Updates from: 11/10/2023 02:39:45
Service Microsoft Docs article Related commit history on GitHub Change details
azure-government Azure Services In Fedramp Auditscope https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
Title: Azure and other Microsoft cloud services compliance scope description: This article tracks FedRAMP and DoD compliance scope for Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services across Azure, Azure Government, and Azure Government Secret cloud environments.--++ recommendations: false Previously updated : 07/26/2023 Last updated : 11/09/2023 # Azure, Dynamics 365, Microsoft 365, and Power Platform services compliance scope
For current Azure Government regions and available services, see [Products avail
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services in scope for FedRAMP High, DoD IL2, DoD IL4, DoD IL5, and DoD IL6 authorizations across Azure, Azure Government, and Azure Government Secret cloud environments. For other authorization details in Azure Government Secret and Azure Government Top Secret, contact your Microsoft account representative. ## Azure public services by audit scope
-*Last updated: June 2023*
+*Last updated: November 2023*
### Terminology used
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/index.yml) | ✅ | ✅ | | [Azure Cache for Redis](../../azure-cache-for-redis/index.yml) | ✅ | ✅ | | [Azure Cosmos DB](../../cosmos-db/index.yml) | ✅ | ✅ |
+| [Azure Container Apps](../../container-apps/index.yml) | ✅ | ✅ |
| [Azure Database for MariaDB](../../mariadb/index.yml) | ✅ | ✅ | | [Azure Database for MySQL](../../mysql/index.yml) | ✅ | ✅ | | [Azure Database for PostgreSQL](../../postgresql/index.yml) | ✅ | ✅ |
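Review bot: the new Azure Container Apps row is inserted after Azure Cosmos DB, but this table is alphabetical and "Container" sorts before "Cosmos"; move the row up so it sits between Azure Cache for Redis and Azure Cosmos DB.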
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Azure Spring Apps](../../spring-apps/index.yml) | ✅ | ✅ | | [Azure Stack Edge](../../databox-online/index.yml) (formerly Data Box Edge) ***** | ✅ | ✅ | | [Azure Stack HCI](/azure-stack/hci/) | ✅ | ✅ |
+| [Azure Static WebApps](../../static-web-apps/index.yml) | ✅ | ✅ |
| [Azure Video Indexer](/azure/azure-video-indexer/) | ✅ | ✅ | | [Azure Virtual Desktop](../../virtual-desktop/index.yml) (formerly Windows Virtual Desktop) | ✅ | ✅ | | [Azure VMware Solution](../../azure-vmware/index.yml) | ✅ | ✅ |
+| [Azure Web PubSub](../../azure-web-pubsub/index.yml) | ✅ | ✅ |
| [Backup](../../backup/index.yml) | ✅ | ✅ | | [Bastion](../../bastion/index.yml) | ✅ | ✅ | | **Service** | **FedRAMP High** | **DoD IL2** |
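Review bot: the added row reads "Azure Static WebApps", while its link target is `static-web-apps`; write the service name as "Azure Static Web Apps" so it matches the product name and the naming used by the other rows in the table.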
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Dynamics 365 Customer Service](/dynamics365/customer-service/overview)| ✅ | ✅ | | [Dynamics 365 Field Service](/dynamics365/field-service/overview)| ✅ | ✅ | | [Dynamics 365 Finance](/dynamics365/finance/)| ✅ | ✅ |
+| [Dynamics 365 Fraud Protection](/dynamics365/fraud-protection/)| ✅ | ✅ |
| [Dynamics 365 Guides](/dynamics365/mixed-reality/guides/)| ✅ | ✅ | | [Dynamics 365 Sales](/dynamics365/sales/help-hub) | ✅ | ✅ | | [Dynamics 365 Sales Professional](/dynamics365/sales/overview#dynamics-365-sales-professional) | ✅ | ✅ |
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Microsoft Defender for Identity](/defender-for-identity/) (formerly Azure Advanced Threat Protection) | ✅ | ✅ | | **Service** | **FedRAMP High** | **DoD IL2** | | [Microsoft Defender for IoT](../../defender-for-iot/index.yml) (formerly Azure Security for IoT) | ✅ | ✅ |
+| [Microsoft Defender Vulnerability Management](../../defender-for-iot/index.yml) | ✅ | ✅ |
| [Microsoft Graph](/graph/) | ✅ | ✅ | | [Microsoft Intune](/mem/intune/) | ✅ | ✅ | | [Microsoft Purview](../../purview/index.yml) (incl. Data Map, Data Estate Insights, and governance portal) | ✅ | ✅ |
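Review bot: the new Microsoft Defender Vulnerability Management row reuses the Defender for IoT link (`../../defender-for-iot/index.yml`) from the line directly above it, so it sends readers to the wrong product's documentation. Link to the Defender Vulnerability Management docs instead; the Defender for Endpoint row elsewhere on this page uses a `/microsoft-365/security/...` path and the Vulnerability Management docs live alongside it (verify the exact path before merging).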
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
****** FedRAMP High authorization for Azure Databricks is applicable to limited regions in Azure. To configure Azure Databricks for FedRAMP High use, contact your Microsoft or Databricks representative. ## Azure Government services by audit scope
-*Last updated: June 2023*
+*Last updated: November 2023*
### Terminology used
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Azure Stack HCI](/azure-stack/hci/) | ✅ | ✅ | ✅ | | | | [Azure Video Indexer](/azure/azure-video-indexer/) | ✅ | ✅ | ✅ | | | | [Azure Virtual Desktop](../../virtual-desktop/index.yml) (formerly Windows Virtual Desktop) | ✅ | ✅ | ✅ | ✅ | ✅ |
+| [Azure VMware Solution](../../azure-vmware/index.yml) | ✅ | ✅ | | | |
| [Backup](../../backup/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Bastion](../../bastion/index.yml) | ✅ | ✅ | ✅ | ✅ | | | [Batch](../../batch/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [HDInsight](../../hdinsight/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ | | [HPC Cache](../../hpc-cache/index.yml) | ✅ | ✅ | ✅ | ✅ | | | [Import/Export](../../import-export/index.yml) | ✅ | ✅ | ✅ | ✅ | |
-| [IoT Hub](../../iot-hub/index.yml) | ✅ | ✅ | ✅ | ✅ | |
+| [IoT Hub](../../iot-hub/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |
| [Key Vault](../../key-vault/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Lab Services](../../lab-services/index.yml) | ✅ | ✅ | ✅ | ✅ | | | [Lighthouse](../../lighthouse/index.yml)| ✅ | ✅ | ✅ | ✅ | |
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) (formerly Microsoft Defender Advanced Threat Protection) | ✅ | ✅ | ✅ | ✅ | | | [Microsoft Defender for Identity](/defender-for-identity/) (formerly Azure Advanced Threat Protection) | ✅ | ✅ | ✅ | ✅ | | | [Microsoft Defender for IoT](../../defender-for-iot/index.yml) (formerly Azure Security for IoT) | ✅ | ✅ | ✅ | ✅ | |
+| [Microsoft Defender Vulnerability Management](../../defender-for-iot/index.yml) | ✅ | ✅ | | | |
| [Microsoft Graph](/graph/) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Microsoft Intune](/mem/intune/) | ✅ | ✅ | ✅ | ✅ | |
+| [Microsoft Purview](../../purview/index.yml) (incl. Data Map, Data Estate Insights, and governance portal) | ✅ | ✅ | | | |
| [Microsoft Sentinel](../../sentinel/index.yml) (formerly Azure Sentinel) | ✅ | ✅ | ✅ | ✅ | ✅ | | [Microsoft Stream](/stream/) | ✅ | ✅ | ✅ | ✅ | | | [Migrate](../../migrate/index.yml) | ✅ | ✅ | ✅ | ✅ | |
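Review bot: same link defect as in the Azure public services table: the added Microsoft Defender Vulnerability Management row links to `../../defender-for-iot/index.yml`, the Defender for IoT documentation, rather than to Defender Vulnerability Management. Fix both tables in the same change so the two rows stay consistent.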
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Service Fabric](../../service-fabric/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ | | **Service** | **FedRAMP High** | **DoD IL2** | **DoD IL4** | **DoD IL5** | **DoD IL6** | | [Service Health](../../service-health/index.yml) | ✅ | ✅ | ✅ | ✅ | |
-| [SignalR Service](../../azure-signalr/index.yml) | ✅ | ✅ | ✅ | ✅ | |
+| [SignalR Service](../../azure-signalr/index.yml) | ✅ | ✅ | ✅ | ✅ | ✅ |
| [Site Recovery](../../site-recovery/index.yml) | ✅ | ✅ | ✅ | ✅ | | | [SQL Database](/azure/azure-sql/database/sql-database-paas-overview) | ✅ | ✅ | ✅ | ✅ | ✅ | | [SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) | ✅ | ✅ | ✅ | ✅ | |
azure-netapp-files Azure Netapp Files Create Volumes Smb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
Before creating an SMB volume, you need to create an Active Directory connection
* <a name="continuous-availability"></a>If you want to enable Continuous Availability for the SMB volume, select **Enable Continuous Availability**.
- >[!IMPORTANT]
- >You should enable Continuous Availability for Citrix App Layering, SQL Server, [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md), and FSLogix ODFC containers. Using SMB Continuous Availability shares for workloads other than Citrix App Layering, SQL Server, FSLogix user profile containers, or FSLogix ODFC containers is *not* supported. This feature is currently supported on Windows SQL Server. Linux SQL Server is not currently supported. If you are using a non-administrator (domain) account to install SQL Server, ensure that the account has the required security privilege assigned. If the domain account does not have the required security privilege (`SeSecurityPrivilege`), and the privilege cannot be set at the domain level, you can grant the privilege to the account by using the **Security privilege users** field of Active Directory connections. See [Create an Active Directory connection](create-active-directory-connections.md#create-an-active-directory-connection).
+ [!INCLUDE [SMB Continuous Availability warning](includes/smb-continuous-availability.md)]
**Custom applications are not supported with SMB Continuous Availability.**
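Review bot: the removed IMPORTANT block carried operational guidance that the replacement include must preserve: the list of supported workloads (Citrix App Layering, SQL Server, FSLogix user profile and ODFC containers), the Windows-only SQL Server restriction, and the `SeSecurityPrivilege` requirement together with the **Security privilege users** workaround and its link to the Active Directory connection article. Confirm that `includes/smb-continuous-availability.md` contains all of it before merging, since the bold "Custom applications are not supported" line after the include is the only caveat left in this file.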
azure-netapp-files Azure Netapp Files Create Volumes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-create-volumes.md
This article shows you how to create an NFS volume. For SMB volumes, see [Create
>[!NOTE] >By default, the `.snapshot` directory path is hidden from NFSv4.1 clients. Enabling the **Hide snapshot path** option will hide the .snapshot directory from NFSv3 clients; the directory will still be accessible.
-3. Click **Protocol**, and then complete the following actions:
+3. Select **Protocol** then complete the following actions:
* Select **NFS** as the protocol type for the volume. * Specify a unique **file path** for the volume. This path is used when you create mount targets. The requirements for the path are as follows:
This article shows you how to create an NFS volume. For SMB volumes, see [Create
![Specify NFS protocol](../media/azure-netapp-files/azure-netapp-files-protocol-nfs.png)
-4. Click **Review + Create** to review the volume details. Then click **Create** to create the volume.
+4. Select **Review + Create** to review the volume details. Select **Create** to create the volume.
The volume you created appears in the Volumes page.
azure-netapp-files Enable Continuous Availability Existing SMB https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/enable-continuous-availability-existing-SMB.md
You can enable the SMB Continuous Availability (CA) feature when you [create a n
>[!IMPORTANT] > Custom applications are not supported with SMB Continuous Availability. >
-> See the [**Enable Continuous Availability**](azure-netapp-files-create-volumes-smb.md#continuous-availability) option for additional details and considerations.
+> For more information, see [**Enable Continuous Availability**](azure-netapp-files-create-volumes-smb.md#continuous-availability).
->[!IMPORTANT]
-> You should enable Continuous Availability for [Citrix App Layering](https://docs.citrix.com/en-us/citrix-app-layering/4.html), SQL Server, [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md), and FSLogix ODFC containers. Using SMB Continuous Availability shares for workloads other than Citrix App Layering, SQL Server, FSLogix user profile containers, or FSLogix ODFC containers is *not* supported. This feature is currently supported on Windows SQL Server. Linux SQL Server is not currently supported.
-> If you are using a non-administrator (domain) account to install SQL Server, ensure that the account has the required security privilege assigned. If the domain account does not have the required security privilege (`SeSecurityPrivilege`), and the privilege cannot be set at the domain level, you can grant the privilege to the account by using the **Security privilege users** field of Active Directory connections. See [Create an Active Directory connection](create-active-directory-connections.md#create-an-active-directory-connection).
-
->[!IMPORTANT]
-> Change notifications are not supported with Continuously Available shares in Azure NetApp Files.
## Steps
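Review bot: this hunk deletes two IMPORTANT blocks but, unlike the SMB volume article in this same change, adds no include in their place. In particular the caveat "Change notifications are not supported with Continuously Available shares in Azure NetApp Files" does not survive anywhere in this diff; either restore it here or confirm it is in the shared include that the first block's content moved to, and reference that include from this page.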
azure-netapp-files Faq Application Resilience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/faq-application-resilience.md
Yes, certain SMB-based applications require SMB Transparent Failover. SMB Transp
* [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md) * FSLogix ODFC containers * Microsoft SQL Server (not Linux SQL Server)
+* [MSIX app attach](../virtual-desktop/create-netapp-files.md)
+ >[!CAUTION] >Custom applications are not supported with SMB Continuous Availability and cannot be used with SMB Continuous Availability enabled volumes.
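Review bot: the new CAUTION is indented under the MSIX app attach bullet, so it renders as a continuation of that single list item rather than as a note on the whole list of supported workloads. Dedent it to column 0 and put a blank line before it.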
azure-netapp-files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/whats-new.md
na Previously updated : 11/02/2023 Last updated : 11/08/2023
Azure NetApp Files is updated regularly. This article provides a summary about the latest new features and enhancements.
+
## November 2023
+* [SMB Continuous Availability (CA)](azure-netapp-files-create-volumes-smb.md#add-an-smb-volume) shares now supports MSIX app attach for Azure Virtual Desktop
+
+ In addition to Citrix App Layering, FSLogix user profiles including FSLogix ODFC containers, and Microsoft SQL Server, Azure NetApp Files now supports [MSIX app attach](../virtual-desktop/create-netapp-files.md) with SMB Continuous Availability shares to enhance resiliency during storage service maintenance operations. Continuous Availability enables SMB transparent failover to eliminate disruptions as a result of service maintenance events and improves reliability and user experience.
+ * [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md#supported-regions) in select US Gov regions Azure NetApp Files now supports [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md?tabs=azure-portal) in US Gov Arizona and US Gov Virginia regions. Azure NetApp Files datastores for Azure VMware Solution provide the ability to scale storage independently of compute and can go beyond the limits of the local instance storage provided by vSAN reducing total cost of ownership.
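Review bot: grammar and link precision in the November 2023 entries. "SMB Continuous Availability (CA) shares now supports" should read "now support"; the link anchor `#add-an-smb-volume` lands on the general volume-creation steps, whereas the `#continuous-availability` anchor used by the other NetApp Files articles in this diff points at the option itself; and the Azure VMware Solution bullet runs its heading into its body text ("in select US Gov regions Azure NetApp Files now supports"), which needs a line break between them, plus a comma before "reducing total cost of ownership".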
cosmos-db Concepts Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/concepts-authentication.md
Title: Active Directory authentication - Azure Cosmos DB for PostgreSQL
-description: Learn about the concepts of native PostgreSQL and Microsoft Entra authentication with Azure Cosmos DB for PostgreSQL
+ Title: PostgreSQL and Microsoft Entra ID authentication - Azure Cosmos DB for PostgreSQL
+description: Learn about the concepts of native PostgreSQL and Microsoft Entra ID authentication with Azure Cosmos DB for PostgreSQL
Previously updated : 09/19/2023 Last updated : 11/07/2023 # Microsoft Entra ID and PostgreSQL authentication with Azure Cosmos DB for PostgreSQL
Last updated 09/19/2023
[!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)] > [!IMPORTANT]
-> Microsoft Entra authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
+> Microsoft Entra ID (formerly Azure Active Directory) authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
> This preview version is provided without a service level agreement, and it's not recommended > for production workloads. Certain features might not be supported or might have constrained > capabilities.
Last updated 09/19/2023
Azure Cosmos DB for PostgreSQL supports PostgreSQL authentication and integration with Microsoft Entra ID. Each Azure Cosmos DB for PostgreSQL cluster is created with native PostgreSQL authentication enabled and one built-in PostgreSQL role named `citus`. You can add more native PostgreSQL roles after cluster provisioning is completed.
-You can also enable Microsoft Entra authentication on a cluster in addition to the PostgreSQL authentication method or instead of it. You can configure authentication methods on each Azure Cosmos DB for PostgreSQL cluster independently. If you need to change authentication method, you can do it at any time after cluster provisioning is completed. Changing authentication methods doesn't require cluster restart.
+You can also enable Microsoft Entra ID (formerly Azure Active Directory) authentication on a cluster in addition to the PostgreSQL authentication method or instead of it. You can configure authentication methods on each Azure Cosmos DB for PostgreSQL cluster independently. If you need to change authentication method, you can do it at any time after cluster provisioning is completed. Changing authentication methods doesn't require cluster restart.
## PostgreSQL authentication
Permissions for the `citus` role:
superusers. * Read all pg\_stat\_\* views and use various statistics-related extensions--even views or extensions normally visible only to superusers.
-* Execute monitoring functions that may take ACCESS SHARE locks on tables,
+* Execute monitoring functions that might take ACCESS SHARE locks on tables,
potentially for a long time. * [Create PostgreSQL extensions](reference-extensions.md).
Notably, the `citus` role has some restrictions:
* Can't create roles * Can't create databases
-`citus` role can't be deleted but would be disabled if 'Microsoft Entra authentication only' authentication method is selected on cluster.
+`citus` role can't be deleted but would be disabled if 'Microsoft Entra ID authentication only' authentication method is selected on cluster.
<a name='azure-active-directory-authentication-preview'></a>
-## Microsoft Entra authentication (preview)
+## Microsoft Entra ID authentication (preview)
-[Microsoft Entra ID](./../../active-directory/fundamentals/active-directory-whatis.md) authentication is a mechanism of connecting to Azure Cosmos DB for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
+[Microsoft Entra ID](/entra/fundamentals/whatis) (formerly Azure Active Directory) authentication is a mechanism of connecting to Azure Cosmos DB for PostgreSQL using identities defined in Microsoft Entra ID. With Microsoft Entra ID authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
Benefits of using Microsoft Entra ID include: - Authentication of users across Azure Services in a uniform way - Management of password policies and password rotation in a single place - Multiple forms of authentication supported by Microsoft Entra ID, which can eliminate the need to store passwords-- Microsoft Entra authentication uses PostgreSQL database roles to authenticate identities at the database level
+- Microsoft Entra ID authentication uses PostgreSQL database roles to authenticate identities at the database level
- Support of token-based authentication for applications connecting to Azure Cosmos DB for PostgreSQL <a name='manage-postgresql-access-for-azure-ad-principals'></a>
-### Manage PostgreSQL access for Microsoft Entra principals
+### Manage PostgreSQL access for Microsoft Entra ID principals
-When Microsoft Entra authentication is enabled and Microsoft Entra principal is added as a Microsoft Entra administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra administrator sign-in can be a Microsoft Entra user, Service Principal or Managed Identity. Multiple Microsoft Entra administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs.
+When Microsoft Entra ID authentication is enabled and Microsoft Entra ID principal is added as a Microsoft Entra ID administrator, the account gets the same privileges as [the `citus` role](#the-citus-role). The Microsoft Entra ID administrator sign-in can be a Microsoft Entra ID user, Service Principal or Managed Identity. Multiple Microsoft Entra ID administrators can be configured at any time and you can optionally disable PostgreSQL (password) authentication to the Azure Cosmos DB for PostgreSQL cluster for better auditing and compliance needs.
-Additionally, any number of non-admin Microsoft Entra roles can be added to a cluster at any time once Microsoft Entra authentication is enabled. Database permissions for non-admin Microsoft Entra roles are managed similar to regular roles.
+Additionally, any number of non-admin Microsoft Entra ID roles can be added to a cluster at any time once Microsoft Entra ID authentication is enabled. Database permissions for non-admin Microsoft Entra ID roles are managed similar to regular roles.
<a name='connect-using-azure-ad-identities'></a>
-### Connect using Microsoft Entra identities
+### Connect using Microsoft Entra ID identities
-Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities:
+Microsoft Entra ID authentication supports the following methods of connecting to a database using Microsoft Entra ID identities:
-- Microsoft Entra Password-- Microsoft Entra integrated-- Microsoft Entra Universal with MFA-- Using Active Directory Application certificates or client secrets
+- Microsoft Entra ID Password
+- Microsoft Entra ID integrated
+- Microsoft Entra ID Universal with MFA
+- Using Microsoft Entra ID Application certificates or client secrets
- Managed Identity
-Once you've authenticated against the Active Directory, you then retrieve a token. This token is your password for logging in.
+Once you've authenticated against the Microsoft Entra ID, you then retrieve a token. This token is your password for logging in.
### Other considerations -- Multiple Microsoft Entra principals (a user, service principal, or managed identity) can be configured as Microsoft Entra administrator for an Azure Cosmos DB for PostgreSQL cluster at any time.-- If a Microsoft Entra principal is deleted from Microsoft Entra service, it still remains as a PostgreSQL role on the cluster, but it's no longer able to acquire new access token. In this case, although the matching role still exists in the Postgres database it's unable to authenticate to the cluster nodes. Database administrators need to transfer ownership and drop such roles manually.
+- Multiple Microsoft Entra ID principals (a user, service principal, or managed identity) can be configured as Microsoft Entra ID administrator for an Azure Cosmos DB for PostgreSQL cluster at any time.
+- If a Microsoft Entra ID principal is deleted from Microsoft Entra ID service, it still remains as a PostgreSQL role on the cluster, but it's no longer able to acquire new access token. In this case, although the matching role still exists in the Postgres database it's unable to authenticate to the cluster nodes. Database administrators need to transfer ownership and drop such roles manually.
> [!NOTE]
-> Login with the deleted Microsoft Entra user can still be done till the token expires (up to 90 minutes from token issuing). If you also remove the user from Azure Cosmos DB for PostgreSQL cluster this access will be revoked immediately.
+> Login with the deleted Microsoft Entra ID user can still be done till the token expires (up to 90 minutes from token issuing). If you also remove the user from Azure Cosmos DB for PostgreSQL cluster this access will be revoked immediately.
-- Azure Cosmos DB for PostgreSQL matches access tokens to the database role using the userΓÇÖs unique Microsoft Entra user ID, as opposed to using the username. If a Microsoft Entra user is deleted and a new user is created with the same name, Azure Cosmos DB for PostgreSQL considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and a new user is added with the same name the new user would be unable to connect with the existing role.
+- Azure Cosmos DB for PostgreSQL matches access tokens to the database role using the userΓÇÖs unique Microsoft Entra ID user ID, as opposed to using the username. If a Microsoft Entra ID user is deleted and a new user is created with the same name, Azure Cosmos DB for PostgreSQL considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and a new user is added with the same name the new user would be unable to connect with the existing role.
## Next steps
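Review bot: two text defects in the rewritten lines. The `+` line of the last bullet keeps the mojibake "userΓÇÖs" (the `ΓÇÖ` sequence is a mis-encoded right single quotation mark) from the original; since the line is being rewritten anyway, replace it with a plain apostrophe. Also, "authenticated against the Microsoft Entra ID" reads oddly with the article; "against Microsoft Entra ID" matches the wording used elsewhere on the page. Separately, the original lines already used the adjective form "Microsoft Entra authentication", and this change inserts "ID" before "authentication", "administrator", "principal" and "user" throughout; check that against the Microsoft Entra naming guidance before merging, because it also changes headings and the quoted 'Microsoft Entra ID authentication only' option name.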
cosmos-db How To Configure Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/postgresql/how-to-configure-authentication.md
Previously updated : 09/19/2023 Last updated : 11/06/2023 # Use Microsoft Entra ID and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL
Last updated 09/19/2023
[!INCLUDE [PostgreSQL](../includes/appliesto-postgresql.md)] > [!IMPORTANT]
-> Microsoft Entra authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
+> Microsoft Entra ID (formerly Azure Active Directory) authentication in Azure Cosmos DB for PostgreSQL is currently in preview.
> This preview version is provided without a service level agreement, and it's not recommended > for production workloads. Certain features might not be supported or might have constrained > capabilities. > > You can see a complete list of other new features in [preview features](product-updates.md#features-in-preview).
-In this article, you configure authentication methods for Azure Cosmos DB for PostgreSQL. You manage Microsoft Entra admin users and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL. You also learn how to use a Microsoft Entra token with Azure Cosmos DB for PostgreSQL.
+In this article, you configure authentication methods for Azure Cosmos DB for PostgreSQL. You manage Microsoft Entra ID admin users and native PostgreSQL roles for authentication with Azure Cosmos DB for PostgreSQL. You also learn how to use a Microsoft Entra ID token with Azure Cosmos DB for PostgreSQL.
An Azure Cosmos DB for PostgreSQL cluster is created with one built-in native PostgreSQL role named 'citus'. You can add more native PostgreSQL roles after cluster provisioning is completed.
-You can also configure Microsoft Entra authentication for Azure Cosmos DB for PostgreSQL. You can enable Microsoft Entra authentication in addition or instead of the native PostgreSQL authentication on your cluster. You can change authentication methods enabled on cluster at any point after the cluster is provisioned. When Microsoft Entra authentication is enabled, you can add multiple Microsoft Entra users to an Azure Cosmos DB for PostgreSQL cluster and make any of them administrators. Microsoft Entra user can be a user or a service principal.
+You can also configure Microsoft Entra ID (formerly Azure Active Directory) authentication for Azure Cosmos DB for PostgreSQL. You can enable Microsoft Entra ID authentication in addition or instead of the native PostgreSQL authentication on your cluster. You can change authentication methods enabled on cluster at any point after the cluster is provisioned. When Microsoft Entra ID authentication is enabled, you can add multiple Microsoft Entra ID users to an Azure Cosmos DB for PostgreSQL cluster and make any of them administrators. Microsoft Entra ID user can be a user or a service principal.
## Choose authentication method You need to use Azure portal to configure authentication methods on an Azure Cosmos DB for PostgreSQL cluster.
-Complete the following items on your Azure Cosmos DB for PostgreSQL cluster to enable or disable Microsoft Entra authentication and native PostgreSQL authentication.
+Complete the following items on your Azure Cosmos DB for PostgreSQL cluster to enable or disable Microsoft Entra ID authentication and native PostgreSQL authentication.
1. On the cluster page, under the **Cluster management** heading, choose **Authentication** to open authentication management options.
-1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra authentication (preview)**, or **PostgreSQL and Microsoft Entra authentication (preview)** as the authentication method based on your requirements.
+1. In **Authentication methods** section, choose **PostgreSQL authentication only**, **Microsoft Entra ID authentication (preview)**, or **PostgreSQL and Microsoft Entra ID authentication (preview)** as the authentication method based on your requirements.
-Once done proceed with [configuring Microsoft Entra authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on **Authentication** page.
+Once done proceed with [configuring Microsoft Entra ID authentication](#configure-azure-active-directory-authentication) or [adding native PostgreSQL roles](#configure-native-postgresql-authentication) on **Authentication** page.
<a name='configure-azure-active-directory-authentication'></a>
-## Configure Microsoft Entra authentication
+## Configure Microsoft Entra ID authentication
-To add or remove Microsoft Entra roles on cluster, follow these steps on **Authentication** page:
+### Prerequisites
-1. In **Microsoft Entra authentication (preview)** section, select **Add Microsoft Entra admins**.
-1. In **Select Microsoft Entra Admins** panel, select one or more valid Microsoft Entra user or enterprise application in the current AD tenant to be a Microsoft Entra administrator on your Azure Cosmos DB for PostgreSQL cluster.
+Users need to be allowed to sign in to Azure Cosmos DB for PostgreSQL in the Microsoft Entra ID tenant. These steps should be performed once for the Microsoft Entra ID tenant that is going to be used for authentication on Azure Cosmos DB for PostgreSQL clusters.
+
+> [!IMPORTANT]
+> Microsoft Entra ID tenant administrator permissions are needed to make the change. See [guidance for troubleshooting permissions](/entra/identity/enterprise-apps/add-application-portal-configure#prerequisites).
+
+# [Azure portal](#tab/portal)
+
+1. Search for 'Microsoft Entra ID' in [Azure portal](https://portal.azure.com/).
+1. Open 'Microsoft Entra ID' service.
+1. On the **Overview** page of Microsoft Entra ID service in the **Overview** section, search for 'b4fa09d8-5da5-4352-83d9-05c2a44cf431' application ID.
+1. Choose 'Azure Cosmos DB for PostgreSQL AAD Authentication' enterprise application in the search results.
+1. In the Azure Cosmos DB for PostgreSQL AAD Authentication enterprise application, choose **Properties** page.
+1. Set **Enabled for users to sign-in?** to **Yes** and save the change.
+
+# [Azure CLI](#tab/cli)
+
+```azurecli
+az ad sp update --id b4fa09d8-5da5-4352-83d9-05c2a44cf431 --set accountEnabled=true
+```
++
+### Add Microsoft Entra ID admins to Azure Cosmos DB for PostgreSQL cluster
+
+To add or remove Microsoft Entra ID roles on cluster, follow these steps on **Authentication** page:
+
+1. In **Microsoft Entra ID authentication (preview)** section, select **Add Microsoft Entra ID admins**.
+1. In **Select Microsoft Entra ID Admins** panel, select one or more valid Microsoft Entra ID user or enterprise application in the current AD tenant to be a Microsoft Entra ID administrator on your Azure Cosmos DB for PostgreSQL cluster.
1. Use **Select** to confirm your choice. 1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding native PostgreSQL roles.
To add Postgres roles on cluster, follow these steps on **Authentication** page:
1. In **PostgreSQL authentication** section, select **Add PostgreSQL role**. 1. Enter the role name and password. Select **Save**.
-1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding Microsoft Entra admin users.
+1. In the **Authentication** page, select **Save** in the toolbar to save changes or proceed with adding Microsoft Entra ID admin users.
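Review bot: the added step 2 should be plural ("one or more valid Microsoft Entra ID users or enterprise applications"), and "roles on cluster" in the intro wants "on the cluster". The intro also promises "add or remove", but the steps only cover adding; either describe removal here or point to the "Manage native PostgreSQL roles" section. Since each principal selected here becomes a Microsoft Entra ID administrator on the cluster, it would help to restate that next to the Save step so the scope of what is being granted is clear at the moment it is saved.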
The native PostgreSQL user is created on the coordinator node of the cluster, and propagated to all the worker nodes. Roles created through the Azure portal have the LOGIN attribute, which means theyΓÇÖre true users who can sign in to the database. <a name='connect-to-azure-cosmos-for-postgresql-by-using-azure-ad-authentication'></a>
-## Connect to Azure Cosmos for PostgreSQL by using Microsoft Entra authentication
+## Connect to Azure Cosmos for PostgreSQL by using Microsoft Entra ID authentication
-Microsoft Entra integration works with standard PostgreSQL client tools like **psql**, which aren't Microsoft Entra aware and support only specifying the username and password when you're connecting to PostgreSQL. In such cases, the Microsoft Entra token is passed as the password.
+Microsoft Entra ID integration works with standard PostgreSQL client tools like **psql**, which aren't Microsoft Entra ID aware and support only specifying the username and password when you're connecting to PostgreSQL. In such cases, the Microsoft Entra ID token is passed as the password.
-We've tested the following clients:
+We tested the following clients:
- **psql command line**: Use the `PGPASSWORD` variable to pass the token. - **Other libpq-based clients**: Examples include common application frameworks and object-relational mappers (ORMs).
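Review bot: the unchanged line just before the renamed heading still contains the mis-encoded `theyΓÇÖre`; it should read `they're`, and this is the right change to fix it in. Keeping the `<a name='connect-to-azure-cosmos-for-postgresql-by-using-azure-ad-authentication'>` anchor above the new heading is correct, since the slug changes with the title and existing links would otherwise break; the same pattern should be applied wherever else this sweep renames a heading.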
Start by authenticating with Microsoft Entra ID by using the Azure CLI. This ste
az login ```
-The command opens a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and password.
+The command opens a browser window to the Microsoft Entra ID authentication page. It requires you to give your Microsoft Entra ID user name and password.
<a name='retrieve-the-azure-ad-access-token'></a>
-### Retrieve the Microsoft Entra access token
+### Retrieve the Microsoft Entra ID access token
-Use the Azure CLI to acquire an access token for the Microsoft Entra authenticated user to access Azure Cosmos for PostgreSQL. Here's an example:
+Use the Azure CLI to acquire an access token for the Microsoft Entra ID authenticated user to access Azure Cosmos for PostgreSQL. Here's an example:
```azurecli-interactive az account get-access-token --resource https://postgres.cosmos.azure.com
export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --quer
> [!NOTE]
-> Make sure PGPASSWORD variable is set to the Microsoft Entra access token for your
-> subscription for Microsoft Entra authentication. If you need to do Postgres role authentication
+> Make sure PGPASSWORD variable is set to the Microsoft Entra ID access token for your
+> subscription for Microsoft Entra ID authentication. If you need to do Postgres role authentication
> from the same session you can set PGPASSWORD to the Postgres role password > or clear the PGPASSWORD variable value to enter the password interactively. > Authentication would fail with the wrong value in PGPASSWORD.
psql "host=mycluster.[uniqueID].postgres.cosmos.azure.com user=user@tenant.onmic
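Review bot: the two token commands request different audiences. The displayed example uses `--resource https://postgres.cosmos.azure.com`, while the `export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms ...)` line uses the `oss-rdbms` resource type, which the CLI resolves to a different resource URI. A token issued for one audience is not accepted by a service validating the other, so confirm which audience the cluster validates and use the same one in both lines. The note's wording "access token for your subscription" is also imprecise: the token is issued for the signed-in user or principal, not for the subscription.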
### Use a token as a password for signing in with PgAdmin
-To connect by using a Microsoft Entra token with PgAdmin, follow these steps:
+To connect by using a Microsoft Entra ID token with PgAdmin, follow these steps:
1. Clear the **Connect now** option at server creation. 1. Enter your server details on the **Connection** tab and save.
- 1. Make sure a valid Microsoft Entra user is specified in **Username**.
+ 1. Make sure a valid Microsoft Entra ID user is specified in **Username**.
1. From the pgAdmin **Object** menu, select **Connect Server**.
-1. Enter the Active Directory token password when you're prompted.
+1. Enter the Microsoft Entra ID token password when you're prompted.
Here are some essential considerations when you're connecting: -- `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra user.-- Be sure to use the exact way the Azure user is spelled. Microsoft Entra user and group names are case-sensitive.
+- `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra ID user.
+- Be sure to use the exact way the Azure user is spelled. Microsoft Entra ID user and group names are case-sensitive.
- If the name contains spaces, use a backslash (`\`) before each space to escape it. - The access token's validity is 5 minutes to 90 minutes. You should get the access token before initiating the sign-in to Azure Cosmos for PostgreSQL.
-You're now authenticated to your Azure Cosmos for PostgreSQL server through Microsoft Entra authentication.
+You're now authenticated to your Azure Cosmos for PostgreSQL server through Microsoft Entra ID authentication.
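Review bot: the rewritten bullet still says "the exact way the Azure user is spelled" while the rest of this rename uses "Microsoft Entra ID user"; make it consistent. The same list states the token lifetime (5 to 90 minutes), and the pgAdmin steps above deliberately save the server without connecting, so it is worth saying there that the token should be obtained immediately before step 3 (Connect Server), not when the server entry is created, or it may have expired by the time the prompt appears.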
## Manage native PostgreSQL roles
To update a user, visit the **Authentication** page for your cluster,
and select the ellipses **...** next to the user. The ellipses open a menu to delete the user or reset their password.
-The `citus` role is privileged and can't be deleted. However, `citus` role would be disabled, if 'Microsoft Entra authentication only' authentication method is selected for the cluster.
+The `citus` role is privileged and can't be deleted. However, `citus` role would be *disabled*, if 'Microsoft Entra ID authentication only' authentication method is selected for the cluster.
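Review bot: "would be *disabled*" leaves the consequence vague; say what disabled means for the `citus` role in practice, for example whether password sign-in as `citus` is rejected while "Microsoft Entra ID authentication only" is selected and whether the role is re-enabled when the method is changed back. Anyone running automation that connects as `citus` needs that detail before switching the cluster's authentication method.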
## How to modify privileges for user roles
For example, to allow PostgreSQL `db_user` to read `mytable`, grant the permissi
GRANT SELECT ON mytable TO db_user; ```
-To grant the same permissions to Microsoft Entra role `user@tenant.onmicrosoft.com` use the following command:
+To grant the same permissions to Microsoft Entra ID role `user@tenant.onmicrosoft.com` use the following command:
```sql GRANT SELECT ON mytable TO "user@tenant.onmicrosoft.com";
system-wide (for example, for all tables in a schema):
GRANT SELECT ON ALL TABLES IN SCHEMA public TO db_user; ```
-Or for Microsoft Entra role
+Or for Microsoft Entra ID role
```sql -- applies to the coordinator node and propagates to worker nodes for Azure AD role user@tenant.onmicrosoft.com
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "user@tenant.onmicrosoft.com";
- Learn about [authentication in Azure Cosmos DB for PostgreSQL](./concepts-authentication.md) - Check out [Microsoft Entra ID limits and limitations in Azure Cosmos DB for PostgreSQL](./reference-limits.md#azure-active-directory-authentication)-- Review [Microsoft Entra fundamentals](./../../active-directory/fundamentals/active-directory-whatis.md)
+- Review [Microsoft Entra ID fundamentals](/entra/fundamentals/whatis)
- [Learn more about SQL GRANT in PostgreSQL](https://www.postgresql.org/docs/current/sql-grant.html)
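Review bot: the unchanged SQL comment `-- applies to the coordinator node and propagates to worker nodes for Azure AD role user@tenant.onmicrosoft.com` still says "Azure AD role" after the surrounding prose was renamed; update it in the same change. The "Next steps" link to `reference-limits.md#azure-active-directory-authentication` depends on that heading keeping its old slug, so check that the limits page was not renamed in this sweep. The GRANT examples correctly double-quote the Entra ID role name because of the `@` and `.` in it; stating that once would save readers from dropping the quotes and getting a syntax error.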
virtual-desktop Create Netapp Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/create-netapp-files.md
To start using Azure NetApp Files:
1. Set up your Azure NetApp Files account by following the instructions in [Set up your Azure NetApp Files account](create-fslogix-profile-container.md#set-up-your-azure-netapp-files-account). 2. Create a capacity pool by following the instructions in [Set up a capacity pool](../azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md).
-3. Join a Microsoft Entra connection by following the instructions in [Join an Active Directory connection](create-fslogix-profile-container.md#join-an-active-directory-connection).
-4. Create a new volume by following the instructions in [Create a new volume](create-fslogix-profile-container.md#create-a-new-volume) and [Configure volume access parameters](create-fslogix-profile-container.md#configure-volume-access-parameters).
+3. Join an Active Directory connection by following the instructions in [Join an Active Directory connection](create-fslogix-profile-container.md#join-an-active-directory-connection).
+4. Create a new volume by following the instructions to [create an SMB volume for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-create-volumes-smb.md). Ensure select **Enable Continuous Availability**.
5. Make sure your connection to the Azure NetApp Files share works by following the instructions in [Make sure users can access the Azure NetApp Files share](create-fslogix-profile-container.md#make-sure-users-can-access-the-azure-netapp-files-share). ## Upload an MSIX image to the Azure NetApp file share
Now that you've set up your Azure NetApp Files share, you can start uploading im
To upload an MSIX image to your Azure NetApp Files share: 1. In each session host, install the certificate that you signed the MSIX package with. Make sure to store the certificates in the folder named **Trusted People**.
-2. Copy the MSIX image you want to add to the Azure NetApps Files share.
+2. Copy the MSIX image you want to add to the Azure NetApp Files share.
3. Go to **File Explorer** and enter the mount path, then paste the MSIX image into the mount path folder. Your MSIX image should now be accessible to your session hosts when they add an MSIX package using the Azure portal or PowerShell.
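Review bot: step 4 has a grammar slip: "Ensure select **Enable Continuous Availability**" should read "Make sure you select **Enable Continuous Availability**". Reverting step 3 from "Microsoft Entra connection" back to "Active Directory connection" is the right call, since it matches the linked heading "Join an Active Directory connection" and the Entra ID rename sweep should not have touched it. The "NetApps" to "NetApp" fix in the upload steps is fine.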
virtual-desktop Client Features Web https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/users/client-features-web.md
Title: Use features of the Remote Desktop Web client - Azure Virtual Desktop
description: Learn how to use features of the Remote Desktop Web client when connecting to Azure Virtual Desktop. Previously updated : 01/25/2023 Last updated : 11/07/2023
Native resolution is set to off by default. To turn on native resolution:
### New user interface
-A new user interface is available by default. It is recommended to use the new client, as the original version will be deprecated soon.
+A new user interface is available by default. It is recommended to use the New Client, as the original version will be deprecated soon.
-To revert to the original user interface, toggle the new client to **Off** on the top navigation bar.
+To revert to the original user interface, toggle the New Client to **Off** on the top navigation bar.
### Grid view and list view You can change the view of remote resources assigned to you between grid view (default) and list view. To change between grid view and list view:
-1. Sign in to the Remote Desktop Web client and make sure the new client toggle is set to **On**. Then, select **Settings** on the taskbar.
+1. Sign in to the Remote Desktop Web client and make sure the New Client toggle is set to **On**. Then, select **Settings** on the taskbar.
1. In the top-right hand corner, select the **Grid View** icon or the **List View** icon. The change will take effect immediately.
You can change the view of remote resources assigned to you between grid view (d
You can change between light mode (default) and dark mode. To change between light mode and dark mode:
-1. Sign in to the Remote Desktop Web client and make sure the new client toggle is set to **On**. Then, select **Settings** on the taskbar.
+1. Sign in to the Remote Desktop Web client and make sure the New Client toggle is set to **On**. Then, select **Settings** on the taskbar.
1. Toggle **Dark Mode** to **On** to use dark mode, or **Off** to use light mode. The change will take effect immediately.
If you have another Remote Desktop client installed, you can download an RDP fil
1. Open the downloaded RDP file in your Remote Desktop client to launch a remote session.
-## Reset user settings (preview)
+## Reset user settings
If you want to reset your user settings back to the default, you can do this in the web client for the current browser. To reset user settings:
-1. Sign in to the Remote Desktop Web client and make sure you have toggled **Try the new client (Preview)** to **On**, then select **Settings** on the taskbar.
+1. Sign in to the Remote Desktop Web client and make sure you have toggled **New Client** to **On**, then select **Settings** on the taskbar.
1. Select **Reset user settings**. You'll need to confirm that you want reset the web client settings to default.
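Review bot: the "New Client" toggle name is formatted inconsistently in this change: bold as a UI label in "toggled **New Client** to **On**" but plain in "It is recommended to use the New Client" and "toggle the New Client to **Off**"; pick one form, and bold matches how **Settings** and **On** are already marked. Dropping "(preview)" from the "Reset user settings" heading changes its anchor from `#reset-user-settings-preview` to `#reset-user-settings`; the whats-new page in this same change set is updated to match, but any other link to the old anchor will break unless an `<a name>` for the old slug is kept, as the Cosmos DB article in this change does.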
virtual-desktop Whats New Client Ios Ipados https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-client-ios-ipados.md
description: Learn about recent changes to the Remote Desktop client for iOS and
Previously updated : 09/21/2023 Last updated : 11/08/2023 # What's new in the Remote Desktop client for iOS and iPadOS
virtual-desktop Whats New Client Web https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-client-web.md
A new user interface is available in preview, which has the following new functi
- An updated design. - [Switch between grid view and list view](users/client-features-web.md#grid-view-and-list-view). - [Switch between light mode and dark mode](users/client-features-web.md#light-mode-and-dark-mode).-- [Reset user settings](users/client-features-web.md#reset-user-settings-preview).
+- [Reset user settings](users/client-features-web.md#reset-user-settings).
For more information and how to try the new user interface, see [New user interface](users/client-features-web.md#new-user-interface).
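Review bot: the unchanged opening line still says "A new user interface is available in preview", while the client-features-web change in this same set removes the preview label and states the new interface is available by default; the two pages now disagree, so this line should be updated together with the link fix.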
virtual-desktop Whats New Client Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-client-windows.md
description: Learn about recent changes to the Remote Desktop client for Windows
Previously updated : 10/24/2023 Last updated : 11/09/2023 # What's new in the Remote Desktop client for Windows
The following table lists the current versions available for the public and Insi
| Release | Latest version | Download | ||-|-|
-| Public | 1.2.4677 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370) |
+| Public | 1.2.4763 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370) |
| Insider | 1.2.4763 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368) |
-## Updates for version 1.2.4763 (Insider)
+## Updates for version 1.2.4763
-*Date published: October 24, 2023*
+*Date published: November 7, 2023*
-Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368)
+Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370)
- Added a link to the troubleshooting documentation to error messages to help users resolve minor issues without needing to contact Microsoft Support. - Improved the connection bar user interface (UI).
Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233), [Wi
*Date published: October 17, 2023*
-Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139456), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139370)
+Download: [Windows 64-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1d1KN), [Windows 32-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1d1KO), [Windows ARM64](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1cRm0)
- Added new parameters for multiple monitor configuration when connecting to a remote resource using the [Uniform Resource Identifier (URI) scheme](uri-scheme.md). - Added support for the following languages: Czech (Czechia), Hungarian (Hungary), Indonesian (Indonesia), Korean (Korea), Portuguese (Portugal), Turkish (T├╝rkiye).
Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369), [Wi
*Date published: October 6, 2023*
-Download: [Windows 64-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1cTP6), [Windows 32-bit](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1cTP7), [Windows ARM64](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1cRlf)
- - Fixed the [CVE-2023-5217](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-5217) security vulnerability. ## Updates for version 1.2.4582
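Review bot: the Public row now lists 1.2.4763, the same build as Insider, and the 1.2.4763 entry's download links are switched from the Insider fwlinks (2139233, 2139144, 2139368) to the Public ones (2139369, 2139456, 2139370), which is consistent with dropping "(Insider)" from its heading. The October 17 entry's links are moved to static `query.prod.cms.rt.microsoft.com` URLs, which is correct because the fwlinks now resolve to the newer build, but the October 6 entry, the one stating it fixed CVE-2023-5217, loses its download line entirely; if the intent is to keep downloads only for the two most recent builds, say so near the table so readers on that build or older know to move to the current Public build. The unchanged language list also contains mis-encoded `T├╝rkiye` (should be `Türkiye`), which this change could fix while touching the section.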