Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory | Inbound Provisioning Api Configure App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md | If you're configuring inbound user provisioning to on-premises Active Directory, 3. Click on **New application** to create a new provisioning application. [![Screenshot of Microsoft Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox) 4. Enter **API-driven** in the search field, then select the application for your setup:- * **API-driven Inbound User Provisioning to On-Premises AD**: Select this app if you're provisioning hybrid identities (identities that need both on-premises AD and Microsoft Entra account) from your system of record. Once these accounts are provisioned in on-premises AD, they are automatically synchronized to your Microsoft Entra tenant using Microsoft Entra Connect or Cloud Sync. + * **API-driven Inbound User Provisioning to On-Premises AD**: Select this app if you're provisioning hybrid identities (identities that need both on-premises AD and Microsoft Entra account) from your system of record. Once these accounts are provisioned in on-premises AD, they are automatically synchronized to your Microsoft Entra tenant using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. * **API-driven Inbound User Provisioning to Microsoft Entra ID**: Select this app if you're provisioning cloud-only identities (identities that don't require on-premises AD accounts and only need Microsoft Entra account) from your system of record. [![Screenshot of API-driven provisioning apps.](media/inbound-provisioning-api-configure-app/api-driven-inbound-provisioning-apps.png)](media/inbound-provisioning-api-configure-app/api-driven-inbound-provisioning-apps.png#lightbox) |
active-directory | On Premises Application Provisioning Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md | You can define one or more matching attribute(s) and prioritize them based on th ## Agent best practices-- Using the same agent for the on-premises provisioning feature along with Workday / SuccessFactors / Microsoft Entra Connect Cloud Sync is currently unsupported. We are actively working to support on-premises provisioning on the same agent as the other provisioning scenarios.+- Using the same agent for the on-premises provisioning feature along with Workday / SuccessFactors / Microsoft Entra Connect cloud sync is currently unsupported. We are actively working to support on-premises provisioning on the same agent as the other provisioning scenarios. - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by: - Reducing the distance between the two ends of the hop. You can also check whether all the required ports are open. - Microsoft Entra Connect Provisioning Agent Package ## Provisioning agent history-This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning. +This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and cloud sync / HR-driven provisioning. Microsoft provides direct support for the latest agent version and one version before. |
active-directory | On Premises Powershell Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-powershell-connector.md | The connector provides a bridge between the capabilities of the ECMA Connector H If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).-1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud Sync** > **Agents**. +1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud sync** > **Agents**. :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png"::: 1. Select **Download on-premises agent**, review the terms of service, then select **Accept terms & download**. > [!NOTE]- > Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. + > Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect cloud sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. 1. Open the provisioning agent installer, agree to the terms of service, and select **next**. 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable. |
active-directory | On Premises Scim Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md | The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).-1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud Sync** > **Agents**. +1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud sync** > **Agents**. :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png"::: 1. Select **Download on-premises agent**, and select **Accept terms & download**. >[!NOTE]- >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. + >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect cloud sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. 1. Open the provisioning agent installer, agree to the terms of service, and select **next**. 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable. |
active-directory | User Provisioning Sync Attributes For Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md | Get-AzureADUser -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 | Select -ExpandP Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to autodiscover these attributes and set up a corresponding mapping to Microsoft Entra ID. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).-1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud Sync**. +1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud sync**. 1. Select the configuration you wish to add the extension attribute and mapping. 1. Under **Manage attributes** select **click to edit mappings**. 1. Select **Add attribute mapping**. The attributes will automatically be discovered. Cloud sync will automatically discover your extensions in on-premises Active Dir [![Custom attribute mapping](media/user-provisioning-sync-attributes-for-mapping/schema-1.png)](media/user-provisioning-sync-attributes-for-mapping/schema-1.png#lightbox) -For more information, see [Cloud Sync Custom Attribute Mapping](../hybrid/cloud-sync/custom-attribute-mapping.md) ----+For more information, see [Custom attribute mapping in Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/custom-attribute-mapping.md) <a name='create-an-extension-attribute-using-azure-ad-connect'></a> |
active-directory | 10 Secure Local Guest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/10-secure-local-guest.md | We recommend that external-facing applications have single-sign on (SSO) and pro ## Identify local guest accounts -Identify the accounts to be migrated to Microsoft Entra B2B. External identities in Active Directory are identifiable with an attribute-value pair. For example, making ExtensionAttribute15 = `External` for external users. If these users are set up with Microsoft Entra Connect or Cloud Sync, configure synced external users to have the `UserType` attributes set to `Guest`. If the users are set up as cloud-only accounts, you can modify user attributes. Primarily, identify users to convert to B2B. +Identify the accounts to be migrated to Microsoft Entra B2B. External identities in Active Directory are identifiable with an attribute-value pair. For example, making ExtensionAttribute15 = `External` for external users. If these users are set up with Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync, configure synced external users to have the `UserType` attributes set to `Guest`. If the users are set up as cloud-only accounts, you can modify user attributes. Primarily, identify users to convert to B2B. ## Map local guest accounts to external identities |
active-directory | Automate Provisioning To Applications Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/automate-provisioning-to-applications-introduction.md | In this example, the organization has a mix of cloud and on-premises infrastruct 1. The Microsoft Entra provisioning service imports the user from Workday and creates an account in AD DS, enabling the user to access AD-integrated applications. -2. Microsoft Entra Connect Cloud Sync provisions the user into Microsoft Entra ID, which enables the user to access SharePoint Online and their OneDrive files. +2. Microsoft Entra Connect cloud sync provisions the user into Microsoft Entra ID, which enables the user to access SharePoint Online and their OneDrive files. 3. The Microsoft Entra provisioning service detects a new account was created in Microsoft Entra ID. It then creates accounts in the SaaS and on-premises applications the user needs access to. |
active-directory | Automate Provisioning To Applications Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/automate-provisioning-to-applications-solutions.md | As customers transition identity management to the cloud, more users and groups |No.| What | From | To | Technology | | - | - | - | - | - |-| 1 |Users, groups| AD DS| Microsoft Entra ID| [Microsoft Entra Connect Cloud Sync](../hybrid/cloud-sync/what-is-cloud-sync.md) | +| 1 |Users, groups| AD DS| Microsoft Entra ID| [Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md) | | 2 |Users, groups, devices| AD DS| Microsoft Entra ID| [Microsoft Entra Connect Sync](../hybrid/connect/whatis-azure-ad-connect.md) | | 3 |Groups| Microsoft Entra ID| AD DS| [Microsoft Entra Connect Sync](../hybrid/connect/how-to-connect-group-writeback-v2.md) | | 4 |Guest accounts| Microsoft Entra ID| AD DS| [MIM](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario), [PowerShell](https://github.com/Azure-Samples/B2B-to-AD-Sync)| Organizations often need a complete audit trail of what users have access to app ### Next steps 1. Automate provisioning with any of your applications that are in the [Microsoft Entra app gallery](../saas-apps/tutorial-list.md), support [SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md), [SQL](../app-provisioning/on-premises-sql-connector-configure.md), or [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md).-2. Evaluate [Microsoft Entra Cloud Sync](../hybrid/cloud-sync/what-is-cloud-sync.md) for synchronization between AD DS and Microsoft Entra ID +2. Evaluate [Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md) for synchronization between AD DS and Microsoft Entra ID 3. Use the [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for complex provisioning scenarios |
active-directory | Security Operations Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-infrastructure.md | Synchronizing identity between your on-premises environment and your cloud envir Logging of Microsoft Entra Connect operations occurs in different ways: -* The Microsoft Entra Connect wizard logs data to \ProgramData\AADConnect . Each time the wizard is invoked, a timestamped trace log file is created. The trace log can be imported into Sentinel or other 3<sup data-htmlnode="">rd</sup> party security information and event management (SIEM) tools for analysis. +* The Microsoft Entra Connect wizard logs data to `\ProgramData\AADConnect`. Each time the wizard is invoked, a timestamped trace log file is created. The trace log can be imported into Sentinel or other 3<sup data-htmlnode="">rd</sup> party security information and event management (SIEM) tools for analysis. * Some operations initiate a PowerShell script to capture logging information. To collect this data, you must make sure script block logging in enabled. |
active-directory | Howto Mfaserver Dir Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-dir-ad.md | To edit attributes, click **Edit** on the Attributes tab. This brings up a wind Synchronization keeps the Azure MFA user database synchronized with the users in Active Directory or another Lightweight Directory Access Protocol (LDAP) directory. The process is similar to importing users manually from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also disables or removes users that were removed from a container, security group, or Active Directory. -The Multi-Factor Auth ADSync service is a Windows service that performs the periodic polling of Active Directory. This is not to be confused with Azure AD Sync or Microsoft Entra Connect. the Multi-Factor Auth ADSync, although built on a similar code base, is specific to the Azure Multi-Factor Authentication Server. It is installed in a Stopped state and is started by the Multi-Factor Auth Server service when configured to run. If you have a multi-server Multi-Factor Auth Server configuration, the Multi-Factor Auth ADSync may only be run on a single server. +The Multi-Factor Auth ADSync service is a Windows service that performs the periodic polling of Active Directory. This is not to be confused with Azure AD Sync or Microsoft Entra Connect. The Multi-Factor Auth ADSync, although built on a similar code base, is specific to the Azure Multi-Factor Authentication Server. It is installed in a Stopped state and is started by the Multi-Factor Auth Server service when configured to run. If you have a multi-server Multi-Factor Auth Server configuration, the Multi-Factor Auth ADSync may only be run on a single server. The Multi-Factor Auth ADSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The Multi-Factor Auth AdSync service is configured to run as LocalSystem by default. Therefore it is simplest to run the service on a domain controller. If you configure the service to always perform a full synchronization, it can run as an account with lesser permissions. This is less efficient, but requires fewer account privileges. |
active-directory | Howto Sspr Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-reporting.md | The following list explains this activity in detail: * **Activity actor**: The user who was throttled from performing additional reset operations. The user can be an end user or an administrator. * **Activity target**: The user who was throttled from performing additional reset operations. The user can be an end user or an administrator. * **Activity status**:- * _Success_: Indicates that a user was throttled from performing any additional resets, attempting any additional authentication methods, or validating any additional phone numbers for the next 24 hours. + - *Success*: Indicates that a user was throttled from performing any additional resets, attempting any additional authentication methods, or validating any additional phone numbers for the next 24 hours. * **Activity status failure reason**: Not applicable. ### Activity type: Change password (self-service) The following list explains this activity in detail: * **Activity actor**: The user who changed their password. The user can be an end user or an administrator. * **Activity target**: The user who changed their password. The user can be an end user or an administrator. * **Activity statuses**:- * _Success_: Indicates that a user successfully changed their password. - * _Failure_: Indicates that a user failed to change their password. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. + - *Success*: Indicates that a user successfully changed their password. + - *Failure*: Indicates that a user failed to change their password. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. * **Activity status failure reason**:- * _FuzzyPolicyViolationInvalidPassword_: The user selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak. + - *FuzzyPolicyViolationInvalidPassword*: The user selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak. ### Activity type: Reset password (by admin) The following list explains this activity in detail: * **Activity actor**: The administrator who performed the password reset on behalf of another end user or administrator. Must be a password administrator, user administrator, or helpdesk administrator. * **Activity target**: The user whose password was reset. The user can be an end user or a different administrator. * **Activity statuses**:- * _Success_: Indicates that an admin successfully reset a user's password. - * _Failure_: Indicates that an admin failed to change a user's password. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. -- **Activity additional details OnPremisesAgent**:- - _None_: Indicates cloud-only reset. - - _AAD Connect_: Indicates password was reset on-premises via Microsoft Entra Connect writeback agent. - - _CloudSync_: Indicates password was reset on-premises via Microsoft Entra CloudSync writeback agent. + - *Success*: Indicates that an admin successfully reset a user's password. + - *Failure*: Indicates that an admin failed to change a user's password. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. +* **Activity additional details OnPremisesAgent**: + - *None*: Indicates cloud-only reset. + - *Microsoft Entra Connect*: Indicates password was reset on-premises via Microsoft Entra Connect writeback agent. + - *CloudSync*: Indicates password was reset on-premises via Microsoft Entra CloudSync writeback agent. ### Activity type: Reset password (self-service) The following list explains this activity in detail: * **Activity actor**: The user who reset their password. The user can be an end user or an administrator. * **Activity target**: The user who reset their password. The user can be an end user or an administrator. * **Activity statuses**:- * _Success_: Indicates that a user successfully reset their own password. - * _Failure_: Indicates that a user failed to reset their own password. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. + - *Success*: Indicates that a user successfully reset their own password. + - *Failure*: Indicates that a user failed to reset their own password. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. * **Activity status failure reason**:- * _FuzzyPolicyViolationInvalidPassword_: The admin selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak. + - *FuzzyPolicyViolationInvalidPassword*: The admin selected a password that was automatically banned because the Microsoft Banned Password Detection capabilities found it to be too common or especially weak. ### Activity type: Self serve password reset flow activity progress The following list explains this activity in detail: * **Activity actor**: The user who performed part of the password reset flow. The user can be an end user or an administrator. * **Activity target**: The user who performed part of the password reset flow. The user can be an end user or an administrator. * **Activity statuses**:- * _Success_: Indicates that a user successfully completed a specific step of the password reset flow. - * _Failure_: Indicates that a specific step of the password reset flow failed. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. + - *Success*: Indicates that a user successfully completed a specific step of the password reset flow. + - *Failure*: Indicates that a specific step of the password reset flow failed. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. * **Activity status reasons**: See the following table for [all the permissible reset activity status reasons](#description-of-the-report-columns). The following list explains this activity in detail: * **Activity actor**: The user who unlocked their account without resetting their password. The user can be an end user or an administrator. * **Activity target**: The user who unlocked their account without resetting their password. The user can be an end user or an administrator. * **Allowed activity statuses**:- * _Success_: Indicates that a user successfully unlocked their own account. - * _Failure_: Indicates that a user failed to unlock their account. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. + - *Success*: Indicates that a user successfully unlocked their own account. + - *Failure*: Indicates that a user failed to unlock their account. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. ### Activity type: User registered for self-service password reset The following list explains this activity in detail: * **Activity actor**: The user who registered for password reset. The user can be an end user or an administrator. * **Activity target**: The user who registered for password reset. The user can be an end user or an administrator. * **Allowed activity statuses**:- * _Success_: Indicates that a user successfully registered for password reset in accordance with the current policy. - * _Failure_: Indicates that a user failed to register for password reset. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. + - *Success*: Indicates that a user successfully registered for password reset in accordance with the current policy. + - *Failure*: Indicates that a user failed to register for password reset. You can select the row to see the **Activity status reason** category to learn more about why the failure occurred. >[!NOTE] >Failure doesn't mean a user is unable to reset their own password. It means that they didn't finish the registration process. If there is unverified data on their account that's correct, such as a phone number that's not validated, even though they have not verified this phone number, they can still use it to reset their password. |
