization. 
If you haven't been assigned a role with this action, then the Azure portal attempts to access data using your Azure AD account. +When you attempt to access file data, the Azure portal first checks whether you've been assigned an Azure role with `Microsoft.Storage/storageAccounts/listkeys/action`. If you've been assigned a role with this action, then the Azure portal uses the account key for accessing file data via shared key authorization. If you haven't been assigned a role with this action, then the Azure portal attempts to access data using your Microsoft Entra account. -To access file data from the Azure portal using your Azure AD account, you need permissions to access file data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure grant access to file resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires assigning an Azure Resource Manager (ARM) role such as the **Reader** role, scoped to the level of the storage account or higher. The **Reader** role grants the most restrictive permissions, but any ARM role that grants access to storage account management resources is acceptable. +To access file data from the Azure portal using your Microsoft Entra account, you need permissions to access file data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure grant access to file resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires assigning an Azure Resource Manager (ARM) role such as the **Reader** role, scoped to the level of the storage account or higher. The **Reader** role grants the most restrictive permissions, but any ARM role that grants access to storage account management resources is acceptable. 
The Azure portal indicates which authorization scheme is in use when you navigate to a container. For more information about data access in the portal, see [Choose how to authorize access to file data in the Azure portal](authorize-data-operations-portal.md). # [Azure PowerShell](#tab/powershell) -Azure provides extensions for PowerShell that enable you to sign in and call PowerShell cmdlets using Azure AD credentials. When you sign into PowerShell with Azure AD credentials, an OAuth 2.0 access token is returned. PowerShell automatically uses that token to authorize subsequent data operations against file storage. For supported operations, you no longer need to pass an account key or SAS token with the command. +Azure provides extensions for PowerShell that enable you to sign in and call PowerShell cmdlets using Microsoft Entra credentials. When you sign into PowerShell with Microsoft Entra credentials, an OAuth 2.0 access token is returned. PowerShell automatically uses that token to authorize subsequent data operations against file storage. For supported operations, you no longer need to pass an account key or SAS token with the command. -You can assign permissions to file data to an Azure AD security principal via Azure RBAC. +You can assign permissions to file data to a Microsoft Entra security principal via Azure RBAC. ## Supported operations -The extensions only support operations on file data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you signed into PowerShell. +The extensions only support operations on file data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you signed into PowerShell. The storage context with OAuth will only work if it's called with the `-EnableFileBackupRequestIntent` parameter. This is to specify the explicit intent to use the additional permissions that this feature provides. 
To authorize access to file data, follow these steps. $file = Set-AzStorageFileContent -ShareName $fileshareName -Path "test2" -Source "<local source file path>" -Context $ctx ``` - Because the cmdlets are called using the storage account context from step 4, the file and directory will be created using Azure AD credentials. + Because the cmdlets are called using the storage account context from step 4, the file and directory will be created using Microsoft Entra credentials. # [Azure CLI](#tab/cli) -Core Azure CLI commands that ship as part of CLI support Files OAuth over REST interface, and you can use them to authenticate and authorize file data operations using Azure AD credentials. +Core Azure CLI commands that ship as part of CLI support Files OAuth over REST interface, and you can use them to authenticate and authorize file data operations using Microsoft Entra credentials. ## Supported operations -The commands only support operations on file data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you signed into Azure CLI. +The commands only support operations on file data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you signed into Azure CLI. OAuth authentication and authorization will only work if the CLI command is called with the `--backup-intent` option or `--enable-file-backup-request-intent` option. This is to specify the explicit intent to use the additional permissions that this feature provides. If you haven't already done so, [install the latest version of Azure CLI](/cli/a az storage file upload --account-name filesoauthsa --share-name testshare1 --auth-mode login --backup-intent --source <source file path> ``` - Because the cli commands are called using authentication type as login (`--auth mode`login and `--backup-intent` parameter), the file and directory will be created using Azure AD credentials. 
+ Because the cli commands are called using authentication type as login (`--auth mode`login and `--backup-intent` parameter), the file and directory will be created using Microsoft Entra credentials. For more information refer to the latest CLI documentation for supported commands: |
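Review bot: the Azure CLI tab carries a pre-existing typo through the rename: the rewritten closing sentence reads "Because the cli commands are called using authentication type as login (`--auth mode`login and `--backup-intent` parameter)", but the invocation shown just above it uses `--auth-mode login`. Since the `+` line rewrites this sentence anyway, correct it to `--auth-mode login`, capitalize `CLI`, and drop "authentication type as login" in favour of "with `--auth-mode login` and `--backup-intent`". Both tabs describe the intent flag (`-EnableFileBackupRequestIntent` in PowerShell, `--backup-intent` or `--enable-file-backup-request-intent` in the CLI) only as "the explicit intent to use the additional permissions that this feature provides"; a reader deciding whether to grant this path to a service principal needs to know what those permissions are, so add one sentence naming them or linking to where they are listed.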
storage | Files Nfs Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/files-nfs-protocol.md | Unlike Azure Files using the SMB protocol, file shares using the NFS protocol do A private endpoint (also called a private link) gives your storage account a private, static IP address within your virtual network, preventing connectivity interruptions from dynamic IP address changes. Traffic to your storage account stays within peered virtual networks, including those in other regions and on premises. Standard [data processing rates](https://azure.microsoft.com/pricing/details/private-link/) apply. -If you don't require a static IP address, you can enable a [service endpoint](../../virtual-network/virtual-network-service-endpoints-overview.md) for Azure Files within the virtual network. A service endpoint configures storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Azure AD tenant. There's no extra charge for using service endpoints. +If you don't require a static IP address, you can enable a [service endpoint](../../virtual-network/virtual-network-service-endpoints-overview.md) for Azure Files within the virtual network. A service endpoint configures storage accounts to allow access only from specific subnets. The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Microsoft Entra tenant. There's no extra charge for using service endpoints. If you want to access shares from on-premises, then you must set up a VPN or ExpressRoute in addition to a private endpoint. Requests that don't originate from the following sources will be rejected: |
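Review bot: the rename is correct, but the sentence "The allowed subnets can belong to a virtual network in the same subscription or a different subscription, including those that belong to a different Microsoft Entra tenant." states a cross-tenant trust without a caveat. A service-endpoint allow rule admits every workload in the listed subnet, so a rule for a subnet in another tenant trusts whoever administers that tenant's network. Suggest one sentence advising that cross-tenant subnet rules be limited to subnets the share owner controls or has vetted, and pointing readers who need a fixed, single-tenant ingress back to the private endpoint option in the preceding paragraph.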
storage | Files Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/files-whats-new.md | description: Learn about new features and enhancements in Azure Files and Azure Previously updated : 10/11/2023 Last updated : 10/12/2023 Azure Files is updated regularly to offer new features and enhancements. This ar #### Azure Files now supports all valid Unicode characters -Expanded character support will allow users to create SMB file shares with file and directory names on par with the NTFS file system for all valid Unicode characters. It also enables tools like AzCopy and Storage Mover to migrate all the files into Azure Files using the REST protocol. Expanded character support is now available in all Azure regions. +Expanded character support will allow users to create SMB file shares with file and directory names on par with the NTFS file system for all valid Unicode characters. It also enables tools like AzCopy and Storage Mover to migrate all the files into Azure Files using the REST protocol. Expanded character support is now available in all Azure regions. For more information, [read the announcement](https://azure.microsoft.com/updates/azurefilessupportforunicodecharacters/). -For more information, [read the announcement](https://azure.microsoft.com/updates/azurefilessupportforunicodecharacters/). +Azure File Sync also supports most of the special case valid Unicode characters and control characters except for the trailing dot (.) ++For more information on unsupported characters in Azure File Sync, refer to the [documentation](/troubleshoot/azure/azure-storage/file-sync-troubleshoot-sync-errors#handling-unsupported-characters). ### 2023 quarter 3 (July, August, September) |
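Review bot: the added line "Azure File Sync also supports most of the special case valid Unicode characters and control characters except for the trailing dot (.)" has no terminal punctuation, and "most of the special case valid Unicode characters" does not tell the reader what is excluded. Since the next added line links to the unsupported-characters list, tighten it to something like "Azure File Sync supports the expanded character set with a few exceptions, such as a trailing dot (.) in a file or directory name." and end with a period. Also, the unchanged opening "Expanded character support will allow users to create SMB file shares..." is future tense for a feature the same paragraph says is "now available in all Azure regions"; "allows" matches the status the paragraph reports.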
storage | Storage Files Active Directory Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-active-directory-overview.md | Title: Overview - Azure Files identity-based authentication -description: Azure Files supports identity-based authentication over SMB (Server Message Block) with Active Directory Domain Services (AD DS), Azure Active Directory Domain Services (Azure AD DS), and Azure Active Directory (Azure AD) Kerberos for hybrid identities. +description: Azure Files supports identity-based authentication over SMB (Server Message Block) with Active Directory Domain Services (AD DS), Microsoft Entra Domain Services, and Microsoft Entra Kerberos for hybrid identities. It's helpful to understand some key terms relating to identity-based authenticat SMB is an industry-standard network file-sharing protocol. For more information on SMB, see [Microsoft SMB Protocol and CIFS Protocol Overview](/windows/desktop/FileIO/microsoft-smb-protocol-and-cifs-protocol-overview). -- **Azure Active Directory (Azure AD)**+- **Microsoft Entra ID** - Azure AD is Microsoft's multi-tenant cloud-based directory and identity management service. Azure AD combines core directory services, application access management, and identity protection into a single solution. + Microsoft Entra ID (formerly Azure AD) is Microsoft's multi-tenant cloud-based directory and identity management service. Microsoft Entra ID combines core directory services, application access management, and identity protection into a single solution. -- **Azure Active Directory Domain Services (Azure AD DS)**+- **Microsoft Entra Domain Services** - Azure AD DS provides managed domain services such as domain join, group policies, LDAP, and Kerberos/NTLM authentication. These services are fully compatible with Active Directory Domain Services. For more information, see [Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md). 
+ Microsoft Entra Domain Services provides managed domain services such as domain join, group policies, LDAP, and Kerberos/NTLM authentication. These services are fully compatible with Active Directory Domain Services. For more information, see [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md). - **On-premises Active Directory Domain Services (AD DS)** It's helpful to understand some key terms relating to identity-based authenticat - **Hybrid identities** - [Hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) are identities in AD DS that are synced to Azure AD using either the on-premises [Azure AD Connect sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Azure AD Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Azure Active Directory Admin Center. + [Hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) are identities in AD DS that are synced to Microsoft Entra ID using either the on-premises [Microsoft Entra Connect Sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Microsoft Entra Admin Center. ## Supported authentication scenarios Azure Files supports identity-based authentication over SMB through the following methods. You can only use one method per storage account. -- **On-premises AD DS authentication:** On-premises AD DS-joined or Azure AD DS-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Azure AD over SMB. Your client must have line of sight to your AD DS. 
If you already have AD DS set up on-premises or on a VM in Azure where your devices are domain-joined to your AD, you should use AD DS for Azure file shares authentication.-- **Azure AD DS authentication:** Cloud-based, Azure AD DS-joined Windows VMs can access Azure file shares with Azure AD credentials. In this solution, Azure AD runs a traditional Windows Server AD domain on behalf of the customer, which is a child of the customerΓÇÖs Azure AD tenant. -- **Azure AD Kerberos for hybrid identities:** Using Azure AD for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) allows Azure AD users to access Azure file shares using Kerberos authentication. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. Cloud-only identities aren't currently supported.-- **AD Kerberos authentication for Linux clients:** Linux clients can use Kerberos authentication over SMB for Azure Files using on-premises AD DS or Azure AD DS.+- **On-premises AD DS authentication:** On-premises AD DS-joined or Microsoft Entra Domain Services-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Microsoft Entra ID over SMB. Your client must have line of sight to your AD DS. If you already have AD DS set up on-premises or on a VM in Azure where your devices are domain-joined to your AD, you should use AD DS for Azure file shares authentication. +- **Microsoft Entra Domain Services authentication:** Cloud-based, Microsoft Entra Domain Services-joined Windows VMs can access Azure file shares with Microsoft Entra credentials. In this solution, Microsoft Entra ID runs a traditional Windows Server AD domain on behalf of the customer, which is a child of the customerΓÇÖs Microsoft Entra tenant. 
+- **Microsoft Entra Kerberos for hybrid identities:** Using Microsoft Entra ID for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) allows Microsoft Entra users to access Azure file shares using Kerberos authentication. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VMs. Cloud-only identities aren't currently supported. +- **AD Kerberos authentication for Linux clients:** Linux clients can use Kerberos authentication over SMB for Azure Files using on-premises AD DS or Microsoft Entra Domain Services. ## Restrictions -- None of the authentication methods support assigning share-level permissions to computer accounts (machine accounts) using Azure RBAC, because computer accounts can't be synced to an identity in Azure AD. If you want to allow a computer account to access Azure file shares using identity-based authentication, [use a default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities) or consider using a service logon account instead.+- None of the authentication methods support assigning share-level permissions to computer accounts (machine accounts) using Azure RBAC, because computer accounts can't be synced to an identity in Microsoft Entra ID. If you want to allow a computer account to access Azure file shares using identity-based authentication, [use a default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities) or consider using a service logon account instead. - Identity-based authentication isn't supported with Network File System (NFS) shares. 
## Common use cases Deprecating and replacing scattered on-premises file servers is a common problem ### Lift and shift applications to Azure -When you lift and shift applications to the cloud, you want to keep the same authentication model for your data. As we extend the identity-based access control experience to Azure file shares, it eliminates the need to change your application to modern auth methods and expedite cloud adoption. Azure file shares provide the option to integrate with either Azure AD DS or on-premises AD DS for authentication. If your plan is to be 100% cloud native and minimize the efforts managing cloud infrastructures, Azure AD DS might be a better fit as a fully managed domain service. If you need full compatibility with AD DS capabilities, you might want to consider extending your AD DS environment to cloud by self-hosting domain controllers on VMs. Either way, we provide the flexibility to choose the domain service that best suits your business needs. +When you lift and shift applications to the cloud, you want to keep the same authentication model for your data. As we extend the identity-based access control experience to Azure file shares, it eliminates the need to change your application to modern auth methods and expedite cloud adoption. Azure file shares provide the option to integrate with either Microsoft Entra Domain Services or on-premises AD DS for authentication. If your plan is to be 100% cloud native and minimize the efforts managing cloud infrastructures, Microsoft Entra Domain Services might be a better fit as a fully managed domain service. If you need full compatibility with AD DS capabilities, you might want to consider extending your AD DS environment to cloud by self-hosting domain controllers on VMs. Either way, we provide the flexibility to choose the domain service that best suits your business needs. 
### Backup and disaster recovery (DR) If you're keeping your primary file storage on-premises, Azure file shares can s Identity-based authentication for Azure Files offers several benefits over using Shared Key authentication: - **Extend the traditional identity-based file share access experience to the cloud** - If you plan to lift and shift your application to the cloud, replacing traditional file servers with Azure file shares, then you might want your application to authenticate with either on-premises AD DS or Azure AD DS credentials to access file data. Azure Files supports using either on-premises AD DS or Azure AD DS credentials to access Azure file shares over SMB from either on-premises AD DS or Azure AD DS domain-joined VMs. + If you plan to lift and shift your application to the cloud, replacing traditional file servers with Azure file shares, then you might want your application to authenticate with either on-premises AD DS or Microsoft Entra Domain Services credentials to access file data. Azure Files supports using either on-premises AD DS or Microsoft Entra Domain Services credentials to access Azure file shares over SMB from either on-premises AD DS or Microsoft Entra Domain Services domain-joined VMs. - **Enforce granular access control on Azure file shares** You can grant permissions to a specific identity at the share, directory, or file level. For example, suppose that you have several teams using a single Azure file share for project collaboration. You can grant all teams access to non-sensitive directories, while limiting access to directories containing sensitive financial data to your finance team only. Identity-based authentication for Azure Files offers several benefits over using Azure file shares use the Kerberos protocol to authenticate with an AD source. 
When an identity associated with a user or application running on a client attempts to access data in Azure file shares, the request is sent to the AD source to authenticate the identity. If authentication is successful, it returns a Kerberos token. The client sends a request that includes the Kerberos token, and Azure file shares use that token to authorize the request. Azure file shares only receive the Kerberos token, not the user's access credentials. -You can enable identity-based authentication on your new and existing storage accounts using one of three AD sources: AD DS, Azure AD DS, or Azure AD Kerberos (hybrid identities only). Only one AD source can be used for file access authentication on the storage account, which applies to all file shares in the account. Before you can enable identity-based authentication on your storage account, you must first set up your domain environment. +You can enable identity-based authentication on your new and existing storage accounts using one of three AD sources: AD DS, Microsoft Entra Domain Services, or Microsoft Entra Kerberos (hybrid identities only). Only one AD source can be used for file access authentication on the storage account, which applies to all file shares in the account. Before you can enable identity-based authentication on your storage account, you must first set up your domain environment. ### AD DS For on-premises AD DS authentication, you must set up your AD domain controllers and domain-join your machines or VMs. You can host your domain controllers on Azure VMs or on-premises. Either way, your domain-joined clients must have line of sight to the domain controller, so they must be within the corporate network or virtual network (VNET) of your domain service. -The following diagram depicts on-premises AD DS authentication to Azure file shares over SMB. The on-premises AD DS must be synced to Azure AD using Azure AD Connect sync or Azure AD Connect cloud sync. 
Only [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) that exist in both on-premises AD DS and Azure AD can be authenticated and authorized for Azure file share access. This is because the share-level permission is configured against the identity represented in Azure AD, whereas the directory/file-level permission is enforced with that in AD DS. Make sure that you configure the permissions correctly against the same hybrid user. +The following diagram depicts on-premises AD DS authentication to Azure file shares over SMB. The on-premises AD DS must be synced to Microsoft Entra ID using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. Only [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) that exist in both on-premises AD DS and Microsoft Entra ID can be authenticated and authorized for Azure file share access. This is because the share-level permission is configured against the identity represented in Microsoft Entra ID, whereas the directory/file-level permission is enforced with that in AD DS. Make sure that you configure the permissions correctly against the same hybrid user. :::image type="content" source="media/storage-files-active-directory-overview/files-ad-ds-auth-diagram.png" alt-text="Diagram that depicts on-premises AD DS authentication to Azure file shares over SMB."::: To learn how to enable AD DS authentication, first read [Overview - on-premises Active Directory Domain Services authentication over SMB for Azure file shares](storage-files-identity-auth-active-directory-enable.md) and then see [Enable AD DS authentication for Azure file shares](storage-files-identity-ad-ds-enable.md). -### Azure AD DS +<a name='azure-ad-ds'></a> -For Azure AD DS authentication, you should enable Azure AD DS and domain-join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Azure AD DS. 
+### Microsoft Entra Domain Services -The following diagram represents the workflow for Azure AD DS authentication to Azure file shares over SMB. It follows a similar pattern to on-premises AD DS authentication, but there are two major differences: +For Microsoft Entra Domain Services authentication, you should enable Microsoft Entra Domain Services and domain-join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Microsoft Entra Domain Services. -1. You don't need to create the identity in Azure AD DS to represent the storage account. This is performed by the enablement process in the background. +The following diagram represents the workflow for Microsoft Entra Domain Services authentication to Azure file shares over SMB. It follows a similar pattern to on-premises AD DS authentication, but there are two major differences: -2. All users that exist in Azure AD can be authenticated and authorized. The user can be cloud-only or hybrid. The sync from Azure AD to Azure AD DS is managed by the platform without requiring any user configuration. However, the client must be joined to the Azure AD DS hosted domain. It can't be Azure AD joined or registered. Azure AD DS doesn't support non-Azure clients (i.e. user laptops, workstations, VMs in other clouds, etc.) being domain-joined to the Azure AD DS hosted domain. However, it's possible to mount a file share from a non-domain-joined client by providing explicit credentials such as DOMAINNAME\username or using the fully qualified domain name (username@FQDN). +1. You don't need to create the identity in Microsoft Entra Domain Services to represent the storage account. This is performed by the enablement process in the background. +2. All users that exist in Microsoft Entra ID can be authenticated and authorized. The user can be cloud-only or hybrid. 
The sync from Microsoft Entra ID to Microsoft Entra Domain Services is managed by the platform without requiring any user configuration. However, the client must be joined to the Microsoft Entra Domain Services hosted domain. It can't be Microsoft Entra joined or registered. Microsoft Entra Domain Services doesn't support non-Azure clients (i.e. user laptops, workstations, VMs in other clouds, etc.) being domain-joined to the Microsoft Entra Domain Services hosted domain. However, it's possible to mount a file share from a non-domain-joined client by providing explicit credentials such as DOMAINNAME\username or using the fully qualified domain name (username@FQDN). -To learn how to enable Azure AD DS authentication, see [Enable Azure Active Directory Domain Services authentication on Azure Files](storage-files-identity-auth-domain-services-enable.md). -### Azure AD Kerberos for hybrid identities +To learn how to enable Microsoft Entra Domain Services authentication, see [Enable Microsoft Entra Domain Services authentication on Azure Files](storage-files-identity-auth-domain-services-enable.md). -Enabling and configuring Azure AD for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) allows Azure AD users to access Azure file shares using Kerberos authentication. This configuration uses Azure AD to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs. However, configuring directory and file-level permissions for users and groups requires line-of-sight to the on-premises domain controller. 
+<a name='azure-ad-kerberos-for-hybrid-identities'></a> ++### Microsoft Entra Kerberos for hybrid identities ++Enabling and configuring Microsoft Entra ID for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md) allows Microsoft Entra users to access Azure file shares using Kerberos authentication. This configuration uses Microsoft Entra ID to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VMs. However, configuring directory and file-level permissions for users and groups requires line-of-sight to the on-premises domain controller. > [!IMPORTANT]-> Azure AD Kerberos authentication only supports hybrid user identities; it doesn't support cloud-only identities. A traditional AD DS deployment is required, and it must be synced to Azure AD using Azure AD Connect sync or Azure AD Connect cloud sync. Clients must be Azure AD-joined or [hybrid Azure AD-joined](../../active-directory/devices/hybrid-join-plan.md). Azure AD Kerberos isnΓÇÖt supported on clients joined to Azure AD DS or joined to AD only. +> Microsoft Entra Kerberos authentication only supports hybrid user identities; it doesn't support cloud-only identities. A traditional AD DS deployment is required, and it must be synced to Microsoft Entra ID using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. Clients must be Microsoft Entra joined or [Microsoft Entra hybrid joined](../../active-directory/devices/hybrid-join-plan.md). Microsoft Entra Kerberos isnΓÇÖt supported on clients joined to Microsoft Entra Domain Services or joined to AD only. 
-To learn how to enable Azure AD Kerberos authentication for hybrid identities, see [Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files](storage-files-identity-auth-hybrid-identities-enable.md). +To learn how to enable Microsoft Entra Kerberos authentication for hybrid identities, see [Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files](storage-files-identity-auth-hybrid-identities-enable.md). -You can also use this feature to store FSLogix profiles on Azure file shares for Azure AD-joined VMs. For more information, see [Create a profile container with Azure Files and Azure Active Directory](../../virtual-desktop/create-profile-container-azure-ad.md). +You can also use this feature to store FSLogix profiles on Azure file shares for Microsoft Entra joined VMs. For more information, see [Create a profile container with Azure Files and Microsoft Entra ID](../../virtual-desktop/create-profile-container-azure-ad.md). ## Access control-Azure Files enforces authorization on user access to both the share level and the directory/file levels. Share-level permission assignment can be performed on Azure AD users or groups managed through Azure RBAC. With Azure RBAC, the credentials you use for file access should be available or synced to Azure AD. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Azure AD to grant access to an Azure file share. +Azure Files enforces authorization on user access to both the share level and the directory/file levels. Share-level permission assignment can be performed on Microsoft Entra users or groups managed through Azure RBAC. With Azure RBAC, the credentials you use for file access should be available or synced to Microsoft Entra ID. You can assign Azure built-in roles like **Storage File Data SMB Share Reader** to users or groups in Microsoft Entra ID to grant access to an Azure file share. 
At the directory/file level, Azure Files supports preserving, inheriting, and enforcing [Windows ACLs](/windows/win32/secauthz/access-control-lists) just like any Windows file server. You can choose to keep Windows ACLs when copying data over SMB between your existing file share and your Azure file shares. Whether you plan to enforce authorization or not, you can use Azure file shares to back up ACLs along with your data. Once you've enabled an AD source on your storage account, you must do one of the - Set a default share-level permission that applies to all authenticated users and groups - Assign built-in Azure RBAC roles to users and groups, or -- Configure custom roles for Azure AD identities and assign access rights to file shares in your storage account.+- Configure custom roles for Microsoft Entra identities and assign access rights to file shares in your storage account. The assigned share-level permission allows the granted identity to get access to the share only, nothing else, not even the root directory. You still need to separately configure directory and file-level permissions. A user with the storage account key can access Azure file shares with superuser Azure Files supports preserving directory or file level ACLs when copying data to Azure file shares. You can copy ACLs on a directory or file to Azure file shares using either Azure File Sync or common file movement toolsets. For example, you can use [robocopy](/windows-server/administration/windows-commands/robocopy) with the `/copy:s` flag to copy data as well as ACLs to an Azure file share. ACLs are preserved by default, so you don't need to enable identity-based authentication on your storage account to preserve ACLs. ## Pricing-There's no additional service charge to enable identity-based authentication over SMB on your storage account. 
For more information on pricing, see [Azure Files pricing](https://azure.microsoft.com/pricing/details/storage/files/) and [Azure AD Domain Services pricing](https://azure.microsoft.com/pricing/details/active-directory-ds/). +There's no additional service charge to enable identity-based authentication over SMB on your storage account. For more information on pricing, see [Azure Files pricing](https://azure.microsoft.com/pricing/details/storage/files/) and [Microsoft Entra Domain Services pricing](https://azure.microsoft.com/pricing/details/active-directory-ds/). ## Next steps For more information about Azure Files and identity-based authentication over SMB, see these resources: - [Planning for an Azure Files deployment](storage-files-planning.md) - [Overview - on-premises Active Directory Domain Services authentication over SMB for Azure file shares](storage-files-identity-auth-active-directory-enable.md)-- [Enable Azure Active Directory Domain Services authentication on Azure Files](storage-files-identity-auth-domain-services-enable.md)-- [Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files](storage-files-identity-auth-hybrid-identities-enable.md)+- [Enable Microsoft Entra Domain Services authentication on Azure Files](storage-files-identity-auth-domain-services-enable.md) +- [Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files](storage-files-identity-auth-hybrid-identities-enable.md) - [Enable AD Kerberos authentication for Linux clients](storage-files-identity-auth-linux-kerberos-enable.md) - [FAQ](storage-files-faq.md) |
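Review bot: the re-added bullet "On-premises AD DS authentication: On-premises AD DS-joined or Microsoft Entra Domain Services-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Microsoft Entra ID over SMB." keeps two defects from the old text: "synched" where the rest of this article uses "synced", and "over SMB" attached to the sync rather than to the share access. Reorder it to "can access Azure file shares over SMB with on-premises Active Directory credentials that are synced to Microsoft Entra ID". In the Microsoft Entra Domain Services section, "non-Azure clients (i.e. user laptops, workstations, VMs in other clouds, etc.)" gives an illustrative list, so "for example" is the right connective, not "i.e.". The `<a name='azure-ad-ds'></a>` and `<a name='azure-ad-kerberos-for-hybrid-identities'></a>` anchors placed above the renamed headings are the right way to keep existing deep links working; apply the same pattern to any other article in this change set whose renamed heading is the target of an in-page or external link.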
storage | Storage Files Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-faq.md | - **Can I move the storage sync service and/or storage account to a different resource group, subscription, or Azure AD tenant?** - Yes, you can move the storage sync service and/or storage account to a different resource group, subscription, or Azure AD tenant. After you move the storage sync service or storage account, you need to give the Microsoft.StorageSync application access to the storage account. Follow these steps: + **Can I move the storage sync service and/or storage account to a different resource group, subscription, or Microsoft Entra tenant?** + Yes, you can move the storage sync service and/or storage account to a different resource group, subscription, or Microsoft Entra tenant. After you move the storage sync service or storage account, you need to give the Microsoft.StorageSync application access to the storage account. Follow these steps: 1. Sign in to the Azure portal and select **Access control (IAM)** from the left-hand navigation. 1. Select the **Role assignments** tab to list the users and applications (*service principals*) that have access to your storage account.- > When creating the cloud endpoint, the storage sync service and storage account must be in the same Azure AD tenant. Once the cloud endpoint is created, the storage sync service and storage account can be moved to different Azure AD tenants. + > When creating the cloud endpoint, the storage sync service and storage account must be in the same Microsoft Entra tenant. Once the cloud endpoint is created, the storage sync service and storage account can be moved to different Microsoft Entra tenants. 
* <a id="afs-ntfs-acls"></a> **Does Azure File Sync preserve directory/file level NTFS ACLs along with data stored in Azure Files?**-**Does Azure Active Directory Domain Services (Azure AD DS) support SMB access using Azure AD credentials from devices joined to or registered with Azure AD?** +**Does Microsoft Entra Domain Services support SMB access using Microsoft Entra credentials from devices joined to or registered with Microsoft Entra ID?** No, this scenario isn't supported. -**Can I access Azure file shares with Azure AD credentials from a VM under a different subscription?** +**Can I access Azure file shares with Microsoft Entra credentials from a VM under a different subscription?** - If the subscription under which the file share is deployed is associated with the same Azure AD tenant as the Azure AD DS deployment to which the VM is domain-joined, you can then access Azure file shares using the same Azure AD credentials. The limitation is imposed not on the subscription but on the associated Azure AD tenant. + If the subscription under which the file share is deployed is associated with the same Microsoft Entra tenant as the Microsoft Entra Domain Services deployment to which the VM is domain-joined, you can then access Azure file shares using the same Microsoft Entra credentials. The limitation is imposed not on the subscription but on the associated Microsoft Entra tenant. * <a id="ad-support-subscription"></a>-**Can I enable either Azure AD DS or on-premises AD DS authentication for Azure file shares using an Azure AD tenant that's different from the Azure file share's primary tenant?** +**Can I enable either Microsoft Entra Domain Services or on-premises AD DS authentication for Azure file shares using a Microsoft Entra tenant that's different from the Azure file share's primary tenant?** - No. Azure Files only supports Azure AD DS or on-premises AD DS integration with an Azure AD tenant that resides in the same subscription as the file share. 
A subscription can only be associated with one Azure AD tenant. When using on-premises AD DS for authentication, [the AD DS credential should be synced to the Azure AD](../../active-directory/hybrid/how-to-connect-install-roadmap.md) that the storage account is associated with. + No. Azure Files only supports Microsoft Entra Domain Services or on-premises AD DS integration with a Microsoft Entra tenant that resides in the same subscription as the file share. A subscription can only be associated with one Microsoft Entra tenant. When using on-premises AD DS for authentication, [the AD DS credential should be synced to the Microsoft Entra ID](../../active-directory/hybrid/how-to-connect-install-roadmap.md) that the storage account is associated with. * <a id="ad-multiple-forest"></a> **Does on-premises AD DS authentication for Azure file shares support integration with an AD DS environment using multiple forests?**-**How to remove cached credentials with storage account key and delete existing SMB connections before initializing new connection with Azure AD or AD credentials?** +**How to remove cached credentials with storage account key and delete existing SMB connections before initializing new connection with Microsoft Entra ID or AD credentials?** Follow the two step process below to remove the saved credential associated with the storage account key and remove the SMB connection: |
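Review bot: the rename in the answer to the different-tenant question leaves "synced to the Microsoft Entra ID that the storage account is associated with", which treats the product name as if it were a tenant instance; change it to "synced to the Microsoft Entra tenant that the storage account is associated with" so it agrees with the sentence just before it, "A subscription can only be associated with one Microsoft Entra tenant".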
storage | Storage Files Identity Ad Ds Assign Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-assign-permissions.md | Title: Control access to Azure file shares by assigning share-level permissions -description: Learn how to assign share-level permissions to an Azure Active Directory (Azure AD) identity that represents a hybrid user to control user access to Azure file shares with identity-based authentication. +description: Learn how to assign share-level permissions to a Microsoft Entra identity that represents a hybrid user to control user access to Azure file shares with identity-based authentication. recommendations: false # Assign share-level permissions -Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to [specific Azure AD users/groups](#share-level-permissions-for-specific-azure-ad-users-or-groups), and you can assign them to all authenticated identities as a [default share-level permission](#share-level-permissions-for-all-authenticated-identities). +Once you've enabled an Active Directory (AD) source for your storage account, you must configure share-level permissions in order to get access to your file share. There are two ways you can assign share-level permissions. You can assign them to [specific Microsoft Entra users/groups](#share-level-permissions-for-specific-azure-ad-users-or-groups), and you can assign them to all authenticated identities as a [default share-level permission](#share-level-permissions-for-all-authenticated-identities). > [!IMPORTANT] > Full administrative control of a file share, including the ability to take ownership of a file, requires using the storage account key. Full administrative control isn't supported with identity-based authentication. 
Once you've enabled an Active Directory (AD) source for your storage account, yo ## Which configuration should you use -Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). You must assign share-level permissions to the Azure AD identity representing the same user, group, or service principal in your AD DS in order to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported. +Share-level permissions on Azure file shares are configured for Microsoft Entra users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). You must assign share-level permissions to the Microsoft Entra identity representing the same user, group, or service principal in your AD DS in order to support AD DS authentication to your Azure file share. Authentication and authorization against identities that only exist in Microsoft Entra ID, such as Azure Managed Identities (MSIs), aren't supported. -Most users should assign share-level permissions to specific Azure AD users or groups, and then use Windows ACLs for granular access control at the directory and file level. This is the most stringent and secure configuration. +Most users should assign share-level permissions to specific Microsoft Entra users or groups, and then use Windows ACLs for granular access control at the directory and file level. This is the most stringent and secure configuration. 
There are three scenarios where we instead recommend using a [default share-level permission](#share-level-permissions-for-all-authenticated-identities) to allow contributor, elevated contributor, or reader access to all authenticated identities: -- If you are unable to sync your on-premises AD DS to Azure AD, you can use a default share-level permission. Assigning a default share-level permission allows you to work around the sync requirement because you don't need to specify the permission to identities in Azure AD. Then you can use Windows ACLs for granular permission enforcement on your files and directories.- - Identities that are tied to an AD but aren't synching to Azure AD can also leverage the default share-level permission. This could include standalone Managed Service Accounts (sMSA), group Managed Service Accounts (gMSA), and computer accounts. -- The on-premises AD DS you're using is synched to a different Azure AD than the Azure AD the file share is deployed in.- - This is typical when you're managing multi-tenant environments. Using a default share-level permission allows you to bypass the requirement for an Azure AD [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md). You can still use Windows ACLs on your files and directories for granular permission enforcement. +- If you are unable to sync your on-premises AD DS to Microsoft Entra ID, you can use a default share-level permission. Assigning a default share-level permission allows you to work around the sync requirement because you don't need to specify the permission to identities in Microsoft Entra ID. Then you can use Windows ACLs for granular permission enforcement on your files and directories. + - Identities that are tied to an AD but aren't synching to Microsoft Entra ID can also leverage the default share-level permission. This could include standalone Managed Service Accounts (sMSA), group Managed Service Accounts (gMSA), and computer accounts. 
+- The on-premises AD DS you're using is synched to a different Microsoft Entra ID than the Microsoft Entra ID the file share is deployed in. + - This is typical when you're managing multi-tenant environments. Using a default share-level permission allows you to bypass the requirement for a Microsoft Entra ID [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md). You can still use Windows ACLs on your files and directories for granular permission enforcement. - You prefer to enforce authentication only using Windows ACLs at the file and directory level. > [!NOTE]-> Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a [default share-level permission](#share-level-permissions-for-all-authenticated-identities). +> Because computer accounts don't have an identity in Microsoft Entra ID, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a [default share-level permission](#share-level-permissions-for-all-authenticated-identities). ## Share-level permissions The following table lists the share-level permissions and how they align with th |[Storage File Data SMB Share Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-contributor) |Allows for read, write, and delete access on files and directories in Azure file shares. [Learn more](storage-files-identity-auth-active-directory-enable.md). | |[Storage File Data SMB Share Elevated Contributor](../../role-based-access-control/built-in-roles.md#storage-file-data-smb-share-elevated-contributor) |Allows for read, write, delete, and modify ACLs on files and directories in Azure file shares. This role is analogous to a file share ACL of change on Windows file servers. [Learn more](storage-files-identity-auth-active-directory-enable.md). 
| -## Share-level permissions for specific Azure AD users or groups +<a name='share-level-permissions-for-specific-azure-ad-users-or-groups'></a> -If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md) that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is user1@onprem.contoso.com and you have synced to Azure AD as user1@contoso.com using Azure AD Connect sync or Azure AD Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to user1@contoso.com. The same concept applies to groups and service principals. +## Share-level permissions for specific Microsoft Entra users or groups ++If you intend to use a specific Microsoft Entra user or group to access Azure file share resources, that identity must be a [hybrid identity](../../active-directory/hybrid/whatis-hybrid-identity.md) that exists in both on-premises AD DS and Microsoft Entra ID. For example, say you have a user in your AD that is user1@onprem.contoso.com and you have synced to Microsoft Entra ID as user1@contoso.com using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to user1@contoso.com. The same concept applies to groups and service principals. > [!IMPORTANT] > **Assign permissions by explicitly declaring actions and data actions as opposed to using a wildcard (\*) character.** If a custom role definition for a data action contains a wildcard character, all identities assigned to that role are granted access for all possible data actions. This means that all such identities will also be granted any new data action added to the platform. The additional access and permissions granted through new actions or data actions may be unwanted behavior for customers using wildcard. 
In order for share-level permissions to work, you must: -- Sync the users **and** the groups from your local AD to Azure AD using either the on-premises [Azure AD Connect sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Azure AD Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Azure Active Directory Admin Center.+- Sync the users **and** the groups from your local AD to Microsoft Entra ID using either the on-premises [Microsoft Entra Connect Sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Microsoft Entra Admin Center. - Add AD synced groups to RBAC role so they can access your storage account. > [!TIP] > Optional: Customers who want to migrate SMB server share-level permissions to RBAC permissions can use the `Move-OnPremSharePermissionsToAzureFileShare` PowerShell cmdlet to migrate directory and file-level permissions from on-premises to Azure. This cmdlet evaluates the groups of a particular on-premises file share, then writes the appropriate users and groups to the Azure file share using the three RBAC roles. You provide the information for the on-premises share and the Azure file share when invoking the cmdlet. -You can use the Azure portal, Azure PowerShell, or Azure CLI to assign the built-in roles to the Azure AD identity of a user for granting share-level permissions. +You can use the Azure portal, Azure PowerShell, or Azure CLI to assign the built-in roles to the Microsoft Entra identity of a user for granting share-level permissions. > [!IMPORTANT] > The share-level permissions will take up to three hours to take effect once completed. Please wait for the permissions to sync before connecting to your file share using your credentials. 
# [Portal](#tab/azure-portal) -To assign an Azure role to an Azure AD identity, using the [Azure portal](https://portal.azure.com), follow these steps: +To assign an Azure role to a Microsoft Entra identity, using the [Azure portal](https://portal.azure.com), follow these steps: 1. In the Azure portal, go to your file share, or [create a file share](storage-how-to-create-file-share.md). 1. Select **Access Control (IAM)**. To assign an Azure role to an Azure AD identity, using the [Azure portal](https: 1. Storage File Data SMB Share Reader 1. Storage File Data SMB Share Contributor 1. Storage File Data SMB Share Elevated Contributor-1. Leave **Assign access to** at the default setting: **Azure AD user, group, or service principal**. Select the target Azure AD identity by name or email address. **The selected Azure AD identity must be a hybrid identity and cannot be a cloud only identity.** This means that the same identity is also represented in AD DS. +1. Leave **Assign access to** at the default setting: **Microsoft Entra user, group, or service principal**. Select the target Microsoft Entra identity by name or email address. **The selected Microsoft Entra identity must be a hybrid identity and cannot be a cloud only identity.** This means that the same identity is also represented in AD DS. 1. Select **Save** to complete the role assignment operation. # [Azure PowerShell](#tab/azure-powershell) -The following PowerShell sample shows how to assign an Azure role to an Azure AD identity, based on sign-in name. For more information about assigning Azure roles with PowerShell, see [Add or remove Azure role assignments using the Azure PowerShell module](../../role-based-access-control/role-assignments-powershell.md). +The following PowerShell sample shows how to assign an Azure role to a Microsoft Entra identity, based on sign-in name. 
For more information about assigning Azure roles with PowerShell, see [Add or remove Azure role assignments using the Azure PowerShell module](../../role-based-access-control/role-assignments-powershell.md). Before you run the following sample script, replace placeholder values, including brackets, with your values. New-AzRoleAssignment -SignInName <user-principal-name> -RoleDefinitionName $File # [Azure CLI](#tab/azure-cli) -The following CLI 2.0 command assigns an Azure role to an Azure AD identity, based on sign-in name. For more information about assigning Azure roles with Azure CLI, see [Add or remove Azure role assignments using the Azure CLI](../../role-based-access-control/role-assignments-cli.md). +The following CLI 2.0 command assigns an Azure role to a Microsoft Entra identity, based on sign-in name. For more information about assigning Azure roles with Azure CLI, see [Add or remove Azure role assignments using the Azure CLI](../../role-based-access-control/role-assignments-cli.md). Before you run the following sample script, remember to replace placeholder values, including brackets, with your own values. az role assignment create --role "<role-name>" --assignee <user-principal-name> ## Share-level permissions for all authenticated identities -You can add a default share-level permission on your storage account, instead of configuring share-level permissions for Azure AD users or groups. A default share-level permission assigned to your storage account applies to all file shares contained in the storage account. +You can add a default share-level permission on your storage account, instead of configuring share-level permissions for Microsoft Entra users or groups. A default share-level permission assigned to your storage account applies to all file shares contained in the storage account. When you set a default share-level permission, all authenticated users and groups will have the same permission. 
Authenticated users or groups are identified as the identity can be authenticated against the on-premises AD DS the storage account is associated with. The default share-level permission is set to **None** at initialization, implying that no access is allowed to files or directories in the Azure file share. az storage account update --name $storageAccountName --resource-group $resourceG ## What happens if you use both configurations -You could also assign permissions to all authenticated Azure AD users and specific Azure AD users/groups. With this configuration, a specific user or group will have whichever is the higher-level permission from the default share-level permission and RBAC assignment. In other words, say you granted a user the **Storage File Data SMB Reader** role on the target file share. You also granted the default share-level permission **Storage File Data SMB Share Elevated Contributor** to all authenticated users. With this configuration, that particular user will have **Storage File Data SMB Share Elevated Contributor** level of access to the file share. Higher-level permissions always take precedence. +You could also assign permissions to all authenticated Microsoft Entra users and specific Microsoft Entra users/groups. With this configuration, a specific user or group will have whichever is the higher-level permission from the default share-level permission and RBAC assignment. In other words, say you granted a user the **Storage File Data SMB Reader** role on the target file share. You also granted the default share-level permission **Storage File Data SMB Share Elevated Contributor** to all authenticated users. With this configuration, that particular user will have **Storage File Data SMB Share Elevated Contributor** level of access to the file share. Higher-level permissions always take precedence. 
## Next steps -Now that you've assigned share-level permissions, you can [configure directory and file-level permissions](storage-files-identity-ad-ds-configure-permissions.md). Remember that share-level permissions can take up to three hours to take effect. +Now that you've assigned share-level permissions, you can [configure directory and file-level permissions](storage-files-identity-ad-ds-configure-permissions.md). Remember that share-level permissions can take up to three hours to take effect. |
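Review bot: in the default share-level permission scenarios, the replaced bullet now reads "synched to a different Microsoft Entra ID than the Microsoft Entra ID the file share is deployed in"; both occurrences should be "Microsoft Entra tenant", as the other renamed lines on this page already do, and while these lines are being touched the spellings "synching" and "synched" in the new text should become "syncing" and "synced".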
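Review bot: the two intro links to `#share-level-permissions-for-specific-azure-ad-users-or-groups` were left pointing at the old heading id and now resolve only through the `<a name='share-level-permissions-for-specific-azure-ad-users-or-groups'></a>` compatibility anchor added above the renamed heading; keep that anchor so external deep links keep working, but point the in-article links at the renamed heading's own id so the document does not depend on the legacy anchor.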
storage | Storage Files Identity Ad Ds Configure Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-configure-permissions.md | After you assign share-level permissions, you can configure Windows access contr Both share-level and file/directory-level permissions are enforced when a user attempts to access a file/directory, so if there's a difference between either of them, only the most restrictive one will be applied. For example, if a user has read/write access at the file level, but only read at a share level, then they can only read that file. The same would be true if it was reversed: if a user had read/write access at the share-level, but only read at the file-level, they can still only read the file. > [!IMPORTANT]-> To configure Windows ACLs, you'll need a client machine running Windows that has line-of-sight to the domain controller. If you're authenticating with Azure Files using Active Directory Domain Services (AD DS) or Azure Active Directory Kerberos (Azure AD Kerberos) for hybrid identities, this means you'll need line-of-sight to the on-premises AD. If you're using Azure Active Directory Domain Services (Azure AD DS), then the client machine must have line-of-sight to the domain controllers for the domain that's managed by Azure AD DS, which are located in Azure. +> To configure Windows ACLs, you'll need a client machine running Windows that has line-of-sight to the domain controller. If you're authenticating with Azure Files using Active Directory Domain Services (AD DS) or Microsoft Entra Kerberos for hybrid identities, this means you'll need line-of-sight to the on-premises AD. If you're using Microsoft Entra Domain Services, then the client machine must have line-of-sight to the domain controllers for the domain that's managed by Microsoft Entra Domain Services, which are located in Azure. ## Applies to | File share type | SMB | NFS | |
storage | Storage Files Identity Ad Ds Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-enable.md | The cmdlets should return the key value. Once you have the kerb1 key, create eit If your OU enforces password expiration, you must update the password before the maximum password age to prevent authentication failures when accessing Azure file shares. See [Update the password of your storage account identity in AD](storage-files-identity-ad-ds-update-password.md) for details. -Keep the SID of the newly created identity, you'll need it for the next step. The identity you've created that represents the storage account doesn't need to be synced to Azure AD. +Keep the SID of the newly created identity, you'll need it for the next step. The identity you've created that represents the storage account doesn't need to be synced to Microsoft Entra ID. ### Enable the feature on your storage account |
storage | Storage Files Identity Ad Ds Mount File Share | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-mount-file-share.md | Sign in to the client using the credentials of the identity that you granted per Before you can mount the Azure file share, make sure you've gone through the following prerequisites: -- If you're mounting the file share from a client that has previously connected to the file share using your storage account key, make sure that you've disconnected the share, removed the persistent credentials of the storage account key, and are currently using AD DS credentials for authentication. For instructions on how to remove cached credentials with storage account key and delete existing SMB connections before initializing a new connection with AD DS or Azure AD credentials, follow the two-step process on the [FAQ page](./storage-files-faq.md#identity-based-authentication).+- If you're mounting the file share from a client that has previously connected to the file share using your storage account key, make sure that you've disconnected the share, removed the persistent credentials of the storage account key, and are currently using AD DS credentials for authentication. For instructions on how to remove cached credentials with storage account key and delete existing SMB connections before initializing a new connection with AD DS or Microsoft Entra credentials, follow the two-step process on the [FAQ page](./storage-files-faq.md#identity-based-authentication). - Your client must have line of sight to your AD DS. If your machine or VM is outside of the network managed by your AD DS, you'll need to enable VPN to reach AD DS for authentication. > [!NOTE] |
storage | Storage Files Identity Auth Active Directory Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-auth-active-directory-enable.md | Title: Overview - On-premises AD DS authentication to Azure file shares -description: Learn about Active Directory Domain Services (AD DS) authentication to Azure file shares. This article goes over supported scenarios, availability, and explains how the permissions work between your AD DS and Azure Active Directory. +description: Learn about Active Directory Domain Services (AD DS) authentication to Azure file shares. This article goes over supported scenarios, availability, and explains how the permissions work between your AD DS and Microsoft Entra ID. If you're new to Azure Files, we recommend reading our [planning guide](storage- ## Supported scenarios and restrictions -- AD DS identities used for Azure Files on-premises AD DS authentication must be synced to Azure AD or [use a default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities). Password hash synchronization is optional.+- AD DS identities used for Azure Files on-premises AD DS authentication must be synced to Microsoft Entra ID or [use a default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities). Password hash synchronization is optional. - Supports Azure file shares managed by Azure File Sync. - Supports Kerberos authentication with AD with [AES 256 encryption](/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?toc=/azure/storage/files/toc.json#azure-files-on-premises-ad-ds-authentication-support-for-aes-256-kerberos-encryption) (recommended) and RC4-HMAC. AES 128 Kerberos encryption isn't yet supported. - Supports single sign-on experience. 
To help you set up identity-based authentication for some common use cases, we p Before you enable AD DS authentication for Azure file shares, make sure you've completed the following prerequisites: -- Select or create your [AD DS environment](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) and [sync it to Azure AD](../../active-directory/hybrid/how-to-connect-install-roadmap.md) using either the on-premises [Azure AD Connect sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Azure AD Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Azure Active Directory Admin Center.+- Select or create your [AD DS environment](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) and [sync it to Microsoft Entra ID](../../active-directory/hybrid/how-to-connect-install-roadmap.md) using either the on-premises [Microsoft Entra Connect Sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Microsoft Entra Admin Center. - You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Azure AD or use a default share-level permission. The Azure AD tenant and the file share that you're accessing must be associated with the same subscription. + You can enable the feature on a new or existing on-premises AD DS environment. Identities used for access must be synced to Microsoft Entra ID or use a default share-level permission. The Microsoft Entra tenant and the file share that you're accessing must be associated with the same subscription. - Domain-join an on-premises machine or an Azure VM to on-premises AD DS. 
For information about how to domain-join, refer to [Join a Computer to a Domain](/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain). Azure Files authentication with AD DS is available in [all Azure Public, China a If you plan to enable any networking configurations on your file share, we recommend you read the [networking considerations](./storage-files-networking-overview.md) article and complete the related configuration before enabling AD DS authentication. -Enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-premises AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires synching identities from on-premises AD DS to Azure AD using either the on-premises [Azure AD Connect sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Azure AD Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Azure Active Directory Admin Center. You assign share-level permissions to hybrid identities synced to Azure AD while managing file/directory-level access using Windows ACLs. +Enabling AD DS authentication for your Azure file shares allows you to authenticate to your Azure file shares with your on-premises AD DS credentials. Further, it allows you to better manage your permissions to allow granular access control. Doing this requires synching identities from on-premises AD DS to Microsoft Entra ID using either the on-premises [Microsoft Entra Connect Sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md), a lightweight agent that can be installed from the Microsoft Entra Admin Center. 
You assign share-level permissions to hybrid identities synced to Microsoft Entra ID while managing file/directory-level access using Windows ACLs. Follow these steps to set up Azure Files for AD DS authentication: 1. [Enable AD DS authentication on your storage account](storage-files-identity-ad-ds-enable.md) -1. [Assign share-level permissions to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity](storage-files-identity-ad-ds-assign-permissions.md) +1. [Assign share-level permissions to the Microsoft Entra identity (a user, group, or service principal) that is in sync with the target AD identity](storage-files-identity-ad-ds-assign-permissions.md) 1. [Configure Windows ACLs over SMB for directories and files](storage-files-identity-ad-ds-configure-permissions.md) The following diagram illustrates the end-to-end workflow for enabling AD DS aut ![Files AD workflow diagram](media/storage-files-active-directory-domain-services-enable/diagram-files-ad.png) -Identities used to access Azure file shares must be synced to Azure AD to enforce share-level file permissions through the [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) model. Alternatively, you can use a default share-level permission. [Windows-style DACLs](/previous-versions/technet-magazine/cc161041(v=msdn.10)) on files/directories carried over from existing file servers will be preserved and enforced. This offers seamless integration with your enterprise AD DS environment. As you replace on-premises file servers with Azure file shares, existing users can access Azure file shares from their current clients with a single sign-on experience, without any change to the credentials in use. +Identities used to access Azure file shares must be synced to Microsoft Entra ID to enforce share-level file permissions through the [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) model. 
Alternatively, you can use a default share-level permission. [Windows-style DACLs](/previous-versions/technet-magazine/cc161041(v=msdn.10)) on files/directories carried over from existing file servers will be preserved and enforced. This offers seamless integration with your enterprise AD DS environment. As you replace on-premises file servers with Azure file shares, existing users can access Azure file shares from their current clients with a single sign-on experience, without any change to the credentials in use. ## Next steps |
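Review bot: "Microsoft Entra Admin Center" in the prerequisites bullet and in the paragraph that follows (and in the assign-permissions prerequisites above) capitalizes the portal name as a proper noun; Microsoft's style is "Microsoft Entra admin center", so lowercase "admin center" in all three places.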
storage | Storage Files Identity Auth Domain Services Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-auth-domain-services-enable.md | Title: Use Azure Active Directory Domain Services (Azure AD DS) to authorize user access to Azure Files over SMB -description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Azure Active Directory Domain Services (Azure AD DS). Your domain-joined Windows VMs can then access Azure file shares by using Azure AD credentials. + Title: Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB +description: Learn how to enable identity-based authentication over Server Message Block (SMB) for Azure Files through Microsoft Entra Domain Services. Your domain-joined Windows VMs can then access Azure file shares by using Microsoft Entra credentials. -# Enable Azure Active Directory Domain Services authentication on Azure Files +# Enable Microsoft Entra Domain Services authentication on Azure Files [!INCLUDE [storage-files-aad-auth-include](../../../includes/storage-files-aad-auth-include.md)] -This article focuses on enabling and configuring Azure AD DS for identity-based authentication with Azure file shares. In this authentication scenario, Azure AD credentials and Azure AD DS credentials are the same and can be used interchangeably. +This article focuses on enabling and configuring Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) for identity-based authentication with Azure file shares. In this authentication scenario, Microsoft Entra credentials and Microsoft Entra Domain Services credentials are the same and can be used interchangeably. We strongly recommend that you review the [How it works section](./storage-files-active-directory-overview.md#how-it-works) to select the right AD source for authentication. 
The setup is different depending on the AD source you choose. If you're new to Azure Files, we recommend reading our [planning guide](storage-files-planning.md) before reading this article. > [!NOTE]-> Azure Files supports Kerberos authentication with Azure AD DS with RC4-HMAC and AES-256 encryption. We recommend using AES-256. +> Azure Files supports Kerberos authentication with Microsoft Entra Domain Services with RC4-HMAC and AES-256 encryption. We recommend using AES-256. >-> Azure Files supports authentication for Azure AD DS with full or partial (scoped) synchronization with Azure AD. For environments with scoped synchronization present, administrators should be aware that Azure Files only honors Azure RBAC role assignments granted to principals that are synchronized. Role assignments granted to identities not synchronized from Azure AD to Azure AD DS will be ignored by the Azure Files service. +> Azure Files supports authentication for Microsoft Entra Domain Services with full or partial (scoped) synchronization with Microsoft Entra ID. For environments with scoped synchronization present, administrators should be aware that Azure Files only honors Azure RBAC role assignments granted to principals that are synchronized. Role assignments granted to identities not synchronized from Microsoft Entra ID to Microsoft Entra Domain Services will be ignored by the Azure Files service. ## Applies to | File share type | SMB | NFS | If you're new to Azure Files, we recommend reading our [planning guide](storage- ## Prerequisites -Before you enable Azure AD DS over SMB for Azure file shares, make sure you've completed the following prerequisites: +Before you enable Microsoft Entra Domain Services over SMB for Azure file shares, make sure you've completed the following prerequisites: -1. **Select or create an Azure AD tenant.** +1. **Select or create a Microsoft Entra tenant.** You can use a new or existing tenant. 
The tenant and the file share that you want to access must be associated with the same subscription. - To create a new Azure AD tenant, you can [Add an Azure AD tenant and an Azure AD subscription](/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription). If you have an existing Azure AD tenant but want to create a new tenant for use with Azure file shares, see [Create an Azure Active Directory tenant](/rest/api/datacatalog/create-an-azure-active-directory-tenant). + To create a new Microsoft Entra tenant, you can [Add a Microsoft Entra tenant and a Microsoft Entra subscription](/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription). If you have an existing Microsoft Entra tenant but want to create a new tenant for use with Azure file shares, see [Create a Microsoft Entra tenant](/rest/api/datacatalog/create-an-azure-active-directory-tenant). -1. **Enable Azure AD Domain Services on the Azure AD tenant.** +1. **Enable Microsoft Entra Domain Services on the Microsoft Entra tenant.** - To support authentication with Azure AD credentials, you must enable Azure AD DS for your Azure AD tenant. If you aren't the administrator of the Azure AD tenant, contact the administrator and follow the step-by-step guidance to [Enable Azure Active Directory Domain Services using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md). + To support authentication with Microsoft Entra credentials, you must enable Microsoft Entra Domain Services for your Microsoft Entra tenant. If you aren't the administrator of the Microsoft Entra tenant, contact the administrator and follow the step-by-step guidance to [Enable Microsoft Entra Domain Services using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md). - It typically takes about 15 minutes for an Azure AD DS deployment to complete. 
Verify that the health status of Azure AD DS shows **Running**, with password hash synchronization enabled, before proceeding to the next step. + It typically takes about 15 minutes for a Microsoft Entra Domain Services deployment to complete. Verify that the health status of Microsoft Entra Domain Services shows **Running**, with password hash synchronization enabled, before proceeding to the next step. -1. **Domain-join an Azure VM with Azure AD DS.** +1. **Domain-join an Azure VM with Microsoft Entra Domain Services.** - To access an Azure file share by using Azure AD credentials from a VM, your VM must be domain-joined to Azure AD DS. For more information about how to domain-join a VM, see [Join a Windows Server virtual machine to a managed domain](../../active-directory-domain-services/join-windows-vm.md). Azure AD DS authentication over SMB with Azure file shares is supported only on Azure VMs running on OS versions above Windows 7 or Windows Server 2008 R2. + To access an Azure file share by using Microsoft Entra credentials from a VM, your VM must be domain-joined to Microsoft Entra Domain Services. For more information about how to domain-join a VM, see [Join a Windows Server virtual machine to a managed domain](../../active-directory-domain-services/join-windows-vm.md). Microsoft Entra Domain Services authentication over SMB with Azure file shares is supported only on Azure VMs running on OS versions above Windows 7 or Windows Server 2008 R2. > [!NOTE]- > Non-domain-joined VMs can access Azure file shares using Azure AD DS authentication only if the VM has line-of-sight to the domain controllers for Azure AD DS. Usually this requires either site-to-site or point-to-site VPN. + > Non-domain-joined VMs can access Azure file shares using Microsoft Entra Domain Services authentication only if the VM has line-of-sight to the domain controllers for Microsoft Entra Domain Services. Usually this requires either site-to-site or point-to-site VPN. 1. 
**Select or create an Azure file share.** - Select a new or existing file share that's associated with the same subscription as your Azure AD tenant. For information about creating a new file share, see [Create a file share in Azure Files](storage-how-to-create-file-share.md). + Select a new or existing file share that's associated with the same subscription as your Microsoft Entra tenant. For information about creating a new file share, see [Create a file share in Azure Files](storage-how-to-create-file-share.md). For optimal performance, we recommend that your file share be in the same region as the VM from which you plan to access the share. 1. **Verify Azure Files connectivity by mounting Azure file shares using your storage account key.** Before you enable Azure AD DS over SMB for Azure file shares, make sure you've c ## Regional availability -Azure Files authentication with Azure AD DS is available in [all Azure Public, Gov, and China regions](https://azure.microsoft.com/global-infrastructure/locations/). +Azure Files authentication with Microsoft Entra Domain Services is available in [all Azure Public, Gov, and China regions](https://azure.microsoft.com/global-infrastructure/locations/). ## Overview of the workflow -Before you enable Azure AD DS authentication over SMB for Azure file shares, verify that your Azure AD and Azure Storage environments are properly configured. We recommend that you walk through the [prerequisites](#prerequisites) to make sure you've completed all the required steps. +Before you enable Microsoft Entra Domain Services authentication over SMB for Azure file shares, verify that your Microsoft Entra ID and Azure Storage environments are properly configured. We recommend that you walk through the [prerequisites](#prerequisites) to make sure you've completed all the required steps. 
-Follow these steps to grant access to Azure Files resources with Azure AD credentials: +Follow these steps to grant access to Azure Files resources with Microsoft Entra credentials: -1. Enable Azure AD DS authentication over SMB for your storage account to register the storage account with the associated Azure AD DS deployment. -1. Assign share-level permissions to an Azure AD identity (a user, group, or service principal). +1. Enable Microsoft Entra Domain Services authentication over SMB for your storage account to register the storage account with the associated Microsoft Entra Domain Services deployment. +1. Assign share-level permissions to a Microsoft Entra identity (a user, group, or service principal). 1. Connect to your Azure file share using a storage account key and configure Windows access control lists (ACLs) for directories and files. 1. Mount an Azure file share from a domain-joined VM. -The following diagram illustrates the end-to-end workflow for enabling Azure AD DS authentication over SMB for Azure Files. +The following diagram illustrates the end-to-end workflow for enabling Microsoft Entra Domain Services authentication over SMB for Azure Files. -![Diagram showing Azure AD over SMB for Azure Files workflow](media/storage-files-active-directory-enable/azure-active-directory-over-smb-workflow.png) +![Diagram showing Microsoft Entra ID over SMB for Azure Files workflow](media/storage-files-active-directory-enable/azure-active-directory-over-smb-workflow.png) -## Enable Azure AD DS authentication for your account +<a name='enable-azure-ad-ds-authentication-for-your-account'></a> -To enable Azure AD DS authentication over SMB for Azure Files, you can set a property on storage accounts by using the Azure portal, Azure PowerShell, or Azure CLI. Setting this property implicitly "domain joins" the storage account with the associated Azure AD DS deployment. 
Azure AD DS authentication over SMB is then enabled for all new and existing file shares in the storage account. +## Enable Microsoft Entra Domain Services authentication for your account -Keep in mind that you can enable Azure AD DS authentication over SMB only after you've successfully deployed Azure AD DS to your Azure AD tenant. For more information, see the [prerequisites](#prerequisites). +To enable Microsoft Entra Domain Services authentication over SMB for Azure Files, you can set a property on storage accounts by using the Azure portal, Azure PowerShell, or Azure CLI. Setting this property implicitly "domain joins" the storage account with the associated Microsoft Entra Domain Services deployment. Microsoft Entra Domain Services authentication over SMB is then enabled for all new and existing file shares in the storage account. ++Keep in mind that you can enable Microsoft Entra Domain Services authentication over SMB only after you've successfully deployed Microsoft Entra Domain Services to your Microsoft Entra tenant. For more information, see the [prerequisites](#prerequisites). # [Portal](#tab/azure-portal) -To enable Azure AD DS authentication over SMB with the [Azure portal](https://portal.azure.com), follow these steps: +To enable Microsoft Entra Domain Services authentication over SMB with the [Azure portal](https://portal.azure.com), follow these steps: 1. In the Azure portal, go to your existing storage account, or [create a storage account](../common/storage-account-create.md). 1. In the **File shares** section, select **Active directory: Not Configured**. :::image type="content" source="media/storage-files-active-directory-enable/files-azure-ad-enable-storage-account-identity.png" alt-text="Screenshot of the File shares pane in your storage account, Active directory is highlighted." lightbox="media/storage-files-active-directory-enable/files-azure-ad-enable-storage-account-identity.png"::: -1. 
Select **Azure Active Directory Domain Services** then enable the feature by ticking the checkbox. +1. Select **Microsoft Entra Domain Services** then enable the feature by ticking the checkbox. 1. Select **Save**. - :::image type="content" source="media/storage-files-active-directory-enable/files-azure-ad-ds-highlight.png" alt-text="Screenshot of the Active Directory pane, Azure Active Directory Domain Services is enabled." lightbox="media/storage-files-active-directory-enable/files-azure-ad-ds-highlight.png"::: + :::image type="content" source="media/storage-files-active-directory-enable/files-azure-ad-ds-highlight.png" alt-text="Screenshot of the Active Directory pane, Microsoft Entra Domain Services is enabled." lightbox="media/storage-files-active-directory-enable/files-azure-ad-ds-highlight.png"::: # [PowerShell](#tab/azure-powershell) -To enable Azure AD DS authentication over SMB with Azure PowerShell, install the latest Az module (2.4 or newer) or the Az.Storage module (1.5 or newer). For more information about installing PowerShell, see [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-azure-powershell). +To enable Microsoft Entra Domain Services authentication over SMB with Azure PowerShell, install the latest Az module (2.4 or newer) or the Az.Storage module (1.5 or newer). For more information about installing PowerShell, see [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-azure-powershell). To create a new storage account, call [New-AzStorageAccount](/powershell/module/az.storage/New-azStorageAccount), and then set the **EnableAzureActiveDirectoryDomainServicesForFile** parameter to **true**. In the following example, remember to replace the placeholder values with your own values. (If you were using the previous preview module, the parameter for enabling the feature is **EnableAzureFilesAadIntegrationForSMB**.) 
Set-AzStorageAccount -ResourceGroupName "<resource-group-name>" ` # [Azure CLI](#tab/azure-cli) -To enable Azure AD authentication over SMB with Azure CLI, install the latest CLI version (Version 2.0.70 or newer). For more information about installing Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli). +To enable Microsoft Entra authentication over SMB with Azure CLI, install the latest CLI version (Version 2.0.70 or newer). For more information about installing Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli). To create a new storage account, call [az storage account create](/cli/azure/storage/account#az-storage-account-create), and set the `--enable-files-aadds` argument. In the following example, remember to replace the placeholder values with your own values. (If you were using the previous preview module, the parameter for feature enablement is **file-aad**.) az storage account update -n <storage-account-name> -g <resource-group-name> --e ## Recommended: Use AES-256 encryption -By default, Azure AD DS authentication uses Kerberos RC4 encryption. We recommend configuring it to use Kerberos AES-256 encryption instead by following these instructions. +By default, Microsoft Entra Domain Services authentication uses Kerberos RC4 encryption. We recommend configuring it to use Kerberos AES-256 encryption instead by following these instructions. -The action requires running an operation on the Active Directory domain that's managed by Azure AD DS to reach a domain controller to request a property change to the domain object. The cmdlets below are Windows Server Active Directory PowerShell cmdlets, not Azure PowerShell cmdlets. Because of this, these PowerShell commands must be run from a client machine that's domain-joined to the Azure AD DS domain. 
+The action requires running an operation on the Active Directory domain that's managed by Microsoft Entra Domain Services to reach a domain controller to request a property change to the domain object. The cmdlets below are Windows Server Active Directory PowerShell cmdlets, not Azure PowerShell cmdlets. Because of this, these PowerShell commands must be run from a client machine that's domain-joined to the Microsoft Entra Domain Services domain. > [!IMPORTANT]-> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 from a client machine that's domain-joined to the Azure AD DS domain. PowerShell 7.x and Azure Cloud Shell won't work in this scenario. +> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 from a client machine that's domain-joined to the Microsoft Entra Domain Services domain. PowerShell 7.x and Azure Cloud Shell won't work in this scenario. -Log into the domain-joined client machine as an Azure AD DS user with the required permissions. You must have write access to the `msDS-SupportedEncryptionTypes` attribute of the domain object. Typically, members of the **AAD DC Administrators** group will have the necessary permissions. Open a normal (non-elevated) PowerShell session and execute the following commands. +Log into the domain-joined client machine as a Microsoft Entra Domain Services user with the required permissions. You must have write access to the `msDS-SupportedEncryptionTypes` attribute of the domain object. Typically, members of the **AAD DC Administrators** group will have the necessary permissions. Open a normal (non-elevated) PowerShell session and execute the following commands. ```powershell # 1. Find the service account in your managed domain that represents the storage account. |
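Review bot: the Azure CLI tab's lead sentence was renamed to "To enable Microsoft Entra authentication over SMB with Azure CLI", while the Portal and PowerShell tabs and the section heading in the same hunk say "Microsoft Entra Domain Services authentication over SMB". After the rename, "Microsoft Entra authentication" on its own reads as the separate Microsoft Entra Kerberos option for hybrid identities documented in the sibling article, so the shortened form is now ambiguous; suggest "To enable Microsoft Entra Domain Services authentication over SMB with Azure CLI, install the latest CLI version ..." to match the other tabs. The added `<a name='enable-azure-ad-ds-authentication-for-your-account'></a>` anchor ahead of the renamed heading is the right way to keep existing deep links working; the same treatment is worth applying to the `#prerequisites` and "Recommended: Use AES-256 encryption" sections only if their heading text changes in a later pass, which it does not here.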
storage | Storage Files Identity Auth Hybrid Identities Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-auth-hybrid-identities-enable.md | Title: Use Azure Active Directory to access Azure file shares over SMB for hybrid identities using Kerberos authentication -description: Learn how to enable identity-based Kerberos authentication for hybrid user identities over Server Message Block (SMB) for Azure Files through Azure Active Directory (Azure AD). Your users can then access Azure file shares by using their Azure AD credentials. + Title: Use Microsoft Entra ID to access Azure file shares over SMB for hybrid identities using Kerberos authentication +description: Learn how to enable identity-based Kerberos authentication for hybrid user identities over Server Message Block (SMB) for Azure Files through Microsoft Entra ID. Your users can then access Azure file shares by using their Microsoft Entra credentials. -# Enable Azure Active Directory Kerberos authentication for hybrid identities on Azure Files +# Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files -This article focuses on enabling and configuring Azure Active Directory (Azure AD) for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD DS identities that are synced to Azure AD. Cloud-only identities aren't currently supported. +This article focuses on enabling and configuring Microsoft Entra ID (formerly Azure AD) for authenticating [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD DS identities that are synced to Microsoft Entra ID. Cloud-only identities aren't currently supported. -This configuration allows hybrid users to access Azure file shares using Kerberos authentication, using Azure AD to issue the necessary Kerberos tickets to access the file share with the SMB protocol. 
This means your end users can access Azure file shares over the internet without requiring line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined clients. However, configuring Windows access control lists (ACLs)/directory and file-level permissions for a user or group requires line-of-sight to the on-premises domain controller. +This configuration allows hybrid users to access Azure file shares using Kerberos authentication, using Microsoft Entra ID to issue the necessary Kerberos tickets to access the file share with the SMB protocol. This means your end users can access Azure file shares over the internet without requiring line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined clients. However, configuring Windows access control lists (ACLs)/directory and file-level permissions for a user or group requires line-of-sight to the on-premises domain controller. -For more information on supported options and considerations, see [Overview of Azure Files identity-based authentication options for SMB access](storage-files-active-directory-overview.md). For more information about Azure AD Kerberos, see [Deep dive: How Azure AD Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889). +For more information on supported options and considerations, see [Overview of Azure Files identity-based authentication options for SMB access](storage-files-active-directory-overview.md). For more information, see [this deep dive](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889). > [!IMPORTANT]-> You can only use one AD method for identity-based authentication with Azure Files. 
If Azure AD Kerberos authentication for hybrid identities doesn't fit your requirements, you might be able to use [on-premises Active Directory Domain Service (AD DS)](storage-files-identity-auth-active-directory-enable.md) or [Azure Active Directory Domain Services (Azure AD DS)](storage-files-identity-auth-domain-services-enable.md) instead. The configuration steps and supported scenarios are different for each method. +> You can only use one AD method for identity-based authentication with Azure Files. If Microsoft Entra Kerberos authentication for hybrid identities doesn't fit your requirements, you might be able to use [on-premises Active Directory Domain Service (AD DS)](storage-files-identity-auth-active-directory-enable.md) or [Microsoft Entra Domain Services](storage-files-identity-auth-domain-services-enable.md) instead. The configuration steps and supported scenarios are different for each method. ## Applies to | File share type | SMB | NFS | For more information on supported options and considerations, see [Overview of A ## Prerequisites -Before you enable Azure AD Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites. +Before you enable Microsoft Entra Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites. > [!NOTE]-> Your Azure storage account can't authenticate with both Azure AD and a second method like AD DS or Azure AD DS. If you've already chosen another AD method for your storage account, you must disable it before enabling Azure AD Kerberos. +> Your Azure storage account can't authenticate with both Microsoft Entra ID and a second method like AD DS or Microsoft Entra Domain Services. If you've already chosen another AD method for your storage account, you must disable it before enabling Microsoft Entra Kerberos. 
-The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems: +The Microsoft Entra Kerberos functionality for hybrid identities is only available on the following operating systems: - Windows 11 Enterprise/Pro single or multi-session. - Windows 10 Enterprise/Pro single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the [KB5007253 - 2021-11 Cumulative Update Preview for Windows 10](https://support.microsoft.com/topic/november-22-2021-kb5007253-os-builds-19041-1387-19042-1387-19043-1387-and-19044-1387-preview-d1847be9-46c1-49fc-bf56-1d469fc1b3af). - Windows Server, version 2022 with the latest cumulative updates installed, especially the [KB5007254 - 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2](https://support.microsoft.com/topic/november-22-2021-kb5007254-os-build-20348-380-preview-9a960291-d62e-486a-adcc-6babe5ae6fc1). -To learn how to create and configure a Windows VM and log in by using Azure AD-based authentication, see [Log in to a Windows virtual machine in Azure by using Azure AD](../../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md). +To learn how to create and configure a Windows VM and log in by using Microsoft Entra ID-based authentication, see [Log in to a Windows virtual machine in Azure by using Microsoft Entra ID](../../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md). -Clients must be Azure AD-joined or [hybrid Azure AD-joined](../../active-directory/devices/hybrid-join-plan.md). Azure AD Kerberos isnΓÇÖt supported on clients joined to Azure AD DS or joined to AD only. +Clients must be Microsoft Entra joined or [Microsoft Entra hybrid joined](../../active-directory/devices/hybrid-join-plan.md). Microsoft Entra Kerberos isnΓÇÖt supported on clients joined to Microsoft Entra Domain Services or joined to AD only. 
-This feature doesn't currently support user accounts that you create and manage solely in Azure AD. User accounts must be [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means you'll also need AD DS and either [Azure AD Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md). You must create these accounts in Active Directory and sync them to Azure AD. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Azure AD. +This feature doesn't currently support user accounts that you create and manage solely in Microsoft Entra ID. User accounts must be [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means you'll also need AD DS and either [Microsoft Entra Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md) or [Microsoft Entra Connect cloud sync](../../active-directory/cloud-sync/what-is-cloud-sync.md). You must create these accounts in Active Directory and sync them to Microsoft Entra ID. To assign Azure Role-Based Access Control (RBAC) permissions for the Azure file share to a user group, you must create the group in Active Directory and sync it to Microsoft Entra ID. -You must disable multi-factor authentication (MFA) on the Azure AD app representing the storage account. +You must disable multi-factor authentication (MFA) on the Microsoft Entra app representing the storage account. -With Azure AD Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs. +With Microsoft Entra Kerberos, the Kerberos ticket encryption is always AES-256. But you can set the SMB channel encryption that best fits your needs. 
## Regional availability This feature is supported in the [Azure Public, Azure US Gov, and Azure China 21Vianet clouds](https://azure.microsoft.com/global-infrastructure/locations/). -## Enable Azure AD Kerberos authentication for hybrid user accounts +<a name='enable-azure-ad-kerberos-authentication-for-hybrid-user-accounts'></a> -You can enable Azure AD Kerberos authentication on Azure Files for hybrid user accounts using the Azure portal, PowerShell, or Azure CLI. +## Enable Microsoft Entra Kerberos authentication for hybrid user accounts ++You can enable Microsoft Entra Kerberos authentication on Azure Files for hybrid user accounts using the Azure portal, PowerShell, or Azure CLI. # [Portal](#tab/azure-portal) -To enable Azure AD Kerberos authentication using the [Azure portal](https://portal.azure.com), follow these steps. +To enable Microsoft Entra Kerberos authentication using the [Azure portal](https://portal.azure.com), follow these steps. -1. Sign in to the Azure portal and select the storage account you want to enable Azure AD Kerberos authentication for. +1. Sign in to the Azure portal and select the storage account you want to enable Microsoft Entra Kerberos authentication for. 1. Under **Data storage**, select **File shares**. 1. Next to **Active Directory**, select the configuration status (for example, **Not configured**). :::image type="content" source="media/storage-files-identity-auth-hybrid-identities-enable/configure-active-directory.png" alt-text="Screenshot of the Azure portal showing file share settings for a storage account. Active Directory configuration settings are selected." lightbox="media/storage-files-identity-auth-hybrid-identities-enable/configure-active-directory.png" border="true"::: -1. Under **Azure AD Kerberos**, select **Set up**. -1. Select the **Azure AD Kerberos** checkbox. +1. Under **Microsoft Entra Kerberos**, select **Set up**. +1. Select the **Microsoft Entra Kerberos** checkbox. 
- :::image type="content" source="media/storage-files-identity-auth-hybrid-identities-enable/enable-azure-ad-kerberos.png" alt-text="Screenshot of the Azure portal showing Active Directory configuration settings for a storage account. Azure AD Kerberos is selected." lightbox="media/storage-files-identity-auth-hybrid-identities-enable/enable-azure-ad-kerberos.png" border="true"::: + :::image type="content" source="media/storage-files-identity-auth-hybrid-identities-enable/enable-azure-ad-kerberos.png" alt-text="Screenshot of the Azure portal showing Active Directory configuration settings for a storage account. Microsoft Entra Kerberos is selected." lightbox="media/storage-files-identity-auth-hybrid-identities-enable/enable-azure-ad-kerberos.png" border="true"::: 1. **Optional:** If you want to configure directory and file-level permissions through Windows File Explorer, then you need to specify the domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlet from an on-premises AD-joined client: `Get-ADDomain`. Your domain name should be listed in the output under `DNSRoot` and your domain GUID should be listed under `ObjectGUID`. If you'd prefer to configure directory and file-level permissions using icacls, you can skip this step. However, if you want to use icacls, the client will need line-of-sight to the on-premises AD. To enable Azure AD Kerberos authentication using the [Azure portal](https://port # [Azure PowerShell](#tab/azure-powershell) -To enable Azure AD Kerberos using Azure PowerShell, run the following command. Remember to replace placeholder values, including brackets, with your values. +To enable Microsoft Entra Kerberos using Azure PowerShell, run the following command. Remember to replace placeholder values, including brackets, with your values. 
```azurepowershell Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $true Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName # [Azure CLI](#tab/azure-cli) -To enable Azure AD Kerberos using Azure CLI, run the following command. Remember to replace placeholder values, including brackets, with your values. +To enable Microsoft Entra Kerberos using Azure CLI, run the following command. Remember to replace placeholder values, including brackets, with your values. ```azurecli az storage account update --name <storageaccountname> --resource-group <resourcegroupname> --enable-files-aadkerb true az storage account update --name <storageAccountName> --resource-group <resource > [!WARNING]-> If you've previously enabled Azure AD Kerberos authentication through manual limited preview steps to store FSLogix profiles on Azure Files for Azure AD-joined VMs, the password for the storage account's service principal is set to expire every six months. Once the password expires, users won't be able to get Kerberos tickets to the file share. To mitigate this, see "Error - Service principal password has expired in Azure AD" under [Potential errors when enabling Azure AD Kerberos authentication for hybrid users](/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?toc=/azure/storage/files/toc.json#potential-errors-when-enabling-azure-ad-kerberos-authentication-for-hybrid-users). +> If you've previously enabled Microsoft Entra Kerberos authentication through manual limited preview steps to store FSLogix profiles on Azure Files for Microsoft Entra joined VMs, the password for the storage account's service principal is set to expire every six months. Once the password expires, users won't be able to get Kerberos tickets to the file share. 
To mitigate this, see "Error - Service principal password has expired in Microsoft Entra ID" under [Potential errors when enabling Microsoft Entra Kerberos authentication for hybrid users](/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?toc=/azure/storage/files/toc.json#potential-errors-when-enabling-azure-ad-kerberos-authentication-for-hybrid-users). ## Grant admin consent to the new service principal -After enabling Azure AD Kerberos authentication, you'll need to explicitly grant admin consent to the new Azure AD application registered in your Azure AD tenant. This service principal is auto-generated and isn't used for authorization to the file share, so don't make any edits to the service principal other than those documented here. If you do, you might get an error. +After enabling Microsoft Entra Kerberos authentication, you'll need to explicitly grant admin consent to the new Microsoft Entra application registered in your Microsoft Entra tenant. This service principal is auto-generated and isn't used for authorization to the file share, so don't make any edits to the service principal other than those documented here. If you do, you might get an error. You can configure the API permissions from the [Azure portal](https://portal.azure.com) by following these steps: -1. Open **Azure Active Directory**. +1. Open **Microsoft Entra ID**. 2. Select **App registrations** on the left pane. 3. Select **All Applications**. - :::image type="content" source="media/storage-files-identity-auth-hybrid-identities-enable/azure-portal-azuread-app-registrations.png" alt-text="Screenshot of the Azure portal. Azure Active Directory is open. App registrations is selected in the left pane. All applications is highlighted in the right pane." 
lightbox="media/storage-files-identity-auth-hybrid-identities-enable/azure-portal-azuread-app-registrations.png"::: + :::image type="content" source="media/storage-files-identity-auth-hybrid-identities-enable/azure-portal-azuread-app-registrations.png" alt-text="Screenshot of the Azure portal. Microsoft Entra ID is open. App registrations is selected in the left pane. All applications is highlighted in the right pane." lightbox="media/storage-files-identity-auth-hybrid-identities-enable/azure-portal-azuread-app-registrations.png"::: 4. Select the application with the name matching **[Storage Account] `<your-storage-account-name>`.file.core.windows.net**. 5. Select **API permissions** in the left pane. You can configure the API permissions from the [Azure portal](https://portal.azu 7. Select **Yes** to confirm. > [!IMPORTANT]- > If you're connecting to a storage account via a private endpoint/private link using Azure AD Kerberos authentication, you'll also need to add the private link FQDN to the storage account's Azure AD application. For instructions, see the entry in our [troubleshooting guide](/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?toc=/azure/storage/files/toc.json#error-1326the-username-or-password-is-incorrect-when-using-private-link). + > If you're connecting to a storage account via a private endpoint/private link using Microsoft Entra Kerberos authentication, you'll also need to add the private link FQDN to the storage account's Microsoft Entra application. For instructions, see the entry in our [troubleshooting guide](/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?toc=/azure/storage/files/toc.json#error-1326the-username-or-password-is-incorrect-when-using-private-link). ## Disable multi-factor authentication on the storage account -Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. 
You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps. +Microsoft Entra Kerberos doesn't support using MFA to access Azure file shares configured with Microsoft Entra Kerberos. You must exclude the Microsoft Entra app representing your storage account from your MFA conditional access policies if they apply to all apps. The storage account app should have the same name as the storage account in the conditional access exclusion list. When searching for the storage account app in the conditional access exclusion list, search for: **[Storage Account] `<your-storage-account-name>`.file.core.windows.net** To set share-level permissions, follow the instructions in [Assign share-level p Once share-level permissions are in place, you can assign directory/file-level permissions to the user or group. **This requires using a device with line-of-sight to an on-premises AD**. To use Windows File Explorer, the device also needs to be domain-joined. -There are two options for configuring directory and file-level permissions with Azure AD Kerberos authentication: +There are two options for configuring directory and file-level permissions with Microsoft Entra Kerberos authentication: - **Windows File Explorer:** If you choose this option, then the client must be domain-joined to the on-premises AD. - **icacls utility:** If you choose this option, then the client doesn't need to be domain-joined, but needs line-of-sight to the on-premises AD. There are two options for configuring directory and file-level permissions with To configure directory and file-level permissions through Windows File Explorer, you also need to specify domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or from an on-premises AD-joined client. If you prefer to configure using icacls, this step is not required. 
> [!IMPORTANT]-> You can set file/directory level ACLs for identities which are not synced to Azure AD. However, these ACLs will not be enforced because the Kerberos ticket used for authentication/authorization will not contain these not-synced identities. In order to enforce set ACLs, identities need to be synced to Azure AD. +> You can set file/directory level ACLs for identities which are not synced to Microsoft Entra ID. However, these ACLs will not be enforced because the Kerberos ticket used for authentication/authorization will not contain these not-synced identities. In order to enforce set ACLs, identities need to be synced to Microsoft Entra ID. > [!TIP]-> If Azure AD hybrid joined users from two different forests will be accessing the share, it's best to use icacls to configure directory and file-level permissions. This is because Windows File Explorer ACL configuration requires the client to be domain joined to the Active Directory domain that the storage account is joined to. +> If Microsoft Entra hybrid joined users from two different forests will be accessing the share, it's best to use icacls to configure directory and file-level permissions. This is because Windows File Explorer ACL configuration requires the client to be domain joined to the Active Directory domain that the storage account is joined to. To configure directory and file-level permissions, follow the instructions in [Configure directory and file-level permissions over SMB](storage-files-identity-ad-ds-configure-permissions.md). ## Configure the clients to retrieve Kerberos tickets -Enable the Azure AD Kerberos functionality on the client machine(s) you want to mount/use Azure File shares from. You must do this on every client on which Azure Files will be used. +Enable the Microsoft Entra Kerberos functionality on the client machine(s) you want to mount/use Azure File shares from. You must do this on every client on which Azure Files will be used. 
Use one of the following three methods: Use one of the following three methods: Changes are not instant, and require a policy refresh or a reboot to take effect. > [!IMPORTANT]-> Once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for on-premises AD DS integration without configuring Kerberos realm mappings. If you want the client(s) to be able to connect to storage accounts configured for AD DS as well as storage accounts configured for Azure AD Kerberos, follow the steps in [Configure coexistence with storage accounts using on-premises AD DS](#configure-coexistence-with-storage-accounts-using-on-premises-ad-ds). +> Once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for on-premises AD DS integration without configuring Kerberos realm mappings. If you want the client(s) to be able to connect to storage accounts configured for AD DS as well as storage accounts configured for Microsoft Entra Kerberos, follow the steps in [Configure coexistence with storage accounts using on-premises AD DS](#configure-coexistence-with-storage-accounts-using-on-premises-ad-ds). ### Configure coexistence with storage accounts using on-premises AD DS -If you want to enable client machines to connect to storage accounts that are configured for AD DS as well as storage accounts configured for Azure AD Kerberos, follow these steps. If you're only using Azure AD Kerberos, skip this section. +If you want to enable client machines to connect to storage accounts that are configured for AD DS as well as storage accounts configured for Microsoft Entra Kerberos, follow these steps. If you're only using Microsoft Entra Kerberos, skip this section. Add an entry for each storage account that uses on-premises AD DS integration. Use one of the following three methods to configure Kerberos realm mappings. Changes aren't instant, and require a policy refresh or a reboot to take effect. 
Add an entry for each storage account that uses on-premises AD DS integration. U ## Undo the client configuration to retrieve Kerberos tickets -If you no longer want to use a client machine for Azure AD Kerberos authentication, you can disable the Azure AD Kerberos functionality on that machine. Use one of the following three methods: +If you no longer want to use a client machine for Microsoft Entra Kerberos authentication, you can disable the Microsoft Entra Kerberos functionality on that machine. Use one of the following three methods: - Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled), set to 0 - Configure this group policy on the client(s): `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon` If you followed the steps in [Configure coexistence with storage accounts using Changes aren't instant, and require a policy refresh or a reboot to take effect. > [!IMPORTANT]-> Once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for Azure AD Kerberos authentication. However, they will be able to connect to storage accounts configured to AD DS, without any additional configuration. +> Once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for Microsoft Entra Kerberos authentication. However, they will be able to connect to storage accounts configured to AD DS, without any additional configuration. 
++<a name='disable-azure-ad-authentication-on-your-storage-account'></a> -## Disable Azure AD authentication on your storage account +## Disable Microsoft Entra authentication on your storage account -If you want to use another authentication method, you can disable Azure AD authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI. +If you want to use another authentication method, you can disable Microsoft Entra authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI. > [!NOTE] > Disabling this feature means that there will be no Active Directory configuration for file shares in your storage account until you enable one of the other Active Directory sources to reinstate your Active Directory configuration. # [Portal](#tab/azure-portal) -To disable Azure AD Kerberos authentication on your storage account by using the Azure portal, follow these steps. +To disable Microsoft Entra Kerberos authentication on your storage account by using the Azure portal, follow these steps. -1. Sign in to the Azure portal and select the storage account you want to disable Azure AD Kerberos authentication for. +1. Sign in to the Azure portal and select the storage account you want to disable Microsoft Entra Kerberos authentication for. 1. Under **Data storage**, select **File shares**. 1. Next to **Active Directory**, select the configuration status.-1. Under **Azure AD Kerberos**, select **Configure**. -1. Uncheck the **Azure AD Kerberos** checkbox. +1. Under **Microsoft Entra Kerberos**, select **Configure**. +1. Uncheck the **Microsoft Entra Kerberos** checkbox. 1. Select **Save**. # [Azure PowerShell](#tab/azure-powershell) -To disable Azure AD Kerberos authentication on your storage account by using Azure PowerShell, run the following command. Remember to replace placeholder values, including brackets, with your values. 
+To disable Microsoft Entra Kerberos authentication on your storage account by using Azure PowerShell, run the following command. Remember to replace placeholder values, including brackets, with your values. ```azurepowershell Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName <storageAccountName> -EnableAzureActiveDirectoryKerberosForFile $false Set-AzStorageAccount -ResourceGroupName <resourceGroupName> -StorageAccountName # [Azure CLI](#tab/azure-cli) -To disable Azure AD Kerberos authentication on your storage account by using Azure CLI, run the following command. Remember to replace placeholder values, including brackets, with your values. +To disable Microsoft Entra Kerberos authentication on your storage account by using Azure CLI, run the following command. Remember to replace placeholder values, including brackets, with your values. ```azurecli az storage account update --name <storageaccountname> --resource-group <resourcegroupname> --enable-files-aadkerb false az storage account update --name <storageaccountname> --resource-group <resource For more information, see these resources: -- [Potential errors when enabling Azure AD Kerberos authentication for hybrid users](files-troubleshoot-smb-authentication.md#potential-errors-when-enabling-azure-ad-kerberos-authentication-for-hybrid-users)+- [Potential errors when enabling Microsoft Entra Kerberos authentication for hybrid users](files-troubleshoot-smb-authentication.md#potential-errors-when-enabling-azure-ad-kerberos-authentication-for-hybrid-users) - [Overview of Azure Files identity-based authentication support for SMB access](storage-files-active-directory-overview.md)-- [Create a profile container with Azure Files and Azure Active Directory](../../virtual-desktop/create-profile-container-azure-ad.md)+- [Create a profile container with Azure Files and Microsoft Entra ID](../../virtual-desktop/create-profile-container-azure-ad.md) - [FAQ](storage-files-faq.md) |
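Review bot: the two links into the troubleshooting article (in the WARNING and in the closing resource list) keep the old slug `#potential-errors-when-enabling-azure-ad-kerberos-authentication-for-hybrid-users` while their link text is renamed to Microsoft Entra; if that article's heading is renamed in the same sweep, these anchors break unless it carries a preserved `<a name='...'></a>` anchor like the ones this hunk adds for its own renamed headings, so please confirm the target anchor. The group policy path `Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon` is correctly left as-is because it quotes the Windows policy's literal name; a short remark that this string is intentionally not renamed would keep readers from reporting it as a missed rename.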
storage | Storage Files Identity Auth Linux Kerberos Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-auth-linux-kerberos-enable.md | Title: Use on-premises Active Directory Domain Services or Azure Active Directory Domain Services to authorize access to Azure Files over SMB for Linux clients using Kerberos authentication -description: Learn how to enable identity-based Kerberos authentication for Linux clients over Server Message Block (SMB) for Azure Files using on-premises Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS) + Title: Use on-premises Active Directory Domain Services or Microsoft Entra Domain Services to authorize access to Azure Files over SMB for Linux clients using Kerberos authentication +description: Learn how to enable identity-based Kerberos authentication for Linux clients over Server Message Block (SMB) for Azure Files using on-premises Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services For more information on supported options and considerations, see [Overview of A [Azure Files](storage-files-introduction.md) supports identity-based authentication over Server Message Block (SMB) for Linux virtual machines (VMs) using the Kerberos authentication protocol through the following methods: - On-premises Windows Active Directory Domain Services (AD DS)-- Azure Active Directory Domain Services (Azure AD DS)+- Microsoft Entra Domain Services -In order to use the first option (AD DS), you must sync your AD DS to Azure Active Directory (Azure AD) using Azure AD Connect. +In order to use the first option (AD DS), you must sync your AD DS to Microsoft Entra ID using Microsoft Entra Connect. > [!Note] > This article uses Ubuntu for the example steps. Similar configurations will work for RHEL and SLES machines, allowing you to mount Azure file shares using Active Directory. 
You can't use identity-based authentication to mount Azure File shares on Linux Before you enable AD authentication over SMB for Azure file shares, make sure you've completed the following prerequisites. -- A Linux VM (Ubuntu 18.04+ or an equivalent RHEL or SLES VM) running on Azure. The VM must have at least one network interface on the VNET containing the Azure AD DS, or an on-premises Linux VM with AD DS synced to Azure AD.+- A Linux VM (Ubuntu 18.04+ or an equivalent RHEL or SLES VM) running on Azure. The VM must have at least one network interface on the VNET containing the Microsoft Entra Domain Services, or an on-premises Linux VM with AD DS synced to Microsoft Entra ID. - Root user or user credentials to a local user account that has full sudo rights (for this guide, localadmin). - The Linux VM must not have joined any AD domain. If it's already a part of a domain, it needs to first leave that domain before it can join this domain.-- An Azure AD tenant [fully configured](../../active-directory-domain-services/tutorial-create-instance.md), with domain user already set up.+- A Microsoft Entra tenant [fully configured](../../active-directory-domain-services/tutorial-create-instance.md), with domain user already set up. Installing the samba package isn't strictly necessary, but it gives you some useful tools and brings in other packages automatically, such as `samba-common` and `smbclient`. Run the following commands to install it. If you're asked for any input values during installation, leave them blank. PING 10.0.2.5 (10.0.2.5) 56(84) bytes of data. rtt min/avg/max/mdev = 0.898/0.922/0.946/0.024 ms ``` -4. If the ping doesn't work, go back to [prerequisites](#prerequisites), and make sure that your VM is on a VNET that has access to the Azure AD tenant. +4. If the ping doesn't work, go back to [prerequisites](#prerequisites), and make sure that your VM is on a VNET that has access to the Microsoft Entra tenant. 5. 
If the IP addresses are pinging but the DNS servers aren't automatically discovered, you can add the DNS servers manually. Edit `/etc/netplan/50-cloud-init.yaml` with your favorite text editor. then fi ``` -### Connect to Azure AD DS and make sure the services are discoverable +<a name='connect-to-azure-ad-ds-and-make-sure-the-services-are-discoverable'></a> ++### Connect to Microsoft Entra Domain Services and make sure the services are discoverable 1. Make sure that you're able to ping the domain server by the domain name. PING contosodomain.contoso.com (10.0.2.4) 56(84) bytes of data. rtt min/avg/max/mdev = 0.740/1.026/1.419/0.248 ms ``` -2. Make sure you can discover the Azure AD services on the network. +2. Make sure you can discover the Microsoft Entra services on the network. ```bash nslookup sudo smbd -b | grep "CONFIGFILE" 2. Change the SMB configuration to act as a domain member. For more information, see [Setting up samba as a domain member](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member). Here's a sample `smb.conf` file. > [!Note]-> This example is for Azure AD DS, for which we recommend setting `backend = rid` when configuring idmap. On-premises AD DS users might prefer to [choose a different idmap backend](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choosing_an_idmap_backend). +> This example is for Microsoft Entra Domain Services, for which we recommend setting `backend = rid` when configuring idmap. On-premises AD DS users might prefer to [choose a different idmap backend](https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choosing_an_idmap_backend). ```plaintext [global] sudo smbcontrol all reload-config ### Join the domain -1. Use the `net ads join` command to join the host to the Azure AD DS domain. If the command throws an error, see [Troubleshooting samba domain members](https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members) to resolve the issue. +1. 
Use the `net ads join` command to join the host to the Microsoft Entra Domain Services domain. If the command throws an error, see [Troubleshooting samba domain members](https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members) to resolve the issue. ```bash sudo net ads join -U contososmbadmin # user - garead wbinfo -K 'contososmbadmin%SUPERSECRETPASSWORD' ## Mount the file share -After you've enabled AD (or Azure AD) Kerberos authentication and domain-joined your Linux VM, you can mount the file share. +After you've enabled AD (or Microsoft Entra ID) Kerberos authentication and domain-joined your Linux VM, you can mount the file share. For detailed mounting instructions, see [Mount the Azure file share on-demand with mount](storage-how-to-use-files-linux.md?tabs=smb311#mount-the-azure-file-share-on-demand-with-mount). |
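Review bot: the unchanged context line `wbinfo -K 'contososmbadmin%SUPERSECRETPASSWORD'` puts the domain admin's password on the command line, where it is written to the shell history and is visible in the process list while the command runs; since the surrounding text is being revised anyway, consider dropping the `%PASSWORD` part so wbinfo prompts for it, or add a sentence stating that the inline form is for illustration only.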
storage | Storage Files Identity Multiple Forests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-multiple-forests.md | -> If you want to set share-level permissions for specific Azure AD users or groups using Azure role-based access control (RBAC), then you must first sync the on-premises AD accounts to Azure AD using [Azure AD Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md). Otherwise, you can use a [default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities). +> If you want to set share-level permissions for specific Microsoft Entra users or groups using Azure role-based access control (RBAC), then you must first sync the on-premises AD accounts to Microsoft Entra ID using [Microsoft Entra Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md). Otherwise, you can use a [default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities). 
## Applies to | File share type | SMB | NFS | Many organizations want to use identity-based authentication for SMB Azure file - Two AD DS domain controllers with different forests and on different virtual networks (VNETs) - Sufficient AD permissions to perform administrative tasks (for example, Domain Admin)-- If using Azure RBAC, both forests must be reachable by a single Azure AD Connect sync server+- If using Azure RBAC, both forests must be reachable by a single Microsoft Entra Connect Sync server ## How forest trust relationships work Once authentication passes, the trust is established, and you should be able to ### Set up identity-based authentication and hybrid user accounts -Once the trust is established, follow these steps to create a storage account and SMB file share for each domain, enable AD DS authentication on the storage accounts, and create hybrid user accounts synced to Azure AD. +Once the trust is established, follow these steps to create a storage account and SMB file share for each domain, enable AD DS authentication on the storage accounts, and create hybrid user accounts synced to Microsoft Entra ID. 1. Log in to the Azure portal and create two storage accounts such as **onprem1sa** and **onprem2sa**. For optimal performance, we recommend that you deploy the storage accounts in the same region as the clients from which you plan to access the shares. Once the trust is established, follow these steps to create a storage account an > Creating a second storage account isn't necessary. These instructions are meant to show an example of how to access storage accounts that belong to different forests. If you only have one storage account, you can ignore the second storage account setup instructions. 1. [Create an SMB Azure file share](storage-files-identity-ad-ds-assign-permissions.md) on each storage account.-1. 
[Sync your on-premises AD to Azure AD](../../active-directory/hybrid/how-to-connect-install-roadmap.md) using [Azure AD Connect sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application. +1. [Sync your on-premises AD to Microsoft Entra ID](../../active-directory/hybrid/how-to-connect-install-roadmap.md) using [Microsoft Entra Connect Sync](../../active-directory/hybrid/whatis-azure-ad-connect.md) application. 1. Domain-join an Azure VM in **Forest 1** to your on-premises AD DS. For information about how to domain-join, refer to [Join a Computer to a Domain](/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain). 1. [Enable AD DS authentication](storage-files-identity-ad-ds-enable.md) on the storage account associated with **Forest 1**, for example **onprem1sa**. This will create a computer account in your on-premises AD called **onprem1sa** to represent the Azure storage account and join the storage account to the **onpremad1.com** domain. You can verify that the AD identity representing the storage account was created by looking in **Active Directory Users and Computers** for **onpremad1.com**. In this example, you'd see a computer account called **onprem1sa**. 1. Create a user account by navigating to **Active Directory > onpremad1.com**. Right-click on **Users**, select **Create**, enter a user name (for example, **onprem1user**), and check the **Password never expires** box (optional).-1. Optional: If you want to use Azure RBAC to assign share-level permissions, you must sync the user to Azure AD using Azure AD Connect. Normally Azure AD Connect sync updates every 30 minutes. However, you can force it to sync immediately by opening an elevated PowerShell session and running `Start-ADSyncSyncCycle -PolicyType Delta`. You might need to install the AzureAD Sync module first by running `Import-Module ADSync`. 
To verify that the user has been synced to Azure AD, sign in to the Azure portal with the Azure subscription associated with your multi-forest tenant and select **Azure Active Directory**. Select **Manage > Users** and search for the user you added (for example, **onprem1user**). **On-premises sync enabled** should say **Yes**. +1. Optional: If you want to use Azure RBAC to assign share-level permissions, you must sync the user to Microsoft Entra ID using Microsoft Entra Connect. Normally Microsoft Entra Connect Sync updates every 30 minutes. However, you can force it to sync immediately by opening an elevated PowerShell session and running `Start-ADSyncSyncCycle -PolicyType Delta`. You might need to install the AzureAD Sync module first by running `Import-Module ADSync`. To verify that the user has been synced to Microsoft Entra ID, sign in to the Azure portal with the Azure subscription associated with your multi-forest tenant and select **Microsoft Entra ID**. Select **Manage > Users** and search for the user you added (for example, **onprem1user**). **On-premises sync enabled** should say **Yes**. 1. Set share-level permissions using either Azure RBAC roles or a default share-level permission. - - If the user is synced to Azure AD, you can grant a share-level permission (Azure RBAC role) to the user **onprem1user** on storage account **onprem1sa** so the user can mount the file share. To do this, navigate to the file share you created in **onprem1sa** and follow the instructions in [Assign share-level permissions for specific Azure AD users or groups](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-specific-azure-ad-users-or-groups). + - If the user is synced to Microsoft Entra ID, you can grant a share-level permission (Azure RBAC role) to the user **onprem1user** on storage account **onprem1sa** so the user can mount the file share. 
To do this, navigate to the file share you created in **onprem1sa** and follow the instructions in [Assign share-level permissions for specific Microsoft Entra users or groups](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-specific-azure-ad-users-or-groups). - Otherwise, you can use a [default share-level permission](storage-files-identity-ad-ds-assign-permissions.md#share-level-permissions-for-all-authenticated-identities) that applies to all authenticated identities. Repeat steps 4-8 for **Forest2** domain **onpremad2.com** (storage account **onprem2sa**/user **onprem2user**). If you have more than two forests, repeat the steps for each forest. |
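Review bot: in the renamed optional sync step, `Import-Module ADSync` loads the module rather than installs it, and the phrase "install the AzureAD Sync module" was left behind by the Azure AD to Microsoft Entra rename applied to the rest of the sentence; suggest "You might need to load the ADSync module first by running `Import-Module ADSync`", and note that both cmdlets are run on the Microsoft Entra Connect sync server, which the prerequisites list already names.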
storage | Storage Files Migration Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-migration-overview.md | Unlike object storage in Azure blobs, an Azure file share can natively store fil > [!IMPORTANT] > If you're migrating on-premises file servers to Azure File Sync, set the ACLs for the root directory of the file share **before** copying a large number of files, as changes to permissions for root ACLs can take up to a day to propagate if done after a large file migration. -A user of Active Directory, which is their on-premises domain controller, can natively access an Azure file share. So can a user of Azure Active Directory Domain Services (Azure AD DS). Each uses their current identity to get access based on share permissions and on file and folder ACLs. This behavior is similar to a user connecting to an on-premises file share. +A user of Active Directory, which is their on-premises domain controller, can natively access an Azure file share. So can a user of Microsoft Entra Domain Services. Each uses their current identity to get access based on share permissions and on file and folder ACLs. This behavior is similar to a user connecting to an on-premises file share. The alternative data stream is the primary aspect of file fidelity that currently can't be stored on a file in an Azure file share. It's preserved on-premises when Azure File Sync is used. -Learn more about [on-premises Active Directory authentication](storage-files-identity-auth-active-directory-enable.md) and [Azure AD DS authentication](storage-files-identity-auth-domain-services-enable.md) for Azure file shares. +Learn more about [on-premises Active Directory authentication](storage-files-identity-auth-active-directory-enable.md) and [Microsoft Entra Domain Services authentication](storage-files-identity-auth-domain-services-enable.md) for Azure file shares. ## Migration guides |
storage | Storage Files Migration Storsimple 8000 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-migration-storsimple-8000.md | You'll likely need to deploy several Azure storage accounts. Each one will hold #### Subscription -You can use the same subscription you used for your StorSimple deployment or a different one. The only limitation is that your subscription must be in the same Azure Active Directory tenant as the StorSimple subscription. Consider moving the StorSimple subscription to the appropriate tenant before you start a migration. You can only move the entire subscription, individual StorSimple resources can't be moved to a different tenant or subscription. +You can use the same subscription you used for your StorSimple deployment or a different one. The only limitation is that your subscription must be in the same Microsoft Entra tenant as the StorSimple subscription. Consider moving the StorSimple subscription to the appropriate tenant before you start a migration. You can only move the entire subscription, individual StorSimple resources can't be moved to a different tenant or subscription. #### Resource group |
storage | Storage Files Netapp Comparison | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-netapp-comparison.md | Most workloads that require cloud file storage work well on either Azure Files o | Region Availability | Premium<br><ul><li>30+ Regions</li></ul><br>Standard<br><ul><li>All regions</li></ul><br> To learn more, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=storage). | All tiers<br><ul><li>40+ Regions</li></ul><br> To learn more, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=storage). | | Redundancy | Premium<br><ul><li>LRS</li><li>ZRS</li></ul><br>Standard<br><ul><li>LRS</li><li>ZRS</li><li>GRS</li><li>GZRS</li></ul><br> To learn more, see [redundancy](./storage-files-planning.md#redundancy). | All tiers<br><ul><li>Built-in local HA</li><li>[Cross-region replication](../../azure-netapp-files/cross-region-replication-introduction.md)</li><li>[Cross-zone replication](../../azure-netapp-files/cross-zone-replication-introduction.md)</li><li>[Availability zones for high availability](../../azure-netapp-files/use-availability-zones.md)</li></ul> | | Service-Level Agreement (SLA)<br><br> Note that SLAs for Azure Files and Azure NetApp Files are calculated differently. | [SLA for Azure Files](https://azure.microsoft.com/support/legal/sla/storage/) | [SLA for Azure NetApp Files](https://azure.microsoft.com/support/legal/sla/netapp) | -| Identity-Based Authentication and Authorization | SMB<br><ul><li>Active Directory Domain Services (AD DS)</li><li>Azure Active Directory Domain Services (Azure AD DS)</li><li>Azure Active Directory Kerberos (hybrid identities only)</li></ul><br> Note that identify-based authentication is only supported when using SMB protocol. To learn more, see [FAQ](./storage-files-faq.md#security-authentication-and-access-control). 
| SMB<br><ul><li>Active Directory Domain Services (AD DS)</li><li>Azure Active Directory Domain Services (Azure AD DS)</li></ul><br> NFS/SMB dual protocol<ul><li>ADDS/LDAP integration</li><li>[ADD/LDAP over TLS](../../azure-netapp-files/configure-ldap-over-tls.md)</li></ul><br>NFSv3/NFSv4.1<ul><li>[ADDS/LDAP integration with NFS extended groups](../../azure-netapp-files/configure-ldap-extended-groups.md)</li></ul><br> To learn more, see [Azure NetApp Files NFS FAQ](../../azure-netapp-files/faq-nfs.md) and [Azure NetApp Files SMB FAQ](../../azure-netapp-files/faq-smb.md). | +| Identity-Based Authentication and Authorization | SMB<br><ul><li>Active Directory Domain Services (AD DS)</li><li>Microsoft Entra Domain Services</li><li>Microsoft Entra Kerberos (hybrid identities only)</li></ul><br> Note that identify-based authentication is only supported when using SMB protocol. To learn more, see [FAQ](./storage-files-faq.md#security-authentication-and-access-control). | SMB<br><ul><li>Active Directory Domain Services (AD DS)</li><li>Microsoft Entra Domain Services</li></ul><br> NFS/SMB dual protocol<ul><li>ADDS/LDAP integration</li><li>[ADD/LDAP over TLS](../../azure-netapp-files/configure-ldap-over-tls.md)</li></ul><br>NFSv3/NFSv4.1<ul><li>[ADDS/LDAP integration with NFS extended groups](../../azure-netapp-files/configure-ldap-extended-groups.md)</li></ul><br> To learn more, see [Azure NetApp Files NFS FAQ](../../azure-netapp-files/faq-nfs.md) and [Azure NetApp Files SMB FAQ](../../azure-netapp-files/faq-smb.md). | | Encryption | All protocols<br><ul><li>Encryption at rest (AES-256) with customer or Microsoft-managed keys</li></ul><br>SMB<br><ul><li>Kerberos encryption using AES-256 (recommended) or RC4-HMAC</li><li>Encryption in transit</li></ul><br>REST<br><ul><li>Encryption in transit</li></ul><br> To learn more, see [Security and networking](files-nfs-protocol.md#security-and-networking). 
| All protocols<br><ul><li>Encryption at rest (AES-256) with Microsoft-managed keys</li><li>[Encryption at rest (AES-256) with customer-managed keys](../../azure-netapp-files/configure-customer-managed-keys.md)</li></ul><br>SMB<ul><li>Encryption in transit using AES-CCM (SMB 3.0) and AES-GCM (SMB 3.1.1)</li></ul><br>NFS 4.1<ul><li>Encryption in transit using Kerberos with AES-256</li></ul><br> To learn more, see [security FAQ](../../azure-netapp-files/faq-security.md). | | Access Options | <ul><li>Internet</li><li>Secure VNet access</li><li>VPN Gateway</li><li>ExpressRoute</li><li>Azure File Sync</li></ul><br> To learn more, see [network considerations](./storage-files-networking-overview.md). | <ul><li>Secure VNet access</li><li>VPN Gateway</li><li>ExpressRoute</li><li>[Virtual WAN](../../azure-netapp-files/configure-virtual-wan.md)</li><li>[Global File Cache](https://cloud.netapp.com/global-file-cache/azure)</li><li>[HPC Cache](../../hpc-cache/hpc-cache-overview.md)</li><li>[Standard Network Features](../../azure-netapp-files/azure-netapp-files-network-topologies.md#configurable-network-features)</li></ul><br> To learn more, see [network considerations](../../azure-netapp-files/azure-netapp-files-network-topologies.md). | | Data Protection | <ul><li>Incremental snapshots</li><li>File/directory user self-restore</li><li>Restore to new location</li><li>In-place revert</li><li>Share-level soft delete</li><li>Azure Backup integration</li></ul><br> To learn more, see [Azure Files enhances data protection capabilities](https://azure.microsoft.com/blog/azure-files-enhances-data-protection-capabilities/). 
| <ul><li>[Azure NetApp Files backup](../../azure-netapp-files/backup-introduction.md)</li><li>Snapshots (255/volume)</li><li>File/directory user self-restore</li><li>Restore to new volume</li><li>In-place revert</li><li>[Cross-region replication](../../azure-netapp-files/cross-region-replication-introduction.md)</li><li>[Cross-zone replication](../../azure-netapp-files/cross-zone-replication-introduction.md)</li></ul><br> To learn more, see [How Azure NetApp Files snapshots work](../../azure-netapp-files/snapshots-introduction.md). | |
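Review bot: the replacement Identity-Based Authentication cell carries forward two typos from the removed line instead of fixing them: "Note that identify-based authentication is only supported when using SMB protocol" should read "identity-based authentication", and the link text "[ADD/LDAP over TLS]" should read "AD DS/LDAP over TLS" to match the adjacent "ADDS/LDAP integration" items. Since the whole cell is being rewritten for the Microsoft Entra rename, correct both in the same change.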
storage | Storage Files Planning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-planning.md | When deploying Azure file shares into storage accounts, we recommend: To access an Azure file share, the user of the file share must be authenticated and authorized to access the share. This is done based on the identity of the user accessing the file share. Azure Files supports the following methods of authentication: - **On-premises Active Directory Domain Services (AD DS, or on-premises AD DS)**: Azure storage accounts can be domain joined to a customer-owned Active Directory Domain Services, just like a Windows Server file server or NAS device. You can deploy a domain controller on-premises, in an Azure VM, or even as a VM in another cloud provider; Azure Files is agnostic to where your domain controller is hosted. Once a storage account is domain-joined, the end user can mount a file share with the user account they signed into their PC with. AD-based authentication uses the Kerberos authentication protocol.-- **Azure Active Directory Domain Services (Azure AD DS)**: Azure AD DS provides a Microsoft-managed domain controller that can be used for Azure resources. Domain joining your storage account to Azure AD DS provides similar benefits to domain joining it to a customer-owned AD DS. This deployment option is most useful for application lift-and-shift scenarios that require AD-based permissions. Since Azure AD DS provides AD-based authentication, this option also uses the Kerberos authentication protocol.-- **Azure Active Directory (Azure AD) Kerberos for hybrid identities**: Azure AD Kerberos allows you to use Azure AD to authenticate [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD identities that are synced to the cloud. This configuration uses Azure AD to issue Kerberos tickets to access the file share with the SMB protocol. 
This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined VMs.-- **Active Directory authentication over SMB for Linux clients**: Azure Files supports identity-based authentication over SMB for Linux clients using the Kerberos authentication protocol through either AD DS or Azure AD DS.+- **Microsoft Entra Domain Services**: Microsoft Entra Domain Services provides a Microsoft-managed domain controller that can be used for Azure resources. Domain joining your storage account to Microsoft Entra Domain Services provides similar benefits to domain joining it to a customer-owned AD DS. This deployment option is most useful for application lift-and-shift scenarios that require AD-based permissions. Since Microsoft Entra Domain Services provides AD-based authentication, this option also uses the Kerberos authentication protocol. +- **Microsoft Entra Kerberos for hybrid identities**: Microsoft Entra Kerberos allows you to use Microsoft Entra ID to authenticate [hybrid user identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which are on-premises AD identities that are synced to the cloud. This configuration uses Microsoft Entra ID to issue Kerberos tickets to access the file share with the SMB protocol. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VMs. +- **Active Directory authentication over SMB for Linux clients**: Azure Files supports identity-based authentication over SMB for Linux clients using the Kerberos authentication protocol through either AD DS or Microsoft Entra Domain Services. - **Azure storage account key**: Azure file shares may also be mounted with an Azure storage account key. 
To mount a file share this way, the storage account name is used as the username and the storage account key is used as a password. Using the storage account key to mount the Azure file share is effectively an administrator operation, because the mounted file share will have full permissions to all of the files and folders on the share, even if they have ACLs. When using the storage account key to mount over SMB, the NTLMv2 authentication protocol is used. If you intend to use the storage account key to access your Azure file shares, we recommend using private endpoints or service endpoints as described in the [Networking](#networking) section. For customers migrating from on-premises file servers, or creating new file shares in Azure Files intended to behave like Windows file servers or NAS appliances, domain joining your storage account to **Customer-owned AD DS** is the recommended option. To learn more about domain joining your storage account to a customer-owned AD DS, see [Overview - on-premises Active Directory Domain Services authentication over SMB for Azure file shares](storage-files-identity-auth-active-directory-enable.md). |
storage | Windows Server To Azure Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/windows-server-to-azure-files.md | Azure File Sync can synchronize and cache your Azure file share anywhere you can With Azure Files you benefit from multi-layered security provided by Microsoft across physical data centers, infrastructure, and operations in Azure. We provide several data redundancy options including local, regional, or global. Differential snapshots and snapshot management from Azure Backup simplify data protection, while Azure File Sync offers a variety of [disaster recovery options](../file-sync/file-sync-disaster-recovery-best-practices.md). You can even protect users from accidentally deleting a file or share via [soft delete](storage-files-enable-soft-delete.md). -Access control works just like your Windows file servers. You can [use identity-based authentication](storage-files-active-directory-overview.md) and integrate SMB Azure file shares with your on-premises Active Directory environment or Azure AD, and control share-level and directory/file-level access as well as administrator privileges. +Access control works just like your Windows file servers. You can [use identity-based authentication](storage-files-active-directory-overview.md) and integrate SMB Azure file shares with your on-premises Active Directory environment or Microsoft Entra ID, and control share-level and directory/file-level access as well as administrator privileges. ## See also - [Migrate to Azure Files](storage-files-migration-overview.md)-- [Azure Files networking considerations](storage-files-networking-overview.md)+- [Azure Files networking considerations](storage-files-networking-overview.md) |
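Review bot: the final hunk removes and re-adds a textually identical line, "- [Azure Files networking considerations](storage-files-networking-overview.md)"; as shown it is a no-op, so this is presumably a trailing-newline or line-ending change. If that was not intended, drop it to keep the diff limited to the rename.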
storage | Assign Azure Role Data Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/assign-azure-role-data-access.md | Title: Assign an Azure role for access to queue data -description: Learn how to assign permissions for queue data to an Azure Active Directory security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Azure AD. +description: Learn how to assign permissions for queue data to a Microsoft Entra security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Microsoft Entra ID. ms.devlang: azurecli # Assign an Azure role for access to queue data -Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access queue data. +Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access queue data. -When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. 
A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). -To learn more about using Azure AD to authorize access to queue data, see [Authorize access to queues using Azure Active Directory](authorize-access-azure-active-directory.md). +To learn more about using Microsoft Entra ID to authorize access to queue data, see [Authorize access to queues using Microsoft Entra ID](authorize-access-azure-active-directory.md). > [!NOTE] > This article shows how to assign an Azure role for access to queue data in a storage account. To learn about assigning roles for management operations in Azure Storage, see [Use the Azure Storage resource provider to access management resources](../common/authorization-resource-provider.md). You can use the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manage # [Azure portal](#tab/portal) -To access queue data in the Azure portal with Azure AD credentials, a user must have the following role assignments: +To access queue data in the Azure portal with Microsoft Entra credentials, a user must have the following role assignments: - A data access role, such as **Storage Queue Data Contributor** - The Azure Resource Manager **Reader** role The [Reader](../../role-based-access-control/built-in-roles.md#reader) role is a For example, if you assign the **Storage Queue Data Contributor** role to user Mary at the level of a queue named **sample-queue**, then Mary is granted read, write, and delete access to that queue. However, if Mary wants to view a queue in the Azure portal, then the **Storage Queue Data Contributor** role by itself will not provide sufficient permissions to navigate through the portal to the queue in order to view it. The additional permissions are required to navigate through the portal and view the other resources that are visible there. 
-A user must be assigned the **Reader** role to use the Azure portal with Azure AD credentials. However, if a user has been assigned a role with **Microsoft.Storage/storageAccounts/listKeys/action** permissions, then the user can use the portal with the storage account keys, via Shared Key authorization. To use the storage account keys, Shared Key access must be permitted for the storage account. For more information on permitting or disallowing Shared Key access, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md). +A user must be assigned the **Reader** role to use the Azure portal with Microsoft Entra credentials. However, if a user has been assigned a role with **Microsoft.Storage/storageAccounts/listKeys/action** permissions, then the user can use the portal with the storage account keys, via Shared Key authorization. To use the storage account keys, Shared Key access must be permitted for the storage account. For more information on permitting or disallowing Shared Key access, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md). You can also assign an Azure Resource Manager role that provides additional permissions beyond than the **Reader** role. Assigning the least possible permissions is recommended as a security best practice. For more information, see [Best practices for Azure RBAC](../../role-based-access-control/best-practices.md). To learn how to use an Azure Resource Manager template to assign an Azure role, Keep in mind the following points about Azure role assignments in Azure Storage: -- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for Azure Storage. 
You can assign it at the level of your subscription, resource group, storage account, or queue.+- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or queue. - If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a queue. ## Next steps |
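Review bot: the new description line reads "Microsoft Entra authorizes access rights to secured resources", while the rest of this hunk uses the full product name ("via Microsoft Entra ID", "using Microsoft Entra ID"); use "Microsoft Entra ID authorizes" so the noun form is consistent (the adjective form in "a Microsoft Entra security principal" is fine). While the surrounding paragraph is being touched, the unchanged context line "provides additional permissions beyond than the **Reader** role" has a stray "than"; it should read "beyond the **Reader** role".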
storage | Authorize Access Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/authorize-access-azure-active-directory.md | Title: Authorize access to queues using Active Directory -description: Authorize access to Azure queues using Azure Active Directory (Azure AD). Assign Azure roles for access rights. Access data with an Azure AD account. +description: Authorize access to Azure queues using Microsoft Entra ID. Assign Azure roles for access rights. Access data with a Microsoft Entra account. -# Authorize access to queues using Azure Active Directory +# Authorize access to queues using Microsoft Entra ID -Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to queue data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Queue service. +Azure Storage supports using Microsoft Entra ID to authorize requests to queue data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Queue service. -Authorization with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your queue applications when possible to assure access with minimum required privileges. +Authorization with Microsoft Entra ID provides superior security and ease of use over Shared Key authorization. 
Microsoft recommends using Microsoft Entra authorization with your queue applications when possible to assure access with minimum required privileges. -Authorization with Azure AD is available for all general-purpose storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization. +Authorization with Microsoft Entra ID is available for all general-purpose storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Microsoft Entra authorization. -## Overview of Azure AD for queues +<a name='overview-of-azure-ad-for-queues'></a> -When a security principal (a user, group, or application) attempts to access a queue resource, the request must be authorized, unless it's a queue available for anonymous access. With Azure AD, access to a resource is a two-step process: +## Overview of Microsoft Entra ID for queues ++When a security principal (a user, group, or application) attempts to access a queue resource, the request must be authorized, unless it's a queue available for anonymous access. With Microsoft Entra ID, access to a resource is a two-step process: 1. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. When a security principal (a user, group, or application) attempts to access a q The authorization step requires that one or more Azure RBAC roles be assigned to the security principal making the request. For more information, see [Assign Azure roles for access rights](#assign-azure-roles-for-access-rights). 
-### Use an Azure AD account with portal, PowerShell, or Azure CLI +<a name='use-an-azure-ad-account-with-portal-powershell-or-azure-cli'></a> ++### Use a Microsoft Entra account with portal, PowerShell, or Azure CLI -To learn about how to access data in the Azure portal with an Azure AD account, see [Data access from the Azure portal](#data-access-from-the-azure-portal). To learn how to call Azure PowerShell or Azure CLI commands with an Azure AD account, see [Data access from PowerShell or Azure CLI](#data-access-from-powershell-or-azure-cli). +To learn about how to access data in the Azure portal with a Microsoft Entra account, see [Data access from the Azure portal](#data-access-from-the-azure-portal). To learn how to call Azure PowerShell or Azure CLI commands with a Microsoft Entra account, see [Data access from PowerShell or Azure CLI](#data-access-from-powershell-or-azure-cli). -### Use Azure AD to authorize access in application code +<a name='use-azure-ad-to-authorize-access-in-application-code'></a> -To authorize access to Azure Storage with Azure AD, you can use one of the following client libraries to acquire an OAuth 2.0 token: +### Use Microsoft Entra ID to authorize access in application code ++To authorize access to Azure Storage with Microsoft Entra ID, you can use one of the following client libraries to acquire an OAuth 2.0 token: - The Azure Identity client library is recommended for most development scenarios. - The [Microsoft Authentication Library (MSAL)](../../active-directory/develop/msal-overview.md) may be suitable for certain advanced scenarios. #### Azure Identity client library -The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Azure Active Directory (Azure AD) via the [Azure SDK](https://github.com/Azure/azure-sdk). 
The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of Azure Storage requests. +The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Microsoft Entra ID via the [Azure SDK](https://github.com/Azure/azure-sdk). The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of Azure Storage requests. An advantage of the Azure Identity client library is that it enables you to use the same code to acquire the access token whether your application is running in the development environment or in Azure. The Azure Identity client library returns an access token for a security principal. When your code is running in Azure, the security principal may be a managed identity for Azure resources, a service principal, or a user or group. In the development environment, the client library provides an access token for either a user or a service principal for testing purposes. The access token returned by the Azure Identity client library is encapsulated i While Microsoft recommends using the Azure Identity client library when possible, the MSAL library may be appropriate to use in certain advanced scenarios. For more information, see [Learn about MSAL](../../active-directory/develop/msal-overview.md). -When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide an Azure AD resource ID. The Azure AD resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. 
In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account. +When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide a Microsoft Entra resource ID. The Microsoft Entra resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account. When you provide a resource ID that is specific to a single storage account and service, the resource ID is used to acquire a token for authorizing requests to the specified account and service only. The following table lists the value to use for the resource ID, based on the cloud you're working with. Replace `<account-name>` with the name of your storage account. You can also provide a resource ID that applies to any storage account, as shown ## Assign Azure roles for access rights -Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure RBAC. Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access queue data. You can also define custom roles for access to queue data. To learn more about assigning Azure roles for queue access, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md). +Microsoft Entra authorizes access rights to secured resources through Azure RBAC. Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access queue data. You can also define custom roles for access to queue data. To learn more about assigning Azure roles for queue access, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md). 
-An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). The RBAC roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles for queue access, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md) +A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). The RBAC roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles for queue access, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md) In some cases you may need to enable fine-grained access to queue resources or to simplify permissions when you have a large number of role assignments for a storage resource. You can use Azure attribute-based access control (Azure ABAC) to configure conditions on role assignments. You can use conditions with a [custom role](../../role-based-access-control/custom-roles.md) or select built-in roles. For more information about configuring conditions for Azure storage resources with ABAC, see [Authorize access to queues using Azure role assignment conditions](queues-auth-abac.md). For details about supported conditions for queue data operations, see [Actions and attributes for Azure role assignment conditions for Azure queues](queues-auth-abac-attributes.md). > [!NOTE]-> When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for access to Queue Storage. 
You can assign it at the level of your subscription, resource group, storage account, or queue. +> When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for access to Queue Storage. You can assign it at the level of your subscription, resource group, storage account, or queue. ### Resource scope For more information about scope for Azure RBAC role assignments, see [Understan ### Azure built-in roles for queues -Azure RBAC provides several built-in roles for authorizing access to queue data using Azure AD and OAuth. Some examples of roles that provide permissions to data resources in Azure Storage include: +Azure RBAC provides several built-in roles for authorizing access to queue data using Microsoft Entra ID and OAuth. Some examples of roles that provide permissions to data resources in Azure Storage include: - [Storage Queue Data Contributor](../../role-based-access-control/built-in-roles.md#storage-queue-data-contributor): Use to grant read/write/delete permissions to Azure queues. - [Storage Queue Data Reader](../../role-based-access-control/built-in-roles.md#storage-queue-data-reader): Use to grant read-only permissions to Azure queues. To learn how to assign an Azure built-in role to a security principal, see [Assi For more information about how built-in roles are defined for Azure Storage, see [Understand role definitions](../../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md). -Only roles explicitly defined for data access permit a security principal to access queue data. Built-in roles such as **Owner**, **Contributor**, and **Storage Account Contributor** permit a security principal to manage a storage account, but don't provide access to the queue data within that account via Azure AD. 
However, if a role includes **Microsoft.Storage/storageAccounts/listKeys/action**, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see [Choose how to authorize access to queue data in the Azure portal](../../storage/queues/authorize-data-operations-portal.md). +Only roles explicitly defined for data access permit a security principal to access queue data. Built-in roles such as **Owner**, **Contributor**, and **Storage Account Contributor** permit a security principal to manage a storage account, but don't provide access to the queue data within that account via Microsoft Entra ID. However, if a role includes **Microsoft.Storage/storageAccounts/listKeys/action**, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see [Choose how to authorize access to queue data in the Azure portal](../../storage/queues/authorize-data-operations-portal.md). -For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). +For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). 
Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). > [!IMPORTANT] > Azure role assignments may take up to 30 minutes to propagate. For detailed information about Azure built-in roles for Azure Storage for both t For details on the permissions required to call specific Queue service operations, see [Permissions for calling data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations). -## Access data with an Azure AD account +<a name='access-data-with-an-azure-ad-account'></a> ++## Access data with a Microsoft Entra account -Access to queue data via the Azure portal, PowerShell, or Azure CLI can be authorized either by using the user's Azure AD account or by using the account access keys (Shared Key authorization). +Access to queue data via the Azure portal, PowerShell, or Azure CLI can be authorized either by using the user's Microsoft Entra account or by using the account access keys (Shared Key authorization). [!INCLUDE [storage-shared-key-caution](../../../includes/storage-shared-key-caution.md)] ### Data access from the Azure portal -The Azure portal can use either your Azure AD account or the account access keys to access queue data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you. +The Azure portal can use either your Microsoft Entra account or the account access keys to access queue data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you. -When you attempt to access queue data, the Azure portal first checks whether you've been assigned an Azure role with **Microsoft.Storage/storageAccounts/listkeys/action**. 
If you've been assigned a role with this action, then the Azure portal uses the account key for accessing queue data via Shared Key authorization. If you haven't been assigned a role with this action, then the Azure portal attempts to access data using your Azure AD account. +When you attempt to access queue data, the Azure portal first checks whether you've been assigned an Azure role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you've been assigned a role with this action, then the Azure portal uses the account key for accessing queue data via Shared Key authorization. If you haven't been assigned a role with this action, then the Azure portal attempts to access data using your Microsoft Entra account. -To access queue data from the Azure portal using your Azure AD account, you need permissions to access queue data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure Storage grant access to queue resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires the assignment of an Azure Resource Manager role such as the [Reader](../../role-based-access-control/built-in-roles.md#reader) role, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. To learn more about how to assign permissions to users for data access in the Azure portal with an Azure AD account, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md). +To access queue data from the Azure portal using your Microsoft Entra account, you need permissions to access queue data, and you also need permissions to navigate through the storage account resources in the Azure portal. 
The built-in roles provided by Azure Storage grant access to queue resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires the assignment of an Azure Resource Manager role such as the [Reader](../../role-based-access-control/built-in-roles.md#reader) role, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. To learn more about how to assign permissions to users for data access in the Azure portal with a Microsoft Entra account, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md). The Azure portal indicates which authorization scheme is in use when you navigate to a queue. For more information about data access in the portal, see [Choose how to authorize access to queue data in the Azure portal](authorize-data-operations-portal.md). ### Data access from PowerShell or Azure CLI -Azure CLI and PowerShell support signing in with Azure AD credentials. After you sign in, your session runs under those credentials. To learn more, see one of the following articles: +Azure CLI and PowerShell support signing in with Microsoft Entra credentials. After you sign in, your session runs under those credentials. To learn more, see one of the following articles: - [Choose how to authorize access to queue data with Azure CLI](authorize-data-operations-cli.md)-- [Run PowerShell commands with Azure AD credentials to access queue data](authorize-data-operations-powershell.md)+- [Run PowerShell commands with Microsoft Entra credentials to access queue data](authorize-data-operations-powershell.md) ## Next steps |
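Review bot: The two links to the portal authorization article in this file use different relative paths for the same target: the rewritten Owner/Contributor paragraph links `../../storage/queues/authorize-data-operations-portal.md`, while the sentence under "Data access from the Azure portal" links `authorize-data-operations-portal.md`. Assuming this article sits beside authorize-data-operations-portal.md, as its other sibling links (assign-azure-role-data-access.md, authorize-data-operations-cli.md) suggest, both resolve to the same file; since the + line is rewriting that paragraph anyway, use the short sibling path `(authorize-data-operations-portal.md)` in both places.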
storage | Authorize Data Operations Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/authorize-data-operations-cli.md | Title: Choose how to authorize access to queue data with Azure CLI -description: Specify how to authorize data operations against queue data with the Azure CLI. You can authorize data operations using Azure AD credentials, with the account access key, or with a shared access signature (SAS) token. +description: Specify how to authorize data operations against queue data with the Azure CLI. You can authorize data operations using Microsoft Entra credentials, with the account access key, or with a shared access signature (SAS) token. +- With a Microsoft Entra security principal. Microsoft recommends using Microsoft Entra credentials for superior security and ease of use. - With the account access key or a shared access signature (SAS) token. ## Specify how data operations are authorized Azure CLI commands for reading and writing queue data include the optional `--auth-mode` parameter. Specify this parameter to indicate how a data operation is to be authorized: -- Set the `--auth-mode` parameter to `login` to sign in using an Azure AD security principal (recommended).+- Set the `--auth-mode` parameter to `login` to sign in using a Microsoft Entra security principal (recommended). - Set the `--auth-mode` parameter to the legacy `key` value to attempt to retrieve the account access key to use for authorization. If you omit the `--auth-mode` parameter, then the Azure CLI also attempts to retrieve the access key. To use the `--auth-mode` parameter, make sure that you have installed Azure CLI v2.0.46 or later. Run `az --version` to check your installed version. > [!NOTE]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. 
**List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users users who do not already possess the account keys must use Azure AD credentials to access queue data. +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users users who do not already possess the account keys must use Microsoft Entra credentials to access queue data. > [!IMPORTANT] > If you omit the `--auth-mode` parameter or set it to `key`, then the Azure CLI attempts to use the account access key for authorization. In this case, Microsoft recommends that you provide the access key either on the command or in the `AZURE_STORAGE_KEY` environment variable. For more information about environment variables, see the section titled [Set environment variables for authorization parameters](#set-environment-variables-for-authorization-parameters). > > If you do not provide the access key, then the Azure CLI attempts to call the Azure Storage resource provider to retrieve it for each operation. Performing many data operations that require a call to the resource provider may result in throttling. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](../common/scalability-targets-resource-provider.md). -## Authorize with Azure AD credentials +<a name='authorize-with-azure-ad-credentials'></a> -When you sign in to Azure CLI with Azure AD credentials, an OAuth 2.0 access token is returned. 
That token is automatically used by Azure CLI to authorize subsequent data operations against Queue Storage. For supported operations, you no longer need to pass an account key or SAS token with the command. +## Authorize with Microsoft Entra credentials -You can assign permissions to queue data to an Azure AD security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Manage access rights to Azure Storage data with Azure RBAC](assign-azure-role-data-access.md). +When you sign in to Azure CLI with Microsoft Entra credentials, an OAuth 2.0 access token is returned. That token is automatically used by Azure CLI to authorize subsequent data operations against Queue Storage. For supported operations, you no longer need to pass an account key or SAS token with the command. ++You can assign permissions to queue data to a Microsoft Entra security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Manage access rights to Azure Storage data with Azure RBAC](assign-azure-role-data-access.md). ### Permissions for calling data operations -The Azure Storage extensions are supported for operations on queue data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to Azure CLI. Permissions to queues are assigned via Azure RBAC. For example, if you are assigned the **Storage Queue Data Reader** role, then you can run scripting commands that read data from a queue. If you are assigned the **Storage Queue Data Contributor** role, then you can run scripting commands that read, write, or delete a queue or the data they contain. +The Azure Storage extensions are supported for operations on queue data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you sign in to Azure CLI. 
Permissions to queues are assigned via Azure RBAC. For example, if you are assigned the **Storage Queue Data Reader** role, then you can run scripting commands that read data from a queue. If you are assigned the **Storage Queue Data Contributor** role, then you can run scripting commands that read, write, or delete a queue or the data they contain. For details about the permissions required for each Azure Storage operation on a queue, see [Call storage operations with OAuth tokens](/rest/api/storageservices/authorize-with-azure-active-directory#call-storage-operations-with-oauth-tokens). -### Example: Authorize an operation to create a queue with Azure AD credentials +<a name='example-authorize-an-operation-to-create-a-queue-with-azure-ad-credentials'></a> ++### Example: Authorize an operation to create a queue with Microsoft Entra credentials -The following example shows how to create a queue from Azure CLI using your Azure AD credentials. To create the queue, you'll need to sign in to the Azure CLI, and you'll need a resource group and a storage account. +The following example shows how to create a queue from Azure CLI using your Microsoft Entra credentials. To create the queue, you'll need to sign in to the Azure CLI, and you'll need a resource group and a storage account. 1. Before you create the queue, assign the [Storage Queue Data Contributor](../../role-based-access-control/built-in-roles.md#storage-queue-data-contributor) role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning Azure roles, see [Assign an Azure role for access to queue data](assign-azure-role-data-access.md). > [!IMPORTANT] > Azure role assignments may take a few minutes to propagate. -1. 
Call the [`az storage queue create`](/cli/azure/storage/queue#az-storage-queue-create) command with the `--auth-mode` parameter set to `login` to create the queue using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values: +1. Call the [`az storage queue create`](/cli/azure/storage/queue#az-storage-queue-create) command with the `--auth-mode` parameter set to `login` to create the queue using your Microsoft Entra credentials. Remember to replace placeholder values in angle brackets with your own values: ```azurecli az storage queue create \ You can specify authorization parameters in environment variables to avoid inclu | Environment variable | Description | |--|--|-| **AZURE_STORAGE_ACCOUNT** | The storage account name. This variable should be used in conjunction with either the storage account key or a SAS token. If neither are present, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Azure AD account. If a large number of commands are run at one time, the Azure Storage resource provider throttling limit may be reached. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](../common/scalability-targets-resource-provider.md). | +| **AZURE_STORAGE_ACCOUNT** | The storage account name. This variable should be used in conjunction with either the storage account key or a SAS token. If neither are present, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Microsoft Entra account. If a large number of commands are run at one time, the Azure Storage resource provider throttling limit may be reached. For more information about resource provider limits, see [Scalability and performance targets for the Azure Storage resource provider](../common/scalability-targets-resource-provider.md). | | **AZURE_STORAGE_KEY** | The storage account key. 
This variable must be used in conjunction with the storage account name. | | **AZURE_STORAGE_CONNECTION_STRING** | A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account name. | | **AZURE_STORAGE_SAS_TOKEN** | A shared access signature (SAS) token. This variable must be used in conjunction with the storage account name. |-| **AZURE_STORAGE_AUTH_MODE** | The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI uses your Azure AD credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key. | +| **AZURE_STORAGE_AUTH_MODE** | The authorization mode with which to run the command. Permitted values are `login` (recommended) or `key`. If you specify `login`, the Azure CLI uses your Microsoft Entra credentials to authorize the data operation. If you specify the legacy `key` mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key. | ## Next steps - [Assign an Azure role for access to queue data](assign-azure-role-data-access.md)-- [Authorize access to data in Azure Storage](../common/authorize-data-access.md)+- [Authorize access to data in Azure Storage](../common/authorize-data-access.md) |
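Review bot: The + line in the [!NOTE] block carries over the doubled word "users users" from the original text; since the line is already being rewritten for the Microsoft Entra rename, fix it to "users who do not already possess the account keys must use Microsoft Entra credentials to access queue data."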
storage | Authorize Data Operations Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/authorize-data-operations-portal.md | Title: Choose how to authorize access to queue data in the Azure portal -description: When you access queue data using the Azure portal, the portal makes requests to Azure Storage under the covers. These requests to Azure Storage can be authenticated and authorized using either your Azure AD account or the storage account access key. +description: When you access queue data using the Azure portal, the portal makes requests to Azure Storage under the covers. These requests to Azure Storage can be authenticated and authorized using either your Microsoft Entra account or the storage account access key. -When you access queue data using the [Azure portal](https://portal.azure.com), the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Azure AD account or the storage account access key. The portal indicates which method you are using, and enables you to switch between the two if you have the appropriate permissions. +When you access queue data using the [Azure portal](https://portal.azure.com), the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Microsoft Entra account or the storage account access key. The portal indicates which method you are using, and enables you to switch between the two if you have the appropriate permissions. 
## Permissions needed to access queue data To access queue data with the account access key, you must have an Azure role as - The Azure Resource Manager [Contributor role](../../role-based-access-control/built-in-roles.md#contributor) - The Azure Resource Manager [Owner role](../../role-based-access-control/built-in-roles.md#owner) -When you attempt to access queue data in the Azure portal, the portal first checks whether you have been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you have been assigned a role with this action, then the portal uses the account key for accessing queue data. If you have not been assigned a role with this action, then the portal attempts to access data using your Azure AD account. +When you attempt to access queue data in the Azure portal, the portal first checks whether you have been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you have been assigned a role with this action, then the portal uses the account key for accessing queue data. If you have not been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account. > [!IMPORTANT]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Azure AD credentials to access queue data in the portal. For information about accessing queue data in the portal with Azure AD, see [Use your Azure AD account](#use-your-azure-ad-account). 
+> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Microsoft Entra credentials to access queue data in the portal. For information about accessing queue data in the portal with Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account). > [!NOTE]-> The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [`Owner`](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access queue data with the account key. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). +> The classic subscription administrator roles **Service Administrator** and **Co-Administrator** include the equivalent of the Azure Resource Manager [`Owner`](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access queue data with the account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles). 
-### Use your Azure AD account +<a name='use-your-azure-ad-account'></a> -To access queue data from the Azure portal using your Azure AD account, both of the following statements must be true for you: +### Use your Microsoft Entra account ++To access queue data from the Azure portal using your Microsoft Entra account, both of the following statements must be true for you: - You have been assigned either a built-in or custom role that provides access to queue data. - You have been assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. The Azure Resource Manager **Reader** role permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The **Reader** role is necessary so that users can navigate to queues in the Azure portal. -For information about the built-in roles that support access to queue data, see [Authorize access to queues using Azure Active Directory](authorize-access-azure-active-directory.md). +For information about the built-in roles that support access to queue data, see [Authorize access to queues using Microsoft Entra ID](authorize-access-azure-active-directory.md). Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md) and [Understand role definitions for Azure resources](../../role-based-access-control/role-definitions.md). 
To view queue data in the portal, navigate to the **Overview** for your storage ## Determine the current authentication method -When you navigate to a queue, the Azure portal indicates whether you are currently using the account access key or your Azure AD account to authenticate. +When you navigate to a queue, the Azure portal indicates whether you are currently using the account access key or your Microsoft Entra account to authenticate. ### Authenticate with the account access key If you are authenticating using the account access key, you'll see **Access Key* :::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot showing user currently accessing queues with the account key"::: -To switch to using Azure AD account, click the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the right permissions, you'll see an error message like the following one: +To switch to using Microsoft Entra account, click the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the right permissions, you'll see an error message like the following one: + +Notice that no queues appear in the list if your Microsoft Entra account lacks permissions to view them. Click on the **Switch to access key** link to use the access key for authentication again. -Notice that no queues appear in the list if your Azure AD account lacks permissions to view them. Click on the **Switch to access key** link to use the access key for authentication again. 
+<a name='authenticate-with-your-azure-ad-account'></a> -### Authenticate with your Azure AD account +### Authenticate with your Microsoft Entra account -If you are authenticating using your Azure AD account, you'll see **Azure AD User Account** specified as the authentication method in the portal: +If you are authenticating using your Microsoft Entra account, you'll see **Microsoft Entra user Account** specified as the authentication method in the portal: To switch to using the account access key, click the link highlighted in the image. If you have access to the account key, then you'll be able to proceed. However, if you lack access to the account key, the Azure portal displays an error message. -Queues are not listed in the portal if you do not have access to the account keys. Click on the **Switch to Azure AD User Account** link to use your Azure AD account for authentication again. +Queues are not listed in the portal if you do not have access to the account keys. Click on the **Switch to Microsoft Entra user Account** link to use your Microsoft Entra account for authentication again. ++<a name='default-to-azure-ad-authorization-in-the-azure-portal'></a> -## Default to Azure AD authorization in the Azure portal +## Default to Microsoft Entra authorization in the Azure portal -When you create a new storage account, you can specify that the Azure portal will default to authorization with Azure AD when a user navigates to queue data. You can also configure this setting for an existing storage account. This setting specifies the default authorization method only, so keep in mind that a user can override this setting and choose to authorize data access with the account key. +When you create a new storage account, you can specify that the Azure portal will default to authorization with Microsoft Entra ID when a user navigates to queue data. You can also configure this setting for an existing storage account. 
This setting specifies the default authorization method only, so keep in mind that a user can override this setting and choose to authorize data access with the account key. -To specify that the portal will use Azure AD authorization by default for data access when you create a storage account, follow these steps: +To specify that the portal will use Microsoft Entra authorization by default for data access when you create a storage account, follow these steps: 1. Create a new storage account, following the instructions in [Create a storage account](../common/storage-account-create.md).-1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Azure Active Directory authorization in the Azure portal**. +1. On the **Advanced** tab, in the **Security** section, check the box next to **Default to Microsoft Entra authorization in the Azure portal**. - :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Azure AD authorization in Azure portal for new account."::: + :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-create-portal.png" alt-text="Screenshot showing how to configure default Microsoft Entra authorization in Azure portal for new account."::: 1. Select the **Review + create** button to run validation and create the account. To update this setting for an existing storage account, follow these steps: 1. Navigate to the account overview in the Azure portal. 1. Under **Settings**, select **Configuration**.-1. Set **Default to Azure Active Directory authorization in the Azure portal** to **Enabled**. +1. Set **Default to Microsoft Entra authorization in the Azure portal** to **Enabled**. 
- :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-update-portal.png" alt-text="Screenshot showing how to configure default Azure AD authorization in Azure portal for existing account."::: + :::image type="content" source="media/authorize-data-operations-portal/default-auth-account-update-portal.png" alt-text="Screenshot showing how to configure default Microsoft Entra authorization in Azure portal for existing account."::: ## Next steps |
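Review bot: The renamed portal label is capitalized inconsistently in the "Authenticate with your Microsoft Entra account" section: "**Microsoft Entra user Account**" and "Switch to **Microsoft Entra user Account**" mix a lowercase "user" with a capitalized "Account", whereas the replaced text was "Azure AD User Account". Pick one casing (ideally the exact string the portal displays) and use it in both the authentication-method sentence and the switch link text.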
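Review bot: In the "Authenticate with the account access key" section, the rewritten sentence "To switch to using Microsoft Entra account, click the link highlighted in the image." drops the article; since the line is already being changed, make it "To switch to using your Microsoft Entra account, click the link highlighted in the image."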
storage | Authorize Data Operations Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/authorize-data-operations-powershell.md | Title: Run PowerShell commands with Azure AD credentials to access queue data + Title: Run PowerShell commands with Microsoft Entra credentials to access queue data -description: PowerShell supports signing in with Azure AD credentials to run commands on Azure Queue Storage data. An access token is provided for the session and used to authorize calling operations. Permissions depend on the Azure role assigned to the Azure AD security principal. +description: PowerShell supports signing in with Microsoft Entra credentials to run commands on Azure Queue Storage data. An access token is provided for the session and used to authorize calling operations. Permissions depend on the Azure role assigned to the Microsoft Entra security principal. -# Run PowerShell commands with Azure AD credentials to access queue data +# Run PowerShell commands with Microsoft Entra credentials to access queue data -Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Azure Active Directory (Azure AD) credentials. When you sign in to PowerShell with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by PowerShell to authorize subsequent data operations against Queue Storage. For supported operations, you no longer need to pass an account key or SAS token with the command. +Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Microsoft Entra credentials. When you sign in to PowerShell with Microsoft Entra credentials, an OAuth 2.0 access token is returned. That token is automatically used by PowerShell to authorize subsequent data operations against Queue Storage. For supported operations, you no longer need to pass an account key or SAS token with the command. 
-You can assign permissions to queue data to an Azure AD security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Manage access rights to Azure Storage data with Azure RBAC](assign-azure-role-data-access.md). +You can assign permissions to queue data to a Microsoft Entra security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see [Manage access rights to Azure Storage data with Azure RBAC](assign-azure-role-data-access.md). ## Supported operations -The Azure Storage extensions are supported for operations on queue data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to PowerShell. Permissions to queues are assigned via Azure RBAC. For example, if you have been assigned the **Queue Data Reader** role, then you can run scripting commands that read data from a queue. If you have been assigned the **Queue Data Contributor** role, then you can run scripting commands that read, write, or delete a queue or the data they contain. +The Azure Storage extensions are supported for operations on queue data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you sign in to PowerShell. Permissions to queues are assigned via Azure RBAC. For example, if you have been assigned the **Queue Data Reader** role, then you can run scripting commands that read data from a queue. If you have been assigned the **Queue Data Contributor** role, then you can run scripting commands that read, write, or delete a queue or the data they contain. For details about the permissions required for each Azure Storage operation on a queue, see [Call storage operations with OAuth tokens](/rest/api/storageservices/authorize-with-azure-active-directory#call-storage-operations-with-oauth-tokens). 
> [!IMPORTANT]-> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users users who do not already possess the account keys must use Azure AD credentials to access queue data. In PowerShell, include the `-UseConnectedAccount` parameter to create an **AzureStorageContext** object with your Azure AD credentials. +> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users users who do not already possess the account keys must use Microsoft Entra credentials to access queue data. In PowerShell, include the `-UseConnectedAccount` parameter to create an **AzureStorageContext** object with your Microsoft Entra credentials. -## Call PowerShell commands using Azure AD credentials +<a name='call-powershell-commands-using-azure-ad-credentials'></a> ++## Call PowerShell commands using Microsoft Entra credentials [!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)] -To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Azure AD credentials, create a storage context to reference the storage account, and include the `-UseConnectedAccount` parameter. 
+To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Microsoft Entra credentials, create a storage context to reference the storage account, and include the `-UseConnectedAccount` parameter. -The following example shows how to create a queue in a new storage account from Azure PowerShell using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values: +The following example shows how to create a queue in a new storage account from Azure PowerShell using your Microsoft Entra credentials. Remember to replace placeholder values in angle brackets with your own values: 1. Sign in to your Azure account with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) command: The following example shows how to create a queue in a new storage account from -Location $location ` ``` -1. Get the storage account context that specifies the new storage account by calling [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext). When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the `-UseConnectedAccount` parameter to call any subsequent data operations using your Azure AD credentials: +1. Get the storage account context that specifies the new storage account by calling [New-AzStorageContext](/powershell/module/az.storage/new-azstoragecontext). When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the `-UseConnectedAccount` parameter to call any subsequent data operations using your Microsoft Entra credentials: ```powershell $ctx = New-AzStorageContext -StorageAccountName "<storage-account>" -UseConnectedAccount The following example shows how to create a queue in a new storage account from > [!IMPORTANT] > Azure role assignments may take a few minutes to propagate. -1. 
Create a queue by calling [New-AzStorageQueue](/powershell/module/az.storage/new-azstoragequeue). Because this call uses the context created in the previous steps, the queue is created using your Azure AD credentials. +1. Create a queue by calling [New-AzStorageQueue](/powershell/module/az.storage/new-azstoragequeue). Because this call uses the context created in the previous steps, the queue is created using your Microsoft Entra credentials. ```powershell $queueName = "sample-queue" The following example shows how to create a queue in a new storage account from ## Next steps - [Assign an Azure role for access to queue data](assign-azure-role-data-access.md)-- [Authorize access to data in Azure Storage](../common/authorize-data-access.md)+- [Authorize access to data in Azure Storage](../common/authorize-data-access.md) |
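Review bot: the rewritten IMPORTANT callout still carries the duplicated word in "users users who do not already possess the account keys"; since the + line rewrites that sentence anyway, drop the repeat so it reads "users who do not already possess the account keys must use Microsoft Entra credentials". Keeping the `<a name='call-powershell-commands-using-azure-ad-credentials'></a>` anchor ahead of the renamed heading is correct, because existing deep links to the old heading id keep resolving. In the Supported operations paragraph, "read, write, or delete a queue or the data they contain" should be "the data it contains" to agree with the singular queue.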
storage | Monitor Queue Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/monitor-queue-storage.md | Azure Monitor provides the [.NET SDK](https://www.nuget.org/packages/microsoft.a In these examples, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the queue. You can find these resource IDs on the **Properties** pages of your storage account in the Azure portal. -Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). ### List the account-level metric definition |
storage | Passwordless Migrate Queues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/passwordless-migrate-queues.md | Title: Migrate applications to use passwordless authentication with Azure Queue Storage -description: Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Azure AD and Azure RBAC for enhanced security with Azure Storage Queues. +description: Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Microsoft Entra ID and Azure RBAC for enhanced security with Azure Storage Queues. Last updated 05/09/2023 After making these code changes, run your application locally. The new configura ## Configure the Azure hosting environment -Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure Queue Storage using a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Learn more about managed identities: +Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure Queue Storage using a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. 
Learn more about managed identities: * [Passwordless Overview](/azure/developer/intro/passwordless-overview) * [Managed identity best practices](/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations) In this tutorial, you learned how to migrate an application to passwordless conn You can read the following resources to explore the concepts discussed in this article in more depth: -* [Authorize access to blobs using Azure Active Directory](../blobs/authorize-access-azure-active-directory.md) +* [Authorize access to blobs using Microsoft Entra ID](../blobs/authorize-access-azure-active-directory.md) * To learn more about .NET, see [Get started with .NET in 10 minutes](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/intro). |
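Review bot: the rewritten description keeps "Azure Storage Queues" while the title and body use "Azure Queue Storage"; align on one product name while the line is being edited. The renamed Next steps bullet "[Authorize access to blobs using Microsoft Entra ID](../blobs/authorize-access-azure-active-directory.md)" still points a queues tutorial at the blobs authorization article; confirm that is the intended target.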
storage | Queues Auth Abac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/queues-auth-abac.md | Attribute-based access control (ABAC) is an authorization strategy that defines ## Overview of conditions in Azure Storage -You can [use of Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers or queues. +You can [use of Microsoft Entra ID](../common/authorize-data-access.md) (Microsoft Entra ID) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers or queues. Azure ABAC builds on Azure RBAC by adding [role assignment conditions](../../role-based-access-control/conditions-overview.md) in the context of specific actions. A *role assignment condition* is an additional check that is evaluated when the action on the storage resource is being authorized. 
This condition is expressed as a predicate using attributes associated with any of the following: - Security principal that is requesting authorization You can use conditions with custom roles so long as the role includes [actions t The [Azure role assignment condition format](../../role-based-access-control/conditions-format.md) allows use of `@Principal`, `@Resource` or `@Request` attributes in the conditions. A `@Principal` attribute is a custom security attribute on a principal, such as a user, enterprise application (service principal), or managed identity. A `@Resource` attribute refers to an existing attribute of a storage resource that is being accessed, such as a storage account or a queue. A `@Request` attribute refers to an attribute or parameter included in a storage operation request. -Azure RBAC currently supports 2,000 role assignments in a subscription. If you need to create thousands of Azure role assignments, you may encounter this limit. Managing hundreds or thousands of role assignments can be difficult. In some cases, you can use conditions to reduce the number of role assignments on your storage account and make them easier to manage. You can [scale the management of role assignments](../../role-based-access-control/conditions-custom-security-attributes-example.md) using conditions and [Azure AD custom security attributes]() for principals. +Azure RBAC currently supports 2,000 role assignments in a subscription. If you need to create thousands of Azure role assignments, you may encounter this limit. Managing hundreds or thousands of role assignments can be difficult. In some cases, you can use conditions to reduce the number of role assignments on your storage account and make them easier to manage. You can [scale the management of role assignments](../../role-based-access-control/conditions-custom-security-attributes-example.md) using conditions and [Microsoft Entra custom security attributes]() for principals. ## Next steps |
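Review bot: the + line in the Overview paragraph now reads "You can [use of Microsoft Entra ID](../common/authorize-data-access.md) (Microsoft Entra ID) to authorize requests", which keeps the original "use of" grammar slip and turns the abbreviation parenthetical into a duplicate of the link text; suggest "You can [use Microsoft Entra ID](../common/authorize-data-access.md) to authorize requests to Azure storage resources using Azure RBAC." Further down, the renamed link `[Microsoft Entra custom security attributes]()` still has an empty URL and renders as dead text; fill in the target or drop the link markup.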
storage | Queues Storage Monitoring Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/queues-storage-monitoring-scenarios.md | Open any log entry to view JSON that describes the activity. The following JSON > [!div class="mx-imgBorder"] > ![Activity Log JSON](./media/queues-storage-monitoring-scenarios/activity-log-json.png) -The availability of the "who" information depends on the method of authentication that was used to perform the control plane operation. If the authorization was performed by an Azure AD security principal, the object identifier of that security principal would also appear in this JSON output (For example: `"http://schemas.microsoft.com/identity/claims/objectidentifier": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"`). Because you might not always see other identity-related information such as an email address or name, the object identifier is always the best way to uniquely identify the security principal. +The availability of the "who" information depends on the method of authentication that was used to perform the control plane operation. If the authorization was performed by a Microsoft Entra security principal, the object identifier of that security principal would also appear in this JSON output (For example: `"http://schemas.microsoft.com/identity/claims/objectidentifier": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"`). Because you might not always see other identity-related information such as an email address or name, the object identifier is always the best way to uniquely identify the security principal. -You can find the friendly name of that security principal by taking the value of the object identifier, and searching for the security principal in Azure AD page of the Azure portal. The following screenshot shows a search result in Azure AD. 
+You can find the friendly name of that security principal by taking the value of the object identifier, and searching for the security principal in Microsoft Entra ID page of the Azure portal. The following screenshot shows a search result in Microsoft Entra ID. > [!div class="mx-imgBorder"]-> ![Search Azure Active Directory](./media/queues-storage-monitoring-scenarios/search-azure-active-directory.png) +> ![Search Microsoft Entra ID](./media/queues-storage-monitoring-scenarios/search-azure-active-directory.png) ### Auditing data plane operations For the "what" portion of your audit, the `Uri` field shows the item was modifie For the "how" portion of your audit, the `OperationName` field shows which operation was executed. -For the "who" portion of your audit, `AuthenticationType` shows which type of authentication was used to make a request. This field can show any of the types of authentication that Azure Storage supports including the use of an account key, a SAS token, or Azure Active Directory (Azure AD) authentication. +For the "who" portion of your audit, `AuthenticationType` shows which type of authentication was used to make a request. This field can show any of the types of authentication that Azure Storage supports including the use of an account key, a SAS token, or Microsoft Entra authentication. -If a request was authenticated by using Azure AD, the `RequesterObjectId` field provides the most reliable way to identify the security principal. You can find the friendly name of that security principal by taking the value of the `RequesterObjectId` field, and searching for the security principal in Azure AD page of the Azure portal. The following screenshot shows a search result in Azure AD. +If a request was authenticated by using Microsoft Entra ID, the `RequesterObjectId` field provides the most reliable way to identify the security principal. 
You can find the friendly name of that security principal by taking the value of the `RequesterObjectId` field, and searching for the security principal in Microsoft Entra ID page of the Azure portal. The following screenshot shows a search result in Microsoft Entra ID. > [!div class="mx-imgBorder"]-> ![Search Azure Active Directory-2](./media/queues-storage-monitoring-scenarios/search-azure-active-directory.png) +> ![Search Microsoft Entra ID-2](./media/queues-storage-monitoring-scenarios/search-azure-active-directory.png) -In some cases, a user principal name or *UPN* might appear in logs. For example, if the security principal is an Azure AD user, the UPN will likely appear. For other types of security principals such as user assigned managed identities, or in certain scenarios such as cross Azure AD tenant authentication, the UPN will not appear in logs. +In some cases, a user principal name or *UPN* might appear in logs. For example, if the security principal is a Microsoft Entra user, the UPN will likely appear. For other types of security principals such as user assigned managed identities, or in certain scenarios such as cross Microsoft Entra tenant authentication, the UPN will not appear in logs. This query shows all write operations performed by OAuth security principals. StorageQueueLogs | project TimeGenerated, AuthenticationType, RequesterObjectId, OperationName, Uri ``` -Shared Key and SAS authentication provide no means of auditing individual identities. Therefore, if you want to improve your ability to audit based on identity, we recommended that you transition to Azure AD, and prevent shared key and SAS authentication. To learn how to prevent Shared Key and SAS authentication, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md?toc=/azure/storage/queues/toc.json&tabs=portal). 
To get started with Azure AD, see [Authorize access to blobs using Azure Active Directory](authorize-access-azure-active-directory.md) +Shared Key and SAS authentication provide no means of auditing individual identities. Therefore, if you want to improve your ability to audit based on identity, we recommended that you transition to Microsoft Entra ID, and prevent shared key and SAS authentication. To learn how to prevent Shared Key and SAS authentication, see [Prevent Shared Key authorization for an Azure Storage account](../common/shared-key-authorization-prevent.md?toc=/azure/storage/queues/toc.json&tabs=portal). To get started with Microsoft Entra ID, see [Authorize access to blobs using Microsoft Entra ID](authorize-access-azure-active-directory.md) ## Optimize cost for infrequent queries With Azure Synapse, you can create server-less SQL pool to query log data when y - [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md). - |
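Review bot: the + lines still read "searching for the security principal in Microsoft Entra ID page of the Azure portal" (twice) and "we recommended that you transition to Microsoft Entra ID"; since these sentences are being rewritten, use "in the Microsoft Entra ID page" and "we recommend", and end the closing sentence "To get started with Microsoft Entra ID, see [Authorize access to blobs using Microsoft Entra ID](authorize-access-azure-active-directory.md)" with a period. That link text also names the blobs topic from within a queues monitoring article; check that the relative target resolves from this folder.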
storage | Security Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/security-recommendations.md | Microsoft Defender for Cloud periodically analyzes the security state of your Az | Recommendation | Comments | Defender for Cloud | |-|-|--|-| Use the Azure Resource Manager deployment model | Create new storage accounts using the Azure Resource Manager deployment model for important security enhancements, including superior Azure role-based access control (Azure RBAC) and auditing, Resource Manager-based deployment and governance, access to managed identities, access to Azure Key Vault for secrets, and Azure AD-based authentication and authorization for access to Azure Storage data and resources. If possible, migrate existing storage accounts that use the classic deployment model to use Azure Resource Manager. For more information about Azure Resource Manager, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md). | - | +| Use the Azure Resource Manager deployment model | Create new storage accounts using the Azure Resource Manager deployment model for important security enhancements, including superior Azure role-based access control (Azure RBAC) and auditing, Resource Manager-based deployment and governance, access to managed identities, access to Azure Key Vault for secrets, and Microsoft Entra ID-based authentication and authorization for access to Azure Storage data and resources. If possible, migrate existing storage accounts that use the classic deployment model to use Azure Resource Manager. For more information about Azure Resource Manager, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md). 
| - | | Enable advanced threat protection for all of your storage accounts | [Microsoft Defender for Storage](../../defender-for-cloud/defender-for-storage-introduction.md) provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. Security alerts are triggered in Microsoft Defender for Cloud when anomalous activities occur and are also sent via email to subscription administrators, with details of suspicious activity and recommendations for how to investigate and remediate threats. For more information, see [Protect your Azure Storage accounts](../../defender-for-cloud/defender-for-storage-introduction.md). | [Yes](../../defender-for-cloud/implement-security-recommendations.md) | | Limit shared access signature (SAS) tokens to HTTPS connections only | Requiring HTTPS when a client uses a SAS token to access queue data helps to minimize the risk of eavesdropping. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). | - | Microsoft Defender for Cloud periodically analyzes the security state of your Az | Recommendation | Comments | Defender for Cloud | |-|-|--|-| Use Azure Active Directory (Azure AD) to authorize access to queue data | Azure AD provides superior security and ease of use over Shared Key authorization for authorizing requests to Queue Storage. For more information, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). | - | -| Keep in mind the principle of least privilege when assigning permissions to an Azure AD security principal via Azure RBAC | When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. 
| - | -| Secure your account access keys with Azure Key Vault | Microsoft recommends using Azure AD to authorize requests to Azure Storage. However, if you must use Shared Key authorization, then secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime, instead of saving them with your application. | - | +| Use Microsoft Entra ID to authorize access to queue data | Microsoft Entra ID provides superior security and ease of use over Shared Key authorization for authorizing requests to Queue Storage. For more information, see [Authorize access to data in Azure Storage](../common/authorize-data-access.md). | - | +| Keep in mind the principle of least privilege when assigning permissions to a Microsoft Entra security principal via Azure RBAC | When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. | - | +| Secure your account access keys with Azure Key Vault | Microsoft recommends using Microsoft Entra ID to authorize requests to Azure Storage. However, if you must use Shared Key authorization, then secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime, instead of saving them with your application. | - | | Regenerate your account keys periodically | Rotating the account keys periodically reduces the risk of exposing your data to malicious actors. | - | | Keep in mind the principle of least privilege when assigning permissions to a SAS | When creating a SAS, specify only those permissions that are required by the client to perform its function. Limiting access to resources helps prevent both unintentional and malicious misuse of your data. 
| - | | Have a revocation plan in place for any SAS that you issue to clients | If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). | - | |
storage | Partner Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/solution-integration/validated-partners/analytics/partner-overview.md | This article highlights Microsoft partner companies that are integrated with Azu ![Striim company logo](./media/striim-logo.png) |**Striim**<br>Striim enables continuous data movement and in-stream transformations from a wide variety of sources into multiple Azure solutions including Azure Synapse Analytics, Azure Cosmos DB, and Azure cloud databases. The Striim solution enables Azure Data Lake Storage customers to quickly build streaming data pipelines. Customers can choose their desired data latency (real-time, micro-batch, or batch) and enrich the data with more context. These pipelines can then support any application or big data analytics solution, including Azure SQL Data Warehouse and Azure Databricks. |[Partner ](https://www.striim.com/partners/striim-and-microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/striim.azurestorageintegration?tab=overview)| ![Talend company logo](./media/talend-logo.png) |**Talend**<br>Talend Data Fabric is a platform that brings together multiple integration and governance capabilities. Using a single unified platform, Talend delivers complete, clean, and uncompromised data in real time. The Talend Trust Score helps assess the reliability of any data set. |[Partner page](https://www.talend.com/partners/microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/talend.talendclouddi)| ![Unravel](./media/unravel-logo.png) |**Unravel Data**<br>Unravel Data provides observability and automatic management through a single pane of glass. AI-powered recommendations proactively improve reliability, speed, and resource allocations of your data pipelines and jobs. 
Unravel connects easily with Azure Databricks, HDInsight, Azure Data Lake Storage, and more through the Azure Marketplace or Unravel SaaS service. Unravel Data also helps migrate to Azure by providing an assessment of your environment. This assessment uncovers usage details, dependency maps, cost, and effort needed for a fast move with less risk.|[Partner page](https://www.unraveldata.com/azure-databricks/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/unravel-data.unravel4databrickssubscriptionasaservice?tab=Overview)-|![Wandisco company logo](./medi) is tightly integrated with Azure. Besides having an Azure portal deployment experience, it also uses role-based access control, Azure Active Directory, Azure Policy enforcement, and Activity log integration. With Azure Billing integration, you don't need to add a vendor contract or get more vendor approvals.<br><br>Accelerate the replication of Hadoop data between multiple sources and targets for any data architecture. With LiveData Cloud Services, your data will be available for Azure Databricks, Synapse Analytics, and HDInsight as soon as it lands, with guaranteed 100% data consistency. |[Partner page](https://www.wandisco.com/microsoft/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=Overview)| +|![Wandisco company logo](./medi) is tightly integrated with Azure. Besides having an Azure portal deployment experience, it also uses role-based access control, Microsoft Entra ID, Azure Policy enforcement, and Activity log integration. With Azure Billing integration, you don't need to add a vendor contract or get more vendor approvals.<br><br>Accelerate the replication of Hadoop data between multiple sources and targets for any data architecture. With LiveData Cloud Services, your data will be available for Azure Databricks, Synapse Analytics, and HDInsight as soon as it lands, with guaranteed 100% data consistency. 
|[Partner page](https://www.wandisco.com/microsoft/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/wandisco.ldma?tab=Overview)| Are you a storage partner but your solution is not listed yet? Send us your info [here](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR3i8TQB_XnRAsV3-7XmQFpFUQjY4QlJYUzFHQ0ZBVDNYWERaUlNRVU5IMyQlQCN0PWcu). ## Next steps |
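Review bot: the Wandisco row begins `|![Wandisco company logo](./medi) is tightly integrated with Azure.` in both the - and + lines, so the image path and the opening of the description cell (the bold partner name and `<br>` that the Striim, Talend and Unravel rows carry) are truncated, and the terminology rename lands in a row that is already malformed; restore the full image path and cell lead before merging.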
storage | Cirrus Data Migration Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/solution-integration/validated-partners/data-management/cirrus-data-migration-guide.md | Follow these implementation steps: :::image type="content" source="./media/cirrus-data-migration-guide/cirrus-migration-4.jpg" alt-text="Screenshot that shows entering Azure credentials."::: - For details on creating Azure AD application, see the [step-by-step instructions](https://support.cirrusdata.cloud/en/article/creating-an-azure-service-account-for-cirrus-data-cloud-tw2c9n/). By creating and registering Azure AD application for CMC, you enable automatic creation of Azure Managed Disks on the target virtual machine. + For details on creating Microsoft Entra application, see the [step-by-step instructions](https://support.cirrusdata.cloud/en/article/creating-an-azure-service-account-for-cirrus-data-cloud-tw2c9n/). By creating and registering Microsoft Entra application for CMC, you enable automatic creation of Azure Managed Disks on the target virtual machine. >[!NOTE] >Since you selected **Auto allocate destination volumes** on the previous step, don't select it again for a new allocation. Instead, select **Continue**. |
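Review bot: both occurrences in the + line drop the article: "For details on creating Microsoft Entra application" and "By creating and registering Microsoft Entra application for CMC" should read "creating a Microsoft Entra application" and "registering a Microsoft Entra application for CMC".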
storage | Isv File Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/solution-integration/validated-partners/primary-secondary-storage/isv-file-services.md | This article compares several ISV solutions that provide files services in Azure | | Nasuni | NetApp CVO | Panzura | Qumulo | Tiger Technology | XenData | |--|-|--||--|--|--|-| **Azure AD support** | Yes (via AD DS) | Yes (via AD DS) | Yes (via AD DS) | Yes | Yes (via AD DS) | Yes (via AD DS) | +| **Microsoft Entra ID support** | Yes (via AD DS) | Yes (via AD DS) | Yes (via AD DS) | Yes | Yes (via AD DS) | Yes (via AD DS) | | **Active directory support** | Yes | Yes | Yes | Yes | Yes | Yes | | **LDAP support** | Yes | Yes | No | Yes | Yes | Yes | |
storage | Assign Azure Role Data Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/tables/assign-azure-role-data-access.md | Title: Assign an Azure role for access to table data -description: Learn how to assign permissions for table data to an Azure Active Directory security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Azure AD. +description: Learn how to assign permissions for table data to a Microsoft Entra security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Microsoft Entra ID. ms.devlang: azurecli # Assign an Azure role for access to table data -Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data in Azure Storage. +Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data in Azure Storage. -When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. 
A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). -To learn more about using Azure AD to authorize access to table data, see [Authorize access to tables using Azure Active Directory](authorize-access-azure-active-directory.md). +To learn more about using Microsoft Entra ID to authorize access to table data, see [Authorize access to tables using Microsoft Entra ID](authorize-access-azure-active-directory.md). ## Assign an Azure role To learn how to use an Azure Resource Manager template to assign an Azure role, Keep in mind the following points about Azure role assignments in Azure Storage: -- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or table.+- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or table. - If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a table. ## Next steps |
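Review bot: the replacement line "Microsoft Entra authorizes access rights to secured resources" drops the product noun and reads as a bare adjective, while the description line in the same row correctly says "via Microsoft Entra ID"; suggest "Microsoft Entra ID authorizes access rights ..." so the rename is applied consistently throughout the article.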
storage | Authorize Access Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/tables/authorize-access-azure-active-directory.md | Title: Authorize access to tables using Active Directory -description: Authorize access to Azure tables using Azure Active Directory (Azure AD). Assign Azure roles for access rights. Access data with an Azure AD account. +description: Authorize access to Azure tables using Microsoft Entra ID. Assign Azure roles for access rights. Access data with a Microsoft Entra account. Last updated 02/09/2023 -# Authorize access to tables using Azure Active Directory +# Authorize access to tables using Microsoft Entra ID -Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to table data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service. +Azure Storage supports using Microsoft Entra ID to authorize requests to table data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service. -Authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your table applications when possible to assure access with minimum required privileges. +Authorizing requests against Azure Storage with Microsoft Entra ID provides superior security and ease of use over Shared Key authorization. 
Microsoft recommends using Microsoft Entra authorization with your table applications when possible to assure access with minimum required privileges. -Authorization with Azure AD is available for all general-purpose in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization. +Authorization with Microsoft Entra ID is available for all general-purpose in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Microsoft Entra authorization. -## Overview of Azure AD for tables +<a name='overview-of-azure-ad-for-tables'></a> -When a security principal (a user, group, or application) attempts to access a table resource, the request must be authorized. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Table service and used by the service to authorize access to the specified resource. +## Overview of Microsoft Entra ID for tables ++When a security principal (a user, group, or application) attempts to access a table resource, the request must be authorized. With Microsoft Entra ID, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Table service and used by the service to authorize access to the specified resource. The authentication step requires that an application request an OAuth 2.0 access token at runtime. If an application is running from within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to access tables. 
The authorization step requires that one or more Azure roles be assigned to the ## Assign Azure roles for access rights -Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data. You can also define custom roles for access to table data. +Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data. You can also define custom roles for access to table data. -When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). +When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). ### Resource scope For more information about scope for Azure RBAC role assignments, see [Understan ### Azure built-in roles for tables -Azure RBAC provides built-in roles for authorizing access to table data using Azure AD and OAuth. Built-in roles that provide permissions to tables in Azure Storage include: +Azure RBAC provides built-in roles for authorizing access to table data using Microsoft Entra ID and OAuth. 
Built-in roles that provide permissions to tables in Azure Storage include: - [Storage Table Data Contributor](../../role-based-access-control/built-in-roles.md#storage-table-data-contributor): Use to grant read/write/delete permissions to Table storage resources. - [Storage Table Data Reader](../../role-based-access-control/built-in-roles.md#storage-table-data-reader): Use to grant read-only permissions to Table storage resources. To learn how to assign an Azure built-in role to a security principal, see [Assi For more information about how built-in roles are defined for Azure Storage, see [Understand role definitions](../../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md). -Only roles explicitly defined for data access permit a security principal to access table data. Built-in roles such as **Owner**, **Contributor**, and **Storage Account Contributor** permit a security principal to manage a storage account, but do not provide access to the table data within that account via Azure AD. However, if a role includes **Microsoft.Storage/storageAccounts/listKeys/action**, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. +Only roles explicitly defined for data access permit a security principal to access table data. Built-in roles such as **Owner**, **Contributor**, and **Storage Account Contributor** permit a security principal to manage a storage account, but do not provide access to the table data within that account via Microsoft Entra ID. However, if a role includes **Microsoft.Storage/storageAccounts/listKeys/action**, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. 
-For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). +For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the **Storage** section in [Azure built-in roles for Azure RBAC](../../role-based-access-control/built-in-roles.md#storage). Additionally, for information about the different types of roles that provide permissions in Azure, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). > [!IMPORTANT] > Azure role assignments may take up to 30 minutes to propagate. |
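Review bot: the rewritten sentence "Authorization with Microsoft Entra ID is available for all general-purpose in all public regions and national clouds" carries over a pre-existing truncation (the noun after "general-purpose" is missing); since the line is being touched anyway, complete it (presumably "general-purpose storage accounts", consistent with the following sentence "Only storage accounts created with the Azure Resource Manager deployment model ..."). The explicit `<a name='overview-of-azure-ad-for-tables'></a>` placed ahead of the renamed heading is the right way to keep existing deep links and cross-references working after the slug changes.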
storage | Monitor Table Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/tables/monitor-table-storage.md | Azure Monitor provides the [.NET SDK](https://www.nuget.org/packages/Microsoft.A In these examples, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the Table storage service. You can find these resource IDs on the **Properties** pages of your storage account in the Azure portal. -Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create an Azure AD application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). +Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). #### List the account-level metric definition |
storage | Table Storage How To Use Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/tables/table-storage-how-to-use-powershell.md | Install-Module AzTable The AzTable PowerShell module supports authorization with the account access key via Shared Key authorization. The examples in this article show how to authorize table data operations via Shared Key. -Azure Table Storage supports authorization with Azure AD. However, the AzTable PowerShell module does not natively support authorization with Azure AD. Using Azure AD with the AzTable module requires that you call methods in the .NET client library from PowerShell. +Azure Table Storage supports authorization with Microsoft Entra ID. However, the AzTable PowerShell module does not natively support authorization with Microsoft Entra ID. Using Microsoft Entra ID with the AzTable module requires that you call methods in the .NET client library from PowerShell. ## Sign in to Azure For more information, see the following articles * [Working with Azure Tables from PowerShell - AzureRmStorageTable/AzTable PS Module v2.0](https://paulomarquesc.github.io/working-with-azure-storage-tables-from-powershell) -* [Microsoft Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md) is a free, standalone app from Microsoft that enables you to work visually with Azure Storage data on Windows, macOS, and Linux. +* [Microsoft Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md) is a free, standalone app from Microsoft that enables you to work visually with Azure Storage data on Windows, macOS, and Linux. |
stream-analytics | Azure Database Explorer Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/azure-database-explorer-output.md | The following table lists the property names and their descriptions for creating | Subscription | The Azure subscription that you want to use for your cluster. | | Cluster | A unique name that identifies your cluster. The domain name \<region\>.kusto.windows.net is appended to the cluster name that you provide. The name can contain only lowercase letters and numbers. It must contain 4 to 22 characters. | | Database | The name of the database where you're sending the output. The database name must be unique within the cluster. |-| Authentication | A [managed identity from Azure Active Directory (Azure AD)](../active-directory/managed-identities-azure-resources/overview.md), which allows your cluster to easily access other Azure AD-protected resources, such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. Managed identity configuration is currently supported only to [enable customer-managed keys for your cluster](/azure/data-explorer/security#customer-managed-keys-with-azure-key-vault/). | +| Authentication | A [managed identity from Microsoft Entra ID](../active-directory/managed-identities-azure-resources/overview.md), which allows your cluster to easily access other Microsoft Entra protected resources, such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. Managed identity configuration is currently supported only to [enable customer-managed keys for your cluster](/azure/data-explorer/security#customer-managed-keys-with-azure-key-vault/). | | Table | The table name where the output is written. The table name is case-sensitive. The schema of this table should exactly match the number of fields and their types that your job output generates. 
| ## Partitioning |
stream-analytics | Blob Output Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/blob-output-managed-identity.md | First, you create a managed identity for your Azure Stream Analytics job.  :::image type="content" source="media/event-hubs-managed-identity/system-assigned-managed-identity.png" alt-text="System assigned managed identity":::  -3. A service principal for the Stream Analytics job's identity is created in Azure Active Directory. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.  +3. A service principal for the Stream Analytics job's identity is created in Microsoft Entra ID. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.  When you save the configuration, the Object ID (OID) of the service principal is listed as the Principal ID as shown below:  Using Azure Resource Manager allows you to fully automate the deployment of your } ``` - Take note of the **principalId** from the job's definition, which identifies your job's Managed Identity within Azure Active Directory and will be used in the next step to grant the Stream Analytics job access to the storage account. + Take note of the **principalId** from the job's definition, which identifies your job's Managed Identity within Microsoft Entra ID and will be used in the next step to grant the Stream Analytics job access to the storage account. 3. Now that the job is created, see the [Give the Stream Analytics job access to your storage account](#give-the-stream-analytics-job-access-to-your-storage-account) section of this article. Below are the current limitations of this feature: 1. Classic Azure Storage accounts. -2. 
Azure accounts without Azure Active Directory. +2. Azure accounts without Microsoft Entra ID. -3. Multi-tenant access is not supported. The Service principal created for a given Stream Analytics job must reside in the same Azure Active Directory tenant in which the job was created, and cannot be used with a resource that resides in a different Azure Active Directory tenant. +3. Multi-tenant access is not supported. The Service principal created for a given Stream Analytics job must reside in the same Microsoft Entra tenant in which the job was created, and cannot be used with a resource that resides in a different Microsoft Entra tenant. ## Next steps |
stream-analytics | Cosmos Db Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/cosmos-db-managed-identity.md | -A managed identity is a managed application registered in Azure Active Directory that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource. For more information on managed identities for Azure Stream Analytics, see [Managed identities for Azure Stream Analytics](stream-analytics-managed-identities-overview.md). +A managed identity is a managed application registered in Microsoft Entra ID that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource. For more information on managed identities for Azure Stream Analytics, see [Managed identities for Azure Stream Analytics](stream-analytics-managed-identities-overview.md). This article shows you how to enable system-assigned managed identity for an Azure Cosmos DB output of a Stream Analytics job through the Azure portal. Before you can enable system-assigned managed identity, you must first have a Stream Analytics job and an Azure Cosmos DB resource. First, you create a managed identity for your Azure Stream Analytics job.  :::image type="content" source="media/event-hubs-managed-identity/system-assigned-managed-identity.png" alt-text="System assigned managed identity":::  -3. A service principal for the Stream Analytics job's identity is created in Azure Active Directory. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.  +3. A service principal for the Stream Analytics job's identity is created in Microsoft Entra ID. The life cycle of the newly created identity is managed by Azure. 
When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.  When you save the configuration, the Object ID (OID) of the service principal is listed as the Principal ID as shown below:  For the Stream Analytics job to access your Azure Cosmos DB using managed identi | Cosmos DB Built-in Data Contributor| > [!IMPORTANT]-> Azure Cosmos DB data plane built-in role-based access control (RBAC) is not exposed through the Azure Portal. To assign the Cosmos DB Built-in Data Contributor role, you must grant permission via Azure Powershell. For more information about role-based access control with Azure Active Directory for your Azure Cosmos DB account, please see [configure role-based access control with Azure Active Directory for your Azure Cosmos DB account documentation.](../cosmos-db/how-to-setup-rbac.md) +> Azure Cosmos DB data plane built-in role-based access control (RBAC) is not exposed through the Azure Portal. To assign the Cosmos DB Built-in Data Contributor role, you must grant permission via Azure Powershell. For more information about role-based access control with Microsoft Entra ID for your Azure Cosmos DB account, please see [configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account documentation.](../cosmos-db/how-to-setup-rbac.md) The following command can be used to authenticate your ASA job with Azure Cosmos DB. The `$accountName` and `$resourceGroupName` are for your Azure Cosmos DB account, and the `$principalId` is the value obtained in the previous step, in the Identity tab of your ASA job. You need to have "Contributor" access to your Azure Cosmos DB account for this command to work properly. |
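Review bot: style nits in the rewritten IMPORTANT callout: "Azure Portal" and "Azure Powershell" should be "Azure portal" and "Azure PowerShell"; fix them in the same touch rather than leaving them for another pass. The substance of the callout is worth keeping as is, since it is the only place telling portal users that the Cosmos DB data-plane role cannot be assigned from the portal.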
stream-analytics | Event Hubs Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/event-hubs-managed-identity.md | -A managed identity is a managed application registered in Azure Active Directory that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource, including event hubs that are behind a firewall or virtual network (VNet). For more information about how to bypass firewalls, see [Allow access to Azure Event Hubs namespaces via private endpoints](../event-hubs/private-link-service.md#trusted-microsoft-services). +A managed identity is a managed application registered in Microsoft Entra ID that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource, including event hubs that are behind a firewall or virtual network (VNet). For more information about how to bypass firewalls, see [Allow access to Azure Event Hubs namespaces via private endpoints](../event-hubs/private-link-service.md#trusted-microsoft-services). This article shows you how to enable Managed Identity for an event hub input or output of a Stream Analytics job through the Azure portal. Before you enabled Managed Identity, you must first have a Stream Analytics job and an Event Hubs resource. First, you create a managed identity for your Azure Stream Analytics job.  :::image type="content" source="media/event-hubs-managed-identity/system-assigned-managed-identity.png" alt-text="System assigned managed identity":::  -1. A service principal for the Stream Analytics job's identity is created in Azure Active Directory. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.  +1. A service principal for the Stream Analytics job's identity is created in Microsoft Entra ID. 
The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.  When you save the configuration, the Object ID (OID) of the service principal is listed as the Principal ID as shown below:  For the Stream Analytics job to access your event hub using managed identity, th 1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). > [!NOTE]-> When giving access to any resource, you should give the least needed access. Depending on whether you are configuring Event Hubs as an input or output, you may not need to assign the Azure Event Hubs Data Owner role which would grant more than needed access to your Eventhub resource. For more information see [Authenticate an application with Azure Active Directory to access Event Hubs resources](../event-hubs/authenticate-application.md) +> When giving access to any resource, you should give the least needed access. Depending on whether you are configuring Event Hubs as an input or output, you may not need to assign the Azure Event Hubs Data Owner role which would grant more than needed access to your Eventhub resource. For more information see [Authenticate an application with Microsoft Entra ID to access Event Hubs resources](../event-hubs/authenticate-application.md) | Setting | Value | | | | |
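Review bot: in the rewritten NOTE, "Eventhub resource" should be "Event Hubs resource" and "For more information see" needs a comma after "information". The least-privilege guidance would also be more actionable if it named the narrower data-plane role appropriate for an input versus an output instead of only warning that Azure Event Hubs Data Owner grants more than needed.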
stream-analytics | Job Config Json | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/job-config-json.md | The following fields are supported in the *JobConfig.json* file used to [create |Sku.Name|string|No|Specifies the SKU name of the job. Acceptable values are "Standard" and "StandardV2".| |Sku.StreamingUnits|integer|Yes|Specifies the number of streaming units that the streaming job uses. [Learn more](stream-analytics-streaming-unit-consumption.md).| |CompatibilityLevel|string|No|Controls certain runtime behaviors of the streaming job. - Acceptable values are "1.0", "1.1", "1.2"|-|UseSystemAssignedIdentity|boolean|No|Set true to enable this job to communicate with other Azure services as itself using a Managed Azure Active Directory Identity.| +|UseSystemAssignedIdentity|boolean|No|Set true to enable this job to communicate with other Azure services as itself using a Managed Microsoft Entra identity.| |GlobalStorage.AccountName|string|No|Global storage account is used for storing content related to your stream analytics job, such as SQL reference data snapshots.| |GlobalStorage.AccountKey|string|No|Corresponding key for global storage account.| |DataSourceCredentialDomain|string|No|Reserved Property for credential local storage.| |
stream-analytics | Power Bi Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/power-bi-output.md | Given this configuration, you can change the original query to the one: ``` ### Renew authorization-If the password has changed since your job was created or last authenticated, you need to reauthenticate your Power BI account. If Azure AD Multi-Factor Authentication is configured on your Azure Active Directory (Azure AD) tenant, you also need to renew Power BI authorization every two weeks. If you don't renew, you could see symptoms such as a lack of job output or an `Authenticate user error` in the operation logs. +If the password has changed since your job was created or last authenticated, you need to reauthenticate your Power BI account. If Microsoft Entra multifactor authentication is configured on your Microsoft Entra tenant, you also need to renew Power BI authorization every two weeks. If you don't renew, you could see symptoms such as a lack of job output or an `Authenticate user error` in the operation logs. Similarly, if a job starts after the token has expired, an error occurs and the job fails. To resolve this issue, stop the job that's running and go to your Power BI output. To avoid data loss, select the **Renew authorization** link, and then restart your job from the **Last Stopped Time**. |
stream-analytics | Powerbi Output Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/powerbi-output-managed-identity.md | Below are the limitations of this feature: - Classic Power BI workspaces aren't supported. -- Azure accounts without Azure Active Directory.+- Azure accounts without Microsoft Entra ID. -- Multi-tenant access isn't supported. The Service principal created for a given Stream Analytics job must reside in the same Azure Active Directory tenant in which the job was created, and can't be used with a resource that resides in a different Azure Active Directory tenant.+- Multi-tenant access isn't supported. The Service principal created for a given Stream Analytics job must reside in the same Microsoft Entra tenant in which the job was created, and can't be used with a resource that resides in a different Microsoft Entra tenant. - [User Assigned Identity](../active-directory/managed-identities-azure-resources/overview.md) isn't supported. This means you aren't able to enter your own service principal to be used by their Stream Analytics job. The service principal must be generated by Azure Stream Analytics. |
stream-analytics | Sql Database Output Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/sql-database-output-managed-identity.md | Last updated 01/31/2023 Azure Stream Analytics supports [Managed Identity authentication](../active-directory/managed-identities-azure-resources/overview.md) for Azure SQL Database and Azure Synapse Analytics output sinks. Managed identities eliminate the limitations of user-based authentication methods, like the need to reauthenticate due to password changes or user token expirations that occur every 90 days. When you remove the need to manually authenticate, your Stream Analytics deployments can be fully automated. -A managed identity is a managed application registered in Azure Active Directory that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource. This article shows you how to enable Managed Identity for an Azure SQL Database or an Azure Synapse Analytics output(s) of a Stream Analytics job through the Azure portal. +A managed identity is a managed application registered in Microsoft Entra ID that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource. This article shows you how to enable Managed Identity for an Azure SQL Database or an Azure Synapse Analytics output(s) of a Stream Analytics job through the Azure portal. ## Overview This article shows you the steps needed to connect your Stream Analytics job to your Azure SQL Database or Azure Synapse Analytics SQL pool using Managed Identity authentication mode. -- You first create a system-assigned managed identity for your Stream Analytics job. This is your job’s identity in Azure Active Directory.+- You first create a system-assigned managed identity for your Stream Analytics job. This is your job’s identity in Microsoft Entra ID. 
-- Add an Active Directory admin to your SQL server or Synapse workspace, which enables Azure AD (Managed Identity) authentication for that resource.+- Add an Active Directory admin to your SQL server or Synapse workspace, which enables Microsoft Entra ID (Managed Identity) authentication for that resource. - Next, create a contained user representing the Stream Analytics job's identity in the database. Whenever the Stream Analytics job interacts with your SQL DB or Synapse SQL DB resource, this is the identity it will refer to for checking what permissions your Stream Analytics job has. First, you create a managed identity for your Azure Stream Analytics job. ![Select system-assigned managed identity](./media/sql-db-output-managed-identity/system-assigned-managed-identity.png) - A service principal for the Stream Analytics job's identity is created in Azure Active Directory. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure. + A service principal for the Stream Analytics job's identity is created in Microsoft Entra ID. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure. 1. You can also switch to [user-assigned managed identities](stream-analytics-user-assigned-managed-identity-overview.md). After you've created a managed identity, you select an Active Directory admin. ![Add Active Directory admin](./media/sql-db-output-managed-identity/add-admin.png) - The Active Directory admin page shows all members and groups of your Active Directory. Grayed out users or groups can't be selected as they're not supported as Azure Active Directory administrators. 
See the list of supported admins in the **Azure Active Directory Features and Limitations** section of [Use Azure Active Directory Authentication for authentication with SQL Database or Azure Synapse](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). + The Active Directory admin page shows all members and groups of your Active Directory. Grayed out users or groups can't be selected as they're not supported as Microsoft Entra administrators. See the list of supported admins in the **Microsoft Entra features and Limitations** section of [Use Microsoft Entra authentication for authentication with SQL Database or Azure Synapse](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations). 1. Select **Save** on the **Active Directory admin** page. The process for changing admin takes a few minutes. ## Create a contained database user -Next, you create a contained database user in your Azure SQL or Azure Synapse database that is mapped to the Azure Active Directory identity. The contained database user doesn't have a login for the primary database, but it maps to an identity in the directory that is associated with the database. The Azure Active Directory identity can be an individual user account or a group. In this case, you want to create a contained database user for your Stream Analytics job. +Next, you create a contained database user in your Azure SQL or Azure Synapse database that is mapped to the Microsoft Entra identity. The contained database user doesn't have a login for the primary database, but it maps to an identity in the directory that is associated with the database. The Microsoft Entra identity can be an individual user account or a group. In this case, you want to create a contained database user for your Stream Analytics job. 
-For more information, review the following article for background on Azure AD integration: [Universal Authentication with SQL Database and Azure Synapse Analytics (SSMS support for MFA)](/azure/azure-sql/database/authentication-mfa-ssms-overview) +For more information, review the following article for background on Microsoft Entra integration: [Universal Authentication with SQL Database and Azure Synapse Analytics (SSMS support for MFA)](/azure/azure-sql/database/authentication-mfa-ssms-overview) -1. Connect to your Azure SQL or Azure Synapse database using SQL Server Management Studio. The **User name** is an Azure Active Directory user with the **ALTER ANY USER** permission. The admin you set on the SQL Server is an example. Use **Azure Active Directory – Universal with MFA** authentication. +1. Connect to your Azure SQL or Azure Synapse database using SQL Server Management Studio. The **User name** is a Microsoft Entra user with the **ALTER ANY USER** permission. The admin you set on the SQL Server is an example. Use **Microsoft Entra ID – Universal with MFA** authentication. ![Connect to SQL Server](./media/sql-db-output-managed-identity/connect-sql-server.png) For more information, review the following article for background on Azure AD in WHERE type_desc = 'EXTERNAL_USER' ``` -1. For Microsoft's Azure Active Directory to verify if the Stream Analytics job has access to the SQL Database, we need to give Azure Active Directory permission to communicate with the database. To do this, go to the "Firewalls and virtual network"/”Firewalls” page in Azure portal again, and enable "Allow Azure services and resources to access this server/workspace." +1. For Microsoft's Microsoft Entra ID to verify if the Stream Analytics job has access to the SQL Database, we need to give Microsoft Entra permission to communicate with the database. 
To do this, go to the "Firewalls and virtual network"/”Firewalls” page in Azure portal again, and enable "Allow Azure services and resources to access this server/workspace." ![Firewall and virtual network](./media/sql-db-output-managed-identity/allow-access.png) |
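Review bot: The renamed firewall step reads "For Microsoft's Microsoft Entra ID to verify if the Stream Analytics job has access to the SQL Database", which doubles "Microsoft"; suggest "For Microsoft Entra ID to verify whether the Stream Analytics job has access to the SQL database". In the same step, "Allow Azure services and resources to access this server/workspace" is a server-wide firewall exception rather than a rule scoped to this job's identity, so the step should say that explicitly and remind readers that access is still gated by the contained database user created earlier. Minor: the bolded section title "**Microsoft Entra features and Limitations**" mixes capitalization; "Microsoft Entra features and limitations" matches the anchor it links to.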
stream-analytics | Stream Analytics Define Outputs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-define-outputs.md | Some outputs types support [partitioning](#partitioning), and [output batch size | Output type | Partitioning | Security | |-|--|-|-|[Azure Data Lake Storage Gen 1](azure-data-lake-storage-gen1-output.md)|Yes|Azure Active Directory user </br> , Managed Identity| +|[Azure Data Lake Storage Gen 1](azure-data-lake-storage-gen1-output.md)|Yes|Microsoft Entra user </br> , Managed Identity| |[Azure Data Explorer](azure-database-explorer-output.md)|Yes|Managed Identity| |[Azure Database for PostgreSQL](postgresql-database-output.md)|Yes|Username and password auth| |[Azure SQL Database](sql-database-output.md)|Yes, optional.|SQL user auth, </br> Managed Identity| |[Azure Synapse Analytics](azure-synapse-analytics-output.md)|Yes|SQL user auth, </br> Managed Identity| |[Blob storage and Azure Data Lake Gen 2](blob-storage-azure-data-lake-gen2-output.md)|Yes|Access key, </br> Managed Identity| |[Azure Event Hubs](event-hubs-output.md)|Yes, need to set the partition key column in output configuration.|Access key, </br> Managed Identity|-|[Power BI](power-bi-output.md)|No|Azure Active Directory user, </br> Managed Identity| +|[Power BI](power-bi-output.md)|No|Microsoft Entra user, </br> Managed Identity| |[Azure Table storage](table-storage-output.md)|Yes|Account key| |[Azure Service Bus queues](service-bus-queues-output.md)|Yes|Access key, </br> Managed Identity| |[Azure Service Bus topics](service-bus-topics-output.md)|Yes|Access key, </br> Managed Identity| |
stream-analytics | Stream Analytics Managed Identities Adls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-managed-identities-adls.md | -Azure Stream Analytics supports managed identity authentication with Azure Data Lake Storage (ADLS) Gen1 output. The identity is a managed application registered in Azure Active Directory that represents a given Stream Analytics job, and can be used to authenticate to a targeted resource. Managed identities eliminate the limitations of user-based authentication methods, like needing to reauthenticate due to password changes or user token expirations that occur every 90 days. Additionally, managed identities help with the automation of Stream Analytics job deployments that output to Azure Data Lake Storage Gen1. +Azure Stream Analytics supports managed identity authentication with Azure Data Lake Storage (ADLS) Gen1 output. The identity is a managed application registered in Microsoft Entra ID that represents a given Stream Analytics job, and can be used to authenticate to a targeted resource. Managed identities eliminate the limitations of user-based authentication methods, like needing to reauthenticate due to password changes or user token expirations that occur every 90 days. Additionally, managed identities help with the automation of Stream Analytics job deployments that output to Azure Data Lake Storage Gen1. This article shows you three ways to enable managed identity for an Azure Stream Analytics job that outputs to an Azure Data Lake Storage Gen1 through the Azure portal, Azure Resource Manager template deployment, and Azure Stream Analytics tools for Visual Studio. This article shows you three ways to enable managed identity for an Azure Stream ![Configure Stream Analytics managed identity](./media/stream-analytics-managed-identities-adls/stream-analytics-managed-identity-preview.png) -2. 
Select **Use System-assigned Managed Identity** from the window that appears on the right. Click **Save** to a service principal for the identity of the Stream Analytics job in Azure Active Directory. The life cycle of the newly created identity will be managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure. +2. Select **Use System-assigned Managed Identity** from the window that appears on the right. Click **Save** to a service principal for the identity of the Stream Analytics job in Microsoft Entra ID. The life cycle of the newly created identity will be managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure. When the configuration is saved, the Object ID (OID) of the service principal is listed as the Principal ID as shown below: This article shows you three ways to enable managed identity for an Azure Stream When you submit the job, the tools do two things: - * Automatically creates a service principal for the identity of the Stream Analytics job in Azure Active Directory. The life cycle of the newly created identity will be managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure. + * Automatically creates a service principal for the identity of the Stream Analytics job in Microsoft Entra ID. The life cycle of the newly created identity will be managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure. * Automatically set **Write** and **Execute** permissions for the ADLS Gen1 prefix path used in the job and assign it to this folder and all children. 
This article shows you three ways to enable managed identity for an Azure Stream Take note of the Principal ID from the job response to grant access to the required ADLS resource. - The **Tenant ID** is the ID of the Azure Active Directory tenant where the service principal is created. The service principal is created in the Azure tenant that is trusted by the subscription. + The **Tenant ID** is the ID of the Microsoft Entra tenant where the service principal is created. The service principal is created in the Azure tenant that is trusted by the subscription. The **Type** indicates the type of managed identity as explained in types of managed identities. Only the System Assigned type is supported. The Managed Identity created for a Stream Analytics job is deleted only when the ## Limitations This feature doesnΓÇÖt support the following: -1. **Multi-tenant access**: The Service principal created for a given Stream Analytics job will reside on the Azure Active Directory tenant on which the job was created, and cannot be used against a resource that resides on a different Azure Active Directory tenant. Therefore, you can only use MSI on ADLS Gen 1 resources that are within the same Azure Active Directory tenant as your Azure Stream Analytics job. +1. **Multi-tenant access**: The Service principal created for a given Stream Analytics job will reside on the Microsoft Entra tenant on which the job was created, and cannot be used against a resource that resides on a different Microsoft Entra tenant. Therefore, you can only use MSI on ADLS Gen 1 resources that are within the same Microsoft Entra tenant as your Azure Stream Analytics job. 2. **[User Assigned Identity](../active-directory/managed-identities-azure-resources/overview.md)**: is not supported. This means the user is not able to enter their own service principal to be used by their Stream Analytics job. The service principal is generated by Azure Stream Analytics. |
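Review bot: The renamed step 2 still reads "Click **Save** to a service principal for the identity of the Stream Analytics job", which is missing the verb; since the line is already being touched, suggest "Click **Save** to create a service principal for the identity of the Stream Analytics job in Microsoft Entra ID". In the Limitations item 1, "you can only use MSI on ADLS Gen 1 resources" introduces the unexpanded acronym "MSI" where the rest of the article says "managed identity"; suggest "you can only use a managed identity with ADLS Gen1 resources" for consistency.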
stream-analytics | Stream Analytics Managed Identities Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-managed-identities-overview.md | Last updated 10/27/2022 Azure Stream Analytics currently allows you to authenticate to other Azure resources using managed identities. A common challenge when building cloud applications is credential management in your code to authenticate cloud services. Keeping the credentials secure is an important task. The credentials shouldn't be stored in developer workstations or checked into source control. -The Azure Active Directory (Azure AD) managed identities for Azure resources feature solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. This allows you to assign an identity to your Stream Analytics job which can then authenticate to any input or outputs that supports Azure AD authentication, without any credentials. See [managed identities for Azure resources overview page](../active-directory/managed-identities-azure-resources/overview.md) for more information about this service. +The Microsoft Entra managed identities for Azure resources feature solves this problem. The feature provides Azure services with an automatically managed identity in Microsoft Entra ID. This allows you to assign an identity to your Stream Analytics job which can then authenticate to any input or outputs that supports Microsoft Entra authentication, without any credentials. See [managed identities for Azure resources overview page](../active-directory/managed-identities-azure-resources/overview.md) for more information about this service. ## Managed identity types Stream Analytics supports two types of managed identities: -* System-assigned identity: When you enable a system-assigned managed identity for your job, you create an identity in Azure AD that is tied to the lifecycle of that job. 
So when you delete the resource, Azure automatically deletes the identity for you. +* System-assigned identity: When you enable a system-assigned managed identity for your job, you create an identity in Microsoft Entra ID that is tied to the lifecycle of that job. So when you delete the resource, Azure automatically deletes the identity for you. * User-assigned identity: You may also create a managed identity as a standalone Azure resource and assign it to your Stream Analytics job. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it. |
stream-analytics | Stream Analytics Monitor Jobs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/stream-analytics-monitor-jobs.md | Before you begin this process, you must have the following prerequisites: ## Create a project 1. Create a Visual Studio C# .NET console application.-2. In the Package Manager Console, run the following commands to install the NuGet packages. The first one is the Azure Stream Analytics Management .NET SDK. The second one is the Azure Monitor SDK that will be used to enable monitoring. The last one is the Azure Active Directory client that will be used for authentication. +2. In the Package Manager Console, run the following commands to install the NuGet packages. The first one is the Azure Stream Analytics Management .NET SDK. The second one is the Azure Monitor SDK that will be used to enable monitoring. The last one is the Microsoft Entra client that will be used for authentication. ```powershell Install-Package Microsoft.Azure.Management.StreamAnalytics For further assistance, try our [Microsoft Q&A question page for Azure Stream An * [Get started using Azure Stream Analytics](stream-analytics-real-time-fraud-detection.md) * [Scale Azure Stream Analytics jobs](stream-analytics-scale-jobs.md) * [Azure Stream Analytics Query Language Reference](/stream-analytics-query/stream-analytics-query-language-reference)-* [Azure Stream Analytics Management REST API Reference](/rest/api/streamanalytics/) +* [Azure Stream Analytics Management REST API Reference](/rest/api/streamanalytics/) |
synapse-analytics | Continuous Integration Delivery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/cicd/continuous-integration-delivery.md | To automate the deployment of an Azure Synapse workspace to multiple environment - Grant Owner permission to the Azure Synapse repository. - Make sure that you've created a self-hosted Azure DevOps VM agent or use an Azure DevOps hosted agent. - Grant permissions to [create an Azure Resource Manager service connection for the resource group](/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml&preserve-view=true).-- An Azure Active Directory (Azure AD) administrator must [install the Azure DevOps Synapse Workspace Deployment Agent extension in the Azure DevOps organization](/azure/devops/marketplace/install-extension).+- A Microsoft Entra administrator must [install the Azure DevOps Synapse Workspace Deployment Agent extension in the Azure DevOps organization](/azure/devops/marketplace/install-extension). - Create or nominate an existing service account for the pipeline to run as. You can use a personal access token instead of a service account, but your pipelines won't work after the user account is deleted. ### GitHub To automate the deployment of an Azure Synapse workspace to multiple environment - Create a GitHub repository that contains the Azure Synapse workspace artifacts and the workspace template. - Make sure that you've created a self-hosted runner or use a GitHub-hosted runner. -### Azure Active Directory +<a name='azure-active-directory'></a> -- If you're using a service principal, in Azure AD, create a service principal to use for deployment. +### Microsoft Entra ID ++- If you're using a service principal, in Microsoft Entra ID, create a service principal to use for deployment. 
- If you're using a managed identity, enable the system-assigned managed identity on your VM in Azure as the agent or runner, and then add it to Azure Synapse Studio as Synapse admin.-- Use the Azure AD admin role to complete these actions.+- Use the Microsoft Entra admin role to complete these actions. ### Azure Synapse Analytics The artifact in synapse can be referenced by another one. If you have parameteri #### 10. Failed to fetch the deployment status in notebook deployment The notebook you are trying to deploy is attached to a spark pool in the workspace template file, while in the deployment the pool does not exist in the target workspace. If you don't parameterize the pool name, please make sure that having the same name for the pools between environments. ---- |
synapse-analytics | Source Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/cicd/source-control.md | You can associate a Synapse workspace with an Azure DevOps Repository for source ### Azure DevOps Git repository settings -When connecting to your git repository, first select your repository type as Azure DevOps git, and then select one Azure AD tenant from the dropdown list, and click **Continue**. +When connecting to your git repository, first select your repository type as Azure DevOps git, and then select one Microsoft Entra tenant from the dropdown list, and click **Continue**. ![Configure the code repository settings](media/connect-with-azure-devops-repo-selected.png) The configuration pane shows the following Azure DevOps git settings: |: |: |: | | **Repository Type** | The type of the Azure Repos code repository.<br/> | Azure DevOps Git or GitHub | | **Cross tenant sign in** | Checkbox to sign in with cross tenant account. | unselected (default) |-| **Azure Active Directory** | Your Azure AD tenant name. | `<your tenant name>` | +| **Microsoft Entra ID** | Your Microsoft Entra tenant name. | `<your tenant name>` | | **Azure DevOps account** | Your Azure Repos organization name. You can locate your Azure Repos organization name at `https://{organization name}.visualstudio.com`. You can [sign in to your Azure Repos organization](https://www.visualstudio.com/team-services/git/) to access your Visual Studio profile and see your repositories and projects. | `<your organization name>` | | **ProjectName** | Your Azure Repos project name. You can locate your Azure Repos project name at `https://{organization name}.visualstudio.com/{project name}`. | `<your Azure Repos project name>` | | **RepositoryName** | Your Azure Repos code repository name. Azure Repos projects contain Git repositories to manage your source code as your project grows. 
You can create a new repository or use an existing repository that's already in your project. | `<your Azure Repos code repository name>` | Your can also use repository link to quickly point to the git repository you wan > [!NOTE] > Azure Synapse doesn't support connection to Prem Azure DevOps repository. -### Use a different Azure Active Directory tenant +<a name='use-a-different-azure-active-directory-tenant'></a> -The Azure Repos Git repo can be in a different Azure Active Directory tenant. To specify a different Azure AD tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator) +### Use a different Microsoft Entra tenant ++The Azure Repos Git repo can be in a different Microsoft Entra tenant. To specify a different Microsoft Entra tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator) > [!IMPORTANT]-> To connect to another Azure Active Directory, the user logged in must be a part of that active directory. +> To connect to another Microsoft Entra ID, the user logged in must be a part of that active directory. ### Use your personal Microsoft account To use a personal Microsoft account for Git integration, you can link your personal Azure Repo to your organization's Active Directory. -1. Add your personal Microsoft account to your organization's Active Directory as a guest. For more info, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../../active-directory/external-identities/add-users-administrator.md). +1. Add your personal Microsoft account to your organization's Active Directory as a guest. 
For more info, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../../active-directory/external-identities/add-users-administrator.md). 2. Log in to the Azure portal with your personal Microsoft account. Then switch to your organization's Active Directory. To use a personal Microsoft account for Git integration, you can link your perso After these configuration steps, your personal repo is available when you set up Git integration in the Synapse Studio. -For more info about connecting Azure Repos to your organization's Active Directory, see [Connect your organization to Azure Active Directory](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). +For more info about connecting Azure Repos to your organization's Active Directory, see [Connect your organization to Microsoft Entra ID](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). ### Use a cross tenant Azure DevOps account |
synapse-analytics | Data Explorer Compare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/data-explorer/data-explorer-compare.md | We recommend starting with Synapse Data Explorer if you are looking for a unifie | **Business Continuity** | Availability Zones | Optional | Enabled by default where Availability Zones are available | | **SKU** | Compute options | 22+ Azure VM SKUs to choose from | Simplified to Synapse workload types SKUs | | **Integrations** | Built-in ingestion pipelines | Event Hub, Event Grid, IoT Hub | Event Hub, Event Grid, and IoT Hub supported via the Azure portal for non-managed VNet |-| | Spark integration | Azure Data Explorer linked service: Built-in Kusto Spark integration with support for Azure Active Directory pass-through authentication, Synapse Workspace MSI, and Service Principal | Built-in Kusto Spark connector integration with support for Azure Active Directory pass-through authentication, Synapse Workspace MSI, and Service Principal | +| | Spark integration | Azure Data Explorer linked service: Built-in Kusto Spark integration with support for Microsoft Entra pass-through authentication, Synapse Workspace MSI, and Service Principal | Built-in Kusto Spark connector integration with support for Microsoft Entra pass-through authentication, Synapse Workspace MSI, and Service Principal | | | KQL artifacts management | Γ£ù | Save KQL queries and integrate with Git | | | Metadata sync | Γ£ù | Γ£ù | | **Features** | KQL queries | Γ£ô | Γ£ô | |
synapse-analytics | Implementation Success Assess Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/implementation-success-assess-environment.md | Use the following checklists of possible requirements to guide your assessment. - Dynamic data masking - Authentication: - SQL login- - Azure Active Directory (Azure AD) + - Microsoft Entra ID - Multi-factor authentication (MFA) - Network security: - Virtual networks |
synapse-analytics | Implementation Success Evaluate Data Integration Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/implementation-success-evaluate-data-integration-design.md | When you execute a pipeline by using Azure IR, it's serverless in nature and so A secured data platform is one of the key requirements of every organization. You should thoroughly plan security for the entire platform rather than individual components. Here are some security guidelines for Azure Synapse pipeline solutions. - Secure data movement to the cloud by using [Azure Synapse private endpoints](https://techcommunity.microsoft.com/t5/azure-architecture-blog/understanding-azure-synapse-private-endpoints/ba-p/2281463).-- Use Azure Active Directory (Azure AD) [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for authentication.+- Use Microsoft Entra [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for authentication. - Use Azure role-based access control (RBAC) and [Synapse RBAC](../security/synapse-workspace-synapse-rbac.md) for authorization. - Store credentials, secrets, and keys in Azure Key Vault rather than in the pipeline. For more information, see [Use Azure Key Vault secrets in pipeline activities](../../data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities.md). - Connect to on-premises resources via Azure ExpressRoute or VPN over private endpoints. A secured data platform is one of the key requirements of every organization. Yo ## Next steps -In the [next article](implementation-success-evaluate-dedicated-sql-pool-design.md) in the *Azure Synapse success by design* series, learn how to evaluate your dedicated SQL pool design to identify issues and validate that it meets guidelines and requirements. 
+In the [next article](implementation-success-evaluate-dedicated-sql-pool-design.md) in the *Azure Synapse success by design* series, learn how to evaluate your dedicated SQL pool design to identify issues and validate that it meets guidelines and requirements. |
synapse-analytics | Implementation Success Evaluate Serverless Sql Pool Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/implementation-success-evaluate-serverless-sql-pool-design.md | For security, evaluate the following points. - **Data storage:** Using the information gathered during the [assessment stage](implementation-success-assess-environment.md), identify whether typical *Raw*, *Stage*, and *Curated* data lake areas need to be placed on the same storage account instead of independent storage accounts. The latter might result in more flexibility in terms of roles and permissions. It can also add more input/output operations per second (IOPS) capacity that might be needed if your architecture must support heavy and simultaneous read/write workloads (like real-time or IoT scenarios). Validate whether you need to segregate further by keeping your sandboxed and master data areas on separate storage accounts. Most users won't need to update or delete data, so they don't need write permissions to the data lake, except for sandboxed and private areas. - From your assessment information, identify whether any requirements rely on security features like [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15&viewFallbackFrom=azure-sqldw-latest&preserve-view=true), [Dynamic data masking](/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql&preserve-view=true) or [Row-level security](/sql/relational-databases/security/row-level-security?view=azure-sqldw-latest&preserve-view=true). Validate the availability of these features in specific scenarios, like when used with the OPENROWSET function. Anticipate potential workarounds that may be required.-- From your assessment information, identify what would be the best authentication methods. 
Consider Azure Active Directory (Azure AD) service principals, shared access signature (SAS), and when and how authentication pass-through can be used and integrated in the exploration tool of choice of the customer. Evaluate the design and validate that the best authentication method as part of the design.+- From your assessment information, identify what would be the best authentication methods. Consider Microsoft Entra service principals, shared access signature (SAS), and when and how authentication pass-through can be used and integrated in the exploration tool of choice of the customer. Evaluate the design and validate that the best authentication method as part of the design. ### Other considerations Review your design and check whether you have put in place [best practices and r ## Next steps -In the [next article](implementation-success-evaluate-spark-pool-design.md) in the *Azure Synapse success by design* series, learn how to evaluate your Spark pool design to identify issues and validate that it meets guidelines and requirements. +In the [next article](implementation-success-evaluate-spark-pool-design.md) in the *Azure Synapse success by design* series, learn how to evaluate your Spark pool design to identify issues and validate that it meets guidelines and requirements. |
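Review bot: The renamed bullet keeps the broken sentence "Evaluate the design and validate that the best authentication method as part of the design", which has no verb after "method"; suggest "Evaluate the design and validate that the best authentication method is selected as part of the design." Also "the exploration tool of choice of the customer" reads more naturally as "the customer's exploration tool of choice".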
synapse-analytics | Implementation Success Evaluate Team Skill Sets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/implementation-success-evaluate-team-skill-sets.md | The *Azure administrator* manages administrative aspects of Azure. They're respo ### Security administrator -The *security administrator* must have local knowledge of the existing security landscape and requirements. This role collaborates with the [Synapse administrator](#synapse-administrator), [Synapse database administrator](#synapse-database-administrator), [Synapse Spark administrator](#synapse-spark-administrator), and other roles to set up security requirements. The security administrator could also be an Azure Active Directory (Azure AD) administrator. +The *security administrator* must have local knowledge of the existing security landscape and requirements. This role collaborates with the [Synapse administrator](#synapse-administrator), [Synapse database administrator](#synapse-database-administrator), [Synapse Spark administrator](#synapse-spark-administrator), and other roles to set up security requirements. The security administrator could also be a Microsoft Entra administrator. ### Network administrator |
synapse-analytics | Implementation Success Evaluate Workspace Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/implementation-success-evaluate-workspace-design.md | Review the security design for the workspace and compare it with the information Serverless SQL pools and Apache Spark tables store their data in an Azure Data Lake Gen2 (ADLS Gen2) container that's associated with the workspace. User-installed Apache Spark libraries are also managed in this same storage account. To enable these use cases, both users and the workspace managed service identity (MSI) must be added to the **Storage Blob Data Contributor** role of the ADLS Gen2 storage container. Verify this requirement against your security requirements. -Dedicated SQL pools provide a rich set of security features to encrypt and mask sensitive data. Both dedicated and serverless SQL pools enable the full surface area of SQL Server permissions including built-in roles, user-defined roles, SQL authentication, and Azure Active Directory (Azure AD) authentication. Review the security design for your solution's dedicated SQL pool and serverless SQL pool access and data. +Dedicated SQL pools provide a rich set of security features to encrypt and mask sensitive data. Both dedicated and serverless SQL pools enable the full surface area of SQL Server permissions including built-in roles, user-defined roles, SQL authentication, and Microsoft Entra authentication. Review the security design for your solution's dedicated SQL pool and serverless SQL pool access and data. Review the security plan for your data lake and all the ADLS Gen2 storage accounts (and others) that will form part of your Azure Synapse Analytics solution. ADLS Gen2 storage isn't itself a compute engine and so it doesn't have a built-in ability to selectively mask data attributes. 
You can apply ADLS Gen2 permissions at the storage account or container level by using role-based access control (RBAC) and/or at the folder or file level by using access control lists (ACLs). Review the design carefully and strive to avoid unnecessary complexity. Here are some points to consider for the security design. -- Make sure Azure AD set up requirements are included in the design.+- Make sure Microsoft Entra ID set up requirements are included in the design. - Check for cross-tenant scenarios. Such issues may arise because some data is in another Azure tenant, or it needs to move to another tenant, or it needs to be accessed by users from another tenant. Ensure these scenarios are considered in your design. - What are the roles for each workspace? How will they use the workspace? - How is the security designed within the workspace? |
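Review bot: In the replaced bullet "+- Make sure Microsoft Entra ID set up requirements are included in the design.", "set up" is the verb form; the noun is "setup", so this should read "Microsoft Entra ID setup requirements".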
synapse-analytics | Implementation Success Perform Operational Readiness Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/implementation-success-perform-operational-readiness-review.md | It's important to review solution readiness by using the following points. Data security and privacy are non-negotiable. Azure Synapse implements a multi-layered security architecture for end-to-end protection of your data. Review security readiness by using the following points. -- **Authentication:** Ensure Azure Active Directory (Azure AD) authentication is used whenever possible. If non-Azure AD authentication is used, ensure strong password mechanisms are in place and that passwords are rotated on a regular basis. For more information, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance/). Ensure monitoring is in place to detect suspicious actions related to user authentication. Consider using [Azure Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) to automate the detection and remediation of identity-based risks.+- **Authentication:** Ensure Microsoft Entra authentication is used whenever possible. If non-Microsoft Entra authentication is used, ensure strong password mechanisms are in place and that passwords are rotated on a regular basis. For more information, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance/). Ensure monitoring is in place to detect suspicious actions related to user authentication. Consider using [Azure Identity Protection](../../active-directory/identity-protection/overview-identity-protection.md) to automate the detection and remediation of identity-based risks. - **Access control:** Ensure proper access controls are in place following the [principle of least privilege](../../active-directory/develop/secure-least-privileged-access.md). 
Use security features available with Azure services to strengthen the security of your solution. For example, Azure Synapse provides granular security features, including row-level security (RLS), column-level security, and dynamic data masking. For more information, see [Azure Synapse Analytics security white paper: Access control](security-white-paper-access-control.md). - **Threat protection:** Ensure proper threat detection mechanisms are place to prevent, detect, and respond to threats. Azure Synapse provides SQL Auditing, SQL Threat Detection, and Vulnerability Assessment to audit, protect, and monitor databases. For more information, see [Azure Synapse Analytics security white paper: Threat detection](security-white-paper-threat-protection.md). Use the built-in DR mechanisms available with Azure services for building your D ## Next steps -In the [next article](implementation-success-perform-user-readiness-and-onboarding-plan-review.md) in the *Azure Synapse success by design* series, learn how to perform monitoring of your Azure Synapse solution. +In the [next article](implementation-success-perform-user-readiness-and-onboarding-plan-review.md) in the *Azure Synapse success by design* series, learn how to perform monitoring of your Azure Synapse solution. |
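Review bot: The rewritten Authentication bullet renames Azure AD to Microsoft Entra but leaves the link text "Azure Identity Protection" unchanged; the product is now named Microsoft Entra ID Protection, so the link text should be updated in the same pass for consistency. "If non-Microsoft Entra authentication is used" is also awkward; since the alternative the pools support is SQL authentication (see the workspace design row above), "If SQL authentication is used" would be clearer. In the unchanged Threat protection bullet, "mechanisms are place" is missing "in".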
synapse-analytics | Proof Of Concept Playbook Data Explorer Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/proof-of-concept-playbook-data-explorer-pool.md | Using the specific tests you identified, select a dataset to support the tests. Based upon the high-level architecture of your proposed future state architecture, identify the components that will form part of your POC. Your high-level future state architecture likely contains many data sources, numerous data consumers, big data components, and possibly machine learning and artificial intelligence (AI) data consumers. Your POC architecture should specifically identify components that will be part of the POC. Importantly, it should identify any components that won't form part of the POC testing. -If you're already using Azure, identify any resources you already have in place (Azure Active Directory, ExpressRoute, and others) that you can use during the POC. Also identify the Azure regions your organization uses. Now is a great time to identify the throughput of your ExpressRoute connection and to check with other business users that your POC can consume some of that throughput without adverse impact on production systems. +If you're already using Azure, identify any resources you already have in place (Microsoft Entra ID, ExpressRoute, and others) that you can use during the POC. Also identify the Azure regions your organization uses. Now is a great time to identify the throughput of your ExpressRoute connection and to check with other business users that your POC can consume some of that throughput without adverse impact on production systems. For more information, see [Big data architectures](/azure/architecture/data-guide/big-data/). |
synapse-analytics | Proof Of Concept Playbook Dedicated Sql Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/proof-of-concept-playbook-dedicated-sql-pool.md | A high-level future architecture likely contains many data sources and data cons Additionally, if you're already using Azure, identify the following: -- Any existing Azure resources that you can use during the POC. For example, resources can include Azure Active Directory (Azure AD), or Azure ExpressRoute.+- Any existing Azure resources that you can use during the POC. For example, resources can include Microsoft Entra ID, or Azure ExpressRoute. - What Azure region(s) your organization prefers. - A subscription you can use for non-production POC work. - The throughput of your network connection to Azure. Identify the team members and their commitment to support your POC. Team members - An application data expert to source the data for the POC dataset. - An Azure Synapse specialist. - An expert advisor to optimize the POC tests.-- Any person who will be required for specific POC project tasks but who aren't required for its entire duration. These supporting resources could include network administrators, Azure administrators, or Azure AD administrators.+- Any person who will be required for specific POC project tasks but who aren't required for its entire duration. These supporting resources could include network administrators, Azure administrators, or Microsoft Entra administrators. > [!TIP] > We recommend engaging an expert advisor to assist with your POC. [Microsoft's partner community](https://appsource.microsoft.com/marketplace/partner-dir) has global availability of expert consultants who can help you assess, evaluate, or implement Azure Synapse. |
synapse-analytics | Proof Of Concept Playbook Serverless Sql Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/proof-of-concept-playbook-serverless-sql-pool.md | Using the specific tests you identified, select a dataset to support the tests. Based upon the high-level architecture of your proposed future state architecture, identify the components that will form part of your POC. Your high-level future state architecture likely contains many data sources, numerous data consumers, big data components, and possibly machine learning and artificial intelligence (AI) data consumers. Your POC architecture should specifically identify components that will be part of the POC. Importantly, it should identify any components that won't form part of the POC testing. -If you're already using Azure, identify any resources you already have in place (Azure Active Directory, ExpressRoute, and others) that you can use during the POC. Also identify the Azure regions your organization uses. Now is a great time to identify the throughput of your ExpressRoute connection and to check with other business users that your POC can consume some of that throughput without adverse impact on production systems. +If you're already using Azure, identify any resources you already have in place (Microsoft Entra ID, ExpressRoute, and others) that you can use during the POC. Also identify the Azure regions your organization uses. Now is a great time to identify the throughput of your ExpressRoute connection and to check with other business users that your POC can consume some of that throughput without adverse impact on production systems. ### Identify POC resources |
synapse-analytics | Proof Of Concept Playbook Spark Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/proof-of-concept-playbook-spark-pool.md | Using the specific tests you identified, select a dataset to support the tests. Based upon the high-level architecture of your proposed future state architecture, identify the components that will form part of your POC. Your high-level future state architecture likely contains many data sources, numerous data consumers, big data components, and possibly machine learning and artificial intelligence (AI) data consumers. Your POC architecture should specifically identify components that will be part of the POC. Importantly, it should identify any components that won't form part of the POC testing. -If you're already using Azure, identify any resources you already have in place (Azure Active Directory, ExpressRoute, and others) that you can use during the POC. Also identify the Azure regions your organization uses. Now is a great time to identify the throughput of your ExpressRoute connection and to check with other business users that your POC can consume some of that throughput without adverse impact on production systems. +If you're already using Azure, identify any resources you already have in place (Microsoft Entra ID, ExpressRoute, and others) that you can use during the POC. Also identify the Azure regions your organization uses. Now is a great time to identify the throughput of your ExpressRoute connection and to check with other business users that your POC can consume some of that throughput without adverse impact on production systems. For more information, see [Big data architectures](/azure/architecture/data-guide/big-data/). |
synapse-analytics | Security White Paper Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/security-white-paper-access-control.md | Azure Synapse supports a wide range of capabilities to control who can access wh ## Object-level security -Every object in a dedicated SQL pool has associated permissions that can be granted to a principal. In the context of users and service accounts, that's how individual tables, views, stored procedures, and functions are secured. Object permissions, like SELECT, can be granted to user accounts (SQL logins, Azure Active Directory users or groups) and [database roles](/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15&preserve-view=true), which provides flexibility for database administrators. Further, permissions granted on tables and views can be combined with other access control mechanisms (described below), such as column-level security, row-level security, and dynamic data masking. +Every object in a dedicated SQL pool has associated permissions that can be granted to a principal. In the context of users and service accounts, that's how individual tables, views, stored procedures, and functions are secured. Object permissions, like SELECT, can be granted to user accounts (SQL logins, Microsoft Entra users or groups) and [database roles](/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15&preserve-view=true), which provides flexibility for database administrators. Further, permissions granted on tables and views can be combined with other access control mechanisms (described below), such as column-level security, row-level security, and dynamic data masking. In Azure Synapse, all permissions are granted to database-level users and roles. 
Additionally, any user granted the built-in [Synapse Administrator RBAC role](../security/synapse-workspace-synapse-rbac-roles.md) at the workspace level is automatically granted full access to all dedicated SQL pools. -In addition to securing SQL tables in Azure Synapse, dedicated SQL pool (formerly SQL DW), serverless SQL pool, and Spark tables can be secured too. By default, users assigned to the **Storage Blob Data Contributor** role of data lakes connected to the workspace have READ, WRITE, and EXECUTE permissions on all Spark-created tables *when users interactively execute code in notebook*. It's called *Azure Active Directory (Azure AD) pass-through*, and it applies to all data lakes connected to the workspace. However, if the same user executes the same notebook *through a pipeline*, the workspace Managed Service Identity (MSI) is used for authentication. So, for the pipeline to successfully execute workspace MSI, it must also belong to the **Storage Blob Data Contributor** role of the data lake that's accessed. +In addition to securing SQL tables in Azure Synapse, dedicated SQL pool (formerly SQL DW), serverless SQL pool, and Spark tables can be secured too. By default, users assigned to the **Storage Blob Data Contributor** role of data lakes connected to the workspace have READ, WRITE, and EXECUTE permissions on all Spark-created tables *when users interactively execute code in notebook*. It's called *Microsoft Entra pass-through*, and it applies to all data lakes connected to the workspace. However, if the same user executes the same notebook *through a pipeline*, the workspace Managed Service Identity (MSI) is used for authentication. So, for the pipeline to successfully execute workspace MSI, it must also belong to the **Storage Blob Data Contributor** role of the data lake that's accessed. ## Row-level security |
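Review bot: In the rewritten pass-through paragraph, "for the pipeline to successfully execute workspace MSI, it must also belong to the **Storage Blob Data Contributor** role" reads as if the pipeline executes the MSI and "it" is ambiguous. Suggest "for the pipeline to run successfully, the workspace MSI must also belong to the **Storage Blob Data Contributor** role of the data lake that's accessed". Minor: "execute code in notebook" should be "in a notebook".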
synapse-analytics | Security White Paper Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/security-white-paper-authentication.md | Some of the benefits of these robust authentication mechanisms include: - SQL endpoints with [Multi-factor authentication](../sql/mfa-authentication.md). - Elimination of the need to manage credentials with [managed identity](../../data-factory/data-factory-service-identity.md). -Azure Synapse, dedicated SQL pool (formerly SQL DW), and serverless SQL pool currently support [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) authentication and [SQL authentication](../sql/sql-authentication.md), while Apache Spark pool supports only Azure AD authentication. Multi-factor authentication and managed identity are fully supported for Azure Synapse, dedicated SQL pool (formerly SQL DW), serverless SQL pool, and Apache Spark pool. +Azure Synapse, dedicated SQL pool (formerly SQL DW), and serverless SQL pool currently support [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) (Microsoft Entra ID) authentication and [SQL authentication](../sql/sql-authentication.md), while Apache Spark pool supports only Microsoft Entra authentication. Multi-factor authentication and managed identity are fully supported for Azure Synapse, dedicated SQL pool (formerly SQL DW), serverless SQL pool, and Apache Spark pool. ## Next steps |
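Review bot: The rewritten sentence now reads "[Microsoft Entra ID](...) (Microsoft Entra ID) authentication"; the parenthetical used to introduce the "Azure AD" abbreviation and is now a duplicate of the link text. Drop it: "support [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) authentication and [SQL authentication](../sql/sql-authentication.md)".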
synapse-analytics | Security White Paper Network Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/guidance/security-white-paper-network-security.md | The above diagram depicts the following key points: | ![Item 1.](media/common/icon-01-red-30x30.png) | The private endpoint in the customer VNet is mapped to a single dedicated SQL pool (formerly SQL DW) endpoint in Workspace A. | | ![Item 2.](media/common/icon-02-red-30x30.png) | Other SQL pool endpoints in the other workspaces (B and C) aren't accessible through this private endpoint, minimizing exposure. | -Private endpoint works across Azure Active Directory (Azure AD) tenants and regions, so it's possible to create private endpoint connections to Synapse workspaces across tenants and regions. In this case, it goes through the [private endpoint connection approval workflow](../../private-link/private-endpoint-overview.md#access-to-a-private-link-resource-using-approval-workflow). The resource owner controls which private endpoint connections are approved or denied. The resource owner is in full control of who can connect to their workspaces. +Private endpoint works across Microsoft Entra tenants and regions, so it's possible to create private endpoint connections to Synapse workspaces across tenants and regions. In this case, it goes through the [private endpoint connection approval workflow](../../private-link/private-endpoint-overview.md#access-to-a-private-link-resource-using-approval-workflow). The resource owner controls which private endpoint connections are approved or denied. The resource owner is in full control of who can connect to their workspaces. The following diagram depicts a private endpoint connection approval workflow. In addition, Spark pools operate as a job cluster. 
It means each user gets their ## Data exfiltration protection -Synapse workspaces with Managed VNet have an additional security feature called *[data exfiltration protection](../security/workspace-data-exfiltration-protection.md)*. It protects all egress traffic going out from Azure Synapse from all services, including dedicated SQL pools, serverless SQL pools, Apache spark pools, and pipelines. It's configured by enabling data exfiltration protection at the workspace level (at workspace creation time) to restrict the outbound connections to an allowed list of Azure Active Directory (Azure AD) tenants. By default, only the home tenant of the workspace is added to the list, but it's possible to add or modify the list of Azure AD tenants anytime after the workspace is created. Adding additional tenants is a highly privileged operation that requires the elevated role of [Synapse Administrator](../security/synapse-workspace-synapse-rbac-roles.md). It effectively controls exfiltration of data from Azure Synapse to other organizations and tenants, without the need to have complicated network security policies in place. +Synapse workspaces with Managed VNet have an additional security feature called *[data exfiltration protection](../security/workspace-data-exfiltration-protection.md)*. It protects all egress traffic going out from Azure Synapse from all services, including dedicated SQL pools, serverless SQL pools, Apache spark pools, and pipelines. It's configured by enabling data exfiltration protection at the workspace level (at workspace creation time) to restrict the outbound connections to an allowed list of Microsoft Entra tenants. By default, only the home tenant of the workspace is added to the list, but it's possible to add or modify the list of Microsoft Entra tenants anytime after the workspace is created. 
Adding additional tenants is a highly privileged operation that requires the elevated role of [Synapse Administrator](../security/synapse-workspace-synapse-rbac-roles.md). It effectively controls exfiltration of data from Azure Synapse to other organizations and tenants, without the need to have complicated network security policies in place. For workspaces with data exfiltration protection enabled, Synapse pipelines and Apache Spark pools must use managed private endpoint connections for all their outbound connections. The above diagram depicts the following key points: | ![Item 1.](media/common/icon-01-red-30x30.png) | The workstation in a restricted customer VNet accesses the Synapse Studio using a web browser. | | ![Item 2.](media/common/icon-02-red-30x30.png) | A private endpoint created for private link hubs resource is used to download the static studio contents using Azure Private Link. | | ![Item 3.](media/common/icon-03-red-30x30.png) | Private endpoints created for Synapse workspace endpoints access the workspace resources securely using Azure Private Links. |-| ![Item 4.](media/common/icon-04-red-30x30.png) | Network security group rules in the restricted customer VNet allow outbound traffic over port 443 to a limited set of Azure services, such as Azure Resource Manager, Azure Front Door, and Azure Active Directory. | +| ![Item 4.](media/common/icon-04-red-30x30.png) | Network security group rules in the restricted customer VNet allow outbound traffic over port 443 to a limited set of Azure services, such as Azure Resource Manager, Azure Front Door, and Microsoft Entra ID. | | ![Item 5.](media/common/icon-05-red-30x30.png) | Network security group rules in the restricted customer VNet deny all other outbound traffic from the VNet. | | ![Item 6.](media/common/icon-06-red-30x30.png) | Public access is disabled on the Synapse workspace. | |
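Review bot: While the data exfiltration paragraph is being rewritten, "Apache spark pools" should be "Apache Spark pools" (the capitalization used elsewhere in this row), and "Adding additional tenants" can simply be "Adding tenants".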
synapse-analytics | How To Access Container With Access Control Lists | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/how-to-access-container-with-access-control-lists.md | You can now browse an Azure Data Lake Storage Gen2 (ADLS Gen2) container or fold ## Prerequisites The following prerequisites must be met prior to connecting a container or folder in Azure Synapse:-* The Storage Blob Data Contributor (Azure RBAC) role or access control lists (ACLs) must be granted to your Azure AD identity. +* The Storage Blob Data Contributor (Azure RBAC) role or access control lists (ACLs) must be granted to your Microsoft Entra identity. * A linked service to the ADLS Gen2 container must be created in the Synapse workspace. |
synapse-analytics | How To Move Workspace From One Region To Another | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/how-to-move-workspace-from-one-region-to-another.md | Moving an Azure Synapse workspace from one region to another region is a multist 1. Create serverless SQL pool and Spark pool databases and objects. 1. Add an Azure DevOps Service Principal to the Azure Synapse role-based access control (RBAC) Synapse Artifact Publisher role if you're using an Azure DevOps release pipeline to deploy the artifacts. 1. Deploy code artifact (SQL Scripts, Notebooks), linked services, pipelines, datasets, Spark Job definitions triggers, and credentials from Azure DevOps release pipelines to the target region Azure Synapse workspace.-1. Add Azure Active Directory (Azure AD) users or groups to Azure Synapse RBAC roles. Granting Storage Blob Contributor access to system-assigned managed identity (SA-MI) on Azure Storage and Azure Key Vault if you're authenticating by using managed identity. -1. Grant Storage Blob Reader or Storage Blob Contributor roles to required Azure AD users on default attached storage or on the Storage account that has data to be queried by using a serverless SQL pool. +1. Add Microsoft Entra users or groups to Azure Synapse RBAC roles. Granting Storage Blob Contributor access to system-assigned managed identity (SA-MI) on Azure Storage and Azure Key Vault if you're authenticating by using managed identity. +1. Grant Storage Blob Reader or Storage Blob Contributor roles to required Microsoft Entra users on default attached storage or on the Storage account that has data to be queried by using a serverless SQL pool. 1. Re-create self-hosted integration runtime (SHIR). 1. Manually upload all required libraries and jars in the target Azure Synapse workspace. 1. Create all managed private endpoints if the workspace is deployed in a managed virtual network. 
To create a SHIR, follow the steps in [Create and configure a self-hosted integr ## Step 8: Assign an Azure role to managed identity - Assign `Storage Blob Contributor` access to the managed identity of the new workspace on the default attached Data Lake Storage Gen2 account. Also assign access on other storage accounts where SA-MI is used for authentication. Assign `Storage Blob Contributor` or `Storage Blob Reader` access to Azure AD users and groups for all the required storage accounts. + Assign `Storage Blob Contributor` access to the managed identity of the new workspace on the default attached Data Lake Storage Gen2 account. Also assign access on other storage accounts where SA-MI is used for authentication. Assign `Storage Blob Contributor` or `Storage Blob Reader` access to Microsoft Entra users and groups for all the required storage accounts. ### Azure portal Follow the steps in [Grant permissions to workspace managed identity](security/how-to-grant-workspace-managed-identity-permissions.md) to assign a Storage Blob Data Contributor role to the managed identity of the workspace. az role assignment create --assignee $workSpaceIdentityObjectID ` ## Step 9: Assign Azure Synapse RBAC roles -Add all the users who need access to the target workspace with separate roles and permissions. The following PowerShell and CLI script adds an Azure AD user to the Synapse Administrator role in the target region workspace. +Add all the users who need access to the target workspace with separate roles and permissions. The following PowerShell and CLI script adds a Microsoft Entra user to the Synapse Administrator role in the target region workspace. To get all the Azure Synapse RBAC role names, see [Azure Synapse RBAC roles](security/synapse-workspace-synapse-rbac-roles.md). 
To add or delete Azure Synapse RBAC assignments from Synapse Studio, follow the ### Azure PowerShell -The following PowerShell script adds the Synapse Administrator role assignment to an Azure AD user or group. You can use -RoleDefinitionId instead of -RoleDefinitionName with the following command to add the users to the workspace: +The following PowerShell script adds the Synapse Administrator role assignment to a Microsoft Entra user or group. You can use -RoleDefinitionId instead of -RoleDefinitionName with the following command to add the users to the workspace: ```powershell New-AzSynapseRoleAssignment ` Get-AzSynapseRoleAssignment -WorkspaceName $workspaceName ``` -To get the ObjectIds and RoleIds in the source region workspace, run the `Get-AzSynapseRoleAssignment` command. Assign the same Azure Synapse RBAC roles to the Azure AD users or groups in the target region workspace. +To get the ObjectIds and RoleIds in the source region workspace, run the `Get-AzSynapseRoleAssignment` command. Assign the same Azure Synapse RBAC roles to the Microsoft Entra users or groups in the target region workspace. Instead of using `-ObjectId` as the parameter, you can also use `-SignInName`, where you provide the email address or the user principal name of the user. To find out more about the available options, see [Azure Synapse RBAC - PowerShell cmdlet](/powershell/module/az.synapse/new-azsynapseroleassignment). ### Azure CLI -Get the Object ID of the user and assign the required Azure Synapse RBAC permissions to the Azure AD user. You can provide the email address of the user (username@contoso.com) for the `--assignee` parameter. +Get the Object ID of the user and assign the required Azure Synapse RBAC permissions to the Microsoft Entra user. You can provide the email address of the user (username@contoso.com) for the `--assignee` parameter. ```azurecli az synapse role assignment create ` |
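Review bot: The role names in the rewritten steps are inconsistent with the built-in Azure roles: the step "+1. Add Microsoft Entra users or groups to Azure Synapse RBAC roles. Granting Storage Blob Contributor access..." and Step 8 use `Storage Blob Contributor` and `Storage Blob Reader`, while the linked sentence in Step 8 uses the actual role name "Storage Blob Data Contributor" (the reader role is "Storage Blob Data Reader"). Suggest the exact built-in names throughout so readers can find them in the portal. Also, "Granting Storage Blob Contributor access to system-assigned managed identity..." is a fragment in an imperative list; make it "Grant ... access to the system-assigned managed identity (SA-MI) ...".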
synapse-analytics | How To Recover Workspace After Tenant Move | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/how-to-recover-workspace-after-tenant-move.md | Title: Recovering Synapse Analytics workspace after transferring a subscription to a different Azure AD directory -description: This article provides steps to recover the Synapse Analytics workspace after moving a subscription to a different Azure AD directory (tenant) + Title: Recovering Synapse Analytics workspace after transferring a subscription to a different Microsoft Entra directory +description: This article provides steps to recover the Synapse Analytics workspace after moving a subscription to a different Microsoft Entra directory (tenant) -# Recovering Synapse Analytics workspace after transferring a subscription to a different Azure AD directory (tenant) +# Recovering Synapse Analytics workspace after transferring a subscription to a different Microsoft Entra directory (tenant) -This article describes how to recover the Synapse Analytics workspace after transferring its subscription to a different Azure AD directory. The Synapse Analytics workspace will not be accessible after transferring a subscription to a different Azure AD directory (tenant). +This article describes how to recover the Synapse Analytics workspace after transferring its subscription to a different Microsoft Entra directory. The Synapse Analytics workspace will not be accessible after transferring a subscription to a different Microsoft Entra directory (tenant). When you try to launch the Synapse studio after the move, you will see the error: "Failed to load one or more resources due to no access, error code 403." When you try to launch the Synapse studio after the move, you will see the error Follow the steps in this article after transferring a subscription across tenant to recover the Synapse Analytics workspace. 
-Transferring a subscription to a different Azure AD directory (tenant) is a complex process that must be carefully planned and executed. Azure Synapse Analytics require security principals (identities) to operate normally. When a subscription is moved to a different tenant, all principal IDs change, role assignments are deleted from Azure resource, and system assigned managed identities are dropped. +Transferring a subscription to a different Microsoft Entra directory (tenant) is a complex process that must be carefully planned and executed. Azure Synapse Analytics require security principals (identities) to operate normally. When a subscription is moved to a different tenant, all principal IDs change, role assignments are deleted from Azure resource, and system assigned managed identities are dropped. -To understand the impact of transferring a subscription to another tenant see [Transfer an Azure subscription to a different Azure AD directory](../role-based-access-control/transfer-subscription.md) +To understand the impact of transferring a subscription to another tenant see [Transfer an Azure subscription to a different Microsoft Entra directory](../role-based-access-control/transfer-subscription.md) This article covers the steps involved in recovering a Synapse Analytics workspace after moving the subscription across tenants. ## Pre-requisites -- To know more about service or resources impacted by tenant move see [Transfer an Azure subscription to a different Azure AD directory](../role-based-access-control/transfer-subscription.md).-- Save all the role assignment for Azure Active Directory (Azure AD) users, groups, and managed identities. This information can be used to assign the required permissions on Azure resources like Azure Synapse Analytics and ADLS Gen2 after tenant move. 
See [Step 1: Prepare for the transfer](../role-based-access-control/transfer-subscription.md#step-1-prepare-for-the-transfer)-- Save all the permissions necessary for Azure AD users in dedicated and serverless SQL pool. Azure AD users will be deleted from the dedicated and serverless SQL pools after tenant move.+- To know more about service or resources impacted by tenant move see [Transfer an Azure subscription to a different Microsoft Entra directory](../role-based-access-control/transfer-subscription.md). +- Save all the role assignment for Microsoft Entra users, groups, and managed identities. This information can be used to assign the required permissions on Azure resources like Azure Synapse Analytics and ADLS Gen2 after tenant move. See [Step 1: Prepare for the transfer](../role-based-access-control/transfer-subscription.md#step-1-prepare-for-the-transfer) +- Save all the permissions necessary for Microsoft Entra users in dedicated and serverless SQL pool. Microsoft Entra users will be deleted from the dedicated and serverless SQL pools after tenant move. ## Steps for recovering Synapse Analytics workspace This article covers the steps involved in recovering a Synapse Analytics workspa After transferring the subscription to another tenant, follow the below steps to recover the Azure Synapse Analytics workspace. 1. [Disable and re-enable the system Assigned Managed Identity](#disablereenable). More information later in this article.-2. [Assign Azure RBAC (role based access control) permissions to the required Azure AD users, groups, and managed identities](../role-based-access-control/transfer-subscription.md#step-3-re-create-resources) on the Synapse Analytics workspace and required Azure resources. +2. 
[Assign Azure RBAC (role based access control) permissions to the required Microsoft Entra users, groups, and managed identities](../role-based-access-control/transfer-subscription.md#step-3-re-create-resources) on the Synapse Analytics workspace and required Azure resources. 3. [Set the SQL Active Directory admin.](/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#provision-azure-ad-admin-sql-database)-4. Re-create [Azure AD users and groups](sql/sql-authentication.md?tabs=provisioned#non-administrator-users) based on their equivalent users and groups in the new Azure AD tenant for the dedicated and serverless SQL pools. -5. Assign Azure RBAC to Azure AD users, groups to Synapse Analytics workspace. This step should be first step after recovering the workspace. Without this step, launching Synapse Studio will throw 403 messages, due to Azure AD users not having permissions on the workspace: +4. Re-create [Microsoft Entra users and groups](sql/sql-authentication.md?tabs=provisioned#non-administrator-users) based on their equivalent users and groups in the new Microsoft Entra tenant for the dedicated and serverless SQL pools. +5. Assign Azure RBAC to Microsoft Entra users, groups to Synapse Analytics workspace. This step should be first step after recovering the workspace. Without this step, launching Synapse Studio will throw 403 messages, due to Microsoft Entra users not having permissions on the workspace: ```JSON {"error":{"code":"Unauthorized","message":"The principal '<subscriptionid>' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/read, Scope: workspaces/tenantmove-ws-1/*."}} ```-6. Assign Azure RBAC roles to Azure AD users, groups, service principals to all the resources used in the workspace artifacts, such as ADLS Gen2. 
For more information on Azure RBAC in ADLS Gen2, see [Role-based access control (Azure RBAC)](../storage/blobs/data-lake-storage-access-control-model.md#role-based-access-control-azure-rbac). -7. Add Synapse RBAC role assignments to Azure AD users and groups. For more information, see [How to manage Synapse RBAC role assignments in Synapse Studio](security/how-to-manage-synapse-rbac-role-assignments.md) -8. Recreate all the Azure AD logins and users in dedicated and serverless SQL pool. For more information, see [SQL Authentication in Azure Synapse Analytics](sql/sql-authentication.md) +6. Assign Azure RBAC roles to Microsoft Entra users, groups, service principals to all the resources used in the workspace artifacts, such as ADLS Gen2. For more information on Azure RBAC in ADLS Gen2, see [Role-based access control (Azure RBAC)](../storage/blobs/data-lake-storage-access-control-model.md#role-based-access-control-azure-rbac). +7. Add Synapse RBAC role assignments to Microsoft Entra users and groups. For more information, see [How to manage Synapse RBAC role assignments in Synapse Studio](security/how-to-manage-synapse-rbac-role-assignments.md) +8. Recreate all the Microsoft Entra logins and users in dedicated and serverless SQL pool. For more information, see [SQL Authentication in Azure Synapse Analytics](sql/sql-authentication.md) 9. Recreate all user assigned managed identity and assign user-assigned managed identity to the Synapse Analytics workspace. 
For more information, see [Credentials in Azure Data Factory and Azure Synapse](../data-factory/credentials.md) > [!NOTE] Execute the following command to check the provisioningState value and the Ident ## Next steps -- [Transfer an Azure subscription to a different Azure AD directory](../role-based-access-control/transfer-subscription.md)+- [Transfer an Azure subscription to a different Microsoft Entra directory](../role-based-access-control/transfer-subscription.md) - [Move an Azure Synapse Analytics workspace from one region to another](how-to-move-workspace-from-one-region-to-another.md)-- [Assign Azure RBAC (role based access control) permissions to the required Azure AD users, groups, and managed identities](../role-based-access-control/transfer-subscription.md#step-3-re-create-resources)-- [How to manage Synapse RBAC role assignments in Synapse Studio](security/how-to-manage-synapse-rbac-role-assignments.md) +- [Assign Azure RBAC (role based access control) permissions to the required Microsoft Entra users, groups, and managed identities](../role-based-access-control/transfer-subscription.md#step-3-re-create-resources) +- [How to manage Synapse RBAC role assignments in Synapse Studio](security/how-to-manage-synapse-rbac-role-assignments.md) |
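Review bot: in the recovery steps hunk, step 5 ("Assign Azure RBAC to Microsoft Entra users, groups to Synapse Analytics workspace. This step should be first step after recovering the workspace.") conflicts with its own position in the list and duplicates step 2, which already assigns Azure RBAC on the workspace; the 403 payload quoted under it says "does not have the required Synapse RBAC permission", so the permission it is describing is the Synapse RBAC assignment covered by step 7, not Azure RBAC. Suggest folding step 5 into step 2 with a pointer to step 7, and, since the line is rewritten for the rename anyway, correcting "should be first step" to "should be the first step". The placeholder in that payload, `The principal '<subscriptionid>'`, also looks mislabelled: the message names the value as a principal, so a placeholder such as `<principal-object-id>` would stop readers from looking for a subscription ID there.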
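Review bot: the intro and Pre-requisites hunks carry "Azure Synapse Analytics require security principals" (should be "requires") and "Save all the role assignment for Microsoft Entra users" (should be "role assignments") over from the removed lines into the added ones; fix the agreement while these lines are being rewritten. The prerequisite "Save all the permissions necessary for Microsoft Entra users in dedicated and serverless SQL pool" also tells the reader what to keep but not how to capture it before the move; step 8 later links sql/sql-authentication.md only for recreating logins, so a pointer to how to enumerate the existing logins, users and grants belongs here, where the reader still has a working tenant.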
synapse-analytics | Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/known-issues.md | When using an ARM template, Bicep template, or direct REST API PUT operation to |Synapse Component|Issue|Status|Date Resolved |||||-|Azure Synapse serverless SQL pool|[Queries using Azure AD authentication fails after 1 hour](#queries-using-azure-ad-authentication-fails-after-1-hour)|Resolved|August 2023 +|Azure Synapse serverless SQL pool|[Queries using Microsoft Entra authentication fails after 1 hour](#queries-using-azure-ad-authentication-fails-after-1-hour)|Resolved|August 2023 |Azure Synapse serverless SQL pool|[Query failures while reading Cosmos DB data using OPENROWSET](#query-failures-while-reading-azure-cosmos-db-data-using-openrowset)|Resolved|March 2023 |Azure Synapse Apache Spark pool|[Failed to write to SQL Dedicated Pool from Synapse Spark using Azure Synapse Dedicated SQL Pool Connector for Apache Spark when using notebooks in pipelines](#failed-to-write-to-sql-dedicated-pool-from-synapse-spark-using-azure-synapse-dedicated-sql-pool-connector-for-apache-spark-when-using-notebooks-in-pipelines)|Resolved|June 2023 ## Azure Synapse Analytics serverless SQL pool recently closed known issues summary -### Queries using Azure AD authentication fails after 1 hour +<a name='queries-using-azure-ad-authentication-fails-after-1-hour'></a> -SQL connections using Azure AD authentication that remain active for more than 1 hour will start to fail. This includes querying storage using Azure AD pass-through authentication and statements that interact with Azure AD, like CREATE EXTERNAL PROVIDER. This affects every tool that keeps connections active, like query editor in SSMS and ADS. Tools that open new connection to execute queries aren't affected, like Synapse Studio. 
+### Queries using Microsoft Entra authentication fails after 1 hour ++SQL connections using Microsoft Entra authentication that remain active for more than 1 hour will start to fail. This includes querying storage using Microsoft Entra pass-through authentication and statements that interact with Microsoft Entra ID, like CREATE EXTERNAL PROVIDER. This affects every tool that keeps connections active, like query editor in SSMS and ADS. Tools that open new connection to execute queries aren't affected, like Synapse Studio. **Status**: Resolved |
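Review bot: the new heading `### Queries using Microsoft Entra authentication fails after 1 hour` and the matching table link keep the subject-verb disagreement of the old heading ("Queries ... fails"); since both lines are rewritten anyway, make it "fail", and change "Tools that open new connection to execute queries" to "a new connection". Keeping `<a name='queries-using-azure-ad-authentication-fails-after-1-hour'></a>` so the table's existing `#queries-using-azure-ad-authentication-fails-after-1-hour` link still resolves is the right approach; the other renamed pages in this batch should do the same wherever a heading containing "azure-ad" is an existing link target.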
synapse-analytics | Quickstart Integrate Azure Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/machine-learning/quickstart-integrate-azure-machine-learning.md | This step will create a new Service Principal. If you want to use an existing Se 1. Open Azure portal. -1. Go to **Azure Active Directory** -> **App registrations**. +1. Go to **Microsoft Entra ID** -> **App registrations**. 1. Click **New registration**. Then, follow instructions to register a new application. |
synapse-analytics | What Is Machine Learning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/machine-learning/what-is-machine-learning.md | In addition to MLlib, popular libraries such as [Scikit Learn](https://scikit-le ### Train models with Azure Machine Learning automated ML -Another way to train machine learning models, that does not require much prior familiarity with machine learning, is to use automated ML. [Automated ML](../../machine-learning/concept-automated-ml.md) is a feature that automatically trains a set of machine learning models and allows the user to select the best model based on specific metrics. Thanks to a seamless integration with Azure Machine Learning from Azure Synapse Notebooks, users can easily leverage automated ML in Synapse with passthrough Azure Active Directory authentication. This means that you only need to point to your Azure Machine Learning workspace and do not need to enter any credentials. The tutorial, [Train a model in Python with automated machine learning](../spark/apache-spark-azure-machine-learning-tutorial.md), describes how to train models using Azure Machine Learning automated ML on Synapse Spark Pools. +Another way to train machine learning models, that does not require much prior familiarity with machine learning, is to use automated ML. [Automated ML](../../machine-learning/concept-automated-ml.md) is a feature that automatically trains a set of machine learning models and allows the user to select the best model based on specific metrics. Thanks to a seamless integration with Azure Machine Learning from Azure Synapse Notebooks, users can easily leverage automated ML in Synapse with passthrough Microsoft Entra authentication. This means that you only need to point to your Azure Machine Learning workspace and do not need to enter any credentials. 
The tutorial, [Train a model in Python with automated machine learning](../spark/apache-spark-azure-machine-learning-tutorial.md), describes how to train models using Azure Machine Learning automated ML on Synapse Spark Pools. ## Model deployment and scoring SynapseML (previously known as MMLSpark), is an open-source library that simplif * [Get started with Azure Synapse Analytics](../get-started.md) * [Create a workspace](../get-started-create-workspace.md) * [Quickstart: Create a new Azure Machine Learning linked service in Synapse](quickstart-integrate-azure-machine-learning.md)-* [Tutorial: Machine learning model scoring wizard - dedicated SQL pool](tutorial-sql-pool-model-scoring-wizard.md) +* [Tutorial: Machine learning model scoring wizard - dedicated SQL pool](tutorial-sql-pool-model-scoring-wizard.md) |
synapse-analytics | Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/metadata/database.md | The Spark `default` database is available in the serverless SQL pool context as Tables in the lake databases cannot be modified from a serverless SQL pool. Use the [Database designer](../database-designer/modify-lake-database.md) or Apache Spark pools to modify a lake database. The serverless SQL pool enables you to make the following changes in a lake database using Transact-SQL commands: - Adding, altering, and dropping views, procedures, inline table-value functions in a lake database.-- Adding and removing database-scoped Azure AD users.-- Add or remove Azure AD database users to the **db_datareader** role. Azure AD database users in the **db_datareader** role have permission to read all tables in the lake database, but cannot read data from other databases.+- Adding and removing database-scoped Microsoft Entra users. +- Add or remove Microsoft Entra database users to the **db_datareader** role. Microsoft Entra database users in the **db_datareader** role have permission to read all tables in the lake database, but cannot read data from other databases. ## Security model The lake databases and tables are secured at two levels: -- The underlying storage layer by assigning to Azure AD users one of the following: +- The underlying storage layer by assigning to Microsoft Entra users one of the following: - Azure role-based access control (Azure RBAC) - Azure attribute-based access control (Azure ABAC) role - ACL permissions-- The SQL layer where you can define an Azure AD user and grant SQL permissions to SELECT data from tables referencing the lake data.+- The SQL layer where you can define a Microsoft Entra user and grant SQL permissions to SELECT data from tables referencing the lake data. ## Lake security model -Access to lake database files is controlled using the lake permissions on storage layer. 
Only Azure AD users can use tables in the lake databases, and they can access the data in the lake using their own identities. +Access to lake database files is controlled using the lake permissions on storage layer. Only Microsoft Entra users can use tables in the lake databases, and they can access the data in the lake using their own identities. -You can grant access to the underlying data used for external tables to a security principal, such as: a user, an Azure AD application with [assigned service principal](../../active-directory/develop/howto-create-service-principal-portal.md), or a security group. For data access, grant both of the following permissions: +You can grant access to the underlying data used for external tables to a security principal, such as: a user, a Microsoft Entra application with [assigned service principal](../../active-directory/develop/howto-create-service-principal-portal.md), or a security group. For data access, grant both of the following permissions: - Grant `read (R)` permission on files (such as the table's underlying data files). - Grant `execute (X)` permission on the folder where the files are stored and on every parent folder up to the root. You can read more about these permissions on [Access control lists(ACLs)](../../storage/blobs/data-lake-storage-access-control.md) page. The Azure Synapse workspace provides a T-SQL endpoint that enables you to query - Administrators: Assign the **Synapse SQL Administrator** workspace role or **sysadmin** server-level role inside the serverless SQL pool. This role has full control over all databases. The **Synapse Administrator** and **Synapse SQL Administrator** roles also have all permissions on all objects in a serverless SQL pool, by default. - Workspace readers: Grant the server-level permissions **GRANT CONNECT ANY DATABASE** and **GRANT SELECT ALL USER SECURABLES** on serverless SQL pool to a login that will enable the login to access and read any database. 
This might be a good choice for assigning reader/non-admin access to a user.-- Database readers: Create database users from Azure AD in your lake database and add them to **db_datareader** role, which will enable them to read data in the lake database.+- Database readers: Create database users from Microsoft Entra ID in your lake database and add them to **db_datareader** role, which will enable them to read data in the lake database. Learn more about [setting access control on shared databases here](../sql/shared-databases-access-control.md). Lake databases allow creation of custom T-SQL objects, such as schemas, procedur ### Create SQL database reader in lake database -In this example, we are adding an Azure AD user in the lake database who can read data via shared tables. The users are added in the lake database via the serverless SQL pool. Then, assign the user to the **db_datareader** role so they can read data. +In this example, we are adding a Microsoft Entra user in the lake database who can read data via shared tables. The users are added in the lake database via the serverless SQL pool. Then, assign the user to the **db_datareader** role so they can read data. ```sql CREATE USER [customuser@contoso.com] FROM EXTERNAL PROVIDER; |
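Review bot: in the "Lake security model" hunk, "controlled using the lake permissions on storage layer" should read "at the storage layer", and the paragraph should state the consequence of the two-level model described just above it: because Microsoft Entra users reach lake data with their own identities, adding a user to **db_datareader** through the serverless SQL pool grants SELECT on the tables but does not by itself grant access to the underlying files, which still requires the Azure RBAC/ABAC or ACL grants listed below (`read (R)` on the files and `execute (X)` on every folder up to the root). Saying this explicitly next to the "Create SQL database reader in lake database" example would stop readers from expecting `CREATE USER ... FROM EXTERNAL PROVIDER` plus the db_datareader role to be sufficient on their own.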
synapse-analytics | 3 Security Access Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/migration-guides/netezza/3-security-access-operations.md | Azure Synapse supports two basic options for connection and authorization: - **SQL authentication**: SQL authentication is via a database connection that includes a database identifier, user ID, and password plus other optional parameters. This is functionally equivalent to Netezza local connections. -- **Azure Active Directory (Azure AD) authentication**: with Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage Azure Synapse users and simplifies permission management. Azure AD can also support connections to LDAP and Kerberos services—for example, Azure AD can be used to connect to existing LDAP directories if these are to remain in place after migration of the database.+- **Microsoft Entra authentication**: with Microsoft Entra authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage Azure Synapse users and simplifies permission management. Microsoft Entra ID can also support connections to LDAP and Kerberos services—for example, Microsoft Entra ID can be used to connect to existing LDAP directories if these are to remain in place after migration of the database. ### Users, roles, and permissions |
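Review bot: the added bullet keeps the claim that "Microsoft Entra ID can also support connections to LDAP and Kerberos services" and "can be used to connect to existing LDAP directories" without a link to the feature that provides that integration, and the same claim appears in the Oracle and Teradata guides in this batch with different wording ("Microsoft Entra authentication supports connections to LDAP and Kerberos services"). Pick one wording for all three migration guides and cite the documentation for the LDAP/Kerberos path, or drop the example, since a migration reader will otherwise plan a directory integration on the strength of this sentence alone.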
synapse-analytics | 3 Security Access Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/migration-guides/oracle/3-security-access-operations.md | Azure Synapse supports two basic options for connection and authorization: - **SQL authentication**: SQL authentication uses a database connection that includes a database identifier, user ID, and password, plus other optional parameters. This method of authentication is functionally equivalent to Oracle [database authentication](#oracle-authorization-options). -- **Azure AD authentication**: with Azure AD authentication, you can centrally manage the identities of database users and Microsoft services in one location. Centralized management provides a single place to manage Azure Synapse users and simplifies permission management. Azure AD authentication supports connections to LDAP and Kerberos services. For example, you can use Azure AD authentication to connect to existing LDAP directories if they're to remain in place after migration of the database.+- **Microsoft Entra authentication**: with Microsoft Entra authentication, you can centrally manage the identities of database users and Microsoft services in one location. Centralized management provides a single place to manage Azure Synapse users and simplifies permission management. Microsoft Entra authentication supports connections to LDAP and Kerberos services. For example, you can use Microsoft Entra authentication to connect to existing LDAP directories if they're to remain in place after migration of the database. ### Users, roles, and permissions If you increase DWUs, the number of compute nodes increase, which adds more comp ## Next steps -To learn more about visualization and reporting, see the next article in this series: [Visualization and reporting for Oracle migrations](4-visualization-reporting.md). 
+To learn more about visualization and reporting, see the next article in this series: [Visualization and reporting for Oracle migrations](4-visualization-reporting.md). |
synapse-analytics | 3 Security Access Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/migration-guides/teradata/3-security-access-operations.md | Azure Synapse supports two basic options for connection and authorization: - **SQL authentication**: SQL authentication is via a database connection that includes a database identifier, user ID, and password plus other optional parameters. This is functionally equivalent to Teradata TD1, TD2 and default connections. -- **Azure Active Directory (Azure AD) authentication**: with Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage SQL Data Warehouse users and simplifies permission management. Azure AD can also support connections to LDAP and Kerberos services—for example, Azure AD can be used to connect to existing LDAP directories if these are to remain in place after migration of the database.+- **Microsoft Entra authentication**: with Microsoft Entra authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage SQL Data Warehouse users and simplifies permission management. Microsoft Entra ID can also support connections to LDAP and Kerberos services—for example, Microsoft Entra ID can be used to connect to existing LDAP directories if these are to remain in place after migration of the database. ### Users, roles, and permissions Adding more compute nodes adds more compute power and ability to leverage more p ## Next steps -To learn more about visualization and reporting, see the next article in this series: [Visualization and reporting for Teradata migrations](4-visualization-reporting.md). 
+To learn more about visualization and reporting, see the next article in this series: [Visualization and reporting for Teradata migrations](4-visualization-reporting.md). |
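Review bot: the Teradata bullet replaces "Azure AD" but leaves "Central ID management provides a single place to manage SQL Data Warehouse users", whereas the same sentence in the Netezza and Oracle hunks says "Azure Synapse users"; since the line is being edited, update the product name as well. The "Next steps" hunks in this file and in the Oracle guide show identical removed and added lines for "To learn more about visualization and reporting, see the next article in this series", which points to a whitespace-only change; if that is intended, fine, otherwise drop it so the diff contains only the rename.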
synapse-analytics | Quickstart Connect Azure Data Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/quickstart-connect-azure-data-explorer.md | This article describes how to access an Azure Data Explorer database from Synaps * [Create an Azure Data Explorer cluster and database](/azure/data-explorer/create-cluster-database-portal). * Have an existing Azure Synapse Analytics workspace, or create a new workspace by following the steps in [Quickstart: Create an Azure Synapse workspace](./quickstart-create-workspace.md). * Have an existing Apache Spark pool, or create a new pool by following the steps in [Quickstart: Create an Apache Spark pool using the Azure portal](./quickstart-create-apache-spark-pool-portal.md).-* [Create an Azure Active Directory (Azure AD) app by provisioning an Azure AD application](/azure/data-explorer/kusto/management/access-control/how-to-provision-aad-app). -* Grant your Azure AD app access to your database by following the steps in [Manage Azure Data Explorer database permissions](/azure/data-explorer/manage-database-permissions). +* [Create a Microsoft Entra app by provisioning a Microsoft Entra application](/azure/data-explorer/kusto/management/access-control/how-to-provision-aad-app). +* Grant your Microsoft Entra app access to your database by following the steps in [Manage Azure Data Explorer database permissions](/azure/data-explorer/manage-database-permissions). ## Go to Synapse Studio From the Data Object Explorer, follow these steps to directly connect an Azure D 1. Before you can interact with the linked service from a notebook, it must be published to the Workspace. Click **Publish** in the toolbar, review the pending changes and click **OK**. > [!NOTE]- > In the current release, the database objects are populated based on your Azure AD account permissions on the Azure Data Explorer databases. 
When you run the Apache Spark notebooks or integration jobs, the credential in the link service will be used (for example, service principal). + > In the current release, the database objects are populated based on your Microsoft Entra account permissions on the Azure Data Explorer databases. When you run the Apache Spark notebooks or integration jobs, the credential in the link service will be used (for example, service principal). ## Quickly interact with code-generated actions |
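Review bot: the rewritten NOTE describes two different identities without saying so: the Data Object Explorer populates databases from your Microsoft Entra account permissions, but notebooks and integration jobs run with the linked service credential (for example, the service principal from the prerequisites). Suggest adding one sentence that the two permission sets can differ, so a database visible in the explorer may still fail at run time, or be queryable at run time while hidden in the explorer, and that the service principal should be granted only the database permissions the jobs need, per the "Manage Azure Data Explorer database permissions" link in the prerequisites.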
synapse-analytics | Quickstart Create Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/quickstart-create-workspace.md | This quickstart describes the steps to create an Azure Synapse workspace by usin 1. Select **Review + create** > **Create**. Your workspace is ready in a few minutes. > [!NOTE]-> After creating your Azure Synapse workspace, you will not be able to move the workspace to another Azure Active Directory tenant. If you do so through subscription migration or other actions, you may lose access to the artifacts within the workspace. +> After creating your Azure Synapse workspace, you will not be able to move the workspace to another Microsoft Entra tenant. If you do so through subscription migration or other actions, you may lose access to the artifacts within the workspace. ## Open Synapse Studio Managed identities for your Azure Synapse workspace might already have access to * [Create a dedicated SQL pool](quickstart-create-sql-pool-studio.md) * [Create a serverless Apache Spark pool](quickstart-create-apache-spark-pool-portal.md)-* [Use serverless SQL pool](quickstart-sql-on-demand.md) +* [Use serverless SQL pool](quickstart-sql-on-demand.md) |
synapse-analytics | Quickstart Load Studio Sql Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/quickstart-load-studio-sql-pool.md | You can bulk load data by right-clicking the following area within Synapse Studi ## Prerequisites -- The wizard generates a COPY statement, which uses Azure Active Directory (Azure AD) pass-through for authentication. Your [Azure AD user must have access](./sql-data-warehouse/quickstart-bulk-load-copy-tsql-examples.md#d-azure-active-directory-authentication) to the workspace with at least the Storage Blob Data Contributor Azure role for the Azure Data Lake Storage Gen2 account. +- The wizard generates a COPY statement, which uses Microsoft Entra pass-through for authentication. Your [Microsoft Entra user must have access](./sql-data-warehouse/quickstart-bulk-load-copy-tsql-examples.md#d-azure-active-directory-authentication) to the workspace with at least the Storage Blob Data Contributor Azure role for the Azure Data Lake Storage Gen2 account. - You must have the required [permissions to use the COPY statement](/sql/t-sql/statements/copy-into-transact-sql?view=azure-sqldw-latest&preserve-view=true#permissions) and Create Table permissions if you're creating a new table to load to. |
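Review bot: the rewritten prerequisite keeps the fragment `#d-azure-active-directory-authentication` in the link to quickstart-bulk-load-copy-tsql-examples.md while changing the link text to "Microsoft Entra user must have access"; if that page's section heading is renamed in the same pass, the fragment breaks unless the target keeps an `<a name>` anchor for the old heading, as known-issues.md does elsewhere in this batch. Please verify the target heading or add the anchor there.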
synapse-analytics | How To Create A Workspace With Data Exfiltration Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection.md | -This article describes how to create a workspace with data exfiltration protection enabled and how to manage the approved Azure AD tenants for this workspace. +This article describes how to create a workspace with data exfiltration protection enabled and how to manage the approved Microsoft Entra tenants for this workspace. > [!Note] > You cannot change the workspace configuration for managed virtual network and data exfiltration protection after the workspace is created. Follow the steps listed in [Quickstart: Create a Synapse workspace](../quickstar ## Add data exfiltration protection when creating your workspace 1. On the Networking tab, select the ΓÇ£Enable managed virtual networkΓÇ¥ checkbox. 1. Select ΓÇ£YesΓÇ¥ for the ΓÇ£Allow outbound data traffic only to approved targetsΓÇ¥ option.-1. Choose the approved Azure AD tenants for this workspace. +1. Choose the approved Microsoft Entra tenants for this workspace. 1. Review the configuration and create the workspace. :::image type="content" source="./media/how-to-create-a-workspace-with-data-exfiltration-protection/workspace-creation-data-exfiltration-protection.png" alt-text="Screenshot that shows a Create Synapse workspace with 'Enable manage virtual network' selected."::: -## Manage approved Azure Active Directory tenants for the workspace -1. From the workspaceΓÇÖs Azure portal, navigate to ΓÇ£Approved Azure AD tenantsΓÇ¥. The list of approved Azure AD tenants for the workspace will be listed here. The workspaceΓÇÖs tenant is included by default and is not listed. +<a name='manage-approved-azure-active-directory-tenants-for-the-workspace'></a> ++## Manage approved Microsoft Entra tenants for the workspace +1. 
From the workspaceΓÇÖs Azure portal, navigate to ΓÇ£Approved Microsoft Entra tenantsΓÇ¥. The list of approved Microsoft Entra tenants for the workspace will be listed here. The workspaceΓÇÖs tenant is included by default and is not listed. 1. Use ΓÇ£+AddΓÇ¥ to include new tenants to the approved list.-1. To remove an Azure AD tenant from the approved list, select the tenant and select on ΓÇ£DeleteΓÇ¥ and then ΓÇ£SaveΓÇ¥. +1. To remove a Microsoft Entra tenant from the approved list, select the tenant and select on ΓÇ£DeleteΓÇ¥ and then ΓÇ£SaveΓÇ¥. :::image type="content" source="./media/how-to-create-a-workspace-with-data-exfiltration-protection/workspace-manage-aad-tenant-list.png" alt-text="Create a workspace with data exfiltration protection"::: -## Connecting to Azure resources in approved Azure AD tenants +<a name='connecting-to-azure-resources-in-approved-azure-ad-tenants'></a> ++## Connecting to Azure resources in approved Microsoft Entra tenants -You can create managed private endpoints to connect to Azure resources that reside in Azure AD tenants, which are approved for a workspace. Follow the steps listed in the guide for [creating managed private endpoints](./how-to-create-managed-private-endpoints.md). +You can create managed private endpoints to connect to Azure resources that reside in Microsoft Entra tenants, which are approved for a workspace. Follow the steps listed in the guide for [creating managed private endpoints](./how-to-create-managed-private-endpoints.md). > [!IMPORTANT] > Resources in tenants other than the workspace's tenant must not have blocking firewall rules in place for the SQL pools to connect to them. Resources within the workspaceΓÇÖs managed virtual network, such as Spark clusters, can connect over managed private links to firewall-protected resources. |
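Review bot: in the "Manage approved Microsoft Entra tenants for the workspace" hunk, "Use '+Add' to include new tenants to the approved list" and "select the tenant and select on 'Delete' and then 'Save'" read awkwardly; since the lines are being rewritten, use "to add new tenants to the approved list" and "select the tenant, select 'Delete', and then 'Save'". The section would also benefit from stating what happens to managed private endpoints that already point into a tenant once that tenant is removed from the approved list, since the following section only covers creating endpoints to resources in approved tenants.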
synapse-analytics | How To Manage Synapse Rbac Role Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md | Title: How to manage Azure Synapse RBAC assignments in Synapse Studio -description: This article describes how to assign and revoke Azure Synapse RBAC roles to Azure AD security principals +description: This article describes how to assign and revoke Azure Synapse RBAC roles to Microsoft Entra security principals This article shows how to add and delete Synapse RBAC role assignments. >[!important] >- Changes made to Synapse RBAC role assignments may take 2-5 minutes to take effect. ->- If you are managing Synapse RBAC permissions by modifying membership of security groups, then changes to membership are managed using Azure Active Directory. Changes to group memberships may take 10-15 minutes or longer to take effect. +>- If you are managing Synapse RBAC permissions by modifying membership of security groups, then changes to membership are managed using Microsoft Entra ID. Changes to group memberships may take 10-15 minutes or longer to take effect. ## Open Synapse Studio Remember that changes to role assignments will take 2-5 minutes to take effect. ## Next steps -[Understand the Synapse RBAC roles required to perform common tasks](./synapse-workspace-understand-what-role-you-need.md) +[Understand the Synapse RBAC roles required to perform common tasks](./synapse-workspace-understand-what-role-you-need.md) |
synapse-analytics | How To Review Synapse Rbac Role Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/how-to-review-synapse-rbac-role-assignments.md | You can filter the list by principal name or email, and selectively filter the o >If you are directly or indirectly a member of a group that is assigned roles, you may have permissions that are not shown. >[!tip]->You can find your group memberships using Azure Active Directory in the Azure portal. +>You can find your group memberships using Microsoft Entra ID in the Azure portal. If you create a new workspace, you and the workspace MSI service principal are automatically given the Synapse Administrator role at workspace scope. If you create a new workspace, you and the workspace MSI service principal are a Learn [how to manage Synapse RBAC role assignments](./how-to-manage-synapse-rbac-role-assignments.md). -Learn [which role you need to do specific tasks](./synapse-workspace-understand-what-role-you-need.md) +Learn [which role you need to do specific tasks](./synapse-workspace-understand-what-role-you-need.md) |
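Review bot: the final "Learn [which role you need to do specific tasks]" hunk in this row, like the final "Next steps" hunk in the preceding "How To Manage Synapse Rbac Role Assignments" row, removes and re-adds a link line with no visible text difference, so it is a whitespace-only edit (most likely a stripped trailing space); harmless, but it should not be read as a content change. The tip hunk's "Microsoft Entra ID in the Azure portal" correctly uses the service name for the place where group memberships are viewed.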
synapse-analytics | How To Set Up Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/how-to-set-up-access-control.md | The `workspace1_SQLAdmins` group to configure SQL permissions when you create SQ These five groups are sufficient for a basic setup. Later, you can add security groups to handle users who need more specialized access or restrict access to individual resources only. > [!NOTE]->- Learn how to create a security group in [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). ->- Learn how to add a security group from another security group in [Add or remove a group from another group using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-membership-azure-portal.md). +>- Learn how to create a security group in [Create a basic group and add members using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). +>- Learn how to add a security group from another security group in [Add or remove a group from another group using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-membership-azure-portal.md). >- When creating a security group make sure that the **Group Type** is **Security**. Microsoft 365 groups are not supported for Azure SQL. >[!Tip]->Individual Synapse users can use Azure Active Directory in the Azure portal to view their group memberships. This allows them to determine which roles they've been granted. +>Individual Synapse users can use Microsoft Entra ID in the Azure portal to view their group memberships. This allows them to determine which roles they've been granted. 
## Step 2: Prepare your ADLS Gen2 storage account The *workspace creator* is automatically assigned as *SQL Active Directory Admin - Open Azure portal - Navigate to `workspace1`-- Under **Settings**, select **Azure Active Directory**+- Under **Settings**, select **Microsoft Entra ID** - Select **Set admin** and choose **`workspace1_SQLAdmins`** >[!Note] This guide has focused on setting up a basic access control system. You can supp **Restrict operators from accessing code artifacts**. Create security groups for operators who need to monitor operational status of Synapse compute resources and view logs but who don't need access to code or to publish updates to the service. Assign these groups the Compute Operator role scoped to specific Spark pools and Integration runtimes. -**Disable local authentication**. By allowing only Azure Active Directory authentication, you can centrally manage access to Azure Synapse resources, such as SQL pools. Local authentication for all resources within the workspace can be disabled during or after workspace creation. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). +**Disable local authentication**. By allowing only Microsoft Entra authentication, you can centrally manage access to Azure Synapse resources, such as SQL pools. Local authentication for all resources within the workspace can be disabled during or after workspace creation. For more information on Microsoft Entra-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). ## Next steps |
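Review bot: in the "Under **Settings**, select **Microsoft Entra ID**" step, confirm that the menu entry on the Synapse workspace blade was actually renamed; the unchanged context on the same line still calls the role *SQL Active Directory Admin*, so if the portal label or the admin role name has not changed, the step will no longer match what users see. The "Disable local authentication" hunk is consistent in its own terms ("Microsoft Entra authentication" for the mode, "Microsoft Entra-only authentication" for the setting).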
synapse-analytics | Synapse Private Link Hubs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/synapse-private-link-hubs.md | You can securely connect to Azure Synapse Studio from your Azure virtual networ There are two steps to connect to Synapse Studio using private links. First, you must create a private link hubs resource. Second, you must create a private endpoint from your Azure virtual network to this private link hub. You can then use private endpoints to securely communicate with Synapse Studio. You must integrate the private endpoints with your DNS solution, either your on-premises solution or Azure Private DNS. ## Azure Private Links Hubs and Azure Synapse Studio-You can use a single Azure Synapse private link hub resource to privately connect to all your Azure Synapse Analytics workspaces using Azure Synapse Studio. The workspaces do not have to be in the same region as the Azure Synapse Private link hub. The Azure Synapse Private link hub resource can also be used for connections to Synapse workspaces in different subscriptions or Azure AD tenants. +You can use a single Azure Synapse private link hub resource to privately connect to all your Azure Synapse Analytics workspaces using Azure Synapse Studio. The workspaces do not have to be in the same region as the Azure Synapse Private link hub. The Azure Synapse Private link hub resource can also be used for connections to Synapse workspaces in different subscriptions or Microsoft Entra tenants. You can create your private link hub by searching for *Synapse private link hubs* in the Azure portal and selecting **Azure Synapse Analytics (private link hubs)** from Services. Follow the steps in the guide for how to [connect to workspace resources from a restricted network](./how-to-connect-to-workspace-from-restricted-network.md) for details. Certain URLs must be accessible from the client browser after enabling Azure Synapse private link hub. 
For more information, see [Connect to workspace resources from a restricted network](how-to-connect-to-workspace-from-restricted-network.md). Learn more about [Managed private endpoints](./synapse-workspace-managed-private [Create Managed private endpoints to your data sources](./how-to-create-managed-private-endpoints.md) [Connect to Synapse workspace using private endpoints](./how-to-connect-to-workspace-with-private-links.md)- |
synapse-analytics | Synapse Workspace Access Control Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/synapse-workspace-access-control-overview.md | Azure roles are used to control management of: To *create* these resources, you need to be an Azure Owner or Contributor on the resource group. To *manage* them once created, you need to be an Azure Owner or Contributor on either the resource group or the individual resources. -An Azure Owner or Contributor can enable or disable Azure AD-only authentication for Azure Synapse workspaces. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). +An Azure Owner or Contributor can enable or disable Microsoft Entra-only authentication for Azure Synapse workspaces. For more information on Microsoft Entra-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). ### Develop and execute code in Azure Synapse Synapse supports two development models. Serverless SQL pools and Apache Spark tables store their data in an ADLS Gen2 co To simplify managing access control, you can use security groups to assign roles to individuals and groups. Security groups can be created to mirror personas or job functions in your organization that need access to Synapse resources or artifacts. These persona-based security groups can then be assigned one or more Azure roles, Synapse roles, SQL permissions, or Git permissions. With well-chosen security groups, it's easy to assign a user the required permissions by adding them to the appropriate security group. >[!Note]->If using security groups to manage access, there is additional latency introduced by Azure Active Directory before changes take effect. 
+>If using security groups to manage access, there is additional latency introduced by Microsoft Entra ID before changes take effect. ## Access control enforcement in Synapse Studio |
synapse-analytics | Workspace Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/workspace-conditional-access.md | -You can now configure conditional access policies for Azure Synapse workspaces. Conditional access is a tool provided by Azure Active Directory to bring several signals such as device type and device IP location together to make decisions to grant access, block access, or enforce multi-factor authentication for a resource. Conditional access policies are configured in Azure Active Directory. Learn more about [conditional access](../../active-directory/conditional-access/overview.md). +You can now configure conditional access policies for Azure Synapse workspaces. Conditional access is a tool provided by Microsoft Entra ID to bring several signals such as device type and device IP location together to make decisions to grant access, block access, or enforce multi-factor authentication for a resource. Conditional access policies are configured in Microsoft Entra ID. Learn more about [conditional access](../../active-directory/conditional-access/overview.md). ## Configure conditional access The following steps show how to configure a conditional access policy for Azure Synapse workspaces. -1. Sign in to the Azure portal using an account with *global administrator permissions*, select **Azure Active Directory**, choose **Security** from the menu. +1. Sign in to the Azure portal using an account with *global administrator permissions*, select **Microsoft Entra ID**, choose **Security** from the menu. 2. Select **Conditional Access**, then choose **+ New Policy**, and provide a name for the policy.-3. Under **Assignments**, select **Users and groups**, check the **Select users and groups** option, and then select an Azure AD user or group for Conditional access. Click Select, and then click Done. +3. 
Under **Assignments**, select **Users and groups**, check the **Select users and groups** option, and then select a Microsoft Entra user or group for Conditional access. Click Select, and then click Done. 4. Select **Cloud apps**, click **Select apps**. Select **Microsoft Azure Synapse Gateway**. Then click Select and Done. 5. Under **Access Controls**, select **Grant** and then check the policy you want to apply, and select Done. 6. Set the **Enable policy** toggle to **On**, then select Create. The following steps show how to configure a conditional access policy for Azure ## Next steps Learn more about conditional access policies and their components. - [Common conditional access policies](../../active-directory/conditional-access/concept-conditional-access-policy-common.md)-- [Building a conditional access policy](../../active-directory/conditional-access/concept-conditional-access-policies.md)+- [Building a conditional access policy](../../active-directory/conditional-access/concept-conditional-access-policies.md) |
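Review bot: step 3 keeps "Click Select, and then click Done" (and step 4 "click **Select apps**") while steps 1, 5 and 6 use "select"; since step 3 is already being rewritten for the Microsoft Entra rename, switch it to "select" so the procedure uses one verb. The renamed portal entry **Microsoft Entra ID** in step 1 matches the current Azure portal service name, and the trailing `-`/`+` pair on the last "Next steps" bullet is a whitespace-only change.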
synapse-analytics | Workspace Data Exfiltration Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/workspace-data-exfiltration-protection.md | At the time of workspace creation, you can choose to configure the workspace wit > You cannot change the workspace configuration for managed virtual network and data exfiltration protection after the workspace is created. ## Managing Synapse workspace data egress to approved targets-After the workspace is created with data exfiltration protection enabled, the owners of the workspace resource can manage the list of approved Azure AD tenants for the workspace. Users with the [right permissions](./synapse-workspace-access-control-overview.md) on the workspace can use the Synapse Studio to create managed private endpoint connection requests to resources in the workspaceΓÇÖs approved Azure AD tenants. Managed private endpoint creation will be blocked if the user attempts to create a private endpoint connection to a resource in an unapproved tenant. +After the workspace is created with data exfiltration protection enabled, the owners of the workspace resource can manage the list of approved Microsoft Entra tenants for the workspace. Users with the [right permissions](./synapse-workspace-access-control-overview.md) on the workspace can use the Synapse Studio to create managed private endpoint connection requests to resources in the workspaceΓÇÖs approved Microsoft Entra tenants. Managed private endpoint creation will be blocked if the user attempts to create a private endpoint connection to a resource in an unapproved tenant. ## Sample workspace with data exfiltration protection enabled-Let us use an example to illustrate data exfiltration protection for Synapse workspaces. Contoso has Azure resources in Tenant A and Tenant B and there is a need for these resources to connect securely. 
A Synapse workspace has been created in Tenant A with Tenant B added as an approved Azure AD tenant. The diagram shows private endpoint connections to Azure Storage accounts in Tenant A and Tenant B that have been approved by the Storage account owners. The diagram also shows blocked private endpoint creation. The creation of this private endpoint was blocked as it targeted an Azure Storage account in the Fabrikam Azure AD tenant, which is not an approved Azure AD tenant for ContosoΓÇÖs workspace. +Let us use an example to illustrate data exfiltration protection for Synapse workspaces. Contoso has Azure resources in Tenant A and Tenant B and there is a need for these resources to connect securely. A Synapse workspace has been created in Tenant A with Tenant B added as an approved Microsoft Entra tenant. The diagram shows private endpoint connections to Azure Storage accounts in Tenant A and Tenant B that have been approved by the Storage account owners. The diagram also shows blocked private endpoint creation. The creation of this private endpoint was blocked as it targeted an Azure Storage account in the Fabrikam Microsoft Entra tenant, which is not an approved Microsoft Entra tenant for ContosoΓÇÖs workspace. :::image type="content" source="media/workspace-data-exfiltration-protection/workspace-data-exfiltration-protection-diagram.png" alt-text="This diagram shows how data exfiltration protection is implemented for Synapse workspaces" lightbox="./media/workspace-data-exfiltration-protection/workspace-data-exfiltration-protection-diagram.png"::: |
synapse-analytics | Apache Spark Azure Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/apache-spark-azure-log-analytics.md | Users can query to evaluate metrics and logs at a set frequency, and fire an ale After the Synapse workspace is created with [data exfiltration protection](../security/workspace-data-exfiltration-protection.md) enabled. -When you want to enable this feature, you need to create managed private endpoint connection requests to [Azure Monitor private link scopes (A M P L S)](../../azure-monitor/logs/private-link-security.md) in the workspaceΓÇÖs approved Azure AD tenants. +When you want to enable this feature, you need to create managed private endpoint connection requests to [Azure Monitor private link scopes (A M P L S)](../../azure-monitor/logs/private-link-security.md) in the workspaceΓÇÖs approved Microsoft Entra tenants. You can follow below steps to create a managed private endpoint connection to Azure Monitor private link scopes (A M P L S): |
synapse-analytics | Apache Spark Secure Credentials With Tokenlibrary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary.md | zone_pivot_groups: programming-languages-spark-all-minus-sql-r Accessing data from external sources is a common pattern. Unless the external data source allows anonymous access, chances are you need to secure your connection with a credential, secret, or connection string. -Azure Synapse Analytics uses Azure Active Directory (Azure AD) passthrough by default for authentication between resources. If you need to connect to a resource using other credentials, use the mssparkutils directly. The mssparkutils simplifies the process of retrieving SAS tokens, Azure AD tokens, connection strings, and secrets stored in a linked service or from an Azure Key Vault. +Azure Synapse Analytics uses Microsoft Entra passthrough by default for authentication between resources. If you need to connect to a resource using other credentials, use the mssparkutils directly. The mssparkutils simplifies the process of retrieving SAS tokens, Microsoft Entra tokens, connection strings, and secrets stored in a linked service or from an Azure Key Vault. -Azure AD passthrough uses permissions assigned to you as a user in Azure AD, rather than permissions assigned to Synapse or a separate service principal. For example, if you want to use Azure AD passthrough to access a blob in a storage account, then you should go to that storage account and assign blob contributor role to yourself. +Microsoft Entra passthrough uses permissions assigned to you as a user in Microsoft Entra ID, rather than permissions assigned to Synapse or a separate service principal. For example, if you want to use Microsoft Entra passthrough to access a blob in a storage account, then you should go to that storage account and assign blob contributor role to yourself. 
-When retrieving secrets from Azure Key Vault, we recommend creating a linked service to your Azure Key Vault. Ensure that the Synapse workspace managed service identity (MSI) has Secret Get privileges on your Azure Key Vault. Synapse will authenticate to Azure Key Vault using the Synapse workspace managed service identity. If you connect directly to Azure Key Vault without a linked service, you will authenticate using your user Azure Active Directory credential. +When retrieving secrets from Azure Key Vault, we recommend creating a linked service to your Azure Key Vault. Ensure that the Synapse workspace managed service identity (MSI) has Secret Get privileges on your Azure Key Vault. Synapse will authenticate to Azure Key Vault using the Synapse workspace managed service identity. If you connect directly to Azure Key Vault without a linked service, you will authenticate using your user Microsoft Entra credential. For more information, see [linked services](../../data-factory/concepts-linked-services.md?context=/azure/synapse-analytics/context/context). Get result: #### ADLS Gen2 Primary Storage -Accessing files from the primary Azure Data Lake Storage uses Azure Active Directory passthrough for authentication by default and doesn't require the explicit use of the mssparkutils. The identity used in the passthrough authentication differs based on a few factors. By default, interactive notebooks are executed using the user's identity, but it can be changed to the workspace managed service identity (MSI). Batch jobs and non-interactive executions of the notebook use the Workspace MSI. +Accessing files from the primary Azure Data Lake Storage uses Microsoft Entra passthrough for authentication by default and doesn't require the explicit use of the mssparkutils. The identity used in the passthrough authentication differs based on a few factors. 
By default, interactive notebooks are executed using the user's identity, but it can be changed to the workspace managed service identity (MSI). Batch jobs and non-interactive executions of the notebook use the Workspace MSI. ::: zone pivot = "programming-language-scala" The output will look like #### GetSecret() -To retrieve a secret stored from Azure Key Vault, we recommend that you create a linked service to Azure Key Vault within the Synapse workspace. The Synapse workspace managed service identity will need to be granted **GET** Secrets permission to the Azure Key Vault. The linked service will use the managed service identity to connect to Azure Key Vault service to retrieve the secret. Otherwise, connecting directly to Azure Key Vault will use the user's Azure Active Directory (Azure AD) credential. In this case, the user will need to be granted the Get Secret permissions in Azure Key Vault. +To retrieve a secret stored from Azure Key Vault, we recommend that you create a linked service to Azure Key Vault within the Synapse workspace. The Synapse workspace managed service identity will need to be granted **GET** Secrets permission to the Azure Key Vault. The linked service will use the managed service identity to connect to Azure Key Vault service to retrieve the secret. Otherwise, connecting directly to Azure Key Vault will use the user's Microsoft Entra credential. In this case, the user will need to be granted the Get Secret permissions in Azure Key Vault. In government clouds, please provide the fully qualified domain name of the keyvault. |
synapse-analytics | Connect Monitor Azure Synapse Spark Application Level Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/connect-monitor-azure-synapse-spark-application-level-metrics.md | This tutorial also introduces the Azure Synapse REST metrics APIs. You can fetch ## Use Azure Synapse Prometheus connector for your on-premises Prometheus servers [Azure Synapse Prometheus connector](https://github.com/microsoft/azure-synapse-spark-metrics) is an open-source project. The Synapse Prometheus connector uses a file-based service discovery method to allow you to:+ - Authenticate to Synapse workspace via a Microsoft Entra service principal. - Fetch workspace Apache Spark applications list. - Pull Apache Spark application metrics through Prometheus file-based configuration. Wait for a few seconds and the connector should start working. And you can see t ## Use Azure Synapse Prometheus or REST metrics APIs to collect metrics data ### 1. Authentication-You can use the client credentials flow to get an access token. To access the metrics API, you should get an Azure AD access token for the service principal, which has proper permission to access the APIs. +You can use the client credentials flow to get an access token. To access the metrics API, you should get a Microsoft Entra access token for the service principal, which has proper permission to access the APIs. | Parameter | Required | Description | | - | -- | - | |
synapse-analytics | Apache Spark Cdm Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/data-sources/apache-spark-cdm-connector.md | SAS token credentials are an extra option for authentication to storage accounts ### Options for credential-based access control -As an alternative to using a managed identity or a user identity, you can provide explicit credentials to enable the Spark CDM connector to access data. In Azure Active Directory, [create an app registration](../../../active-directory/develop/quickstart-register-app.md). Then grant this app registration access to the storage account by using either of the following roles: +As an alternative to using a managed identity or a user identity, you can provide explicit credentials to enable the Spark CDM connector to access data. In Microsoft Entra ID, [create an app registration](../../../active-directory/develop/quickstart-register-app.md). Then grant this app registration access to the storage account by using either of the following roles: * Storage Blob Data Contributor to allow the library to write to Common Data Model folders * Storage Blob Data Reader to allow only read permissions After you create permissions, you can pass the app ID, app key, and tenant ID to |-||::| | `appId` | The app registration ID for authentication to the storage account | `<guid>` | | `appKey` | The registered app key or secret | `<encrypted secret>` |-| `tenantId` | The Azure Active Directory tenant ID under which the app is registered | `<guid>` | +| `tenantId` | The Microsoft Entra tenant ID under which the app is registered | `<guid>` | ## Examples |
synapse-analytics | Apache Spark Kusto Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/data-sources/apache-spark-kusto-connector.md | -When using Azure Synapse Notebooks or Apache Spark job definitions, the authentication between systems is made seamless with the linked service. The Token Service connects with Azure Active Directory to obtain security tokens for use when accessing the Kusto cluster. +When using Azure Synapse Notebooks or Apache Spark job definitions, the authentication between systems is made seamless with the linked service. The Token Service connects with Microsoft Entra ID to obtain security tokens for use when accessing the Kusto cluster. For Azure Synapse Pipelines, the authentication uses the service principal name. Currently, managed identities aren't supported with the Azure Data Explorer connector. For Azure Synapse Pipelines, the authentication uses the service principal name. ## Limitations - The Azure Data Explorer linked service can only be configured with the Service Principal Name.- - Within Azure Synapse Notebooks or Apache Spark Job Definitions, the Azure Data Explorer connector uses Azure AD pass-through to connect to the Kusto Cluster. + - Within Azure Synapse Notebooks or Apache Spark Job Definitions, the Azure Data Explorer connector uses Microsoft Entra pass-through to connect to the Kusto Cluster. ## Use the Azure Data Explorer (Kusto) connector |
synapse-analytics | Apache Spark Sql Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/data-sources/apache-spark-sql-connector.md | -Compared to the built-in JDBC connector, this connector provides the ability to bulk insert data into SQL databases. It can outperform row-by-row insertion with 10x to 20x faster performance. The Spark connector for SQL Server and Azure SQL Database also supports Azure Active Directory (Azure AD) [authentication](/sql/connect/spark/connector#azure-active-directory-authentication), enabling you to connect securely to your Azure SQL databases from Azure Synapse Analytics. +Compared to the built-in JDBC connector, this connector provides the ability to bulk insert data into SQL databases. It can outperform row-by-row insertion with 10x to 20x faster performance. The Spark connector for SQL Server and Azure SQL Database also supports Microsoft Entra [authentication](/sql/connect/spark/connector#azure-active-directory-authentication), enabling you to connect securely to your Azure SQL databases from Azure Synapse Analytics. This article covers how to use the DataFrame API to connect to SQL databases using the MS SQL connector. This article provides detailed examples using the PySpark API. For all of the supported arguments and samples for connecting to SQL databases using the MS SQL connector, see [Azure Data SQL samples](https://github.com/microsoft/sql-server-samples#azure-data-sql-samples-repository). password = mssparkutils.credentials.getSecret('azure key vault name','secret nam ``` > [!NOTE]-> Currently, there is no linked service or AAD pass-through support with the Azure SQL connector. +> Currently, there is no linked service or Microsoft Entra pass-through support with the Azure SQL connector. 
## Use the Azure SQL and SQL Server connector except ValueError as error : print("Connector write failed", error) ``` -## Azure Active Directory authentication +<a name='azure-active-directory-authentication'></a> ++## Microsoft Entra authentication ### Python example with service principal ```python |
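Review bot: the intro hunk renames the link text to "Microsoft Entra [authentication]" but keeps the cross-page fragment `#azure-active-directory-authentication`; verify that the target page (/sql/connect/spark/connector) still exposes that anchor after its own rename, otherwise the link will land at the top of the page. This page handles the same problem correctly by adding `<a name='azure-active-directory-authentication'></a>` ahead of the renamed "## Microsoft Entra authentication" heading. The NOTE hunk ("no linked service or Microsoft Entra pass-through support with the Azure SQL connector") is consistent with that heading change.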
synapse-analytics | Microsoft Spark Utilities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/microsoft-spark-utilities.md | Microsoft Spark Utilities (MSSparkUtils) is a builtin package to help you easily ### Configure access to Azure Data Lake Storage Gen2 -Synapse notebooks use Azure Active Directory (Azure AD) pass-through to access the ADLS Gen2 accounts. You need to be a **Storage Blob Data Contributor** to access the ADLS Gen2 account (or folder). +Synapse notebooks use Microsoft Entra pass-through to access the ADLS Gen2 accounts. You need to be a **Storage Blob Data Contributor** to access the ADLS Gen2 account (or folder). Synapse pipelines use workspace's Managed Service Identity (MSI) to access the storage accounts. To use MSSparkUtils in your pipeline activities, your workspace identity needs to be **Storage Blob Data Contributor** to access the ADLS Gen2 account (or folder). -Follow these steps to make sure your Azure AD and workspace MSI have access to the ADLS Gen2 account: +Follow these steps to make sure your Microsoft Entra ID and workspace MSI have access to the ADLS Gen2 account: 1. Open the [Azure portal](https://portal.azure.com/) and the storage account you want to access. You can navigate to the specific container you want to access. Follow these steps to make sure your Azure AD and workspace MSI have access to t | | | | Role | Storage Blob Data Contributor | | Assign access to | USER and MANAGEDIDENTITY |- | Members | your Azure AD account and your workspace identity | + | Members | your Microsoft Entra account and your workspace identity | > [!NOTE] > The managed identity name is also the workspace name. Follow these steps to add an Azure Key Vault as a Synapse linked service: 6. Select **Create** first and click **Publish all** to save your change. -Synapse notebooks use Azure active directory(Azure AD) pass-through to access Azure Key Vault. 
Synapse pipelines use workspace identity(MSI) to access Azure Key Vault. To make sure your code work both in notebook and in Synapse pipeline, we recommend granting secret access permission for both your Azure AD account and workspace identity. +Synapse notebooks use Microsoft Entra pass-through to access Azure Key Vault. Synapse pipelines use workspace identity(MSI) to access Azure Key Vault. To make sure your code work both in notebook and in Synapse pipeline, we recommend granting secret access permission for both your Microsoft Entra account and workspace identity. Follow these steps to grant secret access to your workspace identity: 1. Open the [Azure portal](https://portal.azure.com/) and the Azure Key Vault you want to access. 2. Select the **Access policies** from the left panel. 3. Select **Add Access Policy**: - Choose **Key, Secret, & Certificate Management** as config template.- - Select **your Azure AD account** and **your workspace identity** (same as your workspace name) in the select principal or make sure it is already assigned. + - Select **your Microsoft Entra account** and **your workspace identity** (same as your workspace name) in the select principal or make sure it is already assigned. 4. Select **Select** and **Add**. 5. Select the **Save** button to commit changes. putSecretWithLS(linkedService, secretName, secretValue): puts AKV secret for a g ### Get token -Returns Azure AD token for a given audience, name (optional). The table below list all the available audience types: +Returns Microsoft Entra token for a given audience, name (optional). The table below list all the available audience types: | Audience Type | String literal to be used in API call | |-|| |
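Review bot: the renamed sentence "Follow these steps to make sure your Microsoft Entra ID and workspace MSI have access to the ADLS Gen2 account" now names the directory service where the original named a principal; it should read "your Microsoft Entra account and workspace MSI", which is the wording the same hunk already uses in the Members row ("your Microsoft Entra account and your workspace identity"). Separately, the Key Vault paragraph says the goal is "granting secret access permission", yet step 3 still selects the **Key, Secret, & Certificate Management** template, which grants management rights across keys, secrets and certificates; since the rename touches that list anyway, have the step pick only Get (and List if needed) under Secret permissions so the user account and workspace identity receive no more than the text says they need.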
synapse-analytics | Synapse Spark Sql Pool Import Export | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/spark/synapse-spark-sql-pool-import-export.md | Review and setup following dependent Azure Resources: Connect to the Synapse Dedicated SQL Pool database and run following setup statements: -* Create a database user that is mapped to the Azure Active Directory User Identity used to sign in to the Azure Synapse Workspace. +* Create a database user that is mapped to the Microsoft Entra user Identity used to sign in to the Azure Synapse Workspace. ```sql CREATE USER [username@domain.com] FROM EXTERNAL PROVIDER; Connect to the Synapse Dedicated SQL Pool database and run following setup state ### Authentication -#### Azure Active Directory based authentication +<a name='azure-active-directory-based-authentication'></a> -Azure Active Directory based authentication is an integrated authentication approach. The user is required to successfully sign in to the Azure Synapse Analytics Workspace. +#### Microsoft Entra ID based authentication ++Microsoft Entra ID based authentication is an integrated authentication approach. The user is required to successfully sign in to the Azure Synapse Analytics Workspace. #### Basic authentication To successfully bootstrap and orchestrate the read or write operation, the Conne Following is the list of configuration options based on usage scenario: -* **Read using Azure AD based authentication** +* **Read using Microsoft Entra ID based authentication** * Credentials are auto-mapped, and user isn't required to provide specific configuration options. * Three-part table name argument on `synapsesql` method is required to read from respective table in Azure Synapse Dedicated SQL Pool. * **Read using basic authentication** Following is the list of configuration options based on usage scenario: * `Constants.PASSWORD` - SQL User Password. 
* Azure Data Lake Storage (Gen 2) End Point - Staging Folders * `Constants.DATA_SOURCE` - Storage path set on the data source location parameter is used for data staging.-* **Write using Azure AD based authentication** +* **Write using Microsoft Entra ID based authentication** * Azure Synapse Dedicated SQL End Point * By default, the Connector infers the Synapse Dedicated SQL end point by using the database name set on the `synapsesql` method's three-part table name parameter. * Alternatively, users can use the `Constants.SERVER` option to specify the sql end point. Ensure the end point hosts the corresponding database with respective schema. synapsesql(table_name: str="") -> org.apache.spark.sql.DataFrame ``` -#### Read from a table using Azure AD based authentication +<a name='read-from-a-table-using-azure-ad-based-authentication'></a> ++#### Read from a table using Microsoft Entra ID based authentication ##### [Scala](#tab/scala1) dfToReadFromTable.show() ``` -#### Read from a query using Azure AD based authentication +<a name='read-from-a-query-using-azure-ad-based-authentication'></a> ++#### Read from a query using Microsoft Entra ID based authentication > [!Note] > Restrictions while reading from query: > * Table name and query cannot be specified at the same time. 
synapsesql(table_name: str, table_type: str = Constants.INTERNAL, location: str ``` -#### Write using Azure AD based authentication +<a name='write-using-azure-ad-based-authentication'></a> ++#### Write using Microsoft Entra ID based authentication Following is a comprehensive code template that describes how to use the Connector for write scenarios: from com.microsoft.spark.sqlanalytics.Constants import Constants #### Write using basic authentication -Following code snippet replaces the write definition described in the [Write using Azure AD based authentication](#write-using-azure-ad-based-authentication) section, to submit write request using SQL basic authentication approach: +Following code snippet replaces the write definition described in the [Write using Microsoft Entra ID based authentication](#write-using-azure-ad-based-authentication) section, to submit write request using SQL basic authentication approach: ##### [Scala](#tab/scala5) |
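Review bot: "Microsoft Entra user Identity" in the setup bullet keeps a stray capital from the original "User Identity"; make it "Microsoft Entra user identity". The new headings and bullets write "Microsoft Entra ID based authentication" without a hyphen although the phrase is used attributively throughout ("Read using ...", "Write using ..."); hyphenate it as "Microsoft Entra ID-based authentication" everywhere it was introduced. The `<a name='...-azure-ad-based-authentication'></a>` anchors added above each renamed heading do keep the `#write-using-azure-ad-based-authentication` link in the basic-authentication section resolving, which is the right way to handle the rename. While the basic-authentication bullets are being edited, the `Constants.PASSWORD` item is a natural place to tell readers not to hard-code the SQL user password in the notebook, given that the surrounding text recommends the Microsoft Entra path precisely because no stored credential is needed.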
synapse-analytics | Manage Compute With Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/manage-compute-with-azure-functions.md | To deploy the template, you need the following information: - Name of the resource group your dedicated SQL pool (formerly SQL DW) instance is in - Name of the server your dedicated SQL pool (formerly SQL DW) instance is in - Name of your dedicated SQL pool (formerly SQL DW) instance-- Tenant ID (Directory ID) of your Azure Active Directory+- Tenant ID (Directory ID) of your Microsoft Entra ID - Subscription ID - Service Principal Application ID - Service Principal Secret Key |
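Review bot: "Tenant ID (Directory ID) of your Microsoft Entra ID" in the deployment prerequisites reads as "ID of your ID"; the original meant the directory, so write "Tenant ID (Directory ID) of your Microsoft Entra tenant".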
synapse-analytics | Quickstart Bulk Load Copy Tsql Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/quickstart-bulk-load-copy-tsql-examples.md | Managed Identity authentication is required when your storage account is attache #### Steps -1. If you have a standalone dedicated SQL pool, register your SQL server with Azure Active Directory (Azure AD) using PowerShell: +1. If you have a standalone dedicated SQL pool, register your SQL server with Microsoft Entra ID using PowerShell: ```powershell Connect-AzAccount Managed Identity authentication is required when your storage account is attache | | | | Role | Storage Blob Data Contributor | | Assign access to | SERVICEPRINCIPAL |- | Members | server or workspace hosting your dedicated SQL pool that you've registered with Azure Active Directory (Azure AD) | + | Members | server or workspace hosting your dedicated SQL pool that you've registered with Microsoft Entra ID | ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) Managed Identity authentication is required when your storage account is attache ) ``` -## D. Azure Active Directory Authentication +<a name='d-azure-active-directory-authentication'></a> ++## D. Microsoft Entra authentication #### Steps 1. Under your storage account, select **Access control (IAM)**. Managed Identity authentication is required when your storage account is attache | | | | Role | Storage Blob Data Owner, Contributor, or Reader | | Assign access to | USER |- | Members | Azure AD user | + | Members | Microsoft Entra user | ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) Managed Identity authentication is required when your storage account is attache ![Granting Azure RBAC permission to load](./media/quickstart-bulk-load-copy-tsql-examples/rbac-load-permissions.png) -1. 
Configure Azure AD authentication. Refer to [Configure and manage Azure AD authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell). +1. Configure Microsoft Entra authentication. Refer to [Configure and manage Microsoft Entra authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell). 1. Connect to your SQL pool using Active Directory where you can now run the COPY statement without specifying any credentials: Managed Identity authentication is required when your storage account is attache ## E. Service Principal Authentication #### Steps -1. [Create an Azure Active Directory application](../..//active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). +1. [Create a Microsoft Entra application](../..//active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). 2. [Get application ID](../..//active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application). 3. [Get the authentication key](../../active-directory/develop/howto-create-service-principal-portal.md#set-up-authentication). 4. [Get the V1 OAuth 2.0 token endpoint](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md?bc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2ftoc.json#step-4-get-the-oauth-20-token-endpoint-only-for-java-based-applications).-5. 
[Assign read, write, and execution permissions to your Azure AD application](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md?bc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2ftoc.json#step-3-assign-the-azure-ad-application-to-the-azure-data-lake-storage-gen1-account-file-or-folder) on your storage account. +5. [Assign read, write, and execution permissions to your Microsoft Entra application](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md?bc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2fsql-data-warehouse%2ftoc.json#step-3-assign-the-azure-ad-application-to-the-azure-data-lake-storage-gen1-account-file-or-folder) on your storage account. 6. You can now run the COPY statement: ```sql |
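Review bot: the step "Connect to your SQL pool using Active Directory where you can now run the COPY statement" in section D was left unchanged while the lines around it were renamed; it should read "using Microsoft Entra authentication" so the section does not mix old and new names. In the same section the role table lists "Storage Blob Data Owner, Contributor, or Reader" for the user; since the step only loads from storage, the text should steer readers to Storage Blob Data Reader as the least privilege that works rather than listing Owner first. Section E step 5 still links into the Data Lake Storage Gen1 article with the `#step-3-assign-the-azure-ad-application-...` anchor; that anchor was not renamed here, so verify it still exists after the target page's own rename.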
synapse-analytics | Sql Data Warehouse Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-authentication.md | Title: Authentication for dedicated SQL pool (formerly SQL DW) -description: Learn how to authenticate to dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics by using Azure Active Directory (Azure AD) or SQL Server authentication. +description: Learn how to authenticate to dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics by using Microsoft Entra ID or SQL Server authentication. Last updated 04/02/2019 tag: azure-synapse # Authenticate to dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics -Learn how to authenticate to dedicated SQL pool (formerly SQL DW) in Azure Synapse by using Azure Active Directory (Azure AD) or SQL Server authentication. +Learn how to authenticate to dedicated SQL pool (formerly SQL DW) in Azure Synapse by using Microsoft Entra ID or SQL Server authentication. To connect to a dedicated SQL pool (formerly SQL DW), you must pass in security credentials for authentication purposes. Upon establishing a connection, certain connection settings are configured as part of establishing your query session. By default, your connection connects to the *master* database and not your user > [!NOTE] > The Transact-SQL statement **USE MyDatabase;** is not supported for changing the database for a connection. For guidance connecting to a SQL pool with SSDT, refer to the [Query with Visual Studio](sql-data-warehouse-query-visual-studio.md) article. 
-## Azure Active Directory authentication +<a name='azure-active-directory-authentication'></a> -[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) authentication is a mechanism of connecting to SQL pool by using identities in Azure Active Directory (Azure AD). With Azure Active Directory authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage dedicated SQL pool (formerly SQL DW) users and simplifies permission management. +## Microsoft Entra authentication ++[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) authentication is a mechanism of connecting to SQL pool by using identities in Microsoft Entra ID. With Microsoft Entra authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage dedicated SQL pool (formerly SQL DW) users and simplifies permission management. ### Benefits -Azure Active Directory benefits include: +Microsoft Entra ID benefits include: * Provides an alternative to SQL Server authentication. * Helps stop the proliferation of user identities across servers. * Allows password rotation in a single place-* Manage database permissions using external (Azure AD) groups. -* Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. +* Manage database permissions using external (Microsoft Entra ID) groups. 
+* Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra ID. * Uses contained database users to authenticate identities at the database level. * Supports token-based authentication for applications connecting to SQL pool. * Supports Multi-Factor authentication through Active Directory Universal Authentication for various tools including [SQL Server Management Studio](/azure/azure-sql/database/authentication-mfa-ssms-overview?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json) and [SQL Server Data Tools](/sql/ssdt/azure-active-directory?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true). > [!NOTE]-> Azure Active Directory is still relatively new and has some limitations. To ensure that Azure Active Directory is a good fit for your environment, see [Azure AD features and limitations](/azure/azure-sql/database/authentication-aad-overview?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json#azure-ad-features-and-limitations), specifically the Additional considerations. +> Microsoft Entra ID is still relatively new and has some limitations. To ensure that Microsoft Entra ID is a good fit for your environment, see [Microsoft Entra features and limitations](/azure/azure-sql/database/authentication-aad-overview?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json#azure-ad-features-and-limitations), specifically the Additional considerations. ### Configuration steps -Follow these steps to configure Azure Active Directory authentication. +Follow these steps to configure Microsoft Entra authentication. -1. Create and populate an Azure Active Directory +1. 
Create and populate a Microsoft Entra ID 2. Optional: Associate or change the active directory that is currently associated with your Azure Subscription-3. Create an Azure Active Directory administrator for Azure Synapse +3. Create a Microsoft Entra administrator for Azure Synapse 4. Configure your client computers-5. Create contained database users in your database mapped to Azure AD identities -6. Connect to your SQL pool by using Azure AD identities +5. Create contained database users in your database mapped to Microsoft Entra identities +6. Connect to your SQL pool by using Microsoft Entra identities -Currently Azure Active Directory users are not shown in SSDT Object Explorer. As a workaround, view the users in [sys.database_principals](/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true). +Currently Microsoft Entra users are not shown in SSDT Object Explorer. As a workaround, view the users in [sys.database_principals](/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true). ### Find the details -* The steps to configure and use Azure Active Directory authentication are nearly identical for Azure SQL Database and Synapse SQL in Azure Synapse. Follow the detailed steps in the topic [Connecting to SQL Database or SQL Pool By Using Azure Active Directory Authentication](/azure/azure-sql/database/authentication-aad-overview?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). 
+* The steps to configure and use Microsoft Entra authentication are nearly identical for Azure SQL Database and Synapse SQL in Azure Synapse. Follow the detailed steps in the topic [Connecting to SQL Database or SQL Pool By Using Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). * Create custom database roles and add users to the roles. Then grant granular permissions to the roles. For more information, see [Getting Started with Database Engine Permissions](/sql/relational-databases/security/authentication-access/getting-started-with-database-engine-permissions?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true). ## Next steps |
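Review bot: configuration step 1, "Create and populate a Microsoft Entra ID", no longer names an object to create; the original "an Azure Active Directory" meant a directory, so write "Create and populate a Microsoft Entra tenant", and step 2's unchanged "the active directory that is currently associated with your Azure Subscription" should say "the Microsoft Entra tenant" for the same reason. The NOTE "Microsoft Entra ID is still relatively new and has some limitations" should be reworded or dropped: the page's `Last updated` line is 04/02/2019, and after the rename the sentence reads as a claim about the Microsoft Entra brand rather than about SQL pool support for it; "Microsoft Entra authentication for SQL pool has some limitations" keeps the useful part. In the benefits list, the renamed item "Manage database permissions using external (Microsoft Entra ID) groups." breaks the parallel "Provides/Helps/Allows/Eliminates/Uses/Supports" form; make it "Lets you manage database permissions using external (Microsoft Entra ID) groups." and add the missing period after "Allows password rotation in a single place".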
synapse-analytics | Sql Data Warehouse Get Started Connect Sqlcmd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-get-started-connect-sqlcmd.md | For example, your connection string might look like the following: C:\>sqlcmd -S MySqlDw.database.windows.net -d Adventure_Works -U myuser -P myP@ssword -I ``` -To use Azure Active Directory Integrated authentication, you need to add the Azure Active Directory parameters: +To use Microsoft Entra integrated authentication, you need to add the Microsoft Entra parameters: -* **Azure Active Directory Authentication (-G):** use Azure Active Directory for authentication +* **Microsoft Entra authentication (-G):** use Microsoft Entra ID for authentication For example, your connection string might look like the following: C:\>sqlcmd -S MySqlDw.database.windows.net -d Adventure_Works -G -I ``` > [!NOTE]-> You need to [enable Azure Active Directory Authentication](sql-data-warehouse-authentication.md) to authenticate using Active Directory. +> You need to [enable Microsoft Entra authentication](sql-data-warehouse-authentication.md) to authenticate using Active Directory. ## 2. Query |
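Review bot: the NOTE at the end of the hunk still ends with "to authenticate using Active Directory" while the link text in the same line was renamed; it should say "to authenticate using Microsoft Entra ID". The unchanged SQL-authentication example just above passes `-P myP@ssword` on the command line, which puts the password in shell history and process listings; since this hunk is contrasting that example with the `-G` form, a one-line caveat there (or simply omitting `-P` so sqlcmd prompts) would strengthen the recommendation to use Microsoft Entra authentication.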
synapse-analytics | Sql Data Warehouse How To Troubleshoot Missed Classification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-how-to-troubleshoot-missed-classification.md | EXEC sp_droprolemember '[Resource Class]', membername; ### Some administrative users are always mapped to smallrc workload group -Consider a scenario for the Azure Synapse Workspace SQL Admin login, the Azure Synapse Azure Active Directory admin (user or group member), or a database owner. These users may still have a workload classifier or have been added to a resource class role other than smallrc. All queries executed by these user will still run on smallrc resource class, even though the user is mapped to a different resource class or workload group. +Consider a scenario for the Azure Synapse Workspace SQL Admin login, the Azure Synapse Microsoft Entra admin (user or group member), or a database owner. These users may still have a workload classifier or have been added to a resource class role other than smallrc. All queries executed by these user will still run on smallrc resource class, even though the user is mapped to a different resource class or workload group. **Recommendation**: These administrative users can't change their default workload group. For more information, see [workload management with resource classes](resource-classes-for-workload-management.md#default-resource-class). It is recommended that critical or performance-sensitive workloads not run as one of these administrative users in the dedicated SQL pool. 
-The Azure Synapse Workspace SQL Admin login and the Azure Synapse Azure Active Directory admin (user or group member) are specified in the Azure portal: +The Azure Synapse Workspace SQL Admin login and the Azure Synapse Microsoft Entra admin (user or group member) are specified in the Azure portal: :::image type="content" source="./media/sql-data-warehouse-how-to-troubleshoot-missed-classification/identify-sql-admin.png" alt-text="Identifying the service admin by looking at the Workspace SQL Admin Login field" lightbox="./media/sql-data-warehouse-how-to-troubleshoot-missed-classification/identify-sql-admin.png"::: |
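Review bot: "All queries executed by these user will still run on smallrc resource class" is carried into the new line unchanged; since the sentence is being rewritten anyway, fix it to "All queries executed by these users will still run on the smallrc resource class".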
synapse-analytics | Sql Data Warehouse Load From Azure Data Lake Store | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-load-from-azure-data-lake-store.md | Before you begin this tutorial, download and install the newest version of [SQL To run this tutorial, you need: * A dedicated SQL pool. See [Create a dedicated SQL pool and query data](create-data-warehouse-portal.md).-* A Data Lake Storage account. See [Get started with Azure Data Lake Storage](../../data-lake-store/data-lake-store-get-started-portal.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). For this storage account, you will need to configure or specify one of the following credentials to load: A storage account key, shared access signature (SAS) key, an Azure Directory Application user, or an Azure AD user that has the appropriate Azure role to the storage account. +* A Data Lake Storage account. See [Get started with Azure Data Lake Storage](../../data-lake-store/data-lake-store-get-started-portal.md?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). For this storage account, you will need to configure or specify one of the following credentials to load: A storage account key, shared access signature (SAS) key, an Azure Directory Application user, or a Microsoft Entra user that has the appropriate Azure role to the storage account. * Currently, ingesting data using the COPY command into an Azure Storage account that is using the new [Azure Storage DNS partition feature](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-create-additional-5000-azure-storage-accounts/ba-p/3465466) results in an error. Provision a storage account in a subscription that does not use DNS partitioning for this tutorial. ## Create the target table |
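Review bot: "an Azure Directory Application user" in the credentials list was not renamed and is not a product name under either the old or the new scheme; it should read "a Microsoft Entra application (service principal)", consistent with "a Microsoft Entra user" later in the same sentence. Also "has the appropriate Azure role to the storage account" should be "on the storage account".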
synapse-analytics | Sql Data Warehouse Overview Manage Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-manage-security.md | Connections to your dedicated SQL pool (formerly SQL DW) are encrypted by defaul ## Authentication -Authentication refers to how you prove your identity when connecting to the database. Dedicated SQL pool (formerly SQL DW) currently supports SQL Server Authentication with a username and password, and with Azure Active Directory. +Authentication refers to how you prove your identity when connecting to the database. Dedicated SQL pool (formerly SQL DW) currently supports SQL Server Authentication with a username and password, and with Microsoft Entra ID. When you created the server for your database, you specified a "server admin" login with a username and password. Using these credentials, you can authenticate to any database on that server as the database owner, or "dbo" through SQL Server Authentication. CREATE USER ApplicationUser FOR LOGIN ApplicationLogin; To give a user permission to perform additional operations such as creating logins or creating new databases, assign the user to the `Loginmanager` and `dbmanager` roles in the master database. -For more information on these additional roles and authenticating to a SQL Database, see [Managing databases and logins in Azure SQL Database](/azure/azure-sql/database/logins-create-manage?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). For more information on connecting using Azure Active Directory, see [Connecting by using Azure Active Directory Authentication](sql-data-warehouse-authentication.md). 
+For more information on these additional roles and authenticating to a SQL Database, see [Managing databases and logins in Azure SQL Database](/azure/azure-sql/database/logins-create-manage?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json). For more information on connecting using Microsoft Entra ID, see [Connecting by using Microsoft Entra authentication](sql-data-warehouse-authentication.md). ## Authorization |
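Review bot: the renamed sentence "supports SQL Server Authentication with a username and password, and with Microsoft Entra ID" makes Microsoft Entra sound like a variant of SQL Server Authentication, which it is not; write "supports SQL authentication (username and password) and Microsoft Entra authentication" so the two mechanisms, which the rest of the article treats separately, are distinct here too.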
synapse-analytics | Sql Data Warehouse Query Ssms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-query-ssms.md | Now that a connection has been established to your database, let's write a query ## Next steps -Now that you can connect and query, try [visualizing the data with Power BI](/power-bi/connect-dat). +Now that you can connect and query, try [visualizing the data with Power BI](/power-bi/connect-dat). |
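Review bot: the `+` line reproduces the same `[visualizing the data with Power BI](/power-bi/connect-dat)` link as the `-` line, so this hunk is a whitespace-only change; the `/power-bi/connect-dat` path looks truncated compared with the `/power-bi/connect-data/service-azure-sql-data-warehouse-with-direct-connect` link used in the sibling Visual Studio article, and this touch of the line is the place to fix it.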
synapse-analytics | Sql Data Warehouse Query Visual Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-query-visual-studio.md | Now that a connection has been established to your database, let's write a query ## Next steps Now that you can connect and query, try [visualizing the data with Power BI](/power-bi/connect-data/service-azure-sql-data-warehouse-with-direct-connect). -To configure your environment for Azure Active Directory authentication, see [Authenticate to dedicated SQL pool (formerly SQL DW)](sql-data-warehouse-authentication.md). +To configure your environment for Microsoft Entra authentication, see [Authenticate to dedicated SQL pool (formerly SQL DW)](sql-data-warehouse-authentication.md). |
synapse-analytics | Sql Data Warehouse Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-troubleshoot.md | This article lists common troubleshooting issues in dedicated SQL pool (formerly | Issue | Resolution | | :-- | :-- |-| Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456) | This error occurs when an Azure AD user tries to connect to the `master` database, but does not have a user in `master`. To correct this issue, either specify the dedicated SQL pool (formerly SQL DW) you wish to connect to at connection time or add the user to the `master` database. For more information, see [Security overview](sql-data-warehouse-overview-manage-security.md). | -| The server principal "MyUserName" is not able to access the database `master` under the current security context. Cannot open user default database. Login failed. Login failed for user 'MyUserName'. (Microsoft SQL Server, Error: 916) | This error occurs when an Azure AD user tries to connect to the `master` database, but does not have a user in `master`. To correct this issue, either specify the dedicated SQL pool (formerly SQL DW) you wish to connect to at connection time or add the user to the `master` database. For more information, see [Security overview](sql-data-warehouse-overview-manage-security.md). | +| Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456) | This error occurs when a Microsoft Entra user tries to connect to the `master` database, but does not have a user in `master`. To correct this issue, either specify the dedicated SQL pool (formerly SQL DW) you wish to connect to at connection time or add the user to the `master` database. For more information, see [Security overview](sql-data-warehouse-overview-manage-security.md). 
| +| The server principal "MyUserName" is not able to access the database `master` under the current security context. Cannot open user default database. Login failed. Login failed for user 'MyUserName'. (Microsoft SQL Server, Error: 916) | This error occurs when a Microsoft Entra user tries to connect to the `master` database, but does not have a user in `master`. To correct this issue, either specify the dedicated SQL pool (formerly SQL DW) you wish to connect to at connection time or add the user to the `master` database. For more information, see [Security overview](sql-data-warehouse-overview-manage-security.md). | | CTAIP error | This error can occur when a login has been created on the SQL Database `master` database, but not in the specific SQL database. If you encounter this error, take a look at the [Security overview](sql-data-warehouse-overview-manage-security.md) article. This article explains how to create a login and user in the `master` database, and then how to create a user in a SQL database. | | Blocked by Firewall | Dedicated SQL pools (formerly SQL DW) are protected by firewalls to ensure only known IP addresses have access to a database. The firewalls are secure by default, which means that you must explicitly enable and IP address or range of addresses before you can connect. To configure your firewall for access, follow the steps in [Configure server firewall access for your client IP](create-data-warehouse-portal.md) in the [Provisioning instructions](create-data-warehouse-portal.md). 
| | Cannot connect with tool or driver | Dedicated SQL pool (formerly SQL DW) recommends using [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true), [SSDT for Visual Studio](sql-data-warehouse-install-visual-studio.md), or [sqlcmd](sql-data-warehouse-get-started-connect-sqlcmd.md) to query your data. For more information on drivers and connecting to Azure Synapse, see [Drivers for Azure Synapse](sql-data-warehouse-connection-strings.md) and [Connect to Azure Synapse](sql-data-warehouse-connect-overview.md) articles. | This article lists common troubleshooting issues in dedicated SQL pool (formerly | Issue | Resolution | | :-- | :-- |-| Visual Studio object explorer is missing Azure AD users | This is a known issue. As a workaround, view the users in [sys.database_principals](/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true). See [Authentication to Azure Synapse](sql-data-warehouse-authentication.md) to learn more about using Azure Active Directory with dedicated SQL pool (formerly SQL DW). | +| Visual Studio object explorer is missing Microsoft Entra users | This is a known issue. As a workaround, view the users in [sys.database_principals](/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?toc=/azure/synapse-analytics/sql-data-warehouse/toc.json&bc=/azure/synapse-analytics/sql-data-warehouse/breadcrumb/toc.json&view=azure-sqldw-latest&preserve-view=true). See [Authentication to Azure Synapse](sql-data-warehouse-authentication.md) to learn more about using Microsoft Entra ID with dedicated SQL pool (formerly SQL DW). 
| | Manual scripting, using the scripting wizard, or connecting via SSMS is slow, not responding, or producing errors | Ensure that users have been created in the `master` database. In scripting options, also make sure that the engine edition is set as "Microsoft Azure Synapse Analytics Edition" and engine type is "Microsoft Azure SQL Database". | | Generate scripts fails in SSMS | Generating a script for dedicated SQL pool (formerly SQL DW) fails if the option "Generate script for dependent objects" option is set to "True." As a workaround, users must manually go to **Tools -> Options ->SQL Server Object Explorer -> Generate script for dependent options and set to false** | |
synapse-analytics | Workspace Connected Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/workspace-connected-create.md | Before you enable the Synapse workspace features on your data warehouse, you mus - Rights to create and manage the SQL resources that are hosted on the SQL logical server. - Write permissions on the host SQL Server. - Rights to create Azure Synapse resources.-- An Azure Active Directory admin identified on the logical server.+- A Microsoft Entra admin identified on the logical server. ## Enable Synapse workspace features for an existing dedicated SQL pool (formerly SQL DW) Follow these steps to create a Synapse workspace for your existing data warehous > [!NOTE] > All dedicated SQL pool (formerly SQL DW) instances hosted on the logical server are available via the new workspace.- > Allowing authentication via Azure Active Directory (Azure AD) only is not supported for dedicated SQL pools with Azure Synapse features enabled. Policies that enable Azure AD-only only authentication will not apply to new or existing dedicated SQL pools with Azure Synapse features enabled. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). + > Allowing authentication via Microsoft Entra-only is not supported for dedicated SQL pools with Azure Synapse features enabled. Policies that enable Microsoft Entra-only only authentication will not apply to new or existing dedicated SQL pools with Azure Synapse features enabled. For more information on Microsoft Entra-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). ## Post provisioning steps The following steps must be completed to ensure that your existing dedicated SQL pool (formerly SQL DW) instances can be accessed via the Synapse Studio. 1. 
In the Synapse workspace overview page, select **Connected server**. The **Connected server** takes you to the connected SQL Logical server that hosts your data warehouses. In the essential menu, select **Connected server**. 2. Open **Firewalls and virtual networks** and ensure that your client IP or a predetermined IP range has access to the logical server.-3. Open **Active Directory admin** and ensure that an Azure AD admin has been set on the logical server. +3. Open **Active Directory admin** and ensure that a Microsoft Entra admin has been set on the logical server. 4. Select one of the dedicated SQL pool (formerly SQL DW) instances hosted on the logical server. In the overview page, select **Launch Synapse Studio** or go to the [Sign in to the Synapse Studio](https://web.azuresynapse.net) and sign in to your workspace. 5. Open the **Data hub** and expand the dedicated SQL pool in the Object explorer to ensure that you've access and can query your data warehouse. |
synapse-analytics | Workspace Connected Experience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql-data-warehouse/workspace-connected-experience.md | The following information will apply when using a dedicated SQL DW (formerly SQL - **SQL capabilities** All SQL capabilities will remain with logical SQL server after the Synapse workspace feature has been enabled. Access to the server via the SQL resource provider will still be possible after the workspace has been enabled. All management functions can be initiated via the workspace and the operation will take place on the Logical SQL Server hosting your SQL pools. No existing automation, tooling, or connections will be broken or interrupted when a workspace is enabled. - **Resource move** Initiating a resource move on a Server with the Synapse workspace feature enabled will cause the link between the server and the workspace to break. You will no longer be able to access your existing dedicated SQL pool (formerly SQL DW) instances from the workspace. To ensure that the connection is retained, it is recommended that both resources remain within the same subscription and resource group. - **Monitoring** SQL requests submitted via the Synapse Studio in a workspace enabled dedicated SQL pool (formerly SQL DW) can be viewed in the Monitor hub. For all other monitoring activities, you can go to Azure portal dedicated SQL pool (formerly SQL DW) monitoring. -- **Security** and **Access controls** As stated above, all management functions for your SQL server and dedicated SQL pools (formerly SQL DW) instances will continue to reside on logical SQL server. These functions include, firewall rule management, setting the Azure AD admin of the server, and all access control for the data in your dedicated SQL pool (formerly SQL DW). The following steps must be taken to ensure that your dedicated SQL pool (formerly SQL DW) is accessible and can be used via the Synapse workspace. 
The workspace role memberships do not give users permissions to the data in dedicated SQL pool (formerly SQL DW) instances. Follow your normal [SQL authentication](sql-data-warehouse-authentication.md) policies to ensure users can access the dedicated SQL pool (formerly SQL DW) instances on the logical server. If the dedicated SQL pool (formerly SQL DW) host server has a Managed identity already assigned to it, this managed identity's name will be the same as that of Workspace Managed identity that is automatically created to support the Workspace partner services (for example, ADF pipelines). Two Managed identities with the same name can exist in a connected Scenario. The Managed identities can be distinguished by their Azure AD object IDs, functionality to create SQL users using Object IDs is coming soon.+- **Security** and **Access controls** As stated above, all management functions for your SQL server and dedicated SQL pools (formerly SQL DW) instances will continue to reside on logical SQL server. These functions include, firewall rule management, setting the Microsoft Entra admin of the server, and all access control for the data in your dedicated SQL pool (formerly SQL DW). The following steps must be taken to ensure that your dedicated SQL pool (formerly SQL DW) is accessible and can be used via the Synapse workspace. The workspace role memberships do not give users permissions to the data in dedicated SQL pool (formerly SQL DW) instances. Follow your normal [SQL authentication](sql-data-warehouse-authentication.md) policies to ensure users can access the dedicated SQL pool (formerly SQL DW) instances on the logical server. If the dedicated SQL pool (formerly SQL DW) host server has a Managed identity already assigned to it, this managed identity's name will be the same as that of Workspace Managed identity that is automatically created to support the Workspace partner services (for example, ADF pipelines). 
Two Managed identities with the same name can exist in a connected Scenario. The Managed identities can be distinguished by their Microsoft Entra object IDs, functionality to create SQL users using Object IDs is coming soon. ```sql CREATE USER [<workspace managed identity] FROM EXTERNAL PROVIDER The following information will apply when using a dedicated SQL DW (formerly SQL > [!NOTE] > The connected workspace Synapse Studio will display the names of dedicated pools based on the permissions the user has in Azure. Objects under the pools will not be accessible if the user does not have permissions on the SQL pools. >- > Allowing authentication via Azure Active Directory (Azure AD) only is not supported for dedicated SQL pools with Azure Synapse features enabled. Policies that enable Azure AD-only only authentication will not apply to new or existing dedicated SQL pools with Azure Synapse features enabled. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). + > Allowing authentication via Microsoft Entra-only is not supported for dedicated SQL pools with Azure Synapse features enabled. Policies that enable Microsoft Entra-only only authentication will not apply to new or existing dedicated SQL pools with Azure Synapse features enabled. For more information on Microsoft Entra-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md). - **Network security** If the Synapse workspace you enabled on your existing dedicated SQL pool (formerly SQL DW) is enabled for data infiltration protection. Create a managed private endpoint connection from the workspace to the logical SQL server. Approve the private endpoint connection request to allow communications between the server and workspace. 
- **Studio** SQL pools in the **Data hub** A workspace enabled dedicated SQL pool (formerly SQL DW) can be identified via the tool tip in the Data hub. |
synapse-analytics | Active Directory Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/active-directory-authentication.md | Title: Azure Active Directory -description: Learn about how to use Azure Active Directory for authentication with Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse SQL. + Title: Microsoft Entra ID +description: Learn about how to use Microsoft Entra ID for authentication with Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse SQL. Last updated 3/07/2022 -# Use Azure Active Directory Authentication for authentication with Synapse SQL +# Use Microsoft Entra authentication for authentication with Synapse SQL -Azure Active Directory authentication is a mechanism that connects to [Azure Synapse Analytics](../overview-faq.yml) by using identities in Azure Active Directory (Azure AD). +Microsoft Entra authentication is a mechanism that connects to [Azure Synapse Analytics](../overview-faq.yml) by using identities in Microsoft Entra ID. -With Azure AD authentication, you can centrally manage user identities that have access to Azure Synapse to simplify permission management. Benefits include the following: +With Microsoft Entra authentication, you can centrally manage user identities that have access to Azure Synapse to simplify permission management. Benefits include the following: - It provides an alternative to regular username and password authentication. - Helps stop the proliferation of user identities across servers. 
- Allows password rotation in a single place.-- Customers can manage permissions using external (Azure AD) groups.-- It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory.-- Azure AD supports token-based authentication for applications connecting to Azure Synapse.-- Azure AD authentication supports ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization.-- Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes multi-factor authentication (MFA). MFA includes strong authentication with a range of easy verification options, including phone call, text message, smart cards with pin, or mobile app notification. For more information, see [SSMS support for Azure AD MFA with Synapse SQL](mfa-authentication.md).-- Azure AD supports similar connections from SQL Server Data Tools (SSDT) that use Active Directory Interactive Authentication. For more information, see-[Azure Active Directory support in SQL Server Data Tools (SSDT)](/sql/ssdt/azure-active-directory?view=azure-sqldw-latest&preserve-view=true). +- Customers can manage permissions using external (Microsoft Entra ID) groups. +- It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra ID. +- Microsoft Entra ID supports token-based authentication for applications connecting to Azure Synapse. +- Microsoft Entra authentication supports ADFS (domain federation) or native user/password authentication for a local Microsoft Entra ID without domain synchronization. +- Microsoft Entra ID supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes multifactor authentication (MFA). 
MFA includes strong authentication with a range of easy verification options, including phone call, text message, smart cards with pin, or mobile app notification. For more information, see [SSMS support for Microsoft Entra multifactor authentication with Synapse SQL](mfa-authentication.md). +- Microsoft Entra ID supports similar connections from SQL Server Data Tools (SSDT) that use Active Directory Interactive Authentication. For more information, see +[Microsoft Entra ID support in SQL Server Data Tools (SSDT)](/sql/ssdt/azure-active-directory?view=azure-sqldw-latest&preserve-view=true). -The configuration steps include the following procedures to configure and use Azure Active Directory authentication. +The configuration steps include the following procedures to configure and use Microsoft Entra authentication. -1. Create and populate Azure AD. -2. Create an Azure Active Directory identity -3. Assign role to created Azure Active Directory identity in Synapse workspace -4. Connect to Synapse Studio by using Azure AD identities. +1. Create and populate Microsoft Entra ID. +2. Create a Microsoft Entra identity +3. Assign role to created Microsoft Entra identity in Synapse workspace +4. Connect to Synapse Studio by using Microsoft Entra identities. -## Azure AD pass-through in Azure Synapse Analytics +<a name='azure-ad-pass-through-in-azure-synapse-analytics'></a> -Azure Synapse Analytics enables you to access the data in the data lake using your Azure Active Directory identity. +## Microsoft Entra pass-through in Azure Synapse Analytics ++Azure Synapse Analytics enables you to access the data in the data lake using your Microsoft Entra identity. Defining access rights on the files and data that is respected in different data engines enables you to simplify your data lake solutions by having a single place where the permissions are defined instead of having to define them in multiple places. 
## Trust architecture -The following high-level diagram summarizes the solution architecture of using Azure AD authentication with Synapse SQL. To support Azure AD native user password, only the Cloud portion and Azure AD/Synapse Synapse SQL is considered. To support Federated authentication (or user/password for Windows credentials), the communication with ADFS block is required. The arrows indicate communication pathways. +The following high-level diagram summarizes the solution architecture of using Microsoft Entra authentication with Synapse SQL. To support Microsoft Entra native user password, only the Cloud portion and Azure AD/Synapse Synapse SQL is considered. To support Federated authentication (or user/password for Windows credentials), the communication with ADFS block is required. The arrows indicate communication pathways. -![azure ad auth diagram](./media/aad-authentication/1-active-directory-authentication-diagram.png) +![Microsoft Entra auth diagram](./media/aad-authentication/1-active-directory-authentication-diagram.png) -The following diagram indicates the federation, trust, and hosting relationships that allow a client to connect to a database by submitting a token. The token is authenticated by an Azure AD, and is trusted by the database. +The following diagram indicates the federation, trust, and hosting relationships that allow a client to connect to a database by submitting a token. The token is authenticated by a Microsoft Entra ID, and is trusted by the database. -Customer 1 can represent an Azure Active Directory with native users or an Azure AD with federated users. Customer 2 represents a possible solution including imported users; in this example coming from a federated Azure Active Directory with ADFS being synchronized with Azure Active Directory. +Customer 1 can represent a Microsoft Entra ID with native users or a Microsoft Entra ID with federated users. 
Customer 2 represents a possible solution including imported users; in this example coming from a federated Microsoft Entra ID with ADFS being synchronized with Microsoft Entra ID. -It's important to understand that access to a database using Azure AD authentication requires that the hosting subscription is associated to the Azure AD. The same subscription must be used to create the SQL Server hosting the Azure SQL Database or dedicated SQL pool. +It's important to understand that access to a database using Microsoft Entra authentication requires that the hosting subscription is associated to the Microsoft Entra ID. The same subscription must be used to create the SQL Server hosting the Azure SQL Database or dedicated SQL pool. ![subscription relationship](./media/aad-authentication/2-subscription-relationship.png) ## Administrator structure -When using Azure AD authentication, there are two Administrator accounts for the Synapse SQL; the original SQL administrator (using SQL authentication) and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. +When using Microsoft Entra authentication, there are two Administrator accounts for the Synapse SQL; the original SQL administrator (using SQL authentication) and the Microsoft Entra administrator. Only the administrator based on a Microsoft Entra account can create the first Microsoft Entra ID contained database user in a user database. -The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the Synapse SQL instance. +The Microsoft Entra administrator login can be a Microsoft Entra user or a Microsoft Entra group. When the administrator is a group account, it can be used by any group member, enabling multiple Microsoft Entra administrators for the Synapse SQL instance. 
-Using group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in Azure Synapse Analytics workspace. Only one Azure AD administrator (a user or group) can be configured at any time. +Using group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in Azure Synapse Analytics workspace. Only one Microsoft Entra administrator (a user or group) can be configured at any time. ![admin structure](./media/aad-authentication/3-admin-structure.png) ## Permissions -To create new users, you must have the `ALTER ANY USER` permission in the database. The `ALTER ANY USER` permission can be granted to any database user. The `ALTER ANY USER` permission is also held by the SQL administrator and Azure AD administrator accounts, and database users with the `CONTROL ON DATABASE` or `ALTER ON DATABASE` permission for that database, and by members of the `db_owner` database role. +To create new users, you must have the `ALTER ANY USER` permission in the database. The `ALTER ANY USER` permission can be granted to any database user. The `ALTER ANY USER` permission is also held by the SQL administrator and Microsoft Entra administrator accounts, and database users with the `CONTROL ON DATABASE` or `ALTER ON DATABASE` permission for that database, and by members of the `db_owner` database role. -To create a contained database user in Synapse SQL, you must connect to the database or instance using an Azure AD identity. To create the first contained database user, you must connect to the database by using an Azure AD administrator (who is the owner of the database). +To create a contained database user in Synapse SQL, you must connect to the database or instance using a Microsoft Entra identity. 
To create the first contained database user, you must connect to the database by using a Microsoft Entra administrator (who is the owner of the database). -Any Azure AD authentication is only possible if the Azure AD admin was created for Synapse SQL. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously inside Synapse SQL can no longer connect to the database using their Azure Active Directory credentials. +Any Microsoft Entra authentication is only possible if the Microsoft Entra admin was created for Synapse SQL. If the Microsoft Entra admin was removed from the server, existing Microsoft Entra users created previously inside Synapse SQL can no longer connect to the database using their Microsoft Entra credentials. ## Disable local authentication -By allowing only Azure Active Directory authentication, centrally manage access to Azure Synapse resources, such as SQL pools. To disable local authentication in Synapse during workspace creation, select **Use only Azure Active Directory (Azure AD) authentication** as the authentication method. A SQL Administrator login will still be created but it will be disabled. Local authentication can be enabled later by an Azure Owner or Contributor of the Synapse workspace. +By allowing only Microsoft Entra authentication, centrally manage access to Azure Synapse resources, such as SQL pools. To disable local authentication in Synapse during workspace creation, select **Use only Microsoft Entra authentication** as the authentication method. A SQL Administrator login will still be created but it will be disabled. Local authentication can be enabled later by an Azure Owner or Contributor of the Synapse workspace. 
-![Azure AD-only auth configuration during workspace creation](./media/aad-authentication/active-directory-only-authentication-workspace-creation.png) +![Microsoft Entra-only auth configuration during workspace creation](./media/aad-authentication/active-directory-only-authentication-workspace-creation.png) -You can also disable local authentication after a workspace is created through the Azure portal. Local authentication cannot be disabled until an Azure Active Directory admin is created for the Azure Synapse workspace. +You can also disable local authentication after a workspace is created through the Azure portal. Local authentication cannot be disabled until a Microsoft Entra admin is created for the Azure Synapse workspace. -![Azure AD-only auth configuration after workspace creation](./media/aad-authentication/active-directory-only-authentication-after-workspace-creation.png) +![Microsoft Entra-only auth configuration after workspace creation](./media/aad-authentication/active-directory-only-authentication-after-workspace-creation.png) -## Azure AD features and limitations +<a name='azure-ad-features-and-limitations'></a> ++## Microsoft Entra features and limitations -- The following members of Azure AD can be provisioned in Synapse SQL:+- The following members of Microsoft Entra ID can be provisioned in Synapse SQL: - - Native members: A member created in Azure AD in the managed domain or in a customer domain. For more information, see [Add your own domain name to Azure AD](../../active-directory/fundamentals/add-custom-domain.md). - - Federated domain members: A member created in Azure AD with a federated domain. For more information, see [Deploying Active Directory Federation Services in Azure](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs). + - Native members: A member created in Microsoft Entra ID in the managed domain or in a customer domain. 
For more information, see [Add your own domain name to Microsoft Entra ID](../../active-directory/fundamentals/add-custom-domain.md). + - Federated domain members: A member created in Microsoft Entra ID with a federated domain. For more information, see [Deploying Active Directory Federation Services in Azure](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs). - Imported members from other Azure ADs who are native or federated domain members. - Active Directory groups created as security groups. -- Azure AD users that are part of a group that has `db_owner` server role can't use the **[CREATE DATABASE SCOPED CREDENTIAL](/sql/t-sql/statements/create-database-scoped-credential-transact-sql?view=azure-sqldw-latest&preserve-view=true)** syntax in Synapse SQL. You will see the following error:+- Microsoft Entra users that are part of a group that has `db_owner` server role can't use the **[CREATE DATABASE SCOPED CREDENTIAL](/sql/t-sql/statements/create-database-scoped-credential-transact-sql?view=azure-sqldw-latest&preserve-view=true)** syntax in Synapse SQL. You will see the following error: `SQL Error [2760] [S0001]: The specified schema name 'user@mydomain.com' either does not exist or you do not have permission to use it.` - Grant the `db_owner` role directly to the individual Azure AD user to mitigate the **CREATE DATABASE SCOPED CREDENTIAL** issue. + Grant the `db_owner` role directly to the individual Microsoft Entra user to mitigate the **CREATE DATABASE SCOPED CREDENTIAL** issue. 
-- These system functions return NULL values when executed under Azure AD principals:+- These system functions return NULL values when executed under Microsoft Entra principals: - `SUSER_ID()` - `SUSER_NAME(<admin ID>)` You can also disable local authentication after a workspace is created through t - `SUSER_ID(<admin name>)` - `SUSER_SID(<admin name>)` -## Connect using Azure AD identities +<a name='connect-using-azure-ad-identities'></a> ++## Connect using Microsoft Entra identities -Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities: +Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities: -- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA+- Microsoft Entra Password +- Microsoft Entra integrated +- Microsoft Entra Universal with MFA - Using Application token authentication -The following authentication methods are supported for Azure AD server principals (logins): +The following authentication methods are supported for Microsoft Entra server principals (logins): -- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA+- Microsoft Entra Password +- Microsoft Entra integrated +- Microsoft Entra Universal with MFA ### Additional considerations -- To enhance manageability, we recommend you provision a dedicated Azure AD group as an administrator.-- Only one Azure AD administrator (a user or group) can be configured for Synapse SQL pools at any time.- - The addition of Azure AD server principals (logins) for Synapse SQL allows the possibility of creating multiple Azure AD server principals (logins) that can be added to the `sysadmin` role. -- Only an Azure AD administrator for Synapse SQL can initially connect to Synapse SQL using an Azure Active Directory account. 
The Active Directory administrator can configure subsequent Azure AD database users.+- To enhance manageability, we recommend you provision a dedicated Microsoft Entra group as an administrator. +- Only one Microsoft Entra administrator (a user or group) can be configured for Synapse SQL pools at any time. + - The addition of Microsoft Entra server principals (logins) for Synapse SQL allows the possibility of creating multiple Microsoft Entra server principals (logins) that can be added to the `sysadmin` role. +- Only a Microsoft Entra administrator for Synapse SQL can initially connect to Synapse SQL using a Microsoft Entra account. The Active Directory administrator can configure subsequent Microsoft Entra database users. - We recommend setting the connection timeout to 30 seconds.-- SQL Server 2016 Management Studio and SQL Server Data Tools for Visual Studio 2015 (version 14.0.60311.1April 2016 or later) support Azure Active Directory authentication. (Azure AD authentication is supported by the **.NET Framework Data Provider for SqlServer**; at least version .NET Framework 4.6). So, the newest versions of these tools and data-tier applications (DAC and .BACPAC) can use Azure AD authentication.+- SQL Server 2016 Management Studio and SQL Server Data Tools for Visual Studio 2015 (version 14.0.60311.1April 2016 or later) support Microsoft Entra authentication. (Microsoft Entra authentication is supported by the **.NET Framework Data Provider for SqlServer**; at least version .NET Framework 4.6). So, the newest versions of these tools and data-tier applications (DAC and .BACPAC) can use Microsoft Entra authentication. 
- Beginning with version 15.0.1, [sqlcmd utility](/sql/tools/sqlcmd-utility?view=azure-sqldw-latest&preserve-view=true) and [bcp utility](/sql/tools/bcp-utility?view=azure-sqldw-latest&preserve-view=true) support Active Directory Interactive authentication with MFA.-- SQL Server Data Tools for Visual Studio 2015 requires at least the April 2016 version of the Data Tools (version 14.0.60311.1). Currently, Azure AD users aren't shown in SSDT Object Explorer. As a workaround, view the users in [sys.database_principals](/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=azure-sqldw-latest&preserve-view=true).-- [Microsoft JDBC Driver 6.0 for SQL Server](https://www.microsoft.com/download/details.aspx?id=11774) supports Azure AD authentication. Also, see [Setting the Connection Properties](/sql/connect/jdbc/setting-the-connection-properties?view=azure-sqldw-latest&preserve-view=true).-- The Azure Active Directory admin account controls access to dedicated pools, while Synapse RBAC roles are used to control access to serverless pools, for example, with the **Synapse Administrator** and **Synapse SQL Administrator** role. Configure Synapse RBAC roles via Synapse Studio, for more information, see [How to manage Synapse RBAC role assignments in Synapse Studio](../security/how-to-manage-synapse-rbac-role-assignments.md).-- If a user is configured as an Azure Active Directory administrator and Synapse Administrator, and then removed from the Azure Active Directory administrator role, then the user will lose access to the dedicated SQL pools in Synapse. They must be removed and then added to the Synapse Administrator role to regain access to dedicated SQL pools.+- SQL Server Data Tools for Visual Studio 2015 requires at least the April 2016 version of the Data Tools (version 14.0.60311.1). Currently, Microsoft Entra users aren't shown in SSDT Object Explorer. 
As a workaround, view the users in [sys.database_principals](/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=azure-sqldw-latest&preserve-view=true). +- [Microsoft JDBC Driver 6.0 for SQL Server](https://www.microsoft.com/download/details.aspx?id=11774) supports Microsoft Entra authentication. Also, see [Setting the Connection Properties](/sql/connect/jdbc/setting-the-connection-properties?view=azure-sqldw-latest&preserve-view=true). +- The Microsoft Entra admin account controls access to dedicated pools, while Synapse RBAC roles are used to control access to serverless pools, for example, with the **Synapse Administrator** and **Synapse SQL Administrator** role. Configure Synapse RBAC roles via Synapse Studio, for more information, see [How to manage Synapse RBAC role assignments in Synapse Studio](../security/how-to-manage-synapse-rbac-role-assignments.md). +- If a user is configured as a Microsoft Entra administrator and Synapse Administrator, and then removed from the Microsoft Entra administrator role, then the user will lose access to the dedicated SQL pools in Synapse. They must be removed and then added to the Synapse Administrator role to regain access to dedicated SQL pools. ## Next steps |
synapse-analytics | Create Use External Tables | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/create-use-external-tables.md | In this section, you'll learn how to create and use [native external tables](dev External tables are useful when you want to control access to external data in Synapse SQL pool. External tables are also useful if you want to use tools, such as Power BI, in conjunction with Synapse SQL pool. External tables can access two types of storage: - Public storage where users access public storage files.-- Protected storage where users access storage files using SAS credential, Azure AD identity, or Managed Identity of Synapse workspace.+- Protected storage where users access storage files using SAS credential, Microsoft Entra identity, or Managed Identity of Synapse workspace. > [!NOTE] > In dedicated SQL pools you can only use native external tables with a Parquet file type, and this feature is in **public preview**. If you want to use generally available Parquet reader functionality in dedicated SQL pools, or you need to access CSV or ORC files, use Hadoop external tables. Native external tables are generally available in serverless SQL pools. The queries in this article will be executed on your sample database and use the ## External table on a file -You can create external tables that access data on an Azure storage account that allows access to users with some Azure AD identity or SAS key. You can create external tables the same way you create regular SQL Server external tables. +You can create external tables that access data on an Azure storage account that allows access to users with some Microsoft Entra identity or SAS key. You can create external tables the same way you create regular SQL Server external tables. 
The following query creates an external table that reads *population.csv* file from SynapseSQL demo Azure storage account that is referenced using `sqlondemanddemo` data source and protected with database scoped credential called `sqlondemand`. |
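Review bot: the "Protected storage" bullet lists SAS, Microsoft Entra identity and workspace managed identity, but the storage access control article in this same change set documents four authorization types for non-public storage, service principal included. Either add service principal here or say "for example" so the list is not read as exhaustive.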
synapse-analytics | Develop Openrowset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/develop-openrowset.md | The `OPENROWSET` function can optionally contain a `DATA_SOURCE` parameter to sp FORMAT = 'PARQUET') AS [file] ``` -This is a quick and easy way to read the content of the files without pre-configuration. This option enables you to use the basic authentication option to access the storage (Azure AD passthrough for Azure AD logins and SAS token for SQL logins). +This is a quick and easy way to read the content of the files without pre-configuration. This option enables you to use the basic authentication option to access the storage (Microsoft Entra passthrough for Microsoft Entra logins and SAS token for SQL logins). - `OPENROWSET` with `DATA_SOURCE` can be used to access files on specified storage account: This is a quick and easy way to read the content of the files without pre-config This option enables you to configure location of the storage account in the data source and specify the authentication method that should be used to access storage. > [!IMPORTANT]- > `OPENROWSET` without `DATA_SOURCE` provides quick and easy way to access the storage files but offers limited authentication options. As an example, Azure AD principals can access files only using their [Azure AD identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or publicly available files. If you need more powerful authentication options, use `DATA_SOURCE` option and define credential that you want to use to access storage. + > `OPENROWSET` without `DATA_SOURCE` provides quick and easy way to access the storage files but offers limited authentication options. As an example, Microsoft Entra principals can access files only using their [Microsoft Entra identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or publicly available files. 
If you need more powerful authentication options, use `DATA_SOURCE` option and define credential that you want to use to access storage. ## Security A database user must have `ADMINISTER BULK OPERATIONS` permission to use the `OPENROWSET` function. -The storage administrator must also enable a user to access the files by providing valid SAS token or enabling Azure AD principal to access storage files. Learn more about storage access control in [this article](develop-storage-files-storage-access-control.md). +The storage administrator must also enable a user to access the files by providing valid SAS token or enabling Microsoft Entra principal to access storage files. Learn more about storage access control in [this article](develop-storage-files-storage-access-control.md). `OPENROWSET` use the following rules to determine how to authenticate to storage: - In `OPENROWSET` without `DATA_SOURCE` authentication mechanism depends on caller type. - Any user can use `OPENROWSET` without `DATA_SOURCE` to read publicly available files on Azure storage.- - Azure AD logins can access protected files using their own [Azure AD identity](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) if Azure storage allows the Azure AD user to access underlying files (for example, if the caller has `Storage Reader` permission on Azure storage). + - Microsoft Entra logins can access protected files using their own [Microsoft Entra identity](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) if Azure storage allows the Microsoft Entra user to access underlying files (for example, if the caller has `Storage Reader` permission on Azure storage). - SQL logins can also use `OPENROWSET` without `DATA_SOURCE` to access publicly available files, files protected using SAS token, or Managed Identity of Synapse workspace. 
You would need to [create server-scoped credential](develop-storage-files-storage-access-control.md#examples) to allow access to storage files. -- In `OPENROWSET` with `DATA_SOURCE` authentication mechanism is defined in database scoped credential assigned to the referenced data source. This option enables you to access publicly available storage, or access storage using SAS token, Managed Identity of workspace, or [Azure AD identity of caller](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) (if caller is Azure AD principal). If `DATA_SOURCE` references Azure storage that isn't public, you would need to [create database-scoped credential](develop-storage-files-storage-access-control.md#examples) and reference it in `DATA SOURCE` to allow access to storage files.+- In `OPENROWSET` with `DATA_SOURCE` authentication mechanism is defined in database scoped credential assigned to the referenced data source. This option enables you to access publicly available storage, or access storage using SAS token, Managed Identity of workspace, or [Microsoft Entra identity of caller](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) (if caller is Microsoft Entra principal). If `DATA_SOURCE` references Azure storage that isn't public, you would need to [create database-scoped credential](develop-storage-files-storage-access-control.md#examples) and reference it in `DATA SOURCE` to allow access to storage files. Caller must have `REFERENCES` permission on credential to use it to authenticate to storage. |
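Review bot: in the Entra-login bullet, `Storage Reader` is not the role that grants data-plane read access; the access control article changed in this same set names Storage Blob Data Reader, Storage Blob Data Contributor or Storage Blob Data Owner, and explicitly says a storage account Owner still needs one of the Blob Data roles. Use `Storage Blob Data Reader` here so readers do not assign the control-plane Reader role and then hit access-denied errors.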
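Review bot: in the last bullet, "reference it in `DATA SOURCE`" should be `DATA_SOURCE`, the parameter name used everywhere else in the hunk; the article's own search-and-copy readers will look for the underscore form.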
synapse-analytics | Develop Storage Files Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/develop-storage-files-overview.md | This article describes how users can read data from the files stored on Azure St - [OPENROWSET](develop-openrowset.md) function that enables ad-hoc queries over the files in Azure Storage. - [External table](develop-tables-external-tables.md) that is a predefined data structure built on top of set of external files. -User can use [different authentication methods](develop-storage-files-storage-access-control.md) such as Azure AD passthrough authentication (default for Azure AD principals) and SAS authentication (default for SQL principals). +User can use [different authentication methods](develop-storage-files-storage-access-control.md) such as Microsoft Entra passthrough authentication (default for Microsoft Entra principals) and SAS authentication (default for SQL principals). ## Query files using OPENROWSET SELECT * FROM User can access storage using the following access rules: -- Azure AD user - `OPENROWSET` will use Azure AD identity of caller to access Azure Storage or access storage with anonymous access.+- Microsoft Entra user - `OPENROWSET` will use Microsoft Entra identity of caller to access Azure Storage or access storage with anonymous access. - SQL user ΓÇô `OPENROWSET` will access storage with anonymous access or can be impersonated using SAS token or Managed identity of workspace. ### [Impersonation](#tab/impersonation) CREATE CREDENTIAL [https://<storage_account>.dfs.core.windows.net/<container>] GRANT REFERENCES ON CREDENTIAL::[https://<storage_account>.dfs.core.windows.net/<container>] TO sqluser ``` -If there's no server-level CREDENTIAL that matches the URL, or the SQL user doesn't have references permission for this credential, the error will be returned. SQL principals can't impersonate using some Azure AD identity. 
+If there's no server-level CREDENTIAL that matches the URL, or the SQL user doesn't have references permission for this credential, the error will be returned. SQL principals can't impersonate using some Microsoft Entra identity. ### [Direct access](#tab/direct-access) -No additional setup is needed to enable Azure AD users to access the files using their identities. +No additional setup is needed to enable Microsoft Entra users to access the files using their identities. Any user can access Azure storage that allows anonymous access (additional setup isn't needed). SELECT * FROM FORMAT= 'parquet') as rows ``` -The user that executes this query must be able to access the files. The users must be impersonated using [SAS token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [Managed Identity of workspace](develop-storage-files-storage-access-control.md?tabs=managed-identity) if they can't directly access the files using their [Azure AD identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or [anonymous access](develop-storage-files-storage-access-control.md?tabs=public-access). +The user that executes this query must be able to access the files. The users must be impersonated using [SAS token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [Managed Identity of workspace](develop-storage-files-storage-access-control.md?tabs=managed-identity) if they can't directly access the files using their [Microsoft Entra identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or [anonymous access](develop-storage-files-storage-access-control.md?tabs=public-access). 
### [Impersonation](#tab/impersonation) Caller must have one of the following permissions to execute OPENROWSET function ### [Direct access](#tab/direct-access) -User can create EXTERNAL DATA SOURCE without CREDENTIAL that will reference public access storage OR use Azure AD passthrough authentication: +User can create EXTERNAL DATA SOURCE without CREDENTIAL that will reference public access storage OR use Microsoft Entra passthrough authentication: ```sql CREATE EXTERNAL DATA SOURCE MyAzureInvoices FILE_FORMAT = TextFileFormat ) ; ``` -User that reads data from this table must be able to access the files. The users must be impersonated using [SAS token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [Managed Identity of workspace](develop-storage-files-storage-access-control.md?tabs=managed-identity) if they cannot directly access the files using their [Azure AD identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or [anonymous access](develop-storage-files-storage-access-control.md?tabs=public-access). +User that reads data from this table must be able to access the files. The users must be impersonated using [SAS token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [Managed Identity of workspace](develop-storage-files-storage-access-control.md?tabs=managed-identity) if they cannot directly access the files using their [Microsoft Entra identity](develop-storage-files-storage-access-control.md?tabs=user-identity) or [anonymous access](develop-storage-files-storage-access-control.md?tabs=public-access). 
### [Impersonation](#tab/impersonation) CREATE EXTERNAL DATA SOURCE AzureDataLakeStore ### [Direct access](#tab/direct-access) -User can create EXTERNAL DATA SOURCE without CREDENTIAL that will reference public access storage OR use Azure AD passthrough authentication: +User can create EXTERNAL DATA SOURCE without CREDENTIAL that will reference public access storage OR use Microsoft Entra passthrough authentication: ```sql CREATE EXTERNAL DATA SOURCE MyAzureInvoices |
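Review bot: "SQL user ΓÇô `OPENROWSET` will access storage..." carries a mis-encoded en dash (ΓÇô) that survived the rename; replace it with a plain hyphen to match the "Microsoft Entra user -" bullet above it. In the same region, "SQL principals can't impersonate using some Microsoft Entra identity" should read "a SQL principal can't be impersonated as a Microsoft Entra identity; only SAS or the workspace managed identity are available to it", and "the error will be returned" should be "an error is returned".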
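The credential lookup described above for `OPENROWSET` without `DATA_SOURCE` (Entra passthrough for Entra logins, a URL-matched server-level credential for SQL logins) and in the Impersonation tab of the overview, put together as an added T-SQL example that is not part of either article. The storage account `contosolake`, container `raw`, SQL login `reportuser` and the SAS token value are placeholders I chose for illustration; the target is a Synapse serverless SQL pool.

```sql
-- Added example, not from the original articles. Placeholders: storage account
-- contosolake, container raw, SQL login reportuser, and the SAS token value.
-- Target: a Synapse serverless SQL pool.

-- 1. Microsoft Entra login: no credential object is involved. The pool passes the
--    caller's own identity to storage, so the caller needs Storage Blob Data Reader
--    on the account (or R on the file plus X on every folder in the path via ACLs).
SELECT TOP 10 *
FROM OPENROWSET(
        BULK 'https://contosolake.dfs.core.windows.net/raw/events/2024/*.parquet',
        FORMAT = 'PARQUET') AS rows;

-- 2. SQL login: there is no Entra identity to pass through. Unless the container
--    allows anonymous access, the pool looks in master for a server-level credential
--    whose NAME is a URL prefix of the file path, and uses that identity instead.
USE master;

-- Option a: impersonate the workspace managed identity (nothing secret is stored;
-- the workspace identity must itself hold Storage Blob Data Reader on the storage).
CREATE CREDENTIAL [https://contosolake.dfs.core.windows.net/raw]
WITH IDENTITY = 'Managed Identity';

-- Option b (instead of a): a SAS token, scoped to read + list and time-limited.
-- Caveat from the article: SAS is not usable against firewall-protected storage.
-- CREATE CREDENTIAL [https://contosolake.dfs.core.windows.net/raw]
-- WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
--      SECRET   = 'sv=2022-11-02&ss=b&srt=co&sp=rl&se=2024-12-31T23:59:59Z&sig=<placeholder>';

-- 3. The credential is usable only by principals holding REFERENCES on it, and any
--    caller of OPENROWSET additionally needs the bulk-operations permission.
GRANT REFERENCES ON CREDENTIAL::[https://contosolake.dfs.core.windows.net/raw] TO reportuser;
GRANT ADMINISTER BULK OPERATIONS TO reportuser;

-- 4. Connected as reportuser, the same query as in step 1 now succeeds: the path
--    starts with the credential name, so storage sees the workspace identity.
--    A path under a different container (for example .../curated/...) matches no
--    credential and fails unless those files are publicly readable.
SELECT TOP 10 *
FROM OPENROWSET(
        BULK 'https://contosolake.dfs.core.windows.net/raw/events/2024/*.parquet',
        FORMAT = 'PARQUET') AS rows;
```

The security point is the REFERENCES grant: the credential name decides *which* storage prefix a SQL login can reach, and the grant decides *who* may ride on the workspace identity or SAS behind it. Naming the credential at the container rather than at the account root keeps the blast radius of one grant to one container.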
synapse-analytics | Develop Storage Files Storage Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/develop-storage-files-storage-access-control.md | +- **Storage level** - User should have permission to access underlying storage files. Your storage administrator should allow Microsoft Entra principal to read/write files, or generate shared access signature (SAS) key that will be used to access storage. - **SQL service level** - User should have granted permission to read data using [external table](develop-tables-external-tables.md) or to execute the `OPENROWSET` function. Read more about [the required permissions in this section](develop-storage-files-overview.md#permissions). -This article describes the types of credentials you can use and how credential lookup is enacted for SQL and Azure AD users. +This article describes the types of credentials you can use and how credential lookup is enacted for SQL and Microsoft Entra users. ## Storage permissions A serverless SQL pool in Synapse Analytics workspace can read the content of files stored in Azure Data Lake storage. You need to configure permissions on storage to enable a user who executes a SQL query to read the files. There are three methods for enabling the access to the files:-- **[Role based access control (RBAC)](../../role-based-access-control/overview.md)** enables you to assign a role to some Azure AD user in the tenant where your storage is placed. A reader must be a member of the Storage Blob Data Reader, Storage Blob Data Contributor, or Storage Blob Data Owner role on the storage account. A user who writes data in the Azure storage must be a member of the Storage Blob Data Contributor or Storage Blob Data Owner role. 
The Storage Owner role does not imply that a user is also Storage Data Owner.-- **Access Control Lists (ACL)** enable you to define a fine grained [Read(R), Write(W), and Execute(X) permissions](../../storage/blobs/data-lake-storage-access-control.md#levels-of-permission) on the files and directories in Azure storage. ACL can be assigned to Azure AD users. If readers want to read a file on a path in Azure Storage, they must have Execute(X) ACL on every folder in the file path, and Read(R) ACL on the file. [Learn more how to set ACL permissions in storage layer](../../storage/blobs/data-lake-storage-access-control.md#how-to-set-acls).-- **Shared access signature (SAS)** enables a reader to access the files on the Azure Data Lake storage using the time-limited token. The reader doesn't even need to be authenticated as Azure AD user. SAS token contains the permissions granted to the reader as well as the period when the token is valid. SAS token is good choice for time-constrained access to any user that doesn't even need to be in the same Azure AD tenant. SAS token can be defined on the storage account or on specific directories. Learn more about [granting limited access to Azure Storage resources using shared access signatures](../../storage/common/storage-sas-overview.md).+- **[Role based access control (RBAC)](../../role-based-access-control/overview.md)** enables you to assign a role to some Microsoft Entra user in the tenant where your storage is placed. A reader must be a member of the Storage Blob Data Reader, Storage Blob Data Contributor, or Storage Blob Data Owner role on the storage account. A user who writes data in the Azure storage must be a member of the Storage Blob Data Contributor or Storage Blob Data Owner role. The Storage Owner role does not imply that a user is also Storage Data Owner. 
+- **Access Control Lists (ACL)** enable you to define a fine grained [Read(R), Write(W), and Execute(X) permissions](../../storage/blobs/data-lake-storage-access-control.md#levels-of-permission) on the files and directories in Azure storage. ACL can be assigned to Microsoft Entra users. If readers want to read a file on a path in Azure Storage, they must have Execute(X) ACL on every folder in the file path, and Read(R) ACL on the file. [Learn more how to set ACL permissions in storage layer](../../storage/blobs/data-lake-storage-access-control.md#how-to-set-acls). +- **Shared access signature (SAS)** enables a reader to access the files on the Azure Data Lake storage using the time-limited token. The reader doesn't even need to be authenticated as Microsoft Entra user. SAS token contains the permissions granted to the reader as well as the period when the token is valid. SAS token is good choice for time-constrained access to any user that doesn't even need to be in the same Microsoft Entra tenant. SAS token can be defined on the storage account or on specific directories. Learn more about [granting limited access to Azure Storage resources using shared access signatures](../../storage/common/storage-sas-overview.md). As an alternative, you can make your files publicly available by allowing anonymous access. This approach should NOT be used if you have non-public data. As an alternative, you can make your files publicly available by allowing anonym A user that has logged into a serverless SQL pool must be authorized to access and query the files in Azure Storage if the files aren't publicly available. You can use four authorization types to access non-public storage: [user identity](?tabs=user-identity), [shared access signature](?tabs=shared-access-signature), [service principal](?tab/service-principal), and [managed identity](?tabs=managed-identity). > [!NOTE]-> **Azure AD pass-through** is the default behavior when you create a workspace. 
+> **Microsoft Entra pass-through** is the default behavior when you create a workspace. ### [User identity](#tab/user-identity) -**User identity**, also known as "Azure AD pass-through", is an authorization type where the identity of the Azure AD user that logged into serverless SQL pool is used to authorize data access. Before accessing the data, the Azure Storage administrator must grant permissions to the Azure AD user. As indicated in the [Supported authorization types for database users table](#supported-authorization-types-for-databases-users), it's not supported for the SQL user type. +**User identity**, also known as "Microsoft Entra pass-through", is an authorization type where the identity of the Microsoft Entra user that logged into serverless SQL pool is used to authorize data access. Before accessing the data, the Azure Storage administrator must grant permissions to the Microsoft Entra user. As indicated in the [Supported authorization types for database users table](#supported-authorization-types-for-databases-users), it's not supported for the SQL user type. > [!IMPORTANT]-> An Azure Active Directory authentication token might be cached by the client applications. For example, Power BI caches Azure Active Directory tokens and reuses the same token for an hour. Long-running queries might fail if the token expires in the middle of the query execution. If you are experiencing query failures caused by the Azure Active Directory access token that expires in the middle of the query, consider switching to a [service principal](develop-storage-files-storage-access-control.md?tabs=service-principal#supported-storage-authorization-types), [managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#supported-storage-authorization-types) or [shared access signature](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#supported-storage-authorization-types). 
+> A Microsoft Entra authentication token might be cached by the client applications. For example, Power BI caches Microsoft Entra tokens and reuses the same token for an hour. Long-running queries might fail if the token expires in the middle of the query execution. If you are experiencing query failures caused by the Microsoft Entra access token that expires in the middle of the query, consider switching to a [service principal](develop-storage-files-storage-access-control.md?tabs=service-principal#supported-storage-authorization-types), [managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#supported-storage-authorization-types) or [shared access signature](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#supported-storage-authorization-types). You need to be a member of the Storage Blob Data Owner, Storage Blob Data Contributor, or Storage Blob Data Reader role to use your identity to access the data. As an alternative, you can specify fine-grained ACL rules to access files and folders. Even if you are an Owner of a Storage Account, you still need to add yourself into one of the Storage Blob Data roles. To learn more about access control in Azure Data Lake Store Gen2, review the [Access control in Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-access-control.md) article. You can get an SAS token by navigating to the **Azure portal -> Storage Account To enable access using an SAS token, you need to create a database-scoped or server-scoped credential > [!IMPORTANT]-> You cannot access private storage accounts with the SAS token. Consider switching to [Managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#supported-storage-authorization-types) or [Azure AD pass-through](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) authentication to access protected storage. 
+> You cannot access private storage accounts with the SAS token. Consider switching to [Managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#supported-storage-authorization-types) or [Microsoft Entra pass-through](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) authentication to access protected storage. ### [Service principal](#tab/service-principal) -A **service principal** is the local representation of a global application object in a particular Azure Active Directory tenant. This authentication method is appropriate in cases where storage access is to be authorized for a user application, service, or automation tool. For more information on service principals in Azure Active Directory, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals). +A **service principal** is the local representation of a global application object in a particular Microsoft Entra tenant. This authentication method is appropriate in cases where storage access is to be authorized for a user application, service, or automation tool. For more information on service principals in Microsoft Entra ID, see [Application and service principal objects in Microsoft Entra ID](/azure/active-directory/develop/app-objects-and-service-principals). -The application needs to be registered in Azure Active Directory. For more information on the registration process, follow [Quickstart: Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). Once the application is registered, its service principal can be used for authorization. +The application needs to be registered in Microsoft Entra ID. 
For more information on the registration process, follow [Quickstart: Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). Once the application is registered, its service principal can be used for authorization. The service principal should be assigned to the Storage Blob Data Owner, Storage Blob Data Contributor, and Storage Blob Data Reader roles in order for the application to access the data. Even if the service principal is the Owner of a storage account, it still needs to be granted an appropriate Storage Blob Data role. As an alternative way of granting access to storage files and folders, fine-grained ACL rules for service principal can be defined. To learn more about access control in Azure Data Lake Store Gen2, review [Access ### [Managed service identity](#tab/managed-identity) -**Managed service identity** or managed identity is also known as an MSI. An MSI is a feature of Azure Active Directory that provides Azure services to an Azure service, in this case, for your serverless SQL pool. The MSI is created automatically in Azure AD. This identity can be used to authorize the request for data access in Azure Storage. +**Managed service identity** or managed identity is also known as an MSI. An MSI is a feature of Microsoft Entra ID that provides Azure services to an Azure service, in this case, for your serverless SQL pool. The MSI is created automatically in Microsoft Entra ID. This identity can be used to authorize the request for data access in Azure Storage. -Before accessing the data, the Azure Storage administrator must grant permissions to the managed service identity for accessing data. Granting permissions to MSI is done the same way as granting permission to any other Azure AD user. +Before accessing the data, the Azure Storage administrator must grant permissions to the managed service identity for accessing data. 
Granting permissions to MSI is done the same way as granting permission to any other Microsoft Entra user. ### [Anonymous access](#tab/public-access) In cases when Azure Storage is in a different tenant from the Synapse serverless The following table provides available Azure Storage authorization types for different sign-in methods into an Azure Synapse Analytics serverless SQL endpoint: -| Authorization type | *SQL user* | *Azure AD user* | *Service principal* | +| Authorization type | *SQL user* | *Microsoft Entra user* | *Service principal* | | - | - | -- | -- | | [User Identity](?tabs=user-identity#supported-storage-authorization-types) | Not Supported | Supported | Supported| | [SAS](?tabs=shared-access-signature#supported-storage-authorization-types) | Supported | Supported | Supported| You can configure storage accounts to allow access to a specific serverless SQL The following table provides available firewall-protected Azure Storage authorization types for different sign-in methods into an Azure Synapse Analytics serverless SQL endpoint: -| Authorization type | *SQL user* | *Azure AD user* | *Service principal* | +| Authorization type | *SQL user* | *Microsoft Entra user* | *Service principal* | | - | - | -- | -- | | [User Identity](?tabs=user-identity#supported-storage-authorization-types) | Not Supported | Supported | Supported| | [SAS](?tabs=shared-access-signature#supported-storage-authorization-types) | Not Supported | Not Supported | Not Supported| Follow these steps to configure your storage account and add an exception for th - Resource group name - you can find this in Azure portal in the **Overview** of your storage account. - Account Name - name of the storage account that is protected by firewall rules.- - Tenant ID - you can find this in [Azure portal in Azure Active Directory](/azure/active-directory/fundamentals/how-to-find-tenant), under **Properties**, in **Tenant properties**. 
+ - Tenant ID - you can find this in [Azure portal in Microsoft Entra ID](/azure/active-directory/fundamentals/how-to-find-tenant), under **Properties**, in **Tenant properties**. - Workspace Name - Name of the Azure Synapse workspace. ```powershell Server-level credentials are then able to access Azure storage using the followi ### [User identity](#tab/user-identity) -Azure Active Directory users can access any file on Azure storage if they are members of the Storage Blob Data Owner, Storage Blob Data Contributor, or Storage Blob Data Reader role. Azure AD users don't need credentials to access storage. +Microsoft Entra users can access any file on Azure storage if they are members of the Storage Blob Data Owner, Storage Blob Data Contributor, or Storage Blob Data Reader role. Microsoft Entra users don't need credentials to access storage. -SQL authenticated users can't use Azure AD authentication to access storage. They can access storage through a database credential using Managed Identity, SAS Key, Service Principal or if there is public access to the storage. +SQL authenticated users can't use Microsoft Entra authentication to access storage. They can access storage through a database credential using Managed Identity, SAS Key, Service Principal or if there is public access to the storage. ### [Shared access signature](#tab/shared-access-signature) Optionally, you can use just the base URL of the storage account, without contai ### [Service principal](#tab/service-principal) -The following script creates a server-level credential that can be used to access files in a storage using Service principal for authentication and authorization. **AppID** can be found by visiting App registrations in Azure portal and selecting the App requesting storage access. **Secret** is obtained during the App registration. **AuthorityUrl** is URL of Azure Active Directory Oauth2.0 authority. 
+The following script creates a server-level credential that can be used to access files in a storage using Service principal for authentication and authorization. **AppID** can be found by visiting App registrations in Azure portal and selecting the App requesting storage access. **Secret** is obtained during the App registration. **AuthorityUrl** is URL of Microsoft Entra ID Oauth2.0 authority. ```sql CREATE CREDENTIAL [https://<storage_account>.dfs.core.windows.net/<container>] Database-scoped credentials are used when any principal calls `OPENROWSET` funct Database-scoped credentials enable access to Azure storage using the following authentication types: -### [Azure AD Identity](#tab/user-identity) +<a name='azure-ad-identity'></a> -Azure AD users can access any file on Azure storage if they are members of the Storage Blob Data Owner, Storage Blob Data Contributor, or Storage Blob Data Reader roles. Azure AD users don't need credentials to access storage. +### [Microsoft Entra identity](#tab/user-identity) ++Microsoft Entra users can access any file on Azure storage if they are members of the Storage Blob Data Owner, Storage Blob Data Contributor, or Storage Blob Data Reader roles. Microsoft Entra users don't need credentials to access storage. ```sql CREATE EXTERNAL DATA SOURCE mysample WITH ( LOCATION = 'https://<storage_account>.dfs.core.windows.net/<containe ) ``` -SQL authenticated users can't use Azure AD authentication to access storage. They can access storage through a database credential using Managed Identity, SAS Key, Service Principal or if there is public access to the storage. +SQL authenticated users can't use Microsoft Entra authentication to access storage. They can access storage through a database credential using Managed Identity, SAS Key, Service Principal or if there is public access to the storage. 
### [Shared access signature](#tab/shared-access-signature) WITH ( LOCATION = 'https://<storage_account>.dfs.core.windows.net/<containe ``` ### [Service principal](#tab/service-principal)-The following script creates a database-scoped credential that can be used to access files in a storage using service principal for authentication and authorization. **AppID** can be found by visiting App registrations in Azure portal and selecting the App requesting storage access. **Secret** is obtained during the App registration. **AuthorityUrl** is URL of Azure Active Directory Oauth2.0 authority. +The following script creates a database-scoped credential that can be used to access files in a storage using service principal for authentication and authorization. **AppID** can be found by visiting App registrations in Azure portal and selecting the App requesting storage access. **Secret** is obtained during the App registration. **AuthorityUrl** is URL of Microsoft Entra ID Oauth2.0 authority. ```sql -- Optional: Create MASTER KEY if not exists in database: WITH ( LOCATION = 'https://<storage_account>.dfs.core.windows.net/<containe ### [Managed Identity](#tab/managed-identity) -The following script creates a database-scoped credential that can be used to impersonate current Azure AD user as Managed Identity of service. The script creates a sample external data source that uses workspace identity to access storage. +The following script creates a database-scoped credential that can be used to impersonate current Microsoft Entra user as Managed Identity of service. The script creates a sample external data source that uses workspace identity to access storage. ```sql -- Optional: Create MASTER KEY if not exists in database: GO ### Access a data source using credentials -Modify the following script to create an external table that accesses Azure storage using SAS token, Azure AD identity of user, or managed identity of workspace. 
+Modify the following script to create an external table that accesses Azure storage using SAS token, Microsoft Entra identity of user, or managed identity of workspace. ```sql -- Create master key in databases with some password (one-off per database) |
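Review bot: both renamed "AuthorityUrl" hunks (server-level and database-scoped service principal) still read `**AuthorityUrl** is URL of Microsoft Entra ID Oauth2.0 authority`; while the sentence is being touched, make it `**AuthorityUrl** is the URL of the Microsoft Entra ID OAuth 2.0 authority` (product spelling is "OAuth 2.0", and the missing articles read as a typo). The user-identity hunk's "Microsoft Entra users don't need credentials to access storage" would also be clearer as "don't need a database credential", since the rest of the section describes their own identity being passed through to storage after the Storage Blob Data role is granted.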
synapse-analytics | Develop Tables External Tables | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/develop-tables-external-tables.md | The key differences between Hadoop and native external tables: | [File elimination](#file-elimination) (predicate pushdown) | No | Yes in serverless SQL pool. For the string pushdown, you need to use `Latin1_General_100_BIN2_UTF8` collation on the `VARCHAR` columns to enable pushdown. For more information on collations, refer to [Collation types supported for Synapse SQL](reference-collation-types.md).| | Custom format for location | No | Yes, using wildcards like `/year=*/month=*/day=*` for Parquet or CSV formats. Custom folder paths are not available in Delta Lake. In the serverless SQL pool, you can also use recursive wildcards `/logs/**` to reference Parquet or CSV files in any sub-folder beneath the referenced folder. | | Recursive folder scan | Yes | Yes. In serverless SQL pools must be specified `/**` at the end of the location path. In Dedicated pool the folders are always scanned recursively. |-| Storage authentication | Storage Access Key(SAK), Azure Active Directory passthrough, Managed identity, custom application Azure Active Directory identity | [Shared Access Signature(SAS)](develop-storage-files-storage-access-control.md?tabs=shared-access-signature), [Azure Active Directory passthrough](develop-storage-files-storage-access-control.md?tabs=user-identity), [Managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity), [Custom application Azure AD identity](develop-storage-files-storage-access-control.md?tabs=service-principal). 
| +| Storage authentication | Storage Access Key(SAK), Microsoft Entra passthrough, Managed identity, custom application Microsoft Entra identity | [Shared Access Signature(SAS)](develop-storage-files-storage-access-control.md?tabs=shared-access-signature), [Microsoft Entra passthrough](develop-storage-files-storage-access-control.md?tabs=user-identity), [Managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity), [Custom application Microsoft Entra identity](develop-storage-files-storage-access-control.md?tabs=service-principal). | | Column mapping | Ordinal - the columns in the external table definition are mapped to the columns in the underlying Parquet files by position. | Serverless pool: by name. The columns in the external table definition are mapped to the columns in the underlying Parquet files by column name matching. <br/> Dedicated pool: ordinal matching. The columns in the external table definition are mapped to the columns in the underlying Parquet files by position.| | CETAS (exporting/transformation) | Yes | CETAS with the native tables as a target works only in the serverless SQL pool. You cannot use the dedicated SQL pools to export data using native tables. | |
synapse-analytics | Get Started Azure Data Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/get-started-azure-data-studio.md | The connection requires the following parameters: > > - `<Azure Synapse workspace name>`.sql.azuresynapse.net -Choose **Windows Authentication**, **Azure Active Directory**, or **SQL Login** as the **Authentication Type**. +Choose **Windows Authentication**, **Microsoft Entra ID**, or **SQL Login** as the **Authentication Type**. To use **SQL Login** as the authentication type, add the username/password parameters: * **User:** Server user in the form `<User>` * **Password:** Password associated with the user -To use Azure Active Directory, you need to choose the needed authentication type. +To use Microsoft Entra ID, you need to choose the needed authentication type. -![AAD Authentication](./media/get-started-azure-data-studio/3-aad-auth.png) +![Microsoft Entra authentication](./media/get-started-azure-data-studio/3-aad-auth.png) The following screenshot shows the **Connection Details** for **Windows Authentication**: |
synapse-analytics | Get Started Connect Sqlcmd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/get-started-connect-sqlcmd.md | C:\>sqlcmd -S partyeunrt-ondemand.sql.azuresynapse.net -d demo -U Enter_Your_Use C:\>sqlcmd -S MySqlDw.sql.azuresynapse.net -d Adventure_Works -U myuser -P myP@ssword -I ``` -To use Azure Active Directory Integrated authentication, you need to add the Azure Active Directory parameters: +To use Microsoft Entra integrated authentication, you need to add the Microsoft Entra parameters: -* **Azure Active Directory Authentication (-G):** use Azure Active Directory for authentication +* **Microsoft Entra authentication (-G):** use Microsoft Entra ID for authentication Your connection string might look like on of the following examples: C:\>sqlcmd -S MySqlDw.sql.azuresynapse.net -d Adventure_Works -G -I ``` > [!NOTE]-> You need to [enable Azure Active Directory Authentication](../sql/active-directory-authentication.md) to authenticate using Active Directory. +> You need to [enable Microsoft Entra authentication](../sql/active-directory-authentication.md) to authenticate using Active Directory. ## 2. Query |
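Review bot: the `> [!NOTE]` hunk renames the link text to "enable Microsoft Entra authentication" but the same sentence still ends "to authenticate using Active Directory", so the rename is incomplete; suggest `> You need to [enable Microsoft Entra authentication](../sql/active-directory-authentication.md) to authenticate using Microsoft Entra ID.` The unchanged context line "Your connection string might look like on of the following examples" also has a typo (`on` should be `one`) worth fixing in the same change.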
synapse-analytics | Get Started Ssms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/get-started-ssms.md | Now that you've established a database connection, you can query the data. ## Next steps Now that you can connect and query, try [visualizing the data with Power BI](get-started-power-bi-professional.md). -To configure your environment for Azure Active Directory authentication, see [Authenticate to Synapse SQL](../sql/sql-authentication.md). -+To configure your environment for Microsoft Entra authentication, see [Authenticate to Synapse SQL](../sql/sql-authentication.md). |
synapse-analytics | Get Started Visual Studio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/get-started-visual-studio.md | Now that a connection has been established to your database, you'll write a quer ## Next steps Now that you can connect and query, try [visualizing the data with Power BI](get-started-power-bi-professional.md).-To configure your environment for Azure Active Directory authentication, see [Authenticate to dedicated SQL pool](sql-authentication.md?tabs=provisioned). - +To configure your environment for Microsoft Entra authentication, see [Authenticate to dedicated SQL pool](sql-authentication.md?tabs=provisioned). + |
synapse-analytics | Mfa Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/mfa-authentication.md | Title: Using Multi-factor AAD authentication + Title: Using multifactor Microsoft Entra authentication description: Synapse SQL support connections from SQL Server Management Studio (SSMS) using Active Directory Universal Authentication. -# Use Multi-factor AAD authentication with Synapse SQL (SSMS support for MFA) +# Use multifactor Microsoft Entra authentication with Synapse SQL (SSMS support for MFA) Synapse SQL support connections from SQL Server Management Studio (SSMS) using *Active Directory Universal Authentication*. There are two non-interactive authentication models as well, which can be used i - `Active Directory - Password` - `Active Directory - Integrated` -The interactive method is that also supports Azure AD Multi-Factor Authentication (MFA) is: +The interactive method is that also supports Microsoft Entra multifactor authentication (MFA) is: - `Active Directory - Universal with MFA` -Azure AD MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options (phone call, text message, smart cards with pin, or mobile app notification), allowing users to choose the method they prefer. Interactive MFA with Azure AD can result in a pop-up dialog box for validation. +Microsoft Entra multifactor authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options (phone call, text message, smart cards with pin, or mobile app notification), allowing users to choose the method they prefer. Interactive MFA with Microsoft Entra ID can result in a pop-up dialog box for validation. 
-For a description of Multi-Factor Authentication, see [Multi-Factor Authentication](../../active-directory/authentication//concept-mfa-howitworks.md). +For a description of multifactor authentication, see [multifactor authentication](../../active-directory/authentication//concept-mfa-howitworks.md). -### Azure AD domain name or tenant ID parameter +<a name='azure-ad-domain-name-or-tenant-id-parameter'></a> -Beginning with [SSMS version 17](/sql/ssms/download-sql-server-management-studio-ssms?view=azure-sqldw-latest&preserve-view=true), users that are imported into the current Active Directory from other Azure Active Directories as guest users, can provide the Azure AD domain name, or tenant ID when they connect. +### Microsoft Entra domain name or tenant ID parameter ++Beginning with [SSMS version 17](/sql/ssms/download-sql-server-management-studio-ssms?view=azure-sqldw-latest&preserve-view=true), users that are imported into the current Active Directory from other Azure Active Directories as guest users, can provide the Microsoft Entra domain name, or tenant ID when they connect. Guest users include users invited from other Azure ADs, Microsoft accounts such as outlook.com, hotmail.com, live.com, or other accounts like gmail.com. This information, allows **Active Directory Universal with MFA Authentication** to identify the correct authenticating authority. This option is also required to support Microsoft accounts (MSA) such as outlook.com, hotmail.com, live.com, or non-MSA accounts. -All these users who want to be authenticated using Universal Authentication must enter their Azure AD domain name or tenant ID. This parameter represents the current Azure AD domain name/tenant ID the Azure Server is linked with. +All these users who want to be authenticated using Universal Authentication must enter their Microsoft Entra domain name or tenant ID. This parameter represents the current Microsoft Entra domain name/tenant ID the Azure Server is linked with. 
-For example, if Azure Server is associated with Azure AD domain `contosotest.onmicrosoft.com` where user `joe@contosodev.onmicrosoft.com` is hosted as an imported user from Azure AD domain `contosodev.onmicrosoft.com`, the domain name required to authenticate this user is `contosotest.onmicrosoft.com`. +For example, if Azure Server is associated with Microsoft Entra domain `contosotest.onmicrosoft.com` where user `joe@contosodev.onmicrosoft.com` is hosted as an imported user from Microsoft Entra domain `contosodev.onmicrosoft.com`, the domain name required to authenticate this user is `contosotest.onmicrosoft.com`. -When the user is a native user of the Azure AD linked to Azure Server, and is not an MSA account, no domain name or tenant ID is required. +When the user is a native user of the Microsoft Entra ID linked to Azure Server, and is not an MSA account, no domain name or tenant ID is required. To enter the parameter (beginning with SSMS version 17.2), in the **Connect to Database** dialog box, complete the dialog box, selecting **Active Directory - Universal with MFA** authentication, select **Options**, complete the **User name** box, and then select the **Connection Properties** tab. If you are running SSMS 18.x or later, then the AD domain name or tenant ID is n ![mfa-tenant-ssms](./media/mfa-authentication/mfa-no-tenant-ssms.png) -### Azure AD business to business support -Azure AD users supported for Azure AD B2B scenarios as guest users (see [What is Azure B2B collaboration](../../active-directory/external-identities/what-is-b2b.md?bc=%2fazure%2fsynapse-analytics%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2ftoc.json) can connect to Synapse SQL only as part of members of a group created in current Azure AD and mapped manually using the Transact-SQL `CREATE USER` statement in a given database. 
+<a name='azure-ad-business-to-business-support'></a> ++### Microsoft Entra business to business support +Microsoft Entra users supported for Microsoft Entra B2B scenarios as guest users (see [What is Azure B2B collaboration](../../active-directory/external-identities/what-is-b2b.md?bc=%2fazure%2fsynapse-analytics%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2ftoc.json) can connect to Synapse SQL only as part of members of a group created in current Microsoft Entra ID and mapped manually using the Transact-SQL `CREATE USER` statement in a given database. -For example, if `steve@gmail.com` is invited to Azure AD `contosotest` (with the Azure Ad domain `contosotest.onmicrosoft.com`), an Azure AD group, such as `usergroup` must be created in the Azure AD that contains the `steve@gmail.com` member. Then, this group must be created for a specific database (that is, MyDatabase) by Azure AD SQL admin or Azure AD DBO by executing a Transact-SQL `CREATE USER [usergroup] FROM EXTERNAL PROVIDER` statement. +For example, if `steve@gmail.com` is invited to Azure AD `contosotest` (with the Microsoft Entra domain `contosotest.onmicrosoft.com`), a Microsoft Entra group, such as `usergroup` must be created in the Microsoft Entra ID that contains the `steve@gmail.com` member. Then, this group must be created for a specific database (that is, MyDatabase) by Microsoft Entra SQL admin or Microsoft Entra DBO by executing a Transact-SQL `CREATE USER [usergroup] FROM EXTERNAL PROVIDER` statement. After the database user is created, then the user `steve@gmail.com` can log in to `MyDatabase` using the SSMS authentication option `Active Directory – Universal with MFA support`. 
As a guest user, `steve@gmail.com` must check the box and add the AD domain name ## Universal Authentication limitations for Synapse SQL - SSMS and SqlPackage.exe are the only tools currently enabled for MFA through Active Directory Universal Authentication.-- SSMS version 17.2, supports multi-user concurrent access using Universal Authentication with MFA. Version 17.0 and 17.1, restricted a login for an instance of SSMS using Universal Authentication to a single Azure Active Directory account. To log in as another Azure AD account, you must use another instance of SSMS. (This restriction is limited to Active Directory Universal Authentication; you can log in to different servers using Active Directory Password Authentication, Active Directory Integrated Authentication, or SQL Server Authentication).+- SSMS version 17.2, supports multi-user concurrent access using Universal Authentication with MFA. Version 17.0 and 17.1, restricted a login for an instance of SSMS using Universal Authentication to a single Microsoft Entra account. To log in as another Microsoft Entra account, you must use another instance of SSMS. (This restriction is limited to Active Directory Universal Authentication; you can log in to different servers using Active Directory Password Authentication, Active Directory Integrated Authentication, or SQL Server Authentication). - SSMS supports Active Directory Universal Authentication for Object Explorer, Query Editor, and Query Store visualization. - SSMS version 17.2 provides DacFx Wizard support for Export/Extract/Deploy Data database. Once a specific user is authenticated through the initial authentication dialog using Universal Authentication, the DacFx Wizard functions the same way it does for all other authentication methods. - The SSMS Table Designer doesn't support Universal Authentication. 
As a guest user, `steve@gmail.com` must check the box and add the AD domain name - The Active Directory Authentication Library (ADAL) version for Universal authentication was updated to its latest ADAL.dll 3.13.9 available released version. See [Active Directory Authentication Library 3.14.1](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). ## Next steps-For more information, see the [Connect to Synapse SQL with SQL Server Management Studio](get-started-ssms.md) article. +For more information, see the [Connect to Synapse SQL with SQL Server Management Studio](get-started-ssms.md) article. |
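Review bot: the grammar error in the "interactive method" hunk survives the rename: `+The interactive method is that also supports Microsoft Entra multifactor authentication (MFA) is:` should read `The interactive method, which also supports Microsoft Entra multifactor authentication (MFA), is:`. The rename is also incomplete in this file: the `+Beginning with [SSMS version 17]` line still says "imported into the current Active Directory from other Azure Active Directories", the unchanged line "Guest users include users invited from other Azure ADs" is left as is, the `+For example, if steve@gmail.com is invited to Azure AD contosotest` line keeps "Azure AD" while the rest of that sentence is renamed, and `+When the user is a native user of the Microsoft Entra ID linked to Azure Server` reads better as "of the Microsoft Entra tenant linked to". Either finish the rename in one pass or note in the PR that the `Active Directory - Universal with MFA` option names are intentionally kept because they are the literal SSMS UI strings.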
synapse-analytics | On Demand Workspace Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/on-demand-workspace-overview.md | Security can be enforced using: - Logins and users - Credentials to control access to storage accounts - Grant, deny, and revoke permissions per object level-- Azure Active Directory integration+- Microsoft Entra integration Supported T-SQL: In order to enable smooth experience for in place querying of data residing in f Serverless SQL pool offers mechanisms to secure access to your data. -### Azure Active Directory integration and multi-factor authentication +<a name='azure-active-directory-integration-and-multi-factor-authentication'></a> -Serverless SQL pool enables you to centrally manage identities of database user and other Microsoft services with [Azure Active Directory integration](/azure/azure-sql/database/authentication-aad-configure). This capability simplifies permission management and enhances security. Azure Active Directory (Azure AD) supports [multi-factor authentication](/azure/azure-sql/database/authentication-mfa-ssms-configure) (MFA) to increase data and application security while supporting a single sign-on process. +### Microsoft Entra integration and multi-factor authentication ++Serverless SQL pool enables you to centrally manage identities of database user and other Microsoft services with [Microsoft Entra integration](/azure/azure-sql/database/authentication-aad-configure). This capability simplifies permission management and enhances security. Microsoft Entra ID supports [multi-factor authentication](/azure/azure-sql/database/authentication-mfa-ssms-configure) (MFA) to increase data and application security while supporting a single sign-on process. #### Authentication Serverless SQL pool authentication refers to how users prove their identity when This authentication method uses a username and password. 
-- **Azure Active Directory Authentication**:+- **Microsoft Entra authentication**: - This authentication method uses identities managed by Azure Active Directory. For Azure AD users, multi-factor authentication can be enabled. Use Active Directory authentication (integrated security) [whenever possible](/sql/relational-databases/security/choose-an-authentication-mode?view=azure-sqldw-latest&preserve-view=true). + This authentication method uses identities managed by Microsoft Entra ID. For Microsoft Entra users, multi-factor authentication can be enabled. Use Active Directory authentication (integrated security) [whenever possible](/sql/relational-databases/security/choose-an-authentication-mode?view=azure-sqldw-latest&preserve-view=true). #### Authorization Authorization refers to what a user can do within a serverless SQL pool database If SQL Authentication is used, the SQL user exists only in serverless SQL pool and permissions are scoped to the objects in serverless SQL pool. Access to securable objects in other services (such as Azure Storage) can't be granted to SQL user directly since it only exists in scope of serverless SQL pool. The SQL user needs to use one of the [supported authorization types](develop-storage-files-storage-access-control.md#supported-storage-authorization-types) to access the files. -If Azure AD authentication is used, a user can sign in to serverless SQL pool and other services, like Azure Storage, and can grant permissions to the Azure AD user. +If Microsoft Entra authentication is used, a user can sign in to serverless SQL pool and other services, like Azure Storage, and can grant permissions to the Microsoft Entra user. ### Access to storage accounts A user that is logged into the serverless SQL pool service must be authorized to - **[Shared access signature (SAS)](develop-storage-files-storage-access-control.md?tabs=shared-access-signature)** provides delegated access to resources in storage account. 
With a SAS, you can grant clients access to resources in storage account, without sharing account keys. A SAS gives you granular control over the type of access you grant to clients who have the SAS: validity interval, granted permissions, acceptable IP address range, acceptable protocol (https/http). -- **[User Identity](develop-storage-files-storage-access-control.md?tabs=user-identity)** (also known as "pass-through") is an authorization type where the identity of the Azure AD user that logged into serverless SQL pool is used to authorize access to the data. Before accessing the data, Azure Storage administrator must grant permissions to Azure AD user for accessing the data. This authorization type uses the Azure AD user that logged into serverless SQL pool, therefore it's not supported for SQL user types.+- **[User Identity](develop-storage-files-storage-access-control.md?tabs=user-identity)** (also known as "pass-through") is an authorization type where the identity of the Microsoft Entra user that logged into serverless SQL pool is used to authorize access to the data. Before accessing the data, Azure Storage administrator must grant permissions to Microsoft Entra user for accessing the data. This authorization type uses the Microsoft Entra user that logged into serverless SQL pool, therefore it's not supported for SQL user types. - **[Workspace Identity](develop-storage-files-storage-access-control.md?tabs=managed-identity)** is an authorization type where the identity of the Synapse workspace is used to authorize access to the data. Before accessing the data, Azure Storage administrator must grant permissions to workspace identity for accessing the data. |
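Review bot: the authentication bullet hunk is only half renamed: `+ This authentication method uses identities managed by Microsoft Entra ID. ... Use Active Directory authentication (integrated security) [whenever possible]` still recommends "Active Directory authentication" in the sentence that matters most; suggest `Use Microsoft Entra authentication (integrated security) whenever possible`. This file also keeps the hyphenated "multi-factor authentication" in the new heading and body (`+### Microsoft Entra integration and multi-factor authentication`), whereas the mfa-authentication change in the same batch standardizes on "multifactor"; pick one spelling across the set.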
synapse-analytics | Overview Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/overview-features.md | Synapse SQL pools enable you to use built-in security features to secure your da | Feature | Dedicated | Serverless | | | | |-| **Logins** | N/A (only contained users are supported in databases) | Yes, server-level Azure AD and SQL logins are supported. | +| **Logins** | N/A (only contained users are supported in databases) | Yes, server-level Microsoft Entra ID and SQL logins are supported. | | **Users** | N/A (only contained users are supported in databases) | Yes, database users are supported. |-| **[Contained users](/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=azure-sqldw-latest&preserve-view=true)** | Yes. **Note:** only one Azure AD user can be unrestricted admin | No, the contained users are not supported. | +| **[Contained users](/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=azure-sqldw-latest&preserve-view=true)** | Yes. **Note:** only one Microsoft Entra user can be unrestricted admin | No, the contained users are not supported. | | **SQL username/password authentication**| Yes | Yes, users can access serverless SQL pool using their usernames and passwords. |-| **Azure Active Directory (Azure AD) authentication**| Yes, Azure AD users | Yes, Azure AD logins and users can access serverless SQL pools using their Azure AD identities. | -| **Storage Azure Active Directory (Azure AD) passthrough authentication** | Yes | Yes, [Azure AD passthrough authentication](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) is applicable to Azure AD logins. The identity of the Azure AD user is passed to the storage if a credential is not specified. Azure AD passthrough authentication is not available for the SQL users. 
| +| **Microsoft Entra authentication**| Yes, Microsoft Entra users | Yes, Microsoft Entra logins and users can access serverless SQL pools using their Microsoft Entra identities. | +| **Storage Microsoft Entra passthrough authentication** | Yes | Yes, [Microsoft Entra passthrough authentication](develop-storage-files-storage-access-control.md?tabs=user-identity#supported-storage-authorization-types) is applicable to Microsoft Entra logins. The identity of the Microsoft Entra user is passed to the storage if a credential is not specified. Microsoft Entra passthrough authentication is not available for the SQL users. | | **Storage shared access signature (SAS) token authentication** | No | Yes, using [DATABASE SCOPED CREDENTIAL](/sql/t-sql/statements/create-database-scoped-credential-transact-sql?view=azure-sqldw-latest&preserve-view=true) with [shared access signature token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#database-scoped-credential) in [EXTERNAL DATA SOURCE](/sql/t-sql/statements/create-external-data-source-transact-sql?view=azure-sqldw-latest&preserve-view=true) or instance-level [CREDENTIAL](/sql/t-sql/statements/create-credential-transact-sql?view=azure-sqldw-latest&preserve-view=true) with [shared access signature](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#server-level-credential). | | **Storage Access Key authentication** | Yes, using [DATABASE SCOPED CREDENTIAL](/sql/t-sql/statements/create-database-scoped-credential-transact-sql?view=azure-sqldw-latest&preserve-view=true) in [EXTERNAL DATA SOURCE](/sql/t-sql/statements/create-external-data-source-transact-sql?view=azure-sqldw-latest&preserve-view=true) | No, [use SAS token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#database-scoped-credential) instead of storage access key. 
| | **Storage [Managed Identity](../../data-factory/data-factory-service-identity.md?context=/azure/synapse-analytics/context/context&tabs=synapse-analytics) authentication** | Yes, using [Managed Service Identity Credential](/azure/azure-sql/database/vnet-service-endpoint-rule-overview?preserve-view=true&toc=%2fazure%2fsynapse-analytics%2ftoc.json&view=azure-sqldw-latest&preserve-view=true) | Yes, The query can access the storage using the workspace [Managed Identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#database-scoped-credential) credential. | |
synapse-analytics | Query Delta Lake Format | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/query-delta-lake-format.md | The [OPENROWSET](develop-openrowset.md) function enables you to read the content ### Read Delta Lake folder -The easiest way to see to the content of your `DELTA` file is to provide the file URL to the [OPENROWSET](develop-openrowset.md) function and specify `DELTA` format. If the file is publicly available or if your Azure AD identity can access this file, you should be able to see the content of the file using a query like the one shown in the following example: +The easiest way to see to the content of your `DELTA` file is to provide the file URL to the [OPENROWSET](develop-openrowset.md) function and specify `DELTA` format. If the file is publicly available or if your Microsoft Entra identity can access this file, you should be able to see the content of the file using a query like the one shown in the following example: ```sql SELECT TOP 10 * |
synapse-analytics | Query Json Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/query-json-files.md | The easiest way to see to the content of your JSON file is to provide the file U |{"date_rep":"2020-07-26","day":26,"month":7,"year":2020,"cases":4,"deaths":0,"geo_id":"AF"}| |{"date_rep":"2020-07-27","day":27,"month":7,"year":2020,"cases":8,"deaths":0,"geo_id":"AF"}| -If the file is publicly available, or if your Azure AD identity can access this file, you should see the content of the file using the query like the one shown in the following examples. +If the file is publicly available, or if your Microsoft Entra identity can access this file, you should see the content of the file using the query like the one shown in the following examples. ### Read JSON files |
synapse-analytics | Query Parquet Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/query-parquet-files.md | In this article, you'll learn how to write a query using serverless SQL pool tha ### Read parquet file -The easiest way to see to the content of your `PARQUET` file is to provide file URL to `OPENROWSET` function and specify parquet `FORMAT`. If the file is publicly available or if your Azure AD identity can access this file, you should be able to see the content of the file using the query like the one shown in the following example: +The easiest way to see to the content of your `PARQUET` file is to provide file URL to `OPENROWSET` function and specify parquet `FORMAT`. If the file is publicly available or if your Microsoft Entra identity can access this file, you should be able to see the content of the file using the query like the one shown in the following example: ```sql select top 10 * |
synapse-analytics | Query Single Csv File | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/query-single-csv-file.md | All of the above variations will be covered below. ### Read a csv file -The easiest way to see to the content of your `CSV` file is to provide file URL to `OPENROWSET` function, specify csv `FORMAT`, and 2.0 `PARSER_VERSION`. If the file is publicly available or if your Azure AD identity can access this file, you should be able to see the content of the file using the query like the one shown in the following example: +The easiest way to see to the content of your `CSV` file is to provide file URL to `OPENROWSET` function, specify csv `FORMAT`, and 2.0 `PARSER_VERSION`. If the file is publicly available or if your Microsoft Entra identity can access this file, you should be able to see the content of the file using the query like the one shown in the following example: ```sql select top 10 * |
synapse-analytics | Resources Self Help Sql On Demand | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/resources-self-help-sql-on-demand.md | Finally, make sure the appropriate roles are granted and have not been revoked. This error is caused by changing workspace customer managed key used for encryption. You can choose to re-encrypt all the data in the workspace with the latest version of the active key. To-re-encrypt, change the key in the Azure portal to a temporary key and then switch back to the key you wish to use for encryption. Learn here how to [manage the workspace keys](../security/workspaces-encryption.md#manage-the-workspace-customer-managed-key). -### Synapse serverless SQL pool is unavailable after transferring a subscription to a different Azure AD tenant +<a name='synapse-serverless-sql-pool-is-unavailable-after-transferring-a-subscription-to-a-different-azure-ad-tenant'></a> -If you moved a subscription to another Azure AD tenant, you might experience some issues with serverless SQL pool. Create a support ticket and Azure support will contact you to resolve the issue. +### Synapse serverless SQL pool is unavailable after transferring a subscription to a different Microsoft Entra tenant ++If you moved a subscription to another Microsoft Entra tenant, you might experience some issues with serverless SQL pool. Create a support ticket and Azure support will contact you to resolve the issue. ## Storage access -If you get errors while you try to access files in Azure storage, make sure that you have permission to access data. You should be able to access publicly available files. If you try to access data without credentials, make sure that your Azure Active Directory (Azure AD) identity can directly access the files. +If you get errors while you try to access files in Azure storage, make sure that you have permission to access data. You should be able to access publicly available files. 
If you try to access data without credentials, make sure that your Microsoft Entra identity can directly access the files. If you have a shared access signature key that you should use to access files, make sure that you created a [server-level](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#server-level-credential) or [database-scoped](develop-storage-files-storage-access-control.md?tabs=shared-access-signature#database-scoped-credential) credential that contains that credential. The credentials are required if you need to access data by using the workspace [managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#database-scoped-credential) and custom [service principal name (SPN)](develop-storage-files-storage-access-control.md?tabs=service-principal#database-scoped-credential). ### Can't read, list, or access files in Azure Data Lake Storage -If you use an Azure AD login without explicit credentials, make sure that your Azure AD identity can access the files in storage. To access the files, your Azure AD identity must have the **Blob Data Reader** permission, or permissions to **List** and **Read** [access control lists (ACL) in ADLS](../../storage/blobs/data-lake-storage-access-control-model.md). For more information, see [Query fails because file cannot be opened](#query-fails-because-file-cant-be-opened). +If you use a Microsoft Entra login without explicit credentials, make sure that your Microsoft Entra identity can access the files in storage. To access the files, your Microsoft Entra identity must have the **Blob Data Reader** permission, or permissions to **List** and **Read** [access control lists (ACL) in ADLS](../../storage/blobs/data-lake-storage-access-control-model.md). For more information, see [Query fails because file cannot be opened](#query-fails-because-file-cant-be-opened). 
If you access storage by using [credentials](develop-storage-files-storage-access-control.md#credentials), make sure that your [managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity) or [SPN](develop-storage-files-storage-access-control.md?tabs=service-principal) has the **Data Reader** or **Contributor role** or specific ACL permissions. If you used a [shared access signature token](develop-storage-files-storage-access-control.md?tabs=shared-access-signature), make sure that it has `rl` permission and that it hasn't expired. If you use a SQL login and the `OPENROWSET` function [without a data source](dev ### Query fails because file can't be opened -If your query fails with the error `File cannot be opened because it does not exist or it is used by another process` and you're sure that both files exist and aren't used by another process, serverless SQL pool can't access the file. This problem usually happens because your Azure AD identity doesn't have rights to access the file or because a firewall is blocking access to the file. +If your query fails with the error `File cannot be opened because it does not exist or it is used by another process` and you're sure that both files exist and aren't used by another process, serverless SQL pool can't access the file. This problem usually happens because your Microsoft Entra identity doesn't have rights to access the file or because a firewall is blocking access to the file. -By default, serverless SQL pool tries to access the file by using your Azure AD identity. To resolve this issue, you must have proper rights to access the file. The easiest way is to grant yourself a Storage Blob Data Contributor role on the storage account you're trying to query. +By default, serverless SQL pool tries to access the file by using your Microsoft Entra identity. To resolve this issue, you must have proper rights to access the file. 
The easiest way is to grant yourself a Storage Blob Data Contributor role on the storage account you're trying to query. For more information, see: -- [Azure AD access control for storage](../../storage/blobs/assign-azure-role-data-access.md)+- [Microsoft Entra ID access control for storage](../../storage/blobs/assign-azure-role-data-access.md) - [Control storage account access for serverless SQL pool in Synapse Analytics](develop-storage-files-storage-access-control.md) #### Alternative to Storage Blob Data Contributor role If you want to query data2.csv in this example, the following permissions are ne This error indicates that the user who's querying Azure Data Lake can't list the files in storage. There are several scenarios where this error might happen: -- The Azure AD user who's using [Azure AD pass-through authentication](develop-storage-files-storage-access-control.md?tabs=user-identity) doesn't have permission to list the files in Data Lake Storage.-- The Azure AD or SQL user who's reading data by using a [shared access signature key](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [workspace managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity) and that key or identity doesn't have permission to list the files in storage.+- The Microsoft Entra user who's using [Microsoft Entra pass-through authentication](develop-storage-files-storage-access-control.md?tabs=user-identity) doesn't have permission to list the files in Data Lake Storage. +- The Microsoft Entra ID or SQL user who's reading data by using a [shared access signature key](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [workspace managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity) and that key or identity doesn't have permission to list the files in storage. - The user who's accessing Dataverse data who doesn't have permission to query data in Dataverse. 
This scenario might happen if you use SQL users. - The user who's accessing Delta Lake might not have permission to read the Delta Lake transaction log. The easiest way to resolve this issue is to grant yourself the **Storage Blob Da For more information, see: -- [Azure AD access control for storage](../../storage/blobs/assign-azure-role-data-access.md)+- [Microsoft Entra ID access control for storage](../../storage/blobs/assign-azure-role-data-access.md) - [Control storage account access for serverless SQL pool in Synapse Analytics](develop-storage-files-storage-access-control.md) #### Content of Dataverse table can't be listed -If you are using the Azure Synapse Link for Dataverse to read the linked DataVerse tables, you need to use Azure AD account to access the linked data using the serverless SQL pool. For more information, see [Azure Synapse Link for Dataverse with Azure Data Lake](/powerapps/maker/data-platform/azure-synapse-link-data-lake). +If you are using the Azure Synapse Link for Dataverse to read the linked DataVerse tables, you need to use Microsoft Entra account to access the linked data using the serverless SQL pool. For more information, see [Azure Synapse Link for Dataverse with Azure Data Lake](/powerapps/maker/data-platform/azure-synapse-link-data-lake). If you try to use a SQL login to read an external table that is referencing the DataVerse table, you will get the following error: `External table '???' is not accessible because content of directory cannot be listed.` -Dataverse external tables always use Azure AD passthrough authentication. You *can't* configure them to use a [shared access signature key](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [workspace managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity). +Dataverse external tables always use Microsoft Entra passthrough authentication. 
You *can't* configure them to use a [shared access signature key](develop-storage-files-storage-access-control.md?tabs=shared-access-signature) or [workspace managed identity](develop-storage-files-storage-access-control.md?tabs=managed-identity). #### Content of Delta Lake transaction log can't be listed There are reasons why this error code can happen: #### [0x80070005](#tab/x80070005) -This error can occur when the authentication method is user identity, which is also known as Azure AD pass-through, and the Azure AD access token expires. This can happen if you are logging in for the first time after more than 90 days and at the same time you are inactive in the session for more than one hour. +This error can occur when the authentication method is user identity, which is also known as Microsoft Entra pass-through, and the Microsoft Entra access token expires. This can happen if you are logging in for the first time after more than 90 days and at the same time you are inactive in the session for more than one hour. The error message might also resemble: `File {path} cannot be opened because it does not exist or it is used by another process.` -- The Azure AD authentication token might be cached by the client applications. For example, Power BI caches the Azure AD token and reuses the same token for one hour. The long-running queries might fail if the token expires during execution.+- The Microsoft Entra authentication token might be cached by the client applications. For example, Power BI caches the Microsoft Entra token and reuses the same token for one hour. The long-running queries might fail if the token expires during execution. Consider the following mitigations: -- Restart the client application to obtain a new Azure AD token.+- Restart the client application to obtain a new Microsoft Entra token. #### [0x80070008](#tab/x80070008) To read or download a blob in the Archive tier, rehydrate it to an online tier. 
#### [0x80070057](#tab/x80070057) -This error can occur when the authentication method is user identity, which is also known as Azure AD pass-through, and the Azure AD access token expires. This can happen if you are logging in for the first time after more than 90 days and at the same time you are inactive in the session for more than one hour. +This error can occur when the authentication method is user identity, which is also known as Microsoft Entra pass-through, and the Microsoft Entra access token expires. This can happen if you are logging in for the first time after more than 90 days and at the same time you are inactive in the session for more than one hour. The error message might also resemble the following pattern: `File {path} cannot be opened because it does not exist or it is used by another process.` -- The Azure AD authentication token might be cached by the client applications. For example, Power BI caches an Azure AD token and reuses it for one hour. The long-running queries might fail if the token expires in the middle of execution.+- The Microsoft Entra authentication token might be cached by the client applications. For example, Power BI caches a Microsoft Entra token and reuses it for one hour. The long-running queries might fail if the token expires in the middle of execution. Consider the following mitigations to resolve the issue: -- Restart the client application to obtain a new Azure AD token.+- Restart the client application to obtain a new Microsoft Entra token. #### [0x80072EE7](#tab/x80072EE7) Here's the solution: WITH ( FORMAT_TYPE = PARQUET) ``` -### Can't create Azure AD login or user +<a name='cant-create-azure-ad-login-or-user'></a> ++### Can't create Microsoft Entra login or user -If you get an error while you're trying to create a new Azure AD login or user in a database, check the login you used to connect to your database. 
The login that's trying to create a new Azure AD user must have permission to access the Azure AD domain and check if the user exists. Be aware that: +If you get an error while you're trying to create a new Microsoft Entra login or user in a database, check the login you used to connect to your database. The login that's trying to create a new Microsoft Entra user must have permission to access the Microsoft Entra domain and check if the user exists. Be aware that: - SQL logins don't have this permission, so you'll always get this error if you use SQL authentication.-- If you use an Azure AD login to create new logins, check to see if you have permission to access the Azure AD domain.+- If you use a Microsoft Entra login to create new logins, check to see if you have permission to access the Microsoft Entra domain. ## Azure Cosmos DB If you created a Delta table in Spark, and it is not shown in the serverless SQL ## Lake database -The Lake database tables that are created using Spark or Synapse designer are automatically available in serverless SQL pool for querying. You can use serverless SQL pool to query the Parquet, CSV, and Delta Lake tables that are created using Spark pool, and add additional schemas, views, procedures, table-value functions, and Azure AD users in `db_datareader` role to your Lake database. Possible issues are listed in this section. +The Lake database tables that are created using Spark or Synapse designer are automatically available in serverless SQL pool for querying. You can use serverless SQL pool to query the Parquet, CSV, and Delta Lake tables that are created using Spark pool, and add additional schemas, views, procedures, table-value functions, and Microsoft Entra users in `db_datareader` role to your Lake database. Possible issues are listed in this section. 
### A table created in Spark is not available in serverless pool The Lake databases are replicated from the Apache Spark pool and managed by Apac Only the following operations are allowed in the Lake databases: - Creating, dropping, or altering views, procedures, and inline table-value functions (iTVF) in the **schemas other than `dbo`**. -- Creating and dropping the database users from Azure Active Directory.+- Creating and dropping the database users from Microsoft Entra ID. - Adding or removing database users from `db_datareader` schema. Other operations are not allowed in Lake databases. If a user can't access a lakehouse or Spark database, the user might not have pe ### SQL user can't access Dataverse tables -Dataverse tables access storage by using the caller's Azure AD identity. A SQL user with high permissions might try to select data from a table, but the table wouldn't be able to access Dataverse data. This scenario isn't supported. +Dataverse tables access storage by using the caller's Microsoft Entra identity. A SQL user with high permissions might try to select data from a table, but the table wouldn't be able to access Dataverse data. This scenario isn't supported. 
++<a name='azure-ad-service-principal-sign-in-failures-when-spi-creates-a-role-assignment'></a> -### Azure AD service principal sign-in failures when SPI creates a role assignment +### Microsoft Entra service principal sign-in failures when SPI creates a role assignment -If you want to create a role assignment for a service principal identifier (SPI) or Azure AD app by using another SPI, or you've already created one and it fails to sign in, you'll probably receive the following error: `Login error: Login failed for user '<token-identified principal>'.` +If you want to create a role assignment for a service principal identifier (SPI) or Microsoft Entra app by using another SPI, or you've already created one and it fails to sign in, you'll probably receive the following error: `Login error: Login failed for user '<token-identified principal>'.` For service principals, login should be created with an application ID as a security ID (SID) not with an object ID. There's a known limitation for service principals, which prevents Azure Synapse from fetching the application ID from Microsoft Graph when it creates a role assignment for another SPI or app. |
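Review bot: in the "There are several scenarios where this error might happen" list, the second `+` bullet reads "The Microsoft Entra ID or SQL user who's reading data" while the bullet directly above it reads "The Microsoft Entra user"; use "The Microsoft Entra or SQL user" so the two bullets agree.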
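Review bot: the `+` paragraph under "Content of Dataverse table can't be listed" says "you need to use Microsoft Entra account" (missing "a") and spells the product "DataVerse" although the heading spells it "Dataverse"; suggest "you need to use a Microsoft Entra account to access the linked Dataverse tables using the serverless SQL pool".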
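Review bot: the `+` text under `#### [0x80070057](#tab/x80070057)` is word-for-word the explanation already given under `#### [0x80070005](#tab/x80070005)` (token expiry after 90 days plus an hour of inactivity, Power BI caching the token for one hour, restart the client to obtain a new token); if the two error codes genuinely share a cause, say so once and point one tab at the other, and if they don't, the 0x80070057 tab needs its own description.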
synapse-analytics | Shared Databases Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/shared-databases-access-control.md | Title: How to set up access control on synchronized objects in serverless SQL pool -description: Authorize shared databases access to non-privileged Azure AD users in serverless SQL pool. +description: Authorize shared databases access to non-privileged Microsoft Entra users in serverless SQL pool. reviewer: vvasic-msft, jovanpop-msft, WilliamDAssafMSFT After executing the code script below, it will allow non-admin users to have ser > [!NOTE] > These statements should be executed on master database, as these are all server-level permissions. -After creating a login and granting permissions, users can run queries on top of the synchronized external tables. This mitigation can also be applied to Azure AD security groups. +After creating a login and granting permissions, users can run queries on top of the synchronized external tables. This mitigation can also be applied to Microsoft Entra security groups. More security on the objects can be managed through specific schemas and lock access to a specific schema. The workaround requires extra DDL. For this scenario, you can create new serverless database, schemas, and views that will point to the Spark tables data on ADLS. -Access to the data on storage account can be managed via [ACL](../../storage/blobs/data-lake-storage-access-control.md) or regular [Storage Blob Data Owner/Reader/Contributor roles](../../storage/blobs/data-lake-storage-access-control-model.md) for Azure AD users/groups. For Service Principals (Azure AD apps), make sure you use ACL setup. +Access to the data on storage account can be managed via [ACL](../../storage/blobs/data-lake-storage-access-control.md) or regular [Storage Blob Data Owner/Reader/Contributor roles](../../storage/blobs/data-lake-storage-access-control-model.md) for Microsoft Entra users/groups. 
For Service Principals (Microsoft Entra apps), make sure you use ACL setup. > [!NOTE] > - If you want to forbid using OPENROWSET on top of the data, you can use `DENY ADMINISTER BULK OPERATIONS to [login@contoso.com];` For more information, visit [DENY Server permissions](/sql/t-sql/statements/deny-server-permissions-transact-sql?view=sql-server-ver15#remarks&preserve-view=true). |
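Review bot: the `+` sentence "Access to the data on storage account can be managed via ACL ... for Microsoft Entra users/groups" and its continuation "make sure you use ACL setup" drop articles; suggest "Access to the data on the storage account" and "make sure you use an ACL setup". The `+` description line "Authorize shared databases access" should likewise read "shared database access".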
synapse-analytics | Sql Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/sql-authentication.md | Azure Synapse Analytics has two SQL form-factors that enable you to control your To authorize to Synapse SQL, you can use two authorization types: -- Azure Active Directory authorization+- Microsoft Entra authorization - SQL authorization -SQL authorization enables legacy applications to connect to Azure Synapse SQL in a familiar way. However, Azure Active Directory authentication allows you to centrally manage access to Azure Synapse resources, such as SQL pools. Azure Synapse Analytics supports disabling local authentication, such as SQL authentication, both during and after workspace creation. Once disabled, local authentication can be enabled at any time by authorized users. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](active-directory-authentication.md). +SQL authorization enables legacy applications to connect to Azure Synapse SQL in a familiar way. However, Microsoft Entra authentication allows you to centrally manage access to Azure Synapse resources, such as SQL pools. Azure Synapse Analytics supports disabling local authentication, such as SQL authentication, both during and after workspace creation. Once disabled, local authentication can be enabled at any time by authorized users. For more information on Microsoft Entra-only authentication, see [Disabling local authentication in Azure Synapse Analytics](active-directory-authentication.md). ## Administrative accounts There are two administrative accounts (**SQL admin username** and **SQL Active D - **SQL Active Directory admin** - One Azure Active Directory account, either an individual or security group account, can also be configured as an administrator. 
It's optional to configure an Azure AD administrator, but an Azure AD administrator **must** be configured if you want to use Azure AD accounts to connect to Synapse SQL. + One Microsoft Entra account, either an individual or security group account, can also be configured as an administrator. It's optional to configure a Microsoft Entra administrator, but a Microsoft Entra administrator **must** be configured if you want to use Microsoft Entra accounts to connect to Synapse SQL. - - The Azure Active Directory admin account controls access to dedicated SQL pools, while Synapse RBAC roles can be used to control access to serverless pools, for example, with the **Synapse Administrator** and **Synapse SQL Administrator** role. + - The Microsoft Entra admin account controls access to dedicated SQL pools, while Synapse RBAC roles can be used to control access to serverless pools, for example, with the **Synapse Administrator** and **Synapse SQL Administrator** role. The **SQL admin username** and **SQL Active Directory admin** accounts have the following characteristics: When using an open port in the server-level firewall, administrators can connect One of these administrative roles is the **dbmanager** role. Members of this role can create new databases. To use this role, you create a user in the `master` database and then add the user to the **dbmanager** database role. -To create a database, the user must be a user based on a SQL Server login in the `master` database or contained database user based on an Azure Active Directory user. +To create a database, the user must be a user based on a SQL Server login in the `master` database or contained database user based on a Microsoft Entra user. 1. Using an administrator account, connect to the `master` database. 2. Create a SQL Server authentication login, using the [CREATE LOGIN](/sql/t-sql/statements/create-login-transact-sql?view=azure-sqldw-latest&preserve-view=true) statement. 
Sample statement: To create a database, the user must be a user based on a SQL Server login in the To improve performance, logins (server-level principals) are temporarily cached at the database level. To refresh the authentication cache, see [DBCC FLUSHAUTHCACHE](/sql/t-sql/database-console-commands/dbcc-flushauthcache-transact-sql?view=azure-sqldw-latest&preserve-view=true). -3. Create a databases user by using the [CREATE USER](/sql/t-sql/statements/create-user-transact-sql?view=azure-sqldw-latest&preserve-view=true) statement. The user can be an Azure Active Directory authentication contained database user (if you've configured your environment for Azure AD authentication), or a SQL Server authentication contained database user, or a SQL Server authentication user based on a SQL Server authentication login (created in the previous step.) +3. Create a databases user by using the [CREATE USER](/sql/t-sql/statements/create-user-transact-sql?view=azure-sqldw-latest&preserve-view=true) statement. The user can be a Microsoft Entra authentication contained database user (if you've configured your environment for Microsoft Entra authentication), or a SQL Server authentication contained database user, or a SQL Server authentication user based on a SQL Server authentication login (created in the previous step.) Sample statements: - Create a user with Azure Active Directory: + Create a user with Microsoft Entra ID: ```sql CREATE USER [mike@contoso.com] FROM EXTERNAL PROVIDER; ``` The other administrative role is the login manager role. Members of this role ca Generally, non-administrator accounts don't need access to the `master` database. Create contained database users at the database level using the [CREATE USER (Transact-SQL)](/sql/t-sql/statements/create-user-transact-sql) statement. 
-The user can be an Azure Active Directory authentication contained database user (if you have configured your environment for Azure AD authentication), or a SQL Server authentication contained database user, or a SQL Server authentication user based on a SQL Server authentication login (created in the previous step.) +The user can be a Microsoft Entra authentication contained database user (if you have configured your environment for Microsoft Entra authentication), or a SQL Server authentication contained database user, or a SQL Server authentication user based on a SQL Server authentication login (created in the previous step.) To create users, connect to the database, and execute statements similar to the following examples: EXEC sp_addrolemember 'db_owner', 'Mary'; Efficient access management uses permissions assigned to groups and roles instead of individual users. -- When using Azure Active Directory authentication, put Azure Active Directory users into an Azure Active Directory group. Create a contained database user for the group. Place one or more database users into a [database role](/sql/relational-databases/security/authentication-access/database-level-roles?view=azure-sqldw-latest&preserve-view=true) and then assign [permissions](/sql/relational-databases/security/permissions-database-engine?view=azure-sqldw-latest&preserve-view=true) to the database role.+- When using Microsoft Entra authentication, put Microsoft Entra users into a Microsoft Entra group. Create a contained database user for the group. Place one or more database users into a [database role](/sql/relational-databases/security/authentication-access/database-level-roles?view=azure-sqldw-latest&preserve-view=true) and then assign [permissions](/sql/relational-databases/security/permissions-database-engine?view=azure-sqldw-latest&preserve-view=true) to the database role. - When using SQL Server authentication, create contained database users in the database. 
Place one or more database users into a [database role](/sql/relational-databases/security/authentication-access/database-level-roles?view=azure-sqldw-latest&preserve-view=true) and then assign [permissions](/sql/relational-databases/security/permissions-database-engine?view=azure-sqldw-latest&preserve-view=true) to the database role. When managing logins and users in SQL Database, consider the following points: - You must be connected to the `master` database when executing the `CREATE/ALTER/DROP DATABASE` statements. - The database user corresponding to the **Server admin** login can't be altered or dropped.-- **Server admin** will be disabled if Azure AD-only authentication is enabled.+- **Server admin** will be disabled if Microsoft Entra-only authentication is enabled. - US-English is the default language of the **Server admin** login.-- Only the administrators (**Server admin** login or Azure AD administrator) and the members of the **dbmanager** database role in the `master` database have permission to execute the `CREATE DATABASE` and `DROP DATABASE` statements.+- Only the administrators (**Server admin** login or Microsoft Entra administrator) and the members of the **dbmanager** database role in the `master` database have permission to execute the `CREATE DATABASE` and `DROP DATABASE` statements. - You must be connected to the `master` database when executing the `CREATE/ALTER/DROP LOGIN` statements. However, using logins is discouraged. Use contained database users instead. For more information, see [Contained Database Users - Making Your Database Portable](/sql/relational-databases/security/contained-database-users-making-your-database-portable). - To connect to a user database, you must provide the name of the database in the connection string. - Only the server-level principal login and the members of the **loginmanager** database role in the `master` database have permission to execute the `CREATE LOGIN`, `ALTER LOGIN`, and `DROP LOGIN` statements. 
- When executing the `CREATE/ALTER/DROP LOGIN` and `CREATE/ALTER/DROP DATABASE` statements in an ADO.NET application, using parameterized commands isn't allowed. For more information, see [Commands and Parameters](/dotnet/framework/data/adonet/commands-and-parameters). - When executing the `CREATE USER` statement with the `FOR/FROM LOGIN` option, it must be the only statement in a Transact-SQL batch. - When executing the `ALTER USER` statement with the `WITH LOGIN` option, it must be the only statement in a Transact-SQL batch.-- `CREATE/ALTER/DROP LOGIN` and `CREATE/ALTER/DROP USER` statements are not supported when Azure AD-only authentication is enabled for the Azure Synapse workspace.+- `CREATE/ALTER/DROP LOGIN` and `CREATE/ALTER/DROP USER` statements are not supported when Microsoft Entra-only authentication is enabled for the Azure Synapse workspace. - To `CREATE/ALTER/DROP` a user requires the `ALTER ANY USER` permission on the database. - When the owner of a database role tries to add or remove another database user to or from that database role, the following error may occur: **User or role 'Name' does not exist in this database.** This error occurs because the user isn't visible to the owner. To resolve this issue, grant the role owner the `VIEW DEFINITION` permission on the user. |
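Review bot: the `+` bullet lists "Microsoft Entra authorization" as one of "two authorization types", but the `+` paragraph directly below calls the same mechanism "Microsoft Entra authentication", and the rest of the article ("SQL authentication", "Microsoft Entra-only authentication") uses "authentication" as well; use "authentication" in the list and its lead sentence so the terminology matches.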
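Review bot: under the **SQL Active Directory admin** bullet, the `+` lines rename the body text to Microsoft Entra while the bolded account name and the later sentence "The **SQL admin username** and **SQL Active Directory admin** accounts" keep "Active Directory"; if that bold text is the portal label it should stay as is, otherwise it needs the same rename for consistency.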
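Review bot: the `+` line for step 3 keeps the typo "Create a databases user" and the misplaced period in "(created in the previous step.)", and the same parenthetical recurs in the `+` paragraph under "Create contained database users"; suggest "Create a database user" and "(created in the previous step)." in both places.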
synapse-analytics | Tutorial Logical Data Warehouse | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/sql/tutorial-logical-data-warehouse.md | CREATE EXTERNAL DATA SOURCE ecdc_cases WITH ( ); ``` -A caller may access data source without credential if an owner of data source allowed anonymous access or give explicit access to Azure AD identity of the caller. +A caller may access data source without credential if an owner of data source allowed anonymous access or give explicit access to Microsoft Entra identity of the caller. You can explicitly define a custom credential that will be used while accessing data on external data source. - [Managed Identity](develop-storage-files-storage-access-control.md?tabs=managed-identity) of the Synapse workspace To optimize performance, you should use the smallest possible types in the `WITH ## Access and permissions As a final step, you should create database users that should be able to access your LDW, and give them permissions to select data from the external tables and views.-In the following script you can see how to add a new user that will be authenticated using Azure AD identity: +In the following script you can see how to add a new user that will be authenticated using Microsoft Entra identity: ```sql CREATE USER [jovan@contoso.com] FROM EXTERNAL PROVIDER; GO ``` -Instead of Azure AD principals, you can create SQL principals that authenticate with the login name and password. +Instead of Microsoft Entra principals, you can create SQL principals that authenticate with the login name and password. ```sql CREATE LOGIN [jovan] WITH PASSWORD = 'My Very strong Password ! 1234'; |
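Review bot: the `+` sentence "A caller may access data source without credential if an owner of data source allowed anonymous access or give explicit access to Microsoft Entra identity of the caller" has a subject-verb mismatch and missing articles; suggest "A caller may access a data source without a credential if the owner of the data source allowed anonymous access or gave explicit access to the caller's Microsoft Entra identity."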
synapse-analytics | Connect Synapse Link Sql Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/synapse-link/connect-synapse-link-sql-database.md | This article is a step-by-step guide for getting started with Azure Synapse Link :::image type="content" source="../media/connect-synapse-link-sql-database/configure-network-firewall-sql-database.png" alt-text="Screenshot that shows how to configure firewalls for your SQL database by using the Azure portal."::: -1. Using Microsoft SQL Server Management Studio (SSMS) or Azure Data Studio, connect to the logical server. If you want to have your Azure Synapse workspace connect to your Azure SQL database by using a managed identity, set the Azure Active Directory admin permissions on the logical server. To apply the privileges in step 6, use the same admin name to connect to the logical server with administrative privileges. +1. Using Microsoft SQL Server Management Studio (SSMS) or Azure Data Studio, connect to the logical server. If you want to have your Azure Synapse workspace connect to your Azure SQL database by using a managed identity, set the Microsoft Entra admin permissions on the logical server. To apply the privileges in step 6, use the same admin name to connect to the logical server with administrative privileges. 1. Expand **Databases**, right-click the database you've created, and then select **New Query**. |
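Review bot: "set the Microsoft Entra admin permissions on the logical server" is vague about what to configure; the logical server setting is a single Microsoft Entra admin (a user or group), so suggest "configure a Microsoft Entra admin for the logical server", and make the follow-on sentence explicit that the identity used to connect in step 6 must be that admin, which is what "use the same admin name to connect to the logical server with administrative privileges" is trying to say.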
synapse-analytics | Synapse Link For Sql Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/synapse-link/synapse-link-for-sql-known-issues.md | The following sections list limitations for Azure Synapse Link for SQL. * Service principal isn't supported for authenticating to source Azure SQL DB, so when creating Azure SQL DB linked Service, choose SQL authentication, user-assigned managed identity (UAMI) or service assigned managed Identity (SAMI). * If the Azure SQL Database logical server has both a SAMI and UAMI configured, Azure Synapse Link uses SAMI. * Azure Synapse Link can't be enabled on the secondary database once a GeoDR failover has happened if the secondary database has a different name from the primary database.-* If you enable Azure Synapse Link for SQL on your database as a Microsoft Azure Active Directory (Azure AD) user, Point-in-time restore (PITR) will fail. PITR only works when you enable Azure Synapse Link for SQL on your database as a SQL user. -* If you create a database as an Azure AD user and enable Azure Synapse Link for SQL, a SQL authentication user (for example, even sysadmin role) won't be able to disable/make changes to Azure Synapse Link for SQL artifacts. However, another Azure AD user is able to enable/disable Azure Synapse Link for SQL on the same database. Similarly, if you create a database as an SQL authentication user, enabling/disabling Azure Synapse Link for SQL as an Azure AD user won't work. +* If you enable Azure Synapse Link for SQL on your database as a Microsoft Entra user, Point-in-time restore (PITR) will fail. PITR only works when you enable Azure Synapse Link for SQL on your database as a SQL user. +* If you create a database as a Microsoft Entra user and enable Azure Synapse Link for SQL, a SQL authentication user (for example, even sysadmin role) won't be able to disable/make changes to Azure Synapse Link for SQL artifacts. 
However, another Microsoft Entra user is able to enable/disable Azure Synapse Link for SQL on the same database. Similarly, if you create a database as an SQL authentication user, enabling/disabling Azure Synapse Link for SQL as a Microsoft Entra user won't work. * Cross-tenant data replication is not supported where an Azure SQL Database and the Azure Synapse workspace are in separate tenants. |
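Review bot: "(for example, even sysadmin role)" in the renamed bullet is awkward; suggest "(even a member of the sysadmin role, for example)". These two bullets describe the same Entra-user versus SQL-user limitation that the troubleshooting article in this same change set (`troubleshoot/troubleshoot-sql-azure-active-directory.md`) resolves by signing in with a Microsoft Entra database principal, so a link from here to that article would save readers a search.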
synapse-analytics | Troubleshoot Sql Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/synapse-link/troubleshoot/troubleshoot-sql-azure-active-directory.md | Title: Troubleshooting guide for Azure Synapse Link for Azure SQL Database and Azure Active Directory user impersonation -description: Learn how to troubleshoot user impersonation issues with Azure Synapse Link for Azure SQL Database and Azure Active Directory + Title: Troubleshooting guide for Azure Synapse Link for Azure SQL Database and Microsoft Entra user impersonation +description: Learn how to troubleshoot user impersonation issues with Azure Synapse Link for Azure SQL Database and Microsoft Entra ID -# Troubleshoot: Azure Synapse Link for Azure SQL Database and Azure Active Directory user impersonation +# Troubleshoot: Azure Synapse Link for Azure SQL Database and Microsoft Entra user impersonation -This article is a guide to troubleshoot Azure Synapse Link for Azure SQL Database and Azure Active Directory (Azure AD) user impersonation. This article applies only to databases in Azure SQL Database. +This article is a guide to troubleshoot Azure Synapse Link for Azure SQL Database and Microsoft Entra user impersonation. This article applies only to databases in Azure SQL Database. ## Symptom -If you create database using a login connected to Microsoft Azure Active Directory and then try to perform Azure Synapse Link database operations signed in with any SQL Authenticated principal, you will receive error messages due to an impersonation failure. The following sample errors are all a symptom of the same problem. +If you create database using a login connected to Microsoft Entra ID and then try to perform Azure Synapse Link database operations signed in with any SQL Authenticated principal, you will receive error messages due to an impersonation failure. The following sample errors are all a symptom of the same problem. 
| Database Operation | Sample Error | |:--|:--| If you create database using a login connected to Microsoft Azure Active Directo ## Resolution -Sign in to the Azure SQL Database with an Azure AD database principal. It doesn't have to be the same Azure AD account that created the database. +Sign in to the Azure SQL Database with a Microsoft Entra database principal. It doesn't have to be the same Microsoft Entra account that created the database. ## See also Sign in to the Azure SQL Database with an Azure AD database principal. It doesn' ## Next steps + - [Get started with Azure Synapse Link for Azure SQL Database](../connect-synapse-link-sql-database.md) |
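Review bot: "If you create database using a login connected to Microsoft Entra ID" in the Symptom paragraph is missing an article and is imprecise about the login; suggest "If you create a database using a login that authenticates with Microsoft Entra ID". The Resolution paragraph is clear as renamed; the only other change in this hunk, "## Next steps +", adds a blank line and needs no review.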
synapse-analytics | Troubleshoot Sql Link Creation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/synapse-link/troubleshoot/troubleshoot-sql-link-creation.md | Disable and re-enable the SAMI for the Azure SQL logical server. ## Next steps - [Get started with Azure Synapse Link for Azure SQL Database](../connect-synapse-link-sql-database.md)+ - [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) - [Azure Synapse Link for SQL FAQ](../faq.yml) - [Known limitations and issues with Azure Synapse Link for SQL](../synapse-link-for-sql-known-issues.md) - [sys.dm_change_feed_errors (Transact-SQL)](/sql/relational-databases/system-dynamic-management-views/sys-dm-change-feed-errors) |
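Review bot: the added link text "Managed identities in Microsoft Entra for Azure SQL" does not match its target, `authentication-azure-ad-user-assigned-managed-identity`, which covers user-assigned identities, while the paragraph above it talks about disabling and re-enabling the SAMI; suggest link text that names the actual topic, for example "User-assigned managed identity in Microsoft Entra for Azure SQL", or link the SAMI article if that is what the step refers to.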
synapse-analytics | Synapse Service Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/synapse-service-identity.md | This article helps you understand managed identity (formerly known as Managed Se ## Overview -Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Azure Active Directory (Azure AD) authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Azure AD tokens. +Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Microsoft Entra tokens. There are two types of supported managed identities: -- **System-assigned:** You can enable a managed identity directly on a service instance. When you allow a system-assigned managed identity during the creation of the service, an identity is created in Azure AD tied to that service instance's lifecycle. By design, only that Azure resource can use this identity to request tokens from Azure AD. So when the resource is deleted, Azure automatically deletes the identity for you. Azure Synapse Analytics requires that a system-assigned managed identity must be created along with the Synapse workspace.+- **System-assigned:** You can enable a managed identity directly on a service instance. 
When you allow a system-assigned managed identity during the creation of the service, an identity is created in Microsoft Entra tied to that service instance's lifecycle. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. So when the resource is deleted, Azure automatically deletes the identity for you. Azure Synapse Analytics requires that a system-assigned managed identity must be created along with the Synapse workspace. - **User-assigned:** You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md) and assign it to one or more instances of a Synapse workspace. In user-assigned managed identities, the identity is managed separately from the resources that use it. Managed identity provides the below benefits: IdentityType PrincipalId TenantId SystemAssigned cadadb30-XXXX-XXXX-XXXX-ef3500e2ff05 72f988bf-XXXX-XXXX-XXXX-2d7cd011db47 ``` -You can get the application ID by copying above principal ID, then running below Azure Active Directory command with principal ID as parameter. +You can get the application ID by copying above principal ID, then running below Microsoft Entra ID command with principal ID as parameter. ```powershell PS C:\> Get-AzADServicePrincipal -ObjectId cadadb30-XXXX-XXXX-XXXX-ef3500e2ff05 You can easily execute Synapse Spark Notebooks with the system assigned managed ## User-assigned managed identity -You can create, delete, manage user-assigned managed identities in Azure Active Directory. For more details refer to [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md). +You can create, delete, manage user-assigned managed identities in Microsoft Entra ID. 
For more details refer to [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md). In order to use a user-assigned managed identity, you must first [create credentials](../data-factory/credentials.md) in your service instance for the UAMI. |
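Review bot: "an identity is created in Microsoft Entra tied to that service instance's lifecycle" uses "Microsoft Entra" as a noun, while the same bullet later says "request tokens from Microsoft Entra ID"; use "Microsoft Entra ID" consistently where it is the subject. Also, "running below Microsoft Entra ID command with principal ID as parameter" mislabels `Get-AzADServicePrincipal`, which is an Az PowerShell cmdlet; suggest "running the following Az PowerShell cmdlet with the principal ID as the `-ObjectId` parameter".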
synapse-analytics | Troubleshoot Synapse Studio And Storage Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/troubleshoot/troubleshoot-synapse-studio-and-storage-connectivity.md | There might be several possible reasons behind this issue: You can use the command "nslookup \<storage-account-name\>.dfs.core.windows.net" to check the connectivity after the storage private endpoint is configured. It should return a string similar to: "\<storage-account-name\>.privatelink.dfs.core.windows.net". -### The storage resource is not behind a vNet but the Blob service (Azure AD) endpoint is not accessible due to firewall configured +<a name='the-storage-resource-is-not-behind-a-vnet-but-the-blob-service-azure-ad-endpoint-is-not-accessible-due-to-firewall-configured'></a> -**SOLUTION**: In this case, you need to open your storage account in the Azure portal. In the left navigation scroll down to **Support + troubleshooting** and select **Connectivity check** to check the **Blob service (Azure AD)** connectivity status. If it is not accessible, follow the promoted guide to check the **Firewalls and virtual networks** configuration under your storage account page. For more information about storage firewalls, see [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md). +### The storage resource is not behind a vNet but the Blob service (Microsoft Entra ID) endpoint is not accessible due to firewall configured ++**SOLUTION**: In this case, you need to open your storage account in the Azure portal. In the left navigation scroll down to **Support + troubleshooting** and select **Connectivity check** to check the **Blob service (Microsoft Entra ID)** connectivity status. If it is not accessible, follow the promoted guide to check the **Firewalls and virtual networks** configuration under your storage account page. 
For more information about storage firewalls, see [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md). ### Other issues to check You can use the command "nslookup \<storage-account-name\>.dfs.core.windows.net" ## Next steps-If the previous steps don't help to resolve your issue, [create a support ticket](../sql-data-warehouse/sql-data-warehouse-get-started-create-support-ticket.md). +If the previous steps don't help to resolve your issue, [create a support ticket](../sql-data-warehouse/sql-data-warehouse-get-started-create-support-ticket.md). |
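Review bot: the typo "follow the promoted guide" was carried into the `+` line; it should read "follow the prompted guide" (or "follow the guidance shown"). The unchanged `nslookup` instruction above quotes the command and its expected answer in plain quotation marks; putting `nslookup <storage-account-name>.dfs.core.windows.net` and `<storage-account-name>.privatelink.dfs.core.windows.net` in code formatting would match the rest of the article and keep the angle brackets from being misread.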
time-series-insights | Concepts Access Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/concepts-access-policies.md | -> Access Policies grant Azure AD Users and/or Groups Data Plane access to your Time Series Insights Environment. -> An Azure Active Directory is tied to a Tenant. So if you decide to move your Subscription between Tenants, make sure to follow the procedure +> Access Policies grant Microsoft Entra users and/or Groups Data Plane access to your Time Series Insights Environment. +> A Microsoft Entra ID is tied to a Tenant. So if you decide to move your Subscription between Tenants, make sure to follow the procedure > from [the section below](#procedure-for-when-the-subscription-is-moved-across-tenants). ## Sign in to Azure Time Series Insights Follow these steps to grant data access for a user principal. [![Verify the correct users and roles](media/data-access/data-access-verify-and-confirm-assignments.png)](media/data-access/data-access-verify-and-confirm-assignments.png#lightbox) -## Provide guest access from another Azure AD tenant +<a name='provide-guest-access-from-another-azure-ad-tenant'></a> -The `Guest` role isn't a management role. It's a term used for an account that's invited from one tenant to another. After the guest account is invited into the tenant's directory, it can have the same access control applied to it like any other account. You can grant management access to an Azure Time Series Insights Environment by using the Access Control (IAM) blade. Or you can grant access to the data in the environment through the Data Access Policies blade. For more information on Azure Active Directory (Azure AD) tenant guest access, read [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md). 
+## Provide guest access from another Microsoft Entra tenant -Follow these steps to grant guest access to an Azure Time Series Insights environment to an Azure AD user from another tenant. +The `Guest` role isn't a management role. It's a term used for an account that's invited from one tenant to another. After the guest account is invited into the tenant's directory, it can have the same access control applied to it like any other account. You can grant management access to an Azure Time Series Insights Environment by using the Access Control (IAM) blade. Or you can grant access to the data in the environment through the Data Access Policies blade. For more information on Microsoft Entra tenant guest access, read [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md). -1. Go to Azure portal, click on **Azure Active Directory**, scroll down on the **Overview** tab and then select **Guest user**. +Follow these steps to grant guest access to an Azure Time Series Insights environment to a Microsoft Entra user from another tenant. ++1. Go to Azure portal, click on **Microsoft Entra ID**, scroll down on the **Overview** tab and then select **Guest user**. [![Select Data Access Polices, then + Invite](media/data-access/data-access-invite-another-aad-tenant.png)](media/data-access/data-access-invite-another-aad-tenant.png#lightbox) -1. Enter the email address for the user you want to invite. This email address must be associated with Azure AD. You can optionally include a personal message with the invitation. +1. Enter the email address for the user you want to invite. This email address must be associated with Microsoft Entra ID. You can optionally include a personal message with the invitation. 
[![Enter the email address to find the selected user](media/data-access/data-access-invite-guest-by-email.png)](media/data-access/data-access-invite-guest-by-email.png#lightbox) Follow these steps to grant guest access to an Azure Time Series Insights enviro ## Procedure for when the Subscription is moved across Tenants -Time Series Insights Data Access Policies are backed by Azure Active Directory, which are tied to an Azure Tenant where the Subscription lives in. +Time Series Insights Data Access Policies are backed by Microsoft Entra ID, which are tied to an Azure Tenant where the Subscription lives in. -The Azure AD Objects that you grant Data Access Policies to and the the Time Series Insights Environment itself should live under the same Tenant. If not, these objects will not have access to the Environment. +The Microsoft Entra Objects that you grant Data Access Policies to and the the Time Series Insights Environment itself should live under the same Tenant. If not, these objects will not have access to the Environment. -If you plan to move the Subscription the Environment lives in to a different Tenant, you must ensure that the Data Access Policies are updated to reflect the Azure AD Objects under the new Tenant. +If you plan to move the Subscription the Environment lives in to a different Tenant, you must ensure that the Data Access Policies are updated to reflect the Microsoft Entra Objects under the new Tenant. To make this process smooth, follow the steps below. To make this process smooth, follow the steps below. 
Having Contributor access to the Subscription in the target Tenant, you can - Remove all the Data Access Policies that were migrated with the Environment, since they belong to the source Tenant.-- Re-grant Access Policies to the Environment using the steps above, now pointing to the Azure AD objects in the target Tenant.+- Re-grant Access Policies to the Environment using the steps above, now pointing to the Microsoft Entra objects in the target Tenant. ## Next steps -* Read [Authentication and Authorization](time-series-insights-authentication-and-authorization.md) for Azure Active Directory app registration steps. +* Read [Authentication and Authorization](time-series-insights-authentication-and-authorization.md) for Microsoft Entra app registration steps. * View [your environment in the Azure Time Series Insights Explorer](./concepts-ux-panels.md). |
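Review bot: the mechanical rename produced "A Microsoft Entra ID is tied to a Tenant", which reads as if "Microsoft Entra ID" were a countable object; the original meant the directory, so suggest "A Microsoft Entra tenant (directory) is tied to the Azure tenant the subscription lives in". Two more items in the `+` lines: "the the Time Series Insights Environment" has a duplicated word, and "backed by Microsoft Entra ID, which are tied to an Azure Tenant" should be "which is tied to".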
time-series-insights | Time Series Insights Authentication And Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/time-series-insights-authentication-and-authorization.md | -Depending on your business needs, your solution might include one or more client applications that you use to interact with your Azure Time Series Insights environment's [APIs](/rest/api/time-series-insights/reference-data-access-overview). Azure Time Series Insights performs authentication using [Azure AD Security Tokens based on OAUTH 2.0](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). To authenticate your client(s), you'll need to get a bearer token with the right permissions, and pass it along with your API calls. This document describes several methods for getting credentials that you can use to get a bearer token and authenticate, including using managed identity and Azure Active Directory app registration. +Depending on your business needs, your solution might include one or more client applications that you use to interact with your Azure Time Series Insights environment's [APIs](/rest/api/time-series-insights/reference-data-access-overview). Azure Time Series Insights performs authentication using [Microsoft Entra Security Tokens based on OAUTH 2.0](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). To authenticate your client(s), you'll need to get a bearer token with the right permissions, and pass it along with your API calls. This document describes several methods for getting credentials that you can use to get a bearer token and authenticate, including using managed identity and Microsoft Entra app registration. ## Managed identities -The following sections describe how to use a managed identity from Azure Active Directory (Azure AD) to access the Azure Time Series Insights API. 
On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. Here are some of the benefits of using Managed identities: +The following sections describe how to use a managed identity from Microsoft Entra ID to access the Azure Time Series Insights API. On Azure, managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Microsoft Entra ID and using it to obtain Microsoft Entra tokens. Here are some of the benefits of using Managed identities: - You don't need to manage credentials. Credentials are not even accessible to you.-- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication including Azure Key Vault.+- You can use managed identities to authenticate to any Azure service that supports Microsoft Entra authentication including Azure Key Vault. - Managed identities can be used without any additional cost. For more information on the two types of managed identities read [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md) You can use managed identities from your: See [Azure services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) for the complete list. -## Azure Active Directory app registration +<a name='azure-active-directory-app-registration'></a> -We recommend using managed identities whenever possible so that you don't need to manage credentials. If your client application is not hosted on an Azure service that supports managed identities you can register your application with an Azure AD tenant. 
When you register your application with Azure AD, you are creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the [Azure portal](https://portal.azure.com/), you choose whether it's a single tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants) and can optionally set a redirect URI (where the access token is sent to). +## Microsoft Entra app registration ++We recommend using managed identities whenever possible so that you don't need to manage credentials. If your client application is not hosted on an Azure service that supports managed identities you can register your application with a Microsoft Entra tenant. When you register your application with Microsoft Entra ID, you are creating an identity configuration for your application that allows it to integrate with Microsoft Entra ID. When you register an app in the [Azure portal](https://portal.azure.com/), you choose whether it's a single tenant (only accessible in your tenant) or multi-tenant (accessible in other tenants) and can optionally set a redirect URI (where the access token is sent to). When you've completed the app registration, you have a globally unique instance of the app (the application object) which lives within your home tenant or directory. You also have a globally unique ID for your app (the app or client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more. If you register an application in the portal, an application object as well as a Be sure to review the [Security](../active-directory/develop/identity-platform-integration-checklist.md#security) checklist for your application. As a best practice, you should use [certificate credentials](../active-directory/develop/active-directory-certificate-credentials.md), not password credentials (client secrets). 
-See [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md) for more details. +See [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md) for more details. ## Step 1: Create your managed identity or app registration Once you've identified whether you'll be using a managed identity or app registr ### Managed identity -The steps you'll use to create a managed identity will vary depending on where your code is located and whether or not you're creating a system assigned or user assigned identity. Read [Managed identity types](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) to understand the difference. Once you've selected your identity type, locate and follow the correct tutorial in the Azure AD-managed identities [documentation](../active-directory/managed-identities-azure-resources/index.yml). There you will find instructions for how to configure managed identities for: +The steps you'll use to create a managed identity will vary depending on where your code is located and whether or not you're creating a system assigned or user assigned identity. Read [Managed identity types](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) to understand the difference. Once you've selected your identity type, locate and follow the correct tutorial in the Microsoft Entra managed identities [documentation](../active-directory/managed-identities-azure-resources/index.yml). There you will find instructions for how to configure managed identities for: - [Azure VMs](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#enable-system-assigned-managed-identity-during-creation-of-a-vm) - [App Service and Azure Functions](../app-service/overview-managed-identity.md) |
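Review bot: "Microsoft Entra Security Tokens based on OAUTH 2.0" should be "OAuth 2.0", and "Security Tokens" need not be capitalized. Otherwise the renamed guidance is consistent, and the unchanged recommendation to use certificate credentials rather than client secrets remains the right default for the app-registration path.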
time-series-insights | Time Series Insights Customer Data Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/time-series-insights-customer-data-requests.md | To view, export, and delete personal data that may be subject to a data subject ## Identifying customer data -Azure Time Series Insights considers personal data to be data associated with administrators and users of Time Series Insights. Time Series Insights stores the Azure Active Directory object-ID of users with access to the environment. The Azure portal displays user email addresses, but these email addresses are not stored within Time Series Insights, they are dynamically looked up using the Azure Active Directory object-ID in Azure Active Directory. +Azure Time Series Insights considers personal data to be data associated with administrators and users of Time Series Insights. Time Series Insights stores the Microsoft Entra object-ID of users with access to the environment. The Azure portal displays user email addresses, but these email addresses are not stored within Time Series Insights, they are dynamically looked up using the Microsoft Entra object-ID in Microsoft Entra ID. ## Deleting customer data For more information, read [Configuring retention in Time Series Insights](time- * View the [Azure Time Series Insights explorer](time-series-insights-explorer.md). -* Learn about [Configuring retention in Time Series Insights](time-series-insights-how-to-configure-retention.md). +* Learn about [Configuring retention in Time Series Insights](time-series-insights-how-to-configure-retention.md). |
time-series-insights | Time Series Insights Manage Reference Data Csharp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/time-series-insights-manage-reference-data-csharp.md | -This article demonstrates how to combine C#, [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), and Azure Active Directory to make programmatic API requests to the Azure Time Series Insights Gen 1 [Reference Data Management API](/rest/api/time-series-insights/gen1-reference-data-api). +This article demonstrates how to combine C#, [MSAL.NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet), and Microsoft Entra ID to make programmatic API requests to the Azure Time Series Insights Gen 1 [Reference Data Management API](/rest/api/time-series-insights/gen1-reference-data-api). > [!TIP] > View GA C# code samples at [https://github.com/Azure-Samples/Azure-Time-Series-Insights](https://github.com/Azure-Samples/Azure-Time-Series-Insights/tree/master/gen1-sample/csharp-tsi-gen1-sample). Complete the following steps before you compile and run the sample code: | | | | uuid | String | -1. Configure your Azure Time Series Insights environment for Azure Active Directory as described in [Authentication and authorization](time-series-insights-authentication-and-authorization.md). Use `http://localhost:8080/` as the **Redirect URI**. +1. Configure your Azure Time Series Insights environment for Microsoft Entra ID as described in [Authentication and authorization](time-series-insights-authentication-and-authorization.md). Use `http://localhost:8080/` as the **Redirect URI**. 1. Install the required project dependencies. |
time-series-insights | Time Series Insights Manage Resources Using Azure Resource Manager Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/time-series-insights-manage-resources-using-azure-resource-manager-template.md | The following procedure describes how to use PowerShell to deploy an Azure Resou | eventSourceDisplayName | An optional friendly name to show in tooling or user interfaces instead of the event source name. | | eventSourceTimestampPropertyName | The event property that will be used as the event source's timestamp. If a value isn't specified for timestampPropertyName, or if null or empty-string is specified, the event creation time will be used. | | eventSourceKeyName | The name of the shared access key that the Azure Time Series Insights service will use to connect to the event hub. |- | accessPolicyReaderObjectIds | A list of object IDs of the users or applications in Azure AD that should have Reader access to the environment. The service principal objectId can be obtained by calling the **Get-AzADUser** or the **Get-AzADServicePrincipal** cmdlets. Creating an access policy for Azure AD groups is not yet supported. | - | accessPolicyContributorObjectIds | A list of object IDs of the users or applications in Azure AD that should have Contributor access to the environment. The service principal objectId can be obtained by calling the **Get-AzADUser** or the **Get-AzADServicePrincipal** cmdlets. Creating an access policy for Azure AD groups is not yet supported. | + | accessPolicyReaderObjectIds | A list of object IDs of the users or applications in Microsoft Entra ID that should have Reader access to the environment. The service principal objectId can be obtained by calling the **Get-AzADUser** or the **Get-AzADServicePrincipal** cmdlets. Creating an access policy for Microsoft Entra groups is not yet supported. 
| + | accessPolicyContributorObjectIds | A list of object IDs of the users or applications in Microsoft Entra ID that should have Contributor access to the environment. The service principal objectId can be obtained by calling the **Get-AzADUser** or the **Get-AzADServicePrincipal** cmdlets. Creating an access policy for Microsoft Entra groups is not yet supported. | - As an example, the following parameters file would be used to create an environment and an event source that reads events from an existing event hub. It also creates two access policies that grant Contributor access to the environment. |
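Review bot: in both `+` parameter rows the sentence "The service principal objectId can be obtained by calling the **Get-AzADUser** or the **Get-AzADServicePrincipal** cmdlets" conflates two object types; Get-AzADUser returns user objects and Get-AzADServicePrincipal returns service principals, so only the second yields a service principal object ID. Suggest: "Get the object ID with **Get-AzADUser** for a user, or **Get-AzADServicePrincipal** for an application's service principal." The trailing sentence "It also creates two access policies that grant Contributor access to the environment" also deserves a least-privilege remark: readers who copy the example end up with two write-capable principals even though accessPolicyReaderObjectIds exists for the read-only case.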
time-series-insights | Time Series Insights Query Data Csharp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/time-series-insights-query-data-csharp.md | This C# example demonstrates how to use the [Gen1 Query APIs](/rest/api/time-ser The sample code below demonstrates the following features: -* How to acquire an access token through Azure Active Directory using [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). +* How to acquire an access token through Microsoft Entra ID using [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). * How to pass that acquired access token in the `Authorization` header of subsequent Query API requests. The sample code below demonstrates the following features: Complete the following steps before you compile and run the sample code: 1. [Provision a Gen1 Azure Time Series Insights](./time-series-insights-get-started.md) environment.-1. Configure your Azure Time Series Insights environment for Azure Active Directory as described in [Authentication and authorization](time-series-insights-authentication-and-authorization.md). +1. Configure your Azure Time Series Insights environment for Microsoft Entra ID as described in [Authentication and authorization](time-series-insights-authentication-and-authorization.md). 1. Install the required project dependencies. 1. Edit the sample code below by replacing each **#DUMMY#** with the appropriate environment identifier. 1. Execute the code inside Visual Studio. Please refer to the [Azure Time Series Insights](https://github.com/Azure-Sample * To learn more about querying, read the [Query API reference](/rest/api/time-series-insights/gen1-query-api). 
* Read how to [connect a JavaScript app using the client SDK](https://github.com/microsoft/tsiclient) to Time Series Insights.-Azure-Samples/Azure-Time-Series-Insights/gen1-sample/csharp-tsi-gen1-sample/Program.cs +Azure-Samples/Azure-Time-Series-Insights/gen1-sample/csharp-tsi-gen1-sample/Program.cs |
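Review bot: the `+` bullet "How to acquire an access token through Microsoft Entra ID using Microsoft.IdentityModel.Clients.ActiveDirectory" renames the directory but keeps the sample on ADAL, a library that is out of support, while the Gen1 reference-data article on this same page already points at MSAL.NET. Suggest updating the bullet (and the linked Program.cs) to MSAL.NET, or at minimum marking the ADAL link as deprecated so new readers don't wire it into fresh code.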
time-series-insights | Time Series Insights Update Query Data Csharp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/time-series-insights/time-series-insights-update-query-data-csharp.md | This C# example demonstrates how to query data from the [Gen2 Data Access APIs]( The sample code below demonstrates the following features: * Support for SDK auto-generation from [Azure AutoRest](https://github.com/Azure/AutoRest).-* How to acquire an access token through Azure Active Directory using [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). +* How to acquire an access token through Microsoft Entra ID using [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). * How to pass that acquired access token in the `Authorization` header of subsequent Data Access API requests. * The sample provides a console interface demonstrating how HTTP requests are made to the following: * [Gen2 Environments API](/rest/api/time-series-insights/reference-environments-apis) The sample code below demonstrates the following features: Complete the following steps before you compile and run the sample code: 1. [Provision a Gen2 Azure Time Series Insights](./how-to-create-environment-using-portal.md) environment.-1. Configure your Azure Time Series Insights environment for Azure Active Directory as described in [Authentication and authorization](time-series-insights-authentication-and-authorization.md). +1. Configure your Azure Time Series Insights environment for Microsoft Entra ID as described in [Authentication and authorization](time-series-insights-authentication-and-authorization.md). 1. 
Run the [GenerateCode.bat](https://github.com/Azure-Samples/Azure-Time-Series-Insights/blob/master/gen2-sample/csharp-tsi-gen2-sample/DataPlaneClient/GenerateCode.bat) as specified in the [Readme.md](https://github.com/Azure-Samples/Azure-Time-Series-Insights/blob/master/gen2-sample/csharp-tsi-gen2-sample/DataPlaneClient/Readme.md) to generate the Azure Time Series Insights Gen2 client dependencies. 1. Open the `TSIPreviewDataPlaneclient.sln` solution and set `DataPlaneClientSampleApp` as the default project in Visual Studio. 1. Install the required project dependencies using the steps described [below](#project-dependencies) and compile the example to an executable `.exe` file. Please refer to the [Azure Time Series Insights](https://github.com/Azure-Sample * To learn more about querying, read the [Query API reference](/rest/api/time-series-insights/reference-query-apis). -* Read how to [connect a JavaScript app using the client SDK](https://github.com/microsoft/tsiclient) to Azure Time Series Insights. +* Read how to [connect a JavaScript app using the client SDK](https://github.com/microsoft/tsiclient) to Azure Time Series Insights. |
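Review bot: the Gen2 sample carries the same dependency as the Gen1 query sample above: the `+` bullet for token acquisition still links Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL), which is out of support, so a rename-only edit leaves the documented path on a deprecated library. Since the AutoRest-generated client only consumes the token passed in the `Authorization` header, the acquisition library can be swapped without touching the generated code; suggest pointing the bullet at MSAL.NET.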
virtual-desktop | Add Session Hosts Host Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/add-session-hosts-host-pool.md | Review the [Prerequisites for Azure Virtual Desktop](prerequisites.md) for a gen - An existing host pool. -- If you have existing session hosts in the host pool, make a note of the virtual machine size, the image, and name prefix that was used. All session hosts in a host pool should be the same configuration, including the same identity provider. For example, a host pool shouldn't contain some session hosts joined to Azure AD and some session hosts joined to an Active Directory domain.+- If you have existing session hosts in the host pool, make a note of the virtual machine size, the image, and name prefix that was used. All session hosts in a host pool should be the same configuration, including the same identity provider. For example, a host pool shouldn't contain some session hosts joined to Microsoft Entra ID and some session hosts joined to an Active Directory domain. - The Azure account you use must have the following built-in role-based access control (RBAC) roles as a minimum on the resource group: Review the [Prerequisites for Azure Virtual Desktop](prerequisites.md) for a gen - If you want to use Azure CLI or Azure PowerShell locally, see [Use Azure CLI and Azure PowerShell with Azure Virtual Desktop](cli-powershell.md) to make sure you have the [desktopvirtualization](/cli/azure/desktopvirtualization) Azure CLI extension or the [Az.DesktopVirtualization](/powershell/module/az.desktopvirtualization) PowerShell module installed. Alternatively, use the [Azure Cloud Shell](../cloud-shell/overview.md). > [!IMPORTANT]-> If you want to create Azure Active Directory-joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. 
+> If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. ## Generate a registration key Here's how to create session hosts and register them to a host pool using the Az | Parameter | Value/Description | |--|--| | Resource group | This automatically defaults to the same resource group as your host pool, but you can select an alternative existing one from the drop-down list. |- | Name prefix | Enter a name for your session hosts, for example **aad-hp01-sh**.<br /><br />This will be used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example **aad-hp01-sh-0**.<br /><br />This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. | + | Name prefix | Enter a name for your session hosts, for example **me-id-hp01-sh**.<br /><br />This will be used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example **me-id-hp01-sh-0**.<br /><br />This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. | | Virtual machine location | Select the Azure region where your session host VMs will be deployed. This must be the same region that your virtual network is in. | | Availability options | Select from **[availability zones](../reliability/availability-zones-overview.md)**, **[availability set](../virtual-machines/availability-set-overview.md)**, or **No infrastructure dependency required**. If you select availability zones or availability set, complete the extra parameters that appear. 
| | Security type | Select from **Standard**, **[Trusted launch virtual machines](../virtual-machines/trusted-launch.md)**, or **[Confidential virtual machines](../confidential-computing/confidential-vm-overview.md)**.<br /><br />- If you select **Trusted launch virtual machines**, options for **secure boot** and **vTPM** are automatically selected.<br /><br />- If you select **Confidential virtual machines**, options for **secure boot**, **vTPM**, and **integrity monitoring** are automatically selected. You can't opt out of vTPM when using a confidential VM. | Here's how to create session hosts and register them to a host pool using the Az | Network security group | Select whether you want to use a network security group (NSG).<br /><br />- **Basic** will create a new NSG for the VM NIC.<br /><br />- **Advanced** enables you to select an existing NSG. | | Public inbound ports | We recommend you select **No**. | | **Domain to join** | |- | Select which directory you would like to join | Select from **Azure Active Directory** or **Active Directory** and complete the relevant parameters for the option you select.<br /><br />To learn more about joining session hosts to Azure AD, see [Azure AD-joined session hosts](azure-ad-joined-session-hosts.md). | + | Select which directory you would like to join | Select from **Microsoft Entra ID** or **Active Directory** and complete the relevant parameters for the option you select.<br /><br />To learn more about joining session hosts to Microsoft Entra ID, see [Microsoft Entra joined session hosts](azure-ad-joined-session-hosts.md). | | **Virtual Machine Administrator account** | | | Username | Enter a name to use as the local administrator account for the new session host VMs. | | Password | Enter a password for the local administrator account. | Select the relevant tab for your scenario and follow the steps. # [GUI](#tab/gui) -1. 
Make sure the virtual machines you want to use as session hosts are joined to Azure Active Directory or an Active Directory domain (AD DS or Azure AD DS). +1. Make sure the virtual machines you want to use as session hosts are joined to Microsoft Entra ID or an Active Directory domain (AD DS or Microsoft Entra Domain Services). 1. If your virtual machines are running a Windows Server OS, you'll need to install the *Remote Desktop Session Host* role, then restart the virtual machine. For more information, see [Install roles, role services, and features by using the add Roles and Features Wizard](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard). Using `msiexec` enables you to install the agent and boot loader from the comman > [!IMPORTANT] > In the following examples, you'll need to change the `<placeholder>` values for your own. -1. Make sure the virtual machines you want to use as session hosts are joined to Azure Active Directory or an Active Directory domain (AD DS or Azure AD DS). +1. Make sure the virtual machines you want to use as session hosts are joined to Microsoft Entra ID or an Active Directory domain (AD DS or Microsoft Entra Domain Services). 1. If your virtual machines are running a Windows Server OS, you'll need to install the *Remote Desktop Session Host* role by running the following command as an administrator, which will also restart the virtual machines: |
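Review bot: the `+` IMPORTANT callout "If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal" reads as a blanket restriction, yet the GUI and msiexec steps later in the same hunk open with "Make sure the virtual machines you want to use as session hosts are joined to Microsoft Entra ID or an Active Directory domain", so Entra joined VMs clearly can be registered by hand. Suggest scoping the callout to VM creation by the service (portal-only when Azure Virtual Desktop creates and joins the VMs; existing Entra joined VMs can still be registered with the agent) so the two sections don't appear to contradict each other. The IMPORTANT note on `<placeholder>` values would also be the natural place to say the registration key is a secret that authorizes any VM to join the host pool and shouldn't be left in scripts or shell history.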
virtual-desktop | Administrative Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/administrative-template.md | +- Intune, which enables you to centrally configure session hosts that are enrolled in Intune and joined to Microsoft Entra ID or Microsoft Entra hybrid joined. - Group Policy with Active Directory (AD), which enables you to centrally configure session hosts that are joined to an AD domain. |
virtual-desktop | App Attach File Share | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/app-attach-file-share.md | To assign session hosts VMs permissions for the storage account and file share: 2. Add the computer accounts for all session hosts VMs as members of the group. -3. Sync the AD DS group to Azure Active Directory (Azure AD). +3. Sync the AD DS group to Microsoft Entra ID. 4. Create a storage account. |
virtual-desktop | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/authentication.md | In this article, we'll give you a brief overview of what kinds of identities and Azure Virtual Desktop supports different types of identities depending on which configuration you choose. This section explains which identities you can use for each configuration. >[!IMPORTANT]->Azure Virtual Desktop doesn't support signing in to Azure AD with one user account, then signing in to Windows with a separate user account. Signing in with two different accounts at the same time can lead to users reconnecting to the wrong session host, incorrect or missing information in the Azure portal, and error messages appearing while using MSIX app attach. +>Azure Virtual Desktop doesn't support signing in to Microsoft Entra ID with one user account, then signing in to Windows with a separate user account. Signing in with two different accounts at the same time can lead to users reconnecting to the wrong session host, incorrect or missing information in the Azure portal, and error messages appearing while using MSIX app attach. ### On-premises identity -Since users must be discoverable through Azure Active Directory (Azure AD) to access the Azure Virtual Desktop, user identities that exist only in Active Directory Domain Services (AD DS) aren't supported. This includes standalone Active Directory deployments with Active Directory Federation Services (AD FS). +Since users must be discoverable through Microsoft Entra ID to access the Azure Virtual Desktop, user identities that exist only in Active Directory Domain Services (AD DS) aren't supported. This includes standalone Active Directory deployments with Active Directory Federation Services (AD FS). ### Hybrid identity -Azure Virtual Desktop supports [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md) through Azure AD, including those federated using AD FS. 
You can manage these user identities in AD DS and sync them to Azure AD using [Azure AD Connect](../active-directory/hybrid/whatis-azure-ad-connect.md). You can also use Azure AD to manage these identities and sync them to [Azure AD Domain Services (Azure AD DS)](../active-directory-domain-services/overview.md). +Azure Virtual Desktop supports [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md) through Microsoft Entra ID, including those federated using AD FS. You can manage these user identities in AD DS and sync them to Microsoft Entra ID using [Microsoft Entra Connect](../active-directory/hybrid/whatis-azure-ad-connect.md). You can also use Microsoft Entra ID to manage these identities and sync them to [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md). -When accessing Azure Virtual Desktop using hybrid identities, sometimes the User Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and Azure AD don't match. For example, the AD account user@contoso.local may correspond to user@contoso.com in Azure AD. Azure Virtual Desktop only supports this type of configuration if either the UPN or SID for both your AD and Azure AD accounts match. SID refers to the user object property "ObjectSID" in AD and "OnPremisesSecurityIdentifier" in Azure AD. +When accessing Azure Virtual Desktop using hybrid identities, sometimes the User Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and Microsoft Entra ID don't match. For example, the AD account user@contoso.local may correspond to user@contoso.com in Microsoft Entra ID. Azure Virtual Desktop only supports this type of configuration if either the UPN or SID for both your AD and Microsoft Entra accounts match. SID refers to the user object property "ObjectSID" in AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID. 
### Cloud-only identity -Azure Virtual Desktop supports cloud-only identities when using [Azure AD joined VMs](deploy-azure-ad-joined-vm.md). These users are created and managed directly in Azure AD. +Azure Virtual Desktop supports cloud-only identities when using [Microsoft Entra joined VMs](deploy-azure-ad-joined-vm.md). These users are created and managed directly in Microsoft Entra ID. >[!NOTE]->You can also assign hybrid identities to Azure Virtual Desktop Application groups that host Session hosts of join type Azure AD joined. +>You can also assign hybrid identities to Azure Virtual Desktop Application groups that host Session hosts of join type Microsoft Entra joined. ### Third-party identity providers -If you're using an Identity Provider (IdP) other than Azure AD to manage your user accounts, you must ensure that: +If you're using an Identity Provider (IdP) other than Microsoft Entra ID to manage your user accounts, you must ensure that: -- Your IdP is [federated with Azure AD](../active-directory/devices/azureadjoin-plan.md#federated-environment).-- Your session hosts are Azure AD-joined or [Hybrid Azure AD-joined](../active-directory/devices/hybrid-join-plan.md).-- You enable [Azure AD authentication](configure-single-sign-on.md) to the session host.+- Your IdP is [federated with Microsoft Entra ID](../active-directory/devices/azureadjoin-plan.md#federated-environment). +- Your session hosts are Microsoft Entra joined or [Microsoft Entra hybrid joined](../active-directory/devices/hybrid-join-plan.md). +- You enable [Microsoft Entra authentication](configure-single-sign-on.md) to the session host. ### External identity Azure Virtual Desktop currently doesn't support [external identities](../active- ## Service authentication -To access Azure Virtual Desktop resources, you must first authenticate to the service by signing in with an Azure AD account. 
Authentication happens whenever you subscribe to a workspace to retrieve your resources and connect to apps or desktops. You can use [third-party identity providers](../active-directory/devices/azureadjoin-plan.md#federated-environment) as long as they federate with Azure AD. +To access Azure Virtual Desktop resources, you must first authenticate to the service by signing in with a Microsoft Entra account. Authentication happens whenever you subscribe to a workspace to retrieve your resources and connect to apps or desktops. You can use [third-party identity providers](../active-directory/devices/azureadjoin-plan.md#federated-environment) as long as they federate with Microsoft Entra ID. -### Multi-factor authentication +<a name='multi-factor-authentication'></a> -Follow the instructions in [Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) to learn how to enforce Azure AD Multi-Factor Authentication for your deployment. That article will also tell you how to configure how often your users are prompted to enter their credentials. When deploying Azure AD-joined VMs, note the extra steps for [Azure AD-joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms). +### Multifactor authentication ++Follow the instructions in [Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) to learn how to enforce Microsoft Entra multifactor authentication for your deployment. That article will also tell you how to configure how often your users are prompted to enter their credentials. When deploying Microsoft Entra joined VMs, note the extra steps for [Microsoft Entra joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms). 
### Passwordless authentication -You can use any authentication type supported by Azure AD, such as [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) and other [passwordless authentication options](../active-directory/authentication/concept-authentication-passwordless.md) (for example, FIDO keys), to authenticate to the service. +You can use any authentication type supported by Microsoft Entra ID, such as [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) and other [passwordless authentication options](../active-directory/authentication/concept-authentication-passwordless.md) (for example, FIDO keys), to authenticate to the service. ### Smart card authentication -To use a smart card to authenticate to Azure AD, you must first [configure AD FS for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) or [configure Azure AD certificate-based authentication](../active-directory/authentication/concept-certificate-based-authentication.md). +To use a smart card to authenticate to Microsoft Entra ID, you must first [configure AD FS for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) or [configure Microsoft Entra certificate-based authentication](../active-directory/authentication/concept-certificate-based-authentication.md). 
## Session host authentication If you haven't already enabled [single sign-on](#single-sign-on-sso) or saved yo |Client |Supported authentication type(s) | |||-|Windows Desktop client | Username and password <br>Smart card <br>[Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) <br>[Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) <br>[Azure AD authentication](configure-single-sign-on.md) | -|Azure Virtual Desktop Store app | Username and password <br>Smart card <br>[Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) <br>[Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) <br>[Azure AD authentication](configure-single-sign-on.md) | +|Windows Desktop client | Username and password <br>Smart card <br>[Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) <br>[Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) <br>[Microsoft Entra authentication](configure-single-sign-on.md) | +|Azure Virtual Desktop Store app | Username and password <br>Smart card <br>[Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) <br>[Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) <br>[Microsoft Entra authentication](configure-single-sign-on.md) | |Remote Desktop app | Username and password | |Web client | Username and password | |Android client | Username and password | If you haven't already enabled [single 
sign-on](#single-sign-on-sso) or saved yo ### Single sign-on (SSO) -SSO allows the connection to skip the session host credential prompt and automatically sign the user in to Windows. For session hosts that are Azure AD-joined or Hybrid Azure AD-joined, it's recommended to enable [SSO using Azure AD authentication](configure-single-sign-on.md). Azure AD authentication provides other benefits including passwordless authentication and support for third-party identity providers. +SSO allows the connection to skip the session host credential prompt and automatically sign the user in to Windows. For session hosts that are Microsoft Entra joined or Microsoft Entra hybrid joined, it's recommended to enable [SSO using Microsoft Entra authentication](configure-single-sign-on.md). Microsoft Entra authentication provides other benefits including passwordless authentication and support for third-party identity providers. Azure Virtual Desktop also supports [SSO using Active Directory Federation Services (AD FS)](configure-adfs-sso.md) for the Windows Desktop and web clients. To disable passwordless authentication on your host pool, you must [customize an When enabled, all WebAuthn requests in the session are redirected to the local PC. You can use Windows Hello for Business or locally attached security devices to complete the authentication process. -To access Azure AD resources with Windows Hello for Business or security devices, you must enable the FIDO2 Security Key as an authentication method for your users. To enable this method, follow the steps in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method). +To access Microsoft Entra resources with Windows Hello for Business or security devices, you must enable the FIDO2 Security Key as an authentication method for your users. 
To enable this method, follow the steps in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method). ### In-session smart card authentication To use a smart card in your session, make sure you've installed the smart card d ## Next steps - Curious about other ways to keep your deployment secure? Check out [Security best practices](security-guide.md).-- Having issues connecting to Azure AD-joined VMs? Look at [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).+- Having issues connecting to Microsoft Entra joined VMs? Look at [Troubleshoot connections to Microsoft Entra joined VMs](troubleshoot-azure-ad-connections.md). - Having issues with in-session passwordless authentication? See [Troubleshoot WebAuthn redirection](troubleshoot-device-redirections.md#webauthn-redirection). - Want to use smart cards from outside your corporate network? Review how to set up a [KDC Proxy server](key-distribution-center-proxy.md). |
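Review bot: in the `+` multifactor paragraph the link `set-up-mfa.md#azure-ad-joined-session-host-vms` keeps the old Azure AD heading slug while its text is renamed; it only resolves if set-up-mfa.md carries an `<a name='azure-ad-joined-session-host-vms'></a>` alias like the `multi-factor-authentication` alias this hunk adds here. The same applies to `azureadjoin-plan.md#federated-environment` under "Third-party identity providers" and "Service authentication". Suggest confirming each target anchor before merge, since a stale fragment silently drops the reader at the top of the page.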
virtual-desktop | Automatic Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/automatic-migration.md | Before you use the migration module, make sure you have the following things rea - PowerShell or PowerShell ISE to run the scripts you'll see in this article. The Microsoft.RdInfra.RDPowershell module doesn't work in PowerShell Core. >[!IMPORTANT]->Migration only creates service objects in the US geography. If you try to migrate your service objects to another geography, it won't work. Also, if you have more than 500 application groups in your Azure Virtual Desktop (classic) deployment, you won't be able to migrate. You'll only be able to migrate if you rebuild your environment to reduce the number of application groups within your Azure Active Directory (Azure AD) tenant. +>Migration only creates service objects in the US geography. If you try to migrate your service objects to another geography, it won't work. Also, if you have more than 500 application groups in your Azure Virtual Desktop (classic) deployment, you won't be able to migrate. You'll only be able to migrate if you rebuild your environment to reduce the number of application groups within your Microsoft Entra tenant. ## Prepare your PowerShell environment |
virtual-desktop | Azure Ad Joined Session Hosts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/azure-ad-joined-session-hosts.md | Title: Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure -description: How to configure and deploy Azure AD joined VMs in Azure Virtual Desktop. + Title: Deploy Microsoft Entra joined VMs in Azure Virtual Desktop - Azure +description: How to configure and deploy Microsoft Entra joined VMs in Azure Virtual Desktop. Last updated 06/23/2023 -# Deploy Azure AD-joined virtual machines in Azure Virtual Desktop +# Deploy Microsoft Entra joined virtual machines in Azure Virtual Desktop -This article will walk you through the process of deploying and accessing Azure Active Directory joined virtual machines in Azure Virtual Desktop. Azure AD-joined VMs remove the need to have line-of-sight from the VM to an on-premises or virtualized Active Directory Domain Controller (DC) or to deploy Azure AD Domain services (Azure AD DS). In some cases, it can remove the need for a DC entirely, simplifying the deployment and management of the environment. These VMs can also be automatically enrolled in Intune for ease of management. +This article will walk you through the process of deploying and accessing Microsoft Entra joined virtual machines in Azure Virtual Desktop. Microsoft Entra joined VMs remove the need to have line-of-sight from the VM to an on-premises or virtualized Active Directory Domain Controller (DC) or to deploy Microsoft Entra Domain Services. In some cases, it can remove the need for a DC entirely, simplifying the deployment and management of the environment. These VMs can also be automatically enrolled in Intune for ease of management. ## Known limitations -The following known limitations may affect access to your on-premises or Active Directory domain-joined resources and you should consider them when deciding whether Azure AD-joined VMs are right for your environment. 
+The following known limitations may affect access to your on-premises or Active Directory domain-joined resources and you should consider them when deciding whether Microsoft Entra joined VMs are right for your environment. -- Azure Virtual Desktop (classic) doesn't support Azure AD-joined VMs.-- Azure AD-joined VMs don't currently support external identities, such as Azure AD Business-to-Business (B2B) and Azure AD Business-to-Consumer (B2C).-- Azure AD-joined VMs can only access [Azure Files shares](create-profile-container-azure-ad.md) or [Azure NetApp Files shares](create-fslogix-profile-container.md) for hybrid users using Azure AD Kerberos for FSLogix user profiles.-- The [Remote Desktop app for Windows](users/connect-microsoft-store.md) doesn't support Azure AD-joined VMs.+- Azure Virtual Desktop (classic) doesn't support Microsoft Entra joined VMs. +- Microsoft Entra joined VMs don't currently support external identities, such as Microsoft Entra Business-to-Business (B2B) and Azure AD Business-to-Consumer (B2C). +- Microsoft Entra joined VMs can only access [Azure Files shares](create-profile-container-azure-ad.md) or [Azure NetApp Files shares](create-fslogix-profile-container.md) for hybrid users using Microsoft Entra Kerberos for FSLogix user profiles. +- The [Remote Desktop app for Windows](users/connect-microsoft-store.md) doesn't support Microsoft Entra joined VMs. -## Deploy Azure AD-joined VMs +<a name='deploy-azure-ad-joined-vms'></a> -You can deploy Azure AD-joined VMs directly from the Azure portal when you [create a new host pool](create-host-pools-azure-marketplace.md) or [expand an existing host pool](expand-existing-host-pool.md). To deploy an Azure AD-joined VM, open the **Virtual Machines** tab, then select whether to join the VM to Active Directory or Azure Active Directory. Selecting **Azure Active Directory** gives you the option to enroll VMs with Intune automatically, which lets you easily [manage your session hosts](management.md). 
Keep in mind that the Azure Active Directory option will only join VMs to the same Azure AD tenant as the subscription you're in. +## Deploy Microsoft Entra joined VMs ++You can deploy Microsoft Entra joined VMs directly from the Azure portal when you [create a new host pool](create-host-pools-azure-marketplace.md) or [expand an existing host pool](expand-existing-host-pool.md). To deploy a Microsoft Entra joined VM, open the **Virtual Machines** tab, then select whether to join the VM to Active Directory or Microsoft Entra ID. Selecting **Microsoft Entra ID** gives you the option to enroll VMs with Intune automatically, which lets you easily [manage your session hosts](management.md). Keep in mind that the Microsoft Entra option will only join VMs to the same Microsoft Entra tenant as the subscription you're in. > [!NOTE]-> - Host pools should only contain VMs of the same domain join type. For example, Azure AD-joined VMs should only be with other Azure AD VMs, and vice-versa. +> - Host pools should only contain VMs of the same domain join type. For example, Microsoft Entra joined VMs should only be with other Microsoft Entra VMs, and vice-versa. > - The VMs in the host pool must be Windows 11 or Windows 10 single-session or multi-session, version 2004 or later, or Windows Server 2022 or Windows Server 2019. ### Assign user access to host pools After you've created your host pool, you must assign users access to their resources. To grant access to resources, add each user to the application group. Follow the instructions in [Manage application groups](manage-app-groups.md) to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever possible. 
-For Azure AD-joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Azure Active Directory Domain Services-based deployments: +For Microsoft Entra joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Microsoft Entra Domain Services-based deployments: - Assign your users the **Virtual Machine User Login** role so they can sign in to the VMs. - Assign administrators who need local administrative privileges the **Virtual Machine Administrator Login** role. -To grant users access to Azure AD-joined VMs, you must [configure role assignments for the VM](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#configure-role-assignments-for-the-vm). You can assign the **Virtual Machine User Login** or **Virtual Machine Administrator Login** role either on the VMs, the resource group containing the VMs, or the subscription. We recommend assigning the Virtual Machine User Login role to the same user group you used for the application group at the resource group level to make it apply to all the VMs in the host pool. +To grant users access to Microsoft Entra joined VMs, you must [configure role assignments for the VM](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#configure-role-assignments-for-the-vm). You can assign the **Virtual Machine User Login** or **Virtual Machine Administrator Login** role either on the VMs, the resource group containing the VMs, or the subscription. We recommend assigning the Virtual Machine User Login role to the same user group you used for the application group at the resource group level to make it apply to all the VMs in the host pool. ++<a name='access-azure-ad-joined-vms'></a> -## Access Azure AD-joined VMs +## Access Microsoft Entra joined VMs -This section explains how to access Azure AD-joined VMs from different Azure Virtual Desktop clients. 
+This section explains how to access Microsoft Entra joined VMs from different Azure Virtual Desktop clients. ### Connect using the Windows Desktop client The default configuration supports connections from Windows 11 or Windows 10 using the [Windows Desktop client](users/connect-windows.md). You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions: -- The local PC is Azure AD-joined to the same Azure AD tenant as the session host-- The local PC is hybrid Azure AD-joined to the same Azure AD tenant as the session host-- The local PC is running Windows 11 or Windows 10, version 2004 or later, and is Azure AD registered to the same Azure AD tenant as the session host+- The local PC is Microsoft Entra joined to the same Microsoft Entra tenant as the session host +- The local PC is Microsoft Entra hybrid joined to the same Microsoft Entra tenant as the session host +- The local PC is running Windows 11 or Windows 10, version 2004 or later, and is Microsoft Entra registered to the same Microsoft Entra tenant as the session host If your local PC doesn't meet one of these conditions, add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host. ### Connect using the other clients -To access Azure AD-joined VMs using the web, Android, macOS and iOS clients, you must add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. 
These connections are restricted to entering user name and password credentials when signing in to the session host. +To access Microsoft Entra joined VMs using the web, Android, macOS and iOS clients, you must add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host. ++<a name='enforcing-azure-ad-multi-factor-authentication-for-azure-ad-joined-session-vms'></a> -### Enforcing Azure AD Multi-Factor Authentication for Azure AD-joined session VMs +### Enforcing Microsoft Entra multifactor authentication for Microsoft Entra joined session VMs -You can use Azure AD Multi-Factor Authentication with Azure AD-joined VMs. Follow the steps to [Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) and note the extra steps for [Azure AD-joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms). +You can use Microsoft Entra multifactor authentication with Microsoft Entra joined VMs. Follow the steps to [Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) and note the extra steps for [Microsoft Entra joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms). -If you're using Azure AD Multi-Factor Authentication and you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) from your Conditional Access policy. 
+If you're using Microsoft Entra multifactor authentication and you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) from your Conditional Access policy. ### Single sign-on -You can enable a single sign-on experience using Azure AD authentication when accessing Azure AD-joined VMs. Follow the steps to [Configure single sign-on](configure-single-sign-on.md) to provide a seamless connection experience. +You can enable a single sign-on experience using Microsoft Entra authentication when accessing Microsoft Entra joined VMs. Follow the steps to [Configure single sign-on](configure-single-sign-on.md) to provide a seamless connection experience. ## User profiles -You can use FSLogix profile containers with Azure AD-joined VMs when you store them on Azure Files or Azure NetApp Files while using hybrid user accounts. For more information, see [Create a profile container with Azure Files and Azure AD](create-profile-container-azure-ad.md). +You can use FSLogix profile containers with Microsoft Entra joined VMs when you store them on Azure Files or Azure NetApp Files while using hybrid user accounts. For more information, see [Create a profile container with Azure Files and Microsoft Entra ID](create-profile-container-azure-ad.md). ## Accessing on-premises resources -While you don't need an Active Directory to deploy or access your Azure AD-joined VMs, an Active Directory and line-of-sight to it are needed to access on-premises resources from those VMs. To learn more about accessing on-premises resources, see [How SSO to on-premises resources works on Azure AD joined devices](../active-directory/devices/azuread-join-sso.md). 
+While you don't need an Active Directory to deploy or access your Microsoft Entra joined VMs, an Active Directory and line-of-sight to it are needed to access on-premises resources from those VMs. To learn more about accessing on-premises resources, see [How SSO to on-premises resources works on Microsoft Entra joined devices](../active-directory/devices/azuread-join-sso.md). ## Next steps -Now that you've deployed some Azure AD joined VMs, we recommend enabling single sign-on before connecting with a supported Azure Virtual Desktop client to test it as part of a user session. To learn more, check out these articles: +Now that you've deployed some Microsoft Entra joined VMs, we recommend enabling single sign-on before connecting with a supported Azure Virtual Desktop client to test it as part of a user session. To learn more, check out these articles: - [Configure single sign-on](configure-single-sign-on.md)-- [Create a profile container with Azure Files and Azure AD](create-profile-container-azure-ad.md)+- [Create a profile container with Azure Files and Microsoft Entra ID](create-profile-container-azure-ad.md) - [Connect with the Windows Desktop client](users/connect-windows.md) - [Connect with the web client](users/connect-web.md)-- [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md)+- [Troubleshoot connections to Microsoft Entra joined VMs](troubleshoot-azure-ad-connections.md) - [Create a profile container with Azure NetApp Files](create-fslogix-profile-container.md) |
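Review bot: the rename in the Known limitations list is incomplete in one bullet: "Microsoft Entra Business-to-Business (B2B) and Azure AD Business-to-Consumer (B2C)" mixes old and new product names in a single sentence. If Azure AD B2C deliberately keeps its name, it should read as a retained product name (e.g. "Azure Active Directory B2C (Azure AD B2C)") so the mix isn't taken for an oversight; otherwise rename it for consistency. Two smaller points in the same file: "Keep in mind that the Microsoft Entra option will only join VMs" refers to the portal option the previous sentence calls **Microsoft Entra ID**, so use the exact label; and the added `<a name=...>` anchors preserve inbound links to the renamed headings here, but the outbound link `set-up-mfa.md#azure-ad-joined-session-host-vms` depends on that article keeping or aliasing its old anchor too, which is worth verifying in the same change.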
virtual-desktop | Azure Stack Hci | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/azure-stack-hci.md | To use Azure Virtual Desktop for Azure Stack HCI, you'll need the following thin - Azure Arc virtual machine (VM) management should be set up on the Azure Stack HCI cluster. For more information, see [VM provisioning through Azure portal on Azure Stack HCI (preview)](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines). -- [An on-premises Active Directory (AD) synced with Azure Active Directory](/azure/architecture/reference-architectures/identity/azure-ad). The AD domain should resolve using DNS. For more information, see [Prerequisites for Azure Virtual Desktop](prerequisites.md#network).+- [An on-premises Active Directory (AD) synced with Microsoft Entra ID](/azure/architecture/reference-architectures/identity/azure-ad). The AD domain should resolve using DNS. For more information, see [Prerequisites for Azure Virtual Desktop](prerequisites.md#network). - A stable connection to Azure from your on-premises network. |
virtual-desktop | Configure Adfs Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/configure-adfs-sso.md | Before configuring AD FS single sign-on, you must have the following setup runni - You must deploy the **Active Directory Federation Services (AD FS)** role. All servers running this role must be domain-joined, have the latest Windows updates installed, and be running Windows Server 2016 or later. See our [federation tutorial](../active-directory/hybrid/tutorial-federation.md) to get started setting up this role. - We recommend setting up the **Web Application Proxy** role to secure your environment's connection to the AD FS servers. All servers running this role must have the latest Windows updates installed, and be running Windows Server 2016 or later. See this [Web Application Proxy guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383662(v=ws.11)) to get started setting up this role. -- You must deploy **Azure AD Connect** to sync users to Azure AD. Azure AD Connect must be configured in [federation mode](../active-directory/hybrid/how-to-connect-install-custom.md).+- You must deploy **Microsoft Entra Connect** to sync users to Microsoft Entra ID. Microsoft Entra Connect must be configured in [federation mode](../active-directory/hybrid/how-to-connect-install-custom.md). - [Set up your PowerShell environment](powershell-module.md) for Azure Virtual Desktop on the AD FS server. > [!NOTE]-> This solution is not supported with Azure AD Domain Services. You must use an Active Directory Domain Services domain controller. +> This solution is not supported with Microsoft Entra Domain Services. You must use an Active Directory Domain Services domain controller. ## Supported clients To create a new enrollment agent certificate template: 6. Next, select **Object Types...**, then **Service Accounts**, and then **OK**. 7. Enter the service account name for AD FS and select **OK**. 
* In an isolated AD FS setup, the service account will be named "adfssvc$"- * If you set up AD FS using Azure AD Connect, the service account will be named "aadcsvc$" + * If you set up AD FS using Microsoft Entra Connect, the service account will be named "aadcsvc$" 8. After the service account is added and is visible in the **Security** tab, select it in the **Group or user names** pane, select **Allow** for both "Enroll" and "Autoenroll" in the **Permissions for the AD FS service account** pane, then select **OK** to save. :::image type="content" source="media/adfs-enrollment-properties-security.png" alt-text="A screenshot showing the security tab of the Enrollment Agent certificate template after it is properly configured."::: To update an existing enrollment agent certificate template: 5. Next, select **Object Types...**, then **Service Accounts**, and then **OK**. 6. Enter the service account name for AD FS and select **OK**. * In an isolated AD FS setup, the service account will be named "adfssvc$"- * If you set up AD FS using Azure AD Connect, the service account will be named "aadcsvc$" + * If you set up AD FS using Microsoft Entra Connect, the service account will be named "aadcsvc$" 7. After the service account is added and is visible in the **Security** tab, select it in the **Group or user names** pane, select **Allow** for both "Enroll" and "Autoenroll" in the **Permissions for the AD FS service account** pane, then select **OK** to save. ### Create the Smartcard Logon certificate template To create the Smartcard Logon certificate template: 10. Select **Object Types...**, **Service Accounts**, and **OK**. 11. Enter the service account name for AD FS just like you did in the [Create the enrollment agent certificate template](#create-the-enrollment-agent-certificate-template) section. 
* In an isolated AD FS setup, the service account will be named "adfssvc$"- * If you set up AD FS using Azure AD Connect, the service account will be named "aadcsvc$" + * If you set up AD FS using Microsoft Entra Connect, the service account will be named "aadcsvc$" 12. After the service account is added and is visible in the **Security** tab, select it in the **Group or user names** pane, select **Allow** for both "Enroll" and "Autoenroll", then select **OK** to save. :::image type="content" source="media/adfs-sso-properties-security.png" alt-text="A screenshot showing the security tab of the SSO certificate template after it is properly configured."::: |
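Review bot: the bullet "If you set up AD FS using Microsoft Entra Connect, the service account will be named "aadcsvc$"" now pairs the new product name with an account name that still carries the old Azure AD Connect naming; a short parenthetical saying the account name is unchanged would stop readers from expecting a renamed account. The bullet appears three times in this file (create enrollment agent template, update enrollment agent template, Smartcard Logon template), so the same clarification belongs in each.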
virtual-desktop | Configure Rdp Shortpath Limit Ports Public Networks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/configure-rdp-shortpath-limit-ports-public-networks.md | When choosing the base and pool size, consider the number of ports you choose. T ## Enable a limited port range -To enable a limited port range when using RDP Shortpath for public networks, you can use Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Azure Active Directory (Azure AD). +To enable a limited port range when using RDP Shortpath for public networks, you can use Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Microsoft Entra ID. 1. Download the [Azure Virtual Desktop administrative template](https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive. |
virtual-desktop | Configure Rdp Shortpath | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/configure-rdp-shortpath.md | The steps to enable RDP Shortpath differ for session hosts depending on whether # [Managed networks](#tab/managed-networks) -To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpath listener on your session hosts. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Azure Active Directory (Azure AD). +To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpath listener on your session hosts. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Microsoft Entra ID. 1. Download the [Azure Virtual Desktop administrative template](https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive. To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa # [Public networks](#tab/public-networks) -If you need to configure session hosts and clients to enable RDP Shortpath for public networks because their default settings have been changed, follow these steps. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Azure Active Directory (Azure AD). +If you need to configure session hosts and clients to enable RDP Shortpath for public networks because their default settings have been changed, follow these steps. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Microsoft Entra ID. 1. 
Depending on whether you want to configure Group Policy centrally from your AD domain, or locally for each session host: If you need to configure session hosts and clients to enable RDP Shortpath for p ### Windows clients -The steps to ensure your clients are configured correctly are the same regardless of whether you want to use RDP Shortpath for managed networks or public networks. You can do this using Group Policy for managed clients that are joined to an Active Directory domain, Intune for managed clients that are joined to Azure Active Directory (Azure AD) and enrolled in Intune, or local Group Policy for clients that aren't managed. +The steps to ensure your clients are configured correctly are the same regardless of whether you want to use RDP Shortpath for managed networks or public networks. You can do this using Group Policy for managed clients that are joined to an Active Directory domain, Intune for managed clients that are joined to Microsoft Entra ID and enrolled in Intune, or local Group Policy for clients that aren't managed. > [!NOTE] > By default in Windows, RDP traffic will attempt to use both TCP and UDP protocols. You will only need to follow these steps if the client has previously been configured to use TCP only. The steps to disable RDP Shortpath differ for session hosts depending on whether # [Managed networks](#tab/managed-networks) -To disable RDP Shortpath for managed networks on your session hosts, you need to disable the RDP Shortpath listener. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an AD domain, or locally for session hosts that are joined to Azure AD. +To disable RDP Shortpath for managed networks on your session hosts, you need to disable the RDP Shortpath listener. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an AD domain, or locally for session hosts that are joined to Microsoft Entra ID. 
Alternatively, you can block port **3390** (default) to your session hosts on a firewall or Network Security Group. Alternatively, you can block port **3390** (default) to your session hosts on a # [Public networks](#tab/public-networks) -To disable RDP Shortpath for public networks on your session hosts, you can set RDP transport protocols to only allow TCP. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an AD domain, or locally for session hosts that are joined to Azure AD. +To disable RDP Shortpath for public networks on your session hosts, you can set RDP transport protocols to only allow TCP. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an AD domain, or locally for session hosts that are joined to Microsoft Entra ID. > [!CAUTION] > This will also disable RDP Shortpath for managed networks. Alternatively, if you want to disable RDP Shortpath for public networks only, yo ### Windows clients -On client devices, you can disable RDP Shortpath for managed networks and public networks by configuring RDP traffic to only use TCP. You can do this using Group Policy for managed clients that are joined to an Active Directory domain, Intune for managed clients that are joined to (Azure AD) and enrolled in Intune, or local Group Policy for clients that aren't managed. +On client devices, you can disable RDP Shortpath for managed networks and public networks by configuring RDP traffic to only use TCP. You can do this using Group Policy for managed clients that are joined to an Active Directory domain, Intune for managed clients that are joined to (Microsoft Entra ID) and enrolled in Intune, or local Group Policy for clients that aren't managed. > [!IMPORTANT] > If you have previously set RDP traffic to attempt to use both TCP and UDP protocols using Group Policy or Intune, ensure the settings don't conflict. |
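Review bot: in the Windows clients paragraph of the disable section, "Intune for managed clients that are joined to (Microsoft Entra ID) and enrolled in Intune" keeps the stray parentheses from the old "(Azure AD)" text; since the rename already touched this line, drop them so it reads "joined to Microsoft Entra ID and enrolled in Intune", matching the equivalent sentence in the enable section above.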
virtual-desktop | Configure Single Sign On | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/configure-single-sign-on.md | Title: Configure single sign-on for Azure Virtual Desktop using Azure AD Authentication - Azure -description: How to configure single sign-on for an Azure Virtual Desktop environment using Azure AD Authentication. + Title: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication - Azure +description: How to configure single sign-on for an Azure Virtual Desktop environment using Microsoft Entra authentication. -# Configure single sign-on for Azure Virtual Desktop using Azure AD Authentication +# Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication > [!IMPORTANT]-> Single sign-on using Azure AD authentication is currently in public preview. +> Single sign-on using Microsoft Entra authentication is currently in public preview. > This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -This article walks you through the process of configuring single sign-on (SSO) using Azure Active Directory (Azure AD) authentication for Azure Virtual Desktop (preview). When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Azure AD to sign in to your Azure Virtual Desktop resources. When enabled, this feature provides a single sign-on experience when authenticating to the session host and configures the session to provide single sign-on to Azure AD-based resources inside the session. 
+This article walks you through the process of configuring single sign-on (SSO) using Microsoft Entra authentication for Azure Virtual Desktop (preview). When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Azure Virtual Desktop resources. When enabled, this feature provides a single sign-on experience when authenticating to the session host and configures the session to provide single sign-on to Microsoft Entra ID-based resources inside the session. For information on using passwordless authentication within the session, see [In-session passwordless authentication (preview)](authentication.md#in-session-passwordless-authentication-preview). Single sign-on is available on session hosts using the following operating syste - Windows 10 Enterprise single or multi-session, versions 20H2 or later with the [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed. - Windows Server 2022 with the [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed. -Session hosts must be Azure AD-joined or [hybrid Azure AD-Joined](../active-directory/devices/hybrid-join-plan.md). +Session hosts must be Microsoft Entra joined or [Microsoft Entra hybrid joined](../active-directory/devices/hybrid-join-plan.md). > [!NOTE]-> Azure Virtual Desktop doesn't support this solution with VMs joined to Azure AD Domain Services or Active Directory only joined session hosts. +> Azure Virtual Desktop doesn't support this solution with VMs joined to Microsoft Entra Domain Services or Active Directory only joined session hosts. Clients currently supported: -- [Windows Desktop client](users/connect-windows.md) on local PCs running Windows 10 or later. 
There's no requirement for the local PC to be joined to a domain or Azure AD.+- [Windows Desktop client](users/connect-windows.md) on local PCs running Windows 10 or later. There's no requirement for the local PC to be joined to a domain or Microsoft Entra ID. - [Web client](users/connect-web.md). - [macOS client](users/connect-macos.md) version 10.8.2 or later. - [iOS client](users/connect-ios-ipados.md) version 10.5.1 or later. Before enabling single sign-on, review the following information for using SSO i ### Allow remote desktop connection dialog -When enabling single sign-on, you'll currently be prompted to authenticate to Azure AD and allow the Remote Desktop connection when launching a connection to a new host. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. +When enabling single sign-on, you'll currently be prompted to authenticate to Microsoft Entra ID and allow the Remote Desktop connection when launching a connection to a new host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. ### Disconnection when the session is locked -When SSO is enabled, you sign in to Windows using an Azure AD authentication token, which provides support for passwordless authentication to Windows. The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. +When SSO is enabled, you sign in to Windows using a Microsoft Entra authentication token, which provides support for passwordless authentication to Windows. 
The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. -Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies. +Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies. ### Using an Active Directory domain admin account with single sign-on -In environments with an Active Directory (AD) and hybrid user accounts, the default Password Replication Policy on Read-only Domain Controllers denies password replication for members of Domain Admins and Administrators security groups. This will prevent these admin accounts from signing in to hybrid Azure AD-joined hosts and may keep prompting them to enter their credentials. It will also prevent admin accounts from accessing on-premises resources that leverage Kerberos authentication from Azure AD-joined hosts. +In environments with an Active Directory (AD) and hybrid user accounts, the default Password Replication Policy on Read-only Domain Controllers denies password replication for members of Domain Admins and Administrators security groups. This will prevent these admin accounts from signing in to Microsoft Entra hybrid joined hosts and may keep prompting them to enter their credentials. It will also prevent admin accounts from accessing on-premises resources that leverage Kerberos authentication from Microsoft Entra joined hosts. 
To allow these admin accounts to connect when single sign-on is enabled: To enable single sign-on in your environment, you must first create a Kerberos S You must [Create a Kerberos Server object](../active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md#create-a-kerberos-server-object) if your session host meets the following criteria: -- Your session host is hybrid Azure AD-joined. You must have a Kerberos Server object to complete authentication to the domain controller.-- Your session host is Azure AD-joined and your environment contains Active Directory Domain Controllers. You must have a Kerberos Server object for users to access on-premises resources, such as SMB shares, and Windows-integrated authentication to websites.+- Your session host is Microsoft Entra hybrid joined. You must have a Kerberos Server object to complete authentication to the domain controller. +- Your session host is Microsoft Entra joined and your environment contains Active Directory Domain Controllers. You must have a Kerberos Server object for users to access on-premises resources, such as SMB shares, and Windows-integrated authentication to websites. > [!IMPORTANT]-> If you enable SSO on your hybrid Azure AD-joined VMs before you create a Kerberos server object, one of the following things can happen: +> If you enable SSO on your Microsoft Entra hybrid joined VMs before you create a Kerberos server object, one of the following things can happen: > > - You receive an error message saying the specific session doesn't exist. > - SSO will be skipped and you'll see a standard authentication dialog for the session host. You must [Create a Kerberos Server object](../active-directory/authentication/ho To enable SSO on your host pool, you must configure the following RDP property, which you can do using the Azure portal or PowerShell. 
You can find the steps to do this in [Customize Remote Desktop Protocol (RDP) properties for a host pool](customize-rdp-properties.md). -- In the Azure portal, set **Azure AD single sign-on** to **Connections will use Azure AD authentication to provide single sign-on**.+- In the Azure portal, set **Microsoft Entra single sign-on** to **Connections will use Microsoft Entra authentication to provide single sign-on**. - For PowerShell, set the **enablerdsaadauth** property to **1**. ## Next steps - Check out [In-session passwordless authentication (preview)](authentication.md#in-session-passwordless-authentication-preview) to learn how to enable passwordless authentication.-- For more information about Azure AD Kerberos, see [Deep dive: How Azure AD Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889)+- For more information about Microsoft Entra Kerberos, see [Deep dive: How Microsoft Entra Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889) - If you're accessing Azure Virtual Desktop from our Windows Desktop client, see [Connect with the Windows Desktop client](./users/connect-windows.md). - If you're accessing Azure Virtual Desktop from our web client, see [Connect with the web client](./users/connect-web.md).-- If you encounter any issues, go to [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).+- If you encounter any issues, go to [Troubleshoot connections to Microsoft Entra joined VMs](troubleshoot-azure-ad-connections.md). |
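Review bot: the PowerShell bullet in this hunk keeps the property name `enablerdsaadauth` while the portal bullet next to it is renamed to Microsoft Entra; that is right, because the property is a literal RDP identifier rather than product branding, but nothing tells the reader so. A short clause such as "(the property keeps its legacy `aad` name)" would stop a later rename pass, or a reader, from "correcting" it. The same applies to the unchanged link target `troubleshoot-azure-ad-connections.md` in the Next steps list, whose file name must stay as it is even though its link text changed.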
virtual-desktop | Create Fslogix Profile Container | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/create-fslogix-profile-container.md | The instructions in this guide are specifically for Azure Virtual Desktop users. ## Considerations -FSLogix profile containers on Azure NetApp Files can be accessed by users authenticating from Active Directory Domain Services (AD DS) and from [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md), allowing Azure AD users to access profile containers without requiring line-of-sight to domain controllers from hybrid Azure AD-joined and Azure AD-joined virtual machines (VMs). For more information, see [Access SMB volumes from Azure AD joined Windows VMs](../azure-netapp-files/access-smb-volume-from-windows-client.md). +FSLogix profile containers on Azure NetApp Files can be accessed by users authenticating from Active Directory Domain Services (AD DS) and from [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md), allowing Microsoft Entra users to access profile containers without requiring line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined virtual machines (VMs). For more information, see [Access SMB volumes from Microsoft Entra joined Windows VMs](../azure-netapp-files/access-smb-volume-from-windows-client.md). ## Prerequisites After that, you need to join an Active Directory connection. - For **AD DNS Domain Name**, enter your fully qualified domain name (FQDN). - For **AD Site Name**, enter the Active Directory Site name that the domain controller discovery will be limited to. This should match the Site name in Active Directory Sites and Services for the Site created to represent the Azure virtual network environment. This Site must be reachable by Azure NetApp Files in Azure. 
- For **SMB Server (Computer Account) Prefix**, enter the string you want to append to the computer account name.- - For **Organizational unit path**, this is the LDAP path for the organizational unit (OU) where SMB server machine accounts will be created. That is, OU=second level, OU=first level. If you are using Azure NetApp Files with Azure Active Directory Domain Services, the organizational unit path is OU=AADDC Computers when you configure Active Directory for your NetApp account. + - For **Organizational unit path**, this is the LDAP path for the organizational unit (OU) where SMB server machine accounts will be created. That is, OU=second level, OU=first level. If you are using Azure NetApp Files with Microsoft Entra Domain Services, the organizational unit path is OU=AADDC Computers when you configure Active Directory for your NetApp account. - For **Credentials**, insert username and password: ![A screenshot of the Join Active Directory connections menu for username and password.](media/active-directory-connections-credentials.png) |
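Review bot: the **SMB Server (Computer Account) Prefix** bullet, unchanged context in this hunk, tells the reader to enter "the string you want to append to the computer account name", but a prefix is prepended, not appended; suggest "the string that will be used as the prefix of the computer account name". The `+` line correctly leaves `OU=AADDC Computers` untouched: that is the literal OU path in the managed domain, so it must not follow the product rename.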
virtual-desktop | Create Host Pool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/create-host-pool.md | In addition, you'll need: - If you want to use Azure PowerShell locally, see [Use Azure CLI and Azure PowerShell with Azure Virtual Desktop](cli-powershell.md) to make sure you have the [Az.DesktopVirtualization](/powershell/module/az.desktopvirtualization) PowerShell module installed. Alternatively, use the [Azure Cloud Shell](../cloud-shell/overview.md). > [!IMPORTANT]-> If you want to create Azure Active Directory-joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. +> If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. # [Azure CLI](#tab/cli) In addition, you'll need: - If you want to use Azure CLI locally, see [Use Azure CLI and Azure PowerShell with Azure Virtual Desktop](cli-powershell.md) to make sure you have the [desktopvirtualization](/cli/azure/desktopvirtualization) Azure CLI extension installed. Alternatively, use the [Azure Cloud Shell](../cloud-shell/overview.md). > [!IMPORTANT]-> If you want to create Azure Active Directory-joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. +> If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. Here's how to create a host pool using the Azure portal. |--|--| | Add Azure virtual machines | Select **Yes**. This shows several new options. | | Resource group | This automatically defaults to the resource group you chose your host pool to be in on the *Basics* tab, but you can also select an alternative. |- | Name prefix | Enter a name for your session hosts, for example **aad-hp01-sh**.<br /><br />This will be used as the prefix for your session host VMs. 
Each session host has a suffix of a hyphen and then a sequential number added to the end, for example **aad-hp01-sh-0**.<br /><br />This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. | + | Name prefix | Enter a name for your session hosts, for example **me-id-hp01-sh**.<br /><br />This will be used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example **me-id-hp01-sh-0**.<br /><br />This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. | | Virtual machine location | Select the Azure region where your session host VMs will be deployed. This must be the same region that your virtual network is in. | | Availability options | Select from **[availability zones](../reliability/availability-zones-overview.md)**, **[availability set](../virtual-machines/availability-set-overview.md)**, or **No infrastructure dependency required**. If you select availability zones or availability set, complete the extra parameters that appear. | | Security type | Select from **Standard**, **[Trusted launch virtual machines](../virtual-machines/trusted-launch.md)**, or **[Confidential virtual machines](../confidential-computing/confidential-vm-overview.md)**.<br /><br />- If you select **Trusted launch virtual machines**, options for **secure boot** and **vTPM** are automatically selected.<br /><br />- If you select **Confidential virtual machines**, options for **secure boot**, **vTPM**, and **integrity monitoring** are automatically selected. You can't opt out of vTPM when using a confidential VM. | Here's how to create a host pool using the Azure portal. 
| Network security group | Select whether you want to use a network security group (NSG).<br /><br />- **None** won't create a new NSG.<br /><br />- **Basic** will create a new NSG for the VM NIC.<br /><br />- **Advanced** enables you to select an existing NSG.<br /><br />We recommend that you don't create an NSG here, but [create an NSG on the subnet instead](../virtual-network/manage-network-security-group.md). | | Public inbound ports | You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend you select **No**. | | **Domain to join** | |- | Select which directory you would like to join | Select from **Azure Active Directory** or **Active Directory** and complete the relevant parameters for the option you select. | + | Select which directory you would like to join | Select from **Microsoft Entra ID** or **Active Directory** and complete the relevant parameters for the option you select. | | **Virtual Machine Administrator account** | | | Username | Enter a name to use as the local administrator account for the new session host VMs. | | Password | Enter a password for the local administrator account. | Here's how to create a host pool using the Azure portal. | Parameter | Value/Description | |--|--| | Register desktop app group | Select **Yes**. This registers the default desktop application group to the selected workspace. |- | To this workspace | Select an existing workspace from the list, or select **Create new** and enter a name, for example **aad-ws01**. | + | To this workspace | Select an existing workspace from the list, or select **Create new** and enter a name, for example **Microsoft Entra ID-ws01**. | Once you've completed this tab, select **Next: Advanced**. |
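Review bot: the renamed example prefix in the `+` line of the **Name prefix** row, **me-id-hp01-sh**, is 13 characters long, but the same cell states that the prefix "can be a maximum of 11 characters"; the old example **aad-hp01-sh** was exactly 11. Use a prefix that fits, for example **me-hp01-sh** (10 characters), and update the suffixed example to match (**me-hp01-sh-0**), so the combined name also stays within the 15-character limit the row gives.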
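Review bot: the workspace example in the `+` line of the **To this workspace** row, **Microsoft Entra ID-ws01**, is a product name with spaces pasted into an identifier slot rather than an example resource name, and it no longer matches the naming style used for the session host prefix earlier in this table; suggest **me-id-ws01** (or whatever short prefix is chosen for the session hosts) so the examples stay consistent.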
virtual-desktop | Create Netapp Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/create-netapp-files.md | To start using Azure NetApp Files: 1. Set up your Azure NetApp Files account by following the instructions in [Set up your Azure NetApp Files account](create-fslogix-profile-container.md#set-up-your-azure-netapp-files-account). 2. Create a capacity pool by following the instructions in [Set up a capacity pool](../azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md).-3. Join an Azure Active Directory (Azure AD) connection by following the instructions in [Join an Active Directory connection](create-fslogix-profile-container.md#join-an-active-directory-connection). +3. Join a Microsoft Entra connection by following the instructions in [Join an Active Directory connection](create-fslogix-profile-container.md#join-an-active-directory-connection). 4. Create a new volume by following the instructions in [Create a new volume](create-fslogix-profile-container.md#create-a-new-volume) and [Configure volume access parameters](create-fslogix-profile-container.md#configure-volume-access-parameters). 5. Make sure your connection to the Azure NetApp Files share works by following the instructions in [Make sure users can access the Azure NetApp Files share](create-fslogix-profile-container.md#make-sure-users-can-access-the-azure-netapp-files-share). |
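Review bot: the `+` line now reads "Join a Microsoft Entra connection", but the linked step is "Join an Active Directory connection", and that procedure asks for an AD DNS domain name, an AD site name and an OU path, i.e. it joins Azure NetApp Files to AD DS or Microsoft Entra Domain Services, not to Microsoft Entra ID. The `-` line's "Azure Active Directory (Azure AD) connection" had the same mismatch, so the rename preserved an existing error; suggest "Join an Active Directory connection by following the instructions in [Join an Active Directory connection](...)" to match the target heading.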
virtual-desktop | Create Profile Container Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/create-profile-container-azure-ad.md | Title: Create a profile container with Azure Files and Azure Active Directory -description: Set up an FSLogix profile container on an Azure file share in an existing Azure Virtual Desktop host pool with your Azure Active Directory domain. + Title: Create a profile container with Azure Files and Microsoft Entra ID +description: Set up an FSLogix profile container on an Azure file share in an existing Azure Virtual Desktop host pool with your Microsoft Entra domain. -# Create a profile container with Azure Files and Azure Active Directory +# Create a profile container with Azure Files and Microsoft Entra ID -In this article, you'll learn how to create and configure an Azure Files share for Azure Active Directory (Azure AD) Kerberos authentication. This configuration allows you to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined or Hybrid Azure AD-joined session hosts without requiring network line-of-sight to domain controllers. Azure AD Kerberos enables Azure AD to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol. +In this article, you'll learn how to create and configure an Azure Files share for Microsoft Entra Kerberos authentication. This configuration allows you to store FSLogix profiles that can be accessed by hybrid user identities from Microsoft Entra joined or Microsoft Entra hybrid joined session hosts without requiring network line-of-sight to domain controllers. Microsoft Entra Kerberos enables Microsoft Entra ID to issue the necessary Kerberos tickets to access the file share with the industry-standard SMB protocol. This feature is supported in the Azure Public, Azure US Gov, and Azure operated by 21Vianet. 
## Prerequisites -Before deploying this solution, verify that your environment [meets the requirements](../storage/files/storage-files-identity-auth-azure-active-directory-enable.md#prerequisites) to configure Azure Files with Azure AD Kerberos authentication. +Before deploying this solution, verify that your environment [meets the requirements](../storage/files/storage-files-identity-auth-azure-active-directory-enable.md#prerequisites) to configure Azure Files with Microsoft Entra Kerberos authentication. When used for FSLogix profiles in Azure Virtual Desktop, the session hosts don't need to have network line-of-sight to the domain controller (DC). However, a system with network line-of-sight to the DC is required to configure the permissions on the Azure Files share. To store your FSLogix profiles on an Azure file share: 1. [Create an Azure Storage account](../storage/files/storage-how-to-create-file-share.md#create-a-storage-account) if you don't already have one. > [!NOTE]- > Your Azure Storage account can't authenticate with both Azure AD and a second method like Active Directory Domain Services (AD DS) or Azure AD DS. You can only use one authentication method. + > Your Azure Storage account can't authenticate with both Microsoft Entra ID and a second method like Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services. You can only use one authentication method. 2. [Create an Azure Files share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) under your storage account to store your FSLogix profiles if you haven't already. -3. [Enable Azure Active Directory Kerberos authentication on Azure Files](../storage/files/storage-files-identity-auth-azure-active-directory-enable.md) to enable access from Azure AD-joined VMs. +3. [Enable Microsoft Entra Kerberos authentication on Azure Files](../storage/files/storage-files-identity-auth-azure-active-directory-enable.md) to enable access from Microsoft Entra joined VMs. 
- When configuring the directory and file-level permissions, review the recommended list of permissions for FSLogix profiles at [Configure the storage permissions for profile containers](/fslogix/fslogix-storage-config-ht). - Without proper directory-level permissions in place, a user can delete the user profile or access the personal information of a different user. It's important to make sure users have proper permissions to prevent accidental deletion from happening. ## Configure the session hosts -To access Azure file shares from an Azure AD-joined VM for FSLogix profiles, you must configure the session hosts. To configure session hosts: +To access Azure file shares from a Microsoft Entra joined VM for FSLogix profiles, you must configure the session hosts. To configure session hosts: -1. Enable the Azure AD Kerberos functionality using one of the following methods. +1. Enable the Microsoft Entra Kerberos functionality using one of the following methods. - Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the session host: [Kerberos/CloudKerberosTicketRetrievalEnabled](/windows/client-management/mdm/policy-csp-kerberos#kerberos-cloudkerberosticketretrievalenabled). To access Azure file shares from an Azure AD-joined VM for FSLogix profiles, you -2. When you use Azure AD with a roaming profile solution like FSLogix, the credential keys in Credential Manager must belong to the profile that's currently loading. This will let you load your profile on many different VMs instead of being limited to just one. To enable this setting, create a new registry value by running the following command: +2. When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the credential keys in Credential Manager must belong to the profile that's currently loading. This will let you load your profile on many different VMs instead of being limited to just one. 
To enable this setting, create a new registry value by running the following command: ``` reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1 |
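Review bot: the `reg add` command in this hunk's trailing context writes to `HKLM\Software\Policies\Microsoft\AzureADAccount`, a literal registry path that must keep its `AzureAD` spelling even though the prose around it has been renamed to Microsoft Entra ID; a one-line remark to that effect would keep a later rename pass from breaking the command. The fence holding the command also has no language tag; `cmd` would give it highlighting consistent with the `powershell` fences used in the neighbouring articles.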
virtual-desktop | Delegated Access Virtual Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/delegated-access-virtual-desktop.md | Before you start, make sure to follow the instructions in [Set up the PowerShell Azure Virtual Desktop uses Azure role-based access control (Azure RBAC) while publishing application groups to users or user groups. The Desktop Virtualization User role is assigned to the user or user group and the scope is the application group. This role gives the user special data access on the application group. -Run the following cmdlet to add Azure Active Directory users to an application group: +Run the following cmdlet to add Microsoft Entra users to an application group: ```powershell New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' ``` -Run the following cmdlet to add Azure Active Directory user group to an application group: +Run the following cmdlet to add Microsoft Entra user group to an application group: ```powershell New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' |
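Review bot: the second `+` line, "Run the following cmdlet to add Microsoft Entra user group to an application group", drops the article; suggest "add a Microsoft Entra user group". The unchanged sentence above the cmdlets describes the Desktop Virtualization User role as giving "special data access on the application group", which is vague for a role assignment readers are about to grant; saying plainly that the assignment lets the user or group use what that application group publishes, at application-group scope as the text already notes, would tell them what they are handing out.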
virtual-desktop | Disaster Recovery Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/disaster-recovery-concepts.md | We'll go into more detail about the two main methods you can achieve these metho In this section, we'll discuss shared (or "pooled") host pools using an active-passive approach. The active-passive approach is when you divide up existing resources into a primary and secondary region. Normally, your organization would do all its work in the primary (or "active") region, but during a disaster, all it takes to switch over to the secondary (or "passive") region is to turn off the resources in the primary region (if you can do so, depending on the outage's extent) and turn on the ones in the secondary one. -The following diagram shows an example of a deployment with redundant infrastructure in a secondary region. "Redundant" means that a copy of the original infrastructure exists in this other region, and is standard in deployments to provide resiliency for all components. Beneath a single Azure Active Directory, there are two regions: West US and East US. Each region has two session hosts running a multi-session operating system (OS), A server running Azure AD Connect, an Active Directory Domain Controller, an Azure Files Premium File share for FSLogix profiles, a storage account, and a virtual network (VNET). In the primary region, West US, all resources are turned on. In the secondary region, East US, the session hosts in the host pool are either turned off or in drain mode, and the Azure AD Connect server is in staging mode. The two VNETs in both regions are connected by peering. +The following diagram shows an example of a deployment with redundant infrastructure in a secondary region. "Redundant" means that a copy of the original infrastructure exists in this other region, and is standard in deployments to provide resiliency for all components. 
Beneath a single Microsoft Entra ID, there are two regions: West US and East US. Each region has two session hosts running a multi-session operating system (OS), A server running Microsoft Entra Connect, an Active Directory Domain Controller, an Azure Files Premium File share for FSLogix profiles, a storage account, and a virtual network (VNET). In the primary region, West US, all resources are turned on. In the secondary region, East US, the session hosts in the host pool are either turned off or in drain mode, and the Microsoft Entra Connect server is in staging mode. The two VNETs in both regions are connected by peering. :::image type="content" source="media/shared-host-pool-recovery-new.png" alt-text="A diagram of a deployment using the recommended shared host pool disaster recovery strategy described in the previous paragraph."::: When using this disaster recovery strategy, it's important to keep the following - There may be requirements that the host pool VMs need to function in the secondary site, such as virtual networks, subnets, network security, or VPNs to access a directory such as on-premises Active Directory. >[!NOTE]- > Using an [Azure Active Directory-joined VM](deploy-azure-ad-joined-vm.md) fulfills some of these requirements automatically. + > Using an [Microsoft Entra joined VM](deploy-azure-ad-joined-vm.md) fulfills some of these requirements automatically. - You may experience integration, performance, or contention issues for resources if a large-scale disaster affects multiple customers or tenants. |
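Review bot: in the `+` paragraph describing the diagram, "Beneath a single Microsoft Entra ID, there are two regions" treats Microsoft Entra ID as a countable object; what the diagram shows is one tenant, so "Beneath a single Microsoft Entra tenant" is clearer. The same paragraph has "a multi-session operating system (OS), A server running Microsoft Entra Connect" with a capital A mid-sentence, which was there before this change too; lower-case it while touching the line.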
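Review bot: the NOTE in the last hunk now reads "Using an [Microsoft Entra joined VM]"; the article fit "an Azure Active Directory-joined VM" but after the rename it should be "a Microsoft Entra joined VM". Mechanical search-and-replace of the product name leaves these article mismatches behind, so every replaced "an Azure AD…" site in this change is worth a quick read-through.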
virtual-desktop | Fslogix Containers Azure Files | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/fslogix-containers-azure-files.md | To ensure your Azure Virtual Desktop environment follows best practices: - Learn more about storage options for FSLogix profile containers, see [Storage options for FSLogix profile containers in Azure Virtual Desktop](store-fslogix-profile.md). - [Set up FSLogix Profile Container with Azure Files and Active Directory](fslogix-profile-container-configure-azure-files-active-directory.md)-- [Set up FSLogix Profile Container with Azure Files and Azure Active Directory](create-profile-container-azure-ad.md)+- [Set up FSLogix Profile Container with Azure Files and Microsoft Entra ID](create-profile-container-azure-ad.md) - [Set up FSLogix Profile Container with Azure NetApp Files](create-fslogix-profile-container.md) |
virtual-desktop | Fslogix Profile Container Configure Azure Files Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory.md | Title: Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop -description: This article describes how to create a FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services. + Title: Set up FSLogix Profile Container with Azure Files and AD DS or Microsoft Entra Domain Services - Azure Virtual Desktop +description: This article describes how to create a FSLogix Profile Container with Azure Files and Active Directory Domain Services or Microsoft Entra Domain Services. Last updated 07/29/2022-# Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services +# Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Microsoft Entra Domain Services -This article will show you how to set up FSLogix Profile Container with Azure Files when your session host virtual machines (VMs) are joined to an Active Directory Domain Services (AD DS) domain or Azure Active Directory Domain Services (Azure AD DS) managed domain. +This article will show you how to set up FSLogix Profile Container with Azure Files when your session host virtual machines (VMs) are joined to an Active Directory Domain Services (AD DS) domain or Microsoft Entra Domain Services managed domain. ## Prerequisites You'll need the following: -- A host pool where the session hosts are joined to an AD DS domain or Azure AD DS managed domain and users are assigned.-- A security group in your domain that contains the users who will use Profile Container. 
If you're using AD DS, this must be synchronized to Azure AD.+- A host pool where the session hosts are joined to an AD DS domain or Microsoft Entra Domain Services managed domain and users are assigned. +- A security group in your domain that contains the users who will use Profile Container. If you're using AD DS, this must be synchronized to Microsoft Entra ID. - Permission on your Azure subscription to create a storage account and add role assignments. - A domain account to join computers to the domain and open an elevated PowerShell prompt. - The subscription ID of your Azure subscription where your storage account will be. To set up a storage account: ## Join your storage account to Active Directory -To use Active Directory accounts for the share permissions of your file share, you need to enable AD DS or Azure AD DS as a source. This process joins your storage account to a domain, representing it as a computer account. Select the relevant tab below for your scenario and follow the steps. +To use Active Directory accounts for the share permissions of your file share, you need to enable AD DS or Microsoft Entra Domain Services as a source. This process joins your storage account to a domain, representing it as a computer account. Select the relevant tab below for your scenario and follow the steps. # [AD DS](#tab/adds) To use Active Directory accounts for the share permissions of your file share, y > [!IMPORTANT] > If your domain enforces password expiration, you must update the password before it expires to prevent authentication failures when accessing Azure file shares. For more information, see [Update the password of your storage account identity in AD DS](../storage/files/storage-files-identity-ad-ds-update-password.md) for details. -# [Azure AD DS](#tab/aadds) +# [Microsoft Entra Domain Services](#tab/aadds) 1. From the Azure portal, open the storage account you created previously. 
To use Active Directory accounts for the share permissions of your file share, y 1. In the main section of the page, next to **Active Directory**, select **Not configured**. -1. In the box for **Azure Active Directory Domain Services**, select **Set up**. +1. In the box for **Microsoft Entra Domain Services**, select **Set up**. -1. Tick the box to **Enable Azure Active Directory Domain Services (Azure AD DS) for this file share**, then select **Save**. An Organizational Unit (OU) called **AzureFilesConfig** will be created at the root of your domain and a user account named the same as the storage account will be created in that OU. This account will be used as the Azure Files service account. +1. Tick the box to **Enable Microsoft Entra Domain Services for this file share**, then select **Save**. An Organizational Unit (OU) called **AzureFilesConfig** will be created at the root of your domain and a user account named the same as the storage account will be created in that OU. This account will be used as the Azure Files service account. To get the Storage account access key: 1. From the Azure portal, search for and select **storage account** in the search bar. -1. From the list of storage accounts, select the account that you enabled Azure AD DS and assigned the RBAC role for in the previous sections. +1. From the list of storage accounts, select the account that you enabled Microsoft Entra Domain Services and assigned the RBAC role for in the previous sections. 1. Under **Security + networking**, select **Access keys**, then show and copy the key from **key1**. |
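Review bot: the last `+` line, "select the account that you enabled Microsoft Entra Domain Services and assigned the RBAC role for in the previous sections", is missing the preposition on the first clause; suggest "the account for which you enabled Microsoft Entra Domain Services and assigned the RBAC role in the previous sections". Keeping the tab anchor `#tab/aadds` while only the label changes is the right call, since renaming the anchor would break existing deep links.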
virtual-desktop | Getting Started Feature | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/getting-started-feature.md | -You can quickly deploy Azure Virtual Desktop with the *getting started* feature in the Azure portal. This can be used in smaller scenarios with a few users and apps, or you can use it to evaluate Azure Virtual Desktop in larger enterprise scenarios. It works with existing Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS) deployments, or it can deploy Azure AD DS for you. Once you've finished, a user will be able to sign in to a full virtual desktop session, consisting of one host pool (with one or more session hosts), one application group, and one user. To learn about the terminology used in Azure Virtual Desktop, see [Azure Virtual Desktop terminology](environment-setup.md). +You can quickly deploy Azure Virtual Desktop with the *getting started* feature in the Azure portal. This can be used in smaller scenarios with a few users and apps, or you can use it to evaluate Azure Virtual Desktop in larger enterprise scenarios. It works with existing Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services deployments, or it can deploy Microsoft Entra Domain Services for you. Once you've finished, a user will be able to sign in to a full virtual desktop session, consisting of one host pool (with one or more session hosts), one application group, and one user. To learn about the terminology used in Azure Virtual Desktop, see [Azure Virtual Desktop terminology](environment-setup.md). -Joining session hosts to Azure Active Directory with the getting started feature is not supported. If you want to want to join session hosts to Azure Active Directory, follow the [tutorial to create a host pool](create-host-pools-azure-marketplace.md). +Joining session hosts to Microsoft Entra ID with the getting started feature is not supported. 
If you want to want to join session hosts to Microsoft Entra ID, follow the [tutorial to create a host pool](create-host-pools-azure-marketplace.md). > [!TIP] > Enterprises should plan an Azure Virtual Desktop deployment using information from [Enterprise-scale support for Microsoft Azure Virtual Desktop](/azure/cloud-adoption-framework/scenarios/wvd/enterprise-scale-landing-zone). You can also find more a granular deployment process in a [series of tutorials](create-host-pools-azure-marketplace.md), which also cover programmatic methods and less permission. You can see the list of [resources that will be deployed](#resources-that-will-b Please review the [Prerequisites for Azure Virtual Desktop](prerequisites.md) to start for a general idea of what's required, however there are some differences when using the getting started feature that you'll need to meet. Select a tab below to show instructions that are most relevant to your scenario. > [!TIP]-> If you don't already have other Azure resources, we recommend you select the **New Azure AD DS** tab. This scenario will deploy everything you need to be ready to connect to a full virtual desktop session. If you already have AD DS or Azure AD DS, select the relevant tab for your scenario instead. +> If you don't already have other Azure resources, we recommend you select the **New Microsoft Entra Domain Services** tab. This scenario will deploy everything you need to be ready to connect to a full virtual desktop session. If you already have AD DS or Microsoft Entra Domain Services, select the relevant tab for your scenario instead. 
-# [New Azure AD DS](#tab/new-aadds) +# [New Microsoft Entra Domain Services](#tab/new-aadds) At a high level, you'll need: - An Azure account with an active subscription-- An account with the [global administrator Azure AD role](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) assigned on the Azure tenant and the [owner role](../role-based-access-control/role-assignments-portal.md) assigned on subscription you're going to use.-- No existing Azure AD DS domain deployed in your Azure tenant.-- User names you choose must not include any keywords [that the username guideline list doesn't allow](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-), and you must use a unique user name that's not already in your Azure AD subscription.-- The user name for AD Domain join UPN should be a unique one that doesn't already exist in Azure AD. The getting started feature doesn't support using existing Azure AD user names when also deploying Azure AD DS.+- An account with the [global administrator Microsoft Entra role](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) assigned on the Azure tenant and the [owner role](../role-based-access-control/role-assignments-portal.md) assigned on subscription you're going to use. +- No existing Microsoft Entra Domain Services domain deployed in your Azure tenant. +- User names you choose must not include any keywords [that the username guideline list doesn't allow](../virtual-machines/windows/faq.yml#what-are-the-username-requirements-when-creating-a-vm-), and you must use a unique user name that's not already in your Microsoft Entra subscription. +- The user name for AD Domain join UPN should be a unique one that doesn't already exist in Microsoft Entra ID. The getting started feature doesn't support using existing Microsoft Entra user names when also deploying Microsoft Entra Domain Services. 
# [Existing AD DS](#tab/existing-adds) At a high level, you'll need: - An Azure account with an active subscription.-- An account with the [global administrator Azure AD role](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) assigned on the Azure tenant and the [owner role](../role-based-access-control/role-assignments-portal.md) assigned on subscription you're going to use.+- An account with the [global administrator Microsoft Entra role](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) assigned on the Azure tenant and the [owner role](../role-based-access-control/role-assignments-portal.md) assigned on subscription you're going to use. - An AD DS domain controller deployed in Azure in the same subscription as the one you choose to use with the getting started feature. Using multiple subscriptions isn't supported. Make sure you know the fully qualified domain name (FQDN). - Domain admin credentials for your existing AD DS domain-- You must configure [Azure AD connect](../active-directory/hybrid/whatis-azure-ad-connect.md) on your subscription and make sure the **Users** container is syncing with Azure AD. A security group called **AVDValidationUsers** will be created during deployment in the *Users* container by default. You can also pre-create the **AVDValidationUsers** security group in a different organization unit in your existing AD DS domain. You must make sure this group is then synchronized to Azure AD. -- A virtual network in the same Azure region you want to deploy Azure Virtual Desktop to. We recommend that you [create a new virtual network](../virtual-network/quick-create-portal.md) for Azure Virtual Desktop and use [virtual network peering](../virtual-network/virtual-network-peering-overview.md) to peer it with the virtual network for AD DS or Azure AD DS. 
You also need to make sure you can resolve your AD DS or Azure AD DS domain name from this new virtual network.+- You must configure [Microsoft Entra Connect](../active-directory/hybrid/whatis-azure-ad-connect.md) on your subscription and make sure the **Users** container is syncing with Microsoft Entra ID. A security group called **AVDValidationUsers** will be created during deployment in the *Users* container by default. You can also pre-create the **AVDValidationUsers** security group in a different organization unit in your existing AD DS domain. You must make sure this group is then synchronized to Microsoft Entra ID. +- A virtual network in the same Azure region you want to deploy Azure Virtual Desktop to. We recommend that you [create a new virtual network](../virtual-network/quick-create-portal.md) for Azure Virtual Desktop and use [virtual network peering](../virtual-network/virtual-network-peering-overview.md) to peer it with the virtual network for AD DS or Microsoft Entra Domain Services. You also need to make sure you can resolve your AD DS or Microsoft Entra Domain Services domain name from this new virtual network. - Internet access is required from your domain controller VM to download PowerShell DSC configuration from `https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/`. > [!NOTE] > The PowerShell Desired State Configuration (DSC) extension will be added to your domain controller VM. A configuration will be added called **AddADDSUser** that contains PowerShell scripts to create the security group and test user, and to populate the security group with any users you choose to add during deployment. 
-# [Existing Azure AD DS](#tab/existing-aadds) +# [Existing Microsoft Entra Domain Services](#tab/existing-aadds) At a high level, you'll need: - An Azure account with an active subscription.-- An account with the [global administrator Azure AD role](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) assigned on the Azure tenant and the [owner role](../role-based-access-control/role-assignments-portal.md) assigned on subscription you're going to use.-- Azure AD DS deployed in the same tenant and subscription. Peered subscriptions aren't supported. Make sure you know the fully qualified domain name (FQDN).-- Your domain admin user needs to have the same UPN suffix in Azure AD and Azure AD DS. This means your Azure AD DS name is the same as your `.onmicrosoft.com` tenant name or you've added the domain name used for Azure AD DS as a verified custom domain name to Azure AD.-- An Azure AD account that is a member of **AAD DC Administrators** group in Azure AD.-- The *forest type* for Azure AD DS must be **User**.-- A virtual network in the same Azure region you want to deploy Azure Virtual Desktop to. We recommend that you [create a new virtual network](../virtual-network/quick-create-portal.md) for Azure Virtual Desktop and use [virtual network peering](../virtual-network/virtual-network-peering-overview.md) to peer it with the virtual network or Azure AD DS. You also need to make sure you [configure DNS servers](../active-directory-domain-services/tutorial-configure-networking.md#configure-dns-servers-in-the-peered-virtual-network) to resolve your Azure AD DS domain name from this virtual network for Azure Virtual Desktop.+- An account with the [global administrator Microsoft Entra role](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) assigned on the Azure tenant and the [owner role](../role-based-access-control/role-assignments-portal.md) assigned on subscription you're going to use. 
+- Microsoft Entra Domain Services deployed in the same tenant and subscription. Peered subscriptions aren't supported. Make sure you know the fully qualified domain name (FQDN). +- Your domain admin user needs to have the same UPN suffix in Microsoft Entra ID and Microsoft Entra Domain Services. This means your Microsoft Entra Domain Services name is the same as your `.onmicrosoft.com` tenant name or you've added the domain name used for Microsoft Entra Domain Services as a verified custom domain name to Microsoft Entra ID. +- A Microsoft Entra account that is a member of **AAD DC Administrators** group in Microsoft Entra ID. +- The *forest type* for Microsoft Entra Domain Services must be **User**. +- A virtual network in the same Azure region you want to deploy Azure Virtual Desktop to. We recommend that you [create a new virtual network](../virtual-network/quick-create-portal.md) for Azure Virtual Desktop and use [virtual network peering](../virtual-network/virtual-network-peering-overview.md) to peer it with the virtual network or Microsoft Entra Domain Services. You also need to make sure you [configure DNS servers](../active-directory-domain-services/tutorial-configure-networking.md#configure-dns-servers-in-the-peered-virtual-network) to resolve your Microsoft Entra Domain Services domain name from this virtual network for Azure Virtual Desktop. > [!IMPORTANT]-> The getting started feature doesn't currently support accounts that use multi-factor authentication. It also does not support personal Microsoft accounts (MSA) or [Azure AD B2B collaboration](../active-directory/external-identities/user-properties.md) users (either member or guest accounts). +> The getting started feature doesn't currently support accounts that use multi-factor authentication. It also does not support personal Microsoft accounts (MSA) or [Microsoft Entra B2B collaboration](../active-directory/external-identities/user-properties.md) users (either member or guest accounts). 
## Deployment steps -# [New Azure AD DS](#tab/new-aadds) +# [New Microsoft Entra Domain Services](#tab/new-aadds) -Here's how to deploy Azure Virtual Desktop and a new Azure AD DS domain using the getting started feature: +Here's how to deploy Azure Virtual Desktop and a new Microsoft Entra Domain Services domain using the getting started feature: 1. Sign in to [the Azure portal](https://portal.azure.com). Here's how to deploy Azure Virtual Desktop and a new Azure AD DS domain using th |--|--| | Subscription | The subscription you want to use from the drop-down list. | | Identity provider | No identity provider. |- | Identity service type | Azure AD Domain Services. | + | Identity service type | Microsoft Entra Domain Services. | | Resource group | Enter a name. This will be used as the prefix for the resource groups that are deployed. | | Location | The Azure region where your Azure Virtual Desktop resources will be deployed. |- | Azure admin user name | The user principal name (UPN) of the account with the global administrator Azure AD role assigned on the Azure tenant and the owner role on the subscription that you selected.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | + | Azure admin user name | The user principal name (UPN) of the account with the global administrator Microsoft Entra role assigned on the Azure tenant and the owner role on the subscription that you selected.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | | Azure admin password | The password for the Azure admin account. |- | Domain admin user name | The user principal name (UPN) for a new Azure AD account that will be added to a new *AAD DC Administrators* group and used to manage your Azure AD DS domain. The UPN suffix will be used as the Azure AD DS domain name.<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). 
| + | Domain admin user name | The user principal name (UPN) for a new Microsoft Entra account that will be added to a new *AAD DC Administrators* group and used to manage your Microsoft Entra Domain Services domain. The UPN suffix will be used as the Microsoft Entra Domain Services domain name.<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | | Domain admin password | The password for the domain admin account. | 1. On the **Virtual machines** tab, complete the following information, then select **Next: Assignments >**: | Parameter | Value/Description | |--|--|- | Users per virtual machine | Select **Multiple users** or **One user at a time** depending on whether you want users to share a session host or assign a session host to an individual user. Learn more about [host pool types](environment-setup.md#host-pools). Selecting **Multiple users** will also create an Azure Files storage account joined to the same Azure AD DS domain. | + | Users per virtual machine | Select **Multiple users** or **One user at a time** depending on whether you want users to share a session host or assign a session host to an individual user. Learn more about [host pool types](environment-setup.md#host-pools). Selecting **Multiple users** will also create an Azure Files storage account joined to the same Microsoft Entra Domain Services domain. | | Image type | Select **Gallery** to choose from a predefined list, or **storage blob** to enter a URI to the image. | | Image | If you chose **Gallery** for image type, select the operating system image you want to use from the drop-down list. You can also select **See all images** to choose an image from the [Azure Compute Gallery](../virtual-machines/azure-compute-gallery.md).<br /><br />If you chose **Storage blob** for image type, enter the URI of the image. 
| | Virtual machine size | The [Azure virtual machine size](../virtual-machines/sizes.md) used for your session host(s) | Here's how to deploy Azure Virtual Desktop and a new Azure AD DS domain using th | Parameter | Value/Description | |--|--| | Create test user account | Tick the box if you want a new user account created during deployment for testing purposes. |- | Test user name | The user principal name (UPN) of the test account you want to be created, for example `testuser@contoso.com`. This user will be created in your new Azure AD tenant, synchronized to Azure AD DS, and made a member of the **AVDValidationUsers** security group that is also created during deployment. It must contain a valid UPN suffix for your domain that is also [added as a verified custom domain name in Azure AD](../active-directory/fundamentals/add-custom-domain.md).<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | + | Test user name | The user principal name (UPN) of the test account you want to be created, for example `testuser@contoso.com`. This user will be created in your new Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the **AVDValidationUsers** security group that is also created during deployment. It must contain a valid UPN suffix for your domain that is also [added as a verified custom domain name in Microsoft Entra ID](../active-directory/fundamentals/add-custom-domain.md).<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | | Test password | The password to be used for the test account. | | Confirm password | Confirmation of the password to be used for the test account. | Here's how to deploy Azure Virtual Desktop using the getting started feature whe | Location | The Azure region where your Azure Virtual Desktop resources will be deployed. 
| | Virtual network | The virtual network in the same Azure region you want to connect your Azure Virtual Desktop resources to. This must have connectivity to your AD DS domain controller in Azure and be able to resolve its FQDN. | | Subnet | The subnet of the virtual network you want to connect your Azure Virtual Desktop resources to. |- | Azure admin user name | The user principal name (UPN) of the account with the global administrator Azure AD role assigned on the Azure tenant and the owner role on the subscription that you selected.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | + | Azure admin user name | The user principal name (UPN) of the account with the global administrator Microsoft Entra role assigned on the Azure tenant and the owner role on the subscription that you selected.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | | Azure admin password | The password for the Azure admin account. | | Domain admin user name | The user principal name (UPN) of the domain admin account in your AD DS domain. The UPN suffix doesn't need to be added as a custom domain in Azure AD.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | | Domain admin password | The password for the domain admin account. | Here's how to deploy Azure Virtual Desktop using the getting started feature whe | Parameter | Value/Description | |--|--| | Create test user account | Tick the box if you want a new user account created during deployment for testing purposes. |- | Test user name | The user principal name (UPN) of the test account you want to be created, for example `testuser@contoso.com`. This user will be created in your AD DS domain, synchronized to Azure AD, and made a member of the **AVDValidationUsers** security group that is also created during deployment. 
It must contain a valid UPN suffix for your domain that is also [added as a verified custom domain name in Azure AD](../active-directory/fundamentals/add-custom-domain.md).<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | + | Test user name | The user principal name (UPN) of the test account you want to be created, for example `testuser@contoso.com`. This user will be created in your AD DS domain, synchronized to Microsoft Entra ID, and made a member of the **AVDValidationUsers** security group that is also created during deployment. It must contain a valid UPN suffix for your domain that is also [added as a verified custom domain name in Microsoft Entra ID](../active-directory/fundamentals/add-custom-domain.md).<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | | Test password | The password to be used for the test account. | | Confirm password | Confirmation of the password to be used for the test account. |- | Assign existing users or groups | You can select existing users or groups by ticking the box and selecting **Add Azure AD users or user groups**. Select Azure AD users or user groups, then select **Select**. These users and groups must be [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md), which means the user account is synchronized between your AD DS domain and Azure AD. Admin accounts arenΓÇÖt able to sign in to the virtual desktop. | + | Assign existing users or groups | You can select existing users or groups by ticking the box and selecting **Add Microsoft Entra users or user groups**. Select Microsoft Entra users or user groups, then select **Select**. These users and groups must be [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md), which means the user account is synchronized between your AD DS domain and Microsoft Entra ID. Admin accounts arenΓÇÖt able to sign in to the virtual desktop. 
| 1. On the **Review + create** tab, ensure validation passes and review the information that will be used during deployment. 1. Select **Create**. -# [Existing Azure AD DS](#tab/existing-aadds) +# [Existing Microsoft Entra Domain Services](#tab/existing-aadds) -Here's how to deploy Azure Virtual Desktop using the getting started feature where you already have Azure AD DS available: +Here's how to deploy Azure Virtual Desktop using the getting started feature where you already have Microsoft Entra Domain Services available: 1. Sign in to [the Azure portal](https://portal.azure.com). Here's how to deploy Azure Virtual Desktop using the getting started feature whe |--|--| | Subscription | The subscription you want to use from the drop-down list. | | Identity provider | Existing Active Directory. |- | Identity service type | Azure AD Domain Services. | + | Identity service type | Microsoft Entra Domain Services. | | Resource group | Enter a name. This will be used as the prefix for the resource groups that are deployed. | | Location | The Azure region where your Azure Virtual Desktop resources will be deployed. |- | Virtual network | The virtual network in the same Azure region you want to connect your Azure Virtual Desktop resources to. This must have connectivity to your Azure AD DS domain and be able to resolve its FQDN. | + | Virtual network | The virtual network in the same Azure region you want to connect your Azure Virtual Desktop resources to. This must have connectivity to your Microsoft Entra Domain Services domain and be able to resolve its FQDN. | | Subnet | The subnet of the virtual network you want to connect your Azure Virtual Desktop resources to. |- | Azure admin user name | The user principal name (UPN) of the account with the global administrator Azure AD role assigned on the Azure tenant and the owner role on the subscription that you selected.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). 
| + | Azure admin user name | The user principal name (UPN) of the account with the global administrator Microsoft Entra role assigned on the Azure tenant and the owner role on the subscription that you selected.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | | Azure admin password | The password for the Azure admin account. |- | Domain admin user name | The user principal name (UPN) of the admin account to manage your Azure AD DS domain. The UPN suffix of the user in Azure AD must match the Azure AD DS domain name.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | + | Domain admin user name | The user principal name (UPN) of the admin account to manage your Microsoft Entra Domain Services domain. The UPN suffix of the user in Microsoft Entra ID must match the Microsoft Entra Domain Services domain name.<br /><br />Make sure this account meets the requirements noted in the [prerequisites](#prerequisites). | | Domain admin password | The password for the domain admin account. | 1. On the **Virtual machines** tab, complete the following information, then select **Next: Assignments >**: | Parameter | Value/Description | |--|--|- | Users per virtual machine | Select **Multiple users** or **One user at a time** depending on whether you want users to share a session host or assign a session host to an individual user. Learn more about [host pool types](environment-setup.md#host-pools). Selecting **Multiple users** will also create an Azure Files storage account joined to the same Azure AD DS domain. | + | Users per virtual machine | Select **Multiple users** or **One user at a time** depending on whether you want users to share a session host or assign a session host to an individual user. Learn more about [host pool types](environment-setup.md#host-pools). 
Selecting **Multiple users** will also create an Azure Files storage account joined to the same Microsoft Entra Domain Services domain. | | Image type | Select **Gallery** to choose from a predefined list, or **storage blob** to enter a URI to the image. | | Image | If you chose **Gallery** for image type, select the operating system image you want to use from the drop-down list. You can also select **See all images** to choose an image from the [Azure Compute Gallery](../virtual-machines/azure-compute-gallery.md).<br /><br />If you chose **Storage blob** for image type, enter the URI of the image. | | Virtual machine size | The [Azure virtual machine size](../virtual-machines/sizes.md) used for your session host(s) | Here's how to deploy Azure Virtual Desktop using the getting started feature whe | Parameter | Value/Description | |--|--| | Create test user account | Tick the box if you want a new user account created during deployment for testing purposes. |- | Test user name | The user principal name (UPN) of the test account you want to be created, for example `testuser@contoso.com`. This user will be created in your Azure AD tenant, synchronized to Azure AD DS, and made a member of the **AVDValidationUsers** security group that is also created during deployment. It must contain a valid UPN suffix for your domain that is also [added as a verified custom domain name in Azure AD](../active-directory/fundamentals/add-custom-domain.md).<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | + | Test user name | The user principal name (UPN) of the test account you want to be created, for example `testuser@contoso.com`. This user will be created in your Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the **AVDValidationUsers** security group that is also created during deployment. 
It must contain a valid UPN suffix for your domain that is also [added as a verified custom domain name in Microsoft Entra ID](../active-directory/fundamentals/add-custom-domain.md).<br /><br />Make sure this user name meets the requirements noted in the [prerequisites](#prerequisites). | | Test password | The password to be used for the test account. | | Confirm password | Confirmation of the password to be used for the test account. |- | Assign existing users or groups | You can select existing users or groups by ticking the box and selecting **Add Azure AD users or user groups**. Select Azure AD users or user groups, then select **Select**. These users and groups must be in the synchronization scope configured for Azure AD DS. Admin accounts arenΓÇÖt able to sign in to the virtual desktop. | + | Assign existing users or groups | You can select existing users or groups by ticking the box and selecting **Add Microsoft Entra users or user groups**. Select Microsoft Entra users or user groups, then select **Select**. These users and groups must be in the synchronization scope configured for Microsoft Entra Domain Services. Admin accounts arenΓÇÖt able to sign in to the virtual desktop. | 1. On the **Review + create** tab, ensure validation passes and review the information that will be used during deployment. If you didn't create a test account or assigned an existing user during deployme ## Resources that will be deployed -# [New Azure AD DS](#tab/new-aadds) +# [New Microsoft Entra Domain Services](#tab/new-aadds) | Resource type | Name | Resource group name | Notes | |--|--|--|--| | Resource group | *your prefix*-avd | N/A | This is a predefined name. | | Resource group | *your prefix*-deployment | N/A | This is a predefined name. | | Resource group | *your prefix*-prerequisite | N/A | This is a predefined name. 
|-| Azure AD DS | *your domain name* | *your prefix*-prerequisite | Deployed with the [Enterprise SKU](https://azure.microsoft.com/pricing/details/active-directory-ds/#pricing). You can [change the SKU](../active-directory-domain-services/change-sku.md) after deployment. | +| Microsoft Entra Domain Services | *your domain name* | *your prefix*-prerequisite | Deployed with the [Enterprise SKU](https://azure.microsoft.com/pricing/details/active-directory-ds/#pricing). You can [change the SKU](../active-directory-domain-services/change-sku.md) after deployment. | | Automation Account | ebautomation*random string* | *your prefix*-deployment | This is a predefined name. | | Automation Account runbook | inputValidationRunbook(*Automation Account name*) | *your prefix*-deployment | This is a predefined name. | | Automation Account runbook | prerequisiteSetupCompletionRunbook(*Automation Account name*) | *your prefix*-deployment | This is a predefined name. | If you didn't create a test account or assigned an existing user during deployme | Load balancer | aadds-*random string*-lb | *your prefix*-prerequisite | This is a predefined name. | | Public IP address | aadds-*random string*-pip | *your prefix*-prerequisite | This is a predefined name. | | Network security group | avdVnet-nsg | *your prefix*-prerequisite | This is a predefined name. |-| Group | AVDValidationUsers | N/A | Created in your new Azure AD tenant and synchronized to Azure AD DS. It contains a new test user (if created) and users you selected. This is a predefined name. | -| User | *your test user* | N/A | If you select to create a test user, it will be created in your new Azure AD tenant, synchronized to Azure AD DS, and made a member of the *AVDValidationUsers* security group. | +| Group | AVDValidationUsers | N/A | Created in your new Microsoft Entra tenant and synchronized to Microsoft Entra Domain Services. It contains a new test user (if created) and users you selected. This is a predefined name. 
| +| User | *your test user* | N/A | If you select to create a test user, it will be created in your new Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the *AVDValidationUsers* security group. | # [Existing AD DS](#tab/existing-adds) If you didn't create a test account or assigned an existing user during deployme | Virtual machine | *your prefix*-*number* | *your prefix*-avd | This is a predefined name. | | Network interface | *virtual machine name*-nic | *your prefix*-avd | This is a predefined name. | | Disk | *virtual machine name*\_OsDisk_1_*random string* | *your prefix*-avd | This is a predefined name. |-| Group | AVDValidationUsers | N/A | Created in your AD DS domain and synchronized to Azure AD. It contains a new test user (if created) and users you selected. This is a predefined name. | -| User | *your test user* | N/A | If you select to create a test user, it will be created in your AD DS domain, synchronized to Azure AD, and made a member of the *AVDValidationUsers* security group. | +| Group | AVDValidationUsers | N/A | Created in your AD DS domain and synchronized to Microsoft Entra ID. It contains a new test user (if created) and users you selected. This is a predefined name. | +| User | *your test user* | N/A | If you select to create a test user, it will be created in your AD DS domain, synchronized to Microsoft Entra ID, and made a member of the *AVDValidationUsers* security group. | -# [Existing Azure AD DS](#tab/existing-aadds) +# [Existing Microsoft Entra Domain Services](#tab/existing-aadds) | Resource type | Name | Resource group name | Notes | |--|--|--|--| If you didn't create a test account or assigned an existing user during deployme | Virtual machine | *your prefix*-*number* | *your prefix*-avd | This is a predefined name. | | Network interface | *virtual machine name*-nic | *your prefix*-avd | This is a predefined name. 
| | Disk | *virtual machine name*\_OsDisk_1_*random string* | *your prefix*-avd | This is a predefined name. |-| Group | AVDValidationUsers | N/A | Created in your Azure AD tenant and synchronized to Azure AD DS. It contains a new test user (if created) and users you selected. This is a predefined name. | -| User | *your test user* | N/A | If you select to create a test user, it will be created in your Azure AD tenant, synchronized to Azure AD DS, and made a member of the *AVDValidationUsers* security group. | +| Group | AVDValidationUsers | N/A | Created in your Microsoft Entra tenant and synchronized to Microsoft Entra Domain Services. It contains a new test user (if created) and users you selected. This is a predefined name. | +| User | *your test user* | N/A | If you select to create a test user, it will be created in your Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the *AVDValidationUsers* security group. | If you want to remove Azure Virtual Desktop resources from your environment, you - *your-prefix*-deployment - *your-prefix*-avd-- *your-prefix*-prerequisite (only if you deployed the getting started feature with a new Azure AD DS domain)+- *your-prefix*-prerequisite (only if you deployed the getting started feature with a new Microsoft Entra Domain Services domain) To delete the resource groups: |
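Review bot: the rewritten Overview line keeps the duplicated phrase from the line it replaces: "If you want to want to join session hosts to Microsoft Entra ID, follow the [tutorial to create a host pool]". Since this line is already being touched for the rename, drop the repeated "want to" so it reads "If you want to join session hosts to Microsoft Entra ID, follow the tutorial to create a host pool".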
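Review bot: the rename is incomplete in the Existing AD DS deployment table. The unchanged "Domain admin user name" row still reads "The UPN suffix doesn't need to be added as a custom domain in Azure AD." while the adjacent "Azure admin user name" and "Test user name" rows in the same table were updated to "Microsoft Entra ID"; update this row to "... added as a custom domain in Microsoft Entra ID." so the table is consistent.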
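Review bot: the added prerequisite bullet under the New Microsoft Entra Domain Services tab says "you must use a unique user name that's not already in your Microsoft Entra subscription", but a directory has no subscription; elsewhere on the page the same idea is phrased as "your new Microsoft Entra tenant". Suggest "a unique user name that's not already in your Microsoft Entra tenant" here, which also matches the following bullet ("doesn't already exist in Microsoft Entra ID").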
virtual-desktop | Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/insights.md | Azure Virtual Desktop Insights allows you to monitor Azure Monitor alerts happen Microsoft automatically collects usage and performance data through your use of the Azure Virtual Desktop Insights service. Microsoft uses this data to improve the quality, security, and integrity of the service. -To provide accurate and efficient troubleshooting capabilities, the collected data includes the portal session ID, Azure Active Directory user ID, and the name of the portal tab where the event occurred. Microsoft doesn't collect names, addresses, or other contact information. +To provide accurate and efficient troubleshooting capabilities, the collected data includes the portal session ID, Microsoft Entra user ID, and the name of the portal tab where the event occurred. Microsoft doesn't collect names, addresses, or other contact information. For more information about data collection and usage, see the [Microsoft Online Services Privacy Statement](https://privacy.microsoft.com/privacystatement). |
virtual-desktop | Key Distribution Center Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/key-distribution-center-proxy.md | However, setting up the KDC proxy typically involves assigning the Windows Serve There are two components to the Azure Virtual Desktop service that need to be authenticated: -- The feed in the Azure Virtual Desktop client that gives users a list of available desktops or applications they have access to. This authentication process happens in Azure Active Directory, which means this component isn't the focus of this article.+- The feed in the Azure Virtual Desktop client that gives users a list of available desktops or applications they have access to. This authentication process happens in Microsoft Entra ID, which means this component isn't the focus of this article. - The RDP session that results from a user selecting one of those available resources. This component uses Kerberos authentication and requires a KDC proxy for remote users. This article will show you how to configure the feed in the Azure Virtual Desktop client in the Azure portal. If you want to learn how to configure the RD Gateway role, see [Deploy the RD Gateway role](/windows-server/remote/remote-desktop-services/remote-desktop-gateway-role). To configure the KDC proxy: To learn how to manage the Remote Desktop Services side of the KDC proxy and assign the RD Gateway role, see [Deploy the RD Gateway role](/windows-server/remote/remote-desktop-services/remote-desktop-gateway-role). -If you're interested in scaling your KDC proxy servers, learn how to set up high availability for KDC proxy at [Add high availability to the RD Web and Gateway web front](/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha). 
+If you're interested in scaling your KDC proxy servers, learn how to set up high availability for KDC proxy at [Add high availability to the RD Web and Gateway web front](/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha). |
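Review bot: The final hunk of this change removes and re-adds the sentence "If you're interested in scaling your KDC proxy servers, learn how to set up high availability for KDC proxy at [Add high availability to the RD Web and Gateway web front](...)" with no visible difference between the `-` and `+` lines. If this is only a trailing-whitespace or line-ending fix it is harmless, but if a rename was intended here it did not take effect; please confirm which.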
virtual-desktop | Manage App Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/manage-app-groups.md | If you've already created a host pool and session host VMs using the Azure porta 7. Select **Next: Assignments >** tab. -8. To assign individual users or user groups to the application group, select **+Add Azure AD users or user groups**. +8. To assign individual users or user groups to the application group, select **+Add Microsoft Entra users or user groups**. 9. Select the users you want to have access to the apps. You can select single or multiple users and user groups. The deployment process will do the following things for you: Once a user connects to a RemoteApp, any other RemoteApp that they connect to during the same session will be from the same session host. >[!IMPORTANT]->You can only create 500 application groups for each Azure Active Directory tenant. We added this limit because of service limitations for retrieving feeds for our users. This limit doesn't apply to application groups created in Azure Virtual Desktop (classic). +>You can only create 500 application groups for each Microsoft Entra tenant. We added this limit because of service limitations for retrieving feeds for our users. This limit doesn't apply to application groups created in Azure Virtual Desktop (classic). ## Edit or remove an app |
virtual-desktop | Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/management.md | We recommend using [Microsoft Intune](https://www.microsoft.com/endpointmanager) ## Microsoft Configuration Manager -Microsoft Configuration Manager versions 1906 and later can manage your domain-joined and Hybrid Azure Active Directory (Azure AD)-joined session hosts. For more information, see [Supported OS versions for clients and devices for Configuration Manager](/mem/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices#azure-virtual-desktop). +Microsoft Configuration Manager versions 1906 and later can manage your domain-joined and Microsoft Entra hybrid joined session hosts. For more information, see [Supported OS versions for clients and devices for Configuration Manager](/mem/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices#azure-virtual-desktop). ## Microsoft Intune -Microsoft Intune can manage your Azure AD-joined and Hybrid Azure AD-joined session hosts. To learn more about using Intune to manage Windows 11 and Windows 10 single session hosts, see [Using Azure Virtual Desktop with Intune](/mem/intune/fundamentals/windows-virtual-desktop). +Microsoft Intune can manage your Microsoft Entra joined and Microsoft Entra hybrid joined session hosts. To learn more about using Intune to manage Windows 11 and Windows 10 single session hosts, see [Using Azure Virtual Desktop with Intune](/mem/intune/fundamentals/windows-virtual-desktop). For Windows 11 and Windows 10 multi-session hosts, Intune supports both device-based configurations and user-based configurations on Windows 11 and Windows 10. User-scope configuration on Windows 10 requires the update March 2023 Cumulative Update Preview (KB5023773) and OS version 19042.2788, 19044.2788, 19045.2788 or later. 
To learn more about using Intune to manage multi-session hosts, see [Using Azure Virtual Desktop multi-session with Intune](/mem/intune/fundamentals/windows-virtual-desktop-multi-session). |
virtual-desktop | Manual Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/manual-migration.md | Major updates can be inconvenient, especially ones you have to do manually. Howe Despite the hassle, migrating away from the classic version is still important. Here's what you can do after you migrate: - Manage Azure Virtual Desktop through the Azure portal.-- Assign Azure Active Directory (Azure AD) user groups to application groups.+- Assign Microsoft Entra user groups to application groups. - Use the improved Log Analytics feature to troubleshoot your deployment. - Use Azure-native role-based access control (Azure RBAC) to manage administrative access. |
virtual-desktop | Network Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/network-connectivity.md | Upon startup of the Azure Virtual Desktop session host, the Remote Desktop Agent Client connection sequence described below: 1. Using supported Azure Virtual Desktop client user subscribes to the Azure Virtual Desktop Workspace-2. Azure Active Directory authenticates the user and returns the token used to enumerate resources available to a user +2. Microsoft Entra authenticates the user and returns the token used to enumerate resources available to a user 3. Client passes token to the Azure Virtual Desktop feed subscription service 4. Azure Virtual Desktop feed subscription service validates the token 5. Azure Virtual Desktop feed subscription service passes the list of available desktops and applications back to the client in the form of digitally signed connection configuration |
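Review bot: Step 2 of the client connection sequence now reads "Microsoft Entra authenticates the user", whereas the other renames in this batch (Insights, Prerequisites, Manual Migration) use the full service name "Microsoft Entra ID"; "Microsoft Entra" on its own is the product family, not the identity service that issues the token. Suggest "2. Microsoft Entra ID authenticates the user and returns the token used to enumerate resources available to a user".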
virtual-desktop | Onedrive Remoteapp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/onedrive-remoteapp.md | Title: Use Microsoft OneDrive with a RemoteApp - Azure Virtual Desktop + Title: Use Microsoft OneDrive with a RemoteApp (preview) - Azure Virtual Desktop description: Learn how to use Microsoft OneDrive with a RemoteApp in Azure Virtual Desktop. -# Use Microsoft OneDrive with a RemoteApp in Azure Virtual Desktop +# Use Microsoft OneDrive with a RemoteApp in Azure Virtual Desktop (preview) -You can use Microsoft OneDrive alongside a RemoteApp in Azure Virtual Desktop, allowing users to access and synchronize their files while using a RemoteApp. When a user connects to a RemoteApp, OneDrive can automatically launch as a companion to the RemoteApp. This article describes how to configure OneDrive to automatically launch alongside a RemoteApp in Azure Virtual Desktop. +> [!IMPORTANT] +> Using Microsoft OneDrive with a RemoteApp in Azure Virtual Desktop is currently in PREVIEW. +> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. ++You can use Microsoft OneDrive alongside a RemoteApp in Azure Virtual Desktop (preview), allowing users to access and synchronize their files while using a RemoteApp. When a user connects to a RemoteApp, OneDrive can automatically launch as a companion to the RemoteApp. This article describes how to configure OneDrive to automatically launch alongside a RemoteApp in Azure Virtual Desktop. > [!IMPORTANT] > - You should only use OneDrive with a RemoteApp for testing purposes as it requires an Insider Preview build of Windows 11 for your session hosts. |
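Review bot: The new preview `[!IMPORTANT]` callout is inserted immediately above the existing `[!IMPORTANT]` callout ("You should only use OneDrive with a RemoteApp for testing purposes as it requires an Insider Preview build..."), so the intro paragraph now sits between two callouts of the same type; consider folding the preview terms into the existing callout or placing the new one directly after the intro paragraph. Also, "(preview)" was added to the `Title:` metadata and the H1 but not to the `description:` line, which is what search results show; update it to match if the preview label is meant to be visible there.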
virtual-desktop | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/prerequisites.md | You also need to make sure you've registered the *Microsoft.DesktopVirtualizatio ## Identity -To access desktops and applications from your session hosts, your users need to be able to authenticate. [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) is Microsoft's centralized cloud identity service that enables this capability. Azure AD is always used to authenticate users for Azure Virtual Desktop. Session hosts can be joined to the same Azure AD tenant, or to an Active Directory domain using [Active Directory Domain Services](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) (AD DS) or [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) (Azure AD DS), providing you with a choice of flexible configuration options. +To access desktops and applications from your session hosts, your users need to be able to authenticate. [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) is Microsoft's centralized cloud identity service that enables this capability. Microsoft Entra ID is always used to authenticate users for Azure Virtual Desktop. Session hosts can be joined to the same Microsoft Entra tenant, or to an Active Directory domain using [Active Directory Domain Services](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) (AD DS) or [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) (Microsoft Entra Domain Services), providing you with a choice of flexible configuration options. ### Session hosts -You need to join session hosts that provide desktops and applications to the same Azure AD tenant as your users, or an Active Directory domain (either AD DS or Azure AD DS). 
+You need to join session hosts that provide desktops and applications to the same Microsoft Entra tenant as your users, or an Active Directory domain (either AD DS or Microsoft Entra Domain Services). -To join session hosts to Azure AD or an Active Directory domain, you need the following permissions: +To join session hosts to Microsoft Entra ID or an Active Directory domain, you need the following permissions: -- For Azure Active Directory (Azure AD), you need an account that can join computers to your tenant. For more information, see [Manage device identities](../active-directory/devices/manage-device-identities.md#configure-device-settings). To learn more about joining session hosts to Azure AD, see [Azure AD-joined session hosts](azure-ad-joined-session-hosts.md).+- For Microsoft Entra ID, you need an account that can join computers to your tenant. For more information, see [Manage device identities](../active-directory/devices/manage-device-identities.md#configure-device-settings). To learn more about joining session hosts to Microsoft Entra ID, see [Microsoft Entra joined session hosts](azure-ad-joined-session-hosts.md). -- For an Active Directory domain, you need a domain account that can join computers to your domain. For Azure AD DS, you would need to be a member of the [*AAD DC Administrators* group](../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group).+- For an Active Directory domain, you need a domain account that can join computers to your domain. For Microsoft Entra Domain Services, you would need to be a member of the [*AAD DC Administrators* group](../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group). ### Users -Your users need accounts that are in Azure AD. 
If you're also using AD DS or Azure AD DS in your deployment of Azure Virtual Desktop, these accounts will need to be [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md), which means the user accounts are synchronized. You'll need to keep the following things in mind based on which identity provider you use: +Your users need accounts that are in Microsoft Entra ID. If you're also using AD DS or Microsoft Entra Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md), which means the user accounts are synchronized. You'll need to keep the following things in mind based on which identity provider you use: -- If you're using Azure AD with AD DS, you'll need to configure [Azure AD Connect](../active-directory/hybrid/whatis-azure-ad-connect.md) to synchronize user identity data between AD DS and Azure AD.-- If you're using Azure AD with Azure AD DS, user accounts are synchronized one way from Azure AD to Azure AD DS. This synchronization process is automatic.+- If you're using Microsoft Entra ID with AD DS, you'll need to configure [Microsoft Entra Connect](../active-directory/hybrid/whatis-azure-ad-connect.md) to synchronize user identity data between AD DS and Microsoft Entra ID. +- If you're using Microsoft Entra ID with Microsoft Entra Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Microsoft Entra Domain Services. This synchronization process is automatic. 
### Supported identity scenarios The following table summarizes identity scenarios that Azure Virtual Desktop cur | Identity scenario | Session hosts | User accounts | |--|--|--|-| Azure AD + AD DS | Joined to AD DS | In Azure AD and AD DS, synchronized | -| Azure AD + AD DS | Joined to Azure AD | In Azure AD and AD DS, synchronized | -| Azure AD + Azure AD DS | Joined to Azure AD DS | In Azure AD and Azure AD DS, synchronized | -| Azure AD + Azure AD DS + AD DS | Joined to Azure AD DS | In Azure AD and AD DS, synchronized | -| Azure AD + Azure AD DS | Joined to Azure AD | In Azure AD and Azure AD DS, synchronized| -| Azure AD only | Joined to Azure AD | In Azure AD | +| Microsoft Entra ID + AD DS | Joined to AD DS | In Microsoft Entra ID and AD DS, synchronized | +| Microsoft Entra ID + AD DS | Joined to Microsoft Entra ID | In Microsoft Entra ID and AD DS, synchronized | +| Microsoft Entra ID + Microsoft Entra Domain Services | Joined to Microsoft Entra Domain Services | In Microsoft Entra ID and Microsoft Entra Domain Services, synchronized | +| Microsoft Entra ID + Microsoft Entra Domain Services + AD DS | Joined to Microsoft Entra Domain Services | In Microsoft Entra ID and AD DS, synchronized | +| Microsoft Entra ID + Microsoft Entra Domain Services | Joined to Microsoft Entra ID | In Microsoft Entra ID and Microsoft Entra Domain Services, synchronized| +| Microsoft Entra-only | Joined to Microsoft Entra ID | In Microsoft Entra ID | -To use [FSLogix Profile Container](/fslogix/configure-profile-container-tutorial) when joining your session hosts to Azure AD, you will need to [store profiles on Azure Files](create-profile-container-azure-ad.md) and your user accounts must be [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md). This means you must create these accounts in AD DS and synchronize them to Azure AD. 
To learn more about deploying FSLogix Profile Container with different identity scenarios, see the following articles: +To use [FSLogix Profile Container](/fslogix/configure-profile-container-tutorial) when joining your session hosts to Microsoft Entra ID, you will need to [store profiles on Azure Files](create-profile-container-azure-ad.md) and your user accounts must be [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md). This means you must create these accounts in AD DS and synchronize them to Microsoft Entra ID. To learn more about deploying FSLogix Profile Container with different identity scenarios, see the following articles: -- [Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services](fslogix-profile-container-configure-azure-files-active-directory.md).-- [Set up FSLogix Profile Container with Azure Files and Azure Active Directory](create-profile-container-azure-ad.md).+- [Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Microsoft Entra Domain Services](fslogix-profile-container-configure-azure-files-active-directory.md). +- [Set up FSLogix Profile Container with Azure Files and Microsoft Entra ID](create-profile-container-azure-ad.md). > [!IMPORTANT]-> The user account must exist in the Azure AD tenant you use for Azure Virtual Desktop. Azure Virtual Desktop doesn't support [B2B](../active-directory/external-identities/what-is-b2b.md), [B2C](../active-directory-b2c/overview.md), or personal Microsoft accounts. +> The user account must exist in the Microsoft Entra tenant you use for Azure Virtual Desktop. Azure Virtual Desktop doesn't support [B2B](../active-directory/external-identities/what-is-b2b.md), [B2C](../active-directory-b2c/overview.md), or personal Microsoft accounts. 
>-> When using hybrid identities, either the UserPrincipalName (UPN) or the Security Identifier (SID) must match across Active Directory Domain Services and Azure Active Directory. For more information, see [Supported identities and authentication methods](authentication.md#hybrid-identity). +> When using hybrid identities, either the UserPrincipalName (UPN) or the Security Identifier (SID) must match across Active Directory Domain Services and Microsoft Entra ID. For more information, see [Supported identities and authentication methods](authentication.md#hybrid-identity). ### Deployment parameters You'll need to enter the following identity parameters when deploying session hosts: -- Domain name, if using AD DS or Azure AD DS.+- Domain name, if using AD DS or Microsoft Entra Domain Services. - Credentials to join session hosts to the domain. - Organizational Unit (OU), which is an optional parameter that lets you place session hosts in the desired OU at deployment time. To successfully deploy Azure Virtual Desktop, you'll need to meet the following - You'll need a virtual network and subnet for your session hosts. If you create your session hosts at the same time as a host pool, you must create this virtual network in advance for it to appear in the drop-down list. Your virtual network must be in the same Azure region as the session host. -- Make sure this virtual network can connect to your domain controllers and relevant DNS servers if you're using AD DS or Azure AD DS, since you'll need to join session hosts to the domain.+- Make sure this virtual network can connect to your domain controllers and relevant DNS servers if you're using AD DS or Microsoft Entra Domain Services, since you'll need to join session hosts to the domain. - Your session hosts and users need to be able to connect to the Azure Virtual Desktop service. These connections also use TCP on port 443 to a specific list of URLs. For more information, see [Required URL list](safe-url-list.md). 
You must make sure these URLs aren't blocked by network filtering or a firewall in order for your deployment to work properly and be supported. If your users need to access Microsoft 365, make sure your session hosts can connect to [Microsoft 365 endpoints](/microsoft-365/enterprise/microsoft-365-endpoints). Consider the following when managing session hosts: - Don't enable any policies or configurations that disable *Windows Installer*. If you disable Windows Installer, the service won't be able to install agent updates on your session hosts, and your session hosts won't function properly. -- If you're joining session hosts to an AD DS domain and you want to manage them using [Intune](/mem/intune/fundamentals/what-is-intune), you'll need to configure [Azure AD Connect](../active-directory/hybrid/whatis-azure-ad-connect.md) to enable [hybrid Azure AD join](../active-directory/devices/hybrid-join-plan.md).+- If you're joining session hosts to an AD DS domain and you want to manage them using [Intune](/mem/intune/fundamentals/what-is-intune), you'll need to configure [Microsoft Entra Connect](../active-directory/hybrid/whatis-azure-ad-connect.md) to enable [Microsoft Entra hybrid join](../active-directory/devices/hybrid-join-plan.md). -- If you're joining session hosts to an Azure AD DS domain, you can't manage them using [Intune](/mem/intune/fundamentals/what-is-intune).+- If you're joining session hosts to a Microsoft Entra Domain Services domain, you can't manage them using [Intune](/mem/intune/fundamentals/what-is-intune). -- If you're using Azure AD-join with Windows Server for your session hosts, you can't enroll them in Intune as Windows Server is not supported with Intune. 
You'll need to use hybrid Azure AD-join and Group Policy from an Active Directory domain, or local Group Policy on each session host.+- If you're using Microsoft Entra join with Windows Server for your session hosts, you can't enroll them in Intune as Windows Server is not supported with Intune. You'll need to use Microsoft Entra hybrid join and Group Policy from an Active Directory domain, or local Group Policy on each session host. ## Remote Desktop clients |
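Review bot: In the Identity section the rename leaves a redundant parenthetical: "[Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) (Microsoft Entra Domain Services)". The original parenthetical introduced the abbreviation "(Azure AD DS)"; the new name has no abbreviation, so drop the repeated "(Microsoft Entra Domain Services)". In the identity scenarios table, the last row uses "Microsoft Entra-only" while every other row in that column uses "Microsoft Entra ID"; suggest "Microsoft Entra ID only" for consistency, and the row ending "...Microsoft Entra Domain Services, synchronized|" is still missing the space before the closing pipe that the other rows have.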
virtual-desktop | Rdp Shortpath | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/rdp-shortpath.md | Each RDP session uses a dynamically assigned UDP port from an ephemeral port ran > [!TIP] > RDP Shortpath for public networks will work automatically without any additional configuration, providing networks and firewalls allow the traffic through and RDP transport settings in the Windows operating system for session hosts and clients are using their default values. -The following diagram gives a high-level overview of the network connections when using RDP Shortpath for public networks where session hosts joined to Azure Active Directory (Azure AD). +The following diagram gives a high-level overview of the network connections when using RDP Shortpath for public networks where session hosts joined to Microsoft Entra ID. :::image type="content" source="media/rdp-shortpath/rdp-shortpath-public-networks.png" alt-text="Diagram of network connections when using RDP Shortpath for public networks." lightbox="media/rdp-shortpath/rdp-shortpath-public-networks.png"::: |
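Review bot: The rewritten sentence keeps the pre-existing grammar slip "where session hosts joined to Microsoft Entra ID"; since this line is being touched anyway, make it "where session hosts are joined to Microsoft Entra ID".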
virtual-desktop | Architecture Recs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/remote-app-streaming/architecture-recs.md | If your Azure Virtual Desktop deployment will serve end-users outside your organ Azure Virtual Desktop doesn't currently support external identities, including business-to-business (B2B) or business-to-client (B2C) users. You'll need to create and manage these identities manually and provide the credentials to your users yourself. Users will then use these identities to access resources in Azure Virtual Desktop. -To provide a secure solution to your customers, Microsoft strongly recommends creating an Azure Active Directory (Azure AD) tenant and subscription for each customer with their own dedicated Active Directory. This separation means you'll have to create a separate Azure Virtual Desktop deployment for each organization that's totally isolated from the other deployments and their resources. The virtual machines that each organization uses shouldn't be able to access the resources of other companies to keep information secure. You can set up these separate deployments by using either a combination of Active Directory Domain Services (AD DS) and Azure AD Connect or by using Azure AD Domain Services. +To provide a secure solution to your customers, Microsoft strongly recommends creating a Microsoft Entra tenant and subscription for each customer with their own dedicated Active Directory. This separation means you'll have to create a separate Azure Virtual Desktop deployment for each organization that's totally isolated from the other deployments and their resources. The virtual machines that each organization uses shouldn't be able to access the resources of other companies to keep information secure. You can set up these separate deployments by using either a combination of Active Directory Domain Services (AD DS) and Microsoft Entra Connect or by using Microsoft Entra Domain Services. |
virtual-desktop | Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/remote-app-streaming/identities.md | Title: Create user accounts for RemoteApp streaming - Azure Virtual Desktop -description: How to create user accounts for RemoteApp streaming for your customers in Azure Virtual Desktop with Azure AD, Azure AD DS, or AD DS. +description: How to create user accounts for RemoteApp streaming for your customers in Azure Virtual Desktop with Microsoft Entra ID, Microsoft Entra Domain Services, or AD DS. Last updated 08/06/2021-Because Azure Virtual Desktop doesn't currently support external profiles, or "identities," your users won't be able to access the apps you host with their own corporate credentials. Instead, you'll need to create identities for them in the Active Directory Domain that you'll use for RemoteApp streaming and sync user objects to the associated Azure Active Directory (Azure AD) tenant. +Because Azure Virtual Desktop doesn't currently support external profiles, or "identities," your users won't be able to access the apps you host with their own corporate credentials. Instead, you'll need to create identities for them in the Active Directory Domain that you'll use for RemoteApp streaming and sync user objects to the associated Microsoft Entra tenant. In this article, we'll explain how you can manage user identities to provide a secure environment for your customers. We'll also talk about the different parts that make up an identity. In this article, we'll explain how you can manage user identities to provide a s The identities you create need to follow these guidelines: -- Identities must be [hybrid identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means they exist in both the [Active Directory (AD)](/previous-versions/windows/it-pro/windows-server-2003/cc781408(v=ws.10)) and [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md). 
You can use either [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/active-directory-domain-services) or [Azure Active Directory Domain Services (Azure AD DS)](https://azure.microsoft.com/services/active-directory-ds) to create these identities. To learn more about each method, see [Compare identity solutions](../../active-directory-domain-services/compare-identity-solutions.md).-- You should keep users from different organizations in separate Azure AD tenants to prevent security breaches. We recommend creating one Active Directory Domain and Azure Active Directory tenant per customer organization. That tenant should have its own associated Azure AD DS or AD DS subscription dedicated to that customer.+- Identities must be [hybrid identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means they exist in both the [Active Directory (AD)](/previous-versions/windows/it-pro/windows-server-2003/cc781408(v=ws.10)) and [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md). You can use either [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/active-directory-domain-services) or [Microsoft Entra Domain Services](https://azure.microsoft.com/services/active-directory-ds) to create these identities. To learn more about each method, see [Compare identity solutions](../../active-directory-domain-services/compare-identity-solutions.md). +- You should keep users from different organizations in separate Microsoft Entra tenants to prevent security breaches. We recommend creating one Active Directory Domain and Microsoft Entra tenant per customer organization. That tenant should have its own associated Microsoft Entra Domain Services or AD DS subscription dedicated to that customer. > [!NOTE]-> If you want to enable [single sign-on (SSO)](../configure-single-sign-on.md) and [Intune management](../management.md), you can do this for Azure AD-joined and Hybrid Azure AD-joined VMs. 
Azure Virtual Desktop doesn't support SSO and Intune with VMs joined to Azure AD Domain Services. +> If you want to enable [single sign-on (SSO)](../configure-single-sign-on.md) and [Intune management](../management.md), you can do this for Microsoft Entra joined and Microsoft Entra hybrid joined VMs. Azure Virtual Desktop doesn't support SSO and Intune with VMs joined to Microsoft Entra Domain Services. -The following two sections will tell you how to create identities with AD DS and Azure AD DS. To follow [the security guidelines for cross-organizational apps](security.md), you'll need to repeat the process for each customer. +The following two sections will tell you how to create identities with AD DS and Microsoft Entra Domain Services. To follow [the security guidelines for cross-organizational apps](security.md), you'll need to repeat the process for each customer. ## Create users with Active Directory Domain Services -In this method, you'll set up hybrid identities using an Active Directory Domain Controller to manage user identities and sync them to Azure AD. +In this method, you'll set up hybrid identities using an Active Directory Domain Controller to manage user identities and sync them to Microsoft Entra ID. -This method involves setting up Active Directory Domain Controllers to manage the user identities and syncing the users to Azure AD to create hybrid identities. These identities can then be used to access hosted applications in Azure Virtual Desktop. In this configuration, users are synced from Active Directory to Azure AD and the session host VMs are joined to the AD DS domain. +This method involves setting up Active Directory Domain Controllers to manage the user identities and syncing the users to Microsoft Entra ID to create hybrid identities. These identities can then be used to access hosted applications in Azure Virtual Desktop. 
In this configuration, users are synced from Active Directory to Microsoft Entra ID and the session host VMs are joined to the AD DS domain. To set up an identity in AD DS: -1. [Create an Azure AD tenant](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) and a subscription for your customer. +1. [Create a Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) and a subscription for your customer. 2. [Install Active Directory Domain Services](/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-) on the Windows Server virtual machine (VM) you're using for the customer. -3. Install and configure [Azure AD Connect](../../active-directory/hybrid/how-to-connect-install-roadmap.md) on a separate domain-joined VM to sync the user accounts from Active Directory to Azure Active Directory. +3. Install and configure [Microsoft Entra Connect](../../active-directory/hybrid/how-to-connect-install-roadmap.md) on a separate domain-joined VM to sync the user accounts from Active Directory to Microsoft Entra ID. -4. If you plan to manage the VMs using Intune, enable [Hybrid Azure AD-joined devices](../../active-directory/devices/hybrid-join-plan.md) with Azure AD Connect. +4. If you plan to manage the VMs using Intune, enable [Microsoft Entra hybrid joined devices](../../active-directory/devices/hybrid-join-plan.md) with Microsoft Entra Connect. -5. Once you've configured the environment, [create new users](/previous-versions/windows/it-pro/windows-server-2003/cc755607(v=ws.10)) in the Active Directory. These users should automatically be synced with Azure AD. +5. Once you've configured the environment, [create new users](/previous-versions/windows/it-pro/windows-server-2003/cc755607(v=ws.10)) in the Active Directory. These users should automatically be synced with Microsoft Entra ID. 6. 
When deploying session hosts in your host pool, use the Active Directory domain name to join the VMs and ensure the session hosts have line-of-sight to the domain controller. -This configuration will give you more control over your environment, but its complexity can make it less easy to manage. However, this option lets you provide your users with Azure AD-based apps. It also lets you manage your users' VMs with Intune. +This configuration will give you more control over your environment, but its complexity can make it less easy to manage. However, this option lets you provide your users with Microsoft Entra ID-based apps. It also lets you manage your users' VMs with Intune. -## Create users with Azure Active Directory Domain Services +<a name='create-users-with-azure-active-directory-domain-services'></a> -Azure AD DS identities are stored in a Microsoft managed Active Directory platform as a service (PaaS) where Microsoft manages two AD domain controllers that lets users use AD DS within their Azure subscriptions. In this configuration, users are synced from Azure AD to Azure AD DS, and the session hosts are joined to the Azure AD DS domain. Azure AD DS identities are easier to manage, but don't offer as much control as regular AD DS identities. You can only join the Azure Virtual Desktop VMs to the Azure AD DS domain, and you can't manage them with Intune. +## Create users with Microsoft Entra Domain Services -To create an identity with Azure AD DS: +Microsoft Entra Domain Services identities are stored in a Microsoft managed Active Directory platform as a service (PaaS) where Microsoft manages two AD domain controllers that lets users use AD DS within their Azure subscriptions. In this configuration, users are synced from Microsoft Entra ID to Microsoft Entra Domain Services, and the session hosts are joined to the Microsoft Entra Domain Services domain. 
Microsoft Entra Domain Services identities are easier to manage, but don't offer as much control as regular AD DS identities. You can only join the Azure Virtual Desktop VMs to the Microsoft Entra Domain Services domain, and you can't manage them with Intune. -1. [Create an Azure AD tenant](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) and subscription for your customer. +To create an identity with Microsoft Entra Domain -2. [Deploy Azure AD Directory Services](../../active-directory-domain-services/tutorial-create-instance.md) in the userΓÇÖs subscription. +1. [Create a Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) and subscription for your customer. -3. Once you've finished configuring the environment, [create new users](../../active-directory/fundamentals/add-users-azure-active-directory.md) in Azure Active Directory. These user objects will automatically sync with Azure AD DS. +2. [Deploy Microsoft Entra Directory Services](../../active-directory-domain-services/tutorial-create-instance.md) in the userΓÇÖs subscription. -4. When deploying session hosts in a host pool, use the Azure AD DS domain name to join the VMs. +3. Once you've finished configuring the environment, [create new users](../../active-directory/fundamentals/add-users-azure-active-directory.md) in Microsoft Entra ID. These user objects will automatically sync with Microsoft Entra Domain Services. ++4. When deploying session hosts in a host pool, use the Microsoft Entra Domain Services domain name to join the VMs. ## Next steps |
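Review bot: the rewritten lead-in `+To create an identity with Microsoft Entra Domain` is cut off; the line it replaces reads `-To create an identity with Azure AD DS:`, so the new line should end with `Services:` to keep the full product name and the colon that introduces the numbered steps. In the same section, step 2 `+2. [Deploy Microsoft Entra Directory Services](../../active-directory-domain-services/tutorial-create-instance.md)` uses a name that matches neither the old `Azure AD DS` nor the `Microsoft Entra Domain Services` used in the new heading and in steps 3 and 4; use `Microsoft Entra Domain Services` there as well so the section names one product consistently.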
virtual-desktop | Licensing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/remote-app-streaming/licensing.md | Azure Virtual Desktop will issue at most one access charge for a given user in a Here's a summary of the two types of licenses for Azure Virtual Desktop you can choose from: - An eligible Windows or Microsoft 365 license:- - Grants Azure Virtual Desktop access rights for *internal users* only. It doesn't grant permission to external users, not even identities you create in your own Azure Active Directory tenant. + - Grants Azure Virtual Desktop access rights for *internal users* only. It doesn't grant permission to external users, not even identities you create in your own Microsoft Entra tenant. - Paid in advance through a subscription - Same cost per user each month regardless of user behavior - Includes entitlements to some other Microsoft products and services |
virtual-desktop | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/remote-app-streaming/overview.md | You can set up your deployment manually by following these tutorials: If you'd prefer an automatic process, you can use the getting started feature to set up your deployment for you. For more information, check out these articles: -- [Deploy Azure Virtual Desktop with the getting started feature](../getting-started-feature.md?toc=/azure/virtual-desktop/remote-app-streaming/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (When following these instructions, make sure to follow the instructions for existing Azure AD DS or AD DS. This method gives you better identity management and app compatibility while also giving you the power to fine-tune identity-related infrastructure costs. The method for subscriptions that don't already have Azure AD DS or AD DS doesn't give you these benefits.)+- [Deploy Azure Virtual Desktop with the getting started feature](../getting-started-feature.md?toc=/azure/virtual-desktop/remote-app-streaming/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) (When following these instructions, make sure to follow the instructions for existing Microsoft Entra Domain Services or AD DS. This method gives you better identity management and app compatibility while also giving you the power to fine-tune identity-related infrastructure costs. The method for subscriptions that don't already have Microsoft Entra Domain Services or AD DS doesn't give you these benefits.) 
- [Troubleshoot the getting started feature](../troubleshoot-getting-started.md?toc=/azure/virtual-desktop/remote-app-streaming/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) ## Customize and manage Azure Virtual Desktop Once you've set up Azure Virtual Desktop, you have lots of options to customize - [How to host custom apps with Azure Virtual Desktop](custom-apps.md) - [Enroll your subscription in per-user access pricing](per-user-access-pricing.md)-- [How to use Azure Active Directory](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md)+- [How to use Microsoft Entra ID](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) - [Using Windows 10 virtual machines with Intune](/mem/intune/fundamentals/windows-10-virtual-machines) - [How to deploy an app using MSIX app attach](msix-app-attach.md) - [Use Azure Virtual Desktop Insights to monitor your deployment](../insights.md?toc=/azure/virtual-desktop/remote-app-streaming/toc.json&bc=/azure/virtual-desktop/breadcrumb/toc.json) |
virtual-desktop | Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/remote-app-streaming/security.md | For more information about how to configure each of these areas, check out our [ You can protect workloads by using security features and controls from Microsoft 365, Azure, and Azure Virtual Desktop. -When the user connects to the service over the internet, Azure Active Directory (Azure AD) authenticates the user's credentials, enabling protective features like [multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) to help greatly reduce the risk of user identities being compromised. +When the user connects to the service over the internet, Microsoft Entra authenticates the user's credentials, enabling protective features like [multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) to help greatly reduce the risk of user identities being compromised. -Azure Virtual Desktop has features like [Reverse Connect](../network-connectivity.md#reverse-connect-transport) that allow users to access the session host without having to open inbound ports. This feature is designed with scalability and service in mind, so it shouldn't limit your ability to expand session hosts, either. You can also use existing GPOs with this feature to apply additional security with support for Active Directory-joined VMs or, for Windows 10 session hosts that might involve Azure Active Directory Join scenarios, [Microsoft Intune](/mem/intune/fundamentals/windows-virtual-desktop-multi-session). +Azure Virtual Desktop has features like [Reverse Connect](../network-connectivity.md#reverse-connect-transport) that allow users to access the session host without having to open inbound ports. This feature is designed with scalability and service in mind, so it shouldn't limit your ability to expand session hosts, either. 
You can also use existing GPOs with this feature to apply additional security with support for Active Directory-joined VMs or, for Windows 10 session hosts that might involve Microsoft Entra join scenarios, [Microsoft Intune](/mem/intune/fundamentals/windows-virtual-desktop-multi-session). ## Defense in depth You'll also need to make certain choices about security boundaries on a case-by- Users from the same organization, like knowledge workers with apps that don't require admin privileges, are great candidates for multi-session Remote Desktop session hosts like Windows 10 Enterprise multi-session. These session hosts reduce costs for your organization because multiple users can share a single VM, with only the overhead costs of a single OS. With profile technology like FSLogix, users can be assigned any VM in a host pool without noticing any service interruptions. This feature also lets you optimize costs by doing things like shutting down VMs during off-peak hours. -If your situation requires users from different organizations to connect to your deployment, we recommend you have a separate tenant for identity services like Active Directory and Azure AD. We also recommend you have a separate subscription for hosting Azure resources like Azure Virtual Desktop and VMs. +If your situation requires users from different organizations to connect to your deployment, we recommend you have a separate tenant for identity services like Active Directory and Microsoft Entra ID. We also recommend you have a separate subscription for hosting Azure resources like Azure Virtual Desktop and VMs. The following table lists our recommendations for each scenario. Let's take a look at our recommendations for some example scenarios. ### Should I share Identity resources to reduce costs? -We don't currently recommend using a shared identity system in Azure Virtual Desktop. We recommend that you have separate Identity resources that you deploy in a separate Azure subscription. 
These resources include Active Directories, Azure AD, and VM workloads. Every user working for an individual organization will need additional infrastructure and associated maintenance costs, but this is currently the most feasible solution for security purposes. +We don't currently recommend using a shared identity system in Azure Virtual Desktop. We recommend that you have separate Identity resources that you deploy in a separate Azure subscription. These resources include Active Directories, Microsoft Entra ID, and VM workloads. Every user working for an individual organization will need additional infrastructure and associated maintenance costs, but this is currently the most feasible solution for security purposes. ### Should I share a multi-session Remote Desktop (RD) session host VM to reduce costs? |
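Review bot: in `+When the user connects to the service over the internet, Microsoft Entra authenticates the user's credentials`, the bare `Microsoft Entra` is inconsistent with the rest of this patch, which names the service `Microsoft Entra ID` (for example `identity services like Active Directory and Microsoft Entra ID` and `These resources include Active Directories, Microsoft Entra ID`); since the sentence is about the directory service that authenticates credentials, `Microsoft Entra ID authenticates` keeps the naming uniform.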
virtual-desktop | Safe Url List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/safe-url-list.md | The following table lists optional URLs that your session host virtual machines > 1. Open **Event viewer**, then go to **Windows logs** > **Application** > **WVD-Agent** and look for event ID **3701**. > 1. Unblock the URLs that you find under event ID 3701. The URLs under event ID 3701 are region-specific. You'll need to repeat this process with the relevant URLs for each Azure region you want to deploy your session host virtual machines in. -This list doesn't include URLs for other services like Azure Active Directory or Office 365. Azure Active Directory URLs can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). +This list doesn't include URLs for other services like Microsoft Entra ID or Office 365. Microsoft Entra URLs can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). ### Service tags and FQDN tags A [virtual network service tag](../virtual-network/service-tags-overview.md) rep Azure Firewall supports Azure Virtual Desktop as a [FQDN tag](../firewall/fqdn-tags.md). For more information, see [Use Azure Firewall to protect Azure Virtual Desktop deployments](../firewall/protect-azure-virtual-desktop.md). -We recommend you use FQDN tags or service tags instead of URLs to prevent service issues. The listed URLs and tags only correspond to Azure Virtual Desktop sites and resources. They don't include URLs for other services like Azure Active Directory. For other services, see [Available service tags](../virtual-network/service-tags-overview.md#available-service-tags). +We recommend you use FQDN tags or service tags instead of URLs to prevent service issues. 
The listed URLs and tags only correspond to Azure Virtual Desktop sites and resources. They don't include URLs for other services like Microsoft Entra ID. For other services, see [Available service tags](../virtual-network/service-tags-overview.md#available-service-tags). Azure Virtual Desktop currently doesn't have a list of IP address ranges that you can unblock to allow network traffic. We only support unblocking specific URLs. If you're using a Next Generation Firewall (NGFW), you'll need to use a dynamic list specifically made for Azure IPs to make sure you can connect. Any [Remote Desktop clients](users/connect-windows.md?toc=/azure/virtual-desktop -These URLs only correspond to client sites and resources. This list doesn't include URLs for other services like Azure Active Directory or Office 365. Azure Active Directory URLs can be found under IDs 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). +These URLs only correspond to client sites and resources. This list doesn't include URLs for other services like Microsoft Entra ID or Office 365. Microsoft Entra URLs can be found under IDs 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). ## Next steps |
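Review bot: the first rewritten sentence keeps `Microsoft Entra URLs can be found under ID 56, 59 and 125` while the later hunk for the client URLs says `under IDs 56, 59 and 125`; since both lines are being touched in this change, make the first one `IDs` so the two paragraphs read the same way.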
virtual-desktop | Security Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/security-guide.md | Secure Score provides recommendations and best practice advice for improving you Azure Virtual Desktop has many built-in security controls. In this section, you'll learn about security controls you can use to keep your users and data safe. -### Require multi-factor authentication +<a name='require-multi-factor-authentication'></a> -Requiring multi-factor authentication for all users and admins in Azure Virtual Desktop improves the security of your entire deployment. To learn more, see [Enable Azure AD Multi-Factor Authentication for Azure Virtual Desktop](set-up-mfa.md). +### Require multifactor authentication ++Requiring multifactor authentication for all users and admins in Azure Virtual Desktop improves the security of your entire deployment. To learn more, see [Enable Microsoft Entra multifactor authentication for Azure Virtual Desktop](set-up-mfa.md). ### Enable Conditional Access Enabling [Conditional Access](../active-directory/conditional-access/overview.md Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop. 
Some examples of key audit logs are: - [Azure Activity Log](../azure-monitor/essentials/activity-log.md)-- [Azure Active Directory Activity Log](../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md)-- [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md)+- [Microsoft Entra Activity Log](../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md) +- [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) - [Session hosts](../azure-monitor/agents/agent-windows.md) - [Key Vault logs](../key-vault/general/logging.md) Software updates for the Remote Desktop clients you can use to access Azure Virt ## Next steps -- Learn how to [Set up multi-factor authentication](set-up-mfa.md).+- Learn how to [Set up multifactor authentication](set-up-mfa.md). - [Apply Zero Trust principles for an Azure Virtual Desktop deployment](/security/zero-trust/azure-infrastructure-avd). |
virtual-desktop | Service Principal Assign Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/service-principal-assign-roles.md | Here's how to assign a role to the Azure Virtual Desktop service principal using 1. Select the role you want to assign to the Azure Virtual Desktop service principal, then select **Next**. -1. Ensure **Assign access to** is set to **Azure AD user, group, or service principal**, then select **Select members**. +1. Ensure **Assign access to** is set to **Microsoft Entra user, group, or service principal**, then select **Select members**. 1. Enter the name of the enterprise application you made a note of earlier, either **Azure Virtual Desktop** or **Windows Virtual Desktop**. |
virtual-desktop | Set Up Golden Image | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/set-up-golden-image.md | There are other approaches to customizing your session hosts, such as using devi ## Create an image from an Azure VM When creating a new VM for your golden image, make sure to choose an OS that's in the list of [supported virtual machine OS images](prerequisites.md#operating-systems-and-licenses). We recommend using a Windows 10 or 11 multi-session (with or without Microsoft 365) or Windows Server image for pooled host pools. We recommend using Windows 10 or 11 Enterprise images for personal host pools. You can use either Generation 1 or Generation 2 VMs; Gen 2 VMs support features that aren't supported for Gen 1 machines. Learn more about Generation 1 and Generation 2 VMs at [Support for generation 2 VMs on Azure](../virtual-machines/generation-2.md). > [!IMPORTANT]-> The VM used for taking the image must be deployed without "Login with Azure AD" flag. During the deployment of Session Hosts in Azure Virtual Desktop, if you choose to add VMs to Azure Active Directory you are able to Login with AD Credentials too. +> The VM used for taking the image must be deployed without "Login with Microsoft Entra ID" flag. During the deployment of Session Hosts in Azure Virtual Desktop, if you choose to add VMs to Microsoft Entra ID you are able to Login with AD Credentials too. ### Take your first snapshot First, [create the base VM](../virtual-machines/windows/quick-create-portal.md) for your chosen image. After you've deployed the image, take a snapshot of the disk of your image VM. Snapshots are save states that will let you roll back any changes if you run into problems while building the image. Since you'll be taking many snapshots throughout the build process, make sure to give the snapshot a name you can easily identify. ### Customize your VM |
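Review bot: `+> The VM used for taking the image must be deployed without "Login with Microsoft Entra ID" flag.` renames a quoted portal option, not prose; a quoted UI label should only change if the deployment UI actually shows the new wording, otherwise readers will look for an option that does not exist, so confirm the current label before changing it (or keep the old text in quotes and explain the rename beside it). The same sentence still ends `you are able to Login with AD Credentials too`, so the note now mixes old and new naming; also `without "..." flag` reads better as `without the "..." flag`.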
virtual-desktop | Set Up Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/set-up-mfa.md | Title: Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access - Azure -description: How to enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access to help make it more secure. + Title: Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access - Azure +description: How to enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access to help make it more secure. Last updated 08/24/2022 -# Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access +# Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access > [!IMPORTANT] > If you're visiting this page from the Azure Virtual Desktop (classic) documentation, make sure to [return to the Azure Virtual Desktop (classic) documentation](./virtual-desktop-fall-2019/tenant-setup-azure-active-directory.md) once you're finished. -Users can sign into Azure Virtual Desktop from anywhere using different devices and clients. However, there are certain measures you should take to help keep yourself and your users safe. Using Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) with Azure Virtual Desktop prompts users during the sign-in process for another form of identification in addition to their username and password. You can enforce MFA for Azure Virtual Desktop using Conditional Access, and can also configure whether it applies to the web client, mobile apps, desktop clients, or all clients. +Users can sign into Azure Virtual Desktop from anywhere using different devices and clients. However, there are certain measures you should take to help keep yourself and your users safe. 
Using Microsoft Entra multifactor authentication (MFA) with Azure Virtual Desktop prompts users during the sign-in process for another form of identification in addition to their username and password. You can enforce MFA for Azure Virtual Desktop using Conditional Access, and can also configure whether it applies to the web client, mobile apps, desktop clients, or all clients. -How often a user is prompted to reauthenticate depends on [Azure AD session lifetime configuration settings](../active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md#azure-ad-session-lifetime-configuration-settings). For example, if their Windows client device is registered with Azure AD, it will receive a [Primary Refresh Token](../active-directory/devices/concept-primary-refresh-token.md) (PRT) to use for single sign-on (SSO) across applications. Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device. +How often a user is prompted to reauthenticate depends on [Microsoft Entra session lifetime configuration settings](../active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md#azure-ad-session-lifetime-configuration-settings). For example, if their Windows client device is registered with Microsoft Entra ID, it will receive a [Primary Refresh Token](../active-directory/devices/concept-primary-refresh-token.md) (PRT) to use for single sign-on (SSO) across applications. Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device. -While remembering credentials is convenient, it can also make deployments for Enterprise scenarios using personal devices less secure. To protect your users, you can make sure the client keeps asking for Azure AD Multi-Factor Authentication credentials more frequently. You can use Conditional Access to configure this behavior. 
+While remembering credentials is convenient, it can also make deployments for Enterprise scenarios using personal devices less secure. To protect your users, you can make sure the client keeps asking for Microsoft Entra multifactor authentication credentials more frequently. You can use Conditional Access to configure this behavior. Learn how to enforce MFA for Azure Virtual Desktop and optionally configure sign-in frequency below. Learn how to enforce MFA for Azure Virtual Desktop and optionally configure sign Here's what you'll need to get started: -- Assign users a license that includes [Azure Active Directory Premium P1 or P2](../active-directory/authentication/concept-mfa-licensing.md).-- An [Azure Active Directory group](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) with your Azure Virtual Desktop users assigned as group members.-- Enable Azure AD Multi-Factor Authentication for your users. For more information about how to do that, see [Enable Azure AD Multi-Factor Authentication](../active-directory/authentication/tutorial-enable-azure-mfa.md).+- Assign users a license that includes [Microsoft Entra ID P1 or P2](../active-directory/authentication/concept-mfa-licensing.md). +- An [Microsoft Entra group](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) with your Azure Virtual Desktop users assigned as group members. +- Enable Microsoft Entra multifactor authentication for your users. For more information about how to do that, see [Enable Microsoft Entra multifactor authentication](../active-directory/authentication/tutorial-enable-azure-mfa.md). ## Create a Conditional Access policy -Here's how to create a Conditional Access policy that requires multi-factor authentication when connecting to Azure Virtual Desktop: +Here's how to create a Conditional Access policy that requires multifactor authentication when connecting to Azure Virtual Desktop: 1. 
Sign in to the [Azure portal](https://portal.azure.com) as a global administrator, security administrator, or Conditional Access administrator.-1. In the search bar, type *Azure Active Directory* and select the matching service entry. +1. In the search bar, type *Microsoft Entra ID* and select the matching service entry. 1. Browse to **Security** > **Conditional Access**. 1. Select **New policy** > **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. Here's how to create a Conditional Access policy that requires multi-factor auth > If you're using Azure Virtual Desktop (classic) and if the Conditional Access policy blocks all access excluding Azure Virtual Desktop app IDs, you can fix this by also adding the **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) to the policy. Not adding this app ID will block feed discovery of Azure Virtual Desktop (classic) resources. > [!IMPORTANT]- > Don't select the app called Azure Virtual Desktop Azure Resource Manager Provider (app ID 50e95039-b200-4007-bc97-8d5790743a63). This app is only used for retrieving the user feed and shouldn't have multi-factor authentication. + > Don't select the app called Azure Virtual Desktop Azure Resource Manager Provider (app ID 50e95039-b200-4007-bc97-8d5790743a63). This app is only used for retrieving the user feed and shouldn't have multifactor authentication. 1. Once you've selected your app, select **Select**. Here's how to create a Conditional Access policy that requires multi-factor auth > ![A screenshot of the Conditional Access Client apps page. The user has selected the mobile apps and desktop clients, and browser check boxes.](media/conditional-access-client-apps.png) 1. Once you've selected the client apps this policy will apply to, select **Done**.-1. 
Under **Assignments**, select **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and then select **Select**. +1. Under **Assignments**, select **Access controls** > **Grant**, select **Grant access**, **Require multifactor authentication**, and then select **Select**. 1. At the bottom of the page, set **Enable policy** to **On** and select **Create**. > [!NOTE] > When you use the web client to sign in to Azure Virtual Desktop through your browser, the log will list the client app ID as a85cf173-4192-42f8-81fa-777a763e6e2c (Azure Virtual Desktop client). This is because the client app is internally linked to the server app ID where the conditional access policy was set. > [!TIP]-> Some users may see a prompt titled *Stay signed in to all your apps* if the Windows device they're using is not already registered with Azure AD. If they deselect **Allow my organization to manage my device** and select **No, sign in to this app only**, this may reappear frequently. +> Some users may see a prompt titled *Stay signed in to all your apps* if the Windows device they're using is not already registered with Microsoft Entra ID. If they deselect **Allow my organization to manage my device** and select **No, sign in to this app only**, this may reappear frequently. ## Configure sign-in frequency To optionally configure the time period before a user is asked to sign-in again: 1. Open the policy you created previously.-1. Under **Assignments**, select **Access controls** > **Session**. On the right, select **Sign-in frequency**. Set the value for the time period before a user is asked to sign-in again, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, will require multi-factor authentication if a connection is launched over an hour after the last one. +1. Under **Assignments**, select **Access controls** > **Session**. On the right, select **Sign-in frequency**. 
Set the value for the time period before a user is asked to sign-in again, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, will require multifactor authentication if a connection is launched over an hour after the last one. 1. At the bottom of the page, under **Enable policy** select **Save**. -## Azure AD joined session host VMs +<a name='azure-ad-joined-session-host-vms'></a> -For connections to succeed, you must [disable the legacy per-user multi-factor authentication sign-in method](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required). If you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll also need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#enforce-conditional-access-policies) from your Conditional Access policy. +## Microsoft Entra joined session host VMs ++For connections to succeed, you must [disable the legacy per-user multifactor authentication sign-in method](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required). If you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll also need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#enforce-conditional-access-policies) from your Conditional Access policy. ## Next steps |
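Review bot: in the prerequisites list, `+- An [Microsoft Entra group](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md)` keeps the article `An` from the removed `An [Azure Active Directory group]`; with the new name it should be `A [Microsoft Entra group]`.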
virtual-desktop | Set Up Scaling Script | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/set-up-scaling-script.md | First, you'll need an Azure Automation account to run the PowerShell runbook. Th ## Create a managed identity -Now that you have an Azure Automation account, you'll also need to set up a [managed identity](../automation/automation-security-overview.md#managed-identities) if you haven't already. Managed identities will help your runbook access other Azure AD-related resources as well as authenticate important automation processes. +Now that you have an Azure Automation account, you'll also need to set up a [managed identity](../automation/automation-security-overview.md#managed-identities) if you haven't already. Managed identities will help your runbook access other Microsoft Entra related resources as well as authenticate important automation processes. To set up a managed identity, follow the directions in [Using a system-assigned managed identity for an Azure Automation account](../automation/enable-managed-identity-for-automation.md). Once you're done, return to this article and [Create the Azure Logic App and execution schedule](#create-the-azure-logic-app-and-execution-schedule) to finish the initial setup process. |
virtual-desktop | Store Fslogix Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/store-fslogix-profile.md | The following tables compare the storage solutions Azure Storage offers for Azur |Access|Cloud, on-premises and hybrid (Azure file sync)|Cloud, on-premises|Cloud, on-premises| |Backup|Azure backup snapshot integration|Azure NetApp Files snapshots<br>Azure NetApp Files backup|Azure backup snapshot integration| |Security and compliance|[All Azure supported certificates](https://www.microsoft.com/trustcenter/compliance/complianceofferings)|[Azure supported certificates](https://www.microsoft.com/trustcenter/compliance/complianceofferings)|[All Azure supported certificates](https://www.microsoft.com/trustcenter/compliance/complianceofferings)|-|Azure Active Directory integration|[Native Active Directory and Azure Active Directory Domain Services](../storage/files/storage-files-active-directory-overview.md)|[Azure Active Directory Domain Services and Native Active Directory](../azure-netapp-files/faq-smb.md#does-azure-netapp-files-support-azure-active-directory)|Native Active Directory or Azure Active Directory Domain Services support only| +|Microsoft Entra integration|[Native Active Directory and Microsoft Entra Domain Services](../storage/files/storage-files-active-directory-overview.md)|[Microsoft Entra Domain Services and Native Active Directory](../azure-netapp-files/faq-smb.md#does-azure-netapp-files-support-azure-active-directory)|Native Active Directory or Microsoft Entra Domain Services support only| Once you've chosen your storage method, check out [Azure Virtual Desktop pricing](https://azure.microsoft.com/pricing/details/virtual-desktop/) for information about our pricing plans. |
virtual-desktop | Troubleshoot Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-authorization.md | -This article describes common issues related to Azure Files authentication with an Active Directory Domain Services (AD DS) domain or Azure Active Directory Domain Services (Azure AD DS) managed domain, and suggestions for how to fix them. +This article describes common issues related to Azure Files authentication with an Active Directory Domain Services (AD DS) domain or Microsoft Entra Domain Services managed domain, and suggestions for how to fix them. ## My group membership isn't working Here are the most common reasons users may come across issues: DC=storageAccounts,DC=wvdcontoso,DC=com ``` -- If the storage account doesn't instantly appear in your Azure AD, don't worry. It usually takes 30 minutes for a new storage account to sync with Azure AD, so be patient. If the sync doesn't happen after 30 minutes, see [the next section](#my-ad-ds-group-wont-sync-to-azure-ad).+- If the storage account doesn't instantly appear in your Microsoft Entra ID, don't worry. It usually takes 30 minutes for a new storage account to sync with Microsoft Entra ID, so be patient. If the sync doesn't happen after 30 minutes, see [the next section](#my-ad-ds-group-wont-sync-to-azure-ad). -## My AD DS group won't sync to Azure AD +<a name='my-ad-ds-group-wont-sync-to-azure-ad'></a> -If your storage account doesn't automatically sync with Azure AD after 30 minutes, you'll need to force the sync by using [this script](https://github.com/stgeorgi/msixappattach/blob/master/force%20AD%20DS%20to%20Azure%20AD%20sync/force%20sync.ps1). +## My AD DS group won't sync to Microsoft Entra ID ++If your storage account doesn't automatically sync with Microsoft Entra ID after 30 minutes, you'll need to force the sync by using [this script](https://github.com/stgeorgi/msixappattach/blob/master/force%20AD%20DS%20to%20Azure%20AD%20sync/force%20sync.ps1). ## My storage account says it needs additional permissions If your storage account needs additional permissions, you may not have assigned ## Next steps -If you need to refresh your memory about the Azure Files setup process, see [Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services](fslogix-profile-container-configure-azure-files-active-directory.md). +If you need to refresh your memory about the Azure Files setup process, see [Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Microsoft Entra Domain Services](fslogix-profile-container-configure-azure-files-active-directory.md). |
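Review bot: the forced-sync step in the renamed "My AD DS group won't sync to Microsoft Entra ID" section still points administrators at a PowerShell script in a personal GitHub repository on a moving branch (`https://github.com/stgeorgi/msixappattach/blob/master/...`), so the content readers are told to run can change at any time without this article changing. Since the script is run with directory-sync rights, consider pinning the link to a specific commit or hosting the script under a Microsoft-owned repository, and add a sentence asking readers to review the script before running it.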
virtual-desktop | Troubleshoot Azure Ad Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-azure-ad-connections.md | Title: Troubleshoot connections to Azure AD-joined VMs - Azure Virtual Desktop -description: How to resolve issues when connecting to Azure AD-joined VMs in Azure Virtual Desktop. + Title: Troubleshoot connections to Microsoft Entra joined VMs - Azure Virtual Desktop +description: How to resolve issues when connecting to Microsoft Entra joined VMs in Azure Virtual Desktop. Last updated 08/24/2022 -# Troubleshoot connections to Azure AD-joined VMs +# Troubleshoot connections to Microsoft Entra joined VMs >[!IMPORTANT] >This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects. -Use this article to resolve issues with connections to Azure Active Directory (Azure AD)-joined session host VMs in Azure Virtual Desktop. +Use this article to resolve issues with connections to Microsoft Entra joined session host VMs in Azure Virtual Desktop. ## All clients |
virtual-desktop | Troubleshoot Client Macos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-client-macos.md | In this section you'll find troubleshooting guidance for authentication and iden ### Account switch detected -If you see the error **Account switch detected**, you need to refresh the Azure AD token. To refresh the Azure AD token, do the following: +If you see the error **Account switch detected**, you need to refresh the Microsoft Entra token. To refresh the Microsoft Entra token, do the following: 1. Delete any workspaces from the Remote Desktop client. For more information, see [Edit, refresh, or delete a workspace](users/client-features-macos.md#edit-refresh-or-delete-a-workspace). Using multiple monitors in certain topologies can cause issues such as blank scr ## Issue isn't listed here -If your issue isn't listed here, see [Troubleshooting overview, feedback, and support for Azure Virtual Desktop](troubleshoot-set-up-overview.md) for information about how to open an Azure support case for Azure Virtual Desktop. +If your issue isn't listed here, see [Troubleshooting overview, feedback, and support for Azure Virtual Desktop](troubleshoot-set-up-overview.md) for information about how to open an Azure support case for Azure Virtual Desktop. |
virtual-desktop | Troubleshoot Device Redirections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-device-redirections.md | If WebAuthn requests from the session aren't redirected to the local PC, check t - Are you using supported operating systems for [in-session passwordless authentication](authentication.md#in-session-passwordless-authentication-preview) on both the local PC and session host? - Have you enabled WebAuthn redirection as a [device redirection](configure-device-redirections.md#webauthn-redirection)? -If you've answered "yes" to both of the earlier questions but still don't see the option to use Windows Hello for Business or security keys when accessing Azure AD resources, make sure you've enabled the FIDO2 security key method for the user account in Azure AD. To enable this method, follow the directions in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method). +If you've answered "yes" to both of the earlier questions but still don't see the option to use Windows Hello for Business or security keys when accessing Microsoft Entra resources, make sure you've enabled the FIDO2 security key method for the user account in Microsoft Entra ID. To enable this method, follow the directions in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method). -If a user signs in to the session host with a single-factor credential like username and password, then tries to access an Azure AD resource that requires MFA, they may not be able to use Windows Hello for Business. The user should follow these instructions to authenticate properly: +If a user signs in to the session host with a single-factor credential like username and password, then tries to access a Microsoft Entra resource that requires MFA, they may not be able to use Windows Hello for Business. The user should follow these instructions to authenticate properly: 1. If the user isn't prompted for a user account, they should first sign out. 1. On the **account selection** page, select **Use another account**. |
virtual-desktop | Troubleshoot Getting Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-getting-started.md | -The Azure Virtual Desktop getting started feature uses nested templates to deploy Azure resources for validation and automation in Azure Virtual Desktop. The getting started feature creates either two or three resource groups based on whether the subscription it's running on has existing Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS) or not. All resource groups start with the same user-defined prefix. +The Azure Virtual Desktop getting started feature uses nested templates to deploy Azure resources for validation and automation in Azure Virtual Desktop. The getting started feature creates either two or three resource groups based on whether the subscription it's running on has existing Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services or not. All resource groups start with the same user-defined prefix. When you run the nested templates, they create three resource groups and a template that provisions Azure Resource Manager resources. The following lists show each resource group and the templates they run. The resource group that ends in "-prerequisite" runs these templates: - easy-button-prerequisite-resources-linked-template >[!NOTE]->This resource group is optional, and will only appear if your subscription doesn't have Azure AD DS or AD DS. +>This resource group is optional, and will only appear if your subscription doesn't have Microsoft Entra Domain Services or AD DS. ## No subscriptions To resolve this issue, either try a new word or add letters to the blocked word This error message appears when entering a password that is either too long or too short to meet the character length requirement. Azure password length and complexity requirements even apply to fields that you later use in Windows, which has less strict requirements. -To resolve this issue, make sure you use an account that follows [Microsoft's password guidelines](https://www.microsoft.com/research/publication/password-guidance) or uses [Azure AD Password Protection](../active-directory/authentication/concept-password-ban-bad.md). +To resolve this issue, make sure you use an account that follows [Microsoft's password guidelines](https://www.microsoft.com/research/publication/password-guidance) or uses [Microsoft Entra Password Protection](../active-directory/authentication/concept-password-ban-bad.md). ## Error messages for easy-button-prerequisite-user-setup-linked-template This error happens when the Azure admin UPN you entered isn't correct. To resolv ## Multiple VMExtensions per handler not supported -When you run the getting started feature on a subscription that has Azure AD DS or AD DS, then the feature will use a Microsoft.Powershell.DSC extension to create validation users and configure FSLogix. However, Windows VMs in Azure can't run more than one of the same type of extension at the same time. +When you run the getting started feature on a subscription that has Microsoft Entra Domain Services or AD DS, then the feature will use a Microsoft.Powershell.DSC extension to create validation users and configure FSLogix. However, Windows VMs in Azure can't run more than one of the same type of extension at the same time. If you try to run multiple versions of Microsoft.Powershell.DSC, you'll get an error message that looks like this: To resolve this issue, before you run the getting started feature, make sure to ## Failure in easy-button-prerequisitecompletion-job-linked-template -The user group for the validation users is located in the "USERS" container. However, the user group must be synced to Azure AD in order to work properly. If it isn't, you'll get an error message that looks like this: +The user group for the validation users is located in the "USERS" container. However, the user group must be synced to Microsoft Entra ID in order to work properly. If it isn't, you'll get an error message that looks like this: ```azure { To make sure the issue is caused by the validation user group not syncing, open To resolve this issue: -1. Enable syncing with Azure AD for the "USERS" container. +1. Enable syncing with Microsoft Entra ID for the "USERS" container. 2. Create the AVDValidationUsers group in an organization unit that's syncing with Azure. |
virtual-desktop | Troubleshoot Management Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-management-issues.md | The following table lists error messages that appear due to management-related i |Failed to change session host drain mode |Couldn't change drain mode on the VM. Check the VM status. If the VM isn't available, you can't change drain mode.| |Failed to disconnect user sessions |Couldn't disconnect the user from the VM. Check the VM status. If the VM isn't available, you can't disconnect the user session. If the VM is available, check the user session status to see if it's disconnected. | |Failed to log off all user(s) within the session host |Could not sign users out of the VM. Check the VM status. If unavailable, users can't be signed out. Check user session status to see if they're already signed out. You can force sign out with PowerShell. |-|Failed to unassign user from application group|Could not unpublish an application group for a user. Check to see if user is available on Azure AD. Check to see if the user is part of a user group that the application group is published to. | +|Failed to unassign user from application group|Could not unpublish an application group for a user. Check to see if user is available on Microsoft Entra ID. Check to see if the user is part of a user group that the application group is published to. | |There was an error retrieving the available locations |Check location of VM used in the create host pool wizard. If image is not available in that location, add image in that location or choose a different VM location. | ## Error: Can't add user assignments to an application group |
virtual-desktop | Troubleshoot Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-powershell.md | This section lists PowerShell commands that are typically used while setting up New-AzRoleAssignment -SignInName "admins@contoso.com" -RoleDefinitionName "Desktop Virtualization User" -ResourceName "0301HP-DAG" -ResourceGroupName 0301RG -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' ``` -**Cause:** The user specified by the *-SignInName* parameter can't be found in the Azure Active Directory tied to the Azure Virtual Desktop environment. +**Cause:** The user specified by the *-SignInName* parameter can't be found in the Microsoft Entra tied to the Azure Virtual Desktop environment. **Fix:** Make sure of the following things. -- The user should be synced to Azure Active Directory.+- The user should be synced to Microsoft Entra ID. - The user shouldn't be tied to business-to-consumer (B2C) or business-to-business (B2B) commerce.-- The Azure Virtual Desktop environment should be tied to correct Azure Active Directory.+- The Azure Virtual Desktop environment should be tied to correct Microsoft Entra ID. ### Error: New-AzRoleAssignment: "The client with object id does not have authorization to perform action over scope (code: AuthorizationFailed)" New-AzRoleAssignment -SignInName "admins@contoso.com" -RoleDefinitionName "Deskt **Fix 1:** A user with Owner permissions needs to execute the role assignment. Alternatively, the user needs to be assigned to the User Access Administrator role to assign a user to an application group. -**Cause 2:** The account being used has Owner permissions but isn't part of the environment's Azure Active Directory or doesn't have permissions to query the Azure Active Directory where the user is located. +**Cause 2:** The account being used has Owner permissions but isn't part of the environment's Microsoft Entra ID or doesn't have permissions to query the Microsoft Entra ID where the user is located. **Fix 2:** A user with Active Directory permissions needs to execute the role assignment. |
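Review bot: the rewritten Cause line now reads "can't be found in the Microsoft Entra tied to the Azure Virtual Desktop environment", which drops the noun the rename replaced; "the Microsoft Entra tenant tied to" keeps the sentence grammatical and matches the original meaning. The Fix list has the same problem in "tied to correct Microsoft Entra ID", which should read "tied to the correct Microsoft Entra tenant".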
virtual-desktop | Troubleshoot Service Connection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-service-connection.md | A user can start Remote Desktop clients and is able to authenticate, however the 3. If the web client is being used, confirm that there are no cached credentials issues. -4. If the user is part of an Azure Active Directory user group, make sure the user group is a security group instead of a distribution group. Azure Virtual Desktop doesn't support Azure AD distribution groups. +4. If the user is part of a Microsoft Entra user group, make sure the user group is a security group instead of a distribution group. Azure Virtual Desktop doesn't support Microsoft Entra distribution groups. ## User loses existing feed and no remote resource is displayed (no feed) -This error usually appears after a user moved their subscription from one Azure Active Directory tenant to another. As a result, the service loses track of their user assignments, since those are still tied to the old Azure Active Directory tenant. +This error usually appears after a user moved their subscription from one Microsoft Entra tenant to another. As a result, the service loses track of their user assignments, since those are still tied to the old Microsoft Entra tenant. To resolve this, all you need to do is reassign the users to their application groups. |
virtual-desktop | Troubleshoot Set Up Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-set-up-issues.md | If your operation goes over the quota limit, you can do one of the following thi ### Error: Can't see user assignments in application groups. -**Cause**: This error usually happens after you've moved the subscription from one Azure Active Directory tenant to another. If your old assignments are still tied to the previous Azure Active Directory tenant, the Azure portal will lose track of them. +**Cause**: This error usually happens after you've moved the subscription from one Microsoft Entra tenant to another. If your old assignments are still tied to the previous Microsoft Entra tenant, the Azure portal will lose track of them. **Fix**: You'll need to reassign users to application groups. |
virtual-desktop | Troubleshoot Vm Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/troubleshoot-vm-configuration.md | Follow these instructions if you're having issues joining virtual machines (VMs) **Fix 1:** Create VNET peering between the VNET where VMs were provisioned and the VNET where the domain controller (DC) is running. See [Create a virtual network peering - Resource Manager, different subscriptions](../virtual-network/create-peering-different-subscriptions.md). -**Cause 2:** When using Azure Active Directory Domain Services (Azure AD DS), the virtual network doesn't have its DNS server settings updated to point to the managed domain controllers. +**Cause 2:** When using Microsoft Entra Domain Services, the virtual network doesn't have its DNS server settings updated to point to the managed domain controllers. -**Fix 2:** To update the DNS settings for the virtual network containing Azure AD DS, see [Update DNS settings for the Azure virtual network](../active-directory-domain-services/tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network). +**Fix 2:** To update the DNS settings for the virtual network containing Microsoft Entra Domain Services, see [Update DNS settings for the Azure virtual network](../active-directory-domain-services/tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network). **Cause 3:** The network interface's DNS server settings don't point to the appropriate DNS server on the virtual network. |
virtual-desktop | Tutorial Create Connect Personal Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/tutorial-create-connect-personal-desktop.md | You will deploy a sample infrastructure by: > [!div class="checklist"] > * Creating a personal host pool.-> * Creating a session host virtual machine (VM) joined to your Azure Active Directory tenant with Windows 11 Enterprise and add it to the host pool. +> * Creating a session host virtual machine (VM) joined to your Microsoft Entra tenant with Windows 11 Enterprise and add it to the host pool. > * Creating a workspace and an application group that publishes a desktop to the session host VM. > * Assigning users to the application group. > * Connecting to the desktop. You'll need: - A [virtual network](../virtual-network/quick-create-portal.md) in the same Azure region you want to deploy your session hosts to. -- A user account in Azure Active Directory you can use for connecting to the desktop. This account must be assigned the *Virtual Machine User Login* or *Virtual Machine Administrator Login* RBAC role on the subscription. Alternatively you can assign the role to the account on the session host VM or the resource group containing the VM after deployment.+- A user account in Microsoft Entra ID you can use for connecting to the desktop. This account must be assigned the *Virtual Machine User Login* or *Virtual Machine Administrator Login* RBAC role on the subscription. Alternatively you can assign the role to the account on the session host VM or the resource group containing the VM after deployment. - A Remote Desktop client installed on your device to connect to the desktop. You can find a list of supported clients in [Remote Desktop clients for Azure Virtual Desktop](users/remote-desktop-clients-overview.md). Alternatively you can use the [Remote Desktop Web client](users/connect-web.md), which you can use through a supported web browser without installing any extra software. To create a personal host pool, workspace, application group, and session host V | **Project details** | | | Subscription | Select the subscription you want to deploy your host pool, session hosts, workspace, and application group in from the drop-down list. | | Resource group | Select an existing resource group or select **Create new** and enter a name. |- | Host pool name | Enter a name for the host pool, for example *aad-hp01*. | + | Host pool name | Enter a name for the host pool, for example *me-id-hp01*. | | Location | Select the Azure region from the list where the host pool, workspace, and application group will be deployed. | | Validation environment | Select **No**. This setting enables your host pool to receive service updates before all other production host pools, but isn't needed for this tutorial.| | Preferred app group type | Select **Desktop**. With this personal host pool, you'll publish a desktop, but you won't also be able to add a RemoteApp application group to publish applications separately. See [Next steps](#next-steps) for more advanced scenarios. | To create a personal host pool, workspace, application group, and session host V |--|--| | Add Azure virtual machines | Select **Yes**. This shows several new options. | | Resource group | This automatically defaults to the resource group you chose your host pool to be in on the *Basics* tab. |- | Name prefix | Enter a name for your session hosts, for example **aad-hp01-sh**.<br /><br />This will be used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example **aad-hp01-sh-0**.<br /><br />This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. | + | Name prefix | Enter a name for your session hosts, for example **me-id-hp01-sh**.<br /><br />This will be used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example **me-id-hp01-sh-0**.<br /><br />This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. | | Virtual machine location | Select the Azure region where your session host VMs will be deployed. This must be the same region that your virtual network is in. | | Availability options | Select **No infrastructure dependency required**. This means that your session host VMs won't be deployed in an availability set or in availability zones. | | Security type | Select **Trusted launch virtual machines**. Leave the subsequent defaults of **Enable secure boot** and **Enable vTPM** checked, and **Integrity monitoring** unchecked. For more information, see [Trusted launch](security-guide.md#trusted-launch). | To create a personal host pool, workspace, application group, and session host V | Network security group | Select **Basic**. | | Public inbound ports | Select **No** as you don't need to open inbound ports to connect to Azure Virtual Desktop. Learn more at [Understanding Azure Virtual Desktop network connectivity](network-connectivity.md). | | **Domain to join** | |- | Select which directory you would like to join | Select **Azure Active Directory**. | + | Select which directory you would like to join | Select **Microsoft Entra ID**. | | Enroll VM with Intune | Select **No.** | | **Virtual Machine Administrator account** | | | Username | Enter a name to use as the local administrator account for these session host VMs. | To create a personal host pool, workspace, application group, and session host V | Parameter | Value/Description | |--|--| | Register desktop app group | Select **Yes**. This registers the default desktop application group to the selected workspace. |- | To this workspace | Select **Create new** and enter a name, for example **aad-ws01**. | + | To this workspace | Select **Create new** and enter a name, for example **me-id-ws01**. | Once you've completed this tab, select **Next: Review + create**. You don't need to complete the other tabs. Once your host pool, workspace, application group, and session host VM(s) have b 1. From the host pool overview, select **Application groups**. -1. Select the application group from the list, for example **aad-hp01-DAG**. +1. Select the application group from the list, for example **me-id-hp01-DAG**. 1. From the application group overview, select **Assignments**. Once your host pool, workspace, application group, and session host VM(s) have b ## Enable connections from Remote Desktop clients > [!TIP]-> This section is optional if you're going to use a Windows device to connect to Azure Virtual Desktop that is joined to the same Azure AD tenant as your session host VMs and you're using the [Remote Desktop client for Windows](users/connect-windows.md?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json). +> This section is optional if you're going to use a Windows device to connect to Azure Virtual Desktop that is joined to the same Microsoft Entra tenant as your session host VMs and you're using the [Remote Desktop client for Windows](users/connect-windows.md?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json). To enable connections from all of the Remote Desktop clients, you'll need to add an RDP property to your host pool configuration. Now that you've created and connected to a Windows 11 desktop with Azure Virtual - [Understand network connectivity](network-connectivity.md). - Learn about [supported identities and authentication methods](authentication.md) - [Set up email discovery to subscribe to Azure Virtual Desktop](/windows-server/remote/remote-desktop-services/rds-email-discovery?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json).-- [Configure single sign-on for Azure Virtual Desktop using Azure AD Authentication](configure-single-sign-on.md).+- [Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication](configure-single-sign-on.md). - Learn about [session host virtual machine sizing guidelines](/windows-server/remote/remote-desktop-services/virtual-machine-recs?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json). - [Use Microsoft Teams on Azure Virtual Desktop](teams-on-avd.md). - [Monitor your deployment with Azure Virtual Desktop Insights](azure-monitor.md). |
virtual-desktop | Connect Web | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/users/connect-web.md | When you sign in to the Remote Desktop Web client, you'll see your workspaces. A 1. A prompt for **Access local resources** may be displayed asking you confirm which local resources you want to be available in the remote session. Make your selection, then select **Allow**. >[!TIP]->If you've already signed in to the web browser with a different Azure Active Directory account than the one you want to use for Azure Virtual Desktop, you should either sign out or use a private browser window. +>If you've already signed in to the web browser with a different Microsoft Entra account than the one you want to use for Azure Virtual Desktop, you should either sign out or use a private browser window. ## Preview features |
virtual-desktop | Connect Web 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/connect-web-2019.md | In a browser, navigate to the Azure Virtual Desktop web client at <https://clien >If you're using Azure Virtual Desktop with Azure Resource Manager integration, connect to your resources at <https://client.wvd.microsoft.com/arm/webclient/https://docsupdatetracker.net/index.html> instead. >[!NOTE]->If you've already signed in with a different Azure Active Directory account than the one you want to use for Azure Virtual Desktop, you should either sign out or use a private browser window. +>If you've already signed in with a different Microsoft Entra account than the one you want to use for Azure Virtual Desktop, you should either sign out or use a private browser window. After signing in, you should now see a list of resources. You can launch resources by selecting them like you would a normal app in the **All Resources** tab. |
virtual-desktop | Create Host Pools Arm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/create-host-pools-arm-template.md | After that, add users to the desktop application group with this cmdlet: Add-RdsAppGroupUser <tenantname> <hostpoolname> "Desktop Application Group" -UserPrincipalName <userupn> ``` -The user's UPN should match the user's identity in Azure Active Directory (for example, user1@contoso.com). If you want to add multiple users, you must run this cmdlet for each user. +The user's UPN should match the user's identity in Microsoft Entra ID (for example, user1@contoso.com). If you want to add multiple users, you must run this cmdlet for each user. After you've completed these steps, users added to the desktop application group can sign in to Azure Virtual Desktop with supported Remote Desktop clients and see a resource for a session desktop. |
virtual-desktop | Create Host Pools Azure Marketplace 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/create-host-pools-azure-marketplace-2019.md | Here's what you do for the **Basics** tab: 1. For **Service metadata location**, select the same location as the virtual network that has connectivity to the Active Directory server. >[!IMPORTANT]- >If you're using a pure Azure Active Directory Domain Services (Azure AD DS) and Azure Active Directory (Azure AD) solution, make sure to deploy your host pool in the same region as your Azure AD DS to avoid domain-join and credential errors. + >If you're using a pure Microsoft Entra Domain Services and Microsoft Entra solution, make sure to deploy your host pool in the same region as your Microsoft Entra Domain Services to avoid domain-join and credential errors. 1. Select **Next: Configure virtual machines**. For the **Virtual machine settings** tab: 1. Enter the user principal name and password. This account must be the domain account that will join the virtual machines to the Active Directory domain. This same username and password will be created on the virtual machines as a local account. You can reset these local accounts later. >[!NOTE]- > If you're joining your virtual machines to an Azure AD DS environment, ensure that your domain join user is a member of the [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group). + > If you're joining your virtual machines to a Microsoft Entra Domain Services environment, ensure that your domain join user is a member of the [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group). >- > The account must also be part of the Azure AD DS managed domain or Azure AD tenant. 
Accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process. + > The account must also be part of the Microsoft Entra Domain Services managed domain or Microsoft Entra tenant. Accounts from external directories associated with your Microsoft Entra tenant can't correctly authenticate during the domain-join process. 1. Select the **Virtual network** that has connectivity to the Active Directory server, and then choose a subnet to host the virtual machines. 1. Select **Next: Azure Virtual Desktop information**. For the **Azure Virtual Desktop tenant information** tab: If you completed the [Create service principals and role assignments with PowerShell tutorial](create-service-principal-role-powershell.md), select **Service principal**. -1. For **Service principal**, for **Azure AD tenant ID**, enter the tenant admin account for the Azure AD instance that contains the service principal. Only service principals with a password credential are supported. +1. For **Service principal**, for **Microsoft Entra tenant ID**, enter the tenant admin account for the Microsoft Entra instance that contains the service principal. Only service principals with a password credential are supported. 1. Select **Next: Review + create**. ## Complete setup and create the virtual machine To assign users to the desktop application group: Add-RdsAppGroupUser <tenantname> <hostpoolname> "Desktop Application Group" -UserPrincipalName <userupn> ``` - The user's UPN should match the user's identity in Azure AD, for example, *user1@contoso.com*. If you want to add multiple users, run the command for each user. + The user's UPN should match the user's identity in Microsoft Entra ID, for example, *user1@contoso.com*. If you want to add multiple users, run the command for each user. 
Users you add to the desktop application group can sign in to Azure Virtual Desktop with supported Remote Desktop clients and see a resource for a session desktop. |
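Review bot: the step for the **Microsoft Entra tenant ID** field still tells the reader to "enter the tenant admin account for the Microsoft Entra instance that contains the service principal", so the label asks for an ID while the instruction asks for an account; since the line is being touched anyway, make it say what to enter (the tenant ID of the directory that holds the service principal) and keep the "only service principals with a password credential are supported" caveat.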
virtual-desktop | Create Host Pools Powershell 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/create-host-pools-powershell-2019.md | Run the next cmdlet to create a registration token to authorize a session host t New-RdsRegistrationInfo -TenantName <tenantname> -HostPoolName <hostpoolname> -ExpirationHours <number of hours> | Select-Object -ExpandProperty Token | Out-File -FilePath <PathToRegFile> ``` -After that, run this cmdlet to add Azure Active Directory users to the default desktop application group for the host pool. +After that, run this cmdlet to add Microsoft Entra users to the default desktop application group for the host pool. ```powershell Add-RdsAppGroupUser -TenantName <tenantname> -HostPoolName <hostpoolname> -AppGroupName "Desktop Application Group" -UserPrincipalName <userupn> After you've created your session host virtual machines, [apply a Windows licens You need to do the following things to prepare your virtual machines before you can install the Azure Virtual Desktop agents and register the virtual machines to your Azure Virtual Desktop host pool: -- You must domain-join the machine. This allows incoming Azure Virtual Desktop users to be mapped from their Azure Active Directory account to their Active Directory account and be successfully allowed access to the virtual machine.+- You must domain-join the machine. This allows incoming Azure Virtual Desktop users to be mapped from their Microsoft Entra account to their Active Directory account and be successfully allowed access to the virtual machine. - You must install the Remote Desktop Session Host (RDSH) role if the virtual machine is running a Windows Server OS. The RDSH role allows the Azure Virtual Desktop agents to install properly. To successfully domain-join, do the following things on each virtual machine: To successfully domain-join, do the following things on each virtual machine: 5. 
Authenticate with a domain account that has privileges to domain-join machines. >[!NOTE]- > If you're joining your VMs to an Azure Active Directory Domain Services (Azure AD DS) environment, ensure that your domain join user is also a member of the [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group). + > If you're joining your VMs to a Microsoft Entra Domain Services environment, ensure that your domain join user is also a member of the [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-instance-advanced.md#configure-an-administrative-group). ## Register the virtual machines to the Azure Virtual Desktop host pool |
virtual-desktop | Create Service Principal Role Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/create-service-principal-role-powershell.md | -Service principals are identities that you can create in Azure Active Directory to assign roles and permissions for a specific purpose. In Azure Virtual Desktop, you can create a service principal to: +Service principals are identities that you can create in Microsoft Entra ID to assign roles and permissions for a specific purpose. In Azure Virtual Desktop, you can create a service principal to: - Automate specific Azure Virtual Desktop management tasks. - Use as credentials in place of MFA-required users when running any Azure Resource Manager template for Azure Virtual Desktop. Service principals are identities that you can create in Azure Active Directory In this tutorial, learn how to: > [!div class="checklist"]-> * Create a service principal in Azure Active Directory. +> * Create a service principal in Microsoft Entra ID. > * Create a role assignment in Azure Virtual Desktop. > * Sign in to Azure Virtual Desktop by using the service principal. Before you can create service principals and role assignments, you need to do th > [!IMPORTANT] > Follow all instructions in this article in the same PowerShell session. The process might not work if you interrupt your PowerShell session by closing the window and reopening it later. -## Create a service principal in Azure Active Directory +<a name='create-a-service-principal-in-azure-active-directory'></a> ++## Create a service principal in Microsoft Entra ID After you've fulfilled the prerequisites in your PowerShell session, run the following PowerShell cmdlets to create a multitenant service principal in Azure. |
virtual-desktop | Delegated Access Virtual Desktop 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/delegated-access-virtual-desktop-2019.md | You can run the following cmdlets to create, view, and remove role assignments: You can modify the basic three cmdlets with the following parameters: -* **AadTenantId**: specifies the Azure Active Directory tenant ID from which the service principal is a member. +* **AadTenantId**: specifies the Microsoft Entra tenant ID from which the service principal is a member. * **AppGroupName**: name of the Remote Desktop application group. * **Diagnostics**: indicates the diagnostics scope. (Must be paired with either the **Infrastructure** or **Tenant** parameters.) * **HostPoolName**: name of the Remote Desktop host pool. * **Infrastructure**: indicates the infrastructure scope. * **RoleDefinitionName**: name of the Remote Desktop Services role-based access control role assigned to the user, group, or app. (For example, Remote Desktop Services Owner, Remote Desktop Services Reader, and so on.)-* **ServerPrincipleName**: name of the Azure Active Directory application. +* **ServerPrincipleName**: name of the Microsoft Entra application. * **SignInName**: the user's email address or user principal name. * **TenantName**: name of the Remote Desktop tenant. |
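Review bot: `ServerPrincipleName` in the parameter list looks like a misspelling (server/principle for service/principal) that the rename leaves in place; verify it against the cmdlet's actual parameter name while this line is being edited, because readers copy parameter names straight from this list.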
virtual-desktop | Deploy Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/deploy-diagnostics.md | Here's what the diagnostics tool for Azure Virtual Desktop can do for you: ## Prerequisites -You need to create an Azure Active Directory App Registration and a Log Analytics workspace before you can deploy the Azure Resource Manager template for the tool. You or the administrator need these permissions to do that: +You need to create a Microsoft Entra App Registration and a Log Analytics workspace before you can deploy the Azure Resource Manager template for the tool. You or the administrator need these permissions to do that: - Owner of the Azure subscription - Permission to create resources in your Azure subscription-- Permission to create an Azure AD app+- Permission to create a Microsoft Entra app - RDS Owner or Contributor rights You also need to install these two PowerShell modules before you get started: You also need to install these two PowerShell modules before you get started: Make sure you have your Subscription ID ready for when you sign in. -After you have everything in order, you can create the Azure AD app registration. +After you have everything in order, you can create the Microsoft Entra app registration. -## Create an Azure Active Directory app registration +<a name='create-an-azure-active-directory-app-registration'></a> -This section will show you how to use PowerShell to create the Azure Active Directory app with a service principal and get API permissions for it. +## Create a Microsoft Entra app registration ++This section will show you how to use PowerShell to create the Microsoft Entra app with a service principal and get API permissions for it. >[!NOTE]->The API permissions are Azure Virtual Desktop, Log Analytics and Microsoft Graph API permissions are added to the Azure Active Directory Application. 
+>The API permissions are Azure Virtual Desktop, Log Analytics and Microsoft Graph API permissions are added to the Microsoft Entra Application. 1. Open PowerShell as an Administrator. 2. Sign in to Azure with an account that has Owner or Contributor permissions on the Azure subscription you would like to use for the diagnostics tool: ```powershell Login-AzAccount ```-3. Sign in to Azure AD with the same account: +3. Sign in to Microsoft Entra ID with the same account: ```powershell Connect-AzureAD ``` Learn more about the performance counters at [Windows and Linux performance data ## Validate the script results in the Azure portal -Before you continue deploying the diagnostics tool, we recommend that you verify that your Azure Active Directory application has API permissions and your Log Analytics workspace has the preconfigured Windows performance counters. +Before you continue deploying the diagnostics tool, we recommend that you verify that your Microsoft Entra application has API permissions and your Log Analytics workspace has the preconfigured Windows performance counters. ### Review your app registration To make sure your app registration has API permissions: 1. Open a browser and sign in to the [Azure portal](https://portal.azure.com/) with your administrative account.-2. Go to **Azure Active Directory**. +2. Go to **Microsoft Entra ID**. 3. Go to **App registrations** and select **All Applications**.-4. Look for your Azure AD app registration with the same app name you entered in step 5 of [Create an Azure Active Directory app registration](deploy-diagnostics.md#create-an-azure-active-directory-app-registration). +4. Look for your Microsoft Entra app registration with the same app name you entered in step 5 of [Create a Microsoft Entra app registration](deploy-diagnostics.md#create-an-azure-active-directory-app-registration). 5. On your Azure subscription, check that app registration has been assigned the *Contributor* role assignment. 
### Review your Log Analytics workspace To set the Redirect URI: > ![The redirect URI page](../media/redirect-uri-page.png) 8. Now, go to your Azure resources, select the Azure App Services resource with the name you provided in the template and navigate to the URL associated with it. (For example, if the app name you used in the template was `contosoapp45`, then your associated URL is `http://contoso.azurewebsites.net`).-9. Sign in using the appropriate Azure Active Directory user account. +9. Sign in using the appropriate Microsoft Entra user account. 10. Select **Accept**. ## Distribute the diagnostics tool |
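Review bot: the rewritten NOTE still reads "The API permissions are Azure Virtual Desktop, Log Analytics and Microsoft Graph API permissions are added to the Microsoft Entra Application", which is ungrammatical; suggest "Azure Virtual Desktop, Log Analytics, and Microsoft Graph API permissions are added to the Microsoft Entra application." The added `<a name='create-an-azure-active-directory-app-registration'></a>` anchor correctly keeps the step-4 cross-link working after the heading rename.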
virtual-desktop | Diagnostics Role Service 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/diagnostics-role-service-2019.md | The following table lists common errors your admins might run into. |Numeric code|Error code|Suggested solution| ||||-|1322|ConnectionFailedNoMappingOfSIDinAD|The user isn't a member of Azure Active Directory. Follow the instructions in [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) to add them.| +|1322|ConnectionFailedNoMappingOfSIDinAD|The user isn't a member of Microsoft Entra ID. Follow the instructions in [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) to add them.| |3|UnauthorizedAccess|The user who tried to run the administrative PowerShell cmdlet either doesn't have permissions to do so or mistyped their username.| |1000|TenantNotFound|The tenant name you entered doesn't match any existing tenants. Review the tenant name for typos and try again.| |1006|TenantCannotBeRemovedHasSessionHostPools|You can't delete a tenant as long it contains objects. Delete the session host pools first, then try again.| The following table lists common errors your admins might run into. To learn more about roles within Azure Virtual Desktop, see [Azure Virtual Desktop environment](environment-setup-2019.md). -To see a list of available PowerShell cmdlets for Azure Virtual Desktop, see the [PowerShell reference](/powershell/windows-virtual-desktop/overview). +To see a list of available PowerShell cmdlets for Azure Virtual Desktop, see the [PowerShell reference](/powershell/windows-virtual-desktop/overview). |
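Review bot: the 1322 row now says the user "isn't a member of Microsoft Entra ID", but the error code `ConnectionFailedNoMappingOfSIDinAD` and the linked remediation (Active Directory Administrative Center) concern the Windows Server Active Directory account that the signed-in user maps to, so the rename makes the explanation point at the wrong directory; suggest wording along the lines of "The user's Microsoft Entra account has no matching Active Directory account" and keep the ADAC link. The final `-`/`+` pair for the PowerShell reference sentence is textually identical (a whitespace-only change), which is harmless but worth confirming is intentional.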
virtual-desktop | Environment Setup 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/environment-setup-2019.md | Azure Virtual Desktop is a service that gives users easy and secure access to th ## Tenants -The Azure Virtual Desktop tenant is the primary interface for managing your Azure Virtual Desktop environment. Each Azure Virtual Desktop tenant must be associated with the Azure Active Directory containing the users who will sign in to the environment. From the Azure Virtual Desktop tenant, you can begin creating host pools to run your users' workloads. +The Azure Virtual Desktop tenant is the primary interface for managing your Azure Virtual Desktop environment. Each Azure Virtual Desktop tenant must be associated with the Microsoft Entra ID containing the users who will sign in to the environment. From the Azure Virtual Desktop tenant, you can begin creating host pools to run your users' workloads. ## Host pools |
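Review bot: "associated with the Microsoft Entra ID containing the users" uses the product name where the tenant is meant; "associated with the Microsoft Entra tenant containing the users" reads correctly and matches the "Microsoft Entra tenant" wording used in the other files in this batch.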
virtual-desktop | Expand Existing Host Pool 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/expand-existing-host-pool-2019.md | All parameter values in this section should match what you provided when you fir 1. For *Azure Virtual Desktop tenant group name*, enter the name for the tenant group that contains your tenant. Leave it as the default unless you were provided a specific tenant group name. 2. For *Azure Virtual Desktop tenant name*, enter the name of the tenant where you'll be creating this host pool.-3. Specify the same credentials you used when you first created the host pool and session host VMs. If you are using a service principal, enter the ID of the Azure Active Directory instance where your service principal is located. +3. Specify the same credentials you used when you first created the host pool and session host VMs. If you are using a service principal, enter the ID of the Microsoft Entra instance where your service principal is located. 4. Select **Next : Review + create**. ## Run the GitHub Azure Resource Manager template |
virtual-desktop | Manage App Groups 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/manage-app-groups-2019.md | Title: Manage application groups for Azure Virtual Desktop (classic) - Azure -description: Learn how to set up Azure Virtual Desktop (classic) tenants in Azure Active Directory (Azure AD). +description: Learn how to set up Azure Virtual Desktop (classic) tenants in Microsoft Entra ID. Last updated 08/16/2021 |
virtual-desktop | Manage Resources Using Ui Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/manage-resources-using-ui-powershell.md | This article will show you how to deploy the management tool using PowerShell. ## Important considerations -Each Azure Active Directory (Azure AD) tenant's subscription needs its own separate deployment of the management tool. This tool doesn't support Azure AD Business-to-Business (B2B) scenarios. +Each Microsoft Entra tenant's subscription needs its own separate deployment of the management tool. This tool doesn't support Microsoft Entra Business-to-Business (B2B) scenarios. This management tool is a sample. Microsoft will provide important security and quality updates. [The source code is available in GitHub](https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy). Whether you're a customer or partner, we encourage you to customize the tool to satisfy your business needs. The following browsers are compatible with the management tool: ## What you need to deploy the management tool -Before deploying the management tool, you'll need an Azure Active Directory (Azure AD) user to create an app registration and deploy the management UI. This user must: +Before deploying the management tool, you'll need a Microsoft Entra user to create an app registration and deploy the management UI. This user must: - Have permission to create resources in your Azure subscription-- Have permission to create an Azure AD application. Follow these steps to check if your user has the required permissions by following the instructions in [Required permissions](../../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app).+- Have permission to create a Microsoft Entra application. 
Follow these steps to check if your user has the required permissions by following the instructions in [Required permissions](../../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). After you deploy and configure the management tool, we recommend you ask a user to launch the management UI to make sure everything works. The user who launches the management UI must have a role assignment that lets them view or edit the Azure Virtual Desktop tenant. Get started by signing in to both the Az and Azure AD PowerShell modules. Here's Login-AzAccount ``` -3. Run the following cmdlet to sign in to Azure AD with the same account you used for the Az PowerShell module: +3. Run the following cmdlet to sign in to Microsoft Entra ID with the same account you used for the Az PowerShell module: ```powershell Connect-AzureAD Get started by signing in to both the Az and Azure AD PowerShell modules. Here's Keep the PowerShell window you used to sign in open to run additional PowerShell cmdlets while signed in. -## Create an Azure Active Directory app registration +<a name='create-an-azure-active-directory-app-registration'></a> ++## Create a Microsoft Entra app registration In order to successfully deploy and configure the management tool, you first need to download the following PowerShell scripts from the [RDS-Templates GitHub repo](https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy/scripts) Get-AzSubscription -SubscriptionId $subscriptionId | Select-AzSubscription .\createWvdMgmtUxAppRegistration.ps1 -AppName $appName -SubscriptionId $subscriptionId ``` -Now that you've completed the Azure AD app registration, you can deploy the management tool. +Now that you've completed the Microsoft Entra app registration, you can deploy the management tool. 
## Deploy the management tool New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName ` -Verbose ``` -After you've created the web app, you must add a redirect URI to the Azure AD application to successfully sign in users. +After you've created the web app, you must add a redirect URI to the Microsoft Entra application to successfully sign in users. ## Set the Redirect URI Run the following script to update the API URL configuration in the web applicat .\updateWvdMgmtUxApiUrl.ps1 -AppName $appName -SubscriptionId $subscriptionId ``` -Now that you've fully configured the management tool web app, it's time to verify the Azure AD application and provide consent. +Now that you've fully configured the management tool web app, it's time to verify the Microsoft Entra application and provide consent. ++<a name='verify-the-azure-ad-application-and-provide-consent'></a> -## Verify the Azure AD application and provide consent +## Verify the Microsoft Entra application and provide consent -To verify the Azure AD application configuration and provide consent: +To verify the Microsoft Entra application configuration and provide consent: 1. Open your internet browser and sign in to the [Azure portal](https://portal.azure.com/) with your administrative account. 2. From the search bar at the top of the Azure portal, search for **App registrations** and select the item under **Services**.-3. Select **All applications** and search the unique app name you provided for the PowerShell script in [Create an Azure Active Directory app registration](#create-an-azure-active-directory-app-registration). +3. Select **All applications** and search the unique app name you provided for the PowerShell script in [Create a Microsoft Entra app registration](#create-an-azure-active-directory-app-registration). 4. 
In the panel on the left side of the browser, select **Authentication** and make sure the redirect URI is the same as the web app URL for the management tool, as shown in the following image. [ ![The authentication page with the entered redirect URI](../media/management-ui-redirect-uri-inline.png) ](../media/management-ui-redirect-uri-expanded.png#lightbox) |
virtual-desktop | Manage Resources Using Ui | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/manage-resources-using-ui.md | The instructions in this article will tell you how to deploy the UI by using an ## Important considerations -Since the app requires consent to interact with Azure Virtual Desktop, this tool doesn't support Business-to-Business (B2B) scenarios. Each Azure Active Directory (AAD) tenant's subscription will need its own separate deployment of the management tool. +Since the app requires consent to interact with Azure Virtual Desktop, this tool doesn't support Business-to-Business (B2B) scenarios. Each Microsoft Entra tenant's subscription will need its own separate deployment of the management tool. This management tool is a sample. Microsoft will provide important security and quality updates. The [source code is available in GitHub](https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy). Microsoft Support is not handling issues for the management tool. If you come across any issues, follow the directions in Azure Resource Manager templates for Remote Desktop Services to report them on [GitHub](https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy). To following browsers are compatible with the management tool: ## What you need to deploy the management tool -Before deploying the management tool, you'll need an Azure Active Directory (Azure AD) user to create an app registration and deploy the management UI. This user must: +Before deploying the management tool, you'll need a Microsoft Entra user to create an app registration and deploy the management UI. This user must: -- Have Azure AD Multi-Factor Authentication (MFA) disabled+- Have Microsoft Entra multifactor authentication (MFA) disabled - Have permission to create resources in your Azure subscription-- Have permission to create an Azure AD application. 
Follow these steps to check if your user has the required permissions by following the instructions in [Required permissions](../../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app).+- Have permission to create a Microsoft Entra application. Follow these steps to check if your user has the required permissions by following the instructions in [Required permissions](../../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app). After you deploy and configure the management tool, we recommend you ask a user to launch the management UI to make sure everything works. The user who launches the management UI must have a role assignment that lets them view or edit the Azure Virtual Desktop tenant. ## Deploy the management tool -Before you start, ensure the server and client apps have consent by visiting the [Azure Virtual Desktop Consent Page](https://rdweb.wvd.microsoft.com) for the Azure Active Directory (AAD) represented. +Before you start, ensure the server and client apps have consent by visiting the [Azure Virtual Desktop Consent Page](https://rdweb.wvd.microsoft.com) for the Microsoft Entra ID represented. Follow these instructions to deploy the Azure Resource Manager template: Follow these instructions to deploy the Azure Resource Manager template: 5. Paste the link you copied to the text editor into the address bar. 3. When entering the parameters, do the following: - For the **isServicePrincipal** parameter, select **false**.- - For the credentials, enter your Azure AD credentials with multi-factor authentication disabled. These credentials will be used to create the Azure AD application and Azure resources. To learn more, see the [What you need to deploy the management tool](#what-you-need-to-deploy-the-management-tool). - - For the **applicationName**, use a unique name for your app that will be registered in your Azure Active Directory. 
This name will also be used for the web app URL. For example, you can use a name like "Apr3UX." + - For the credentials, enter your Microsoft Entra credentials with multifactor authentication disabled. These credentials will be used to create the Microsoft Entra application and Azure resources. To learn more, see the [What you need to deploy the management tool](#what-you-need-to-deploy-the-management-tool). + - For the **applicationName**, use a unique name for your app that will be registered in your Microsoft Entra ID. This name will also be used for the web app URL. For example, you can use a name like "Apr3UX." 4. Once you provide the parameters, accept the terms and conditions and select **Purchase**. ## Provide consent for the management tool After the GitHub Azure Resource Manager template completes, you'll find a resource group containing two app services along with one app service plan in the Azure portal. -Before you sign in and use the management tool, you must provide consent for the new Azure AD application associated with the management tool. Providing consent lets the management tool make Azure Virtual Desktop management calls on behalf of the user currently signed in to the tool. +Before you sign in and use the management tool, you must provide consent for the new Microsoft Entra application associated with the management tool. Providing consent lets the management tool make Azure Virtual Desktop management calls on behalf of the user currently signed in to the tool. 
> [!div class="mx-imgBorder"] > ![A screenshot showing the permissions being provided when you consent to the UI management tool.](../media/management-ui-delegated-permissions.png) -To determine which user you can use to sign in to the tool, go to your [Azure Active Directory user settings page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/) and take note of the value for **Users can consent to apps accessing company data on their behalf**. +To determine which user you can use to sign in to the tool, go to your [Microsoft Entra user settings page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/) and take note of the value for **Users can consent to apps accessing company data on their behalf**. > [!div class="mx-imgBorder"] > ![A screenshot showing if users can grant consent to applications for just their user.](../media/management-ui-user-consent-allowed.png) -- If the value is set to **Yes**, you can sign in with any user account in the Azure Active Directory and provide consent for that user only. However, if you sign in to the management tool with a different user later, you must perform the same consent again.-- If the value is set to **No**, you must sign in as a Global Administrator in the Azure Active Directory and provide admin consent for all users in the directory. No other users will face a consent prompt.+- If the value is set to **Yes**, you can sign in with any user account in the Microsoft Entra ID and provide consent for that user only. However, if you sign in to the management tool with a different user later, you must perform the same consent again. +- If the value is set to **No**, you must sign in as a Global Administrator in the Microsoft Entra ID and provide admin consent for all users in the directory. No other users will face a consent prompt. 
Once you decide which user you'll use to provide consent, follow these instructions to provide consent to the tool: 1. Go to your Azure resources, select the Azure App Services resource with the name you provided in the template (for example, Apr3UX) and navigate to the URL associated with it; for example, `https://rdmimgmtweb-210520190304.azurewebsites.net`.-2. Sign in using the appropriate Azure Active Directory user account. +2. Sign in using the appropriate Microsoft Entra user account. 3. If you authenticated with a Global Administrator, you can now select the checkbox to **Consent on behalf of your organization**. Select **Accept** to provide consent. > [!div class="mx-imgBorder"] |
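Review bot: "any user account in the Microsoft Entra ID" and "as a Global Administrator in the Microsoft Entra ID" in the two replaced consent bullets read awkwardly, because "Microsoft Entra ID" is the product name rather than a directory instance; drop the article ("in Microsoft Entra ID") or say "in the Microsoft Entra tenant", which is the wording this same batch uses for the prerequisites. One more thing worth a follow-up, not this rename: the replaced parameters bullet still tells the reader to enter credentials "with multifactor authentication disabled", so the guidance to weaken an account survives the edit unchanged.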
virtual-desktop | Manual Delete | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/manual-delete.md | This article describes how to delete Azure Virtual Desktop (classic). Before you begin, make sure you have the following things ready: -- A global administrator account within the Azure Active Directory tenant+- A global administrator account within the Microsoft Entra tenant - [Download and import the Azure Virtual Desktop module](/powershell/windows-virtual-desktop/overview/) to use in your PowerShell session if you haven't already Before you begin, make sure you have the following things ready: Remove-RDSSessionHost -TenantName <tenantname> -HostPoolName <hostpoolname> -Name <sessionhostname> Remove-RDSHostPool -TenantName <tenantname> -Name <hostpoolname> Remove-RDSTenant -Name <tenantname>- ``` + ``` |
virtual-desktop | Set Up Scaling Script | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/set-up-scaling-script.md | First, you'll need an Azure Automation account to run the PowerShell runbook. Th Now that you have an Azure Automation account, you'll also need to create an Azure Automation Run As account if you don't have one already. This account will let the tool access your Azure resources. -An Azure Automation Run As account provides authentication for managing resources in Azure with Azure cmdlets. When you create a Run As account, it creates a new service principal user in Azure Active Directory and assigns the Contributor role to the service principal user at the subscription level. An Azure Run As account is a great way to authenticate securely with certificates and a service principal name without needing to store a username and password in a credential object. +An Azure Automation Run As account provides authentication for managing resources in Azure with Azure cmdlets. When you create a Run As account, it creates a new service principal user in Microsoft Entra ID and assigns the Contributor role to the service principal user at the subscription level. An Azure Run As account is a great way to authenticate securely with certificates and a service principal name without needing to store a username and password in a credential object. Any user who's a member of the Subscription Admins role and coadministrator of the subscription can create a Run As account. |
virtual-desktop | Tenant Setup Azure Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory.md | Title: Create a tenant in Azure Virtual Desktop (classic) - Azure -description: Describes how to set up Azure Virtual Desktop (classic) tenants in Azure Active Directory. +description: Describes how to set up Azure Virtual Desktop (classic) tenants in Microsoft Entra ID. Last updated 03/30/2020 Creating a tenant in Azure Virtual Desktop is the first step toward building you In this tutorial, learn how to: > [!div class="checklist"]-> * Grant Azure Active Directory permissions to the Azure Virtual Desktop service. -> * Assign the TenantCreator application role to a user in your Azure Active Directory tenant. +> * Grant Microsoft Entra permissions to the Azure Virtual Desktop service. +> * Assign the TenantCreator application role to a user in your Microsoft Entra tenant. > * Create a Azure Virtual Desktop tenant. ## What you need to set up a tenant Before you start setting up your Azure Virtual Desktop tenant, make sure you have these things: -* The [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) tenant ID for Azure Virtual Desktop users. -* A global administrator account within the Azure Active Directory tenant. - * This also applies to Cloud Solution Provider (CSP) organizations that are creating a Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in as global administrator of the customer's Azure Active Directory instance. - * The administrator account must be sourced from the Azure Active Directory tenant in which you're trying to create the Azure Virtual Desktop tenant. This process doesn't support Azure Active Directory B2B (guest) accounts. +* The [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) tenant ID for Azure Virtual Desktop users. 
+* A global administrator account within the Microsoft Entra tenant. + * This also applies to Cloud Solution Provider (CSP) organizations that are creating a Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in as global administrator of the customer's Microsoft Entra instance. + * The administrator account must be sourced from the Microsoft Entra tenant in which you're trying to create the Azure Virtual Desktop tenant. This process doesn't support Microsoft Entra B2B (guest) accounts. * The administrator account must be a work or school account. * An Azure subscription. You must have the tenant ID, global administrator account, and Azure subscriptio ## Grant permissions to Azure Virtual Desktop -If you have already granted permissions to Azure Virtual Desktop for this Azure Active Directory instance, skip this section. +If you have already granted permissions to Azure Virtual Desktop for this Microsoft Entra instance, skip this section. -Granting permissions to the Azure Virtual Desktop service lets it query Azure Active Directory for administrative and end-user tasks. +Granting permissions to the Azure Virtual Desktop service lets it query Microsoft Entra ID for administrative and end-user tasks. To grant the service permissions: 1. Open a browser and begin the admin consent flow to the [Azure Virtual Desktop server app](https://login.microsoftonline.com/common/adminconsent?client_id=5a0aa725-4958-4b0c-80a9-34562e23f3b7&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback). > [!NOTE]- > If you manage a customer and need to grant admin consent for the customer's directory, enter the following URL into the browser and replace {tenant} with the Azure AD domain name of the customer. For example, if the customer's organization has registered the Azure AD domain name of contoso.onmicrosoft.com, replace {tenant} with contoso.onmicrosoft.com. 
+ > If you manage a customer and need to grant admin consent for the customer's directory, enter the following URL into the browser and replace {tenant} with the Microsoft Entra domain name of the customer. For example, if the customer's organization has registered the Microsoft Entra domain name of contoso.onmicrosoft.com, replace {tenant} with contoso.onmicrosoft.com. >``` >https://login.microsoftonline.com/{tenant}/adminconsent?client_id=5a0aa725-4958-4b0c-80a9-34562e23f3b7&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback >``` 2. Sign in to the Azure Virtual Desktop consent page with a global administrator account. For example, if you were with the Contoso organization, your account might be admin@contoso.com or admin@contoso.onmicrosoft.com. 3. Select **Accept**.-4. Wait for one minute so Azure AD can record consent. +4. Wait for one minute so Microsoft Entra ID can record consent. 5. Open a browser and begin the admin consent flow to the [Azure Virtual Desktop client app](https://login.microsoftonline.com/common/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback). >[!NOTE]- > If you manage a customer and need to grant admin consent for the customer's directory, enter the following URL into the browser and replace {tenant} with the Azure AD domain name of the customer. For example, if the customer's organization has registered the Azure AD domain name of contoso.onmicrosoft.com, replace {tenant} with contoso.onmicrosoft.com. + > If you manage a customer and need to grant admin consent for the customer's directory, enter the following URL into the browser and replace {tenant} with the Microsoft Entra domain name of the customer. For example, if the customer's organization has registered the Microsoft Entra domain name of contoso.onmicrosoft.com, replace {tenant} with contoso.onmicrosoft.com. 
>``` > https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback >``` To grant the service permissions: ## Assign the TenantCreator application role -Assigning an Azure Active Directory user the TenantCreator application role allows that user to create a Azure Virtual Desktop tenant associated with the Azure Active Directory instance. You'll need to use your global administrator account to assign the TenantCreator role. +Assigning a Microsoft Entra user the TenantCreator application role allows that user to create a Azure Virtual Desktop tenant associated with the Microsoft Entra instance. You'll need to use your global administrator account to assign the TenantCreator role. To assign the TenantCreator application role: -1. Go to the [Azure portal](https://portal.azure.com) to manage the TenantCreator application role. Search for and select **Enterprise applications**. If you're working with multiple Azure Active Directory tenants, it's a best practice to open a private browser session and copy and paste the URLs into the address bar. +1. Go to the [Azure portal](https://portal.azure.com) to manage the TenantCreator application role. Search for and select **Enterprise applications**. If you're working with multiple Microsoft Entra tenants, it's a best practice to open a private browser session and copy and paste the URLs into the address bar. > [!div class="mx-imgBorder"] > ![Screenshot of searching for Enterprise applications in the Azure portal](../media/azure-portal-enterprise-applications.png) To assign the TenantCreator application role: > ![A screenshot of selecting a user to add as "TenantCreator."](../media/tenant-assign-user.png) > [!NOTE]- > You must select a user (or a group that contains a user) that's sourced from this Azure Active Directory instance. You can't choose a guest (B2B) user or a service principal. 
+ > You must select a user (or a group that contains a user) that's sourced from this Microsoft Entra instance. You can't choose a guest (B2B) user or a service principal. 6. Select the user account, choose the **Select** button, and then select **Assign**. 7. On the **Azure Virtual Desktop - Users and groups** page, verify that you see a new entry with the **TenantCreator** role assigned to the user who will create the Azure Virtual Desktop tenant. Before you continue on to create your Azure Virtual Desktop tenant, you need two pieces of information: - - Your Azure Active Directory tenant ID (or **Directory ID**) + - Your Microsoft Entra tenant ID (or **Directory ID**) - Your Azure subscription ID -To find your Azure Active Directory tenant ID (or **Directory ID**): -1. In the same [Azure portal](https://portal.azure.com) session, search for and select **Azure Active Directory**. +To find your Microsoft Entra tenant ID (or **Directory ID**): +1. In the same [Azure portal](https://portal.azure.com) session, search for and select **Microsoft Entra ID**. > [!div class="mx-imgBorder"]- > ![A screenshot of the search results for "Azure Active Directory" in the Azure portal. The search result under "Services" is highlighted.](../media/tenant-search-azure-active-directory.png) + > ![A screenshot of the search results for "Microsoft Entra ID" in the Azure portal. The search result under "Services" is highlighted.](../media/tenant-search-azure-active-directory.png) 2. Scroll down until you find **Properties**, and then select it. 3. Look for **Directory ID**, and then select the clipboard icon. Paste it in a handy location so you can use it later as the **AadTenantId** value. > [!div class="mx-imgBorder"]- > ![A screenshot of the Azure Active Directory properties. The mouse is hovering over the clipboard icon for "Directory ID" to copy and paste.](../media/tenant-directory-id.png) + > ![A screenshot of the Microsoft Entra properties. 
The mouse is hovering over the clipboard icon for "Directory ID" to copy and paste.](../media/tenant-directory-id.png) To find your Azure subscription ID: 1. In the same [Azure portal](https://portal.azure.com) session, search for and select **Subscriptions**. > [!div class="mx-imgBorder"]- > ![A screenshot of the search results for "Azure Active Directory" in the Azure portal. The search result for "Services" is highlighted.](../media/tenant-search-subscription.png) + > ![A screenshot of the search results for "Microsoft Entra ID" in the Azure portal. The search result for "Services" is highlighted.](../media/tenant-search-subscription.png) 2. Select the Azure subscription you want to use to receive Azure Virtual Desktop service notifications. 3. Look for **Subscription ID**, and then hover over the value until a clipboard icon appears. Select the clipboard icon and paste it in a handy location so you can use it later as the **AzureSubscriptionId** value. To find your Azure subscription ID: ## Create a Azure Virtual Desktop tenant -Now that you've granted the Azure Virtual Desktop service permissions to query Azure Active Directory and assigned the TenantCreator role to a user account, you can create a Azure Virtual Desktop tenant. +Now that you've granted the Azure Virtual Desktop service permissions to query Microsoft Entra ID and assigned the TenantCreator role to a user account, you can create a Azure Virtual Desktop tenant. First, [download and import the Azure Virtual Desktop module](/powershell/windows-virtual-desktop/overview/) to use in your PowerShell session if you haven't already. 
Sign in to Azure Virtual Desktop by using the TenantCreator user account with th Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" ``` -After that, create a new Azure Virtual Desktop tenant associated with the Azure Active Directory tenant: +After that, create a new Azure Virtual Desktop tenant associated with the Microsoft Entra tenant: ```powershell New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID> New-RdsRoleAssignment -TenantName <TenantName> -SignInName <Upn> -RoleDefinition ``` ## Next steps-After you've created your tenant, you'll need to create a service principal in Azure Active Directory and assign it a role within Azure Virtual Desktop. The service principal will allow you to successfully deploy the Azure Virtual Desktop Azure Marketplace offering to create a host pool. To learn more about host pools, continue to the tutorial for creating a host pool in Azure Virtual Desktop. +After you've created your tenant, you'll need to create a service principal in Microsoft Entra ID and assign it a role within Azure Virtual Desktop. The service principal will allow you to successfully deploy the Azure Virtual Desktop Azure Marketplace offering to create a host pool. To learn more about host pools, continue to the tutorial for creating a host pool in Azure Virtual Desktop. > [!div class="nextstepaction"] > [Create service principals and role assignments with PowerShell](create-service-principal-role-powershell.md) |
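Review bot: "creating a Azure Virtual Desktop tenant" in the added CSP sub-bullet should be "an Azure"; since the line is being rewritten anyway, fix the article there (the retained heading "Create a Azure Virtual Desktop tenant" has the same problem but is outside the hunk). The added lines also alternate between "Microsoft Entra instance", "Microsoft Entra tenant" and "Microsoft Entra ID" for the same directory; pick "Microsoft Entra tenant" wherever a specific directory is meant. Separately, the alt text replaced under "To find your Azure subscription ID" now reads "search results for "Microsoft Entra ID"" although the step searches for **Subscriptions** and the image is tenant-search-subscription.png; the rename carried over an already wrong description, so make it "search results for "Subscriptions"".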
virtual-desktop | Troubleshoot Management Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/troubleshoot-management-tool.md | This usually means one of the following two things: To fix this: -1. Make sure the user you created for the Azure Active Directory User Principal Name has the "Contributor" subscription level. +1. Make sure the user you created for the Microsoft Entra user Principal Name has the "Contributor" subscription level. 2. Sign in to <portal.azure.com> with the UPN account to check the account settings and make sure multi-factor authentication isn't on. If it's turned on, turn it off. 3. Visit the Azure Virtual Desktop Consent page and make sure the server and client apps have consent. 4. Review the [Deploy a management tool](manage-resources-using-ui.md) tutorial if the issue continues and redeploy the tool. To fix this, deploy the management tool in a different region. Redeploying the t - Learn about escalation tracks at [Troubleshooting overview, feedback, and support](troubleshoot-set-up-overview-2019.md). - Learn how to report issues with Azure Virtual Desktop tools at [ARM Templates for Remote Desktop Services](https://github.com/Azure/RDS-Templates/blob/master/README.md).-- To learn how to deploy the management tool, see [Deploy a management tool](manage-resources-using-ui.md).+- To learn how to deploy the management tool, see [Deploy a management tool](manage-resources-using-ui.md). |
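Review bot: "Microsoft Entra user Principal Name" in the replaced step 1 lowercases the first word of the term "User Principal Name" and leaves the rest capitalized; write "Microsoft Entra user principal name (UPN)" so it matches step 2, which refers to "the UPN account".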
virtual-desktop | Troubleshoot Powershell 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/troubleshoot-powershell-2019.md | Add-RdsAppGroupUser -TenantName <TenantName> -HostPoolName <HostPoolName> -AppGr **Fix:** If user needs both a RemoteApp and desktop, create different host pools or only grant user access to the remote desktop, which will permit the use of any application on the session host VM. -### Error: Add-RdsAppGroupUser command -- The specified UserPrincipalName doesn't exist in the Azure Active Directory associated with the Remote Desktop tenant +<a name='error-add-rdsappgroupuser-command-the-specified-userprincipalname-doesnt-exist-in-the-azure-active-directory-associated-with-the-remote-desktop-tenant'></a> ++### Error: Add-RdsAppGroupUser command -- The specified UserPrincipalName doesn't exist in the Microsoft Entra ID associated with the Remote Desktop tenant ```powershell Add-RdsAppGroupUser -TenantName <TenantName> -HostPoolName <HostPoolName> -AppGroupName "Desktop Application Group" -UserPrincipalName <UserPrincipalName> ``` -**Cause:** The user specified by the -UserPrincipalName cannot be found in the Azure Active Directory tied to the Azure Virtual Desktop tenant. +**Cause:** The user specified by the -UserPrincipalName cannot be found in the Microsoft Entra tied to the Azure Virtual Desktop tenant. **Fix:** Confirm the items in the following list. -- The user is synched to Azure Active Directory.+- The user is synched to Microsoft Entra ID. - The user isn't tied to business to consumer (B2C) or business-to-business (B2B) commerce.-- The Azure Virtual Desktop tenant is tied to correct Azure Active Directory.+- The Azure Virtual Desktop tenant is tied to correct Microsoft Entra ID. 
### Error: Get-RdsDiagnosticActivities -- User isn't authorized to query the management service Get-RdsDiagnosticActivities -Deployment -username <username> **Fix 1:** A user with Remote Desktop Services owner permissions needs to execute the role assignment. -**Cause 2:** The account being used has Remote Desktop Services owner permissions but isn't part of the tenant's Azure Active Directory or doesn't have permissions to query the Azure Active Directory where the user is located. +**Cause 2:** The account being used has Remote Desktop Services owner permissions but isn't part of the tenant's Microsoft Entra ID or doesn't have permissions to query the Microsoft Entra ID where the user is located. **Fix 2:** A user with Active Directory permissions needs to execute the role assignment. > [!NOTE]-> New-RdsRoleAssignment cannot give permissions to a user that doesn't exist in the Azure Active Directory (Azure AD). +> New-RdsRoleAssignment cannot give permissions to a user that doesn't exist in the Microsoft Entra ID. ## Error: SessionHostPool could not be deleted |
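Review bot: the replaced Cause line "cannot be found in the Microsoft Entra tied to the Azure Virtual Desktop tenant" is missing its noun; it should read "in the Microsoft Entra tenant tied to". In the same Fix list, the rewritten bullets still say "synched" (use "synced") and "tied to correct Microsoft Entra ID" (use "tied to the correct Microsoft Entra tenant"). Further down, "Fix 2: A user with Active Directory permissions needs to execute the role assignment" is left as context while the Cause 2 sentence right above it was renamed, so the pair now reads as if two different directories are involved; either rename it too or say which directory is meant.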
virtual-desktop | Troubleshoot Set Up Issues 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/troubleshoot-set-up-issues-2019.md | configuration of your service subscriptions.650052 Message The app needs access Contact your IT Admin to review the configuration of your service subscriptions. ``` -**Cause:** Consent not granted to Azure Virtual Desktop in the Azure Active directory instance. +**Cause:** Consent not granted to Azure Virtual Desktop in the Microsoft Entra instance. **Fix:** [Follow this guide](./tenant-setup-azure-active-directory.md#grant-permissions-to-azure-virtual-desktop) to grant consent. Example of raw error: + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.Tenant.NewRdsTenant ``` -**Cause:** The user who's signed in hasn't been assigned the TenantCreator role in their Azure Active Directory. +**Cause:** The user who's signed in hasn't been assigned the TenantCreator role in their Microsoft Entra ID. -**Fix:** Follow the instructions in [Assign the TenantCreator application role to a user in your Azure Active Directory tenant](tenant-setup-azure-active-directory.md#assign-the-tenantcreator-application-role). After following the instructions, you'll have a user assigned to the TenantCreator role. +**Fix:** Follow the instructions in [Assign the TenantCreator application role to a user in your Microsoft Entra tenant](tenant-setup-azure-active-directory.md#assign-the-tenantcreator-application-role). After following the instructions, you'll have a user assigned to the TenantCreator role. 
> [!div class="mx-imgBorder"] > ![Screenshot of TenantCreator role assigned.](../media/TenantCreatorRoleAssigned.png) Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" New-RdsRoleAssignment -TenantName <Azure Virtual Desktop tenant name> -RoleDefinitionName "RDS Contributor" -SignInName <UPN> ``` -### Error: User requires Azure AD Multi-Factor Authentication (MFA) +<a name='error-user-requires-azure-ad-multi-factor-authentication-mfa'></a> ++### Error: User requires Microsoft Entra multifactor authentication (MFA) > [!div class="mx-imgBorder"]-> ![Screenshot of your deployment failed due to lack of Multi-Factor Authentication (MFA)](../media/MFARequiredError.png) +> ![Screenshot of your deployment failed due to lack of multifactor authentication (MFA)](../media/MFARequiredError.png) Example of raw error: Example of raw error: "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: One or more errors occurred. The SendConfigurationApply function did not succeed.\\\".\"\r\n }\r\n ]\r\n }\r\n}" ``` -**Cause:** The specified Azure Virtual Desktop tenant admin requires Azure AD Multi-Factor Authentication (MFA) to sign in. +**Cause:** The specified Azure Virtual Desktop tenant admin requires Microsoft Entra multifactor authentication (MFA) to sign in. 
**Fix:** Create a service principal and assign it a role for your Azure Virtual Desktop tenant by following the steps in [Tutorial: Create service principals and role assignments with PowerShell](create-service-principal-role-powershell.md). After verifying that you can sign in to Azure Virtual Desktop with the service principal, rerun the Azure Marketplace offering or the GitHub Azure Resource Manager template, depending on which method you're using. Follow the instructions below to enter the correct parameters for your method. If you're running the Azure Marketplace offering, provide values for the followi - Azure Virtual Desktop tenant RDS Owner: Service principal - Application ID: The application identification of the new service principal you created - Password/Confirm Password: The password secret you generated for the service principal-- Azure AD Tenant ID: The Azure AD Tenant ID of the service principal you created+- Microsoft Entra tenant ID: The Microsoft Entra tenant ID of the service principal you created If you're running the GitHub Azure Resource Manager template, provide values for the following parameters to properly authenticate to Azure Virtual Desktop: - Tenant Admin user principal name (UPN) or Application ID: The application identification of the new service principal you created - Tenant Admin Password: The password secret you generated for the service principal - IsServicePrincipal: **true**-- AadTenantId: The Azure AD Tenant ID of the service principal you created+- AadTenantId: The Microsoft Entra tenant ID of the service principal you created ### Error: vmSubnet not available when configuring virtual networks |
virtual-desktop | Troubleshoot Vm Configuration 2019 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/virtual-desktop-fall-2019/troubleshoot-vm-configuration-2019.md | Follow these instructions if you're having issues joining VMs to the domain. **Fix 1:** Create VNET peering between the VNET where VMs were provisioned and the VNET where the domain controller (DC) is running. See [Create a virtual network peering - Resource Manager, different subscriptions](../../virtual-network/create-peering-different-subscriptions.md). -**Cause 2:** When using Azure Active Directory Domain Services (Azure AD DS), the virtual network doesn't have its DNS server settings updated to point to the managed domain controllers. +**Cause 2:** When using Microsoft Entra Domain Services, the virtual network doesn't have its DNS server settings updated to point to the managed domain controllers. -**Fix 2:** To update the DNS settings for the virtual network containing Azure AD DS, see [Update DNS settings for the Azure virtual network](../../active-directory-domain-services/tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network). +**Fix 2:** To update the DNS settings for the virtual network containing Microsoft Entra Domain Services, see [Update DNS settings for the Azure virtual network](../../active-directory-domain-services/tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network). **Cause 3:** The network interface's DNS server settings do not point to the appropriate DNS server on the virtual network. |
virtual-machine-scale-sets | Virtual Machine Scale Sets Manage Fault Domains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/virtual-machine-scale-sets-manage-fault-domains.md | az vmss create \ --name myScaleSet \ --orchestration-mode Flexible \ --image Ubuntu2204 \- --upgrade-policy-mode automatic \ --admin-username azureuser \ --platform-fault-domain-count 3\ --generate-ssh-keys |
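Review bot: the context line `--platform-fault-domain-count 3\` lacks the space before the line-continuation backslash that every other argument line in the command has; it only works because the following line starts with indentation, so write `--platform-fault-domain-count 3 \` for consistency while this block is being touched.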
virtual-machines | Disk Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disk-encryption.md | For now, customer-managed keys have the following restrictions: Customer-managed keys are available in all regions that managed disks are available. > [!IMPORTANT]-> Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks isn't transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Azure AD directories](../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with managed disks isn't transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Microsoft Entra directories](../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). 
To enable customer-managed keys for managed disks, see our articles covering how to enable it with either the [Azure PowerShell module](windows/disks-enable-customer-managed-keys-powershell.md), the [Azure CLI](linux/disks-enable-customer-managed-keys-cli.md) or the [Azure portal](disks-enable-customer-managed-keys-portal.md). To enable double encryption at rest for managed disks, see our articles covering [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) leverages either the [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux or the [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview) feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service. > [!IMPORTANT]-> Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Azure AD directories](../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. 
If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Microsoft Entra directories](../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ## Next steps |
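Review bot: the two hunks in this file rewrite the same IMPORTANT note word for word (the only difference is "isn't transferred" versus "is not transferred"), so disk-encryption.md now carries the managed-identity caveat twice; consider keeping a single copy, or at least make the two copies identical so the next rename does not have to touch both.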
virtual-machines | Disks Cross Tenant Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-cross-tenant-customer-managed-keys.md | Title: Use a disk encryption set across Azure AD tenants -description: Learn how to use customer-managed keys with your Azure disks in different Azure AD tenants. + Title: Use a disk encryption set across Microsoft Entra tenants +description: Learn how to use customer-managed keys with your Azure disks in different Microsoft Entra tenants. -This article covers building a solution where you encrypt managed disks with customer-managed keys using Azure Key Vaults stored in a different Azure Active Directory (Azure AD) tenant. This configuration can be ideal for several scenarios, one example being Azure support for service providers that want to offer bring-your-own encryption keys to their customers where resources from the service provider's tenant are encrypted with keys from their customer's tenant. +This article covers building a solution where you encrypt managed disks with customer-managed keys using Azure Key Vaults stored in a different Microsoft Entra tenant. This configuration can be ideal for several scenarios, one example being Azure support for service providers that want to offer bring-your-own encryption keys to their customers where resources from the service provider's tenant are encrypted with keys from their customer's tenant. A disk encryption set with federated identity in a cross-tenant CMK workflow spans service provider/ISV tenant resources (disk encryption set, managed identities, and app registrations) and customer tenant resources (enterprise apps, user role assignments, and key vault). In this case, the source Azure resource is the service provider's disk encryption set. 
If you have questions about cross-tenant customer-managed keys with managed disk ## Create a disk encryption set -Now that you've created your Azure Key Vault and performed the required Azure AD configurations, deploy a disk encryption set configured to work across tenants and associate it with a key in the key vault. You can do this using the Azure portal, Azure PowerShell, or Azure CLI. You can also use an [ARM template](#use-an-arm-template) or [REST API](#use-rest-api). +Now that you've created your Azure Key Vault and performed the required Microsoft Entra configurations, deploy a disk encryption set configured to work across tenants and associate it with a key in the key vault. You can do this using the Azure portal, Azure PowerShell, or Azure CLI. You can also use an [ARM template](#use-an-arm-template) or [REST API](#use-rest-api). # [Portal](#tab/azure-portal) |
virtual-machines | Disks Enable Customer Managed Keys Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-enable-customer-managed-keys-portal.md | The VM deployment process is similar to the standard deployment process, the onl 1. When your disks finish switching over to customer-managed keys, if there are no other attached disks you'd like to encrypt, start your VM. > [!IMPORTANT]-> Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Azure AD directories](../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Microsoft Entra directories](../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ### Enable automatic key rotation on an existing disk encryption set |
virtual-machines | Disks Restrict Import Export Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/disks-restrict-import-export-overview.md | To limit the number of people who can import or export managed disks or snapshot Any custom role without those permissions can't upload or download managed disks. -## Azure AD authentication +<a name='azure-ad-authentication'></a> -If you're using Azure Active Directory (Azure AD) to control resource access, you can also use it to restrict uploading of Azure managed disks. When a user attempts to upload a disk, Azure validates the identity of the requesting user in Azure AD, and confirms that user has the required permissions. To learn more, see either the [PowerShell](windows/disks-upload-vhd-to-managed-disk-powershell.md#secure-uploads-with-azure-ad) or [CLI](linux/disks-upload-vhd-to-managed-disk-cli.md#secure-uploads-with-azure-ad) articles. +## Microsoft Entra authentication ++If you're using Microsoft Entra ID to control resource access, you can also use it to restrict uploading of Azure managed disks. When a user attempts to upload a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. To learn more, see either the [PowerShell](windows/disks-upload-vhd-to-managed-disk-powershell.md#secure-uploads-with-azure-ad) or [CLI](linux/disks-upload-vhd-to-managed-disk-cli.md#secure-uploads-with-azure-ad) articles. ## Private links |
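Review bot: the links in the new "Microsoft Entra authentication" paragraph still target the old fragments `#secure-uploads-with-azure-ad` in the PowerShell and CLI upload articles; if those articles had their own "Azure AD" headings renamed in the same pass, the fragments resolve only if each article keeps a legacy anchor the way this file does with `<a name='azure-ad-authentication'></a>`. Either confirm the anchors exist there or update the two fragments to the new heading ids.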
virtual-machines | Azure Disk Enc Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/azure-disk-enc-linux.md | For a full list of prerequisites, see [Azure Disk Encryption for Linux VMs](../l ## Extension Schema There are two versions of extension schema for Azure Disk Encryption (ADE):-- v1.1 - A newer recommended schema that does not use Azure Active Directory (Azure AD) properties.-- v0.1 - An older schema that requires Azure Active Directory (Azure AD) properties.+- v1.1 - A newer recommended schema that does not use Microsoft Entra properties. +- v0.1 - An older schema that requires Microsoft Entra properties. To select a target schema, the `typeHandlerVersion` property must be set equal to version of schema you want to use. -### Schema v1.1: No Azure AD (recommended) +<a name='schema-v11-no-azure-ad-recommended'></a> -The v1.1 schema is recommended and does not require Azure Active Directory (Azure AD) properties. +### Schema v1.1: No Microsoft Entra ID (recommended) ++The v1.1 schema is recommended and does not require Microsoft Entra properties. > [!NOTE] > The `DiskFormatQuery` parameter is deprecated. Its functionality has been replaced by the EncryptFormatAll option instead, which is the recommended way to format data disks at time of encryption. The v1.1 schema is recommended and does not require Azure Active Directory (Azur ``` -### Schema v0.1: with Azure AD +<a name='schema-v01-with-azure-ad'></a> ++### Schema v0.1: with Microsoft Entra ID The 0.1 schema requires `AADClientID` and either `AADClientSecret` or `AADClientCertificate`. For an example of template deployment based on schema v1.1, see the Azure Quicks For an example of template deployment based on schema v0.1, see the Azure Quickstart Template [encrypt-running-linux-vm](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/encrypt-running-linux-vm). 
>[!WARNING]-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue use this option to encrypt your VM. +> - If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. > - When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend to avoid SSH logins while the encryption is in progress to avoid issues blocking any open files that will need to be accessed during the encryption process. To check progress, use the [Get-AzVMDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) PowerShell cmdlet or the [vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) CLI command. This process can be expected to take a few hours for a 30GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes; the `encrypt format all` option is faster than in-place encryption, but will result in the loss of all data on the disks. > - Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted. |
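Review bot: the reworded first warning bullet carries over a grammar slip from the old line: `you must continue use this option to encrypt your VM` should read `you must continue to use this option to encrypt your VM`. While this list is being touched, the unchanged last bullet reads `only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted`, which contradicts itself and would benefit from the same pass.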
virtual-machines | Azure Disk Enc Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/azure-disk-enc-windows.md | For a full list of prerequisites, see [Azure Disk Encryption for Windows VMs](.. ## Extension Schema There are two versions of extension schema for Azure Disk Encryption (ADE):-- v2.2 - A newer recommended schema that does not use Azure Active Directory (Azure AD) properties.-- v1.1 - An older schema that requires Azure Active Directory (Azure AD) properties.+- v2.2 - A newer recommended schema that does not use Microsoft Entra properties. +- v1.1 - An older schema that requires Microsoft Entra properties. To select a target schema, the `typeHandlerVersion` property must be set equal to version of schema you want to use. -### Schema v2.2: No Azure AD (recommended) +<a name='schema-v22-no-azure-ad-recommended'></a> -The v2.2 schema is recommended for all new VMs and does not require Azure Active Directory properties. +### Schema v2.2: No Microsoft Entra ID (recommended) ++The v2.2 schema is recommended for all new VMs and does not require Microsoft Entra properties. ```json { The v2.2 schema is recommended for all new VMs and does not require Azure Active } ``` -### Schema v1.1: with Azure AD +<a name='schema-v11-with-azure-ad'></a> ++### Schema v1.1: with Microsoft Entra ID The 1.1 schema requires `aadClientID` and either `aadClientSecret` or `AADClientCertificate` and is not recommended for new VMs. |
virtual-machines | Features Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/features-windows.md | If you use a [supported version of the Azure VM Agent](/troubleshoot/azure/virtu > [!IMPORTANT] > If you block access to IP address 168.63.129.16 by using the guest firewall or via a proxy, extensions fail. Failure occurs even if you use a supported version of the VM Agent or you configure outbound access. Ports 80 and 32526 are required. -Agents can only be used to download extension packages and report status. For example, if an extension installation needs to download a script from GitHub (Custom Script Extension) or requires access to Azure Storage (Azure Backup), then you need to open other firewall or network security group (NSG) ports. Different extensions have different requirements because they're applications in their own right. For extensions that require access to Azure Storage or Azure Active Directory, you can allow access by using Azure NSG [service tags](/azure/virtual-network/network-security-groups-overview#service-tags). +Agents can only be used to download extension packages and report status. For example, if an extension installation needs to download a script from GitHub (Custom Script Extension) or requires access to Azure Storage (Azure Backup), then you need to open other firewall or network security group (NSG) ports. Different extensions have different requirements because they're applications in their own right. For extensions that require access to Azure Storage or Microsoft Entra ID, you can allow access by using Azure NSG [service tags](/azure/virtual-network/network-security-groups-overview#service-tags). The Azure VM Agent doesn't provide proxy server support to enable redirection of agent traffic requests. The VM Agent relies on your custom proxy (if you have one) to access resources on the internet or on the host through IP address 168.63.129.16. |
virtual-machines | Vmaccess | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/extensions/vmaccess.md | This article shows you how to: If you need to manage Classic virtual machines, see [Using the VMAccess extension](/previous-versions/azure/virtual-machines/linux/classic/reset-access-classic). > [!NOTE]-> If you use the VMAccess extension to reset the password of your VM after you install the Azure Active Directory (Azure AD) Login extension, rerun the Azure AD Login extension to re-enable Azure AD Login for your VM. +> If you use the VMAccess extension to reset the password of your VM after you install the Microsoft Entra Login extension, rerun the Microsoft Entra Login extension to re-enable Microsoft Entra Login for your VM. ## Prerequisites |
virtual-machines | Image Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/image-version.md | -The Azure Compute Gallery lets you share your custom VM images with others in your organization, within or across regions, within an Azure AD tenant, or publicly using a [community gallery](azure-compute-gallery.md#community). Choose which images you want to share, which regions you want to make them available in, and who you want to share them with. You can create multiple galleries so that you can logically group images. Many new features like ARM64, Accelerated Networking and TrustedVM are only supported through Azure Compute Gallery and not available for managed images. +The Azure Compute Gallery lets you share your custom VM images with others in your organization, within or across regions, within a Microsoft Entra tenant, or publicly using a [community gallery](azure-compute-gallery.md#community). Choose which images you want to share, which regions you want to make them available in, and who you want to share them with. You can create multiple galleries so that you can logically group images. Many new features like ARM64, Accelerated Networking and TrustedVM are only supported through Azure Compute Gallery and not available for managed images. The Azure Compute Gallery feature has multiple resource types: |
virtual-machines | Create Upload Generic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/create-upload-generic.md | Title: Prepare Linux for imaging -description: Learn to prepare a Linux system to be used for an image in Azure. +description: Learn how to prepare a Linux system to be used for an image in Azure. Last updated 12/14/2022 -# Information for community supported and non-endorsed distributions +# Prepare Linux for imaging in Azure -**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets +**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets -The Azure platform SLA applies to virtual machines running the Linux OS only when one of the [endorsed distributions](endorsed-distros.md) is used. For these endorsed distributions, pre-configured Linux images are provided in the Azure Marketplace. +The Azure platform service-level agreement (SLA) applies to virtual machines (VMs) running the Linux operating system only when you're using one of the endorsed distributions. For endorsed distributions, Azure Marketplace provides preconfigured Linux images. For more information, see: -* [Linux on Azure - Endorsed Distributions](endorsed-distros.md) -* [Support for Linux images in Microsoft Azure](https://support.microsoft.com/kb/2941892) +* [Endorsed Linux distributions on Azure](endorsed-distros.md) +* [Support for Linux and open-source technology in Azure](https://support.microsoft.com/kb/2941892) -All other, non-Azure Marketplace, distributions running on Azure have a number of prerequisites. This article can't be comprehensive, as every distribution is different. Even if you meet all the criteria below, you may need to significantly tweak your Linux system for it to run properly. +All other distributions running on Azure, including community-supported and non-endorsed distributions, have some prerequisites. 
-This article focuses on general guidance for running your Linux distribution on Azure. +This article focuses on general guidance for running your Linux distribution on Azure. This article can't be comprehensive, because every distribution is different. Even if you meet all the criteria that this article describes, you might need to significantly tweak your Linux system for it to run properly. -## General Linux Installation Notes -1. The Hyper-V virtual hard disk (VHDX) format isn't supported in Azure, only *fixed VHD*. You can convert the disk to VHD format using Hyper-V Manager or the [Convert-VHD](/powershell/module/hyper-v/convert-vhd) cmdlet. If you're using VirtualBox, select **Fixed size** rather than the default (dynamically allocated) when creating the disk. +## General Linux installation notes -2. Azure supports Gen1 (BIOS boot) & Gen2 (UEFI boot) Virtual machines. +* Azure doesn't support the Hyper-V virtual hard disk (VHDX) format. Azure supports only *fixed VHD*. You can convert the disk to VHD format by using Hyper-V Manager or the [Convert-VHD](/powershell/module/hyper-v/convert-vhd) cmdlet. If you're using VirtualBox, select **Fixed size** rather than the default (**Dynamically allocated**) when you're creating the disk. -3. The vfat kernel module must be enabled in the kernel +* Azure supports Gen1 (BIOS boot) and Gen2 (UEFI boot) virtual machines. -4. The maximum size allowed for the VHD is 1,023 GB. +* The virtual file allocation table (VFAT) kernel module must be enabled in the kernel. -5. When installing the Linux system, we recommend that you use standard partitions, rather than Logical Volume Manager (LVM) which is the default for many installations. Using standard partitions will avoid LVM name conflicts with cloned VMs, particularly if an OS disk is ever attached to another identical VM for troubleshooting. 
[LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) or [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) may be used on data disks. +* The maximum size allowed for the VHD is 1,023 GB. -6. Kernel support for mounting UDF file systems is necessary. At first boot on Azure the provisioning configuration is passed to the Linux VM by using UDF-formatted media that is attached to the guest. The Azure Linux agent must mount the UDF file system to read its configuration and provision the VM. +* When you're installing the Linux system, we recommend that you use standard partitions rather than Logical Volume Manager (LVM). LMV is the default for many installations. -7. Linux kernel versions earlier than 2.6.37 don't support NUMA on Hyper-V with larger VM sizes. This issue primarily impacts older distributions using the upstream Red Hat 2.6.32 kernel and was fixed in Red Hat Enterprise Linux (RHEL) 6.6 (kernel-2.6.32-504). Systems running custom kernels older than 2.6.37, or RHEL-based kernels older than 2.6.32-504 must set the boot parameter `numa=off` on the kernel command line in grub.conf. For more information, see [Red Hat KB 436883](https://access.redhat.com/solutions/436883). + Using standard partitions will avoid LVM name conflicts with cloned VMs, particularly if an OS disk is ever attached to another identical VM for troubleshooting. You can use [LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) or [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) on data disks. -8. Don't configure a swap partition on the OS disk. The Linux agent can be configured to create a swap file on the temporary resource disk, as described in the following steps. +* Kernel support for mounting user-defined function (UDF) file systems is necessary. At first boot on Azure, the provisioning configuration is passed to the Linux VM via UDF-formatted media that are attached to the guest. 
The Azure Linux agent must mount the UDF file system to read its configuration and provision the VM. -10. All VHDs on Azure must have a virtual size aligned to 1 MB (1024 × 1024 bytes). When converting from a raw disk to VHD you must ensure that the raw disk size is a multiple of 1 MB before conversion, as described in the following steps. +* Linux kernel versions earlier than 2.6.37 don't support Non-Uniform Memory Access (NUMA) on Hyper-V with larger VM sizes. This issue primarily affects older distributions that use the upstream Red Hat 2.6.32 kernel. It was fixed in Red Hat Enterprise Linux (RHEL) 6.6 (kernel-2.6.32-504). -11. Use the most up-to-date distribution version, packages, and software. + Systems running custom kernels older than 2.6.37, or RHEL-based kernels older than 2.6.32-504, must set the boot parameter `numa=off` on the kernel command line in *grub.conf*. For more information, see [Red Hat KB 436883](https://access.redhat.com/solutions/436883). -12. Remove users and system accounts, public keys, sensitive data, unnecessary software, and application. +* Don't configure a swap partition on the OS disk. You can configure the Linux agent to create a swap file on the temporary resource disk, as described later in this article. +* All VHDs on Azure must have a virtual size aligned to 1 MB (1024 x 1024 bytes). When you're converting from a raw disk to VHD, ensure that the raw disk size is a multiple of 1 MB before conversion, as described later in this article. ++* Use the most up-to-date distribution version, packages, and software. ++* Remove users and system accounts, public keys, sensitive data, unnecessary software, and applications. > [!NOTE]-> **(_Cloud-init >= 21.2 removes the udf requirement._)** however without the udf module enabled the cdrom will not mount during provisioning preventing custom data from being applied. A workaround for this would be to apply custom data using user data however, unlike custom data user data is not encrypted. 
https://cloudinit.readthedocs.io/en/latest/topics/format.html +> Cloud-init version 21.2 or later removes the UDF requirement. But without the `udf` module enabled, the CD-ROM won't mount during provisioning, which prevents the custom data from being applied. A workaround is to apply user data. However, unlike custom data, user data isn't encrypted. For more information, see [User data formats](https://cloudinit.readthedocs.io/en/latest/topics/format.html) in the cloud-init documentation. +### Install kernel modules without Hyper-V +Azure runs on the Hyper-V hypervisor, so Linux requires certain kernel modules to run in Azure. If you have a VM that was created outside Hyper-V, the Linux installers might not include the drivers for Hyper-V in the initial RAM disk (initrd or initramfs), unless the VM detects that it's running in a Hyper-V environment. -### Installing kernel modules without Hyper-V -Azure runs on the Hyper-V hypervisor, so Linux requires certain kernel modules to run in Azure. If you have a VM that was created outside of Hyper-V, the Linux installers may not include the drivers for Hyper-V in the initial ramdisk (initrd or initramfs), unless the VM detects that it's running on a Hyper-V environment. When using a different virtualization system (such as VirtualBox, KVM, and so on) to prepare your Linux image, you may need to rebuild the initrd so that at least the hv_vmbus and hv_storvsc kernel modules are available on the initial ramdisk. This known issue is for systems based on the upstream Red Hat distribution, and possibly others. +When you're using a different virtualization system (such as VirtualBox or KVM) to prepare your Linux image, you might need to rebuild initrd so that at least the `hv_vmbus` and `hv_storvsc` kernel modules are available on the initial RAM disk. This known issue is for systems based on the upstream Red Hat distribution, and possibly others. 
-The mechanism for rebuilding the initrd or initramfs image may vary depending on the distribution. Consult your distribution's documentation or support for the proper procedure. Here is one example for rebuilding the initrd by using the `mkinitrd` utility: +The mechanism for rebuilding the initrd or initramfs image can vary, depending on the distribution. Consult your distribution's documentation or support for the proper procedure. Here's one example for rebuilding initrd by using the `mkinitrd` utility: 1. Back up the existing initrd image: The mechanism for rebuilding the initrd or initramfs image may vary depending on sudo cp initrd-`uname -r`.img initrd-`uname -r`.img.bak ``` -2. Rebuild the `initrd` with the `hv_vmbus` and `hv_storvsc` kernel modules: +2. Rebuild initrd by using the `hv_vmbus` and `hv_storvsc` kernel modules: ```bash sudo mkinitrd --preload=hv_storvsc --preload=hv_vmbus -v -f initrd-`uname -r`.img `uname -r` ``` -### Resizing VHDs -VHD images on Azure must have a virtual size aligned to 1 MB. Typically, VHDs created using Hyper-V are aligned correctly. If the VHD isn't aligned correctly, you may receive an error message similar to the following when you try to create an image from your VHD. - ```config - The VHD http:\//\<mystorageaccount>.blob.core.windows.net/vhds/MyLinuxVM.vhd has an unsupported virtual size of 21475270656 bytes. The size must be a whole number (in MBs). - ``` -In this case, resize the VM using either the Hyper-V Manager console or the [Resize-VHD](/powershell/module/hyper-v/resize-vhd) PowerShell cmdlet. If you aren't running in a Windows environment, we recommend using `qemu-img` to convert (if needed) and resize the VHD. +### Resize VHDs ++VHD images on Azure must have a virtual size aligned to 1 MB. Typically, VHDs created through Hyper-V are aligned correctly. 
If the VHD isn't aligned correctly, you might get an error message similar to the following example when you try to create an image from your VHD: ++```config +The VHD http://<mystorageaccount>.blob.core.windows.net/vhds/MyLinuxVM.vhd has an unsupported virtual size of 21475270656 bytes. The size must be a whole number (in MBs). +``` ++In this case, resize the VM by using either the Hyper-V Manager console or the [Resize-VHD](/powershell/module/hyper-v/resize-vhd) PowerShell cmdlet. If you aren't running in a Windows environment, we recommend using `qemu-img` to convert (if needed) and resize the VHD. > [!NOTE]-> There is a [known bug in qemu-img](https://bugs.launchpad.net/qemu/+bug/1490611) versions >=2.2.1 that results in an improperly formatted VHD. The issue has been fixed in QEMU 2.6. We recommend using either `qemu-img` 2.2.0 or lower, or 2.6 or higher. -> +> There's a [known bug in qemu-img](https://bugs.launchpad.net/qemu/+bug/1490611) for QEMU version 2.2.1 and some later versions that results in an improperly formatted VHD. The issue was fixed in QEMU 2.6. We recommend using version 2.2.0 or earlier, or using version 2.6 or later. ++1. Resizing the VHD directly by using tools such as `qemu-img` or `vbox-manage` might result in an unbootable VHD. We recommend first converting the VHD to a raw disk image by using the following code. ++ If the VM image was created as a raw disk image, you can skip this step. Creating the VM image as a raw disk image is the default in some hypervisors, such as KVM. -1. Resizing the VHD directly using tools such as `qemu-img` or `vbox-manage` may result in an unbootable VHD. We recommend first converting the VHD to a RAW disk image. If the VM image was created as a RAW disk image (the default for some hypervisors such as KVM), then you may skip this step. - ```bash sudo qemu-img convert -f vpc -O raw MyLinuxVM.vhd MyLinuxVM.raw ``` -2. Calculate the required size of the disk image so that the virtual size is aligned to 1 MB. 
The following bash shell script uses `qemu-img info` to determine the virtual size of the disk image, and then calculates the size to the next 1 MB. +2. Calculate the required size of the disk image so that the virtual size is aligned to 1 MB. The following Bash shell script uses `qemu-img info` to determine the virtual size of the disk image, and then calculates the size to the next 1 MB: ```bash rawdisk="MyLinuxVM.raw" In this case, resize the VM using either the Hyper-V Manager console or the [Res echo "Rounded Size = $rounded_size" ``` -3. Resize the raw disk using `$rounded_size` as set above. +3. Resize the raw disk by using `$rounded_size`: ```bash sudo qemu-img resize MyLinuxVM.raw $rounded_size ``` -4. Now, convert the RAW disk back to a fixed-size VHD. +4. Convert the raw disk back to a fixed-size VHD: ```bash sudo qemu-img convert -f raw -o subformat=fixed,force_size -O vpc MyLinuxVM.raw MyLinuxVM.vhd ``` - Or, with qemu versions before 2.6, remove the `force_size` option. + Or, with QEMU versions before 2.6, remove the `force_size` option: ```bash sudo qemu-img convert -f raw -o subformat=fixed -O vpc MyLinuxVM.raw MyLinuxVM.vhd ``` -## Linux Kernel Requirements +## Linux kernel requirements -The Linux Integration Services (LIS) drivers for Hyper-V and Azure are contributed directly to the upstream Linux kernel. Many distributions that include a recent Linux kernel version (such as 3.x) have these drivers available already, or otherwise provide backported versions of these drivers with their kernels. These drivers are constantly being updated in the upstream kernel with new fixes and features, so when possible, we recommend running an [endorsed distribution](endorsed-distros.md) that includes these fixes and updates. +The Linux Integration Services (LIS) drivers for Hyper-V and Azure are contributed directly to the upstream Linux kernel. 
Many distributions that include a recent Linux kernel version (such as 3.x) have these drivers available already, or otherwise provide backported versions of these drivers with their kernels. -If you're running a variant of Red Hat Enterprise Linux versions 6.0 to 6.3, then you'll need to install the [latest LIS drivers for Hyper-V](https://go.microsoft.com/fwlink/p/?LinkID=254263&clcid=0x409). Beginning with RHEL 6.4+ (and derivatives), the LIS drivers are already included with the kernel so no additional installation packages are needed. +LIS drivers are constantly being updated in the upstream kernel with new fixes and features. When possible, we recommend running an [endorsed distribution](endorsed-distros.md) that includes these fixes and updates. -If a custom kernel is required, we recommend a recent kernel version (such as 3.8+). For distributions or vendors who maintain their own kernel, you'll need to regularly backport the LIS drivers from the upstream kernel to your custom kernel. Even if you're already running a relatively recent kernel version, we highly recommend keeping track of any upstream fixes in the LIS drivers and backporting them as needed. The locations of the LIS driver source files are specified in the [MAINTAINERS](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS) file in the Linux kernel source tree: -``` +If you're running a variant of RHEL versions 6.0 to 6.3, you need to install the [latest LIS drivers for Hyper-V](https://go.microsoft.com/fwlink/p/?LinkID=254263&clcid=0x409). Beginning with RHEL 6.4+ (and derivatives), the LIS drivers are already included with the kernel, so you don't need additional installation packages. ++If a custom kernel is required, we recommend a recent kernel version (such as 3.8+). For distributions or vendors that maintain their own kernel, you need to regularly backport the LIS drivers from the upstream kernel to your custom kernel. 
++Even if you're already running a relatively recent kernel version, we highly recommend keeping track of any upstream fixes in the LIS drivers and backporting them as needed. The locations of the LIS driver source files are specified in the [MAINTAINERS](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS) file in the Linux kernel source tree: ++```config F: arch/x86/include/asm/mshyperv.h F: arch/x86/include/uapi/asm/hyperv.h F: arch/x86/kernel/cpu/mshyperv.c If a custom kernel is required, we recommend a recent kernel version (such as 3. F: include/linux/hyperv.h F: tools/hv/ ```-The following patches must be included in the kernel. This list can't be complete for all distributions. ++The VM's active kernel must include the following patches. This list can't be complete for all distributions. * [ata_piix: defer disks to the Hyper-V drivers by default](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/ata/ata_piix.c?id=cd006086fa5d91414d8ff9ff2b78fbb593878e3c) * [storvsc: Account for in-transit packets in the RESET path](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/scsi/storvsc_drv.c?id=5c1b10ab7f93d24f29b5630286e323d1c5802d5c) The following patches must be included in the kernel. This list can't be complet * [storvsc: ring buffer failures may result in I/O freeze](https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/drivers/scsi/storvsc_drv.c?id=e86fb5e8ab95f10ec5f2e9430119d5d35020c951) * [scsi_sysfs: protect against double execution of __scsi_remove_device](https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/drivers/scsi/scsi_sysfs.c?id=be821fd8e62765de43cc4f0e2db363d0e30a7e9b) -## The Azure Linux Agent -The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Linux virtual machine in Azure. 
You can get the latest version, file issues, or submit pull requests at the [Linux Agent GitHub repo](https://github.com/Azure/WALinuxAgent). +## Azure Linux Agent ++The [Azure Linux Agent](../extensions/agent-linux.md) (`waagent`) provisions a Linux virtual machine in Azure. You can get the latest version, report problems, or submit pull requests at the [Linux Agent GitHub repo](https://github.com/Azure/WALinuxAgent). -* The Linux agent is released under the Apache 2.0 license. Many distributions already provide RPM or .deb packages for the agent, and these packages can easily be installed and updated. +Here are some considerations for using the Azure Linux Agent: ++* The Linux agent is released under the Apache 2.0 license. Many distributions already provide .rpm or .deb packages for the agent. You can easily install and update these packages. * The Azure Linux Agent requires Python v2.6+.-* The agent also requires the python-pyasn1 module. Most distributions provide this module as a separate package to be installed. -* In some cases, the Azure Linux Agent may not be compatible with NetworkManager. Many of the RPM/deb packages provided by distributions configure NetworkManager as a conflict to the waagent package. In these cases, it will uninstall NetworkManager when you install the Linux agent package. +* The agent also requires the `python-pyasn1` module. Most distributions provide this module as a separate package to be installed. +* In some cases, the Azure Linux Agent might not be compatible with NetworkManager. Many of the packages (.rpm or .deb) provided by distributions configure NetworkManager as a conflict to the `waagent` package. In these cases, the agent will uninstall NetworkManager when you install the Linux agent package. * The Azure Linux Agent must be at or above the [minimum supported version](https://support.microsoft.com/en-us/help/4049215/extensions-and-virtual-machine-agent-minimum-version-support). 
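Review bot: The reworded NetworkManager bullet now states "the agent will uninstall NetworkManager when you install the Linux agent package", which misattributes the behaviour: the distribution package declares a Conflicts on NetworkManager, so the package manager removes NetworkManager as part of the install transaction, and with `yum -y` or `apt -y` it does so without prompting. Suggest "installing the agent package removes NetworkManager, which can drop the image's existing network configuration". The "requires Python v2.6+" and "requires the `python-pyasn1` module" bullets are unchanged context, but while this section is being edited they are worth re-checking against the README in the linked WALinuxAgent repo, since Python 2 is end of life and the agent's runtime requirements have changed since those lines were written.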
> [!NOTE]-> Make sure **'udf'** and **'vfat'** modules are enabled. Disabling the UDF module will cause a provisioning failure. Disabling the VFAT module will cause both provisioning and boot failures. Cloud-init >= 21.2 can provision VMs without requiring UDF if: 1) the VM was created using SSH public keys and not password and 2) no custom data was provided. --> +> Make sure the `udf` and `vfat` modules are enabled. Disabling the `udf` module will cause a provisioning failure. Disabling the `vfat` module will cause both provisioning and boot failures. Cloud-init version 21.2 or later can provision VMs without requiring UDF if both of these conditions exist: +> +> * You created the VM by using SSH public keys and not passwords. +> * You didn't provide any custom data. -## General Linux System Requirements +## General Linux system requirements 1. Modify the kernel boot line in GRUB or GRUB2 to include the following parameters, so that all console messages are sent to the first serial port. These messages can assist Azure support with debugging any issues.- ```config ++ ```config GRUB_CMDLINE_LINUX="rootdelay=300 console=ttyS0 earlyprintk=ttyS0 net.ifnames=0" ```- We also recommend *removing* the following parameters if they exist. ++ We also recommend *removing* the following parameters if they exist: + ```config rhgb quiet crashkernel=auto ```- Graphical and quiet boot isn't useful in a cloud environment, where we want all logs sent to the serial port. The `crashkernel` option may be left configured if needed but note that this parameter reduces the amount of available memory in the VM by at least 128 MB, which may be problematic for smaller VM sizes. -2. After you are done editing /etc/default/grub, run the following command to rebuild the grub configuration: + Graphical and quiet boot aren't useful in a cloud environment, where you want all logs sent to the serial port. 
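Review bot: Step 1 tells readers that `console=ttyS0 earlyprintk=ttyS0` sends all console messages to the serial port so Azure support can debug, but not that on Azure that serial stream is captured by boot diagnostics and is readable by anyone with access to the VM's boot diagnostics; a sentence warning image builders not to log secrets to the console belongs here. Step 2's `sudo grub2-mkconfig -o /boot/grub2/grub.cfg` is the RHEL/SUSE BIOS invocation; on Debian and Ubuntu the command is `update-grub` (which this same diff uses in the mkinitramfs step below) and on UEFI installs the output path differs, so state which distribution family the command applies to. The expanded udf/vfat note with its two explicit cloud-init conditions is an improvement over the old run-on sentence.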
You can leave the `crashkernel` option configured if needed, but this parameter reduces the amount of available memory in the VM by at least 128 MB. Reducing available memory might be problematic for smaller VM sizes. ++2. After you finish editing */etc/default/grub*, run the following command to rebuild the GRUB configuration: + ```bash sudo grub2-mkconfig -o /boot/grub2/grub.cfg ```-3. Add Hyper-V modules both initrd and initramfs instructions using `dracut` or `mkinitramfs`. - **Initramfs** +3. Add the Hyper-V module for initramfs by using `dracut`: ```bash cd /boot The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Lin sudo grub2-mkconfig -o /boot/grub2/grub.cfg ``` - **Initrd** + Add the Hyper-V module for initrd by using `mkinitramfs`: ```bash cd /boot The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Lin sudo mkinitramfs -o initrd.img-<kernel-version> <kernel-version> --with=hv_vmbus,hv_netvsc,hv_storvsc sudo update-grub ```+ 4. Ensure that the SSH server is installed and configured to start at boot time. This configuration is usually the default. 5. Install the Azure Linux Agent.- The Azure Linux Agent is required for provisioning a Linux image on Azure. Many distributions provide the agent as an RPM or .deb package (the package is typically called WALinuxAgent or walinuxagent). The agent can also be installed manually by following the steps in the [Linux Agent Guide](../extensions/agent-linux.md). - ++ The Azure Linux Agent is required for provisioning a Linux image on Azure. Many distributions provide the agent as an .rpm or .deb package. The package is typically called `WALinuxAgent` or `walinuxagent`. You can also install the agent manually by following the steps in the [Azure Linux Agent guide](../extensions/agent-linux.md). + > [!NOTE]- > Make sure 'udf' and 'vfat' modules are enabled. Removing/disabling them will cause a provisioning/boot failure. **(_Cloud-init >= 21.2 removes the udf requirement. 
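Review bot: The duplicate udf/vfat note under step 5 now says "Cloud-init version 21.2 or later removes the UDF requirement" with no conditions, which contradicts the top-of-page note that requires both SSH-key provisioning and no custom data; either repeat the two conditions or replace the whole note with a pointer to the earlier one. In step 3, the mkinitramfs line relies on `--with=hv_vmbus,hv_netvsc,hv_storvsc`; the documented way to force modules into a Debian/Ubuntu initramfs is to list them in `/etc/initramfs-tools/modules` and run `update-initramfs -u`, so confirm `--with` is accepted by the initramfs-tools version the doc targets and, either way, add a check such as `lsinitramfs /boot/initrd.img-<kernel-version> | grep hv_` so the reader can verify the modules are present before uploading the image.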
Please read top of document for more detail)** + > Make sure the `udf` and `vfat` modules are enabled. Removing or disabling them will cause a provisioning or boot failure. Cloud-init version 21.2 or later removes the UDF requirement. - - Install the Azure Linux Agent, cloud-init and other necessary utilities by running the following command: + Install the Azure Linux Agent, cloud-init, and other necessary utilities by running one of the following commands. ++ Use this command for Red Hat or CentOS: - **Red Hat/Centos** ```bash sudo yum install -y WALinuxAgent cloud-init cloud-utils-growpart gdisk hyperv-daemons ```- **Ubuntu/Debian** ++ Use this command for Ubuntu/Debian: + ```bash sudo apt install walinuxagent cloud-init cloud-utils-growpart gdisk hyperv-daemons ```- **SUSE** ++ Use this command for SUSE: + ```bash sudo zypper install python-azure-agent cloud-init cloud-utils-growpart gdisk hyperv-daemons ```- Then enable the agent and cloud-init on all distributions using: ++ Then enable the agent and cloud-init on all distributions: + ```bash sudo systemctl enable waagent.service sudo systemctl enable cloud-init.service ``` -6. Swap: Do not create swap space on the OS disk. +6. Don't create swap space on the OS disk. - The Azure Linux Agent or Cloud-init can be used to configure swap space using the local resource disk. This resource disk is attached to the VM after provisioning on Azure. The local resource disk is a temporary disk and might be emptied when the VM is deprovisioned. The following blocks show how to configure this swap. + You can use the Azure Linux Agent or cloud-init to configure swap space via the local resource disk. This resource disk is attached to the VM after provisioning on Azure. The local resource disk is a temporary disk and might be emptied when the VM is deprovisioned. The following blocks show how to configure this swap. 
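Review bot: Step 6 now says "Don't create swap space on the OS disk" without saying why, and the reason is a security one as much as a performance one: the OS disk is persistent and ends up in every snapshot and captured VHD, so swap there can carry paged-out memory from the build VM (credentials included) into the generalized image, whereas the resource disk is local and, as the next paragraph says, emptied on deprovision. One sentence to that effect would make the rule stick. In step 5, the package commands install whatever agent version the distribution repo carries, and the previous section requires a minimum supported version, so a `waagent --version` check after `sudo systemctl enable waagent.service` would close that gap; also the `apt install` line lacks the `-y` that the `yum install` line has, so the two are not equivalent for unattended builds.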
- Azure Linux Agent - Modify the following parameters in /etc/waagent.conf + If you choose Azure Linux Agent, modify the following parameters in */etc/waagent.conf*: ```config ResourceDisk.Format=y The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Lin ResourceDisk.SwapSizeMB=2048 ## NOTE: Set this to your desired size. ``` - Cloud-init - Configure cloud-init to handle the provisioning: - + If you choose cloud-init, configure cloud-init to handle the provisioning: + ```bash sudo sed -i 's/Provisioning.Agent=auto/Provisioning.Agent=cloud-auto/g' /etc/waagent.conf sudo sed -i 's/ResourceDisk.Format=y/ResourceDisk.Format=n/g' /etc/waagent.conf sudo sed -i 's/ResourceDisk.EnableSwap=y/ResourceDisk.EnableSwap=n/g' /etc/waagent.conf ``` - Configure Cloud-init to create swap. -- To format and create swap you have 2 options either: + To configure cloud-init to format and create swap space, you have two options: - 1. Pass this in as a cloud-init config every time you create a VM through `customdata`. This is the recommended method. + * Pass in a cloud-init configuration every time you create a VM through `customdata`. We recommend this method. + * Use a cloud-init directive in the image to configure swap space every time the VM is created. - 2. Use a cloud-init directive baked into the image that will do this every time the VM is created. -- Create cfg file to configure swap using Cloud-init: + Create a .cfg file to configure swap space by using cloud-init: ```bash sudo echo 'DefaultEnvironment="CLOUD_CFG=/etc/cloud/cloud.cfg.d/00-azure-swap.cfg"' >> /etc/systemd/system.conf The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Lin - ["ephemeral0.2", "none", "swap", "sw,nofail,x-systemd.requires=cloud-init.service,x-systemd.device-timeout=2", "0", "0"] EOF ```- -7. Configure cloud-init to handle the provisioning: - 1. Configure waagent for cloud-init: +7. Configure cloud-init to handle the provisioning: + 1. 
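Review bot: Step 6's cloud-init branch sets `Provisioning.Agent=cloud-auto` while step 7 below sets `Provisioning.Agent=cloud-init` for the same purpose; only one of these can be the value waagent.conf accepts, so pick it and use it in both places. Every `sudo echo '...' >> /etc/systemd/system.conf` and `sudo cat > /etc/cloud/cloud.cfg.d/... <<EOF` in this block elevates only `echo` or `cat`; the redirection is performed by the caller's shell and fails with "Permission denied" on a root-owned file. Use `echo '...' | sudo tee -a /etc/systemd/system.conf` and `sudo tee /etc/cloud/cloud.cfg.d/00-azure-swap.cfg <<EOF`, or say the block is to be run in a root shell. The text also names passing the swap configuration through `customdata` as the recommended option but shows only the baked-in .cfg; either add the customdata form or say the .cfg is the second option.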
Configure `waagent` for cloud-init: + ```bash sudo sed -i 's/Provisioning.Agent=auto/Provisioning.Agent=cloud-init/g' /etc/waagent.conf sudo sed -i 's/ResourceDisk.Format=y/ResourceDisk.Format=n/g' /etc/waagent.conf sudo sed -i 's/ResourceDisk.EnableSwap=y/ResourceDisk.EnableSwap=n/g' /etc/waagent.conf ```- If you are migrating a specific virtual machine and do not wish to create a generalized image, set `Provisioning.Agent=disabled` in the `/etc/waagent.conf` config. ++ If you're migrating a specific virtual machine and don't want to create a generalized image, set `Provisioning.Agent=disabled` in the */etc/waagent.conf* configuration. 1. Configure mounts:+ ```bash sudo echo "Adding mounts and disk_setup to init stage" sudo sed -i '/ - mounts/d' /etc/cloud/cloud.cfg sudo sed -i '/ - disk_setup/d' /etc/cloud/cloud.cfg sudo sed -i '/cloud_init_modules/a\\ - mounts' /etc/cloud/cloud.cfg sudo sed -i '/cloud_init_modules/a\\ - disk_setup' /etc/cloud/cloud.cfg- 1. Configure Azure datasource: ++ 1. Configure the Azure data source: + ```bash sudo echo "Allow only Azure datasource, disable fetching network setting via IMDS" sudo cat > /etc/cloud/cloud.cfg.d/91-azure_datasource.cfg <<EOF The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Lin apply_network_config: False EOF ```- 1. If configured, remove existing swapfile: ++ 1. Remove the existing swap file if you configured one: + ```bash if [[ -f /mnt/resource/swapfile ]]; then- echo "Removing swapfile" #RHEL uses a swapfile by defaul + echo "Removing swapfile" #RHEL uses a swap file by default swapoff /mnt/resource/swapfile rm /mnt/resource/swapfile -f fi ```- 1. Configure cloud-init logging: - ```bash - sudo echo "Add console log file" - sudo cat >> /etc/cloud/cloud.cfg.d/05_logging.cfg <<EOF -- # This tells cloud-init to redirect its stdout and stderr to - # 'tee -a /var/log/cloud-init-output.log' so the user can see output - # there without needing to look on the console. 
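Review bot: In step 7's "Remove the existing swap file" block, `swapoff /mnt/resource/swapfile` and `rm /mnt/resource/swapfile -f` run without `sudo`, unlike every other command in the procedure, so in the non-root shell the rest of the doc assumes both fail with "Operation not permitted" and the swap file stays active; prefix both with `sudo` or note that the block is for a root shell. The `sudo cat > /etc/cloud/cloud.cfg.d/91-azure_datasource.cfg <<EOF` and `sudo cat >> /etc/cloud/cloud.cfg.d/05_logging.cfg <<EOF` lines have the same redirection problem as step 6 and should use `sudo tee`. Finally, `apply_network_config: False` is the right choice for a generalized image, but the only explanation of it is the echo string inside the block; a sentence saying it stops cloud-init from applying IMDS-provided network settings would let a reader decide whether it fits their image.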
- output: {all: '| tee -a /var/log/cloud-init-output.log'} - EOF - ``` -- -8. Deprovision. ++ 1. Configure cloud-init logging: ++ ```bash + sudo echo "Add console log file" + sudo cat >> /etc/cloud/cloud.cfg.d/05_logging.cfg <<EOF ++ # This tells cloud-init to redirect its stdout and stderr to + # 'tee -a /var/log/cloud-init-output.log' so the user can see output + # there without needing to look on the console. + output: {all: '| tee -a /var/log/cloud-init-output.log'} + EOF + ``` ++8. Run the following commands to deprovision the virtual machine. + > [!CAUTION]- > If you are migrating a specific virtual machine and do not wish to create a generalized image, skip the deprovision step. Running the command waagent -force -deprovision+user will render the source machine unusable. This step is intended only to create a generalized image. + > If you're migrating a specific virtual machine and don't want to create a generalized image, skip the deprovisioning step. Running the command `waagent -force -deprovision+user` will render the source machine unusable. This step is intended only to create a generalized image. - Run the following commands to deprovision the virtual machine. - ```bash sudo rm -f /var/log/waagent.log sudo cloud-init clean The [Azure Linux Agent](../extensions/agent-linux.md) `waagent` provisions a Lin sudo rm -f ~/.bash_history sudo export HISTSIZE=0 ``` - - > [!NOTE] - > On Virtualbox you may see the following error after running `waagent -force -deprovision` that says `[Errno 5] Input/output error`. This error message is not critical and can be ignored. ++ On VirtualBox, you might see an error message after you run `waagent -force -deprovision` that says `[Errno 5] Input/output error`. This error message is not critical, and you can ignore it. 9. Shut down the virtual machine and upload the VHD to Azure. -## Next Steps -[Create a Linux VM from a custom disk with the Azure CLI](upload-vhd.md). 
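Review bot: In step 8's deprovision block, `sudo export HISTSIZE=0` cannot work: `export` is a shell builtin, not a program, so sudo fails with "command not found" and the setting is never applied. `sudo rm -f ~/.bash_history` has a related problem: `~` is expanded by the invoking user's shell before sudo runs, so it deletes that user's history, not `/root/.bash_history`, unless the `waagent -force -deprovision+user` command named in the caution removes it. For a generalized image, run `export HISTSIZE=0` and `history -c` in the current shell without sudo and remove `/root/.bash_history` explicitly; otherwise command history from the build, which often contains secrets, ships in the VHD. Moving the CAUTION above the command block is the right order, since the deprovision is destructive.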
+## Next steps ++[Create a Linux VM from a custom disk by using the Azure CLI](upload-vhd.md) |
virtual-machines | Disk Encryption Isolated Network | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-isolated-network.md | When packages are installed manually, they must also be manually upgraded as new ## Network security groups Any network security group settings that are applied must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption. See [Azure Disk Encryption: Networking requirements](disk-encryption-overview.md#networking-requirements) -## Azure Disk Encryption with Azure AD (previous version) +<a name='azure-disk-encryption-with-azure-ad-previous-version'></a> -If using [Azure Disk Encryption with Azure AD (previous version)](disk-encryption-overview-aad.md), the [Microsoft Authentication Library](../../active-directory/develop/msal-overview.md) will need to be installed manually for all distros (in addition to the [packages appropriate for the distro](#package-management)). +## Azure Disk Encryption with Microsoft Entra ID (previous version) -When encryption is being enabled with [Azure AD credentials](disk-encryption-linux-aad.md), the target VM must allow connectivity to both Azure Active Directory endpoints and Key Vault endpoints. Current Azure Active Directory authentication endpoints are maintained in sections 56 and 59 of the [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) documentation. Key Vault instructions are provided in the documentation on how to [Access Azure Key Vault behind a firewall](../../key-vault/general/access-behind-firewall.md). +If using [Azure Disk Encryption with Microsoft Entra ID (previous version)](disk-encryption-overview-aad.md), the [Microsoft Authentication Library](../../active-directory/develop/msal-overview.md) will need to be installed manually for all distros (in addition to the [packages appropriate for the distro](#package-management)). 
++When encryption is being enabled with [Microsoft Entra credentials](disk-encryption-linux-aad.md), the target VM must allow connectivity to both Microsoft Entra endpoints and Key Vault endpoints. Current Microsoft Entra authentication endpoints are maintained in sections 56 and 59 of the [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) documentation. Key Vault instructions are provided in the documentation on how to [Access Azure Key Vault behind a firewall](../../key-vault/general/access-behind-firewall.md). ### Azure Instance Metadata Service |
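Review bot: The added `<a name='azure-disk-encryption-with-azure-ad-previous-version'></a>` anchor keeps existing deep links to the renamed heading working; good. Two details carried over unchanged are worth fixing in the same edit: "sections 56 and 59 of the Microsoft 365 URLs and IP address ranges" is a row-number reference that silently breaks whenever that list is re-ordered, so name the endpoint category instead; and "the Microsoft Authentication Library will need to be installed manually" should name the package and how to verify that it imports, because on an isolated network a missing library is the first failure mode the reader hits.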
virtual-machines | Disk Encryption Key Vault Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-key-vault-aad.md | Title: Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release) + Title: Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release) description: This article provides prerequisites for using Microsoft Azure Disk Encryption for Linux VMs. -# Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release) for Linux VMs +# Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release) for Linux VMs **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets -**The new release of Azure Disk Encryption eliminates the requirement for providing an Azure AD application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters using the new release. To view instructions to enable VM disk encryption using the new release, see [Azure Disk Encryption](disk-encryption-overview.md). VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax.** +**The new release of Azure Disk Encryption eliminates the requirement for providing a Microsoft Entra application parameter to enable VM disk encryption. With the new release, you are no longer required to provide Microsoft Entra credentials during the enable encryption step. All new VMs must be encrypted without the Microsoft Entra application parameters using the new release. To view instructions to enable VM disk encryption using the new release, see [Azure Disk Encryption](disk-encryption-overview.md). 
VMs that were already encrypted with Microsoft Entra application parameters are still supported and should continue to be maintained with the Microsoft Entra syntax.** Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. For more information about key vaults, see [Get started with Azure Key Vault](../../key-vault/general/overview.md) and [Secure your key vault](../../key-vault/general/security-features.md). -Creating and configuring a key vault for use with Azure Disk Encryption with Azure AD (previous release) involves three steps: +Creating and configuring a key vault for use with Azure Disk Encryption with Microsoft Entra ID (previous release) involves three steps: 1. Create a key vault.-2. Set up an Azure AD application and service principal. -3. Set the key vault access policy for the Azure AD app. +2. Set up a Microsoft Entra application and service principal. +3. Set the key vault access policy for the Microsoft Entra app. 4. Set key vault advanced access policies. You may also, if you wish, generate or import a key encryption key (KEK). You can create a key vault by using the [Resource Manager template](https://gith 2. Select the subscription, resource group, resource group location, Key Vault name, Object ID, legal terms, and agreement, and then select **Purchase**. -## <a name="bkmk_ADapp"></a> Set up an Azure AD app and service principal -When you need encryption to be enabled on a running VM in Azure, Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Azure AD authentication](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md). 
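Review bot: The intro still says creating and configuring the key vault "involves three steps", but the list beneath it has four numbered steps (the fourth, "Set key vault advanced access policies", was evidently added later); update the count. The Azure AD to Microsoft Entra rename is applied consistently through this hunk.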
+## <a name="bkmk_ADapp"></a> Set up a Microsoft Entra app and service principal +When you need encryption to be enabled on a running VM in Azure, Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Microsoft Entra authentication. Create a Microsoft Entra application for this purpose. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Microsoft Entra authentication](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md). -### <a name="bkmk_ADappPSH"></a> Set up an Azure AD app and service principal with Azure PowerShell +### <a name="bkmk_ADappPSH"></a> Set up a Microsoft Entra app and service principal with Azure PowerShell To execute the following commands, get and use the [Azure AD PowerShell module](/powershell/azure/active-directory/install-adv2). -1. Use the [New-AzADApplication](/powershell/module/az.resources/new-azadapplication) PowerShell cmdlet to create an Azure AD application. MyApplicationHomePage and the MyApplicationUri can be any values you wish. +1. Use the [New-AzADApplication](/powershell/module/az.resources/new-azadapplication) PowerShell cmdlet to create a Microsoft Entra application. MyApplicationHomePage and the MyApplicationUri can be any values you wish. ```azurepowershell $aadClientSecret = "My AAD client secret" To execute the following commands, get and use the [Azure AD PowerShell module]( $servicePrincipal = New-AzADServicePrincipal ΓÇôApplicationId $azureAdApplication.ApplicationId -Role Contributor ``` -3. The $azureAdApplication.ApplicationId is the Azure AD ClientID and the $aadClientSecret is the client secret that you'll use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. Running `$azureAdApplication.ApplicationId` will show you the ApplicationID. +3. 
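Review bot: The PowerShell steps create the service principal with `-Role Contributor`, which grants subscription-wide write access to an identity whose only job, per the access-policy section of this same page, is WrapKey and Set on one vault; drop the `-Role` parameter (or scope a narrower role to the vault's resource group) so that a leaked client secret cannot modify arbitrary resources. Two smaller points in the same hunk: `$aadClientSecret = "My AAD client secret"` models putting the secret in a script literal, and therefore in shell history and transcripts, so read it with `Read-Host -AsSecureString` or from a vault instead; and the parameter prefix in `New-AzADServicePrincipal ΓÇôApplicationId` is an en dash rather than an ASCII hyphen, which PowerShell tolerates but copy-pasting into other shells or docs will not.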
The $azureAdApplication.ApplicationId is the Microsoft Entra ClientID and the $aadClientSecret is the client secret that you'll use later to enable Azure Disk Encryption. Safeguard the Microsoft Entra client secret appropriately. Running `$azureAdApplication.ApplicationId` will show you the ApplicationID. -### <a name="bkmk_ADappCLI"></a> Set up an Azure AD app and service principal with Azure CLI +### <a name="bkmk_ADappCLI"></a> Set up a Microsoft Entra app and service principal with Azure CLI You can manage your service principals with Azure CLI using the [az ad sp](/cli/azure/ad/sp) commands. For more information, see [Create an Azure service principal](/cli/azure/create-an-azure-service-principal-azure-cli). You can manage your service principals with Azure CLI using the [az ad sp](/cli/ ```azurecli-interactive az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret" --role Contributor --scopes /subscriptions/<subscription_id> ```-3. The appId returned is the Azure AD ClientID used in other commands. It's also the SPN you'll use for az keyvault set-policy. The password is the client secret that you should use later to enable Azure Disk Encryption. Safeguard the Azure AD client secret appropriately. +3. The appId returned is the Microsoft Entra ClientID used in other commands. It's also the SPN you'll use for az keyvault set-policy. The password is the client secret that you should use later to enable Azure Disk Encryption. Safeguard the Microsoft Entra client secret appropriately. -### <a name="bkmk_ADappRM"></a> Set up an Azure AD app and service principal through the Azure portal -Use the steps from the [Use portal to create an Azure Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md) article to create an Azure AD application. Each step listed below will take you directly to the article section to complete. 
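Review bot: The CLI step's `az ad sp create-for-rbac --name "ServicePrincipalName" --password "My-AAD-client-secret" --role Contributor --scopes /subscriptions/<subscription_id>` has the same over-privilege as the PowerShell path (Contributor on the whole subscription for an identity that only needs vault wrapKey and set permissions) and additionally supplies the secret on the command line, where it lands in shell history. Current Azure CLI versions no longer accept `--password` on this command and generate the secret themselves, so verify the flag against the CLI version the doc targets and, if the example is kept, omit `--role` and `--scopes` or scope them to the vault's resource group.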
+### <a name="bkmk_ADappRM"></a> Set up a Microsoft Entra app and service principal through the Azure portal +Use the steps from the [Use portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md) article to create a Microsoft Entra application. Each step listed below will take you directly to the article section to complete. 1. [Verify required permissions](../../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app)-2. [Create an Azure Active Directory application](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) +2. [Create a Microsoft Entra application](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) - You can use any name and sign-on URL you would like when creating the application. 3. [Get the application ID and the authentication key](../../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application). - The authentication key is the client secret and is used as the AadClientSecret for Set-AzVMDiskEncryptionExtension.- - The authentication key is used by the application as a credential to sign in to Azure AD. In the Azure portal, this secret is called keys, but has no relation to key vaults. Secure this secret appropriately. + - The authentication key is used by the application as a credential to sign in to Microsoft Entra ID. In the Azure portal, this secret is called keys, but has no relation to key vaults. Secure this secret appropriately. - The application ID will be used later as the AadClientId for Set-AzVMDiskEncryptionExtension and as the ServicePrincipalName for Set-AzKeyVaultAccessPolicy. 
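Review bot: The portal steps still say "In the Azure portal, this secret is called keys, but has no relation to key vaults"; the portal has called these client secrets, created under Certificates & secrets, for years, so the sentence now confuses rather than clarifies. Suggest "In the portal this is created under Certificates & secrets as a client secret; it is unrelated to Key Vault keys." The instruction to record the application ID for both AadClientId and ServicePrincipalName is correct and worth keeping.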
-## <a name="bkmk_KVAP"></a> Set the key vault access policy for the Azure AD app -To write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Azure Active Directory application that has permissions to write secrets to the Key Vault. +## <a name="bkmk_KVAP"></a> Set the key vault access policy for the Microsoft Entra app +To write encryption secrets to a specified Key Vault, Azure Disk Encryption needs the Client ID and the Client Secret of the Microsoft Entra application that has permissions to write secrets to the Key Vault. > [!NOTE]-> Azure Disk Encryption requires you to configure the following access policies to your Azure AD client application: _WrapKey_ and _Set_ permissions. +> Azure Disk Encryption requires you to configure the following access policies to your Microsoft Entra client application: _WrapKey_ and _Set_ permissions. -### <a name="bkmk_KVAPPSH"></a> Set the key vault access policy for the Azure AD app with Azure PowerShell -Your Azure AD application needs rights to access the keys or secrets in the vault. Use the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) cmdlet to grant permissions to the application, using the client ID (which was generated when the application was registered) as the _ΓÇôServicePrincipalName_ parameter value. To learn more, see the blog post [Azure Key Vault - Step by Step](/archive/blogs/kv/azure-key-vault-step-by-step). +### <a name="bkmk_KVAPPSH"></a> Set the key vault access policy for the Microsoft Entra app with Azure PowerShell +Your Microsoft Entra application needs rights to access the keys or secrets in the vault. Use the [Set-AzKeyVaultAccessPolicy](/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy) cmdlet to grant permissions to the application, using the client ID (which was generated when the application was registered) as the _ΓÇôServicePrincipalName_ parameter value. 
To learn more, see the blog post [Azure Key Vault - Step by Step](/archive/blogs/kv/azure-key-vault-step-by-step). 1. Set the key vault access policy for the AD application with PowerShell. Your Azure AD application needs rights to access the keys or secrets in the vaul Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $KVRGname ``` -### <a name="bkmk_KVAPCLI"></a> Set the key vault access policy for the Azure AD app with Azure CLI +### <a name="bkmk_KVAPCLI"></a> Set the key vault access policy for the Microsoft Entra app with Azure CLI Use [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy) to set the access policy. For more information, see [Manage Key Vault using CLI 2.0](../../key-vault/general/manage-with-cli2.md#authorizing-an-application-to-use-a-key-or-secret). Give the service principal you created via the Azure CLI access to get secrets and wrap keys with the following command: Give the service principal you created via the Azure CLI access to get secrets a az keyvault set-policy --name "MySecureVault" --spn "<spn created with CLI/the Azure AD ClientID>" --key-permissions wrapKey --secret-permissions set ``` -### <a name="bkmk_KVAPRM"></a> Set the key vault access policy for the Azure AD app with the portal +### <a name="bkmk_KVAPRM"></a> Set the key vault access policy for the Microsoft Entra app with the portal 1. Open the resource group with your key vault. 2. Select your key vault, go to **Access Policies**, then select **Add new**.-3. Under **Select principal**, search for the Azure AD application you created and select it. +3. Under **Select principal**, search for the Microsoft Entra application you created and select it. 4. For **Key permissions**, check **Wrap Key** under **Cryptographic Operations**. 5. For **Secret permissions**, check **Set** under **Secret Management Operations**. 6. 
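Review bot: All three access-policy variants (`Set-AzKeyVaultAccessPolicy`, `az keyvault set-policy`, and the portal's Access Policies blade) assume the vault uses the legacy access-policy permission model; on a vault created with the Azure RBAC permission model these calls either fail or have no effect, and the equivalent is an Azure role assignment on the vault that grants the wrap-key and set-secret data actions. Add a sentence telling readers to check the vault's permission model first. The WrapKey plus Set scoping itself is the right least-privilege grant and should stay as the only Key Vault permissions given to the application.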
Select **OK** to save the access policy. Before using the PowerShell script, you should be familiar with the Azure Disk E $servicePrincipal = New-AzADServicePrincipal ΓÇôApplicationId $azureAdApplication.ApplicationId -Role Contributor; $aadClientID = $azureAdApplication.ApplicationId; - #Step 3: Enable the vault for disk encryption and set the access policy for the Azure AD application. + #Step 3: Enable the vault for disk encryption and set the access policy for the Microsoft Entra application. Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $KVRGname -EnabledForDiskEncryption; Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys 'WrapKey' -PermissionsToSecrets 'Set' -ResourceGroupName $KVRGname; If you would like to use certificate authentication, you can upload one to your $DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri $KeyVaultResourceId = $KeyVault.ResourceId - # Create the Azure AD application and associate the certificate with it. + # Create the Microsoft Entra application and associate the certificate with it. # Fill in "C:\certificates\mycert.pfx", "Password", "<My Application Display Name>", "<https://MyApplicationHomePage>", and "<https://MyApplicationUri>" with your values. 
# MyApplicationHomePage and the MyApplicationUri can be any values you wish If you would like to use certificate authentication, you can upload one to your $VM = Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl Update-AzVM -VM $VM -ResourceGroupName $VMRGName - #Enable encryption on the VM using Azure AD client ID and the client certificate thumbprint + #Enable encryption on the VM using Microsoft Entra client ID and the client certificate thumbprint Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGName -VMName $VMName -AadClientID $AADClientID -AadClientCertThumbprint $AADClientCertThumbprint -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId ``` If you would like to use certificate authentication, you can upload one to your If you would like to use certificate authentication and wrap the encryption key with a KEK, you can use the below script as an example. Before using the PowerShell script, you should be familiar with all of the previous Azure Disk Encryption prerequisites to understand the steps in the script. The sample script might need changes for your environment. > [!IMPORTANT]-> Azure AD certificate-based authentication is currently not supported on Linux VMs. +> Microsoft Entra certificate-based authentication is currently not supported on Linux VMs. ```powershell # Fill in 'MyKeyVaultResourceGroup', 'MySecureVault', and 'MyLocation' (if needed) If you would like to use certificate authentication and wrap the encryption key ## Next steps -[Enable Azure Disk Encryption with Azure AD on Linux VMs (previous release)](disk-encryption-linux-aad.md) +[Enable Azure Disk Encryption with Microsoft Entra ID on Linux VMs (previous release)](disk-encryption-linux-aad.md) |
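Review bot: The IMPORTANT note in this hunk says "Microsoft Entra certificate-based authentication is currently not supported on Linux VMs", yet this Linux page carries two certificate-authentication scripts, and `Add-AzVMSecret -VM $VM -SourceVaultId $SourceVaultId -CertificateStore "My" -CertificateUrl $CertUrl` targets a Windows certificate store; either remove those scripts from the Linux article or label them Windows-only at the top of each block. The scripts also repeat the `-Role Contributor` grant from the earlier steps, so the same least-privilege comment applies here.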
virtual-machines | Disk Encryption Key Vault | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-key-vault.md | Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption > [!WARNING]-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue use this option to encrypt your VM. See [Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)](disk-encryption-key-vault-aad.md) for details. +> - If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. See [Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-key-vault-aad.md) for details. Creating and configuring a key vault for use with Azure Disk Encryption involves three steps: |
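Review bot: The rewritten `+>` warning still reads "you must continue use this option"; since the rename already rewrites this sentence, fix it to "you must continue to use this option" in the same change.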
virtual-machines | Disk Encryption Linux Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-linux-aad.md | Title: Azure Disk Encryption with Azure AD App Linux IaaS VMs (previous release) + Title: Azure Disk Encryption with Microsoft Entra App Linux IaaS VMs (previous release) description: This article provides instructions on enabling Microsoft Azure Disk Encryption for Linux IaaS VMs. Last updated 01/04/2023 -# Enable Azure Disk Encryption with Azure AD on Linux VMs (previous release) +# Enable Azure Disk Encryption with Microsoft Entra ID on Linux VMs (previous release) **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets -The new release of Azure Disk Encryption eliminates the requirement for providing an Azure Active Directory (Azure AD) application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see [Azure Disk Encryption for Linux VMS](disk-encryption-linux.md). VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax. +The new release of Azure Disk Encryption eliminates the requirement for providing a Microsoft Entra application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Microsoft Entra credentials during the enable encryption step. All new VMs must be encrypted without the Microsoft Entra application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see [Azure Disk Encryption for Linux VMS](disk-encryption-linux.md). 
VMs that were already encrypted with Microsoft Entra application parameters are still supported and should continue to be maintained with the Microsoft Entra syntax. You can enable many disk-encryption scenarios, and the steps might vary according to the scenario. The following sections cover the scenarios in greater detail for Linux infrastructure as a service (IaaS) VMs. You can only apply disk encryption to virtual machines of [supported VM sizes and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems). You must also meet the following prerequisites: You can enable many disk-encryption scenarios, and the steps might vary accordin Take a [snapshot](snapshot-copy-managed-disk.md), make a backup, or both before you encrypt the disks. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. After a backup is made, you can use the Set-AzVMDiskEncryptionExtension cmdlet to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see [Azure Backup](../../backup/backup-azure-vms-encryption.md). >[!WARNING]- > - If you previously used [Azure Disk Encryption with the Azure AD app](disk-encryption-overview-aad.md) to encrypt this VM, you must continue to use this option to encrypt your VM. You can't use [Azure Disk Encryption](disk-encryption-overview.md) on this encrypted VM because this isn't a supported scenario, which means switching away from the Azure AD application for this encrypted VM isn't supported yet. + > - If you previously used [Azure Disk Encryption with the Microsoft Entra app](disk-encryption-overview-aad.md) to encrypt this VM, you must continue to use this option to encrypt your VM. 
You can't use [Azure Disk Encryption](disk-encryption-overview.md) on this encrypted VM because this isn't a supported scenario, which means switching away from the Microsoft Entra application for this encrypted VM isn't supported yet. > - To make sure the encryption secrets don't cross regional boundaries, Azure Disk Encryption needs the key vault and the VMs to be co-located in the same region. Create and use a key vault that's in the same region as the VM to be encrypted. > - When you encrypt Linux OS volumes, the process can take a few hours. It's normal for Linux OS volumes to take longer than data volumes to encrypt. > - When you encrypt Linux OS volumes, the VM should be considered unavailable. We strongly recommend that you avoid SSH logins while the encryption is in progress to avoid blocking any open files that need to be accessed during the encryption process. To check progress, use the [Get-AzVMDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) or [vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) commands. You can expect this process to take a few hours for a 30-GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time is proportional to the size and quantity of the data volumes unless the **encrypt format all** option is used. https://[keyvault-name].vault.azure.net/keys/[kekname]/[kek-unique-id]. ### <a name="bkmk_RunningLinuxPSH"> </a> Enable encryption on an existing or running Linux VM by using PowerShell Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) cmdlet to enable encryption on a running IaaS virtual machine in Azure. Take a [snapshot](snapshot-copy-managed-disk.md) or make a backup of the VM with [Azure Backup](../../backup/backup-azure-vms-encryption.md) before the disks are encrypted. The -skipVmBackup parameter is already specified in the PowerShell scripts to encrypt a running Linux VM. 
-- **Encrypt a running VM by using a client secret:** The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. Modify the -VolumeType parameter to specify which disks you're encrypting.+- **Encrypt a running VM by using a client secret:** The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Microsoft Entra app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. Modify the -VolumeType parameter to specify which disks you're encrypting. ```azurepowershell $VMRGName = 'MyVirtualMachineResourceGroup'; You can enable disk encryption on an existing or running IaaS Linux VM in Azure 2. Select the subscription, resource group, resource group location, parameters, legal terms, and agreement. Select **Create** to enable encryption on the existing or running IaaS VM. -The following table lists Resource Manager template parameters for existing or running VMs that use an Azure AD client ID: +The following table lists Resource Manager template parameters for existing or running VMs that use a Microsoft Entra client ID: | Parameter | Description | | | |-| AADClientID | Client ID of the Azure AD application that has permissions to write secrets to the key vault. | -| AADClientSecret | Client secret of the Azure AD application that has permissions to write secrets to your key vault. | +| AADClientID | Client ID of the Microsoft Entra application that has permissions to write secrets to the key vault. 
| +| AADClientSecret | Client secret of the Microsoft Entra application that has permissions to write secrets to your key vault. | | keyVaultName | Name of the key vault that the key should be uploaded to. You can get it by using the Azure CLI command `az keyvault show --name "MySecureVault" --query KVresourceGroup`. | | keyEncryptionKeyURL | URL of the key encryption key that's used to encrypt the generated key. This parameter is optional if you select **nokek** in the **UseExistingKek** drop-down list. If you select **kek** in the **UseExistingKek** drop-down list, you must enter the _keyEncryptionKeyURL_ value. | | volumeType | Type of volume that the encryption operation is performed on. Valid supported values are _OS_ or _All_. (See supported Linux distributions and their versions for OS and data disks in the prerequisites section earlier.) | To use the EncryptFormatAll option, use any preexisting Azure Resource Manager t ### <a name="bkmk_EFAPSH"> </a> Use the EncryptFormatAll parameter with a PowerShell cmdlet Use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) cmdlet with the EncryptFormatAll parameter. -**Encrypt a running VM by using a client secret and EncryptFormatAll:** As an example, the following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyKeyVaultResourceGroup, MyVirtualMachineResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. +**Encrypt a running VM by using a client secret and EncryptFormatAll:** As an example, the following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet with the EncryptFormatAll parameter. 
The resource group, VM, key vault, Microsoft Entra app, and client secret should have already been created as prerequisites. Replace MyKeyVaultResourceGroup, MyVirtualMachineResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. ```azurepowershell $KVRGname = 'MyKeyVaultResourceGroup'; In contrast to PowerShell syntax, the CLI doesn't require you to provide a uniqu When you use PowerShell to encrypt a new disk for Linux, a new sequence version needs to be specified. The sequence version has to be unique. The following script generates a GUID for the sequence version. -- **Encrypt a running VM by using a client secret:** The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Azure AD app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. The -VolumeType parameter is set to data disks and not the OS disk. If the VM was previously encrypted with a volume type of "OS" or "All," then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included.+- **Encrypt a running VM by using a client secret:** The following script initializes your variables and runs the Set-AzVMDiskEncryptionExtension cmdlet. The resource group, VM, key vault, Microsoft Entra app, and client secret should have already been created as prerequisites. Replace MyVirtualMachineResourceGroup, MyKeyVaultResourceGroup, MySecureVM, MySecureVault, My-AAD-client-ID, and My-AAD-client-secret with your values. The -VolumeType parameter is set to data disks and not the OS disk. If the VM was previously encrypted with a volume type of "OS" or "All," then the -VolumeType parameter should be changed to All so that both the OS and the new data disk will be included. 
```azurepowershell $KVRGname = 'MyKeyVaultResourceGroup'; You can disable encryption by using Azure PowerShell, the Azure CLI, or a Resour ## Next steps - [Azure Disk Encryption for Linux overview](disk-encryption-overview-aad.md)-- [Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)](disk-encryption-key-vault-aad.md)+- [Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-key-vault-aad.md) |
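Review bot: All three "Encrypt a running VM by using a client secret" bullets, rewritten here for the rename, still instruct the reader to paste `My-AAD-client-secret` into a script variable that is then passed to `Set-AzVMDiskEncryptionExtension` as `-AadClientSecret`; add a sentence that the secret should be supplied at run time (prompted for, or fetched from a vault) rather than stored in the script file, because a literal in the script ends up in shell history and transcripts. The template-parameter table is right to keep `AADClientID` and `AADClientSecret` unrenamed, since those are the parameter names the Resource Manager template accepts, and the `My-AAD-client-ID`/`My-AAD-client-secret` placeholders in the prose should stay consistent with the `$aadClientID`/`$aadClientSecret` variables for the same reason.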
virtual-machines | Disk Encryption Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-linux.md | You can only apply disk encryption to virtual machines of [supported VM sizes an In all cases, you should [take a snapshot](snapshot-copy-managed-disk.md) and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. Once a backup is made, you can use the [Set-AzVMDiskEncryptionExtension cmdlet](/powershell/module/az.compute/set-azvmdiskencryptionextension) to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the [Azure Backup](../../backup/backup-azure-vms-encryption.md) article. >[!WARNING]-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Azure AD (previous release)](disk-encryption-overview-aad.md) for details. +> - If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-overview-aad.md) for details. > > - When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend to avoid SSH logins while the encryption is in progress to avoid issues blocking any open files that will need to be accessed during the encryption process. To check progress, use the [Get-AzVMDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) PowerShell cmdlet or the [vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) CLI command. 
This process can be expected to take a few hours for a 30GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes unless the encrypt format all option is used. > - Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted. |
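Review bot: Same grammar slip as in disk-encryption-key-vault.md: the `+>` warning reads "you must continue use this option" and should say "continue to use". The trailing context line "Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted." is hard to parse as two sentences; a clearer single statement is "Disabling encryption is supported only for data volumes, and only when the OS volume has not been encrypted."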
virtual-machines | Disk Encryption Overview Aad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-overview-aad.md | Title: Azure Disk Encryption with Azure AD app prerequisites (previous release) -description: This article provides supplements to Azure Disk Encryption for Linux VMs with additional requirements and prerequisites for Azure Disk Encryption with Azure AD. + Title: Azure Disk Encryption with Microsoft Entra app prerequisites (previous release) +description: This article provides supplements to Azure Disk Encryption for Linux VMs with additional requirements and prerequisites for Azure Disk Encryption with Microsoft Entra ID. Last updated 01/04/2023 -# Azure Disk Encryption with Azure Active Directory (AD) (previous release) +# Azure Disk Encryption with Microsoft Entra ID (previous release) **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets -The new release of Azure Disk Encryption eliminates the requirement for providing an Azure Active Directory (Azure AD) application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Azure AD credentials during the enable encryption step. All new VMs must be encrypted without the Azure AD application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see [Azure Disk Encryption for Linux VMs](disk-encryption-overview.md). VMs that were already encrypted with Azure AD application parameters are still supported and should continue to be maintained with the AAD syntax. +The new release of Azure Disk Encryption eliminates the requirement for providing a Microsoft Entra application parameter to enable VM disk encryption. With the new release, you're no longer required to provide Microsoft Entra credentials during the enable encryption step. 
All new VMs must be encrypted without the Microsoft Entra application parameters by using the new release. For instructions on how to enable VM disk encryption by using the new release, see [Azure Disk Encryption for Linux VMs](disk-encryption-overview.md). VMs that were already encrypted with Microsoft Entra application parameters are still supported and should continue to be maintained with the Microsoft Entra syntax. -This article provides supplements to [Azure Disk Encryption for Linux VMs](disk-encryption-overview.md) with additional requirements and prerequisites for Azure Disk Encryption with Azure AD (previous release). +This article provides supplements to [Azure Disk Encryption for Linux VMs](disk-encryption-overview.md) with additional requirements and prerequisites for Azure Disk Encryption with Microsoft Entra ID (previous release). The information in these sections remains the same: The information in these sections remains the same: ## Networking and Group Policy -To enable the Azure Disk Encryption feature by using the older AAD parameter syntax, the infrastructure as a service (IaaS) VMs must meet the following network endpoint configuration requirements: - - To get a token to connect to your key vault, the IaaS VM must be able to connect to an Azure AD endpoint, \[login.microsoftonline.com\]. +To enable the Azure Disk Encryption feature by using the older Microsoft Entra parameter syntax, the infrastructure as a service (IaaS) VMs must meet the following network endpoint configuration requirements: + - To get a token to connect to your key vault, the IaaS VM must be able to connect to a Microsoft Entra endpoint, \[login.microsoftonline.com\]. - To write the encryption keys to your key vault, the IaaS VM must be able to connect to the key vault endpoint. - The IaaS VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files. 
- If your security policy limits access from Azure VMs to the internet, you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs. For more information, see [Azure Key Vault behind a firewall](../../key-vault/general/access-behind-firewall.md). To enable the Azure Disk Encryption feature by using the older AAD parameter syn Azure Disk Encryption requires Azure Key Vault to control and manage disk encryption keys and secrets. Your key vault and VMs must reside in the same Azure region and subscription. -For more information, see [Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)](disk-encryption-key-vault-aad.md). +For more information, see [Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-key-vault-aad.md). ## Next steps -- [Creating and configuring a key vault for Azure Disk Encryption with Azure AD (previous release)](disk-encryption-key-vault-aad.md)-- [Enable Azure Disk Encryption with Azure AD on Linux VMs (previous release)](disk-encryption-linux-aad.md)+- [Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-key-vault-aad.md) +- [Enable Azure Disk Encryption with Microsoft Entra ID on Linux VMs (previous release)](disk-encryption-linux-aad.md) - [Azure Disk Encryption prerequisites CLI script](https://github.com/ejarvi/ade-cli-getting-started) - [Azure Disk Encryption prerequisites PowerShell script](https://github.com/Azure/azure-powershell/tree/master/src/Compute/Compute/Extension/AzureDiskEncryption/Scripts) |
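Review bot: The context line "you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs" recommends pinning firewall rules to resolved addresses for `login.microsoftonline.com` and the vault endpoint; those addresses change, so while this list is being rewritten it should point readers to the `AzureActiveDirectory` and `AzureKeyVault` network security group service tags (or FQDN-based rules in Azure Firewall) instead of hand-resolved IPs. The same sentence is repeated verbatim in disk-encryption-overview.md below and should be fixed in both places.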
virtual-machines | Disk Encryption Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-overview.md | If you use [Microsoft Defender for Cloud](../../security-center/index.yml), you' ![Microsoft Defender for Cloud disk encryption alert](media/disk-encryption/security-center-disk-encryption-fig1.png) > [!WARNING]-> - If you have previously used Azure Disk Encryption with Azure AD to encrypt a VM, you must continue to use this option to encrypt your VM. See [Azure Disk Encryption with Azure AD (previous release)](disk-encryption-overview-aad.md) for details. +> - If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue to use this option to encrypt your VM. See [Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-overview-aad.md) for details. > - Certain recommendations might increase data, network, or compute resource usage, resulting in additional license or subscription costs. You must have a valid active Azure subscription to create resources in Azure in the supported regions. You can learn the fundamentals of Azure Disk Encryption for Linux in just a few minutes with the [Create and encrypt a Linux VM with Azure CLI quickstart](disk-encryption-cli-quickstart.md) or the [Create and encrypt a Linux VM with Azure PowerShell quickstart](disk-encryption-powershell-quickstart.md). Linux server distributions that are not endorsed by Azure do not support Azure D > > All distros: > - ADE support for a particular offer type does not extend beyond the end-of-life date provided by the publisher. -> - The legacy ADE solution (using AAD credentials) is not recommended for new VMs and is not compatible with RHEL versions later than RHEL 7.8 or with Phyton 3 as default. 
+> - The legacy ADE solution (using Microsoft Entra credentials) is not recommended for new VMs and is not compatible with RHEL versions later than RHEL 7.8 or with Phyton 3 as default. ## Additional VM requirements sudo mount -a To enable the Azure Disk Encryption feature, the Linux VMs must meet the following network endpoint configuration requirements: - - To get a token to connect to your key vault, the Linux VM must be able to connect to an Azure Active Directory endpoint, \[login.microsoftonline.com\]. + - To get a token to connect to your key vault, the Linux VM must be able to connect to a Microsoft Entra endpoint, \[login.microsoftonline.com\]. - To write the encryption keys to your key vault, the Linux VM must be able to connect to the key vault endpoint. - The Linux VM must be able to connect to an Azure storage endpoint that hosts the Azure extension repository and an Azure storage account that hosts the VHD files. - If your security policy limits access from Azure VMs to the Internet, you can resolve the preceding URI and configure a specific rule to allow outbound connectivity to the IPs. For more information, see [Azure Key Vault behind a firewall](../../key-vault/general/access-behind-firewall.md). |
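Review bot: The `+>` line carries the typo "Phyton 3" over from the old text; since the line is rewritten for the rename, correct it to "Python 3". The networking list in this row repeats the resolve-the-IPs advice noted above for disk-encryption-overview-aad.md and should get the same service-tag wording.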
virtual-machines | Disk Encryption Sample Scripts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-sample-scripts.md | The following table shows which parameters can be used in the PowerShell script: |$keyVaultName|Name of the KeyVault in which encryption keys are to be placed. A new vault with this name will be created if one doesn't exist.| True| |$location|Location of the KeyVault. Make sure the KeyVault and VMs to be encrypted are in the same location. Get a location list with `Get-AzLocation`.|True| |$subscriptionId|Identifier of the Azure subscription to be used. You can get your Subscription ID with `Get-AzSubscription`.|True|-|$aadAppName|Name of the Azure AD application that will be used to write secrets to KeyVault. A new application with this name will be created if one doesn't exist. If this app already exists, pass aadClientSecret parameter to the script.|False| -|$aadClientSecret|Client secret of the Azure AD application that was created earlier.|False| +|$aadAppName|Name of the Microsoft Entra application that will be used to write secrets to KeyVault. A new application with this name will be created if one doesn't exist. If this app already exists, pass aadClientSecret parameter to the script.|False| +|$aadClientSecret|Client secret of the Microsoft Entra application that was created earlier.|False| |$keyEncryptionKeyName|Name of optional key encryption key in KeyVault. 
A new key with this name will be created if one doesn't exist.|False| -### Encrypt or decrypt VMs without an Azure AD app +<a name='encrypt-or-decrypt-vms-without-an-azure-ad-app'></a> ++### Encrypt or decrypt VMs without a Microsoft Entra app - [Enable disk encryption on an existing or running Linux VM](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/encrypt-running-linux-vm-without-aad) - [Disable encryption on a running Linux VM](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/encrypt-running-linux-vm) - Disabling encryption is only allowed on Data volumes for Linux VMs. -### Encrypt or decrypt VMs with an Azure AD app (previous release) +<a name='encrypt-or-decrypt-vms-with-an-azure-ad-app-previous-release'></a> ++### Encrypt or decrypt VMs with a Microsoft Entra app (previous release) - [Enable disk encryption on an existing or running Linux VM](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/encrypt-running-linux-vm) - [Disable encryption on a running Linux VM](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/decrypt-running-linux-vm) After DM-Crypt encryption is enabled, the local encrypted VHD needs to be upload ## Upload the secret for the pre-encrypted VM to your key vault -When encrypting using an Azure AD app (previous release), the disk-encryption secret that you obtained previously must be uploaded as a secret in your key vault. The key vault needs to have disk encryption and permissions enabled for your Azure AD client. +When encrypting using a Microsoft Entra app (previous release), the disk-encryption secret that you obtained previously must be uploaded as a secret in your key vault. The key vault needs to have disk encryption and permissions enabled for your Microsoft Entra client. ```azurepowershell-interactive $AadClientId = "My-AAD-Client-Id" |
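Review bot: Under the new "Encrypt or decrypt VMs without a Microsoft Entra app" heading, the bullet "Disable encryption on a running Linux VM" links to `.../quickstarts/microsoft.compute/encrypt-running-linux-vm`, which is the enable-with-app template listed in the next section; the with-app section links `decrypt-running-linux-vm` for the same bullet, so the without-app link looks like a copy-paste slip and should point at the matching decrypt template for the no-app flow (or be dropped if none exists). The added `<a name='...-azure-ad-app'>` shims are the right way to keep existing deep links alive after the headings change.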
virtual-machines | Disk Encryption Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disk-encryption-upgrade.md | -The first version of Azure Disk Encryption (ADE) relied on Azure Active Directory (Azure AD) for authentication; the current version does not. We strongly encourage the use of the newest version. +The first version of Azure Disk Encryption (ADE) relied on Microsoft Entra ID for authentication; the current version does not. We strongly encourage the use of the newest version. ## Determine ADE version Choose the "AzureDiskEncryption" extension for Windows or "AzureDiskEncryptionFo ## How to migrate -Migration from Azure Disk Encryption (with Azure AD) to Azure Disk Encryption (without Azure AD) is only available through Azure PowerShell. Ensure you have the latest version of Azure PowerShell and at least the [Azure PowerShell Az module version 5.9.0](/powershell/azure/new-azureps-module-az) installed . +Migration from Azure Disk Encryption (with Microsoft Entra ID) to Azure Disk Encryption (without Microsoft Entra ID) is only available through Azure PowerShell. Ensure you have the latest version of Azure PowerShell and at least the [Azure PowerShell Az module version 5.9.0](/powershell/azure/new-azureps-module-az) installed . -To upgrade from Azure Disk Encryption (with Azure AD) to Azure Disk Encryption (without Azure AD), use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) PowerShell cmdlet. +To upgrade from Azure Disk Encryption (with Microsoft Entra ID) to Azure Disk Encryption (without Microsoft Entra ID), use the [Set-AzVMDiskEncryptionExtension](/powershell/module/az.compute/set-azvmdiskencryptionextension) PowerShell cmdlet. > [!WARNING]-> The Set-AzVMDiskEncryptionExtension cmdlet must only be used on VMs encrypted with Azure Disk Encryption (with Azure AD). 
Attempting to migrate an unencrypted VM, or a VM encrypted with Azure Disk Encryption (without Azure AD), will result in a terminal error. +> The Set-AzVMDiskEncryptionExtension cmdlet must only be used on VMs encrypted with Azure Disk Encryption (with Microsoft Entra ID). Attempting to migrate an unencrypted VM, or a VM encrypted with Azure Disk Encryption (without Microsoft Entra ID), will result in a terminal error. ```azurepowershell-interactive Set-AzVMDiskEncryptionExtension -ResourceGroupName <resourceGroupName> -VMName <vmName> -Migrate |
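Review bot: Stray space before the period in the rewritten line "... version 5.9.0](/powershell/azure/new-azureps-module-az) installed ."; fix it while the sentence is being edited. "the latest version of Azure PowerShell and at least ... 5.9.0" also says the same thing twice; "Az module version 5.9.0 or later" is enough.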
virtual-machines | Disks Enable Customer Managed Keys Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disks-enable-customer-managed-keys-cli.md | az disk-encryption-set update -n keyrotationdes -g keyrotationtesting --key-url [!INCLUDE [virtual-machines-disks-encryption-status-cli](../../../includes/virtual-machines-disks-encryption-status-cli.md)] > [!IMPORTANT]-> Customer-managed keys rely on managed identities for Azure resources, a feature of Azure Active Directory (Azure AD). When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Azure AD directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Azure AD directories](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). +> Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with the managed disks is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see [Transferring a subscription between Microsoft Entra directories](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories). ## Next steps |
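Review bot: The link text was renamed to "Transferring a subscription between Microsoft Entra directories" but the fragment `#transferring-a-subscription-between-azure-ad-directories` was left as is; that is only correct if the target heading in known-issues.md keeps the old anchor (for example via the `<a name=...>` shims this batch adds elsewhere), so the anchor should be verified before merging, otherwise the link silently lands at the top of the page.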
virtual-machines | Disks Enable Double Encryption At Rest Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disks-enable-double-encryption-at-rest-cli.md | Install the latest [Azure CLI](/cli/azure/install-az-cli2) and sign in to an Azu 1. Grant the DiskEncryptionSet resource access to the key vault. > [!NOTE]- > It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Azure Active Directory. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again. + > It may take few minutes for Azure to create the identity of your DiskEncryptionSet in your Microsoft Entra ID. If you get an error like "Cannot find the Active Directory object" when running the following command, wait a few minutes and try again. ```azurecli desIdentity=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [identity.principalId] -o tsv) |
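Review bot: "create the identity of your DiskEncryptionSet in your Microsoft Entra ID" in the `+>` line is awkward; the rename should read "in your Microsoft Entra tenant". Leaving the quoted CLI error "Cannot find the Active Directory object" unrenamed is correct, since that is the literal string the command returns.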
virtual-machines | Disks Upload Vhd To Managed Disk Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/disks-upload-vhd-to-managed-disk-cli.md | This article explains how to either upload a VHD from your local machine to an A If you're providing a backup solution for IaaS VMs in Azure, you should use direct upload to restore customer backups to managed disks. When uploading a VHD from a source external to Azure, speeds depend on your local bandwidth. When uploading or copying from an Azure VM, your bandwidth would be the same as standard HDDs. -## Secure uploads with Azure AD +<a name='secure-uploads-with-azure-ad'></a> -If you're using [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md) to control resource access, you can now use it to restrict uploading of Azure managed disks. This feature is available as a GA offering in all regions. When a user attempts to upload a disk, Azure validates the identity of the requesting user in Azure AD, and confirms that user has the required permissions. At a higher level, a system administrator could set a policy at the Azure account or subscription level, to ensure that an Azure AD identity has the necessary permissions for uploading before allowing a disk or a disk snapshot to be uploaded. If you have any questions on securing uploads with Azure AD, reach out to this email: azuredisks@microsoft .com +## Secure uploads with Microsoft Entra ID ++If you're using [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) to control resource access, you can now use it to restrict uploading of Azure managed disks. This feature is available as a GA offering in all regions. When a user attempts to upload a disk, Azure validates the identity of the requesting user in Microsoft Entra ID, and confirms that user has the required permissions. 
At a higher level, a system administrator could set a policy at the Azure account or subscription level, to ensure that a Microsoft Entra identity has the necessary permissions for uploading before allowing a disk or a disk snapshot to be uploaded. If you have any questions on securing uploads with Microsoft Entra ID, reach out to this email: azuredisks@microsoft .com ### Prerequisites - [Install the Azure CLI](/cli/azure/install-azure-cli). If you're using [Azure Active Directory (Azure AD)](../../active-directory/funda ### Assign RBAC role -To access managed disks secured with Azure AD, the requesting user must have either the [Data Operator for Managed Disks](../../role-based-access-control/built-in-roles.md#data-operator-for-managed-disks) role, or a [custom role](../../role-based-access-control/custom-roles-powershell.md) with the following permissions: +To access managed disks secured with Microsoft Entra ID, the requesting user must have either the [Data Operator for Managed Disks](../../role-based-access-control/built-in-roles.md#data-operator-for-managed-disks) role, or a [custom role](../../role-based-access-control/custom-roles-powershell.md) with the following permissions: - **Microsoft.Compute/disks/download/action** - **Microsoft.Compute/disks/upload/action** Replace `<yourdiskname>`, `<yourresourcegroupname>`, `<yourregion>` with values > [!IMPORTANT] > If you're creating an OS disk, add `--hyper-v-generation <yourGeneration>` to `az disk create`. > -> If you're using Azure AD to secure disk uploads, add `-dataAccessAuthmode 'AzureActiveDirectory'`. +> If you're using Microsoft Entra ID to secure disk uploads, add `-dataAccessAuthmode 'AzureActiveDirectory'`. > When uploading to an Ultra Disk or Premium SSD v2 you need to select the correct sector size of the target disk. If you're using a VHDX file with a 4k logical sector size, the target disk must be set to 4k. 
If you're using a VHD file with a 512 logical sector size, the target disk must be set to 512. > > VHDX files with logical sector size of 512k aren't supported. If you would like to upload a different disk type, replace **standard_lrs** with ### (Optional) Grant access to the disk -If you're using Azure AD to secure uploads, you'll need to [assign RBAC permissions](../../role-based-access-control/role-assignments-cli.md) to grant access to the disk and generate a writeable SAS. +If you're using Microsoft Entra ID to secure uploads, you'll need to [assign RBAC permissions](../../role-based-access-control/role-assignments-cli.md) to grant access to the disk and generate a writeable SAS. ```azurecli az role assignment create --assignee "{assignee}" \ az disk revoke-access -n $targetDiskName -g $targetRG Now that you've successfully uploaded a VHD to a managed disk, you can attach the disk as a [data disk to an existing VM](add-disk.md) or [attach the disk to a VM as an OS disk](upload-vhd.md#create-the-vm), to create a new VM. -If you've additional questions, see the [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) section in the FAQ. +If you've additional questions, see the [uploading a managed disk](../faq-for-disks.yml#uploading-to-a-managed-disk) section in the FAQ. |
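Review bot: in the IMPORTANT block under `az disk create`, the `+` line keeps `-dataAccessAuthmode 'AzureActiveDirectory'`, which is PowerShell-style parameter syntax rather than an Azure CLI option; the Azure CLI form is `--data-access-auth-mode AzureActiveDirectory`, so the rename pass should correct the flag while it touches that line. Separately, the contact address in the new "Secure uploads with Microsoft Entra ID" paragraph still reads `azuredisks@microsoft .com` with a stray space before `.com`.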
virtual-machines | Download Vhd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/download-vhd.md | Your snapshot will be created shortly, and can then be used to download or creat > > This method is only recommended for VMs with a single OS disk. VMs with one or more data disks should be stopped before download or before creating a snapshot for the OS disk and each data disk. -## Secure downloads and uploads with Azure AD +<a name='secure-downloads-and-uploads-with-azure-ad'></a> ++## Secure downloads and uploads with Microsoft Entra ID [!INCLUDE [disks-azure-ad-upload-download-portal](../../../includes/disks-azure-ad-upload-download-portal.md)] az disk grant-access --duration-in-seconds 86400 --access-level Read --name your ## Download VHD > [!NOTE]-> If you're using Azure AD to secure managed disk downloads, the user downloading the VHD must have the appropriate [RBAC permissions](#assign-rbac-role). +> If you're using Microsoft Entra ID to secure managed disk downloads, the user downloading the VHD must have the appropriate [RBAC permissions](#assign-rbac-role). # [Portal](#tab/azure-portal) When the download finishes, revoke access to your disk using `Revoke-AzDiskAcces Replace `yourPathhere` and `sas-URI` with your values, then use the following script to download your VHD: > [!NOTE]-> If you're using Azure AD to secure your managed disk uploads and downloads, add `--auth-mode login` to `az storage blob download`. +> If you're using Microsoft Entra ID to secure your managed disk uploads and downloads, add `--auth-mode login` to `az storage blob download`. ```azurecli |
virtual-machines | Openshift Container Platform 4X | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/openshift-container-platform-4x.md | Deployment of OpenShift Container Platform (OCP) 4.2 is now supported in Azure v ## Notes + - A Microsoft Entra service principal (SP) is required to install and run OCP 4.x in Azure - The SP must be granted the API permission of **Application.ReadWrite.OwnedBy** for Azure Active Directory Graph- - An AAD Tenant Administrator must grant Admin Consent for this API permission to take effect + - A Microsoft Entra tenant administrator must grant Admin Consent for this API permission to take effect - The SP must be granted **Contributor** and **User Access Administrator** roles to the subscription - The installation model for OCP 4.x is different than 3.x and there are no Azure Resource Manager templates available for deploying OCP 4.x in Azure - If issues are encountered during the installation process, contact the appropriate company (Microsoft or Red Hat) | Issue Description | Contact Point | |-||-| Azure specific issues (AAD, SP, Azure Subscription, etc.) | Microsoft | +| Azure specific issues (Microsoft Entra ID, SP, Azure Subscription, etc.) | Microsoft | | OpenShift-specific issues (Installation failures / errors, Red Hat subscription, etc.) | Red Hat | |
virtual-machines | Shared Images Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/shared-images-portal.md | -The Azure Compute Gallery lets you share your custom VM images with others in your organization, within or across regions, within an Azure AD tenant. Choose which images you want to share, which regions you want to make them available in, and who you want to share them with. You can create multiple galleries so that you can logically group images. +The Azure Compute Gallery lets you share your custom VM images with others in your organization, within or across regions, within a Microsoft Entra tenant. Choose which images you want to share, which regions you want to make them available in, and who you want to share them with. You can create multiple galleries so that you can logically group images. The gallery is a top-level resource that provides full Azure role-based access control (Azure RBAC). Images can be versioned, and you can choose to replicate each image version to a different set of Azure regions. The gallery only works with Managed Images. You can also create Azure Compute Gallery resource using templates. There are se - [Create an Image Definition in an Azure Compute Gallery](https://azure.microsoft.com/resources/templates/sig-image-definition-create/) - [Create an Image Version in an Azure Compute Gallery](https://azure.microsoft.com/resources/templates/sig-image-version-create/) -For more information about Azure Compute Galleries, see the [Overview](../shared-image-galleries.md). If you run into issues, see [Troubleshooting galleries](../troubleshooting-shared-images.md). +For more information about Azure Compute Galleries, see the [Overview](../shared-image-galleries.md). If you run into issues, see [Troubleshooting galleries](../troubleshooting-shared-images.md). |
virtual-machines | Suse Create Upload Vhd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/suse-create-upload-vhd.md | Title: Create and upload a SUSE Linux VHD in Azure -description: Learn to create and upload an Azure virtual hard disk (VHD) that contains a SUSE Linux operating system. +description: Learn how to create and upload an Azure virtual hard disk (VHD) that contains a SUSE Linux operating system. -In some cases, you may want to use customized SUSE or openSUSE Leap Linux VMs in your Azure environment and be able to build these types of VMs through automation. This article demonstrates how to create and upload a custom Azure virtual hard disk (VHD) that contains a SUSE Linux operating system. +In some cases, you might want to use customized SUSE Linux Enterprise Server (SLES) or openSUSE Leap Linux virtual machines (VMs) in your Azure environment and be able to build these types of VMs through automation. This article demonstrates how to create and upload a custom Azure virtual hard disk (VHD) that contains a SUSE Linux operating system. ## Prerequisites -This article assumes that you have already installed a SUSE or openSUSE Leap Linux operating system to a virtual hard disk. Multiple tools exist to create .vhd files, for example a virtualization solution such as Hyper-V. For instructions, see [Install the Hyper-V Role and Configure a Virtual Machine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh846766(v=ws.11)). +This article assumes that you already installed a SLES or openSUSE Leap Linux operating system on a virtual hard disk. Multiple tools exist to create .vhd files. For example, you can use a virtualization solution such as Hyper-V. For instructions, see [Install Hyper-V and create a virtual machine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh846766(v=ws.11)). 
-## SLES / openSUSE Leap installation notes +## SLES/openSUSE Leap installation notes -* For more tips on preparing Linux images for Azure, see [General Linux Installation Notes](create-upload-generic.md#general-linux-installation-notes) -* The VHDX format isn't supported in Azure, only **fixed VHD**. You can convert the disk to VHD format using Hyper-V Manager or the convert-vhd cmdlet. +* For more tips on preparing Linux images for Azure, see [General Linux installation notes](create-upload-generic.md#general-linux-installation-notes). +* Azure doesn't support Windows Hard Disk Image (.vhdx) files. Only VHD (.vhd) files are supported outside virtual machines. You can convert the disk to VHD format by using Hyper-V Manager or the `Convert-VHD` cmdlet. * Azure supports Gen1 (BIOS boot) and Gen2 (UEFI boot) virtual machines.-* The `vfat` kernel module must be enabled in the kernel -* Don't configure a swap partition on the OS disk. The Linux agent can be configured to create a swap file on the temporary resource disk. More information about configuring swap space can be found in the steps below. -* All VHDs on Azure must have a virtual size aligned to 1 MB. When converting from a raw disk to VHD, you must ensure that the raw disk size is a multiple of 1 MB before conversion. See [Linux Installation Notes](create-upload-generic.md#general-linux-installation-notes) for more information. -+* The virtual file allocation table (VFAT) kernel module must be enabled in the kernel. +* Don't configure a swap partition on the OS disk. You can configure the Linux agent to create a swap file on the temporary resource disk. Steps later in this article give more information about configuring swap space. +* All VHDs on Azure must have a virtual size aligned to 1 MB. When you're converting from a raw disk to VHD, ensure that the raw disk size is a multiple of 1 MB before conversion. 
For more information, see [General Linux installation notes](create-upload-generic.md#general-linux-installation-notes). > [!NOTE]-> **(_Cloud-init >= 21.2 removes the udf requirement._)** however without the udf module enabled the cdrom won't mount during provisioning, preventing custom data from being applied. A workaround for this is to apply custom data. However, unlike custom data user data, isn't encrypted. https://cloudinit.readthedocs.io/en/latest/topics/format.html -+> Cloud-init version 21.2 or later removes the user-defined function (UDF) requirement. But without the `udf` module enabled, the CD-ROM won't mount during provisioning, which prevents the custom data from being applied. A workaround is to apply user data. However, unlike custom data, user data isn't encrypted. For more information, see [User data formats](https://cloudinit.readthedocs.io/en/latest/topics/format.html) in the cloud-init documentation. ## Use SUSE Studio [SUSE Studio](https://studioexpress.opensuse.org/) can easily create and manage your SLES and openSUSE Leap images for Azure and Hyper-V. SUSE Studio is the recommended approach for customizing your own SLES and openSUSE Leap images. -As an alternative to building your own VHD, SUSE also publishes BYOS (Bring Your Own Subscription) images for SLES at [VM Depot](https://www.microsoft.com/research/wp-content/uploads/2016/04/using-and-contributing-vms-to-vm-depot.pdf). +As an alternative to building your own VHD, SUSE also publishes BYOS (bring your own subscription) images for SLES at [VM Depot](https://www.microsoft.com/research/wp-content/uploads/2016/04/using-and-contributing-vms-to-vm-depot.pdf). ++## Prepare SLES for Azure ++1. Configure the Azure and Hyper-V modules if required. -## Prepare SUSE Linux Enterprise Server for Azure + If your software hypervisor is not Hyper-V, other modules need to be added into the initial RAM disk (initramfs) to successfully boot in Azure. -1. Configure the Azure/Hyper-v modules if required. 
+ Edit the */etc/dracut.conf* file and add the following line to the file: - If your software hypervisor is not Hyper-V, other modules need to be added into the initramfs to successfully boot in Azure + ```config + add_drivers+=" hv_vmbus hv_netvsc hv_storvsc " + ``` - Edit the "/etc/dracut.conf" file and add the following line to the file then executeh the ```dracut```command to rebuild the initramfs file: + Run the `dracut` command to rebuild the initramfs file: -```config -add_drivers+=" hv_vmbus hv_netvsc hv_storvsc " -``` + ```bash + sudo dracut --verbose --force + ``` -```bash -sudo dracut --verbose --force -``` +2. Set up the serial console. -2. Setup the Serial Console. + To successfully work with the serial console, you must set up several variables in the */etc/defaults/grub* file and re-create GRUB on the server: - In order to successfully work with the serial console, it's required to set up several variables in the "/etc/defaults/grub" file and recreate the grub on the server. + ```config + # Add console=ttyS0 and earlyprintk=ttS0 to the variable. + # Remove "splash=silent" and "quiet" options. + GRUB_CMDLINE_LINUX_DEFAULT="audit=1 no-scroll fbcon=scrollback:0 mitigations=auto security=apparmor crashkernel=228M,high crashkernel=72M,low console=ttyS0 earlyprintk=ttyS0" -```config -# Add console=ttyS0 and earlyprintk=ttS0 to the variable -# remove "splash=silent" and "quiet" options. -GRUB_CMDLINE_LINUX_DEFAULT="audit=1 no-scroll fbcon=scrollback:0 mitigations=auto security=apparmor crashkernel=228M,high crashkernel=72M,low console=ttyS0 earlyprintk=ttyS0" + # Add "console serial" to GRUB_TERMINAL. + GRUB_TERMINAL="console serial" -# Add "console serial" to GRUB_TERMINAL -GRUB_TERMINAL="console serial" + # Set the GRUB_SERIAL_COMMAND variable. 
-# Set the GRUB_SERIAL_COMMAND variable + GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1" + ``` -GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1" -``` + ```shell + /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg + ``` -```shell -/usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg -``` - 3. Register your SUSE Linux Enterprise system to allow it to download updates and install packages. 4. Update the system with the latest patches: -```bash -sudo zypper update -``` - -5. Install Azure Linux Agent and cloud-init --```bash -sudo SUSEConnect -p sle-module-public-cloud/15.2/x86_64 (SLES 15 SP2) -sudo zypper refresh -sudo zypper install python-azure-agent -sudo zypper install cloud-init -``` --6. Enable waagent & cloud-init to start on boot --```bash -sudo systemctl enable waagent -sudo systemctl enable cloud-init-local.service -sudo systemctl enable cloud-init.service -sudo systemctl enable cloud-config.service -sudo systemctl enable cloud-final.service -sudo systemctl daemon-reload -sudo cloud-init clean -``` --7. Update the cloud-init configuration --```bash -cat <<EOF | sudo /etc/cloud/cloud.cfg.d/91-azure_datasource.cfg -datasource_list: [ Azure ] -datasource: - Azure: - apply_network_config: False --EOF -``` --```bash -sudo cat <<EOF | sudo tee /etc/cloud/cloud.cfg.d/05_logging.cfg -# This tells cloud-init to redirect its stdout and stderr to -# 'tee -a /var/log/cloud-init-output.log' so the user can see output -# there without needing to look on the console. -output: {all: '| tee -a /var/log/cloud-init-output.log'} -EOF --# Make sure mounts and disk_setup are in the init stage: -echo "Adding mounts and disk_setup to init stage" -sudo sed -i '/ - mounts/d' /etc/cloud/cloud.cfg -sudo sed -i '/ - disk_setup/d' /etc/cloud/cloud.cfg -sudo sed -i '/cloud_init_modules/a\\ - mounts' /etc/cloud/cloud.cfg -sudo sed -i '/cloud_init_modules/a\\ - disk_setup' /etc/cloud/cloud.cfg -``` --8. 
If you want to mount, format, and create a swap partition you can either: - * Pass this configuration in as a cloud-init config every time you create a VM. - * Use a cloud-init directive baked into the image that configures swap space every time the VM is created: - --```bash -cat <<EOF | sudo tee -a /etc/systemd/system.conf -'DefaultEnvironment="CLOUD_CFG=/etc/cloud/cloud.cfg.d/00-azure-swap.cfg"' -EOF --cat <<EOF | sudo tee /etc/cloud/cloud.cfg.d/00-azure-swap.cfg -#cloud-config -# Generated by Azure cloud image build -disk_setup: - ephemeral0: - table_type: mbr - layout: [66, [33, 82]] - overwrite: True -fs_setup: - - device: ephemeral0.1 - filesystem: ext4 - - device: ephemeral0.2 - filesystem: swap -mounts: - - ["ephemeral0.1", "/mnt"] - - ["ephemeral0.2", "none", "swap", "sw,nofail,x-systemd.requires=cloud-init.service,x-systemd.device-timeout=2", "0", "0"] -EOF -``` - -9. Previously, the Azure Linux Agent was used to automatically configure swap space by using the local resource disk that is attached to the virtual machine after the virtual machine is provisioned on Azure. However, this step is now handled by cloud-init, you **must not** use the Linux Agent to format the resource disk or create the swap file. Use these commands to modify `/etc/waagent.conf` appropriately: ---```bash -sudo sed -i 's/Provisioning.UseCloudInit=n/Provisioning.UseCloudInit=auto/g' /etc/waagent.conf -sudo sed -i 's/Provisioning.Enabled=y/Provisioning.Enabled=n/g' /etc/waagent.conf -sudo sed -i 's/ResourceDisk.Format=y/ResourceDisk.Format=n/g' /etc/waagent.conf -sudo sed -i 's/ResourceDisk.EnableSwap=y/ResourceDisk.EnableSwap=n/g' /etc/waagent.conf -``` + ```bash + sudo zypper update + ``` -> [!NOTE] -> Make sure the **'udf'** module is enabled. Removing/disabling them will cause a provisioning/boot failure. **(_Cloud-init >= 21.2 removes the udf requirement. Please read top of document for more detail)** +5. Install the Azure Linux VM Agent (`waagent`) and cloud-init: -10. 
Ensure the "/etc/fstab" file references the disk using its UUID (by-uuid) + ```bash + sudo SUSEConnect -p sle-module-public-cloud/15.2/x86_64 (SLES 15 SP2) + sudo zypper refresh + sudo zypper install python-azure-agent + sudo zypper install cloud-init + ``` -11. Remove udev rules and network adapter configuration files to avoid generating static rules for the Ethernet interface(s). These rules can cause problems when cloning a virtual machine in Microsoft Azure or Hyper-V: +6. Enable `waagent` and cloud-init to start on boot: -```bash -sudo rm -f /etc/udev/rules.d/70-persistent-net.rules -sudo rm -f /etc/udev/rules.d/85-persistent-net-cloud-init.rules -sudo rm -f /etc/sysconfig/network/ifcfg-eth* -``` + ```bash + sudo systemctl enable waagent + sudo systemctl enable cloud-init-local.service + sudo systemctl enable cloud-init.service + sudo systemctl enable cloud-config.service + sudo systemctl enable cloud-final.service + sudo systemctl daemon-reload + sudo cloud-init clean + ``` -12. It's recommended to edit the "/etc/sysconfig/network/dhcp" file and change the `DHCLIENT_SET_HOSTNAME` parameter to the following: +7. Update the cloud-init configuration: -```config -DHCLIENT_SET_HOSTNAME="no" -``` + ```bash + cat <<EOF | sudo tee /etc/cloud/cloud.cfg.d/91-azure_datasource.cfg + datasource_list: [ Azure ] + datasource: + Azure: + apply_network_config: False -13. In the "/etc/sudoers" file, comment out or remove the following lines if they exist: + EOF + ``` -```output -Defaults targetpw # ask for the password of the target user i.e. root -ALL ALL=(ALL) ALL # WARNING! Only use this setting together with 'Defaults targetpw'! -``` + ```bash + sudo cat <<EOF | sudo tee /etc/cloud/cloud.cfg.d/05_logging.cfg + # This tells cloud-init to redirect its stdout and stderr to + # 'tee -a /var/log/cloud-init-output.log' so the user can see output + # there without needing to look on the console. 
+ output: {all: '| tee -a /var/log/cloud-init-output.log'} + EOF ++ # Make sure mounts and disk_setup are in the init stage: + echo "Adding mounts and disk_setup to init stage" + sudo sed -i '/ - mounts/d' /etc/cloud/cloud.cfg + sudo sed -i '/ - disk_setup/d' /etc/cloud/cloud.cfg + sudo sed -i '/cloud_init_modules/a\\ - mounts' /etc/cloud/cloud.cfg + sudo sed -i '/cloud_init_modules/a\\ - disk_setup' /etc/cloud/cloud.cfg + ``` +8. If you want to mount, format, and create a swap partition, one option is to pass in a cloud-init configuration every time you create a VM. -14. Ensure that the SSH server is installed and configured to start at boot time. + Another option is to use a cloud-init directive in the image to configure swap space every time the VM is created: -```bash -sudo systemctl enable sshd -``` + ```bash + cat <<EOF | sudo tee -a /etc/systemd/system.conf + 'DefaultEnvironment="CLOUD_CFG=/etc/cloud/cloud.cfg.d/00-azure-swap.cfg"' + EOF ++ cat <<EOF | sudo tee /etc/cloud/cloud.cfg.d/00-azure-swap.cfg + #cloud-config + # Generated by Azure cloud image build + disk_setup: + ephemeral0: + table_type: mbr + layout: [66, [33, 82]] + overwrite: True + fs_setup: + - device: ephemeral0.1 + filesystem: ext4 + - device: ephemeral0.2 + filesystem: swap + mounts: + - ["ephemeral0.1", "/mnt"] + - ["ephemeral0.2", "none", "swap", "sw,nofail,x-systemd.requires=cloud-init.service,x-systemd.device-timeout=2", "0", "0"] + EOF + ``` -15. Make sure to clean cloud-init stage; +9. Previously, the Azure Linux Agent was used to automatically configure swap space by using the local resource disk that's attached to the virtual machine after the virtual machine is provisioned on Azure. Because cloud-init now handles this step, you *must not* use the Azure Linux Agent to format the resource disk or create the swap file. 
Use these commands to modify */etc/waagent.conf* appropriately: -```bash -sudo cloud-init clean --seed --logs -``` + ```bash + sudo sed -i 's/Provisioning.UseCloudInit=n/Provisioning.UseCloudInit=auto/g' /etc/waagent.conf + sudo sed -i 's/Provisioning.Enabled=y/Provisioning.Enabled=n/g' /etc/waagent.conf + sudo sed -i 's/ResourceDisk.Format=y/ResourceDisk.Format=n/g' /etc/waagent.conf + sudo sed -i 's/ResourceDisk.EnableSwap=y/ResourceDisk.EnableSwap=n/g' /etc/waagent.conf + ``` -16. Run the following commands to deprovision the virtual machine and prepare it for provisioning on Azure: + > [!NOTE] + > If you're using a cloud-init version earlier than 21.2, make sure the `udf` module is enabled. Removing or disabling it will cause a provisioning or boot failure. Cloud-init version 21.2 or later removes the UDF requirement. ->[!NOTE] -> If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step +10. Ensure that the */etc/fstab* file references the disk by using its UUID (`by-uuid`). -```bash -sudo rm -f /var/log/waagent.log -sudo waagent -force -deprovision+user -sudo export HISTSIZE=0 -sudo rm -f ~/.bash_history -``` - -+11. Remove udev rules and network adapter configuration files to avoid generating static rules for the Ethernet interfaces. These rules can cause problems when you're cloning a virtual machine in Microsoft Azure or Hyper-V. ++ ```bash + sudo rm -f /etc/udev/rules.d/70-persistent-net.rules + sudo rm -f /etc/udev/rules.d/85-persistent-net-cloud-init.rules + sudo rm -f /etc/sysconfig/network/ifcfg-eth* + ``` ++12. We recommend that you edit the */etc/sysconfig/network/dhcp* file and change the `DHCLIENT_SET_HOSTNAME` parameter to the following: ++ ```config + DHCLIENT_SET_HOSTNAME="no" + ``` ++13. In the */etc/sudoers* file, comment out or remove the following lines if they exist: ++ ```output + Defaults targetpw # Ask for the password of the target user i.e. 
root + ALL ALL=(ALL) ALL # WARNING! Only use this setting together with 'Defaults targetpw'! + ``` ++14. Ensure that the Secure Shell (SSH) server is installed and configured to start at boot time: ++ ```bash + sudo systemctl enable sshd + ``` ++15. Clean the cloud-init stage: ++ ```bash + sudo cloud-init clean --seed --logs + ``` ++16. Run the following commands to deprovision the virtual machine and prepare it for provisioning on Azure. ++ If you're migrating a specific virtual machine and don't want to create a generalized image, skip the deprovisioning step. ++ ```bash + sudo rm -f /var/log/waagent.log + sudo waagent -force -deprovision+user + sudo export HISTSIZE=0 + sudo rm -f ~/.bash_history + ``` ## Prepare openSUSE 15.2+ -1. In the center pane of Hyper-V Manager, select the virtual machine. -2. Click **Connect** to open the window for the virtual machine. -3. In a terminal, run the command '`zypper lr`'. If this command returns output similar to the following, then the repositories are configured as expected and no adjustments are necessary (note that version numbers may vary): +1. On the center pane of Hyper-V Manager, select the virtual machine. +2. Select **Connect** to open the window for the virtual machine. +3. In a terminal, run the command `zypper lr`. If this command returns output similar to the following example, the repositories are configured as expected and no adjustments are necessary. (Version numbers might vary.) | # | Alias | Name | Enabled | Refresh | - | :-- | :-- | : | : sudo rm -f ~/.bash_history | 2 | openSUSE_15.2_OSS | openSUSE_15.2_OSS | Yes | Yes | 3 | openSUSE_15.2_Updates | openSUSE_15.2_Updates | Yes | Yes - If the command returns "No repositories defined..." 
then use the following commands to add these repos: + If the command returns "No repositories defined," use the following commands to add these repos: ```bash sudo zypper ar -f http://download.opensuse.org/repositories/Cloud:Tools/openSUSE_15.2 Cloud:Tools_15.2 sudo rm -f ~/.bash_history sudo zypper ar -f http://download.opensuse.org/update/15.2 openSUSE_15.2_Updates ``` - You can then verify the repositories have been added by running the command '`zypper lr`' again. If one of the relevant update repositories isn't enabled, enable it with the following command: + You can then verify that the repositories have been added by running the command `zypper lr` again. If one of the relevant update repositories isn't enabled, enable it by using the following command: ```bash sudo zypper mr -e [NUMBER OF REPOSITORY] sudo rm -f ~/.bash_history sudo zypper up kernel-default ``` - Or to update the operating system with all the latest patches: + Or update the operating system with all the latest patches: ```bash sudo zypper update ``` -5. Install the Azure Linux Agent. +5. Install the Azure Linux Agent: ```bash sudo zypper install WALinuxAgent ``` -6. Modify the kernel boot line in your grub configuration to include other kernel parameters for Azure. To do this, open "/boot/grub/menu.lst" in a text editor and ensure that the default kernel includes the following parameters: +6. Modify the kernel boot line in your GRUB configuration to include other kernel parameters for Azure. To do this, open */boot/grub/menu.lst* in a text editor and ensure that the default kernel includes the following parameters: ```config-grub console=ttyS0 earlyprintk=ttyS0 ``` - This option ensures all console messages are sent to the first serial port, which can assist Azure support with debugging issues. 
In addition, remove the following parameters from the kernel boot line if they exist: + This option ensures that all console messages are sent to the first serial port, which can assist Azure support with debugging issues. In addition, remove the following parameters from the kernel boot line if they exist: ```config-grub libata.atapi_enabled=0 reserve=0x1f0,0x8 ``` -7. It's recommended to edit the "/etc/sysconfig/network/dhcp" file and change the `DHCLIENT_SET_HOSTNAME` parameter to the following setting: +7. We recommend that you edit the */etc/sysconfig/network/dhcp* file and change the `DHCLIENT_SET_HOSTNAME` parameter to the following setting: ```config DHCLIENT_SET_HOSTNAME="no" ``` -8. **Important:** In the "/etc/sudoers" file, comment out or remove the following lines if they exist: +8. In the */etc/sudoers* file, comment out or remove the following lines if they exist. This is an important step. ```output Defaults targetpw # ask for the password of the target user i.e. root sudo rm -f ~/.bash_history 9. Ensure that the SSH server is installed and configured to start at boot time. 10. Don't create swap space on the OS disk. - The Azure Linux Agent can automatically configure swap space using the local resource disk that is attached to the VM after provisioning on Azure. The local resource disk is a *temporary* disk and will be emptied when the VM is deprovisioned. After installing the Azure Linux Agent (see previous step), modify the following parameters in the "/etc/waagent.conf" as follows: + The Azure Linux Agent can automatically configure swap space by using the local resource disk that's attached to the VM after provisioning on Azure. The local resource disk is a *temporary* disk and will be emptied when the VM is deprovisioned. 
++ After you install the Azure Linux Agent, modify the parameters in */etc/waagent.conf* as follows: ```config-conf ResourceDisk.Format=n sudo rm -f ~/.bash_history ResourceDisk.SwapSizeMB=2048 ## NOTE: set the size to whatever you need it to be. ``` -11. Ensure the Azure Linux Agent runs at startup: +11. Ensure that the Azure Linux Agent runs at startup: ```bash sudo systemctl enable waagent.service ``` -12. Run the following commands to deprovision the virtual machine and prepare it for provisioning on Azure: +12. Run the following commands to deprovision the virtual machine and prepare it for provisioning on Azure. -> [!NOTE] -> If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step. + If you're migrating a specific virtual machine and don't want to create a generalized image, skip the deprovisioning step. -```bash - sudo rm -f ~/.bash_history # Remove current user history - sudo -i - sudo rm -rf /var/lib/waagent/ - sudo rm -f /var/log/waagent.log - sudo waagent -force -deprovision+user - sudo rm -f ~/.bash_history # Remove root user history - sudo export HISTSIZE=0 -``` + ```bash + sudo rm -f ~/.bash_history # Remove current user history + sudo rm -rf /var/lib/waagent/ + sudo rm -f /var/log/waagent.log + sudo waagent -force -deprovision+user + sudo rm -f ~/.bash_history # Remove root user history + sudo export HISTSIZE=0 + ``` -13. Click **Action -> Shut Down** in Hyper-V Manager. Your Linux VHD is now ready to be [**uploaded to Azure**](./upload-vhd.md#option-1-upload-a-vhd). +13. Select **Action** > **Shut Down** in Hyper-V Manager. ## Next steps -You're now ready to use your SUSE Linux virtual hard disk to create new virtual machines in Azure. If this is the first time that you're uploading the .vhd file to Azure, see [Create a Linux VM from a custom disk](upload-vhd.md#option-1-upload-a-vhd). +You're now ready to use your SUSE Linux VHD to create new virtual machines in Azure. 
If this is the first time that you're uploading the .vhd file to Azure, see [Create a Linux VM from a custom disk](upload-vhd.md#option-1-upload-a-vhd). |
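Review bot: In the repository hunk, `sudo rm -f ~/.bash_history` sits between the two `zypper ar` commands and again between `zypper mr -e [NUMBER OF REPOSITORY]` and `zypper up kernel-default`; it has nothing to do with adding or enabling repositories and would silently wipe the user's shell history in the middle of the procedure. Remove it from both blocks and keep history cleanup only in the deprovisioning step, where the page explains why it is done.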
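Review bot: In the `/etc/sudoers` hunk, the `output` block lists `Defaults targetpw` followed by `sudo rm -f ~/.bash_history`; the second line is a shell command, not a sudoers directive, so "comment out or remove the following lines" cannot apply to it, and the fence opened for this block is never closed before step 9. Drop the stray command and close the fence so steps 9 and 10 render as list items again.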
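Review bot: In the `/etc/waagent.conf` hunk, the surrounding text says the agent will configure swap on the resource disk, but the block sets `ResourceDisk.Format=n` and contains no `ResourceDisk.EnableSwap` line, so no swap will be created; `sudo rm -f ~/.bash_history` between the two settings is also not a valid configuration entry. The block should read `ResourceDisk.Format=y`, `ResourceDisk.EnableSwap=y`, `ResourceDisk.SwapSizeMB=2048`, with the shell command removed.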
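Review bot: In the deprovision hunk, the rewritten block drops `sudo -i`, so `sudo rm -f ~/.bash_history # Remove root user history` no longer removes root's history: `~` is expanded by the invoking user's shell before sudo runs, so it deletes the same file as the first line. `sudo export HISTSIZE=0` also fails, because `export` is a shell builtin rather than an executable. Use `sudo rm -f /root/.bash_history` and a plain `export HISTSIZE=0` (or `unset HISTFILE`) in the invoking shell.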
virtual-machines | Tutorial Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/tutorial-disaster-recovery.md | If you don't have an Azure subscription, create a [free account](https://azure.m **Name** | **Public cloud** | **Government cloud** | **Details** | | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net`| Write data from the VM to the cache storage account in the source region. - Azure AD | `login.microsoftonline.com` | `login.microsoftonline.us`| Authorize and authenticate to Site Recovery service URLs. + Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us`| Authorize and authenticate to Site Recovery service URLs. Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.com` |VM communication with the Site Recovery service. Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | VM writes to Site Recovery for monitoring and diagnostic data. If you don't have an Azure subscription, create a [free account](https://azure.m **Tag** | **Allow** | Storage tag | Allows data to be written from the VM to the cache storage account.- Azure AD tag | Allows access to all IP addresses that correspond to Azure AD. + Microsoft Entra ID tag | Allows access to all IP addresses that correspond to Microsoft Entra ID. Events Hub tag | Allows access to Site Recovery monitoring. Azure Site Recovery tag | Allows access to the Site Recovery service in any region. GuestAndHybridManagement | Use if you want to automatically upgrade the Site Recovery Mobility agent that's running on VMs enabled for replication. If you want to enable disaster recovery on an existing VM, use this procedure. :::image type="content" source="./media/tutorial-disaster-recovery/existing-vm.png" alt-text="Open disaster recovery options for an existing VM."::: 3. 
In **Basics**, if the VM is deployed in an availability zone, you can select disaster recovery between availability zones.-4. In **Target region**, select the region to which you want to replicate the VM. The source and target regions must be in the same Azure Active Directory tenant. +4. In **Target region**, select the region to which you want to replicate the VM. The source and target regions must be in the same Microsoft Entra tenant. :::image type="content" source="./media/tutorial-disaster-recovery/basics.png" alt-text="Set the basic disaster recovery options for a VM."::: |
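Review bot: In the tag table hunk, renaming "Azure AD tag" to "Microsoft Entra ID tag" describes the product, but the identifier a user actually selects in a network security group is still **AzureActiveDirectory** (the service-tags-overview change on this page keeps that name). Consider keeping the literal tag name in the **Tag** column, for example "AzureActiveDirectory tag (Microsoft Entra ID)", so the table matches what appears in the portal.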
virtual-machines | Managed Disks Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/managed-disks-overview.md | description: Overview of Azure managed disks, which handle the storage accounts Previously updated : 08/01/2023 Last updated : 10/12/2023 There are three main disk roles in Azure: the data disk, the OS disk, and the te ### Data disk -A data disk is a managed disk that's attached to a virtual machine to store application data, or other data you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose. Each data disk has a maximum capacity of 32,767 gibibytes (GiB). The size of the virtual machine determines how many data disks you can attach to it and the type of storage you can use to host the disks. +A data disk is a managed disk that's attached to a virtual machine to store application data, or other data you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose. The size of the virtual machine determines how many data disks you can attach to it and the type of storage you can use to host the disks. ### OS disk |
virtual-machines | Migration Classic Resource Manager Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/migration-classic-resource-manager-overview.md | These classic IaaS resources are supported during migration | Service | Configuration | | | |-| Azure AD Domain Services | [Virtual networks that contain Azure AD Domain services](../active-directory-domain-services/overview.md) | +| Microsoft Entra Domain Services | [Virtual networks that contain Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) | ## Supported scopes of migration There are four different ways to complete migration of compute, network, and storage resources: |
virtual-machines | Move Virtual Machines Regional Zonal Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/move-virtual-machines-regional-zonal-faq.md | There are a couple of reasons you might not have the permissions. Consider the f ### How is managed identity used? -Managed identity previously known as Managed Service Identity (MSI), is a feature that provides Azure services with an automatically managed identity in Azure AD. This identity is used to access Azure subscriptions and perform various tasks, such as moving resources to Availability Zones. +Managed identity previously known as Managed Service Identity (MSI), is a feature that provides Azure services with an automatically managed identity in Microsoft Entra ID. This identity is used to access Azure subscriptions and perform various tasks, such as moving resources to Availability Zones. - Managed identity is used so that you can access Azure subscriptions to move resources to availability zones. - To move resources using a move collection, you need a system-assigned identity that has access to the subscription containing the resources you want to move. Review the following scenarios where you can or can't retain Public IP addresses ## Next steps -- Learn more about [moving single instance Azure VMs from regional to zonal configuration](../reliability/migrate-vm.md#migration-option-2-vm-regional-to-zonal-move).+- Learn more about [moving single instance Azure VMs from regional to zonal configuration](../reliability/migrate-vm.md#migration-option-2-vm-regional-to-zonal-move). |
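Review bot: The rewritten sentence "Managed identity previously known as Managed Service Identity (MSI), is a feature" still lacks the comma after "identity" that the parenthetical clause needs; since the line is being touched anyway, change it to "Managed identity, previously known as Managed Service Identity (MSI), is a feature". The Next steps change is whitespace-only and can be dropped from the diff.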
virtual-network | Create Peering Different Deployment Models Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-peering-different-deployment-models-subscriptions.md | The steps to create a virtual network peering are different, depending on whethe A virtual network peering cannot be created between two virtual networks deployed through the classic deployment model. This tutorial uses virtual networks that exist in the same region. This tutorial peers virtual networks in the same region. You can also peer virtual networks in different [supported regions](virtual-network-manage-peering.md#cross-region). It's recommended that you familiarize yourself with the [peering requirements and constraints](virtual-network-manage-peering.md#requirements-and-constraints) before peering virtual networks. -When creating a virtual network peering between virtual networks that exist in different subscriptions, the subscriptions can associated to the same Azure Active Directory tenant. If you don't already have an Azure Active Directory tenant, you can quickly [create one](../active-directory/develop/quickstart-create-new-tenant.md?toc=%2fazure%2fvirtual-network%2ftoc.json#create-a-new-azure-ad-tenant). +When creating a virtual network peering between virtual networks that exist in different subscriptions, the subscriptions can associated to the same Microsoft Entra tenant. If you don't already have a Microsoft Entra tenant, you can quickly [create one](../active-directory/develop/quickstart-create-new-tenant.md?toc=%2fazure%2fvirtual-network%2ftoc.json#create-a-new-azure-ad-tenant). You can use the [Azure portal](#portal), the [Azure CLI](#cli), or [Azure PowerShell](#powershell) to create a virtual network peering. Click any of the previous tool links to go directly to the steps for creating a virtual network peering using your tool of choice. This tutorial uses different accounts for each subscription. If you're using an 5. 
In the **myVnetA** blade that appears, click **Access control (IAM)** from the vertical list of options on the left side of the blade. 6. In the **myVnetA - Access control (IAM)** blade that appears, click **+ Add role assignment**. 7. In the **Add role assignment** blade that appears, select **Network contributor** in the **Role** box.-8. In the **Select** box, select UserB, or type UserB's email address to search for it. The list of users shown is from the same Azure Active Directory tenant as the virtual network you're setting up the peering for. Click UserB when it appears in the list. +8. In the **Select** box, select UserB, or type UserB's email address to search for it. The list of users shown is from the same Microsoft Entra tenant as the virtual network you're setting up the peering for. Click UserB when it appears in the list. 9. Click **Save**. 10. Log out of the portal as UserA, then log in as UserB. 11. Click **+ New**, type *Virtual network* in the **Search the Marketplace** box, then click **Virtual network** in the search results. |
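Review bot: The rewritten line "the subscriptions can associated to the same Microsoft Entra tenant" carries over a grammatical error from the original; it should read "can be associated". Since the same sentence in the create-peering-different-subscriptions article says the subscriptions may belong to the same or different tenants, confirm whether "the same" is intended here or whether this article should say "the same or different" as well.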
virtual-network | Create Peering Different Subscriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-peering-different-subscriptions.md | Title: Create a virtual network peering between different subscriptions -description: Learn how to create a virtual network peering between virtual networks created through Resource Manager that exist in different Azure subscriptions in the same or different Azure Active Directory tenant. +description: Learn how to create a virtual network peering between virtual networks created through Resource Manager that exist in different Azure subscriptions in the same or different Microsoft Entra tenant. Last updated 08/23/2023 -# Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants +# Create a virtual network peering - Resource Manager, different subscriptions and Microsoft Entra tenants -In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource Manager. The virtual networks exist in different subscriptions that may belong to different Azure Active Directory (Azure AD) tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other with the same bandwidth and latency as though the resources were in the same virtual network. Learn more about [Virtual network peering](virtual-network-peering-overview.md). +In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource Manager. The virtual networks exist in different subscriptions that may belong to different Microsoft Entra tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other with the same bandwidth and latency as though the resources were in the same virtual network. Learn more about [Virtual network peering](virtual-network-peering-overview.md). 
Depending on whether, the virtual networks are in the same, or different subscriptions the steps to create a virtual network peering are different. Steps to peer networks created with the classic deployment model are different. For more information about deployment models, see [Azure deployment model](../azure-resource-manager/management/deployment-models.md?toc=%2fazure%2fvirtual-network%2ftoc.json). This tutorial peers virtual networks in the same region. You can also peer virtu - To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription. - - For more information about guest users, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory). + - For more information about guest users, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory). - - Each user must accept the guest user invitation from the opposite Azure Active Directory tenant. + - Each user must accept the guest user invitation from the opposite Microsoft Entra tenant. - Sign-in to the [Azure portal](https://portal.azure.com). This tutorial peers virtual networks in the same region. You can also peer virtu - To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. 
Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription. - - For more information about guest users, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory). + - For more information about guest users, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory). - - Each user must accept the guest user invitation from the opposite Azure Active Directory tenant. + - Each user must accept the guest user invitation from the opposite Microsoft Entra tenant. - Azure PowerShell installed locally or Azure Cloud Shell. If you choose to install and use PowerShell locally, this article requires the A - To establish a network peering when you don't intend to separate the duty of managing the network belonging to each tenant, add the user from tenant A as a guest in the opposite tenant. Then, assign them the Network Contributor role to initiate and connect the network peering from each subscription. With these permissions, the user is able to establish the network peering from each subscription. - - For more information about guest users, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory). + - For more information about guest users, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory). 
- - Each user must accept the guest user invitation from the opposite Azure Active Directory tenant. + - Each user must accept the guest user invitation from the opposite Microsoft Entra tenant. [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)] If you choose to install and use PowerShell locally, this article requires the A -In the following steps, learn how to peer virtual networks in different subscriptions and Azure Active Directory tenants. +In the following steps, learn how to peer virtual networks in different subscriptions and Microsoft Entra tenants. You can use the same account that has permissions in both subscriptions or you can use separate accounts for each subscription to set up the peering. An account with permissions in both subscriptions can complete all of the steps without signing out and signing in to portal and assigning permissions. |
virtual-network | Public Ip Upgrade Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/public-ip-upgrade-vm.md | PS C:\> Install-Module -Name AzureVMPublicIPUpgrade -Scope CurrentUser -Reposito ## Use the module -1. Use `Connect-AzAccount` to connect to the required Azure AD tenant and Azure subscription +1. Use `Connect-AzAccount` to connect to the required Microsoft Entra tenant and Azure subscription ```powershell PS C:\> Connect-AzAccount -Tenant <TenantId> -Subscription <SubscriptionId> |
virtual-network | Migrate Classic Vnet Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/migrate-classic-vnet-powershell.md | The following scenarios are supported for a classic to Resource Manager migratio * Classic Virtual Networks with one availability set per cloud service at the most. -* Classic Virtual Networks that contain Azure AD Domain services. +* Classic Virtual Networks that contain Microsoft Entra Domain Services. * Classic Virtual Networks with a single VPN gateway or a single Express Route circuit. |
virtual-network | Service Tags Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/service-tags-overview.md | By default, service tags reflect the ranges for the entire cloud. Some service t | **AppService** | Azure App Service. This tag is recommended for outbound security rules to web apps and Function apps.<br/><br/>**Note**: This tag doesn't include IP addresses assigned when using IP-based SSL (App-assigned address). | Outbound | Yes | Yes | | **AppServiceManagement** | Management traffic for deployments dedicated to App Service Environment. | Both | No | Yes | | **AutonomousDevelopmentPlatform** | Autonomous Development Platform | Both | Yes | Yes |-| **AzureActiveDirectory** | Azure Active Directory. | Outbound | No | Yes | -| **AzureActiveDirectoryDomainServices** | Management traffic for deployments dedicated to Azure Active Directory Domain Services. | Both | No | Yes | +| **AzureActiveDirectory** | Microsoft Entra ID. | Outbound | No | Yes | +| **AzureActiveDirectoryDomainServices** | Management traffic for deployments dedicated to Microsoft Entra Domain Services. | Both | No | Yes | | **AzureAdvancedThreatProtection** | Azure Advanced Threat Protection. | Outbound | No | Yes | | **AzureArcInfrastructure** | Azure Arc-enabled servers, Azure Arc-enabled Kubernetes, and Guest Configuration traffic.<br/><br/>**Note**: This tag has a dependency on the **AzureActiveDirectory**,**AzureTrafficManager**, and **AzureResourceManager** tags. | Outbound | No | Yes | | **AzureAttestation** | Azure Attestation. | Outbound | No | Yes | By default, service tags reflect the ranges for the entire cloud. Some service t | **LogicApps** | Logic Apps. | Both | No | Yes | | **LogicAppsManagement** | Management traffic for Logic Apps. | Inbound | No | Yes | | **Marketplace** | Represents the entire suite of Azure 'Commercial Marketplace Experiences' services. 
| Both | No | Yes |-| **M365ManagementActivityApi** | The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs. Customers and partners can use this information to create new or enhance existing operations, security, and compliance-monitoring solutions for the enterprise.<br/><br/>**Note**: This tag has a dependency on the **AzureActiveDirectory** tag. | Outbound | Yes | Yes | +| **M365ManagementActivityApi** | The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Microsoft Entra activity logs. Customers and partners can use this information to create new or enhance existing operations, security, and compliance-monitoring solutions for the enterprise.<br/><br/>**Note**: This tag has a dependency on the **AzureActiveDirectory** tag. | Outbound | Yes | Yes | | **M365ManagementActivityApiWebhook** | Notifications are sent to the configured webhook for a subscription as new content becomes available. | Inbound | Yes | Yes | | **MicrosoftAzureFluidRelay** | This tag represents the IP addresses used for Azure Microsoft Fluid Relay Server. </br> **Note**: This tag has a dependency on the **AzureFrontDoor.Frontend** tag. | Outbound | No | Yes | | **MicrosoftCloudAppSecurity** | Microsoft Defender for Cloud Apps. | Outbound | No | Yes | |
virtual-network | Virtual Network For Azure Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-for-azure-services.md | Deploying services within a virtual network provides the following capabilities: | Network | [Application Gateway - WAF](../application-gateway/application-gateway-ilb-arm.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure Bastion](../bastion/bastion-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure Firewall](../firewall/overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) <br/>[Azure Route Server](../route-server/overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[ExpressRoute Gateway](../expressroute/expressroute-about-virtual-network-gateways.md)<br/>[Network Virtual Appliances](/windows-server/networking/sdn/manage/use-network-virtual-appliances-on-a-vn)<br/>[VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md?toc=%2fazure%2fvirtual-network%2ftoc.json) | Yes <br/> Yes <br/> Yes <br/> Yes <br/> Yes <br/> No <br/> Yes |Data|[RedisCache](../azure-cache-for-redis/cache-how-to-premium-vnet.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure SQL Managed Instance](/azure/azure-sql/managed-instance/connectivity-architecture-overview?toc=%2fazure%2fvirtual-network%2ftoc.json) </br> [Azure Database for MySQL - Flexible Server](../mysql/flexible-server/concepts-networking-vnet.md) </br> [Azure Database for PostgreSQL - Flexible Server](../postgresql/flexible-server/concepts-networking.md#private-access-vnet-integration)| Yes <br/> Yes <br/> Yes </br> Yes | |Analytics | [Azure HDInsight](../hdinsight/hdinsight-plan-virtual-network-deployment.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure Databricks](/azure/databricks/scenarios/what-is-azure-databricks?toc=%2fazure%2fvirtual-network%2ftoc.json) |No<sup>2</sup> <br/> No<sup>2</sup> <br/> -| Identity | [Azure Active Directory Domain 
Services](../active-directory-domain-services/tutorial-create-instance.md?toc=%2fazure%2fvirtual-network%2ftoc.json) |No <br/> +| Identity | [Microsoft Entra Domain Services](../active-directory-domain-services/tutorial-create-instance.md?toc=%2fazure%2fvirtual-network%2ftoc.json) |No <br/> | Containers | [Azure Kubernetes Service (AKS)](../aks/concepts-network.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure Container Instance (ACI)](https://www.aka.ms/acivnet)<br/>[Azure Container Service Engine](https://github.com/Azure/acs-engine) with Azure Virtual Network CNI [plug-in](https://github.com/Azure/acs-engine/tree/master/examples/vnet)<br/>[Azure Functions](../azure-functions/functions-networking-options.md#virtual-network-integration) |No<sup>2</sup><br/> Yes <br/> No <br/> Yes | Web | [API Management](../api-management/api-management-using-with-vnet.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Web Apps](../app-service/overview-vnet-integration.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[App Service Environment](../app-service/overview-vnet-integration.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure Logic Apps](../logic-apps/connect-virtual-network-vnet-isolated-environment-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure Container Apps environments](../container-apps/networking.md)<br/>|Yes <br/> Yes <br/> Yes <br/> Yes <br/> Yes | Hosted | [Azure Dedicated HSM](../dedicated-hsm/index.yml?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>[Azure NetApp Files](../azure-netapp-files/azure-netapp-files-introduction.md?toc=%2fazure%2fvirtual-network%2ftoc.json)<br/>|Yes <br/> Yes <br/> |
virtual-network | Virtual Network Manage Peering | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-manage-peering.md | Before creating a peering, familiarize yourself with the [requirements and const | Peering link name | The name of the peering from the remote virtual network. The name must be unique within the virtual network. | | Virtual network deployment model | Select which deployment model the virtual network you want to peer with was deployed through. | | I know my resource ID | If you have read access to the virtual network you want to peer with, leave this checkbox unchecked. If you don't have read access to the virtual network or subscription you want to peer with, select this checkbox. |- | Resource ID | This field appears when you check **I know my resource ID** checkbox. The resource ID you enter must be for a virtual network that exists in the same, or [supported different](#requirements-and-constraints) Azure [region](https://azure.microsoft.com/regions) as this virtual network. </br></br> The full resource ID looks similar to `/subscriptions/<Id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>`. </br></br> You can get the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view the properties for a virtual network, see [Manage virtual networks](manage-virtual-network.md#view-virtual-networks-and-settings). User permissions must be assigned if the subscription is associated to a different Azure Active Directory tenant than the subscription with the virtual network you're peering. Add a user from each tenant as a [guest user](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory) in the opposite tenant. + | Resource ID | This field appears when you check **I know my resource ID** checkbox. 
The resource ID you enter must be for a virtual network that exists in the same, or [supported different](#requirements-and-constraints) Azure [region](https://azure.microsoft.com/regions) as this virtual network. </br></br> The full resource ID looks similar to `/subscriptions/<Id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>`. </br></br> You can get the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view the properties for a virtual network, see [Manage virtual networks](manage-virtual-network.md#view-virtual-networks-and-settings). User permissions must be assigned if the subscription is associated to a different Microsoft Entra tenant than the subscription with the virtual network you're peering. Add a user from each tenant as a [guest user](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory) in the opposite tenant. | Subscription | Select the [subscription](../azure-glossary-cloud-terminology.md#subscription) of the virtual network you want to peer with. One or more subscriptions are listed, depending on how many subscriptions your account has read access to. If you checked the **I know my resource ID** checkbox, this setting isn't available. | | Virtual network | Select the virtual network you want to peer with. You can select a virtual network created through either Azure deployment model. If you want to select a virtual network in a different region, you must select a virtual network in a [supported region](#cross-region). You must have read access to the virtual network for it to be visible in the list. If a virtual network is listed, but grayed out, it may be because the address space for the virtual network overlaps with the address space for this virtual network. If virtual network address spaces overlap, they can't be peered. 
If you checked the **I know my resource ID** checkbox, this setting isn't available. | | Allow 'vnet-2' to access 'vnet-1' | By **default**, this option is selected. </br></br> - Select **Allow 'vnet-2' to access 'vnet-1'** if you want to enable communication between the two virtual networks through the default `VirtualNetwork` flow. Enabling communication between virtual networks allows resources that are connected to either virtual network to communicate with each other over the Azure private network. The **VirtualNetwork** service tag for network security groups encompasses the virtual network and peered virtual network when this setting is set to **Selected**. To learn more about service tags, see [Azure service tags](./service-tags-overview.md). | az network vnet peering delete \ - You can use remote gateways or allow gateway transit in globally peered virtual networks and locally peered virtual networks. -- The virtual networks can be in the same, or different [subscriptions](#next-steps). When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant. If you don't already have an AD tenant, you can [create one](../active-directory/develop/quickstart-create-new-tenant.md).+- The virtual networks can be in the same, or different [subscriptions](#next-steps). When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Microsoft Entra tenant. If you don't already have an AD tenant, you can [create one](../active-directory/develop/quickstart-create-new-tenant.md). - The virtual networks you peer must have nonoverlapping IP address spaces. |
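Review bot: In the requirements hunk, the first sentence is renamed to "Microsoft Entra tenant" but the next sentence still says "If you don't already have an AD tenant"; rename it too so the bullet uses one product name.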
virtual-network | Virtual Network Peering Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-peering-overview.md | The benefits of using virtual network peering, whether local or global, include: * The ability for resources in one virtual network to communicate with resources in a different virtual network. -* The ability to transfer data between virtual networks across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions. +* The ability to transfer data between virtual networks across Azure subscriptions, Microsoft Entra tenants, deployment models, and Azure regions. * The ability to peer virtual networks created through the Azure Resource Manager. |
virtual-network | Virtual Network Service Endpoint Policies Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-service-endpoint-policies-overview.md | Let's take a quick look at the Service Endpoint Policy object. - RA-GRS secondary access is automatically allowed if the primary account is listed. -- Storage accounts can be in the same or a different subscription or Azure Active Directory tenant as the virtual network.+- Storage accounts can be in the same or a different subscription or Microsoft Entra tenant as the virtual network. ## Scenarios No centralized logging is available for service endpoint policies. For service r A user with write access to a virtual network configures service endpoint policies on subnets. Learn more about Azure [built-in roles](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json) and assigning specific permissions to [custom roles](../role-based-access-control/custom-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json). -Virtual networks and Azure Storage accounts can be in the same or different subscriptions, or Azure Active Directory tenants. +Virtual networks and Azure Storage accounts can be in the same or different subscriptions, or Microsoft Entra tenants. ## Limitations Virtual networks and Azure Storage accounts can be in the same or different subs - You can't use service endpoint policies for traffic from your on-premises network to Azure services. -- Azure managed services other than Azure SQL Managed Instance don't currently support endpoint policies. 
This limitation includes managed services deployed into shared subnets (such as *Azure Batch, Azure AD DS, Azure Application Gateway, Azure VPN Gateway, Azure Firewall*) or into dedicated subnets (such as *Azure App Service Environment, Azure Redis Cache, Azure API Management, classic managed services*).+- Azure managed services other than Azure SQL Managed Instance don't currently support endpoint policies. This limitation includes managed services deployed into shared subnets (such as *Azure Batch, Microsoft Entra Domain Services, Azure Application Gateway, Azure VPN Gateway, Azure Firewall*) or into dedicated subnets (such as *Azure App Service Environment, Azure Redis Cache, Azure API Management, classic managed services*). > [!WARNING] > Azure services deployed into your virtual network, such as Azure HDInsight, access other Azure services, such as Azure Storage, for infrastructure requirements. Restricting endpoint policy to specific resources could break access to these infrastructure resources for the Azure services deployed in your virtual network. |
virtual-network | Virtual Network Service Endpoints Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-service-endpoints-overview.md | Service endpoints provide the following benefits: - The feature is available only to virtual networks deployed through the Azure Resource Manager deployment model. - Endpoints are enabled on subnets configured in Azure virtual networks. Endpoints can't be used for traffic from your on-premises services to Azure services. For more information, see [Secure Azure service access from on-premises](#secure-azure-services-to-virtual-networks) - For Azure SQL, a service endpoint applies only to Azure service traffic within a virtual network's region.-- For Azure Data Lake Storage (ADLS) Gen 1, the VNet Integration capability is only available for virtual networks within the same region. Also note that virtual network integration for ADLS Gen1 uses the virtual network service endpoint security between your virtual network and Azure Active Directory (Azure AD) to generate extra security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access. The *Microsoft.AzureActiveDirectory* tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Azure AD doesn't support service endpoints natively. For more information about Azure Data Lake Store Gen 1 VNet integration, see [Network security in Azure Data Lake Storage Gen1](../data-lake-store/data-lake-store-network-security.md?toc=%2fazure%2fvirtual-network%2ftoc.json).+- For Azure Data Lake Storage (ADLS) Gen 1, the VNet Integration capability is only available for virtual networks within the same region. 
Also note that virtual network integration for ADLS Gen1 uses the virtual network service endpoint security between your virtual network and Microsoft Entra ID to generate extra security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access. The *Microsoft.AzureActiveDirectory* tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Microsoft Entra ID doesn't support service endpoints natively. For more information about Azure Data Lake Store Gen 1 VNet integration, see [Network security in Azure Data Lake Storage Gen1](../data-lake-store/data-lake-store-network-security.md?toc=%2fazure%2fvirtual-network%2ftoc.json). - A virtual network can be associated with up to 200 different subscriptions and regions by each supported service with active VNet rules configured. ## Secure Azure services to virtual networks |
virtual-network | Virtual Network Tap Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-tap-overview.md | The following diagram shows how virtual network TAP works. You can add a TAP con Before you can create a virtual network TAP, ensure you've received the confirmation email that you're enrolled in the preview. You must have one or more virtual machines created with [Azure Resource Manager](../azure-resource-manager/management/overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) and a partner solution for aggregating the TAP traffic in the same Azure region. If you don't have a partner solution in your virtual network, see [partner solutions](#virtual-network-tap-partner-solutions) to deploy one. -You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions. If the monitored network interfaces are in different subscriptions, the subscriptions must be associated to the same Azure Active Directory tenant. Additionally, the monitored network interfaces and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the same region. If you're using this deployment model, ensure that the [virtual network peering](virtual-network-peering-overview.md) is enabled before you configure virtual network TAP. +You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions. If the monitored network interfaces are in different subscriptions, the subscriptions must be associated to the same Microsoft Entra tenant. Additionally, the monitored network interfaces and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the same region. 
If you're using this deployment model, ensure that the [virtual network peering](virtual-network-peering-overview.md) is enabled before you configure virtual network TAP. ## Permissions |
virtual-network | Virtual Network Troubleshoot Cannot Delete Vnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-troubleshoot-cannot-delete-vnet.md | You might receive errors when you try to delete a virtual network in Microsoft A 1. [Check whether a virtual network gateway is running in the virtual network](#check-whether-a-virtual-network-gateway-is-running-in-the-virtual-network). 2. [Check whether an application gateway is running in the virtual network](#check-whether-an-application-gateway-is-running-in-the-virtual-network). 3. [Check whether Azure container instances still exist in the virtual network](#check-whether-azure-container-instances-still-exist-in-the-virtual-network).-4. [Check whether Azure Active Directory Domain Service is enabled in the virtual network](#check-whether-azure-active-directory-domain-service-is-enabled-in-the-virtual-network). +4. [Check whether Microsoft Entra Domain Service is enabled in the virtual network](#check-whether-azure-active-directory-domain-service-is-enabled-in-the-virtual-network). 5. [Check whether the virtual network is connected to other resource](#check-whether-the-virtual-network-is-connected-to-other-resource). 6. [Check whether a virtual machine is still running in the virtual network](#check-whether-a-virtual-machine-is-still-running-in-the-virtual-network). 7. [Check whether the virtual network is stuck in migration](#check-whether-the-virtual-network-is-stuck-in-migration). If there is an application gateway, you must remove it before you can delete the If these steps don't resolve the issue, use these [Azure CLI commands](../container-instances/container-instances-vnet.md#clean-up-resources) to clean up resources. 
-### Check whether Azure Active Directory Domain Service is enabled in the virtual network +<a name='check-whether-azure-active-directory-domain-service-is-enabled-in-the-virtual-network'></a> ++### Check whether Microsoft Entra Domain Service is enabled in the virtual network If the Active Directory Domain Service is enabled and connected to the virtual network, you cannot delete this virtual network. -![Screenshot of the Azure AD Domain Services screen in Azure portal. The Available in Virtual Network/Subnet field is highlighted.](media/virtual-network-troubleshoot-cannot-delete-vnet/enable-domain-services.png) +![Screenshot of the Microsoft Entra Domain Services screen in Azure portal. The Available in Virtual Network/Subnet field is highlighted.](media/virtual-network-troubleshoot-cannot-delete-vnet/enable-domain-services.png) -To disable the service, see [Disable Azure Active Directory Domain Services using the Azure portal](../active-directory-domain-services/delete-aadds.md). +To disable the service, see [Disable Microsoft Entra Domain Services using the Azure portal](../active-directory-domain-services/delete-aadds.md). ### Check whether the virtual network is connected to other resource |
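Review bot: The body sentence under the renamed heading was missed: "If the Active Directory Domain Service is enabled and connected to the virtual network, you cannot delete this virtual network." still uses the old name while the heading, the image alt text and the link were all updated. The new heading and the step-4 link text also use the singular "Microsoft Entra Domain Service", whereas the alt text and the "Disable Microsoft Entra Domain Services" link use the plural product name; suggest "Microsoft Entra Domain Services" in all three places. Keeping the explicit `<a name='check-whether-azure-active-directory-domain-service-is-enabled-in-the-virtual-network'></a>` anchor above the renamed heading is the right call, since the step-4 link in the list still targets that fragment.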
virtual-network | Virtual Network Troubleshoot Peering Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-troubleshoot-peering-issues.md | To configure virtual network peering for the virtual networks that are in the sa > * SQL Server Always On (uses Basic ILB SKU) > * Azure App Service Environment for Power Apps (uses Basic ILB SKU) > * Azure API Management (uses Basic ILB SKU)-> * Azure Active Directory Domain Services (Azure AD DS) (uses Basic ILB SKU) +> * Microsoft Entra Domain Services (uses Basic ILB SKU) For more information, see the [requirements and constraints](./virtual-network-peering-overview.md#requirements-and-constraints) of global peering. Transit over global virtual network peering is now supported. Connectivity does * SQL Server Always On (uses Basic ILB SKU) * App Service Environment (uses Basic ILB SKU) * API Management (uses Basic ILB SKU)-* Azure AD DS (uses Basic ILB SKU) +* Microsoft Entra Domain Services (uses Basic ILB SKU) To learn more about global peering requirements and restraints, see [Virtual network peering](./virtual-network-peering-overview.md#requirements-and-constraints). To troubleshoot this issue: > * SQL Server Always On (uses Basic ILB SKU) > * App Service Environment (uses Basic ILB SKU) > * API Management (uses Basic ILB SKU)- > * Azure AD DS (uses Basic ILB SKU) + > * Microsoft Entra Domain Services (uses Basic ILB SKU) For more information, see the [requirements and constraints](./virtual-network-peering-overview.md#requirements-and-constraints) of global peering. Transit over global virtual network peering is now supported. 
Connectivity doesn * SQL Server Always On (uses Basic ILB SKU) * App Service Environment (uses Basic ILB SKU) * API Management (uses Basic ILB SKU)-* Azure AD DS (uses Basic ILB SKU) +* Microsoft Entra Domain Services (uses Basic ILB SKU) For more information, see the [requirements and constraints](./virtual-network-peering-overview.md#requirements-and-constraints) of global peering and [Different VPN Topologies](/archive/blogs/igorpag/hubspoke-daisy-chain-and-full-mesh-vnet-topologies-in-azure-arm-v2). There are two ways to resolve the issue: ## Next steps -* [Troubleshooting connectivity problems between Azure VMs](./virtual-network-troubleshoot-connectivity-problem-between-vms.md) +* [Troubleshooting connectivity problems between Azure VMs](./virtual-network-troubleshoot-connectivity-problem-between-vms.md) |
virtual-network | Virtual Network Vnet Plan Design Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-vnet-plan-design-arm.md | You can connect a virtual network to other virtual networks using virtual networ ### Peering -When using [virtual network peering](virtual-network-peering-overview.md), the virtual networks can be in the same, or different, supported Azure regions. The virtual networks can be in the same or different Azure subscriptions (even subscriptions belonging to different Azure Active Directory tenants). Before creating a peering, it's recommended that you familiarize yourself with all of the peering [requirements and constraints](virtual-network-manage-peering.md#requirements-and-constraints). Bandwidth between resources in virtual networks peered in the same region is the same as if the resources were in the same virtual network. +When using [virtual network peering](virtual-network-peering-overview.md), the virtual networks can be in the same, or different, supported Azure regions. The virtual networks can be in the same or different Azure subscriptions (even subscriptions belonging to different Microsoft Entra tenants). Before creating a peering, it's recommended that you familiarize yourself with all of the peering [requirements and constraints](virtual-network-manage-peering.md#requirements-and-constraints). Bandwidth between resources in virtual networks peered in the same region is the same as if the resources were in the same virtual network. 
### VPN gateway Policies are applied to the following hierarchy: management group, subscription, ## Next steps -Learn about all tasks, settings, and options for a [virtual network](manage-virtual-network.md), [subnet and service endpoint](virtual-network-manage-subnet.md), [network interface](virtual-network-network-interface.md), [peering](virtual-network-manage-peering.md), [network and application security group](manage-network-security-group.md), or [route table](manage-route-table.md). +Learn about all tasks, settings, and options for a [virtual network](manage-virtual-network.md), [subnet and service endpoint](virtual-network-manage-subnet.md), [network interface](virtual-network-network-interface.md), [peering](virtual-network-manage-peering.md), [network and application security group](manage-network-security-group.md), or [route table](manage-route-table.md). |
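Review bot: The "Next steps" line in this file is removed and re-added with no visible difference between the `-` and `+` text, so this looks like a whitespace-only change (the same pattern appears in the peering-issues file's "Troubleshooting connectivity problems between Azure VMs" bullet). If it is only trailing whitespace, consider dropping it from the rename commit so the diff shows terminology changes only.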
virtual-network | Virtual Networks Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-faq.md | The following resources can use basic load balancers, which means you can't reac * Azure Application Gateway v1 * Azure Service Fabric * Azure API Management stv1-* Azure Active Directory Domain Services (AD DS) +* Microsoft Entra Domain Services * Azure Logic Apps * Azure HDInsight * Azure Batch |
virtual-network | Virtual Networks Viewing And Modifying Hostnames | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-viewing-and-modifying-hostnames.md | You can connect to your VM using a remote desktop tool like Remote Desktop (Wind ### Azure API From a REST client, follow these instructions: -1. Ensure that you have an authenticated connection to the Azure portal. Follow the steps presented in [Create an Azure Active Directory application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal). +1. Ensure that you have an authenticated connection to the Azure portal. Follow the steps presented in [Create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal). 2. Send a request in the following format: ```http |
virtual-wan | About Nva Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/about-nva-hub.md | NVA Partners may create different resources depending on their appliance deploym ### Managed resource group permissions -By default, all managed resource groups have a deny-all Azure Active Directory assignment. Deny-all assignments prevent customers from calling write operations on any resources in the managed resource group, including Network Virtual Appliance resources. +By default, all managed resource groups have a deny-all Microsoft Entra assignment. Deny-all assignments prevent customers from calling write operations on any resources in the managed resource group, including Network Virtual Appliance resources. However, partners may create exceptions for specific actions that customers are allowed to perform on resources deployed in managed resource groups. |
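Review bot: "deny-all Microsoft Entra assignment" inherits the imprecision of the old "Azure Active Directory assignment": the sentence describes preventing write operations on resources in the managed resource group, which is the Azure resource-level deny assignment mechanism, not a Microsoft Entra directory construct. Suggest "By default, all managed resource groups have a deny-all deny assignment" (or "Azure RBAC deny assignment") so readers do not look for this setting in the directory.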
virtual-wan | Azure Vpn Client Optional Configurations Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/azure-vpn-client-optional-configurations-windows.md | Modify the downloaded profile xml file and add the **\<dnsservers>\<dnsserver> \ ``` > [!NOTE]-> The OpenVPN Azure AD client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of `ipconfig /all`. To confirm your in-use DNS settings, please consult [Get-DnsClientNrptPolicy](/powershell/module/dnsclient/get-dnsclientnrptpolicy) in PowerShell. +> The OpenVPN Microsoft Entra client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of `ipconfig /all`. To confirm your in-use DNS settings, please consult [Get-DnsClientNrptPolicy](/powershell/module/dnsclient/get-dnsclientnrptpolicy) in PowerShell. > ## Routing Modify the downloaded profile xml file and add the **\<excluderoutes>\<route>\<d ## Next steps -For more information, see [Create an Azure Active Directory tenant for P2S Open VPN connections that use Azure AD authentication](openvpn-azure-ad-tenant.md). +For more information, see [Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication](openvpn-azure-ad-tenant.md). |
virtual-wan | Manage Secure Access Resources Spoke P2s | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/manage-secure-access-resources-spoke-p2s.md | The steps in this article help you create the architecture in the following diag [!INCLUDE [Prerequisites](../../includes/virtual-wan-before-include.md)] -* You have the values available for the authentication configuration that you want to use. For example, a RADIUS server, Azure Active Directory authentication, or [Generate and export certificates](certificates-point-to-site.md). +* You have the values available for the authentication configuration that you want to use. For example, a RADIUS server, Microsoft Entra authentication, or [Generate and export certificates](certificates-point-to-site.md). ## Create a virtual WAN The point-to-site (P2S) configuration defines the parameters for connecting remo When selecting the authentication method, you have three choices. Each method has specific requirements. Select one of the following methods, and then complete the steps. -* **Azure Active Directory authentication:** Obtain the following: +* **Microsoft Entra authentication:** Obtain the following: - * The **Application ID** of the Azure VPN Enterprise Application registered in your Azure AD tenant. + * The **Application ID** of the Azure VPN Enterprise Application registered in your Microsoft Entra tenant. * The **Issuer**. Example: `https://sts.windows.net/your-Directory-ID`.- * The **Azure AD tenant**. Example: `https://login.microsoftonline.com/your-Directory-ID`. + * The **Microsoft Entra tenant**. Example: `https://login.microsoftonline.com/your-Directory-ID`. * **Radius-based authentication:** Obtain the Radius server IP, Radius server secret, and certificate information. |
virtual-wan | Openvpn Azure Ad Client Mac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/openvpn-azure-ad-client-mac.md | Title: 'Configure VPN clients for P2S OpenVPN protocol connections: Azure AD authentication: macOS: Preview' -description: 'Preview: Learn how to configure a macOS VPN client to connect to a virtual network using point-to-site VPN and Azure Active Directory authentication.' + Title: 'Configure VPN clients for P2S OpenVPN protocol connections: Microsoft Entra authentication: macOS: Preview' +description: 'Preview: Learn how to configure a macOS VPN client to connect to a virtual network using point-to-site VPN and Microsoft Entra authentication.' Last updated 05/14/2021 -# Azure Active Directory authentication: Configure VPN clients for P2S OpenVPN protocol connections - macOS +# Microsoft Entra authentication: Configure VPN clients for P2S OpenVPN protocol connections - macOS -This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md). +This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Microsoft Entra authentication. Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md). > [!NOTE] > * The Azure VPN Client may not be available in all regions due to local regulations.-> * Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN client. 
+> * Microsoft Entra authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN client. > For every computer that you want to connect to a VNet using a Point-to-Site VPN connection, you need to do the following: If you want to configure multiple computers, you can create a client profile on ## Prerequisites -Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md). +Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md). ## <a name="download"></a>To download the Azure VPN client Before you can connect and authenticate using Azure AD, you must first configure * **Certificate Information:** The certificate CA. * **Server Secret:** The server secret. * **Client Authentication**- * **Authentication Type:** Azure Active Directory + * **Authentication Type:** Microsoft Entra ID * **Tenant:** Name of the tenant. * **Issuer:** Name of the issuer. 1. After filling in the fields, click **Save**. You can remove the VPN connection profile from your computer. ## Next steps -For more information, see [Create an Azure Active Directory tenant for P2S Open VPN connections that use Azure AD authentication](openvpn-azure-ad-tenant.md). +For more information, see [Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication](openvpn-azure-ad-tenant.md). |
virtual-wan | Openvpn Azure Ad Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/openvpn-azure-ad-client.md | Title: 'VPN client for OpenVPN protocol P2S connections: Azure AD authentication' + Title: 'VPN client for OpenVPN protocol P2S connections: Microsoft Entra authentication' -description: Learn how to use P2S VPN to connect to your VNet using Azure AD authentication. +description: Learn how to use P2S VPN to connect to your VNet using Microsoft Entra authentication. Last updated 07/28/2023 -# Configure a VPN client for P2S OpenVPN protocol connections: Azure AD authentication +# Configure a VPN client for P2S OpenVPN protocol connections: Microsoft Entra authentication -This article helps you configure a VPN client to connect using point-to-site VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md). +This article helps you configure a VPN client to connect using point-to-site VPN and Microsoft Entra authentication. Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md). > [!NOTE]-> Azure AD authentication is supported only for OpenVPN® protocol connections. +> Microsoft Entra authentication is supported only for OpenVPN® protocol connections. > ## <a name="profile"></a>Working with client profiles You can configure optional settings for the Azure VPN Client, such as forced tun ## Next steps -For more information, see [Create an Azure Active Directory tenant for P2S Open VPN connections that use Azure AD authentication](openvpn-azure-ad-tenant.md). 
+For more information, see [Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication](openvpn-azure-ad-tenant.md). |
virtual-wan | Openvpn Azure Ad Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/openvpn-azure-ad-mfa.md | Title: 'Enable MFA for VPN users by using Azure AD authentication' -description: Learn how to enable Azure AD Multi-Factor Authentication (MFA) for VPN users by using Azure AD authentication. + Title: 'Enable MFA for VPN users by using Microsoft Entra authentication' +description: Learn how to enable Microsoft Entra multifactor authentication (MFA) for VPN users by using Microsoft Entra authentication. Last updated 08/23/2023 -# Enable Azure AD Multi-Factor Authentication (MFA) for VPN users by using Azure AD authentication +# Enable Microsoft Entra multifactor authentication (MFA) for VPN users by using Microsoft Entra authentication [!INCLUDE [overview](../../includes/vpn-gateway-vwan-openvpn-enable-mfa-overview.md)] -To connect to your virtual network, you must create and configure a VPN client profile. See [Configure Azure AD authentication for Point-to-Site connection to Azure](virtual-wan-point-to-site-azure-ad.md). +To connect to your virtual network, you must create and configure a VPN client profile. See [Configure Microsoft Entra authentication for Point-to-Site connection to Azure](virtual-wan-point-to-site-azure-ad.md). |
virtual-wan | Openvpn Azure Ad Tenant Multi App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/openvpn-azure-ad-tenant-multi-app.md | Title: 'Virtual WAN: Azure AD tenant for different user groups: Azure AD authentication' -description: Set up an Azure AD tenant for P2S OpenVPN authentication, and create and register multiple apps in Azure AD to allow different access for different users and groups. + Title: 'Virtual WAN: Microsoft Entra tenant for different user groups: Microsoft Entra authentication' +description: Set up a Microsoft Entra tenant for P2S OpenVPN authentication, and create and register multiple apps in Microsoft Entra ID to allow different access for different users and groups. Last updated 04/24/2023 -# Create an Azure Active Directory (AD) tenant for P2S OpenVPN protocol connections +# Create a Microsoft Entra tenant for P2S OpenVPN protocol connections -When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the Open VPN protocol, you can also use Azure Active Directory authentication. If you want different set of users to be able to connect to different gateways, you can register multiple apps in AD and link them to different gateways. +When connecting to your VNet, you can use certificate-based authentication or RADIUS authentication. However, when you use the Open VPN protocol, you can also use Microsoft Entra authentication. If you want different set of users to be able to connect to different gateways, you can register multiple apps in AD and link them to different gateways. -This article helps you set up an Azure AD tenant for P2S OpenVPN authentication, and create and register multiple apps in Azure AD to allow different access for different users and groups. 
+This article helps you set up a Microsoft Entra tenant for P2S OpenVPN authentication, and create and register multiple apps in Microsoft Entra ID to allow different access for different users and groups. > [!NOTE]-> Azure AD authentication is supported only for OpenVPN® protocol connections. +> Microsoft Entra authentication is supported only for OpenVPN® protocol connections. > [!INCLUDE [create](../../includes/openvpn-azure-ad-tenant-multi-app.md)] Use the VPN profile to configure your clients. 6. Browse to the unzipped "AzureVPN" folder. -7. Make a note of the location of the "azurevpnconfig.xml" file. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully. +7. Make a note of the location of the "azurevpnconfig.xml" file. The azurevpnconfig.xml contains the setting for the VPN connection and can be imported directly into the Azure VPN Client application. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Microsoft Entra credentials to connect successfully. ## 9. Configure User VPN clients To connect, you need to download the Azure VPN Client and import the VPN client profile that was downloaded in the previous steps on every computer that wants to connect to the VNet. > [!NOTE]-> Azure AD authentication is supported only for OpenVPN® protocol connections. +> Microsoft Entra authentication is supported only for OpenVPN® protocol connections. > #### To download the Azure VPN client |
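Review bot: The intro paragraph's second sentence was left half-renamed: the `+` line changes "Azure Active Directory authentication" to "Microsoft Entra authentication" but still says "you can register multiple apps in AD and link them to different gateways". Suggest "register multiple apps in Microsoft Entra ID", and while touching the sentence fix "If you want different set of users" to "If you want different sets of users".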
virtual-wan | Openvpn Azure Ad Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/openvpn-azure-ad-tenant.md | Title: 'Azure AD tenant for User VPN connections: Azure AD authentication -OpenVPN' -description: You can use Azure Virtual WAN User VPN (point-to-site) to connect to your VNet using Azure AD authentication + Title: 'Microsoft Entra tenant for User VPN connections: Microsoft Entra authentication -OpenVPN' +description: You can use Azure Virtual WAN User VPN (point-to-site) to connect to your VNet using Microsoft Entra authentication -# Configure an Azure AD tenant for P2S User VPN OpenVPN protocol connections +# Configure a Microsoft Entra tenant for P2S User VPN OpenVPN protocol connections -When you connect to your VNet using Virtual WAN User VPN (point-to-site), you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Azure Active Directory authentication is one of the authentication options available for you to use. This article helps you configure an Azure AD tenant for Virtual WAN User VPN (point-to-site) using OpenVPN authentication. +When you connect to your VNet using Virtual WAN User VPN (point-to-site), you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Microsoft Entra authentication is one of the authentication options available for you to use. This article helps you configure a Microsoft Entra tenant for Virtual WAN User VPN (point-to-site) using OpenVPN authentication. [!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)] -## <a name="tenant"></a>1. Create the Azure AD tenant +<a name='a-nametenanta1-create-the-azure-ad-tenant'></a> -Verify that you have an Azure AD tenant. 
If you don't have an Azure AD tenant, you can create one using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article: +## <a name="tenant"></a>1. Create the Microsoft Entra tenant ++Verify that you have a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article: * Organization name * Initial domain name -## <a name="users"></a>2. Create Azure AD tenant users +<a name='a-nameusersa2-create-azure-ad-tenant-users'></a> ++## <a name="users"></a>2. Create Microsoft Entra tenant users -1. Create two accounts in the newly created Azure AD tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md). +1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md). * Global administrator account * User account The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.-1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md). +1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Microsoft Entra ID](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md). ## <a name="enable-authentication"></a>3. Grant consent to the Azure VPN app registration Verify that you have an Azure AD tenant. 
If you don't have an Azure AD tenant, y ## Next steps -In order to connect to your virtual networks using Azure AD authentication, you must create a User VPN configuration and associate it to a Virtual Hub. See [Configure Azure AD authentication for point-to-site connection to Azure](virtual-wan-point-to-site-azure-ad.md). +In order to connect to your virtual networks using Microsoft Entra authentication, you must create a User VPN configuration and associate it to a Virtual Hub. See [Configure Microsoft Entra authentication for point-to-site connection to Azure](virtual-wan-point-to-site-azure-ad.md). |
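Review bot: the two compatibility anchors added above the renamed headings, `<a name='a-nametenanta1-create-the-azure-ad-tenant'></a>` and `<a name='a-nameusersa2-create-azure-ad-tenant-users'></a>`, carry the literal text of the old headings' inline `<a name="tenant"></a>` / `<a name="users"></a>` markup in their slugs (the "a-nametenanta" and "a-nameusersa" prefixes). Confirm these are the ids the old headings actually rendered to before shipping them; since the explicit `tenant` and `users` anchors are kept on the new headings, existing `#tenant` and `#users` links keep working either way, and a slug that was never generated only adds noise to the page.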
virtual-wan | Point To Site Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/point-to-site-concepts.md | VPN server configurations define the authentication, encryption and user group p | Concept | Description | Notes| |--| --|--|-| Tunnel Type | Protocol(s) used between the P2S VPN gateway and connecting users.| Available parameters: IKEv2, OpenVPN or both. For IKEv2 server configurations, only RADIUS and certificate-based authentication is available. For Open VPN server configurations, RADIUS, certificate-based and Azure Active Directory based authentication are available. Additionally, multiple authentication methods on the same server configuration (for example, certificate and RADIUS on the same configuration) are only supported for OpenVPN. IKEv2 also has a protocol-level limit of 255 routes, while OpenVPN has a limit of 1000 routes. | +| Tunnel Type | Protocol(s) used between the P2S VPN gateway and connecting users.| Available parameters: IKEv2, OpenVPN or both. For IKEv2 server configurations, only RADIUS and certificate-based authentication is available. For Open VPN server configurations, RADIUS, certificate-based and Microsoft Entra ID based authentication are available. Additionally, multiple authentication methods on the same server configuration (for example, certificate and RADIUS on the same configuration) are only supported for OpenVPN. IKEv2 also has a protocol-level limit of 255 routes, while OpenVPN has a limit of 1000 routes. | | Custom IPsec Parameters| Encryption parameters used by the P2S VPN gateway for gateways that use IKEv2.| For available parameters, see [Custom IPsec parameters for point-to-site VPN](point-to-site-ipsec.md). 
This parameter doesn't apply for gateways using OpenVPN authentication.| ### Azure Certificate Authentication concepts If a P2S VPN gateway is configured to use RADIUS-based authentication, the P2S V |RADIUS server root certificate | RADIUS server root certificate public data.| This field is optional. Input the string(s) corresponding to the RADIUS root certificate public data. You may input multiple root certificates. All client certificates presented for authentication must be issued from the specified root certificates. For an example for how to get certificate public data, see the step 8 in the following document about [generating certificates](certificates-point-to-site.md).| |Revoked client certificates |Thumbprint(s) of revoked RADIUS client certificates. Clients presenting revoked certificates won't be able to connect. |This field is optional. Every user certificate must be revoked individually. Revoking an intermediate certificate or a root certificate won't automatically revoke all children certificates.| -### Azure Active Directory Authentication concepts +<a name='azure-active-directory-authentication-concepts'></a> -The following concepts are related to server configurations that use Azure Active Directory-based authentication. Azure Active Directory-based authentication is only available if the tunnel type is OpenVPN. +### Microsoft Entra authentication concepts ++The following concepts are related to server configurations that use Microsoft Entra ID-based authentication. Microsoft Entra ID-based authentication is only available if the tunnel type is OpenVPN. | Concept | Description | Available Parameters| |--| --|--|- Audience| Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant. 
| For more information on how to register the Azure VPN application in your tenant and finding the application ID, see [configuring a tenant for P2S user VPN OpenVPN protocol connections](openvpn-azure-ad-tenant.md)| + Audience| Application ID of the Azure VPN Enterprise Application registered in your Microsoft Entra tenant. | For more information on how to register the Azure VPN application in your tenant and finding the application ID, see [configuring a tenant for P2S user VPN OpenVPN protocol connections](openvpn-azure-ad-tenant.md)| | Issuer|Full URL corresponding to Security Token Service (STS) associated to your Active Directory.| String in the following format: ```https://sts.windows.net/<your Directory ID>/```-| Azure Active Directory Tenant| Full URL corresponding to the Active Directory Tenant used for authentication on the gateway.| Varies based on which cloud the Active Directory Tenant is deployed in. See below for per-cloud details.| +| Microsoft Entra tenant| Full URL corresponding to the Active Directory Tenant used for authentication on the gateway.| Varies based on which cloud the Active Directory Tenant is deployed in. See below for per-cloud details.| ++<a name='azure-ad-tenant-id'></a> -#### Azure AD Tenant ID +#### Microsoft Entra tenant ID -The following table describes the format of the Azure Active Directory URL based on which cloud Azure Active Directory is deployed in. +The following table describes the format of the Microsoft Entra URL based on which cloud Microsoft Entra ID is deployed in. | Cloud | Parameter Format| |--|--| |
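Review bot: the rename in the authentication concepts table is only partial. The Issuer row still reads "associated to your Active Directory", and the renamed "Microsoft Entra tenant" row still describes a "Full URL corresponding to the Active Directory Tenant" that "Varies based on which cloud the Active Directory Tenant is deployed in". If the intent is to move the page to the Microsoft Entra naming, update those descriptions in the same change; as written the table uses both names for the same object.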
virtual-wan | User Groups About | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/user-groups-about.md | In this example, the VPN server configuration has the following groups configure |Default|Priority|Group name|Authentication type|Member value| ||||||-|Yes|0|Engineering|Azure Active Directory|groupObjectId1| -|No|1|Finance|Azure Active Directory|groupObjectId2| -|No|2|PM|Azure Active Directory|groupObjectId3| +|Yes|0|Engineering|Microsoft Entra ID|groupObjectId1| +|No|1|Finance|Microsoft Entra ID|groupObjectId2| +|No|2|PM|Microsoft Entra ID|groupObjectId3| This VPN server configuration can be assigned to a P2S VPN gateway in Virtual WAN with: This VPN server configuration can be assigned to a P2S VPN gateway in Virtual WA The following result is: -* Users who are connecting to this P2S VPN gateway will be assigned an address from x.x.x.x/yy if they're part of the Engineering or PM Azure Active Directory groups. -* Users who are part of Finance Azure Active Directory group are assigned IP addresses from a.a.a.a/bb. +* Users who are connecting to this P2S VPN gateway will be assigned an address from x.x.x.x/yy if they're part of the Engineering or PM Microsoft Entra groups. +* Users who are part of Finance Microsoft Entra group are assigned IP addresses from a.a.a.a/bb. * Because Engineering is the default group, users who aren't part of any configured group are assumed to be part of Engineering and assigned an IP address from x.x.x.x/yy. ## Configuration considerations |
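Review bot: the rewritten result bullets lose the article in "Users who are part of Finance Microsoft Entra group"; it should read "part of the Finance Microsoft Entra group", matching "the Engineering or PM Microsoft Entra groups" style in the bullet above it. Small, but the line is being rewritten anyway.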
virtual-wan | User Groups Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/user-groups-create.md | This section lists configuration requirements and limitations for user groups an The following sections list available authentication mechanisms that can be used while creating user groups. -### Azure Active Directory groups +<a name='azure-active-directory-groups'></a> -To create and manage Active Directory groups, see [Manage Azure Active Directory groups and group membership](../active-directory/fundamentals/how-to-manage-groups.md). +### Microsoft Entra groups -* The Azure Active Directory group object ID (and not the group name) needs to be specified as part of the Virtual WAN point-to-site User VPN configuration. -* Azure Active Directory users can be assigned to be part of multiple Active Directory groups, but Virtual WAN considers users to be part of the Virtual WAN user/policy group that has the lowest numerical priority. +To create and manage Active Directory groups, see [Manage Microsoft Entra groups and group membership](../active-directory/fundamentals/how-to-manage-groups.md). ++* The Microsoft Entra group object ID (and not the group name) needs to be specified as part of the Virtual WAN point-to-site User VPN configuration. +* Microsoft Entra users can be assigned to be part of multiple Active Directory groups, but Virtual WAN considers users to be part of the Virtual WAN user/policy group that has the lowest numerical priority. ### RADIUS - NPS vendor-specific attributes Use the following steps to create a user group. 1. **Having issues with address pools?** Every address pool is specified on the gateway. Address pools are split into two address pools and assigned to each active-active instance in a point-to-site VPN gateway pair. These split addresses should show up in the effective route table. For example, if you specify "10.0.0.0/24", you should see two "/25" routes in the effective route table. 
If this isn't the case, try changing the address pools defined on the gateway. 1. **P2S client not able to receive routes?** Make sure all point-to-site VPN connection configurations are associated to the defaultRouteTable and propagate to the same set of route tables. This should be configured automatically if you're using portal, but if you're using REST, PowerShell or CLI, make sure all propagations and associations are set appropriately. 1. **Not able to enable Multipool using Azure VPN client?** If you're using the Azure VPN client, make sure the Azure VPN client installed on user devices is the latest version. You need to download the client again to enable this feature.-1. **All users getting assigned to Default group?** If you're using Azure Active Directory authentication, make sure the tenant URL input in the server configuration `(https://login.microsoftonline.com/<tenant ID>)` doesn't end in a `\`. If the URL is input to end with `\`, the gateway won't be able to properly process Azure Active Directory user groups, and all users are assigned to the default group. To remediate, modify the server configuration to remove the trailing `\` and modify the address pools configured on the gateway to apply the changes to the gateway. This is a known issue. -1. **Trying to invite external users to use Multipool feature?** If you're using Azure Active Directory authentication and you plan to invite users who are external (users who aren't part of the Azure Active Directory domain configured on the VPN gateway) to connect to the Virtual WAN Point-to-site VPN gateway, make sure that the user type of the external user is "Member" and not "Guest". Also, make sure that the "Name" of the user is set to the user's email address. 
If the user type and name of the connecting user isn't set correctly as described above, or you can't set an external member to be a "Member" of your Azure Active Directory domain, the connecting user is assigned to the default group and assigned an IP from the default IP address pool. +1. **All users getting assigned to Default group?** If you're using Microsoft Entra authentication, make sure the tenant URL input in the server configuration `(https://login.microsoftonline.com/<tenant ID>)` doesn't end in a `\`. If the URL is input to end with `\`, the gateway won't be able to properly process Microsoft Entra user groups, and all users are assigned to the default group. To remediate, modify the server configuration to remove the trailing `\` and modify the address pools configured on the gateway to apply the changes to the gateway. This is a known issue. +1. **Trying to invite external users to use Multipool feature?** If you're using Microsoft Entra authentication and you plan to invite users who are external (users who aren't part of the Microsoft Entra domain configured on the VPN gateway) to connect to the Virtual WAN Point-to-site VPN gateway, make sure that the user type of the external user is "Member" and not "Guest". Also, make sure that the "Name" of the user is set to the user's email address. If the user type and name of the connecting user isn't set correctly as described above, or you can't set an external member to be a "Member" of your Microsoft Entra domain, the connecting user is assigned to the default group and assigned an IP from the default IP address pool. ## Next steps |
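Review bot: the rewritten "All users getting assigned to Default group?" item still says the tenant URL must not end in a `\`, while the sibling change to virtual-wan-point-to-site-azure-ad.md on this page says "Make sure there is no `/` at the end of the Microsoft Entra tenant URL". A backslash is not a plausible ending for an `https://login.microsoftonline.com/<tenant ID>` value, so the two articles should agree on `/`. In the same item the parentheses sit inside the code span, `(https://login.microsoftonline.com/<tenant ID>)`, which renders them as part of the value; move them outside the backticks. The following item also keeps "user type and name of the connecting user isn't set correctly", which should be "aren't".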
virtual-wan | Virtual Wan Configure Automation Providers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-configure-automation-providers.md | Understand the expected customer experience in conjunction with Azure Virtual WA Customers must be able to set up appropriate access control for Virtual WAN in the device UI. This is recommended using an Azure Service Principal. Service principal-based access provides the device controller appropriate authentication to upload branch information. For more information, see [Create service principal](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). While this functionality is outside of the Azure Virtual WAN offering, we list below the typical steps taken to set up access in Azure after which the relevant details are inputted into the device management dashboard -* Create an Azure Active Directory application for your on-premises device controller. +* Create a Microsoft Entra application for your on-premises device controller. * Get application ID and authentication key * Get tenant ID * Assign application to role "Contributor" |
virtual-wan | Virtual Wan Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-faq.md | While the concept of Virtual WAN is global, the actual Virtual WAN resource is R ### What client does the Azure Virtual WAN User VPN (point-to-site) support? -Virtual WAN supports [Azure VPN client](https://go.microsoft.com/fwlink/?linkid=2117554), OpenVPN Client, or any IKEv2 client. Azure AD authentication is supported with Azure VPN Client.A minimum of Windows 10 client OS version 17763.0 or higher is required. OpenVPN client(s) can support certificate-based authentication. Once cert-based auth is selected on the gateway, you'll see the.ovpn* file to download to your device. IKEv2 supports both certificate and RADIUS authentication. +Virtual WAN supports [Azure VPN client](https://go.microsoft.com/fwlink/?linkid=2117554), OpenVPN Client, or any IKEv2 client. Microsoft Entra authentication is supported with Azure VPN Client.A minimum of Windows 10 client OS version 17763.0 or higher is required. OpenVPN client(s) can support certificate-based authentication. Once cert-based auth is selected on the gateway, you'll see the.ovpn* file to download to your device. IKEv2 supports both certificate and RADIUS authentication. ### For User VPN (point-to-site)- why is the P2S client pool split into two routes? |
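Review bot: the rewritten answer keeps two pre-existing typos: "Azure VPN Client.A minimum" is missing the space after the period, and "you'll see the.ovpn* file" should be "the *.ovpn file" (or simply "the .ovpn file"). Since the sentence is being touched for the rename, fix both in this change.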
virtual-wan | Virtual Wan Point To Site Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-point-to-site-azure-ad.md | Title: 'Create a P2S User VPN connection - Azure AD authentication' + Title: 'Create a P2S User VPN connection - Microsoft Entra authentication' -description: Learn how to configure Azure Active Directory authentication for Virtual WAN User VPN (point-to-site). +description: Learn how to configure Microsoft Entra authentication for Virtual WAN User VPN (point-to-site). Last updated 10/19/2022 -# Create a P2S User VPN connection using Azure Virtual WAN - Azure AD authentication +# Create a P2S User VPN connection using Azure Virtual WAN - Microsoft Entra authentication -This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection to Virtual WAN that uses Azure Active Directory (Azure AD) authentication. Azure AD authentication is only available for gateways that use the OpenVPN protocol. +This article shows you how to use Virtual WAN to connect to your resources in Azure. In this article, you create a point-to-site User VPN connection to Virtual WAN that uses Microsoft Entra authentication. Microsoft Entra authentication is only available for gateways that use the OpenVPN protocol. [!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)] A User VPN configuration defines the parameters for connecting remote clients. I * **Configuration name** - Enter the name you want to call your User VPN Configuration. * **Tunnel type** - Select OpenVPN from the dropdown menu. -1. Click **Azure Active Directory** to open the page. +1. Click **Microsoft Entra ID** to open the page. - :::image type="content" source="./media/virtual-wan-point-to-site-azure-ad/values.png" alt-text="Screenshot of the Azure Active Directory page." 
lightbox="./media/virtual-wan-point-to-site-azure-ad/values.png"::: + :::image type="content" source="./media/virtual-wan-point-to-site-azure-ad/values.png" alt-text="Screenshot of the Microsoft Entra ID page." lightbox="./media/virtual-wan-point-to-site-azure-ad/values.png"::: - Toggle **Azure Active Directory** to **Yes** and supply the following values based on your tenant details. You can view the necessary values on the Azure Active Directory page for Enterprise applications in the portal. - * **Authentication method** - Select Azure Active Directory. - * **Audience** - Type in the Application ID of the [Azure VPN](openvpn-azure-ad-tenant.md) Enterprise Application registered in your Azure AD tenant. + Toggle **Microsoft Entra ID** to **Yes** and supply the following values based on your tenant details. You can view the necessary values on the Microsoft Entra ID page for Enterprise applications in the portal. + * **Authentication method** - Select Microsoft Entra ID. + * **Audience** - Type in the Application ID of the [Azure VPN](openvpn-azure-ad-tenant.md) Enterprise Application registered in your Microsoft Entra tenant. * **Issuer** - `https://sts.windows.net/<your Directory ID>/`- * **AAD Tenant:** TenantID for the Azure AD tenant. Make sure there is no `/` at the end of the AAD tenant URL. + * **Microsoft Entra tenant:** TenantID for the Microsoft Entra tenant. Make sure there is no `/` at the end of the Microsoft Entra tenant URL. * Enter `https://login.microsoftonline.com/{AzureAD TenantID}` for Azure Public AD * Enter `https://login.microsoftonline.us/{AzureAD TenantID}` for Azure Government AD |
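Review bot: the rename stops one line short. The two unchanged sub-bullets under the renamed **Microsoft Entra tenant:** item still say "for Azure Public AD" and "for Azure Government AD" and use the `{AzureAD TenantID}` placeholder, so the step now mixes both names. Either extend the rename to those sub-bullets or keep one term throughout the step. Separately, the item describes the field as "TenantID for the Microsoft Entra tenant" while the sub-bullets and the "no `/` at the end of the Microsoft Entra tenant URL" caution show the value is a full URL; "tenant URL" would describe the field more accurately.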
virtual-wan | Virtual Wan Point To Site Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-point-to-site-portal.md | -* This article applies to certificate and RADIUS authentication. For Azure AD authentication, see [Configure a User VPN connection - Azure Active Directory authentication](virtual-wan-point-to-site-azure-ad.md). +* This article applies to certificate and RADIUS authentication. For Microsoft Entra authentication, see [Configure a User VPN connection - Microsoft Entra authentication](virtual-wan-point-to-site-azure-ad.md). * For more information about Virtual WAN, see the [Virtual WAN Overview](virtual-wan-about.md). In this tutorial, you learn how to: The instructions you follow depend on the authentication method you want to use. * **Radius-based authentication:** Obtain the Radius server IP, Radius server secret, and certificate information. -* **Azure Active Directory authentication:** See [Configure a User VPN connection - Azure Active Directory authentication](virtual-wan-point-to-site-azure-ad.md). +* **Microsoft Entra authentication:** See [Configure a User VPN connection - Microsoft Entra authentication](virtual-wan-point-to-site-azure-ad.md). ### Configuration steps |
virtual-wan | Virtual Wan Point To Site Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/virtual-wan-point-to-site-powershell.md | In the following steps, when selecting the authentication method, you have three * **Radius-based authentication:** Obtain the Radius server IP, Radius server secret, and certificate information. -* **Azure Active Directory authentication:** See [Configure a User VPN connection - Azure Active Directory authentication](virtual-wan-point-to-site-azure-ad.md). +* **Microsoft Entra authentication:** See [Configure a User VPN connection - Microsoft Entra authentication](virtual-wan-point-to-site-azure-ad.md). ### Configuration steps using Azure Certificate authentication |
virtual-wan | Vpn Client Certificate Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-wan/vpn-client-certificate-windows.md | This article helps you configure Virtual WAN User VPN clients on a Windows opera The VPN client configuration files that you generate are specific to the P2S User VPN gateway configuration. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect. -This article applies to Windows operating system clients. For macOS/iOS IKEv2 steps, use [this section](../vpn-gateway/point-to-site-vpn-client-cert-mac.md) of the VPN Gateway article. For Azure AD authentication steps, see [Configure a VPN client for P2S connections that use Azure AD authentication](openvpn-azure-ad-client.md). +This article applies to Windows operating system clients. For macOS/iOS IKEv2 steps, use [this section](../vpn-gateway/point-to-site-vpn-client-cert-mac.md) of the VPN Gateway article. For Microsoft Entra authentication steps, see [Configure a VPN client for P2S connections that use Microsoft Entra authentication](openvpn-azure-ad-client.md). ## <a name="generate"></a>Before you begin The following steps help you download, install, and configure the Azure VPN Clie When you open the zip file, you'll see the **AzureVPN** folder. Locate the **azurevpnconfig.xml** file. This file contains the settings you use to configure the VPN client profile. If you don't see the file, verify the following items: * Verify that your User VPN gateway is configured to use the OpenVPN tunnel type.-* If you're using Azure AD authentication, you may not have an AzureVPN folder. See the [Azure AD](openvpn-azure-ad-client.md) configuration article instead. 
+* If you're using Microsoft Entra authentication, you may not have an AzureVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. For more information about User VPN client profile files, see [Working with User VPN client profile files](about-vpn-profile-download.md). |
vpn-gateway | About Vpn Profile Download | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/about-vpn-profile-download.md | Title: 'P2S VPN client profile configuration files - Azure AD authentication' + Title: 'P2S VPN client profile configuration files - Microsoft Entra authentication' -description: Learn how to generate P2S VPN client profile configuration files for Azure AD authentication. +description: Learn how to generate P2S VPN client profile configuration files for Microsoft Entra authentication. Last updated 08/24/2022 -# Generate P2S Azure VPN Client profile configuration files - Azure AD authentication +# Generate P2S Azure VPN Client profile configuration files - Microsoft Entra authentication -This article helps you generate and extract VPN client profile configuration files. Client profile configuration files contain information that's used to configure your VPN client. The sections in this article explain the information needed to configure the Azure VPN Client profile for Azure VPN Gateway point-to-site configurations that use Azure AD authentication. +This article helps you generate and extract VPN client profile configuration files. Client profile configuration files contain information that's used to configure your VPN client. The sections in this article explain the information needed to configure the Azure VPN Client profile for Azure VPN Gateway point-to-site configurations that use Microsoft Entra authentication. ## <a name="generate"></a>Generate profile files In the **AzureVPN** folder, go to the ***azurevpnconfig.xml*** file and open it When you add a connection, use the information you collected in the previous step for the profile details page. The fields correspond to the following information: * **Audience:** Identifies the recipient resource the token is intended for.-* **Issuer:** Identifies the Security Token Service (STS) that emitted the token, and the Azure AD tenant. 
+* **Issuer:** Identifies the Security Token Service (STS) that emitted the token, and the Microsoft Entra tenant. * **Tenant:** Contains an immutable, unique identifier of the directory tenant that issued the token. * **FQDN:** The fully qualified domain name (FQDN) on the Azure VPN gateway. * **ServerSecret:** The VPN gateway preshared key. When you add a connection, use the information you collected in the previous ste Configure VPN clients. -* [Windows - Azure VPN Client - Azure AD](openvpn-azure-ad-client.md). -* [macOS - Azure VPN Client - Azure AD](openvpn-azure-ad-client-mac.md). +* [Windows - Azure VPN Client - Microsoft Entra ID](openvpn-azure-ad-client.md). +* [macOS - Azure VPN Client - Microsoft Entra ID](openvpn-azure-ad-client-mac.md). For more information about point-to-site, see [About point-to-site](point-to-site-about.md). |
vpn-gateway | Azure Vpn Client Optional Configurations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/azure-vpn-client-optional-configurations.md | If you haven't already done so, make sure you complete the following items: * Download and install the Azure VPN Client. For steps, see one of the following articles: * [Certificate authentication](point-to-site-vpn-client-cert-windows.md#download-the-azure-vpn-client)- * [Azure AD authentication](openvpn-azure-ad-client.md#download) + * [Microsoft Entra authentication](openvpn-azure-ad-client.md#download) ## Working with VPN client profile configuration files To add custom DNS servers, modify the downloaded profile XML file and add the ** ``` > [!NOTE]-> The OpenVPN Azure AD client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of `ipconfig /all`. To confirm your in-use DNS settings, please consult [Get-DnsClientNrptPolicy](/powershell/module/dnsclient/get-dnsclientnrptpolicy) in PowerShell. +> The OpenVPN Microsoft Entra client utilizes DNS Name Resolution Policy Table (NRPT) entries, which means DNS servers will not be listed under the output of `ipconfig /all`. To confirm your in-use DNS settings, please consult [Get-DnsClientNrptPolicy](/powershell/module/dnsclient/get-dnsclientnrptpolicy) in PowerShell. > ## Routing For more information about P2S VPN, see the following articles: * [About point-to-site VPN](point-to-site-about.md) * [About point-to-site VPN routing](vpn-gateway-about-point-to-site-routing.md)- |
vpn-gateway | Azure Vpn Client Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/azure-vpn-client-versions.md | Each version is listed in the following sections. New in this Release: -* Microsoft Entra ID (Azure AD) Authentication is now available from the settings page. +* Microsoft Entra authentication is now available from the settings page. * Server High Availability(HA), releasing on a rolling basis until October 20. * Accessibility Improvements * Connection logs in UTC New in this Release: ## Next steps -For more information about VPN point-to-site, see [About point-to-site configurations](point-to-site-about.md). +For more information about VPN point-to-site, see [About point-to-site configurations](point-to-site-about.md). |
vpn-gateway | Howto Point To Site Multi Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/howto-point-to-site-multi-auth.md | For **Authentication type**, select the desired types. Options are: * Azure certificate * RADIUS-* Azure Active Directory +* Microsoft Entra ID See the below table to check what authentication mechanisms are compatible with selected tunnel types. [!INCLUDE [All client articles](../../includes/vpn-gateway-vpn-multiauth-tunnel-mapping.md)] >[!NOTE]->For tunnel type "IKEv2 and OpenVPN" and selected authentication mechanisms "Azure AD and Radius" or "Azure AD and Azure ->Certificate", Azure AD will only work for OpenVPN since it is not supported by IKEv2 +>For tunnel type "IKEv2 and OpenVPN" and selected authentication mechanisms "Microsoft Entra ID and Radius" or "Microsoft Entra ID and Azure +>Certificate", Microsoft Entra ID will only work for OpenVPN since it is not supported by IKEv2 > Depending on the authentication type(s) selected, you will see different configuration setting fields that will have to be filled in. Fill in the required information and select **Save** at the top of the page to save all of the configuration settings. For more information about authentication type, see: * [Azure certificate](vpn-gateway-howto-point-to-site-resource-manager-portal.md#type) * [RADIUS](point-to-site-how-to-radius-ps.md)-* [Azure Active Directory](openvpn-azure-ad-tenant.md) +* [Microsoft Entra ID](openvpn-azure-ad-tenant.md) ## <a name="clientconfig"></a>VPN client configuration package |
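Review bot: in the renamed note, "Radius" is cased differently from the "RADIUS" item in the list immediately above, and the sentence still ends without a period ("...since it is not supported by IKEv2"). The hard line break inside the quoted phrase ("Microsoft Entra ID and Azure ->Certificate") also splits the term "Azure Certificate" across the two blockquote lines; reflow the note so each quoted option stays on one line.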
vpn-gateway | Openvpn Azure Ad Client Mac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/openvpn-azure-ad-client-mac.md | Title: 'Configure Azure VPN Client - Azure AD authentication - macOS' -description: 'Learn how to configure a macOS VPN client to connect to a virtual network using VPN Gateway Point-to-Site and Azure Active Directory authentication.' + Title: 'Configure Azure VPN Client - Microsoft Entra authentication - macOS' +description: 'Learn how to configure a macOS VPN client to connect to a virtual network using VPN Gateway Point-to-Site and Microsoft Entra authentication.' Last updated 04/07/2023 -# Configure the Azure VPN Client - Azure AD authentication - macOS +# Configure the Azure VPN Client - Microsoft Entra authentication - macOS -This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md). For more information about Point-to-Site connections, see [About Point-to-Site connections](point-to-site-about.md). +This article helps you configure a VPN client for a computer running macOS 10.15 and later to connect to a virtual network using Point-to-Site VPN and Microsoft Entra authentication. Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md). For more information about Point-to-Site connections, see [About Point-to-Site connections](point-to-site-about.md). > [!NOTE]-> * Azure AD authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client. 
+> * Microsoft Entra authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client. > * The Azure VPN client for macOS is currently not available in France and China due to local regulations and requirements. > If you want to configure multiple computers, you can create a client profile on ## Prerequisites -Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md). +Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md). ## Download the Azure VPN Client Before you can connect and authenticate using Azure AD, you must first configure * **Certificate Information:** The certificate CA. * **Server Secret:** The server secret. * **Client Authentication**- * **Authentication Type:** Azure Active Directory + * **Authentication Type:** Microsoft Entra ID * **Tenant:** Name of the tenant. * **Issuer:** Name of the issuer. 1. After filling in the fields, click **Save**. You can configure the Azure VPN Client with optional configuration settings such ## Next steps -For more information, see [Create an Azure AD tenant for P2S Open VPN connections that use Azure AD authentication](openvpn-azure-ad-tenant.md). +For more information, see [Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication](openvpn-azure-ad-tenant.md). |
vpn-gateway | Openvpn Azure Ad Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/openvpn-azure-ad-client.md | Title: 'Configure Azure VPN Client - Azure AD authentication - Windows' -description: Learn how to configure the Azure VPN Client to connect to a VNet using VPN Gateway point-to-site VPN, OpenVPN protocol connections, and Azure AD authentication from a Windows computer. + Title: 'Configure Azure VPN Client - Microsoft Entra authentication - Windows' +description: Learn how to configure the Azure VPN Client to connect to a VNet using VPN Gateway point-to-site VPN, OpenVPN protocol connections, and Microsoft Entra authentication from a Windows computer. Last updated 11/22/2022 -# Configure the Azure VPN Client - Azure AD authentication - Windows +# Configure the Azure VPN Client - Microsoft Entra authentication - Windows -This article helps you configure the Azure VPN Client on a Windows computer to connect to a virtual network using a VPN Gateway point-to-site (P2S) VPN and Azure Active Directory authentication. Before you can connect and authenticate using Azure AD, you must first configure your Azure AD tenant. For more information, see [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md). For more information about point-to-site, see [About point-to-site VPN](point-to-site-about.md). The Azure VPN Client supported with Windows FIPS mode with the [KB4577063](https://support.microsoft.com/help/4577063/windows-10-update-kb4577063) hotfix. +This article helps you configure the Azure VPN Client on a Windows computer to connect to a virtual network using a VPN Gateway point-to-site (P2S) VPN and Microsoft Entra authentication. Before you can connect and authenticate using Microsoft Entra ID, you must first configure your Microsoft Entra tenant. For more information, see [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md). 
For more information about point-to-site, see [About point-to-site VPN](point-to-site-about.md). The Azure VPN Client supported with Windows FIPS mode with the [KB4577063](https://support.microsoft.com/help/4577063/windows-10-update-kb4577063) hotfix. [!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)] After your Azure VPN Gateway P2S configuration is complete, your next steps are ## <a name="import"></a>Import VPN client profile configuration files -For Azure AD authentication configurations, the **azurevpnconfig.xml** is used. The file is located in the **AzureVPN** folder of the VPN client profile configuration package. +For Microsoft Entra authentication configurations, the **azurevpnconfig.xml** is used. The file is located in the **AzureVPN** folder of the VPN client profile configuration package. 1. On the page, select **Import**. For Azure VPN Client version information, see [Azure VPN Client versions](azure- ## Next steps -For more information, see [Create an Azure AD tenant for P2S Open VPN connections that use Azure AD authentication](openvpn-azure-ad-tenant.md). +For more information, see [Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication](openvpn-azure-ad-tenant.md). |
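Review bot: the added intro paragraph still carries the sentence "The Azure VPN Client supported with Windows FIPS mode with the [KB4577063](...) hotfix.", which has no verb. As the line is already being rewritten for the rename, suggest "The Azure VPN Client is supported in Windows FIPS mode when the [KB4577063](https://support.microsoft.com/help/4577063/windows-10-update-kb4577063) hotfix is installed."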
vpn-gateway | Openvpn Azure Ad Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/openvpn-azure-ad-mfa.md | Title: 'Enable MFA for VPN users: Azure AD authentication' + Title: 'Enable MFA for VPN users: Microsoft Entra authentication' -description: Learn how to enable multi-factor authentication (MFA) for VPN users. +description: Learn how to enable multifactor authentication (MFA) for VPN users. Last updated 07/28/2023 -# Enable Azure AD Multi-Factor Authentication (MFA) for VPN users +# Enable Microsoft Entra multifactor authentication (MFA) for VPN users [!INCLUDE [overview](../../includes/vpn-gateway-vwan-openvpn-enable-mfa-overview.md)] |
vpn-gateway | Openvpn Azure Ad Tenant Multi App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/openvpn-azure-ad-tenant-multi-app.md | Title: 'Configure P2S for different user and group access: Azure AD authentication and multi app' + Title: 'Configure P2S for different user and group access: Microsoft Entra authentication and multi app' -description: Learn how to set up an Azure AD tenant for P2S OpenVPN authentication and register multiple apps in Azure AD to allow different access for different users and groups. +description: Learn how to set up a Microsoft Entra tenant for P2S OpenVPN authentication and register multiple apps in Microsoft Entra ID to allow different access for different users and groups. -# Configure P2S for access based on users and groups - Azure AD authentication +# Configure P2S for access based on users and groups - Microsoft Entra authentication -When you use Azure AD as the authentication method for P2S, you can configure P2S to allow different access for different users and groups. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways. This article helps you set up an Azure AD tenant for P2S Azure AD authentication and create and register multiple apps in Azure AD for allowing different access for different users and groups. For more information about point-to-site protocols and authentication, see [About point-to-site VPN](point-to-site-about.md). +When you use Microsoft Entra ID as the authentication method for P2S, you can configure P2S to allow different access for different users and groups. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways. 
This article helps you set up a Microsoft Entra tenant for P2S Microsoft Entra authentication and create and register multiple apps in Microsoft Entra ID for allowing different access for different users and groups. For more information about point-to-site protocols and authentication, see [About point-to-site VPN](point-to-site-about.md). [!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)] -## Azure AD tenant +<a name='azure-ad-tenant'></a> -The steps in this article require an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article. Note the following fields when creating your directory: +## Microsoft Entra tenant ++The steps in this article require a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article. Note the following fields when creating your directory: * Organizational name * Initial domain name -## Create Azure AD tenant users +<a name='create-azure-ad-tenant-users'></a> ++## Create Microsoft Entra tenant users -1. Create two accounts in the newly created Azure AD tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md). +1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md). * Global administrator account * User account The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication. -1. Assign one of the accounts the **Global administrator** role. 
For steps, see [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md). +1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Microsoft Entra ID](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md). ## Authorize the Azure VPN application In this section, you can register additional applications for various users and ### Add a scope -1. In the Azure portal, select **Azure Active Directory**. +1. In the Azure portal, select **Microsoft Entra ID**. 1. In the left pane, select **App registrations**. 1. At the top of the **App registrations** page, select **+ New registration**. 1. On the **Register an application** page, enter the **Name**. For example, MarketingVPN. You can always change the name later. In this section, you can register additional applications for various users and * Click **Save and continue**. 1. The page returns back to the **Add a scope** page. Fill in the required fields and ensure that **State** is **Enabled**. - :::image type="content" source="./media/openvpn-azure-ad-tenant-multi-app/add-scope.png" alt-text="Screenshot of Azure Active Directory add a scope page." lightbox="./media/openvpn-azure-ad-tenant-multi-app/add-scope.png"::: + :::image type="content" source="./media/openvpn-azure-ad-tenant-multi-app/add-scope.png" alt-text="Screenshot of Microsoft Entra ID add a scope page." lightbox="./media/openvpn-azure-ad-tenant-multi-app/add-scope.png"::: 1. When you're done filling out the fields, click **Add scope**. ### Add a client application In this section, you can register additional applications for various users and * Microsoft Azure operated by 21Vianet: `49f817b6-84ae-4cc0-928c-73f27289b3aa` 1. Select the checkbox for the **Authorized scopes** to include. Then, click **Add application**. 
- :::image type="content" source="./media/openvpn-azure-ad-tenant-multi-app/add-application.png" alt-text="Screenshot of Azure Active Directory add client application page." lightbox="./media/openvpn-azure-ad-tenant-multi-app/add-application.png"::: + :::image type="content" source="./media/openvpn-azure-ad-tenant-multi-app/add-application.png" alt-text="Screenshot of Microsoft Entra ID add client application page." lightbox="./media/openvpn-azure-ad-tenant-multi-app/add-application.png"::: 1. Click **Add application**. When you enable authentication on the VPN gateway, you'll need the **Application Assign the users to your applications. -1. Go to your Azure Active Directory and select **Enterprise applications**. +1. Go to your Microsoft Entra ID and select **Enterprise applications**. 1. From the list, locate the application you just registered and click to open it. 1. Click **Properties**. On the **Properties** page, verify that **Enabled for users to sign in** is set to **Yes**. If not, change the value to **Yes**. 1. For **Assignment required**, change the value to **Yes**. For more information about this setting, see [Application properties](../active-directory/manage-apps/application-properties.md#enabled-for-users-to-sign-in). Assign the users to your applications. ## Configure authentication for the gateway -In this step, you configure P2S Azure AD authentication for the virtual network gateway. +In this step, you configure P2S Microsoft Entra authentication for the virtual network gateway. 1. Go to the virtual network gateway. In the left pane, click **Point-to-site configuration**. In this step, you configure P2S Azure AD authentication for the virtual network * **Address pool**: client address pool * **Tunnel type:** OpenVPN (SSL)- * **Authentication type**: Azure Active Directory + * **Authentication type**: Microsoft Entra ID - For **Azure Active Directory** values, use the following guidelines for **Tenant**, **Audience**, and **Issuer** values. 
+ For **Microsoft Entra ID** values, use the following guidelines for **Tenant**, **Audience**, and **Issuer** values. * **Tenant**: `https://login.microsoftonline.com/{TenantID}`- * **Audience ID**: Use the value that you created in the previous section that corresponds to **Application (client) ID**. Don't use the application ID for "Azure VPN" Azure AD Enterprise App - use application ID that you created and registered. If you use the application ID for the "Azure VPN" Azure AD Enterprise App instead, this will grant all users access to the VPN gateway (which would be the default way to set up access), instead of granting only the users that you assigned to the application that you created and registered. + * **Audience ID**: Use the value that you created in the previous section that corresponds to **Application (client) ID**. Don't use the application ID for "Azure VPN" Microsoft Entra Enterprise App - use application ID that you created and registered. If you use the application ID for the "Azure VPN" Microsoft Entra Enterprise App instead, this will grant all users access to the VPN gateway (which would be the default way to set up access), instead of granting only the users that you assigned to the application that you created and registered. * **Issuer**: `https://sts.windows.net/{TenantID}` For the Issuer value, make sure to include a trailing **/** at the end. 1. Once you finish configuring settings, click **Save** at the top of the page. |
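Review bot: the rewritten Audience ID bullet keeps "use application ID that you created and registered" (missing "the") and repeats the "Azure VPN" app ID warning in two consecutive sentences. Since this bullet is the step that limits gateway access to the users assigned to the custom app, suggest tightening it to one clear statement, for example: "Use the **Application (client) ID** of the app you registered in the previous section, not the application ID of the "Azure VPN" Microsoft Entra Enterprise App; the latter grants every user in the tenant access to the gateway instead of only the users assigned to your app."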
vpn-gateway | Openvpn Azure Ad Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/openvpn-azure-ad-tenant.md | Title: 'Configure Azure AD tenant and settings for P2S VPN connections: Azure AD authentication: OpenVPN' + Title: 'Configure Microsoft Entra tenant and settings for P2S VPN connections: Microsoft Entra authentication: OpenVPN' -description: Learn how to set up an Azure AD tenant for P2S Azure AD authentication - OpenVPN protocol. +description: Learn how to set up a Microsoft Entra tenant for P2S Microsoft Entra authentication - OpenVPN protocol. Last updated 09/07/2023 -# Configure an Azure AD tenant and P2S settings for VPN Gateway connections +# Configure a Microsoft Entra tenant and P2S settings for VPN Gateway connections -This article helps you configure your AD tenant and P2S settings for Azure AD authentication. For more information about point-to-site protocols and authentication, see [About VPN Gateway point-to-site VPN](point-to-site-about.md). To authenticate using the Azure AD authentication type, you must include the OpenVPN tunnel type in your point-to-site configuration. +This article helps you configure your AD tenant and P2S settings for Microsoft Entra authentication. For more information about point-to-site protocols and authentication, see [About VPN Gateway point-to-site VPN](point-to-site-about.md). To authenticate using the Microsoft Entra authentication type, you must include the OpenVPN tunnel type in your point-to-site configuration. [!INCLUDE [OpenVPN note](../../includes/vpn-gateway-openvpn-auth-include.md)] -## <a name="tenant"></a> Azure AD tenant +## <a name="tenant"></a> Microsoft Entra tenant -The steps in this article require an Azure AD tenant. If you don't have an Azure AD tenant, you can create one using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article. 
Note the following fields when creating your directory: +The steps in this article require a Microsoft Entra tenant. If you don't have a Microsoft Entra tenant, you can create one using the steps in the [Create a new tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md) article. Note the following fields when creating your directory: * Organizational name * Initial domain name -## Create Azure AD tenant users +<a name='create-azure-ad-tenant-users'></a> -1. Create two accounts in the newly created Azure AD tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md). +## Create Microsoft Entra tenant users ++1. Create two accounts in the newly created Microsoft Entra tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md). * Global administrator account * User account The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.-1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Azure Active Directory](/azure/active-directory-b2c/tenant-management-read-tenant-name). +1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Microsoft Entra ID](/azure/active-directory-b2c/tenant-management-read-tenant-name). ## Authorize the Azure VPN application The steps in this article require an Azure AD tenant. If you don't have an Azure ## <a name="enable-authentication"></a>Configure authentication for the gateway -1. Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. 
For help with finding your tenant ID, see [How to find your Azure Active Directory tenant ID](../active-directory/fundamentals/how-to-find-tenant.md). +1. Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see [How to find your Microsoft Entra tenant ID](../active-directory/fundamentals/how-to-find-tenant.md). 1. If you don't already have a functioning point-to-site environment, follow the instruction to create one. See [Create a point-to-site VPN](vpn-gateway-howto-point-to-site-resource-manager-portal.md) to create and configure a point-to-site VPN gateway. The steps in this article require an Azure AD tenant. If you don't have an Azure 1. Go to the virtual network gateway. In the left pane, click **Point-to-site configuration**. - :::image type="content" source="./media/openvpn-create-azure-ad-tenant/configuration.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Azure Active Directory settings."::: + :::image type="content" source="./media/openvpn-create-azure-ad-tenant/configuration.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra settings."::: Configure the following values: * **Address pool**: client address pool * **Tunnel type:** OpenVPN (SSL)- * **Authentication type**: Azure Active Directory + * **Authentication type**: Microsoft Entra ID - For **Azure Active Directory** values, use the following guidelines for **Tenant**, **Audience**, and **Issuer** values. Replace {AzureAD TenantID} with your tenant ID, taking care to remove **{}** from the examples when you replace this value. + For **Microsoft Entra ID** values, use the following guidelines for **Tenant**, **Audience**, and **Issuer** values. Replace {AzureAD TenantID} with your tenant ID, taking care to remove **{}** from the examples when you replace this value. 
- * **Tenant:** TenantID for the Azure AD tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL does not have a `\` at the end. + * **Tenant:** TenantID for the Microsoft Entra tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL does not have a `\` at the end. * Azure Public AD: `https://login.microsoftonline.com/{AzureAD TenantID}` * Azure Government AD: `https://login.microsoftonline.us/{AzureAD TenantID}` * Azure Germany AD: `https://login-us.microsoftonline.de/{AzureAD TenantID}` * China 21Vianet AD: `https://login.chinacloudapi.cn/{AzureAD TenantID}` - * **Audience**: The Application ID of the "Azure VPN" Azure AD Enterprise App. + * **Audience**: The Application ID of the "Azure VPN" Microsoft Entra Enterprise App. * Azure Public: `41b23e61-6c1e-4545-b367-cd054e0ed4b4` * Azure Government: `51bb15d4-3a4f-4ebf-9dca-40096fe32426` |
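Review bot: in the "Create Microsoft Entra tenant users" hunk, the link text "Assign administrator and non-administrator roles to users with Microsoft Entra ID" points at `/azure/active-directory-b2c/tenant-management-read-tenant-name`, an Azure AD B2C page about reading the tenant name rather than role assignment; the companion multi-app article links `../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md` for the same sentence, so suggest aligning the target while this line is being touched.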
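Review bot: in the "Configure authentication for the gateway" hunk, the Tenant bullet says "Make sure the Tenant URL does not have a `\` at the end" while every example that follows uses forward slashes and the Issuer guidance in the sibling article asks for a trailing `/`; please confirm whether `\` is intended or whether this should read `/`. The same hunk also leaves "It's listed in the properties section of the Active Directory page" and the `{AzureAD TenantID}` placeholder untouched while the surrounding text is renamed to Microsoft Entra; if the portal page name has changed, suggest updating that sentence and the placeholder (for example `{Microsoft Entra TenantID}`) in the same commit.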
vpn-gateway | Point To Site About | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/point-to-site-about.md | When using the native Azure certificate authentication, a client certificate tha The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure. -### Azure Active Directory authentication +<a name='azure-active-directory-authentication'></a> -Azure AD authentication allows users to connect to Azure using their Azure Active Directory credentials. Native Azure AD authentication is only supported for OpenVPN protocol and also requires the use of the [Azure VPN Client](https://go.microsoft.com/fwlink/?linkid=2117554). The supported client operation systems are Windows 10 or later and macOS. +### Microsoft Entra authentication -With native Azure AD authentication, you can use Azure AD's conditional access and multifactor authentication (MFA) features for VPN. +Microsoft Entra authentication allows users to connect to Azure using their Microsoft Entra credentials. Native Microsoft Entra authentication is only supported for OpenVPN protocol and also requires the use of the [Azure VPN Client](https://go.microsoft.com/fwlink/?linkid=2117554). The supported client operation systems are Windows 10 or later and macOS. -At a high level, you need to perform the following steps to configure Azure AD authentication: +With native Microsoft Entra authentication, you can use Microsoft Entra Conditional Access and multifactor authentication (MFA) features for VPN. -1. [Configure an Azure AD tenant](openvpn-azure-ad-tenant.md) +At a high level, you need to perform the following steps to configure Microsoft Entra authentication: -2. [Enable Azure AD authentication on the gateway](openvpn-azure-ad-tenant.md#enable-authentication) +1. [Configure a Microsoft Entra tenant](openvpn-azure-ad-tenant.md) ++2. 
[Enable Microsoft Entra authentication on the gateway](openvpn-azure-ad-tenant.md#enable-authentication) 3. Download the latest version of the Azure VPN Client install files using one of the following links: |
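Review bot: the added paragraph "Native Microsoft Entra authentication is only supported for OpenVPN protocol ..." retains the typo "The supported client operation systems are Windows 10 or later and macOS."; suggest "operating systems" since the line is being rewritten.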
vpn-gateway | Point To Site How To Radius Ps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/point-to-site-how-to-radius-ps.md | A point-to-site VPN gateway lets you create a secure connection to your virtual A P2S VPN connection is started from Windows and Mac devices. This article helps you configure a P2S configuration that uses a RADIUS server for authentication. If you want to authenticate using a different method, see the following articles: * [Certificate authentication](vpn-gateway-howto-point-to-site-resource-manager-portal.md)-* [Azure AD authentication](openvpn-azure-ad-tenant.md) +* [Microsoft Entra authentication](openvpn-azure-ad-tenant.md) P2S connections don't require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol), OpenVPN or IKEv2. |
vpn-gateway | Point To Site Vpn Client Cert Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/point-to-site-vpn-client-cert-windows.md | You can use the same VPN client configuration package on each Windows client com ## <a name="azurevpn"></a>OpenVPN: Azure VPN Client steps -This section applies to certificate authentication configurations that use the OpenVPN tunnel type. The following steps help you download, install, and configure the Azure VPN Client to connect to your VNet. Note that these steps apply to certificate authentication. If you're using OpenVPN with Azure AD authentication, see the [Azure AD](openvpn-azure-ad-client.md) configuration article instead. +This section applies to certificate authentication configurations that use the OpenVPN tunnel type. The following steps help you download, install, and configure the Azure VPN Client to connect to your VNet. Note that these steps apply to certificate authentication. If you're using OpenVPN with Microsoft Entra authentication, see the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. To connect, each client computer requires the following items: When you open the zip file, you'll see the **AzureVPN** folder. Locate the **azu If you don't see the file, verify the following items: * Verify that your VPN gateway is configured to use the OpenVPN tunnel type.-* If you're using Azure AD authentication, you may not have an AzureVPN folder. See the [Azure AD](openvpn-azure-ad-client.md) configuration article instead. +* If you're using Microsoft Entra authentication, you may not have an AzureVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. ### Download the Azure VPN Client This section applies to certificate authentication configurations that are confi When you open the VPN client configuration package zip file, you should see an OpenVPN folder. 
If you don't see the folder, verify the following items: * Verify that your VPN gateway is configured to use the OpenVPN tunnel type.-* If you're using Azure AD authentication, you may not have an OpenVPN folder. See the [Azure AD](openvpn-azure-ad-client.md) configuration article instead. +* If you're using Microsoft Entra authentication, you may not have an OpenVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead. [!INCLUDE [Configuration steps](../../includes/vpn-gateway-vwan-config-openvpn-windows.md)] |
vpn-gateway | Troubleshoot Ad Vpn Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/troubleshoot-ad-vpn-client.md | Title: 'Troubleshoot Point-to-Site VPN clients - Azure AD authentication' + Title: 'Troubleshoot Point-to-Site VPN clients - Microsoft Entra authentication' -description: Learn how to troubleshoot VPN Gateway Point-to-Site clients that use Azure AD authentication. +description: Learn how to troubleshoot VPN Gateway Point-to-Site clients that use Microsoft Entra authentication. Last updated 04/29/2021 -# Troubleshoot an Azure AD authentication VPN client +# Troubleshoot a Microsoft Entra authentication VPN client -This article helps you troubleshoot a VPN client to connect to a virtual network using Point-to-Site VPN and Azure Active Directory authentication. +This article helps you troubleshoot a VPN client to connect to a virtual network using Point-to-Site VPN and Microsoft Entra authentication. ## <a name="status"></a>View Status Log Run diagnostics on the VPN client. 2. The client will run a series of tests and display the result of the test * Internet Access ΓÇô Checks to see if the client has Internet connectivity- * Client Credentials ΓÇô Check to see if the Azure Active Directory authentication endpoint is reachable + * Client Credentials ΓÇô Check to see if the Microsoft Entra authentication endpoint is reachable * Server Resolvable ΓÇô Contacts the DNS server to resolve the IP address of the configured VPN server * Server Reachable ΓÇô Checks to see if the VPN server is responding or not 3. If any of the tests fail, contact your network administrator to resolve the issue. Collect the VPN client log files. The log files can be sent to support/administr ## Next steps -For more information, see [Create an Azure Active Directory tenant for P2S Open VPN connections that use Azure AD authentication](openvpn-azure-ad-tenant.md). 
+For more information, see [Create a Microsoft Entra tenant for P2S Open VPN connections that use Microsoft Entra authentication](openvpn-azure-ad-tenant.md). |
vpn-gateway | Vpn Gateway Howto Point To Site Resource Manager Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal.md | This article helps you configure the necessary VPN Gateway point-to-site (P2S) s :::image type="content" source="./media/vpn-gateway-howto-point-to-site-rm-ps/point-to-site-diagram.png" alt-text="Diagram of point-to-site connection showing how to connect from a computer to an Azure VNet."::: -There are various different configuration options available for P2S. For more information about point-to-site VPN, see [About point-to-site VPN](point-to-site-about.md). This article helps you create a P2S configuration that uses **certificate authentication** and the Azure portal. To create this configuration using the Azure PowerShell, see the [Configure P2S - Certificate - PowerShell](vpn-gateway-howto-point-to-site-rm-ps.md) article. For RADIUS authentication, see the [P2S RADIUS](point-to-site-how-to-radius-ps.md) article. For Azure Active Directory authentication, see the [P2S Azure AD](openvpn-azure-ad-tenant.md) article. +There are various different configuration options available for P2S. For more information about point-to-site VPN, see [About point-to-site VPN](point-to-site-about.md). This article helps you create a P2S configuration that uses **certificate authentication** and the Azure portal. To create this configuration using the Azure PowerShell, see the [Configure P2S - Certificate - PowerShell](vpn-gateway-howto-point-to-site-rm-ps.md) article. For RADIUS authentication, see the [P2S RADIUS](point-to-site-how-to-radius-ps.md) article. For Microsoft Entra authentication, see the [P2S Microsoft Entra ID](openvpn-azure-ad-tenant.md) article. [!INCLUDE [P2S basic architecture](../../includes/vpn-gateway-p2s-architecture.md)] The client address pool is a range of private IP addresses that you specify. 
The In this section, you specify the tunnel type and the authentication type. These settings can become complex, depending on the tunnel type you require and the VPN client software that will be used to make the connection from the user's operating system. The steps in this article will walk you through basic configuration settings and choices. -You can select options that contain multiple tunnel types from the dropdown - such as *IKEv2 and OpenVPN(SSL)* or *IKEv2 and SSTP (SSL)*, however, only certain combinations of tunnel types and authentication types are supported. For example, Azure Active Directory authentication can only be used when you select *OpenVPN (SSL)* from the tunnel type dropdown, and not *IKEv2 and OpenVPN(SSL)*. +You can select options that contain multiple tunnel types from the dropdown - such as *IKEv2 and OpenVPN(SSL)* or *IKEv2 and SSTP (SSL)*, however, only certain combinations of tunnel types and authentication types are supported. For example, Microsoft Entra authentication can only be used when you select *OpenVPN (SSL)* from the tunnel type dropdown, and not *IKEv2 and OpenVPN(SSL)*. Additionally, the tunnel type and the authentication type you choose impact the VPN client software that can be used to connect to Azure. Some VPN client software can only connect via IKEv2, others can only connect via OpenVPN. And some client software, while it supports a certain tunnel type, may not support the authentication type you choose. As you can tell, planning the tunnel type and authentication type is important w * The native VPN client for iOS and macOS can only use the IKEv2 tunnel type to connect to Azure. * The Azure VPN Client isn't supported for certificate authentication at this time, even if you select the OpenVPN tunnel type. 
* If you want to use the OpenVPN tunnel type with certificate authentication, you can use an OpenVPN client.- * For macOS, you can use the Azure VPN Client with the OpenVPN tunnel type and Azure AD authentication (not certificate authentication). + * For macOS, you can use the Azure VPN Client with the OpenVPN tunnel type and Microsoft Entra authentication (not certificate authentication). * **Android and Linux**: On the **Point-to-site configuration** page, select the **Tunnel type**. For thi ### <a name="authenticationtype"></a>Authentication type -For this exercise, select **Azure certificate** for the authentication type. If you're interested in other authentication types, see the articles for [Azure AD](openvpn-azure-ad-tenant.md) and [RADIUS](point-to-site-how-to-radius-ps.md). +For this exercise, select **Azure certificate** for the authentication type. If you're interested in other authentication types, see the articles for [Microsoft Entra ID](openvpn-azure-ad-tenant.md) and [RADIUS](point-to-site-how-to-radius-ps.md). :::image type="content" source="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/configuration-authentication-type.png" alt-text="Screenshot of Point-to-site configuration page - authentication type." lightbox="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/configuration-authentication-type.png"::: |
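Review bot: the bullet "The Azure VPN Client isn't supported for certificate authentication at this time, even if you select the OpenVPN tunnel type" carries a time-relative qualifier ("at this time") that this rename pass left untouched; since the hunk already touches the neighbouring macOS bullet, either date the statement or point it at the client/authentication compatibility reference so the claim can be re-checked when support changes. Also, "various different configuration options" in the first `+` line is redundant; "several configuration options" reads cleaner.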
vpn-gateway | Vpn Gateway Radius Mfa Nsp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/vpn-gateway-radius-mfa-nsp.md | Title: 'Integrate NPS with VPN Gateway RADIUS authentication for MFA' -description: Learn about integrating Azure VPN Gateway RADIUS authentication with NPS server for Multi-Factor Authentication. +description: Learn about integrating Azure VPN Gateway RADIUS authentication with NPS server for multifactor authentication. Last updated 09/16/2019 -# Integrate Azure VPN gateway RADIUS authentication with NPS server for Multi-Factor Authentication +# Integrate Azure VPN gateway RADIUS authentication with NPS server for multifactor authentication -The article describes how to integrate Network Policy Server (NPS) with Azure VPN gateway RADIUS authentication to deliver Multi-Factor Authentication (MFA) for point-to-site VPN connections. +The article describes how to integrate Network Policy Server (NPS) with Azure VPN gateway RADIUS authentication to deliver multifactor authentication (MFA) for point-to-site VPN connections. ## Prerequisite -To enable MFA, the users must be in Azure Active Directory (Azure AD), which must be synced from either the on-premises or cloud environment. Also, the user must have already completed the auto-enrollment process for MFA. For more information, see [Set up my account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) +To enable MFA, the users must be in Microsoft Entra ID, which must be synced from either the on-premises or cloud environment. Also, the user must have already completed the auto-enrollment process for MFA. 
For more information, see [Set up my account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) ## Detailed steps To enable MFA, the users must be in Azure Active Directory (Azure AD), which mus -### Step 2: Configure the NPS for Azure AD MFA +<a name='step-2-configure-the-nps-for-azure-ad-mfa'></a> -1. On the NPS server, [install the NPS extension for Azure AD MFA](../active-directory/authentication/howto-mfa-nps-extension.md#install-the-nps-extension). +### Step 2: Configure the NPS for Microsoft Entra multifactor authentication ++1. On the NPS server, [install the NPS extension for Microsoft Entra multifactor authentication](../active-directory/authentication/howto-mfa-nps-extension.md#install-the-nps-extension). 2. Open the NPS console, right-click **RADIUS Clients**, and then select **New**. Create the RADIUS client by specifying the following settings: - **Friendly Name**: Type any name. To enable MFA, the users must be in Azure Active Directory (Azure AD), which mus ## Next steps -- [Azure AD Multi-Factor Authentication](../active-directory/authentication/concept-mfa-howitworks.md)-- [Integrate your existing NPS infrastructure with Azure AD Multi-Factor Authentication](../active-directory/authentication/howto-mfa-nps-extension.md)+- [Microsoft Entra multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md) +- [Integrate your existing NPS infrastructure with Microsoft Entra multifactor authentication](../active-directory/authentication/howto-mfa-nps-extension.md) |
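Review bot: the front matter still reads "Last updated 09/16/2019" while the `+` lines rewrite the prerequisite and the Step 2 heading; bump the date, or readers will assume the NPS extension guidance has not been reviewed since 2019. The rewritten prerequisite "the users must be in Microsoft Entra ID, which must be synced from either the on-premises or cloud environment" is also unclear about what is synced from where; "users must exist in Microsoft Entra ID, either created in the cloud or synchronized from on-premises, and must have completed MFA registration" says the same thing without the ambiguity. Keeping the `<a name='step-2-configure-the-nps-for-azure-ad-mfa'></a>` anchor for the old heading target is the right call.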
vpn-gateway | Vpn Gateway Troubleshoot Vpn Point To Site Connection Problems | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md | This error occurs if the RADIUS server that you used for authenticating VPN clie ### Solution -Make sure that RADIUS server is configured correctly. For More information, see [Integrate RADIUS authentication with Azure AD Multi-Factor Authentication Server](../active-directory/authentication/howto-mfaserver-dir-radius.md). +Make sure that RADIUS server is configured correctly. For More information, see [Integrate RADIUS authentication with Azure Multi-Factor Authentication Server](../active-directory/authentication/howto-mfaserver-dir-radius.md). ## "Error 405" when you download root certificate from VPN Gateway |
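Review bot: the retitled link "Integrate RADIUS authentication with Azure Multi-Factor Authentication Server" (`howto-mfaserver-dir-radius.md`) sends readers of a point-to-site RADIUS troubleshooting page to the standalone MFA Server integration, while the NPS article in this same batch (vpn-gateway-radius-mfa-nsp.md) documents the NPS extension for Microsoft Entra multifactor authentication as the RADIUS/MFA path; point this Solution at the NPS article, or link both, so the two pages do not prescribe different RADIUS back ends. Also, the unchanged context "For More information" should read "For more information".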
vpn-gateway | Work Remotely Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/work-remotely-support.md | At a high level, the following steps are needed to enable users to connect to Az * For certificate authentication, follow [this link](vpn-gateway-howto-point-to-site-resource-manager-portal.md#creategw). * For OpenVPN, follow [this link](vpn-gateway-howto-openvpn.md).- * For Azure AD authentication, follow [this link](openvpn-azure-ad-tenant.md). + * For Microsoft Entra authentication, follow [this link](openvpn-azure-ad-tenant.md). * For troubleshooting point-to-site connections, follow [this link](vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md). 3. Download and distribute the VPN client configuration. 4. Distribute the certificates (if certificate authentication is selected) to the clients. To learn how to set up a site-to-site VPN tunnel, see [this link](./tutorial-sit ## Next Steps -* [Configure a P2S connection - Azure AD authentication](openvpn-azure-ad-tenant.md) +* [Configure a P2S connection - Microsoft Entra authentication](openvpn-azure-ad-tenant.md) * [Configure a P2S connection - RADIUS authentication](point-to-site-how-to-radius-ps.md) * [Configure a P2S connection - Azure native certificate authentication](vpn-gateway-howto-point-to-site-rm-ps.md) -**"OpenVPN" is a trademark of OpenVPN Inc.** +**"OpenVPN" is a trademark of OpenVPN Inc.** |
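Review bot: the heading "## Next Steps" uses title case while the other vpn-gateway article in this batch (vpn-gateway-radius-mfa-nsp.md) uses "## Next steps"; since the hunk already edits that section, normalise the heading to the sentence-case form.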
vpn-gateway | Work Remotely Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vs-azure-tools-storage-manage-with-storage-explorer.md | Storage Explorer provides several ways to connect to Azure resources: ### Sign in to Azure > [!NOTE]-> To fully access resources after you sign in, Storage Explorer requires both management (Azure Resource Manager) and data layer permissions. This means that you need Azure Active Directory (Azure AD) permissions to access your storage account, the containers in the account, and the data in the containers. If you have permissions only at the data layer, consider choosing the **Sign in using Azure Active Directory (Azure AD)** option when attaching to a resource. For more information about the specific permissions Storage Explorer requires, see the [Azure Storage Explorer troubleshooting guide](./storage/common/storage-explorer-troubleshooting.md#azure-rbac-permissions-issues). +> To fully access resources after you sign in, Storage Explorer requires both management (Azure Resource Manager) and data layer permissions. This means that you need Microsoft Entra permissions to access your storage account, the containers in the account, and the data in the containers. If you have permissions only at the data layer, consider choosing the **Sign in using Microsoft Entra ID** option when attaching to a resource. For more information about the specific permissions Storage Explorer requires, see the [Azure Storage Explorer troubleshooting guide](./storage/common/storage-explorer-troubleshooting.md#azure-rbac-permissions-issues). 1. In Storage Explorer, select **View** > **Account Management** or select the **Manage Accounts** button. Storage Explorer provides several ways to connect to Azure resources: Storage Explorer lets you connect to individual resources, such as an Azure Data Lake Storage Gen2 container, using various authentication methods. 
Some authentication methods are only supported for certain resource types. -| Resource type | Azure AD | Account Name and Key | Shared Access Signature (SAS) | Public (anonymous) | +| Resource type | Microsoft Entra ID | Account Name and Key | Shared Access Signature (SAS) | Public (anonymous) | ||-|-|--|--| | Storage accounts | Yes | Yes | Yes (connection string or URL) | No | | Blob containers | Yes | No | Yes (URL) | Yes | If Storage Explorer couldn't add your connection, or if you can't access your da The following sections describe the different authentication methods you can use to connect to individual resources. -#### Azure AD +<a name='azure-ad'></a> ++#### Microsoft Entra ID Storage Explorer can use your Azure account to connect to the following resource types: * Blob containers Storage Explorer can use your Azure account to connect to the following resource * Azure Data Lake Storage Gen2 directories * Queues -Azure AD is the preferred option if you have data layer access to your resource but no management layer access. +Microsoft Entra ID is the preferred option if you have data layer access to your resource but no management layer access. 1. Sign in to at least one Azure account using the [steps described above](#sign-in-to-azure). 1. In the **Select Resource** panel of the **Connect to Azure Storage** dialog, select **Blob container**, **ADLS Gen2 container**, or **Queue**.-1. Select **Sign in using Azure Active Directory (Azure AD)** and select **Next**. +1. Select **Sign in using Microsoft Entra ID** and select **Next**. 1. Select an Azure account and tenant. The account and tenant must have access to the Storage resource you want to attach to. Select **Next**. 1. Enter a display name for your connection and the URL of the resource. Select **Next**. 1. Review your connection information in the **Summary** panel. If the connection information is correct, select **Connect**. |
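Review bot: the table row labels this article "Work Remotely Support" while the path is `articles/vs-azure-tools-storage-manage-with-storage-explorer.md` (the Storage Explorer article); the label was carried over from the previous row and should be corrected. In the hunk itself, the `+` line "Microsoft Entra ID is the preferred option if you have data layer access to your resource but no management layer access" presents identity-based sign-in as a fallback for a permissions gap; the same table lists Account Name and Key and SAS as alternatives, so if Entra ID is the preferred method, say so generally and keep the no-management-access case as one reason rather than the only one.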
web-application-firewall | Waf Front Door Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-best-practices.md | For more information, see the following resources: ### Use a high threshold for rate limits -Usually it's good practice to set your rate limit threshold to be quite high. For example, if you know that a single client IP address might send around 10 requests to your server each minute, consider specifying a threshold of 20 requests per minute. +Usually it's good practice to set your rate limit threshold to be high. For example, if you know that a single client IP address might send around 10 requests to your server each minute, consider specifying a threshold of 20 requests per minute. -High rate-limit thresholds avoid blocking legitimate traffic. These thresholds still provide protection against extremely high numbers of requests that might overwhelm your infrastructure. +High rate-limit thresholds avoid blocking legitimate traffic. These thresholds still provide protection against very high numbers of requests that might overwhelm your infrastructure. ## Geo-filtering best practices |
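Review bot: the example in the `+` line ("around 10 requests to your server each minute, consider specifying a threshold of 20 requests per minute") sizes the threshold from an approximate typical rate; a rate limit should be sized from the observed peak legitimate rate per client IP, because a 2x margin over an average will still block legitimate bursts and produce the false positives the paragraph is trying to avoid. State the baseline explicitly ("the highest rate a legitimate client sends") and note that the threshold should be revisited as traffic patterns change.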
web-application-firewall | Waf Front Door Policy Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-policy-settings.md | |
web-application-firewall | Application Gateway Waf Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/ag/application-gateway-waf-configuration.md | The below table shows some examples of how you might structure your exclusion fo | Attribute to Exclude | matchVariable | selectorMatchOperator | Example selector | Example request | What gets excluded | |-|-|-|-|-|-| | Query string | RequestArgKeys | Equals | `/etc/passwd` | Uri: `http://localhost:8080/?/etc/passwd=test` | `/etc/passwd` |-| Query string | RequestArgKeys | EqualsAny | "" | Uri: `http://localhost:8080/?/etc/passwd=test&.htaccess=test2` | `/etc/passwd` and `.htaccess` | +| Query string | RequestArgKeys | EqualsAny | N/A | Uri: `http://localhost:8080/?/etc/passwd=test&.htaccess=test2` | `/etc/passwd` and `.htaccess` | | Query string | RequestArgNames | Equals | `text` | Uri: `http://localhost:8080/?text=/etc/passwd` | `/etc/passwd` |-| Query string | RequestArgNames | EqualsAny | "" | Uri: `http://localhost:8080/?text=/etc/passwd&text2=.cshrc` | `/etc/passwd` and `.cshrc` | +| Query string | RequestArgNames | EqualsAny | N/A | Uri: `http://localhost:8080/?text=/etc/passwd&text2=.cshrc` | `/etc/passwd` and `.cshrc` | | Query string | RequestArgValues | Equals | `text` | Uri: `http://localhost:8080/?text=/etc/passwd` | `/etc/passwd` |-| Query string | RequestArgValues | EqualsAny | "" | Uri: `http://localhost:8080/?text=/etc/passwd&text2=.cshrc` | `/etc/passwd` and `.cshrc` | +| Query string | RequestArgValues | EqualsAny | N/A | Uri: `http://localhost:8080/?text=/etc/passwd&text2=.cshrc` | `/etc/passwd` and `.cshrc` | | Request body | RequestArgKeys | Contains | `sleep` | Request body: `{"sleep(5)": "test"}` | `sleep(5)` |-| Request body | RequestArgKeys | EqualsAny | "" | Request body: `{".zshrc": "value", "sleep(5)":"value2"}` | `.zshrc` and `sleep(5)` | +| Request body | RequestArgKeys | EqualsAny | N/A | Request body: `{".zshrc": "value", 
"sleep(5)":"value2"}` | `.zshrc` and `sleep(5)` | | Request body | RequestArgNames | Equals | `test` | Request body: `{"test": ".zshrc"}` | `.zshrc` |-| Request body | RequestArgNames | EqualsAny | "" | Request body: `{"key1": ".zshrc", "key2":"sleep(5)"}` | `.zshrc` and `sleep(5)` | +| Request body | RequestArgNames | EqualsAny | N/A | Request body: `{"key1": ".zshrc", "key2":"sleep(5)"}` | `.zshrc` and `sleep(5)` | | Request body | RequestArgValues | Equals | `test` | Request body: `{"test": ".zshrc"}` | `.zshrc` |-| Request body | RequestArgValues | EqualsAny | "" | Request body: `{"key1": ".zshrc", "key2":"sleep(5)"}` | `.zshrc` and `sleep(5)` | +| Request body | RequestArgValues | EqualsAny | N/A | Request body: `{"key1": ".zshrc", "key2":"sleep(5)"}` | `.zshrc` and `sleep(5)` | | Header | RequestHeaderKeys | Equals | `X-Scanner` | Header: `{"X-Scanner": "test"}` | `X-scanner` |-| Header | RequestHeaderKeys | EqualsAny | "" | Header: `{"X-Scanner": "test", "x-ratproxy-loop": "value"}` | `X-Scanner` and `x-ratproxy-loop` | +| Header | RequestHeaderKeys | EqualsAny | N/A | Header: `{"X-Scanner": "test", "x-ratproxy-loop": "value"}` | `X-Scanner` and `x-ratproxy-loop` | | Header | RequestHeaderNames | Equals | `head1` | Header: `{"head1": "X-Scanner"}` | `X-scanner` |-| Header | RequestHeaderNames | EqualsAny | "" | Header: `{"head1": "myvar=1234", "User-Agent": "(hydra)"}` | `myvar=1234` and `(hydra)` | +| Header | RequestHeaderNames | EqualsAny | N/A | Header: `{"head1": "myvar=1234", "User-Agent": "(hydra)"}` | `myvar=1234` and `(hydra)` | | Header | RequestHeaderValues | Equals | `head1` | Header: `{"head1": "X-Scanner"}` | `X-scanner` |-| Header | RequestHeaderValues | EqualsAny | "" | Header: `{"head1": "myvar=1234", "User-Agent": "(hydra)"}` | `myvar=1234` and `(hydra)` | +| Header | RequestHeaderValues | EqualsAny | N/A | Header: `{"head1": "myvar=1234", "User-Agent": "(hydra)"}` | `myvar=1234` and `(hydra)` | | Cookie | RequestCookieKeys | Contains | 
`/etc/passwd` | Header: `{"Cookie": "/etc/passwdtest=hello1"}` | `/etc/passwdtest` |-| Cookie | RequestCookieKeys | EqualsAny | "" | Header: `{"Cookie": "/etc/passwdtest=hello1", "Cookie": ".htaccess=test1"}` | `/etc/passwdtest` and `.htaccess` | +| Cookie | RequestCookieKeys | EqualsAny | N/A | Header: `{"Cookie": "/etc/passwdtest=hello1", "Cookie": ".htaccess=test1"}` | `/etc/passwdtest` and `.htaccess` | | Cookie | RequestCookieNames | Equals | `arg1` | Header: `{"Cookie": "arg1=/etc/passwd"}` | `/etc/passwd` |-| Cookie | RequestCookieNames | EqualsAny | "" | Header: `{"Cookie": "arg1=/etc/passwd", "Cookie": "arg1=.cshrc"}` | `/etc/passwd` and `.cshrc` | +| Cookie | RequestCookieNames | EqualsAny | N/A | Header: `{"Cookie": "arg1=/etc/passwd", "Cookie": "arg1=.cshrc"}` | `/etc/passwd` and `.cshrc` | | Cookie | RequestCookieValues | Equals | `arg1` | Header: `{"Cookie": "arg1=/etc/passwd"}` | `/etc/passwd` |-| Cookie | RequestCookieValues | EqualsAny | "" | Header: `{"Cookie": "arg1=/etc/passwd", "Cookie": "arg1=.cshrc"}` | `/etc/passwd` and `.cshrc` | +| Cookie | RequestCookieValues | EqualsAny | N/A | Header: `{"Cookie": "arg1=/etc/passwd", "Cookie": "arg1=.cshrc"}` | `/etc/passwd` and `.cshrc` | ## Exclusion scopes |
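Review bot: the `N/A` selector rows show that `EqualsAny` excludes every key, name or value of the given match variable from inspection (for example all request-body argument names, or all cookie values), which removes WAF inspection from that part of the request entirely; the table should carry a warning that such exclusions are broad and should be narrowed (scoped to specific URIs via the exclusion scopes described in the next section, or replaced with Equals/Contains) rather than presented as peers of the narrow examples. Two smaller points in the examples: the Header rows list `X-scanner` as excluded from a `{"X-Scanner": "test"}` request, mixing case, and the Cookie rows show two `"Cookie"` keys in one object, whereas a request carries one Cookie header with `;`-separated pairs (`Cookie: /etc/passwdtest=hello1; .htaccess=test1`).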
web-application-firewall | Bot Protection Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/ag/bot-protection-overview.md | description: This article provides an overview of web application firewall (WAF) Previously updated : 04/21/2022 Last updated : 10/12/2023 You can enable a managed bot protection rule set for your WAF to block or log re ## Use with OWASP rulesets -You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU. Only one OWASP ruleset can be used at any given time. The bot protection ruleset contains an additional rule that appears in its own ruleset. It's titled **Microsoft_BotManagerRuleSet_1.0**, and you can enable or disable it like the other OWASP rules. +You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU. Only one OWASP ruleset can be used at any given time. The bot protection ruleset contains another rule that appears in its own ruleset. It's titled **Microsoft_BotManagerRuleSet_1.0**, and you can enable or disable it like the other OWASP rules. :::image type="content" source="../media/bot-protection-overview/bot-ruleset.png" alt-text="Screenshot show bot protection ruleset." lightbox="../media/bot-protection-overview/bot-ruleset.png"::: |
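Review bot: the `+` line "The bot protection ruleset contains another rule that appears in its own ruleset" reads worse than the original: "another rule" suggests one more OWASP-style rule, while the rest of the sentence says the bot protection content appears as its own rule set named Microsoft_BotManagerRuleSet_1.0. Suggest "The bot protection rules appear as a separate rule set, Microsoft_BotManagerRuleSet_1.0, which you can enable or disable like the OWASP rules." Also, the alt text "Screenshot show bot protection ruleset" should read "shows".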