Updates from: 10/13/2023 01:49:18
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Custom Policy Developer Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-developer-notes.md
Previously updated : 09/06/2023 Last updated : 10/05/2023
Azure Active Directory B2C [user flows and custom policies](user-flow-overview.m
| [Force password reset](force-password-reset.md) | GA | NA | | | [Phone sign-up and sign-in](phone-authentication-user-flows.md) | GA | GA | | | [Conditional Access and Identity Protection](conditional-access-user-flow.md) | GA | GA | Not available for SAML applications |
+| [Smart lockout](threat-management.md) | GA | GA | |
## OAuth 2.0 application authorization flows
active-directory-b2c Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/error-codes.md
Previously updated : 10/28/2022 Last updated : 10/11/2023
The following errors can be returned by the Azure Active Directory B2C service.
| `AADB2C99011` | The metadata value '{0}' has not been specified in TechnicalProfile '{1}' in policy '{2}'. | [Custom policy Technical profiles](technicalprofiles.md) | | `AADB2C99013` | The supplied grant_type [{0}] and token_type [{1}] combination is not supported. | | `AADB2C99015` | Profile '{0}' in policy '{1}' in tenant '{2}' is missing all InputClaims required for resource owner password credential flow. | [Create a resource owner policy](add-ropc-policy.md#create-a-resource-owner-policy) |
+|`AADB2C99002`| User doesn't exist. Please sign up before you can sign in. |
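Review bot: the new `AADB2C99002` row has only two cells where the table has three (code, message, related article), so add a trailing empty cell `| |` to keep the column count aligned, and use the `| `code` | message | |` spacing of the surrounding rows. It is also inserted after `AADB2C99015`, breaking the numeric ordering the rest of the list follows; it belongs ahead of `AADB2C99011`. Since the message text tells the caller that the identifier matched no account, it would help readers to state in the description when this error is surfaced, so they can judge where it is exposed to end users.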
active-directory-b2c Identity Provider Azure Ad B2c https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-b2c.md
Previously updated : 09/16/2021 Last updated : 10/11/2023
zone_pivot_groups: b2c-policy-type
## Overview
-This article describes how to set up a federation with another Azure AD B2C tenant. When your applications are protected with your Azure AD B2C, this allows users from other Azure AD B2CΓÇÖs to login with their existing accounts. In the following diagram, users are able to sign-in to an Application protected by *Contoso*ΓÇÖs Azure AD B2C, with an account managed by *Fabrikam*ΓÇÖs Azure AD B2C tenant
+This article describes how to set up a federation with another Azure AD B2C tenant. When your applications are protected with your Azure AD B2C, this allows users from other Azure AD B2CΓÇÖs to login with their existing accounts. In the following diagram, users are able to sign in to an application protected by *Contoso*ΓÇÖs Azure AD B2C, with an account managed by *Fabrikam*ΓÇÖs Azure AD B2C tenant. In this case, user account must be present in *Fabrikam*ΓÇÖs tenant before an application protected by *Contoso*ΓÇÖs Azure AD B2C can attempt to sign in.
![Azure AD B2C federation with another Azure AD B2C tenant](./media/identity-provider-azure-ad-b2c/azure-ad-b2c-federation.png)
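Review bot: the added sentence is missing an article: `the user account must be present in Fabrikam's tenant`. Two pre-existing issues in the same paragraph are worth fixing while it is being touched: `to login with their existing accounts` uses the noun as a verb (`to log in`), and `users from other Azure AD B2C's` should read `users from other Azure AD B2C tenants`.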
active-directory Auth Ssh https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-ssh.md
The system includes the following components:
## Next steps
-* To implement SSH with Microsoft Entra ID, see [Log in to a Linux VM by using Microsoft Entra credentials](../devices/howto-vm-sign-in-azure-ad-linux.md).
+* To implement SSH with Microsoft Entra ID for your users or guest users, see [Log in to a Linux VM by using Microsoft Entra credentials](../devices/howto-vm-sign-in-azure-ad-linux.md).
active-directory Concept Authentication Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-passwordless.md
The following providers offer FIDO2 security keys of different form factors that
| Provider | Biometric | USB | NFC | BLE | FIPS Certified | |:-|:-:|:-:|:-:|:-:|:-:| | [AuthenTrend](https://authentrend.com/about-us/#pg-35-3) | ![y] | ![y]| ![y]| ![y]| ![n] |
-| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![n]| ![n]| ![n] |
+| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![y]| ![n]| ![n] |
| [ATOS](https://atos.net/en/solutions/cyber-security/iot-and-ot-security/smart-card-solution-cardos-for-iot) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ciright](https://www.cyberonecard.com/) | ![n] | ![n]| ![y]| ![n]| ![n] |
+| [Composecure](https://www.composecure.com/arculus) | ![n] | ![n]| ![y]| ![n]| ![n] |
| [Crayonic](https://www.crayonic.com/keyvault) | ![y] | ![n]| ![y]| ![y]| ![n] | | [Cryptnox](https://cryptnox.com/) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ensurity](https://www.ensurity.com/contact) | ![y] | ![y]| ![n]| ![n]| ![n] |
active-directory Concept Fido2 Hardware Vendor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-fido2-hardware-vendor.md
The following table lists partners who are Microsoft-compatible FIDO2 security k
| Provider | Biometric | USB | NFC | BLE | FIPS Certified | |:-|:-:|:-:|:-:|:-:|:-:| | [AuthenTrend](https://authentrend.com/about-us/#pg-35-3) | ![y] | ![y]| ![y]| ![y]| ![n] |
-| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![n]| ![n]| ![n] |
+| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![y]| ![n]| ![n] |
| [ATOS](https://atos.net/en/solutions/cyber-security/iot-and-ot-security/smart-card-solution-cardos-for-iot) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ciright](https://www.cyberonecard.com/) | ![n] | ![n]| ![y]| ![n]| ![n] |
+| [Composecure](https://www.composecure.com/arculus) | ![n] | ![n]| ![y]| ![n]| ![n] |
| [Crayonic](https://www.crayonic.com/keyvault) | ![y] | ![n]| ![y]| ![y]| ![n] | | [Cryptnox](https://cryptnox.com/) | ![n] | ![y]| ![y]| ![n]| ![n] | | [Ensurity](https://www.ensurity.com/contact) | ![y] | ![y]| ![n]| ![n]| ![n] |
active-directory Clean Up Stale Guest Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/clean-up-stale-guest-accounts.md
There are a few recommended patterns that are effective at monitoring and cleani
Use the following instructions to learn how to enhance monitoring of inactive guest accounts at scale and create Access Reviews that follow these patterns. Consider the configuration recommendations and then make the needed changes that suit your environment.
+### License requirements
+ ## Monitor guest accounts at scale with inactive guest insights (Preview) [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
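Review bot: `### License requirements` is added as an H3 immediately above the `## Monitor guest accounts at scale ...` H2, so in the rendered outline it hangs off the preceding section rather than the one it is meant to introduce; either make it an H2 or place it under the section it applies to. The heading line also has a leading space before `##`, and the `[!INCLUDE ...]` directive sits on the same line as the heading text; put the include on its own line so the heading renders cleanly.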
Use the following instructions to learn how to enhance monitoring of inactive gu
1. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date.
-### License requirements
-
-> [!NOTE]
-> When you access the report for the first time, the insights in this report may not be available immediately and may take some time to generate. If you are getting an error, please follow the instructions ensuring you have Microsoft Entra ID Governance license or wait for some time to see the report generated.
-> The inactive days calculation is based on the 2 parameters (last sign in date and creation date). If both of the dates are not available in the system, then we consider User state change date i.e. the date when the user state was last changed. This will give us the closest accurate inactivity duration for those special situations.
- ## Create a multi-stage review for guests to self-attest continued access
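Review bot: deleting the note drops two facts that the hunk does not restate: the report can take time to generate on first access (and an error at that point may mean the Microsoft Entra ID Governance license is missing), and when neither last sign-in date nor creation date is available the inactivity calculation falls back to the user state change date. The surviving step 1 only covers the first two dates, so move the fallback rule into that step rather than losing it. While here, `atleast` in step 1 should be `at least`.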
active-directory Overview Customers Ciam https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/overview-customers-ciam.md
If you've worked with Microsoft Entra ID, you're already familiar with using a M
- **Extensions**: If you need to add user attributes and data from external systems, you can create custom authentication extensions for your user flows. -- **Sign-in methods**: You can enable various options for signing in to your app, including username and password, one-time passcode, and Google or Facebook identities. Learn more
+- **Sign-in methods**: You can enable various options for signing in to your app, including username and password, one-time passcode, and Google or Facebook identities.
- **Encryption keys**: Add and manage encryption keys for signing and validating tokens, client secrets, certificates, and passwords.
+Learn more about [password and one-time passcode](how-to-enable-password-reset-customers.md) login, and about [Google](how-to-google-federation-customers.md) and [Facebook](how-to-facebook-federation-customers.md) federation.
There are two types of user accounts you can manage in your customer tenant:
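Review bot: the new `Learn more about ...` sentence lands after the **Encryption keys** bullet, so it reads as if it applies to encryption keys rather than to **Sign-in methods**; keep it inside the sign-in bullet, or reword it to name sign-in methods explicitly. The link text `password and one-time passcode login` points at `how-to-enable-password-reset-customers.md`, which is a password reset article, so either the link text or the target should change.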
active-directory Hybrid Cloud To On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md
Previously updated : 11/17/2022 Last updated : 10/06/2023
Make sure that you have the correct Client Access Licenses (CALs) or External Co
- [Grant local users access to cloud apps](hybrid-on-premises-to-cloud.md) - [Microsoft Entra B2B collaboration for hybrid organizations](hybrid-organizations.md)-- For an overview of Microsoft Entra Connect, see [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md).
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md
Microsoft Entra ID (previously known as Azure AD) receives improvements on an on
- Deprecated functionality - Plans for changes
-> ![NOTE]
+> [!NOTE]
> If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md).
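Review bot: the `![NOTE]` to `[!NOTE]` fix is correct. The note body on the following line has a pre-existing typo that belongs in the same change: `or are have previously deployed` should be `or have previously deployed`.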
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md
# Plan a Microsoft Entra access reviews deployment
-[Microsoft Entra access reviews](access-reviews-overview.md) help your organization keep the network more secure by managing its [resource access lifecycle](identity-governance-overview.md). With access reviews, you can:
+[Microsoft Entra access reviews](access-reviews-overview.md) help your organization keep the Enterprise more secure by managing its [resource access lifecycle](identity-governance-overview.md). With access reviews, you can:
-* Schedule regular reviews or do ad-hoc reviews to see who has access to specific resources, such as applications and groups.
+* Schedule regular reviews or do ad-hoc reviews to discover who has access to specific resources, such as applications and groups.
* Track reviews for insights, compliance, or policy reasons. * Delegate reviews to specific admins, business owners, or users who can self-attest to the need for continued access. * Use the insights to efficiently determine if users should continue to have access.
![Diagram that shows the access reviews flow.](./media/deploy-access-review/1-planning-review.png)
-Access reviews are an [Microsoft Entra ID Governance](identity-governance-overview.md) capability. The other capabilities are [entitlement management](entitlement-management-overview.md), [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md), and [terms of use](../conditional-access/terms-of-use.md). Together, they help you address these four questions:
+Access reviews are an [Microsoft Entra ID Governance](identity-governance-overview.md) capability. The other capabilities are [entitlement management](entitlement-management-overview.md), [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md), lifecycle workflows, provisioning and [terms of use](../conditional-access/terms-of-use.md). Together, they help you address these four questions:
* Which users should have access to which resources? * What are those users doing with that access?
The following videos help you learn about access reviews:
[!INCLUDE [active-directory-p2-governance-license.md](../../../includes/active-directory-p2-governance-license.md)] >[!NOTE]
->Creating a review on inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
+>To create a review of inactive users and with [user-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.
## Plan the access reviews deployment project
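Review bot: the reworded license note `To create a review of inactive users and with ... recommendations requires a Microsoft Entra ID Governance license` is ungrammatical, since the infinitive leaves `requires` without a subject; keep the original `Creating a review ... requires` or write `To create a review of inactive users, or one with ... recommendations, you need a ... license`. In the same hunk, `keep the Enterprise more secure` should use lowercase `enterprise`, `an [Microsoft Entra ID Governance]` should be `a`, and the expanded capability list drops the serial comma the sentence used before (`lifecycle workflows, provisioning, and [terms of use]`).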
For access reviews, you'll likely include representatives from the following tea
* Reviews privileged access to infrastructure and apps, including Microsoft 365 and Microsoft Entra ID. * Schedules and runs access reviews on groups that are used to maintain exception lists or IT pilot projects to maintain up-to-date access lists. * Ensures that programmatic (scripted) access to resources through service principals is governed and reviewed.
+ * Automate processes like user onboarding and offboarding, access requests, and access certifications.
+
+* **Security teams** ensure the plan meets the security requirements of your organization and enforces Zero Trust. This team:
+ * Reduces risk and strengthens security
+ * Enforces least privilege access to resources and applications
+ * Uses tools to see a centralized authoritative source, of who has access to what, and for how long.
* **Development teams** build and maintain applications for your organization. This team:
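Review bot: the added bullets use inconsistent verb forms. `Automate processes like user onboarding ...` should be `Automates` to match `Reviews`, `Schedules` and `Ensures` in the same list, and the three Security team bullets mix trailing periods (the first two have none, the third does). The comma in `a centralized authoritative source, of who has access to what` is stray.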
For access reviews, you'll likely include representatives from the following tea
* Reviews and approves or denies access to groups and applications for internal and external users. * Schedules and does reviews to attest continued access for employees and external identities such as business partners.
+ * Need employees to have access to the apps required for their work.
+ * Permits departments to manage access for their users.
* **Corporate governance** ensures that the organization follows internal policy and complies with regulations. This team: * Requests or schedules new access reviews. * Assesses processes and procedures for reviewing access, which includes documentation and record keeping for compliance. * Reviews results of past reviews for most critical resources.
+ * Validates the right controls are in place to meet mandatory security and privacy policies.
+ * Requires repeatable access processes that are easy to audit and report.
> [!NOTE]
-> For reviews that require manual evaluations, plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality might be lost and too many or too few people might have access.
+> For reviews that require manual evaluations, plan for adequate reviewers and review cycles that meet your policy and compliance needs. If review cycles are too frequent, or there are too few reviewers, quality might be lost and too many or too few people might have access. We recommend you establish clear responsibilities for the various stakeholders and departments engaged in the access reviews. All teams and individuals participating should understand their respective roles and obligations to uphold the principle of least privilege.
### Plan communications
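Review bot: `Need employees to have access to the apps required for their work` under the business owners list should be `Needs` to match the third-person form of the neighbouring bullets, and `easy to audit and report` reads better as `easy to audit and report on`. The sentences appended to the `[!NOTE]` are recommendations about responsibilities rather than a caveat, so they fit better in the body text above the note than inside it.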
The creator of the access review decides at the time of creation who will do the
* Users who self-attest to their need for continued access. * Managers review their direct reports' access to the resource.
+>[!NOTE]
+>When you select Resource owners or Managers, administrators designate fallback reviewers, who are contacted if the primary contact isnΓÇÖt available.
+ When you create an access review, administrators can choose one or more reviewers. All reviewers can start and carry out a review by choosing users for continued access to a resource or removing them. ### Components of an access review
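Review bot: the new note changes subject mid-sentence (`When you select Resource owners or Managers, administrators designate fallback reviewers`); write it as `When you select Resource owners or Managers, you can also designate fallback reviewers, who are contacted if the primary reviewer isn't available`. It is also inserted between the reviewer list and the sentence `When you create an access review, administrators can choose one or more reviewers`, which summarises that list; moving the note after that sentence keeps them together. The following line starts with a leading space and ends with `### Components of an access review` on the same line; that heading needs its own line.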
External identities can be granted access to company resources. They can be:
For more information, see [sample script](https://github.com/microsoft/access-reviews-samples/tree/master/ExternalIdentityUse). The script shows where external identities invited into the tenant are used. You can see an external user's group membership, role assignments, and application assignments in Microsoft Entra ID. The script won't show any assignments outside of Microsoft Entra ID, for example, direct rights assignment to SharePoint resources, without the use of groups.
-When you create an access review for groups or applications, you can choose to let the reviewer focus on **Everyone with access** or **Guest users only**. By selecting **Guest users only**, reviewers are given a focused list of external identities from Microsoft Entra business to business (B2B) that have access to the resource.
+When you create an access review for groups or applications, you can choose to let the reviewer focus on **All users** or **Guest users only**. By selecting **Guest users only**, reviewers are given a focused list of external identities from Microsoft Entra business to business (B2B) that have access to the resource.
![Screenshot that shows reviewing guest users.](./media/deploy-access-review/4-review-guest-users-admin-ui.png)
Review the following role assignments regularly:
Roles that are reviewed include permanent and eligible assignments.
-In the **Reviewers** section, select one or more people to review all the users. Or you can select **Members (self)** to have the members review their own access.
+In the **Reviewers** section, select one or more people to review all the users. Or you can select **Manager**, to have a manager review their employeesΓÇÖ access, or **Members (self)** to have the members review their own access.
![Screenshot that shows selecting reviewers.](./media/deploy-access-review/7-plan-azure-resources-reviewers-selection.png)
active-directory Entitlement Management Access Package Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-resources.md
For more information, see [Compare groups](/office365/admin/create-groups/compar
You can have Microsoft Entra ID automatically assign users access to a Microsoft Entra enterprise application, including both SaaS applications and your organization's applications integrated with Microsoft Entra ID, when a user is assigned an access package. For applications that integrate with Microsoft Entra ID through federated single sign-on, Microsoft Entra ID issues federation tokens for users assigned to the application.
-Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md).
+Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md). If you're using the Microsoft Authentication Libraries, there is also a [code sample](../develop/sample-v2-code.md) for how to use app roles for access control.
> [!NOTE] > If an application has multiple roles, and more than one role of that application are in an access package, then the user will receive all those application's roles. If instead you want users to only have some of the application's roles, then you will need to create multiple access packages in the catalog, with separate access packages for each of the application roles.
active-directory Entitlement Management Delegate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-delegate.md
In Microsoft Entra ID, you can use role models to manage access at scale through identity governance. * You can use access packages to represent [organizational roles](identity-governance-organizational-roles.md) in your organization, such as "sales representative". An access package representing that organizational role would include all the access rights that a sales representative might typically need, across multiple resources.
- * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md).
+ * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson" in its manifest, you could then [include that role from the app manifest in an access package](entitlement-management-access-package-resources.md). Applications can also use security groups in scenarios where a user could have multiple application-specific roles simultaneously.
* You can use roles for delegating administrative access. If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role. This article discusses how to use roles to manage aspects within Microsoft Entra entitlement management, for controlling access to the entitlement management resources.
active-directory Entitlement Management Verified Id Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-verified-id-settings.md
Once an access package is configured with a verified ID requirement, end-users w
The requestor steps are as follows:
-1. Go to [myaccess.microsoft.com](../develop/configure-app-multi-instancing.md) and sign in.
+1. Go to [myaccess.microsoft.com](HTTPS://myaccess.microsoft.com) and sign in.
1. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select **Request**.
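Review bot: the link target should be lowercase `https://myaccess.microsoft.com` rather than `HTTPS://myaccess.microsoft.com`; the scheme is case-insensitive, but the uppercase form is inconsistent with every other link in these docs.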
active-directory Identity Governance Applications Integrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-integrate.md
Next, if the application implements a provisioning protocol, then you should con
| Integrated Windows Auth (IWA) | Deploy the [application proxy](../app-proxy/application-proxy.md), configure an application for [Integrated Windows authentication SSO](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md), and set firewall rules to prevent access to the application's endpoints except via the proxy.| | header-based authentication | Deploy the [application proxy](../app-proxy/application-proxy.md) and configure an application for [header-based SSO](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md) |
-1. If your application has multiple roles, and relies upon Microsoft Entra ID to send a user's application-specific role as a claim of a user signing into the application, then configure those application roles in Microsoft Entra ID on your application. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest.
+1. If your application has multiple roles, each user has only one role in the application, and the application relies upon Microsoft Entra ID to send a user's single application-specific role as a claim of a user signing into the application, then configure those application roles in Microsoft Entra ID on your application, and then assign each user to the application role. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest. If you're using the Microsoft Authentication Libraries, there is a [code sample](../develop/sample-v2-code.md) for how to use app roles inside your application for access control. If a user could have multiple roles simultaneously, then you may wish to implement the application to check security groups, either in the token claims or available via Microsoft Graph, instead of using application roles from the app manifest for access control.
1. If the application supports provisioning, then [configure provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of assigned users and groups from Microsoft Entra ID to that application. If this is a private or custom application, you can also select the integration that's most appropriate, based on the location and capabilities of the application.
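Review bot: the rewritten step 1 stacks three conditions (`has multiple roles`, `each user has only one role`, `relies upon Microsoft Entra ID to send a user's single application-specific role`) in one sentence before reaching the instruction; split it into the condition and the action, and put the MSAL sample and the multiple-roles alternative in separate sentences or a sub-list. `you may wish to implement` can be `implement`. The alternative of checking security groups `either in the token claims or available via Microsoft Graph` gives no criterion for choosing between the two; state when group claims alone are sufficient and when the Graph lookup is needed, or link to the guidance that does.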
active-directory Identity Governance Applications Prepare https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-prepare.md
Microsoft Entra ID Governance allows you to balance your organization's need for
Organizations with compliance requirements or risk management plans have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. As part of your organization's controls for managing access, you can use Microsoft Entra features to * set up appropriate access
+* provision users to applications
* enforce access checks * produce reports to demonstrate how those controls are being used to meet your compliance and risk management objectives.
In addition to the application access governance scenario, you can also use iden
Microsoft Entra ID Governance can be integrated with many applications, using [standards](../architecture/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Microsoft Entra ID with many popular SaaS applications, on-premises applications, and applications that your organization has developed. Once you've prepared your Microsoft Entra environment, as described in the section below, the three step plan covers how to connect an application to Microsoft Entra ID and enable identity governance features to be used for that application. 1. [Define your organization's policies for governing access to the application](identity-governance-applications-define.md)
-1. [Integrate the application with Microsoft Entra ID](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed
+1. [Integrate the application with Microsoft Entra ID](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed. This allows authentication and user provisioning
1. [Deploy those policies](identity-governance-applications-deploy.md) for controlling single sign-on (SSO) and automating access assignments for that application <a name='prerequisites-before-configuring-azure-ad-for-identity-governance'></a>
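Review bot: `This allows authentication and user provisioning` is appended to step 2 as a fragment with no terminal period and no connection to the preceding clause; write it as `Integrating the application enables authentication and user provisioning for it`, or fold it into the link sentence. The other steps end without a period, so keep the step consistent with them either way.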
active-directory Identity Governance Organizational Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-organizational-roles.md
Role-based access control (RBAC) provides a framework for classifying users and
In Microsoft Entra ID, you can use role models in several ways to manage access at scale through identity governance. * You can use access packages to represent organizational roles in your organization, such as "sales representative". An access package representing that organizational role would include all the access rights that a sales representative might typically need, across multiple resources.
- * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md).
+ * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson" in its manifest, you could then [include that role from the app manifest in an access package](entitlement-management-access-package-resources.md). Applications can also use security groups in scenarios where a user could have multiple application-specific roles simultaneously.
* You can use roles for [delegating administrative access](entitlement-management-delegate.md). If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role. This article discusses how to model organizational roles, using entitlement management access packages, so you can migrate your role definitions to Microsoft Entra ID to enforce access.
active-directory Lifecycle Workflows Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflows-deployment.md
na Previously updated : 01/31/2023 Last updated : 10/12/2023
Communication is critical to the success of any new business process. Proactivel
### Communicate changes in accountability
-Lifecycle Workflows support shifting responsibility of manual processes to business owners. Decoupling these processes from the IT department drives more accuracy and automation. This shift is a cultural change in the resource owner's accountability and responsibility. Proactively communicate this change and ensure resource owners are trained and able to use the insights to make good decisions.
+Lifecycle Workflows support shifting responsibility of manual processes to business owners. Establish clear process and understanding of each teamΓÇÖs responsibilities. Decoupling these processes from the IT department drives more accuracy and automation. This shift is a cultural change in the resource owner's accountability and responsibility. Proactively communicate this change and ensure resource owners are trained and able to use the insights to make good decisions.
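Review bot: `Establish clear process and understanding of each team's responsibilities` needs an article (`a clear process`), and inserting it between the sentence about shifting responsibility to business owners and `Decoupling these processes from the IT department ...` breaks the link between those two sentences; place it after `... drives more accuracy and automation.` or at the end of the paragraph beside `Proactively communicate this change`.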
The following information is important information about your organization and t
|Item|Description|Documentation| |--|--|--|
-|Inbound Provisioning|You have a process to create user accounts for employees in Microsoft Entra such as HR inbound, SuccessFactors, or MIM.<br><br> Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Microsoft Entra ID.|[Workday to Active Directory](../saas-apps/workday-inbound-tutorial.md)<br><br>[Workday to Microsoft Entra ID](../saas-apps/workday-inbound-tutorial.md)<br><br>[SuccessFactors to Active Directory](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)</br></br>[SuccessFactors to Microsoft Entra ID](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)<br><br>[Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect-v2.md)<br><br>[Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md)|
+|Inbound Provisioning|You have a process to create user accounts for employees in Microsoft Entra such as HR inbound, SuccessFactors, or MIM.<br><br> Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Microsoft Entra ID.|[Workday to Active Directory](../saas-apps/workday-inbound-tutorial.md)<br><br>[Workday to Microsoft Entra ID](../saas-apps/workday-inbound-tutorial.md)<br><br>[SuccessFactors to Active Directory](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)</br></br>[SuccessFactors to Microsoft Entra ID](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)<br><br>[Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect-v2.md)<br><br>[Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md)<br><br>[API-driven inbound provisioning (Public preview)](../app-provisioning/inbound-provisioning-api-configure-app.md)|
|Attribute synchronization|The accounts in Microsoft Entra ID have the employeeHireDate and employeeLeaveDateTime attributes populated. The values may be populated when the accounts are created from an HR system or synchronized from AD using Microsoft Entra Connect or cloud sync. You have extra attributes that are used to determine the scope such as department, populated or the ability to populate, with data.|[How to synchronize attributes for Lifecycle Workflows](how-to-lifecycle-workflow-sync-attributes.md) ## Understanding parts of a workflow
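Review bot: the Documentation cell on L171 still mixes `<br><br>` with the malformed `</br></br>` (before "SuccessFactors to Microsoft Entra ID"); since the row is being edited to add the API-driven inbound provisioning link, normalize all separators to `<br><br>`. The Description cell also reads "user accounts for employees in Microsoft Entra such as", which should be "Microsoft Entra ID".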
The following table provides information that you need to be aware of as you cre
The following is additional information you should be aware of.
+ - You can't enable the schedule for the Real-Time **Leaver** and **Mover** scenario. This is by design.
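Review bot: L175 names two scenarios but says "scenario"; suggest "for the Real-Time **Leaver** and **Mover** scenarios". The leading space before the `-` also indents this item one level deeper than the surrounding list, so check it renders as intended.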
Before building a Lifecycle Workflow in the portal, you should determine which s
|Pre-Offboarding of an employee|Remove user from selected groups</br>Remove user from selected Teams| |Offboard an employee|Disable User Account</br>Remove user from all groups</br>Remove user from all Teams| |Post-Offboarding of an employee|Remove all licenses for user</br>Remove user from all Teams</br>Delete User Account|
+|Real-time employee change|Run a Custom Task Extension|
+|Real-time employee termination|Remove users from all Groups and Teams and delete the user account|
For more information on the built-in templates, see [Lifecycle Workflow templates.](lifecycle-workflow-templates.md)
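Review bot: L179 bundles three tasks into one cell and switches to the plural "users", while the neighbouring rows on L177 list each task on its own `</br>`-separated line using the task names from the task table; suggest "Remove user from all groups</br>Remove user from all Teams</br>Delete User Account" so readers can match the template to the individual tasks.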
Now that we've determined the scenario and the who and when, you should consider
|Task|Description|Relevant Scenarios| |--|--|--|
-|Add user to groups|Add user to selected groups| Joiner - Leaver|
-|Add user to selected teams| Add user to Teams| Joiner - Leaver|
+|Add user to groups|Add user to selected groups| Joiner - Leaver - Mover|
+|Add user to selected teams| Add user to Teams| Joiner - Leaver - Mover|
|Delete User Account| Delete user account in Microsoft Entra ID| Leaver| |Disable User Account| Disable user account in the directory| Joiner - Leaver| |Enable User Account| Enable user account in the directory| Joiner - Leaver|
Now that we've determined the scenario and the who and when, you should consider
|Remove all licenses of user| Remove all licenses assigned to the user| Leaver| |Remove user from all groups| Remove user from all Microsoft Entra group memberships| Leaver| |Remove user from all Teams| Remove user from all Teams memberships| Leaver|
-|Remove user from selected groups| Remove user from membership of selected Microsoft Entra groups| Joiner - Leaver|
-|Remove user from selected Teams| Remove user from membership of selected Teams| Joiner - Leaver|
-|Run a Custom Task Extension| Run a Custom Task Extension to callout to an external system| Joiner - Leaver|
+|Remove user from selected groups| Remove user from membership of selected Microsoft Entra groups| Joiner - Leaver - Mover|
+|Remove user from selected Teams| Remove user from membership of selected Teams| Joiner - Leaver - Mover|
+|Run a Custom Task Extension| Run a Custom Task Extension to callout to an external system| Joiner - Leaver - Mover|
|Send email after user's last day| Send offboarding email to user's manager after the last day of work| Leaver| |Send email before user's last day| Send offboarding email to user's manager before the last day of work| Leaver| |Send email on user's last day| Send offboarding email to user's manager on the last day of work| Leaver| |Send Welcome Email| Send welcome email to new hire| Joiner|
+|Send onboarding reminder email|Send onboarding reminder email to userΓÇÖs manager| Joiner|
+|Request user access package assignment|Request user assignement to selected access packages|Joiner-Mover|
+|Remove access package assignement for user|Remove user assignment from selected access packages| Leaver=Mover|
+|Remove all access package assignments for user|Remove all access packages assigned to the user|Leaver|
+|Cancel all pending access package assignement requests for users|Cancel all pending access package assignement requests for users|Leaver|
For more information on tasks, see [Lifecycle Workflow tasks](lifecycle-workflow-tasks.md).
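Review bot: the rows added on L197-L201 need a spelling and consistency pass: "assignement" appears three times (L198, L199, L201) and should be "assignment"; "Leaver=Mover" on L199 should be "Leaver - Mover" and "Joiner-Mover" on L198 should be "Joiner - Mover", matching the "Joiner - Leaver - Mover" form used on L193-L195; "userΓÇÖs" on L197 renders with a mis-encoded apostrophe; and L201 repeats the task name verbatim as its description, where the other rows describe the effect of the task.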
active-directory Concept Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/concept-attributes.md
To view the schema and verify it, follow these steps.
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Concept How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/concept-how-it-works.md
Title: 'Microsoft Entra Connect cloud sync deep dive - how it works'
+ Title: 'Microsoft Entra Cloud Sync deep dive - how it works'
description: This topic provides deep dive information on how cloud sync works.
For more information, see [Supported topologies](plan-cloud-sync-topologies.md).
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Custom Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/custom-attribute-mapping.md
Title: 'Microsoft Entra Connect cloud sync directory extensions and custom attribute mapping'
+ Title: 'Microsoft Entra Cloud Sync directory extensions and custom attribute mapping'
description: This topic provides information on custom attribute mapping in cloud sync.
For additional information on directory extensions see [Using directory extensio
<a name='syncing-directory-extensions-for-azure-active-directory-connect-cloud-sync-'></a>
-## Syncing directory extensions for Microsoft Entra Connect cloud sync
+## Syncing directory extensions for Microsoft Entra Cloud Sync
You can use [directory extensions](/graph/api/resources/extensionproperty?view=graph-rest-1.0&preserve-view=true) to extend the synchronization schema directory definition in Microsoft Entra ID with your own attributes. >[!Important]
-> Directory extension for Microsoft Entra Connect cloud sync is only supported for applications with the identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Microsoft Entra Connect
+> Directory extension for Microsoft Entra Cloud Sync is only supported for applications with the identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Microsoft Entra Connect
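Review bot: renaming the H2 on L221 changes its auto-generated anchor, and the explicit `<a name>` on L219 only preserves the Azure AD-era slug, so any inbound links to the "microsoft-entra-connect-cloud-sync" form of the heading will break; add a second `<a name>` for the previous slug or confirm no inbound links use it. Leaving "created by Microsoft Entra Connect" unchanged at the end of L224 is correct, since that refers to the Entra Connect product rather than Cloud Sync.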
### Create application and service principal for directory extension
For more information on extension attributes, see [Syncing extension attributes
- [Understand the Microsoft Entra schema and custom expressions](concept-attributes.md) - [Microsoft Entra Connect Sync: Directory extensions](../connect/how-to-connect-sync-feature-directory-extensions.md)-- [Attribute mapping in Microsoft Entra Connect cloud sync](how-to-attribute-mapping.md)
+- [Attribute mapping in Microsoft Entra Cloud Sync](how-to-attribute-mapping.md)
active-directory Exchange Hybrid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/exchange-hybrid.md
You can use MS Graph API to enable Exchange hybrid writeback. For more informat
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Accidental Deletes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-accidental-deletes.md
Title: 'Microsoft Entra Connect cloud sync accidental deletes'
+ Title: 'Microsoft Entra Cloud Sync accidental deletes'
description: This topic describes how to use the accidental delete feature to prevent deletions.
# Accidental delete prevention
-The following document describes the accidental deletion feature for Microsoft Entra Connect cloud sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to:
+The following document describes the accidental deletion feature for Microsoft Entra Cloud Sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to:
- configure the ability to prevent accidental deletes automatically. - Set the # of objects (threshold) beyond which the configuration takes effect
If you don't want to allow the deletions, you need to do the following actions:
## Next steps -- [Microsoft Entra Connect cloud sync troubleshooting?](how-to-troubleshoot.md)-- [Microsoft Entra Connect cloud sync error codes](reference-error-codes.md)
+- [Microsoft Entra Cloud Sync troubleshooting?](how-to-troubleshoot.md)
+- [Microsoft Entra Cloud Sync error codes](reference-error-codes.md)
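Review bot: the stray question mark in the link text on L243 ("Microsoft Entra Cloud Sync troubleshooting?") is carried over from L242; drop it so the link reads "Microsoft Entra Cloud Sync troubleshooting".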
active-directory How To Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-attribute-mapping.md
Title: 'Attribute mapping in Microsoft Entra Connect cloud sync'
+ Title: 'Attribute mapping in Microsoft Entra Cloud Sync'
description: This article describes how to use the cloud sync feature of Microsoft Entra Connect to map attributes.
-# Attribute mapping in Microsoft Entra Connect cloud sync
+# Attribute mapping in Microsoft Entra Cloud Sync
You can use the cloud sync attribute mapping feature to map attributes between your on-premises user or group objects and the objects in Microsoft Entra ID.
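Review bot: the description on L248 still calls this "the cloud sync feature of Microsoft Entra Connect", which contradicts the renamed title and H1 on L247 and L250; update it to "Microsoft Entra Cloud Sync" in the same change so the page metadata and body agree.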
To test your attribute mapping, you can use [on-demand provisioning](how-to-on-d
## Next steps -- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
- [Writing expressions for attribute mappings](reference-expressions.md) - [How to use expression builder with cloud sync](how-to-expression-builder.md) - [Attributes synchronized to Microsoft Entra ID](../connect/reference-connect-sync-attributes-synchronized.md)
active-directory How To Automatic Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-automatic-upgrade.md
To verify your version, right-click the executable and select properties and the
To remove the agent, go to **Uninstall or change a program** and uninstall the following: - **Microsoft Entra Connect Agent Updater**-- **Microsoft Entra Connect Provisioning Agent**-- **Microsoft Entra Connect Provisioning Agent Package**
+- **Microsoft Entra Provisioning Agent**
+- **Microsoft Entra Provisioning Agent Package**
![Agent removal](media/how-to-automatic-upgrade/agent-3.png) ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
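Review bot: L259-L260 rename two entries in the "Uninstall or change a program" list while L258 keeps "Microsoft Entra Connect Agent Updater"; because these are display names readers must find in the installed-programs list, confirm all three strings match what the current installer actually registers rather than the marketing name, otherwise the uninstall steps will not match the screen.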
active-directory How To Cloud Sync Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-cloud-sync-workbook.md
To learn more about alerts, see [Azure Monitor Log Alerts](../../../azure-monito
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
- [Known limitations](how-to-prerequisites.md#known-limitations) - [Error codes](reference-error-codes.md)
active-directory How To Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-configure.md
Title: 'Microsoft Entra Connect cloud sync new agent configuration'
+ Title: 'Microsoft Entra Cloud Sync new agent configuration'
description: This article describes how to install cloud sync.
-# Create a new configuration for Microsoft Entra Connect cloud sync
+# Create a new configuration for Microsoft Entra Cloud Sync
-The following document will guide you through configuring Microsoft Entra Connect cloud sync.
+The following document will guide you through configuring Microsoft Entra Cloud Sync.
-The following documentation demonstrates the new guided user experience for Microsoft Entra Connect cloud sync. If you are not seeing the images below, you need to select the **Preview features** at the top. You can select this again to revert back to the old experience.
+The following documentation demonstrates the new guided user experience for Microsoft Entra Cloud Sync. If you are not seeing the images below, you need to select the **Preview features** at the top. You can select this again to revert back to the old experience.
:::image type="content" source="media/how-to-configure/new-ux-configure-19.png" alt-text="Screenshot of enable preview features." lightbox="media/how-to-configure/new-ux-configure-19.png":::
You can configure groups and organizational units within a configuration.
7. Once you've changed the scope, you should [restart provisioning](#restart-provisioning) to initiate an immediate synchronization of the changes. ## Attribute mapping
-Microsoft Entra Connect cloud sync allows you to easily map attributes between your on-premises user/group objects and the objects in Microsoft Entra ID.
+Microsoft Entra Cloud Sync allows you to easily map attributes between your on-premises user/group objects and the objects in Microsoft Entra ID.
:::image type="content" source="media/how-to-configure/new-ux-configure-6.png" alt-text="Screenshot of map attributes icon." lightbox="media/how-to-configure/new-ux-configure-6.png":::
After saving, you should see a message telling you what you still need to do to
For more information, see [attribute mapping](how-to-attribute-mapping.md). ## Directory extensions and custom attribute mapping.
-Microsoft Entra Connect cloud sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md).
+Microsoft Entra Cloud Sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md).
## On-demand provisioning
-Microsoft Entra Connect cloud sync allows you to test configuration changes, by applying these changes to a single user or group.
+Microsoft Entra Cloud Sync allows you to test configuration changes, by applying these changes to a single user or group.
:::image type="content" source="media/how-to-configure/new-ux-configure-8.png" alt-text="Screenshot of test icon." lightbox="media/how-to-configure/new-ux-configure-8.png":::
To delete a configuration, follow these steps.
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-expression-builder.md
Title: 'Use the expression builder with Microsoft Entra Connect cloud sync'
+ Title: 'Use the expression builder with Microsoft Entra Cloud Sync'
description: This article describes how to use the expression builder with cloud sync.
active-directory How To Gmsa Cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-gmsa-cmdlets.md
# Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets
-The purpose of this document is to describe the Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Microsoft Entra Connect cloud sync applies all permissions similar to Microsoft Entra Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install.
+The purpose of this document is to describe the Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Microsoft Entra Cloud Sync applies all permissions similar to Microsoft Entra Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install.
This document will cover the following cmdlets:
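Review bot: the H1 on L300 and the first sentence on L302 still say "Microsoft Entra Connect cloud provisioning agent", whereas the same change renames the agent to "Microsoft Entra Provisioning Agent" elsewhere (for example the H1 on L312); either rename it here as well or state why this page keeps the older name.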
active-directory How To Inbound Synch Ms Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md
Look under the 'status' section of the return object for relevant details
## Next steps -- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
- [Transformations](how-to-transformation.md) - [Microsoft Entra Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)
active-directory How To Install Pshell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install-pshell.md
-# Install the Microsoft Entra Connect provisioning agent by using a CLI and PowerShell
-This article shows you how to install the Microsoft Entra Connect provisioning agent by using PowerShell cmdlets.
+# Install the Microsoft Entra Provisioning Agent by using a CLI and PowerShell
+This article shows you how to install the Microsoft Entra Provisioning Agent by using PowerShell cmdlets.
>[!NOTE]
->This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Microsoft Entra Connect provisioning agent by using the wizard, see [Install the Microsoft Entra Connect provisioning agent](how-to-install.md).
+>This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Microsoft Entra Provisioning Agent by using the wizard, see [Install the Microsoft Entra Provisioning Agent](how-to-install.md).
## Prerequisite
-The Windows server must have TLS 1.2 enabled before you install the Microsoft Entra Connect provisioning agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in [Prerequisites for Microsoft Entra Connect cloud sync](how-to-prerequisites.md#tls-requirements).
+The Windows server must have TLS 1.2 enabled before you install the Microsoft Entra Provisioning Agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in [Prerequisites for Microsoft Entra Cloud Sync](how-to-prerequisites.md#tls-requirements).
>[!IMPORTANT] >The following installation instructions assume that all the [prerequisites](how-to-prerequisites.md) were met. <a name='install-the-azure-ad-connect-provisioning-agent-by-using-powershell-cmdlets-'></a>
-## Install the Microsoft Entra Connect provisioning agent by using PowerShell cmdlets
+## Install the Microsoft Entra Provisioning Agent by using PowerShell cmdlets
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
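Review bot: the `<a name>` on L320 preserves only the Azure AD-era anchor; renaming the H2 on L322 changes the auto-generated slug again, so links to the "microsoft-entra-connect-provisioning-agent" form will break unless a second `<a name>` is added for it.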
The Windows server must have TLS 1.2 enabled before you install the Microsoft En
Now that you've installed the agent, you can apply more granular permissions to the gMSA. For information and step-by-step instructions on how to configure the permissions, see [Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md). ## Installing against US government cloud
-By default, the Microsoft Entra Connect provisioning agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud do the following:
+By default, the Microsoft Entra Provisioning Agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud do the following:
- In step #8, add **ENVIRONMENTNAME=AzureUSGovernment** to the command line like the example. ```
By default, the Microsoft Entra Connect provisioning agent installs against the
- [What is provisioning?](../what-is-provisioning.md) - [Microsoft Entra Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install.md
Title: 'Install the Microsoft Entra Connect provisioning agent'
-description: Learn how to install the Microsoft Entra Connect provisioning agent and how to configure it in the Microsoft Entra admin center.
+ Title: 'Install the Microsoft Entra Provisioning Agent'
+description: Learn how to install the Microsoft Entra Provisioning Agent and how to configure it in the Microsoft Entra admin center.
-# Install the Microsoft Entra Connect provisioning agent
+# Install the Microsoft Entra Provisioning Agent
-This article walks you through the installation process for the Microsoft Entra Connect provisioning agent and how to initially configure it in the Microsoft Entra admin center.
+This article walks you through the installation process for the Microsoft Entra Provisioning Agent and how to initially configure it in the Microsoft Entra admin center.
> [!IMPORTANT] > The following installation instructions assume that you've met all the [prerequisites](how-to-prerequisites.md). >[!NOTE]
->This article deals with installing the provisioning agent by using the wizard. For information about installing the Microsoft Entra Connect provisioning agent by using a CLI, see [Install the Microsoft Entra Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).
+>This article deals with installing the provisioning agent by using the wizard. For information about installing the Microsoft Entra Provisioning Agent by using a CLI, see [Install the Microsoft Entra Provisioning Agent by using a CLI and PowerShell](how-to-install-pshell.md).
For more information and an example, view the following video: > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR] ## Group Managed Service Accounts
-A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Microsoft Entra Connect cloud sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
+A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Microsoft Entra Cloud Sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
### Update an existing agent to use the gMSA
To update an existing agent to use the Group Managed Service Account created dur
[!INCLUDE [active-directory-cloud-sync-how-to-verify-installation](../../../../includes/active-directory-cloud-sync-how-to-verify-installation.md)] >[!IMPORTANT]
-> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Microsoft Entra Connect cloud sync](how-to-configure.md).
+> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Microsoft Entra Cloud Sync](how-to-configure.md).
To use *password writeback* and enable the self-service password reset (SSPR) se
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../../roles/permissions-reference.md#hybrid-identity-administrator). 2. On the left, select **Protection**, select **Password reset**, then choose **On-premises integration**. 3. Check the option for **Enable password write back for synced users** .
- 4. (optional) If Microsoft Entra Connect provisioning agents are detected, you can additionally check the option for **Write back passwords with Microsoft Entra Connect cloud sync**.
+ 4. (optional) If Microsoft Entra Connect provisioning agents are detected, you can additionally check the option for **Write back passwords with Microsoft Entra Cloud Sync**.
5. Check the option for **Allow users to unlock accounts without resetting their password** to *Yes*. 6. When ready, select **Save**.
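Review bot: L355 renames the checkbox label but leaves "If Microsoft Entra Connect provisioning agents are detected" earlier in the same step; use "Microsoft Entra Provisioning Agents" for consistency, and verify the label "Write back passwords with Microsoft Entra Cloud Sync" against the actual portal string, since this is UI text users must locate.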
To use *password writeback* and enable the self-service password reset (SSPR) se
Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential) ```
-For more information about using password writeback with Microsoft Entra Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
+For more information about using password writeback with Microsoft Entra Cloud Sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
## Install an agent in the US government cloud
-By default, the Microsoft Entra Connect provisioning agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure:
+By default, the Microsoft Entra Provisioning Agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure:
- Instead of selecting **Open file**, select **Start** > **Run**, and then go to the *AADConnectProvisioningAgentSetup.exe* file. In the **Run** box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment**, and then select **OK**.
For information about security and FIPS, see [Microsoft Entra password hash sync
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)-- [Create a new configuration for Microsoft Entra Connect cloud sync](how-to-configure.md).
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
+- [Create a new configuration for Microsoft Entra Cloud Sync](how-to-configure.md).
active-directory How To Manage Registry Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-manage-registry-options.md
# Manage agent registry options
-This section describes registry options that you can set to control the runtime processing behavior of the Microsoft Entra Connect provisioning agent.
+This section describes registry options that you can set to control the runtime processing behavior of the Microsoft Entra Provisioning Agent.
## Configure LDAP connection timeout When performing LDAP operations on configured Active Directory domain controllers, by default, the provisioning agent uses the default connection timeout value of 30 seconds. If your domain controller takes more time to respond, then you may see the following error message in the agent log file:
System.DirectoryServices.Protocols.LdapException: The operation was aborted beca
LDAP search operations can take longer if the search attribute is not indexed. As a first step, if you get the above error, first check if the search/lookup attribute is [indexed](/windows/win32/ad/indexed-attributes). If the search attributes are indexed and the error persists, you can increase the LDAP connection timeout using the following steps:
-1. Log on as Administrator on the Windows server running the Microsoft Entra Connect Provisioning Agent.
+1. Log on as Administrator on the Windows server running the Microsoft Entra Provisioning Agent.
1. Use the *Run* menu item to open the registry editor (regedit.exe) 1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent** 1. Right-click and select "New -> String Value"
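Review bot: the registry path on L378, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent", is a literal key and must keep the old product name even though L377 renames the agent; consider a short note in the doc saying the key name is unchanged so a later rename pass does not "fix" it and send administrators to a key that does not exist.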
LDAP search operations can take longer if the search attribute is not indexed. A
1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency. ## Configure referral chasing
-By default, the Microsoft Entra Connect provisioning agent does not chase [referrals](/windows/win32/ad/referrals).
+By default, the Microsoft Entra Provisioning Agent does not chase [referrals](/windows/win32/ad/referrals).
You may want to enable referral chasing, to support certain HR inbound provisioning scenarios such as: * Checking uniqueness of UPN across multiple domains * Resolving cross-domain manager references Use the following steps to turn on referral chasing:
-1. Log on as Administrator on the Windows server running the Microsoft Entra Connect Provisioning Agent.
+1. Log on as Administrator on the Windows server running the Microsoft Entra Provisioning Agent.
1. Use the *Run* menu item to open the registry editor (regedit.exe) 1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent** 1. Right-click and select "New -> String Value"
Use the following steps to turn on referral chasing:
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Map Usertype https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-map-usertype.md
Title: 'Use map UserType with Microsoft Entra Connect cloud sync'
+ Title: 'Use map UserType with Microsoft Entra Cloud Sync'
description: This article describes how to map the UserType attribute with cloud sync.
active-directory How To On Demand Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-on-demand-provision.md
Title: 'On-demand provisioning in Microsoft Entra Connect cloud sync'
+ Title: 'On-demand provisioning in Microsoft Entra Cloud Sync'
description: This article describes how to use the cloud sync feature of Microsoft Entra Connect to test configuration changes.
-# On-demand provisioning in Microsoft Entra Connect cloud sync
+# On-demand provisioning in Microsoft Entra Cloud Sync
You can use the cloud sync feature of Microsoft Entra Connect to test configuration changes by applying these changes to a single user. This on-demand provisioning helps you validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Microsoft Entra ID.
This process enables you to trace the attribute transformation as it moves throu
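Review bot: the renamed heading now says "Microsoft Entra Cloud Sync", but the description ("the cloud sync feature of Microsoft Entra Connect") and the first body sentence ("You can use the cloud sync feature of Microsoft Entra Connect") still describe cloud sync as a feature of Microsoft Entra Connect; update both to "Microsoft Entra Cloud Sync" so the article does not contradict its own title.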
## Next steps -- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)-- [Install Microsoft Entra Connect cloud sync](how-to-install.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
+- [Install Microsoft Entra Cloud Sync](how-to-install.md)
active-directory How To Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-prerequisites.md
Title: 'Prerequisites for Microsoft Entra Connect cloud sync in Microsoft Entra ID'
+ Title: 'Prerequisites for Microsoft Entra Cloud Sync in Microsoft Entra ID'
description: This article describes the prerequisites and hardware requirements you need for cloud sync.
-# Prerequisites for Microsoft Entra Connect cloud sync
-This article provides guidance on how to choose and use Microsoft Entra Connect cloud sync as your identity solution.
+# Prerequisites for Microsoft Entra Cloud Sync
+This article provides guidance on how to choose and use Microsoft Entra Cloud Sync as your identity solution.
## Cloud provisioning agent requirements
-You need the following to use Microsoft Entra Connect cloud sync:
+You need the following to use Microsoft Entra Cloud Sync:
-- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Connect Cloud Sync gMSA (group Managed Service Account) to run the agent service.
+- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Cloud Sync gMSA (group Managed Service Account) to run the agent service.
- A hybrid identity administrator account for your Microsoft Entra tenant that is not a guest user. - An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported.-- High availability refers to the Microsoft Entra Connect cloud sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Microsoft Entra Connect cloud sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability.
+- High availability refers to the Microsoft Entra Cloud Sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Microsoft Entra Cloud Sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability.
- On-premises firewall configurations. ## Group Managed Service Accounts
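Review bot: the renamed high-availability bullet now reads "the Microsoft Entra Cloud Sync's ability", which is ungrammatical with the product name; drop the leading "the" ("High availability refers to Microsoft Entra Cloud Sync's ability ..."). The same list also says "Windows 2016 or later"; "Windows Server 2016 or later" is the precise product name and matches "Windows Server 2012" in the gMSA prerequisites below.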
-A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Microsoft Entra Connect cloud sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Microsoft Entra Cloud Sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
### Prerequisites for gMSA: 1. The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
If there's a firewall between your servers and Microsoft Entra ID, configure the
## NTLM requirement
-You should not enable NTLM on the Windows Server that is running the Microsoft Entra Connect Provisioning Agent and if it is enabled you should make sure you disable it.
+You should not enable NTLM on the Windows Server that is running the Microsoft Entra Provisioning Agent and if it is enabled you should make sure you disable it.
## Known limitations
When using OU scoping filter
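Review bot: the renamed NTLM sentence is a run-on with no stated requirement ("You should not enable NTLM ... and if it is enabled you should make sure you disable it"); suggest two sentences, e.g. "Do not enable NTLM on the Windows Server that runs the Microsoft Entra Provisioning Agent. If it is already enabled, disable it."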
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-sso.md
The following document describes how to use single sign-on with cloud sync.
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Transformation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-transformation.md
Title: Microsoft Entra Connect cloud sync transformations
+ Title: Microsoft Entra Cloud Sync transformations
description: This article describes how to use transformations to alter the default attribute mappings.
For information on the syntax and examples of expressions, see [Writing expressi
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory How To Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-troubleshoot.md
Title: Microsoft Entra Connect cloud sync troubleshooting
+ Title: Microsoft Entra Cloud Sync troubleshooting
description: This article describes how to troubleshoot problems that might arise with the cloud provisioning agent.
To verify that Azure detects the agent, and that the agent is healthy, follow th
### Verify the required open ports
-Verify that the Microsoft Entra Connect provisioning agent is able to communicate successfully with Azure datacenters. If there's a firewall in the path, make sure that the following ports to outbound traffic are open:
+Verify that the Microsoft Entra Provisioning Agent is able to communicate successfully with Azure datacenters. If there's a firewall in the path, make sure that the following ports to outbound traffic are open:
| Port number | How it's used | | -- | |
However, during the name resolution, the CNAME records might contain DNS records
To verify that the agent is running, follow these steps: 1. On the server with the agent installed, open **Services**. Do this by going to **Start** > **Run** > **Services.msc**.
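Review bot: "make sure that the following ports to outbound traffic are open" is awkward in the renamed sentence; suggest "make sure that the following ports are open for outbound traffic".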
-1. Under **Services**, make sure **Microsoft Entra Connect Agent Updater** and **Microsoft Entra Connect Provisioning Agent** are there. Also confirm that their status is *Running*.
+1. Under **Services**, make sure **Microsoft Entra Connect Agent Updater** and **Microsoft Entra Provisioning Agent** are there. Also confirm that their status is *Running*.
![Screenshot of local services and their status.](media/how-to-troubleshoot/troubleshoot-1.png)
The following sections describe some common agent installation problems, and typ
You might receive an error message that states:
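Review bot: this line renames the service to "Microsoft Entra Provisioning Agent" while leaving "Microsoft Entra Connect Agent Updater" as is, and the service account later in the article is still `NT SERVICE\AADConnectProvisioningAgent`; since this step tells readers what to look for in Services.msc, confirm that the display names shown there really are "Microsoft Entra Connect Agent Updater" and "Microsoft Entra Provisioning Agent" in the current agent build, otherwise the check cannot be followed as written.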
-*Service 'Microsoft Entra Connect Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.*
+*Service 'Microsoft Entra Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.*
This problem is typically caused by a group policy. The policy prevented permissions from being applied to the local NT Service sign-in account created by the installer (`NT SERVICE\AADConnectProvisioningAgent`). These permissions are required to start the service.
To resolve this problem, follow these steps:
1. Sign in to the server with an administrator account. 1. Open **Services** by going to **Start** > **Run** > **Services.msc**.
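Review bot: the quoted error text ("Service 'Microsoft Entra Provisioning Agent' failed to start ...") is something readers search for verbatim; only change it if the agent now emits the new name, and if older agent versions still emit "Microsoft Entra Connect Provisioning Agent" keep that variant too so both error strings remain findable.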
-1. Under **Services**, double-click **Microsoft Entra Connect Provisioning Agent**.
+1. Under **Services**, double-click **Microsoft Entra Provisioning Agent**.
1. On the **Log On** tab, change **This account** to a domain admin. Then restart the service. ![Screenshot that shows options available from the log on tab.](media/how-to-troubleshoot/troubleshoot-3.png)
This information provides detailed steps and where the synchronization problem i
#### Microsoft Entra ID object deletion threshold
-If you have an implementation topology with Microsoft Entra Connect and Microsoft Entra Connect cloud sync, both exporting to the same Microsoft Entra ID Tenant, or if you completely moved from using Microsoft Entra Connect to Microsoft Entra Connect cloud sync, you might get the following export error message when you're deleting or moving multiple objects out of the defined scope:
+If you have an implementation topology with Microsoft Entra Connect and Microsoft Entra Cloud Sync, both exporting to the same Microsoft Entra ID Tenant, or if you completely moved from using Microsoft Entra Connect to Microsoft Entra Cloud Sync, you might get the following export error message when you're deleting or moving multiple objects out of the defined scope:
![Screenshot that shows the export error.](media/how-to-troubleshoot/log-4.png)
-This error isn't related to the [Microsoft Entra Connect Cloud Sync accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md). It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra ID directory from Microsoft Entra Connect.
-If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Connect cloud sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command:
+This error isn't related to the [Microsoft Entra Cloud Sync accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md). It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra ID directory from Microsoft Entra Connect.
+If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Cloud Sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command:
```PowerShell Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-c6b1-48a5-9ba7-28fe88f83980"
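Review bot: the renamed paragraph still says "following the instructions at [here]", which reads oddly ("at here"); suggest "by following [these instructions](./how-to-troubleshoot.md)". The example command that follows also uses a concrete-looking tenant GUID; a placeholder such as `-tenantId "<tenant-id>"` would make clearer that readers must substitute their own tenant.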
active-directory Migrate Azure Ad Connect To Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md
Title: 'Migrate Microsoft Entra Connect to Microsoft Entra Connect cloud sync| Microsoft Docs'
-description: Describes steps to migrate Microsoft Entra Connect to Microsoft Entra Connect cloud sync.
+ Title: 'Migrate Microsoft Entra Connect to Microsoft Entra Cloud Sync| Microsoft Docs'
+description: Describes steps to migrate Microsoft Entra Connect to Microsoft Entra Cloud Sync.
-# Migrating from Microsoft Entra Connect to Microsoft Entra Connect cloud sync
+# Migrating from Microsoft Entra Connect to Microsoft Entra Cloud Sync
-Microsoft Entra Connect cloud sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. If you're currently using Microsoft Entra Connect and wish to move to cloud sync, the following document provides guidance.
+Microsoft Entra Cloud Sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. If you're currently using Microsoft Entra Connect and wish to move to cloud sync, the following document provides guidance.
<a name='steps-for-migrating-from-azure-ad-connect-to-cloud-sync'></a>
Microsoft Entra Connect cloud sync is the future for accomplishing your hybrid i
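Review bot: the renamed introduction says the service "uses the Microsoft Entra cloud provisioning agent", while the other files in this change standardize on "Microsoft Entra Provisioning Agent"; use the same name here for consistency.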
|Choose the best sync tool|Before moving to cloud sync, you should verify that cloud sync is currently the best synchronization tool for you. You can do this task by going through the wizard [here](https://aka.ms/EvaluateSyncOptions).| |Verify the pre-requisites for migrating|The following guidance is only for users who have installed Microsoft Entra Connect using the Express settings and aren't synchronizing devices. Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).| |Back up your Microsoft Entra Connect configuration|Before making any changes, you should back up your Microsoft Entra Connect configuration. This way, you can role-back. For more information, see [Import and export Microsoft Entra Connect configuration settings](../connect/how-to-connect-import-export-config.md).|
-|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.|
+|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.|
|Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on.| |Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now. Before continuing, let Microsoft Entra Connect pick up the changes so that it's synchronizing them in the new OU.| |Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU. </br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`| |Stop the scheduler|Before creating new sync rules, you need to stop the Microsoft Entra Connect scheduler. For more information, see [how to stop the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).
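Review bot: the "Back up your Microsoft Entra Connect configuration" row in the context just above this hunk says "This way, you can role-back"; should be "roll back". Since the hunk only renames the tutorial link, the typo can be fixed in the same pass.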
-|Create the custom sync rules|In the Microsoft Entra Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.|
+|Create the custom sync rules|In the Microsoft Entra Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.|
|Install the provisioning agent|If you haven't done so, install the provisioning agent. For more information, see [how to install the agent](how-to-install.md).| |Configure cloud sync|Once the agent is installed, you need to configure cloud sync. In the configuration, you need to create a scope to the OU that was created or identified previously. For more information, see [Configuring cloud sync](how-to-configure.md).| |Verify pilot users are synchronizing and being provisioned|Verify that the users are now being synchronized in the portal. You can use the PowerShell script below to get a count of the number of users that have the on-premises pilot OU in their distinguished name. This number should match the count of users in the previous step. If you create a new user in this OU, verify that it's being provisioned.|
Write-Host "Total Users found:" + $counter
## More information - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)-- [Create a new configuration for Microsoft Entra Connect cloud sync](how-to-configure.md).-- [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
+- [Create a new configuration for Microsoft Entra Cloud Sync](how-to-configure.md).
+- [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
active-directory Plan Cloud Sync Topologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/plan-cloud-sync-topologies.md
Title: Microsoft Entra Connect cloud sync supported topologies and scenarios
-description: Learn about various on-premises and Microsoft Entra topologies that use Microsoft Entra Connect cloud sync.
+ Title: Microsoft Entra Cloud Sync supported topologies and scenarios
+description: Learn about various on-premises and Microsoft Entra topologies that use Microsoft Entra Cloud Sync.
-# Microsoft Entra Connect cloud sync supported topologies and scenarios
-This article describes various on-premises and Microsoft Entra topologies that use Microsoft Entra Connect cloud sync. This article includes only supported configurations and scenarios.
+# Microsoft Entra Cloud Sync supported topologies and scenarios
+This article describes various on-premises and Microsoft Entra topologies that use Microsoft Entra Cloud Sync. This article includes only supported configurations and scenarios.
> [!IMPORTANT]
-> Microsoft doesn't support modifying or operating Microsoft Entra Connect cloud sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Microsoft Entra Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments.
+> Microsoft doesn't support modifying or operating Microsoft Entra Cloud Sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Microsoft Entra Cloud Sync. As a result, Microsoft can't provide technical support for such deployments.
For more information, see the following video.
Multiple AD forests is a common topology, with one or multiple domains, and a si
## Existing forest with Microsoft Entra Connect, new forest with cloud Provisioning ![Diagram that shows the topology for an existing forest and a new forest.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
-This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Microsoft Entra Connect environment and then bringing on a new forest using Microsoft Entra Connect cloud sync. For an example of this scenario see [Tutorial: An existing forest with a single Microsoft Entra tenant](tutorial-existing-forest.md)
+This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Microsoft Entra Connect environment and then bringing on a new forest using Microsoft Entra Cloud Sync. For an example of this scenario see [Tutorial: An existing forest with a single Microsoft Entra tenant](tutorial-existing-forest.md)
<a name='piloting-azure-ad-connect-cloud-sync-in-an-existing-hybrid-ad-forest'></a>
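Review bot: the renamed sentence carries over the pre-existing error "This scenario is topology is similar to the multi-forest scenario"; suggest "This topology is similar to the multi-forest scenario, but it involves an existing Microsoft Entra Connect environment and then brings on a new forest using Microsoft Entra Cloud Sync." The sentence also lacks a terminal period after the tutorial link.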
-## Piloting Microsoft Entra Connect cloud sync in an existing hybrid AD forest
+## Piloting Microsoft Entra Cloud Sync in an existing hybrid AD forest
![Topology for a single forest and a single tenant](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
-The piloting scenario involves the existence of both Microsoft Entra Connect and Microsoft Entra Connect cloud sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools.
+The piloting scenario involves the existence of both Microsoft Entra Connect and Microsoft Entra Cloud Sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools.
-For an example of this scenario see [Tutorial: Pilot Microsoft Entra Connect cloud sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
+For an example of this scenario see [Tutorial: Pilot Microsoft Entra Cloud Sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
## Merging objects from disconnected sources ### (Public Preview)
This configuration is advanced and there are a few caveats to this topology:
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Reference Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-error-codes.md
Title: Microsoft Entra Connect cloud sync error codes and descriptions
+ Title: Microsoft Entra Cloud Sync error codes and descriptions
description: reference article for cloud sync error codes
-# Microsoft Entra Connect cloud sync error codes and descriptions
+# Microsoft Entra Cloud Sync error codes and descriptions
The following is a list of error codes and their description
|HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from portal.| |HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus isn't able to send a message to the agent. Could be an outage in service bus, or the agent isn't responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| |AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Microsoft Entra ID is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Microsoft Entra ID is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.|
-|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Microsoft Entra Connect cloud sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} doesn't exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.|
+|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Microsoft Entra Cloud Sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} doesn't exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.|
|AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code doesn't indicate success: 401 (Unauthorized).<br> Azure AD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Microsoft Entra tenant credentials were exchanged for an OAuth token that has since expired."| |AzureActiveDirectoryAuthenticationFailed|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.60b943e88f234db2b887f8cb91dee87c.707be0d2-c6a9-405d-a3b9-de87761dc3ac. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: UnexpectedError.|Unknown error.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| ## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
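Review bot: the AzureActiveDirectoryInvalidCredential row changes wording inside a quoted service error message; only edit a quoted message if the service now emits the new text, otherwise readers searching for the message they actually received will not find this row. The row also reproduces a real-looking tenant name (skydrive365.onmicrosoft.com) and trace/correlation IDs; placeholders would be preferable in a reference table.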
active-directory Reference Expressions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-expressions.md
Title: Microsoft Entra Connect cloud sync expressions and function reference
+ Title: Microsoft Entra Cloud Sync expressions and function reference
description: reference
Based on the user's first name, middle name and last name, you need to generate
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md
Title: 'AADCloudSyncTools PowerShell module for Microsoft Entra Connect cloud sync'
+ Title: 'AADCloudSyncTools PowerShell module for Microsoft Entra Cloud Sync'
description: This article describes how to install the Microsoft Entra Connect cloud provisioning agent.
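Review bot: the description for reference-powershell.md still reads "This article describes how to install the Microsoft Entra Connect cloud provisioning agent", which both keeps the old product name and does not describe this article (the AADCloudSyncTools PowerShell module); update it alongside the title, e.g. "This article describes the AADCloudSyncTools PowerShell module for managing Microsoft Entra Cloud Sync."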
-# AADCloudSyncTools PowerShell module for Microsoft Entra Connect cloud sync
+# AADCloudSyncTools PowerShell module for Microsoft Entra Cloud Sync
-The AADCloudSyncTools module provides a set of useful tools that can help you manage your deployments of Microsoft Entra Connect cloud sync.
+The AADCloudSyncTools module provides a set of useful tools that can help you manage your deployments of Microsoft Entra Cloud Sync.
## Prerequisites
Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Tutorial Basic Ad Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-basic-ad-azure.md
Now you have an environment that can be used for existing tutorials and to test
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Tutorial Existing Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-existing-forest.md
Title: Tutorial - Integrate an existing forest and a new forest with a single Microsoft Entra tenant using Microsoft Entra Connect cloud sync.
+ Title: Tutorial - Integrate an existing forest and a new forest with a single Microsoft Entra tenant using Microsoft Entra Cloud Sync.
description: Learn how to add cloud sync to an existing hybrid identity environment.
This tutorial walks you through adding cloud sync to an existing hybrid identity environment.
-![Diagram that shows the Microsoft Entra Connect cloud sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+![Diagram that shows the Microsoft Entra Cloud Sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works.
In this scenario, there's an existing forest synced using Microsoft Entra Connec
<a name='install-the-azure-ad-connect-provisioning-agent'></a>
-## Install the Microsoft Entra Connect provisioning agent
+## Install the Microsoft Entra Provisioning Agent
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md
<a name='configure-azure-ad-connect-cloud-sync'></a>
-## Configure Microsoft Entra Connect cloud sync
+## Configure Microsoft Entra Cloud Sync
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
You have now successfully set up a hybrid identity environment that you can use
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Tutorial Pilot Aadc Aadccp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-pilot-aadc-aadccp.md
Title: Tutorial - Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest
+ Title: Tutorial - Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest
description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced using Microsoft Entra Connect Sync.
-# Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest
+# Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest
This tutorial walks you through how you would migrate to cloud sync for a test Active Directory forest that is already synced using Microsoft Entra Connect Sync. > [!NOTE] > This article provides information for a basic migration and you should review the [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
-![Diagram that shows the Microsoft Entra Connect cloud sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+![Diagram that shows the Microsoft Entra Cloud Sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
## Considerations
Same steps need to be followed for all object types (user, group and contact).
<a name='install-the-azure-ad-connect-provisioning-agent'></a>
-## Install the Microsoft Entra Connect provisioning agent
+## Install the Microsoft Entra Provisioning Agent
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be CP1. To install the agent, follow these steps:
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md
<a name='configure-azure-ad-connect-cloud-sync'></a>
-## Configure Microsoft Entra Connect cloud sync
+## Configure Microsoft Entra Cloud Sync
Use the following steps to configure provisioning:
In case the pilot doesn't work as expected, you can go back to the Microsoft Ent
## Next steps - [What is provisioning?](../what-is-provisioning.md)-- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md)
active-directory Tutorial Single Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-single-forest.md
# Tutorial: Integrate a single forest with a single Microsoft Entra tenant
-This tutorial walks you through creating a hybrid identity environment using Microsoft Entra Connect cloud sync.
+This tutorial walks you through creating a hybrid identity environment using Microsoft Entra Cloud Sync.
-![Diagram that shows the Microsoft Entra Connect cloud sync flow.](media/tutorial-single-forest/diagram-2.png)
+![Diagram that shows the Microsoft Entra Cloud Sync flow.](media/tutorial-single-forest/diagram-2.png)
You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync.
You can use the environment you create in this tutorial for testing or for getti
<a name='install-the-azure-ad-connect-provisioning-agent'></a>
-## Install the Microsoft Entra Connect provisioning agent
+## Install the Microsoft Entra Provisioning Agent
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md
<a name='configure-azure-ad-connect-cloud-sync'></a>
-## Configure Microsoft Entra Connect cloud sync
+## Configure Microsoft Entra Cloud Sync
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
You'll now verify that the users that you had in your on-premises directory have
![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
-You've now successfully configured a hybrid identity environment using Microsoft Entra Connect cloud sync.
+You've now successfully configured a hybrid identity environment using Microsoft Entra Cloud Sync.
## Next steps
active-directory What Is Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/what-is-cloud-sync.md
Title: 'What is Microsoft Entra Connect cloud sync?'
-description: Describes Microsoft Entra Connect cloud sync.
+ Title: 'What is Microsoft Entra Cloud Sync?'
+description: Describes Microsoft Entra Cloud Sync.
-# What is Microsoft Entra Connect cloud sync?
+# What is Microsoft Entra Cloud Sync?
> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]
-Microsoft Entra Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. However, it can be used alongside Microsoft Entra Connect Sync and it provides the following benefits:
+Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. However, it can be used alongside Microsoft Entra Connect Sync and it provides the following benefits:
- Support for synchronizing to a Microsoft Entra tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition (where the acquired company's AD forests are isolated from the parent company's AD forests), and companies that have historically had multiple AD forests. - Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Microsoft Entra ID, with all the sync configuration managed in the cloud.
Microsoft Entra Connect cloud sync is a new offering from Microsoft designed to
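Review bot: the agent name in the `+` line is still "the Microsoft Entra cloud provisioning agent", while the other hunks in this changeset rename it to "Microsoft Entra Provisioning Agent" (for example "## Install the Microsoft Entra Provisioning Agent" and "Cloud sync uses the Microsoft Entra Provisioning Agent."). Since the line is being rewritten anyway, align the agent name here so the overview page does not introduce a third variant.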
<a name='how-is-azure-ad-connect-cloud-sync-different-from-azure-ad-connect-sync'></a>
-## How is Microsoft Entra Connect cloud sync different from Microsoft Entra Connect Sync?
-With Microsoft Entra Connect cloud sync, provisioning from AD to Microsoft Entra ID is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Microsoft Entra ID and AD. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service.
+## How is Microsoft Entra Cloud Sync different from Microsoft Entra Connect Sync?
+With Microsoft Entra Cloud Sync, provisioning from AD to Microsoft Entra ID is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Microsoft Entra ID and AD. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service.
<a name='azure-ad-connect-cloud-sync-video'></a>
-## Microsoft Entra Connect cloud sync video
-The following short video provides an excellent overview of Microsoft Entra Connect cloud sync:
+## Microsoft Entra Cloud Sync video
+The following short video provides an excellent overview of Microsoft Entra Cloud Sync:
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5]
To determine if cloud sync is right for your organization, use the link below.
## Comparison between Microsoft Entra Connect and cloud sync
-The following table provides a comparison between Microsoft Entra Connect and Microsoft Entra Connect cloud sync:
+The following table provides a comparison between Microsoft Entra Connect and Microsoft Entra Cloud Sync:
| Feature | Connect sync| Cloud sync | |: |::|::|
The following table provides a comparison between Microsoft Entra Connect and Mi
| Support for device writeback|ΓùÅ |Customers should use [Cloud Kerberos trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune) for this moving forward| | Support for group writeback|ΓùÅ | | | Support for merging user attributes from multiple domains|ΓùÅ | |
-| Active Directory Domain Services support|ΓùÅ | |
+| Microsoft Entra Domain Services support|ΓùÅ | |
| [Exchange hybrid writeback](exchange-hybrid.md) |ΓùÅ |ΓùÅ | | Unlimited number of objects per AD domain |ΓùÅ | | | Support for up to 150,000 objects per AD domain |ΓùÅ |ΓùÅ |
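Review bot: this row changes which product is named, not just its branding: "Active Directory Domain Services" is on-premises AD DS, whereas "Microsoft Entra Domain Services" is the managed domain service formerly called Azure AD Domain Services. If the row was meant to refer to the managed service all along (a correction of an earlier wording error), say so in the commit message; if it was meant to describe syncing from on-premises AD DS, the `-` line was the right one and the check mark pattern in the two columns should be re-verified against that meaning.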
active-directory Common Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/common-scenarios.md
Title: 'Common hybrid scenarios with Microsoft Entra ID'
-description: This article describes the common scenarios for using Microsoft Entra Connect cloud sync and Microsoft Entra Connect.
+description: This article describes the common scenarios for using Microsoft Entra Cloud Sync and Microsoft Entra Connect.
documentationcenter: ''
For additional information, see [Supported topologies for cloud sync](cloud-sync
## Cloud sync and connect sync in parallel
-You can run cloud sync and Microsoft Entra Connect in the same forest. You can use cloud sync to manage your users and groups and use Microsoft Entra Connect for devices, for example. You may decide to do allow cloud sync to handle 80% and use Microsoft Entra Connect for some of your more obscure, 20% scenarios. The tutorial, [Migrate to Microsoft Entra Connect cloud sync for an existing synced AD forest](cloud-sync/tutorial-pilot-aadc-aadccp.md) shows an example of how you would run each.
+You can run cloud sync and Microsoft Entra Connect in the same forest. You can use cloud sync to manage your users and groups and use Microsoft Entra Connect for devices, for example. You may decide to do allow cloud sync to handle 80% and use Microsoft Entra Connect for some of your more obscure, 20% scenarios. The tutorial, [Migrate to Microsoft Entra Cloud Sync for an existing synced AD forest](cloud-sync/tutorial-pilot-aadc-aadccp.md) shows an example of how you would run each.
## Common authentication methods and scenarios
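Review bot: the `+` line carries over the typo "You may decide to do allow cloud sync to handle 80%"; since the sentence is being rewritten for the link text, drop the stray "do" ("You may decide to allow cloud sync to handle 80%").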
active-directory Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/configure.md
How you configure your synchronization, depends on which synchronization tool you're using and what your business goals are. Use the tables to determine which features you would ## Cloud sync
-After installing the Microsoft Entra Connect provisioning agent, you'll need to configure cloud sync. This configuration is done via the portal. The following table provides a list of features you can use to meet your business goals.
+After installing the Microsoft Entra Provisioning Agent, you'll need to configure cloud sync. This configuration is done via the portal. The following table provides a list of features you can use to meet your business goals.
|Task|Description| |--|--|
active-directory How To Connect Sync Whatis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-whatis.md
This topic is the home for **Microsoft Entra Connect Sync** (also called **sync
The sync service consists of two components, the on-premises **Microsoft Entra Connect Sync** component and the service side in Microsoft Entra ID called **Microsoft Entra Connect Sync service**. >[!IMPORTANT]
->Microsoft Entra Connect Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra Cloud provisioning agent instead of the Microsoft Entra Connect application. Microsoft Entra Cloud Sync is replacing Microsoft Entra Connect Sync, which will be retired after Cloud Sync has full functional parity with Connect sync. The remainder of this article is about AADConnect sync, but we encourage customers to review the features and advantages of Cloud Sync before deploying AADConnect sync.
+>Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra Cloud provisioning agent instead of the Microsoft Entra Connect application. Microsoft Entra Cloud Sync is replacing Microsoft Entra Connect Sync, which will be retired after Cloud Sync has full functional parity with Connect sync. The remainder of this article is about AADConnect sync, but we encourage customers to review the features and advantages of Cloud Sync before deploying AADConnect sync.
> >To find out if you are already eligible for Cloud Sync, please verify your requirements in [this wizard](https://admin.microsoft.com/adminportal/home?Q=setupguidance#/modernonboarding/identitywizard). >
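Review bot: the `+` line still uses two names this changeset is retiring: "the Microsoft Entra Cloud provisioning agent" (elsewhere "Microsoft Entra Provisioning Agent") and "AADConnect sync" (elsewhere "Microsoft Entra Connect Sync"). The same sentence also mixes "Cloud Sync" with "Connect sync" ("until Cloud Sync has full functional parity with Connect sync"). Suggest normalising to "Microsoft Entra Provisioning Agent", "Microsoft Entra Connect Sync" and "Connect Sync" throughout the note so the important-callout reads consistently with the rest of the article.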
active-directory Reference Connect Government Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-government-cloud.md
Before you deploy the Pass-through Authentication agent, verify whether a firewa
> - the pass-through authentication agent > - [Microsoft Entra application proxy connector](../../app-proxy/what-is-application-proxy.md) >
-> For information on URLS for the Microsoft Entra Connect Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md) for cloud sync.
+> For information on URLS for the Microsoft Entra Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md) for cloud sync.
|URL |How it's used|
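Review bot: while this line is being touched, fix "URLS" to "URLs" and "pre-requisites" to "prerequisites" (the link target is `how-to-prerequisites.md`), and add the missing comma before "see": "For information on URLs for the Microsoft Entra Provisioning Agent, see the [installation prerequisites](...) for cloud sync."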
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history.md
If you want all the latest features and updates, check this page and install wha
To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
+## 2.2.8.0
+
+### Release status
+10/11/2023: Released for download
+
+### Functional Changes
+ - The attribute onPremisesObjectIdentifier has been added to the default sync rules. This attribute is required by Microsoft Entra Cloud Sync's Group Provisioning to AD feature.
+ - The minimum .NET runtime requirement has been increased to 4.7.1.
+
+### Bug Fixes
+ - Improvements to upgrade and auto-upgrade components.
+ - Fixed an issue preventing deprovisioning of group when deletions of both the group and a member belonging to a different domain are processed in the same sync cycle.
+ ## 2.2.1.0 ### Release status
To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade]
### Bug fixes
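Review bot: the new 2.2.8.0 section uses "### Functional Changes" and "### Bug Fixes", while every sibling section on the page uses sentence case ("### Functional changes", "### Bug fixes"), and its bullets are indented by one space (" - The attribute ...") where the existing sections start bullets at column 0 ("- We fixed ..."). Suggest matching the existing headings and bullet indentation. Separately, "The minimum .NET runtime requirement has been increased to 4.7.1." is a prerequisite change for anyone upgrading; consider linking it to the prerequisites article so readers do not discover it only from the release notes.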
+- We fixed a bug where the new employeeLeaveDateTime attribute wasn't syncing correctly in version 2.1.19.0. Note that if the incorrect attribute was already used in a rule, then the rule must be updated with the new attribute and any objects in the Microsoft Entra connector space that have the incorrect attribute must be removed with the "Remove-ADSyncCSObject" cmdlet, and then a full sync cycle must be run.
## 2.1.19.0
To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade]
### Functional changes
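Review bot: the fix note tells readers to update any rule that used "the incorrect attribute" and to remove connector-space objects carrying it, but never says which attribute name was incorrect, so an administrator cannot tell which rules to inspect. Name the attribute that 2.1.19.0 synced by mistake alongside the correct `employeeLeaveDateTime`, and format the cmdlet as code (`Remove-ADSyncCSObject`) rather than in quotation marks, consistent with the rest of the page.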
+- We added a new attribute 'employeeLeaveDateTime' for syncing to Microsoft Entra ID. To learn more about how to use this attribute to manage your users' life cycles, please refer to [this article](../../governance/how-to-lifecycle-workflow-sync-attributes.md)
### Bug fixes
+- we fixed a bug where Microsoft Entra Connect Password writeback stopped with error code "SSPR_0029 ERROR_ACCESS_DENIED"
## 2.1.18.0
To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade]
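Review bot: the added bullet starts with a lowercase "we fixed a bug" and has no terminating period, unlike the sibling bullets ("We fixed a bug ... format."); also "Microsoft Entra Connect Password writeback" should be "Microsoft Entra Connect password writeback". Suggest: "- We fixed a bug where Microsoft Entra Connect password writeback stopped with error code `SSPR_0029 ERROR_ACCESS_DENIED`."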
8/2/2022: Released for download and autoupgrade. ### Bug fixes
+- We fixed a bug where autoupgrade fails when the service account is in "UPN" format.
## 2.1.15.0
When you upgrade to this V1.6 build or any newer builds, the group membership li
### Functional changes - We added the latest versions of Microsoft Identity Manager (MIM) Connectors (1.1.1610.0). For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).
+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](../../hybrid/connect/how-to-connect-install-existing-tenant.md#hard-match-vs-soft-match).
### Bug fixes
When you upgrade to this V1.6 build or any newer builds, the group membership li
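Review bot: the link now points at the "Hard match vs soft match" section of a how-to article, but the sentence still says "see [this reference article]", and the previous target was the `Set-MsolDirSyncFeature` example that actually showed the disable step. Confirm that the new target documents how to turn Soft Matching off (not only what it is), and reword the sentence to "To disable Soft Matching, see [Hard match vs soft match](...)" so the link text describes the destination. The recommendation itself is a hardening one (Soft Matching is what lets a synced object take over an existing cloud-only account), so the actionable disable step should not be lost in the link swap.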
### Functional changes - We added the latest versions of MIM Connectors (1.1.1610.0). For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).
+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](../../hybrid/connect/how-to-connect-install-existing-tenant.md#hard-match-vs-soft-match).
## 2.0.10.0
This is a bug fix release. There are no functional changes in this release.
## Next steps Learn more about how to [integrate your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md).+
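Review bot: the same bullet and link replacement appear in the previous version section as well; whichever wording and link text is settled on there ("reference article" versus a descriptive link title, and confirmation that the target covers the disable step) should be applied identically to this copy.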
active-directory Whatis Azure Ad Connect V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md
To address this issue, we've bundled as many of these newer components into a ne
<a name='consider-moving-to-azure-ad-connect-cloud-sync'></a>
-## Consider moving to Microsoft Entra Connect cloud sync
-Microsoft Entra Connect cloud sync is the future of synchronization for Microsoft. It replaces Microsoft Entra Connect.
+## Consider moving to Microsoft Entra Cloud Sync
+Microsoft Entra Cloud Sync is the future of synchronization for Microsoft. It replaces Microsoft Entra Connect.
> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]
active-directory Whatis Azure Ad Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect.md
# What is Microsoft Entra Connect?
-Microsoft Entra Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. If you're evaluating how to best meet your goals, you should also consider the cloud-managed solution [Microsoft Entra Connect cloud sync](../cloud-sync/what-is-cloud-sync.md).
+Microsoft Entra Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. If you're evaluating how to best meet your goals, you should also consider the cloud-managed solution [Microsoft Entra Cloud Sync](../cloud-sync/what-is-cloud-sync.md).
> [!div class="nextstepaction"]
Microsoft Entra Connect is an on-premises Microsoft application that's designed
<a name='consider-moving-to-azure-ad-connect-cloud-sync'></a>
-## Consider moving to Microsoft Entra Connect cloud sync
-Microsoft Entra Connect cloud sync is the future of synchronization for Microsoft. It will replace Microsoft Entra Connect.
+## Consider moving to Microsoft Entra Cloud Sync
+Microsoft Entra Cloud Sync is the future of synchronization for Microsoft. It will replace Microsoft Entra Connect.
> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]
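Review bot: the two "Consider moving to Microsoft Entra Cloud Sync" sections now disagree on tense: the whatis-azure-ad-connect-v2 hunk says "It replaces Microsoft Entra Connect." while this one says "It will replace Microsoft Entra Connect.", and the how-to-connect-sync-whatis callout in this same changeset states that Connect Sync "will be retired after Cloud Sync has full functional parity". Pick one statement of the retirement status and use it in all three places.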
active-directory Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/get-started.md
Use these tasks if you're deploying cloud sync to integrate with Active Director
|--|--| |[Determine which sync tool is correct for you](https://setup.microsoft.com/azure/add-or-sync-users-to-azure-ad) |Use the wizard to determine whether cloud sync or Microsoft Entra Connect is the right tool for you.| |[Review the cloud sync prerequisites](cloud-sync/how-to-prerequisites.md)|Review the necessary prerequisites before getting started.|
-|[Download and install the provisioning agent](cloud-sync/how-to-install.md)|Download and install the Microsoft Entra Connect Provisioning Agent. |
+|[Download and install the provisioning agent](cloud-sync/how-to-install.md)|Download and install the Microsoft Entra Provisioning Agent. |
|[Configure cloud sync](cloud-sync/how-to-configure.md)|Configure and tailor synchronization for your organization.| |[Verify users are synchronizing](cloud-sync/tutorial-single-forest.md#verify-users-are-created-and-synchronization-is-occurring)|Make sure it's working.|
active-directory Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/install.md
The following document provides the steps to install either cloud sync or Micros
<a name='install-the-azure-ad-connect-provisioning-agent-for-cloud-sync'></a>
-## Install the Microsoft Entra Connect provisioning agent for cloud sync
-Cloud sync uses the Microsoft Entra Connect provisioning agent. Use the steps below to install it.
+## Install the Microsoft Entra Provisioning Agent for cloud sync
+Cloud sync uses the Microsoft Entra Provisioning Agent. Use the steps below to install it.
[!INCLUDE [sign in](../../../includes/cloud-sync-sign-in.md)] 4. On the left, select **Agent**. 5. Select **Download on-premises agent**, and select **Accept terms & download**.
- 6. Once the **Microsoft Entra Connect Provisioning Agent Package** has completed downloading, run the *AADConnectProvisioningAgentSetup.exe* installation file from your downloads folder.
+ 6. Once the **Microsoft Entra Provisioning Agent Package** has completed downloading, run the *AADConnectProvisioningAgentSetup.exe* installation file from your downloads folder.
>[!NOTE] >When installing for the US Government Cloud use: >*AADConnectProvisioningAgentSetup.exe ENVIRONMENTNAME=AzureUSGovernment*
Cloud sync uses the Microsoft Entra Connect provisioning agent. Use the steps b
7. On the splash screen, select **I agree to the license and conditions**, and then select **Install**. 8. Once the installation operation completes, the configuration wizard will launch. Select **Next** to start the configuration.
- 9. On the **Select Extension** screen, select **HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Connect Cloud Sync** and click **Next**.
+ 9. On the **Select Extension** screen, select **HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Cloud Sync** and click **Next**.
10. Sign in with your Microsoft Entra Global Administrator account. 11. On the **Configure Service Account** screen, select a group Managed Service Account (gMSA). This account is used to run the agent service. To continue, select **Next**. 12. On the **Connect Active Directory** screen, if your domain name appears under **Configured domains**, skip to the next step. Otherwise, type your Active Directory domain name, and select **Add directory**.
active-directory On Demand Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/on-demand-provision.md
Title: 'On-demand provisioning using cloud sync'
-description: This article describes how to use on-demand provisioning with Microsoft Entra Connect cloud sync.
+description: This article describes how to use on-demand provisioning with Microsoft Entra Cloud Sync.
documentationcenter: ''
active-directory Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/sso.md
Setting up single sign-on, depends on which synchronization tool you are using and what your business goals are. Use the tables to determine which features you would ## Cloud sync
-After installing the Microsoft Entra Connect provisioning agent, you will need to configure single sign-on for cloud sync. The following table provides a list of steps required for using single sign-on.
+After installing the Microsoft Entra Provisioning Agent, you will need to configure single sign-on for cloud sync. The following table provides a list of steps required for using single sign-on.
|Task|Description| |--|--|
active-directory Sync Tools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/sync-tools.md
## List of tools -- **Cloud sync and the provisioning agent** - Microsoft Entra Connect cloud sync is the newest offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the light-weight provisioning agent and fully configurable via through the portal. For more information, see [What is cloud sync?](cloud-sync/what-is-cloud-sync.md) and [What is the provisioning agent?](cloud-sync/what-is-provisioning-agent.md)
+- **Cloud sync and the provisioning agent** - Microsoft Entra Cloud Sync is the newest offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It uses the light-weight provisioning agent and fully configurable via through the portal. For more information, see [What is cloud sync?](cloud-sync/what-is-cloud-sync.md) and [What is the provisioning agent?](cloud-sync/what-is-provisioning-agent.md)
- **Connect sync** - Microsoft Entra Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. For more information, see [What is Microsoft Entra Connect?](connect/whatis-azure-ad-connect-v2.md).
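Review bot: the `+` line keeps the pre-existing grammar slip "It uses the light-weight provisioning agent and fully configurable via through the portal." Since the bullet is being rewritten, suggest "It uses the lightweight provisioning agent and is fully configurable through the portal."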
active-directory What Is Inter Directory Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/what-is-inter-directory-provisioning.md
Inter-directory provisioning allows us to create [hybrid identity](whatis-hybrid
Microsoft Entra ID currently supports three methods for accomplishing inter-directory provisioning. These methods are: -- [Microsoft Entra Connect cloud sync](./cloud-sync/what-is-cloud-sync.md) -a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It is provides a light-weight inter -directory provisioning experience between Active Directory and Microsoft Entra ID and is configured via the portal.
+- [Microsoft Entra Cloud Sync](./cloud-sync/what-is-cloud-sync.md) -a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It is provides a light-weight inter -directory provisioning experience between Active Directory and Microsoft Entra ID and is configured via the portal.
- [Microsoft Entra Connect](./connect/whatis-azure-ad-connect.md) - the Microsoft tool designed to meet and accomplish your hybrid identity, including inter-directory provisioning from Active Directory to Microsoft Entra ID.
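Review bot: the rewritten bullet still has "-a new Microsoft agent" (missing space after the hyphen, and the sibling bullet uses " - " with spaces), "It is provides" and "inter -directory". Suggest: "- [Microsoft Entra Cloud Sync](./cloud-sync/what-is-cloud-sync.md) - a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It provides a lightweight inter-directory provisioning experience between Active Directory and Microsoft Entra ID and is configured via the portal."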
active-directory What Is Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/what-is-provisioning.md
This has been accomplished by Microsoft Entra Connect Sync, Microsoft Entra Conn
## Next steps -- [What is Microsoft Entra Connect cloud sync?](cloud-sync/what-is-cloud-sync.md)
+- [What is Microsoft Entra Cloud Sync?](cloud-sync/what-is-cloud-sync.md)
- [Install cloud provisioning](cloud-sync/how-to-install.md)
active-directory Pim Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-deployment-plan.md
Previously updated : 09/12/2023 Last updated : 10/12/2023
PIM enables you to allow a specific set of actions at a particular scope. Key fe
* Enforce **Multifactor authentication** to activate any role
+* Enforce **Conditional Access policies** to activate any role (Public preview)
+ * Use **justification** to understand why users activate * Get **notifications** when privileged roles are activated
Today, you can use PIM with:
* **Azure roles** ΓÇô The role-based access control (RBAC) roles in Azure that grants access to management groups, subscriptions, resource groups, and resources.
-* **PIM for Groups** ΓÇô To set up just-in-time access to member and owner role of a Microsoft Entra security group. PIM for Groups not only gives you an alternative way to set up PIM for Microsoft Entra roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection.
+* **PIM for Groups** ΓÇô To set up just-in-time access to member and owner role of a Microsoft Entra security group. PIM for Groups not only gives you an alternative way to set up PIM for Microsoft Entra roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection. If the group is configured for app provisioning, activation of group membership triggers provisioning of group membership (and the user account, if it wasnΓÇÖt provisioned) to the application using the System for Cross-Domain Identity Management (SCIM) protocol.
You can assign the following to these roles or groups:
The following table shows an example test case:
| Role| Expected behavior during activation| Actual results | | | | |
-|Global Administrator| <li> Require MFA <br><li> Require Approval <br><li> Approver receives notification and can approve <br><li> Role expires after preset time|
+|Global Administrator| <li> Require MFA <br><li> Require approval <br><li> Require Conditional Access context (Public preview) <br><li> Approver receives notification and can approve <br><li> Role expires after preset time|
For both Microsoft Entra ID and Azure resource role, make sure that you have users represented who will take those roles. In addition, consider the following roles when you test PIM in your staged environment:
First, ensure that all Global and Security admin roles are managed using PIM bec
<a name='configure-pim-settings-for-azure-ad-roles'></a>
+You can use the Privileged label to identify roles with high privileges that you can manage with PIM. Privileged label is present on [**Roles and Administrator**](../roles/privileged-roles-permissions.md?tabs=admin-center) in Microsoft Entra ID admin center. See the article, [Microsoft Entra built-in roles](../roles/permissions-reference.md) to learn more.
+ ### Configure PIM settings for Microsoft Entra roles [Draft and configure your PIM settings](pim-how-to-change-default-settings.md) for every privileged Microsoft Entra role that your organization uses. The following table shows example settings:
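Review bot: the second added line runs the "### Configure PIM settings for Microsoft Entra roles" heading together with the paragraph after it; the heading must end the line and "[Draft and configure your PIM settings]..." start a new one, otherwise the heading does not render and the `configure-pim-settings-for-azure-ad-roles` anchor above it points at a paragraph. In the first added line, "Privileged label is present on" should read "The Privileged label is present on", and the link text "**Roles and Administrator**" does not match the admin center page name; check the target page title (it is "Roles and administrators" in the admin center) and use it verbatim.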
-| Role| Require MFA| Notification| Incident ticket| Require approval| Approver| Activation duration| Perm admin |
+| Role| Require MFA| Require Conditional Access| Notification| Incident ticket| Require approval| Approver| Activation duration| Perm admin |
| | | | | | | | |
-| Global Administrator| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other Global Administrator| 1 Hour| Emergency access accounts |
-| Exchange Admin| :heavy_check_mark:| :heavy_check_mark:| :x:| :x:| None| 2 Hour| None |
-| Helpdesk Admin| :x:| :x:| :heavy_check_mark:| :x:| None| 8 Hour| None |
+| Global Administrator| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other Global Administrator| 1 Hour| Emergency access accounts |
+| Exchange Admin| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |None| 2 Hour| None |
+| Helpdesk Admin| :x: | | :x: | :heavy_check_mark: | :x: | None| 8 Hour| None |
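Review bot: the header row now has nine columns (the "Require Conditional Access" column was inserted after "Require MFA"), but the unchanged separator row beneath it still has eight cells, so some renderers will drop the table or misalign the last column; extend the separator to nine cells. Also, the Helpdesk Admin row leaves the new column blank while every other cell in the table is an explicit :heavy_check_mark: or :x:; if the intent is "not required", use :x: so the example does not read as an omission.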
<a name='assign-and-activate-azure-ad-roles-'></a>
For subscriptions or resources that arenΓÇÖt as critical, you wonΓÇÖt need to se
The following table shows example settings:
-| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration|
+| Role| Require MFA| Notification| Require Conditional Access| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration|
| | | | | | | |||
-| Owner of critical subscriptions| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the subscription| 1 Hour| None| n/a| 3 months |
-| User Access Administrator of less critical subscriptions| :heavy_check_mark:| :heavy_check_mark:| :x:| None| 1 Hour| None| n/a| 3 months |
+| Owner of critical subscriptions| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other owners of the subscription| 1 Hour| None| n/a| 3 months |
+| User Access Administrator of less critical subscriptions| :heavy_check_mark: | :heavy_check_mark: | | :x: | None| 1 Hour| None| n/a| 3 months |
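Review bot: same separator mismatch as in the Microsoft Entra roles table: the header now has ten columns, but the unchanged separator row has nine cells. Two consistency points as well: here "Require Conditional Access" is placed after "Notification", whereas the Microsoft Entra roles table puts it directly after "Require MFA"; pick one column order. And the User Access Administrator row leaves the new cell empty rather than :x:.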
### Assign and activate Azure Resource role
To manage a Microsoft Entra role-assignable group as a PIM for Groups, you must
The following table shows example settings:
-| Role| Require MFA| Notification| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration |
+| Role| Require MFA| Notification| Require Conditional Access| Require approval| Approver| Activation duration| Active admin| Active expiration| Eligible expiration |
| | | | | | | |||
-| Owner| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the resource| One Hour| None| n/a| Three months |
-| Member| :heavy_check_mark:| :heavy_check_mark:| :x:| None| Five Hours| None| n/a| 3 months |
+| Owner| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Other owners of the resource| One Hour| None| n/a| Three months |
+| Member| :heavy_check_mark: | :heavy_check_mark: | | :x: | None| Five Hours| None| n/a| 3 months |
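Review bot: the PIM for Groups table has the same problems as the Azure resource roles table above it: ten header columns over a nine-cell separator row, "Require Conditional Access" placed after "Notification" rather than after "Require MFA" as in the first table, and an empty cell in the Member row where :x: is presumably meant. The "One Hour" / "Five Hours" / "Three months" spellings also differ from the "1 Hour" / "3 months" style used in the other two tables; normalize while the rows are being touched.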
### Assign eligibility for PIM for Groups You can [assign eligibility to members or owners of the PIM for Groups.](groups-assign-member-owner.md) With just one activation, they will have access to all the linked resources. >[!NOTE]
->You can assign the group to one or more Microsoft Entra ID and Azure resource roles in the same way as you assign roles to users. A maximum of 400 role-assignable groups can be created in a single Microsoft Entra organization (tenant).
+>You can assign the group to one or more Microsoft Entra ID and Azure resource roles in the same way as you assign roles to users. A maximum of 500 role-assignable groups can be created in a single Microsoft Entra organization (tenant).
![Diagram of assign eligibility for PIM for Groups.](media/pim-deployment-plan/pim-for-groups.png)
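Review bot: the note changes the role-assignable group limit from 400 to 500 without a pointer to where that limit is published; since deployment planners size against this hard tenant limit, link the service limits page (or cite the change announcement) the new value comes from, so reviewers can verify it and future edits keep the two in sync.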
active-directory Groups Create Eligible https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-create-eligible.md
Previously updated : 04/10/2023 Last updated : 10/12/2023
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
Use the [New-MgGroup](/powershell/module/microsoft.graph.groups/new-mggroup?branch=main) command to create a role-assignable group.
+This example shows how to create a Security role-assignable group.
+
+```powershell
+Connect-MgGraph -Scopes "Group.ReadWrite.All"
+$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true
+```
+
+This example shows how to create a Microsoft 365 role-assignable group.
+ ```powershell Connect-MgGraph -Scopes "Group.ReadWrite.All"
-$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group has Helpdesk Administrator built-in role assigned to it in Azure AD." -MailEnabled:$false -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true
+$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled:$true -SecurityEnabled -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole:$true -GroupTypes "Unified"
``` # [Azure AD PowerShell](#tab/aad-powershell)
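Review bot: the two Microsoft Graph PowerShell examples create groups with the same -DisplayName "Contoso_Helpdesk_Administrators" and the same -MailNickName "contosohelpdeskadministrators"; a reader who runs the Security example and then the Microsoft 365 example (now -MailEnabled:$true with -GroupTypes "Unified") in one tenant cannot tell the resulting groups apart and risks a clash on the mail nickname. Give the two examples distinct names. Both examples also request only the Group.ReadWrite.All scope while setting -IsAssignableToRole:$true; confirm in the linked prerequisites that this scope, together with the directory role the caller must hold, is sufficient to create a role-assignable group, and say so next to the Connect-MgGraph line, because a shortfall surfaces as an authorization error the text does not explain.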
$group = New-MgGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description
Use the [New-AzureADMSGroup](/powershell/module/azuread/new-azureadmsgroup?branch=main) command to create a role-assignable group. ```powershell
-$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "This group is assigned to Helpdesk Administrator built-in role in Azure AD." -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
+$group = New-AzureADMSGroup -DisplayName "Contoso_Helpdesk_Administrators" -Description "Helpdesk Administrator role assigned to group" -MailEnabled $false -SecurityEnabled $true -MailNickName "contosohelpdeskadministrators" -IsAssignableToRole $true
``` For this type of group, `isPublic` will always be false and `isSecurityEnabled` will always be true.
Add-AzureADGroupMember -ObjectId $roleAssignablegroup.Id -RefObjectId $member.Ob
Use the [Create group](/graph/api/group-post-groups?branch=main) API to create a role-assignable group.
+This example shows how to create a Security role-assignable group.
+
+```http
+POST https://graph.microsoft.com/v1.0/groups
+{
+ "description": "Helpdesk Administrator role assigned to group",
+ "displayName": "Contoso_Helpdesk_Administrators",
+ "isAssignableToRole": true,
+ "mailEnabled": false,
+ "mailNickname": "contosohelpdeskadministrators",
+ "securityEnabled": true
+}
+```
+
+This example shows how to create a Microsoft 365 role-assignable group.
+ ```http POST https://graph.microsoft.com/v1.0/groups {
- "description": "This group is assigned to Helpdesk Administrator built-in role of Azure AD.",
+ "description": "Helpdesk Administrator role assigned to group",
"displayName": "Contoso_Helpdesk_Administrators", "groupTypes": [ "Unified" ], "isAssignableToRole": true, "mailEnabled": true,
- "securityEnabled": true,
"mailNickname": "contosohelpdeskadministrators",
+ "securityEnabled": true,
"visibility" : "Private" } ```
active-directory Colloquial Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/colloquial-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Colloquial for automatic user provisioning with Microsoft Entra ID'
+description: Learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Colloquial.
++
+writer: twimmers
+
+ms.assetid: 8ea5fa0c-d3f1-4398-8051-9051e2df01f5
++++ Last updated : 10/12/2023+++
+# Tutorial: Configure Colloquial for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Colloquial and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users to [Colloquial](https://www.colloquial.io) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md).
+
+## Supported capabilities
+> [!div class="checklist"]
+> * Create users in Colloquial.
+> * Remove users in Colloquial when they do not require access anymore.
+> * Keep user attributes synchronized between Microsoft Entra ID and Colloquial.
+> * [Single sign-on](colloquial-tutorial.md) to Colloquial (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [A Microsoft Entra tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Microsoft Entra ID with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Colloquial with Admin permissions.
+
+## Step 1: Plan your provisioning deployment
+* Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+* Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+* Determine what data to [map between Microsoft Entra ID and Colloquial](../app-provisioning/customize-application-attributes.md).
+
+## Step 2: Configure Colloquial to support provisioning with Microsoft Entra ID
+Contact Colloquial support to configure Colloquial to support provisioning with Microsoft Entra ID.
+
+## Step 3: Add Colloquial from the Microsoft Entra application gallery
+
+Add Colloquial from the Microsoft Entra application gallery to start managing provisioning to Colloquial. If you have previously setup Colloquial for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4: Define who will be in scope for provisioning
+
+The Microsoft Entra provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
+
+## Step 5: Configure automatic user provisioning to Colloquial
+
+This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in Colloquial based on user assignments in Microsoft Entra ID.
+
+<a name='to-configure-automatic-user-provisioning-for-Colloquial-in-azure-ad'></a>
+
+### To configure automatic user provisioning for Colloquial in Microsoft Entra ID:
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**
+
+ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
+
+1. In the applications list, select **Colloquial**.
+
+ ![Screenshot of the Colloquial link in the Applications list.](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Screenshot of Provisioning tab.](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
+
+1. Under the **Admin Credentials** section, input your Colloquial Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Colloquial. If the connection fails, ensure your Colloquial account has Admin permissions and try again.
+
+ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Screenshot of Notification Email.](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Colloquial**.
+
+1. Review the user attributes that are synchronized from Microsoft Entra ID to Colloquial in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Colloquial for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Colloquial API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|Required by Colloquial|
+ |||||
+ |userName|String|&check;|&check;
+ |active|Boolean||&check;
+ |emails[type eq "work"].value|String||&check;
+ |preferredLanguage|String||
+ |name.givenName|String||&check;
+ |name.familyName|String||&check;
+ |externalId|String||
+ |locale|String||
+ |timezone|String||
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Microsoft Entra provisioning service for Colloquial, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png)
+
+1. Define the users that you would like to provision to Colloquial by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png)
+
+1. When you're ready to provision, click **Save**.
+
+ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running.
+
+## Step 6: Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Microsoft Entra ID?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
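Review bot: Step 2 tells the admin only to "Contact Colloquial support", yet Step 5 item 6 requires a Colloquial Tenant URL and Secret Token; state in Step 2 that support provides (or where in Colloquial the admin generates) the SCIM endpoint URL and the token, otherwise the reader is stuck at Test Connection. Smaller point: the prerequisites list names "Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator" while Step 5 says "at least a Cloud Application Administrator"; capitalize the role name consistently and align the two statements.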
active-directory Decentralized Identifier Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md
description: An overview Azure Verifiable Credentials.
# Introduction to Microsoft Entra Verified ID - Our digital and physical lives are increasingly linked to the apps, services, and devices we use to access a rich set of experiences. This digital transformation allows us to interact with hundreds of companies and thousands of other users in ways that were previously unimaginable. But identity data has too often been exposed in security breaches. These breaches affect our social, professional, and financial lives. Microsoft believes that thereΓÇÖs a better way. Every person has a right to an identity that they own and control, one that securely stores elements of their digital identity and preserves privacy. This primer explains how we are joining hands with a diverse community to build an open, trustworthy, interoperable, and standards-based Decentralized Identity solution for individuals and organizations.
active-directory Howto Verifiable Credentials Partner Au10tix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/howto-verifiable-credentials-partner-au10tix.md
Previously updated : 08/26/2022 Last updated : 10/12/2023 # Customer intent: As a developer, I'm looking for information about the open standards that are supported by Microsoft Entra Verified ID. # Configure Verified ID by AU10TIX as your Identity Verification Partner
-In this article, we cover the steps needed to integrate Microsoft Entra Verified ID with [AU10TIX](https://www.au10tix.com/). AU10TIX is a global leader in identity verification enabling companies to scale up their business by accelerating onboarding scenarios and ongoing verification throughout the customer lifecycle. It is an automated solution for the verification of ID documents + biometrics in 8 seconds or less. AU10TIX supports the verification of documents in over 190 countries/regions reading documents in their regional languages.
+In this article, we cover the steps needed to integrate Microsoft Entra Verified ID with [AU10TIX](https://www.au10tix.com/). AU10TIX is an automated solution for the verification of ID documents + biometrics. AU10TIX supports the verification of documents in over 190 countries/regions reading documents in their regional languages.
To learn more about AU10TIX and its complete set of solutions, visit https://www.au10tix.com/.
Before you can continue with the steps below you need to meet the following requ
- A tenant [configured](verifiable-credentials-configure-tenant.md) for Microsoft Entra Verified ID service. - If you don't have an existing tenant, you can [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - You need to have completed the onboarding process with Au10tix.
- - To create a AU10TIX account, submit the form on this [page](https://www.au10tix.com/solutions/microsoft-azure-active-directory-verifiable-credentials-program/).
+ - To create a AU10TIX account, submit the form on this [page](https://www.au10tix.com/solutions/verifiable-credentials/).
>[!IMPORTANT]
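Review bot: in the changed bullet, "a AU10TIX account" should read "an AU10TIX account"; and the surrounding prerequisite still spells the partner "Au10tix" while the article uses "AU10TIX" everywhere else, so fix both while the bullet is touched.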
active-directory Idemia https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/idemia.md
+
+ Title: Configure Verified ID by IDEMIA as your identity verification partner
+description: This article shows you the steps you need to follow to configure IDEMIA as your identity verification partner
++++++ Last updated : 10/12/2023+
+# Customer intent: As a developer, I'm looking for information about the open standards that are supported by Microsoft Entra Verified ID.
++
+# Configure Verified ID by IDEMIA as your identity verification partner
+
+In this article, we cover the steps needed to integrate Microsoft Entra Verified ID (Verified ID) with [IDEMIA](https://www.idemia.com/).
+
+## Prerequisites
+
+Before you can continue with the steps below you need to meet the following requirements:
+
+- A tenant configured with Verified ID.
+ - If you don't have an existing tenant, you can create an Azure account for free.
+- You need to have completed the onboarding process with IDEMIA.
+ - Register on the IDEMIA Experience Portal where you can create your own Microsoft verifiable credential application with a few steps low code integration.
+
+>[!IMPORTANT]
+>Before you can proceed, you must have already received a URL from IDEMIA. If you have not yet received it, follow up with IDEMIA before you try the steps documented below.
++
+## Scenario description
+
+Verified ID users can have their identity verified using IDEMIA's identity document capture and verification.
+The Identity proofing process is completed using biometric and document capture via the users' smartphones. Once a user submits their data, biometric and document data is extracted and verified against one another, or against an authoritative data source such as a national identity database or a trusted system of record. Counter-fraud and high-risk profile verification could also be performed for additional assurance.
+
+The result is a trusted user identity that gives service providers the assurance they need to proceed with customer onboarding.
++
+After verification, users are issued a reusable identity credential, which expedites the onboarding process for employees, partners, and customersΓÇï.
++
+## Configure IDEMIA as your identity verification proofing solution
+
+To configure IDEMIA as your identity verification proofing solution, follow these steps:
+
+1. Go to Quickstart in the Azure portal and select **Verified ID**.
+2. Choose select issuer.
+3. Look for IDEMIA in the search/select issuers drop down.
+4. Select VerifiedCredentialExpert as the credential type.
+5. Select **Add** and then select review.
+6. Download the request body and copy/paste the POST API request URL
+
+## Developer steps
+
+As a developer you now have the request URL and body from your tenant admin, follow these steps to update your application or website:
+
+1. Add the request URL and body to your application or website to request Verified IDs from your users.
+ >[!IMPORTANT]
+ >If you are using one of the sample apps, you'll need to replace the contents of the presentation_request_config.json with the request body obtained in Part 1. The sample code overwrites the trustedIssuers values with IssuerAuthority value from ```appsettings.json```. Copy the trustedIssuers value from the payload to IssuerAuthority in ```appsettings.json``` file.
+2. Replace the **URL** and **api key** values with your own values.
+3. [Grant permissions](verifiable-credentials-configure-tenant.md#grant-permissions-to-get-access-tokens) to your app so it can obtain an access token for the Verified ID service request service principal.
+
+## Test the user flow
+
+User flow is specific to your application or website. However, if you are using one of the sample apps follow the steps outlined as part of the sample app's documentation.
+
+## Next steps
+
+- [Verifiable credentials admin API](admin-api.md)
+- [Request Service REST API issuance specification](issuance-request-api.md)
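Review bot: the IMPORTANT note under "Developer steps" refers to "the request body obtained in Part 1", but this article has no Part 1; the body comes from step 6 of "Configure IDEMIA as your identity verification proofing solution", so reference that section by name. Related gap: developer step 2 says to replace the **URL** and **api key** values, but the only artifact the article says IDEMIA hands over is a URL (the earlier IMPORTANT note); state where the API key comes from, since it is a credential the application will hold. Also, the "Customer intent" front-matter line ("open standards that are supported") appears copied from another partner article and does not describe this page, and "with a few steps low code integration" in the prerequisites should read "with a low-code integration in a few steps".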
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/encrypt-data-at-rest.md
By default, your subscription uses Microsoft-managed encryption keys. There is a
There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
-You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
### Customer-managed keys for Language Understanding
To learn how to use customer-managed keys with Azure Key Vault for Azure AI serv
- [Configure customer-managed keys with Key Vault for Azure AI services encryption from the Azure portal](../Encryption/cognitive-services-encryption-keys-portal.md)
-Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md).
+Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md).
> [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
### Store customer-managed keys in Azure Key Vault
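Review bot: the second changed IMPORTANT note renames the bold heading to "Transferring a subscription between Microsoft Entra directories" but keeps the link fragment `#transferring-a-subscription-between-azure-ad-directories`; if the heading in the target known-issues article was renamed in the same pass, that fragment no longer resolves and the reader lands at the top of the page. Verify the anchor, or make sure the target keeps an alias for the old slug.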
ai-services Luis How To Collaborate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/luis-how-to-collaborate.md
After you have been added as a contributor, [sign in to the LUIS portal](how-to/
### Users with multiple emails
-If you add contributors to a LUIS app, you are specifying the exact email address. While Azure Active Directory (Azure AD) allows a single user to have more than one email account used interchangeably, LUIS requires the user to sign in with the email address specified when adding the contributor.
+If you add contributors to a LUIS app, you are specifying the exact email address. While Microsoft Entra ID allows a single user to have more than one email account used interchangeably, LUIS requires the user to sign in with the email address specified when adding the contributor.
<a name="owner-and-collaborators"></a>
-### Azure Active Directory resources
+<a name='azure-active-directory-resources'></a>
-If you use [Azure Active Directory](../../active-directory/index.yml) (Azure AD) in your organization, Language Understanding (LUIS) needs permission to the information about your users' access when they want to use LUIS. The resources that LUIS requires are minimal.
+### Microsoft Entra resources
+
+If you use [Microsoft Entra ID](../../active-directory/index.yml) (Microsoft Entra ID) in your organization, Language Understanding (LUIS) needs permission to the information about your users' access when they want to use LUIS. The resources that LUIS requires are minimal.
You see the detailed description when you attempt to sign up with an account that has admin consent or does not require admin consent, such as administrator consent:
You see the detailed description when you attempt to sign up with an account tha
* Allows the app to see and update your data, even when you are not currently using the app. The permission is required to refresh the access token of the user.
-### Azure Active Directory tenant user
+<a name='azure-active-directory-tenant-user'></a>
+
+### Microsoft Entra tenant user
-LUIS uses standard Azure Active Directory (Azure AD) consent flow.
+LUIS uses standard Microsoft Entra consent flow.
-The tenant admin should work directly with the user who needs access granted to use LUIS in the Azure AD.
+The tenant admin should work directly with the user who needs access granted to use LUIS in the Microsoft Entra ID.
* First, the user signs into LUIS, and sees the pop-up dialog needing admin approval. The user contacts the tenant admin before continuing. * Second, the tenant admin signs into LUIS, and sees a consent flow pop-up dialog. This is the dialog the admin needs to give permission for the user. Once the admin accepts the permission, the user is able to continue with LUIS. If the tenant admin will not sign in to LUIS, the admin can access [consent](https://account.activedirectory.windowsazure.com/r#/applications) for LUIS. On this page you can filter the list to items that include the name `LUIS`. If the tenant admin only wants certain users to use LUIS, there are a couple of possible solutions:
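Review bot: in the `+The tenant admin should work directly with the user who needs access granted to use LUIS in the Microsoft Entra ID.` line, the article carried over from "the Azure AD" no longer reads well in front of a product name; write "in Microsoft Entra ID" or, since the sentence is about the directory the user belongs to, "in the Microsoft Entra tenant".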
-* Giving the "admin consent" (consent to all users of the Azure AD), but then set to "Yes" the "User assignment required" under Enterprise Application Properties, and finally assign/add only the wanted users to the Application. With this method, the Administrator is still providing "admin consent" to the App, however, it's possible to control the users that can access it.
-* A second solution, is by using the [Azure AD identity and access management API in Microsoft Graph](/graph/azuread-identity-access-management-concept-overview) to provide consent to each specific user.
+* Giving the "admin consent" (consent to all users of the Microsoft Entra ID), but then set to "Yes" the "User assignment required" under Enterprise Application Properties, and finally assign/add only the wanted users to the Application. With this method, the Administrator is still providing "admin consent" to the App, however, it's possible to control the users that can access it.
+* A second solution, is by using the [Microsoft Entra identity and access management API in Microsoft Graph](/graph/azuread-identity-access-management-concept-overview) to provide consent to each specific user.
-Learn more about Azure active directory users and consent:
+Learn more about Microsoft Entra users and consent:
* [Restrict your app](../../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md) to a set of users ## Next steps
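Review bot: `+* Giving the "admin consent" (consent to all users of the Microsoft Entra ID)` has the same leftover article; admin consent is granted for the whole directory, so "(consent on behalf of all users in the Microsoft Entra tenant)" says what the parenthetical meant. The rest of the bullet is unchanged and still correct: setting "User assignment required" to Yes on the enterprise application is what narrows access after tenant-wide consent has been given.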
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/LUIS/role-based-access-control.md
LUIS supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your LUIS authoring resources. See the [Azure RBAC documentation](../../role-based-access-control/index.yml) for more information.
-## Enable Azure Active Directory authentication
+<a name='enable-azure-active-directory-authentication'></a>
-To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources).
+## Enable Microsoft Entra authentication
+
+To use Azure RBAC, you must enable Microsoft Entra authentication. You can [create a new resource with a custom subdomain](../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources).
## Add role assignment to Language Understanding Authoring resource
These custom roles only apply to authoring (Language Understanding Authoring) an
> [!NOTE] > * *Owner* and *Contributor* roles take priority over the custom LUIS roles.
-> * Azure Active Directory (Azure AAD) is only used with custom LUIS roles.
+> * Microsoft Entra ID (Azure Microsoft Entra ID) is only used with custom LUIS roles.
> * If you are assigned as a *Contributor* on Azure, your role will be shown as *Owner* in LUIS portal.
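Review bot: `+> * Microsoft Entra ID (Azure Microsoft Entra ID) is only used with custom LUIS roles.` is a botched find-and-replace of "(Azure AAD)"; the parenthetical now repeats the name with a stray "Azure" in front. Drop it and keep just "Microsoft Entra ID is only used with custom LUIS roles."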
ai-services Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/authentication.md
Each request to an Azure AI service must include an authentication header. This
* Authenticate with a [single-service](#authenticate-with-a-single-service-resource-key) or [multi-service](#authenticate-with-a-multi-service-resource-key) resource key * Authenticate with a [token](#authenticate-with-an-access-token)
-* Authenticate with [Azure Active Directory (AAD)](#authenticate-with-azure-active-directory)
+* Authenticate with [Microsoft Entra ID](#authenticate-with-azure-active-directory)
## Prerequisites
curl -X POST 'https://api.cognitive.microsofttranslator.com/translate?api-versio
--data-raw '[{ "text": "How much for the cup of coffee?" }]' | json_pp ```
-## Authenticate with Azure Active Directory
+<a name='authenticate-with-azure-active-directory'></a>
+
+## Authenticate with Microsoft Entra ID
> [!IMPORTANT]
-> Azure AD authentication always needs to be used together with custom subdomain name of your Azure resource. [Regional endpoints](./cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) do not support Azure AD authentication.
+> Microsoft Entra authentication always needs to be used together with custom subdomain name of your Azure resource. [Regional endpoints](./cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) do not support Microsoft Entra authentication.
-In the previous sections, we showed you how to authenticate against Azure AI services using a single-service or multi-service subscription key. While these keys provide a quick and easy path to start development, they fall short in more complex scenarios that require Azure [role-based access control (Azure RBAC)](../../articles/role-based-access-control/overview.md). Let's take a look at what's required to authenticate using Azure Active Directory (Azure AD).
+In the previous sections, we showed you how to authenticate against Azure AI services using a single-service or multi-service subscription key. While these keys provide a quick and easy path to start development, they fall short in more complex scenarios that require Azure [role-based access control (Azure RBAC)](../../articles/role-based-access-control/overview.md). Let's take a look at what's required to authenticate using Microsoft Entra ID.
In the following sections, you'll use either the Azure Cloud Shell environment or the Azure CLI to create a subdomain, assign roles, and obtain a bearer token to call the Azure AI services. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI. > [!IMPORTANT]
-> If your organization is doing authentication through Azure AD, you should [disable local authentication](./disable-local-auth.md) (authentication with keys) so that users in the organization must always use Azure AD.
+> If your organization is doing authentication through Microsoft Entra ID, you should [disable local authentication](./disable-local-auth.md) (authentication with keys) so that users in the organization must always use Microsoft Entra ID.
### Create a resource with a custom subdomain
Now that you have a custom subdomain associated with your resource, you're going
> [!NOTE] > Keep in mind that Azure role assignments may take up to five minutes to propagate.
-1. First, let's register an [Azure AD application](/powershell/module/Az.Resources/New-AzADApplication).
+1. First, let's register an [Microsoft Entra application](/powershell/module/Az.Resources/New-AzADApplication).
```powershell-interactive $SecureStringPassword = ConvertTo-SecureString -String <YOUR_PASSWORD> -AsPlainText -Force
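Review bot: `+1. First, let's register an [Microsoft Entra application]` needs "a" rather than "an" now that the noun phrase starts with a consonant; "an Azure AD application" was correct before the rename. Leaving the link target `/powershell/module/Az.Resources/New-AzADApplication` untouched is right, since the `Az.Resources` cmdlet names were not renamed with the product.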
Now that you have a custom subdomain associated with your resource, you're going
You're going to need the **ApplicationId** in the next step.
-2. Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Azure AD application.
+2. Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Microsoft Entra application.
```powershell-interactive New-AzADServicePrincipal -ApplicationId <APPLICATION_ID>
In this sample, a password is used to authenticate the service principal. The to
$result | ConvertTo-Json ```
-Alternatively, the service principal can be authenticated with a certificate. Besides service principal, user principal is also supported by having permissions delegated through another Azure AD application. In this case, instead of passwords or certificates, users would be prompted for two-factor authentication when acquiring token.
+Alternatively, the service principal can be authenticated with a certificate. Besides service principal, user principal is also supported by having permissions delegated through another Microsoft Entra application. In this case, instead of passwords or certificates, users would be prompted for two-factor authentication when acquiring token.
## Authorize access to managed identities
-Azure AI services support Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../../articles/active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
+Azure AI services support Microsoft Entra authentication with [managed identities for Azure resources](../../articles/active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud.
### Enable managed identities on a VM
For more information about managed identities, see [Managed identities for Azure
You can [use Azure Key Vault](./use-key-vault.md) to securely develop Azure AI services applications. Key Vault enables you to store your authentication credentials in the cloud, and reduces the chances that secrets may be accidentally leaked, because you won't store security information in your application.
-Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
+Authentication is done via Microsoft Entra ID. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
## See also
ai-services Cognitive Services Custom Subdomains https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-custom-subdomains.md
# Custom subdomain names for Azure AI services
-Azure AI services use custom subdomain names for each resource created through the [Azure portal](https://portal.azure.com), [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/), or [Azure CLI](/cli/azure/install-azure-cli). Unlike regional endpoints, which were common for all customers in a specific Azure region, custom subdomain names are unique to the resource. Custom subdomain names are required to enable features like Azure Active Directory (Azure AD) for authentication.
+Azure AI services use custom subdomain names for each resource created through the [Azure portal](https://portal.azure.com), [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/), or [Azure CLI](/cli/azure/install-azure-cli). Unlike regional endpoints, which were common for all customers in a specific Azure region, custom subdomain names are unique to the resource. Custom subdomain names are required to enable features like Microsoft Entra ID for authentication.
## How does this impact existing resources? Azure AI services resources created before July 1, 2019 will use the regional endpoints for the associated service. These endpoints will work with existing and new resources.
-If you'd like to migrate an existing resource to leverage custom subdomain names, so that you can enable features like Azure AD, follow these instructions:
+If you'd like to migrate an existing resource to leverage custom subdomain names, so that you can enable features like Microsoft Entra ID, follow these instructions:
1. Sign in to the Azure portal and locate the Azure AI services resource that you'd like to add a custom subdomain name to. 2. In the **Overview** blade, locate and select **Generate Custom Domain Name**.
ai-services Cognitive Services Virtual Networks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-virtual-networks.md
Azure AI services provide a layered security model. This model enables you to secure your Azure AI services accounts to a specific subset of networksΓÇï. When network rules are configured, only applications that request data over the specified set of networks can access the account. You can limit access to your resources with *request filtering*, which allows requests that originate only from specified IP addresses, IP ranges, or from a list of subnets in [Azure Virtual Networks](../virtual-network/virtual-networks-overview.md).
-An application that accesses an Azure AI services resource when network rules are in effect requires authorization. Authorization is supported with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) credentials or with a valid API key.
+An application that accesses an Azure AI services resource when network rules are in effect requires authorization. Authorization is supported with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) credentials or with a valid API key.
> [!IMPORTANT] > Turning on firewall rules for your Azure AI services account blocks incoming requests for data by default. To allow requests through, one of the following conditions needs to be met:
You can manage default network access rules for Azure AI services resources thro
## Grant access from a virtual network
-You can configure Azure AI services resources to allow access from specific subnets only. The allowed subnets might belong to a virtual network in the same subscription or in a different subscription. The other subscription can belong to a different Azure AD tenant.
+You can configure Azure AI services resources to allow access from specific subnets only. The allowed subnets might belong to a virtual network in the same subscription or in a different subscription. The other subscription can belong to a different Microsoft Entra tenant.
Enable a *service endpoint* for Azure AI services within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure AI services service. For more information, see [Virtual Network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md).
Each Azure AI services resource supports up to 100 virtual network rules, which
To apply a virtual network rule to an Azure AI services resource, you need the appropriate permissions for the subnets to add. The required permission is the default *Contributor* role or the *Cognitive Services Contributor* role. Required permissions can also be added to custom role definitions.
-The Azure AI services resource and the virtual networks that are granted access might be in different subscriptions, including subscriptions that are part of a different Azure AD tenant.
+The Azure AI services resource and the virtual networks that are granted access might be in different subscriptions, including subscriptions that are part of a different Microsoft Entra tenant.
> [!NOTE]
-> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure AD tenant are currently supported only through PowerShell, the Azure CLI, and the REST APIs. You can view these rules in the Azure portal, but you can't configure them.
+> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Microsoft Entra tenant are currently supported only through PowerShell, the Azure CLI, and the REST APIs. You can view these rules in the Azure portal, but you can't configure them.
### Configure virtual network rules
To grant access to a virtual network with an existing network rule:
> [!NOTE] > If a service endpoint for Azure AI services wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation. >
- > Currently, only virtual networks that belong to the same Azure AD tenant are available for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or the REST APIs.
+ > Currently, only virtual networks that belong to the same Microsoft Entra tenant are available for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or the REST APIs.
1. Select **Save** to apply your changes.
To remove a virtual network or subnet rule:
``` > [!TIP]
- > To add a network rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully-qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`.
+ > To add a network rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully-qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`.
1. Remove a network rule for a virtual network and subnet.
To remove a virtual network or subnet rule:
``` > [!TIP]
- > To add a rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully-qualified subnet ID in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`.
+ > To add a rule for a subnet in a virtual network that belongs to another Microsoft Entra tenant, use a fully-qualified subnet ID in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`.
>
- > You can use the `--subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Azure AD tenant.
+ > You can use the `--subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Microsoft Entra tenant.
1. Remove a network rule for a virtual network and subnet.
ai-services Spatial Analysis Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/spatial-analysis-web-app.md
Wait for setup to complete, and navigate to your resource in the Azure portal. G
* `IotHubConnectionString` ΓÇô The connection string to your Azure IoT Hub, this can be retrieved from the keys section of your Azure IoT Hub resource ![Configure Parameters](./media/spatial-analysis/solution-app-config-page.png)
-Once these 2 settings are added, select **Save**. Then select **Authentication/Authorization** in the left navigation menu, and update it with the desired level of authentication. We recommend Azure Active Directory (Azure AD) express.
+Once these 2 settings are added, select **Save**. Then select **Authentication/Authorization** in the left navigation menu, and update it with the desired level of authentication. We recommend Microsoft Entra ID express.
### Test the app
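Review bot: `+... update it with the desired level of authentication. We recommend Microsoft Entra ID express.` renames what the old line presented as a portal option ("Azure Active Directory (Azure AD) express" under **Authentication/Authorization**). Check the wording and capitalization the App Service blade currently shows before merging; readers match on the label, and a prose rename that the portal does not display sends them looking for an option that is not there.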
ai-services Video Moderation Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-moderator/video-moderation-api.md
The Content Moderator's video moderation capability is available as a free publi
Follow the instructions in [Create an Azure Media Services account](/azure/media-services/previous/media-services-portal-create-account) to subscribe to AMS and create an associated Azure storage account. In that storage account, create a new Blob storage container.
-### Create an Azure Active Directory application
+<a name='create-an-azure-active-directory-application'></a>
+
+### Create a Microsoft Entra application
Navigate to your new AMS subscription in the Azure portal and select **API access** from the side menu. Select **Connect to Azure Media Services with service principal**. Note the value in the **REST API endpoint** field; you will need this later.
-In the **Azure AD app** section, select **Create New** and name your new Azure AD application registration (for example, "VideoModADApp"). Select **Save** and wait a few minutes while the application is configured. Then, you should see your new app registration under the **Azure AD app** section of the page.
+In the **Microsoft Entra app** section, select **Create New** and name your new Microsoft Entra application registration (for example, "VideoModADApp"). Select **Save** and wait a few minutes while the application is configured. Then, you should see your new app registration under the **Microsoft Entra app** section of the page.
Select your app registration and click the **Manage application** button below it. Note the value in the **Application ID** field; you will need this later. Select **Settings** > **Keys**, and enter a description for a new key (such as "VideoModKey"). Select **Save**, and then notice the new key value. Copy this string and save it somewhere secure.
-For a more thorough walkthrough of the above process, See [Get started with Azure AD authentication](/azure/media-services/previous/media-services-portal-get-started-with-aad).
+For a more thorough walkthrough of the above process, See [Get started with Microsoft Entra authentication](/azure/media-services/previous/media-services-portal-get-started-with-aad).
Once you've done this, you can use the video moderation media processor in two different ways.
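Review bot: the bold UI labels in `+In the **Microsoft Entra app** section, select **Create New**` (and the second **Microsoft Entra app** later in the same line) should be checked against what the Azure Media Services **API access** blade actually displays; if that legacy blade still reads "Azure AD app", the doc should quote the label as shown and note the product rename in prose instead. Separately, "For a more thorough walkthrough of the above process, See" carries a mid-sentence capital "See" that this hunk could fix while it is touching the line.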
using System.Collections.Generic;
### Set up resource references
-Add the following static fields to the **Program** class in _Program.cs_. These fields hold the information necessary for connecting to your AMS subscription. Fill them in with the values you got in the steps above. Note that `CLIENT_ID` is the **Application ID** value of your Azure AD app, and `CLIENT_SECRET` is the value of the "VideoModKey" that you created for that app.
+Add the following static fields to the **Program** class in _Program.cs_. These fields hold the information necessary for connecting to your AMS subscription. Fill them in with the values you got in the steps above. Note that `CLIENT_ID` is the **Application ID** value of your Microsoft Entra app, and `CLIENT_SECRET` is the value of the "VideoModKey" that you created for that app.
```csharp // declare constants and globals
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/how-to/encrypt-data-at-rest.md
By default, your subscription uses Microsoft-managed encryption keys. There's al
Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
-You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](/azure/key-vault/general/overview).
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](/azure/key-vault/general/overview).
To enable customer-managed keys, you must also enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
When you disable customer-managed keys, your Azure AI services resource is then
1. Go to your Azure AI services resource, and then select **Encryption**. 2. Select **Microsoft Managed Keys** > **Save**.
-When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](/azure/active-directory/managed-identities-azure-resources/overview).
+When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](/azure/active-directory/managed-identities-azure-resources/overview).
> [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories).
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories).
## Next steps * [Content Safety overview](../overview.md)
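Review bot: in the `+> Managed identities do not currently support cross-directory scenarios.` line, the bold cross-reference was renamed to **Transferring a subscription between Microsoft Entra directories** while the link fragment stays `#transferring-a-subscription-between-azure-ad-directories`. Confirm the target page's heading and generated id: if that heading was renamed in the same pass without a preserved anchor, this fragment breaks; if an `<a name>` anchor was kept there, as the other files in this commit do, the link is fine and only the bold text needed changing.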
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/content-safety/overview.md
The maximum size for image submissions is 4 MB, and image dimensions must be bet
## Security
-### Use Azure Active Directory or Managed Identity to manage access
+<a name='use-azure-active-directory-or-managed-identity-to-manage-access'></a>
-For enhanced security, you can use Azure Active Directory (Azure AD) or Managed Identity (MI) to manage access to your resources.
+### Use Microsoft Entra ID or Managed Identity to manage access
+
+For enhanced security, you can use Microsoft Entra ID or Managed Identity (MI) to manage access to your resources.
* Managed Identity is automatically enabled when you create a Content Safety resource.
-* Azure Active Directory is supported in both API and SDK scenarios. Refer to the general AI services guideline of [Authenticating with Azure Active Directory](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory). You can also grant access to other users within your organization by assigning them the roles of **Cognitive Services Users** and **Reader**. To learn more about granting user access to Azure resources using the Azure portal, refer to the [Role-based access control guide](/azure/role-based-access-control/quickstart-assign-role-user-portal).
+* Microsoft Entra ID is supported in both API and SDK scenarios. Refer to the general AI services guideline of [Authenticating with Microsoft Entra ID](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory). You can also grant access to other users within your organization by assigning them the roles of **Cognitive Services Users** and **Reader**. To learn more about granting user access to Azure resources using the Azure portal, refer to the [Role-based access control guide](/azure/role-based-access-control/quickstart-assign-role-user-portal).
### Encryption of data at rest
ai-services Disable Local Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/disable-local-auth.md
# Disable local authentication in Azure AI Services
-Azure AI Services provides Azure Active Directory (Azure AD) authentication support for all resources. This gives organizations control to disable local authentication methods and enforce Azure AD authentication. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials.
+Azure AI Services provides Microsoft Entra authentication support for all resources. This gives organizations control to disable local authentication methods and enforce Microsoft Entra authentication. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials.
You can disable local authentication using the Azure policy [Cognitive Services accounts should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc). You can set it at the subscription level or resource group level to enforce the policy for a group of services.
You can use PowerShell to determine whether the local authentication policy is c
To enable local authentication, execute the PowerShell cmdlet **[Set-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/set-azcognitiveservicesaccount)** with the parameter `-DisableLocalAuth false`.  Allow a few minutes for the service to accept the change to allow local authentication requests. ## Next steps-- [Authenticate requests to Azure AI services](./authentication.md)
+- [Authenticate requests to Azure AI services](./authentication.md)
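Review bot: the re-enable instruction in this hunk passes the bare word `false` to `-DisableLocalAuth`; because that parameter takes a Boolean value rather than acting as a switch, PowerShell rejects the string and the reader needs `-DisableLocalAuth $false` (the same applies to the `true` form used to disable local auth earlier in the article). Also worth a sentence here: since the article's point is enforcing Microsoft Entra authentication, note that re-enabling local auth should be a deliberate exception and that the Azure Policy referenced above will flag the account as non-compliant once it is.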
ai-services Create Sas Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/create-sas-tokens.md
monikerRange: '<=doc-intel-3.1.0'
[!INCLUDE [applies to v3.1, v3.0, v2.1](includes/applies-to-v3-1-v3-0-v2-1.md)]
- In this article, learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.
+ In this article, learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Microsoft Entra credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.
:::image type="content" source="media/sas-tokens/sas-url-token.png" alt-text="Screenshot of storage URI with SAS token appended.":::
The Azure portal is a web-based console that enables you to manage your Azure su
* Consider setting a longer duration period for the time you're using your storage account for Document Intelligence Service operations. * The value of the expiry time is determined by whether you're using an **Account key** or **User delegation key** **Signing method**: * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).
- * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Azure AD credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).
+ * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Microsoft Entra credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).
1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. For more information,*see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range).
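Review bot: the `+` line keeps the missing space in "For more information,*see* [Use Microsoft Entra credentials ...]", and the following context line has "For more information,*see*, [" with a stray comma; since the line is being touched anyway, suggest "For more information, *see* [...]" in both places. The seven-day cap in the user delegation bullet is the right thing to stress, so consider adding that the same cap also bounds how long a leaked token stays usable, which is the reason to prefer user delegation SAS over an account-key SAS where possible.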
ai-services Deploy Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/deploy-label-tool.md
az container create \
```
-### Connect to Azure AD for authorization
+<a name='connect-to-azure-ad-for-authorization'></a>
-It's recommended that you connect your web app to Azure Active Directory (Azure AD). This connection ensures that only users with valid credentials can sign in and use your web app. Follow the instructions in [Configure your App Service app](../../app-service/configure-authentication-provider-aad.md) to connect to Azure Active Directory.
+### Connect to Microsoft Entra ID for authorization
+
+It's recommended that you connect your web app to Microsoft Entra ID. This connection ensures that only users with valid credentials can sign in and use your web app. Follow the instructions in [Configure your App Service app](../../app-service/configure-authentication-provider-aad.md) to connect to Microsoft Entra ID.
## Open source on GitHub
ai-services Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/label-tool.md
You need an Azure subscription ([create one for free](https://azure.microsoft.co
> [!NOTE] >
-> If your storage data is behind a VNet or firewall, you must deploy the **Document Intelligence Sample Labeling tool** behind your VNet or firewall and grant access by creating a [system-assigned managed identity](managed-identities.md "Azure managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources").
+> If your storage data is behind a VNet or firewall, you must deploy the **Document Intelligence Sample Labeling tool** behind your VNet or firewall and grant access by creating a [system-assigned managed identity](managed-identities.md "Azure managed identity is a service principal that creates a Microsoft Entra identity and specific permissions for Azure managed resources").
You use the Docker engine to run the Sample Labeling tool. Follow these steps to set up the Docker container. For a primer on Docker and container basics, see the [Docker overview](https://docs.docker.com/engine/docker-overview/).
ai-services Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/managed-identities.md
monikerRange: '<=doc-intel-3.1.0'
[!INCLUDE [applies to v3.1, v3.0, v2.1](includes/applies-to-v3-1-v3-0-v2-1.md)]
-Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources:
+Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources:
:::image type="content" source="media/managed-identities/rbac-flow.png" alt-text="Screenshot of managed identity flow (RBAC).":::
-* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications. Unlike security keys and authentication tokens, managed identities eliminate the need for developers to manage credentials.
+* You can use managed identities to grant access to any resource that supports Microsoft Entra authentication, including your own applications. Unlike security keys and authentication tokens, managed identities eliminate the need for developers to manage credentials.
* To grant access to an Azure resource, assign an Azure role to a managed identity using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
ai-services Try Document Intelligence Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/try-document-intelligence-studio.md
monikerRange: '>=doc-intel-3.0.0'
* A [**Document Intelligence**](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [**multi-service**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource. > [!TIP]
-> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).
+> Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md).
## Models
ai-services Try Sample Label Tool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/quickstarts/try-sample-label-tool.md
You'll need the following to get started:
* An Azure AI services or Document Intelligence resource. Once you have your Azure subscription, create a [single-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer), or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) Document Intelligence resource in the Azure portal to get your key and endpoint. You can use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production. > [!TIP]
- > Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).
+ > Create an Azure AI services resource if you plan to access multiple Azure AI services under a single endpoint/key. For Document Intelligence access only, create a Document Intelligence resource. Please note that you'll need a single-service resource if you intend to use [Microsoft Entra authentication](../../../active-directory/authentication/overview-authentication.md).
## Create a Document Intelligence resource
ai-services Sdk Overview V3 0 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/sdk-overview-v3-0.md
There are two supported methods for authentication
* Use a [Document Intelligence API key](#use-your-api-key) with AzureKeyCredential from azure.core.credentials.
-* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md).
+* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md).
#### Use your API key
async function main() {
-#### Use an Azure Active Directory (Azure AD) token credential
+<a name='use-an-azure-active-directory-azure-ad-token-credential'></a>
+
+#### Use a Microsoft Entra token credential
> [!NOTE]
-> Regional endpoints do not support AAD authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication.
+> Regional endpoints do not support Microsoft Entra authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication.
Authorization is easiest using the `DefaultAzureCredential`. It provides a default token credential, based upon the running environment, capable of handling most Azure authentication scenarios.
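Review bot: the bullet above still links to the old slug `#use-an-azure-active-directory-azure-ad-token-credential`, which now only resolves through the `<a name=...>` shim this hunk adds; suggest pointing the in-page link at the new heading ("Use a Microsoft Entra token credential") so the shim serves external deep links only and can eventually be dropped.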
Here's how to acquire and use the [DefaultAzureCredential](/dotnet/api/azure.ide
Install-Package Azure.Identity ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret in the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret in the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:
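Review bot: wording in the .NET tab's step 3 ("client secret in the Microsoft Entra application") differs from the Java, JavaScript and Python tabs ("client secret of the Microsoft Entra application"); align on one form across the tabs since the hunk is rewriting the sentence anyway.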
Here's how to acquire and use the [DefaultAzureCredential](/java/api/com.azure.i
</dependency> ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance and **`TokenCredential`** variable:
Here's how to acquire and use the [DefaultAzureCredential](/javascript/api/@azur
npm install @azure/identity ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:
Here's how to acquire and use the [DefaultAzureCredential](/python/api/azure-ide
pip install azure-identity ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:
ai-services Sdk Overview V3 1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/sdk-overview-v3-1.md
There are two supported methods for authentication
* Use a [Document Intelligence API key](#use-your-api-key) with AzureKeyCredential from azure.core.credentials.
-* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md).
+* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md).
#### Use your API key
async function main() {
-#### Use an Azure Active Directory (Azure AD) token credential
+<a name='use-an-azure-active-directory-azure-ad-token-credential'></a>
+
+#### Use a Microsoft Entra token credential
> [!NOTE]
-> Regional endpoints do not support AAD authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication.
+> Regional endpoints do not support Microsoft Entra authentication. Create a [custom subdomain](../../ai-services/authentication.md?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication.
Authorization is easiest using the `DefaultAzureCredential`. It provides a default token credential, based upon the running environment, capable of handling most Azure authentication scenarios.
Here's how to acquire and use the [DefaultAzureCredential](/dotnet/api/azure.ide
Install-Package Azure.Identity ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret in the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret in the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:
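Review bot: same inconsistency as in the v3.0 article: the .NET tab's step 3 says "client secret in the Microsoft Entra application" while the other three tabs say "of the Microsoft Entra application"; pick one phrasing for all tabs while the line is being changed.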
Here's how to acquire and use the [DefaultAzureCredential](/java/api/com.azure.i
</dependency> ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance and **`TokenCredential`** variable:
Here's how to acquire and use the [DefaultAzureCredential](/javascript/api/@azur
npm install @azure/identity ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:
Here's how to acquire and use the [DefaultAzureCredential](/python/api/azure-ide
pip install azure-identity ```
-1. [Register an Azure AD application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
+1. [Register a Microsoft Entra application and create a new service principal](../../ai-services/authentication.md?tabs=powershell#assign-a-role-to-a-service-principal).
1. Grant access to Document Intelligence by assigning the **`Cognitive Services User`** role to your service principal.
-1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
+1. Set the values of the client ID, tenant ID, and client secret of the Microsoft Entra application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.
1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:
ai-services How To Create Immersive Reader https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-create-immersive-reader.md
Title: "Create an Immersive Reader Resource"
-description: This article shows you how to create a new Immersive Reader resource with a custom subdomain and then configure Azure AD in your Azure tenant.
+description: This article shows you how to create a new Immersive Reader resource with a custom subdomain and then configure Microsoft Entra ID in your Azure tenant.
Last updated 03/31/2023
-# Create an Immersive Reader resource and configure Azure Active Directory authentication
+# Create an Immersive Reader resource and configure Microsoft Entra authentication
-In this article, we provide a script that creates an Immersive Reader resource and configure Azure Active Directory (Azure AD) authentication. Each time an Immersive Reader resource is created, whether with this script or in the portal, it must also be configured with Azure AD permissions.
+In this article, we provide a script that creates an Immersive Reader resource and configure Microsoft Entra authentication. Each time an Immersive Reader resource is created, whether with this script or in the portal, it must also be configured with Microsoft Entra permissions.
-The script is designed to create and configure all the necessary Immersive Reader and Azure AD resources for you all in one step. However, you can also just configure Azure AD authentication for an existing Immersive Reader resource, if for instance, you happen to have already created one in the Azure portal.
+The script is designed to create and configure all the necessary Immersive Reader and Microsoft Entra resources for you all in one step. However, you can also just configure Microsoft Entra authentication for an existing Immersive Reader resource, if for instance, you happen to have already created one in the Azure portal.
-For some customers, it may be necessary to create multiple Immersive Reader resources, for development vs. production, or perhaps for multiple different regions your service is deployed in. For those cases, you can come back and use the script multiple times to create different Immersive Reader resources and get them configured with the Azure AD permissions.
+For some customers, it may be necessary to create multiple Immersive Reader resources, for development vs. production, or perhaps for multiple different regions your service is deployed in. For those cases, you can come back and use the script multiple times to create different Immersive Reader resources and get them configured with the Microsoft Entra permissions.
-The script is designed to be flexible. It first looks for existing Immersive Reader and Azure AD resources in your subscription, and creates them only as necessary if they don't already exist. If it's your first time creating an Immersive Reader resource, the script does everything you need. If you want to use it just to configure Azure AD for an existing Immersive Reader resource that was created in the portal, it does that too.
+The script is designed to be flexible. It first looks for existing Immersive Reader and Microsoft Entra resources in your subscription, and creates them only as necessary if they don't already exist. If it's your first time creating an Immersive Reader resource, the script does everything you need. If you want to use it just to configure Microsoft Entra ID for an existing Immersive Reader resource that was created in the portal, it does that too.
It can also be used to create and configure multiple Immersive Reader resources. ## Permissions
-The listed **Owner** of your Azure subscription has all the required permissions to create an Immersive Reader resource and configure Azure AD authentication.
+The listed **Owner** of your Azure subscription has all the required permissions to create an Immersive Reader resource and configure Microsoft Entra authentication.
If you aren't an owner, the following scope-specific permissions are required:
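Review bot: grammar in the rewritten intro sentence, "we provide a script that creates an Immersive Reader resource and configure Microsoft Entra authentication": the second verb should agree with "script" ("creates ... and configures"). Also, the last paragraph of this hunk says "configure Microsoft Entra ID for an existing Immersive Reader resource" while every other sentence says "configure Microsoft Entra authentication"; use the latter consistently, since the script configures authentication for the resource rather than configuring the directory itself.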
If you aren't an owner, the following scope-specific permissions are required:
:::image type="content" source="media/contributor-role.png" alt-text="Screenshot of contributor built-in role description.":::
-* **Application Developer**. You need to have at least an Application Developer role associated in Azure AD:
+* **Application Developer**. You need to have at least an Application Developer role associated in Microsoft Entra ID:
:::image type="content" source="media/application-developer-role.png" alt-text="{alt-text}":::
-For more information, _see_ [Azure AD built-in roles](../../active-directory/roles/permissions-reference.md#application-developer)
+For more information, _see_ [Microsoft Entra built-in roles](../../active-directory/roles/permissions-reference.md#application-developer)
## Set up PowerShell environment
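Review bot: the image in this hunk still carries the placeholder `alt-text="{alt-text}"`; give it a real description (for example, the Application Developer built-in role description, matching the alt-text style of the contributor-role screenshot just above) before merging.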
For more information, _see_ [Azure AD built-in roles](../../active-directory/rol
| ResourceLocation |Options: `australiaeast`, `brazilsouth`, `canadacentral`, `centralindia`, `centralus`, `eastasia`, `eastus`, `eastus2`, `francecentral`, `germanywestcentral`, `japaneast`, `japanwest`, `jioindiawest`, `koreacentral`, `northcentralus`, `northeurope`, `norwayeast`, `southafricanorth`, `southcentralus`, `southeastasia`, `swedencentral`, `switzerlandnorth`, `switzerlandwest`, `uaenorth`, `uksouth`, `westcentralus`, `westeurope`, `westus`, `westus2`, `westus3`. This parameter is optional if the resource already exists. | | ResourceGroupName |Resources are created in resource groups within subscriptions. Supply the name of an existing resource group. If the resource group doesn't already exist, a new one with this name is created. | | ResourceGroupLocation |If your resource group doesn't exist, you need to supply a location in which to create the group. To find a list of locations, run `az account list-locations`. Use the *name* property (without spaces) of the returned result. This parameter is optional if your resource group already exists. |
- | AADAppDisplayName |The Azure Active Directory application display name. If an existing Azure AD application isn't found, a new one with this name is created. This parameter is optional if the Azure AD application already exists. |
- | AADAppIdentifierUri |The URI for the Azure AD application. If an existing Azure AD application isn't found, a new one with this URI is created. For example, `api://MyOrganizationImmersiveReaderAADApp`. Here we're using the default Azure AD URI scheme prefix of `api://` for compatibility with the [Azure AD policy of using verified domains](../../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). |
- | AADAppClientSecretExpiration |The date or datetime after which your Azure AD Application Client Secret (password) will expire (for example, '2020-12-31T11:59:59+00:00' or '2020-12-31'). This function creates a client secret for you. To manage Azure AD application client secrets after you've created this resource, visit https://portal.azure.com and go to Home -> Azure Active Directory -> App Registrations -> (your app) `[AADAppDisplayName]` -> Certificates and Secrets section -> Client Secrets section (as shown in the "Manage your Azure AD application secrets" screenshot).|
+ | AADAppDisplayName |The Microsoft Entra application display name. If an existing Microsoft Entra application isn't found, a new one with this name is created. This parameter is optional if the Microsoft Entra application already exists. |
+ | AADAppIdentifierUri |The URI for the Microsoft Entra application. If an existing Microsoft Entra application isn't found, a new one with this URI is created. For example, `api://MyOrganizationImmersiveReaderAADApp`. Here we're using the default Microsoft Entra URI scheme prefix of `api://` for compatibility with the [Microsoft Entra policy of using verified domains](../../active-directory/develop/reference-breaking-changes.md#appid-uri-in-single-tenant-applications-will-require-use-of-default-scheme-or-verified-domains). |
+ | AADAppClientSecretExpiration |The date or datetime after which your Microsoft Entra Application Client Secret (password) will expire (for example, '2020-12-31T11:59:59+00:00' or '2020-12-31'). This function creates a client secret for you. To manage Microsoft Entra application client secrets after you've created this resource, visit https://portal.azure.com and go to Home -> Microsoft Entra ID -> App Registrations -> (your app) `[AADAppDisplayName]` -> Certificates and Secrets section -> Client Secrets section (as shown in the "Manage your Microsoft Entra application secrets" screenshot).|
- Manage your Azure AD application secrets
+ Manage your Microsoft Entra application secrets
![Azure portal Certificates and Secrets blade](./media/client-secrets-blade.png)
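Review bot: the example values in the `AADAppClientSecretExpiration` row ('2020-12-31T11:59:59+00:00' and '2020-12-31') are already in the past relative to the article's 03/31/2023 update date, so a reader who copies them gets a secret that is expired on creation; use a clearly future placeholder date and, since this row is the only place the client secret lifetime is discussed, add a short pointer to rotate the secret before that date.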
ai-services How To Multiple Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/how-to-multiple-resources.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Create the Immersive Reader resources
-Follow [these instructions](./how-to-create-immersive-reader.md) to create each Immersive Reader resource. The **Create-ImmersiveReaderResource** script has `ResourceName`, `ResourceSubdomain`, and `ResourceLocation` as parameters. These should be unique for each resource being created. The remaining parameters should be the same as what you used when setting up your first Immersive Reader resource. This way, each resource can be linked to the same Azure resource group and Azure AD application.
+Follow [these instructions](./how-to-create-immersive-reader.md) to create each Immersive Reader resource. The **Create-ImmersiveReaderResource** script has `ResourceName`, `ResourceSubdomain`, and `ResourceLocation` as parameters. These should be unique for each resource being created. The remaining parameters should be the same as what you used when setting up your first Immersive Reader resource. This way, each resource can be linked to the same Azure resource group and Microsoft Entra application.
The example below shows how to create two resources, one in WestUS, and another in EastUS. Notice the unique values for `ResourceName`, `ResourceSubdomain`, and `ResourceLocation`.
Create-ImmersiveReaderResource
## Add resources to environment configuration
-In the quickstart, you created an environment configuration file that contains the `TenantId`, `ClientId`, `ClientSecret`, and `Subdomain` parameters. Since all of your resources use the same Azure AD application, we can use the same values for the `TenantId`, `ClientId`, and `ClientSecret`. The only change that needs to be made is to list each subdomain for each resource.
+In the quickstart, you created an environment configuration file that contains the `TenantId`, `ClientId`, `ClientSecret`, and `Subdomain` parameters. Since all of your resources use the same Microsoft Entra application, we can use the same values for the `TenantId`, `ClientId`, and `ClientSecret`. The only change that needs to be made is to list each subdomain for each resource.
Your new __.env__ file should now look something like the following:
Be sure not to commit this file into source control, as it contains secrets that
Next, we're going to modify the _routes\index.js_ file that we created to support our multiple resources. Replace its content with the following code.
-As before, this code creates an API endpoint that acquires an Azure AD authentication token using your service principal password. This time, it allows the user to specify a resource location and pass it in as a query parameter. It then returns an object containing the token and the corresponding subdomain.
+As before, this code creates an API endpoint that acquires a Microsoft Entra authentication token using your service principal password. This time, it allows the user to specify a resource location and pass it in as a query parameter. It then returns an object containing the token and the corresponding subdomain.
```javascript var express = require('express');
ai-services Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/reference.md
launchAsync(token: string, subdomain: string, content: Content, options?: Option
| Name | Type | Description | | - | - | |
-| `token` | string | The Azure AD authentication token. For more information, see [How-To Create an Immersive Reader Resource](./how-to-create-immersive-reader.md). |
+| `token` | string | The Microsoft Entra authentication token. For more information, see [How-To Create an Immersive Reader Resource](./how-to-create-immersive-reader.md). |
| `subdomain` | string | The custom subdomain of your Immersive Reader resource in Azure. For more information, see [How-To Create an Immersive Reader Resource](./how-to-create-immersive-reader.md). | | `content` | [Content](#content) | An object containing the content to be shown in the Immersive Reader. | | `options` | [Options](#options) | Options for configuring certain behaviors of the Immersive Reader. Optional. |
ai-services Security How To Update Role Assignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/security-how-to-update-role-assignment.md
Title: "Security Advisory: Update Role Assignment for Azure Active Directory authentication permissions"
+ Title: "Security Advisory: Update Role Assignment for Microsoft Entra authentication permissions"
description: This article will show you how to update the role assignment on existing Immersive Reader resources due to a security bug discovered in November 2021
Last updated 01/06/2022
-# Security Advisory: Update Role Assignment for Azure Active Directory authentication permissions
+# Security Advisory: Update Role Assignment for Microsoft Entra authentication permissions
-A security bug has been discovered with Immersive Reader Azure Active Directory (Azure AD) authentication configuration. We are advising that you change the permissions on your Immersive Reader resources as described below.
+A security bug has been discovered with Immersive Reader Microsoft Entra authentication configuration. We are advising that you change the permissions on your Immersive Reader resources as described below.
## Background
-A security bug was discovered that relates to Azure AD authentication for Immersive Reader. When initially creating your Immersive Reader resources and configuring them for Azure AD authentication, it is necessary to grant permissions for the Azure AD application identity to access your Immersive Reader resource. This is known as a Role Assignment. The Azure role that was previously used for permissions was the [Cognitive Services User](../../role-based-access-control/built-in-roles.md#cognitive-services-user) role.
+A security bug was discovered that relates to Microsoft Entra authentication for Immersive Reader. When initially creating your Immersive Reader resources and configuring them for Microsoft Entra authentication, it is necessary to grant permissions for the Microsoft Entra application identity to access your Immersive Reader resource. This is known as a Role Assignment. The Azure role that was previously used for permissions was the [Cognitive Services User](../../role-based-access-control/built-in-roles.md#cognitive-services-user) role.
-During a security audit, it was discovered that this Cognitive Services User role has permissions to [List Keys](/rest/api/cognitiveservices/accountmanagement/accounts/list-keys). This is slightly concerning because Immersive Reader integrations involve the use of this Azure AD access token in client web apps and browsers, and if the access token were to be stolen by a bad actor or attacker, there is a concern that this access token could be used to `list keys` of your Immersive Reader resource. If an attacker could `list keys` for your resource, then they would obtain the `Subscription Key` for your resource. The `Subscription Key` for your resource is used as an authentication mechanism and is considered a secret. If an attacker had the resource's `Subscription Key`, it would allow them to make valid and authenticated API calls to your Immersive Reader resource endpoint, which could lead to Denial of Service due to the increased usage and throttling on your endpoint. It would also allow unauthorized use of your Immersive Reader resource, which would lead to increased charges on your bill.
+During a security audit, it was discovered that this Cognitive Services User role has permissions to [List Keys](/rest/api/cognitiveservices/accountmanagement/accounts/list-keys). This is slightly concerning because Immersive Reader integrations involve the use of this Microsoft Entra access token in client web apps and browsers, and if the access token were to be stolen by a bad actor or attacker, there is a concern that this access token could be used to `list keys` of your Immersive Reader resource. If an attacker could `list keys` for your resource, then they would obtain the `Subscription Key` for your resource. The `Subscription Key` for your resource is used as an authentication mechanism and is considered a secret. If an attacker had the resource's `Subscription Key`, it would allow them to make valid and authenticated API calls to your Immersive Reader resource endpoint, which could lead to Denial of Service due to the increased usage and throttling on your endpoint. It would also allow unauthorized use of your Immersive Reader resource, which would lead to increased charges on your bill.
-In practice however, this attack or exploit is not likely to occur or may not even be possible. For Immersive Reader scenarios, customers obtain Azure AD access tokens with an audience of `https://cognitiveservices.azure.com`. In order to successfully `list keys` for your resource, the Azure AD access token would need to have an audience of `https://management.azure.com`. Generally speaking, this is not too much of a concern, since the access tokens used for Immersive Reader scenarios would not work to `list keys`, as they do not have the required audience. In order to change the audience on the access token, an attacker would have to hijack the token acquisition code and change the audience before the call is made to Azure AD to acquire the token. Again, this is not likely to be exploited because, as an Immersive Reader authentication best practice, we advise that customers create Azure AD access tokens on the web application backend, not in the client or browser. In those cases, since the token acquisition happens on the backend service, it's not as likely or perhaps even possible that attacker could compromise that process and change the audience.
+In practice however, this attack or exploit is not likely to occur or may not even be possible. For Immersive Reader scenarios, customers obtain Microsoft Entra access tokens with an audience of `https://cognitiveservices.azure.com`. In order to successfully `list keys` for your resource, the Microsoft Entra access token would need to have an audience of `https://management.azure.com`. Generally speaking, this is not too much of a concern, since the access tokens used for Immersive Reader scenarios would not work to `list keys`, as they do not have the required audience. In order to change the audience on the access token, an attacker would have to hijack the token acquisition code and change the audience before the call is made to Microsoft Entra ID to acquire the token. Again, this is not likely to be exploited because, as an Immersive Reader authentication best practice, we advise that customers create Microsoft Entra access tokens on the web application backend, not in the client or browser. In those cases, since the token acquisition happens on the backend service, it's not as likely or perhaps even possible that attacker could compromise that process and change the audience.
-The real concern comes when or if any customer were to acquire tokens from Azure AD directly in client code. We strongly advise against this, but since customers are free to implement as they see fit, it is possible that some customers are doing this.
+The real concern comes when or if any customer were to acquire tokens from Microsoft Entra ID directly in client code. We strongly advise against this, but since customers are free to implement as they see fit, it is possible that some customers are doing this.
-To mitigate the concerns about any possibility of using the Azure AD access token to `list keys`, we have created a new built-in Azure role called `Cognitive Services Immersive Reader User` that does not have the permissions to `list keys`. This new role is not a shared role for the Azure AI services platform like `Cognitive Services User` role is. This new role is specific to Immersive Reader and will only allow calls to Immersive Reader APIs.
+To mitigate the concerns about any possibility of using the Microsoft Entra access token to `list keys`, we have created a new built-in Azure role called `Cognitive Services Immersive Reader User` that does not have the permissions to `list keys`. This new role is not a shared role for the Azure AI services platform like `Cognitive Services User` role is. This new role is specific to Immersive Reader and will only allow calls to Immersive Reader APIs.
We are advising that ALL customers migrate to using the new `Cognitive Services Immersive Reader User` role instead of the original `Cognitive Services User` role. We have provided a script below that you can run on each of your resources to switch over the role assignment permissions.
Any new Immersive Reader resources you create with our script at [How to: Create
If you created and configured an Immersive Reader resource using the instructions at [How to: Create an Immersive Reader resource](./how-to-create-immersive-reader.md) prior to February 2022, it is advised that you perform the operation below to update the role assignment permissions on ALL of your Immersive Reader resources. The operation involves running a script to update the role assignment on a single resource. If you have multiple resources, run this script multiple times, once for each resource.
-After you have updated the role using the script below, it is also advised that you rotate the subscription keys on your resource. This is in case your keys have been compromised by the exploit above, and somebody is actually using your resource with subscription key authentication without your consent. Rotating the keys will render the previous keys invalid and deny any further access. For customers using Azure AD authentication, which should be everyone per current Immersive Reader SDK implementation, rotating the keys will have no impact on the Immersive Reader service, since Azure AD access tokens are used for authentication, not the subscription key. Rotating the subscription keys is just another precaution.
+After you have updated the role using the script below, it is also advised that you rotate the subscription keys on your resource. This is in case your keys have been compromised by the exploit above, and somebody is actually using your resource with subscription key authentication without your consent. Rotating the keys will render the previous keys invalid and deny any further access. For customers using Microsoft Entra authentication, which should be everyone per current Immersive Reader SDK implementation, rotating the keys will have no impact on the Immersive Reader service, since Microsoft Entra access tokens are used for authentication, not the subscription key. Rotating the subscription keys is just another precaution.
You can rotate the subscription keys on the [Azure portal](https://portal.azure.com). Navigate to your resource and then to the `Keys and Endpoint` blade. At the top, there are buttons to `Regenerate Key1` and `Regenerate Key2`.
ai-services Tutorial Ios Picture Immersive Reader https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/immersive-reader/tutorial-ios-picture-immersive-reader.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Prerequisites * [Xcode](https://apps.apple.com/us/app/xcode/id497799835?mt=12)
-* An Immersive Reader resource configured for Azure Active Directory authentication. Follow [these instructions](./how-to-create-immersive-reader.md) to get set up. You will need some of the values created here when configuring the sample project properties. Save the output of your session into a text file for future reference.
+* An Immersive Reader resource configured for Microsoft Entra authentication. Follow [these instructions](./how-to-create-immersive-reader.md) to get set up. You will need some of the values created here when configuring the sample project properties. Save the output of your session into a text file for future reference.
* Usage of this sample requires an Azure subscription to the Azure AI Vision service. [Create an Azure AI Vision resource in the Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision). ## Create an Xcode project
The easiest way to use the Immersive Reader SDK is via CocoaPods. To install via
6. Ensure to open the project by opening the `.xcworkspace` file and not the `.xcodeproj` file.
-## Acquire an Azure AD authentication token
+<a name='acquire-an-azure-ad-authentication-token'></a>
-You need some values from the Azure AD authentication configuration prerequisite step above for this part. Refer back to the text file you saved of that session.
+## Acquire a Microsoft Entra authentication token
+
+You need some values from the Microsoft Entra authentication configuration prerequisite step above for this part. Refer back to the text file you saved of that session.
````text TenantId => Azure subscription TenantId
ai-services Multi Region Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/custom-features/multi-region-deployment.md
The same request body to each of those different URLs serves the exact same resp
## Validations and requirements
-Assigning deployment resources requires Microsoft Azure Active Directory (Azure AD) authentication. Azure AD is used to confirm you have access to the resources you are interested in assigning to your project for multi-region deployment. In the Language Studio, you can automatically [enable Azure AD authentication](https://aka.ms/rbac-language) by assigning yourself the _Cognitive Services Language Owner_ role to your original resource. To programmatically use Azure AD authentication, learn more from the [Azure AI services documentation](../../../authentication.md?source=docs&tabs=powershell&tryIt=true#authenticate-with-azure-active-directory).
+Assigning deployment resources requires Microsoft Entra authentication. Microsoft Entra ID is used to confirm you have access to the resources you are interested in assigning to your project for multi-region deployment. In the Language Studio, you can automatically [enable Microsoft Entra authentication](https://aka.ms/rbac-language) by assigning yourself the _Cognitive Services Language Owner_ role to your original resource. To programmatically use Microsoft Entra authentication, learn more from the [Azure AI services documentation](../../../authentication.md?source=docs&tabs=powershell&tryIt=true#authenticate-with-azure-active-directory).
Your project name and resource are used as its main identifiers. Therefore, a Language resource can only have a specific project name in each resource. Any other projects with the same name will not be deployable to that resource.
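Review bot: the `+` line renames the link text to "Azure AI services documentation" wording for Microsoft Entra but keeps the fragment `#authenticate-with-azure-active-directory` on `../../../authentication.md`; if that heading is renamed in the same sweep without a preserved anchor (the `<a name='…'></a>` pattern used before renamed headings elsewhere in this changeset), the link will silently drop to the top of the page. Suggest confirming the target page keeps the old slug as an anchor, or updating the fragment together with the text.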
ai-services Encryption Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/encryption-data-at-rest.md
By default, your subscription uses Microsoft-managed encryption keys. There is a
There is also an option to manage your subscription with your own keys. Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
-You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../../key-vault/general/overview.md).
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../../key-vault/general/overview.md).
### Customer-managed keys for Language service
To learn how to use customer-managed keys with Azure Key Vault for Azure AI serv
- [Configure customer-managed keys with Key Vault for Azure AI services encryption from the Azure portal](../../encryption/cognitive-services-encryption-keys-portal.md)
-Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../../active-directory/managed-identities-azure-resources/overview.md).
+Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../../active-directory/managed-identities-azure-resources/overview.md).
> [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
### Store customer-managed keys in Azure Key Vault
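Review bot: the `+` line in the second IMPORTANT note renames the bold cross-reference to **Transferring a subscription between Microsoft Entra directories** while the link still targets `#transferring-a-subscription-between-azure-ad-directories` in known-issues.md. Both must point at the same heading, so either the known-issues page keeps an anchor for the old slug or the fragment needs updating in this same change; otherwise the note reads as if it references a heading that no longer exists.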
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/concepts/role-based-access-control.md
Azure AI Language supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your projects authoring resources. See the [Azure RBAC documentation](../../../role-based-access-control/index.yml) for more information.
-## Enable Azure Active Directory authentication
+<a name='enable-azure-active-directory-authentication'></a>
-To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources).
+## Enable Microsoft Entra authentication
+
+To use Azure RBAC, you must enable Microsoft Entra authentication. You can [create a new resource with a custom subdomain](../../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources).
## Add role assignment to Language resource
These custom roles only apply to Language resources.
> [!NOTE] > * All prebuilt capabilities are accessible to all roles > * *Owner* and *Contributor* roles take priority over the custom language roles
-> * AAD is only used in case of custom Language roles
+> * Microsoft Entra ID is only used in case of custom Language roles
> * If you are assigned as a *Contributor* on Azure, your role will be shown as *Owner* in Language studio portal.
ai-services Export Import Refresh https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/export-import-refresh.md
You may want to create a copy of your question answering project or related ques
## Prerequisites * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled. Remember your Azure Active Directory ID, Subscription, language resource name you selected when you created the resource.
+* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled. Remember your Microsoft Entra ID, Subscription, language resource name you selected when you created the resource.
## Export a project
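Review bot: the `+` prerequisite line turns "Remember your Azure Active Directory ID" into "Remember your Microsoft Entra ID", which replaces the identifier the reader is supposed to save (the directory, or tenant, ID) with the product name, so the sentence now tells the reader to remember the service rather than a value. Suggest "Remember your Microsoft Entra tenant ID, Subscription, and language resource name", consistent with the "Microsoft Entra tenant" wording used in the other renamed lines of this changeset.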
ai-services Manage Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/manage-knowledge-base.md
Question answering allows you to manage your projects by providing access to the
## Prerequisites > * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-> * A [Language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Azure Active Directory ID, Subscription, and language resource name you selected when you created the resource.
+> * A [Language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Microsoft Entra ID, Subscription, and language resource name you selected when you created the resource.
## Create a project
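Review bot: same rename collision in the `+` prerequisite line: "Remember your Microsoft Entra ID, Subscription, and language resource name" now names the product where the original "Azure Active Directory ID" meant the directory identifier. Suggest "Microsoft Entra tenant ID" so the reader knows which value to record when creating the resource.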
ai-services Migrate Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/migrate-knowledge-base.md
You may want to create copies of your projects or sources for several reasons:
## Prerequisites * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Azure Active Directory ID, Subscription, and the Language resource name you selected when you created the resource.
+* A [language resource](https://aka.ms/create-language-resource) with the custom question answering feature enabled in the Azure portal. Remember your Microsoft Entra ID, Subscription, and the Language resource name you selected when you created the resource.
## Export a project
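Review bot: the `+` prerequisite line has the same problem as the other question-answering how-tos in this change: "Remember your Microsoft Entra ID" reads as the product name, not the directory identifier the original "Azure Active Directory ID" referred to. Suggest "Remember your Microsoft Entra tenant ID, Subscription, and the Language resource name" to keep the prerequisite actionable.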
There is no way to move chat logs with projects. If diagnostic logs are enabled,
## Next steps <!-- TODO: Replace Link-->-
ai-services Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/troubleshooting.md
Sharing works at the level of the language resource, that is, all projects assoc
</details> <details>
-<summary><b>Can you share a project with a contributor that is not in the same Azure Active Directory tenant, to modify a project?</b></summary>
+<summary><b>Can you share a project with a contributor that is not in the same Microsoft Entra tenant, to modify a project?</b></summary>
**Answer**: Sharing is based on Azure role-based access control (Azure Role-base access control). If you can share _any_ resource in Azure with another user, you can also share question answering.
ai-services Data Feeds From Different Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/data-feeds-from-different-sources.md
Use this article to find the settings and requirements for connecting different
| Authentication types | Description | | |-| |**Basic** | You need to provide basic parameters for accessing data sources. For example, you can use a connection string or a password. Data feed admins can view these credentials. |
-| **Azure managed identity** | [Managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for Azure resources is a feature of Azure Active Directory (Azure AD). It provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication.|
+| **Azure managed identity** | [Managed identities](../../active-directory/managed-identities-azure-resources/overview.md) for Azure resources is a feature of Microsoft Entra ID. It provides Azure services with an automatically managed identity in Microsoft Entra ID. You can use the identity to authenticate to any service that supports Microsoft Entra authentication.|
| **Azure SQL connection string**| Store your Azure SQL connection string as a credential entity in Metrics Advisor, and use it directly each time you import metrics data. Only admins of the credential entity can view these credentials, but authorized viewers can create data feeds without needing to know details for the credentials. | | **Azure Data Lake Storage Gen2 shared key**| Store your data lake account key as a credential entity in Metrics Advisor, and use it directly each time you import metrics data. Only admins of the credential entity can view these credentials, but authorized viewers can create data feeds without needing to know details for the credentials.| | **Service principal**| Store your [service principal](../../active-directory/develop/app-objects-and-service-principals.md) as a credential entity in Metrics Advisor, and use it directly each time you import metrics data. Only admins of the credential entity can view the credentials, but authorized viewers can create data feeds without needing to know details for the credentials.|
The following sections specify the parameters required for all authentication ty
* **Basic**: See [Configure Azure Storage connection strings](../../storage/common/storage-configure-connection-string.md#configure-a-connection-string-for-an-azure-storage-account) for information on retrieving this string. Also, you can visit the Azure portal for your Azure Blob Storage resource, and find the connection string directly in **Settings** > **Access keys**.
- * **Managed identity**: Managed identities for Azure resources can authorize access to blob and queue data. The feature uses Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services.
+ * **Managed identity**: Managed identities for Azure resources can authorize access to blob and queue data. The feature uses Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services.
You can create a managed identity in the Azure portal for your Azure Blob Storage resource. In **Access Control (IAM)**, select **Role assignments**, and then select **Add**. A suggested role type is: **Storage Blob Data Reader**. For more details, refer to [Use managed identity to access Azure Storage](../../active-directory/managed-identities-azure-resources/tutorial-vm-windows-access-storage.md#grant-access-1).
The following sections specify the parameters required for all authentication ty
* **Connection string**: There are four authentication types for Azure Data Explorer (Kusto): basic, service principal, service principal from key vault, and managed identity. The data source in the connection string should be in the URI format (starts with "https"). You can find the URI in the Azure portal.
- * **Basic**: Metrics Advisor supports accessing Azure Data Explorer (Kusto) by using Azure AD application authentication. You need to create and register an Azure AD application, and then authorize it to access an Azure Data Explorer database. For more information, see [Create an Azure AD app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app). Here's an example of connection string:
+ * **Basic**: Metrics Advisor supports accessing Azure Data Explorer (Kusto) by using Microsoft Entra application authentication. You need to create and register a Microsoft Entra application, and then authorize it to access an Azure Data Explorer database. For more information, see [Create a Microsoft Entra app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app). Here's an example of connection string:
``` Data Source=<URI Server>;Initial Catalog=<Database>;AAD Federated Security=True;Application Client ID=<Application Client ID>;Application Key=<Application Key>;Authority ID=<Tenant ID>
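Review bot: the "Basic" example for Azure Data Explorer embeds the application secret (`Application Key=<Application Key>`) directly in the connection string, and the surrounding text does not point the reader at the safer option this same list already offers ("service principal from key vault"). Suggest adding one sentence after the example such as "The application key is a secret; prefer the service principal from key vault type so it is not stored in the data feed configuration." Also note that `AAD Federated Security=True` is a Kusto connection-string keyword and must stay exactly as written even though the prose around it was renamed to Microsoft Entra.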
The following sections specify the parameters required for all authentication ty
* **Service principal**: A service principal is a concrete instance created from the application object. The service principal inherits certain properties from that application object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access. To use a service principal in Metrics Advisor:
- 1. Create the Azure AD application registration. For more information, see [Create an Azure AD app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app).
+ 1. Create the Microsoft Entra application registration. For more information, see [Create a Microsoft Entra app registration in Azure Data Explorer](/azure/data-explorer/provision-azure-ad-app).
1. Manage Azure Data Explorer database permissions. For more information, see [Manage Azure Data Explorer database permissions](/azure/data-explorer/manage-database-permissions).
The following sections specify the parameters required for all authentication ty
Data Source=<URI Server>;Initial Catalog=<Database> ```
- * **Managed identity**: Managed identity for Azure resources can authorize access to blob and queue data. Managed identity uses Azure AD credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. Learn how to [authorize with a managed identity](../../storage/blobs/authorize-managed-identity.md#enable-managed-identities-on-a-vm).
+ * **Managed identity**: Managed identity for Azure resources can authorize access to blob and queue data. Managed identity uses Microsoft Entra credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. Learn how to [authorize with a managed identity](../../storage/blobs/authorize-managed-identity.md#enable-managed-identities-on-a-vm).
You can create a managed identity in the Azure portal for your Azure Data Explorer (Kusto). Select **Permissions** > **Add**. The suggested role type is: **admin / viewer**.
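Review bot: the managed identity paragraph in this Azure Data Explorer (Kusto) section still says it "can authorize access to blob and queue data", which is copied from the Blob Storage section above; the rename touched the wording but not this mismatch. Suggest "can authorize access to your Azure Data Explorer database" here. The suggested role "admin / viewer" should also be narrowed to **viewer** for a data feed that only reads metrics, matching the least-privilege **Storage Blob Data Reader** suggestion used for Blob Storage.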
The following sections specify the parameters required for all authentication ty
The account name is the same as the basic authentication type.
- **Step 1:** Create and register an Azure AD application, and then authorize it to access the database. For more information, see [Create an Azure AD app registration](/azure/data-explorer/provision-azure-ad-app).
+ **Step 1:** Create and register a Microsoft Entra application, and then authorize it to access the database. For more information, see [Create a Microsoft Entra app registration](/azure/data-explorer/provision-azure-ad-app).
**Step 2:** Assign roles.
The following sections specify the parameters required for all authentication ty
4. Select **+ Add**, and select **Add role assignment** from the menu.
- 5. Set the **Select** field to the Azure AD application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**.
+ 5. Set the **Select** field to the Microsoft Entra application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**.
![Screenshot that shows the steps to assign roles.](media/datafeeds/adls-gen-2-app-reg-assign-roles.png)
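Review bot: the role assigned in step 5 is **Storage Blob Data Contributor**, whereas the Blob Storage section above suggests **Storage Blob Data Reader**; a data feed that ingests metrics only needs read access, so consider recommending the Reader role here as well, or explain why write access is required. Since the hunk only renames Azure AD to Microsoft Entra, this can be a follow-up, but the inconsistency is worth tracking.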
Azure Monitor Logs has the following authentication types: basic, service princi
* **Service principal**: A service principal is a concrete instance created from the application object, and it inherits certain properties from that application object. A service principal is created in each tenant where the application is used, and it references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
- **Step 1:** Create and register an Azure AD application, and then authorize it to access a database. For more information, see [Create an Azure AD app registration](/azure/data-explorer/provision-azure-ad-app).
+ **Step 1:** Create and register a Microsoft Entra application, and then authorize it to access a database. For more information, see [Create a Microsoft Entra app registration](/azure/data-explorer/provision-azure-ad-app).
**Step 2:** Assign roles. 1. In the Azure portal, go to the **Storage accounts** service. 2. Select **Access Control (IAM)**. 3. Select **+ Add**, and then select **Add role assignment** from the menu.
- 4. Set the **Select** field to the Azure AD application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**.
+ 4. Set the **Select** field to the Microsoft Entra application name, and set the role to **Storage Blob Data Contributor**. Then select **Save**.
![Screenshot that shows how to assign roles.](media/datafeeds/adls-gen-2-app-reg-assign-roles.png)
Azure Monitor Logs has the following authentication types: basic, service princi
Data Source=<Server>;Initial Catalog=<db-name>;User ID=<user-name>;Password=<password> ```
- * <span id='jump'>**Managed identity**</span>: Managed identity for Azure resources can authorize access to blob and queue data. It does so by using Azure AD credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. To [enable your managed entity](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md), follow these steps:
+ * <span id='jump'>**Managed identity**</span>: Managed identity for Azure resources can authorize access to blob and queue data. It does so by using Microsoft Entra credentials from applications running in Azure virtual machines, function apps, virtual machine scale sets, and other services. By using managed identity for Azure resources and Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. To [enable your managed entity](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md), follow these steps:
1. Enabling a system-assigned managed identity is a one-click experience. In the Azure portal, for your Metrics Advisor workspace, go to **Settings** > **Identity** > **System assigned**. Then set the status as **on**. ![Screenshot that shows how to set the status as on.](media/datafeeds/set-identity-status.png)
- 1. Enable Azure AD authentication. In the Azure portal, for your data source, go to **Settings** > **Active Directory admin**. Select **Set admin**, and select an **Azure AD user account** to be made an administrator of the server. Then, choose **Select**.
+ 1. Enable Microsoft Entra authentication. In the Azure portal, for your data source, go to **Settings** > **Active Directory admin**. Select **Set admin**, and select an **Microsoft Entra user account** to be made an administrator of the server. Then, choose **Select**.
![Screenshot that shows how to set the admin.](media/datafeeds/set-admin.png) 1. Enable managed identity in Metrics Advisor. You can edit a query in the database management tool or in the Azure portal.
- **Management tool**: In your database management tool, select **Active Directory - Universal with MFA support** in the authentication field. In the **User name** field, enter the name of the Azure AD account that you set as the server administrator in step 2. For example, this might be `test@contoso.com`.
+ **Management tool**: In your database management tool, select **Active Directory - Universal with MFA support** in the authentication field. In the **User name** field, enter the name of the Microsoft Entra account that you set as the server administrator in step 2. For example, this might be `test@contoso.com`.
![Screenshot that shows how to set connection details.](media/datafeeds/connection-details.png)
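Review bot: the new line "select an **Microsoft Entra user account**" has an article error introduced by the rename; it should read "a **Microsoft Entra user account**". Two pre-existing issues sit in the same lines and could be fixed while here: the link text "enable your managed entity" should be "enable your managed identity", and the opening sentence again says "authorize access to blob and queue data" although this is the SQL Server data source section. The portal path **Settings** > **Active Directory admin** and the SSMS option **Active Directory - Universal with MFA support** are UI labels and are correctly left unrenamed; please confirm the portal label has not changed before publishing.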
Azure Monitor Logs has the following authentication types: basic, service princi
* **Service principal**: A service principal is a concrete instance created from the application object, and it inherits certain properties from that application object. A service principal is created in each tenant where the application is used, and it references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
- **Step 1:** Create and register an Azure AD application, and then authorize it to access a database. For more information, see [Create an Azure AD app registration](/azure/data-explorer/provision-azure-ad-app).
+ **Step 1:** Create and register a Microsoft Entra application, and then authorize it to access a database. For more information, see [Create a Microsoft Entra app registration](/azure/data-explorer/provision-azure-ad-app).
**Step 2:** Follow the steps documented previously, in [managed identity in SQL Server](#jump).
ai-services Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/encryption.md
Metrics Advisor supports CMK and double encryption by using BYOS (bring your own
- Get Application ID of Managed Identity
- Go to Azure Active Directory, and select 'Enterprise applications'. Change 'Application type' to **'Managed Identity'**, copy resource name of Metrics Advisor, and search. Then you're able to view the 'Application ID' from the query result, copy it.
+ Go to Microsoft Entra ID, and select 'Enterprise applications'. Change 'Application type' to **'Managed Identity'**, copy resource name of Metrics Advisor, and search. Then you're able to view the 'Application ID' from the query result, copy it.
### Step3. Grant Metrics Advisor access permission to your Azure Database for PostgreSQL
ai-services Alerts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/alerts.md
A web hook is another notification channel by using an endpoint that is provided
**Step1.** Enable Managed Identity in your Metrics Advisor resource
-A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD, so you donΓÇÖt have to store any credentials in code.
+A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource. You can grant permissions to the managed identity by using Azure role-based access control (Azure RBAC). The managed identity is authenticated with Microsoft Entra ID, so you donΓÇÖt have to store any credentials in code.
Go to Metrics Advisor resource in Azure portal, and select "Identity", turn it to "on" then Managed Identity is enabled.
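Review bot: the curly apostrophe in "don’t" renders as "ΓÇÖ" in this change report on both the old and new line, which suggests a non-ASCII character in the source; replacing it with a plain ASCII apostrophe ("don't") avoids the encoding dependency. Otherwise the rename to "authenticated with Microsoft Entra ID" is correct.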
ai-services Credential Entity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/metrics-advisor/how-tos/credential-entity.md
Until now, the *client ID* and *client secret* of service principal are finally
**Step 5: Create a service principal to store the key vault.**
-1. Go to [Azure portal AAD (Azure Active Directory)](https://portal.azure.com/?trace=diagnostics&feature.customportal=false#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) and create a new registration.
+1. Go to [Azure portal Microsoft Entra ID](https://portal.azure.com/?trace=diagnostics&feature.customportal=false#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) and create a new registration.
![create a new registration](../media/credential-entity/create-registration.png)
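Review bot: the portal link carries the diagnostic query parameters `?trace=diagnostics&feature.customportal=false`, which force a non-default portal experience and are not appropriate in a customer-facing document; strip them and keep only the blade path. The link text rename to "Azure portal Microsoft Entra ID" is fine.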
ai-services Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/models.md
These models can only be used with Embedding API requests.
| Model ID | Base model Regions | Fine-Tuning Regions | Max Request (tokens) | Training Data (up to) | Output dimensions | | | | | | |
-| text-embedding-ada-002 (version 2) | Canada East, East US, East US2, France Central, Japan East, North Central US, South Central US, Switzerland North, UK South, West Europe | N/A |8,191 | Sep 2021 | 1536 |
+| text-embedding-ada-002 (version 2) | Australia East, Canada East, East US, East US2, France Central, Japan East, North Central US, South Central US, Switzerland North, UK South, West Europe | N/A |8,191 | Sep 2021 | 1536 |
| text-embedding-ada-002 (version 1) | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 | 1536 | ### DALL-E models (Preview)
ai-services Use Your Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/use-your-data.md
To add a new data source to your Azure OpenAI resource, you need the following A
## Document-level access control
-Azure OpenAI on your data lets you restrict the documents that can be used in responses for different users with Azure Cognitive Search [security filters](/azure/search/search-security-trimming-for-azure-search-with-aad). When you enable document level access, the search results returned from Azure Cognitive Search and used to generate a response will be trimmed based on user Azure Active Directory (AD) group membership. You can only enable document-level access on existing Azure Cognitive search indexes. To enable document-level access:
+Azure OpenAI on your data lets you restrict the documents that can be used in responses for different users with Azure Cognitive Search [security filters](/azure/search/search-security-trimming-for-azure-search-with-aad). When you enable document level access, the search results returned from Azure Cognitive Search and used to generate a response will be trimmed based on user Microsoft Entra group membership. You can only enable document-level access on existing Azure Cognitive search indexes. To enable document-level access:
1. Follow the steps in the [Azure Cognitive Search documentation](/azure/search/search-security-trimming-for-azure-search-with-aad) to register your application and create users and groups. 1. [Index your documents with their permitted groups](/azure/search/search-security-trimming-for-azure-search-with-aad#index-document-with-their-permitted-groups). Be sure that your new [security fields](/azure/search/search-security-trimming-for-azure-search#create-security-field) have the schema below:
Azure OpenAI on your data lets you restrict the documents that can be used in re
**Azure OpenAI Studio**
-Once the Azure Cognitive Search index is connected, your responses in the studio will have document access based on the Azure AD permissions of the logged in user.
+Once the Azure Cognitive Search index is connected, your responses in the studio will have document access based on the Microsoft Entra permissions of the logged in user.
**Web app**
-If you are using a published [web app](#using-the-web-app), you need to redeploy it to upgrade to the latest version. The latest version of the web app includes the ability to retrieve the groups of the logged in user's Azure AD account, cache it, and include the group IDs in each API request.
+If you are using a published [web app](#using-the-web-app), you need to redeploy it to upgrade to the latest version. The latest version of the web app includes the ability to retrieve the groups of the logged in user's Microsoft Entra account, cache it, and include the group IDs in each API request.
**API**
When customizing the app, we recommend:
1. Select Microsoft as the identity provider. The default settings on this page will restrict the app to your tenant only, so you don't need to change anything else here. Then select **Add**
- Now users will be asked to sign in with their Azure Active Directory account to be able to access your app. You can follow a similar process to add another identity provider if you prefer. The app doesn't use the user's login information in any other way other than verifying they are a member of your tenant.
+ Now users will be asked to sign in with their Microsoft Entra account to be able to access your app. You can follow a similar process to add another identity provider if you prefer. The app doesn't use the user's login information in any other way other than verifying they are a member of your tenant.
### Chat history
When you chat with a model, providing a history of the chat will help the model
* [Get started using your data with Azure OpenAI](../use-your-data-quickstart.md) * [Introduction to prompt engineering](./prompt-engineering.md)--
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/encrypt-data-at-rest.md
By default, your subscription uses Microsoft-managed encryption keys. There's al
Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
-You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
To request the ability to use customer-managed keys, fill out and submit the [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request.
When you disable customer-managed keys, your Azure AI services resource is then
1. Go to your Azure AI services resource, and then select **Encryption**. 1. Select **Microsoft Managed Keys** > **Save**.
-When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md).
+When you previously enabled customer managed keys this also enabled a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md).
> [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
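Review bot: the bold heading reference was renamed to **Transferring a subscription between Microsoft Entra directories** but the link target anchor is still `#transferring-a-subscription-between-azure-ad-directories`; if the target page renamed its heading without keeping an `<a name>` alias (the pattern this same change set uses elsewhere), the deep link will break. Please verify the anchor resolves after both pages are published.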
## Next steps
ai-services Business Continuity Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/business-continuity-disaster-recovery.md
Follow these steps to configure your client to monitor errors:
4. For the primary region and any backup regions your code will need to know: - Base URI for the resource
- - Regional access key or Azure Active Directory access
+ - Regional access key or Microsoft Entra ID access
5. Configure your code so that you monitor connectivity errors (typically connection timeouts and service unavailability errors). - Given that networks yield transient errors, for single connectivity issue occurrences, the suggestion is to retry. - For persistent connectivity issues, redirect traffic to the backup resource in the region(s) you've created.
-If you have fine-tuned a model in your primary region, you will need to retrain the base model in the secondary region(s) using the same training data. And then follow the above steps.
+If you have fine-tuned a model in your primary region, you will need to retrain the base model in the secondary region(s) using the same training data. And then follow the above steps.
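Review bot: the last removed/added pair is textually identical, so this is a whitespace-only change (probably trailing whitespace or line ending); confirm it is intended rather than editor noise. The bullet rename to "Regional access key or Microsoft Entra ID access" is correct.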
ai-services Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/managed-identity.md
Title: How to configure Azure OpenAI Service with managed identities
-description: Provides guidance on how to set managed identity with Azure Active Directory
+description: Provides guidance on how to set managed identity with Microsoft Entra ID
Last updated 06/24/2022
# How to configure Azure OpenAI Service with managed identities
-More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your OpenAI resource using Azure Active Directory (Azure AD).
+More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your OpenAI resource using Microsoft Entra ID.
In the following sections, you'll use the Azure CLI to assign roles, and obtain a bearer token to call the OpenAI resource. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI.
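Review bot: the article metadata still shows "Last updated 06/24/2022" although the description and introduction are changed in this commit; bump the date so readers can see the article reflects the Microsoft Entra naming. The description and body renames themselves are correct.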
In the following sections, you'll use the Azure CLI to assign roles, and obtain
- Access granted to the Azure OpenAI Service in the desired Azure subscription - Currently, access to this service is granted only by application. You can apply for access to Azure OpenAI by completing the [Request Access to Azure OpenAI Service form](https://aka.ms/oai/access). Open an issue on this repo to contact us if you have an issue. -- [Custom subdomain names are required to enable features like Azure Active Directory (Azure AD) for authentication.](
+- [Custom subdomain names are required to enable features like Microsoft Entra ID for authentication.](
../../cognitive-services-custom-subdomains.md) - Azure CLI - [Installation Guide](/cli/azure/install-azure-cli)
Assigning yourself to the "Cognitive Services User" role will allow you to use y
> [!NOTE] > Role assignment change will take ~5 mins to become effective.
-3. Acquire an Azure AD access token. Access tokens expire in one hour. you'll then need to acquire another one.
+3. Acquire a Microsoft Entra access token. Access tokens expire in one hour. you'll then need to acquire another one.
```azurecli export accessToken=$(az account get-access-token --resource https://cognitiveservices.azure.com --query "accessToken" -o tsv)
curl ${endpoint%/}/openai/deployments/YOUR_DEPLOYMENT_NAME/completions?api-versi
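Review bot: the renamed step reads "Access tokens expire in one hour. you'll then need to acquire another one." with a lowercase sentence start carried over from the old text; capitalize "You'll", or merge the two sentences ("Access tokens expire in one hour, after which you'll need to acquire another one."). The `az account get-access-token --resource https://cognitiveservices.azure.com` command is unchanged and correct.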
## Authorize access to managed identities
-OpenAI supports Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
+OpenAI supports Microsoft Entra authentication with [managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud.
## Enable managed identities on a VM
Before you can use managed identities for Azure resources to authorize access to
- [Azure Resource Manager client libraries](../../../active-directory/managed-identities-azure-resources/qs-configure-sdk-windows-vm.md) For more information about managed identities, see [Managed identities for Azure resources](../../../active-directory/managed-identities-azure-resources/overview.md).-
ai-services Switching Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/switching-endpoints.md
openai.api_version = "2023-05-15" # subject to change
</tr> </table>
-### Azure Active Directory authentication
+<a name='azure-active-directory-authentication'></a>
+
+### Microsoft Entra authentication
<table> <tr>
ai-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/overview.md
Azure OpenAI Service provides REST API access to OpenAI's powerful language mode
| Fine-tuning | Ada <br> Babbage <br> Curie <br> Cushman <br> Davinci <br>**Fine-tuning is currently unavailable to new customers**.| | Price | [Available here](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) | | Virtual network support & private link support | Yes, unless using [Azure OpenAI on your data](./concepts/use-your-data.md). |
-| Managed Identity| Yes, via Azure Active Directory |
+| Managed Identity| Yes, via Microsoft Entra ID |
| UI experience | **Azure portal** for account & resource management, <br> **Azure OpenAI Service Studio** for model exploration and fine tuning | | Model regional availability | [Model availability](./concepts/models.md) | | Content filtering | Prompts and completions are evaluated against our content policy with automated systems. High severity content will be filtered. |
ai-services Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/reference.md
This article provides details on the inference REST API endpoints for Azure Open
## Authentication
-Azure OpenAI provides two methods for authentication. you can use either API Keys or Azure Active Directory.
+Azure OpenAI provides two methods for authentication. you can use either API Keys or Microsoft Entra ID.
- **API Key authentication**: For this type of authentication, all API requests must include the API Key in the ```api-key``` HTTP header. The [Quickstart](./quickstart.md) provides guidance for how to make calls with this type of authentication. -- **Azure Active Directory authentication**: You can authenticate an API call using an Azure Active Directory token. Authentication tokens are included in a request as the ```Authorization``` header. The token provided must be preceded by ```Bearer```, for example ```Bearer YOUR_AUTH_TOKEN```. You can read our how-to guide on [authenticating with Azure Active Directory](./how-to/managed-identity.md).
+- **Microsoft Entra authentication**: You can authenticate an API call using a Microsoft Entra token. Authentication tokens are included in a request as the ```Authorization``` header. The token provided must be preceded by ```Bearer```, for example ```Bearer YOUR_AUTH_TOKEN```. You can read our how-to guide on [authenticating with Microsoft Entra ID](./how-to/managed-identity.md).
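Review bot: the renamed line keeps two pre-existing style issues worth fixing in the same touch: the sentence "Azure OpenAI provides two methods for authentication. you can use either API Keys or Microsoft Entra ID." starts with a lowercase "you", and inline code is wrapped in triple backticks (```Authorization```, ```Bearer```, ```api-key```) where single backticks are the convention for inline code in these articles.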
### REST API versioning
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/Concepts/role-based-access-control.md
Collaborate with other authors and editors using Azure role-based access control
All permissions are controlled by the permissions placed on the QnA Maker resource. These permissions align to read, write, publish, and full access. You can allow collaboration among multiple users by [updating RBAC access](../how-to/manage-qna-maker-app.md) for QnA Maker resource. This Azure RBAC feature includes:
-* Azure Active Directory (AAD) is 100% backward compatible with key-based authentication for owners and contributors. Customers can use either key-based authentication or Azure RBAC-based authentication in their requests.
+* Microsoft Entra ID is 100% backward compatible with key-based authentication for owners and contributors. Customers can use either key-based authentication or Azure RBAC-based authentication in their requests.
* Quickly add authors and editors to all knowledge bases in the resource because control is at the resource level, not at the knowledge base level. > [!NOTE]
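Review bot: the mechanical rename produced "Microsoft Entra ID is 100% backward compatible with key-based authentication", which now describes the identity service rather than the authentication mode; the original meant the Azure AD authentication path. Suggest "Microsoft Entra authentication is 100% backward compatible with key-based authentication for owners and contributors."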
ai-services Add Sharepoint Datasources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/add-sharepoint-datasources.md
The request begins with a pop-up to authenticate to an Active Directory account.
![Authenticate User Account](../media/add-sharepoint-datasources/authenticate-user-account.png)
-Once the QnA Maker manager selects the account, the Azure Active Directory administrator will receive a notice that they need to allow the QnA Maker app (not the QnA Maker manager) access to the SharePoint resource. The Azure Active Directory manager will need to do this for every SharePoint resource, but not every document in that resource.
+Once the QnA Maker manager selects the account, the Microsoft Entra administrator will receive a notice that they need to allow the QnA Maker app (not the QnA Maker manager) access to the SharePoint resource. The Microsoft Entra manager will need to do this for every SharePoint resource, but not every document in that resource.
### Active directory The Active Directory manager (not the QnA Maker manager) needs to grant access to QnA Maker to access the SharePoint resource by selecting [this link](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=Files.Read%20Files.Read.All%20Sites.Read.All%20User.Read%20User.ReadBasic.All%20profile%20openid%20email&client_id=c2c11949-e9bb-4035-bda8-59542eb907a6&redirect_uri=https%3A%2F%2Fwww.qnamaker.ai%3A%2FCreate&state=68) to authorize the QnA Maker Portal SharePoint enterprise app to have file read permissions.
-![Azure Active Directory manager grants permission interactively](../media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png)
+![Microsoft Entra manager grants permission interactively](../media/add-sharepoint-datasources/aad-manager-grants-permission-interactively.png)
<!-- The Active Directory manager must grant QnA Maker access either by application name, `QnAMakerPortalSharePoint`, or by application ID, `c2c11949-e9bb-4035-bda8-59542eb907a6`.
The Active Directory manager will get a pop-up window requesting permissions to
![Grant required permissions](../media/add-sharepoint-datasources/grant-required-permissions.png) -->
-### Grant access from the Azure Active Directory admin center
+<a name='grant-access-from-the-azure-active-directory-admin-center'></a>
+
+### Grant access from the Microsoft Entra admin center
1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Browse to **Azure Active Directory** > **Enterprise applications**.
+1. Browse to **Microsoft Entra ID** > **Enterprise applications**.
1. Search for `QnAMakerPortalSharePoint` the select the QnA Maker app.
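Review bot: the rename is incomplete in this hunk. The edited paragraph now says "Microsoft Entra administrator" and then "Microsoft Entra manager" for the same person, while the unchanged `### Active directory` heading, its sentence ("The Active Directory manager (not the QnA Maker manager)") and the commented-out block still say "Active Directory manager"; pick one term, "Microsoft Entra administrator", and use it throughout, including the heading. The consent link text says the admin grants "file read permissions", but the URL requests the delegated scopes Files.Read, Files.Read.All, Sites.Read.All, User.Read, User.ReadBasic.All, profile, openid and email; listing those scopes in the text would let the admin see what they are consenting to before clicking. Minor: "Search for `QnAMakerPortalSharePoint` the select the QnA Maker app" should read "then select".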
ai-services Manage Knowledge Bases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/manage-knowledge-bases.md
QnA Maker allows you to manage your knowledge bases by providing access to the k
## Prerequisites > * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource.
+> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource.
## Create a knowledge base
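Review bot: "Remember your Microsoft Entra ID" is ambiguous after the rename. Microsoft Entra ID is the name of the service, whereas the original "Azure Active Directory ID" meant the directory (tenant) identifier the QnA Maker portal asks for in Step 2. Suggest "Remember your Microsoft Entra tenant ID, subscription, and QnA resource name" so the reader knows which value to copy.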
QnA Maker allows you to manage your knowledge bases by providing access to the k
1. On the **Create** page, skip **Step 1** if you already have your QnA Maker resource.
- If you haven't created the resource yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource.
+ If you haven't created the resource yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource.
When you are done creating the resource in the Azure portal, return to the QnA Maker portal, refresh the browser page, and continue to **Step 2**.
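Review bot: same ambiguity in this hunk: "Remember your Microsoft Entra ID, Subscription, QnA resource name" lists values to copy, and "Microsoft Entra ID" is the service name, not the identifier. Suggest "Microsoft Entra tenant ID".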
ai-services Test Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/test-knowledge-base.md
Use the batch testing tool when you want to:
1. Select **Create a knowledge base** from the tool bar. 1. Skip **Step 1** because you should already have a QnA Maker resource, moving on to **Step 2** to select your existing resource information:
- * Azure Active Directory ID
+ * Microsoft Entra ID
* Azure Subscription Name * Azure QnA Service Name * Language - the English language
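Review bot: the bullet "Microsoft Entra ID" sits in a list of values the user selects ("Azure Subscription Name", "Azure QnA Service Name"), so it should name the value, not the service: "Microsoft Entra tenant ID".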
ai-services Create Publish Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/Quickstarts/create-publish-knowledge-base.md
You can create a QnA Maker knowledge base (KB) from your own content, such as FA
> [!div class="checklist"] > * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA Maker resource name you selected when you created the resource.
+> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, QnA Maker resource name you selected when you created the resource.
## Create your first QnA Maker knowledge base
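Review bot: "Remember your Microsoft Entra ID" in the prerequisite refers to the tenant identifier, not the service; suggest "Microsoft Entra tenant ID" so it is clear which value to note down.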
You can create a QnA Maker knowledge base (KB) from your own content, such as FA
3. On the **Create** page, skip **Step 1** if you already have your QnA Maker resource.
-If you haven't created the service yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource.
+If you haven't created the service yet, select **Stable** and **Create a QnA service**. You are directed to the [Azure portal](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) to set up a QnA Maker service in your subscription. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource.
When you are done creating the resource in the Azure portal, return to the QnA Maker portal, refresh the browser page, and continue to **Step 2**.
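Review bot: "Remember your Microsoft Entra ID, Subscription, QnA resource name" again uses the service name where the tenant identifier is meant; suggest "Microsoft Entra tenant ID".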
ai-services Export Knowledge Base https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/Tutorials/export-knowledge-base.md
You may want to create a copy of your knowledge base for several reasons:
## Prerequisites > * If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, QnA resource name you selected when you created the resource.
+> * A [QnA Maker resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, QnA resource name you selected when you created the resource.
> * Set up a new [QnA Maker service](../how-to/set-up-qnamaker-service-azure.md) ## Export a knowledge base
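Review bot: in the prerequisite, "Remember your Microsoft Entra ID" should read "Microsoft Entra tenant ID", since the reader is being told which identifier to keep, not which service they use.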
ai-services Reference Private Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/reference-private-endpoint.md
Private endpoints are provided by [Azure Private Link](../../private-link/privat
## Prerequisites > [!div class="checklist"] > * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/cognitive-services/) before you begin.
-> * A [Text Analytics resource](https://portal.azure.com/?quickstart=true#create/Microsoft.CognitiveServicesTextAnalytics) (with Custom question answering feature) created in the Azure portal. Remember your Azure Active Directory ID, Subscription, Text Analytics resource name you selected when you created the resource.
+> * A [Text Analytics resource](https://portal.azure.com/?quickstart=true#create/Microsoft.CognitiveServicesTextAnalytics) (with Custom question answering feature) created in the Azure portal. Remember your Microsoft Entra ID, Subscription, Text Analytics resource name you selected when you created the resource.
## Steps to enable private endpoint 1. Assign *Contributer* role to Text Analytics service in the Azure Search Service instance. This operation requires *Owner* access to the subscription. Go to Identity tab in the service resource to get the identity.
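Review bot: "Remember your Microsoft Entra ID, Subscription, Text Analytics resource name" should say "Microsoft Entra tenant ID" for the same reason as in the other QnA Maker prerequisites: the value to remember is the tenant identifier. In the unchanged step below, "*Contributer*" is a typo for "Contributor"; since that step also says the assignment "requires *Owner* access to the subscription", it would help to say explicitly that Owner is needed only to perform the role assignment and is not being granted to the service identity.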
ai-services Security Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/security-features.md
For a comprehensive list of Azure service security recommendations see the [Azur
|Feature | Description | |:|:| | [Transport Layer Security (TLS)](/dotnet/framework/network-programming/tls) | All of the Azure AI services endpoints exposed over HTTP enforce the TLS 1.2 protocol. With an enforced security protocol, consumers attempting to call an Azure AI services endpoint should follow these guidelines: </br>- The client operating system (OS) needs to support TLS 1.2.</br>- The language (and platform) used to make the HTTP call need to specify TLS 1.2 as part of the request. Depending on the language and platform, specifying TLS is done either implicitly or explicitly.</br>- For .NET users, consider the [Transport Layer Security best practices](/dotnet/framework/network-programming/tls). |
-| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.</br></br>By default, you authenticate your own calls to Azure AI services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use managed roles in Azure Active Directory. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md). |
+| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.</br></br>By default, you authenticate your own calls to Azure AI services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use managed roles in Microsoft Entra ID. To learn about this and other authentication options, see [Authenticate requests to Azure AI services](./authentication.md). |
| [Key rotation](./authentication.md)| Each Azure AI services resource has two API keys to enable secret rotation. This is a security precaution that lets you regularly change the keys that can access your service, protecting the privacy of your service in the event that a key gets leaked. To learn about this and other authentication options, see [Rotate keys](./rotate-keys.md). | | [Environment variables](cognitive-services-environment-variables.md) | Environment variables are name-value pairs that are stored within a specific development environment. You can store your credentials in this way as a more secure alternative to using hardcoded values in your code. However, if your environment is compromised, the environment variables are compromised as well, so this is not the most secure approach.</br></br> For instructions on how to use environment variables in your code, see the [Environment variables guide](cognitive-services-environment-variables.md). | | [Customer-managed keys (CMK)](./encryption/cognitive-services-encryption-keys-portal.md) | This feature is for services that store customer data at rest (longer than 48 hours). While this data is already double-encrypted on Azure servers, users can get extra security by adding another layer of encryption, with keys they manage themselves. You can link your service to Azure Key Vault and manage your data encryption keys there. </br></br>You need special approval to get the E0 SKU for your service, which enables CMK. Within 3-5 business days after you submit the [request form](https://aka.ms/cogsvc-cmk), you'll get an update on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once you're approved for using the E0 SKU, you'll need to create a new resource from the Azure portal and select E0 as the Pricing Tier. You won't be able to upgrade from F0 to the new E0 SKU. 
</br></br>Only some services can use CMK; look for your service on the [Customer-managed keys](./encryption/cognitive-services-encryption-keys-portal.md) page.|
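Review bot: "The most secure authentication method is to use managed roles in Microsoft Entra ID" mixes two concepts that the same cell separates two sentences earlier: authentication (proving identity, here with a Microsoft Entra token, typically obtained by a managed identity) and authorization (roles, granted through Azure RBAC). "Managed roles" is not an Entra term. Suggest: "The most secure method is Microsoft Entra authentication, for example with a managed identity, with access to the resource granted through Azure RBAC roles."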
ai-services Bring Your Own Storage Speech Resource Speech To Text https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/bring-your-own-storage-speech-resource-speech-to-text.md
Such a request returns direct Storage Account URLs to data files (without SAS or
} ```
-URL of this format ensures that only Azure Active Directory identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
+URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
> [!WARNING] > If `sasValidityInSeconds` parameter is omitted in [Get Transcription Files](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_ListFiles) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens).
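Review bot: grammar in the edited sentence: "URL of this format ensures" needs an article ("A URL of this format ensures"), and "like *Storage Blob Data Reader* role" reads better as "such as the *Storage Blob Data Reader* role". On the warning that follows: a user delegation SAS valid for 30 days is a long-lived bearer credential (anyone holding the URL can read the file until it expires, even with shared-key access disabled, as the warning notes), so the paragraph should also tell the reader what value of `sasValidityInSeconds` produces the no-SAS URLs shown above, rather than only describing the default.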
Such a request returns direct Storage Account URLs to data files (without SAS or
} ```
-URL of this format ensures that only Azure Active Directory identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
+URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
> [!WARNING] > If `sasValidityInSeconds` parameter is omitted in [Get Base Model Logs](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Endpoints_ListBaseModelLogs) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens).
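Review bot: same sentence as in the transcription section: "URL of this format ensures" should be "A URL of this format ensures", and "like *Storage Blob Data Reader* role" should be "such as the *Storage Blob Data Reader* role".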
Such a request returns direct Storage Account URLs to data files (without SAS or
} ```
-URL of this format ensures that only Azure Active Directory identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
+URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
> [!WARNING] > If `sasValidityInSeconds` parameter is omitted in [Get Dataset Files](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Datasets_ListFiles) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens).
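Review bot: "URL of this format ensures" is missing its article ("A URL of this format ensures"); "like *Storage Blob Data Reader* role" should read "such as the *Storage Blob Data Reader* role". The three copies of this paragraph in the article could be an include so future renames touch one place.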
URL of this format ensures that only Azure Active Directory identities (users, s
- [Set up the Bring your own storage (BYOS) Speech resource](bring-your-own-storage-speech-resource.md) - [Batch transcription overview](batch-transcription.md) - [How to log audio and transcriptions for speech recognition](logging-audio-transcription.md)-- [Custom Speech overview](custom-speech-overview.md)
+- [Custom Speech overview](custom-speech-overview.md)
ai-services Bring Your Own Storage Speech Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/bring-your-own-storage-speech-resource.md
General rule is that you need to pass this JSON string as a value of `--storage`
To create a BYOS-enabled Speech resource with a REST Request to Cognitive Services API, we use [Accounts - Create](/rest/api/cognitiveservices/accountmanagement/accounts/create) request.
-You need to have a means of authentication. The example in this section uses [Microsoft Azure Active Directory token](/azure/active-directory/develop/access-tokens).
+You need to have a means of authentication. The example in this section uses [Microsoft Entra token](/azure/active-directory/develop/access-tokens).
-This code snippet generates Azure AD token using interactive browser sign-in. It requires [Azure Identity client library](/dotnet/api/overview/azure/identity-readme):
+This code snippet generates Microsoft Entra token using interactive browser sign-in. It requires [Azure Identity client library](/dotnet/api/overview/azure/identity-readme):
```csharp TokenRequestContext context = new Azure.Core.TokenRequestContext(new string[] { "https://management.azure.com/.default" }); InteractiveBrowserCredential browserCredential = new InteractiveBrowserCredential();
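Review bot: articles are missing in both edited sentences: "uses a [Microsoft Entra token]" and "generates a Microsoft Entra token". It would also help to say why the scope in the snippet is `https://management.azure.com/.default`: this token is for the Azure Resource Manager (Accounts - Create) call, which is a management-plane operation, whereas the Speech SDK article in this same batch requests `https://cognitiveservices.azure.com/.default` for data-plane calls; a reader who copies the wrong scope gets an authorization failure that is hard to diagnose.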
You need to allow access for the machine, where you run the browser using Speech
## Next steps -- [Use the Bring your own storage (BYOS) Speech resource for Speech to text](bring-your-own-storage-speech-resource-speech-to-text.md)
+- [Use the Bring your own storage (BYOS) Speech resource for Speech to text](bring-your-own-storage-speech-resource-speech-to-text.md)
ai-services Custom Commands Encryption Of Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-commands-encryption-of-data-at-rest.md
To request the ability to use customer-managed keys, fill out and submit Custome
## Customer-managed keys with Azure Key Vault
-You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Speech resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
+You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Speech resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
When a new Speech resource is created and used to provision Custom Commands application - data is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Azure AI services resource. The managed identity is available only after the resource is created using the Pricing Tier required for CMK.
-Enabling customer managed keys will also enable a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup.
+Enabling customer managed keys will also enable a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md), a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup.
> [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
## Configure Azure Key Vault
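Review bot: the link text was renamed to "Transferring a subscription between Microsoft Entra directories" but the fragment is still `#transferring-a-subscription-between-azure-ad-directories`. If the heading in the known-issues article was renamed in the same sweep, this fragment only keeps working if an `<a name='...'>` anchor was left behind there, as this PR does for its own renamed headings; please verify the target. Unrelated nit in the surrounding context: "Any features depended on this data will stop working" should read "Any features that depend on this data".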
ai-services How To Audio Content Creation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-audio-content-creation.md
To add users to a Speech resource so that they can use Audio Content Creation, d
1. Select **Access control (IAM)** on the left navigation pane. 1. Select **Add** -> **Add role assignment**. 1. On the **Role** tab on the next screen, select a role you want to add (in this case, **Owner**).
-1. On the **Members** tab, enter a user's email address and select the user's name in the directory. The email address must be linked to a Microsoft account that's trusted by Azure Active Directory. Users can easily sign up for a [Microsoft account](https://account.microsoft.com/account) by using their personal email address.
+1. On the **Members** tab, enter a user's email address and select the user's name in the directory. The email address must be linked to a Microsoft account that's trusted by Microsoft Entra ID. Users can easily sign up for a [Microsoft account](https://account.microsoft.com/account) by using their personal email address.
1. On the **Review + assign** tab, select **Review + assign** to assign the role. Here is what happens next:
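Review bot: missing documentation rather than a rename issue: the steps tell the reader to pick **Owner** ("select a role you want to add (in this case, **Owner**)") without saying whether a lesser role is enough for a user who only needs to use Audio Content Creation. Owner also lets the assignee grant roles to others, which is the separate case the next section covers. Suggest stating the least-privileged role that suffices for ordinary use and reserving Owner for the delegation scenario.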
If you want to allow a user to grant access to other users, you need to assign t
:::image type="content" source="media/audio-content-creation/add-role.png" alt-text="Screenshot showing the 'Owner' role on the 'Add role assignment' pane. ":::
-1. In the [Azure portal](https://portal.azure.com/), select the collapsed menu at the upper left, select **Azure Active Directory**, and then select **Users**.
+1. In the [Azure portal](https://portal.azure.com/), select the collapsed menu at the upper left, select **Microsoft Entra ID**, and then select **Users**.
1. Search for the user's Microsoft account, go to their detail page, and then select **Assigned roles**. 1. Select **Add assignments** > **Directory Readers**. If the **Add assignments** button is unavailable, it means that you don't have access. Only the global administrator of this directory can add assignments to users.
ai-services How To Configure Azure Ad Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-azure-ad-auth.md
Title: How to configure Azure Active Directory Authentication
+ Title: How to configure Microsoft Entra authentication
-description: Learn how to authenticate using Azure Active Directory Authentication
+description: Learn how to authenticate using Microsoft Entra authentication
zone_pivot_groups: programming-languages-set-two
ms.devlang: cpp, csharp, java, python
-# Azure Active Directory Authentication with the Speech SDK
+# Microsoft Entra authentication with the Speech SDK
-When using the Speech SDK to access the Speech service, there are three authentication methods available: service keys, a key-based token, and Azure Active Directory (Azure AD). This article describes how to configure a Speech resource and create a Speech SDK configuration object to use Azure AD for authentication.
+When using the Speech SDK to access the Speech service, there are three authentication methods available: service keys, a key-based token, and Microsoft Entra ID. This article describes how to configure a Speech resource and create a Speech SDK configuration object to use Microsoft Entra ID for authentication.
-This article shows how to use Azure AD authentication with the Speech SDK. You'll learn how to:
+This article shows how to use Microsoft Entra authentication with the Speech SDK. You'll learn how to:
> [!div class="checklist"] > > - Create a Speech resource
-> - Configure the Speech resource for Azure AD authentication
-> - Get an Azure AD access token
+> - Configure the Speech resource for Microsoft Entra authentication
+> - Get a Microsoft Entra access token
> - Create the appropriate SDK configuration object.
-To learn more about Azure AD access tokens, including token lifetime, visit [Access tokens in the Microsoft identity platform](/azure/active-directory/develop/access-tokens).
+To learn more about Microsoft Entra access tokens, including token lifetime, visit [Access tokens in the Microsoft identity platform](/azure/active-directory/develop/access-tokens).
## Create a Speech resource To create a Speech resource in the [Azure portal](https://portal.azure.com), see [Get the keys for your resource](~/articles/ai-services/multi-service-resource.md?pivots=azportal#get-the-keys-for-your-resource)
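Review bot: the edited list of authentication methods, "service keys, a key-based token, and Microsoft Entra ID", names two credential types and then a product. "a Microsoft Entra access token" keeps the list parallel and matches the wording used in the checklist and headings below.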
-## Configure the Speech resource for Azure AD authentication
+<a name='configure-the-speech-resource-for-azure-ad-authentication'></a>
-To configure your Speech resource for Azure AD authentication, create a custom domain name and assign roles.
+## Configure the Speech resource for Microsoft Entra authentication
+
+To configure your Speech resource for Microsoft Entra authentication, create a custom domain name and assign roles.
### Create a custom domain name [!INCLUDE [Custom Domain include](includes/how-to/custom-domain.md)] ### Assign roles
-For Azure AD authentication with Speech resources, you need to assign either the *Cognitive Services Speech Contributor* or *Cognitive Services Speech User* role.
+For Microsoft Entra authentication with Speech resources, you need to assign either the *Cognitive Services Speech Contributor* or *Cognitive Services Speech User* role.
You can assign roles to the user or application using the [Azure portal](../../role-based-access-control/role-assignments-portal.md) or [PowerShell](../../role-based-access-control/role-assignments-powershell.md).
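Review bot: the hunk says to assign either *Cognitive Services Speech Contributor* or *Cognitive Services Speech User* but does not say what distinguishes them. Please add a sentence on which operations each role permits and recommend the less privileged one when the principal only needs to call the service, so readers do not default to Contributor.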
-## Get an Azure AD access token
+<a name='get-an-azure-ad-access-token'></a>
+
+## Get a Microsoft Entra access token
::: zone pivot="programming-language-csharp"
-To get an Azure AD access token in C#, use the [Azure Identity Client Library](/dotnet/api/overview/azure/identity-readme).
+To get a Microsoft Entra access token in C#, use the [Azure Identity Client Library](/dotnet/api/overview/azure/identity-readme).
-Here's an example of using Azure Identity to get an Azure AD access token from an interactive browser:
+Here's an example of using Azure Identity to get a Microsoft Entra access token from an interactive browser:
```c# TokenRequestContext context = new Azure.Core.TokenRequestContext(new string[] { "https://cognitiveservices.azure.com/.default" }); InteractiveBrowserCredential browserCredential = new InteractiveBrowserCredential();
The token context must be set to "https://cognitiveservices.azure.com/.default".
::: zone-end ::: zone pivot="programming-language-cpp"
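Review bot: the fence here is tagged ```c#``` while the BYOS article in this batch uses ```csharp```; ```csharp``` is the tag that reliably gets C# highlighting, so suggest aligning on it. The `browserCredential` snippet is fine for an interactive sample, but a one-line note that an app running on Azure should use a managed identity credential instead of an interactive browser sign-in would match the guidance in the security features table.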
-To get an Azure AD access token in C++, use the [Azure Identity Client Library](https://github.com/Azure/azure-sdk-for-cpp/tree/main/sdk/identity/azure-identity).
+To get a Microsoft Entra access token in C++, use the [Azure Identity Client Library](https://github.com/Azure/azure-sdk-for-cpp/tree/main/sdk/identity/azure-identity).
-Here's an example of using Azure Identity to get an Azure AD access token with your tenant ID, client ID, and client secret credentials:
+Here's an example of using Azure Identity to get a Microsoft Entra access token with your tenant ID, client ID, and client secret credentials:
```cpp const std::string tenantId = "Your Tenant ID"; const std::string clientId = "Your Client ID";
The token context must be set to "https://cognitiveservices.azure.com/.default".
::: zone-end ::: zone pivot="programming-language-java"
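Review bot: the C++ sample takes the tenant ID, client ID and client secret as string literals ("Your Tenant ID", "Your Client ID", ...). The surrounding prose should say that the secret must be read from configuration or a vault at run time rather than written into source, and that where the code runs on Azure a managed identity avoids handling a client secret at all. Otherwise readers copy the placeholder pattern with a real secret.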
-To get an Azure AD access token in Java, use the [Azure Identity Client Library](/java/api/overview/azure/identity-readme).
+To get a Microsoft Entra access token in Java, use the [Azure Identity Client Library](/java/api/overview/azure/identity-readme).
-Here's an example of using Azure Identity to get an Azure AD access token from a browser:
+Here's an example of using Azure Identity to get a Microsoft Entra access token from a browser:
```java TokenRequestContext context = new TokenRequestContext(); context.addScopes("https://cognitiveservices.azure.com/.default");
The token context must be set to "https://cognitiveservices.azure.com/.default".
::: zone-end ::: zone pivot="programming-language-python"
-To get an Azure AD access token in Java, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme).
+To get a Microsoft Entra access token in Java, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme).
-Here's an example of using Azure Identity to get an Azure AD access token from an interactive browser:
+Here's an example of using Azure Identity to get a Microsoft Entra access token from an interactive browser:
```Python from azure.identity import InteractiveBrowserCredential ibc = InteractiveBrowserCredential()
aadToken = ibc.get_token("https://cognitiveservices.azure.com/.default")
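Review bot: the Python pivot still says "in Java" on the rewritten line `+To get a Microsoft Entra access token in Java, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme).`; the link points at the Python identity README and the sample beneath it is Python, so this should read "in Python" (the error predates this change, but the line is being rewritten anyway). While the hunk is open, the sample's variable `aadToken` could become something like `entraToken` so the code matches the rename the prose is making.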
::: zone-end ::: zone pivot="programming-language-more"
-Find samples that get an Azure AD access token in [Microsoft identity platform code samples](../../active-directory/develop/sample-v2-code.md).
+Find samples that get a Microsoft Entra access token in [Microsoft identity platform code samples](../../active-directory/develop/sample-v2-code.md).
For programming languages where a Microsoft identity platform client library isn't available, you can directly [request an access token](../../active-directory/develop/v2-oauth-ropc.md). ::: zone-end ## Get the Speech resource ID
-You need your Speech resource ID to make SDK calls using Azure AD authentication.
+You need your Speech resource ID to make SDK calls using Microsoft Entra authentication.
> [!NOTE] > For Intent Recognition use your LUIS Prediction resource ID.
$resourceId = resource.Id
## Create the Speech SDK configuration object
-With an Azure AD access token, you can now create a Speech SDK configuration object.
+With a Microsoft Entra access token, you can now create a Speech SDK configuration object.
The method of providing the token, and the method to construct the corresponding Speech SDK ```Config``` object varies by the object you'll be using. ### SpeechRecognizer, SpeechSynthesizer, IntentRecognizer, ConversationTranscriber
-For ```SpeechRecognizer```, ```SpeechSynthesizer```, ```IntentRecognizer```, ```ConversationTranscriber``` objects, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```SpeechConfig``` object.
+For ```SpeechRecognizer```, ```SpeechSynthesizer```, ```IntentRecognizer```, ```ConversationTranscriber``` objects, build the authorization token from the resource ID and the Microsoft Entra access token and then use it to create a ```SpeechConfig``` object.
::: zone pivot="programming-language-csharp" ```C#
speechConfig = SpeechConfig(auth_token=authorizationToken, region=region)
### TranslationRecognizer
-For the ```TranslationRecognizer```, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```SpeechTranslationConfig``` object.
+For the ```TranslationRecognizer```, build the authorization token from the resource ID and the Microsoft Entra access token and then use it to create a ```SpeechTranslationConfig``` object.
::: zone pivot="programming-language-csharp" ```C#
translationConfig = SpeechTranslationConfig(auth_token=authorizationToken, regio
### DialogServiceConnector
-For the ```DialogServiceConnection``` object, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```CustomCommandsConfig``` or a ```BotFrameworkConfig``` object.
+For the ```DialogServiceConnection``` object, build the authorization token from the resource ID and the Microsoft Entra access token and then use it to create a ```CustomCommandsConfig``` or a ```BotFrameworkConfig``` object.
::: zone pivot="programming-language-csharp" ```C#
The DialogServiceConnector is not currently supported in Python
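Review bot: the rewritten line `+For the ```DialogServiceConnection``` object, build the authorization token ...` refers to a `DialogServiceConnection` object, but the heading directly above it and the Python note below both say `DialogServiceConnector`, which is the actual SDK class name. Since this line is already being edited for the Entra rename, fix the identifier in the same pass rather than leaving a name a reader cannot find in the SDK reference.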
::: zone-end ### VoiceProfileClient
-To use the ```VoiceProfileClient``` with Azure AD authentication, use the custom domain name created above.
+To use the ```VoiceProfileClient``` with Microsoft Entra authentication, use the custom domain name created above.
::: zone pivot="programming-language-csharp" ```C#
The ```VoiceProfileClient``` isn't available with the Speech SDK for Python.
::: zone-end > [!NOTE]
-> The ```ConversationTranslator``` doesn't support Azure AD authentication.
+> The ```ConversationTranslator``` doesn't support Microsoft Entra authentication.
ai-services Language Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/language-support.md
With the cross-lingual feature, you can transfer your custom neural voice model
# [Pronunciation assessment](#tab/pronunciation-assessment)
-The table in this section summarizes the 22 locales supported for pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). Latest update extends support from English to 21 additional languages and quality enhancements to existing features, including accuracy, fluency and miscue assessment. You should specify the language that you're learning or practicing improving pronunciation. The default language is set as `en-US`. If you know your target learning language, [set the locale](how-to-pronunciation-assessment.md#get-pronunciation-assessment-results) accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario.
+The table in this section summarizes the 23 locales supported for pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). Latest update extends support from English to 22 additional languages and quality enhancements to existing features, including accuracy, fluency and miscue assessment. You should specify the language that you're learning or practicing improving pronunciation. The default language is set as `en-US`. If you know your target learning language, [set the locale](how-to-pronunciation-assessment.md#get-pronunciation-assessment-results) accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario.
[!INCLUDE [Language support include](includes/language-support/pronunciation-assessment.md)]
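Review bot: the rewritten sentence moves the pronunciation-assessment locale count from 22 to 23 (and "21 additional languages" to 22), but the list the count describes lives in `includes/language-support/pronunciation-assessment.md`, which is not part of this change; confirm the include gained a row in the same commit, otherwise prose and table disagree. Two wording nits on the same line: "Latest update extends support" wants an article ("The latest update"), and "practicing improving pronunciation" reads better as "practicing pronunciation".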
ai-services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/role-based-access-control.md
For finer-grained resource access control, you can [add or remove roles](../../r
The [roles](#roles-for-speech-resources) define what permissions you have. Authentication is required to use the Speech resource.
-To authenticate with Speech resource keys, all you need is the key and region. To authenticate with an Azure AD token, the Speech resource must have a [custom subdomain](speech-services-private-link.md#create-a-custom-domain-name) and use a [private endpoint](speech-services-private-link.md#turn-on-private-endpoints). The Speech service uses custom subdomains with private endpoints only.
+To authenticate with Speech resource keys, all you need is the key and region. To authenticate with a Microsoft Entra token, the Speech resource must have a [custom subdomain](speech-services-private-link.md#create-a-custom-domain-name) and use a [private endpoint](speech-services-private-link.md#turn-on-private-endpoints). The Speech service uses custom subdomains with private endpoints only.
### Speech SDK authentication
-For the SDK, you configure whether to authenticate with a Speech resource key or Azure AD token. For details, see [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md).
+For the SDK, you configure whether to authenticate with a Speech resource key or Microsoft Entra token. For details, see [Microsoft Entra authentication with the Speech SDK](how-to-configure-azure-ad-auth.md).
### Speech Studio authentication
-Once you're signed into [Speech Studio](speech-studio-overview.md), you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Azure AD token. Speech Studio gets the key or token automatically from the Speech resource. If one of the assigned [roles](#roles-for-speech-resources) has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Azure AD token.
+Once you're signed into [Speech Studio](speech-studio-overview.md), you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Microsoft Entra token. Speech Studio gets the key or token automatically from the Speech resource. If one of the assigned [roles](#roles-for-speech-resources) has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Microsoft Entra token.
-If Speech Studio uses your Azure AD token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files.
+If Speech Studio uses your Microsoft Entra token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files.
| Authentication credential | Feature availability | | | | |Speech resource key|Full access limited only by the assigned role permissions.|
-|Azure AD token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.|
-|Azure AD token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice. But you can't use a Custom Speech model or Custom Neural Voice.|
+|Microsoft Entra token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.|
+|Microsoft Entra token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice. But you can't use a Custom Speech model or Custom Neural Voice.|
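Review bot: the Speech Studio paragraph this hunk rewrites (`+... Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Microsoft Entra token.`) uses future tense where the docs style wants present ("authenticates"). More useful to the reader is the consequence that the paragraph and the table together imply but never state: Speech Studio falls back to key authentication whenever the assigned role can list keys, so anyone who wants Entra-token-only access must assign a role without list-keys permission and still provision the custom subdomain and private endpoint, or they land in the "not recommended", feature-limited row of the table. One sentence saying that would turn the table into actionable guidance.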
## Next steps
-* [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md).
+* [Microsoft Entra authentication with the Speech SDK](how-to-configure-azure-ad-auth.md).
* [Speech service encryption of data at rest](speech-encryption-of-data-at-rest.md).
ai-services Document Translation Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/connector/document-translation-flow.md
Here are the steps to upload a file from your SharePoint site to Azure Blob Stor
1. If you're using the Azure storage step for the first time, you need to enter your storage resource authentication:
-1. In the **Authentication type** field, choose **Azure AD Integrated** and then select the **Sign in** button.
+1. In the **Authentication type** field, choose **Microsoft Entra integrated** and then select the **Sign in** button.
:::image type="content" source="../media/connectors/storage-authentication.png" alt-text="Screenshot of Azure Blob Storage authentication window.":::
-1. Choose the Azure Active Directory (Azure AD) account associated with your Azure Blob Storage and Translator resource accounts.
+1. Choose the Microsoft Entra account associated with your Azure Blob Storage and Translator resource accounts.
1. After you have completed the **Azure Blob Storage** authentication, the **Create blob** step appears. Complete the fields as follows:
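Review bot: `+1. In the **Authentication type** field, choose **Microsoft Entra integrated** and then select the **Sign in** button.` renames a bold UI label in the Azure Blob Storage connector's authentication dialog, while the screenshot referenced on the next line (`storage-authentication.png`) is unchanged. Bold UI strings must match what the product renders; either verify the connector now shows "Microsoft Entra integrated" and refresh the screenshot, or keep the label as the dialog actually displays it.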
ai-services Create Sas Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-sas-tokens.md
Last updated 07/18/2023
# Create SAS tokens for your storage containers
-In this article, you learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Azure AD credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.
+In this article, you learn how to create user delegation, shared access signature (SAS) tokens, using the Azure portal or Azure Storage Explorer. User delegation SAS tokens are secured with Microsoft Entra credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.
:::image type="content" source="../../media/sas-url-token.png" alt-text="Screenshot of a storage url with SAS token appended.":::
In this article, you learn how to create user delegation, shared access signatur
> > [Managed identities](create-use-managed-identities.md) provide an alternate method for you to grant access to your storage data without the need to include SAS tokens with your HTTP requests. *See*, [Managed identities for Document Translation](create-use-managed-identities.md). >
-> * You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications.
+> * You can use managed identities to grant access to any resource that supports Microsoft Entra authentication, including your own applications.
> * Using managed identities replaces the requirement for you to include shared access signature tokens (SAS) with your source and target URLs. > * There's no added cost to use managed identities in Azure.
Go to the [Azure portal](https://portal.azure.com/#home) and navigate to your co
* Consider setting a longer duration period for the time you're using your storage account for Translator Service operations. * The value of the expiry time is determined by whether you're using an **Account key** or **User delegation key** **Signing method**: * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).
- * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Azure AD credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).
+ * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information,*see* [Use Microsoft Entra credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).
1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. For more information,*see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range).
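Review bot: the rewritten link `[Use Microsoft Entra credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas)` changes the link text but keeps the old fragment; that only resolves if the target heading still reads "Use Azure AD credentials..." or received an `<a name=...>` alias, as the Translator v3 reference does elsewhere in this same update. Please confirm. Same line and the one after it: "For more information,*see*" is missing the space before `*see*`.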
ai-services Create Use Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/how-to-guides/create-use-managed-identities.md
# Managed identities for Document Translation
-Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your [source and target URLs](#post-request-body).
+Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your [source and target URLs](#post-request-body).
:::image type="content" source="../media/managed-identity-rbac-flow.png" alt-text="Screenshot of managed identity flow (RBAC).":::
-* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications.
+* You can use managed identities to grant access to any resource that supports Microsoft Entra authentication, including your own applications.
* To grant access to an Azure resource, assign an Azure role to a managed identity using [Azure role-based access control (`Azure RBAC`)](../../../../role-based-access-control/overview.md).
ai-services Document Translation Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/quickstarts/document-translation-sdk.md
To get started, you need:
You can choose one of the following options to authorize access to your Translator resource.
-**✔️ Managed Identity**. A managed identity is a service principal that creates an Azure Active Directory (Azure AD) identity and specific permissions for an Azure managed resource. Managed identities enable you to run your Translator application without having to embed credentials in your code. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your source and target URLs.
+**✔️ Managed Identity**. A managed identity is a service principal that creates a Microsoft Entra identity and specific permissions for an Azure managed resource. Managed identities enable you to run your Translator application without having to embed credentials in your code. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your source and target URLs.
To learn more, *see* [Managed identities for Document Translation](../how-to-guides/create-use-managed-identities.md).
ai-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/encrypt-data-at-rest.md
Follow these steps to enable customer-managed keys for Translator:
### Enable customer-managed keys
-You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
A new Azure AI services resource is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault. The key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Azure AI services resource. The managed identity is available as soon as the resource is created.
To learn how to use customer-managed keys with Azure Key Vault for Azure AI serv
- [Configure customer-managed keys with Key Vault for Azure AI services encryption from the Azure portal](../Encryption/cognitive-services-encryption-keys-portal.md)
-Enabling customer managed keys will also enable a system assigned managed identity, a feature of Azure AD. Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md).
+Enabling customer managed keys will also enable a system assigned managed identity, a feature of Microsoft Entra ID. Once the system assigned managed identity is enabled, this resource will be registered with Microsoft Entra ID. After being registered, the managed identity will be given access to the Key Vault selected during customer managed key setup. You can learn more about [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md).
> [!IMPORTANT] > If you disable system assigned managed identities, access to the key vault will be removed and any data encrypted with the customer keys will no longer be accessible. Any features depended on this data will stop working. Any models that you have deployed will also be undeployed. All uploaded data will be deleted from Custom Translator. If the managed identities are re-enabled, we will not automatically redeploy the model for you. > [!IMPORTANT]
-> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Azure AD directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Azure AD directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
+> Managed identities do not currently support cross-directory scenarios. When you configure customer-managed keys in the Azure portal, a managed identity is automatically assigned under the covers. If you subsequently move the subscription, resource group, or resource from one Microsoft Entra directory to another, the managed identity associated with the resource is not transferred to the new tenant, so customer-managed keys may no longer work. For more information, see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues with managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories).
### Store customer-managed keys in Azure Key Vault
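Review bot: in the rewritten note `+> ... see **Transferring a subscription between Microsoft Entra directories** in [FAQs and known issues ...](...#transferring-a-subscription-between-azure-ad-directories)`, the bold text is meant to quote the target document's heading. If that heading was not renamed in the same pass, the reader is sent to look for a heading that does not exist; if it was renamed, the fragment needs the new id or an alias. Check both sides. Also `+Enabling customer managed keys will also enable a system assigned managed identity ...` and `...will be given access...` should be present tense, and "customer managed keys" is hyphenated as "customer-managed keys" in the heading just above it.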
ai-services V3 0 Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/reference/v3-0-reference.md
Authorization: Bearer <Base64-access_token>
An authentication token is valid for 10 minutes. The token should be reused when making multiple calls to the Translator. However, if your program makes requests to the Translator over an extended period of time, then your program must request a new access token at regular intervals (for example, every 8 minutes).
-## Authentication with Azure Active Directory (Azure AD)
+<a name='authentication-with-azure-active-directory-azure-ad'></a>
- Translator v3.0 supports Azure AD authentication, Microsoft's cloud-based identity and access management solution. Authorization headers enable the Translator service to validate that the requesting client is authorized to use the resource and to complete the request.
+## Authentication with Microsoft Entra ID
+
+ Translator v3.0 supports Microsoft Entra authentication, Microsoft's cloud-based identity and access management solution. Authorization headers enable the Translator service to validate that the requesting client is authorized to use the resource and to complete the request.
### **Prerequisites**
-* A brief understanding of how to [**authenticate with Azure Active Directory**](../../authentication.md?tabs=powershell#authenticate-with-azure-active-directory).
+* A brief understanding of how to [**authenticate with Microsoft Entra ID**](../../authentication.md?tabs=powershell#authenticate-with-azure-active-directory).
* A brief understanding of how to [**authorize access to managed identities**](../../authentication.md?tabs=powershell#authorize-access-to-managed-identities).
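Review bot: `+<a name='authentication-with-azure-active-directory-azure-ad'></a>` correctly preserves the old fragment for the renamed heading, so existing deep links keep working. The prerequisite link on `+* A brief understanding of how to [**authenticate with Microsoft Entra ID**](../../authentication.md?tabs=powershell#authenticate-with-azure-active-directory).` has no such protection: it depends on `authentication.md` keeping its old heading id or adding the same kind of alias, so verify that before merging. Minor: `+ Translator v3.0 supports Microsoft Entra authentication, ...` carries a leading space that the surrounding paragraphs do not.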
ai-services Use Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/use-key-vault.md
In a new instance of the **Windows PowerShell**, read the environment variable.
## Authenticate to Azure using Visual Studio
-Developers using Visual Studio 2017 or later can authenticate an Azure Active Directory account through Visual Studio. This enables you to access secrets in your key vault by signing into your Azure subscription from within the IDE.
+Developers using Visual Studio 2017 or later can authenticate a Microsoft Entra account through Visual Studio. This enables you to access secrets in your key vault by signing into your Azure subscription from within the IDE.
To authenticate in Visual Studio, select **Tools** from the top navigation menu, and select **Options**. Navigate to the **Azure Service Authentication** option to sign in with your user name and password.
Create a new folder named `keyVaultExample`. Then use your preferred code editor
### Install Key Vault and Language service packages
-1. In a terminal or command prompt, navigate to your project folder and install the Azure Active Directory identity library:
+1. In a terminal or command prompt, navigate to your project folder and install the Microsoft Entra identity library:
```terminal pip install azure-identity
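Review bot: `+1. In a terminal or command prompt, navigate to your project folder and install the Microsoft Entra identity library:` mislabels the package. `pip install azure-identity` installs the Azure Identity client library, which is the name the Speech how-to in this same update uses; it is a client library that performs Microsoft Entra authentication, not an Entra product. Suggest "install the Azure Identity client library, which handles Microsoft Entra authentication:".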
ai-services What Are Ai Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/what-are-ai-services.md
Azure AI services supports a wide range of cultural languages at the service lev
## Security
-Azure AI services provides a layered security model, including [authentication](authentication.md "Authentication") with Azure Active Directory credentials, a valid resource key, and [Azure Virtual Networks](cognitive-services-virtual-networks.md "Azure Virtual Networks").
+Azure AI services provides a layered security model, including [authentication](authentication.md "Authentication") with Microsoft Entra credentials, a valid resource key, and [Azure Virtual Networks](cognitive-services-virtual-networks.md "Azure Virtual Networks").
## Certifications and compliance
aks Access Control Managed Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/access-control-managed-azure-ad.md
Title: Cluster access control with AKS-managed Azure Active Directory integration
-description: Learn how to access clusters when integrating Azure AD in your Azure Kubernetes Service (AKS) clusters.
+ Title: Cluster access control with AKS-managed Microsoft Entra integration
+description: Learn how to access clusters when integrating Microsoft Entra ID in your Azure Kubernetes Service (AKS) clusters.
Last updated 04/20/2023
-# Cluster access control with AKS-managed Azure Active Directory integration
+# Cluster access control with AKS-managed Microsoft Entra integration
-When you integrate Azure AD with your AKS cluster, you can use [Conditional Access][aad-conditional-access] or Privileged Identity Management (PIM) for just-in-time requests to control access to your cluster. This article shows you how to enable Conditional Access and PIM on your AKS clusters.
+When you integrate Microsoft Entra ID with your AKS cluster, you can use [Conditional Access][aad-conditional-access] or Privileged Identity Management (PIM) for just-in-time requests to control access to your cluster. This article shows you how to enable Conditional Access and PIM on your AKS clusters.
> [!NOTE]
-> Azure AD Conditional Access and Privileged Identity Management are Azure AD Premium capabilities requiring a Premium P2 SKU. For more on Azure AD SKUs, see the [pricing guide][aad-pricing].
+> Microsoft Entra Conditional Access and Privileged Identity Management are Microsoft Entra ID P1 or P2 capabilities requiring a Premium P2 SKU. For more on Microsoft Entra ID SKUs, see the [pricing guide][aad-pricing].
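Review bot: `+> Microsoft Entra Conditional Access and Privileged Identity Management are Microsoft Entra ID P1 or P2 capabilities requiring a Premium P2 SKU.` contradicts itself: "P1 or P2" and "requiring a Premium P2 SKU" cannot both be true. State the licensing per feature, since they differ: Conditional Access is a Microsoft Entra ID P1 capability and Privileged Identity Management requires P2, so a P2 license covers both procedures in this article. In the front matter of the same hunk, `+ Title: Cluster access control with AKS-managed Microsoft Entra integration` starts with a space while `+description:` does not; YAML keys must sit at column 0.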
## Before you begin
-* See [AKS-managed Azure Active Directory integration](./managed-azure-ad.md) for an overview and setup instructions.
+* See [AKS-managed Microsoft Entra integration](./managed-azure-ad.md) for an overview and setup instructions.
-## Use Conditional Access with Azure AD and AKS
+<a name='use-conditional-access-with-azure-ad-and-aks'></a>
-1. In the Azure portal, go to the **Azure Active Directory** page and select **Enterprise applications**.
+## Use Conditional Access with Microsoft Entra ID and AKS
+
+1. In the Azure portal, go to the **Microsoft Entra ID** page and select **Enterprise applications**.
2. Select **Conditional Access** > **Policies** > **New policy**. :::image type="content" source="./media/managed-aad/conditional-access-new-policy.png" alt-text="Screenshot of adding a Conditional Access policy." lightbox="./media/managed-aad/conditional-access-new-policy.png"::: 3. Enter a name for the policy, such as *aks-policy*.
-4. Under **Assignments**, select **Users and groups**. Choose the users and groups you want to apply the policy to. In this example, choose the same Azure AD group that has administrator access to your cluster.
+4. Under **Assignments**, select **Users and groups**. Choose the users and groups you want to apply the policy to. In this example, choose the same Microsoft Entra group that has administrator access to your cluster.
:::image type="content" source="./media/managed-aad/conditional-access-users-groups.png" alt-text="Screenshot of selecting users or groups to apply the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-users-groups.png":::
-5. Under **Cloud apps or actions** > **Include**, select **Select apps**. Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service AAD Server**.
+5. Under **Cloud apps or actions** > **Include**, select **Select apps**. Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service Microsoft Entra Server**.
:::image type="content" source="./media/managed-aad/conditional-access-apps.png" alt-text="Screenshot of selecting Azure Kubernetes Service AD Server for applying the Conditional Access policy." lightbox="./media/managed-aad/conditional-access-apps.png":::
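Review bot: `+5. ... Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service Microsoft Entra Server**.` renames the display name of the AKS server enterprise application, but the alt text on the next line still says "Azure Kubernetes Service AD Server" and the screenshot is unchanged. The bold text here is what the reader has to match in the app picker, so unless the application's registered display name actually changed in the tenant, this step now tells them to select an entry that does not appear. Verify the name shown in the portal and make the step, the alt text and the screenshot agree.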
When you integrate Azure AD with your AKS cluster, you can use [Conditional Acce
kubectl get nodes ```
-4. In the Azure portal, navigate to **Azure Active Directory** and select **Enterprise applications** > **Activity** > **Sign-ins**.
+4. In the Azure portal, navigate to **Microsoft Entra ID** and select **Enterprise applications** > **Activity** > **Sign-ins**.
5. Under the **Conditional Access** column you should see a status of *Success*. Select the event and then select the **Conditional Access** tab. Your Conditional Access policy will be listed. :::image type="content" source="./media/managed-aad/conditional-access-sign-in-activity.png" alt-text="Screenshot that shows failed sign-in entry due to Conditional Access policy." lightbox="./media/managed-aad/conditional-access-sign-in-activity.png":::
-## Configure just-in-time cluster access with Azure AD and AKS
+<a name='configure-just-in-time-cluster-access-with-azure-ad-and-aks'></a>
+
+## Configure just-in-time cluster access with Microsoft Entra ID and AKS
-1. In the Azure portal, go to **Azure Active Directory** and select **Properties**.
+1. In the Azure portal, go to **Microsoft Entra ID** and select **Properties**.
2. Note the value listed under **Tenant ID**. It will be referenced in a later step as `<tenant-id>`.
- :::image type="content" source="./media/managed-aad/jit-get-tenant-id.png" alt-text="Screenshot of the Azure portal screen for Azure Active Directory with the tenant's ID highlighted." lightbox="./media/managed-aad/jit-get-tenant-id.png":::
+ :::image type="content" source="./media/managed-aad/jit-get-tenant-id.png" alt-text="Screenshot of the Azure portal screen for Microsoft Entra ID with the tenant's ID highlighted." lightbox="./media/managed-aad/jit-get-tenant-id.png":::
3. Select **Groups** > **New group**. :::image type="content" source="./media/managed-aad/jit-create-new-group.png" alt-text="Screenshot of the Azure portal Active Directory groups screen with the New Group option highlighted." lightbox="./media/managed-aad/jit-create-new-group.png":::
-4. Verify the group type **Security** is selected and specify a group name, such as *myJITGroup*. Under the option **Azure AD roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**.
+4. Verify the group type **Security** is selected and specify a group name, such as *myJITGroup*. Under the option **Microsoft Entra roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**.
:::image type="content" source="./media/managed-aad/jit-new-group-created.png" alt-text="Screenshot of the new group creation screen in the Azure portal." lightbox="./media/managed-aad/jit-new-group-created.png":::
When you integrate Azure AD with your AKS cluster, you can use [Conditional Acce
:::image type="content" source="./media/managed-aad/jit-get-object-id.png" alt-text="Screenshot of the Azure portal screen for the just-created group with the Object ID highlighted." lightbox="./media/managed-aad/jit-get-object-id.png":::
-6. Create the AKS cluster with AKS-managed Azure AD integration using the [`az aks create`][az-aks-create] command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier.
+6. Create the AKS cluster with AKS-managed Microsoft Entra integration using the [`az aks create`][az-aks-create] command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier.
```azurecli-interactive az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <object-id> --aad-tenant-id <tenant-id>
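Review bot: the flag name in the prose on the `+6.` line (`--aad-admin-group-objects-ids`) does not match the command that follows it (`--aad-admin-group-object-ids`); the command has the correct spelling, so fix the prose while this line is being edited, and close the code span before the word "parameters" (`--aad-tenant-id parameters` currently wraps the prose word in backticks). The `+5.` line renames the enterprise application to "Azure Kubernetes Service Microsoft Entra Server" while the unchanged alt text directly beneath it still says "Azure Kubernetes Service AD Server"; because this step is a portal search for the application's display name, confirm that the application really was renamed rather than applying the global find/replace here, and make the alt text match whichever name is current. The unchanged alt text for the sign-in activity screenshot also reads "failed sign-in entry" where the step describes a *Success* status.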
aks Aks Support Help https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-support-help.md
The following table lists the tags for AKS and related
| [Azure storage accounts](../storage/common/storage-account-overview.md) | [azure-storage-accounts](/answers/topics/azure-storage-accounts.html)| | [Azure Managed Identities](../active-directory/managed-identities-azure-resources/overview.md) | [azure-managed-identity](/answers/topics/azure-managed-identity.html) | | [Azure RBAC](../role-based-access-control/overview.md) | [azure-rbac](/answers/topics/azure-rbac.html)|
-| [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) | [azure-active-directory](/answers/topics/azure-active-directory.html)|
+| [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) | [Microsoft Entra ID](/answers/topics/azure-active-directory.html)|
| [Azure Policy](../governance/policy/overview.md) | [azure-policy](/answers/topics/azure-policy.html)| | [Azure Virtual Machine Scale Sets](../virtual-machine-scale-sets/overview.md) | [virtual-machine-scale-sets](/answers/topics/123/azure-virtual-machines-scale-set.html)| | [Azure Virtual Network](../virtual-network/network-overview.md) | [azure-virtual-network](/answers/topics/azure-virtual-network.html)|
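Review bot: the second column of this table lists Microsoft Q&A tag slugs, and the `+` row replaces the slug `azure-active-directory` with the product name `Microsoft Entra ID` while the link still targets `/answers/topics/azure-active-directory.html`. Every other row keeps the slug form (`azure-rbac`, `azure-policy`, `azure-managed-identity`), so keep the link text as the tag identifier (whatever the tag is actually called after the rename) and apply the display-name change to the first column only.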
aks Azure Ad Integration Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-integration-cli.md
Title: Integrate Azure Active Directory with Azure Kubernetes Service (AKS) (legacy)
-description: Learn how to use the Azure CLI to create and Azure Active Directory-enabled Azure Kubernetes Service (AKS) cluster (legacy)
+ Title: Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) (legacy)
+description: Learn how to use the Azure CLI to create and Microsoft Entra ID-enabled Azure Kubernetes Service (AKS) cluster (legacy)
Last updated 08/15/2023
-# Integrate Azure Active Directory with Azure Kubernetes Service (AKS) using the Azure CLI (legacy)
+# Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) using the Azure CLI (legacy)
> [!WARNING]
-> The feature described in this document, Azure AD Integration (legacy) was **deprecated on June 1st, 2023**. At this time, no new clusters can be created with Azure AD Integration (legacy). All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from December 1st, 2023.
+> The feature described in this document, Microsoft Entra Integration (legacy) was **deprecated on June 1st, 2023**. At this time, no new clusters can be created with Microsoft Entra Integration (legacy). All Microsoft Entra Integration (legacy) AKS clusters will be migrated to AKS-managed Microsoft Entra ID automatically starting from December 1st, 2023.
>
-> AKS has a new improved [AKS-managed Azure AD][managed-aad] experience that doesn't require you to manage server or client applications. If you want to migrate follow the instructions [here][managed-aad-migrate].
+> AKS has a new improved [AKS-managed Microsoft Entra ID][managed-aad] experience that doesn't require you to manage server or client applications. If you want to migrate follow the instructions [here][managed-aad-migrate].
-Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (AD) for user authentication. In this configuration, you can log into an AKS cluster using an Azure AD authentication token. Cluster operators can also configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership.
+Azure Kubernetes Service (AKS) can be configured to use Microsoft Entra ID for user authentication. In this configuration, you can log into an AKS cluster using a Microsoft Entra authentication token. Cluster operators can also configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership.
-This article shows you how to create the required Azure AD components, then deploy an Azure AD-enabled cluster and create a basic Kubernetes role in the AKS cluster.
+This article shows you how to create the required Microsoft Entra components, then deploy a Microsoft Entra ID-enabled cluster and create a basic Kubernetes role in the AKS cluster.
## Limitations -- Azure AD can only be enabled on Kubernetes RBAC-enabled cluster.-- Azure AD legacy integration can only be enabled during cluster creation.
+- Microsoft Entra ID can only be enabled on Kubernetes RBAC-enabled cluster.
+- Microsoft Entra legacy integration can only be enabled during cluster creation.
## Before you begin
For consistency and to help run the commands in this article, create a variable
aksname="myakscluster" ```
-## Azure AD authentication overview
+<a name='azure-ad-authentication-overview'></a>
-Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][open-id-connect].
+## Microsoft Entra authentication overview
+
+Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][open-id-connect].
From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster. For more information on Webhook token authentication, see the [webhook authentication documentation][kubernetes-webhook]. > [!NOTE]
-> When configuring Azure AD for AKS authentication, two Azure AD applications are configured. This operation must be completed by an Azure tenant administrator.
+> When configuring Microsoft Entra ID for AKS authentication, two Microsoft Entra applications are configured. This operation must be completed by an Azure tenant administrator.
+
+<a name='create-azure-ad-server-component'></a>
-## Create Azure AD server component
+## Create Microsoft Entra server component
-To integrate with AKS, you create and use an Azure AD application that acts as an endpoint for the identity requests. The first Azure AD application you need gets Azure AD group membership for a user.
+To integrate with AKS, you create and use a Microsoft Entra application that acts as an endpoint for the identity requests. The first Microsoft Entra application you need gets Microsoft Entra group membership for a user.
Create the server application component using the [az ad app create][az-ad-app-create] command, then update the group membership claims using the [az ad app update][az-ad-app-update] command. The following example uses the *aksname* variable defined in the [Before you begin](#before-you-begin) section, and creates a variable
serverApplicationSecret=$(az ad sp credential reset \
--query password -o tsv) ```
-The Azure AD service principal needs permissions to perform the following actions:
+The Microsoft Entra service principal needs permissions to perform the following actions:
* Read directory data * Sign in and read user profile
az ad app permission add \
--api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role ```
-Finally, grant the permissions assigned in the previous step for the server application using the [az ad app permission grant][az-ad-app-permission-grant] command. This step fails if the current account is not a tenant admin. You also need to add permissions for Azure AD application to request information that may otherwise require administrative consent using the [az ad app permission admin-consent][az-ad-app-permission-admin-consent]:
+Finally, grant the permissions assigned in the previous step for the server application using the [az ad app permission grant][az-ad-app-permission-grant] command. This step fails if the current account is not a tenant admin. You also need to add permissions for Microsoft Entra application to request information that may otherwise require administrative consent using the [az ad app permission admin-consent][az-ad-app-permission-admin-consent]:
```azurecli-interactive az ad app permission grant --id $serverApplicationId --api 00000003-0000-0000-c000-000000000000 az ad app permission admin-consent --id $serverApplicationId ```
-## Create Azure AD client component
+<a name='create-azure-ad-client-component'></a>
+
+## Create Microsoft Entra client component
-The second Azure AD application is used when a user logs to the AKS cluster with the Kubernetes CLI (`kubectl`). This client application takes the authentication request from the user and verifies their credentials and permissions. Create the Azure AD app for the client component using the [az ad app create][az-ad-app-create] command:
+The second Microsoft Entra application is used when a user logs to the AKS cluster with the Kubernetes CLI (`kubectl`). This client application takes the authentication request from the user and verifies their credentials and permissions. Create the Microsoft Entra app for the client component using the [az ad app create][az-ad-app-create] command:
```azurecli-interactive clientApplicationId=$(az ad app create \
az ad app permission grant --id $clientApplicationId --api $serverApplicationId
## Deploy the cluster
-With the two Azure AD applications created, now create the AKS cluster itself. First, create a resource group using the [az group create][az-group-create] command. The following example creates the resource group in the *EastUS* region:
+With the two Microsoft Entra applications created, now create the AKS cluster itself. First, create a resource group using the [az group create][az-group-create] command. The following example creates the resource group in the *EastUS* region:
Create a resource group for the cluster:
az aks create \
--aad-tenant-id $tenantId ```
-Finally, get the cluster admin credentials using the [az aks get-credentials][az-aks-get-credentials] command. In one of the following steps, you get the regular *user* cluster credentials to see the Azure AD authentication flow in action.
+Finally, get the cluster admin credentials using the [az aks get-credentials][az-aks-get-credentials] command. In one of the following steps, you get the regular *user* cluster credentials to see the Microsoft Entra authentication flow in action.
```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name $aksname --admin
az aks get-credentials --resource-group myResourceGroup --name $aksname --admin
## Create Kubernetes RBAC binding
-Before an Azure Active Directory account can be used with the AKS cluster, a role binding or cluster role binding needs to be created. *Roles* define the permissions to grant, and *bindings* apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization].
+Before a Microsoft Entra account can be used with the AKS cluster, a role binding or cluster role binding needs to be created. *Roles* define the permissions to grant, and *bindings* apply them to desired users. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization].
-Get the user principal name (UPN) for the user currently logged in using the [az ad signed-in-user show][az-ad-signed-in-user-show] command. This user account is enabled for Azure AD integration in the next step.
+Get the user principal name (UPN) for the user currently logged in using the [az ad signed-in-user show][az-ad-signed-in-user-show] command. This user account is enabled for Microsoft Entra integration in the next step.
```azurecli-interactive az ad signed-in-user show --query userPrincipalName -o tsv ``` > [!IMPORTANT]
-> If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on the *userPrincipalName*. If the user is in a different Azure AD tenant, query for and use the *objectId* property instead.
+> If the user you grant the Kubernetes RBAC binding for is in the same Microsoft Entra tenant, assign permissions based on the *userPrincipalName*. If the user is in a different Microsoft Entra tenant, query for and use the *objectId* property instead.
Create a YAML manifest named `basic-azure-ad-binding.yaml` and paste the following contents. On the last line, replace *userPrincipalName_or_objectId* with the UPN or object ID output from the previous command:
Create the ClusterRoleBinding using the [kubectl apply][kubectl-apply] command a
kubectl apply -f basic-azure-ad-binding.yaml ```
-## Access cluster with Azure AD
+<a name='access-cluster-with-azure-ad'></a>
-Now let's test the integration of Azure AD authentication for the AKS cluster. Set the `kubectl` config context to use regular user credentials. This context passes all authentication requests back through Azure AD.
+## Access cluster with Microsoft Entra ID
+
+Now let's test the integration of Microsoft Entra authentication for the AKS cluster. Set the `kubectl` config context to use regular user credentials. This context passes all authentication requests back through Microsoft Entra ID.
```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name $aksname --overwrite-existing
Now use the [kubectl get pods][kubectl-get] command to view pods across all name
kubectl get pods --all-namespaces ```
-You receive a sign in prompt to authenticate using Azure AD credentials using a web browser. After you've successfully authenticated, the `kubectl` command displays the pods in the AKS cluster, as shown in the following example output:
+You receive a sign in prompt to authenticate using Microsoft Entra credentials using a web browser. After you've successfully authenticated, the `kubectl` command displays the pods in the AKS cluster, as shown in the following example output:
```console kubectl get pods --all-namespaces
If you see an authorization error message after you've successfully signed in us
error: You must be logged in to the server (Unauthorized) ```
-* You defined the appropriate object ID or UPN, depending on if the user account is in the same Azure AD tenant or not.
+* You defined the appropriate object ID or UPN, depending on if the user account is in the same Microsoft Entra tenant or not.
* The user is not a member of more than 200 groups. * Secret defined in the application registration for server matches the value configured using `--aad-server-app-secret` * Be sure that only one version of kubectl is installed on your machine at a time. Conflicting versions can cause issues during authorization. To install the latest version, use [az aks install-cli][az-aks-install-cli].
-## Frequently asked questions about migration from Azure Active Directory Integration to AKS-managed Azure Active Directory
+<a name='frequently-asked-questions-about-migration-from-azure-active-directory-integration-to-aks-managed-azure-active-directory'></a>
+
+## Frequently asked questions about migration from Microsoft Entra Integration to AKS-managed Microsoft Entra ID
**1. What is the plan for migration?**
-Azure Active Directory Integration (legacy) will be deprecated on 1st June 2023. After this date, you won't be able to create new clusters with Azure Active Directory (legacy). We'll migrate all Azure Active Directory Integration (legacy) AKS clusters to AKS-managed Azure Active Directory automatically starting from 1st August 2023.
+Microsoft Entra Integration (legacy) will be deprecated on 1st June 2023. After this date, you won't be able to create new clusters with Microsoft Entra ID (legacy). We'll migrate all Microsoft Entra Integration (legacy) AKS clusters to AKS-managed Microsoft Entra ID automatically starting from 1st August 2023.
We send notification emails to impacted subscription admins biweekly to remind them of migration. **2. What will happen if I don't take any action?**
-Your Azure Active Directory Integration (legacy) AKS clusters will continue working after 1st June 2023. We'll automatically migrate your clusters to AKS-managed Azure Active Directory starting from 1st August 2023. You may experience API server downtime during the migration.
+Your Microsoft Entra Integration (legacy) AKS clusters will continue working after 1st June 2023. We'll automatically migrate your clusters to AKS-managed Microsoft Entra ID starting from 1st August 2023. You may experience API server downtime during the migration.
The kubeconfig content changes after the migration. You need to merge the new credentials into the kubeconfig file using the `az aks get-credentials --resource-group <AKS resource group name> --name <AKS cluster name>`.
-We recommend updating your AKS cluster to [AKS-managed Azure Active Directory][managed-aad-migrate] manually before 1st August. This way you can manage the downtime during non-business hours when it's more convenient.
+We recommend updating your AKS cluster to [AKS-managed Microsoft Entra ID][managed-aad-migrate] manually before 1st August. This way you can manage the downtime during non-business hours when it's more convenient.
**3. Why do I still receive the notification email after manual migration?** It takes several days for the email to send. If your cluster wasn't migrated before we initiate the email-sending process, you may still receive a notification.
-**4. How can I check whether my cluster my cluster is migrated to AKS-managed Azure Active Directory?**
+**4. How can I check whether my cluster my cluster is migrated to AKS-managed Microsoft Entra ID?**
-Confirm your AKS cluster is migrated to the AKS-managed Azure Active Directory using the [`az aks show`][az-aks-show] command.
+Confirm your AKS cluster is migrated to the AKS-managed Microsoft Entra ID using the [`az aks show`][az-aks-show] command.
```azurecli az aks show -g <RGName> -n <ClusterName> --query "aadProfile" ```
-If your cluster is using the AKS-managed Azure Active Directory, the output shows `managed` is `true`. For example:
+If your cluster is using the AKS-managed Microsoft Entra ID, the output shows `managed` is `true`. For example:
```output {
If your cluster is using the AKS-managed Azure Active Directory, the output show
## Next steps
-For the complete script that contains the commands shown in this article, see the [Azure AD integration script in the AKS samples repo][complete-script].
+For the complete script that contains the commands shown in this article, see the [Microsoft Entra integration script in the AKS samples repo][complete-script].
-To use Azure AD users and groups to control access to cluster resources, see [Control access to cluster resources using Kubernetes role-based access control and Azure AD identities in AKS][azure-ad-rbac].
+To use Microsoft Entra users and groups to control access to cluster resources, see [Control access to cluster resources using Kubernetes role-based access control and Microsoft Entra identities in AKS][azure-ad-rbac].
For more information about how to secure Kubernetes clusters, see [Access and identity options for AKS)][rbac-authorization].
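Review bot: the migration dates disagree within this one change. The warning at the top now reads "All Microsoft Entra Integration (legacy) AKS clusters will be migrated to AKS-managed Microsoft Entra ID automatically starting from December 1st, 2023", but the FAQ below (questions 1 and 2 and the recommendation under question 2) still says "starting from 1st August 2023" and "before 1st August"; since every one of these lines is touched by the rename, align them to the one correct date rather than shipping both. Smaller fixes worth taking while the lines are open: the `+ Title:` line has a stray leading space and there is no `-` line for the old `Title:` above it, so check that the front matter does not end up with two title keys; "create and Microsoft Entra ID-enabled Azure Kubernetes Service (AKS) cluster" should be "create a Microsoft Entra ID-enabled ..."; "enabled on Kubernetes RBAC-enabled cluster" needs "a"; "add permissions for Microsoft Entra application" needs "the"; "when a user logs to the AKS cluster" should be "logs in to"; and "check whether my cluster my cluster is migrated" duplicates "my cluster".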
aks Azure Ad Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-ad-rbac.md
Title: Use Azure AD and Kubernetes RBAC for clusters
+ Title: Use Microsoft Entra ID and Kubernetes RBAC for clusters
-description: Learn how to use Azure Active Directory group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS)
+description: Learn how to use Microsoft Entra group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS)
Last updated 02/13/2023
-# Use Kubernetes role-based access control with Azure Active Directory in Azure Kubernetes Service
+# Use Kubernetes role-based access control with Microsoft Entra ID in Azure Kubernetes Service
-Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (Azure AD) for user authentication. In this configuration, you sign in to an AKS cluster using an Azure AD authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership.
+Azure Kubernetes Service (AKS) can be configured to use Microsoft Entra ID for user authentication. In this configuration, you sign in to an AKS cluster using a Microsoft Entra authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership.
This article shows you how to:
-* Control access using Kubernetes RBAC in an AKS cluster based on Azure AD group membership.
-* Create example groups and users in Azure AD.
+* Control access using Kubernetes RBAC in an AKS cluster based on Microsoft Entra group membership.
+* Create example groups and users in Microsoft Entra ID.
* Create Roles and RoleBindings in an AKS cluster to grant the appropriate permissions to create and view resources. ## Before you begin
-* You have an existing AKS cluster with Azure AD integration enabled. If you need an AKS cluster with this configuration, see [Integrate Azure AD with AKS][azure-ad-aks-cli].
-* Kubernetes RBAC is enabled by default during AKS cluster creation. To upgrade your cluster with Azure AD integration and Kubernetes RBAC, [Enable Azure AD integration on your existing AKS cluster][enable-azure-ad-integration-existing-cluster].
+* You have an existing AKS cluster with Microsoft Entra integration enabled. If you need an AKS cluster with this configuration, see [Integrate Microsoft Entra ID with AKS][azure-ad-aks-cli].
+* Kubernetes RBAC is enabled by default during AKS cluster creation. To upgrade your cluster with Microsoft Entra integration and Kubernetes RBAC, [Enable Microsoft Entra integration on your existing AKS cluster][enable-azure-ad-integration-existing-cluster].
* Make sure that Azure CLI version 2.0.61 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. * If using Terraform, install [Terraform][terraform-on-azure] version 2.99.0 or later.
-Use the Azure portal or Azure CLI to verify Azure AD integration with Kubernetes RBAC is enabled.
+Use the Azure portal or Azure CLI to verify Microsoft Entra integration with Kubernetes RBAC is enabled.
#### [Azure portal](#tab/portal)
To verify using the Azure portal:
* From your browser, sign in to the [Azure portal](https://portal.azure.com). * Navigate to **Kubernetes services**, and from the left-hand pane select **Cluster configuration**.
-* Under the **Authentication and Authorization** section, verify the **Azure AD authentication with Kubernetes RBAC** option is selected.
+* Under the **Authentication and Authorization** section, verify the **Microsoft Entra authentication with Kubernetes RBAC** option is selected.
:::image type="content" source="./media/azure-ad-rbac/rbac-portal.png" alt-text="Example of AKS Authentication and Authorization page in Azure portal." lightbox="./media/azure-ad-rbac/rbac-portal.png":::
If it's enabled, the output shows the value for `enableAzureRbac` is `false`.
-## Create demo groups in Azure AD
+<a name='create-demo-groups-in-azure-ad'></a>
-In this article, we'll create two user roles to show how Kubernetes RBAC and Azure AD control access to cluster resources. The following two example roles are used:
+## Create demo groups in Microsoft Entra ID
+
+In this article, we'll create two user roles to show how Kubernetes RBAC and Microsoft Entra ID control access to cluster resources. The following two example roles are used:
* **Application developer** * A user named *aksdev* that's part of the *appdev* group. * **Site reliability engineer** * A user named *akssre* that's part of the *opssre* group.
-In production environments, you can use existing users and groups within an Azure AD tenant.
+In production environments, you can use existing users and groups within a Microsoft Entra tenant.
1. First, get the resource ID of your AKS cluster using the [`az aks show`][az-aks-show] command. Then, assign the resource ID to a variable named *AKS_ID* so it can be referenced in other commands.
In production environments, you can use existing users and groups within an Azur
--query id -o tsv) ```
-2. Create the first example group in Azure AD for the application developers using the [`az ad group create`][az-ad-group-create] command. The following example creates a group named *appdev*:
+2. Create the first example group in Microsoft Entra ID for the application developers using the [`az ad group create`][az-ad-group-create] command. The following example creates a group named *appdev*:
```azurecli-interactive APPDEV_ID=$(az ad group create --display-name appdev --mail-nickname appdev --query Id -o tsv)
In production environments, you can use existing users and groups within an Azur
``` > [!TIP]
-> If you receive an error such as `Principal 35bfec9328bd4d8d9b54dea6dac57b82 doesn't exist in the directory a5443dcd-cd0e-494d-a387-3039b419f0d5.`, wait a few seconds for the Azure AD group object ID to propagate through the directory then try the `az role assignment create` command again.
+> If you receive an error such as `Principal 35bfec9328bd4d8d9b54dea6dac57b82 doesn't exist in the directory a5443dcd-cd0e-494d-a387-3039b419f0d5.`, wait a few seconds for the Microsoft Entra group object ID to propagate through the directory then try the `az role assignment create` command again.
4. Create a second example group for SREs named *opssre*.
In production environments, you can use existing users and groups within an Azur
--scope $AKS_ID ```
-## Create demo users in Azure AD
+<a name='create-demo-users-in-azure-ad'></a>
+
+## Create demo users in Microsoft Entra ID
-Now that we have two example groups created in Azure AD for our application developers and SREs, we'll create two example users. To test the Kubernetes RBAC integration at the end of the article, you'll sign in to the AKS cluster with these accounts.
+Now that we have two example groups created in Microsoft Entra ID for our application developers and SREs, we'll create two example users. To test the Kubernetes RBAC integration at the end of the article, you'll sign in to the AKS cluster with these accounts.
### Set the user principal name and password for application developers
echo "Please enter the secure password for application developers: " && read AAD
### Create the user accounts
-1. Create the first user account in Azure AD using the [`az ad user create`][az-ad-user-create] command. The following example creates a user with the display name *AKS Dev* and the UPN and secure password using the values in *AAD_DEV_UPN* and *AAD_DEV_PW*:
+1. Create the first user account in Microsoft Entra ID using the [`az ad user create`][az-ad-user-create] command. The following example creates a user with the display name *AKS Dev* and the UPN and secure password using the values in *AAD_DEV_UPN* and *AAD_DEV_PW*:
```azurecli-interactive AKSDEV_ID=$(az ad user create \
az ad group member add --group opssre --member-id $AKSSRE_ID
## Create AKS cluster resources for app devs
-We have our Azure AD groups, users, and Azure role assignments created. Now, we'll configure the AKS cluster to allow these different groups access to specific resources.
+We have our Microsoft Entra groups, users, and Azure role assignments created. Now, we'll configure the AKS cluster to allow these different groups access to specific resources.
-1. Get the cluster admin credentials using the [`az aks get-credentials`][az-aks-get-credentials] command. In one of the following sections, you get the regular *user* cluster credentials to see the Azure AD authentication flow in action.
+1. Get the cluster admin credentials using the [`az aks get-credentials`][az-aks-get-credentials] command. In one of the following sections, you get the regular *user* cluster credentials to see the Microsoft Entra authentication flow in action.
```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin
kubectl create namespace dev
> [!NOTE] > In Kubernetes, *Roles* define the permissions to grant, and *RoleBindings* apply them to desired users or groups. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see [Using Kubernetes RBAC authorization][rbac-authorization]. >
-> If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on the *userPrincipalName (UPN)*. If the user is in a different Azure AD tenant, query for and use the *objectId* property instead.
+> If the user you grant the Kubernetes RBAC binding for is in the same Microsoft Entra tenant, assign permissions based on the *userPrincipalName (UPN)*. If the user is in a different Microsoft Entra tenant, query for and use the *objectId* property instead.
3. Create a Role for the *dev* namespace, which grants full permissions to the namespace. In production environments, you can specify more granular permissions for different users or groups. Create a file named `role-dev-namespace.yaml` and paste the following YAML manifest:
subjects:
kubectl apply -f rolebinding-sre-namespace.yaml ```
-## Interact with cluster resources using Azure AD identities
+<a name='interact-with-cluster-resources-using-azure-ad-identities'></a>
+
+## Interact with cluster resources using Microsoft Entra identities
Now, we'll test that the expected permissions work when you create and manage resources in an AKS cluster. In these examples, we'll schedule and view pods in the user's assigned namespace, and try to schedule and view pods outside of the assigned namespace.
-1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign-in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD.
+1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Microsoft Entra sign-in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Microsoft Entra ID.
```azurecli-interactive az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --overwrite-existing
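Review bot: the rewritten step 1 keeps the awkward clause "the user context is applied that requires all requests to be authenticated using Microsoft Entra ID"; since the line is already being touched for the rebrand, reword it to "Without the `--admin` parameter, the user context is applied, which requires every request to be authenticated with Microsoft Entra ID." That also makes the contrast with the preceding sentence ("The admin user bypasses Microsoft Entra sign-in prompts") read as one thought: `--admin` skips directory authentication, the user context enforces it.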
Error from server (Forbidden): pods is forbidden: User "aksdev@contoso.com" cann
### Test the SRE access to the AKS cluster resources
-To confirm that our Azure AD group membership and Kubernetes RBAC work correctly between different users and groups, try the previous commands when signed in as the *opssre* user.
+To confirm that our Microsoft Entra group membership and Kubernetes RBAC work correctly between different users and groups, try the previous commands when signed in as the *opssre* user.
1. Reset the *kubeconfig* context using the [`az aks get-credentials`][az-aks-get-credentials] command that clears the previously cached authentication token for the *aksdev* user.
Error from server (Forbidden): pods is forbidden: User "akssre@contoso.com" cann
## Clean up resources
-In this article, you created resources in the AKS cluster and users and groups in Azure AD. To clean up all of the resources, run the following commands:
+In this article, you created resources in the AKS cluster and users and groups in Microsoft Entra ID. To clean up all of the resources, run the following commands:
```azurecli-interactive # Get the admin kubeconfig context to delete the necessary cluster resources.
az ad group delete --group opssre
[rbac-authorization]: concepts-identity.md#kubernetes-rbac [operator-best-practices-identity]: operator-best-practices-identity.md [terraform-on-azure]: /azure/developer/terraform/overview
-[enable-azure-ad-integration-existing-cluster]: managed-azure-ad.md#use-an-existing-cluster
+[enable-azure-ad-integration-existing-cluster]: managed-azure-ad.md#use-an-existing-cluster
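Review bot: the `-`/`+` pair for `[enable-azure-ad-integration-existing-cluster]` is textually identical, so the change is invisible as rendered (most likely trailing whitespace or a missing newline at end of file). Confirm that a whitespace-only edit is the intent; if the goal was to align the reference label with the Microsoft Entra wording, the new line still carries the old `enable-azure-ad-...` name. The same identical-pair pattern appears for `[manage-blob-storage]` and `[aks-solution-guidance]` further down.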
aks Azure Csi Blob Storage Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-csi-blob-storage-provision.md
This section provides guidance for cluster administrators who want to create one
|volumeAttributes.MSIEndpoint | Specify the MSI endpoint. | | No || |volumeAttributes.AzureStorageSPNClientID | Specify the Azure Service Principal Name (SPN) Client ID. | | No || |volumeAttributes.AzureStorageSPNTenantID | Specify the Azure SPN Tenant ID. | | No ||
-|volumeAttributes.AzureStorageAADEndpoint | Specify the Azure Active Directory (Azure AD) endpoint. | | No ||
+|volumeAttributes.AzureStorageAADEndpoint | Specify the Microsoft Entra endpoint. | | No ||
| | **Following parameters are only for feature: blobfuse read account key or SAS token from key vault** | | | | |volumeAttributes.keyVaultURL | Specify Azure Key Vault DNS name. | {vault-name}.vault.azure.net | No || |volumeAttributes.keyVaultSecretName | Specify Azure Key Vault secret name. | Existing Azure Key Vault secret name. | No ||
The following YAML creates a pod that uses the persistent volume or persistent v
[sas-tokens]: ../storage/common/storage-sas-overview.md [azure-datalake-storage-account]: ../storage/blobs/upgrade-to-data-lake-storage-gen2-how-to.md [storage-account-private-endpoint]: ../storage/common/storage-private-endpoints.md
-[manage-blob-storage]: ../storage/blobs/blob-containers-cli.md
+[manage-blob-storage]: ../storage/blobs/blob-containers-cli.md
aks Azure Netapp Files Nfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-nfs.md
To instruct Astra Trident about the Azure NetApp Files subscription and where it
clientSecret: rR0rUmWXfNioN1KhtHisiSAnoTherboGuskey6pU ```
-2. Create a file named `backend-anf.yaml` and copy in the following YAML. Change the `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. Use the `subscriptionID` for the Azure subscription where Azure NetApp Files is enabled. Obtain the `tenantID`, `clientID`, and `clientSecret` from an [application registration](../active-directory/develop/howto-create-service-principal-portal.md) in Azure Active Directory (AD) with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The location must be an Azure location that contains at least one delegated subnet created in a previous step. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads).
+2. Create a file named `backend-anf.yaml` and copy in the following YAML. Change the `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. Use the `subscriptionID` for the Azure subscription where Azure NetApp Files is enabled. Obtain the `tenantID`, `clientID`, and `clientSecret` from an [application registration](../active-directory/develop/howto-create-service-principal-portal.md) in Microsoft Entra ID with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The location must be an Azure location that contains at least one delegated subnet created in a previous step. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads).
```yaml apiVersion: trident.netapp.io/v1
aks Azure Netapp Files Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-netapp-files-smb.md
A backend must be created to instruct Astra Trident about the Azure NetApp Files
clientSecret: rR0rUmWXfNioN1KhtHisiSAnoTherboGuskey6pU ```
-2. Create a file named `backend-anf-smb.yaml` and copy in the following YAML. Change the `ClientID`, `clientSecret`, `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. The `tenantID`, `clientID`, and `clientSecret` can be found from an application registration in Azure Active Directory (AD) with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The Azure location must contain at least one delegated subnet. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads).
+2. Create a file named `backend-anf-smb.yaml` and copy in the following YAML. Change the `ClientID`, `clientSecret`, `subscriptionID`, `tenantID`, `location`, and `serviceLevel` to the correct values for your environment. The `tenantID`, `clientID`, and `clientSecret` can be found from an application registration in Microsoft Entra ID with sufficient permissions for the Azure NetApp Files service. The application registration includes the Owner or Contributor role predefined by Azure. The Azure location must contain at least one delegated subnet. The `serviceLevel` must match the `serviceLevel` configured for the capacity pool in [Configure Azure NetApp Files for AKS workloads](azure-netapp-files.md#configure-azure-netapp-files-for-aks-workloads).
```yaml apiVersion: trident.netapp.io/v1
aks Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/best-practices.md
If you're a cluster operator, work with application owners and developers to und
* [Best practices for advanced scheduler features](operator-best-practices-advanced-scheduler.md) * Includes using taints and tolerations, node selectors and affinity, and inter-pod affinity and anti-affinity. * [Best practices for authentication and authorization](operator-best-practices-identity.md)
- * Includes integration with Azure Active Directory, using Kubernetes role-based access control (Kubernetes RBAC), using Azure RBAC, and pod identities.
+ * Includes integration with Microsoft Entra ID, using Kubernetes role-based access control (Kubernetes RBAC), using Azure RBAC, and pod identities.
### Security
The following conceptual articles cover some of the fundamental features and com
For guidance on a creating full solutions with AKS for production, see [AKS solution guidance][aks-solution-guidance]. <!-- LINKS - internal -->
-[aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?WT.mc_id=AKSDOCSPAGE
+[aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?WT.mc_id=AKSDOCSPAGE
aks Cluster Container Registry Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-container-registry-integration.md
When using [Azure Container Registry (ACR)][acr-intro] with Azure Kubernetes Service (AKS), you need to establish an authentication mechanism. You can configure the required permissions between ACR and AKS using the Azure CLI, Azure PowerShell, or Azure portal. This article provides examples to configure authentication between these Azure services using the Azure CLI or Azure PowerShell.
-The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Azure Active Directory (Azure AD) **managed identity**][aad-identity] associated with the agent pool in your AKS cluster. For more information on AKS managed identities, see [Summary of managed identities][summary-msi].
+The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Microsoft Entra ID **managed identity**][aad-identity] associated with the agent pool in your AKS cluster. For more information on AKS managed identities, see [Summary of managed identities][summary-msi].
> [!IMPORTANT]
-> There's a latency issue with Azure Active Directory groups when attaching ACR. If the **AcrPull** role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there may be a delay before the RBAC group takes effect. If you're running automation that requires the RBAC configuration to be complete, we recommend you use [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue.
+> There's a latency issue with Microsoft Entra groups when attaching ACR. If the **AcrPull** role is granted to a Microsoft Entra group and the kubelet identity is added to the group to complete the RBAC configuration, there may be a delay before the RBAC group takes effect. If you're running automation that requires the RBAC configuration to be complete, we recommend you use [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Microsoft Entra group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Microsoft Entra group before a token is generated by kubelet, which avoids the latency issue.
> [!NOTE] > This article covers automatic authentication between AKS and ACR. If you need to pull an image from a private external registry, use an [image pull secret][image-pull-secret].
aks Cluster Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-extensions.md
For supported Kubernetes versions, refer to the corresponding documentation for
> For new clusters created with `az aks create`, managed identity is configured by default. For existing service principal-based clusters that need to be switched over to managed identity, it can be enabled by running `az aks update` with the `--enable-managed-identity` flag. For more information, see [Use managed identity][use-managed-identity]. > [!NOTE]
-> If you have enabled [Azure AD pod-managed identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it,
+> If you have enabled [Microsoft Entra pod-managed identity][use-azure-ad-pod-identity] on your AKS cluster or are considering implementing it,
> we recommend you first review [Workload identity overview][workload-identity-overview] to understand our
-> recommendations and options to set up your cluster to use an Azure AD workload identity (preview).
+> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview).
> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities > to federate with any external identity providers. >
-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
## Currently available extensions
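Review bot: in the rewritten note, "set up your cluster to use a Microsoft Entra Workload ID (preview)" treats the product name as a count noun; drop the article: "set up your cluster to use Microsoft Entra Workload ID (preview)". The link label `[use-azure-ad-pod-identity]` keeps its old name, which is fine as long as its definition is left unchanged elsewhere in the article.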
aks Concepts Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-identity.md
Title: Concepts - Access and identity in Azure Kubernetes Services (AKS)
-description: Learn about access and identity in Azure Kubernetes Service (AKS), including Azure Active Directory integration, Kubernetes role-based access control (Kubernetes RBAC), and roles and bindings.
+description: Learn about access and identity in Azure Kubernetes Service (AKS), including Microsoft Entra integration, Kubernetes role-based access control (Kubernetes RBAC), and roles and bindings.
Last updated 04/28/2023
You can authenticate, authorize, secure, and control access to Kubernetes clusters in a variety of ways: * Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need.
-* With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure using Azure Active Directory and Azure RBAC.
+* With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure using Microsoft Entra ID and Azure RBAC.
Kubernetes RBAC and AKS help you secure your cluster access and provide only the minimum required permissions to developers and operators.
A ClusterRole grants and applies permissions to resources across the entire clus
### RoleBindings and ClusterRoleBindings
-Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a *RoleBinding*. If your AKS cluster [integrates with Azure Active Directory (Azure AD)](#azure-ad-integration), RoleBindings grant permissions to Azure AD users to perform actions within the cluster. See how in [Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities](azure-ad-rbac.md).
+Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a *RoleBinding*. If your AKS cluster [integrates with Microsoft Entra ID](#azure-ad-integration), RoleBindings grant permissions to Microsoft Entra users to perform actions within the cluster. See how in [Control access to cluster resources using Kubernetes role-based access control and Microsoft Entra identities](azure-ad-rbac.md).
#### RoleBindings
With a ClusterRoleBinding, you bind roles to users and apply to resources across
*Service accounts* are one of the primary user types in Kubernetes. The Kubernetes API holds and manages service accounts. Service account credentials are stored as Kubernetes secrets, allowing them to be used by authorized pods to communicate with the API Server. Most API requests provide an authentication token for a service account or a normal user account.
-Normal user accounts allow more traditional access for human administrators or developers, not just services and processes. While Kubernetes doesn't provide an identity management solution to store regular user accounts and passwords, you can integrate external identity solutions into Kubernetes. For AKS clusters, this integrated identity solution is Azure AD.
+Normal user accounts allow more traditional access for human administrators or developers, not just services and processes. While Kubernetes doesn't provide an identity management solution to store regular user accounts and passwords, you can integrate external identity solutions into Kubernetes. For AKS clusters, this integrated identity solution is Microsoft Entra ID.
For more information on the identity options in Kubernetes, see [Kubernetes authentication][kubernetes-authentication].
With Azure RBAC, you can provide your users (or identities) with granular access
### Azure RBAC for Kubernetes Authorization
-With the Azure RBAC integration, AKS will use a Kubernetes Authorization webhook server so you can manage Azure AD-integrated Kubernetes cluster resource permissions and assignments using Azure role definition and role assignments.
+With the Azure RBAC integration, AKS will use a Kubernetes Authorization webhook server so you can manage Microsoft Entra integrated Kubernetes cluster resource permissions and assignments using Azure role definition and role assignments.
![Azure RBAC for Kubernetes authorization flow](media/concepts-identity/azure-rbac-k8s-authz-flow.png)
-As shown in the above diagram, when using the Azure RBAC integration, all requests to the Kubernetes API will follow the same authentication flow as explained on the [Azure Active Directory integration section](#azure-ad-integration).
+As shown in the above diagram, when using the Azure RBAC integration, all requests to the Kubernetes API will follow the same authentication flow as explained on the [Microsoft Entra integration section](#azure-ad-integration).
-If the identity making the request exists in Azure AD, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Azure AD (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC.
+If the identity making the request exists in Microsoft Entra ID, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Microsoft Entra ID (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC.
In this scenario, you use Azure RBAC mechanisms and APIs to assign users built-in roles or create custom roles, just as you would with Kubernetes roles.
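Review bot: "Azure will team with Kubernetes RBAC to authorize the request" is vague about what actually happens, and since the sentence is being rewritten for the rebrand this is the moment to make it precise. Suggest: "If the identity making the request exists in Microsoft Entra ID, the authorization webhook described above evaluates the identity's Azure role assignments alongside Kubernetes RBAC. If the identity exists outside Microsoft Entra ID (for example, a Kubernetes service account), authorization falls back to Kubernetes RBAC alone." Also replace "i.e." with "for example", since a service account is one case, not the definition.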
AKS provides the following four built-in roles. They are similar to the [Kuberne
| Azure Kubernetes Service RBAC Admin | Allows admin access, intended to be granted within a namespace. <br> Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. <br> Doesn't allow write access to resource quota or to the namespace itself. | | Azure Kubernetes Service RBAC Cluster Admin | Allows super-user access to perform any action on any resource. <br> Gives full control over every resource in the cluster and in all namespaces. |
-## Azure AD integration
+<a name='azure-ad-integration'></a>
-Enhance your AKS cluster security with Azure AD integration. Built on decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.
+## Microsoft Entra integration
-![Azure Active Directory integration with AKS clusters](media/concepts-identity/aad-integration.png)
+Enhance your AKS cluster security with Microsoft Entra integration. Built on decades of enterprise identity management, Microsoft Entra ID is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Microsoft Entra ID, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.
-With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster.
+![Microsoft Entra integration with AKS clusters](media/concepts-identity/aad-integration.png)
+
+With Microsoft Entra integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster.
1. To obtain a `kubectl` configuration context, a user runs the [az aks get-credentials][az-aks-get-credentials] command.
-1. When a user interacts with the AKS cluster with `kubectl`, they're prompted to sign in with their Azure AD credentials.
+1. When a user interacts with the AKS cluster with `kubectl`, they're prompted to sign in with their Microsoft Entra credentials.
This approach provides a single source for user account management and password credentials. The user can only access the resources as defined by the cluster administrator.
-Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][openid-connect]. From inside of the Kubernetes cluster, [Webhook Token Authentication][webhook-token-docs] is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.
+Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][openid-connect]. From inside of the Kubernetes cluster, [Webhook Token Authentication][webhook-token-docs] is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.
### Webhook and API server
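Review bot: "With Microsoft Entra integrated AKS clusters" in the paragraph after the diagram needs a hyphen as a compound modifier ("Microsoft Entra-integrated AKS clusters"), and the same applies to "Microsoft Entra integrated Kubernetes cluster resource permissions" in the Azure RBAC section above; the table below already uses the hyphenated "Microsoft Entra ID-enabled cluster", so pick one form. Keeping the `<a name='azure-ad-integration'></a>` anchor in front of the renamed heading is correct, since the RoleBindings section and the Azure RBAC paragraph both still link to `#azure-ad-integration`. The "Open ID connect" to "OpenID Connect" correction in the last paragraph is right; "From inside of the Kubernetes cluster" could also lose the "of" while that line is open.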
Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID
As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:
-1. `kubectl` uses the Azure AD client application to sign in users with [OAuth 2.0 device authorization grant flow](../active-directory/develop/v2-oauth2-device-code.md).
-2. Azure AD provides an access_token, id_token, and a refresh_token.
+1. `kubectl` uses the Microsoft Entra client application to sign in users with [OAuth 2.0 device authorization grant flow](../active-directory/develop/v2-oauth2-device-code.md).
+2. Microsoft Entra ID provides an access_token, id_token, and a refresh_token.
3. The user makes a request to `kubectl` with an access_token from `kubeconfig`. 4. `kubectl` sends the access_token to API Server. 5. The API Server is configured with the Auth WebHook Server to perform validation.
-6. The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key.
+6. The authentication webhook server confirms the JSON Web Token signature is valid by checking the Microsoft Entra public signing key.
7. The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API. 8. A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID. 9. The API performs an authorization decision based on the Kubernetes Role/RoleBinding. 10. Once authorized, the API server returns a response to `kubectl`. 11. `kubectl` provides feedback to the user.
-Learn how to integrate AKS with Azure AD with our [AKS-managed Azure AD integration how-to guide](managed-azure-ad.md).
+Learn how to integrate AKS with Microsoft Entra ID with our [AKS-managed Microsoft Entra integration how-to guide](managed-azure-ad.md).
## AKS service permissions
By default Node Access is not required for AKS. The following access is needed
## Summary
-View the table for a quick summary of how users can authenticate to Kubernetes when Azure AD integration is enabled. In all cases, the user's sequence of commands is:
+View the table for a quick summary of how users can authenticate to Kubernetes when Microsoft Entra integration is enabled. In all cases, the user's sequence of commands is:
1. Run `az login` to authenticate to Azure. 1. Run `az aks get-credentials` to download credentials for the cluster into `.kube/config`.
View the table for a quick summary of how users can authenticate to Kubernetes w
In the Azure portal, you can find: * The *Role Grant* (Azure RBAC role grant) referred to in the second column is shown on the **Access Control** tab.
-* The Cluster Admin Azure AD Group is shown on the **Configuration** tab.
+* The Cluster Admin Microsoft Entra group is shown on the **Configuration** tab.
* Also found with parameter name `--aad-admin-group-object-ids` in the Azure CLI.
-| Description | Role grant required| Cluster admin Azure AD group(s) | When to use |
+| Description | Role grant required| Cluster admin Microsoft Entra group(s) | When to use |
| -||-|-|
-| Legacy admin login using client certificate| **Azure Kubernetes Admin Role**. This role allows `az aks get-credentials` to be used with the `--admin` flag, which downloads a [legacy (non-Azure AD) cluster admin certificate](control-kubeconfig-access.md) into the user's `.kube/config`. This is the only purpose of "Azure Kubernetes Admin Role".|n/a|If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster.|
-| Azure AD with manual (Cluster)RoleBindings| **Azure Kubernetes User Role**. The "User" role allows `az aks get-credentials` to be used without the `--admin` flag. (This is the only purpose of "Azure Kubernetes User Role".) The result, on an Azure AD-enabled cluster, is the download of [an empty entry](control-kubeconfig-access.md) into `.kube/config`, which triggers browser-based authentication when it's first used by `kubectl`.| User is not in any of these groups. Because the user is not in any Cluster Admin groups, their rights will be controlled entirely by any RoleBindings or ClusterRoleBindings that have been set up by cluster admins. The (Cluster)RoleBindings [nominate Azure AD users or Azure AD groups](azure-ad-rbac.md) as their `subjects`. If no such bindings have been set up, the user will not be able to excute any `kubectl` commands.|If you want fine-grained access control, and you're not using Azure RBAC for Kubernetes Authorization. Note that the user who sets up the bindings must log in by one of the other methods listed in this table.|
-| Azure AD by member of admin group| Same as above|User is a member of one of the groups listed here. AKS automatically generates a ClusterRoleBinding that binds all of the listed groups to the `cluster-admin` Kubernetes role. So users in these groups can run all `kubectl` commands as `cluster-admin`.|If you want to conveniently grant users full admin rights, and are _not_ using Azure RBAC for Kubernetes authorization.|
-| Azure AD with Azure RBAC for Kubernetes Authorization|Two roles: <br> First, **Azure Kubernetes User Role** (as above). <br> Second, one of the "Azure Kubernetes Service **RBAC**..." roles listed above, or your own custom alternative.|The admin roles field on the Configuration tab is irrelevant when Azure RBAC for Kubernetes Authorization is enabled.|You are using Azure RBAC for Kubernetes authorization. This approach gives you fine-grained control, without the need to set up RoleBindings or ClusterRoleBindings.|
+| Legacy admin login using client certificate| **Azure Kubernetes Admin Role**. This role allows `az aks get-credentials` to be used with the `--admin` flag, which downloads a [legacy (non-Microsoft Entra) cluster admin certificate](control-kubeconfig-access.md) into the user's `.kube/config`. This is the only purpose of "Azure Kubernetes Admin Role".|n/a|If you're permanently blocked by not having access to a valid Microsoft Entra group with access to your cluster.|
+| Microsoft Entra ID with manual (Cluster)RoleBindings| **Azure Kubernetes User Role**. The "User" role allows `az aks get-credentials` to be used without the `--admin` flag. (This is the only purpose of "Azure Kubernetes User Role".) The result, on a Microsoft Entra ID-enabled cluster, is the download of [an empty entry](control-kubeconfig-access.md) into `.kube/config`, which triggers browser-based authentication when it's first used by `kubectl`.| User is not in any of these groups. Because the user is not in any Cluster Admin groups, their rights will be controlled entirely by any RoleBindings or ClusterRoleBindings that have been set up by cluster admins. The (Cluster)RoleBindings [nominate Microsoft Entra users or Microsoft Entra groups](azure-ad-rbac.md) as their `subjects`. If no such bindings have been set up, the user will not be able to excute any `kubectl` commands.|If you want fine-grained access control, and you're not using Azure RBAC for Kubernetes Authorization. Note that the user who sets up the bindings must log in by one of the other methods listed in this table.|
+| Microsoft Entra ID by member of admin group| Same as above|User is a member of one of the groups listed here. AKS automatically generates a ClusterRoleBinding that binds all of the listed groups to the `cluster-admin` Kubernetes role. So users in these groups can run all `kubectl` commands as `cluster-admin`.|If you want to conveniently grant users full admin rights, and are _not_ using Azure RBAC for Kubernetes authorization.|
+| Microsoft Entra ID with Azure RBAC for Kubernetes Authorization|Two roles: <br> First, **Azure Kubernetes User Role** (as above). <br> Second, one of the "Azure Kubernetes Service **RBAC**..." roles listed above, or your own custom alternative.|The admin roles field on the Configuration tab is irrelevant when Azure RBAC for Kubernetes Authorization is enabled.|You are using Azure RBAC for Kubernetes authorization. This approach gives you fine-grained control, without the need to set up RoleBindings or ClusterRoleBindings.|
## Next steps -- To get started with Azure AD and Kubernetes RBAC, see [Integrate Azure Active Directory with AKS][aks-aad].
+- To get started with Microsoft Entra ID and Kubernetes RBAC, see [Integrate Microsoft Entra ID with AKS][aks-aad].
- For associated best practices, see [Best practices for authentication and authorization in AKS][operator-best-practices-identity]. - To get started with Azure RBAC for Kubernetes Authorization, see [Use Azure RBAC to authorize access within the Azure Kubernetes Service (AKS) Cluster](manage-azure-rbac.md). - To get started securing your `kubeconfig` file, see [Limit access to cluster configuration file](control-kubeconfig-access.md).
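Review bot: typo in the added table row for "Microsoft Entra ID with manual (Cluster)RoleBindings": `excute` should be `execute` ("the user will not be able to execute any `kubectl` commands"). This row is new text rather than a mechanical rename, so it is worth correcting in the same commit; the rest of the row, including the point that a user outside every admin group has no rights until a RoleBinding or ClusterRoleBinding names them, reads correctly.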
aks Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-security.md
In AKS, the Kubernetes master components are part of the managed service provide
By default, the Kubernetes API server uses a public IP address and a fully qualified domain name (FQDN). You can limit access to the API server endpoint using [authorized IP ranges][authorized-ip-ranges]. You can also create a fully [private cluster][private-clusters] to limit API server access to your virtual network.
-You can control access to the API server using Kubernetes role-based access control (Kubernetes RBAC) and Azure RBAC. For more information, see [Azure AD integration with AKS][aks-aad].
+You can control access to the API server using Kubernetes role-based access control (Kubernetes RBAC) and Azure RBAC. For more information, see [Microsoft Entra integration with AKS][aks-aad].
## Node security
aks Control Kubeconfig Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/control-kubeconfig-access.md
When you interact with an AKS cluster using the `kubectl` tool, a configuration
The [`az aks get-credentials`][az-aks-get-credentials] command lets you get the access credentials for an AKS cluster and merges these credentials into the *kubeconfig* file. You can use Azure RBAC to control access to these credentials. These Azure roles let you define who can retrieve the *kubeconfig* file and what permissions they have within the cluster.
-There are two Azure roles you can apply to an Azure Active Directory (Azure AD) user or group:
+There are two Azure roles you can apply to a Microsoft Entra user or group:
- **Azure Kubernetes Service Cluster Admin Role**
There are two Azure roles you can apply to an Azure Active Directory (Azure AD)
* Downloads *kubeconfig* for *clusterUser* role. > [!NOTE]
-> On clusters that use Azure AD, users with the *clusterUser* role have an empty *kubeconfig* file that prompts a login. Once logged in, users have access based on their Azure AD user or group settings. Users with the *clusterAdmin* role have admin access.
+> On clusters that use Microsoft Entra ID, users with the *clusterUser* role have an empty *kubeconfig* file that prompts a login. Once logged in, users have access based on their Microsoft Entra user or group settings. Users with the *clusterAdmin* role have admin access.
>
-> On clusters that don't use Azure AD, the *clusterUser* role has same effect of *clusterAdmin* role.
+> On clusters that don't use Microsoft Entra ID, the *clusterUser* role has same effect of *clusterAdmin* role.
## Assign role permissions to a user or group
-To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group using the following steps:
+To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Microsoft Entra user account or group using the following steps:
1. Get the cluster resource ID using the [`az aks show`][az-aks-show] command for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. Provide your own cluster and resource group name as needed. 2. Use the [`az account show`][az-account-show] and [`az ad user show`][az-ad-user-show] commands to get your user ID.
az role assignment create \
--role "Azure Kubernetes Service Cluster Admin Role" ```
-If you want to assign permissions to an Azure AD group, update the `--assignee` parameter shown in the previous example with the object ID for the *group* rather than the *user*.
+If you want to assign permissions to a Microsoft Entra group, update the `--assignee` parameter shown in the previous example with the object ID for the *group* rather than the *user*.
-To get the object ID for a group, use the [`az ad group show`][az-ad-group-show] command. The following command gets the object ID for the Azure AD group named *appdev*:
+To get the object ID for a group, use the [`az ad group show`][az-ad-group-show] command. The following command gets the object ID for the Microsoft Entra group named *appdev*:
```azurecli-interactive az ad group show --group appdev --query objectId -o tsv ``` > [!IMPORTANT]
-> In some cases, such as Azure AD guest users, the *user.name* in the account is different than the *userPrincipalName*.
+> In some cases, such as Microsoft Entra guest users, the *user.name* in the account is different than the *userPrincipalName*.
> > ```azurecli-interactive > $ az account show --query user.name -o tsv
az ad group show --group appdev --query objectId -o tsv
> user_contoso.com#EXT#@contoso.onmicrosoft.com > ``` >
-> In this case, set the value of *ACCOUNT_UPN* to the *userPrincipalName* from the Azure AD user. For example, if your account *user.name* is *user\@contoso.com*, this action would look like the following example:
+> In this case, set the value of *ACCOUNT_UPN* to the *userPrincipalName* from the Microsoft Entra user. For example, if your account *user.name* is *user\@contoso.com*, this action would look like the following example:
> > ```azurecli-interactive > ACCOUNT_UPN=$(az ad user list --query "[?contains(otherMails,'user@contoso.com')].{UPN:userPrincipalName}" -o tsv)
az role assignment delete --assignee $ACCOUNT_ID --scope $AKS_CLUSTER
## Next steps
-For enhanced security on access to AKS clusters, [integrate Azure Active Directory authentication][aad-integration].
+For enhanced security on access to AKS clusters, [integrate Microsoft Entra authentication][aad-integration].
<!-- LINKS - external --> [kubectl-config-use-context]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
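Review bot: the renamed NOTE line "On clusters that don't use Microsoft Entra ID, the *clusterUser* role has same effect of *clusterAdmin* role" carries over a grammatical error from the old text; suggest "the *clusterUser* role has the same effect as the *clusterAdmin* role". Since this sentence is the one place the article warns that the User role grants full admin access on a cluster without Microsoft Entra integration, it deserves to read cleanly.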
aks Csi Migrate In Tree Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-migrate-in-tree-volumes.md
To make this process as simple as possible, and to ensure no data loss, this art
## Before you begin * The Azure CLI version 2.37.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
-* Kubectl and cluster administrators have access to create, get, list, delete access to a PVC or PV, volume snapshot, or volume snapshot content. For an Azure Active Directory (Azure AD) RBAC enabled cluster, you're a member of the [Azure Kubernetes Service RBAC Cluster Admin][aks-rbac-cluster-admin-role] role.
+* Kubectl and cluster administrators have access to create, get, list, delete access to a PVC or PV, volume snapshot, or volume snapshot content. For a Microsoft Entra RBAC enabled cluster, you're a member of the [Azure Kubernetes Service RBAC Cluster Admin][aks-rbac-cluster-admin-role] role.
## Migrate Disk volumes
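Review bot: "For a Microsoft Entra RBAC enabled cluster" in the renamed prerequisite is ambiguous and, at minimum, needs a hyphen ("RBAC-enabled"). The role it refers to, *Azure Kubernetes Service RBAC Cluster Admin*, is one of the Azure RBAC for Kubernetes Authorization roles described in the concepts-identity table in this same change set, so "For a cluster with Azure RBAC for Kubernetes authorization enabled" would be both clearer and consistent with that table.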
aks Csi Secrets Store Driver https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-driver.md
A container using *subPath volume mount* won't receive secret updates when it's
2. Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command and enable the `azure-keyvault-secrets-provider` add-on. > [!NOTE]
- > If you want to use Azure AD workload identity, you must also use the `--enable-oidc-issuer` and `--enable-workload-identity` parameters, such as in the following example:
+ > If you want to use Microsoft Entra Workload ID, you must also use the `--enable-oidc-issuer` and `--enable-workload-identity` parameters, such as in the following example:
> > ```azurecli-interactive > az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-oidc-issuer --enable-workload-identity
A container using *subPath volume mount* won't receive secret updates when it's
The Secrets Store CSI Driver allows for the following methods to access an Azure key vault:
-* An [Azure Active Directory workload identity][aad-workload-identity]
+* An [Microsoft Entra Workload ID][aad-workload-identity]
* A user-assigned or system-assigned managed identity Follow the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods] for your chosen method.
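Review bot: article mismatch in the added bullet "An [Microsoft Entra Workload ID][aad-workload-identity]"; the rename changed the noun but not the article, so it should read "A [Microsoft Entra Workload ID][aad-workload-identity]".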
aks Csi Secrets Store Identity Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md
The Secrets Store CSI Driver on Azure Kubernetes Service (AKS) provides various
The following access methods are available: -- Azure Active Directory (Azure AD) workload identity
+- Microsoft Entra Workload ID
- User-assigned managed identity
-## Access with an Azure AD workload identity
+<a name='access-with-an-azure-ad-workload-identity'></a>
-An [Azure AD workload identity][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Azure AD then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL).
+## Access with a Microsoft Entra Workload ID
+
+An [Microsoft Entra Workload ID][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL).
> [!NOTE]
-> This authentication method replaces Azure AD pod-managed identity (preview). The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
+> This authentication method replaces Microsoft Entra pod-managed identity (preview). The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
### Prerequisites
Before you begin, you must have the following prerequisites:
- An existing AKS cluster with `--enable-oidc-issuer` and `--enable-workload-identity` enabled. > [!NOTE]
-> Azure AD workload identity is supported on both Windows and Linux clusters.
+> Microsoft Entra Workload ID is supported on both Windows and Linux clusters.
### Configure workload identity
Before you begin, you must have the following prerequisites:
echo $AKS_OIDC_ISSUER ```
-5. Establish a federated identity credential between the Azure AD application and the service account issuer and subject. Get the object ID of the Azure AD application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.
+5. Establish a federated identity credential between the Microsoft Entra application and the service account issuer and subject. Get the object ID of the Microsoft Entra application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.
```bash export SERVICE_ACCOUNT_NAME="workload-identity-sa" # sample name; can be changed
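Review bot: the added paragraph opens with "An [Microsoft Entra Workload ID][workload-identity] is an identity..."; the article should be "A" now that the noun no longer starts with a vowel sound. While touching the line, the clause "using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL)" repeats "using"; "using the Azure Identity client library from the Azure SDK, or the Microsoft Authentication Library (MSAL)" is the intended reading.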
aks Csi Secrets Store Nginx Tls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-nginx-tls.md
Depending on your scenario, you can choose to bind the certificate to either the
> [!NOTE] >
- > - If not using Azure Active Directory (Azure AD) pod-managed identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME` .
+ > - If not using Microsoft Entra pod-managed identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME` .
> > - Also, binding the SecretProviderClass to a pod is required for the Secrets Store CSI Driver to mount it and generate the Kubernetes secret. See [Sync mounted content with a Kubernetes secret][az-keyvault-mirror-as-secret] .
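Review bot: the renamed NOTE still instructs readers on "Microsoft Entra pod-managed identity" as an access method, but the csi-secrets-store-identity-access change in this same commit states that pod-managed identity (preview) has been deprecated since 10/24/2022 and is replaced by Microsoft Entra Workload ID. Consider adding a pointer to that deprecation here, or rewording the bullet so it does not read as a currently recommended option.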
aks Csi Storage Drivers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-storage-drivers.md
The CSI storage driver support on AKS allows you to natively use:
CSI storage drivers support the following scenarios:
-* [Encrypted managed disks with customer-managed keys][encrypt-managed-disks-customer-managed-keys] using Azure Key Vaults stored in a different Azure Active Directory (Azure AD) tenant.
+* [Encrypted managed disks with customer-managed keys][encrypt-managed-disks-customer-managed-keys] using Azure Key Vaults stored in a different Microsoft Entra tenant.
* Encrypt your Azure Storage disks hosting AKS OS and application data with [customer-managed keys][azure-disk-customer-managed-keys]. ## Enable CSI storage drivers on an existing cluster
aks Dapr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-overview.md
Lastly, the Dapr extension is an extension of AKS, therefore you can expect the
[Learn more about migrating from Dapr OSS to the Dapr extension for AKS][dapr-migration].
-### How can I authenticate Dapr components with Azure AD using managed identities?
+<a name='how-can-i-authenticate-dapr-components-with-azure-ad-using-managed-identities'></a>
-- Learn how [Dapr components authenticate with Azure AD][dapr-msi].
+### How can I authenticate Dapr components with Microsoft Entra ID using managed identities?
+
+- Learn how [Dapr components authenticate with Microsoft Entra ID][dapr-msi].
- Learn about [using managed identities with AKS][aks-msi]. ### How can I switch to using the Dapr extension if IΓÇÖve already installed Dapr via a method, such as Helm?
aks Developer Best Practices Pod Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/developer-best-practices-pod-security.md
This best practices article focuses on how to secure pods in AKS. You learn how
> [!div class="checklist"] > * Use pod security context to limit access to processes and services or privilege escalation
-> * Authenticate with other Azure resources using Azure Active Directory workload identities
+> * Authenticate with other Azure resources using Microsoft Entra Workload ID
> * Request and retrieve credentials from a digital vault such as Azure Key Vault You can also read the best practices for [cluster security][best-practices-cluster-security] and for [container image management][best-practices-container-image-management].
Work with your cluster operator to determine what security context settings you
To limit the risk of credentials being exposed in your application code, avoid the use of fixed or shared credentials. Credentials or keys shouldn't be included directly in your code. If these credentials are exposed, the application needs to be updated and redeployed. A better approach is to give pods their own identity and way to authenticate themselves, or automatically retrieve credentials from a digital vault.
-#### Use an Azure AD workload identity
+<a name='use-an-azure-ad-workload-identity'></a>
-A workload identity is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the [Azure SDK][azure-sdk-download] or the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL).
+#### Use a Microsoft Entra Workload ID
-For more information about workload identities, see [Configure an AKS cluster to use Azure AD workload identities with your applications][workload-identity-overview]
+A workload identity is an identity used by an application running on a pod that can authenticate itself against other Azure services that support it, such as Storage or SQL. It integrates with the capabilities native to Kubernetes to federate with external identity providers. In this security model, the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library using the [Azure SDK][azure-sdk-download] or the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL).
+
+For more information about workload identities, see [Configure an AKS cluster to use Microsoft Entra Workload ID with your applications][workload-identity-overview]
#### Use Azure Key Vault with Secrets Store CSI Driver
-Using the [Azure AD workload identity][workload-identity-overview] enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. A digital vault can be used to store these secret contents.
+Using the [Microsoft Entra Workload ID][workload-identity-overview] enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. A digital vault can be used to store these secret contents.
When applications need a credential, they communicate with the digital vault, retrieve the latest secret contents, and then connect to the required service. Azure Key Vault can be this digital vault. The simplified workflow for retrieving a credential from Azure Key Vault using pod managed identities is shown in the following diagram: :::image type="content" source="media/developer-best-practices-pod-security/basic-key-vault.svg" alt-text="Simplified workflow for retrieving a credential from Key Vault using a pod managed identity":::
-With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using the [Azure Key Vault provider for the Secrets Store CSI Driver][aks-keyvault-csi-driver]. The Secrets Store CSI driver enables the AKS cluster to natively retrieve secret contents from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Secrets Store CSI Driver onto AKS worker nodes. You can use an Azure AD workload identity to request access to Key Vault and retrieve the secret contents needed through the Secrets Store CSI Driver.
+With Key Vault, you store and regularly rotate secrets such as credentials, storage account keys, or certificates. You can integrate Azure Key Vault with an AKS cluster using the [Azure Key Vault provider for the Secrets Store CSI Driver][aks-keyvault-csi-driver]. The Secrets Store CSI driver enables the AKS cluster to natively retrieve secret contents from Key Vault and securely provide them only to the requesting pod. Work with your cluster operator to deploy the Secrets Store CSI Driver onto AKS worker nodes. You can use a Microsoft Entra Workload ID to request access to Key Vault and retrieve the secret contents needed through the Secrets Store CSI Driver.
## Next steps This article focused on how to secure your pods. To implement some of these areas, see the following articles:
-* [Use Azure AD workload identities for Azure resources with AKS][workload-identity-overview] (preview)
+* [Use Microsoft Entra Workload ID for Azure resources with AKS][workload-identity-overview] (preview)
* [Integrate Azure Key Vault with AKS][aks-keyvault-csi-driver] <!-- EXTERNAL LINKS -->
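Review bot: the renamed paragraph keeps a comma splice: "the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys"; suggest "acts as token issuer; Microsoft Entra ID then uses OpenID Connect...", matching the wording used in the csi-secrets-store-identity-access article in this same change. Separately, the unchanged context line that follows the Key Vault hunk still describes the diagram as "retrieving a credential from Azure Key Vault using pod managed identities" (and the image alt text repeats it), while the hunk now says to use a Microsoft Entra Workload ID for that access; that sentence and alt text should be updated together with the hunk so the section is internally consistent.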
aks Edge Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/edge-zones.md
In this section you'll learn how to deploy a Kubernetes cluster in the Edge Zone
7. On the **Access** page, configure the following options:
- - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
+ - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
- The Kubernetes role-based access control (RBAC) option is the default value to provide more fine-grained control over access to the Kubernetes resources deployed in your AKS cluster. By default, *Basic* networking is used, and [Container insights](../azure-monitor/containers/container-insights-overview.md) is enabled.
After deploying your AKS cluster in an Edge Zone, learn about how you can [confi
[public-mec-sign-up]: https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbRx4AG8rZKBBDoHEYyD9u_bxUMUVaSlhYMFA2RjUzSklKR0YyREZZNURTRi4u [az-aks-create]: /cli/azure/aks#az_aks_create
-[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal
+[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal
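Review bot: the `-`/`+` pair for `[preset-config]: ./quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal` shows no visible difference, so the change is presumably trailing whitespace or a missing newline at end of file. Please confirm that is intentional (a final newline is fine) rather than an accidental edit to the link definition.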
aks Intro Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md
You can create an AKS cluster using:
* [Azure portal][aks-quickstart-portal] * Template-driven deployment options, like [Azure Resource Manager templates][aks-quickstart-template], [Bicep](../azure-resource-manager/bicep/overview.md), and Terraform.
-When you deploy an AKS cluster, you specify the number and size of the nodes, and AKS deploys and configures the Kubernetes control plane and nodes. [Advanced networking][aks-networking], [Azure Active Directory (Azure AD) integration][aad], [monitoring][aks-monitor], and other features can be configured during the deployment process.
+When you deploy an AKS cluster, you specify the number and size of the nodes, and AKS deploys and configures the Kubernetes control plane and nodes. [Advanced networking][aks-networking], [Microsoft Entra integration][aad], [monitoring][aks-monitor], and other features can be configured during the deployment process.
For more information on Kubernetes basics, see [Kubernetes core concepts for AKS][concepts-clusters-workloads].
For more information on Kubernetes basics, see [Kubernetes core concepts for AKS
## Access, security, and monitoring
-For improved security and management, you can integrate with [Azure AD][aad] to:
+For improved security and management, you can integrate with [Microsoft Entra ID][aad] to:
* Use Kubernetes role-based access control (Kubernetes RBAC). * Monitor the health of your cluster and resources.
For improved security and management, you can integrate with [Azure AD][aad] to:
To limit access to cluster resources, AKS supports [Kubernetes RBAC][kubernetes-rbac]. Kubernetes RBAC controls access and permissions to Kubernetes resources and namespaces.
-#### Azure AD
+<a name='azure-ad'></a>
-You can configure an AKS cluster to integrate with Azure AD. With Azure AD integration, you can set up Kubernetes access based on existing identity and group membership. Your existing Azure AD users and groups can be provided with an integrated sign-on experience and access to AKS resources.
+#### Microsoft Entra ID
+
+You can configure an AKS cluster to integrate with Microsoft Entra ID. With Microsoft Entra integration, you can set up Kubernetes access based on existing identity and group membership. Your existing Microsoft Entra users and groups can be provided with an integrated sign-on experience and access to AKS resources.
For more information on identity, see [Access and identity options for AKS][concepts-identity].
-To secure your AKS clusters, see [Integrate Azure AD with AKS][aks-aad].
+To secure your AKS clusters, see [Integrate Microsoft Entra ID with AKS][aks-aad].
### Integrated logging and monitoring
aks Kubernetes Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-portal.md
The Kubernetes resource view from the Azure portal replaces the deprecated AKS d
## Prerequisites
-To view Kubernetes resources in the Azure portal, you need an AKS cluster. Any cluster is supported, but if you're using Azure Active Directory (Azure AD) integration, your cluster must use [AKS-managed Azure AD integration][aks-managed-aad]. If your cluster uses legacy Azure AD, you can upgrade your cluster in the portal or with the [Azure CLI][cli-aad-upgrade]. You can also [use the Azure portal][aks-quickstart-portal] to create a new AKS cluster.
+To view Kubernetes resources in the Azure portal, you need an AKS cluster. Any cluster is supported, but if you're using Microsoft Entra integration, your cluster must use [AKS-managed Microsoft Entra integration][aks-managed-aad]. If your cluster uses legacy Microsoft Entra ID, you can upgrade your cluster in the portal or with the [Azure CLI][cli-aad-upgrade]. You can also [use the Azure portal][aks-quickstart-portal] to create a new AKS cluster.
## View Kubernetes resources
This section addresses common problems and troubleshooting steps.
To access the Kubernetes resources, you must have access to the AKS cluster, the Kubernetes API, and the Kubernetes objects. Ensure that you're either a cluster administrator or a user with the appropriate permissions to access the AKS cluster. For more information on cluster security, see [Access and identity options for AKS][concepts-identity]. >[!NOTE]
-> The Kubernetes resource view in the Azure portal is only supported by [managed-AAD enabled clusters](managed-azure-ad.md) or non-AAD enabled clusters. If you're using a managed-AAD enabled cluster, your AAD user or identity needs to have the respective roles/role bindings to access the Kubernetes API and the permission to pull the [user `kubeconfig`](control-kubeconfig-access.md).
+> The Kubernetes resource view in the Azure portal is only supported by [managed-AAD enabled clusters](managed-azure-ad.md) or non-AAD enabled clusters. If you're using a managed-AAD enabled cluster, your Microsoft Entra user or identity needs to have the respective roles/role bindings to access the Kubernetes API and the permission to pull the [user `kubeconfig`](control-kubeconfig-access.md).
### Enable resource view
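Review bot: the renamed NOTE is only half updated: it now says "your Microsoft Entra user or identity" but still refers to "[managed-AAD enabled clusters](managed-azure-ad.md) or non-AAD enabled clusters". The Prerequisites hunk in this same file already uses "AKS-managed Microsoft Entra integration", so the NOTE should use the same terminology, for example "clusters with AKS-managed Microsoft Entra integration or clusters without Microsoft Entra integration".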
aks Kubernetes Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/kubernetes-service-principal.md
Title: Use a service principal with Azure Kubernetes Services (AKS)
-description: Learn how to create and manage an Azure Active Directory service principal with a cluster in Azure Kubernetes Service (AKS).
+description: Learn how to create and manage a Microsoft Entra service principal with a cluster in Azure Kubernetes Service (AKS).
Last updated 06/27/2023
# Use a service principal with Azure Kubernetes Service (AKS)
-An AKS cluster requires either an [Azure Active Directory (AD) service principal][aad-service-principal] or a [managed identity][managed-identity-resources-overview] to dynamically create and manage other Azure resources, such as an Azure Load Balancer or Azure Container Registry (ACR).
+An AKS cluster requires either an [Microsoft Entra service principal][aad-service-principal] or a [managed identity][managed-identity-resources-overview] to dynamically create and manage other Azure resources, such as an Azure Load Balancer or Azure Container Registry (ACR).
> [!NOTE] > We recommend using managed identities to authenticate with other resources in Azure, and they're the default authentication method for your AKS cluster. For more information about using a managed identity with your cluster, see [Use a system-assigned managed identity][use-managed-identity].
This article shows you how to create and use a service principal for your AKS cl
## Before you begin
-To create an Azure AD service principal, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, you need to ask your Azure AD or subscription administrator to assign the necessary permissions or pre-create a service principal for you to use with your AKS cluster.
+To create a Microsoft Entra service principal, you must have permissions to register an application with your Microsoft Entra tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, you need to ask your Microsoft Entra ID or subscription administrator to assign the necessary permissions or pre-create a service principal for you to use with your AKS cluster.
-If you're using a service principal from a different Azure AD tenant, there are other considerations around the permissions available when you deploy the cluster. You may not have the appropriate permissions to read and write directory information. For more information, see [What are the default user permissions in Azure Active Directory?][azure-ad-permissions]
+If you're using a service principal from a different Microsoft Entra tenant, there are other considerations around the permissions available when you deploy the cluster. You may not have the appropriate permissions to read and write directory information. For more information, see [What are the default user permissions in Microsoft Entra ID?][azure-ad-permissions]
## Prerequisites
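Review bot: L2728 now reads "ask your Microsoft Entra ID or subscription administrator", which parses as an "Entra ID administrator" rather than a tenant administrator; suggest "ask your Microsoft Entra tenant administrator or your subscription administrator" so the two roles (application registration in the tenant, role assignment in the subscription, as listed in the first sentence of L2728) stay distinct.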
If you use Virtual Kubelet to integrate with AKS and choose to run Azure Contain
### [Azure CLI](#tab/azure-cli)
-When using AKS and an Azure AD service principal, consider the following:
+When using AKS and a Microsoft Entra service principal, consider the following:
* The service principal for Kubernetes is a part of the cluster configuration, but don't use this identity to deploy the cluster. * By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.
-* Every service principal is associated with an Azure AD application. You can associate the service principal for a Kubernetes cluster with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.
+* Every service principal is associated with a Microsoft Entra application. You can associate the service principal for a Kubernetes cluster with any valid Microsoft Entra application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.
* When you specify the service principal **Client ID**, use the value of the `appId`. * On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the `/etc/kubernetes/azure.json` file. * When you delete an AKS cluster that was created using the [`az aks create`][az-aks-create] command, the service principal created isn't automatically deleted.
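Review bot: the bullets on L2736 and L2739 state that the service principal secret is valid for one year, is written to `/etc/kubernetes/azure.json` on every agent node, and is not deleted when the cluster is deleted, but the hunk never draws the conclusion: anyone with root on a node can read the cluster's Azure credential, and that credential outlives the cluster. Suggest adding one sentence after the last bullet recommending that the service principal be deleted, or at least its secret rotated, when the cluster is removed, reusing the `[update-credentials]` link already present on L2736.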
When using AKS and an Azure AD service principal, consider the following:
### [Azure PowerShell](#tab/azure-powershell)
-When using AKS and an Azure AD service principal, consider the following:
+When using AKS and a Microsoft Entra service principal, consider the following:
* The service principal for Kubernetes is a part of the cluster configuration, but don't use this identity to deploy the cluster. * By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.
-* Every service principal is associated with an Azure AD application. You can associate the service principal for a Kubernetes cluster with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.
+* Every service principal is associated with a Microsoft Entra application. You can associate the service principal for a Kubernetes cluster with any valid Microsoft Entra application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.
* When you specify the service principal **Client ID**, use the value of the `ApplicationId`. * On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the `/etc/kubernetes/azure.json` file. * When you delete an AKS cluster that was created using the [`New-AzAksCluster`][new-azakscluster], the service principal created isn't automatically deleted.
The default expiration time for the service principal credentials is one year. I
## Next steps
-For more information about Azure Active Directory service principals, see [Application and service principal objects][service-principal].
+For more information about Microsoft Entra service principals, see [Application and service principal objects][service-principal].
For information on how to update the credentials, see [Update or rotate the credentials for a service principal in AKS][update-credentials].
aks Quick Kubernetes Deploy Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/quick-kubernetes-deploy-portal.md
This quickstart assumes a basic understanding of Kubernetes concepts. For more i
1. On the **Node pools** page, leave the default options and then select **Next: Access**. 1. On the **Access** page, configure the following options:
- - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more details about managed identities, see [What are managed identities for Azure resources?](../../active-directory/managed-identities-azure-resources/overview.md)
+ - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. For more details about managed identities, see [What are managed identities for Azure resources?](../../active-directory/managed-identities-azure-resources/overview.md)
- The Kubernetes role-based access control (RBAC) option is the default value to provide more fine-grained control over access to the Kubernetes resources deployed in your AKS cluster. 1. Select **Next: Networking** when complete.
aks Tutorial Kubernetes Workload Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/learn/tutorial-kubernetes-workload-identity.md
Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you qui
* Deploy an AKS cluster using the Azure CLI with OpenID Connect (OIDC) Issuer and managed identity. * Create an Azure Key Vault and secret.
-* Create an Azure Active Directory (Azure AD) workload identity and Kubernetes service account.
+* Create a Microsoft Entra Workload ID and Kubernetes service account.
* Configure the managed identity for token federation. * Deploy the workload and verify authentication with the workload identity. ## Before you begin * This tutorial assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts].
-* If you aren't familiar with Azure AD workload identity, see the [Azure AD workload identity overview][workload-identity-overview].
+* If you aren't familiar with Microsoft Entra Workload ID, see the [Microsoft Entra Workload ID overview][workload-identity-overview].
* When you create an AKS cluster, a second resource group is automatically created to store the AKS resources. For more information, see [Why are two resource groups created with AKS?][aks-two-resource-groups] ## Prerequisites
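Review bot: L2763 turns the product name into a countable noun: "Create a Microsoft Entra Workload ID and Kubernetes service account". The object created in that step is the managed identity that L2761 and L2764 refer to, so suggest "Create the managed identity and Kubernetes service account used by Microsoft Entra Workload ID", reserving "Microsoft Entra Workload ID" for the feature name as on L2766.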
You may wish to leave these resources in place. If you no longer need these reso
## Next steps
-In this tutorial, you deployed a Kubernetes cluster and deployed a simple container application to test working with an Azure AD workload identity.
+In this tutorial, you deployed a Kubernetes cluster and deployed a simple container application to test working with a Microsoft Entra Workload ID.
This tutorial is for introductory purposes. For guidance on a creating full solutions with AKS for production, see [AKS solution guidance][aks-solution-guidance].
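Review bot: L2771 has the same noun problem as the earlier hunk ("test working with a Microsoft Entra Workload ID"); suggest "test authentication with Microsoft Entra Workload ID". Unrelated to the rename but in the same context line, L2772 reads "For guidance on a creating full solutions"; drop the stray "a".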
aks Manage Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-azure-rbac.md
# Use Azure role-based access control for Kubernetes Authorization
-When you leverage [integrated authentication between Azure Active Directory (Azure AD) and AKS](managed-azure-ad.md), you can use Azure AD users, groups, or service principals as subjects in [Kubernetes role-based access control (Kubernetes RBAC)][kubernetes-rbac]. This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately.
+When you leverage [integrated authentication between Microsoft Entra ID and AKS](managed-azure-ad.md), you can use Microsoft Entra users, groups, or service principals as subjects in [Kubernetes role-based access control (Kubernetes RBAC)][kubernetes-rbac]. This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately.
This article covers how to use Azure RBAC for Kubernetes Authorization, which allows for the unified management and access control across Azure resources, AKS, and Kubernetes resources. For more information, see [Azure RBAC for Kubernetes Authorization][kubernetes-rbac].
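Review bot: L2776 and L2777 both resolve to the same reference `[kubernetes-rbac]`, once for "Kubernetes role-based access control (Kubernetes RBAC)" and once for "Azure RBAC for Kubernetes Authorization". These are different authorization mechanisms, and the last sentence of L2776 depends on the reader keeping them apart, so one of the two links points at the wrong target; check the link definitions at the bottom of the article and give the Azure RBAC link its own reference.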
This article covers how to use Azure RBAC for Kubernetes Authorization, which al
* You need the Azure CLI version 2.24.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. * You need `kubectl`, with a minimum version of [1.18.3](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183).
-* You need managed Azure AD integration enabled on your cluster before you can add Azure RBAC for Kubernetes authorization. If you need to enable managed Azure AD integration, see [Use Azure AD in AKS](managed-azure-ad.md).
+* You need managed Microsoft Entra integration enabled on your cluster before you can add Azure RBAC for Kubernetes authorization. If you need to enable managed Microsoft Entra integration, see [Use Microsoft Entra ID in AKS](managed-azure-ad.md).
* If you have CRDs and are making custom role definitions, the only way to cover CRDs today is to use `Microsoft.ContainerService/managedClusters/*/read`. For the remaining objects, you can use the specific API groups, such as `Microsoft.ContainerService/apps/deployments/read`. * New role assignments can take up to five minutes to propagate and be updated by the authorization server.
-* Azure RBAC for Kubernetes Authorization requires that the Azure AD tenant configured for authentication is same as the tenant for the subscription that holds your AKS cluster.
+* Azure RBAC for Kubernetes Authorization requires that the Microsoft Entra tenant configured for authentication is same as the tenant for the subscription that holds your AKS cluster.
-## Create a new AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization
+<a name='create-a-new-aks-cluster-with-managed-azure-ad-integration-and-azure-rbac-for-kubernetes-authorization'></a>
+
+## Create a new AKS cluster with managed Microsoft Entra integration and Azure RBAC for Kubernetes Authorization
Create an Azure resource group using the [`az group create`][az-group-create] command.
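Review bot: L2784 is missing an article: "is same as the tenant" should be "is the same as the tenant". In the same hunk, L2782 tells readers to use `Microsoft.ContainerService/managedClusters/*/read` to cover CRDs in custom role definitions without saying what the wildcard grants: read access to every resource type under the cluster, not only the CRDs. Suggest a short caveat that this is broader than a CRD-only read and that a role built this way should be assigned at the narrowest scope the workload needs.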
Create an Azure resource group using the [`az group create`][az-group-create] co
az group create --name myResourceGroup --location westus2 ```
-Create an AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization using the [`az aks create`][az-aks-create] command.
+Create an AKS cluster with managed Microsoft Entra integration and Azure RBAC for Kubernetes Authorization using the [`az aks create`][az-aks-create] command.
```azurecli-interactive az aks create -g myResourceGroup -n myManagedCluster --enable-aad --enable-azure-rbac
aks Manage Local Accounts Managed Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/manage-local-accounts-managed-azure-ad.md
Title: Manage local accounts with AKS-managed Azure Active Directory integration
-description: Learn how to managed local accounts when integrating Azure AD in your Azure Kubernetes Service (AKS) clusters.
+ Title: Manage local accounts with AKS-managed Microsoft Entra integration
+description: Learn how to managed local accounts when integrating Microsoft Entra ID in your Azure Kubernetes Service (AKS) clusters.
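Review bot: the typo in the description survived the rename: L2799 still says "Learn how to managed local accounts"; it should be "Learn how to manage local accounts".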
Last updated 04/20/2023
-# Manage local accounts with AKS-managed Azure Active Directory integration
+# Manage local accounts with AKS-managed Microsoft Entra integration
-When you deploy an AKS cluster, local accounts are enabled by default. Even when you enable RBAC or Azure AD integration, `--admin` access still exists as a non-auditable backdoor option. This article shows you how to disable local accounts on an existing cluster, create a new cluster with local accounts disabled, and re-enable local accounts on existing clusters.
+When you deploy an AKS cluster, local accounts are enabled by default. Even when you enable RBAC or Microsoft Entra integration, `--admin` access still exists as a non-auditable backdoor option. This article shows you how to disable local accounts on an existing cluster, create a new cluster with local accounts disabled, and re-enable local accounts on existing clusters.
## Before you begin
-* See [AKS-managed Azure Active Directory integration](./managed-azure-ad.md) for an overview and setup instructions.
+* See [AKS-managed Microsoft Entra integration](./managed-azure-ad.md) for an overview and setup instructions.
## Disable local accounts
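Review bot: L2804 calls `--admin` access "a non-auditable backdoor option" without saying what it is. Suggest spelling out that this is the static cluster-admin credential returned by `az aks get-credentials --admin`, which bypasses Microsoft Entra sign-in entirely; that also explains why the note on L2813 requires certificate rotation after local accounts are disabled, since credentials already downloaded are not revoked by the API change alone.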
You can disable local accounts using the parameter `disable-local-accounts`. The
> [!NOTE] >
-> * On clusters with Azure AD integration enabled, users assigned to an Azure AD administrators group specified by `aad-admin-group-object-ids` can still gain access using non-administrator credentials. On clusters without Azure AD integration enabled and `properties.disableLocalAccounts` set to `true`, any attempt to authenticate with user or admin credentials will fail.
+> * On clusters with Microsoft Entra integration enabled, users assigned to a Microsoft Entra administrators group specified by `aad-admin-group-object-ids` can still gain access using non-administrator credentials. On clusters without Microsoft Entra integration enabled and `properties.disableLocalAccounts` set to `true`, any attempt to authenticate with user or admin credentials will fail.
> > * After disabling local user accounts on an existing AKS cluster where users might have authenticated with local accounts, the administrator must [rotate the cluster certificates](certificate-rotation.md) to revoke certificates they might have had access to. If this is a new cluster, no action is required.
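Review bot: "using non-administrator credentials" on L2812 is ambiguous; it means the ordinary user credentials obtained with `az aks get-credentials` without `--admin`, authenticated through Microsoft Entra ID, so say that. The second sentence on L2812 describes a lockout condition (no Microsoft Entra integration plus `properties.disableLocalAccounts` set to `true` leaves no credential that can authenticate at all) and deserves a warning callout of its own rather than a bullet inside a note.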
You can disable local accounts using the parameter `disable-local-accounts`. The
### Disable local accounts on an existing cluster
-1. Disable local accounts on an existing Azure AD integration enabled AKS cluster using the [`az aks update`][az-aks-update] command with the `disable-local-accounts` parameter.
+1. Disable local accounts on an existing Microsoft Entra integration enabled AKS cluster using the [`az aks update`][az-aks-update] command with the `disable-local-accounts` parameter.
```azurecli-interactive az aks update -g <resource-group> -n <cluster-name> --disable-local-accounts
aks Managed Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/managed-azure-ad.md
Title: AKS-managed Azure Active Directory integration
-description: Learn how to configure Azure AD for your Azure Kubernetes Service (AKS) clusters.
+ Title: AKS-managed Microsoft Entra integration
+description: Learn how to configure Microsoft Entra ID for your Azure Kubernetes Service (AKS) clusters.
Last updated 07/28/2023
-# AKS-managed Azure Active Directory integration
+# AKS-managed Microsoft Entra integration
-AKS-managed Azure Active Directory (Azure AD) integration simplifies the Azure AD integration process. Previously, you were required to create a client and server app, and the Azure AD tenant had to grant Directory Read permissions. Now, the AKS resource provider manages the client and server apps for you.
+AKS-managed Microsoft Entra integration simplifies the Microsoft Entra integration process. Previously, you were required to create a client and server app, and the Microsoft Entra tenant had to grant Directory Read permissions. Now, the AKS resource provider manages the client and server apps for you.
-Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [Open ID connect documentation][open-id-connect].
+Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Microsoft Entra authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the [OpenID Connect documentation][open-id-connect].
-Learn more about the Azure AD integration flow in the [Azure AD documentation](concepts-identity.md#azure-ad-integration).
+Learn more about the Microsoft Entra integration flow in the [Microsoft Entra documentation](concepts-identity.md#azure-ad-integration).
## Limitations
-* AKS-managed Azure AD integration can't be disabled.
-* Changing an AKS-managed Azure AD integrated cluster to legacy Azure AD isn't supported.
-* Clusters without Kubernetes RBAC enabled aren't supported with AKS-managed Azure AD integration.
+* AKS-managed Microsoft Entra integration can't be disabled.
+* Changing an AKS-managed Microsoft Entra integrated cluster to legacy Microsoft Entra ID isn't supported.
+* Clusters without Kubernetes RBAC enabled aren't supported with AKS-managed Microsoft Entra integration.
## Before you begin * Make sure you have Azure CLI version 2.29.0 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli). * You need `kubectl` with a minimum version of [1.18.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1181) or [`kubelogin`][kubelogin]. With the Azure CLI and the Azure PowerShell module, these two commands are included and automatically managed. Meaning, they are upgraded by default and running `az aks install-cli` isn't required or recommended. If you are using an automated pipeline, you need to manage upgrading to the correct or latest version. The difference between the minor versions of Kubernetes and `kubectl` shouldn't be more than *one* version. Otherwise, you'll experience authentication issues if you don't use the correct version. * If you're using [helm](https://github.com/helm/helm), you need a minimum version of helm 3.3.
-* This configuration requires you have an Azure AD group for your cluster. This group is registered as an admin group on the cluster to grant admin permissions. If you don't have an existing Azure AD group, you can create one using the [`az ad group create`](/cli/azure/ad/group#az_ad_group_create) command.
+* This configuration requires you have a Microsoft Entra group for your cluster. This group is registered as an admin group on the cluster to grant admin permissions. If you don't have an existing Microsoft Entra group, you can create one using the [`az ad group create`](/cli/azure/ad/group#az_ad_group_create) command.
> [!NOTE]
-> Azure AD integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Azure AD clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Azure AD clusters, or Azure AD clusters running a version older than 1.24.
+> Microsoft Entra integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Microsoft Entra ID clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Microsoft Entra clusters, or Microsoft Entra ID clusters running a version older than 1.24.
> Existing downloaded `kubeconfig` continues to work. An optional query parameter **format** is included when getting clusterUser credential to overwrite the default behavior change. You can explicitly specify format to **azure** if you need to maintain the old `kubeconfig` format .
-## Enable AKS-managed Azure AD integration on your AKS cluster
+<a name='enable-aks-managed-azure-ad-integration-on-your-aks-cluster'></a>
+
+## Enable AKS-managed Microsoft Entra integration on your AKS cluster
### Create a new cluster
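Review bot: L2838 changes the meaning of the limitation: "to legacy Microsoft Entra ID" reads as an older edition of the identity service, while the original "legacy Azure AD" on L2835 means the legacy AKS integration (the one L2828 describes, with customer-managed client and server apps). Suggest "Changing an AKS-managed Microsoft Entra integrated cluster back to the legacy integration isn't supported". Smaller points in the same hunk: L2832 labels a link to `concepts-identity.md#azure-ad-integration` as "Microsoft Entra documentation" although it targets the AKS identity concepts page, and the fragment should be checked against whatever anchor that page kept after its heading was renamed; L2845 switches between "Microsoft Entra integrated clusters" and "Microsoft Entra ID clusters" within one sentence and is missing "the" before "`kubelogin` binary"; L2840 reads "Make sure you have Azure CLI version 2.29.0 or later is installed" (drop "is").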
Learn more about the Azure AD integration flow in the [Azure AD documentation](c
az group create --name myResourceGroup --location centralus ```
-2. Create an AKS cluster and enable administration access for your Azure AD group using the [`az aks create`][az-aks-create] command.
+2. Create an AKS cluster and enable administration access for your Microsoft Entra group using the [`az aks create`][az-aks-create] command.
```azurecli-interactive az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>] ```
- A successful creation of an AKS-managed Azure AD cluster has the following section in the response body:
+ A successful creation of an AKS-managed Microsoft Entra ID cluster has the following section in the response body:
```output "AADProfile": {
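Review bot: L2858 says "AKS-managed Microsoft Entra ID cluster", whereas the article otherwise names the feature "Microsoft Entra integration" (L2828, L2855); the same form recurs on L2866, L2880 and L2887. Pick one phrasing, preferably "AKS-managed Microsoft Entra integrated cluster" as on L2838, and apply it consistently.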
Learn more about the Azure AD integration flow in the [Azure AD documentation](c
### Use an existing cluster
-Enable AKS-managed Azure AD integration on your existing Kubernetes RBAC enabled cluster using the [`az aks update`][az-aks-update] command. Make sure to set your admin group to keep access on your cluster.
+Enable AKS-managed Microsoft Entra integration on your existing Kubernetes RBAC enabled cluster using the [`az aks update`][az-aks-update] command. Make sure to set your admin group to keep access on your cluster.
```azurecli-interactive az aks update -g MyResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id-1>,<id-2> [--aad-tenant-id <id>] ```
-A successful activation of an AKS-managed Azure AD cluster has the following section in the response body:
+A successful activation of an AKS-managed Microsoft Entra ID cluster has the following section in the response body:
```output "AADProfile": {
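Review bot: the resource group in the command on L2864 is `MyResourceGroup`, while the create example on L2856 and the upgrade example on L2878 use `myResourceGroup`. Azure resource group names are matched case-insensitively, so the command works, but readers copying between sections will assume two different groups; use the same name throughout.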
A successful activation of an AKS-managed Azure AD cluster has the following sec
} ```
-### Upgrade a legacy Azure AD cluster to AKS-managed Azure AD integration
+<a name='upgrade-a-legacy-azure-ad-cluster-to-aks-managed-azure-ad-integration'></a>
+
+### Upgrade a legacy Microsoft Entra ID cluster to AKS-managed Microsoft Entra integration
-If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD integration using the [`az aks update`][az-aks-update] command.
+If your cluster uses legacy Microsoft Entra integration, you can upgrade to AKS-managed Microsoft Entra integration using the [`az aks update`][az-aks-update] command.
> [!WARNING] > Free tier clusters may experience API server downtime during the upgrade. We recommend upgrading during your nonbusiness hours.
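Review bot: the heading on L2873, "Upgrade a legacy Microsoft Entra ID cluster to AKS-managed Microsoft Entra integration", has the same problem as the Limitations bullet: "legacy Microsoft Entra ID" reads as an old version of the identity service, whereas the body text on L2875 correctly says "legacy Microsoft Entra integration". Suggest "Upgrade a cluster with legacy Microsoft Entra integration to AKS-managed integration", keeping the `<a name>` anchor on L2871 so existing links still resolve.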
If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed
az aks update -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>] ```
-A successful migration of an AKS-managed Azure AD cluster has the following section in the response body:
+A successful migration of an AKS-managed Microsoft Entra ID cluster has the following section in the response body:
```output "AADProfile": {
A successful migration of an AKS-managed Azure AD cluster has the following sect
} ```
-## Access your AKS-managed Azure AD enabled cluster
+<a name='access-your-aks-managed-azure-ad-enabled-cluster'></a>
+
+## Access your AKS-managed Microsoft Entra ID enabled cluster
1. Get the user credentials to access your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.
A successful migration of an AKS-managed Azure AD cluster has the following sect
There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with `kubectl`. You can use [`kubelogin`][kubelogin] to connect to the cluster with a non-interactive service principal credential. > [!NOTE]
-> Azure AD integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Azure AD clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Azure AD clusters, or Azure AD clusters running a version older than 1.24.
+> Microsoft Entra integrated clusters using a Kubernetes version newer than version 1.24 automatically use the `kubelogin` format. Starting with Kubernetes version 1.24, the default format of the clusterUser credential for Microsoft Entra ID clusters is `exec`, which requires [`kubelogin`][kubelogin] binary in the execution PATH. There is no behavior change for non-Microsoft Entra clusters, or Microsoft Entra ID clusters running a version older than 1.24.
> Existing downloaded `kubeconfig` continues to work. An optional query parameter **format** is included when getting clusterUser credential to overwrite the default behavior change. You can explicitly specify format to **azure** if you need to maintain the old `kubeconfig` format . * When getting the clusterUser credential, you can use the `format` query parameter to overwrite the default behavior. You can set the value to `azure` to use the original kubeconfig format:
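Review bot: the note on L2892 and L2893 is a verbatim copy of the one on L2845 and L2846. Keeping two copies guarantees they drift apart (the version-boundary wording is already self-contradictory in both); consider keeping the full note once under Before you begin and reducing this one to the sentence about the `format` parameter, which is the part this section actually uses. Also "requires `kubelogin` binary" wants "the".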
There are some non-interactive scenarios, such as continuous integration pipelin
az aks get-credentials --format azure ```
-* If your Azure AD integrated cluster uses Kubernetes version 1.24 or lower, you need to manually convert the kubeconfig format.
+* If your Microsoft Entra integrated cluster uses Kubernetes version 1.24 or lower, you need to manually convert the kubeconfig format.
```azurecli-interactive export KUBECONFIG=/path/to/kubeconfig
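Review bot: L2897 says clusters on "Kubernetes version 1.24 or lower" need a manual kubeconfig conversion, which conflicts with the note on L2892 that the `exec` format is the default "Starting with Kubernetes version 1.24" (the same note also says "newer than version 1.24" and "older than 1.24", so the boundary is stated three different ways). If 1.24 already produces the `kubelogin` format, this bullet should say "older than 1.24"; if it does not, the note should say "newer than 1.24" throughout. The `az aks get-credentials --format azure` example on L2895 also lacks the `-g`/`-n` arguments that every other command in the article includes.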
There are some non-interactive scenarios, such as continuous integration pipelin
> > For more information, you can refer to [Azure Kubelogin Known Issues][azure-kubelogin-known-issues].
-## Troubleshoot access issues with AKS-managed Azure AD
+<a name='troubleshoot-access-issues-with-aks-managed-azure-ad'></a>
+
+## Troubleshoot access issues with AKS-managed Microsoft Entra ID
> [!IMPORTANT]
-> The steps described in this section bypass the normal Azure AD group authentication. Use them only in an emergency.
+> The steps described in this section bypass the normal Microsoft Entra group authentication. Use them only in an emergency.
-If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster, you can still get admin credentials to directly access the cluster. You need to have access to the [Azure Kubernetes Service Cluster Admin](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) built-in role.
+If you're permanently blocked by not having access to a valid Microsoft Entra group with access to your cluster, you can still get admin credentials to directly access the cluster. You need to have access to the [Azure Kubernetes Service Cluster Admin](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) built-in role.
## Next steps
-* Learn about [Azure AD integration with Kubernetes RBAC][azure-ad-rbac].
+* Learn about [Microsoft Entra integration with Kubernetes RBAC][azure-ad-rbac].
* Learn more about [AKS and Kubernetes identity concepts][aks-concepts-identity].
-* Use [Azure Resource Manager (ARM) templates][aks-arm-template] to create AKS-managed Azure AD enabled clusters.
+* Use [Azure Resource Manager (ARM) templates][aks-arm-template] to create AKS-managed Microsoft Entra ID enabled clusters.
<!-- LINKS - external --> [aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters
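Review bot: L2909 tells a locked-out reader to obtain admin credentials via the Azure Kubernetes Service Cluster Admin role, but that is the same local `--admin` credential the Manage local accounts article in this change describes as a non-auditable backdoor (L2804), and it stops working once local accounts are disabled (L2812). The emergency procedure should say that it only works while local accounts are enabled, and point to the local-accounts article for re-enabling them, so the recovery story is complete for clusters that followed the hardening advice.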
aks Monitor Aks Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks-reference.md
The following table lists the resource log categories you can collect for AKS. I
| kube-scheduler | Logs from the scheduler. | AKSControlPlane | | cluster-autoscaler | Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting may have happened in the cluster. | AKSControlPlane | | cloud-controller-manager | Logs from the cloud-node-manager component of the Kubernetes cloud controller manager.| AKSControlPlane |
-| guard | Managed Azure Active Directory and Azure RBAC audits. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. | AKSControlPlane |
+| guard | Managed Microsoft Entra ID and Azure RBAC audits. For managed Microsoft Entra ID, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. | AKSControlPlane |
| csi-azuredisk-controller | Logs from the Azure Disk CSI storage driver. | AKSControlPlane | | csi-azurefile-controller | Logs from the Azure Files CSI storage driver. | AKSControlPlane | | csi-snapshot-controller | Logs from the Azure CSI driver snapshot controller. | AKSControlPlane |
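Review bot: the guard row on L2921 says the category "includes token in and user info out". Readers will take that literally and ask whether bearer tokens are written to the log; state explicitly whether the entries record the token itself or only the validation outcome and the resolved user and group identity, because that decides whether the AKSControlPlane table needs the same access restrictions as a credential store.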
aks Open Ai Secure Access Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/open-ai-secure-access-quickstart.md
# Secure access to Azure OpenAI from Azure Kubernetes Service (AKS)
-In this article, you learn how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Azure Active Directory (Azure AD) Workload Identity. You learn how to:
+In this article, you learn how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Microsoft Entra Workload ID. You learn how to:
* Enable workload identities on an AKS cluster. * Create an Azure user-assigned managed identity.
-* Create an Azure AD federated credential.
+* Create a Microsoft Entra ID federated credential.
* Enable workload identity on a Kubernetes Pod. > [!NOTE]
-> We recommend using Azure AD Workload Identity and managed identities on AKS for Azure OpenAI access because it enables a secure, passwordless authentication process for accessing Azure resources.
+> We recommend using Microsoft Entra Workload ID and managed identities on AKS for Azure OpenAI access because it enables a secure, passwordless authentication process for accessing Azure resources.
## Before you begin * You need an Azure account with an active subscription. If you don't have one, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * This article builds on [Deploy an application that uses OpenAI on AKS](./open-ai-quickstart.md). You should complete that article before you begin this one.
-* You need a custom domain name enabled on your Azure OpenAI account to use for Azure AD authorization. For more information, see [Custom subdomain names for Azure AI services](../ai-services/cognitive-services-custom-subdomains.md).
+* You need a custom domain name enabled on your Azure OpenAI account to use for Microsoft Entra authorization. For more information, see [Custom subdomain names for Azure AI services](../ai-services/cognitive-services-custom-subdomains.md).
[!INCLUDE [azure-cli-prepare-your-environment.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)]
-## Enable Azure AD Workload Identity on an AKS cluster
+<a name='enable-azure-ad-workload-identity-on-an-aks-cluster'></a>
-The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled on AKS by default. You must enable them on your AKS cluster before you can use them.
+## Enable Microsoft Entra Workload ID on an AKS cluster
+
+The Microsoft Entra Workload ID and OIDC Issuer Endpoint features aren't enabled on AKS by default. You must enable them on your AKS cluster before you can use them.
1. Set the resource group name and AKS cluster resource group name variables.
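Review bot: L2929 introduces "a Microsoft Entra ID federated credential", and the heading on L2954 uses the same phrase, while the Microsoft Entra term, and the Azure CLI command (`az identity federated-credential create`) that the `--subject system:serviceaccount:...` flag on L2957 belongs to, is "federated identity credential". Suggest "Create a federated identity credential" in both places, which also avoids the "Microsoft Entra ID" versus "Microsoft Entra Workload ID" inconsistency between L2929 and L2932.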
The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled
AKS_NAME=$(az resource list --resource-group $RG_NAME --resource-type Microsoft.ContainerService/managedClusters --query "[0].name" -o tsv) ```
-2. Enable the Azure AD Workload Identity and OIDC Issuer Endpoint features on your existing AKS cluster using the [`az aks update`][az-aks-update] command.
+2. Enable the Microsoft Entra Workload ID and OIDC Issuer Endpoint features on your existing AKS cluster using the [`az aks update`][az-aks-update] command.
```azurecli-interactive az aks update \
The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled
--scope $AOAI_RESOURCE_ID ```
-## Create an Azure AD federated credential
+<a name='create-an-azure-ad-federated-credential'></a>
+
+## Create a Microsoft Entra ID federated credential
1. Set the federated credential, namespace, and service account variables.
The Azure AD Workload Identity and OIDC Issuer Endpoint features aren't enabled
--subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME} ```
-## Use Azure AD Workload Identity on AKS
+<a name='use-azure-ad-workload-identity-on-aks'></a>
-To use Azure AD Workload Identity on AKS, you need to make a few changes to the `ai-service` deployment manifest.
+## Use Microsoft Entra Workload ID on AKS
+
+To use Microsoft Entra Workload ID on AKS, you need to make a few changes to the `ai-service` deployment manifest.
### Create a ServiceAccount
To use Azure AD Workload Identity on AKS, you need to make a few changes to the
EOF ```
-### Enable Azure AD Workload Identity on the Pod
+<a name='enable-azure-ad-workload-identity-on-the-pod'></a>
+
+### Enable Microsoft Entra Workload ID on the Pod
1. Set the Azure OpenAI resource name, endpoint, and deployment name variables.
To use Azure AD Workload Identity on AKS, you need to make a few changes to the
## Next steps
-In this article, you learned how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Azure Active Directory (Azure AD) Workload Identity.
+In this article, you learned how to secure access to Azure OpenAI from Azure Kubernetes Service (AKS) using Microsoft Entra Workload ID.
-For more information on Azure AD Workload Identity, see [Azure AD Workload Identity](./workload-identity-overview.md).
+For more information on Microsoft Entra Workload ID, see [Microsoft Entra Workload ID](./workload-identity-overview.md).
<!-- Links internal --> [az-aks-update]: /cli/azure/aks#az_aks_update
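Review bot: the plural subject in the rewritten tip does not agree with its verb: "We recommend using Microsoft Entra Workload ID and managed identities on AKS ... because it enables a secure, passwordless authentication process" should read "because they enable" (or make the subject singular: "using Microsoft Entra Workload ID with managed identities ... because it enables"). The `<a name='enable-azure-ad-workload-identity-on-an-aks-cluster'></a>` style anchors added in front of each renamed heading are the right call, since they keep existing deep links to the old `#enable-azure-ad-...` fragments working after the rename; please keep the same pattern for any later heading renames in this article.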
aks Operator Best Practices Cluster Isolation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-cluster-isolation.md
For more information about these features, see [Best practices for advanced sche
*Authentication and authorization* uses: * Role-based access control (RBAC).
-* Azure Active Directory (AD) integration.
+* Microsoft Entra integration.
* Pod identities. * Secrets in Azure Key Vault.
aks Operator Best Practices Cluster Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-cluster-security.md
As you manage clusters in Azure Kubernetes Service (AKS), workload and data secu
This article focuses on how to secure your AKS cluster. You learn how to: > [!div class="checklist"]
-> * Use Azure Active Directory and Kubernetes role-based access control (Kubernetes RBAC) to secure API server access.
+> * Use Microsoft Entra ID and Kubernetes role-based access control (Kubernetes RBAC) to secure API server access.
> * Secure container access to node resources. > * Upgrade an AKS cluster to the latest Kubernetes version. > * Keep nodes up to date and automatically apply security patches.
You can also read the best practices for [container image management][best-pract
> **Best practice guidance** >
-> One of the most important ways to secure your cluster is to secure access to the Kubernetes API server. To control access to the API server, integrate Kubernetes RBAC with Azure Active Directory (Azure AD). With these controls,you secure AKS the same way that you secure access to your Azure subscriptions.
+> One of the most important ways to secure your cluster is to secure access to the Kubernetes API server. To control access to the API server, integrate Kubernetes RBAC with Microsoft Entra ID. With these controls,you secure AKS the same way that you secure access to your Azure subscriptions.
The Kubernetes API server provides a single connection point for requests to perform actions within a cluster. To secure and audit access to the API server, limit access and provide the lowest possible permission levels. while this approach isn't unique to Kubernetes, it's especially important when you've logically isolated your AKS cluster for multi-tenant use.
-Azure AD provides an enterprise-ready identity management solution that integrates with AKS clusters. Since Kubernetes doesn't provide an identity management solution, you may be hard-pressed to granularly restrict access to the API server. With Azure AD-integrated clusters in AKS, you use your existing user and group accounts to authenticate users to the API server.
+Microsoft Entra ID provides an enterprise-ready identity management solution that integrates with AKS clusters. Since Kubernetes doesn't provide an identity management solution, you may be hard-pressed to granularly restrict access to the API server. With Microsoft Entra integrated clusters in AKS, you use your existing user and group accounts to authenticate users to the API server.
-![Azure Active Directory integration for AKS clusters](media/operator-best-practices-cluster-security/aad-integration.png)
+![Microsoft Entra integration for AKS clusters](media/operator-best-practices-cluster-security/aad-integration.png)
-Using Kubernetes RBAC and Azure AD-integration, you can secure the API server and provide the minimum permissions required to a scoped resource set, like a single namespace. You can grant different Azure AD users or groups different Kubernetes roles. With granular permissions, you can restrict access to the API server and provide a clear audit trail of actions performed.
+Using Kubernetes RBAC and Microsoft Entra ID-integration, you can secure the API server and provide the minimum permissions required to a scoped resource set, like a single namespace. You can grant different Microsoft Entra users or groups different Kubernetes roles. With granular permissions, you can restrict access to the API server and provide a clear audit trail of actions performed.
-The recommended best practice is to use *groups* to provide access to files and folders instead of individual identities. For example, use an Azure AD *group* membership to bind users to Kubernetes roles rather than individual *users*. As a user's group membership changes, their access permissions on the AKS cluster change accordingly.
+The recommended best practice is to use *groups* to provide access to files and folders instead of individual identities. For example, use a Microsoft Entra ID *group* membership to bind users to Kubernetes roles rather than individual *users*. As a user's group membership changes, their access permissions on the AKS cluster change accordingly.
-Meanwhile, let's say you bind the individual user directly to a role and their job function changes. While the Azure AD group memberships update, their permissions on the AKS cluster would not. In this scenario, the user ends up with more permissions than they require.
+Meanwhile, let's say you bind the individual user directly to a role and their job function changes. While the Microsoft Entra group memberships update, their permissions on the AKS cluster would not. In this scenario, the user ends up with more permissions than they require.
-For more information about Azure AD integration, Kubernetes RBAC, and Azure RBAC, see [Best practices for authentication and authorization in AKS][aks-best-practices-identity].
+For more information about Microsoft Entra integration, Kubernetes RBAC, and Azure RBAC, see [Best practices for authentication and authorization in AKS][aks-best-practices-identity].
## Restrict access to Instance Metadata API
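Review bot: "Using Kubernetes RBAC and Microsoft Entra ID-integration" reads oddly after the rename; the hyphen belonged to the old "Azure AD-integration" compound, so this should become "Microsoft Entra integration", matching the wording used in the paragraph above it ("With Microsoft Entra integrated clusters in AKS"). While the best-practice callout is being touched, the pre-existing typo "With these controls,you secure AKS" (missing space after the comma) is carried over unchanged in the `+` line; fix it in the same commit. The unchanged context line "while this approach isn't unique to Kubernetes" also begins a sentence in lowercase.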
aks Operator Best Practices Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-identity.md
In this article, we discuss what recommended practices a cluster operator can fo
> [!div class="checklist"] >
-> * Authenticate AKS cluster users with Azure Active Directory (Azure AD).
+> * Authenticate AKS cluster users with Microsoft Entra ID.
> * Control access to resources with Kubernetes role-based access control (Kubernetes RBAC). > * Use Azure RBAC to granularly control access to the AKS resource, the Kubernetes API at scale, and the `kubeconfig`. > * Use a [managed identity][managed-identities] to authenticate pods with other services.
-## Use Azure Active Directory (Azure AD)
+<a name='use-azure-active-directory-azure-ad'></a>
+
+## Use Microsoft Entra ID
> **Best practice guidance** >
-> Deploy AKS clusters with [Azure AD integration][azure-ad-integration]. Using Azure AD centralizes the identity management layer. Any change in user account or group status is automatically updated in access to the AKS cluster. Scope users or groups to the minimum permissions amount using [Roles, ClusterRoles, or Bindings](#use-kubernetes-role-based-access-control-kubernetes-rbac).
+> Deploy AKS clusters with [Microsoft Entra integration][azure-ad-integration]. Using Microsoft Entra ID centralizes the identity management layer. Any change in user account or group status is automatically updated in access to the AKS cluster. Scope users or groups to the minimum permissions amount using [Roles, ClusterRoles, or Bindings](#use-kubernetes-role-based-access-control-kubernetes-rbac).
-Your Kubernetes cluster developers and application owners need access to different resources. Kubernetes lacks an identity management solution for you to control the resources with which users can interact. Instead, you can integrate your cluster with an existing identity solution like Azure AD, an enterprise-ready identity management solution.
+Your Kubernetes cluster developers and application owners need access to different resources. Kubernetes lacks an identity management solution for you to control the resources with which users can interact. Instead, you can integrate your cluster with an existing identity solution like Microsoft Entra ID, an enterprise-ready identity management solution.
-With Azure AD-integrated clusters in AKS, you create *Roles* or *ClusterRoles* defining access permissions to resources. You then *bind* the roles to users or groups from Azure AD. Learn more about these Kubernetes RBAC in [the next section](#use-kubernetes-role-based-access-control-kubernetes-rbac). Azure AD integration and how you control access to resources can be seen in the following diagram:
+With Microsoft Entra integrated clusters in AKS, you create *Roles* or *ClusterRoles* defining access permissions to resources. You then *bind* the roles to users or groups from Microsoft Entra ID. Learn more about these Kubernetes RBAC in [the next section](#use-kubernetes-role-based-access-control-kubernetes-rbac). Microsoft Entra integration and how you control access to resources can be seen in the following diagram:
-![Cluster-level authentication for Azure Active Directory integration with AKS](media/operator-best-practices-identity/cluster-level-authentication-flow.png)
+![Cluster-level authentication for Microsoft Entra integration with AKS](media/operator-best-practices-identity/cluster-level-authentication-flow.png)
-1. Developer authenticates with Azure AD.
-1. The Azure AD token issuance endpoint issues the access token.
-1. The developer performs an action using the Azure AD token, such as `kubectl create pod`.
-1. Kubernetes validates the token with Azure AD and fetches the developer's group memberships.
+1. Developer authenticates with Microsoft Entra ID.
+1. The Microsoft Entra token issuance endpoint issues the access token.
+1. The developer performs an action using the Microsoft Entra token, such as `kubectl create pod`.
+1. Kubernetes validates the token with Microsoft Entra ID and fetches the developer's group memberships.
1. Kubernetes RBAC and cluster policies are applied.
-1. The developer's request is successful based on previous validation of Azure AD group membership and Kubernetes RBAC and policies.
+1. The developer's request is successful based on previous validation of Microsoft Entra group membership and Kubernetes RBAC and policies.
-To create an AKS cluster that uses Azure AD, see [Integrate Azure Active Directory with AKS][aks-aad].
+To create an AKS cluster that uses Microsoft Entra ID, see [Integrate Microsoft Entra ID with AKS][aks-aad].
## Use Kubernetes role-based access control (Kubernetes RBAC) > **Best practice guidance** >
-> Define user or group permissions to cluster resources with Kubernetes RBAC. Create roles and bindings that assign the least amount of permissions required. Integrate with Azure AD to automatically update any user status or group membership change and keep access to cluster resources current.
+> Define user or group permissions to cluster resources with Kubernetes RBAC. Create roles and bindings that assign the least amount of permissions required. Integrate with Microsoft Entra ID to automatically update any user status or group membership change and keep access to cluster resources current.
In Kubernetes, you provide granular access control to cluster resources. You define permissions at the cluster level, or to specific namespaces. You determine what resources can be managed and with what permissions. You then apply these roles to users or groups with a binding. For more information about *Roles*, *ClusterRoles*, and *Bindings*, see [Access and identity options for Azure Kubernetes Service (AKS)][aks-concepts-identity].
rules:
verbs: ["*"] ```
-You then create a *RoleBinding* and bind the Azure AD user *developer1\@contoso.com* to it, as shown in the following YAML manifest:
+You then create a *RoleBinding* and bind the Microsoft Entra user *developer1\@contoso.com* to it, as shown in the following YAML manifest:
```yaml kind: RoleBinding
roleRef:
apiGroup: rbac.authorization.k8s.io ```
-When *developer1\@contoso.com* is authenticated against the AKS cluster, they have full permissions to resources in the *finance-app* namespace. In this way, you logically separate and control access to resources. Use Kubernetes RBAC with Azure AD-integration.
+When *developer1\@contoso.com* is authenticated against the AKS cluster, they have full permissions to resources in the *finance-app* namespace. In this way, you logically separate and control access to resources. Use Kubernetes RBAC with Microsoft Entra ID-integration.
-To learn how to use Azure AD groups to control access to Kubernetes resources using Kubernetes RBAC, see [Control access to cluster resources using role-based access control and Azure Active Directory identities in AKS][azure-ad-rbac].
+To learn how to use Microsoft Entra groups to control access to Kubernetes resources using Kubernetes RBAC, see [Control access to cluster resources using role-based access control and Microsoft Entra identities in AKS][azure-ad-rbac].
## Use Azure RBAC
There are two levels of access needed to fully operate an AKS cluster:
## Use pod-managed identities
-Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Azure AD.
+Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Microsoft Entra ID.
> [!NOTE] > Pod identities are intended for use with Linux pods and container images only. Pod-managed identities (preview) support for Windows containers is coming soon. To access other Azure resources, like Azure Cosmos DB, Key Vault, or Blob storage, the pod needs authentication credentials. You could define authentication credentials with the container image or inject them as a Kubernetes secret. Either way, you would need to manually create and assign them. Usually, these credentials are reused across pods and aren't regularly rotated.
-With pod-managed identities (preview) for Azure resources, you automatically request access to services through Azure AD. Pod-managed identities is currently in preview for AKS. Refer to the [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started.
+With pod-managed identities (preview) for Azure resources, you automatically request access to services through Microsoft Entra ID. Pod-managed identities is currently in preview for AKS. Refer to the [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started.
> [!NOTE]
-> If you have enabled [Azure AD pod-managed identity][aad-pod-identity] on your AKS cluster or are considering implementing it,
+> If you have enabled [Microsoft Entra pod-managed identity][aad-pod-identity] on your AKS cluster or are considering implementing it,
> we recommend you first review the [workload identity overview][workload-identity-overview] article to understand our
-> recommendations and options to set up your cluster to use an Azure AD workload identity (preview).
+> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview).
> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities > to federate with any external identity providers. >
-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
-Azure Active Directory pod-managed identity (preview) supports two modes of operation:
+Microsoft Entra pod-managed identity (preview) supports two modes of operation:
* **Standard** mode: In this mode, the following 2 components are deployed to the AKS cluster: * [Managed Identity Controller(MIC)](https://azure.github.io/aad-pod-identity/docs/concepts/mic/): A Kubernetes controller that watches for changes to pods, [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) through the Kubernetes API Server. When it detects a relevant change, the MIC adds or deletes [AzureAssignedIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureassignedidentity/) as needed. Specifically, when a pod is scheduled, the MIC assigns the managed identity on Azure to the underlying virtual machine scale set used by the node pool during the creation phase. When all pods using the identity are deleted, it removes the identity from the virtual machine scale set of the node pool, unless the same managed identity is used by other pods. The MIC takes similar actions when AzureIdentity or AzureIdentityBinding are created or deleted.
- * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node. It redirects requests to itself and validates if the pod has access to the identity it's requesting a token for, and fetch the token from the Azure Active Directory tenant on behalf of the application.
+ * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node. It redirects requests to itself and validates if the pod has access to the identity it's requesting a token for, and fetch the token from the Microsoft Entra tenant on behalf of the application.
* **Managed** mode: In this mode, there's only NMI. The identity needs to be manually assigned and managed by the user. For more information, see [Pod Identity in Managed Mode](https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/). In this mode, when you use the [az aks pod-identity add](/cli/azure/aks/pod-identity#az-aks-pod-identity-add) command to add a pod identity to an Azure Kubernetes Service (AKS) cluster, it creates the [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) in the namespace specified by the `--namespace` parameter, while the AKS resource provider assigns the managed identity specified by the `--identity-resource-id` parameter to virtual machine scale set of each node pool in the AKS cluster. > [!NOTE]
-> If you instead decide to install the Azure Active Directory pod-managed identity using the [AKS cluster add-on](./use-azure-ad-pod-identity.md), setup uses the `managed` mode.
+> If you instead decide to install the Microsoft Entra pod-managed identity using the [AKS cluster add-on](./use-azure-ad-pod-identity.md), setup uses the `managed` mode.
The `managed` mode provides the following advantages over the `standard`:
Instead of manually defining credentials for pods, pod-managed identities reques
* **The Node Management Identity (NMI) server** is a pod that runs as a DaemonSet on each node in the AKS cluster. The NMI server listens for pod requests to Azure services. * **The Azure Resource Provider** queries the Kubernetes API server and checks for an Azure identity mapping that corresponds to a pod.
-When pods request a security token from Azure Active Directory to access to an Azure resource, network rules redirect the traffic to the NMI server.
+When pods request a security token from Microsoft Entra ID to access to an Azure resource, network rules redirect the traffic to the NMI server.
1. The NMI server:
When pods request a security token from Azure Active Directory to access to an A
* Queries the Azure Resource Provider. 1. The Azure Resource Provider checks for Azure identity mappings in the AKS cluster.
-1. The NMI server requests an access token from Azure AD based on the pod's identity mapping.
-1. Azure AD provides access to the NMI server, which is returned to the pod.
+1. The NMI server requests an access token from Microsoft Entra ID based on the pod's identity mapping.
+1. Microsoft Entra ID provides access to the NMI server, which is returned to the pod.
* This access token can be used by the pod to then request access to resources in Azure. In the following example, a developer creates a pod that uses a managed identity to request access to Azure SQL Database:
In the following example, a developer creates a pod that uses a managed identity
![Pod identities allow a pod to automatically request access to other resources.](media/operator-best-practices-identity/pod-identities.png) 1. Cluster operator creates a service account to map identities when pods request access to resources.
-1. The NMI server is deployed to relay any pod requests, along with the Azure Resource Provider, for access tokens to Azure AD.
+1. The NMI server is deployed to relay any pod requests, along with the Azure Resource Provider, for access tokens to Microsoft Entra ID.
1. A developer deploys a pod with a managed identity that requests an access token through the NMI server. 1. The token is returned to the pod and used to access Azure SQL Database
-To use Pod-managed identities, see [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md).
+To use Pod-managed identities, see [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md).
## Next steps This best practices article focused on authentication and authorization for your cluster and resources. To implement some of these best practices, see the following articles:
-* [Integrate Azure Active Directory with AKS][aks-aad]
-* [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md)
+* [Integrate Microsoft Entra ID with AKS][aks-aad]
+* [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (preview)](use-azure-ad-pod-identity.md)
For more information about cluster operations in AKS, see the following best practices:
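Review bot: the note now says "set up your cluster to use a Microsoft Entra Workload ID (preview)", but the openai workload-identity article earlier in this same change recommends Microsoft Entra Workload ID without any preview qualifier; please verify whether "(preview)" is still accurate here, since readers use this callout to decide between pod-managed identity and workload identity. Two other points in this file: "Use Kubernetes RBAC with Microsoft Entra ID-integration" has the same stray hyphen as the cluster-security article and should be "Microsoft Entra integration"; and the `+` lines carry over pre-existing grammar issues that could be fixed while the lines are touched: "Pod-managed identities is currently in preview" (should be "are"), "and fetch the token from the Microsoft Entra tenant" (should be "fetches"), and "request a security token from Microsoft Entra ID to access to an Azure resource" (drop the second "to"). The link text also alternates between "(Preview)" and "(preview)" for the same pod-managed identity article; pick one.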
aks Outbound Rules Control Egress https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/outbound-rules-control-egress.md
The following network and FQDN/application rules are required for an AKS cluster
| **`mcr.microsoft.com`** | **`HTTPS:443`** | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images/charts (for example, coreDNS, etc.). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. | | **`*.data.mcr.microsoft.com`** | **`HTTPS:443`** | Required for MCR storage backed by the Azure content delivery network (CDN). | | **`management.azure.com`** | **`HTTPS:443`** | Required for Kubernetes operations against the Azure API. |
-| **`login.microsoftonline.com`** | **`HTTPS:443`** | Required for Azure Active Directory authentication. |
+| **`login.microsoftonline.com`** | **`HTTPS:443`** | Required for Microsoft Entra authentication. |
| **`packages.microsoft.com`** | **`HTTPS:443`** | This address is the Microsoft packages repository used for cached *apt-get* operations. Example packages include Moby, PowerShell, and Azure CLI. | | **`acs-mirror.azureedge.net`** | **`HTTPS:443`** | This address is for the repository required to download and install required binaries like kubenet and Azure CNI. |
The following network and FQDN/application rules are required for an AKS cluster
| **`mcr.microsoft.com`** | **`HTTPS:443`** | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images/charts (for example, coreDNS, etc.). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. | | **`.data.mcr.microsoft.com`** | **`HTTPS:443`** | Required for MCR storage backed by the Azure Content Delivery Network (CDN). | | **`management.chinacloudapi.cn`** | **`HTTPS:443`** | Required for Kubernetes operations against the Azure API. |
-| **`login.chinacloudapi.cn`** | **`HTTPS:443`** | Required for Azure Active Directory authentication. |
+| **`login.chinacloudapi.cn`** | **`HTTPS:443`** | Required for Microsoft Entra authentication. |
| **`packages.microsoft.com`** | **`HTTPS:443`** | This address is the Microsoft packages repository used for cached *apt-get* operations. Example packages include Moby, PowerShell, and Azure CLI. | | **`*.azk8s.cn`** | **`HTTPS:443`** | This address is for the repository required to download and install required binaries like kubenet and Azure CNI. |
The following network and FQDN/application rules are required for an AKS cluster
| **`mcr.microsoft.com`** | **`HTTPS:443`** | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images/charts (for example, coreDNS, etc.). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. | | **`*.data.mcr.microsoft.com`** | **`HTTPS:443`** | Required for MCR storage backed by the Azure content delivery network (CDN). | | **`management.usgovcloudapi.net`** | **`HTTPS:443`** | Required for Kubernetes operations against the Azure API. |
-| **`login.microsoftonline.us`** | **`HTTPS:443`** | Required for Azure Active Directory authentication. |
+| **`login.microsoftonline.us`** | **`HTTPS:443`** | Required for Microsoft Entra authentication. |
| **`packages.microsoft.com`** | **`HTTPS:443`** | This address is the Microsoft packages repository used for cached *apt-get* operations. Example packages include Moby, PowerShell, and Azure CLI. | | **`acs-mirror.azureedge.net`** | **`HTTPS:443`** | This address is for the repository required to install required binaries like kubenet and Azure CNI. |
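Review bot: while these egress tables are being edited, the China cloud table lists the MCR storage endpoint as `.data.mcr.microsoft.com` without the leading `*` wildcard that the global and US Government tables use (`*.data.mcr.microsoft.com`); please check whether the wildcard was lost in the markdown, because an egress allowlist copied from this row as written would not match the CDN hostnames and would block image pulls. The rename itself is fine: "Required for Microsoft Entra authentication" is the correct description for the `login.*` rows, and the FQDNs (`login.microsoftonline.com`, `login.chinacloudapi.cn`, `login.microsoftonline.us`) correctly remain unchanged since the service endpoints did not move with the product rename.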
aks Quickstart Event Grid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quickstart-event-grid.md
Remove-AzResourceGroup -Name MyResourceGroup
> [!NOTE]
-> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete].
+> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete].
> > If you used a managed identity, the identity is managed by the platform and does not require removal.
aks Trusted Access Feature https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/trusted-access-feature.md
Many Azure services that integrate with Azure Kubernetes Service (AKS) need access to the Kubernetes API server. In order to avoid granting these services admin access or having to keep your AKS clusters public for network access, you can use the AKS Trusted Access feature.
-This feature allows services to securely connect to AKS and Kubernetes via the Azure backend without requiring private endpoint. Instead of relying on identities with [Microsoft Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) permissions, this feature can use your system-assigned managed identity to authenticate with the managed services and applications you want to use on top of AKS.
+This feature allows services to securely connect to AKS and Kubernetes via the Azure backend without requiring private endpoint. Instead of relying on identities with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) permissions, this feature can use your system-assigned managed identity to authenticate with the managed services and applications you want to use on top of AKS.
Trusted Access addresses the following scenarios:
This article shows you how to enable secure access from your Azure services to y
## Trusted Access feature overview
-Trusted Access enables you to give explicit consent to your system-assigned MSI of allowed resources to access your AKS clusters using an Azure resource *RoleBinding*. Your Azure resources access AKS clusters through the AKS regional gateway via system-assigned managed identity authentication with the appropriate Kubernetes permissions via an Azure resource *Role*. The Trusted Access feature allows you to access AKS clusters with different configurations, including but not limited to [private clusters](private-clusters.md), [clusters with local accounts disabled](manage-local-accounts-managed-azure-ad.md#disable-local-accounts), [Azure AD clusters](azure-ad-integration-cli.md), and [authorized IP range clusters](api-server-authorized-ip-ranges.md).
+Trusted Access enables you to give explicit consent to your system-assigned MSI of allowed resources to access your AKS clusters using an Azure resource *RoleBinding*. Your Azure resources access AKS clusters through the AKS regional gateway via system-assigned managed identity authentication with the appropriate Kubernetes permissions via an Azure resource *Role*. The Trusted Access feature allows you to access AKS clusters with different configurations, including but not limited to [private clusters](private-clusters.md), [clusters with local accounts disabled](manage-local-accounts-managed-azure-ad.md#disable-local-accounts), [Microsoft Entra ID clusters](azure-ad-integration-cli.md), and [authorized IP range clusters](api-server-authorized-ip-ranges.md).
## Prerequisites
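Review bot: the rewritten overview still says "your system-assigned MSI of allowed resources" while the surrounding text (including the added paragraph above) uses "system-assigned managed identity"; since this change is a terminology sweep, replace the undefined "MSI" abbreviation with "system-assigned managed identity" so the two paragraphs agree.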
aks Tutorial Kubernetes Deploy Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-deploy-cluster.md
In previous tutorials, you created a container image and uploaded it to an ACR i
AKS clusters can use [Kubernetes role-based access control (Kubernetes RBAC)][k8s-rbac], which allows you to define access to resources based on roles assigned to users. If a user is assigned multiple roles, permissions are combined. Permissions can be scoped to either a single namespace or across the whole cluster.
-To learn more about AKS and Kubernetes RBAC, see [Control access to cluster resources using Kubernetes RBAC and Azure Active Directory identities in AKS][aks-k8s-rbac].
+To learn more about AKS and Kubernetes RBAC, see [Control access to cluster resources using Kubernetes RBAC and Microsoft Entra identities in AKS][aks-k8s-rbac].
### [Azure CLI](#tab/azure-cli)
aks Tutorial Kubernetes Upgrade Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/tutorial-kubernetes-upgrade-cluster.md
Delete your cluster using the following steps:
> [!NOTE]
-> When you delete the cluster, the Azure Active Directory (Azure AD) service principal used by the AKS cluster isn't removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete]. If you used a managed identity, the identity is managed by the platform and doesn't require that you provision or rotate any secrets.
+> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster isn't removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete]. If you used a managed identity, the identity is managed by the platform and doesn't require that you provision or rotate any secrets.
## Next steps
aks Update Credentials https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/update-credentials.md
Title: Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster
-description: Learn how update or rotate the service principal or Azure AD Application credentials for an Azure Kubernetes Service (AKS) cluster.
+description: Learn how update or rotate the service principal or Microsoft Entra Application credentials for an Azure Kubernetes Service (AKS) cluster.
Last updated 03/01/2023
# Update or rotate the credentials for an Azure Kubernetes Service (AKS) cluster
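Review bot: the replacement description line still carries the original typo "Learn how update or rotate" (missing "to"); since the line is being rewritten for the rename anyway, make it "Learn how to update or rotate the service principal or Microsoft Entra application credentials for an Azure Kubernetes Service (AKS) cluster."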
-AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. AKS clusters [integrated with Azure Active Directory (Azure AD)][aad-integration] as an authentication provider have two more identities: the Azure AD Server App and the Azure AD Client App. This article details how to update the service principal and Azure AD credentials for an AKS cluster.
+AKS clusters created with a service principal have a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. AKS clusters [integrated with Microsoft Entra ID][aad-integration] as an authentication provider have two more identities: the Microsoft Entra Server App and the Microsoft Entra Client App. This article details how to update the service principal and Microsoft Entra credentials for an AKS cluster.
> [!NOTE] > Alternatively, you can use a managed identity for permissions instead of a service principal. Managed identities don't require updates or rotations. For more information, see [Use managed identities](use-managed-identity.md).
az aks update-credentials \
--client-secret "${SP_SECRET}" ```
-## Update AKS cluster with new Azure AD application credentials
+<a name='update-aks-cluster-with-new-azure-ad-application-credentials'></a>
-You can create new Azure AD server and client applications by following the [Azure AD integration steps][create-aad-app], or reset your existing Azure AD applications following the [same method as for service principal reset][reset-existing-service-principal-credentials]. After that, you need to update your cluster Azure AD application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables.
+## Update AKS cluster with new Microsoft Entra application credentials
+
+You can create new Microsoft Entra server and client applications by following the [Microsoft Entra integration steps][create-aad-app], or reset your existing Microsoft Entra applications following the [same method as for service principal reset][reset-existing-service-principal-credentials]. After that, you need to update your cluster Microsoft Entra application credentials using the [`az aks update-credentials`][az-aks-update-credentials] command with the *--reset-aad* variables.
```azurecli-interactive az aks update-credentials \
az aks update-credentials \
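Review bot: in the rewritten paragraph, "the `az aks update-credentials` command with the *--reset-aad* variables" should read "with the `--reset-aad` parameters": `--reset-aad` is a command-line flag, not a variable, and it should be in code font like the command it belongs to.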
## Next steps
-In this article, you learned how to update or rotate service principal and Azure AD application credentials. For more information on how to use a manage identity for workloads within an AKS cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].
+In this article, you learned how to update or rotate service principal and Microsoft Entra application credentials. For more information on how to use a manage identity for workloads within an AKS cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].
<!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli
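Review bot: the rewritten "Next steps" sentence keeps the typo "how to use a manage identity for workloads"; it should be "a managed identity". Worth fixing while the line is already touched by the rename.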
aks Upgrade Windows 2019 2022 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-windows-2019-2022.md
Node Selector is the most common and recommended option for placement of Windows
## Security and authentication considerations
-If you're using Group Managed Service Accounts (gMSA), you need to update the Managed Identity configuration for the new node pool. gMSA uses a secret (user account and password) so the node that runs the Windows pod can authenticate the container against Azure Active Directory (Azure AD). To access that secret on Azure Key Vault, the node uses a Managed Identity that allows the node to access the resource. Since Managed Identities are configured per node pool, and the pod now resides on a new node pool, you need to update that configuration. For more information, see [Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster](./use-group-managed-service-accounts.md).
+If you're using Group Managed Service Accounts (gMSA), you need to update the Managed Identity configuration for the new node pool. gMSA uses a secret (user account and password) so the node that runs the Windows pod can authenticate the container against Microsoft Entra ID. To access that secret on Azure Key Vault, the node uses a Managed Identity that allows the node to access the resource. Since Managed Identities are configured per node pool, and the pod now resides on a new node pool, you need to update that configuration. For more information, see [Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster](./use-group-managed-service-accounts.md).
The same principle applies to Managed Identities for any other pod or node pool when accessing other Azure resources. You need to update any access that Managed Identity provides to reflect the new node pool. To view update and sign-in activities, see [How to view Managed Identity activity](../active-directory/managed-identities-azure-resources/how-to-view-managed-identity-activity.md).
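Review bot: the rewritten gMSA sentence now says the node authenticates the container "against Microsoft Entra ID", but the use-group-managed-service-accounts hunk later in this same update states that Microsoft Entra ID can't be used to configure gMSA and that Active Directory Domain Services or on-premises Active Directory is required. A mechanical "Azure AD" to "Microsoft Entra ID" substitution carries the wrong claim forward; the gMSA credential authenticates the container against the Active Directory domain, so change this to "against Active Directory" to match the other article.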
aks Use Azure Ad Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-ad-pod-identity.md
Title: Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)
-description: Learn how to use Azure AD pod-managed identities in Azure Kubernetes Service (AKS)
+ Title: Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview)
+description: Learn how to use Microsoft Entra pod-managed identities in Azure Kubernetes Service (AKS)
Last updated 08/15/2023
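Review bot: the replacement title line is "+ Title:" with a leading space, while the removed line and the description line below it have none. If that space is in the source frontmatter rather than a rendering artifact, it breaks the YAML; check the file and drop it.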
-# Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)
+# Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview)
-Azure Active Directory (Azure AD) pod-managed identities use Kubernetes primitives to associate [managed identities for Azure resources][az-managed-identities] and identities in Azure AD with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Azure AD as an identity provider.
+Microsoft Entra pod-managed identities use Kubernetes primitives to associate [managed identities for Azure resources][az-managed-identities] and identities in Microsoft Entra ID with pods. Administrators create identities and bindings as Kubernetes primitives that allow pods to access Azure resources that rely on Microsoft Entra ID as an identity provider.
> [!IMPORTANT]
-> We recommend you review [Azure AD workload identity][workload-identity-overview].
+> We recommend you review [Microsoft Entra Workload ID][workload-identity-overview].
> This authentication method replaces pod-managed identity (preview), which integrates with the > Kubernetes native capabilities to federate with any external identity providers on behalf of the > application. >
-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024.
+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024.
> > To disable the AKS Managed add-on, use the following command: `az feature unregister --namespace "Microsoft.ContainerService" --name "EnablePodIdentityPreview"`.
az provider register --namespace Microsoft.ContainerService
## Operation mode options
-Azure AD pod-managed identity supports two modes of operation:
+Microsoft Entra pod-managed identity supports two modes of operation:
* **Standard Mode**: In this mode, the following two components are deployed to the AKS cluster: * [Managed Identity Controller (MIC)](https://azure.github.io/aad-pod-identity/docs/concepts/mic/): An MIC is a Kubernetes controller that watches for changes to pods, [AzureIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/) and [AzureIdentityBinding](https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/) through the Kubernetes API Server. When it detects a relevant change, the MIC adds or deletes [AzureAssignedIdentity](https://azure.github.io/aad-pod-identity/docs/concepts/azureassignedidentity/) as needed. Specifically, when a pod is scheduled, the MIC assigns the managed identity on Azure to the underlying Virtual Machine Scale Set used by the node pool during the creation phase. When all pods using the identity are deleted, it removes the identity from the Virtual Machine Scale Set of the node pool, unless the same managed identity is used by other pods. The MIC takes similar actions when AzureIdentity or AzureIdentityBinding are created or deleted.
- * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): NMI is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Azure AD tenant on behalf of the application.
+ * [Node Managed Identity (NMI)](https://azure.github.io/aad-pod-identity/docs/concepts/nmi/): NMI is a pod that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the [Azure Instance Metadata Service](../virtual-machines/linux/instance-metadata-service.md?tabs=linux) on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Microsoft Entra tenant on behalf of the application.
* **Managed Mode**: This mode offers only NMI. When installed via the AKS cluster add-on, Azure manages creation of Kubernetes primitives (AzureIdentity and AzureIdentityBinding) and identity assignment in response to CLI commands by the user. Otherwise, if installed via Helm chart, the identity needs to be manually assigned and managed by the user. For more information, see [Pod identity in managed mode](https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/).
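Review bot: the rewritten NMI bullet keeps the original agreement errors: "NMI intercepts security token requests ..., redirect them to itself and validates ... and fetch the token". Suggest "NMI intercepts security token requests to the Azure Instance Metadata Service on each node, redirects them to itself, validates whether the pod has access to the identity it's requesting a token for, and fetches the token from the Microsoft Entra tenant on behalf of the application."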
-When you install the Azure AD pod-managed identity via Helm chart or YAML manifest as shown in the [Installation Guide](https://azure.github.io/aad-pod-identity/docs/getting-started/installation/), you can choose between the `standard` and `managed` mode. If you instead decide to install the Azure AD pod-managed identity using the AKS cluster add-on as shown in this article, the setup will use the `managed` mode.
+When you install the Microsoft Entra pod-managed identity via Helm chart or YAML manifest as shown in the [Installation Guide](https://azure.github.io/aad-pod-identity/docs/getting-started/installation/), you can choose between the `standard` and `managed` mode. If you instead decide to install the Microsoft Entra pod-managed identity using the AKS cluster add-on as shown in this article, the setup will use the `managed` mode.
## Create an AKS cluster with Azure Container Networking Interface (CNI)
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
``` > [!NOTE]
-> When you enable pod-managed identity on your AKS cluster, an AzurePodIdentityException named *aks-addon-exception* is added to the *kube-system* namespace. An AzurePodIdentityException allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the NMI server. The *aks-addon-exception* allows AKS first-party addons, such as Azure AD pod-managed identity, to operate without having to manually configure an AzurePodIdentityException. Optionally, you can add, remove, and update an AzurePodIdentityException using `az aks pod-identity exception add`, `az aks pod-identity exception delete`, `az aks pod-identity exception update`, or `kubectl`.
+> When you enable pod-managed identity on your AKS cluster, an AzurePodIdentityException named *aks-addon-exception* is added to the *kube-system* namespace. An AzurePodIdentityException allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the NMI server. The *aks-addon-exception* allows AKS first-party addons, such as Microsoft Entra pod-managed identity, to operate without having to manually configure an AzurePodIdentityException. Optionally, you can add, remove, and update an AzurePodIdentityException using `az aks pod-identity exception add`, `az aks pod-identity exception delete`, `az aks pod-identity exception update`, or `kubectl`.
## Update an existing AKS cluster with Azure CNI
Update an existing AKS cluster with Azure CNI to include pod-managed identity.
az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity ```
-## Using Kubenet network plugin with Azure Active Directory pod-managed identities
+<a name='using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities'></a>
+
+## Using Kubenet network plugin with Microsoft Entra pod-managed identities
> [!IMPORTANT]
-> Running Azure AD pod-managed identity in a cluster with Kubenet is not a recommended configuration due to security concerns. Default Kubenet configuration fails to prevent ARP spoofing, which could be utilized by a pod to act as another pod and gain access to an identity it's not intended to have. Please follow the mitigation steps and configure policies before enabling Azure AD pod-managed identity in a cluster with Kubenet.
+> Running Microsoft Entra pod-managed identity in a cluster with Kubenet is not a recommended configuration due to security concerns. Default Kubenet configuration fails to prevent ARP spoofing, which could be utilized by a pod to act as another pod and gain access to an identity it's not intended to have. Please follow the mitigation steps and configure policies before enabling Microsoft Entra pod-managed identity in a cluster with Kubenet.
### Mitigation
kubectl get azureidentitybinding -n $POD_IDENTITY_NAMESPACE
## Run a sample application
-For a pod to use Azure AD pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. By default, the selector will match the name of the pod-managed identity, but it can also be set using the `--binding-selector` option when calling `az aks pod-identity add`.
+For a pod to use Microsoft Entra pod-managed identity, the pod needs an *aadpodidbinding* label with a value that matches a selector from a *AzureIdentityBinding*. By default, the selector will match the name of the pod-managed identity, but it can also be set using the `--binding-selector` option when calling `az aks pod-identity add`.
-To run a sample application using Azure AD pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription ID.
+To run a sample application using Microsoft Entra pod-managed identity, create a `demo.yaml` file with the following contents. Replace *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* with the values from the previous steps. Replace *SUBSCRIPTION_ID* with your subscription ID.
> [!NOTE] > In the previous steps, you created the *POD_IDENTITY_NAME*, *IDENTITY_CLIENT_ID*, and *IDENTITY_RESOURCE_GROUP* variables. You can use a command such as `echo` to display the value you set for variables, for example `echo $POD_IDENTITY_NAME`.
az aks update --resource-group myResourceGroup --name myAKSCluster --disable-pod
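Review bot: in the rewritten first paragraph of "Run a sample application", "a selector from a *AzureIdentityBinding*" should be "an *AzureIdentityBinding*". Same paragraph: "the selector will match" can be "the selector matches", in line with the present-tense style of the rest of the article.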
## Clean up
-To remove an Azure AD pod-managed identity from your cluster, remove the sample application and the pod-managed identity from the cluster. Then remove the identity and the role assignment of cluster identity.
+To remove a Microsoft Entra pod-managed identity from your cluster, remove the sample application and the pod-managed identity from the cluster. Then remove the identity and the role assignment of cluster identity.
```bash kubectl delete pod demo --namespace $POD_IDENTITY_NAMESPACE
aks Use Group Managed Service Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-group-managed-service-accounts.md
Last updated 08/30/2023
To use GMSA with AKS, you need a standard domain user credential to access the GMSA credential configured on your domain controller. To configure GMSA on your domain controller, see [Get started with Group Managed Service Accounts][gmsa-getting-started]. For the standard domain user credential, you can use an existing user or create a new one, as long as it has access to the GMSA credential. > [!IMPORTANT]
-> You must use either Active Directory Domain Service or on-premises Active Directory. At this time, you can't use Azure Active Directory to configure GMSA with an AKS cluster.
+> You must use either Active Directory Domain Service or on-premises Active Directory. At this time, you can't use Microsoft Entra ID to configure GMSA with an AKS cluster.
## Store the standard domain user credentials in Azure Key Vault
aks Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-managed-identity.md
Last updated 07/31/2023
# Use a managed identity in Azure Kubernetes Service (AKS)
-Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. This identity can be a *managed identity* or *service principal*. A system-assigned managed identity is automatically created when you create an AKS cluster. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources][managed-identity-resources-overview].
+Azure Kubernetes Service (AKS) clusters require an identity to access Azure resources like load balancers and managed disks. This identity can be a *managed identity* or *service principal*. A system-assigned managed identity is automatically created when you create an AKS cluster. This identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources][managed-identity-resources-overview].
AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*. AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable. > [!NOTE]
-> If you're considering implementing [Azure AD pod-managed identity][aad-pod-identity] on your AKS cluster, we recommend you first review the [Azure AD workload identity overview][workload-identity-overview]. This authentication method replaces Azure AD pod-managed identity (preview) and is the recommended method.
+> If you're considering implementing [Microsoft Entra pod-managed identity][aad-pod-identity] on your AKS cluster, we recommend you first review the [Microsoft Entra Workload ID overview][workload-identity-overview]. This authentication method replaces Microsoft Entra pod-managed identity (preview) and is the recommended method.
## Before you begin
AKS doesn't automatically create a [service principal](kubernetes-service-princi
## Limitations * Tenants moving or migrating a managed identity-enabled cluster isn't supported.
-* If the cluster has Azure AD pod-managed identity (`aad-pod-identity`) enabled, Node-Managed Identity (NMI) pods modify the iptables of the nodes to intercept calls to the Azure Instance Metadata (IMDS) endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI, even if the pod doesn't use `aad-pod-identity`. AzurePodIdentityException CRD can be configured to inform `aad-pod-identity` of any requests to the Metadata endpoint originating from a pod that matches labels defined in CRD should be proxied without any processing in NMI. The system pods with `kubernetes.azure.com/managedby: aks` label in *kube-system* namespace should be excluded in `aad-pod-identity` by configuring the AzurePodIdentityException CRD.
- * For more information, see [Disable aad-pod-identity for a specific pod or application](./use-azure-ad-pod-identity.md#clean-up).
+* If the cluster has Microsoft Entra pod-managed identity (`aad-pod-identity`) enabled, Node-Managed Identity (NMI) pods modify the iptables of the nodes to intercept calls to the Azure Instance Metadata (IMDS) endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI, even if the pod doesn't use `aad-pod-identity`. AzurePodIdentityException CRD can be configured to inform `aad-pod-identity` of any requests to the Metadata endpoint originating from a pod that matches labels defined in CRD should be proxied without any processing in NMI. The system pods with `kubernetes.azure.com/managedby: aks` label in *kube-system* namespace should be excluded in `aad-pod-identity` by configuring the AzurePodIdentityException CRD.
+ * For more information, see [Disable Microsoft Entra ID-pod-identity for a specific pod or application](./use-azure-ad-pod-identity.md#clean-up).
* To configure an exception, install the [mic-exception YAML](https://github.com/Azure/aad-pod-identity/blob/master/deploy/infra/mic-exception.yaml). * AKS doesn't support the use of a system-assigned managed identity if using a custom private DNS zone.
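Review bot: the link text was renamed to "Disable Microsoft Entra ID-pod-identity for a specific pod or application", but the `aad-pod-identity` in the original is the project and CRD name (it stays `aad-pod-identity` in code font three times in the bullet directly above, and the linked repo is github.com/Azure/aad-pod-identity). "Microsoft Entra ID-pod-identity" is neither the product name nor the project name; restore "Disable aad-pod-identity for a specific pod or application" (or use "Microsoft Entra pod-managed identity", the phrasing the rest of this update adopts), and make sure it still matches a heading in use-azure-ad-pod-identity.md, since the link targets `#clean-up`.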
AKS uses several managed identities for built-in services and add-ons.
| Add-on | Ingress application gateway | Manages required network resources. | Contributor role for node resource group | No | Add-on | omsagent | Used to send AKS metrics to Azure Monitor. | Monitoring Metrics Publisher role | No | Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI). | Contributor role for node resource group | No
-| OSS project | aad-pod-identity | Enables applications to access cloud resources securely with Microsoft Azure Active Directory (Azure AD). | N/A | Steps to grant permission at [Azure AD Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md).
+| OSS project | Microsoft Entra ID-pod-identity | Enables applications to access cloud resources securely with Microsoft Entra ID. | N/A | Steps to grant permission at [Microsoft Entra Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md).
## Enable managed identities on a new AKS cluster
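Review bot: same problem in the identities table: the "OSS project" row now names the project "Microsoft Entra ID-pod-identity", which is not the name of the open source project (it is `aad-pod-identity`, as the other rows and the linked repo show). Keep the project name as `aad-pod-identity` in the name column and apply the rename only to the description text ("securely with Microsoft Entra ID") and the link text.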
aks Use Oidc Issuer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-oidc-issuer.md
Last updated 07/26/2023
# Create an OpenID Connect provider on Azure Kubernetes Service (AKS)
-[OpenID Connect][open-id-connect-overview] (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol issued by Azure Active Directory (Azure AD). You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications, on your Azure Kubernetes Service (AKS) cluster, by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover the API server's public signing keys.
+[OpenID Connect][open-id-connect-overview] (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol issued by Microsoft Entra ID. You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications, on your Azure Kubernetes Service (AKS) cluster, by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Microsoft Entra ID or other cloud provider identity and access management platform, to discover the API server's public signing keys.
AKS rotates the key automatically and periodically. If you don't want to wait, you can rotate the key manually and immediately. The maximum lifetime of the token issued by the OIDC provider is one day.
During key rotation, there is one additional key present in the discovery docume
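Review bot: the rewritten intro ends with "allows Microsoft Entra ID or other cloud provider identity and access management platform, to discover the API server's public signing keys"; the article/number and the stray comma need fixing: "allows Microsoft Entra ID or another cloud provider's identity and access management platform to discover the API server's public signing keys".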
## Next steps * See [configure creating a trust relationship between an app and an external identity provider](../active-directory/develop/workload-identity-federation-create-trust.md) to understand how a federated identity credential creates a trust relationship between an application on your cluster and an external identity provider.
-* Review [Azure AD workload identity][azure-ad-workload-identity-overview] (preview). This authentication method integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application.
+* Review [Microsoft Entra Workload ID][azure-ad-workload-identity-overview] (preview). This authentication method integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application.
* See [Secure pod network traffic][secure-pod-network-traffic] to understand how to use the Network Policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. <!-- LINKS - external -->
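Review bot: the rewritten "Next steps" bullet still labels Microsoft Entra Workload ID "(preview)", while the other articles in this same update (the pod-managed identity page's IMPORTANT box and the use-managed-identity note) present it as the recommended replacement for the preview pod-managed identity feature with no preview label. Confirm whether the qualifier still applies and either drop it here or add it consistently across the set.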
aks Use Pod Security Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-pod-security-policies.md
It's important to understand how these default policies interact with user reque
## Create a test user in an AKS cluster
-When you use the [`az aks get-credentials`][az-aks-get-credentials] command, the *admin* credentials for the AKS cluster are added to your `kubectl` config by default. The admin user bypasses the enforcement of pod security policies. If you use Azure Active Directory integration for your AKS clusters, you can sign in with the credentials of a non-admin user to see the enforcement of policies in action.
+When you use the [`az aks get-credentials`][az-aks-get-credentials] command, the *admin* credentials for the AKS cluster are added to your `kubectl` config by default. The admin user bypasses the enforcement of pod security policies. If you use Microsoft Entra integration for your AKS clusters, you can sign in with the credentials of a non-admin user to see the enforcement of policies in action.
1. Create a sample namespace named *psp-aks* for test resources using the [`kubectl create namespace`][kubectl-create] command.
aks Virtual Nodes Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/virtual-nodes-cli.md
For more information on managed identities, see [Use managed identities](use-man
The pod is assigned an internal IP address from the Azure virtual network subnet delegated for use with virtual nodes. > [!NOTE]
-> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A current limitation of virtual nodes is you can't use integrated Azure AD service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`.
+> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A current limitation of virtual nodes is you can't use integrated Microsoft Entra service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`.
## Test the virtual node pod
aks Virtual Nodes Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/virtual-nodes-portal.md
The Azure Cloud Shell is a free interactive shell you can use to run the steps i
``` > [!NOTE]
-> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A limitation of virtual nodes is you can't use integrated Azure AD service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`.
+> If you use images stored in Azure Container Registry, [configure and use a Kubernetes secret][acr-aks-secrets]. A limitation of virtual nodes is you can't use integrated Microsoft Entra service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error `HTTP response status code 400 error code "InaccessibleImage"`.
## Test the virtual node pod
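Review bot: this note and the one just above it in the virtual-nodes-cli article are otherwise identical but say "A limitation" here and "A current limitation" there; since both were touched in this rename, align the wording. Also consider writing the failure as a status code plus an error code (`400` and `InaccessibleImage`) rather than the single literal `HTTP response status code 400 error code "InaccessibleImage"`, which reads as two fields run together.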
aks Workload Identity Deploy Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-deploy-cluster.md
Title: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workload identity
-description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with an Azure AD workload identity.
+description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with a Microsoft Entra Workload ID.
Last updated 09/27/2023
Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this article, you will:
-* Deploy an AKS cluster using the Azure CLI that includes the OpenID Connect Issuer and an Azure AD workload identity
+* Deploy an AKS cluster using the Azure CLI that includes the OpenID Connect Issuer and a Microsoft Entra Workload ID
* Grant access to your Azure Key Vault
-* Create an Azure Active Directory (Azure AD) workload identity and Kubernetes service account
+* Create a Microsoft Entra Workload ID and Kubernetes service account
* Configure the managed identity for token federation.
-This article assumes you have a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts]. If you aren't familiar with Azure AD workload identity, see the following [Overview][workload-identity-overview] article.
+This article assumes you have a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts]. If you aren't familiar with Microsoft Entra Workload ID, see the following [Overview][workload-identity-overview] article.
- This article requires version 2.47.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
You can retrieve this information using the Azure CLI command: [az keyvault list
## Disable workload identity
-To disable the Azure AD workload identity on the AKS cluster where it's been enabled and configured, you can run the following command:
+To disable the Microsoft Entra Workload ID on the AKS cluster where it's been enabled and configured, you can run the following command:
```azurecli-interactive az aks update --resource-group myResourceGroup --name myAKSCluster --disable-workload-identity
aks Workload Identity Migrate From Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-migrate-from-pod-identity.md
Last updated 07/31/2023
# Migrate from pod managed-identity to workload identity
-This article focuses on migrating from a pod-managed identity to Azure Active Directory (Azure AD) workload identity for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.
+This article focuses on migrating from a pod-managed identity to Microsoft Entra Workload ID for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.
-If you aren't familiar with Azure AD workload identity, see the following [Overview][workload-identity-overview] article.
+If you aren't familiar with Microsoft Entra Workload ID, see the following [Overview][workload-identity-overview] article.
## Before you begin
For either scenario, you need to have the federated trust set up before you upda
- [Create a managed identity](#create-a-managed-identity) credential. - Associate the managed identity with the kubernetes service account already used for the pod-managed identity or [create a new Kubernetes service account](#create-kubernetes-service-account) and then associate it with the managed identity.-- [Establish a federated trust relationship](#establish-federated-identity-credential-trust) between the managed identity and Azure AD.
+- [Establish a federated trust relationship](#establish-federated-identity-credential-trust) between the managed identity and Microsoft Entra ID.
### Migrate from latest version
I0926 00:29:31.101998 1 proxy.go:129] proxy "msg"="successfully acquired t
## Remove pod-managed identity
-After you've completed your testing and the application is successfully able to get a token using the proxy sidecar, you can remove the Azure AD pod-managed identity mapping for the pod from your cluster, and then remove the identity.
+After you've completed your testing and the application is successfully able to get a token using the proxy sidecar, you can remove the Microsoft Entra pod-managed identity mapping for the pod from your cluster, and then remove the identity.
1. Run the [az aks pod-identity delete][az-aks-pod-identity-delete] command to remove the identity from your pod. This should only be done after all pods in the namespace using the pod-managed identity mapping have migrated to use the sidecar.
After you've completed your testing and the application is successfully able to
## Next steps
-This article showed you how to set up your pod to authenticate using a workload identity as a migration option. For more information about Azure AD workload identity, see the following [Overview][workload-identity-overview] article.
+This article showed you how to set up your pod to authenticate using a workload identity as a migration option. For more information about Microsoft Entra Workload ID, see the following [Overview][workload-identity-overview] article.
<!-- INTERNAL LINKS --> [pod-annotations]: workload-identity-overview.md#pod-annotations
aks Workload Identity Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/workload-identity-overview.md
Title: Use an Azure AD workload identity on Azure Kubernetes Service (AKS)
-description: Learn about Azure Active Directory workload identity for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.
+ Title: Use a Microsoft Entra Workload ID on Azure Kubernetes Service (AKS)
+description: Learn about Microsoft Entra Workload ID for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.
Last updated 09/13/2023
-# Use Azure AD workload identity with Azure Kubernetes Service (AKS)
+# Use Microsoft Entra Workload ID with Azure Kubernetes Service (AKS)
-Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Azure Active Directory (Azure AD) application credentials or managed identities to access Azure AD protected resources, such as Azure Key Vault and Microsoft Graph. Azure AD workload identity integrates with the capabilities native to Kubernetes to federate with external identity providers.
+Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Microsoft Entra application credentials or managed identities to access Microsoft Entra protected resources, such as Azure Key Vault and Microsoft Graph. Microsoft Entra Workload ID integrates with the capabilities native to Kubernetes to federate with external identity providers.
-[Azure AD workload identity][azure-ad-workload-identity] uses [Service Account Token Volume Projection][service-account-token-volume-projection] enabling pods to use a Kubernetes identity (that is, a service account). A Kubernetes token is issued and [OIDC federation][oidc-federation] enables Kubernetes applications to access Azure resources securely with Azure AD based on annotated service accounts.
+[Microsoft Entra Workload ID][azure-ad-workload-identity] uses [Service Account Token Volume Projection][service-account-token-volume-projection] enabling pods to use a Kubernetes identity (that is, a service account). A Kubernetes token is issued and [OIDC federation][oidc-federation] enables Kubernetes applications to access Azure resources securely with Microsoft Entra ID based on annotated service accounts.
-Azure AD workload identity works especially well with the [Azure Identity client libraries](#azure-identity-client-libraries) and the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL) collection if you're using [application registration][azure-ad-application-registration]. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources.
+Microsoft Entra Workload ID works especially well with the [Azure Identity client libraries](#azure-identity-client-libraries) and the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL) collection if you're using [application registration][azure-ad-application-registration]. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources.
-This article helps you understand this new authentication feature, and reviews the options available to plan your project strategy and potential migration from Azure AD pod-managed identity.
+This article helps you understand this new authentication feature, and reviews the options available to plan your project strategy and potential migration from Microsoft Entra pod-managed identity.
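Review bot: "Azure Kubernetes Services (AKS) cluster" in the first paragraph should be "Azure Kubernetes Service (AKS)", matching the article title two lines up; and in the second paragraph "uses [Service Account Token Volume Projection] enabling pods to use a Kubernetes identity" needs a comma or "which enables", otherwise "enabling" dangles.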
## Dependencies -- AKS supports Azure AD workload identities on version 1.22 and higher.
+- AKS supports Microsoft Entra Workload ID on version 1.22 and higher.
- The Azure CLI version 2.47.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. ## Azure Identity client libraries
The following client libraries are the **minimum** version required.
| Ecosystem | Library | Image | Example | Has Windows | |--|--|-|-|-|
-| .NET | [microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | `ghcr.io/azure/azure-workload-identity/msal-net:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes |
-| Go | [microsoft-authentication-library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | `ghcr.io/azure/azure-workload-identity/msal-go:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes |
-| Java | [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | `ghcr.io/azure/azure-workload-identity/msal-java:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No |
-| JavaScript | [microsoft-authentication-library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `ghcr.io/azure/azure-workload-identity/msal-node:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No |
-| Python | [microsoft-authentication-library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | `ghcr.io/azure/azure-workload-identity/msal-python:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No |
+| .NET | [Microsoft Authentication Library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | `ghcr.io/azure/azure-workload-identity/msal-net:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes |
+| Go | [Microsoft Authentication Library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | `ghcr.io/azure/azure-workload-identity/msal-go:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes |
+| Java | [Microsoft Authentication Library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | `ghcr.io/azure/azure-workload-identity/msal-java:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No |
+| JavaScript | [Microsoft Authentication Library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `ghcr.io/azure/azure-workload-identity/msal-node:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No |
+| Python | [Microsoft Authentication Library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | `ghcr.io/azure/azure-workload-identity/msal-python:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No |
## Limitations
The following client libraries are the **minimum** version required.
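Review bot: the lead sentence promises "the **minimum** version required" but the table has no version column, and the renamed link text "Microsoft Authentication Library-for-dotnet" splices the product name onto the repository slug; either keep the repository name (`microsoft-authentication-library-for-dotnet`) as the link text or use a readable form such as "MSAL for .NET", and add the minimum version the sentence refers to. The section is also headed "Azure Identity client libraries" while every row is an MSAL library; say which of the two is meant.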
## How it works
-In this security model, the AKS cluster acts as token issuer, Azure Active Directory uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library or the Microsoft Authentication Library.
+In this security model, the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library or the Microsoft Authentication Library.
:::image type="content" source="media/workload-identity-overview/aks-workload-identity-model.png" alt-text="Diagram of the AKS workload identity security model.":::
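Review bot: "the AKS cluster acts as token issuer, Microsoft Entra ID uses OpenID Connect to discover public signing keys" is a comma splice joining the two halves of the trust model; write "acts as the token issuer; Microsoft Entra ID uses OpenID Connect ..." (or join with "and"), since this sentence is the one-line description the diagram below illustrates.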
-The following table describes the required OIDC issuer endpoints for Azure AD workload identity:
+The following table describes the required OIDC issuer endpoints for Microsoft Entra Workload ID:
|Endpoint |Description | ||| |`{IssuerURL}/.well-known/openid-configuration` |Also known as the OIDC discovery document. This contains the metadata about the issuer's configurations. |
-|`{IssuerURL}/openid/v1/jwks` |This contains the public signing key(s) that Azure AD uses to verify the authenticity of the service account token. |
+|`{IssuerURL}/openid/v1/jwks` |This contains the public signing key(s) that Microsoft Entra ID uses to verify the authenticity of the service account token. |
The following diagram summarizes the authentication sequence using OpenID Connect.
Similar to other webhook addons, the certificate is rotated by cluster certifica
## Service account labels and annotations
-Azure AD workload identity supports the following mappings related to a service account:
+Microsoft Entra Workload ID supports the following mappings related to a service account:
-- One-to-one where a service account references an Azure AD object.-- Many-to-one where multiple service accounts references the same Azure AD object.-- One-to-many where a service account references multiple Azure AD objects by changing the client ID annotation. For more information, see [How to federate multiple identities with a Kubernetes service account][multiple-identities].
+- One-to-one where a service account references a Microsoft Entra object.
+- Many-to-one where multiple service accounts references the same Microsoft Entra object.
+- One-to-many where a service account references multiple Microsoft Entra objects by changing the client ID annotation. For more information, see [How to federate multiple identities with a Kubernetes service account][multiple-identities].
> [!NOTE] > If the service account annotations are updated, you need to restart the pod for the changes to take effect.
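Review bot: "multiple service accounts references the same Microsoft Entra object" should be "reference"; splitting the run-together list into three bullets is the right fix, so only the verb needs changing.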
-If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think of a service account as an Azure Identity, except a service account is part of the core Kubernetes API, rather than a [Custom Resource Definition][custom-resource-definition] (CRD). The following describes a list of available labels and annotations that can be used to configure the behavior when exchanging the service account token for an Azure AD access token.
+If you've used [Microsoft Entra pod-managed identity][use-azure-ad-pod-identity], think of a service account as an Azure Identity, except a service account is part of the core Kubernetes API, rather than a [Custom Resource Definition][custom-resource-definition] (CRD). The following describes a list of available labels and annotations that can be used to configure the behavior when exchanging the service account token for a Microsoft Entra access token.
### Service account annotations
All annotations are optional. If the annotation isn't specified, the default val
|Annotation |Description |Default | |--||--|
-|`azure.workload.identity/client-id` |Represents the Azure AD application<br> client ID to be used with the pod. ||
-|`azure.workload.identity/tenant-id` |Represents the Azure tenant ID where the<br> Azure AD application is registered. |AZURE_TENANT_ID environment variable extracted<br> from `azure-wi-webhook-config` ConfigMap.|
-|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the<br> projected service account token. It's an optional field that you configure to prevent downtime<br> caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. |3600<br> Supported range is 3600-86400.|
+|`azure.workload.identity/client-id` |Represents the Microsoft Entra application<br> client ID to be used with the pod. ||
+|`azure.workload.identity/tenant-id` |Represents the Azure tenant ID where the<br> Microsoft Entra application is registered. |AZURE_TENANT_ID environment variable extracted<br> from `azure-wi-webhook-config` ConfigMap.|
+|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the<br> projected service account token. It's an optional field that you configure to prevent downtime<br> caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Microsoft Entra tokens. Microsoft Entra tokens expire in 24 hours after they're issued. |3600<br> Supported range is 3600-86400.|
### Pod labels
All annotations are optional. If the annotation isn't specified, the default val
|Annotation |Description |Default | |--||--|
-|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. |
+|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Microsoft Entra tokens. Microsoft Entra tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. |
|`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example, `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |
-|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true |
+|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire a Microsoft Entra token on behalf of the user with federated identity credential. |true |
|`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8000 | <sup>1</sup> Takes precedence if the service account is also annotated.
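Review bot: the heading is `### Pod labels` but the table under it is headed `|Annotation |Description |Default |`, its lead sentence says "All annotations are optional", and the migration article links to this section as `workload-identity-overview.md#pod-annotations`, an anchor a "Pod labels" heading does not produce; make the heading, the table header and the link reference agree. The `azure.workload.identity/skip-containers` row already distinguishes the two, since its default text says the service account is *labeled* with `azure.workload.identity/use: true` while the settings in this table are applied to the pod.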
analysis-services Analysis Services Addservprinc Admins https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-addservprinc-admins.md
> Service principals must be added directly to the server administrator role. Adding a service principal to a security group, and then adding that security group to the server administrator role is not supported. ## Before you begin
-Before completing this task, you must have a service principal registered in Azure Active Directory.
+Before completing this task, you must have a service principal registered in Microsoft Entra ID.
[Create service principal - Azure portal](../active-directory/develop/howto-create-service-principal-portal.md) [Create service principal - PowerShell](../active-directory/develop/howto-authenticate-service-principal-powershell.md)
analysis-services Analysis Services Async Refresh https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-async-refresh.md
https://westus.asazure.windows.net/servers/myserver/models/AdventureWorks/refres
## Authentication
-All calls must be authenticated with a valid Azure Active Directory (OAuth 2) token in the Authorization header and must meet the following requirements:
+All calls must be authenticated with a valid Microsoft Entra ID (OAuth 2) token in the Authorization header and must meet the following requirements:
- The token must be either a user token or an application service principal. - The token must have the correct audience set to `https://*.asazure.windows.net`.
See [Create service principal - Azure portal](../active-directory/develop/howto-
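Review bot: "a valid Microsoft Entra ID (OAuth 2) token" reads as if "Microsoft Entra ID" were the token type; phrase it as "a valid OAuth 2.0 access token issued by Microsoft Entra ID". The requirement line "The token must be either a user token or an application service principal" also compares a token with a principal; "a token issued for a user or for an application (service principal)" says what is meant, and the audience check `https://*.asazure.windows.net` is the one that actually matters, so keep it as the second requirement.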
## See also [Samples](analysis-services-samples.md)
-[REST API](/rest/api/analysisservices/servers)
+[REST API](/rest/api/analysisservices/servers)
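Review bot: this hunk changes only the line ending of the `[REST API]` link, with no textual change (the `[Manage your server]` link in the analysis-services-connect article below has the same whitespace-only hunk); if the trailing newline fix is intended, fine, otherwise drop it so the commit stays a terminology rename.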
analysis-services Analysis Services Backup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-backup.md
When restoring, your backup file must be in the storage account you've configure
> [!NOTE]
-> If you're restoring from an on-premises server, you must remove all the domain users from the model's roles and add them back to the roles as Azure Active Directory users.
+> If you're restoring from an on-premises server, you must remove all the domain users from the model's roles and add them back to the roles as Microsoft Entra users.
> >
analysis-services Analysis Services Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-connect.md
In **Azure portal** > server > **Overview** > **Server name**, copy the entire s
When connecting to Azure Analysis Services using the Tabular Object Model, use the following connection string formats:
-###### Integrated Azure Active Directory authentication
+<a name='integrated-azure-active-directory-authentication'></a>
-Integrated authentication picks up the Azure Active Directory credential cache if available. If not, the Azure login window is shown.
+###### Integrated Microsoft Entra authentication
+
+Integrated authentication picks up the Microsoft Entra credential cache if available. If not, the Azure login window is shown.
``` "Provider=MSOLAP;Data Source=<Azure AS instance name>;" ```
-###### Azure Active Directory authentication with username and password
+<a name='azure-active-directory-authentication-with-username-and-password'></a>
+
+###### Microsoft Entra authentication with username and password
``` "Provider=MSOLAP;Data Source=<Azure AS instance name>;User ID=<user name>;Password=<password>;Persist Security Info=True; Impersonation Level=Impersonate;";
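Review bot: keeping the `<a name='...'>` anchors for the renamed headings is right, but the username/password connection string that follows embeds the password and sets `Persist Security Info=True` with no caution, while the integrated-authentication string above it needs neither; add a sentence that the username/password form keeps the credential in the connection string and should only be used where the integrated (credential-cache) form cannot, so the rename does not leave the two options looking equivalent.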
Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked
[Connect with Excel](analysis-services-connect-excel.md) [Connect with Power BI](analysis-services-connect-pbi.md)
-[Manage your server](analysis-services-manage.md)
+[Manage your server](analysis-services-manage.md)
analysis-services Analysis Services Create Bicep File https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-bicep-file.md
This quickstart describes how to create an Analysis Services server resource in
## Prerequisites * **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.
-* **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant. And, you need to be signed in to Azure with an account in that Azure Active Directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+* **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant. And, you need to be signed in to Azure with an account in that Microsoft Entra ID. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
## Review the Bicep file
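Review bot: "signed in to Azure with an account in that Microsoft Entra ID" reads oddly after the rename, because "Microsoft Entra ID" is the service name rather than the tenant; the preceding clause already says "Microsoft Entra tenant", so "an account in that tenant" is the right rewrite. The same sentence appears in the analysis-services-create-server and analysis-services-create-template hunks below.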
analysis-services Analysis Services Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-powershell.md
This quickstart describes using PowerShell from the command line to create an Az
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] - **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.-- **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant and you must have an account in that directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+- **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant and you must have an account in that directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
- **Azure PowerShell**. To find the installed version, run `Get-Module -ListAvailable Az`. To install or upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). ## Import Az.AnalysisServices module
analysis-services Analysis Services Create Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-server.md
This quickstart describes how to create an Analysis Services server resource in
## Prerequisites * **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.
-* **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant. And, you need to be signed in to Azure with an account in that Azure Active Directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+* **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant. And, you need to be signed in to Azure with an account in that Microsoft Entra ID. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
## Sign in to the Azure portal
This quickstart describes how to create an Analysis Services server resource in
* **Resource group**: Create a new resource group or select one you already have. Resource groups are designed to help you manage a collection of Azure resources. To learn more, see [resource groups](../azure-resource-manager/management/overview.md). * **Location**: This Azure datacenter location hosts the server. Choose a location nearest your largest user base. * **Pricing tier**: Select a pricing tier. If you are testing and intend to install the sample model database, select the free **D1** tier. To learn more, see [Azure Analysis Services pricing](https://azure.microsoft.com/pricing/details/analysis-services/).
- * **Administrator**: By default, this will be the account you are logged in with. You can choose a different account from your Azure Active Directory.
+ * **Administrator**: By default, this will be the account you are logged in with. You can choose a different account from your Microsoft Entra ID.
* **Backup Storage setting**: Optional. If you already have a [storage account](../storage/common/storage-introduction.md), you can specify it as the default for model database backup. You can also specify [backup and restore](analysis-services-backup.md) settings later. * **Storage key expiration**: Optional. Specify a storage key expiration period.
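Review bot: "You can choose a different account from your Microsoft Entra ID" has the same problem as the prerequisite above it: "Microsoft Entra ID" is the directory service, and the intended scope is the tenant the subscription is associated with, so write "from your Microsoft Entra tenant".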
analysis-services Analysis Services Create Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-create-template.md
If your environment meets the prerequisites and you're familiar with using ARM t
## Prerequisites * **Azure subscription**: Visit [Azure Free Trial](https://azure.microsoft.com/offers/ms-azr-0044p/) to create an account.
-* **Azure Active Directory**: Your subscription must be associated with an Azure Active Directory tenant. And, you need to be signed in to Azure with an account in that Azure Active Directory. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+* **Microsoft Entra ID**: Your subscription must be associated with a Microsoft Entra tenant. And, you need to be signed in to Azure with an account in that Microsoft Entra ID. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
## Review the template
analysis-services Analysis Services Database Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-database-users.md
# Manage database roles and users
-At the model database level, all users must belong to a role. Roles define users with particular permissions for the model database. Any user or security group added to a role must have an account in an Azure AD tenant in the same subscription as the server.
+At the model database level, all users must belong to a role. Roles define users with particular permissions for the model database. Any user or security group added to a role must have an account in a Microsoft Entra tenant in the same subscription as the server.
How you define roles is different depending on the tool you use, but the effect is the same.
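Review bot: "an account in a Microsoft Entra tenant in the same subscription as the server" inverts the relationship; a subscription is associated with a tenant, not the other way round, and the analysis-services-create-powershell prerequisite above states it correctly ("Your subscription must be associated with a Microsoft Entra tenant"). Write "an account in the Microsoft Entra tenant that the server's subscription is associated with".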
When adding a **service principal** use `app:appid@tenantid`.
6. Click **Members** > **Add External**.
-8. In **Add External Member**, enter users or groups in your tenant Azure AD by email address. After you click OK and close Role Manager, roles and role members appear in Tabular Model Explorer.
+8. In **Add External Member**, enter users or groups in your tenant Microsoft Entra ID by email address. After you click OK and close Role Manager, roles and role members appear in Tabular Model Explorer.
![Screen showing roles and users in Tabular Model Explorer.](./media/analysis-services-database-users/aas-roles-tmexplorer.png)
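Review bot: "in your tenant Microsoft Entra ID by email address" is the old "tenant Azure AD" with the name swapped in and does not parse; use "in your Microsoft Entra tenant". The same construction recurs at the Membership step ("in your tenant Microsoft Entra ID") and in the TMSL sample lead-in ("must be in same tenant Microsoft Entra ID", which also needs "the same").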
To add roles and users to a deployed model database, you must be connected to th
|**Process database**|Members can run Process and Process All operations. Cannot modify the model schema and cannot query data.| |**Read**|Members can query data (based on row filters) but cannot modify the model schema.|
-4. Click **Membership**, then enter a user or group in your tenant Azure AD by email address.
+4. Click **Membership**, then enter a user or group in your tenant Microsoft Entra ID by email address.
![Screen showing Add user.](./media/analysis-services-database-users/aas-roles-adduser-ssms.png)
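Review bot: The Membership step's "a user or group in your tenant Microsoft Entra ID" has the same article problem after the rename; suggest "a user or group in your Microsoft Entra tenant".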
You can run a TMSL script in the XMLA window in SSMS or by using PowerShell. Use
**Sample TMSL script**
-In this sample, a B2B external user and a group are added to the Analyst role with Read permissions for the SalesBI database. Both the external user and group must be in same tenant Azure AD.
+In this sample, a B2B external user and a group are added to the Analyst role with Read permissions for the SalesBI database. Both the external user and group must be in same tenant Microsoft Entra ID.
``` {
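Review bot: "Both the external user and group must be in same tenant Microsoft Entra ID" drops the article and tacks the product name onto "tenant"; the constraint being stated is "must be in the same Microsoft Entra tenant". Precision matters here because the TMSL sample that follows adds a B2B guest by email address, and that guest identity has to exist in this tenant before the role membership can resolve.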
analysis-services Analysis Services Gateway Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-gateway-install.md
To learn more about how Azure Analysis Services works with the gateway, see [Con
* Install the gateway on a computer that remains on and does not go to sleep. * Do not install the gateway on a computer with a wireless only connection to your network. Performance can be diminished. * When installing the gateway, the user account you're signed in to your computer with must have Log on as service privileges. When install is complete, the On-premises data gateway service uses the NT SERVICE\PBIEgwService account to log on as a service. A different account can be specified during setup or in Services after setup is complete. Ensure Group Policy settings allow both the account you're signed in with when installing and the service account you choose have Log on as service privileges.
-* Sign in to Azure with an account in Azure AD for the same [tenant](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) as the subscription you are registering the gateway in. Azure B2B (guest) accounts are not supported when installing and registering a gateway.
+* Sign in to Azure with an account in Microsoft Entra ID for the same [tenant](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) as the subscription you are registering the gateway in. Azure B2B (guest) accounts are not supported when installing and registering a gateway.
* If data sources are on an Azure Virtual Network (VNet), you must configure the [AlwaysUseGateway](analysis-services-vnet-gateway.md) server property. * If installing the gateway on an Azure Virtual Machine (VM), ensure optimal networking performance by configuring Accelerated networking. To learn more, see [Create a Windows VM with accelerated networking](../virtual-network/create-vm-accelerated-networking-powershell.md).
To learn more about how Azure Analysis Services works with the gateway, see [Con
![Screenshot showing install location and license terms.](media/analysis-services-gateway-install/aas-gateway-installer-accept.png)
-3. Sign in to Azure. The account must be in your tenant's Azure Active Directory. This account is used for the gateway administrator. Azure B2B (guest) accounts are not supported when installing and registering the gateway.
+3. Sign in to Azure. The account must be in your tenant's Microsoft Entra ID. This account is used for the gateway administrator. Azure B2B (guest) accounts are not supported when installing and registering the gateway.
![Screenshot showing sign in to Azure.](media/analysis-services-gateway-install/aas-gateway-installer-account.png) > [!NOTE]
- > If you sign in with a domain account, it's mapped to your organizational account in Azure AD. Your organizational account is used as the gateway administrator.
+ > If you sign in with a domain account, it's mapped to your organizational account in Microsoft Entra ID. Your organizational account is used as the gateway administrator.
## Register
analysis-services Analysis Services Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-gateway.md
Information provided here is specific to how Azure Analysis Services works with
For Azure Analysis Services, getting setup with the gateway the first time is a four-part process: -- **Download and run setup** - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your [tenant's](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) Azure AD. Azure B2B (guest) accounts are not supported.
+- **Download and run setup** - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your [tenant's](/previous-versions/azure/azure-services/jj573650(v=azure.100)#what-is-an-azure-ad-tenant) Microsoft Entra ID. Azure B2B (guest) accounts are not supported.
- **Register your gateway** - In this step, you specify a name and recovery key for your gateway and select a region, registering your gateway with the Gateway Cloud Service. Your gateway resource can be registered in any region, but it's recommended it be in the same region as your Analysis Services servers.
analysis-services Analysis Services Manage Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-manage-users.md
Title: Azure Analysis Services authentication and user permissions| Microsoft Docs
-description: This article describes how Azure Analysis Services uses Azure Active Directory (Azure AD) for identity management and user authentication.
+description: This article describes how Azure Analysis Services uses Microsoft Entra ID for identity management and user authentication.
# Authentication and user permissions
-Azure Analysis Services uses Azure Active Directory (Azure AD) for identity management and user authentication. Any user creating, managing, or connecting to an Azure Analysis Services server must have a valid user identity in an [Azure AD tenant](../active-directory/fundamentals/active-directory-whatis.md) in the same subscription.
+Azure Analysis Services uses Microsoft Entra ID for identity management and user authentication. Any user creating, managing, or connecting to an Azure Analysis Services server must have a valid user identity in an [Microsoft Entra tenant](../active-directory/fundamentals/active-directory-whatis.md) in the same subscription.
-Azure Analysis Services supports [Azure AD B2B collaboration](../active-directory/external-identities/what-is-b2b.md). With B2B, users from outside an organization can be invited as guest users in an Azure AD directory. Guests can be from another Azure AD tenant directory or any valid email address. Once invited and the user accepts the invitation sent by email from Azure, the user identity is added to the tenant directory. Those identities can be added to security groups or as members of a server administrator or database role.
+Azure Analysis Services supports [Microsoft Entra B2B collaboration](../active-directory/external-identities/what-is-b2b.md). With B2B, users from outside an organization can be invited as guest users in a Microsoft Entra directory. Guests can be from another Microsoft Entra tenant directory or any valid email address. Once invited and the user accepts the invitation sent by email from Azure, the user identity is added to the tenant directory. Those identities can be added to security groups or as members of a server administrator or database role.
![Azure Analysis Services authentication architecture](./media/analysis-services-manage-users/aas-manage-users-arch.png)
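Review bot: Article agreement in the first body paragraph: "a valid user identity in an [Microsoft Entra tenant]" should be "in a [Microsoft Entra tenant]". The "an" was correct for "Azure AD tenant" and was carried over unchanged.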
Azure Analysis Services supports [Azure AD B2B collaboration](../active-director
All client applications and tools use one or more of the Analysis Services [client libraries](/analysis-services/client-libraries?view=azure-analysis-services-current&preserve-view=true) (AMO, MSOLAP, ADOMD) to connect to a server.
-All three client libraries support both Azure AD interactive flow, and non-interactive authentication methods. The two non-interactive methods, Active Directory Password and Active Directory Integrated Authentication methods can be used in applications utilizing AMOMD and MSOLAP. These two methods never result in pop-up dialog boxes for sign in.
+All three client libraries support both Microsoft Entra interactive flow, and non-interactive authentication methods. The two non-interactive methods, Active Directory Password and Active Directory Integrated Authentication methods can be used in applications utilizing AMOMD and MSOLAP. These two methods never result in pop-up dialog boxes for sign in.
Client applications like Excel and Power BI Desktop, and tools like SSMS and Analysis Services projects extension for Visual Studio install the latest versions of the client libraries with regular updates. Power BI Desktop, SSMS, and Analysis Services projects extension are updated monthly. Excel is [updated with Microsoft 365](https://support.microsoft.com/office/when-do-i-get-the-newest-features-for-microsoft-365-da36192c-58b9-4bc9-8d51-bb6eed468516). Microsoft 365 updates are less frequent, and some organizations use the deferred channel, meaning updates are deferred up to three months. Depending on the client application or tools you use, the type of authentication and how you sign in may be different. Each application may support different features for connecting to cloud services like Azure Analysis Services.
-Power BI Desktop, Visual Studio, and SSMS support Active Directory Universal Authentication, an interactive method that also supports Azure AD Multi-Factor Authentication (MFA). Azure AD MFA helps safeguard access to data and applications while providing a simple sign in process. It delivers strong authentication with several verification options (phone call, text message, smart cards with pin, or mobile app notification). Interactive MFA with Azure AD can result in a pop-up dialog box for validation. **Universal Authentication is recommended**.
+Power BI Desktop, Visual Studio, and SSMS support Active Directory Universal Authentication, an interactive method that also supports Microsoft Entra multifactor authentication (MFA). Microsoft Entra multifactor authentication helps safeguard access to data and applications while providing a simple sign in process. It delivers strong authentication with several verification options (phone call, text message, smart cards with pin, or mobile app notification). Interactive MFA with Microsoft Entra ID can result in a pop-up dialog box for validation. **Universal Authentication is recommended**.
-If signing in to Azure by using a Windows account, and Universal Authentication is not selected or available (Excel), [Active Directory Federation Services (AD FS)](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs) is required. With Federation, Azure AD and Microsoft 365 users are authenticated using on-premises credentials and can access Azure resources.
+If signing in to Azure by using a Windows account, and Universal Authentication is not selected or available (Excel), [Active Directory Federation Services (AD FS)](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs) is required. With Federation, Microsoft Entra ID and Microsoft 365 users are authenticated using on-premises credentials and can access Azure resources.
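Review bot: The client-libraries paragraph carries a pre-existing typo into the rewritten line: "applications utilizing AMOMD and MSOLAP" should be "ADOMD and MSOLAP" (the library list two lines above is AMO, MSOLAP, ADOMD). The stray comma in "both Microsoft Entra interactive flow, and non-interactive authentication methods" can be dropped as well while the line is being touched.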
### SQL Server Management Studio (SSMS)
Azure Analysis Services servers support connections from [SSMS V17.1](/sql/ssms/
* Supports Azure B2B guest users invited into the Azure AS tenant. When connecting to a server, guest users must select Active Directory Universal Authentication when connecting to the server.
-* Supports Multi-Factor Authentication (MFA). Azure AD MFA helps safeguard access to data and applications with a range of verification options: phone call, text message, smart cards with pin, or mobile app notification. Interactive MFA with Azure AD can result in a pop-up dialog box for validation.
+* Supports multifactor authentication (MFA). Microsoft Entra multifactor authentication helps safeguard access to data and applications with a range of verification options: phone call, text message, smart cards with pin, or mobile app notification. Interactive MFA with Microsoft Entra ID can result in a pop-up dialog box for validation.
### Visual Studio
Power BI Desktop connects to Azure Analysis Services using Active Directory Univ
### Excel
-Excel users can connect to a server by using a Windows account, an organization ID (email address), or an external email address. External email identities must exist in the Azure AD as a guest user.
+Excel users can connect to a server by using a Windows account, an organization ID (email address), or an external email address. External email identities must exist in the Microsoft Entra ID as a guest user.
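Review bot: "External email identities must exist in the Microsoft Entra ID as a guest user" uses the product name where the directory is meant, and the number does not agree with "identities". "must exist in the Microsoft Entra tenant as guest users" states the requirement without the extra article.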
## User permissions
-**Server administrators** are specific to an Azure Analysis Services server instance. They connect with tools like Azure portal, SSMS, and Visual Studio to perform tasks like configuring settings and managing user roles. By default, the user that creates the server is automatically added as an Analysis Services server administrator. Other administrators can be added by using Azure portal or SSMS. Server administrators must have an account in the Azure AD tenant in the same subscription. To learn more, see [Manage server administrators](analysis-services-server-admins.md).
+**Server administrators** are specific to an Azure Analysis Services server instance. They connect with tools like Azure portal, SSMS, and Visual Studio to perform tasks like configuring settings and managing user roles. By default, the user that creates the server is automatically added as an Analysis Services server administrator. Other administrators can be added by using Azure portal or SSMS. Server administrators must have an account in the Microsoft Entra tenant in the same subscription. To learn more, see [Manage server administrators](analysis-services-server-admins.md).
**Database users** connect to model databases by using client applications like Excel or Power BI. Users must be added to database roles. Database roles define administrator, process, or read permissions for a database. It's important to understand database users in a role with administrator permissions is different than server administrators. However, by default, server administrators are also database administrators. To learn more, see [Manage database roles and users](analysis-services-database-users.md).
-**Azure resource owners**. Resource owners manage resources for an Azure subscription. Resource owners can add Azure AD user identities to Owner or Contributor Roles within a subscription by using **Access control** in Azure portal, or with Azure Resource Manager templates.
+**Azure resource owners**. Resource owners manage resources for an Azure subscription. Resource owners can add Microsoft Entra user identities to Owner or Contributor Roles within a subscription by using **Access control** in Azure portal, or with Azure Resource Manager templates.
![Access control in Azure portal](./media/analysis-services-manage-users/aas-manage-users-rbac.png)
Roles at this level apply to users or accounts that need to perform tasks that c
## Database roles
- Roles defined for a tabular model are database roles. That is, the roles contain members consisting of Azure AD users and security groups that have specific permissions that define the action those members can take on a model database. A database role is created as a separate object in the database, and applies only to the database in which that role is created.
+ Roles defined for a tabular model are database roles. That is, the roles contain members consisting of Microsoft Entra users and security groups that have specific permissions that define the action those members can take on a model database. A database role is created as a separate object in the database, and applies only to the database in which that role is created.
By default, when you create a new tabular model project, the model project does not have any roles. Roles can be defined by using the Role Manager dialog box in Visual Studio. When roles are defined during model project design, they are applied only to the model workspace database. When the model is deployed, the same roles are applied to the deployed model. After a model has been deployed, server and database administrators can manage roles and members by using SSMS. To learn more, see [Manage database roles and users](analysis-services-database-users.md).
Roles at this level apply to users or accounts that need to perform tasks that c
## Next steps
-[Manage access to resources with Azure Active Directory groups](../active-directory/fundamentals/active-directory-manage-groups.md)
+[Manage access to resources with Microsoft Entra groups](../active-directory/fundamentals/active-directory-manage-groups.md)
[Manage database roles and users](analysis-services-database-users.md) [Manage server administrators](analysis-services-server-admins.md) [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md)
analysis-services Analysis Services Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-manage.md
To get all the latest features, and the smoothest experience when connecting to
**DAX Studio** – An open-source tool for DAX authoring, diagnosis, performance tuning, and analysis. Features include object browsing, integrated tracing, query execution breakdowns with detailed statistics, DAX syntax highlighting and formatting. XMLA read-only is required for query operations. To learn more, see [daxstudio.org](https://daxstudio.org/). ## Server administrators and database users
-In Azure Analysis Services, there are two types of users, server administrators and database users. Both types of users must be in your Azure Active Directory and must be specified by organizational email address or UPN. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+In Azure Analysis Services, there are two types of users, server administrators and database users. Both types of users must be in your Microsoft Entra ID and must be specified by organizational email address or UPN. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
## Troubleshooting connection problems When connecting using SSMS, if you run into problems, you may need to clear the login cache. Nothing is cached to disc. To clear the cache, close and restart the connect process.
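Review bot: In the Server administrators and database users section, "Both types of users must be in your Microsoft Entra ID" reads as if the service were a container; "must be in your Microsoft Entra tenant" keeps the actual constraint (an account in the tenant, specified by organizational email address or UPN) explicit.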
analysis-services Analysis Services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-overview.md
Azure Analysis Services is a fully managed platform as a service (PaaS) that pro
In Azure portal, you can [create a server](analysis-services-create-server.md) within minutes. And with Azure Resource Manager [templates](../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md) and PowerShell, you can create servers using a declarative template. With a single template, you can deploy server resources along with other Azure components such as storage accounts and Azure Functions.
-Azure Analysis Services integrates with many Azure services enabling you to build sophisticated analytics solutions. Integration with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) provides secure, role-based access to your critical data. Integrate with [Azure Data Factory](../data-factory/introduction.md) pipelines by including an activity that loads data into the model. [Azure Automation](../automation/automation-intro.md) and [Azure Functions](../azure-functions/functions-overview.md) can be used for lightweight orchestration of models using custom code.
+Azure Analysis Services integrates with many Azure services enabling you to build sophisticated analytics solutions. Integration with [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) provides secure, role-based access to your critical data. Integrate with [Azure Data Factory](../data-factory/introduction.md) pipelines by including an activity that loads data into the model. [Azure Automation](../automation/automation-intro.md) and [Azure Functions](../azure-functions/functions-overview.md) can be used for lightweight orchestration of models using custom code.
## The right tier when you need it
Azure Analysis Services Firewall blocks all client connections other than those
### Authentication
-User authentication is handled by [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Azure Active Directory for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+User authentication is handled by [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Microsoft Entra ID for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
### Data security
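Review bot: "User identities must be members of the default Microsoft Entra ID for the subscription" in the Authentication section: there is one Microsoft Entra ID service, but a subscription has a default Microsoft Entra tenant, so "members of the default Microsoft Entra tenant for the subscription" is the accurate phrasing.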
Secure access to data sources on-premises in your organization is achieved by in
### Roles
-Analysis Services uses [role-based authorization](/analysis-services/tabular-models/roles-ssas-tabular) that grants access to server and model database operations, objects, and data. All users who access a server or database do so with their Azure AD user account within an assigned role. The server administrator role is at the server resource level. By default, the account used when creating a server is automatically included in the Server Admins role. Additional user and group accounts are added by using the portal, SSMS, or PowerShell.
+Analysis Services uses [role-based authorization](/analysis-services/tabular-models/roles-ssas-tabular) that grants access to server and model database operations, objects, and data. All users who access a server or database do so with their Microsoft Entra user account within an assigned role. The server administrator role is at the server resource level. By default, the account used when creating a server is automatically included in the Server Admins role. Additional user and group accounts are added by using the portal, SSMS, or PowerShell.
Non-administrative users who query data are granted access through database roles. A database role is created as a separate object in the database, and applies only to the database in which that role is created. Database roles are defined by (database) Administrator, Read, and Read and Process permissions. User and group accounts are added by using SSMS or PowerShell.
Tabular models at the 1400 and higher compatibility level support object-level s
### Automation through service principals
-Service principals are an Azure Active Directory application resource you create within your tenant to perform unattended resource and service-level operations. Service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks like data refresh, scale up/down, and pause/resume. Permissions are assigned to service principals through role membership. To learn more, see [Automation with service principals](analysis-services-service-principal.md).
+Service principals are a Microsoft Entra application resource you create within your tenant to perform unattended resource and service-level operations. Service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks like data refresh, scale up/down, and pause/resume. Permissions are assigned to service principals through role membership. To learn more, see [Automation with service principals](analysis-services-service-principal.md).
### Azure governance
analysis-services Analysis Services Refresh Azure Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-refresh-azure-automation.md
The example in this article uses the [SqlServer PowerShell module](/powershell/m
## Authentication
-All calls must be authenticated with a valid Azure Active Directory (OAuth 2) token. The example in this article uses a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
+All calls must be authenticated with a valid Microsoft Entra ID (OAuth 2) token. The example in this article uses a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
## Prerequisites
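Review bot: "a valid Microsoft Entra ID (OAuth 2) token" in the Authentication section is easy to misread as an ID token, which is a different artefact from the OAuth 2 bearer token these calls carry. Suggest "a valid OAuth 2 token issued by Microsoft Entra ID" so the rename does not blur the token type.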
else
## Next steps [Samples](analysis-services-samples.md)
-[REST API](/rest/api/analysisservices/servers)
+[REST API](/rest/api/analysisservices/servers)
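Review bot: The `-[REST API]` / `+[REST API]` pair at the end of Next steps shows no visible difference, so this is a whitespace or end-of-file newline change. Fine if intentional, but it is worth mentioning in the commit message so the hunk is not mistaken for a dropped edit.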
analysis-services Analysis Services Refresh Logic App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-refresh-logic-app.md
To learn more about using REST APIs with Azure Analysis Services, see [Asynchron
## Authentication
-All calls must be authenticated with a valid Azure Active Directory (OAuth 2) token. The examples in this article will use a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
+All calls must be authenticated with a valid Microsoft Entra ID (OAuth 2) token. The examples in this article will use a Service Principal (SPN) to authenticate to Azure Analysis Services. To learn more, see [Create a service principal by using Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
## Design the logic app
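Review bot: In the Authentication section, "a valid Microsoft Entra ID (OAuth 2) token" invites confusion between an OpenID Connect ID token and the OAuth 2 access token the HTTP action actually presents; "a valid OAuth 2 token issued by Microsoft Entra ID" avoids the ambiguity.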
Configure the HTTP activity as follows:
|**Headers** | Content-Type, application/json <br /> <br /> ![Headers](./media/analysis-services-async-refresh-logic-app/6.png) | |**Body** | To learn more about forming the request body, see [Asynchronous refresh with the REST API - POST /refreshes](analysis-services-async-refresh.md#post-refreshes). | |**Authentication** |Active Directory OAuth |
-|**Tenant** |Fill in your Azure Active Directory TenantId |
+|**Tenant** |Fill in your Microsoft Entra TenantId |
|**Audience** |https://*.asazure.windows.net | |**Client ID** |Enter your Service Principal Name ClientID | |**Credential Type** |Secret |
Save the Logic App.
## Next steps [Samples](analysis-services-samples.md)
-[REST API](/rest/api/analysisservices/servers)
+[REST API](/rest/api/analysisservices/servers)
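Review bot: The `-[REST API]` / `+[REST API]` pair under Next steps is visually identical; presumably a trailing whitespace or final newline fix. Calling that out in the commit message would save the next reviewer a diff of the raw bytes.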
analysis-services Analysis Services Server Admins https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-server-admins.md
# Manage server administrators
-Server administrators must be a valid user, service principal, or security group in the Azure Active Directory (Azure AD) for the tenant in which the server resides. You can use **Analysis Services Admins** for your server in Azure portal, Server Properties in SSMS, PowerShell, or REST API to manage server administrators.
+Server administrators must be a valid user, service principal, or security group in the Microsoft Entra ID for the tenant in which the server resides. You can use **Analysis Services Admins** for your server in Azure portal, Server Properties in SSMS, PowerShell, or REST API to manage server administrators.
When adding a **security group**, use `obj:groupid@tenantid`. Service principals are not supported in security groups added to the server administrator role.
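Review bot: "a valid user, service principal, or security group in the Microsoft Entra ID for the tenant in which the server resides" should be "in the Microsoft Entra tenant in which the server resides". The product name does not take "the", and "for the tenant" was the directory qualifier under the old name, so the two now say the same thing twice.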
If server firewall is enabled, server administrator client computer IP addresses
1. In the portal, for your server, click **Analysis Services Admins**. 2. In **\<servername> - Analysis Services Admins**, click **Add**.
-3. In **Add Server Administrators**, select user accounts from your Azure AD or invite external users by email address.
+3. In **Add Server Administrators**, select user accounts from your Microsoft Entra ID or invite external users by email address.
![Server Admins in Azure portal](./media/analysis-services-server-admins/aas-manage-users-admins.png)
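Review bot: Step 3's "select user accounts from your Microsoft Entra ID" reads better as "from your Microsoft Entra tenant", since the tenant is the directory the accounts are picked from.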
If server firewall is enabled, server administrator client computer IP addresses
1. Right-click the server > **Properties**. 2. In **Analysis Server Properties**, click **Security**.
-3. Click **Add**, and then enter the email address for a user or group in your Azure AD.
+3. Click **Add**, and then enter the email address for a user or group in your Microsoft Entra ID.
![Add server administrators in SSMS](./media/analysis-services-server-admins/aas-manage-users-ssms.png)
analysis-services Analysis Services Service Principal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/analysis-services-service-principal.md
# Automation with service principals
-Service principals are an Azure Active Directory application resource you create within your tenant to perform unattended resource and service level operations. They're a unique type of *user identity* with an application ID and password or certificate. A service principal has only those permissions necessary to perform tasks defined by the roles and permissions for which it is assigned.
+Service principals are a Microsoft Entra application resource you create within your tenant to perform unattended resource and service level operations. They're a unique type of *user identity* with an application ID and password or certificate. A service principal has only those permissions necessary to perform tasks defined by the roles and permissions for which it is assigned.
-In Analysis Services, service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks. For example, provisioning servers, deploying models, data refresh, scale up/down, and pause/resume can all be automated by using service principals. Permissions are assigned to service principals through role membership, much like regular Azure AD UPN accounts.
+In Analysis Services, service principals are used with Azure Automation, PowerShell unattended mode, custom client applications, and web apps to automate common tasks. For example, provisioning servers, deploying models, data refresh, scale up/down, and pause/resume can all be automated by using service principals. Permissions are assigned to service principals through role membership, much like regular Microsoft Entra UPN accounts.
-Analysis Services does not support operations performed by managed identities using service principals. To learn more, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) and [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-analysis-services).
+Analysis Services does not support operations performed by managed identities using service principals. To learn more, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) and [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-analysis-services).
## Create service principals
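Review bot: the managed-identity sentence in this hunk is still muddled after the rename. "does not support operations performed by managed identities using service principals" reads as if managed identities were a way of using service principals, when a managed identity is itself a service principal whose credential is issued and rotated by the platform. Suggest "Analysis Services does not support authentication with managed identities; use a service principal with its own certificate or secret instead", which also makes the security trade-off explicit: with a plain service principal the operator, not the platform, is responsible for protecting and rotating the credential.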
analysis-services Analysis Services Tutorial Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/analysis-services/tutorials/analysis-services-tutorial-roles.md
To learn more about user security in Azure Analysis Services, see [Authenticatio
## Prerequisites -- An Azure Active Directory in your subscription.
+- A Microsoft Entra ID in your subscription.
- Created an [Azure Analysis Services server](../analysis-services-create-server.md) in your subscription. - Have [server administrator](../analysis-services-server-admins.md) permissions. - [Add the adventureworks sample model](../analysis-services-create-sample-model.md) to your server.
For the remaining tasks, you use SSMS to connect to and manage your server.
## Add a user account to the server administrator role
-In this task, you add a user or group account from your Azure AD to the server administrator role. If specifying a security group, use `obj:groupid@tenantid`.
+In this task, you add a user or group account from your Microsoft Entra ID to the server administrator role. If specifying a security group, use `obj:groupid@tenantid`.
1. In **Object Explorer**, right-click your server name, and then click **Properties**. 2. In the **Analysis Server Properties** window, click **Security** > **Add**.
-3. In the **Select a User or Group** window, enter a user or group account in your Azure AD, and then click **Add**.
+3. In the **Select a User or Group** window, enter a user or group account in your Microsoft Entra ID, and then click **Add**.
![Add server admin](./media/analysis-services-tutorial-roles/aas-add-server-admin.png)
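Review bot: "A Microsoft Entra ID in your subscription" and "a user or group account from your Microsoft Entra ID" are the result of a mechanical substitution of "Azure AD" by "Microsoft Entra ID". The product name is not a countable noun; the thing in the subscription is a tenant. Suggest "A Microsoft Entra tenant in your subscription" and "from your Microsoft Entra tenant" here, and the same fix where the phrase recurs in the XMLA and TMSL steps further down ("a user or group account in your Microsoft Entra ID"). The `obj:groupid@tenantid` form for security groups is unaffected by the rename.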
In this task, you add a user or group account to the Internet Sales Administrato
![New Query Editor Window](./media/analysis-services-tutorial-roles/aas-add-db-admin.png)
-3. In the **XMLAQuery**, change the value for **"memberName":** to a user or group account in your Azure AD. By default, the account you're signed in with is included; however, you do not need to add your own account because you are already a server administrator.
+3. In the **XMLAQuery**, change the value for **"memberName":** to a user or group account in your Microsoft Entra ID. By default, the account you're signed in with is included; however, you do not need to add your own account because you are already a server administrator.
![TMSL script in XMLA query](./media/analysis-services-tutorial-roles/aas-add-db-admin-script.png)
In this task, you add a user or group account to the Internet Sales Administrato
## Add a new model database role and add a user or group
-In this task, you use the [Create](/analysis-services/tmsl/create-command-tmsl) command in a TMSL script to create a new Internet Sales Global role, specify *read* permissions for the role, and add a user or group account from your Azure AD.
+In this task, you use the [Create](/analysis-services/tmsl/create-command-tmsl) command in a TMSL script to create a new Internet Sales Global role, specify *read* permissions for the role, and add a user or group account from your Microsoft Entra ID.
1. In **Object Explorer**, right-click **adventureworks**, and then click **New Query** > **XMLA**. 2. Copy and paste the following TMSL script into the query editor:
In this task, you use the [Create](/analysis-services/tmsl/create-command-tmsl)
} ```
-3. Change `"memberName": "globalsales@adventureworks.com"` object value to a user or group account in your Azure AD.
+3. Change `"memberName": "globalsales@adventureworks.com"` object value to a user or group account in your Microsoft Entra ID.
4. Press **F5**, to execute the script. ## Verify your changes
When no longer needed, delete the user or group accounts and roles. To do so, us
In this tutorial, you learned how to connect to your Azure AS server and explore the adventureworks sample model databases and properties in SSMS. You also learned how to use SSMS and TMSL scripts to add users or groups to existing and new roles. Now that you have user permissions configured for your server and sample model database, you and other users can connect to it by using client applications like Power BI. To learn more, continue to the next tutorial. > [!div class="nextstepaction"]
-> [Tutorial: Connect with Power BI Desktop](analysis-services-tutorial-pbid.md)
+> [Tutorial: Connect with Power BI Desktop](analysis-services-tutorial-pbid.md)
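Review bot: the last hunk of this file removes and re-adds identical text ("> [Tutorial: Connect with Power BI Desktop](analysis-services-tutorial-pbid.md)"), so the change is whitespace or end-of-file newline only. Harmless, but confirm it is intentional rather than an editor artifact before merging.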
api-management Api Management Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-features.md
Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
| Feature | Consumption | Developer | Basic | Standard | Premium | | -- | -- | | -- | -- | - |
-| Azure AD integration<sup>1</sup> | No | Yes | No | Yes | Yes |
+| Microsoft Entra integration<sup>1</sup> | No | Yes | No | Yes | Yes |
| Virtual Network (VNet) support | No | Yes | No | No | Yes | | Private endpoint support for inbound connections | No | Yes | Yes | Yes | Yes | | Multi-region deployment | No | No | No | No | Yes |
Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
| [Pass-through GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes | | [Synthetic GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |
-<sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
+<sup>1</sup> Enables the use of Microsoft Entra ID (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
<sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/> <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/> <sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/>
api-management Api Management Howto Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-aad.md
Title: Authorize access to API Management developer portal by using Azure AD
+ Title: Authorize access to API Management developer portal by using Microsoft Entra ID
-description: Learn how to enable user sign-in to the API Management developer portal by using Azure Active Directory.
+description: Learn how to enable user sign-in to the API Management developer portal by using Microsoft Entra ID.
-# Authorize developer accounts by using Azure Active Directory in Azure API Management
+# Authorize developer accounts by using Microsoft Entra ID in Azure API Management
In this article, you'll learn how to: > [!div class="checklist"]
-> * Enable access to the developer portal for users from Azure Active Directory (Azure AD).
-> * Manage groups of Azure AD users by adding external groups that contain the users.
+> * Enable access to the developer portal for users from Microsoft Entra ID.
+> * Manage groups of Microsoft Entra users by adding external groups that contain the users.
For an overview of options to secure the developer portal, see [Secure access to the API Management developer portal](secure-developer-portal-access.md). > [!IMPORTANT]
-> * This article has been updated with steps to configure an Azure AD app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)).
-> * If you previously configured an Azure AD app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal).
+> * This article has been updated with steps to configure a Microsoft Entra app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)).
+> * If you previously configured a Microsoft Entra app for user sign-in using the Azure AD Authentication Library (ADAL), we recommend that you [migrate to MSAL](#migrate-to-msal).
## Prerequisites
For an overview of options to secure the developer portal, see [Secure access to
[!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)]
-## Enable user sign-in using Azure AD - portal
+<a name='enable-user-sign-in-using-azure-adportal'></a>
-To simplify the configuration, API Management can automatically enable an Azure AD application and identity provider for users of the developer portal. Alternatively, you can manually enable the Azure AD application and identity provider.
+## Enable user sign-in using Microsoft Entra ID - portal
-### Automatically enable Azure AD application and identity provider
+To simplify the configuration, API Management can automatically enable a Microsoft Entra application and identity provider for users of the developer portal. Alternatively, you can manually enable the Microsoft Entra application and identity provider.
+
+<a name='automatically-enable-azure-ad-application-and-identity-provider'></a>
+
+### Automatically enable Microsoft Entra application and identity provider
1. In the left menu of your API Management instance, under **Developer portal**, select **Portal overview**.
-1. On the **Portal overview** page, scroll down to **Enable user sign-in with Azure Active Directory**.
-1. Select **Enable Azure AD**.
-1. On the **Enable Azure AD** page, select **Enable Azure AD**.
+1. On the **Portal overview** page, scroll down to **Enable user sign-in with Microsoft Entra ID**.
+1. Select **Enable Microsoft Entra ID**.
+1. On the **Enable Microsoft Entra ID** page, select **Enable Microsoft Entra ID**.
1. Select **Close**.
- :::image type="content" source="media/api-management-howto-aad/enable-azure-ad-portal.png" alt-text="Screenshot of enabling Azure AD in the developer portal overview page.":::
+ :::image type="content" source="media/api-management-howto-aad/enable-azure-ad-portal.png" alt-text="Screenshot of enabling Microsoft Entra ID in the developer portal overview page.":::
-After the Azure AD provider is enabled:
+After the Microsoft Entra provider is enabled:
-* Users in the specified Azure AD instance can [sign into the developer portal by using an Azure AD account](#log_in_to_dev_portal).
-* You can manage the Azure AD configuration on the **Developer portal** > **Identities** page in the portal.
+* Users in the specified Microsoft Entra instance can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal).
+* You can manage the Microsoft Entra configuration on the **Developer portal** > **Identities** page in the portal.
* Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page. * Republish the developer portal after any configuration change.
-### Manually enable Azure AD application and identity provider
+<a name='manually-enable-azure-ad-application-and-identity-provider'></a>
+
+### Manually enable Microsoft Entra application and identity provider
1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**. 1. Select **+Add** from the top to open the **Add identity provider** pane to the right.
-1. Under **Type**, select **Azure Active Directory** from the drop-down menu. Once selected, you'll be able to enter other necessary information.
+1. Under **Type**, select **Microsoft Entra ID** from the drop-down menu. Once selected, you'll be able to enter other necessary information.
* In the **Client library** dropdown, select **MSAL**. * To add **Client ID** and **Client secret**, see steps later in the article. 1. Save the **Redirect URL** for later.
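Review bot: the first preserved anchor `<a name='enable-user-sign-in-using-azure-adportal'></a>` is added directly above the renamed heading, while the later anchors (`automatically-enable-azure-ad-application-and-identity-provider`, `manually-enable-azure-ad-application-and-identity-provider`) are followed by a blank line before their headings. Make the first one match; raw HTML on the line immediately before a `##` heading gets folded into the HTML block by some Markdown renderers. Keeping the old slugs is the right call, since the in-page link to "the previous section" in the external-groups steps and any external deep links keep resolving.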
After the Azure AD provider is enabled:
> [!IMPORTANT] > Update the **Client secret** before the key expires.
-1. In the **Add identity provider** pane's **Allowed tenants** field, specify the Azure AD instance's domains to which you want to grant access to the API Management service instance APIs.
+1. In the **Add identity provider** pane's **Allowed tenants** field, specify the Microsoft Entra instance's domains to which you want to grant access to the API Management service instance APIs.
* You can separate multiple domains with newlines, spaces, or commas. > [!NOTE] > You can specify multiple domains in the **Allowed Tenants** section. A global administration must grant the application access to directory data before users can sign in from a different domain than the original app registration domain. To grant permission, the global administrator should: > 1. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, `https://contoso.portal.azure-api.net/aadadminconsent`).
- > 1. Enter the domain name of the Azure AD tenant to which they want to grant access.
+ > 1. Enter the domain name of the Microsoft Entra tenant to which they want to grant access.
> 1. Select **Submit**. 1. After you specify the desired configuration, select **Add**.
-1. Republish the developer portal for the Azure AD configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**.
+1. Republish the developer portal for the Microsoft Entra configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**.
-After the Azure AD provider is enabled:
+After the Microsoft Entra provider is enabled:
-* Users in the specified Azure AD instance can [sign into the developer portal by using an Azure AD account](#log_in_to_dev_portal).
-* You can manage the Azure AD configuration on the **Developer portal** > **Identities** page in the portal.
+* Users in the specified Microsoft Entra instance can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal).
+* You can manage the Microsoft Entra configuration on the **Developer portal** > **Identities** page in the portal.
* Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page. * Republish the developer portal after any configuration change. ## Migrate to MSAL
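Review bot: the NOTE under the Allowed tenants step still reads "A global administration must grant the application access", which should be "A global administrator". That step also carries the page's main security control and deserves a sharper sentence: the Allowed tenants list is what limits which tenants' users can sign in to the developer portal, and visiting `/aadadminconsent` grants the app directory-read access in an additional tenant, so both actions widen the set of identities this API Management instance accepts and should be called out as such. "Microsoft Entra instance's domains" would also read better as "tenant's domains".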
-If you previously configured an Azure AD app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management.
+If you previously configured a Microsoft Entra app for user sign-in using the ADAL, you can use the portal to migrate the app to MSAL and update the identity provider in API Management.
-### Update Azure AD app for MSAL compatibility
+<a name='update-azure-ad-app-for-msal-compatibility'></a>
+
+### Update Microsoft Entra app for MSAL compatibility
For steps, see [Switch redirect URIs to the single-page application type](../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform). ### Update identity provider configuration 1. In the left menu of your API Management instance, under **Developer portal**, select **Identities**.
-1. Select **Azure Active Directory** from the list.
+1. Select **Microsoft Entra ID** from the list.
1. In the **Client library** dropdown, select **MSAL**. 1. Select **Update**. 1. [Republish your developer portal](api-management-howto-developer-portal-customize.md#publish-from-the-azure-portal).
-## Add an external Azure AD group
+<a name='add-an-external-azure-ad-group'></a>
+
+## Add an external Microsoft Entra group
-Now that you've enabled access for users in an Azure AD tenant, you can:
-* Add Azure AD groups into API Management.
-* Control product visibility using Azure AD groups.
+Now that you've enabled access for users in a Microsoft Entra tenant, you can:
+* Add Microsoft Entra groups into API Management.
+* Control product visibility using Microsoft Entra groups.
1. Navigate to the App Registration page for the application you registered in [the previous section](#enable-user-sign-in-using-azure-adportal). 1. Select **API Permissions**. 1. Add the following minimum **application** permissions for Microsoft Graph API: * `User.Read.All` application permission ΓÇô so API Management can read the userΓÇÖs group membership to perform group synchronization at the time the user logs in.
- * `Group.Read.All` application permission ΓÇô so API Management can read the Azure AD groups when an administrator tries to add the group to API Management using the **Groups** blade in the portal.
+ * `Group.Read.All` application permission ΓÇô so API Management can read the Microsoft Entra groups when an administrator tries to add the group to API Management using the **Groups** blade in the portal.
1. Select **Grant admin consent for {tenantname}** so that you grant access for all users in this directory.
-Now you can add external Azure AD groups from the **Groups** tab of your API Management instance.
+Now you can add external Microsoft Entra groups from the **Groups** tab of your API Management instance.
1. Under **Developer portal** in the side menu, select **Groups**.
-1. Select the **Add Azure AD group** button.
+1. Select the **Add Microsoft Entra group** button.
- :::image type="content" source="media/api-management-howto-aad/api-management-with-aad008.png" alt-text="Screenshot showing Add Azure AD group button in the portal.":::
+ :::image type="content" source="media/api-management-howto-aad/api-management-with-aad008.png" alt-text="Screenshot showing Add Microsoft Entra group button in the portal.":::
1. Select the **Tenant** from the drop-down. 1. Search for and select the group that you want to add. 1. Press the **Select** button.
-Once you add an external Azure AD group, you can review and configure its properties:
+Once you add an external Microsoft Entra group, you can review and configure its properties:
1. Select the name of the group from the **Groups** tab. 2. Edit **Name** and **Description** information for the group.
-Users from the configured Azure AD instance can now:
+Users from the configured Microsoft Entra instance can now:
* Sign into the developer portal. * View and subscribe to any groups for which they have visibility. > [!NOTE] > Learn more about the difference between **Delegated** and **Application** permissions types in [Permissions and consent in the Microsoft identity platform](../active-directory/develop/v2-permissions-and-consent.md#permission-types) article.
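Review bot: the NOTE distinguishing Delegated from Application permissions comes after the steps that grant `User.Read.All` and `Group.Read.All`; move it up to the step that lists those permissions, where a reader is deciding what to grant. It is also worth stating in that step that these are tenant-wide application permissions, able to read every user and group in the directory regardless of who is signed in, so the client secret entered in the identity provider pane now protects that access and the earlier "Update the Client secret before the key expires" warning applies with more force.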
-## <a id="log_in_to_dev_portal"></a> Developer portal: Add Azure AD account authentication
+## <a id="log_in_to_dev_portal"></a> Developer portal: Add Microsoft Entra account authentication
-In the developer portal, you can sign in with Azure AD using the **Sign-in button: OAuth** widget included on the sign-in page of the default developer portal content.
+In the developer portal, you can sign in with Microsoft Entra ID using the **Sign-in button: OAuth** widget included on the sign-in page of the default developer portal content.
:::image type="content" source="media/api-management-howto-aad/developer-portal-azure-ad-signin.png" alt-text="Screenshot showing OAuth widget in developer portal.":::
-Although a new account will automatically be created when a new user signs in with Azure AD, consider adding the same widget to the sign-up page. The **Sign-up form: OAuth** widget represents a form used for signing up with OAuth.
+Although a new account will automatically be created when a new user signs in with Microsoft Entra ID, consider adding the same widget to the sign-up page. The **Sign-up form: OAuth** widget represents a form used for signing up with OAuth.
> [!IMPORTANT]
-> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the Azure AD changes to take effect.
+> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the Microsoft Entra ID changes to take effect.
+
+<a name='legacy-developer-portal-how-to-sign-in-with-azure-ad'></a>
-## Legacy developer portal: How to sign in with Azure AD
+## Legacy developer portal: How to sign in with Microsoft Entra ID
[!INCLUDE [api-management-portal-legacy.md](../../includes/api-management-portal-legacy.md)]
-To sign into the developer portal by using an Azure AD account that you configured in the previous sections:
+To sign into the developer portal by using a Microsoft Entra account that you configured in the previous sections:
1. Open a new browser window using the sign-in URL from the Active Directory application configuration.
-2. Select **Azure Active Directory**.
+2. Select **Microsoft Entra ID**.
![Sign-in page][api-management-dev-portal-signin]
-1. Enter the credentials of one of the users in Azure AD.
+1. Enter the credentials of one of the users in Microsoft Entra ID.
2. Select **Sign in**. ![Signing in with username and password][api-management-aad-signin]
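Review bot: "the sign-in URL from the Active Directory application configuration" in the legacy-portal steps was not renamed, so this section now mixes "Active Directory" and "Microsoft Entra ID". Either change it to "the Microsoft Entra application configuration" or leave the whole legacy section as it was: that portal is deprecated and the button it renders may still be labelled "Azure Active Directory", in which case "Select **Microsoft Entra ID**" no longer matches what the user sees. Check the actual UI before changing the label in the step.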
Your user is now signed in to the developer portal for your API Management servi
## Next Steps -- Learn more about [Azure Active Directory and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
+- Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
- Learn more about [MSAL](../active-directory/develop/msal-overview.md) and [migrating to MSAL](../active-directory/develop/msal-migration.md). - [Create an API Management service instance](./get-started-create-service-instance.md). - [Manage your first API](./import-and-publish.md).
api-management Api Management Howto Create Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-create-groups.md
API Management has the following immutable system groups:
* **Developers** - Authenticated developer portal users fall into this group. Developers are the customers that build applications using your APIs. Developers are granted access to the developer portal and build applications that call the operations of an API. * **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal of an API Management instance fall into this group. They can be granted certain read-only access, such as the ability to view APIs but not call them.
-In addition to these system groups, administrators can create custom groups or [use external groups in associated Azure Active Directory tenants][leverage external groups in associated Azure Active Directory tenants]. Custom and external groups can be used alongside system groups in giving developers visibility and access to API products. For example, you could create one custom group for developers affiliated with a specific partner organization and allow them access to the APIs from a product containing relevant APIs only. A user can be a member of more than one group.
+In addition to these system groups, administrators can create custom groups or [use external groups in associated Microsoft Entra tenants][leverage external groups in associated Azure Active Directory tenants]. Custom and external groups can be used alongside system groups in giving developers visibility and access to API products. For example, you could create one custom group for developers affiliated with a specific partner organization and allow them access to the APIs from a product containing relevant APIs only. A user can be a member of more than one group.
This guide shows how administrators of an API Management instance can add new groups and associate them with products and developers.
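Review bot: the link text changed to "use external groups in associated Microsoft Entra tenants" but the reference label `[leverage external groups in associated Azure Active Directory tenants]` is unchanged. That renders correctly only while the link definition at the bottom of the file keeps the old label, so either confirm the definition was left alone or rename both together; a mismatch turns the sentence into literal bracketed text.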
Now that the group is created, it can be associated with products and developers
Once a product is associated with a group, developers in that group can view and subscribe to the product. > [!NOTE]
-> To add Azure Active Directory groups, see [How to authorize developer accounts using Azure Active Directory in Azure API Management](api-management-howto-aad.md).
+> To add Microsoft Entra groups, see [How to authorize developer accounts using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md).
To remove a group from the product, click **Delete**.
api-management Api Management Howto Developer Portal Customize https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-developer-portal-customize.md
Learn more about the developer portal:
- [Azure API Management developer portal overview](api-management-howto-developer-portal.md) - [Migrate to the new developer portal](developer-portal-deprecated-migration.md) from the deprecated legacy portal.-- Configure authentication to the developer portal with [usernames and passwords](developer-portal-basic-authentication.md), [Azure AD](api-management-howto-aad.md), or [Azure AD B2C](api-management-howto-aad-b2c.md).
+- Configure authentication to the developer portal with [usernames and passwords](developer-portal-basic-authentication.md), [Microsoft Entra ID](api-management-howto-aad.md), or [Azure AD B2C](api-management-howto-aad-b2c.md).
- Learn more about [customizing and extending](developer-portal-extend-custom-functionality.md) the functionality of the developer portal.
api-management Api Management Howto Integrate Internal Vnet Appgateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-integrate-internal-vnet-appgateway.md
In the first setup example, all your APIs are managed only from within your virt
In this article, we also expose the *developer portal* and the *management endpoint* to external audiences through the application gateway. Extra steps are needed to create a listener, probe, settings, and rules for each endpoint. All details are provided in their respective steps.
-If you use Azure Active Directory or third-party authentication, enable the [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway.
+If you use Microsoft Entra ID or third-party authentication, enable the [cookie-based session affinity](../application-gateway/features.md#session-affinity) feature in Application Gateway.
> [!WARNING] > To prevent Application Gateway WAF from breaking the download of OpenAPI specifications in the developer portal, disable the firewall rule `942200 - "Detects MySQL comment-/space-obfuscated injections and backtick termination"`.
api-management Api Management Howto Oauth2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-oauth2.md
Title: Authorize test console of API Management developer portal using OAuth 2.0
-description: Set up OAuth 2.0 user authorization for the test console in the Azure API Management developer portal. This example uses Azure AD as an OAuth 2.0 provider.
+description: Set up OAuth 2.0 user authorization for the test console in the Azure API Management developer portal. This example uses Microsoft Entra ID as an OAuth 2.0 provider.
documentationcenter: ''
If you haven't yet created an API Management service instance, see [Create an AP
## Scenario overview
-Configuring OAuth 2.0 user authorization in API Management only enables the developer portal's test console (and the test console in the Azure portal) as a client to acquire a token from the authorization server. The configuration for each OAuth 2.0 provider is different, although the steps are similar, and the required pieces of information used to configure OAuth 2.0 in your API Management service instance are the same. This article shows an example using Azure Active Directory as an OAuth 2.0 provider.
+Configuring OAuth 2.0 user authorization in API Management only enables the developer portal's test console (and the test console in the Azure portal) as a client to acquire a token from the authorization server. The configuration for each OAuth 2.0 provider is different, although the steps are similar, and the required pieces of information used to configure OAuth 2.0 in your API Management service instance are the same. This article shows an example using Microsoft Entra ID as an OAuth 2.0 provider.
The following are the high level configuration steps:
-1. Register an application (backend-app) in Azure AD to represent the API.
+1. Register an application (backend-app) in Microsoft Entra ID to represent the API.
-1. Register another application (client-app) in Azure AD to represent a client application that needs to call the API - in this case, the test console of the developer portal.
+1. Register another application (client-app) in Microsoft Entra ID to represent a client application that needs to call the API - in this case, the test console of the developer portal.
- In Azure AD, grant permissions to allow the client-app to call the backend-app.
+ In Microsoft Entra ID, grant permissions to allow the client-app to call the backend-app.
1. Configure the test console in the developer portal to call an API using OAuth 2.0 user authorization.
This configuration supports the following OAuth flow:
:::image type="content" source="media/api-management-howto-oauth2/overview-graphic-azure-ad.png" alt-text="Overview graphic to visually conceptualize the following flow.":::
-1. The developer portal requests a token from Azure AD using the client-app credentials.
+1. The developer portal requests a token from Microsoft Entra ID using the client-app credentials.
-1. After successful validation, Azure AD issues the access/refresh token.
+1. After successful validation, Microsoft Entra ID issues the access/refresh token.
1. A developer (user of the developer portal) makes an API call with the authorization header.
-1. The token gets validated by using the `validate-jwt` policy in API Management by Azure AD.
+1. The token gets validated by using the `validate-jwt` policy in API Management by Microsoft Entra ID.
1. Based on the validation result, the developer will receive the response in the developer portal.
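Review bot: "The token gets validated by using the `validate-jwt` policy in API Management by Microsoft Entra ID" misattributes the validation, and the rename carried the error over. The `validate-jwt` policy runs inside the API Management gateway: it checks the signature against the signing keys Microsoft Entra ID publishes through its OpenID configuration endpoint and enforces the issuer, audience and claims the policy specifies; Microsoft Entra ID is not called at request time. Suggest "The token is validated by the `validate-jwt` policy in API Management, using the signing keys published by Microsoft Entra ID".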
Throughout this tutorial you'll be asked to record key information to reference
- **Backend Application (client) ID**: The GUID of the application that represents the backend API - **Backend Application Scopes**: One or more scopes you may create to access the API. The scope format is `api://<Backend Application (client) ID>/<Scope Name>` (for example, api://1764e900-1827-4a0b-9182-b2c1841864c2/Read) - **Client Application (client) ID**: The GUID of the application that represents the developer portal-- **Client Application Secret Value**: The GUID that serves as the secret for interaction with the client application in Azure Active Directory
+- **Client Application Secret Value**: The GUID that serves as the secret for interaction with the client application in Microsoft Entra ID
## Register applications with the OAuth server You'll need to register two applications with your OAuth 2.0 provider: one represents the backend API to be protected, and a second represents the client application that calls the API - in this case, the test console of the developer portal.
-The following are example steps using Azure AD as the OAuth 2.0 provider. For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md).
+The following are example steps using Microsoft Entra ID as the OAuth 2.0 provider. For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md).
-### Register an application in Azure AD to represent the API
+<a name='register-an-application-in-azure-ad-to-represent-the-api'></a>
+
+### Register an application in Microsoft Entra ID to represent the API
1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.
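Review bot: "Client Application Secret Value: The GUID that serves as the secret" is inaccurate. A client secret generated under app registrations is an opaque random string, not a GUID, and the later step ("You can't access the secret again in the portal") already treats it as a value to be captured once. Suggest "The secret string generated for the client application; record it when it is created". The preserved anchor `register-an-application-in-azure-ad-to-represent-the-api` matches the old heading slug.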
The following are example steps using Azure AD as the OAuth 2.0 provider. For de
1. Once the scopes are created, make a note of them for use in a subsequent step.
-### Register another application in Azure AD to represent a client application
+<a name='register-another-application-in-azure-ad-to-represent-a-client-application'></a>
+
+### Register another application in Microsoft Entra ID to represent a client application
-Register every client application that calls the API as an application in Azure AD.
+Register every client application that calls the API as an application in Microsoft Entra ID.
1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.
Register every client application that calls the API as an application in Azure
When the secret is created, note the key value for use in a subsequent step. You can't access the secret again in the portal.
-### Grant permissions in Azure AD
+<a name='grant-permissions-in-azure-ad'></a>
+
+### Grant permissions in Microsoft Entra ID
Now that you've registered two applications to represent the API and the test console, grant permissions to allow the client-app to call the backend-app.
Optionally:
* Select one or more desired **Authorization grant types**. For this example, select **Authorization code** (the default). [Learn more](#authorization-grant-types)
- * Enter the **Authorization endpoint URL**. You can obtain the endpoint URL from the **Endpoints** page of one of your app registrations. For a single-tenant app in Azure AD, this URL will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Azure AD tenant.
+ * Enter the **Authorization endpoint URL**. You can obtain the endpoint URL from the **Endpoints** page of one of your app registrations. For a single-tenant app in Microsoft Entra ID, this URL will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Microsoft Entra tenant.
Using the v2 endpoint is recommended; however, API Management supports both v1 and v2 endpoints.
Optionally:
1. Specify **Token endpoint URL**, **Client authentication methods**, **Access token sending method**, and **Default scope**.
- * Enter the **Token endpoint URL**. For a single tenant app in Azure AD, it will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Azure AD tenant. Use the same endpoint version (v2 or v1) that you chose previously.
+ * Enter the **Token endpoint URL**. For a single tenant app in Microsoft Entra ID, it will be similar to one of the following URLs, where `{aad-tenant}` is replaced with the ID of your Microsoft Entra tenant. Use the same endpoint version (v2 or v1) that you chose previously.
`https://login.microsoftonline.com/{aad-tenant}/oauth2/v2.0/token` (v2)
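Review bot: Hyphenation is inconsistent between the two rewritten endpoint bullets: "single-tenant app" in the authorization endpoint bullet versus "single tenant app" in the token endpoint bullet; use "single-tenant" in both. The `{aad-tenant}` placeholder is left as-is while the surrounding prose now says "Microsoft Entra tenant"; keeping it is reasonable because the URL examples below use it, but it should be a deliberate choice rather than read as a missed rename.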
After saving the OAuth 2.0 server configuration, configure an API or APIs to use
> [!IMPORTANT] > * Configuring OAuth 2.0 user authorization settings for an API enables API Management to acquire a token from the authorization server when you use the test console in the Azure portal or developer portal. The authorization server settings are also added to the API definition and documentation.
-> * For OAuth 2.0 authorization at runtime, the client app must acquire and present the token and you need to configure token validation in API Management or the backend API. For an example, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md).
+> * For OAuth 2.0 authorization at runtime, the client app must acquire and present the token and you need to configure token validation in API Management or the backend API. For an example, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).
1. Select **APIs** from the **API Management** menu on the left.
Select the **GET Resource** operation, select **Open Console**, and then select
![Open console][api-management-open-console]
-When **Authorization code** is selected, a pop-up window is displayed with the sign-in form of the OAuth 2.0 provider. In this example, the sign-in form is provided by Azure Active Directory.
+When **Authorization code** is selected, a pop-up window is displayed with the sign-in form of the OAuth 2.0 provider. In this example, the sign-in form is provided by Microsoft Entra ID.
> [!NOTE] > If you have pop-ups disabled, you'll be prompted to enable them by the browser. After you enable them, select **Authorization code** again and the sign-in form will be displayed.
At this point you can configure the desired values for the remaining parameters,
## Next steps
-For more information about using OAuth 2.0 and API Management, see [Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md).
+For more information about using OAuth 2.0 and API Management, see [Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).
[api-management-oauth2-signin]: ./media/api-management-howto-oauth2/api-management-oauth2-signin.png
api-management Api Management Howto Protect Backend With Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-protect-backend-with-aad.md
Title: Protect API in API Management using OAuth 2.0 and Azure Active Directory
+ Title: Protect API in API Management using OAuth 2.0 and Microsoft Entra ID
-description: Learn how to secure user access to an API in Azure API Management with OAuth 2.0 user authorization and Azure Active Directory.
+description: Learn how to secure user access to an API in Azure API Management with OAuth 2.0 user authorization and Microsoft Entra ID.
-# Protect an API in Azure API Management using OAuth 2.0 authorization with Azure Active Directory
+# Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID
-In this article, you'll learn high level steps to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Azure Active Directory (Azure AD)](../active-directory/develop/active-directory-v2-protocols.md).
+In this article, you'll learn high level steps to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Microsoft Entra ID](../active-directory/develop/active-directory-v2-protocols.md).
For a conceptual overview of API authorization, see [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md).
Prior to following the steps in this article, you must have:
- An API Management instance - A published API using the API Management instance-- An Azure AD tenant
+- A Microsoft Entra tenant
## Overview
-Follow these steps to protect an API in API Management, using OAuth 2.0 authorization with Azure AD.
+Follow these steps to protect an API in API Management, using OAuth 2.0 authorization with Microsoft Entra ID.
-1. Register an application (called *backend-app* in this article) in Azure AD to protect access to the API.
+1. Register an application (called *backend-app* in this article) in Microsoft Entra ID to protect access to the API.
To access the API, users or applications will acquire and present a valid OAuth token granting access to this app with each API request. 1. Configure the [validate-jwt](validate-jwt-policy.md) policy in API Management to validate the OAuth token presented in each incoming API request. Valid requests can be passed to the API.
-Details about OAuth authorization flows and how to generate the required OAuth tokens are beyond the scope of this article. Typically, a separate client app is used to acquire tokens from Azure AD that authorize access to the API. For links to more information, see the [Next steps](#next-steps).
+Details about OAuth authorization flows and how to generate the required OAuth tokens are beyond the scope of this article. Typically, a separate client app is used to acquire tokens from Microsoft Entra ID that authorize access to the API. For links to more information, see the [Next steps](#next-steps).
-## Register an application in Azure AD to represent the API
+<a name='register-an-application-in-azure-ad-to-represent-the-api'></a>
-Using the Azure portal, protect an API with Azure AD by first registering an application that represents the API.
+## Register an application in Microsoft Entra ID to represent the API
+
+Using the Azure portal, protect an API with Microsoft Entra ID by first registering an application that represents the API.
For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md).
For details about app registration, see [Quickstart: Configure an application to
## Authorization workflow
-1. A user or application acquires a token from Azure AD with permissions that grant access to the backend-app.
+1. A user or application acquires a token from Microsoft Entra ID with permissions that grant access to the backend-app.
1. The token is added in the Authorization header of API requests to API Management.
For details about app registration, see [Quickstart: Configure an application to
## Next steps
-* To learn more about how to build an application and implement OAuth 2.0, see [Azure AD code samples](../active-directory/develop/sample-v2-code.md).
+* To learn more about how to build an application and implement OAuth 2.0, see [Microsoft Entra code samples](../active-directory/develop/sample-v2-code.md).
* For an end-to-end example of configuring OAuth 2.0 user authorization in the API Management developer portal, see [How to authorize test console of developer portal by configuring OAuth 2.0 user authorization](api-management-howto-oauth2.md). -- Learn more about [Azure AD and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
+- Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
- For other ways to secure your back-end service, see [Mutual certificate authentication](./api-management-howto-mutual-certificates.md).-
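Review bot: "OAuth2.0" in the rewritten "Learn more about [Microsoft Entra ID and OAuth2.0]" bullet should read "OAuth 2.0" to match every other occurrence in this article, including the title and the bullet directly above it.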
api-management Api Management Howto Setup Delegation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-setup-delegation.md
var signature = digest.toString('base64');
## Next steps - [Learn more about the developer portal.](api-management-howto-developer-portal.md)-- [Authenticate using Azure AD](api-management-howto-aad.md) or with [Azure AD B2C](api-management-howto-aad-b2c.md).
+- [Authenticate using Microsoft Entra ID](api-management-howto-aad.md) or with [Azure AD B2C](api-management-howto-aad-b2c.md).
- More developer portal questions? [Find answers in our FAQ](developer-portal-faq.md). [Delegating developer sign-in and sign-up]: #delegate-signin-up
api-management Api Management Howto Use Managed Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-use-managed-service-identity.md
# Use managed identities in Azure API Management
-This article shows you how to create a managed identity for an Azure API Management instance and how to use it to access other resources. A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
+This article shows you how to create a managed identity for an Azure API Management instance and how to use it to access other resources. A managed identity generated by Microsoft Entra ID allows your API Management instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
You can grant two types of identities to an API Management instance:
You can grant two types of identities to an API Management instance:
- A *user-assigned identity* is a standalone Azure resource that can be assigned to your service. The service can have multiple user-assigned identities. > [!NOTE]
-> Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription is moved to a different directory. If a subscription is moved, you'll need to recreate and configure the identities.
+> Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. They don't get updated if a subscription is moved to a different directory. If a subscription is moved, you'll need to recreate and configure the identities.
## Create a system-assigned managed identity
When the instance is created, it has the following additional properties:
} ```
-The `tenantId` property identifies which Azure AD tenant the identity belongs to. The `principalId` property is a unique identifier for the instance's new identity. Within Azure AD, the service principal has the same name that you gave to your API Management instance.
+The `tenantId` property identifies which Microsoft Entra tenant the identity belongs to. The `principalId` property is a unique identifier for the instance's new identity. Within Microsoft Entra ID, the service principal has the same name that you gave to your API Management instance.
> [!NOTE] > An API Management instance can have both system-assigned and user-assigned identities at the same time. In this case, the `type` property would be `SystemAssigned,UserAssigned`.
When the service is created, it has the following additional properties:
} ```
-The `principalId` property is a unique identifier for the identity that's used for Azure AD administration. The `clientId` property is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls.
+The `principalId` property is a unique identifier for the identity that's used for Microsoft Entra administration. The `clientId` property is a unique identifier for the application's new identity that's used for specifying which identity to use during runtime calls.
> [!NOTE] > An API Management instance can have both system-assigned and user-assigned identities at the same time. In this case, the `type` property would be `SystemAssigned,UserAssigned`.
You can configure and use a user-assigned managed identity to access an event hu
You can remove a system-assigned identity by disabling the feature through the portal or the Azure Resource Manager template in the same way that it was created. User-assigned identities can be removed individually. To remove all identities, set the identity type to `"None"`.
-Removing a system-assigned identity in this way will also delete it from Azure AD. System-assigned identities are also automatically removed from Azure AD when the API Management instance is deleted.
+Removing a system-assigned identity in this way will also delete it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when the API Management instance is deleted.
To remove all identities by using the Azure Resource Manager template, update this section:
api-management Api Management Key Concepts Experiment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-key-concepts-experiment.md
API Management integrates with many complementary Azure services to create enter
* [Azure Monitor](api-management-howto-use-azure-monitor.md) for logging, reporting, and alerting on management operations, systems events, and API requestsΓÇï * [Application Insights](api-management-howto-app-insights.md) for live metrics, end-to-end tracing, and troubleshooting * [Virtual networks](virtual-network-concepts.md), [private endpoints](private-endpoint.md), and [Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md) for network-level protectionΓÇï
-* Azure Active Directory for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï
+* Microsoft Entra ID for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï
* [Event Hubs](api-management-howto-log-event-hubs.md) for streaming eventsΓÇï * Several Azure compute offerings commonly used to build and host APIs on Azure, including [Functions](import-function-app-as-api.md), [Logic Apps](import-logic-app-as-api.md), [Web Apps](import-app-service-as-api.md), [Service Fabric](how-to-configure-service-fabric-backend.md), and others.ΓÇï
Groups are used to manage the visibility of products to developers. API Manageme
* **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal. They can be granted certain read-only access, such as the ability to view APIs but not call them.
-Administrators can also create custom groups or use external groups in an [associated Azure Active Directory tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
+Administrators can also create custom groups or use external groups in an [associated Microsoft Entra tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
**More information**: * [How to create and use groups][How to create and use groups]
api-management Api Management Key Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-key-concepts.md
API Management integrates with many complementary Azure services to create enter
* [Azure Monitor](api-management-howto-use-azure-monitor.md) for logging, reporting, and alerting on management operations, systems events, and API requestsΓÇï * [Application Insights](api-management-howto-app-insights.md) for live metrics, end-to-end tracing, and troubleshooting * [Virtual networks](virtual-network-concepts.md), [private endpoints](private-endpoint.md), and [Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md) for network-level protectionΓÇï
-* Azure Active Directory for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï
+* Microsoft Entra ID for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)ΓÇï
* [Event Hubs](api-management-howto-log-event-hubs.md) for streaming eventsΓÇï * Several Azure compute offerings commonly used to build and host APIs on Azure, including [Functions](import-function-app-as-api.md), [Logic Apps](import-logic-app-as-api.md), [Web Apps](import-app-service-as-api.md), [Service Fabric](how-to-configure-service-fabric-backend.md), and others.ΓÇï
Groups are used to manage the visibility of products to developers. API Manageme
* **Guests** - Unauthenticated developer portal users, such as prospective customers visiting the developer portal. They can be granted certain read-only access, such as the ability to view APIs but not call them.
-Administrators can also create custom groups or use external groups in an [associated Azure Active Directory tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
+Administrators can also create custom groups or use external groups in an [associated Microsoft Entra tenant](api-management-howto-aad.md) to give developers visibility and access to API products. For example, create a custom group for developers in a partner organization to access a specific subset of APIs in a product. A user can belong to more than one group.
**More information**: * [How to create and use groups][How to create and use groups]
api-management Api Management Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-policies.md
More information about policies:
- [Restrict caller IPs](ip-filter-policy.md) - Filters (allows/denies) calls from specific IP addresses and/or address ranges. - [Set usage quota by subscription](quota-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. - [Set usage quota by key](quota-by-key-policy.md) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.-- [Validate Azure Active Directory token](validate-azure-ad-token-policy.md) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP header, query parameter, or token value.
+- [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) - Enforces existence and validity of a Microsoft Entra JWT extracted from either a specified HTTP header, query parameter, or token value.
- [Validate JWT](validate-jwt-policy.md) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value. - [Validate client certificate](validate-client-certificate-policy.md) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.
For more information about working with policies, see:
+ [Tutorial: Transform and protect your API](transform-api.md) + [Set or edit policies](set-edit-policies.md) + [Policy snippets repo](https://github.com/Azure/api-management-policy-snippets) --
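Review bot: The renamed link text "Validate Microsoft Entra token" no longer hints at the policy's element name, which the unchanged link target (validate-azure-ad-token-policy.md) shows is still validate-azure-ad-token; a reader scanning this reference for the element they see in their policy XML will not find it. Suggest adding the element name after the link, for example "[Validate Microsoft Entra token](validate-azure-ad-token-policy.md) (`validate-azure-ad-token`)", as the list already does implicitly for validate-jwt.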
api-management Api Management Sample Send Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-sample-send-request.md
There are certain tradeoffs when using a fire-and-forget style of request. If fo
The `send-request` policy enables using an external service to perform complex processing functions and return data to the API management service that can be used for further policy processing. ### Authorizing reference tokens
-A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Azure Active Directory](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server.
+A major function of API Management is protecting backend resources. If the authorization server used by your API creates [JWT tokens](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims) as part of its OAuth2 flow, as [Microsoft Entra ID](../active-directory/hybrid/whatis-hybrid-identity.md) does, then you can use the `validate-jwt` policy to verify the validity of the token. Some authorization servers create what are called [reference tokens](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) that cannot be verified without making a callback to the authorization server.
### Standardized introspection In the past, there has been no standardized way of verifying a reference token with an authorization server. However a recently proposed standard [RFC 7662](https://tools.ietf.org/html/rfc7662) was published by the IETF that defines how a resource server can verify the validity of a token.
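Review bot: The rewritten sentence links "Microsoft Entra ID" to ../active-directory/hybrid/whatis-hybrid-identity.md, a hybrid identity article, which is an odd destination for a reference to the authorization server that issues the JWTs validated by validate-jwt; since the line is being touched, consider pointing it at the protocol overview used elsewhere in this change set (../active-directory/develop/active-directory-v2-protocols.md). "JWT tokens" is also redundant; "JWTs" or "JSON web tokens" reads better.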
api-management Api Management Template Data Model Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-template-data-model-reference.md
This topic describes the entity and type representations for common items used i
|Property|Type|Description| |--|-|--| |`Properties`|string dictionary|Properties for this authentication provider.|
-|`AuthenticationType`|string|The provider type. (Azure Active Directory, Facebook login, Google Account, Microsoft Account, Twitter).|
+|`AuthenticationType`|string|The provider type. (Microsoft Entra ID, Facebook login, Google Account, Microsoft Account, Twitter).|
|`Caption`|string|Display name of the provider.| ## <a name="Representation"></a> Representation
api-management Api Management Template Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-template-resources.md
The following localization options are supported:
|GeneralExceptionMessage|Something is not right. It could be a temporary glitch or a bug. Please, try again.| |GeneralJsonExceptionMessage|Something is not right. It could be a temporary glitch or a bug. Please, reload the page and try again.| |ConfirmationMessageUnsavedChanges|There are some unsaved changes. Are you sure you want to cancel and discard the changes?|
-|AzureActiveDirectory|Azure Active Directory|
+|AzureActiveDirectory|Microsoft Entra ID|
|HttpLargeRequestMessage|Http Request Body too large.| ### <a name="CommonStrings"></a> CommonStrings
The following localization options are supported:
|WebAuthenticationUserIsNotConfirm|Please confirm your registration before attempting to sign in.| |WebAuthenticationInvalidEmailFormatted|Email is invalid: {0}| |WebAuthenticationUserNotFound|User not found|
-|WebAuthenticationTenantNotRegistered|Your account belongs to an Azure Active Directory tenant which is not authorized to access this portal.|
+|WebAuthenticationTenantNotRegistered|Your account belongs to a Microsoft Entra tenant which is not authorized to access this portal.|
|WebAuthenticationAuthenticationFailed|Authentication has failed.| |WebAuthenticationGooglePlusNotEnabled|Authentication has failed. If you authorized the application then please contact the admin to make sure that Google authentication is configured correctly.| |ValidationErrorAllowedTenantIsRequired|Allowed Tenant is required|
-|ValidationErrorTenantIsNotValid|The Azure Active Directory tenant '{0}' is not valid.|
-|WebAuthenticationActiveDirectoryTitle|Azure Active Directory|
+|ValidationErrorTenantIsNotValid|The Microsoft Entra tenant '{0}' is not valid.|
+|WebAuthenticationActiveDirectoryTitle|Microsoft Entra ID|
|WebAuthenticationLoginUsingYourProvider|Log in using your {0} account| |WebAuthenticationUserLimitNotice|This service has reached the maximum number of allowed users. Please `<a href="mailto:{0}"\>contact the administrator</a\>` to upgrade their service and re-enable user registration.| |WebAuthenticationUserLimitNoticeHeader|User registration disabled|
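Review bot: These rows document strings the developer portal template renders at runtime (the WebAuthenticationActiveDirectoryTitle sign-in title and the tenant validation messages in particular); rewording them here is only correct if the portal's shipped resource strings changed in the same release, otherwise the reference now describes text users will not see. Confirm the product strings were updated, or keep the original wording and add a short note that the product was renamed.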
The following localization options are supported:
|WebAuthenticationSignupConfirmationAlmostDone|Almost Done| |WebAuthenticationSignupConfirmationEmailSent|WeΓÇÖve sent an e-mail to {0}. Please follow the instructions inside the e-mail to activate your account. If the e-mail doesnΓÇÖt arrive within the next few minutes, please check your junk email folder.| |WebAuthenticationEmailSentNotificationMessage|Email sent successfully to {0}|
-|WebAuthenticationNoAadTenantConfigured|No Azure Active Directory tenant configured for the service.|
+|WebAuthenticationNoAadTenantConfigured|No Microsoft Entra tenant configured for the service.|
|CheckboxLabelUserRegistrationTermsConsentRequired|I agree to the `<a data-toggle="modal" href="#" data-target="#terms"\>Terms of Use</a\>`.| |TextblockUserRegistrationTermsProvided|Please review `<a data-toggle="modal" href="#" data-target="#terms"\>Terms of Use.</a\>`| |DialogHeadingTermsOfUse|Terms of Use|
api-management Api Management Troubleshoot Cannot Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-troubleshoot-cannot-add-custom-domain.md
The API Management service does not have permission to access the key vault that
To resolve this issue, follow these steps:
-1. Go to the [Azure portal](https://portal.azure.com), select your API Management instance, and then select **Managed identities**. Make sure that the **Register with Azure Active Directory** option is set to **Yes**.
+1. Go to the [Azure portal](https://portal.azure.com), select your API Management instance, and then select **Managed identities**. Make sure that the **Register with Microsoft Entra ID** option is set to **Yes**.
![Registering with Azure Active Director](./media/api-management-troubleshoot-cannot-add-custom-domain/register-with-aad.png) 1. In the Azure portal, open the **Key vaults** service, and select the key vault that you're trying to use for the custom domain. 1. Select **Access policies**, and check whether there is a service principal that matches the name of the API Management service instance. If there is, select the service principal, and make sure that it has the **Get** permission listed under **Secret permissions**.
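Review bot: The image alt text on the unchanged line after the rewritten step still reads "Registering with Azure Active Director" (old name plus a typo), while the step now refers to the "Register with Microsoft Entra ID" option; update the alt text to match, and verify that register-with-aad.png shows the current portal label so the screenshot and the instruction agree.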
Learn more about API Management service:
* For other ways to secure your back-end service, see [Mutual Certificate authentication](api-management-howto-mutual-certificates.md). * [Create an API Management service instance](get-started-create-service-instance.md).
-* [Manage your first API](import-and-publish.md).
+* [Manage your first API](import-and-publish.md).
api-management Authentication Authorization Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-authorization-overview.md
API Management supports other client-side and service-side authentication and au
> [!NOTE] > Other API Management components have separate mechanisms to secure and restrict user access:
-> * For managing the API Management instance through the Azure control plane, API Management relies on Azure AD and Azure [role-based access control (RBAC)](api-management-role-based-access-control.md).
+> * For managing the API Management instance through the Azure control plane, API Management relies on Microsoft Entra ID and Azure [role-based access control (RBAC)](api-management-role-based-access-control.md).
> * The API Management developer portal supports [several options](secure-developer-portal-access.md) to facilitate secure user sign-up and sign-in. ## Authentication versus authorization
What happens when a client app calls an API with a request that is secured using
* The client (the calling app, or *bearer*) authenticates using credentials to an *identity provider*. * The client obtains a time-limited *access token* (a JSON web token, or JWT) from the identity provider's *authorization server*.
- The identity provider (for example, Azure AD) is the *issuer* of the token, and the token includes an *audience claim* that authorizes access to a *resource server* (for example, to a backend API, or to the API Management gateway itself).
+ The identity provider (for example, Microsoft Entra ID) is the *issuer* of the token, and the token includes an *audience claim* that authorizes access to a *resource server* (for example, to a backend API, or to the API Management gateway itself).
* The client calls the API and presents the access token - for example, in an Authorization header. * The *resource server* validates the access token. Validation is a complex process that includes a check that the *issuer* and *audience* claims contain expected values. * Based on token validation criteria, access to resources of the [backend](backends.md) API is then granted.
-Depending on the type of client app and scenarios, different *authorization flows* are needed to request and manage tokens. For example, the authorization code flow and grant type are commonly used in apps that call web APIs. Learn more about [OAuth flows and application scenarios in Azure AD](../active-directory/develop/authentication-flows-app-scenarios.md).
+Depending on the type of client app and scenarios, different *authorization flows* are needed to request and manage tokens. For example, the authorization code flow and grant type are commonly used in apps that call web APIs. Learn more about [OAuth flows and application scenarios in Microsoft Entra ID](../active-directory/develop/authentication-flows-app-scenarios.md).
## OAuth 2.0 authorization scenarios in API Management
Depending on the type of client app and scenarios, different *authorization flow
A common authorization scenario is when the calling application requests access to the backend API directly and presents an OAuth 2.0 token in an authorization header to the gateway. Azure API Management then acts as a "transparent" proxy between the caller and backend API, and passes the token through unchanged to the backend. The scope of the access token is between the calling application and backend API.
-The following image shows an example where Azure AD is the authorization provider. The client app might be a single-page application (SPA).
+The following image shows an example where Microsoft Entra ID is the authorization provider. The client app might be a single-page application (SPA).
:::image type="content" source="media/authentication-authorization-overview/oauth-token-backend.svg" alt-text="Diagram showing OAuth communication where audience is the backend.":::
Although the access token sent along with the HTTP request is intended for the b
Example:
-* [Protect an API in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md)
+* [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md)
> [!TIP]
-> In the special case when API access is protected using Azure AD, you can configure the [validate-azure-ad-token](validate-azure-ad-token-policy.md) policy for token validation.
+> In the special case when API access is protected using Microsoft Entra ID, you can configure the [validate-azure-ad-token](validate-azure-ad-token-policy.md) policy for token validation.
### Scenario 2 - Client app authorizes to API Management In this scenario, the API Management service acts on behalf of the API, and the calling application requests access to the API Management instance. The scope of the access token is between the calling application and the API Management gateway. In API Management, configure a policy ([validate-jwt](validate-jwt-policy.md) or [validate-azure-ad-token](validate-azure-ad-token-policy.md)) to validate the token before the gateway passes the request to the backend. A separate mechanism typically secures the connection between the gateway and the backend API.
-In the following example, Azure AD is again the authorization provider, and mutual TLS (mTLS) authentication secures the connection between the gateway and the backend.
+In the following example, Microsoft Entra ID is again the authorization provider, and mutual TLS (mTLS) authentication secures the connection between the gateway and the backend.
:::image type="content" source="media/authentication-authorization-overview/oauth-token-gateway.svg" alt-text="Diagram showing OAuth communication where audience is the API Management gateway.":::
While authorization is preferred, and OAuth 2.0 has become the dominant method o
|Mechanism |Description |Considerations | ||||
-|[Managed identity authentication](authentication-managed-identity-policy.md) | Authenticate to backend API with a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). | Recommended for scoped access to a protected backend resource by obtaining a token from Azure AD. |
+|[Managed identity authentication](authentication-managed-identity-policy.md) | Authenticate to backend API with a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). | Recommended for scoped access to a protected backend resource by obtaining a token from Microsoft Entra ID. |
|[Certificate authentication](authentication-certificate-policy.md) | Authenticate to backend API using a client certificate. | Certificate may be stored in key vault. | |[Basic authentication](authentication-basic-policy.md) | Authenticate to backend API with username and password that are passed through an Authorization header. | Discouraged if better options are available. |
api-management Authentication Managed Identity Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authentication-managed-identity-policy.md
# Authenticate with managed identity
- Use the `authentication-managed-identity` policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the `Authorization` header using the `Bearer` scheme. API Management caches the token until it expires.
+ Use the `authentication-managed-identity` policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Microsoft Entra ID for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the `Authorization` header using the `Bearer` scheme. API Management caches the token until it expires.
-Both system-assigned identity and any of the multiple user-assigned identities can be used to request a token. If `client-id` is not provided, system-assigned identity is assumed. If the `client-id` variable is provided, token is requested for that user-assigned identity from Azure Active Directory.
+Both system-assigned identity and any of the multiple user-assigned identities can be used to request a token. If `client-id` is not provided, system-assigned identity is assumed. If the `client-id` variable is provided, token is requested for that user-assigned identity from Microsoft Entra ID.
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
Both system-assigned identity and any of the multiple user-assigned identities c
| Attribute | Description | Required | Default | | -- | | -- | - |
-|resource|String. The application ID of the target web API (secured resource) in Azure Active Directory. Policy expressions are allowed. |Yes|N/A|
-|client-id|String. The client ID of the user-assigned identity in Azure Active Directory. Policy expressions aren't allowed. |No|system-assigned identity|
+|resource|String. The application ID of the target web API (secured resource) in Microsoft Entra ID. Policy expressions are allowed. |Yes|N/A|
+|client-id|String. The client ID of the user-assigned identity in Microsoft Entra ID. Policy expressions aren't allowed. |No|system-assigned identity|
|output-token-variable-name|String. Name of the context variable that will receive token value as an object of type `string`. Policy expressions aren't allowed. |No|N/A| |ignore-error|Boolean. If set to `true`, the policy pipeline continues to execute even if an access token isn't obtained.|No|`false`|
api-management Authorizations Configure Common Providers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-configure-common-providers.md
Title: Configure authorization providers - Azure API Management | Microsoft Docs
-description: Learn how to configure common identity providers for authorizations in Azure API Management. Example providers are Azure Active Directory and a generic OAuth 2.0 provider. An authorization manages authorization tokens to an OAuth 2.0 backend service.
+description: Learn how to configure common identity providers for authorizations in Azure API Management. Example providers are Microsoft Entra ID and a generic OAuth 2.0 provider. An authorization manages authorization tokens to an OAuth 2.0 backend service.
In this article, you learn about configuring identity providers for [authorizations](authorizations-overview.md) in your API Management instance. Settings for the following common providers are shown:
-* Azure AD provider
+* Microsoft Entra provider
* Generic OAuth 2.0 provider
-You add identity provider settings when configuring an authorization in your API Management instance. For a step-by-step example of configuring an Azure AD provider and authorization, see:
+You add identity provider settings when configuring an authorization in your API Management instance. For a step-by-step example of configuring a Microsoft Entra provider and authorization, see:
* [Create an authorization with the Microsoft Graph API](authorizations-how-to-azure-ad.md)
To configure any of the supported providers in API Management, first configure a
* Depending on the provider and your scenario, you might need to retrieve other settings such as authorization endpoint URLs or scopes.
-## Azure AD provider
+<a name='azure-ad-provider'></a>
-Authorizations support the Azure AD identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols.
+## Microsoft Entra provider
+
+Authorizations support the Microsoft Entra identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols.
* **Supported grant types**: authorization code, client credentials > [!NOTE]
-> Currently, the Azure AD authorization provider supports only the Azure AD v1.0 endpoints.
+> Currently, the Microsoft Entra authorization provider supports only the Azure AD v1.0 endpoints.
-### Azure AD provider settings
+<a name='azure-ad-provider-settings'></a>
+
+### Microsoft Entra provider settings
[!INCLUDE [api-management-authorization-azure-ad-provider](../../includes/api-management-authorization-azure-ad-provider.md)]
Required settings for these providers differ from provider to provider but are s
## Next steps * Learn more about [authorizations](authorizations-overview.md) in API Management.
-* Create an authorization for [Azure AD](authorizations-how-to-azure-ad.md) or [GitHub](authorizations-how-to-github.md).
+* Create an authorization for [Microsoft Entra ID](authorizations-how-to-azure-ad.md) or [GitHub](authorizations-how-to-github.md).
api-management Authorizations How To Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-how-to-azure-ad.md
This article guides you through the steps required to create an [authorization](
You learn how to: > [!div class="checklist"]
-> * Create an Azure AD application
+> * Create a Microsoft Entra application
> * Create and configure an authorization in API Management > * Configure an access policy > * Create a Microsoft Graph API in API Management and configure a policy
You learn how to:
## Prerequisites -- Access to an Azure Active Directory (Azure AD) tenant where you have permissions to create an app registration and to grant admin consent for the app's permissions. [Learn more](../active-directory/roles/delegate-app-roles.md#restrict-who-can-create-applications)
+- Access to a Microsoft Entra tenant where you have permissions to create an app registration and to grant admin consent for the app's permissions. [Learn more](../active-directory/roles/delegate-app-roles.md#restrict-who-can-create-applications)
If you want to create your own developer tenant, you can sign up for the [Microsoft 365 Developer Program](https://developer.microsoft.com/microsoft-365/dev-program). - A running API Management instance. If you need to, [create an Azure API Management instance](get-started-create-service-instance.md). - Enable a [system-assigned managed identity](api-management-howto-use-managed-service-identity.md) for API Management in the API Management instance.
-## Step 1: Create an Azure AD application
+<a name='step-1-create-an-azure-ad-application'></a>
-Create an Azure AD application for the API and give it the appropriate permissions for the requests that you want to call.
+## Step 1: Create a Microsoft Entra application
+
+Create a Microsoft Entra application for the API and give it the appropriate permissions for the requests that you want to call.
1. Sign in to the [Azure portal](https://portal.azure.com) with an account with sufficient permissions in the tenant.
-1. Under **Azure Services**, search for **Azure Active Directory**.
+1. Under **Azure Services**, search for **Microsoft Entra ID**.
1. On the left menu, select **App registrations**, and then select **+ New registration**.
- :::image type="content" source="media/authorizations-how-to-azure-ad/create-registration.png" alt-text="Screenshot of creating an Azure AD app registration in the portal.":::
+ :::image type="content" source="media/authorizations-how-to-azure-ad/create-registration.png" alt-text="Screenshot of creating a Microsoft Entra app registration in the portal.":::
1. On the **Register an application** page, enter your application registration settings: 1. In **Name**, enter a meaningful name that will be displayed to users of the app, such as *MicrosoftGraphAuth*.
Create an Azure AD application for the API and give it the appropriate permissio
|Settings |Value | |||
- |**Provider name** | A name of your choice, such as *aad-01* |
+ |**Provider name** | A name of your choice, such as *Microsoft Entra ID-01* |
|**Identity provider** | Select **Azure Active Directory v1** | |**Grant type** | Select **Authorization code** | |**Client id** | Paste the value you copied earlier from the app registration | |**Client secret** | Paste the value you copied earlier from the app registration | |**Resource URL** | `https://graph.microsoft.com` |
- |**Tenant ID** | Optional for Azure AD identity provider. Default is *Common* |
- |**Scopes** | Optional for Azure AD identity provider. Automatically configured from AD app's API permissions. |
- |**Authorization name** | A name of your choice, such as *aad-auth-01* |
+ |**Tenant ID** | Optional for Microsoft Entra identity provider. Default is *Common* |
+ |**Scopes** | Optional for Microsoft Entra identity provider. Automatically configured from AD app's API permissions. |
+ |**Authorization name** | A name of your choice, such as *Microsoft Entra auth-01* |
1. After the authorization provider and authorization are created, select **Next**.
-## Step 3: Authorize with Azure AD and configure an access policy
+<a name='step-3-authorize-with-azure-ad-and-configure-an-access-policy'></a>
+
+## Step 3: Authorize with Microsoft Entra ID and configure an access policy
-1. On the **Login** tab, select **Login with Azure Active Directory**. Before the authorization will work, it needs to be authorized.
- :::image type="content" source="media/authorizations-how-to-azure-ad/login-azure-ad.png" alt-text="Screenshot of login with Azure AD in the portal.":::
+1. On the **Login** tab, select **Login with Microsoft Entra ID**. Before the authorization will work, it needs to be authorized.
+ :::image type="content" source="media/authorizations-how-to-azure-ad/login-azure-ad.png" alt-text="Screenshot of login with Microsoft Entra ID in the portal.":::
1. When prompted, sign in to your organizational account. 1. On the confirmation page, select **Allow access**.
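Review bot: the sample names in the settings table were string-replaced into values containing spaces, `*Microsoft Entra ID-01*` for **Provider name** and `*Microsoft Entra auth-01*` for **Authorization name**, whereas the originals (*aad-01*, *aad-auth-01*) were identifier-style like the rest of the sample values; keep hyphenated, space-free examples such as *entra-01* and *entra-auth-01* so readers don't copy a value the form may reject. In the same table the **Scopes** row still says "Automatically configured from AD app's API permissions", so "AD app's" should become "Microsoft Entra app's" to match the rename applied elsewhere in this hunk.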
The preceding policy definition consists of two parts:
## Next steps * Learn more about [access restriction policies](api-management-access-restriction-policies.md)
-* Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Azure AD.
+* Learn more about [scopes and permissions](../active-directory/develop/scopes-oidc.md) in Microsoft Entra ID.
api-management Authorizations Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/authorizations-overview.md
During Step 1, you configure your authorization provider. You can choose between
> With the Generic OAuth 2.0 provider, other identity providers that support the standards of [OAuth 2.0 flow](https://oauth.net/2/) can be used. >
-To use an authorization provider, at least one *authorization* is required. Each authorization is a separate connection to the authorization provider. The process of configuring an authorization differs based on the configured grant type. Each authorization provider configuration only supports one grant type. For example, if you want to configure Azure AD to use both grant types, two authorization provider configurations are needed. The following table summarizes the two grant types.
+To use an authorization provider, at least one *authorization* is required. Each authorization is a separate connection to the authorization provider. The process of configuring an authorization differs based on the configured grant type. Each authorization provider configuration only supports one grant type. For example, if you want to configure Microsoft Entra ID to use both grant types, two authorization provider configurations are needed. The following table summarizes the two grant types.
|Grant type |Description |
For authorizations based on the authorization code grant type, you must authenti
#### Step 3: Access policy
-You configure one or more *access policies* for each authorization. The access policies determine which [Azure AD identities](../active-directory/develop/app-objects-and-service-principals.md) can gain access to your authorizations at runtime. Authorizations currently support managed identities and service principals.
+You configure one or more *access policies* for each authorization. The access policies determine which [Microsoft Entra identities](../active-directory/develop/app-objects-and-service-principals.md) can gain access to your authorizations at runtime. Authorizations currently support managed identities and service principals.
|Identity |Description | Benefits | Considerations | |||--|-|
-|Service principal | Identity whose tokens can be used to authenticate and grant access to specific Azure resources, when an organization is using Azure Active Directory (Azure AD). By using a service principal, organizations avoid creating fictitious users to manage authentication when they need to access a resource. A service principal is an Azure AD identity that represents a registered Azure AD application. | Permits more tightly scoped access to authorization. Isn't tied to specific API Management instance. Relies on Azure AD for permission enforcement. | Getting the [authorization context](get-authorization-context-policy.md) requires an Azure AD token. |
-|Managed identity | Service principal of a special type that represents an Azure AD identity for an Azure service. Managed identities are tied to, and can only be used with, an Azure resource. Managed identities eliminate the need for you to manually create and manage service principals directly.<br/><br/>When a system-assigned managed identity is enabled, a service principal representing that managed identity is created in your tenant automatically and tied to your resource's lifecycle.|No credentials are needed.|Identity is tied to specific Azure infrastructure. Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions. |
+|Service principal | Identity whose tokens can be used to authenticate and grant access to specific Azure resources, when an organization is using Microsoft Entra ID. By using a service principal, organizations avoid creating fictitious users to manage authentication when they need to access a resource. A service principal is a Microsoft Entra identity that represents a registered Microsoft Entra application. | Permits more tightly scoped access to authorization. Isn't tied to specific API Management instance. Relies on Microsoft Entra ID for permission enforcement. | Getting the [authorization context](get-authorization-context-policy.md) requires a Microsoft Entra token. |
+|Managed identity | Service principal of a special type that represents a Microsoft Entra identity for an Azure service. Managed identities are tied to, and can only be used with, an Azure resource. Managed identities eliminate the need for you to manually create and manage service principals directly.<br/><br/>When a system-assigned managed identity is enabled, a service principal representing that managed identity is created in your tenant automatically and tied to your resource's lifecycle.|No credentials are needed.|Identity is tied to specific Azure infrastructure. Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions. |
| Managed identity `<Your API Management instance name>` | This option corresponds to a managed identity tied to your API Management instance. | Quick selection of system-assigned managed identity for the corresponding API management instance. | Identity is tied to your API Management instance. Anyone with Contributor access to API Management instance can access any authorization granting managed identity permissions. | ## Security considerations
Learn how to:
- Configure [identity providers](authorizations-configure-common-providers.md) for authorizations - Configure and use an authorization for the [Microsoft Graph API](authorizations-how-to-azure-ad.md) or the [GitHub API](authorizations-how-to-github.md) - Configure [multiple authorization connections](configure-authorization-connection.md) for a provider-
api-management Identity Provider Adal Retirement Sep 2025 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/identity-provider-adal-retirement-sep-2025.md
Title: Azure API Management identity providers configuration change (September 2025) | Microsoft Docs
-description: Azure API Management is updating the library used for user authentication in the developer portal. If you use Azure AD or Azure AD B2C identity providers, you need to update application settings and identity provider configuration to use the Microsoft Authentication Library (MSAL).
+description: Azure API Management is updating the library used for user authentication in the developer portal. If you use Microsoft Entra ID or Azure AD B2C identity providers, you need to update application settings and identity provider configuration to use the Microsoft Authentication Library (MSAL).
documentationcenter: ''
Last updated 09/06/2022
-# ADAL-based Azure AD or Azure AD B2C identity provider retirement (September 2025)
+# ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement (September 2025)
-On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). You need to migrate your Azure AD or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal.
+On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). You need to migrate your Microsoft Entra ID or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal.
-This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Azure AD or Azure AD B2C identity providers beyond 30 September, 2025.
+This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Microsoft Entra ID or Azure AD B2C identity providers beyond 30 September, 2025.
## Is my service affected by this change? Your service is impacted by this change if:
-* You've configured an [Azure AD](../api-management-howto-aad.md) or [Azure AD B2C](../api-management-howto-aad-b2c.md) identity provider for user account authentication using the ADAL and use the provided developer portal.
+* You've configured an [Microsoft Entra ID](../api-management-howto-aad.md) or [Azure AD B2C](../api-management-howto-aad-b2c.md) identity provider for user account authentication using the ADAL and use the provided developer portal.
## What is the deadline for the change?
-On 30 September, 2025, these identity providers will stop functioning. To avoid disruption of your developer portal, you need to update your Azure AD applications and identity provider configuration in Azure API Management by that date. Your developer portal might be at a security risk after Microsoft ADAL support ends in June 1, 2023.
+On 30 September, 2025, these identity providers will stop functioning. To avoid disruption of your developer portal, you need to update your Microsoft Entra applications and identity provider configuration in Azure API Management by that date. Your developer portal might be at a security risk after Microsoft ADAL support ends in June 1, 2023.
-Developer portal sign-in and sign-up with Azure AD or Azure AD B2C will stop working past 30 September, 2025 if you don't update your ADAL-based Azure AD or Azure AD B2C identity providers. This new authentication method is more secure, as it relies on the OAuth 2.0 authorization code flow with PKCE and uses an up-to-date software library.
+Developer portal sign-in and sign-up with Microsoft Entra ID or Azure AD B2C will stop working past 30 September, 2025 if you don't update your ADAL-based Microsoft Entra ID or Azure AD B2C identity providers. This new authentication method is more secure, as it relies on the OAuth 2.0 authorization code flow with PKCE and uses an up-to-date software library.
## What do I need to do?
-### Update Azure AD and Azure AD B2C applications for MSAL compatibility
+<a name='update-azure-ad-and-azure-ad-b2c-applications-for-msal-compatibility'></a>
+
+### Update Microsoft Entra ID and Azure AD B2C applications for MSAL compatibility
[Switch redirect URIs to the single-page application type](../../active-directory/develop/migrate-spa-implicit-to-auth-code.md#switch-redirect-uris-to-spa-platform).
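Review bot: the bullet under "Your service is impacted by this change if:" now reads "You've configured an [Microsoft Entra ID](../api-management-howto-aad.md) or ..." and the article no longer agrees with the noun; change "an" to "a". The deadline paragraph also carried over "after Microsoft ADAL support ends in June 1, 2023" unchanged; "on June 1, 2023" is the correct preposition and this is a good opportunity to fix it.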
Developer portal sign-in and sign-up with Azure AD or Azure AD B2C will stop wor
1. Go to the [Azure portal](https://portal.azure.com) and navigate to your Azure API Management service. 2. Select **Identities** in the menu.
-3. Select **Azure Active Directory** or **Azure Active Directory B2C** from the list.
+3. Select **Microsoft Entra ID** or **Azure Active Directory B2C** from the list.
4. Select **MSAL** in the **Client library** dropdown. 5. Select **Update**. 6. [Republish your developer portal](../api-management-howto-developer-portal-customize.md#publish-from-the-azure-portal).
If you have questions, get answers from community experts in [Microsoft Q&A](htt
1. Under **Service**, select **My services**, then select **API Management Service**. 1. Under **Resource**, select the Azure resource that youΓÇÖre creating a support request for. 1. For **Problem type**, select **Authentication and Security**.
-1. For **Problem subtype**, select **Azure Active Directory Authentication** or **Azure Active Directory B2C Authentication**.
+1. For **Problem subtype**, select **Microsoft Entra authentication** or **Azure Active Directory B2C Authentication**.
## More information
-* [Authenticate users with Azure AD](../api-management-howto-aad.md)
+* [Authenticate users with Microsoft Entra ID](../api-management-howto-aad.md)
* [Authenticate users with Azure AD B2C](../api-management-howto-aad-b2c.md) * [Microsoft Q&A](/answers/topics/azure-api-management.html) ## Next steps
-See all [upcoming breaking changes and feature retirements](overview.md).
+See all [upcoming breaking changes and feature retirements](overview.md).
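Review bot: the **Problem subtype** step now mixes casing, "**Microsoft Entra authentication**" beside "**Azure Active Directory B2C Authentication**"; since these are quoted portal labels, check the actual support-request dropdown and make the casing of both match what the portal shows rather than what the rename produced.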
api-management Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/overview.md
The following table lists all the upcoming breaking changes and feature retireme
| [Deprecated (legacy) portal retirement][devportal2023] | October 31, 2023 | | [Self-hosted gateway v0/v1 retirement][shgwv0v1] | October 1, 2023 | | [stv1 platform retirement][stv12024] | August 31, 2024 |
-| [ADAL-based Azure AD or Azure AD B2C identity provider retirement][msal2025] | September 30, 2025 |
+| [ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement][msal2025] | September 30, 2025 |
| [CAPTCHA endpoint update][captcha2025] | September 30, 2025 | <!-- Links -->
api-management Configure Authorization Connection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/configure-authorization-connection.md
# Configure multiple authorization connections
-You can configure multiple authorizations (also called *authorization connections*) to an authorization provider in your API Management instance. For example, if you configured Azure AD as an authorization provider, you might need to create multiple authorizations for different scenarios and users.
+You can configure multiple authorizations (also called *authorization connections*) to an authorization provider in your API Management instance. For example, if you configured Microsoft Entra ID as an authorization provider, you might need to create multiple authorizations for different scenarios and users.
In this article, you learn how to add an authorization connection to an existing provider, using the portal. For an overview of configuration steps, see [How to configure authorizations?](authorizations-overview.md#how-to-configure-authorizations) ## Prerequisites * An API Management instance. If you need to, [create one](get-started-create-service-instance.md).
-* A configured authorization provider. For example, see the steps to create a provider for [GitHub](authorizations-how-to-github.md) or [Azure AD](authorizations-how-to-azure-ad.md).
+* A configured authorization provider. For example, see the steps to create a provider for [GitHub](authorizations-how-to-github.md) or [Microsoft Entra ID](authorizations-how-to-azure-ad.md).
## Create an authorization connection - portal
In this article, you learn how to add an authorization connection to an existing
1. Complete the steps for your authorization connection. 1. On the **Authorization** tab, enter an **Authorization name**. Select **Create**, then select **Next**. 1. On the **Login** tab (for authorization code grant type), complete the steps to login to the authorization provider to allow access. Select **Next**.
- 1. On the **Access policy** tab, assign access to the Azure AD identity or identities that can use the authorization. Select **Complete**.
+ 1. On the **Access policy** tab, assign access to the Microsoft Entra identity or identities that can use the authorization. Select **Complete**.
1. The new connection appears in the list of authorizations, and shows a status of **Connected**. :::image type="content" source="media/configure-authorization-connection/list-authorizations.png" alt-text="Screenshot of list of authorization connections in the portal.":::
To update an authorization connection:
* Learn more about [configuring identity providers](authorizations-configure-common-providers.md) for authorizations. * Review [limits](authorizations-overview.md#limits) for authorization providers and authorizations.----
api-management Developer Portal Basic Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-basic-authentication.md
There are two ways to add a username and password for authentication to the deve
## Delete the username and password provider
-If you've configured another identity provider for the developer portal such as [Azure AD](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md), you might want to delete the username and password provider.
+If you've configured another identity provider for the developer portal such as [Microsoft Entra ID](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md), you might want to delete the username and password provider.
Deleting the identity provider prevents adding users to use username and password authentication. Existing users configured for basic authentication are also prevented from signing into the developer portal.
Deleting the identity provider prevents adding users to use username and passwor
For steps to add other identity providers for developer sign-up to the developer portal, see: -- [Authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md)-- [Authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md)
+- [Authorize developer accounts by using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md)
+- [Authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md)
api-management Developer Portal Deprecated Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-deprecated-migration.md
When you migrate from the deprecated portal, keep in mind the following changes:
- *Issues* and *Applications* aren't supported in the new developer portal. - Direct integration with Facebook, Microsoft, Twitter, and Google as identity providers isn't supported in the new developer portal. You can integrate with those providers via Azure AD B2C. - If you use delegation, change the return URL in your applications and use the [*Get Shared Access Token* API endpoint](/rest/api/apimanagement/current-ga/user/get-shared-access-token) instead of the *Generate SSO URL* endpoint.-- If you use Azure AD as an identity provider:
+- If you use Microsoft Entra ID as an identity provider:
- Change the return URL in your application to point to the new developer portal domain. - Modify the suffix of the return URL in your application from `/signin-aad` to `/signin`.
api-management Developer Portal Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-faq.md
After you update the domain, you need to [republish the portal](api-management-h
## I added an identity provider and I can't see it in the portal
-After you configure an identity provider (for example, Azure AD, Azure AD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget.
+After you configure an identity provider (for example, Microsoft Entra ID, Azure AD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect. Make sure your developer portal pages include the OAuth buttons widget.
## I set up delegation and the portal doesn't use it
api-management Front Door Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/front-door-api-management.md
The following are high level steps to add an endpoint for the developer portal t
For more information and details about settings, see [How to configure an origin for Azure Front Door](../frontdoor/how-to-configure-origin.md#create-a-new-origin-group). > [!NOTE]
-> If you've configured an [Azure AD](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md) identity provider for the developer portal, you need to update the corresponding app registration with an additional redirect URL to Front Door. In the app registration, add the URL for the developer portal endpoint configured in your Front Door profile.
+> If you've configured an [Microsoft Entra ID](api-management-howto-aad.md) or [Azure AD B2C](api-management-howto-aad-b2c.md) identity provider for the developer portal, you need to update the corresponding app registration with an additional redirect URL to Front Door. In the app registration, add the URL for the developer portal endpoint configured in your Front Door profile.
## Next steps
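Review bot: article error in the added note line: "an [Microsoft Entra ID](api-management-howto-aad.md)" should read "a [Microsoft Entra ID](...)"; the original "an [Azure AD]" was correct because of the vowel, but the rename changes the article. The rest of the rename is fine.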
api-management Get Authorization Context Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/get-authorization-context-policy.md
The policy fetches and stores authorization and refresh tokens from the configur
| authorization-id | The authorization resource identifier. Policy expressions are allowed. | Yes | N/A | | context-variable-name | The name of the context variable to receive the [`Authorization` object](#authorization-object). Policy expressions are allowed. | Yes | N/A | | identity-type | Type of identity to check against the authorization access policy. <br> - `managed`: managed identity of the API Management service. <br> - `jwt`: JWT bearer token specified in the `identity` attribute.<br/><br/>Policy expressions are allowed. | No | `managed` |
-| identity | An Azure AD JWT bearer token to check against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: `https://azure-api.net/authorization-manager` <br> - `oid`: Permission object ID <br> - `tid`: Permission tenant ID<br/><br/>Policy expressions are allowed. | No | N/A |
+| identity | A Microsoft Entra JWT bearer token to check against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: `https://azure-api.net/authorization-manager` <br> - `oid`: Permission object ID <br> - `tid`: Permission tenant ID<br/><br/>Policy expressions are allowed. | No | N/A |
| ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource isn't found or is in an error state): <br> - `true`: the context variable is assigned a value of null. <br> - `false`: return `500`<br/><br/>If you set the value to `false`, and the policy configuration includes an `on-error` section, the error is available in the `context.LastError` property.<br/><br/>Policy expressions are allowed. | No | `false` | ### Authorization object
api-management How To Create Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-create-workspace.md
The new workspace appears in the list on the **Workspaces** page. Select the wor
After creating a workspace, assign permissions to users to manage the workspace's resources. Each workspace user must be assigned both a service-scoped workspace RBAC role and a workspace-scoped RBAC role, or granted equivalent permissions using custom roles. > [!NOTE]
-> For easier management, set up Azure AD groups to assign workspace permissions to multiple users.
+> For easier management, set up Microsoft Entra groups to assign workspace permissions to multiple users.
> * For a list of built-in workspace roles, see [How to use role-based access control in API Management](api-management-role-based-access-control.md).
The open source [Azure API Management workspaces migration tool](https://github.
## Next steps * Workspace collaborators can get started [managing APIs and other resources in their API Management workspace](api-management-in-workspace.md)-
api-management How To Deploy Self Hosted Gateway Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md
This article describes the steps for deploying the self-hosted gateway component
## Deploy to Kubernetes > [!TIP]
-> The following steps deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using a gateway access token (authentication key). You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Azure AD](self-hosted-gateway-enable-azure-ad.md).
+> The following steps deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using a gateway access token (authentication key). You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Microsoft Entra ID](self-hosted-gateway-enable-azure-ad.md).
1. Select **Gateways** under **Deployment and infrastructure**. 2. Select the self-hosted gateway resource that you want to deploy.
api-management How To Self Hosted Gateway On Kubernetes In Production https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md
Without a valid access token, a self-hosted gateway can't access and download co
When you're automating token refresh, use [this management API operation](/rest/api/apimanagement/current-ga/gateway/generate-token) to generate a new token. For information on managing Kubernetes secrets, see the [Kubernetes website](https://kubernetes.io/docs/concepts/configuration/secret). > [!TIP]
-> You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Azure AD](self-hosted-gateway-enable-azure-ad.md).
+> You can also deploy the self-hosted gateway to Kubernetes and enable authentication to the API Management instance by using [Microsoft Entra ID](self-hosted-gateway-enable-azure-ad.md).
## Autoscaling
api-management Howto Protect Backend Frontend Azure Ad B2c https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/howto-protect-backend-frontend-azure-ad-b2c.md
For defense in depth, we then use EasyAuth to validate the token again inside th
> * Creation of an Azure Functions Backend API > * Import of an Azure Functions API into Azure API Management > * Securing the API in Azure API Management
-> * Calling the Azure Active Directory B2C Authorization Endpoints via the Microsoft Identity Platform Libraries (MSAL.js)
+> * Calling the Azure Active Directory B2C Authorization Endpoints via the Microsoft identity platform Libraries (MSAL.js)
> * Storing a HTML / Vanilla JS Single Page Application and serving it from an Azure Blob Storage Endpoint ## Prerequisites
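Review bot: inconsistent capitalization in the added bullet: "Microsoft identity platform Libraries (MSAL.js)" lowercases "identity platform" but keeps "Libraries" capitalized; use "Microsoft identity platform libraries (MSAL.js)". While this list is being touched, the next bullet's "a HTML / Vanilla JS Single Page Application" should be "an HTML / vanilla JS single-page application".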
Open the Azure AD B2C blade in the portal and do the following steps.
## Build the function API
-1. Switch back to your standard Azure AD tenant in the Azure portal so we can configure items in your subscription again.
+1. Switch back to your standard Microsoft Entra tenant in the Azure portal so we can configure items in your subscription again.
1. Go to the Function Apps blade of the Azure portal, open your empty function app, then click 'Functions', click 'Add'. 1. In the flyout that appears, choose 'Develop in portal', under 'select a template' then choose 'HTTP trigger', under Template details name it 'hello' with authorization level 'Function', then select Add. 1. Switch to the Code + Test blade and copy-paste the sample code from below *over the existing code* that appears.
Open the Azure AD B2C blade in the portal and do the following steps.
> [!IMPORTANT] > Now your Function API is deployed and should throw 401 responses if the correct JWT isn't supplied as an Authorization: Bearer header, and should return data when a valid request is presented.
- > You added additional defense-in-depth security in EasyAuth by configuring the 'Login With Azure AD' option to handle unauthenticated requests.
+ > You added additional defense-in-depth security in EasyAuth by configuring the 'Login With Microsoft Entra ID' option to handle unauthenticated requests.
> > We still have no IP security applied, if you have a valid key and OAuth2 token, anyone can call this from anywhere - ideally we want to force all requests to come via API Management. >
You'll need to add CIDR formatted blocks of addresses to the IP restrictions pan
1. Select the '$web' container from the list 1. Select https://docsupdatetracker.net/index.html blob from the list 1. Click 'Edit'
-1. Update the auth values in the msal config section to match your *front-end* application you registered in B2C earlier. Use the code comments for hints on how the config values should look.
+1. Update the auth values in the MSAL config section to match your *front-end* application you registered in B2C earlier. Use the code comments for hints on how the config values should look.
The *authority* value needs to be in the format:- https://{b2ctenantname}.b2clogin.com/tfp/{b2ctenantname}.onmicrosoft.com}/{signupandsigninpolicyname}, if you have used our sample names and your b2c tenant is called 'contoso' then you would expect the authority to be 'https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/Frontendapp_signupandsignin'. 1. Set the api values to match your backend address (The API Base Url you recorded earlier, and the 'b2cScopes' values were recorded earlier for the *backend application*). 1. Click Save
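Review bot: the authority format in this hunk's trailing context has an unbalanced closing brace: `https://{b2ctenantname}.b2clogin.com/tfp/{b2ctenantname}.onmicrosoft.com}/{signupandsigninpolicyname}` should be `https://{b2ctenantname}.b2clogin.com/tfp/{b2ctenantname}.onmicrosoft.com/{signupandsigninpolicyname}`, matching the concrete contoso example given on the same line. Since the step already corrects "msal" to "MSAL", fixing the template here as well would stop readers from copying a malformed authority URL into the configuration.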
The steps above can be adapted and edited to allow many different uses of Azure
## Next steps
-* Learn more about [Azure Active Directory and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
+* Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).
* Check out more [videos](https://azure.microsoft.com/documentation/videos/index/?services=api-management) about API Management. * For other ways to secure your back-end service, see [Mutual Certificate authentication](api-management-howto-mutual-certificates.md). * [Create an API Management service instance](get-started-create-service-instance.md).
api-management Mitigate Owasp Api Threats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/mitigate-owasp-api-threats.md
Use API Management for user authentication and authorization:
* [Client certificate](authentication-certificate-policy.md) policy - Using client certificates is more secure than basic credentials or subscription key, but it doesn't allow the flexibility provided by token-based authorization protocols such as OAuth 2.0.
-* **Authorization** - API Management supports a [validate JWT](validate-jwt-policy.md) policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint. Configure the policy to check relevant token claims, audience, and expiration time. Learn more about protecting an API using [OAuth 2.0 authorization and Azure Active Directory](api-management-howto-protect-backend-with-aad.md).
+* **Authorization** - API Management supports a [validate JWT](validate-jwt-policy.md) policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint. Configure the policy to check relevant token claims, audience, and expiration time. Learn more about protecting an API using [OAuth 2.0 authorization and Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).
More recommendations:
More recommendations:
* APIs should use TLS/SSL (transport security) to protect the credentials or tokens. Credentials and tokens should be sent in request headers and not as query parameters.
-* In the API Management [developer portal](api-management-howto-developer-portal.md), configure [Azure Active Directory](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) as the identity provider to increase the account security. The developer portal uses CAPTCHA to mitigate brute force attacks.
+* In the API Management [developer portal](api-management-howto-developer-portal.md), configure [Microsoft Entra ID](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) as the identity provider to increase the account security. The developer portal uses CAPTCHA to mitigate brute force attacks.
### Related information
More information about this threat: [API7:2019 Security misconfiguration](https:
* If you choose to [self-host](developer-portal-self-host.md) the developer portal, ensure there's a process in place to periodically update the self-hosted portal to the latest version. Updates for the default managed version are automatic.
- * Use [Azure Active Directory (Azure AD)](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) for user sign-up and sign-in. Disable the default username and password authentication, which is less secure.
+ * Use [Microsoft Entra ID](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) for user sign-up and sign-in. Disable the default username and password authentication, which is less secure.
* Assign [user groups](api-management-howto-create-groups.md#-associate-a-group-with-a-product) to products, to control the visibility of APIs in the portal.
api-management Protect With Ddos Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/protect-with-ddos-protection.md
Enabling Azure DDoS Protection for API Management is supported only for instance
> [!NOTE] > If the instance is hosted on the `stv1` platform, you must [migrate](compute-infrastructure.md#how-do-i-migrate-to-the-stv2-platform) to the `stv2` platform. * An Azure DDoS Protection [plan](../ddos-protection/manage-ddos-protection.md)
- * The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Azure Active Directory tenant.
+ * The plan you select can be in the same, or different, subscription than the virtual network and the API Management instance. If the subscriptions differ, they must be associated to the same Microsoft Entra tenant.
* You may use a plan created using either the Network DDoS protection SKU or IP DDoS Protection SKU (preview). See [Azure DDoS Protection SKU Comparison](../ddos-protection/ddos-protection-sku-comparison.md). > [!NOTE]
api-management Secure Developer Portal Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/secure-developer-portal-access.md
Title: Secure access to developer portal
-description: Learn about options to secure access to the API Management developer portal, including Azure AD, Azure AD B2C, and basic authentication
+description: Learn about options to secure access to the API Management developer portal, including Microsoft Entra ID, Azure AD B2C, and basic authentication
API Management has a fully customizable, standalone, managed [developer portal](
For steps to enable Azure AD B2C authentication in the developer portal, see [How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md).
-* **Internal users** - The preferred option when the developer portal is consumed internally is to leverage your corporate Azure AD. Azure AD provides a seamless single sign-on (SSO) experience for corporate users who need to access and discover APIs through the developer portal.
+* **Internal users** - The preferred option when the developer portal is consumed internally is to leverage your corporate Microsoft Entra ID. Microsoft Entra ID provides a seamless single sign-on (SSO) experience for corporate users who need to access and discover APIs through the developer portal.
- For steps to enable Azure AD authentication in the developer portal, see [How to authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md).
+ For steps to enable Microsoft Entra authentication in the developer portal, see [How to authorize developer accounts by using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md).
* **Basic authentication** - A default option is to use the built-in developer portal [username and password](developer-portal-basic-authentication.md) provider, which allows developers to register directly in API Management and sign in using API Management user accounts. User sign up through this option is protected by a CAPTCHA service.
If the API exposed through Azure API Management is secured with OAuth 2.0 - that
To enable the test console to acquire a valid OAuth 2.0 token for API testing:
-1. Add an OAuth 2.0 user authorization server to your instance. You can use any OAuth 2.0 provider, including Azure AD, Azure AD B2C, or a third-party identity provider.
+1. Add an OAuth 2.0 user authorization server to your instance. You can use any OAuth 2.0 provider, including Microsoft Entra ID, Azure AD B2C, or a third-party identity provider.
2. Then, configure the API with settings for that authorization server. In the portal, configure OAuth 2.0 authorization on the API's **Settings** page > **Security** > **User authorization**.
Different authentication and authorization options apply to different scenarios.
### Scenario 1 - Intranet API and applications * An API Management contributor and backend API developer wants to publish an API that is secured by OAuth 2.0.
-* The API will be consumed by desktop applications whose users sign in using SSO through Azure AD.
+* The API will be consumed by desktop applications whose users sign in using SSO through Microsoft Entra ID.
* The desktop application developers also need to discover and test the APIs via the API Management developer portal. Key configurations:
Key configurations:
|Configuration |Reference | |||
-| Authorize developer users of the API Management developer portal using their corporate identities and Azure AD. | [Authorize developer accounts by using Azure Active Directory in Azure API Management](api-management-howto-aad.md) |
+| Authorize developer users of the API Management developer portal using their corporate identities and Microsoft Entra ID. | [Authorize developer accounts by using Microsoft Entra ID in Azure API Management](api-management-howto-aad.md) |
|Set up the test console in the developer portal to obtain a valid OAuth 2.0 token for the desktop app developers to exercise the backend API. <br/><br/>The same configuration can be used for the test console in the Azure portal, which is accessible to the API Management contributors and backend developers. <br/><br/>The token could be used in combination with an API Management subscription key. | [How to authorize test console of developer portal by configuring OAuth 2.0 user authorization](api-management-howto-oauth2.md)<br/><br/>[Subscriptions in Azure API Management](api-management-subscriptions.md) | | Validate the OAuth 2.0 token and claims when an API is called through API Management with an access token. | [Validate JWT policy](validate-jwt-policy.md) |
Go a step further with this scenario by moving API Management into the network p
* An API Management contributor and backend API developer wants to undertake a rapid proof-of-concept to expose a legacy API through Azure API Management. The API through API Management will be externally (internet) facing. * The API uses client certificate authentication and will be consumed by a new public-facing single-page app (SPA) being developed offshore by a partner.
-* The SPA uses OAuth 2.0 with Open ID Connect (OIDC).
+* The SPA uses OAuth 2.0 with OpenID Connect (OIDC).
* Application developers will access the API in a test environment through the developer portal, using a test backend endpoint to accelerate frontend development. Key configurations:
Key configurations:
| Validate the OAuth 2.0 token and claims when the SPA calls API Management with an access token. In this case, the audience is API Management. | [Validate JWT policy](validate-jwt-policy.md) | | Set up API Management to use client certificate authentication to the backend. | [Secure backend services using client certificate authentication in Azure API Management](api-management-howto-mutual-certificates.md) |
-Go a step further with this scenario by using the [developer portal with Azure AD authorization](api-management-howto-aad.md) and Azure AD [B2B collaboration](../active-directory/external-identities/what-is-b2b.md) to allow the delivery partners to collaborate more closely. Consider delegating access to API Management through RBAC in a development or test environment and enable SSO into the developer portal using their own corporate credentials.
+Go a step further with this scenario by using the [developer portal with Microsoft Entra authorization](api-management-howto-aad.md) and Microsoft Entra [B2B collaboration](../active-directory/external-identities/what-is-b2b.md) to allow the delivery partners to collaborate more closely. Consider delegating access to API Management through RBAC in a development or test environment and enable SSO into the developer portal using their own corporate credentials.
### Scenario 3 - External API, SaaS, open to the public
api-management Self Hosted Gateway Enable Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-enable-azure-ad.md
Title: Azure API Management self-hosted gateway - Azure AD authentication
-description: Enable the Azure API Management self-hosted gateway to authenticate with its associated cloud-based API Management instance using Azure Active Directory authentication.
+ Title: Azure API Management self-hosted gateway - Microsoft Entra authentication
+description: Enable the Azure API Management self-hosted gateway to authenticate with its associated cloud-based API Management instance using Microsoft Entra authentication.
Last updated 05/22/2023
-# Use Azure AD authentication for the self-hosted gateway
+# Use Microsoft Entra authentication for the self-hosted gateway
The Azure API Management [self-hosted gateway](self-hosted-gateway-overview.md) needs connectivity with its associated cloud-based API Management instance for reporting status, checking for and applying configuration updates, and sending metrics and events.
-In addition to using a gateway access token (authentication key) to connect with its cloud-based API Management instance, you can enable the self-hosted gateway to authenticate to its associated cloud instance by using an [Azure AD app](../active-directory/develop/app-objects-and-service-principals.md). With Azure AD authentication, you can configure longer expiry times for secrets and use standard steps to manage and rotate secrets in Active Directory.
+In addition to using a gateway access token (authentication key) to connect with its cloud-based API Management instance, you can enable the self-hosted gateway to authenticate to its associated cloud instance by using an [Microsoft Entra app](../active-directory/develop/app-objects-and-service-principals.md). With Microsoft Entra authentication, you can configure longer expiry times for secrets and use standard steps to manage and rotate secrets in Active Directory.
## Scenario overview
-The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create an Azure AD app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app.
+The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create a Microsoft Entra app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app.
-To enable Azure AD authentication, complete the following steps:
+To enable Microsoft Entra authentication, complete the following steps:
1. Create two custom roles to: * Let the configuration API get access to customer's RBAC information * Grant permissions to read self-hosted gateway configuration 1. Grant RBAC access to the API Management instance's managed identity
-1. Create an Azure AD app and grant it access to read the gateway configuration
+1. Create a Microsoft Entra app and grant it access to read the gateway configuration
1. Deploy the gateway with new configuration options ## Prerequisites
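Review bot: the added frontmatter line appears as `+ Title:` with a leading space and a capital T, unlike `description:` on the following line, which is flush-left and lowercase; an indented key breaks the YAML frontmatter, so confirm the committed line is `title: Azure API Management self-hosted gateway - Microsoft Entra authentication` with no indentation. Two points in the paragraph starting "In addition to using a gateway access token": "an [Microsoft Entra app](...)" should be "a [Microsoft Entra app](...)", and the same sentence still ends with "manage and rotate secrets in Active Directory", which the rename leaves inconsistent; "in Microsoft Entra ID" matches the rest of the change.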
Assign the API Management Configuration API Access Validator Service Role to the
### Assign API Management Gateway Configuration Reader Role
-#### Step 1: Register Azure AD app
+<a name='step-1-register-azure-ad-app'></a>
-Create a new Azure AD app. For steps, see [Create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This app will be used by the self-hosted gateway to authenticate to the API Management instance.
+#### Step 1: Register Microsoft Entra app
+
+Create a new Microsoft Entra app. For steps, see [Create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This app will be used by the self-hosted gateway to authenticate to the API Management instance.
* Generate a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret) * Take note of the following application values for use in the next section when deploying the self-hosted gateway: application (client) ID, directory (tenant) ID, and client secret
Create a new Azure AD app. For steps, see [Create an Azure Active Directory appl
* Scope: The API Management instance (or resource group or subscription in which it's deployed) * Role: API Management Gateway Configuration Reader Role
-* Assign access to: Azure AD app
+* Assign access to: Microsoft Entra app
## Deploy the self-hosted gateway
-Deploy the self-hosted gateway to Kubernetes, adding Azure AD app registration settings to the `data` element of the gateways `ConfigMap`. In the following example YAML configuration file, the gateway is named *mygw* and the file is named `mygw.yaml`.
+Deploy the self-hosted gateway to Kubernetes, adding Microsoft Entra app registration settings to the `data` element of the gateways `ConfigMap`. In the following example YAML configuration file, the gateway is named *mygw* and the file is named `mygw.yaml`.
> [!IMPORTANT] > If you're following the existing Kubernetes [deployment guidance](how-to-deploy-self-hosted-gateway-kubernetes.md): > * Make sure to omit the step to store the default authentication key using the `kubectl create secret generic` command.
-> * Substitute the following basic configuration file for the default YAML file that's generated for you in the Azure portal. The following file adds Azure AD configuration in place of configuration to use an authentication key.
+> * Substitute the following basic configuration file for the default YAML file that's generated for you in the Azure portal. The following file adds Microsoft Entra configuration in place of configuration to use an authentication key.
```yml
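Review bot: The "Microsoft Entra app registration settings" that the new paragraph tells readers to add to the `data` element of the `ConfigMap` will, per the settings reference on this page, include `config.service.auth.azureAd.clientSecret` unless a certificate is used; a ConfigMap is not a secret store, so if the sample YAML (cut off after the opening fence here) puts the client secret in `data`, the text should point readers to a Kubernetes Secret instead (the `kubectl create secret generic` step the IMPORTANT note tells them to omit, reused for the client secret) or to the `config.service.auth.azureAd.certificatePath` alternative. Also a typo carried from the old line into the new one: "the `data` element of the gateways `ConfigMap`" should read "gateway's `ConfigMap`".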
api-management Self Hosted Gateway Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-overview.md
To operate properly, each self-hosted gateway needs outbound connectivity on por
| Hostname of Azure Blob Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) | | Hostname of Azure Table Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) | | Endpoints for Azure Resource Manager | ✔️ | Optional<sup>3</sup> | Required endpoints are `management.azure.com`. |
-| Endpoints for Azure Active Directory integration | ✔️ | Optional<sup>4</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. |
+| Endpoints for Microsoft Entra integration | ✔️ | Optional<sup>4</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. |
| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](../azure-monitor/app/ip-addresses.md#outgoing-ports) | | Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) | | Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | This requirement depends on the external cache that is being used | <sup>1</sup>For an API Management instance in an internal virtual network, enable private connectivity to the v2 configuration endpoint from the location of the self-hosted gateway, for example, using a private DNS in a peered network.<br/> <sup>2</sup>Only required in v2 when API inspector or quotas are used in policies.<br/>
-<sup>3</sup>Only required when using Azure AD authentication to verify RBAC permissions.<br/>
-<sup>4</sup>Only required when using Azure AD authentication or Azure AD-related policies.<br/>
+<sup>3</sup>Only required when using Microsoft Entra authentication to verify RBAC permissions.<br/>
+<sup>4</sup>Only required when using Microsoft Entra authentication or Microsoft Entra related policies.<br/>
<sup>5</sup>Only required when feature is used and requires public IP address, port, and hostname information.<br/> > [!IMPORTANT]
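Review bot: Footnote 4 in the new line, "Microsoft Entra authentication or Microsoft Entra related policies", needs a hyphen, "Microsoft Entra-related policies", to match the old "Azure AD-related" and keep "related" attached to the product name. The rest of the hunk is a rename with the endpoint list (`<region>.login.microsoft.com`, `login.microsoftonline.com`) unchanged, which is correct.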
To authenticate the connection between the self-hosted gateway and the cloud-bas
|Option |Considerations | |||
-| [Azure Active Directory authentication](self-hosted-gateway-enable-azure-ad.md) | Configure one or more Azure AD apps for access to gateway<br/><br/>Manage access separately per app<br/><br/>Configure longer expiry times for secrets in accordance with your organization's policies<br/><br/>Use standard Azure AD procedures to assign or revoke user or group permissions to app and to rotate secrets<br/><br/> |
+| [Microsoft Entra authentication](self-hosted-gateway-enable-azure-ad.md) | Configure one or more Microsoft Entra apps for access to gateway<br/><br/>Manage access separately per app<br/><br/>Configure longer expiry times for secrets in accordance with your organization's policies<br/><br/>Use standard Microsoft Entra procedures to assign or revoke user or group permissions to app and to rotate secrets<br/><br/> |
| Gateway access token (also called authentication key) | Token expires every 30 days at maximum and must be renewed in the containers<br/><br/>Backed by a gateway key that can be rotated independently (for example, to revoke access) <br/><br/>Regenerating gateway key invalidates all access tokens created with it | ### Connectivity failures
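Review bot: In the new "Microsoft Entra authentication" row, "Configure longer expiry times for secrets in accordance with your organization's policies" reads as advice to lengthen secret lifetimes, which is not the point the comparison with the 30-day gateway token is making; suggest "Secret expiry is configurable according to your organization's policies" so the consideration is flexibility rather than longer lifetimes. The row also mentions rotating secrets but not the certificate credential that the settings reference on this page lists (`config.service.auth.azureAd.certificatePath`); worth a mention here, since it lets the gateway authenticate without a client secret at all.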
api-management Self Hosted Gateway Settings Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-settings-reference.md
Here is an overview of all configuration options:
| Name | Description | Required | Default | Availability | |-||-|-|-|
-| gateway.name | Id of the self-hosted gateway resource. | Yes, when using Azure AD authentication | N/A | v2.3+ |
+| gateway.name | Id of the self-hosted gateway resource. | Yes, when using Microsoft Entra authentication | N/A | v2.3+ |
| config.service.endpoint | Configuration endpoint in Azure API Management for the self-hosted gateway. Find this value in the Azure portal under **Gateways** > **Deployment**. | Yes | N/A | v2.0+ |
-| config.service.auth | Defines how the self-hosted gateway should authenticate to the Configuration API. Currently gateway token and Azure AD authentication are supported. | Yes | N/A | v2.0+ |
-| config.service.auth.azureAd.tenantId | ID of the Azure AD tenant. | Yes, when using Azure AD authentication | N/A | v2.3+ |
-| config.service.auth.azureAd.clientId | Client ID of the Azure AD app to authenticate with (also known as application ID). | Yes, when using Azure AD authentication | N/A | v2.3+ |
-| config.service.auth.azureAd.clientSecret | Secret of the Azure AD app to authenticate with. | Yes, when using Azure AD authentication (unless certificate is specified) | N/A | v2.3+ |
-| config.service.auth.azureAd.certificatePath | Path to certificate to authenticate with for the Azure AD app. | Yes, when using Azure AD authentication (unless secret is specified) | N/A | v2.3+ |
-| config.service.auth.azureAd.authority | Authority URL of Azure AD. | No | `https://login.microsoftonline.com` | v2.3+ |
-| config.service.auth.tokenAudience | Audience of token used for Azure AD authentication | No | `https://azure-api.net/configuration` | v2.3+ |
+| config.service.auth | Defines how the self-hosted gateway should authenticate to the Configuration API. Currently gateway token and Microsoft Entra authentication are supported. | Yes | N/A | v2.0+ |
+| config.service.auth.azureAd.tenantId | ID of the Microsoft Entra tenant. | Yes, when using Microsoft Entra authentication | N/A | v2.3+ |
+| config.service.auth.azureAd.clientId | Client ID of the Microsoft Entra app to authenticate with (also known as application ID). | Yes, when using Microsoft Entra authentication | N/A | v2.3+ |
+| config.service.auth.azureAd.clientSecret | Secret of the Microsoft Entra app to authenticate with. | Yes, when using Microsoft Entra authentication (unless certificate is specified) | N/A | v2.3+ |
+| config.service.auth.azureAd.certificatePath | Path to certificate to authenticate with for the Microsoft Entra app. | Yes, when using Microsoft Entra authentication (unless secret is specified) | N/A | v2.3+ |
+| config.service.auth.azureAd.authority | Authority URL of Microsoft Entra ID. | No | `https://login.microsoftonline.com` | v2.3+ |
+| config.service.auth.tokenAudience | Audience of token used for Microsoft Entra authentication | No | `https://azure-api.net/configuration` | v2.3+ |
| config.service.endpoint.disableCertificateValidation | Defines if the self-hosted gateway should validate the server-side certificate of the Configuration API. It is recommended to use certificate validation, only disable for testing purposes and with caution as it can introduce security risk. | No | `false` | v2.0+ | | config.service.integration.timeout | Defines the timeout for interacting with the Configuration API. | No | `00:01:40` | v2.3.5+ |
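Review bot: The renamed rows correctly keep the `config.service.auth.azureAd.*` key names (they are identifiers, not prose), but a reader searching the table for "Entra" settings may not connect them; suggest a one-line remark above the table that the `azureAd` key prefix is unchanged after the rename. The `clientSecret` and `certificatePath` rows each say "Yes ... unless" the other is specified, which is clear; a note that `certificatePath` is the preferred option where a certificate can be provisioned would help readers choose.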
The self-hosted gateway provides support for a few authentication options to int
This guidance helps you provide the required information to define how to authenticate: - For gateway token-based authentication, specify an access token (authentication key) of the self-hosted gateway in the Azure portal under **Gateways** > **Deployment**.-- For Azure AD-based authentication, specify `azureAdApp` and provide the additional `config.service.auth.azureAd` authentication settings.
+- For Microsoft Entra ID-based authentication, specify `azureAdApp` and provide the additional `config.service.auth.azureAd` authentication settings.
## Cross-instance discovery & synchronization
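Review bot: The new bullet says "specify `azureAdApp`" without naming the setting it is a value of; from the table above it is the value of `config.service.auth`, so suggest "set `config.service.auth` to `azureAdApp` and provide the additional `config.service.auth.azureAd.*` settings". Also "Microsoft Entra ID-based authentication" here versus "Microsoft Entra authentication" in the table rows; pick one form.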
api-management Self Hosted Gateway Support Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-support-policies.md
The following table shows Microsoft's responsibilities, shared responsibilities,
|Microsoft Azure |Shared responsibilities |Customers | ||||
-|▪️ **Configuration endpoint (management plane)** - The self-hosted gateway depends on a configuration endpoint that provides the configuration, APIs, hostnames, and policy information. This configuration endpoint is part of the management plane of every API Management service.<br/><br/>▪️ **Gateway container image maintenance and updates** - Bug fixes, patches, performance improvements, and new features in the self-hosted gateway [container image](self-hosted-gateway-overview.md#packaging). |▪ **Securing self-hosted gateway communication with configuration endpoint** - The communication between the self-hosted gateway and the configuration endpoint can be secured by two mechanisms: either an access token that expires automatically every 30 days and needs to be updated for the running containers; or authentication with Azure Active Directory, which doesn't require token refresh.<br/><br/> ▪ **Keeping the gateway up to date** - The customer oversees regularly updating the gateway to the latest version and latest features. And Microsoft will provide updated images with new features, bug fixes, and patches. | ▪ **Gateway hosting** - Deploying and operating the gateway infrastructure: virtual machines with container runtime and/or Kubernetes cluster.<br/><br/>▪ **Network configuration** - Necessary to maintain management plane connectivity and API access.<br/><br/> ▪ **Gateway SLA** - Capacity management, scaling, and uptime.<br/><br/> ▪ **Providing diagnostics data to support** - Collecting and sharing diagnostics data with support engineers.<br/><br/>▪ **Third party OSS (open-source software) software components** - Combining the self-hosted gateway with other software like Prometheus, Grafana, service meshes, container runtimes, Kubernetes distributions, and proxies are the customer's responsibility. |
+|▪️ **Configuration endpoint (management plane)** - The self-hosted gateway depends on a configuration endpoint that provides the configuration, APIs, hostnames, and policy information. This configuration endpoint is part of the management plane of every API Management service.<br/><br/>▪️ **Gateway container image maintenance and updates** - Bug fixes, patches, performance improvements, and new features in the self-hosted gateway [container image](self-hosted-gateway-overview.md#packaging). |▪ **Securing self-hosted gateway communication with configuration endpoint** - The communication between the self-hosted gateway and the configuration endpoint can be secured by two mechanisms: either an access token that expires automatically every 30 days and needs to be updated for the running containers; or authentication with Microsoft Entra ID, which doesn't require token refresh.<br/><br/> ▪ **Keeping the gateway up to date** - The customer oversees regularly updating the gateway to the latest version and latest features. And Microsoft will provide updated images with new features, bug fixes, and patches. | ▪ **Gateway hosting** - Deploying and operating the gateway infrastructure: virtual machines with container runtime and/or Kubernetes cluster.<br/><br/>▪ **Network configuration** - Necessary to maintain management plane connectivity and API access.<br/><br/> ▪ **Gateway SLA** - Capacity management, scaling, and uptime.<br/><br/> ▪ **Providing diagnostics data to support** - Collecting and sharing diagnostics data with support engineers.<br/><br/>▪ **Third party OSS (open-source software) software components** - Combining the self-hosted gateway with other software like Prometheus, Grafana, service meshes, container runtimes, Kubernetes distributions, and proxies are the customer's responsibility. |
## Self-hosted gateway container image support coverage
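Review bot: Grammar carried from the old line into the new one, in the Customers column: "Combining the self-hosted gateway with other software ... are the customer's responsibility" should be "is the customer's responsibility", and "The customer oversees regularly updating the gateway" reads more naturally as "The customer is responsible for regularly updating the gateway". The renamed sentence in the shared column, "authentication with Microsoft Entra ID, which doesn't require token refresh", still states the distinction from the 30-day access token correctly.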
api-management Soft Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/soft-delete.md
You **can't** reuse the name of an API Management instance in a new deployment:
* While the instance is soft-deleted.
-* In a subscription other than the one used to deploy the original instance, even after the original instance has been permanently deleted (purged) from Azure. This restriction applies whether the new subscription used is in the same or a different Azure Active Directory tenant. The restriction is in effect for several days or longer after deletion, depending on the subscription type.
+* In a subscription other than the one used to deploy the original instance, even after the original instance has been permanently deleted (purged) from Azure. This restriction applies whether the new subscription used is in the same or a different Microsoft Entra tenant. The restriction is in effect for several days or longer after deletion, depending on the subscription type.
- This restriction is because Azure reserves the service host name to a customer's tenant for a reservation period to prevent the threat of subdomain takeover with dangling DNS entries. For more information, see [Prevent dangling DNS entries and avoid subdomain takeover](/azure/security/fundamentals/subdomain-takeover). To see all dangling DNS entries for subscriptions in an Azure AD tenant, see [Identify dangling DNS entries](/azure/security/fundamentals/subdomain-takeover#identify-dangling-dns-entries).
+ This restriction is because Azure reserves the service host name to a customer's tenant for a reservation period to prevent the threat of subdomain takeover with dangling DNS entries. For more information, see [Prevent dangling DNS entries and avoid subdomain takeover](/azure/security/fundamentals/subdomain-takeover). To see all dangling DNS entries for subscriptions in a Microsoft Entra tenant, see [Identify dangling DNS entries](/azure/security/fundamentals/subdomain-takeover#identify-dangling-dns-entries).
## Next steps
api-management Sql Data Source Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/sql-data-source-policy.md
The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request
|Element|Description|Required| |-|--|--|
-| [connection-string](#connection-string-attributes) | Specifies the Azure SQL connection string. The connection string uses either SQL authentication (username and password) or Azure AD authentication if an API Management managed identity is configured. | Yes |
+| [connection-string](#connection-string-attributes) | Specifies the Azure SQL connection string. The connection string uses either SQL authentication (username and password) or Microsoft Entra authentication if an API Management managed identity is configured. | Yes |
| [include-fragment](include-fragment-policy.md) | Inserts a policy fragment in the policy definition. If there are multiple fragments, then add additional `include-fragment` elements. | No | | [authentication-certificate](authentication-certificate-policy.md) | Authenticates using a client certificate in the resolver's SQL request. | No |
The `sql-data-source` resolver policy configures a Transact-SQL (T-SQL) request
## Configure managed identity integration with Azure SQL
-You can configure an API Management system-assigned managed identity for access to Azure SQL instead of configuring SQL authentication with username and password. For background, see [Configure and manage Azure AD authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure).
+You can configure an API Management system-assigned managed identity for access to Azure SQL instead of configuring SQL authentication with username and password. For background, see [Configure and manage Microsoft Entra authentication with Azure SQL](/azure/azure-sql/database/authentication-aad-configure).
### Prerequisites * Enable a system-assigned [managed identity](api-management-howto-use-managed-service-identity.md) in your API Management instance.
-### Enable Azure AD access
+<a name='enable-azure-ad-access'></a>
-Enable Azure Active Directory authentication to SQL Database by assigning an Azure AD user as the admin of the server.
+### Enable Microsoft Entra ID access
+
+Enable Microsoft Entra authentication to SQL Database by assigning a Microsoft Entra user as the admin of the server.
1. In the [portal](https://portal.azure.com), go to your Azure SQL server.
-1. Select **Azure Active Directory**.
+1. Select **Microsoft Entra ID**.
1. Select **Set admin** and select yourself or a group to which you belong. 1. Select **Save**.
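Review bot: Heading and body disagree after the rename: the new heading reads "Enable Microsoft Entra ID access" while the body sentence says "Enable Microsoft Entra authentication to SQL Database" and the rest of this change set uses "Microsoft Entra authentication"; align the heading with the body. Keeping the `<a name='enable-azure-ad-access'></a>` anchor above the renamed heading is right, since it preserves existing deep links to the old heading slug.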
The following example resolves a GraphQL mutation using a T-SQL INSERT statement
* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)
api-management Validate Azure Ad Token Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-azure-ad-token-policy.md
Last updated 12/08/2022
-# Validate Azure Active Directory token
+# Validate Microsoft Entra token
-The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Azure Active Directory service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.
+The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.
> [!NOTE] > To validate a JWT that was provided by another identity provider, API Management also provides the generic [`validate-jwt`](validate-jwt-policy.md) policy.
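Review bot: "provided by the Microsoft Entra service" in the new first paragraph is awkward: the token issuer is the Microsoft Entra ID service, so "provided by Microsoft Entra ID" matches the wording used elsewhere in this change set (for example "For Microsoft Entra ID use the OpenID Connect metadata endpoint" in the validate-jwt reference). The same "Microsoft Entra service" phrasing appears in the NOTE of the validate-jwt article further down.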
The `validate-azure-ad-token` policy enforces the existence and validity of a JS
| Attribute | Description | Required | Default | | - | | -- | |
-| tenant-id | Tenant ID or URL of the Azure Active Directory service. Policy expressons are allowed.| Yes | N/A |
+| tenant-id | Tenant ID or URL of the Microsoft Entra service. Policy expressons are allowed.| Yes | N/A |
| header-name | The name of the HTTP header holding the token. Policy expressions are allowed. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | `Authorization` | | query-parameter-name | The name of the query parameter holding the token. Policy expressions are allowed. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A | | token-value | Expression returning a string containing the token. You must not return `Bearer` as part of the token value. Policy expressions are allowed. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |
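Review bot: Typo carried into the new `tenant-id` row: "Policy expressons are allowed" should be "Policy expressions are allowed"; the other rows in the table spell it correctly.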
The `validate-azure-ad-token` policy enforces the existence and validity of a JS
### Usage notes
-* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Azure AD authentication by applying the `validate-azure-ad-token` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control.
+* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Microsoft Entra authentication by applying the `validate-azure-ad-token` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control.
* When using a custom header (`header-name`), the header value cannot be prefixed with `Bearer ` and should be removed. ## Examples ### Simple token validation
-The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Azure AD tenant ID and client application ID are provided using named values.
+The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Microsoft Entra tenant ID and client application ID are provided using named values.
```xml <validate-azure-ad-token tenant-id="{{aad-tenant-id}}">
The following policy is the minimal form of the `validate-azure-ad-token` policy
### Validate that audience and claim are correct
-The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The hostname is provided using a policy expression, and the Azure AD tenant ID and client application ID are provided using named values. The decoded JWT is provided in the `jwt` variable after validation.
+The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The hostname is provided using a policy expression, and the Microsoft Entra tenant ID and client application ID are provided using named values. The decoded JWT is provided in the `jwt` variable after validation.
For more details on optional claims, read [Provide optional claims to your app](../active-directory/develop/active-directory-optional-claims.md).
For more details on optional claims, read [Provide optional claims to your app](
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]-
api-management Validate Jwt Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/validate-jwt-policy.md
The `validate-jwt` policy enforces existence and validity of a supported JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value. > [!NOTE]
-> To validate a JWT that was provided by the Azure Active Directory service, API Management also provides the [`validate-azure-ad-token`](validate-azure-ad-token-policy.md) policy.
+> To validate a JWT that was provided by the Microsoft Entra service, API Management also provides the [`validate-azure-ad-token`](validate-azure-ad-token-policy.md) policy.
[!INCLUDE [api-management-policy-form-alert](../../includes/api-management-policy-form-alert.md)]
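Review bot: Same wording issue as in the validate-azure-ad-token intro: "a JWT that was provided by the Microsoft Entra service" should be "provided by Microsoft Entra ID", naming the issuing service rather than the product family.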
The `validate-jwt` policy enforces existence and validity of a supported JSON we
| Element | Description | Required | | - | -- | -- |
-| openid-config |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice. <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Azure Active Directory use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- (v2) `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/> - (v2 multitenant) ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- (v1) `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/><br/> substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. | No |
+| openid-config |Add one or more of these elements to specify a compliant OpenID configuration endpoint URL from which signing keys and issuer can be obtained.<br/><br/>Configuration including the JSON Web Key Set (JWKS) is pulled from the endpoint every 1 hour and cached. If the token being validated references a validation key (using `kid` claim) that is missing in cached configuration, or if retrieval fails, API Management pulls from the endpoint at most once per 5 min. These intervals are subject to change without notice. <br/><br/>The response should be according to specs as defined at URL: `https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata`. <br/><br/>For Microsoft Entra ID use the OpenID Connect [metadata endpoint](../active-directory/develop/v2-protocols-oidc.md#find-your-apps-openid-configuration-document-uri) configured in your app registration such as:<br/>- (v2) `https://login.microsoftonline.com/{tenant-name}/v2.0/.well-known/openid-configuration`<br/> - (v2 multitenant) ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration`<br/>- (v1) `https://login.microsoftonline.com/{tenant-name}/.well-known/openid-configuration` <br/><br/> substituting your directory tenant name or ID, for example `contoso.onmicrosoft.com`, for `{tenant-name}`. | No |
| issuer-signing-keys | A list of Base64-encoded security keys, in [`key`](#key-attributes) subelements, used to validate signed tokens. If multiple security keys are present, then each key is tried until either all are exhausted (in which case validation fails) or one succeeds (useful for token rollover). <br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To validate an RS256 signed token, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management, or the RSA modulus `n` and exponent `e` pair of the RS256 signing key-in Base64url-encoded format. | No | | decryption-keys | A list of Base64-encoded keys, in [`key`](#key-attributes) subelements, used to decrypt the tokens. If multiple security keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/>Optionally specify a key by using the `id` attribute to match a `kid` claim. To decrypt an RS256 signed token, optionally specify the public key using a `certificate-id` attribute with value the identifier of a certificate uploaded to API Management. | No | | audiences | A list of acceptable audience claims, in `audience` subelements, that can be present on the token. If multiple audience values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. At least one audience must be specified. | No |
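Review bot: Formatting defect carried into the new `openid-config` row: the v2 multitenant URL has a leading space inside the code span, `` ` https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration` ``, which renders as a space and breaks copy-paste; drop the space. The `{tenant-name}` substitution note for the single-tenant v1 and v2 endpoints is fine as written.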
The `validate-jwt` policy enforces existence and validity of a supported JSON we
* **RS256** - the key may be provided either via an OpenID configuration endpoint, or by providing the ID of an uploaded certificate (in PFX format) that contains the public key, or the modulus-exponent pair of the public key. * The policy supports tokens encrypted with symmetric keys using the following encryption algorithms: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512. * To configure the policy with one or more OpenID configuration endpoints for use with a self-hosted gateway, the OpenID configuration endpoints URLs must also be reachable by the cloud gateway.
-* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Azure AD authentication by applying the `validate-jwt` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control.
+* You can use access restriction policies in different scopes for different purposes. For example, you can secure the whole API with Microsoft Entra authentication by applying the `validate-jwt` policy on the API level, or you can apply it on the API operation level and use `claims` for more granular control.
* When using a custom header (`header-name`), the header value cannot be prefixed with `Bearer ` and should be removed.
The `validate-jwt` policy enforces existence and validity of a supported JSON we
</validate-jwt> ```
-### Azure Active Directory token validation
+<a name='azure-active-directory-token-validation'></a>
+
+### Microsoft Entra token validation
```xml <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
api-management Virtual Network Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-reference.md
When an API Management service instance is hosted in a VNet, the ports in the fo
| * / [80], 443 | Inbound | TCP | Internet / VirtualNetwork | **Client communication to API Management** | External only | | * / 3443 | Inbound | TCP | ApiManagement / VirtualNetwork | **Management endpoint for Azure portal and PowerShell** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / Storage | **Dependency on Azure Storage** | External & Internal |
-| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |
+| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Microsoft Entra ID](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |
| * / 443 | Outbound | TCP | VirtualNetwork / AzureConnectors | [Authorizations](authorizations-overview.md) dependency (optional) | External & Internal | | * / 1433 | Outbound | TCP | VirtualNetwork / Sql | **Access to Azure SQL endpoints** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / AzureKeyVault | **Access to Azure Key Vault** | External & Internal |
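Review bot: The service tag in the renamed row stays `AzureActiveDirectory` while the link text becomes "Microsoft Entra ID"; that is correct, since the service tag is an NSG identifier that has not been renamed, but a reader applying the rename mechanically could "fix" the tag and break the rule. Suggest a footnote or parenthetical stating that the `AzureActiveDirectory` service tag name is unchanged. The same row appears again in the second table below.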
When an API Management service instance is hosted in a VNet, the ports in the fo
| * / [80], 443 | Inbound | TCP | Internet / VirtualNetwork | **Client communication to API Management** | External only | | * / 3443 | Inbound | TCP | ApiManagement / VirtualNetwork | **Management endpoint for Azure portal and PowerShell** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / Storage | **Dependency on Azure Storage** | External & Internal |
-| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |
+| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Microsoft Entra ID](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |
| * / 443 | Outbound | TCP | VirtualNetwork / AzureKeyVault | Access to Azure Key Vault for [named values](api-management-howto-properties.md) integration (optional) | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / AzureConnectors | [Authorizations](authorizations-overview.md) dependency (optional) | External & Internal | | * / 1433 | Outbound | TCP | VirtualNetwork / Sql | **Access to Azure SQL endpoints** | External & Internal |
To enable TLS/SSL certificate chain building and validation, the API Management
Outbound access on port `53` is required for communication with DNS servers. If a custom DNS server exists on the other end of a VPN gateway, the DNS server must be reachable from the subnet hosting API Management.
-## Azure Active Directory integration
+<a name='azure-active-directory-integration'></a>
-To operate properly, the API Management service needs outbound connectivity on port 443 to the following endpoints associated with Azure Active Directory: `<region>.login.microsoft.com` and `login.microsoftonline.com`.
+## Microsoft Entra integration
+
+To operate properly, the API Management service needs outbound connectivity on port 443 to the following endpoints associated with Microsoft Entra ID: `<region>.login.microsoft.com` and `login.microsoftonline.com`.
## Metrics and health monitoring
api-management Visualize Using Managed Grafana Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/visualize-using-managed-grafana-dashboard.md
You can use [Azure Managed Grafana](../managed-grafana/index.yml) to visualize A
* The Managed Grafana instance must be in the same subscription as the API Management instance.
- * When created, the Grafana workspace is automatically assigned an Azure Active Directory managed identity, which is assigned the Monitor Reader role on the subscription. This gives you immediate access to Azure Monitor from the new Grafana workspace without needing to set permissions manually. Learn more about [configuring data sources](../managed-grafan) for Managed Grafana.
+ * When created, the Grafana workspace is automatically assigned a Microsoft Entra managed identity, which is assigned the Monitor Reader role on the subscription. This gives you immediate access to Azure Monitor from the new Grafana workspace without needing to set permissions manually. Learn more about [configuring data sources](../managed-grafan) for Managed Grafana.
## Import API Management dashboard
Review the default visualizations on the dashboard, which will appear similar to
* For more information about managing your Grafana dashboard, see the [Grafana docs](https://grafana.com/docs/grafana/v9.0/dashboards/). * Easily pin log queries and charts from the Azure portal to your Managed Grafana dashboard. For more information, see [Monitor your Azure services in Grafana](../azure-monitor/visualize/grafana-plugin.md#pin-charts-from-the-azure-portal-to-azure-managed-grafana).----
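Review bot: the relative link target `../managed-grafan` in the "configuring data sources" sentence reads as truncated, and the rename to "Microsoft Entra managed identity" carried it over unchanged; before merging, confirm that the link resolves to the intended Managed Grafana article, since a rename commit is the natural place to catch a dead link in the same line.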
api-management Workspaces Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/workspaces-overview.md
Azure RBAC is used to configure workspace collaborators' permissions to read and
Workspace members must be assigned both a service-scoped role and a workspace-scoped role, or granted equivalent permissions using custom roles. The service-scoped role enables referencing service-level resources from workspace-level resources. For example, publish an API from a workspace with a service-level product, assign a service-level tag to an API, or organize a user into a workspace-level group to control API and product visibility. > [!NOTE]
-> For easier management, set up Azure AD groups to assign workspace permissions to multiple users.
+> For easier management, set up Microsoft Entra groups to assign workspace permissions to multiple users.
> ## Workspaces and other API Management features
All resources in an API Management service need to have unique names, even if th
## Next steps
-* [Create a workspace](how-to-create-workspace.md)
+* [Create a workspace](how-to-create-workspace.md)
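Review bot: the removed and added `* [Create a workspace](how-to-create-workspace.md)` lines are textually identical, so this hunk is a whitespace-only change (most likely a trailing newline or trailing space). That is harmless, but it is unrelated to the Azure AD to Microsoft Entra rename in the hunk above; either note it in the commit message or keep it out of the rename commit so the diff stays reviewable.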
app-service Configure Authentication Api Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-api-version.md
There are two versions of the management API for App Service authentication. The
> [!WARNING] > Migration to V2 will disable management of the App Service Authentication/Authorization feature for your application through some clients, such as its existing experience in the Azure portal, Azure CLI, and Azure PowerShell. This cannot be reversed.
-The V2 API doesn't support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it uses the converged [Microsoft identity platform](../active-directory/develop/v2-overview.md) to sign-in users with both Azure AD and personal Microsoft accounts. When switching to the V2 API, the V1 Azure Active Directory (Azure AD) configuration is used to configure the Microsoft identity platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but you should move to the newer Microsoft Identity Platform model. See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more.
+The V2 API doesn't support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it uses the converged [Microsoft identity platform](../active-directory/develop/v2-overview.md) to sign-in users with both Microsoft Entra ID and personal Microsoft accounts. When switching to the V2 API, the V1 Microsoft Entra configuration is used to configure the Microsoft identity platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but you should move to the newer Microsoft identity platform model. See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more.
The automated migration process will move provider secrets into application settings and then convert the rest of the configuration into the new format. To use the automatic migration:
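Review bot: "to sign-in users" in the rewritten paragraph uses the noun form where a verb is needed; both the old and new line have it, and the rename pass is a good moment to fix it to "to sign in users" (the hyphenated "sign-in" is correct only as a noun or adjective, as in "the sign-in flow"). The rest of the hunk is a straight rename and the "Microsoft identity platform" casing is now consistent with the link text.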
The following steps will allow you to manually migrate the application to the V2
In the resulting JSON payload, make note of the secret value used for each provider you've configured:
- * Azure AD: `clientSecret`
+ * Microsoft Entra ID: `clientSecret`
* Google: `googleClientSecret` * Facebook: `facebookAppSecret` * Twitter: `twitterConsumerSecret`
The following steps will allow you to manually migrate the application to the V2
1. Add a property to `authsettings.json` that points to the application setting name you created earlier for each provider:
- * Azure AD: `clientSecretSettingName`
+ * Microsoft Entra ID: `clientSecretSettingName`
* Google: `googleClientSecretSettingName` * Facebook: `facebookAppSecretSettingName` * Twitter: `twitterConsumerSecretSettingName` * Microsoft Account: `microsoftAccountClientSecretSettingName`
- An example file after this operation might look similar to the following, in this case only configured for Azure AD:
+ An example file after this operation might look similar to the following, in this case only configured for Microsoft Entra ID:
```json {
You've now migrated the app to store identity provider secrets as application se
#### Support for Microsoft Account provider registrations
-If your existing configuration contains a Microsoft Account provider and doesn't contain an Azure AD provider, you can switch the configuration over to the Azure AD provider and then perform the migration. To do this:
+If your existing configuration contains a Microsoft Account provider and doesn't contain a Microsoft Entra provider, you can switch the configuration over to the Microsoft Entra provider and then perform the migration. To do this:
1. Go to [**App registrations**](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal and find the registration associated with your Microsoft Account provider. It may be under the "Applications from personal account" heading. 1. Navigate to the "Authentication" page for the registration. Under "Redirect URIs", you should see an entry ending in `/.auth/login/microsoftaccount/callback`. Copy this URI. 1. Add a new URI that matches the one you just copied, except instead have it end in `/.auth/login/aad/callback`. This will allow the registration to be used by the App Service Authentication / Authorization configuration. 1. Navigate to the App Service Authentication / Authorization configuration for your app. 1. Collect the configuration for the Microsoft Account provider.
-1. Configure the Azure AD provider using the "Advanced" management mode, supplying the client ID and client secret values you collected in the previous step. For the Issuer URL, use Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with your **Directory (tenant) ID**.
+1. Configure the Microsoft Entra provider using the "Advanced" management mode, supplying the client ID and client secret values you collected in the previous step. For the Issuer URL, use Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Azure), also replacing *\<tenant-id>* with your **Directory (tenant) ID**.
1. Once you've saved the configuration, test the login flow by navigating in your browser to the `/.auth/login/aad` endpoint on your site and complete the sign-in flow.
-1. At this point, you've successfully copied the configuration over, but the existing Microsoft Account provider configuration remains. Before you remove it, make sure that all parts of your app reference the Azure AD provider through login links, etc. Verify that all parts of your app work as expected.
-1. Once you've validated that things work against the Azure AD provider, you may remove the Microsoft Account provider configuration.
+1. At this point, you've successfully copied the configuration over, but the existing Microsoft Account provider configuration remains. Before you remove it, make sure that all parts of your app reference the Microsoft Entra provider through login links, etc. Verify that all parts of your app work as expected.
+1. Once you've validated that things work against the Microsoft Entra provider, you may remove the Microsoft Account provider configuration.
> [!WARNING]
-> It is possible to converge the two registrations by modifying the [supported account types](../active-directory/develop/supported-accounts-validation.md) for the Azure AD app registration. However, this would force a new consent prompt for Microsoft Account users, and those users' identity claims may be different in structure, `sub` notably changing values since a new App ID is being used. This approach is not recommended unless thoroughly understood. You should instead wait for support for the two registrations in the V2 API surface.
+> It is possible to converge the two registrations by modifying the [supported account types](../active-directory/develop/supported-accounts-validation.md) for the Microsoft Entra app registration. However, this would force a new consent prompt for Microsoft Account users, and those users' identity claims may be different in structure, `sub` notably changing values since a new App ID is being used. This approach is not recommended unless thoroughly understood. You should instead wait for support for the two registrations in the V2 API surface.
#### Switching to V2
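Review bot: the duplicated word in "For the Issuer URL, use Use `<authentication-endpoint>/<tenant-id>/v2.0`" in the "Configure the Microsoft Entra provider" step survives the rename unchanged; suggest "For the Issuer URL, use `<authentication-endpoint>/<tenant-id>/v2.0`". In the same step, the link fragment `#azure-ad-authentication-endpoints` points at a heading in the national-cloud article that may itself have been renamed in the Entra pass, so verify the anchor still resolves; a broken issuer-endpoint reference here would send readers configuring the provider to the wrong place.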
app-service Configure Authentication Customize Sign In Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-authentication-customize-sign-in-out.md
Users can initiate a sign-out by sending a `GET` request to the app's `/.auth/lo
- Clears authentication cookies from the current session. - Deletes the current user's tokens from the token store.-- For Azure Active Directory and Google, performs a server-side sign-out on the identity provider.
+- For Microsoft Entra ID and Google, performs a server-side sign-out on the identity provider.
Here&#