active-directory | Troubleshoot Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-sspr-writeback.md | If you have problems with password writeback for Microsoft Entra Connect, review The most common point of failure is that firewall or proxy ports, or idle timeouts are incorrectly configured. -For Microsoft Entra Connect version *1.1.443.0* and above, *outbound HTTPS* access is required to the following addresses: +For Azure AD Connect version *1.1.443.0* and above, *outbound HTTPS* access is required to the following addresses: * *\*.passwordreset.microsoftonline.com* * *\*.servicebus.windows.net* |
active-directory | Concept Conditional Access Cloud Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md | Because the policy is applied to the Azure management portal and API, services, - Microsoft IoT Central > [!NOTE]-> The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). It does not apply to [Azure AD PowerShell](/powershell/azure/active-directory/overview), which calls the [Microsoft Graph API](/graph/overview). +> The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). It does not apply to [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview), which calls the [Microsoft Graph API](/graph/overview). For more information on how to set up a sample policy for Microsoft Azure Management, see [Conditional Access: Require MFA for Azure management](howto-conditional-access-policy-azure-management.md). For more information about authentication context use in applications, see the f - [Conditional Access: Conditions](concept-conditional-access-conditions.md) - [Conditional Access common policies](concept-conditional-access-policy-common.md) - [Client application dependencies](service-dependencies.md)+ |
active-directory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md | For more information about how to better secure your organization by using autom -### Public Preview - Azure AD cloud sync new user experience +### Public Preview - Azure AD Connect cloud sync new user experience -**Type:** Changed feature -**Service category:** Azure AD Connect Cloud Sync -**Product capability:** Identity Governance +**Type:** Changed feature +**Service category:** Azure AD Connect cloud sync +**Product capability:** Identity Governance -Try out the new guided experience for syncing objects from AD to Azure AD using Azure AD Cloud Sync in Azure portal. With this new experience, Hybrid Identity Administrators can easily determine which sync engine to use for their scenarios and learn more about the various options they have with our sync solutions. With a rich set of tutorials and videos, customers are able to learn everything about Azure AD cloud sync in one single place. +Try out the new guided experience for syncing objects from AD to Azure AD using Azure AD Connect cloud sync in Azure portal. With this new experience, Hybrid Identity Administrators can easily determine which sync engine to use for their scenarios and learn more about the various options they have with our sync solutions. With a rich set of tutorials and videos, customers are able to learn everything about Azure AD Connect cloud sync in one single place. This experience helps administrators walk through the different steps involved in setting up a cloud sync configuration and an intuitive experience to help them easily manage it. Admins can also get insights into their sync configuration by using the "Insights" option, which integrates with Azure Monitor and Workbooks. For more information, see: - [Create a new configuration for Azure AD Connect cloud sync](../hybrid/cloud-sync/how-to-configure.md) - [Attribute mapping in Azure AD Connect cloud sync](../hybrid/cloud-sync/how-to-attribute-mapping.md)-- [Azure AD cloud sync insights workbook](../hybrid/cloud-sync/how-to-cloud-sync-workbook.md)+- [Azure AD Connect cloud sync insights workbook](../hybrid/cloud-sync/how-to-cloud-sync-workbook.md) -### Public Preview - Support for Directory Extensions using Azure AD cloud sync --+### Public Preview - Support for Directory Extensions using Azure AD Connect cloud sync **Type:** New feature **Service category:** Provisioning -**Product capability:** Azure AD Connect Cloud Sync +**Product capability:** Azure AD Connect cloud sync -Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. +Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD cloud sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using the attribute mapping experience of Azure AD Connect cloud sync. -For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../hybrid/cloud-sync/custom-attribute-mapping.md) +For more information on how to enable this feature, see [Directory extensions and custom attribute mapping in Azure AD Connect cloud sync](../hybrid/cloud-sync/custom-attribute-mapping.md) We continue to share additional guidance on IPv6 enablement in Azure AD at this -**Type:** Plan for change -**Service category:** Provisioning -**Product capability:** Azure AD Connect Cloud Sync +**Type:** Plan for change +**Service category:** Provisioning +**Product capability:** Azure AD Connect cloud sync -Microsoft stops support for Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1,2023. If you're using Azure AD cloud sync, make sure you have the latest version of the agent. You can view info about the agent release history [here](../app-provisioning/provisioning-agent-release-version-history.md). You can download the latest version [here](https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/provisioningAgentInstaller) +Microsoft stops support for Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1,2023. If you're using Azure AD Connect cloud sync, make sure you have the latest version of the agent. You can view info about the agent release history [here](../app-provisioning/provisioning-agent-release-version-history.md). You can download the latest version [here](https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/provisioningAgentInstaller) You can find out which version of the agent you're using as follows: You can find out which version of the agent you're using as follows: 1. Select on ΓÇ£DetailsΓÇ¥ tab and you can find the version number there > [!NOTE]-> Azure Active Directory (AD) Connect follows the [Modern Lifecycle Policy](/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service. +> Azure Active Directory Connect follows the [Modern Lifecycle Policy](/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service. Product governed by the Modern Policy follow a [continuous support and servicing model](/lifecycle/overview/product-end-of-support-overview). Customers must take the latest update to remain supported. For products and services governed by the Modern Lifecycle Policy, Microsoft's policy is to provide a minimum 30 days' notification when customers are required to take action in order to avoid significant degradation to the normal use of the product or service. For more information about how to better secure your organization by using autom -**Type:** New feature -**Service category:** Azure AD Connect Cloud Sync -**Product capability:** Identity Lifecycle Management +**Type:** New feature +**Service category:** Azure AD Connect cloud sync +**Product capability:** Identity Lifecycle Management -Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md). +Password writeback in Azure AD Connect cloud sync now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md). For more information, see: [Tutorial: Validate a SCIM endpoint](../app-provision -Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold the following will happen. The Azure AD provisioning service pauses, provide you with visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning. +Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold the following will happen. The Azure AD provisioning service pauses, provide you with visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect cloud sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning. For more information, see: [Enable accidental deletions prevention in the Azure AD provisioning service](../app-provisioning/accidental-deletions.md) |
active-directory | Whats New Sovereign Clouds Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds-archive.md | Accidental deletion of users in your apps or in your on-premises directory could -### General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect Cloud sync +### General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync -**Type:** New feature -**Service category:** Azure AD Connect Cloud Sync -**Product capability:** Identity Lifecycle Management +**Type:** New feature +**Service category:** Azure AD Connect cloud sync +**Product capability:** Identity Lifecycle Management -Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md). +Password writeback in Azure AD Connect cloud sync now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md). Azure AD Connect Cloud Sync Password writeback now provides customers the abilit -Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service pauses, provide you with visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning. +Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service pauses, provide you with visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect cloud sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning. For more information, see: [Enable accidental deletions prevention in the Azure AD provisioning service](../app-provisioning/accidental-deletions.md) |
active-directory | Whats New Sovereign Clouds | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md | For more information about Microsoft cloud settings for B2B collaboration, see: ### Public Preview - Support for Directory Extensions using Azure AD cloud sync -**Type:** New feature -**Service category:** Provisioning -**Product capability:** Azure AD Connect Cloud Sync +**Type:** New feature +**Service category:** Provisioning +**Product capability:** Azure AD Connect cloud sync -Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. +Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Connect cloud sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using the attribute mapping experience of cloud sync. -For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../hybrid/cloud-sync/custom-attribute-mapping.md) +For more information on how to enable this feature, see [Directory extensions and custom attribute mapping in cloud sync](../hybrid/cloud-sync/custom-attribute-mapping.md) |
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | The Converged Authentication Methods Policy enables you to manage all authentica -### General Availability - Support for Directory Extensions using Azure AD Cloud Sync +### General Availability - Support for Directory Extensions using Azure AD cloud sync -**Type:** New feature -**Service category:** Provisioning -**Product capability:** Azure Active Directory Connect Cloud Sync +**Type:** New feature +**Service category:** Provisioning +**Product capability:** Azure AD Connect cloud sync -Hybrid IT Admins can now sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure Active Directory, thereby, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. For more information, see: [Cloud Sync directory extensions and custom attribute mapping](../hybrid/cloud-sync/custom-attribute-mapping.md). +Hybrid IT Admins can now sync both Active Directory and Azure AD Directory Extensions using Azure AD Connect cloud sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure Active Directory, thereby, allowing customers to map the needed attributes using the attribute mapping experience of cloud sync. For more information, see [Directory extensions and custom attribute mapping in cloud sync](../hybrid/cloud-sync/custom-attribute-mapping.md). |
active-directory | How To Lifecycle Workflow Sync Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md | To take full advantage of Lifecycle Workflows, user provisioning should be autom The following table shows the scheduling (trigger) relevant attributes and the methods of synchronization that are supported. -|Attribute|Type|Supported in HR Inbound Provisioning|Support in Microsoft Entra Connect Cloud Sync|Support in Microsoft Entra Connect Sync| +|Attribute|Type|Supported in HR Inbound Provisioning|Support in Microsoft Entra Connect cloud sync|Support in Microsoft Entra Connect Sync| |--|--|--|--|--| |employeeHireDate|DateTimeOffset|Yes|Yes|Yes| |employeeLeaveDateTime|DateTimeOffset|Yes|Yes|Yes| To ensure timing accuracy of scheduled workflows itΓÇÖs crucial to consider: ## Create a custom sync rule in Microsoft Entra Connect cloud sync for EmployeeHireDate The following steps guide you through creating a synchronization rule using cloud sync. 1. In the Microsoft Entra admin center, browse to > **Hybrid management** > **Microsoft Entra Connect**.- 1. Select **Manage Microsoft Entra cloud sync**. + 1. Select **Manage Microsoft Entra Connect cloud sync**. 1. Under **Configuration**, select your configuration. 1. Select **Click to edit mappings**. This link opens the **Attribute mappings** screen. 1. Select **Add attribute**. |
active-directory | Custom Attribute Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/custom-attribute-mapping.md | -# Cloud Sync directory extensions and custom attribute mapping +# Cloud sync directory extensions and custom attribute mapping ## Directory extensions+ You can use directory extensions to extend the schema in Microsoft Entra ID with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises. For additional information on directory extensions see [Using directory extension attributes in claims](../../develop/schema-extensions.md) You need to create an [application](/graph/api/resources/application?view=graph- |--|--|--| |MS Graph|Create extensions using GRAPH|[Create extensionProperty](/graph/api/application-post-extensionproperty?view=graph-rest-1.0&tabs=http&preserve-view=true)| |PowerShell|Create extensions using PowerShell|[New-AzureADApplicationExtensionProperty](/powershell/module/azuread/new-azureadapplicationextensionproperty?view=azureadps-2.0&preserve-view=true)| -Using Cloud Sync and Microsoft Entra Connect|Create extensions using Microsoft Entra Connect|[Create an extension attribute using Microsoft Entra Connect](../../app-provisioning/user-provisioning-sync-attributes-for-mapping.md#create-an-extension-attribute-using-azure-ad-connect)| +Using cloud sync and Microsoft Entra Connect|Create extensions using Microsoft Entra Connect|[Create an extension attribute using Microsoft Entra Connect](../../app-provisioning/user-provisioning-sync-attributes-for-mapping.md#create-an-extension-attribute-using-azure-ad-connect)| |Customizing attributes to sync|Information on customizing which attributes to synch|[Customize which attributes to synchronize with Microsoft Entra ID](../connect/how-to-connect-sync-feature-directory-extensions.md#customize-which-attributes-to-synchronize-with-azure-ad) ## Use attribute mapping to map Directory Extensions |
active-directory | How To Cloud Sync Workbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-cloud-sync-workbook.md | Title: 'Microsoft Entra cloud sync insights workbook' + Title: 'Microsoft Entra Connect cloud sync insights workbook' description: This article describes the Azure Monitor workbook for cloud sync. -# Microsoft Entra cloud sync insights workbook +# Microsoft Entra Connect cloud sync insights workbook The cloud sync workbook provides a flexible canvas for data analysis. The workbook allows you to create rich visual reports within the Microsoft Entra admin center. To learn more, see Azure Monitor Workbooks overview. This workbook is intended for Hybrid Identity Admins who use cloud sync to sync users from AD to Microsoft Entra ID. It allows admins to gain insights into sync status and details. |
active-directory | How To Inbound Synch Ms Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md | Look under the 'status' section of the return object for relevant details - [What is Microsoft Entra Cloud Sync?](what-is-cloud-sync.md) - [Transformations](how-to-transformation.md)-- [Microsoft Entra Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)+- [Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true) |
active-directory | How To Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-prerequisites.md | This article provides guidance on how to choose and use Microsoft Entra Cloud Sy ## Cloud provisioning agent requirements You need the following to use Microsoft Entra Cloud Sync: -- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Cloud Sync gMSA (group Managed Service Account) to run the agent service. +- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Connect cloud sync gMSA (group managed service account) to run the agent service. - A hybrid identity administrator account for your Microsoft Entra tenant that is not a guest user. - An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported. - High availability refers to the Microsoft Entra Cloud Sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Microsoft Entra Cloud Sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability. |
active-directory | How To Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-troubleshoot.md | If you have an implementation topology with Microsoft Entra Connect and Microsof ![Screenshot that shows the export error.](media/how-to-troubleshoot/log-4.png) -This error isn't related to the [Microsoft Entra Cloud Sync accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md). It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra ID directory from Microsoft Entra Connect. -If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Cloud Sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command: +This error isn't related to the [accidental deletions prevention feature](../cloud-sync/how-to-accidental-deletes.md) of Microsoft Entra Connect cloud sync. It's triggered by the [accidental deletion prevention feature](../connect/how-to-connect-sync-feature-prevent-accidental-deletes.md) set in the Microsoft Entra directory from Microsoft Entra Connect. +If you don't have a Microsoft Entra Connect server installed from which you could toggle the feature, you can use the ["AADCloudSyncTools"](../cloud-sync/reference-powershell.md) PowerShell module installed with the Microsoft Entra Connect cloud sync agent to disable the setting on the tenant and allow the blocked deletions to export after confirming they are expected and should be allowed. Use the following command: ```PowerShell Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-c6b1-48a5-9ba7-28fe88f83980" |
active-directory | Plan Cloud Sync Topologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/plan-cloud-sync-topologies.md | An example would be: - one forest (1) contains most of the attributes - a second forest (2) contains a few attributes - Since the second forest doesn't have network connectivity to the Microsoft Entra Connect server, the object can't be merged through Microsoft Entra Connect. Cloud Sync in the second forest allows the attribute value to be retrieved from the second forest. The value can then be merged with the object in Microsoft Entra ID that is synced by Microsoft Entra Connect. + Since the second forest doesn't have network connectivity to the Microsoft Entra Connect server, the object can't be merged through Microsoft Entra Connect. Cloud sync in the second forest allows the attribute value to be retrieved from the second forest. The value can then be merged with the object in Microsoft Entra ID that is synced by Microsoft Entra Connect. This configuration is advanced and there are a few caveats to this topology: - 1. You must use `msdsConsistencyGuid` as the source anchor in the Cloud Sync configuration. + 1. You must use `msdsConsistencyGuid` as the source anchor in the cloud sync configuration. 2. The `msdsConsistencyGuid` of the user object in the second forest must match that of the corresponding object in Microsoft Entra ID. 3. You must populate the `UserPrincipalName` attribute and the `Alias` attribute in the second forest and it must match the ones that are synced from the first forest. - 4. You must remove all attributes from the attribute mapping in the Cloud Sync configuration that don't have a value or may have a different value in the second forest ΓÇô you can't have overlapping attribute mappings between the first forest and the second one. - 5. If there's no matching object in the first forest, for an object that is synced from the second forest, then Cloud Sync will still create the object in Microsoft Entra ID. The object will only have the attributes that are defined in the mapping configuration of Cloud Sync for the second forest. + 4. You must remove all attributes from the attribute mapping in the cloud sync configuration that don't have a value or may have a different value in the second forest ΓÇô you can't have overlapping attribute mappings between the first forest and the second one. + 5. If there's no matching object in the first forest, for an object that is synced from the second forest, then cloud sync will still create the object in Microsoft Entra ID. The object will only have the attributes that are defined in the mapping configuration of cloud sync for the second forest. 6. If you delete the object from the second forest, it will be temporarily soft deleted in Microsoft Entra ID. It will be restored automatically after the next Microsoft Entra Connect Sync cycle. 7. If you delete the object from the first forest, it will be soft deleted from Microsoft Entra ID. The object won't be restored unless a change is made to the object in the second forest. After 30 days the object will be hard deleted from Microsoft Entra ID and if a change is made to the object in the second forest it will be created as a new object in Microsoft Entra ID. |
active-directory | Reference Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-error-codes.md | The following is a list of error codes and their description |TimeOut|Error Message: We've detected a request timeout error when contacting the on-premises agent and synchronizing your configuration. For additional issues related to your cloud sync agent, please see our troubleshooting guidance.|Request to HIS timed out. Current Timeout value is 10 minutes.|See our [troubleshooting guidance](how-to-troubleshoot.md)| |HybridSynchronizationActiveDirectoryInternalServerError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.30b500eaf9c643b2b78804e80c1421fe.5c291d3c-d29f-4570-9d6b-f0c2fa3d5926. Additional details: Processing of the HTTP request resulted in an exception. |Couldn't process the parameters received in SCIM request to a Search request.|Please see the HTTP response returned by the 'Response' property of this exception for details.| |HybridIdentityServiceNoAgentsAssigned|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agents have been removed. If so, re-install the agent again.|There are no agents running. Probably agents have been removed. Register a new agent.|"In this case, you won't see any agent assigned to the domain in portal.|-|HybridIdentityServiceNoActiveAgents|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if "Microsoft Entra Cloud Sync Agent" under Services is running.|"Agents aren't listening to the ServiceBus endpoint. [The agent is behind a firewall that doesn't allow connections to service bus](../../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)| +|HybridIdentityServiceNoActiveAgents|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if **Microsoft Entra Connect cloud sync agent** under Services is running.|"Agents aren't listening to the ServiceBus endpoint. [The agent is behind a firewall that doesn't allow connections to service bus](../../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)| |HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from portal.| |HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus isn't able to send a message to the agent. Could be an outage in service bus, or the agent isn't responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).| |AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Microsoft Entra ID is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Microsoft Entra ID is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.| |
active-directory | Reference Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md | Disables accidentalDeletionPrevention tenant feature Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId <TenantId> ``` -This cmdlet requires `TenantId` of the Microsoft Entra tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Microsoft Entra Connect (ADSync, not Cloud Sync), is enabled and disables it. +This cmdlet requires `TenantId` of the Microsoft Entra tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Microsoft Entra Connect (ADSync, not cloud sync), is enabled and disables it. #### Example: ``` powershell |
active-directory | Common Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/common-scenarios.md | For additional information, see [Supported topologies for cloud sync](cloud-sync ## Additional information-- You can sync users & groups from the same domain using Connect Sync and Cloud Sync if:+- You can sync users & groups from the same domain using Connect Sync and cloud sync if: - Scoping filters in each sync is mutually exclusive - If inclusive, donΓÇÖt have the same attributes values clashing (Precedence isnΓÇÖt supported)-- You can sync users & groups using Connect Sync while using Cloud SyncΓÇÖs net new capabilities (*called out in Roadmap)+- You can sync users & groups using Connect Sync while using cloud syncΓÇÖs net new capabilities (*called out in Roadmap) - You can sync objects from a single AD to multiple Azure ADs if writeback capabilities are enabled only in a single Microsoft Entra tenant. |
active-directory | Deprecated Azure Ad Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/deprecated-azure-ad-connect.md | We regularly update Microsoft Entra Connect with [newer versions](reference-conn If you're still using a deprecated and unsupported version of Microsoft Entra Connect, here's what you should do: - 1. Verify which version you should install. Most customers no longer need Microsoft Entra Connect and can now use [Microsoft Entra Cloud Sync](../cloud-sync/what-is-cloud-sync.md). Cloud sync is the next generation of sync tools to provision users and groups from AD into Microsoft Entra ID. It features a lightweight agent and is fully managed from the cloud ΓÇô and it upgrades to newer versions automatically, so you never have to worry about upgrading again! + 1. Verify which version you should install. Most customers no longer need Microsoft Entra Connect and can now use [Microsoft Entra Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). Cloud sync is the next generation of sync tools to provision users and groups from AD into Microsoft Entra ID. It features a lightweight agent and is fully managed from the cloud ΓÇô and it upgrades to newer versions automatically, so you never have to worry about upgrading again! - 2. If you're not yet eligible for Microsoft Entra Cloud Sync, please follow this [link to download](https://www.microsoft.com/download/details.aspx?id=47594) and install the latest version of Microsoft Entra Connect. In most cases, upgrading to the latest version will only take a few moments. For more information, see [Upgrading Microsoft Entra Connect from a previous version.](how-to-upgrade-previous-version.md). + 2. If you're not yet eligible for Microsoft Entra Connect cloud sync, please follow this [link to download](https://www.microsoft.com/download/details.aspx?id=47594) and install the latest version of Microsoft Entra Connect. In most cases, upgrading to the latest version will only take a few moments. For more information, see [Upgrading Microsoft Entra Connect from a previous version.](how-to-upgrade-previous-version.md). ## Next steps - [What is Microsoft Entra Connect V2?](whatis-azure-ad-connect-v2.md)-- [Microsoft Entra Cloud Sync](../cloud-sync/what-is-cloud-sync.md)+- [Microsoft Entra Connect cloud sync](../cloud-sync/what-is-cloud-sync.md) - [Microsoft Entra Connect version history](reference-connect-version-history.md) |
active-directory | How To Connect Group Writeback V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-group-writeback-v2.md | -> The group writeback functionality is currently in Public Preview as we are collecting customer feedback and telemetry. Please refer to [the limitations](#understand-limitations-of-public-preview) before you enable this functionality. You should not deploy the functionality to write back security groups in your production environment. We are planning to replace the AADConnect security group writeback functionality with the new Cloud Sync group writeback feature, and when this releases we will remove the AADConnect Group Writeback functionality. This does not impact M365 group writeback functionality, which will remain unchanged. +> The group writeback functionality is currently in Public Preview as we are collecting customer feedback and telemetry. Please refer to [the limitations](#understand-limitations-of-public-preview) before you enable this functionality. You should not deploy the functionality to write back security groups in your production environment. We are planning to replace the AADConnect security group writeback functionality with the new cloud sync group writeback feature, and when this releases we will remove the AADConnect Group Writeback functionality. This does not impact M365 group writeback functionality, which will remain unchanged. There are two versions of group writeback. The original version is in general availability and is limited to writing back Microsoft 365 groups to your on-premises Active Directory instance as distribution groups. The new, expanded version of group writeback is in public preview and enables the following capabilities: |
active-directory | How To Connect Sync Service Manager Ui Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md | Title: Connectors in the Microsoft Entra Synchronization Service Manager UI' -description: Understand the Connectors tab in the Synchronization Service Manager for Microsoft Entra Connect. + Title: Connectors in the Microsoft Entra Connect Sync Service Manager UI' +description: Understand the Connectors tab in the Service Manager for Microsoft Entra Connect Sync. documentationcenter: '' -![Screenshot that shows the Sync Service Manager.](./media/how-to-connect-sync-service-manager-ui-connectors/connectors.png) +![Screenshot that shows the Microsoft Entra Connect Sync Service Manager.](./media/how-to-connect-sync-service-manager-ui-connectors/connectors.png) The Connectors tab is used to manage all systems the sync engine is connected to. |
active-directory | How To Connect Sync Whatis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-whatis.md | The Microsoft Entra Connect synchronization services (Microsoft Entra Connect Sy This topic is the home for **Microsoft Entra Connect Sync** (also called **sync engine**) and lists links to all other topics related to it. For links to Microsoft Entra Connect, see [Integrating your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md). The sync service consists of two components, the on-premises **Microsoft Entra Connect Sync** component and the service side in Microsoft Entra ID called **Microsoft Entra Connect Sync service**.->[!IMPORTANT] ->Microsoft Entra Cloud Sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra Cloud provisioning agent instead of the Microsoft Entra Connect application. Microsoft Entra Cloud Sync is replacing Microsoft Entra Connect Sync, which will be retired after Cloud Sync has full functional parity with Connect sync. The remainder of this article is about AADConnect sync, but we encourage customers to review the features and advantages of Cloud Sync before deploying AADConnect sync. ++> [!IMPORTANT] +> Microsoft Entra Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent instead of the Microsoft Entra Connect application. Microsoft Entra Connect cloud sync is replacing Microsoft Entra Connect Sync, which will be retired after cloud sync has full functional parity with Microsoft Entra Connect Sync. The remainder of this article is about Microsoft Entra Connect Sync, but we encourage customers to review the features and advantages of cloud sync before deploying AADConnect sync. >->To find out if you are already eligible for Cloud Sync, please verify your requirements in [this wizard](https://admin.microsoft.com/adminportal/home?Q=setupguidance#/modernonboarding/identitywizard). +> To find out if you are already eligible for cloud sync, please verify your requirements in [this wizard](https://admin.microsoft.com/adminportal/home?Q=setupguidance#/modernonboarding/identitywizard). >->To learn more about Cloud Sync please read [this article](../cloud-sync/what-is-cloud-sync.md), or watch this [short video](https://www.microsoft.com/videoplayer/embed/RWJ8l5). +> To learn more about cloud sync, please read [this article](../cloud-sync/what-is-cloud-sync.md), or watch this [short video](https://www.microsoft.com/videoplayer/embed/RWJ8l5). > |
active-directory | How To Upgrade Previous Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-upgrade-previous-version.md | -> It's important that you keep your servers current with the latest releases of Microsoft Entra Connect. We are constantly making upgrades to AADConnect, and these upgrades include fixes to security issues and bugs, as well as serviceability, performance, and scalability improvements. +> It's important that you keep your servers current with the latest releases of Microsoft Entra Connect. We are constantly making upgrades to Microsoft Entra Connect, and these upgrades include fixes to security issues and bugs, as well as serviceability, performance, and scalability improvements. > To see what the latest version is, and to learn what changes have been made between versions, please refer to the [release version history](./reference-connect-version-history.md) -Any versions older than Microsoft Entra Connect 2.x are currently deprecated, see [Introduction to Microsoft Entra Connect V2.0](whatis-azure-ad-connect-v2.md) for more information. It's currently supported to upgrade from any version of Microsoft Entra Connect to the current version. In-place upgrades of DirSync or ADSync aren't supported, and a swing migration is required. If you want to upgrade from DirSync, see [Upgrade from Azure AD Sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) or the [Swing migration](#swing-migration) section. +Any versions older than Microsoft Entra Connect V2 are currently deprecated, see [Introduction to Microsoft Entra Connect V2](whatis-azure-ad-connect-v2.md) for more information. It's currently supported to upgrade from any version of Microsoft Entra Connect to the current version. In-place upgrades of DirSync or ADSync aren't supported, and a swing migration is required. If you want to upgrade from DirSync, see [Upgrade from Azure AD Sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) or the [Swing migration](#swing-migration) section. In practice, customers on old versions may encounter problems not directly related to Microsoft Entra Connect. Servers that have been in production for several years typically have had several patches applied to them and not all of these can be accounted for. Customers who haven't upgraded in 12-18 months (about 1 and a half years) should consider a swing upgrade instead as this is the most conservative and least risky option. |
active-directory | Reference Connect Version History Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history-archive.md | Microsoft Entra Connect Upgrade fails if SQL Always On Availability is configure - When Group Sync Filtering page encounters an LDAP error when resolving security groups, Microsoft Entra Connect now returns the exception with full fidelity. The root cause for the referral exception is still unknown and will be addressed by a different bug. - Fixed a bug where permissions for STK and NGC keys (ms-DS-KeyCredentialLink attribute on User/Device objects for WHfB) were not correctly set. - Fixed a bug where 'Set-ADSyncRestrictedPermissionsΓÇÖ wasn't called correctly-- Adding support for permission granting on Group Writeback in Azure ADConnect's installation wizard+- Adding support for permission granting on Group Writeback in the Microsoft Entra Connect installation wizard - When changing sign in method from Password Hash Sync to AD FS, Password Hash Sync wasn't disabled. - Added verification for IPv6 addresses in AD FS configuration - Updated the notification message to inform that an existing configuration exists. Microsoft Entra Connect Sync * Fixed an issue that causes Password Synchronization process to fail to start with Event ID 6900 and error *ΓÇ£An item with the same key has already been addedΓÇ¥*. This issue occurs if you update OU filtering configuration to include AD configuration partition. To fix this issue, Password Synchronization process now synchronizes password changes from AD domain partitions only. Non-domain partitions such as configuration partition are skipped. * During Express installation, Microsoft Entra Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Microsoft Entra Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account. * Fixed an issue that causes DirSync upgrade to fail with error *ΓÇ£a deadlock occurred in sql server which trying to acquire an application lockΓÇ¥* when the mailNickname attribute is found in the on-premises AD schema, but is not bounded to the AD User object class.-* Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Microsoft Entra Connect sync configuration using Microsoft Entra Connect wizard. This issue is caused by the wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously. +* Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Microsoft Entra Connect Sync configuration using Microsoft Entra Connect wizard. This issue is caused by the wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously. * To configure OU filtering, you can either use the Microsoft Entra Connect wizard or the Synchronization Service Manager. Previously, if you use the Microsoft Entra Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. If you don't want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using Microsoft Entra Connect wizard. * Fixed an issue that causes stored procedures required by Microsoft Entra Connect to be created under the schema of the installing admin, instead of under the dbo schema. * Fixed an issue that causes the TrackingId attribute returned by Microsoft Entra ID to be omitted in the Microsoft Entra Connect Server Event Logs. The issue occurs if Microsoft Entra Connect receives a redirection message from Microsoft Entra ID and Microsoft Entra Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting. Password Reset Microsoft Entra Connect Sync * Get-ADSyncScheduler cmdlet now returns a new Boolean property named SyncCycleInProgress. If the returned value is true, it means that there is a scheduled synchronization cycle in progress.-* Destination folder for storing Microsoft Entra Connect installation and setup logs has been moved from %localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility to the log files. +* Destination folder for storing Microsoft Entra Connect installation and setup logs has been moved from `%localappdata%\AADConnect` to `%programdata%\AADConnect` to improve accessibility to the log files. AD FS management * Added support for updating AD FS Farm TLS/SSL Certificate. |
active-directory | Tshoot Connect Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-connectivity.md | This article explains how connectivity between Microsoft Entra Connect and Micro Microsoft Entra Connect uses the Microsoft Authentication Library (MSAL) for authentication. The installation wizard and the sync engine require machine.config to be properly configured because these two are .NET applications. > [!NOTE]-> Microsoft Entra Connect v1.6.xx.x uses the Active Directory Authentication Library (ADAL). The ADAL is being deprecated and support will end in June 2022. We recommend that you upgrade to the latest version of [Microsoft Entra Connect v2](whatis-azure-ad-connect-v2.md). +> Azure AD Connect v1.6.xx.x uses the Active Directory Authentication Library (ADAL). The ADAL is being deprecated and support will end in June 2022. We recommend that you upgrade to the latest version of [Microsoft Entra Connect v2](whatis-azure-ad-connect-v2.md). In this article, we show how Fabrikam connects to Microsoft Entra ID through its proxy. The proxy server is named `fabrikamproxy` and uses port 8080. |
active-directory | Tshoot Connect Pass Through Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-pass-through-authentication.md | Depending on the type of issue you may have, you need to look in different place ### Microsoft Entra Connect logs -For errors related to installation, check the Microsoft Entra Connect logs at **%ProgramData%\AADConnect\trace-\*.log**. +For errors related to installation, check the Microsoft Entra Connect logs at `%ProgramData%\AADConnect\trace-*.log`. ### Authentication Agent event logs |
active-directory | Whatis Azure Ad Connect V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md | Title: 'What is Microsoft Entra Connect v2.0?' + Title: 'Introduction to Microsoft Entra Connect V2' description: Learn about the next version of Microsoft Entra Connect. -# Introduction to Microsoft Entra Connect V2.0 +# Introduction to Microsoft Entra Connect V2 -Microsoft Entra Connect was released several years ago. Since this time, several of the components that Microsoft Entra Connect uses have been scheduled for deprecation and updated to newer versions. Attempting to update all of these components individually would take time and planning. +Azure AD Connect V1 was released several years ago. Since this time, several of the components used have been scheduled for deprecation and updated to newer versions. Attempting to update all of these components individually would take time and planning. -To address this issue, we've bundled as many of these newer components into a new, single release, so you only have to update once. This release is Microsoft Entra Connect V2. This release is a new version of the same software used to accomplish your hybrid identity goals, built using the latest foundational components. +To address this issue, we've bundled as many of these newer components into a new single release, so you only have to update once. This release is Microsoft Entra Connect V2. This release is a new version of the same software used to accomplish your hybrid identity goals, built using the latest foundational components. >[!NOTE]- >Microsoft Entra Connect V1 has been retired as of August 31, 2022 and is no longer supported. Microsoft Entra Connect V1 installations may **stop working unexpectedly**. If you are still using a Microsoft Entra Connect V1 you need to upgrade to Microsoft Entra Connect V2 immediately. + >Microsoft Entra Connect V1 has been retired as of August 31, 2022 and is no longer supported. Microsoft Entra Connect V1 installations may **stop working unexpectedly**. If you are still using Azure AD Connect V1, you need to upgrade to Microsoft Entra Connect V2 immediately. <a name='consider-moving-to-azure-ad-connect-cloud-sync'></a> -## Consider moving to Microsoft Entra Cloud Sync -Microsoft Entra Cloud Sync is the future of synchronization for Microsoft. It replaces Microsoft Entra Connect. +## Consider moving to Microsoft Entra Connect cloud sync ++Microsoft Entra Connect cloud sync is the future of synchronization for Microsoft. It replaces Microsoft Entra Connect. > [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q] -Before moving the Microsoft Entra Connect V2.0, you should consider moving to cloud sync. You can see if cloud sync is right for you, by accessing the [Check sync tool](https://aka.ms/EvaluateSyncOptions) from the portal or via the link provided. +Before moving to Microsoft Entra Connect V2, you should consider moving to Microsoft Entra Connect cloud sync. You can see if cloud sync is right for you by accessing the [Check sync tool](https://aka.ms/EvaluateSyncOptions) from the portal or via the link provided. For more information, see [What is cloud sync?](../cloud-sync/what-is-cloud-sync.md) -- ## What are the major changes? ### SQL Server 2019 LocalDB No, the upgrade to SQL 2019 doesn't remove any SQL 2012 components from your ser **What happens if I don't upgrade?** </br> Until one of the components that are being retired are actually deprecated, you will not see any impact. Microsoft Entra Connect will keep on working. -Support for TLS 1.0/1.1 is deprecated in 2022, and you need to make sure you aren't using these protocols by that date as your service may stop working unexpectedly. You can manually configure your server for TLS 1.2 though, and that doesn't require an update of Microsoft Entra Connect to V2 +Support for TLS 1.0/1.1 is deprecated in 2022, and you need to make sure you aren't using these protocols by that date as your service may stop working unexpectedly. You can manually configure your server for TLS 1.2 though, and that doesn't require an update of Microsoft Entra Connect to V2. -Microsoft Entra Connect Health may stop working after March 2023. We will auto upgrade all Health agents to a new version before that, but we cannot auto upgrade if you are running AADConnect V1 due to compatibility issues with V versions. +Microsoft Entra Connect Health may stop working after March 2023. We will auto upgrade all Health agents to a new version before that, but we cannot auto upgrade if you are running Azure AD Connect V1 due to compatibility issues with V versions. After December 2022, ADAL is planned to go out of support. When ADAL goes out of support, authentication may stop working unexpectedly, and this will block the Microsoft Entra Connect server from working properly. We strongly advise you to upgrade to Microsoft Entra Connect V2 before December 2022. You can't upgrade to a supported authentication library with your current Microsoft Entra Connect version. -**After upgrading to 2 the ADSync PowerShell cmdlets don't work?** </br> -This is a known issue. Restart your PowerShell session after installing or upgrading to version 2 and then reimport the module. Use the following instructions to import the module. +**After upgrading to V2 the ADSync PowerShell cmdlets don't work?** </br> +This is a known issue. Restart your PowerShell session after installing or upgrading to V2 and then reimport the module. Use the following instructions to import the module. 1. Open Windows PowerShell with administrative privileges. 1. Type or copy and paste the following code: |
active-directory | Decommission Connect Sync V1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/decommission-connect-sync-v1.md | On **October 1, 2023**, Azure AD cloud services will stop accepting connections If you are still using Azure AD Connect V1 you must take action immediately. >[!IMPORTANT]->Azure AD Connect V1 will stop working on October 1st 2023. You need to migrate to cloud sync or connect sync V2. +>Azure AD Connect V1 will stop working on October 1st 2023. You need to migrate to Microsoft Entra Connect cloud sync or Microsoft Entra Connect Sync. ## Migrate to cloud sync-Before moving to Azure AD Connect V2, you should see if cloud sync is right for you instead. Cloud sync uses a light-weight provisioning agent and is fully configurable through the portal. To choose the best sync tool for your situation, use the [Wizard to evaluate sync options.](https://aka.ms/EvaluateSyncOptions) +Before moving to Microsoft Entra Connect Sync, you should see if cloud sync is right for you instead. Cloud sync uses a light-weight provisioning agent and is fully configurable through the portal. To choose the best sync tool for your situation, use the [Wizard to evaluate sync options.](https://aka.ms/EvaluateSyncOptions) Based on your environment and needs, you may qualify for moving to cloud sync. For a comparison of cloud sync and connect sync, see [Comparison between cloud sync and connect sync](cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync). To learn more, read [What is cloud sync?](cloud-sync/what-is-cloud-sync.md) and [What is the provisioning agent?](cloud-sync/what-is-provisioning-agent.md) -## Migrating to Azure AD Connect V2 +## Migrating to Microsoft Entra Connect V2 If you aren't yet eligible to move to cloud sync, use this table for more information on migrating to V2. |Title|Description| |--|--| |[Information on deprecation](connect/deprecated-azure-ad-connect.md)|Information on Azure AD Connect V1 deprecation|-|[What is Azure AD Connect V2?](connect/whatis-azure-ad-connect-v2.md)|Information on the latest version of Azure AD Connect| -|[Upgrading from a previous version](connect/how-to-upgrade-previous-version.md)|Information on moving from one version of Azure AD Connect to another +|[What is Microsoft Entra Connect V2?](connect/whatis-azure-ad-connect-v2.md)|Information on the latest version of Microsoft Entra Connect| +|[Upgrading from a previous version](connect/how-to-upgrade-previous-version.md)|Information on moving from one version of Microsoft Entra Connect to another ## Frequently asked questions If you aren't yet eligible to move to cloud sync, use this table for more inform ## Next steps - [What is Azure AD Connect V2?](./connect/whatis-azure-ad-connect-v2.md)-- [Azure AD Cloud Sync](./cloud-sync/what-is-cloud-sync.md)+- [Azure AD cloud sync](./cloud-sync/what-is-cloud-sync.md) - [Azure AD Connect version history](./connect/reference-connect-version-history.md) |
active-directory | Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/install.md | Cloud sync uses the Microsoft Entra Provisioning Agent. Use the steps below to 7. On the splash screen, select **I agree to the license and conditions**, and then select **Install**. 8. Once the installation operation completes, the configuration wizard will launch. Select **Next** to start the configuration.- 9. On the **Select Extension** screen, select **HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Cloud Sync** and click **Next**. + 9. On the **Select Extension** screen, select **HR-driven provisioning (Workday and SuccessFactors) / Microsoft Entra Connect cloud sync** and click **Next**. 10. Sign in with your Microsoft Entra Global Administrator account. 11. On the **Configure Service Account** screen, select a group Managed Service Account (gMSA). This account is used to run the agent service. To continue, select **Next**. 12. On the **Connect Active Directory** screen, if your domain name appears under **Configured domains**, skip to the next step. Otherwise, type your Active Directory domain name, and select **Add directory**. |
active-directory | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/prerequisites.md | -The following document provides the prerequisites for integrating with Active Directory. --## Cloud Sync +The following document provides the prerequisites for integrating with Active Directory. +## Cloud sync ### Hardware and software - |Requirement|Description and more requirements| |--|--| |Windows server 2016 or greater that is or has:|ΓÇó 4 GB RAM or more</br>ΓÇó .NET 4.7.1 runtime or greater</br>ΓÇó domain-joined</br>ΓÇó PowerShell execution policy set to **Undefined** or **RemoteSigned**</br>ΓÇó TLS 1.2 enabled</br>| |
active-directory | Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/sso.md | -After installing the Microsoft Entra Provisioning Agent, you will need to configure single sign-on for cloud sync. The following table provides a list of steps required for using single sign-on. ++After installing the Microsoft Entra Connect provisioning agent, you will need to configure single sign-on for cloud sync. The following table provides a list of steps required for using single sign-on. |Task|Description| |--|--| |
active-directory | Migrate Okta Sync Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sync-provisioning.md | In this example, Okta stamped the **mail** attribute to the user's account, alth <a name='install-azure-ad-cloud-sync-agents'></a> -## Install Microsoft Entra cloud sync agents +## Install Microsoft Entra Connect cloud sync agents -After you prepare your list of source and destination targets, install and configure Microsoft Entra cloud sync agents. See, [Tutorial: Integrate a single forest with a single Microsoft Entra tenant](../hybrid/cloud-sync/tutorial-single-forest.md). +After you prepare your list of source and destination targets, install and configure Microsoft Entra Connect cloud sync agents. See, [Tutorial: Integrate a single forest with a single Microsoft Entra tenant](../hybrid/cloud-sync/tutorial-single-forest.md). > [!NOTE] > If you use a Microsoft Entra Connect server, skip this section. After you verify the Microsoft Entra Connect installation, disable Okta provisio After you disable Okta provisioning, the Microsoft Entra Connect server can synchronize objects. >[!NOTE]- >If you use Microsoft Entra cloud sync agents, skip this section. + >If you use Microsoft Entra Connect cloud sync agents, skip this section. 1. From the desktop, run the installation wizard from the desktop. 2. Select **Configure**. After you disable Okta provisioning, the Microsoft Entra Connect server can sync [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -After you disable Okta provisioning, the Microsoft Entra cloud sync agent can synchronize objects. +After you disable Okta provisioning, the Microsoft Entra Connect cloud sync agent can synchronize objects. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator). 2. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Connect Sync**. |
active-directory | Azure Databricks With Private Link Workspace Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/azure-databricks-with-private-link-workspace-provisioning-tutorial.md | If you have already downloaded the provisioning agent and configured it for anot 1. Select **Download on-premises agent**, and select **Accept terms & download**. > [!NOTE]- > Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. + > Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect cloud sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. 1. Open the provisioning agent installer, agree to the terms of service, and select **next**. 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable. |
ai-services | Model Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/model-versions.md | + + Title: Azure OpenAI Service model versions ++description: Learn about model versions in Azure OpenAI. ++ Last updated : 10/13/2023+++++recommendations: false +keywords: +++# Azure OpenAI Service model versions ++Azure OpenAI Service is committed to providing the best generative AI models for customers. As part of this commitment, Azure OpenAI Service regularly releases new model versions to incorporate the latest features and improvements from OpenAI. ++In particular, the GPT-3.5 Turbo and GPT-4 models see regular updates with new features. For example, versions 0613 of GPT-3.5 Turbo and GPT-4 introduced function calling. Function calling is a popular feature that allows the model to create structured outputs that can be used to call external tools. +## How model versions work ++We want to make it easy for customers to stay up to date as models improve. Customers can choose to start with a particular version and to automatically update as new versions are released. ++When a customer deploys GPT-3.5-Turbo and GPT-4 on Azure OpenAI Service, the standard behavior is to deploy the current default version ΓÇô for example, GPT-4 version 0314. When the default version changes to say GPT-4 version 0613, the deployment is automatically updated to version 0613 so that customer deployments feature the latest capabilities of the model. ++Customers can also deploy a specific version like GPT-4 0314 or GPT-4 0613 and choose an update policy, which can include the following options: ++* Deployments set to **Auto-update to default** automatically update to use the new default version. +* Deployments set to **Upgrade when expired** automatically update when its current version is retired. +* Deployments that are set to **No Auto Upgrade** stop working when the model is retired. ++## How Azure updates OpenAI models ++Azure works closely with OpenAI to release new model versions. When a new version of a model is released, a customer can immediately test it in new deployments. Azure publishes when new versions of models are released, and notifies customers at least two weeks before a new version becomes the default version of the model. Azure also maintains the previous major version of the model until its retirement date, so customers can switch back to it if desired. ++## What you need to know about Azure OpenAI model version upgrades ++As a customer of Azure OpenAI models, you might notice some changes in the model behavior and compatibility after a version upgrade. These changes might affect your applications and workflows that rely on the models. Here are some tips to help you prepare for version upgrades and minimize the impact: ++* Read [whatΓÇÖs new](../whats-new.md) and [models](../concepts/models.md) to understand the changes and new features. +* Read the documentation on [model deployments](../how-to/create-resource.md) and [version upgrades](../concepts/model-versions.md) to understand how to work with model versions. +* Test your applications and workflows with the new model version after release. +* Update your code and configuration to use the new features and capabilities of the new model version. ++## Next Steps ++- [Learn more about working with Azure OpenAI models](../how-to/working-with-models.md) +- [Learn more about Azure OpenAI model regional availability](../concepts/models.md) +- [Learn more about Azure OpenAI](../overview.md) |
ai-services | Working With Models | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/working-with-models.md | keywords: # Working with Azure OpenAI models -Azure OpenAI Service is powered by a diverse set of models with different capabilities and price points. [Model availability varies by ](../concepts/models.md). +Azure OpenAI Service is powered by a diverse set of models with different capabilities and price points. [Model availability varies by region](../concepts/models.md). You can get a list of models that are available for both inference and fine-tuning by your Azure OpenAI resource by using the [Models List API](/rest/api/cognitiveservices/azureopenaistable/models/list). Azure OpenAI now supports automatic updates for select model deployments. On mod :::image type="content" source="../media/models/auto-update.png" alt-text="Screenshot of the deploy model UI of Azure OpenAI Studio." lightbox="../media/models/auto-update.png"::: +You can learn more about Azure OpenAI model versions and how they work in the [Azure OpenAI model versions](../concepts/model-versions.md) article. + ### Auto update to default When **Auto-update to default** is selected your model deployment will be automatically updated within two weeks of a change in the default version. If you're still in the early testing phases for inference models, we recommend d ### Specific model version -As your use of Azure OpenAI evolves, and you start to build and integrate with applications you may want to manually control model updates so that you can first test and validate that model performance is remaining consistent for your use case prior to upgrade. +As your use of Azure OpenAI evolves, and you start to build and integrate with applications you might want to manually control model updates so that you can first test and validate that model performance is remaining consistent for your use case prior to upgrade. When you select a specific model version for a deployment this version will remain selected until you either choose to manually update yourself, or once you reach the retirement date for the model. When the retirement date is reached the model will automatically upgrade to the default version at the time of retirement. -### GPT-35-Turbo 0301 and GPT-4 0314 retirement --The `gpt-35-turbo` (`0301`) and both `gpt-4` (`0314`) models will be retired no earlier than July 5, 2024. Upon retirement, deployments will automatically be upgraded to the default version at the time of retirement. If you would like your deployment to stop accepting completion requests rather than upgrading, then you'll be able to set the model upgrade option to expire through the API. - ## Viewing deprecation dates For currently deployed models, from Azure OpenAI Studio select **Deployments**: There are three distinct model deployment upgrade options which are configurable | Name | Description | ||--| | `OnceNewDefaultVersionAvailable` | Once a new version is designated as the default, the model deployment will automatically upgrade to the default version within two weeks of that designation change being made. |-`OnceCurrentVersionExpired` | Once the retirement date is reached the model deployment will automatically upgrade to the current default version. | -`NoAutoUpgrade` | The model deployment will never automatically upgrade. Once the retirement date is reached the model deployment will stop working. You will need to update your code referencing that deployment to point to a non-expired model deployment. | +|`OnceCurrentVersionExpired` | Once the retirement date is reached the model deployment will automatically upgrade to the current default version. | +|`NoAutoUpgrade` | The model deployment will never automatically upgrade. Once the retirement date is reached the model deployment will stop working. You will need to update your code referencing that deployment to point to a non-expired model deployment. | To query the current model deployment settings including the deployment upgrade configuration for a given resource use [`Deployments List`](/rest/api/cognitiveservices/accountmanagement/deployments/list?tabs=HTTP#code-try-0) |
azure-arc | Validation Program | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/validation-program.md | To see how all Azure Arc-enabled components are validated, see [Validation progr |Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL server version |--|--|--|--|--|+|TKGs 2.2|1.25.7|1.23.0_2023-09-12|16.0.5100.7246|14.5 (Ubuntu 20.04)| |TKGm 2.3|1.26.5|1.23.0_2023-09-12|16.0.5100.7246|14.5 (Ubuntu 20.04)| |TKGm 2.2|1.25.7|1.19.0_2023-05-09|16.0.937.6223|14.5 (Ubuntu 20.04)| |TKGm 2.1.0|1.24.9|1.15.0_2023-01-10|16.0.816.19223|14.5 (Ubuntu 20.04)|-|TKGm 1.6.0|1.23.8|1.11.0_2022-09-13|16.0.312.4243|12.3 (Ubuntu 12.3-1)| + ### Wind River More tests will be added in future releases of Azure Arc-enabled data services. + |
azure-arc | Onboard Windows Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-windows-server.md | Title: Connect Windows Server machines to Azure through Azure Arc Setup description: In this article, you learn how to connect Windows Server machines to Azure Arc using the built-in Windows Server Azure Arc Setup wizard. Previously updated : 10/10/2023 Last updated : 10/12/2023 # Connect Windows Server machines to Azure through Azure Arc Setup -Windows Server machines can be onboarded directly to Azure Arc through a graphical wizard included in Windows Server. The wizard automates the onboarding process by checking the necessary prerequisites for successful Azure Arc onboarding and fetching and installing the latest version of the Azure Connected Machine (AzCM) agent. Once the wizard process completes, you're directed to your Window Server machine in the Azure portal, where it can be viewed and managed like any other Azure Arc-enabled resource. +Windows Server machines can be onboarded directly to [Azure Arc](https://azure.microsoft.com/products/azure-arc/) through a graphical wizard included in Windows Server. The wizard automates the onboarding process by checking the necessary prerequisites for successful Azure Arc onboarding and fetching and installing the latest version of the Azure Connected Machine (AzCM) agent. Once the wizard process completes, you're directed to your Window Server machine in the Azure portal, where it can be viewed and managed like any other Azure Arc-enabled resource. ++Onboarding to Azure Arc is not needed if the Windows Server machine is already running in Azure. > [!NOTE] > This feature only applies to Windows Server 2022 and later. It was released in the [Cumulative Update of 10/10/2023](https://support.microsoft.com/en-us/topic/october-10-2023-kb5031364-os-build-20348-2031-7f1d69e7-c468-4566-887a-1902af791bbc). Windows Server machines can be onboarded directly to Azure Arc through a graphic * An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -* Modern browser (Microsoft Edge) for authentication to Microsoft Azure. Configuration of the Azure Connected Machine agent requires authentication to your Azure account, either through interactive authentication on a modern browser or device code log-in on a separate device (if the machine doesn't have a modern browser). +* Modern browser (Microsoft Edge) for authentication to Microsoft Azure. Configuration of the Azure Connected Machine agent requires authentication to your Azure account, either through interactive authentication on a modern browser or device code login on a separate device (if the machine doesn't have a modern browser). ## Launch Azure Arc Setup and connect to Azure Arc The Azure Arc Setup wizard is launched from a system tray icon at the bottom of :::image type="content" source="media/onboard-windows-server/resource-details.png" alt-text="Screenshot of resource details window with fields."::: -1. Select an option for enabling Azure Automanage on your machine, and then click **Next**. -- Azure Automanage machine best practices help enhance reliability, security, and management for virtual machines. To learn more, see [Azure Automanage machine best practices](/azure/automanage/overview-about). - 1. Once the configuration completes and your machine is onboarded to Azure Arc, select **Finish**. 1. Go to the Server Manager and select **Local Server** to view the status of the machine in the **Azure Arc Management** field. A successfully onboarded machine has a status of **Enabled**. To uninstall Azure Arc Setup, follow these steps: 1. On the confirmation page, select **Restart the destination server automatically if required**, then select **Remove**. +To uninstall Azure Arc Setup through PowerShell, run the following command: ++```powershell +Disable-WindowsOptionalFeature -Online -FeatureName AzureArcSetup +``` + > [!NOTE] > Uninstalling Azure Arc Setup does not uninstall the Azure Connected Machine agent from the machine. For instructions on uninstalling the agent, see [Managing and maintaining the Connected Machine agent](manage-agent.md). > |
azure-monitor | Codeless Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/codeless-overview.md | Links are provided to more information for each supported scenario. |Environment/Resource provider | .NET Framework | .NET Core / .NET | Java | Node.js | Python | |-|-|-|--|-|--|-|Azure App Service on Windows - Publish as Code | [ :white_check_mark: :link: ](azure-web-apps-net.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-net-core.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-java.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md) <sup>[1](#OnBD)</sup> | :x: | -|Azure App Service on Windows - Publish as Docker | [ :white_check_mark: :link: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) <sup>[2](#Preview)</sup> | [ :white_check_mark: :link: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) <sup>[2](#Preview)</sup> | [ :white_check_mark: :link: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) <sup>[2](#Preview)</sup> | [ :white_check_mark: :link: ](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/public-preview-application-insights-auto-instrumentation-for/ba-p/3947971) <sup>[2](#Preview)</sup> | :x: | -|Azure App Service on Linux - Publish as Code | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-java.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: | -|Azure App Service on Linux - Publish as Docker | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: | -|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | +|Azure App Service on Windows - Publish as Code | [ :white_check_mark: :link: ](azure-web-apps-net.md) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-net-core.md) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-java.md) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md) ┬╣ | :x: | +|Azure App Service on Windows - Publish as Docker | [ :white_check_mark: :link: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ┬▓ | [ :white_check_mark: :link: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ┬▓ | [ :white_check_mark: :link: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ┬▓ | [ :white_check_mark: :link: ](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/public-preview-application-insights-auto-instrumentation-for/ba-p/3947971) ┬▓ | :x: | +|Azure App Service on Linux - Publish as Code | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-java.md) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: | +|Azure App Service on Linux - Publish as Docker | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) | [ :white_check_mark: :link: ](azure-web-apps-java.md) | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: | +|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ | |Azure Functions - dependencies | :x: | :x: | [ :white_check_mark: :link: ](monitor-functions.md) | :x: | [ :white_check_mark: :link: ](monitor-functions.md#distributed-tracing-for-python-function-apps) | |Azure Spring Cloud | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | :x: | :x: | |Azure Kubernetes Service (AKS) | :x: | :x: | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |-|Azure VMs Windows | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) <sup>[2](#Preview)</sup> <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) <sup>[2](#Preview)</sup> <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: | -|On-premises VMs Windows | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) <sup>[2](#Preview)</sup> <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: | +|Azure VMs Windows | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) ┬▓ ┬│ | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) ┬▓ ┬│ | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: | +|On-premises VMs Windows | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) ┬│ | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) ┬▓ ┬│ | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: | |Standalone agent - any environment | :x: | :x: | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: | **Footnotes**-- <a name="OnBD">1</a>: Application Insights is on by default and enabled automatically.-- <a name="Preview">2</a>: This feature is in public preview. See [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).-- <a name="Agent">3</a>: An agent must be deployed and configured.+- ┬╣: Application Insights is on by default and enabled automatically. +- ┬▓: This feature is in public preview. See [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +- ┬│: An agent must be deployed and configured. > [!NOTE] > Autoinstrumentation was known as "codeless attach" before October 2021. |
azure-monitor | Distributed Trace Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/distributed-trace-data.md | + + Title: Distributed tracing and telemetry correlation in Azure Application Insights +description: This article provides information about distributed tracing and telemetry correlation + Last updated : 10/14/2023++ms.devlang: csharp, java, javascript, python ++++# What is distributed tracing and telemetry correlation? ++Modern cloud and [microservices](https://azure.com/microservices) architectures have enabled simple, independently deployable services that reduce costs while increasing availability and throughput. However, it has made overall systems more difficult to reason about and debug. Distributed tracing solves this problem by providing a performance profiler that works like call stacks for cloud and microservices architectures. ++Azure Monitor provides two experiences for consuming distributed trace data: the [transaction diagnostics](./search-and-transaction-diagnostics.md?tabs=transaction-diagnostics) view for a single transaction/request and the [application map](./app-map.md) view to show how systems interact. ++[Application Insights](app-insights-overview.md#application-insights-overview) can monitor each component separately and detect which component is responsible for failures or performance degradation by using distributed telemetry correlation. This article explains the data model, context-propagation techniques, protocols, and implementation of correlation tactics on different languages and platforms used by Application Insights. ++## Enable distributed tracing ++To enable distributed tracing for an application, add the right agent, SDK, or library to each service based on its programming language. ++### Enable via Application Insights through autoinstrumentation or SDKs ++The Application Insights agents and SDKs for .NET, .NET Core, Java, Node.js, and JavaScript all support distributed tracing natively. Instructions for installing and configuring each Application Insights SDK are available for: ++* [.NET](asp-net.md) +* [.NET Core](asp-net-core.md) +* [Java](./opentelemetry-enable.md?tabs=java) +* [Node.js](../app/nodejs.md) +* [JavaScript](./javascript.md#enable-distributed-tracing) +* [Python](/previous-versions/azure/azure-monitor/app/opencensus-python) ++With the proper Application Insights SDK installed and configured, tracing information is automatically collected for popular frameworks, libraries, and technologies by SDK dependency autocollectors. The full list of supported technologies is available in the [Dependency autocollection documentation](asp-net-dependencies.md#dependency-auto-collection). ++ Any technology also can be tracked manually with a call to [TrackDependency](./api-custom-events-metrics.md) on the [TelemetryClient](./api-custom-events-metrics.md). ++### Enable via OpenTelemetry ++Application Insights now supports distributed tracing through [OpenTelemetry](https://opentelemetry.io/). OpenTelemetry provides a vendor-neutral instrumentation to send traces, metrics, and logs to Application Insights. Initially, the OpenTelemetry community took on distributed tracing. Metrics and logs are still in progress. ++A complete observability story includes all three pillars. Check the status of our [Azure Monitor OpenTelemetry-based offerings](opentelemetry-enable.md) to see the latest status on what's included, which offerings are generally available, and support options. ++The following pages consist of language-by-language guidance to enable and configure Microsoft's OpenTelemetry-based offerings. Importantly, we share the available functionality and limitations of each offering so you can determine whether OpenTelemetry is right for your project. ++* [.NET](opentelemetry-enable.md?tabs=net) +* [Java](opentelemetry-enable.md?tabs=java) +* [Node.js](opentelemetry-enable.md?tabs=nodejs) +* [Python](opentelemetry-enable.md?tabs=python) ++### Enable via OpenCensus ++In addition to the Application Insights SDKs, Application Insights also supports distributed tracing through [OpenCensus](https://opencensus.io/). OpenCensus is an open-source, vendor-agnostic, single distribution of libraries to provide metrics collection and distributed tracing for services. It also enables the open-source community to enable distributed tracing with popular technologies like Redis, Memcached, or MongoDB. [Microsoft collaborates on OpenCensus with several other monitoring and cloud partners](https://open.microsoft.com/2018/06/13/microsoft-joins-the-opencensus-project/). ++For more information on OpenCensus for Python, see [Set up Azure Monitor for your Python application](/previous-versions/azure/azure-monitor/app/opencensus-python). ++The OpenCensus website maintains API reference documentation for [Python](https://opencensus.io/api/python/trace/usage.html), [Go](https://godoc.org/go.opencensus.io), and various guides for using OpenCensus. ++## Data model for telemetry correlation ++Application Insights defines a [data model](../../azure-monitor/app/data-model-complete.md) for distributed telemetry correlation. To associate telemetry with a logical operation, every telemetry item has a context field called `operation_Id`. Every telemetry item in the distributed trace shares this identifier. So even if you lose telemetry from a single layer, you can still associate telemetry reported by other components. ++A distributed logical operation typically consists of a set of smaller operations that are requests processed by one of the components. [Request telemetry](../../azure-monitor/app/data-model-complete.md#request) defines these operations. Every request telemetry item has its own `id` that identifies it uniquely and globally. And all telemetry items (such as traces and exceptions) that are associated with the request should set the `operation_parentId` to the value of the request `id`. ++[Dependency telemetry](../../azure-monitor/app/data-model-complete.md#dependency) represents every outgoing operation, such as an HTTP call to another component. It also defines its own `id` that's globally unique. Request telemetry, initiated by this dependency call, uses this `id` as its `operation_parentId`. ++You can build a view of the distributed logical operation by using `operation_Id`, `operation_parentId`, and `request.id` with `dependency.id`. These fields also define the causality order of telemetry calls. ++In a microservices environment, traces from components can go to different storage items. Every component can have its own connection string in Application Insights. To get telemetry for the logical operation, Application Insights queries data from every storage item. ++When the number of storage items is large, you need a hint about where to look next. The Application Insights data model defines two fields to solve this problem: `request.source` and `dependency.target`. The first field identifies the component that initiated the dependency request. The second field identifies which component returned the response of the dependency call. ++For information on querying from multiple disparate instances by using the `app` query expression, see [app() expression in Azure Monitor query](../logs/app-expression.md#app-expression-in-azure-monitor-query). ++## Example ++Let's look at an example. An application called Stock Prices shows the current market price of a stock by using an external API called Stock. The Stock Prices application has a page called Stock page that the client web browser opens by using `GET /Home/Stock`. The application queries the Stock API by using the HTTP call `GET /api/stock/value`. ++You can analyze the resulting telemetry by running a query: ++```kusto +(requests | union dependencies | union pageViews) +| where operation_Id == "STYz" +| project timestamp, itemType, name, id, operation_ParentId, operation_Id +``` ++In the results, all telemetry items share the root `operation_Id`. When an Ajax call is made from the page, a new unique ID (`qJSXU`) is assigned to the dependency telemetry, and the ID of the pageView is used as `operation_ParentId`. The server request then uses the Ajax ID as `operation_ParentId`. ++| itemType | name | ID | operation_ParentId | operation_Id | +|||-|-|-| +| pageView | Stock page | `STYz` | | `STYz` | +| dependency | GET /Home/Stock | `qJSXU` | `STYz` | `STYz` | +| request | GET Home/Stock | `KqKwlrSt9PA=` | `qJSXU` | `STYz` | +| dependency | GET /api/stock/value | `bBrf2L7mm2g=` | `KqKwlrSt9PA=` | `STYz` | ++When the call `GET /api/stock/value` is made to an external service, you need to know the identity of that server so you can set the `dependency.target` field appropriately. When the external service doesn't support monitoring, `target` is set to the host name of the service. An example is `stock-prices-api.com`. But if the service identifies itself by returning a predefined HTTP header, `target` contains the service identity that allows Application Insights to build a distributed trace by querying telemetry from that service. ++## Correlation headers using W3C TraceContext ++Application Insights is transitioning to [W3C Trace-Context](https://w3c.github.io/trace-context/), which defines: ++- `traceparent`: Carries the globally unique operation ID and unique identifier of the call. +- `tracestate`: Carries system-specific tracing context. ++The latest version of the Application Insights SDK supports the Trace-Context protocol, but you might need to opt in to it. (Backward compatibility with the previous correlation protocol supported by the Application Insights SDK is maintained.) ++The [correlation HTTP protocol, also called Request-Id](https://github.com/dotnet/runtime/blob/master/src/libraries/System.Diagnostics.DiagnosticSource/src/HttpCorrelationProtocol.md), is being deprecated. This protocol defines two headers: ++- `Request-Id`: Carries the globally unique ID of the call. +- `Correlation-Context`: Carries the name-value pairs collection of the distributed trace properties. ++Application Insights also defines the [extension](https://github.com/lmolkov) for the correlation HTTP protocol. It uses `Request-Context` name-value pairs to propagate the collection of properties used by the immediate caller or callee. The Application Insights SDK uses this header to set the `dependency.target` and `request.source` fields. ++The [W3C Trace-Context](https://w3c.github.io/trace-context/) and Application Insights data models map in the following way: ++| Application Insights | W3C TraceContext | +| |-| +| `Id` of `Request` and `Dependency` | [parent-id](https://w3c.github.io/trace-context/#parent-id) | +| `Operation_Id` | [trace-id](https://w3c.github.io/trace-context/#trace-id) | +| `Operation_ParentId` | [parent-id](https://w3c.github.io/trace-context/#parent-id) of this span's parent span. This field must be empty if it's a root span.| ++For more information, see [Application Insights telemetry data model](../../azure-monitor/app/data-model-complete.md). ++### Enable W3C distributed tracing support for .NET apps ++W3C TraceContext-based distributed tracing is enabled by default in all recent +.NET Framework/.NET Core SDKs, along with backward compatibility with legacy Request-Id protocol. ++### Enable W3C distributed tracing support for Java apps ++#### Java 3.0 agent ++ Java 3.0 agent supports W3C out of the box, and no more configuration is needed. ++#### Java SDK ++- **Incoming configuration** ++ For Java EE apps, add the following code to the `<TelemetryModules>` tag in *ApplicationInsights.xml*: ++ ```xml + <Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebRequestTrackingTelemetryModule> + <Param name = "W3CEnabled" value ="true"/> + <Param name ="enableW3CBackCompat" value = "true" /> + </Add> + ``` ++ For Spring Boot apps, add these properties: ++ - `azure.application-insights.web.enable-W3C=true` + - `azure.application-insights.web.enable-W3C-backcompat-mode=true` ++- **Outgoing configuration** ++ Add the following code to *AI-Agent.xml*: ++ ```xml + <Instrumentation> + <BuiltIn enabled="true"> + <HTTP enabled="true" W3C="true" enableW3CBackCompat="true"/> + </BuiltIn> + </Instrumentation> + ``` ++ > [!NOTE] + > Backward compatibility mode is enabled by default, and the `enableW3CBackCompat` parameter is optional. Use it only when you want to turn backward compatibility off. + > + > Ideally, you'll' turn off this mode when all your services are updated to newer versions of SDKs that support the W3C protocol. We highly recommend that you move to these newer SDKs as soon as possible. ++It's important to make sure the incoming and outgoing configurations are exactly the same. ++### Enable W3C distributed tracing support for web apps ++This feature is enabled by default for JavaScript and the headers are automatically included when the hosting page domain is the same as the domain the requests are sent to (for example, the hosting page is `example.com` and the Ajax requests are sent to `example.com`). To change the distributed tracing mode, use the [`distributedTracingMode` configuration field](./javascript-sdk-configuration.md#sdk-configuration). AI_AND_W3C is provided by default for backward compatibility with any legacy services instrumented by Application Insights. ++- **[npm-based setup](./javascript-sdk.md?tabs=npmpackage#get-started)** ++ Add the following configuration: + ```JavaScript + distributedTracingMode: DistributedTracingModes.W3C + ``` ++- **[JavaScript (Web) SDK Loader Script-based setup](./javascript-sdk.md?tabs=javascriptwebsdkloaderscript#get-started)** ++ Add the following configuration: + ``` + distributedTracingMode: 2 // DistributedTracingModes.W3C + ``` ++If the XMLHttpRequest or Fetch Ajax requests are sent to a different domain host, including subdomains, the correlation headers aren't included by default. To enable this feature, set the [`enableCorsCorrelation` configuration field](./javascript-sdk-configuration.md#sdk-configuration) to `true`. If you set `enableCorsCorrelation` to `true`, all XMLHttpRequest and Fetch Ajax requests include the correlation headers. As a result, if the application on the server that is being called doesn't support the `traceparent` header, the request might fail, depending on whether the browser / version can validate the request based on which headers the server accepts. ++> [!IMPORTANT] +> To see all configurations required to enable correlation, see the [JavaScript correlation documentation](./javascript.md#enable-distributed-tracing). ++## Telemetry correlation in OpenCensus Python ++OpenCensus Python supports [W3C Trace-Context](https://w3c.github.io/trace-context/) without requiring extra configuration. ++For a reference, you can find the OpenCensus data model on [this GitHub page](https://github.com/census-instrumentation/opencensus-specs/tree/master/trace). ++### Incoming request correlation ++OpenCensus Python correlates W3C Trace-Context headers from incoming requests to the spans that are generated from the requests themselves. OpenCensus correlates automatically with integrations for these popular web application frameworks: Flask, Django, and Pyramid. You just need to populate the W3C Trace-Context headers with the [correct format](https://www.w3.org/TR/trace-context/#trace-context-http-headers-format) and send them with the request. ++Explore this sample Flask application. Install Flask, OpenCensus, and the extensions for Flask and Azure. ++```shell ++pip install flask opencensus opencensus-ext-flask opencensus-ext-azure ++``` ++You need to add your Application Insights connection string to the environment variable. ++```shell +APPLICATIONINSIGHTS_CONNECTION_STRING=<appinsights-connection-string> +``` ++**Sample Flask Application** ++```python +from flask import Flask +from opencensus.ext.azure.trace_exporter import AzureExporter +from opencensus.ext.flask.flask_middleware import FlaskMiddleware +from opencensus.trace.samplers import ProbabilitySampler ++app = Flask(__name__) +middleware = FlaskMiddleware( + app, + exporter=AzureExporter( + connection_string='<appinsights-connection-string>', # or set environment variable APPLICATION_INSIGHTS_CONNECTION_STRING + ), + sampler=ProbabilitySampler(rate=1.0), +) ++@app.route('/') +def hello(): + return 'Hello World!' ++if __name__ == '__main__': + app.run(host='localhost', port=8080, threaded=True) +``` ++This code runs a sample Flask application on your local machine, listening to port `8080`. To correlate trace context, you send a request to the endpoint. In this example, you can use a `curl` command: ++``` +curl --header "traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01" localhost:8080 +``` ++By looking at the [Trace-Context header format](https://www.w3.org/TR/trace-context/#trace-context-http-headers-format), you can derive the following information: ++`version`: `00` ++`trace-id`: `4bf92f3577b34da6a3ce929d0e0e4736` ++`parent-id/span-id`: `00f067aa0ba902b7` ++`trace-flags`: `01` ++If you look at the request entry that was sent to Azure Monitor, you can see fields populated with the trace header information. You can find the data under **Logs (Analytics)** in the Azure Monitor Application Insights resource. +++The `id` field is in the format `<trace-id>.<span-id>`, where `trace-id` is taken from the trace header that was passed in the request and `span-id` is a generated 8-byte array for this span. ++The `operation_ParentId` field is in the format `<trace-id>.<parent-id>`, where both `trace-id` and `parent-id` are taken from the trace header that was passed in the request. ++### Log correlation ++OpenCensus Python enables you to correlate logs by adding a trace ID, a span ID, and a sampling flag to log records. You add these attributes by installing OpenCensus [logging integration](https://pypi.org/project/opencensus-ext-logging/). The following attributes are added to Python `LogRecord` objects: `traceId`, `spanId`, and `traceSampled` (applicable only for loggers that are created after the integration). ++Install the OpenCensus logging integration: ++```console +python -m pip install opencensus-ext-logging +``` ++**Sample application** ++```python +import logging ++from opencensus.trace import config_integration +from opencensus.trace.samplers import AlwaysOnSampler +from opencensus.trace.tracer import Tracer ++config_integration.trace_integrations(['logging']) +logging.basicConfig(format='%(asctime)s traceId=%(traceId)s spanId=%(spanId)s %(message)s') +tracer = Tracer(sampler=AlwaysOnSampler()) ++logger = logging.getLogger(__name__) +logger.warning('Before the span') +with tracer.span(name='hello'): + logger.warning('In the span') +logger.warning('After the span') +``` +When this code runs, the following prints in the console: +``` +2019-10-17 11:25:59,382 traceId=c54cb1d4bbbec5864bf0917c64aeacdc spanId=0000000000000000 Before the span +2019-10-17 11:25:59,384 traceId=c54cb1d4bbbec5864bf0917c64aeacdc spanId=70da28f5a4831014 In the span +2019-10-17 11:25:59,385 traceId=c54cb1d4bbbec5864bf0917c64aeacdc spanId=0000000000000000 After the span +``` ++Notice that there's a `spanId` present for the log message that's within the span. The `spanId` is the same as that which belongs to the span named `hello`. ++You can export the log data by using `AzureLogHandler`. For more information, see [Set up Azure Monitor for your Python application](/previous-versions/azure/azure-monitor/app/opencensus-python#logs). ++We can also pass trace information from one component to another for proper correlation. For example, consider a scenario where there are two components, `module1` and `module2`. Module 1 calls functions in Module 2. To get logs from both `module1` and `module2` in a single trace, we can use the following approach: +++```python +# module1.py +import logging ++from opencensus.trace import config_integration +from opencensus.trace.samplers import AlwaysOnSampler +from opencensus.trace.tracer import Tracer +from module_2 import function_1 ++config_integration.trace_integrations(["logging"]) +logging.basicConfig( + format="%(asctime)s traceId=%(traceId)s spanId=%(spanId)s %(message)s" +) +tracer = Tracer(sampler=AlwaysOnSampler()) ++logger = logging.getLogger(__name__) +logger.warning("Before the span") ++with tracer.span(name="hello"): + logger.warning("In the span") + function_1(logger, tracer) +logger.warning("After the span") +``` ++```python +# module_2.py +import logging ++from opencensus.trace import config_integration +from opencensus.trace.samplers import AlwaysOnSampler +from opencensus.trace.tracer import Tracer ++config_integration.trace_integrations(["logging"]) +logging.basicConfig( + format="%(asctime)s traceId=%(traceId)s spanId=%(spanId)s %(message)s" +) +logger = logging.getLogger(__name__) +tracer = Tracer(sampler=AlwaysOnSampler()) +++def function_1(logger=logger, parent_tracer=None): + if parent_tracer is not None: + tracer = Tracer( + span_context=parent_tracer.span_context, + sampler=AlwaysOnSampler(), + ) + else: + tracer = Tracer(sampler=AlwaysOnSampler()) ++ with tracer.span("function_1"): + logger.info("In function_1") ++``` ++## Telemetry correlation in .NET ++Correlation is handled by default when onboarding an app. No special actions are required. ++* [Application Insights for ASP.NET Core applications](asp-net-core.md#application-insights-for-aspnet-core-applications) +* [Configure Application Insights for your ASP.NET website](asp-net.md#configure-application-insights-for-your-aspnet-website) +* [Application Insights for Worker Service applications (non-HTTP applications)](worker-service.md#application-insights-for-worker-service-applications-non-http-applications) ++.NET runtime supports distributed with the help of [Activity](https://github.com/dotnet/runtime/blob/master/src/libraries/System.Diagnostics.DiagnosticSource/src/ActivityUserGuide.md) and [DiagnosticSource](https://github.com/dotnet/runtime/blob/master/src/libraries/System.Diagnostics.DiagnosticSource/src/DiagnosticSourceUsersGuide.md) ++The Application Insights .NET SDK uses `DiagnosticSource` and `Activity` to collect and correlate telemetry. ++<a name="java-correlation"></a> +## Telemetry correlation in Java ++[Java agent](./opentelemetry-enable.md?tabs=java) supports automatic correlation of telemetry. It automatically populates `operation_id` for all telemetry (like traces, exceptions, and custom events) issued within the scope of a request. It also propagates the correlation headers that were described earlier for service-to-service calls via HTTP, if the [Java SDK agent](deprecated-java-2x.md#monitor-dependencies-caught-exceptions-and-method-execution-times-in-java-web-apps) is configured. ++> [!NOTE] +> Application Insights Java agent autocollects requests and dependencies for JMS, Kafka, Netty/Webflux, and more. For Java SDK, only calls made via Apache HttpClient are supported for the correlation feature. Automatic context propagation across messaging technologies like Kafka, RabbitMQ, and Azure Service Bus isn't supported in the SDK. ++To collect custom telemetry, you need to instrument the application with Java 2.6 SDK. ++### Role names ++You might want to customize the way component names are displayed in [Application Map](../../azure-monitor/app/app-map.md). To do so, you can manually set `cloud_RoleName` by taking one of the following actions: ++- For Application Insights Java, set the cloud role name as follows: ++ ```json + { + "role": { + "name": "my cloud role name" + } + } + ``` ++ You can also set the cloud role name by using the environment variable `APPLICATIONINSIGHTS_ROLE_NAME`. ++- With Application Insights Java SDK 2.5.0 and later, you can specify `cloud_RoleName` + by adding `<RoleName>` to your *ApplicationInsights.xml* file: ++ :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot that shows Application Insights overview and connection string." lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png"::: ++ ```xml + <?xml version="1.0" encoding="utf-8"?> + <ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings" schemaVersion="2014-05-30"> + <ConnectionString>InstrumentationKey=00000000-0000-0000-0000-000000000000</ConnectionString> + <RoleName>** Your role name **</RoleName> + ... + </ApplicationInsights> + ``` ++- If you use Spring Boot with the Application Insights Spring Boot Starter, set your custom name for the application in the *application.properties* file: ++ `spring.application.name=<name-of-app>` ++You can also set the cloud role name via environment variable or system property. See [Configuring cloud role name](./java-standalone-config.md#cloud-role-name) for details. ++## Next steps ++- [Application map](./app-map.md) +- Write [custom telemetry](../../azure-monitor/app/api-custom-events-metrics.md). +- For advanced correlation scenarios in ASP.NET Core and ASP.NET, see [Track custom operations](custom-operations-tracking.md). +- Learn more about [setting cloud_RoleName](./app-map.md#set-or-override-cloud-role-name) for other SDKs. +- Onboard all components of your microservice on Application Insights. Check out the [supported platforms](./app-insights-overview.md#supported-languages). +- See the [data model](./data-model-complete.md) for Application Insights types. +- Learn how to [extend and filter telemetry](./api-filtering-sampling.md). +- Review the [Application Insights config reference](configuration-with-applicationinsights-config.md). |
azure-monitor | Nodejs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/nodejs.md | process.env.APPLICATIONINSIGHTS_LOGDIR = "C:\\applicationinsights\\logs"; <!--references--> -[FAQ]: ../faq.yml +[FAQ]: ./app-insights-overview.md#frequently-asked-questions |
azure-monitor | Opentelemetry Add Modify | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md | -To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry). +To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](#frequently-asked-questions). <!NOTE TO CONTRIBUTORS: PLEASE DO NOT SEPARATE OUT JAVASCRIPT AND TYPESCRIPT INTO DIFFERENT TABS.> input() ### Add custom exceptions Select instrumentation libraries automatically report exceptions to Application Insights.-However, you may want to manually report exceptions beyond what instrumentation libraries report. -For instance, exceptions caught by your code aren't ordinarily reported. You may wish to report them +However, you might want to manually report exceptions beyond what instrumentation libraries report. +For instance, exceptions caught by your code aren't ordinarily reported. You might wish to report them to draw attention in relevant experiences including the failures section and end-to-end transaction views. #### [ASP.NET Core](#tab/aspnetcore) with tracer.start_as_current_span("hello", record_exception=False) as span: ### Add custom spans -You may want to add a custom span in two scenarios. First, when there's a dependency request not already collected by an instrumentation library. Second, when you wish to model an application process as a span on the end-to-end transaction view. +You might want to add a custom span in two scenarios. First, when there's a dependency request not already collected by an instrumentation library. Second, when you wish to model an application process as a span on the end-to-end transaction view. #### [ASP.NET Core](#tab/aspnetcore) Currently unavailable. ### Send custom telemetry using the Application Insights Classic API -We recommend you use the OpenTelemetry APIs whenever possible, but there may be some scenarios when you have to use the Application Insights [Classic API](api-custom-events-metrics.md)s. +We recommend you use the OpenTelemetry APIs whenever possible, but there might be some scenarios when you have to use the Application Insights [Classic API](api-custom-events-metrics.md)s. #### [ASP.NET Core](#tab/aspnetcore) span_id = trace.get_current_span().get_span_context().span_id + [!INCLUDE [azure-monitor-app-insights-opentelemetry-support](../includes/azure-monitor-app-insights-opentelemetry-support.md)] ## Next steps |
azure-monitor | Opentelemetry Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md | export OTEL_SERVICE_NAME="my-helloworld-service" ## Enable Sampling -You may want to enable sampling to reduce your data ingestion volume, which reduces your cost. Azure Monitor provides a custom *fixed-rate* sampler that populates events with a sampling ratio, which Application Insights converts to `ItemCount`. The *fixed-rate* sampler ensures accurate experiences and event counts. The sampler is designed to preserve your traces across services, and it's interoperable with older Application Insights SDKs. For more information, see [Learn More about sampling](sampling.md#brief-summary). +You might want to enable sampling to reduce your data ingestion volume, which reduces your cost. Azure Monitor provides a custom *fixed-rate* sampler that populates events with a sampling ratio, which Application Insights converts to `ItemCount`. The *fixed-rate* sampler ensures accurate experiences and event counts. The sampler is designed to preserve your traces across services, and it's interoperable with older Application Insights SDKs. For more information, see [Learn More about sampling](sampling.md#brief-summary). > [!NOTE] > Metrics and Logs are unaffected by sampling. For more information about OpenTelemetry SDK configuration, see the [OpenTelemet + [!INCLUDE [azure-monitor-app-insights-opentelemetry-support](../includes/azure-monitor-app-insights-opentelemetry-support.md)] |
azure-monitor | Opentelemetry Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-enable.md | -This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). We walk through how to install the "Azure Monitor OpenTelemetry Distro." The Distro [automatically collects](opentelemetry-add-modify.md#automatic-data-collection) traces, metrics, logs, and exceptions across your application and its dependencies. To learn more about collecting data using OpenTelemetry, see [Data Collection Basics](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry). +This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). We walk through how to install the "Azure Monitor OpenTelemetry Distro." The Distro [automatically collects](opentelemetry-add-modify.md#automatic-data-collection) traces, metrics, logs, and exceptions across your application and its dependencies. To learn more about collecting data using OpenTelemetry, see [Data Collection Basics](opentelemetry-overview.md) or [OpenTelemetry FAQ](#frequently-asked-questions). ## OpenTelemetry Release Status OpenTelemetry offerings are available for .NET, Node.js, Python and Java applica - ┬▓ :warning: : OpenTelemetry is available as a public preview. [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) > [!NOTE]-> For a feature-by-feature release status, see the [FAQ](../faq.yml#what-s-the-current-release-state-of-features-within-the-azure-monitor-opentelemetry-distro-). +> For a feature-by-feature release status, see the [FAQ](#whats-the-current-release-state-of-features-within-the-azure-monitor-opentelemetry-distro). > The ASP.NET Core Distro is undergoing additional stability testing prior to GA. You can use the .NET Exporter if you need a fully supported OpenTelemetry solution for your ASP.NET Core application. ## Get started You've now enabled Application Insights for your application. All the following As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. To learn more, see [Statsbeat in Azure Application Insights](./statsbeat.md). + [!INCLUDE [azure-monitor-app-insights-opentelemetry-support](../includes/azure-monitor-app-insights-opentelemetry-support.md)] ## Next steps |
azure-monitor | Opentelemetry Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-overview.md | There are two methods to instrument your application: - [Application Insights SDKs](asp-net-core.md) - [Azure Monitor OpenTelemetry Distros](opentelemetry-enable.md). -While we see OpenTelemetry as our future direction, we have no plans to stop collecting data from older SDKs. We still have a way to go before our Azure OpenTelemetry Distros [reach feature parity with our Application Insights SDKs](../faq.yml#what-s-the-current-release-state-of-features-within-the-azure-monitor-opentelemetry-distro-). In many cases, customers continue to choose to use Application Insights SDKs for quite some time. +While we see OpenTelemetry as our future direction, we have no plans to stop collecting data from older SDKs. We still have a way to go before our Azure OpenTelemetry Distros [reach feature parity with our Application Insights SDKs](./opentelemetry-enable.md#whats-the-current-release-state-of-features-within-the-azure-monitor-opentelemetry-distro). In many cases, customers continue to choose to use Application Insights SDKs for quite some time. > [!IMPORTANT] > "Manual" doesn't mean you'll be required to write complex code to define spans for distributed traces, although it remains an option. Instrumentation Libraries packaged into our Distros enable you to effortlessly capture telemetry signals across common frameworks and libraries. We're actively working to [instrument the most popular Azure Service SDKs using OpenTelemetry](https://devblogs.microsoft.com/azure-sdk/introducing-experimental-opentelemetry-support-in-the-azure-sdk-for-net/) so these signals are available to customers who use the Azure Monitor OpenTelemetry Distro. A direct exporter sends telemetry in-process (from the application's code) direc Alternatively, sending application telemetry via an agent like OpenTelemetry-Collector can have some benefits including sampling, post-processing, and more. Azure Monitor is developing an agent and ingestion endpoint that supports [Open Telemetry Protocol (OTLP)](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/README.md), providing a path for any OpenTelemetry-supported programming language beyond our [supported languages](platforms.md) to use to Azure Monitor. > [!NOTE]-> For Azure Monitor's position on the [OpenTelemetry-Collector](https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/design.md), see the [OpenTelemetry FAQ](../faq.yml#can-i-use-the-opentelemetry-collector-). +> For Azure Monitor's position on the [OpenTelemetry-Collector](https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/design.md), see the [OpenTelemetry FAQ](./opentelemetry-enable.md#can-i-use-the-opentelemetry-collector). > [!TIP] > If you are planning to use OpenTelemetry-Collector for sampling or additional data processing, you may be able to get these same capabilities built-in to Azure Monitor. Customers who have migrated to [Workspace-based Appplication Insights](convert-classic-resource.md) can benefit from [Ingestion-time Transformations](../essentials/data-collection-transformations.md). To enable, follow the details in the [tutorial](../logs/tutorial-workspace-transformations-portal.md), skipping the step that shows how to set up a diagnostic setting since with Workspace-centric Application Insights this is already configured. If youΓÇÖre filtering less than 50% of the overall volume, itΓÇÖs no additional cost. After 50%, there is a cost but much less than the standard per GB charge. Select your enablement approach: - [JavaScript: Web](./javascript.md) - [Azure Monitor OpenTelemetry Distro](opentelemetry-enable.md) -Check out the [Azure Monitor Application Insights FAQ](./app-insights-overview.md#frequently-asked-questions) and [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry) for more information. +Check out the [Azure Monitor Application Insights FAQ](./app-insights-overview.md#frequently-asked-questions) and [OpenTelemetry FAQ](./opentelemetry-enable.md#frequently-asked-questions) for more information. |
azure-vmware | Concepts Private Clouds Clusters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/concepts-private-clouds-clusters.md | Title: Concepts - Private clouds and clusters description: Understand the key capabilities of Azure VMware Solution software-defined data centers and VMware vSphere clusters. Previously updated : 10/12/2023 Last updated : 10/14/2023 Each Azure VMware Solution architectural component has the following function: - Azure Subscription: Provides controlled access, budget, and quota management for the Azure VMware Solution. - Azure Region: Groups data centers into Availability Zones (AZs) and then groups AZs into regions. - Azure Resource Group: Places Azure services and resources into logical groups.-- Azure VMware Solution Private Cloud: Offers compute, networking, and storage resources using VMware software, including vCenter Server, NSX-T Data Center software-defined networking, vSAN software-defined storage, and Azure bare-metal ESXi hosts.-- Azure VMware Solution Resource Cluster: Provides compute, networking, and storage resources for customer workloads by scaling out the Azure VMware Solution private cloud using VMware software, including vSAN software-defined storage and Azure bare-metal ESXi hosts.+- Azure VMware Solution Private Cloud: Offers compute, networking, and storage resources using VMware software, including vCenter Server, NSX-T Data Center software-defined networking, vSAN software-defined storage, and Azure bare-metal ESXi hosts. Azure NetApp Files and Pure Cloud Block Store are also supported. +- Azure VMware Solution Resource Cluster: Provides compute, networking, and storage resources for customer workloads by scaling out the Azure VMware Solution private cloud using VMware software, including vSAN software-defined storage and Azure bare-metal ESXi hosts. Azure NetApp Files and Pure Cloud Block Store are also supported. - VMware HCX: Delivers mobility, migration, and network extension services. - VMware Site Recovery: Automates disaster recovery and storage replication services with VMware vSphere Replication. Third-party disaster recovery solutions Zerto Disaster Recovery and JetStream Software Disaster Recovery are also supported. - Dedicated Microsoft Enterprise Edge (D-MSEE): Router that connects Azure cloud and the Azure VMware Solution private cloud instance. |
batch | Batch Aad Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/batch-aad-auth.md | To authenticate with integrated authentication from Batch .NET: To authenticate with a service principal from Batch .NET: -1. Install the [Azure Batch .NET](https://www.nuget.org/packages/Azure.Batch/) and the [MSAL](https://www.nuget.org/packages/Microsoft.Identity.Client/) NuGet packages. +1. Install the [Azure Batch .NET](https://www.nuget.org/packages/Microsoft.Azure.Batch/) and the [MSAL](https://www.nuget.org/packages/Microsoft.Identity.Client/) NuGet packages. 1. Declare the following `using` statements in your code: |
defender-for-cloud | Agentless Container Registry Vulnerability Assessment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/agentless-container-registry-vulnerability-assessment.md | +r > [!NOTE] > This feature supports scanning of images in the Azure Container Registry (ACR) only. Images that are stored in other container registries should be imported into ACR for coverage. Learn how to [import container images to a container registry](/azure/container-registry/container-registry-import-images). Container vulnerability assessment powered by MDVM (Microsoft Defender Vulnerabi | [Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/ContainersRuntimeRecommendationDetailsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5)  | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 | - **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](/azure/governance/resource-graph/overview#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md#review-recommendation-data-in-azure-resource-graph-arg).-- **Query vulnerability information via subassessment API** - You can get scan results via [REST API](subassessment-rest-api.md).+- **Query scan results via REST API** - Learn how to query scan results via [REST API](subassessment-rest-api.md). - **Support for exemptions** - Learn how to [create exemption rules for a management group, resource group, or subscription](disable-vulnerability-findings-containers.md). - **Support for disabling vulnerabilities** - Learn how to [disable vulnerabilities on images](disable-vulnerability-findings-containers.md). |
defender-for-cloud | Incidents Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/incidents-reference.md | Title: Reference table for all incidents description: This article lists the incidents visible in Microsoft Defender for Cloud Previously updated : 06/07/2023 Last updated : 10/15/2023 # Incidents - a reference guide Learn how to [manage security incidents](incidents.md#managing-security-incident | **Security incident detected suspicious Kubernetes cluster activity (Preview)** | This incident indicates that suspicious activity has been detected on your Kubernetes cluster following suspicious user activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same cluster, which increases the fidelity of malicious activity in your environment. The suspicious activity on your Kubernetes cluster might indicate that a threat actor has gained unauthorized access to your environment and is attempting to compromise it. | High | | **Security incident detected suspicious storage activity (Preview)** | Scenario 1: This incident indicates that suspicious storage activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding suspicious storage activity may suggest they are attempting to access potentially sensitive data. <br><br> Scenario 2: This incident indicates that suspicious storage activity has been detected following suspicious user or service principal activity. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious account activity might indicate that a threat actor gained unauthorized access to your environment, and the succeeding suspicious storage activity may suggest they are attempting to access potentially sensitive data. | High | | **Security incident detected suspicious Azure toolkit activity (Preview)** | This incident indicates that suspicious activity has been detected following the potential usage of an Azure toolkit. Multiple alerts from different Defender for Cloud plans have been triggered on the same user or service principal, which increases the fidelity of malicious activity in your environment. The usage of an Azure toolkit can indicate that an attacker has gained unauthorized access to your environment and is attempting to compromise it. | High |-|**Security incident detected suspicious DNS activity (Preview)** | Scenario 1: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. |High| +|**Security incident detected suspicious DNS activity (Preview)** | Scenario 1: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious DNS activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious DNS activity might indicate that a threat actor gained unauthorized access to your environment and is attempting to compromise it. | Medium | |**Security incident detected suspicious SQL activity (Preview)** | Scenario 1: This incident indicates that suspicious SQL activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious SQL activity might indicate that a threat actor is targeting your SQL server and is attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious SQL activity has been detected. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious SQL activity might indicate that a threat actor is targeting your SQL server and is attempting to compromise it. |High| | **Security incident detected suspicious app service activity (Preview)** | Scenario 1: This incident indicates that suspicious activity has been detected in your app service environment. Multiple alerts from different Defender for Cloud plans have been triggered on the same resource, which increases the fidelity of malicious activity in your environment. Suspicious app service activity might indicate that a threat actor is targeting your application and may be attempting to compromise it. <br><br> Scenario 2: This incident indicates that suspicious activity has been detected in your app service environment. Multiple alerts from different Defender for Cloud plans have been triggered from the same IP address, which increases the fidelity of malicious activity in your environment. Suspicious app service activity might indicate that a threat actor is targeting your application and may be attempting to compromise it.ΓÇï | High | | **Security incident detected compromised machine** | This incident indicates suspicious activity on one or more of your virtual machines. Multiple alerts from different Defender for Cloud plans have been triggered in chronological order on the same resource, following the MITRE ATT&CK framework. This might indicate a threat actor has gained unauthorized access to your environment and successfully compromised this machine.| Medium/High | |
defender-for-cloud | Sql Azure Vulnerability Assessment Find | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/sql-azure-vulnerability-assessment-find.md | If the vulnerability settings show the option to configure a storage account, yo ## Find vulnerabilities in your Azure SQL databases -### [Express configuration (preview)](#tab/express) +### [Express configuration](#tab/express) ### Permissions |
defender-for-cloud | Upcoming Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md | The Attack Path's Azure Resource Graph (ARG) table scheme will be updated. The ` The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/) As a result, features of the two Defender for Cloud plans that rely on the Log Analytics agent are impacted, and they have updated strategies: [Defender for Servers](#defender-for-servers) and [Defender for SQL Server on machines](#defender-for-sql-server-on-machines). +## Deprecating two security incidents ++**Estimated date for change: November 2023** ++Following quality improvement process, the following security incidents are set to be deprecated: 'Security incident detected suspicious virtual machines activity' and 'Security incident detected on multiple machines'. + ## Next steps For all recent changes to Defender for Cloud, see [What's new in Microsoft Defender for Cloud?](release-notes.md). |
dev-box | How To Configure Azure Compute Gallery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/how-to-configure-azure-compute-gallery.md | To learn more about Azure Compute Gallery and how to create galleries, see: A gallery used to configure dev box definitions must have at least [one image definition and one image version](../virtual-machines/image-version.md). +When creating a virtual machine image, select an image from the marketplace that is Dev Box compatible, like the following examples: +- [Visual Studio 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoftvisualstudio.visualstudio2019plustools?tab=Overview) +- [Visual Studio 2022](https://azuremarketplace.microsoft.com/marketplace/apps/microsoftvisualstudio.visualstudioplustools?tab=Overview) + The image version must meet the following requirements: - Generation 2. - Hyper-V v2. |
dev-box | Overview What Is Microsoft Dev Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/overview-what-is-microsoft-dev-box.md | Dev Box service configuration begins with the creation of a dev center, which re Azure network connections enable dev boxes to communicate with your organization's network. The network connection provides a link between the dev center and your organization's virtual networks. In the network connection, you define how a dev box joins Microsoft Entra ID. Use a Microsoft Entra join to connect exclusively to cloud-based resources, or use a Microsoft Entra hybrid join to connect to on-premises resources and cloud-based resources. -Dev box definitions define the configuration of the dev boxes that are available to users. You can use an image from Azure Marketplace, like the **Visual Studio 2022 Enterprise on Windows 11 Enterprise + Microsoft 365 Apps 22H2** image. Or you can create your own custom image and store it in Azure Compute Gallery. Specify a SKU with compute and storage to complete the dev box definition. +Dev box definitions define the configuration of the dev boxes that are available to users. You can use an image from Azure Marketplace, like the **Visual Studio 2022 Enterprise on Windows 11 Enterprise + Microsoft 365 Apps 22H2** image. Or you can create your own custom image and store it in [Azure Compute Gallery](how-to-configure-azure-compute-gallery.md). Specify a SKU with compute and storage to complete the dev box definition. Dev Box projects are the point of access for development teams. You assign the Dev Box User role to a project to give a developer access to the dev box pools that are associated with the project. When the configuration of the service is complete, developers can create and man Microsoft Dev Box and [Azure Deployment Environments](../deployment-environments/overview-what-is-azure-deployment-environments.md) are complementary services that share certain architectural components. Deployment Environments provides developers with preconfigured cloud-based environments for developing applications. Dev centers and projects are common to both services, and they help organize resources in an enterprise. -When configuring Dev Box, you may see Deployment Environments resources and components. You may even see informational messages regarding Deployment Environments features. If you're not configuring any Deployment Environments features, you can safely ignore these messages. +When configuring Dev Box, you might see Deployment Environments resources and components. You might even see informational messages regarding Deployment Environments features. If you're not configuring any Deployment Environments features, you can safely ignore these messages. For example, as you create a project, you might see this informational message about catalogs: |
dev-box | Quickstart Create Dev Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-create-dev-box.md | To complete this quickstart, you need: :::image type="content" source="./media/quickstart-create-dev-box/create-dev-box.png" alt-text="Screenshot of the dialog for adding a dev box."::: - You may see the following information: + You see the following information: - How many dev boxes you can create in the project that you selected, if the project has limits configured. - Whether hibernation is supported or not. - A shutdown time if the pool where you're creating the dev box has a shutdown schedule. After you create a dev box, one way to access it quickly is through a browser: :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-open-in-browser.png" alt-text="Screenshot of dev box card that shows the option for opening in a browser."::: -A new tab opens with a Remote Desktop session through which you can use your dev box. +A new tab opens with a Remote Desktop session through which you can use your dev box. Use a work or school account to log in to your dev box, not a personal Microsoft account. ## Clean up resources |
healthcare-apis | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/release-notes.md | +> [!NOTE] +> In West US2 region, during provisioning new Azure API for FHIR instance errors are reported. FHIR service team is actively investigating the issue. + ## **August 2023** **Decimal value precision in FHIR service is updated per FHIR specification** |
machine-learning | Concept Retrieval Augmented Generation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/concept-retrieval-augmented-generation.md | To implement RAG, a few key requirements must be met. First, data should be form ## Conclusion -Azure Machine Learning allows you to incorporate RAG in your AI using the Azure AI Studio or using code with Azure Machine Learning pipelines. It offers several value additions like the ability to measure and enhance RAG workflows, test data generation, automatic prompt creation, and visualize prompt evaluation metrics. It enables the integration of RAG workflows into MLOps workflows using pipelines. You can also use your data with open source offerings like LangChain. +Azure Machine Learning allows you to incorporate RAG in your AI using the Azure Machine Learning Studio or using code with Azure Machine Learning pipelines. It offers several value additions like the ability to measure and enhance RAG workflows, test data generation, automatic prompt creation, and visualize prompt evaluation metrics. It enables the integration of RAG workflows into MLOps workflows using pipelines. You can also use your data with open source offerings like LangChain. ## Next steps |
search | Vector Search Ranking | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/vector-search-ranking.md | -# Relevance scoring in vector search +# Searching and relevance in vector search > [!IMPORTANT] > Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme). This article is for developers who need a deeper understanding of relevance scoring for vector queries in Azure Cognitive Search. -## Scoring algorithms used in vector search +## Vector search supported algorithms Azure Cognitive Search provides the following scoring algorithms for vector search: -| Algorithm | Usage | Range | -|--|-|-| -|`exhaustiveKnn` | Calculates the distances between all pairs of data points. | Metric dependent, usually 0 < 1.00 | -| `hnsw` | Creates proximity graphs for organizing and querying vector content. | Metric dependent, usually 0 < 1.00. | ++ `exhaustiveKnn`: Calculates the distances between the query vector and all data points, making it very computationally intensive for large datasets. Because the algorithm does not require fast random access of data points, this algorithm will **not** consume vector index size quota.++ `hnsw`: Organizes high-dimensional data points into a hierarchical graph structure that enables fast and scalable similarity search while maintaining a trade-off between search accuracy and computational cost. Because the algorithm requires all data points to reside in memory for fast random access, this algorithm will consume vector index size quota. Vector search algorithms are specified in a search index, and then specified on the field definition (also in the index): + [Create a vector index](vector-search-how-to-create-index.md) -Because many algorithm configuration parameters are used to initialize the vector index during index creation, they're immutable parameters and can't be changed once the index is built. However, there's a subset of parameters that can be modified in a [query request](vector-search-how-to-query.md). +Algorithm parameters that are used to initialize the index during index creation are *immutable* and cannot be changed after the index is built. Some parameters that affect the query-time characteristics may be modified.Some of these parameters can be modified in a [query request](vector-search-how-to-query.md). Each algorithm has different memory requirements, which affect [vector index size](vector-search-index-size.md), predicated on memory usage. When evaluating algorithms, remember: -+ `hnsw`, which accesses proximity graphs stored in memory, adds overhead to vector index size. -+ `exhaustiveKnn` doesn't load the entire vector index into memory. As such, it has no vector index size overhead, meaning it doesn't contribute to index size. ++ `hnsw`, which accesses HNSW graphs stored in memory, adds overhead to vector index size because these additional data structures consume space, and fast random access requires the full index to be loaded into memory.++ `exhaustiveKnn` doesn't load the entire vector index into memory. As such, it has no vector index size overhead, meaning it doesn't contribute to vector index size. <a name="eknn"></a> |
virtual-machines | Auto Shutdown Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/auto-shutdown-vm.md | + + Title: Auto-shutdown the VM +description: Learn how to set up auto-shutdown for VMs in Azure. +++++ Last updated : 09/27/2023++++# Auto-shutdown the VM ++In this tutorial, you learn how to automatically shut-down virtual machines (VMs) in Azure. The auto-shutdown feature for Azure VMs can help reduce costs by shutting down the VMs during off hours when they aren't needed and automatically restarting them when they're needed again. ++## Configure auto-shutdown for a virtual machine ++### [Portal](#tab/portal) ++Sign in to the [Azure portal](https://portal.azure.com/). +1. In the Azure portal, navigate to the virtual machine you want to configure auto-shutdown for. +2. In the virtual machine's detail page, select "Auto-shutdown" under the **Operations** section. +3. In the "Auto-shutdown" configuration screen, toggle the switch to "On." +4. Set the time you want the virtual machine to shut down. +5. Select "Save" to save the auto-shutdown configuration. ++### [Azure CLI](#tab/azure-cli) ++To configure auto-shutdown for a single virtual machine using the Azure CLI, you can use the following script: ++```azurecli-interactive +# Set the resource group name, VM name, and shutdown time +RESOURCE_GROUP_NAME="myResourceGroup" +VM_NAME="myVM" # Add your VM's name here +SHUTDOWN_TIME="18:00" ++# Prompt the user to choose whether to auto-restart or leave the machines off +echo "Do you want to auto-restart the machine? (y/n)" +read RESTART_OPTION ++# Set the auto-shutdown and auto-start properties based on the user's choice +if [ "$RESTART_OPTION" == "y" ]; then + AUTO_SHUTDOWN="true" + AUTO_START="true" +else + AUTO_SHUTDOWN="true" + AUTO_START="false" +fi ++# Set the auto-shutdown and auto-start properties for the VM +az vm auto-shutdown -g $RESOURCE_GROUP_NAME -n $VM_NAME --time $SHUTDOWN_TIME ++if [ "$AUTO_START" == "true" ]; then + az vm restart -g $RESOURCE_GROUP_NAME -n $VM_NAME --no-wait +fi +``` ++To configure auto-shutdown for multiple virtual machines using the Azure CLI, you can use the following script: ++```azurecli-interactive +# Set the resource group name and shutdown time +RESOURCE_GROUP_NAME="myResourceGroup" +SHUTDOWN_TIME="18:00" ++# Prompt the user to choose whether to auto-restart or leave the machines off +echo "Do you want to auto-restart the machines? (y/n)" +read RESTART_OPTION ++# Set the auto-shutdown and auto-start properties based on the user's choice +if [ "$RESTART_OPTION" == "y" ]; then + AUTO_SHUTDOWN="true" + AUTO_START="true" +else + AUTO_SHUTDOWN="true" + AUTO_START="false" +fi ++# Loop through all VMs in the resource group and set the auto-shutdown and auto-start properties +for VM_ID in $(az vm list -g $RESOURCE_GROUP_NAME --query "[].id" -o tsv); do + az vm auto-shutdown --ids $VM_ID --time $SHUTDOWN_TIME + az vm restart --ids $VM_ID --no-wait +done +``` ++The above scripts use the `az vm auto-shutdown` and `az vm restart` commands to set the `auto-shutdown` and `restart` properties of all the VMs in the specified resource group. The `--ids` option is used to specify the VMs by their IDs, and the `--time` and `--auto-start-`enabled options are used to set the auto-shutdown and autostart properties, respectively. ++Both scripts also prompt to choose whether to auto restart the machines or leave them off until they're manually restarted. The choice is used to set the -`-auto-shutdown-enabled` property of the VMs. ++++## Clean up resources ++If you no longer need the virtual machine, delete it with the following steps: ++1. Navigate to the virtual machine's **Overview** page on the left +1. Select on "Delete" from the top middle option. +1. Follow the prompts to delete the virtual machine. ++For more information on how to delete a virtual machine, see [delete a VM](./delete.md). ++## Next steps ++Learn about sizes and how to resize a VM: +- Types of virtual machine [sizes.](./sizes.md) +- Change the [size of a virtual machine](./resize-vm.md). |
virtual-machines | Backup And Disaster Recovery For Azure Iaas Disks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/backup-and-disaster-recovery-for-azure-iaas-disks.md | IaaS application data issues are another possibility. Consider an application th ### Comparison Overview -This section cover's some of Azures for backup and disaster recovery. You can refer to the following comparison table for a high level overview. +This section covers some of Azure's options for backup and disaster recovery. You can refer to the following comparison table for a high level overview. |Solution |Snapshot |Restore Points |Azure Backup|Azure Site Recovery| |-|--|||| Explore your options: - [Copy an incremental snapshot to a new region](disks-copy-incremental-snapshot-across-regions.md) - [Overview of VM restore points](virtual-machines-create-restore-points.md) - [Overview of Azure Disk Backup](../backup/disk-backup-overview.md)-- [About Site Recovery](../site-recovery/site-recovery-overview.md)+- [About Site Recovery](../site-recovery/site-recovery-overview.md) |
virtual-machines | Quick Create Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/linux/quick-create-portal.md | Use a web browser of your choice to view the default NGINX welcome page. Type th ## Clean up resources -When no longer needed, you can delete the resource group, virtual machine, and all related resources. To do so, select the resource group for the virtual machine, select **Delete**, then confirm the name of the resource group to delete. +### Delete resources +When no longer needed, you can delete the resource group, virtual machine, and all related resources. ++1. On the Overview page for the VM, select the **Resource group** link. +1. At the top of the page for the resource group, select **Delete resource group**. +1. A page will open warning you that you are about to delete resources. Type the name of the resource group and select **Delete** to finish deleting the resources and the resource group. +++### Auto-shutdown +If the VM is still needed, Azure provides an Auto-shutdown feature for virtual machines to help manage costs and ensure you are not billed for unused resources. ++1. On the **Operations** section for the VM, select the **Auto-shutdown** option. +1. A page will open where you can configure the auto-shutdown time. Select the **On** option to enable and then set a time that works for you. +1. Once you have set the time, select **Save** at the top to enable your Auto-shutdown configuration. ++> [!NOTE] +> Remember to configure the time zone correctly to match your requirements, as (UTC) Coordinated Universal Time is the default setting in the Time zone dropdown. ## Next steps |
virtual-machines | Quick Create Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/quick-create-portal.md | In the portal, select the VM and in the overview of the VM, hover over the IP ad ## Clean up resources +### Delete resources When no longer needed, you can delete the resource group, virtual machine, and all related resources. 1. On the Overview page for the VM, select the **Resource group** link. 1. At the top of the page for the resource group, select **Delete resource group**. 1. A page will open warning you that you are about to delete resources. Type the name of the resource group and select **Delete** to finish deleting the resources and the resource group. +### Auto-shutdown +If the VM is still needed, Azure provides an Auto-shutdown feature for virtual machines to help manage costs and ensure you are not billed for unused resources. ++1. On the **Operations** section for the VM, select the **Auto-shutdown** option. +1. A page will open where you can configure the auto-shutdown time. Select the **On** option to enable and then set a time that works for you. +1. Once you have set the time, select **Save** at the top to enable your Auto-shutdown configuration. ++> [!NOTE] +> Remember to configure the time zone correctly to match your requirements, as (UTC) Coordinated Universal Time is the default setting in the Time zone dropdown. + ## Next steps In this quickstart, you deployed a simple virtual machine, opened a network port for web traffic, and installed a basic web server. To learn more about Azure virtual machines, continue to the tutorial for Windows VMs. |