Updates from: 11/05/2022 02:13:49
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-domain-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/policy-reference.md
Title: Built-in policy definitions for Azure Active Directory Domain Services description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
active-directory How To Mfa Number Match https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md
description: Learn how to use number matching in MFA notifications
Previously updated : 11/03/2022 Last updated : 11/04/2022
This topic covers how to enable number matching in Microsoft Authenticator push
>[!NOTE] >Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will begin to be enabled by default for all users starting February 27, 2023.<br>
->We highly recommend enabling number matching in the near-term for improved sign-in security.
+>We highly recommend enabling number matching in the near term for improved sign-in security.
## Prerequisites
To enable number matching in the Azure AD portal, complete the following steps:
### When will my tenant see number matching if I don't use the Azure portal or Graph API to roll out the change?
-Number match will be enabled for all users of Microsoft Authenticator app after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users.
+Number match will be enabled for all users of Microsoft Authenticator after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users.
-### Can I opt out of number matching?
+### How should users be prepared for default number matching?
-Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. Microsoft will enable number matching for all tenants by Feb 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications.
+Here are differences in sign-in scenarios that Microsoft Authenticator users will see after number matching is enabled by default:
+
+- Authentication flows will require users to do number match when using Microsoft Authenticator. If their version of Microsoft Authenticator doesnΓÇÖt support number match, their authentication will fail.
+- Self-service password reset (SSPR) and combined registration will also require number match when using Microsoft Authenticator.
+- AD FS adapter will require number matching on [supported versions of Windows Server](#ad-fs-adapter). On earlier versions, users will continue to see the **Approve**/**Deny** experience and wonΓÇÖt see number matching until you upgrade.
+- NPS extension versions beginning 1.2.2131.2 will require users to do number matching. Because the NPS extension canΓÇÖt show a number, the user will be asked to enter a One-Time Passcode (OTP). The user must have an OTP authentication method such as Microsoft Authenticator or software OATH tokens registered to see this behavior. If the user doesnΓÇÖt have an OTP method registered, theyΓÇÖll continue to get the **Approve**/**Deny** experience.
+
+ To create a registry key that overrides this behavior and prompts users with **Approve**/**Deny**:
+
+ 1. On the NPS Server, open the Registry Editor.
+ 1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
+ 1. Set the following Key Value Pair:
+ Key: OVERRIDE_NUMBER_MATCHING_WITH_OTP
+ Value = FALSE
+ 1. Restart the NPS Service.
-### What about my Apple Watch?
+- Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone.
-Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone.
+### Can I opt out of number matching?
+
+Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. Microsoft will enable number matching for all tenants by Feb 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications.
### What happens if a user runs an older version of Microsoft Authenticator?

If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.
+### Why is my user prompted to tap on one out of three numbers instead of entering the number in their Microsoft Authenticator app?
+
+Older versions of Microsoft Authenticator prompt users to tap and select a number instead of entering the number in their Microsoft Authenticator app. These authentications won't fail, but we highly recommend that users update to the latest version of the app to be able to enter the number.
+ ## Next steps
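Review bot: the first bullet under "How should users be prepared for default number matching?" says authentication will fail when the user's Microsoft Authenticator version doesn't support number match, but the new "Why is my user prompted to tap on one out of three numbers" answer says those older-version authentications won't fail; state which versions fail outright and which fall back to tap-to-select so admins know what to expect on February 27, 2023. In the NPS registry override step, the pair is given as "Key: OVERRIDE_NUMBER_MATCHING_WITH_OTP" / "Value = FALSE" without saying what value type the NPS extension reads (string or DWORD), and the two lines use different separators; use a consistent "Key:" / "Value:" pair like the sharedDeviceMode entries elsewhere and name the type. The added lines also carry encoding residue (doesnΓÇÖt, wonΓÇÖt, canΓÇÖt) that should be plain apostrophes before merge.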
active-directory Howto Authentication Passwordless Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md
The [Azure portal](https://portal.azure.com/) now has a passwordless methods wiz
Microsoft's passwordless authentication methods enable many scenarios. Consider your organizational needs, prerequisites, and the capabilities of each authentication method to select your passwordless authentication strategy.
-The following table lists the passwordless authentication methods by device types. Our recommendations are in **bold**.
+The following table lists the passwordless authentication methods by device types. Our recommendations are in ***bold italics***.
| Device types| Passwordless authentication method | | - | - |
-| Dedicated non-windows devices| <li> **Microsoft Authenticator** <li> Security keys |
-| Dedicated Windows 10 computers (version 1703 and later)| <li> **Windows Hello for Business** <li> Security keys |
-| Dedicated Windows 10 computers (before version 1703)| <li> **Windows Hello for Business** <li> Microsoft Authenticator app |
-| Shared devices: tablets, and mobile devices| <li> **Microsoft Authenticator** <li> One-time password sign-in |
-| Kiosks (Legacy)| **Microsoft Authenticator** |
-| Kiosks and shared computers ΓÇÄ(Windows 10)| <li> **Security keys** <li> Microsoft Authenticator app |
+| Dedicated non-windows devices| <li> ***Microsoft Authenticator*** <li> Security keys |
+| Dedicated Windows 10 computers (version 1703 and later)| <li> ***Windows Hello for Business*** <li> Security keys |
+| Dedicated Windows 10 computers (before version 1703)| <li> ***Windows Hello for Business*** <li> Microsoft Authenticator app |
+| Shared devices: tablets, and mobile devices| <li> ***Microsoft Authenticator*** <li> One-time password sign-in |
+| Kiosks (Legacy)| ***Microsoft Authenticator*** |
+| Kiosks and shared computers ΓÇÄ(Windows 10)| <li> ***Security keys*** <li> Microsoft Authenticator app |
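Review bot: the "Kiosks and shared computers ΓÇÄ(Windows 10)" row still carries a stray invisible-character residue before "(Windows 10)" in the rewritten line, and "Dedicated non-windows devices" should read "non-Windows"; fix both while these rows are being touched. The header row and separator also appear on one line here ("| Device types| Passwordless authentication method | | - | - |"); confirm the separator "| - | - |" sits on its own line so the table renders.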
## Prerequisites
active-directory Howto Mfa Getstarted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md
description: Learn about deployment considerations and strategy for successful i
Previously updated : 06/01/2022--- Last updated : 11/04/2022+++
You can monitor authentication method registration and usage across your organiz
The Azure AD sign-in reports include authentication details for events when a user is prompted for MFA, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication.
-NPS extension and AD FS logs can be viewed from **Security** > **MFA** > **Activity report**. Inclusion of this activity in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md) is currently in Preview.
+NPS extension and AD FS logs for cloud MFA activity are now included in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md), and no longer published to **Security** > **MFA** > **Activity report**.
For more information, and additional Azure AD Multi-Factor Authentication reports, see [Review Azure AD Multi-Factor Authentication events](howto-mfa-reporting.md#view-the-azure-ad-sign-ins-report).
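Review bot: the replacement sentence tells readers that NPS extension and AD FS cloud MFA activity is now in the sign-in logs and no longer published to **Security** > **MFA** > **Activity report**, but gives no hint of how those events are identified in the sign-in logs (for example, which authentication method or application they appear under) and no date for the change. Anyone with monitoring or alerting built on the Activity report will see it go quiet; add a sentence or a link to the sign-in log fields that distinguish NPS and AD FS events so they can re-point their queries.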
active-directory Msal Ios Shared Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-ios-shared-devices.md
Previously updated : 03/31/2020 Last updated : 11/03/2022
# Shared device mode for iOS devices
->[!IMPORTANT]
+> [!IMPORTANT]
> This feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)] Frontline workers such as retail associates, flight crew members, and field service workers often use a shared mobile device to perform their work. These shared devices can present security risks if your users share their passwords or PINs, intentionally or not, to access customer and business data on the shared device.
-Shared device mode allows you to configure an iOS 13 or higher device to be more easily and securely shared by employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device and it's immediately ready for use by the next employee.
+Shared device mode allows you to configure an iOS 13 or higher device to be more easily and securely shared by employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device, and it's immediately ready for use by the next employee.
Shared device mode also provides Microsoft identity-backed management of the device.
This feature uses the [Microsoft Authenticator app](https://support.microsoft.co
To create a shared device mode app, developers and cloud device admins work together:
-1. **Application developers** write a single-account app (multiple-account apps are not supported in shared device mode) and write code to handle things like shared device sign-out.
+1. **Application developers** write a single-account app (multiple-account apps aren't supported in shared device mode) and write code to handle things like shared device sign-out.
1. **Device administrators** prepare the device to be shared by using a mobile device management (MDM) provider like Microsoft Intune to manage the devices in their organization. The MDM pushes the Microsoft Authenticator app to the devices and turns on "Shared Mode" for each device through a profile update to the device. This Shared Mode setting is what changes the behavior of the supported apps on the device. This configuration from the MDM provider sets the shared device mode for the device and enables the [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) which is required for shared device mode.
1. [**Required during Public Preview only**] A user with [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator) role must then launch the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) and join their device to the organization.
- To configure the membership of your organizational roles in the Azure portal: **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**
+ To configure the membership of your organizational roles in the Azure portal: **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**
The following sections help you update your application to support shared device mode.
Your device needs to be configured to support shared device mode. It must have i
1. In the Intune Configuration Portal, tell the device to enable the [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) with the following configuration:
- - **Type**: Redirect
- - **Extension ID**: com.microsoft.azureauthenticator.ssoextension
- - **Team ID**: (this field is not needed for iOS)
- - **URLs**:
- - `https://login.microsoftonline.com`
- - `https://login.microsoft.com`
- - `https://sts.windows.net`
- - `https://login.partner.microsoftonline.cn`
- - `https://login.chinacloudapi.cn`
- - `https://login.microsoftonline.de`
- - `https://login.microsoftonline.us`
- - `https://login.usgovcloudapi.net`
- - `https://login-us.microsoftonline.com`
- - **Additional Data to configure**:
- - Key: sharedDeviceMode
- - Type: Boolean
- - Value: true
-
- For more information about configuring with Intune, see the [Intune configuration documentation](/intune/configuration/ios-device-features-settings).
+ - **Type**: Redirect
+ - **Extension ID**: com.microsoft.azureauthenticator.ssoextension
+ - **Team ID**: (this field isn't needed for iOS)
+ - **URLs**:
+ - `https://login.microsoftonline.com`
+ - `https://login.microsoft.com`
+ - `https://sts.windows.net`
+ - `https://login.partner.microsoftonline.cn`
+ - `https://login.chinacloudapi.cn`
+ - `https://login.microsoftonline.de`
+ - `https://login.microsoftonline.us`
+ - `https://login.usgovcloudapi.net`
+ - `https://login-us.microsoftonline.com`
+ - **Additional Data to configure**:
+ - Key: sharedDeviceMode
+ - Type: Boolean
+ - Value: true
+
+ For more information about configuring with Intune, see the [Intune configuration documentation](/intune/configuration/ios-device-features-settings).
1. Next, configure your MDM to push the Microsoft Authenticator app to your device through an MDM profile.
- Set the following configuration options to turn on Shared Device mode:
+ Set the following configuration options to turn on Shared Device mode:
- - Configuration 1:
- - Key: sharedDeviceMode
- - Type: Boolean
- - Value: true
+ - Configuration 1:
+ - Key: sharedDeviceMode
+ - Type: Boolean
+ - Value: true
## Modify your iOS application to support shared device mode

Your users depend on you to ensure their data isn't leaked to another user. The following sections provide helpful signals to indicate to your application that a change has occurred and should be handled.
-You are responsible for checking the state of the user on the device every time your app is used, and then clearing the previous user's data. This includes if it is reloaded from the background in multi-tasking.
+You're responsible for checking the state of the user on the device every time your app is used, and then clearing the previous user's data. This includes if it's reloaded from the background in multi-tasking.
On a user change, you should ensure both the previous user's data is cleared and that any cached data being displayed in your application is removed. We highly recommend you and your company conduct a security review process after updating your app to support shared device mode.
application.getDeviceInformation(with: nil, completionBlock: { (deviceInformatio
### Get the signed-in user and determine if a user has changed on the device
-Another important part of supporting shared device mode is determining the state of the user on the device and clearing application data if a user has changed or if there is no user at all on the device. You are responsible for ensuring data isn't leaked to another user.
+Another important part of supporting shared device mode is determining the state of the user on the device and clearing application data if a user has changed or if there's no user at all on the device. You're responsible for ensuring data isn't leaked to another user.
You can use `getCurrentAccountWithParameters:completionBlock:` API to query the currently signed-in account on the device.
parameters.loginHint = self.loginHintTextField.text;
### Globally sign out a user
-The following code removes the signed-in account and clears cached tokens from not only the app, but also from the device that's in shared device mode. It does not, however, clear the *data* from your application. You must clear the data from your application, as well as clear any cached data your application may be displaying to the user.
-
-#### Clear browser state
-
-> [!NOTE]
-> The following step is required only during public preview.
-
-In this public preview version, the [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) clears state only for applications. It does not clear state on the Safari browser. We recommend you manually clear browser session to ensure no traces of user state are left behind. You can use the optional `signoutFromBrowser` property shown below to clear any cookies. This will cause the browser to briefly launch on the device.
+The following code removes the signed-in account and clears cached tokens from not only the app, but also from the device that's in shared device mode. It doesn't, however, clear the _data_ from your application. You must clear the data from your application, as well as clear any cached data your application may be displaying to the user.
#### Swift
In this public preview version, the [Microsoft Enterprise SSO plug-in for Apple
let account = .... /* account retrieved above */ let signoutParameters = MSALSignoutParameters(webviewParameters: self.webViewParamaters!)
-signoutParameters.signoutFromBrowser = true // Only needed for Public Preview.
+signoutParameters.signoutFromBrowser = true // To trigger a browser signout in Safari.
application.signout(with: account, signoutParameters: signoutParameters, completionBlock: {(success, error) in- if let error = error {+ // Signout failed+ return+ } // Sign out completed successfully+ }) ```
application.signout(with: account, signoutParameters: signoutParameters, complet
MSALAccount *account = ... /* account retrieved above */; MSALSignoutParameters *signoutParameters = [[MSALSignoutParameters alloc] initWithWebviewParameters:webViewParameters];
-signoutParameters.signoutFromBrowser = YES; // Only needed for Public Preview.
+
+signoutParameters.signoutFromBrowser = YES; // To trigger a browser signout in Safari.
[application signoutWithAccount:account signoutParameters:signoutParameters completionBlock:^(BOOL success, NSError * _Nullable error)+ {+ if (!success)+ {+ // Signout failed+ return;+ } // Sign out completed successfully+ }]; ```
+The [Microsoft Enterprise SSO plug-in for Apple devices](apple-sso-plugin.md) clears state only for applications. It doesn't clear state on the Safari browser. You can use the optional signoutFromBrowser property shown in code snippets above to trigger a browser signout in Safari. This will cause the browser to briefly launch on the device.
+
+### Receive broadcast to detect global sign out initiated from other applications
+
+To receive the account change broadcast, you'll need to register a broadcast receiver. When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It's recommended to properly stop any operations and do data cleanup.
+
+The following code snippet shows how you could register a broadcast receiver.
+
+```objectivec
+NSString *const MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY = @"SHARED_MODE_CURRENT_ACCOUNT_CHANGED";
+
+- (void) registerDarwinNotificationListenerΓÇ»
+
+{ΓÇ»
+
+   CFNotificationCenterRef center =
+
+ CFNotificationCenterGetDarwinNotifyCenter();ΓÇ»
+
+   CFNotificationCenterAddObserver(center, nil,
+
+ sharedModeAccountChangedCallback,
+
+ (CFStringRef)MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY,ΓÇ»
+
+ nil, CFNotificationSuspensionBehaviorDeliverImmediately);ΓÇ»
+
+}ΓÇ»
+
+// CFNotificationCallbacks used specifically for Darwin notifications leave userInfo unusedΓÇ»
+
+void sharedModeAccountChangedCallback(CFNotificationCenterRef center, void * observer, CFStringRef name, void const * object, __unused CFDictionaryRef userInfo) 
+
+{ΓÇ»
+
+    // Invoke account cleanup logic here 
+
+}ΓÇ»
+```
+
+For more information about the available options for CFNotificationAddObserver or to see the corresponding method signatures in Swift, see:
+
+- [CFNotificationAddObserver](https://developer.apple.com/documentation/corefoundation/1543316-cfnotificationcenteraddobserver?language=objc)
+- [CFNotificationCallback](https://developer.apple.com/documentation/corefoundation/cfnotificationcallback?language=objc)
+
+For iOS, your app will require a background permission to remain active in the background and listen to Darwin notifications. The background capability must be added to support a different background operation ΓÇô your app may be subject to rejection from the Apple App Store if it has a background capability only to listen for Darwin notifications. If your app is already configured to complete background operations, you can add the listener as part of that operation. For more information about iOS background capabilities, see [Configuring background execution modes](https://developer.apple.com/documentation/xcode/configuring-background-execution-modes)
+ ## Next steps To see shared device mode in action, the following code sample on GitHub includes an example of running a frontline worker app on an iOS device in shared device mode:
-[MSAL iOS Swift Microsoft Graph API Sample](https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc)
+[MSAL iOS Swift Microsoft Graph API Sample](https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc)
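Review bot: the new Objective-C snippet passes sharedModeAccountChangedCallback to CFNotificationCenterAddObserver inside registerDarwinNotificationListener before that function is defined, so it won't compile as pasted; add a forward declaration of the callback (or move its definition above the registration method). The prose below the snippet refers to "CFNotificationAddObserver", while the call in the code and the linked Apple page are for CFNotificationCenterAddObserver; align the name. The code lines also end with a non-breaking-space residue (ΓÇ») that will be copied into readers' source, and "broadcast receiver" is Android wording; on iOS this is a Darwin notification observer. On the sign-out change: the removed "Clear browser state" note flagged the Safari caveat as public-preview-only, but the new paragraph keeps the signoutFromBrowser guidance without that qualifier, so confirm the Safari state caveat still applies after preview. Minor: the Swift snippet's `self.webViewParamaters!` is misspelled (`webViewParameters`).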
active-directory Troubleshoot Publisher Verification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-publisher-verification.md
If you're unable to complete the process or are experiencing unexpected behavior
1. Review the [requirements](publisher-verification-overview.md#requirements) and ensure they've all been met.
-1. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully.
+2. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully.
-1. Review the list of [common issues](#common-issues).
+3. Review the list of [common issues](#common-issues).
-1. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI.
+4. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI.
## Common Issues Below are some common issues that may occur during the process. -- **I donΓÇÖt know my Microsoft Partner Network ID (MPN ID) or I donΓÇÖt know who the primary contact for the account is**
- 1. Navigate to the [MPN enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new)
- 1. Sign in with a user account in the org's primary Azure AD tenant
- 1. If an MPN account already exists, this will be recognized and you'll be added to the account
- 1. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed
+- **I donΓÇÖt know my Microsoft Partner Network ID (MPN ID) or I donΓÇÖt know who the primary contact for the account is.**
+ 1. Navigate to the [MPN enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new).
+ 2. Sign in with a user account in the org's primary Azure AD tenant.
+ 3. If an MPN account already exists, this will be recognized and you'll be added to the account.
+ 4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed.
- **I donΓÇÖt know who my Azure AD Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?**
- 1. Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant
- 1. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators)
- 1. Select the desired admin role
- 1. The list of users assigned that role will be displayed
+ 1. Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant.
+ 2. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators).
+ 3. Select the desired admin role.
+ 4. The list of users assigned that role will be displayed.
- **I don't know who the admin(s) for my MPN account are** Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles.
Below are some common issues that may occur during the process.
1. Go to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that:
   - The MPN ID is correct.
   - There are no errors or "pending actions" shown, and the verification status under Legal business profile and Partner info both say "authorized" or "success".
- 1. Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the instructions [here](/partner-center/multi-tenant-account). Be aware that all Global Admins of any tenant you add will be granted Global Admin privileges on your Partner Center account.
- 1. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Admin, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions [here](/partner-center/create-user-accounts-and-set-permissions).
+ 2. Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the instructions [here](/partner-center/multi-tenant-account). Be aware that all Global Admins of any tenant you add will be granted Global Admin privileges on your Partner Center account.
+ 3. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Admin, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions [here](/partner-center/create-user-accounts-and-set-permissions).
- **When I sign into the Azure AD portal, I do not see any apps registered. Why?** Your app registrations may have been created using a different user account in this tenant, a personal/consumer account, or in a different tenant. Ensure you're signed in with the correct account in the tenant where your app registrations were created. - **I'm getting an error related to multi-factor authentication. What should I do?** Ensure [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) is enabled and **required** for the user you're signing in with and for this scenario. For example, MFA could be:
- - Always required for the user you're signing in with
+ - Always required for the user you're signing in with.
- [Required for Azure management](../conditional-access/howto-conditional-access-policy-azure-management.md). - [Required for the type of administrator](../conditional-access/howto-conditional-access-policy-admin-mfa.md) you're signing in with.
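Review bot: the renumbering from repeated "1." to explicit "2.", "3.", "4." in these troubleshooting lists is inconsistent with the rest of this docs set, which uses "1." for every item and lets Markdown number them (see the NPS registry steps elsewhere in this update); pick one convention. Also, the tenant-management step's warning that every Global Admin of any tenant you add is granted Global Admin on your Partner Center account is the most consequential line in the list and is easy to miss mid-step; consider pulling it into its own `> [!IMPORTANT]` block, the same style already used on this page.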
Most commonly caused by the wrong MPN ID being provided.
The target application (`AppId`) can't be found. Provide a valid application ID and try again.
-Most commonly caused when verification is being performed via Graph API, and the ID of the application provided is incorrect. Note- the ID of the application must be provided, not the AppId/ClientId.
+Most commonly caused when verification is being performed via Graph API, and the ID of the application provided is incorrect. Note that the ID of the application must be provided, not the AppId/ClientId.
+
+### ApplicationObjectisInvalid
+
+The target application's object ID is invalid. Please provide a valid ID and try again.
+
+Most commonly caused when the verification is being performed via Graph API, and the ID of the application provided does not exist.
+
+> [!NOTE]
+> The Object ID of the application must be provided, not the AppId/ClientId. See "id" on the list of application properties at [application resource type - Microsoft Graph v1.0 | Microsoft Learn](/graph/api/resources/application).
+
+
### B2CTenantNotAllowed
Occurs when a [Publisher Domain](howto-configure-publisher-domain.md) isn't conf
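Review bot: the new ApplicationObjectisInvalid section says the cause is an application ID that "does not exist", while the section above it says the ID provided is "incorrect", and both then repeat the same note that the object ID, not the AppId/ClientId, is required; readers can't tell which error a malformed ID produces versus a well-formed ID that matches no object. Make the distinction explicit in each section's first sentence rather than repeating the note. The heading casing ("ObjectisInvalid") should also be checked against the literal error code returned by the API, and there is a stray double blank line before B2CTenantNotAllowed.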
### PublisherDomainMismatch
-The target application's Publisher Domain (`publisherDomain`) doesn't match the domain used to perform email verification in Partner Center (`pcDomain`). Ensure these domains match and try again.
+The target application's Publisher Domain (`publisherDomain`) either doesn't match the domain used to perform email verification in Partner Center (`pcDomain`) or has not been verified. Ensure these domains match and have been verified then try again.
-Occurs when neither the app's [Publisher Domain](howto-configure-publisher-domain.md) nor one of the [custom domains](../fundamentals/add-custom-domain.md) added to the Azure AD tenant match the domain used to perform email verification in Partner Center.
+Occurs when neither the app's [Publisher Domain](howto-configure-publisher-domain.md) nor one of the [custom domains](../fundamentals/add-custom-domain.md) added to the Azure AD tenant match the domain used to perform email verification in Partner Center or has not been verified.
+
+See [requirements](publisher-verification-overview.md) for a list of allowed domain or sub-domain matches.
### NotAuthorizedToVerifyPublisher
-You aren't authorized to set the verified publisher property on application (<`AppId`)
+You aren't authorized to set the verified publisher property on application (<`AppId`).
Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information.
Most commonly caused by the signed-in user not being a member of the proper role
The MPN ID wasn't provided in the request body or the request content type wasn't "application/json".
+Most commonly caused when the verification is being performed via Graph API, and the MPN ID wasnΓÇÖt provided in the request.
+ ### MSANotSupported This feature isn't supported for Microsoft consumer accounts. Only applications registered in Azure AD by an Azure AD user are supported.
+Occurs when a consumer account (Hotmail, Messenger, OneDrive, MSN, Xbox Live, or Microsoft 365).
+ ### InteractionRequired
-Occurs when multi-factor authentication hasn't been performed before attempting to add a verified publisher to the app. See [common issues](#common-issues) for more information. Note: MFA must be performed in the same session when attempting to add a verified publisher. If MFA is enabled but not required to be performed in the session, the request will fail.
+Occurs when multi-factor authentication (MFA) hasn't been enabled and performed before attempting to add a verified publisher to the app. See [common issues](#common-issues) for more information. Note: MFA must be performed in the same session when attempting to add a verified publisher. If MFA is enabled but not required to be performed in the session, the request will fail.
The error message displayed will be: "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to proceed."
-### UnableToAddPublisher
+### UserUnableToAddPublisher
-One of these error messages are displayed: "A verified publisher canΓÇÖt be added to this application. Contact your administrator for assistance.", or "You're unable to add a verified publisher to this application. Contact your administrator for assistance."
+When a request to add a verified publisher is made, many signals are used to make a security risk assessment. If the user risk state is determined to be ΓÇÿAtRiskΓÇÖ, an error, ΓÇ£You're unable to add a verified publisher to this application. Contact your administrator for assistanceΓÇ¥ will be returned. Please investigate the user risk and take the appropriate steps to remediate the risk (guidance below):
-First, verify you've met the [publisher verification requirements](publisher-verification-overview.md#requirements).
+> [Investigate risk](/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users)
-> [!NOTE]
-> If you've met the publisher verification requirements and are still having issues, try using an existing or newly created user with similar permissions.
+> [Remediate risk/unblock users](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock)
+
+> [Self-remediation guidance](/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock)
+
+> Self-serve password reset (SSPR): If the organization allows SSPR, use aka.ms/sspr to reset the password for remediation. Please choose a strong password; Choosing a weak password may not reset the risk state.
+
+> [!NOTE]
+> Please give some time after remediation for the risk state to update, and then try again.
+
+### UnableToAddPublisher
When a request to add a verified publisher is made, many signals are used to make a security risk assessment. If the request is determined to be risky an error will be returned. For security reasons, Microsoft doesn't disclose the specific criteria used to determine whether a request is risky or not. If you received this error and believe the "risky" assessment is incorrect, try waiting and resubmitting the verification request. Some customers have reported success after multiple attempts. + ## Next steps If you've reviewed all of the previous information and are still receiving an error from Microsoft Graph, gather as much of the following information as possible related to the failing request and [contact Microsoft support](developer-support-help-options.md#create-an-azure-support-request).
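Review bot: the removed line L300 documented two messages, "A verified publisher can't be added to this application" and "You're unable to add a verified publisher to this application", but the new `UserUnableToAddPublisher` section (L301) maps only the second one to the `AtRisk` user risk state, and the first message is no longer described anywhere in this hunk; either keep it under `UnableToAddPublisher` (L315-L316) or state that both messages arise from the same assessment. L303-L313 use `>` blockquotes for what is a list of links; a bulleted list is the right structure, and L306 and L308 link the same URL under two titles ("Remediate risk/unblock users" and "Self-remediation guidance"), so one should be dropped or pointed at its own anchor. L310 leaves `aka.ms/sspr` as bare text rather than a link and capitalizes "Choosing" after a semicolon. L292 and L294 put a space before `###`, which can keep the headings from rendering, and L293 is missing its verb ("Occurs when a consumer account (...) is used"). The added text also uses curly quotes and apostrophes (L291, L301, L310) where the rest of the file uses straight ASCII ones.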
active-directory Tutorial V2 Shared Device Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-shared-device-mode.md
Previously updated : 1/15/2020 Last updated : 11/03/2022
In this tutorial, Android developers and Azure Active Directory (Azure AD) tenan
In this tutorial: > [!div class="checklist"]
-> * Download a code sample
-> * Enable and detect shared-device mode
-> * Detect single or multiple account mode
-> * Detect a user switch, and enable global sign-in and sign-out
-> * Set up tenant and register the application in the Azure portal
-> * Set up an Android device in shared-device mode
-> * Run the sample app
+>
+> - Download a code sample
+> - Enable and detect shared-device mode
+> - Detect single or multiple account mode
+> - Detect a user switch, and enable global sign-in and sign-out
+> - Set up tenant and register the application in the Azure portal
+> - Set up an Android device in shared-device mode
+> - Run the sample app
## Prerequisites
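Review bot: L333 "Set up tenant and register the application" should read "Set up a tenant"; it was wrong before the change too, but this hunk rewrites the line. Switching the markers from `*` to `-` (L329-L335) is fine provided the other lists in this file use `-` as well.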
Here's an example of the auth_config.json file included in the **app**>**main**>
```json {
- "client_id":"Client ID after app registration at https://aka.ms/MobileAppReg",
- "authorization_user_agent":"DEFAULT",
- "redirect_uri":"Redirect URI after app registration at https://aka.ms/MobileAppReg",
- "account_mode":"SINGLE",
- "broker_redirect_uri_registered": true,
- "shared_device_mode_supported": true,
- "authorities":[
- {
- "type":"AAD",
- "audience":{
- "type": "AzureADandPersonalMicrosoftAccount",
- "tenant_id":"common"
- }
- }
- ]
+ "client_id": "Client ID after app registration at https://aka.ms/MobileAppReg",
+ "authorization_user_agent": "DEFAULT",
+ "redirect_uri": "Redirect URI after app registration at https://aka.ms/MobileAppReg",
+ "account_mode": "SINGLE",
+ "broker_redirect_uri_registered": true,
+ "shared_device_mode_supported": true,
+ "authorities": [
+ {
+ "type": "AAD",
+ "audience": {
+ "type": "AzureADandPersonalMicrosoftAccount",
+ "tenant_id": "common"
+ }
+ }
+ ]
} ```
Shared-device mode allows you to configure Android devices to be shared by multi
Use `isSharedDevice()` to determine if an app is running on a device that is in shared-device mode. Your app could use this flag to determine if it should modify UX accordingly.
-Here's a code snippet that shows how you could use `isSharedDevice()`. It's from the `SingleAccountModeFragment` class in the sample app:
+Here's a code snippet that shows how you could use `isSharedDevice()`. It's from the `SingleAccountModeFragment` class in the sample app:
```Java deviceModeTextView.setText(mSingleAccountApp.isSharedDevice() ? "Shared" : "Non-Shared");
private void onSignOutClicked()
} ```
+### Receive broadcast to detect global sign out initiated from other applications
+
+To receive the account change broadcast, you'll need to register a broadcast receiver.ΓÇ» ItΓÇÖs recommended to register your broadcast receiver via the [Context-registered receivers](https://developer.android.com/guide/components/broadcasts#context-registered-receivers).
+
+When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It is recommended to properly stop any operations and do data cleanup.
+
+The following code snippet shows how you could register a broadcast receiver.
+
+```java
+private static final String CURRENT_ACCOUNT_CHANGED_BROADCAST_IDENTIFIER = "com.microsoft.identity.client.sharedmode.CURRENT_ACCOUNT_CHANGED";
+private BroadcastReceiver mAccountChangedBroadcastReceiver;
+private void registerAccountChangeBroadcastReceiver(){
+    mAccountChangedBroadcastReceiver = new BroadcastReceiver() {
+        @Override
+        public void onReceive(Context context, Intent intent) {
+            //INVOKE YOUR PRIOR ACCOUNT CLEAN UP LOGIC HERE      
+        }
+    };
+    IntentFilter filter = new
+
+ IntentFilter(CURRENT_ACCOUNT_CHANGED_BROADCAST_IDENTIFIER);
+    this.registerReceiver(mAccountChangedBroadcastReceiver, filter);
+}
+```
+ ## Administrator guide The following steps describe setting up your application in the Azure portal and putting your device into shared-device mode.
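Review bot: the handler comment on L392 tells the reader to invoke account cleanup directly, but L381 says to first get the signed-in user and determine whether it changed; the snippet should show that check, and only clean up when MSAL reports a different account, because a broadcast for a custom action like this can be sent by other apps on the device unless the receiver is restricted, so the intent alone is not evidence that the account changed. Newer Android versions also let `registerReceiver` take an exported/not-exported flag; set it explicitly here. Pair the `registerReceiver` call on L398 with `unregisterReceiver(mAccountChangedBroadcastReceiver)` in the matching lifecycle callback so the receiver is not leaked. Formatting: L395-L397 split `new` and `IntentFilter(...)` across a blank line; write `IntentFilter filter = new IntentFilter(CURRENT_ACCOUNT_CHANGED_BROADCAST_IDENTIFIER);` on one line. L392 has trailing whitespace, L379 contains a non-breaking space and a curly apostrophe, L381 needs "for the previously signed-in account", and L401 has a space before `## Administrator guide`, which can break the heading.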
The device is now in shared mode.
:::image type="content" source="media/tutorial-v2-shared-device-mode/shared-device-mode-screen.png" alt-text="App screen showing shared device mode enabled":::
- Any sign-ins and sign-outs on the device will be global, meaning they apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features.
+Any sign-ins and sign-outs on the device will be global, meaning they apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features.
## View the shared device in the Azure portal
active-directory Secure With Azure Ad Resource Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-resource-management.md
In a Microsoft Customer Agreement, billing roles come from a single Azure AD ten
## RBAC and role assignments in Azure
-In the Azure AD Fundamentals section, you learned Azure RBAC is the authorization system that provides fine-grained access management to Azure resources, and includes many [built-in roles]../../role-based-access-control/built-in-roles.md). You can create [custom roles](../../role-based-access-control/custom-roles.md), and assign roles at different scopes. Permissions are enforced by assigning RBAC roles to objects requesting access to Azure resources.
+In the Azure AD Fundamentals section, you learned Azure RBAC is the authorization system that provides fine-grained access management to Azure resources, and includes many [built-in roles](../../role-based-access-control/built-in-roles.md). You can create [custom roles](../../role-based-access-control/custom-roles.md), and assign roles at different scopes. Permissions are enforced by assigning RBAC roles to objects requesting access to Azure resources.
Azure AD roles operate on concepts like [Azure role-based access control](../../role-based-access-control/overview.md). The [difference between these two role-based access control systems](../../role-based-access-control/rbac-and-directory-admin-roles.md) is that Azure RBAC uses Azure Resource Management to control access to Azure resources such as virtual machines or storage, and Azure AD roles control access to Azure AD, applications, and Microsoft services such as Office 365.
active-directory Pim Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-configure.md
Previously updated : 07/29/2022 Last updated : 11/4/2022 --++ # What is Azure AD Privileged Identity Management?
- Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video introduces you to important PIM concepts and features.
+ Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video explains important PIM concepts and features.
<br><br> > [!VIDEO https://www.youtube.com/embed/f-0K7mRUPpQ]
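Review bot: the `Last updated` value on L414 is `11/4/2022` while the other articles in this batch use the zero-padded `11/04/2022`; use the same format. The wording change on L416 ("explains" for "introduces you to") is fine.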
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/permissions-reference.md
Previously updated : 10/30/2022 Last updated : 11/04/2022
Users with this role have read access to recipients and write access to the attr
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | microsoft.office365.exchange/allRecipients/allProperties/allTasks | Create and delete all recipients, and read and update all properties of recipients in Exchange Online |
+> | microsoft.office365.exchange/recipients/allProperties/allTasks | Create and delete all recipients, and read and update all properties of recipients in Exchange Online |
> | microsoft.office365.exchange/migration/allProperties/allTasks | Manage all tasks related to migration of recipients in Exchange Online | ## External ID User Flow Administrator
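Review bot: L423 renames the action from `microsoft.office365.exchange/allRecipients/allProperties/allTasks` to `microsoft.office365.exchange/recipients/allProperties/allTasks`; make sure every other role table in this file that lists the Exchange recipients action uses the same string, so the two spellings do not coexist.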
Users with this role can manage alerts and have global read-only access on secur
| [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) | All permissions of the Security Reader role<br>Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords and configuring alert e-mails. | | [Privileged Identity Management](../privileged-identity-management/pim-configure.md) | All permissions of the Security Reader role | | [Office 365 Security & Compliance Center](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d) | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts |
-| [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/prepare-deployment) | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts |
+| [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/prepare-deployment) | All permissions of the Security Reader role<br/>View, investigate, and respond to security alerts<br/>When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role. |
| [Intune](/intune/role-based-access-control) | All permissions of the Security Reader role | | [Microsoft Defender for Cloud Apps](/defender-cloud-apps/manage-admins) | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts | | [Microsoft 365 service health](/microsoft-365/enterprise/view-service-health) | View the health of Microsoft 365 services |
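Review bot: L428 sits in the Security Operator table (L425), yet the caveat it adds says "users with read-only permissions such as the Security Reader role lose access"; in this table it should say which roles lose access to Microsoft Defender for Endpoint when RBAC is turned on there, or it will read as if it applies only to Security Reader. L428 also switches to `<br/>` while the neighbouring rows on L426 and L429 use `<br>`; pick one.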
In | Can do
Identity Protection Center | Read all security reports and settings information for security features<br><ul><li>Anti-spam<li>Encryption<li>Data loss prevention<li>Anti-malware<li>Advanced threat protection<li>Anti-phishing<li>Mail flow rules [Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: Policies and reports for Azure AD role assignments and security reviews.<br>**Cannot** sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator), if the user is eligible for them. [Office 365 Security & Compliance Center](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d) | View security policies<br>View and investigate security threats<br>View reports
-[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/prepare-deployment) | View and investigate alerts. When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Azure AD Security Reader role lose access until they are assigned to a Microsoft Defender for Endpoint role.
+[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/prepare-deployment) | View and investigate alerts<br/>When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they are assigned a Microsoft Defender for Endpoint role.
[Intune](/intune/role-based-access-control) | Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune. [Microsoft Defender for Cloud Apps](/defender-cloud-apps/manage-admins) | Has read permissions. [Microsoft 365 service health](/office365/enterprise/view-service-health) | View the health of Microsoft 365 services
Users in this role can manage all aspects of the Microsoft Teams workload via th
> | microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams | > | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy | > | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
-> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
-> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
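Review bot: L443 keeps `microsoft.directory/crossTenantAccessPolicy/partners/create` while L444 removes `.../partners/delete`, so Teams Administrator is documented as able to create partner cross-tenant access policies but not delete them; confirm that asymmetry matches the role definition. The hunk removes the `basic/update`, `b2bCollaboration/update`, `b2bDirectConnect/update` and `tenantRestrictions/update` actions (L437, L439-L440, L442, L446-L447, L449) without any mention of the change; if the built-in role actually lost these permissions, that is worth a sentence for admins who relied on them.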
## Teams Communications Administrator
active-directory Contentkalender Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/contentkalender-tutorial.md
Previously updated : 10/10/2022 Last updated : 11/04/2022
In this tutorial, you'll learn how to integrate Contentkalender with Azure Activ
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Contentkalender single sign-on (SSO) enabled subscription.
+* Contentkalender single sign-on (SSO) enabled subscription (contact Contentkalender [customer service](mailto:info@contentkalender.nl)).
* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD. For more information, see [Azure built-in roles](../roles/permissions-reference.md).
Follow these steps to enable Azure AD SSO in the Azure portal.
| **Identifier** | || | `https://login.contentkalender.nl` |
- | `https://login.decontentkalender.be` |
- | `https://contentkalender-acc.bettywebblocks.com/` |
+ | `https://contentkalender-acc.bettywebblocks.com/` (only for testing purposes)|
b. In the **Reply URL** text box, type one of the following URLs: | **Reply URL** | |--| | `https://login.contentkalender.nl/sso/saml/callback` |
- | `https://login.decontentkalender.be/sso/saml/callback` |
- | `https://contentkalender-acc.bettywebblocks.com/sso/saml/callback` |
+ | `https://contentkalender-acc.bettywebblocks.com/sso/saml/callback` (only for testing purposes)|
c. In the **Sign-on URL** text box, type the URL:
- `https://contentkalender-acc.bettywebblocks.com/v2/login`
+ `https://login.contentkalender.nl/v2/login`
1. Your Contentkalender application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Contentkalender expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
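Review bot: L462 and L466 keep the `contentkalender-acc.bettywebblocks.com` identifier and reply URL in the production configuration with "(only for testing purposes)"; a separate enterprise application for the acceptance environment would keep test reply URLs out of the production app, since any reply URL listed here is one the IdP will post assertions to. Both lines also need a space before the closing `|`. The removal of the `login.decontentkalender.be` identifier and reply URL (L460, L464) and the new sign-on URL on L469 are otherwise consistent with each other.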
active-directory Iqualify Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/iqualify-tutorial.md
Previously updated : 06/21/2022 Last updated : 11/04/2022 # Tutorial: Azure AD SSO integration with iQualify LMS
Follow these steps to enable Azure AD SSO in the Azure portal.
| Name | Source Attribute| | | |
- | email | user.userprincipalname |
+ | email | user.mail |
| first_name | user.givenname | | last_name | user.surname | | person_id | "your attribute" |
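Review bot: L476 switches the `email` claim source from `user.userprincipalname` to `user.mail`; `user.mail` is empty for users whose mail attribute is not populated, which leaves the claim blank and breaks sign-in for them. Add a sentence that the attribute must be set for every user, or name the fallback to use.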
active-directory Tendium Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tendium-tutorial.md
Previously updated : 06/14/2022 Last updated : 11/04/2022
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Tendium SSO
-To configure single sign-on on **Tendium** side, you need to send the **App Federation Metadata Url** to [Tendium support team](mailto:tech-partners@tendium.com). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Tendium** side, you need to send the **App Federation Metadata Url** to [Tendium support team](mailto:tech-partners@tendium.com). They set this setting to have the SAML SSO connection set properly on both sides.You can also contact Tendium [here](https://tendium.ai/contact/) for more information.
### Create Tendium test user
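Review bot: L483 is missing a space after the period in "both sides.You can also contact Tendium".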
active-directory Timetabling Solutions Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/timetabling-solutions-tutorial.md
Previously updated : 06/16/2022 Last updated : 06/04/2022
To configure the integration of Timetabling Solutions into Azure AD, you need to
1. In the **Add from the gallery** section, type **Timetabling Solutions** in the search box. 1. Select **Timetabling Solutions** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
- ## Configure and test Azure AD SSO for Timetabling Solutions Configure and test Azure AD SSO with Timetabling Solutions using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Timetabling Solutions.
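Review bot: L490 removes the `## Configure and test Azure AD SSO for Timetabling Solutions` heading and its introduction with no replacement in the hunk, which leaves the subsections that followed it (the SSO configuration steps) hanging under the gallery section; keep the heading unless it is re-added elsewhere. L489 drops the Enterprise App Configuration Wizard paragraph, which is fine if that is the new template. Separately, L486 records `Last updated : 06/04/2022`, earlier than the `Previously updated : 06/16/2022` it replaces; this looks like a typo for 11/04/2022.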
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Timetabling Solutions SSO
-To configure single sign-on on **Timetabling Solutions** side, you need to send the **Thumbprint Value** and appropriate copied URLs from Azure portal to [Timetabling Solutions support team](https://www.timetabling.com.au/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
+In this section, you'll populate the relevant SSO values in the Timetabling Solutions Administration Console.
+
+1. In the [Administration Console](https://admin.timetabling.education/), select **5 Settings**, and then select the **SAML SSO** tab.
+1. Perform the following steps in the **SAML SSO** section:
+
+ ![Screenshot for SSO settings.](./media/timetabling-solutions-tutorial/timetabling-configuration.png)
+
+ a. Enable SAML Integration.
+
+ b. In the **SAML Login Path** textbox, paste the **Login URL** value, which you have copied from the Azure portal.
+
+ c. In the **SAML Logout Path** textbox, paste the **Logout URL** value, which you have copied from the Azure portal.
+
+ d. In the **SAML Certificate Fingerprint** textbox, paste the **Thumbprint Value**, which you have copied from the Azure portal.
-### Create Timetabling Solutions test user
+ e. Enter the **Custom Domain** name.
+
+ f. **Save** the settings.
-In this section, you create a user called Britta Simon in Timetabling Solutions. Work with [Timetabling Solutions support team](https://www.timetabling.com.au/contact-us/) to add the users in the Timetabling Solutions platform. Users must be created and activated before you use single sign-on.
+
+## Create Timetabling Solutions test user
+
+In this section, you create a user called Britta Simon in the Timetabling Solutions Administration Console.
+
+1. In the [Administration Console](https://admin.timetabling.education/), select **1 Manage Users**, and click **Add**.
+2. Enter the mandatory fields **First Name**, **Family Name** and **Email Address**. Add other appropriate values in the non-mandatory fields.
+3. Ensure **Online** is active in Status.
+4. Click **Save and Next**.
++
+> [!NOTE]
+> Work with [Timetabling Solutions support team](https://www.timetabling.com.au/contact-us/) to add the users in the Timetabling Solutions platform. Users must be created and activated before you use single sign-on.
## Test SSO
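Review bot: L514 changes the test-user heading from `###` (L508) to `##`, which makes "Create Timetabling Solutions test user" a sibling of "Configure Timetabling Solutions SSO" rather than a subsection of it; restore `###`. L522 is a stray `++`. The list on L518-L521 numbers its items `1.`, `2.`, `3.`, `4.` while L496-L497 use the repeated `1.` style; use one convention. L501 "Enable SAML Integration" names a UI control without the bold used for the other fields on L503-L509. The note on L524 still tells admins to work with the support team to add users, right after L516-L521 describe adding them in the Administration Console; state when support is needed (for example, bulk creation) or drop the note.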
active-directory Nist Authenticator Assurance Level 3 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/nist-authenticator-assurance-level-3.md
Microsoft offers authentication methods that enable you to meet required NIST au
| FIDO2 security key<br>or<br> Smart card (Active Directory Federation Services [AD FS])<br>or<br>Windows Hello for Business with hardware TPM| Multifactor cryptographic hardware | | **Additional methods**| | | Password<br> and<br>(Hybrid Azure AD joined with hardware TPM <br>or <br> Azure AD joined with hardware TPM)| Memorized secret<br>and<br> Single-factor cryptographic hardware |
-| Password <br>and<br>Single-factor one-time password hardware (from an OTP manufacturer) <br>and<br>(Hybrid Azure AD joined with software TPM <br>or <br> Azure AD joined with software TPM <br>or<br> Compliant managed device)| Memorized secret <br>and<br>Single-factor one-time password hardware<br> and<br>Single-factor cryptographic software |
+| Password <br>and<br>Single-factor one-time password hardware (from an OTP manufacturer) <br>and<br>(Hybrid Azure AD joined with software TPM <br>or <br> Azure AD joined with software TPM <br>or<br> [Compliant managed device](https://learn.microsoft.com/mem/intune/protect/device-compliance-get-started))| Memorized secret <br>and<br>Single-factor one-time password hardware<br> and<br>Single-factor cryptographic software |
### Our recommendations
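Review bot: L530 links "Compliant managed device" with an absolute `https://learn.microsoft.com/mem/...` URL; the docs elsewhere in this batch use site-relative links (for example `/microsoft-365/security/defender-endpoint/prepare-deployment` on L428), so use `/mem/intune/protect/device-compliance-get-started`.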
active-directory Partner Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/partner-gallery.md
To be considered into Entra Verified ID partner documentation, submit your appli
|![Screenshot of au10tix logo.](media/partner-gallery/au10tix.png) | [AU10TIX](https://www.au10tix.com/solutions/microsoft-azure-active-directory-verifiable-credentials-program) improves Verifiability While Protecting Privacy For Businesses, Employees, Contractors, Vendors, And Customers. | [Configure Verified ID by AU10TIX as your Identity Verification Partner](https://aka.ms/au10tixvc). | | ![Screenshot of a LexisNexis logo.](media/partner-gallery/lexisnexis.png) | [LexisNexis](https://solutions.risk.lexisnexis.com/did-microsoft) risk solutions Verifiable credentials enables faster onboarding for employees, students, citizens, or others to access services. | [Configure Verified ID by LexisNexis Risk Solutions as your Identity Verification Partner](https://aka.ms/lexisnexisvc). | | ![Screenshot of a Vu logo.](medi) |
-| ![Screenshot of a Onfido logo.](media/partner-gallery/onfido.jpeg) | [Onfido](https://onfido.com/landing/onfido-microsoft-idv-service/) Start issuing and accepting verifiable credentials in minutes. With verifiable credentials and Onfido you can verify a personΓÇÖs identity while respecting privacy. Digitally validate information on a personΓÇÖs ID or their biometrics.| * |
+| ![Screenshot of a Onfido logo.](media/partner-gallery/onfido.jpeg) | Start issuing and accepting verifiable credentials in minutes. With verifiable credentials and Onfido you can verify a personΓÇÖs identity while respecting privacy. Digitally validate information on a personΓÇÖs ID or their biometrics.| * |
| ![Screenshot of a Jumio logo.](media/partner-gallery/jumio.jpeg) | [Jumio](https://www.jumio.com/microsoft-verifiable-credentials/) is helping to support a new form of digital identity by Microsoft based on verifiable credentials and decentralized identifiers standards to let consumers verify once and use everywhere.| * | | ![Screenshot of a Idemia logo.](media/partner-gallery/idemia.png) | [Idemia](https://na.idemia.com/identity/verifiable-credentials/) Integration with Verified ID enables ΓÇ£Verify once, use everywhereΓÇ¥ functionality.| * | | ![Screenshot of a Acuant logo.](media/partner-gallery/acuant.png) | [Acuant](https://www.acuant.com/microsoft-acuant-verifiable-credentials-my-digital-id/) - My Digital ID - Create Your Digital Identity Once, Use It Everywhere.| * |
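Review bot: L536 drops the linked "Onfido" at the start of the description, so the row no longer opens with the partner name the way the Jumio, Idemia and Acuant rows on L537 do; keep "Onfido" as plain text if the link had to go. The alt text "a Onfido logo" should be "an Onfido logo". L534 shows the Vu logo image path cut off as `](medi)`; confirm the full path is intact in the source.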
aks Api Server Authorized Ip Ranges https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/api-server-authorized-ip-ranges.md
Title: API server authorized IP ranges in Azure Kubernetes Service (AKS)
description: Learn how to secure your cluster using an IP address range for access to the API server in Azure Kubernetes Service (AKS) Previously updated : 07/20/2022 Last updated : 11/04/2022 #Customer intent: As a cluster operator, I want to increase the security of my cluster by limiting access to the API server to only the IP addresses that I specify.
Last updated 07/20/2022
# Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)
-In Kubernetes, the API server receives requests to perform actions in the cluster such as to create resources or scale the number of nodes. The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
+The Kubernetes API server is the core of the Kubernetes control plane and is the central way to interact with and manage your clusters. To improve the security of your clusters and minimize the risk of attacks, we recommend limiting the IP address ranges that can access the API server. To do this, you can use the *API server authorized IP ranges* feature.
-This article shows you how to use API server authorized IP address ranges, using the Azure CLI, to limit which IP addresses and CIDRs can access control plane.
+This article shows you how to use *API server authorized IP address ranges* feature to limit which IP addresses and CIDRs can access control plane.
## Before you begin - You need the Azure CLI version 2.0.76 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].- - To learn what IP addresses to include when integrating your AKS cluster with Azure DevOps, see the Azure DevOps [Allowed IP addresses and domain URLs][azure-devops-allowed-network-cfg] article. ### Limitations
-The API server Authorized IP ranges feature has the following limitations:
+The *API server authorized IP ranges* feature has the following limitations:
-- On clusters created after API server authorized IP address ranges moved out of preview in October 2019, API server authorized IP address ranges are only supported on the *Standard* SKU load balancer. Existing clusters with the *Basic* SKU load balancer and API server authorized IP address ranges configured will continue work as is, but they cann't be migrated to a *Standard* SKU load balancer. Existing clusters will also continue to work if their Kubernetes version or control plane are upgraded.-- API server authorized IP address ranges aren't supported with private clusters.-- When using this feature with clusters that use [Public IP per Node](use-multiple-node-pools.md#assign-a-public-ip-per-node-for-your-node-pools), those node pools with public IP per node enabled must use public IP prefixes, and those prefixes must be added as authorized ranges.
+- The *API server authorized IP ranges* feature was moved out of preview in October 2019. For clusters created after the feature was moved out of preview, this feature is only supported on the *Standard* SKU load balancer. Any existing clusters on the *Basic* SKU load balancer with the *API server authorized IP ranges* feature enabled will continue to work as is. However, these clusters cannot be migrated to a *Standard* SKU load balancer. Existing clusters will continue to work if the Kubernetes version and control plane are upgraded.
+- The *API server authorized IP ranges* feature isn't supported on private clusters.
+- When using this feature with clusters that use [Node Public IP](use-multiple-node-pools.md#assign-a-public-ip-per-node-for-your-node-pools), the node pools using Node Public IP must use public IP prefixes. The public IP prefixes must be added as authorized ranges.
## Overview of API server authorized IP ranges
az aks create \
> [!NOTE] > You should add these ranges to an allow list:
+>
> - The firewall public IP address > - Any range that represents networks that you'll administer the cluster from >
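Review bot: the rewritten intro sentence ("This article shows you how to use *API server authorized IP address ranges* feature to limit which IP addresses and CIDRs can access control plane") drops two articles and the CLI mention the removed sentence carried; read "how to use the *API server authorized IP address ranges* feature ... can access the control plane", and since "Before you begin" still requires Azure CLI 2.0.76 or later, keep "using the Azure CLI" in that sentence. The same hunk also names the feature two ways ("authorized IP ranges" in the first added paragraph and the Limitations bullets, "authorized IP address ranges" in the second); pick one spelling and use it throughout.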
aks Api Server Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/api-server-vnet-integration.md
API Server VNet Integration is supported for public or private clusters, and pub
## Region availability
-API Server VNet Integration is available in the following regions at this time:
+API Server VNet Integration is available in all Public Azure regions except the following at this time:
-- eastus2-- northcentralus-- westcentralus-- westus2
+- southcentralus
## Prerequisites
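Review bot: the Region availability change inverts the list from "available in the following regions" to "available in all Public Azure regions except the following", so a reader can no longer confirm the four regions the removed lines listed (eastus2, northcentralus, westcentralus, westus2) and has to trust that southcentralus is the only exclusion; add a date or "at the time of writing" qualifier next to the exclusion, and lowercase "Public" ("all public Azure regions") to match the rest of the AKS docs.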
aks Configure Azure Cni https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-azure-cni.md
The pods per node values when using Azure CNI with dynamic allocation of IPs hav
|Traditional Azure CNI|30|Yes (up to 250)| |Azure CNI with dynamic allocation of IPs|250|Yes (up to 250)|
-All other guidance related to configuring the maximum nodes per pod remains the same.
+All other guidance related to configuring the maximum pods per node remains the same.
### Additional deployment parameters
The following questions and answers apply to the **Azure CNI network configurati
Learn more about networking in AKS in the following articles: * [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md)
-* [Use an internal load balancer with Azure Container Service (AKS)](internal-lb.md)
+* [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md)
* [Create a basic ingress controller with external network connectivity][aks-ingress-basic] * [Enable the HTTP application routing add-on][aks-http-app-routing]
aks Configure Kube Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kube-proxy.md
Configure your cluster using `az aks update` and pass in the configuration file:
az aks update -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json ```
+### Limitations
+
+When using kube-proxy IPVS, the following restrictions apply:
+
+- Azure Network Policy is not supported.
+ ## Next steps Learn more about utilizing the Standard Load Balancer for inbound traffic at the [AKS Standard Load Balancer documentation](load-balancer-standard.md).
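Review bot: the new Limitations bullet ("Azure Network Policy is not supported") does not say what happens when an operator runs `az aks update --kube-proxy-config` against a cluster that already has Azure Network Policy enabled, whether the update is rejected or the cluster ends up with policies that are no longer enforced, and that is exactly what someone deciding to switch to IPVS needs to know; state the behaviour, or at least say to check the cluster's network policy engine before enabling IPVS. The last added line of the hunk also contains a lone space before "## Next steps"; make it an empty line.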
aks Csi Secrets Store Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-troubleshooting.md
- Title: Troubleshoot Azure Key Vault Provider for Secrets Store CSI Driver on Azure Kubernetes Service (AKS)
-description: Learn how to troubleshoot and resolve common problems when you're using the Azure Key Vault Provider for Secrets Store CSI Driver with Azure Kubernetes Service (AKS).
--- Previously updated : 10/18/2021---
-# Troubleshoot Azure Key Vault Provider for Secrets Store CSI Driver
-
-This article lists common issues with using Azure Key Vault Provider for Secrets Store CSI Driver on Azure Kubernetes Service (AKS) and provides troubleshooting tips for resolving them.
-
-## Logging
-
-Azure Key Vault Provider logs are available in the provider pods. To troubleshoot issues with the provider, you can look at logs from the provider pod that's running on the same node as your application pod. Run the following commands:
-
-```bash
-# find the secrets-store-provider-azure pod running on the same node as your application pod
-kubectl get pods -l app=secrets-store-provider-azure -n kube-system -o wide
-kubectl logs -l app=secrets-store-provider-azure -n kube-system --since=1h | grep ^E
-```
-
-You can also access Secrets Store CSI Driver logs by running the following commands:
-
-```bash
-# find the secrets-store-csi-driver pod running on the same node as your application pod
-kubectl get pods -l app=secrets-store-csi-driver -n kube-system -o wide
-kubectl logs -l app=secrets-store-csi-driver -n kube-system --since=1h | grep ^E
-```
-
-## Common issues
-
-### Failed to get key vault token: nmi response failed with status code: 404
-
-Error message in logs/events:
-
-```bash
-Warning FailedMount 74s kubelet MountVolume.SetUp failed for volume "secrets-store-inline" : kubernetes.io/csi: mounter.SetupAt failed: rpc error: code = Unknown desc = failed to mount secrets store objects for pod default/test, err: rpc error: code = Unknown desc = failed to mount objects, error: failed to get keyvault client: failed to get key vault token: nmi response failed with status code: 404, err: <nil>
-```
-
-Description: The Node Managed Identity (NMI) component in *aad-pod-identity* returned an error for a token request. For more information about the error and to resolve it, check the NMI pod logs and refer to the [Azure AD pod-managed identity troubleshooting guide][aad-troubleshooting].
-
-> [!NOTE]
-> Azure Active Directory (Azure AD) is abbreviated as *aad* in the *aad-pod-identity* string.
-
-### keyvault.BaseClient#GetSecret: Failure sending request: StatusCode=0 ΓÇô Original Error: context canceled
-
-Error message in logs/events:
-
-```bash
-E1029 17:37:42.461313 1 server.go:54] failed to process mount request, error: keyvault.BaseClient#GetSecret: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded
-```
-
-Description: The provider pod is unable to access the key vault instance for either of the following reasons:
-- A firewall rule is blocking egress traffic from the provider.-- Network policies that are configured in the AKS cluster are blocking egress traffic.-- The provider pods run on hostNetwork. A failure could occur if a policy is blocking this traffic or there are network jitters on the node. Check for policies that are configured to block traffic, and place the provider pods on the allowlist. Also, ensure that there is connectivity to Azure AD and your key vault from the node.-
-You can test the connectivity to your Azure key vault from the pod that's running on the host network by doing the following:
-
-1. Create the pod:
-
- ```bash
- cat <<EOF | kubectl apply -f -
- apiVersion: v1
- kind: Pod
- metadata:
- name: curl
- spec:
- hostNetwork: true
- containers:
- - args:
- - tail
- - -f
- -
- image: curlimages/curl:7.75.0
- name: curl
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- EOF
- ```
-
-1. *Exec into* the pod you've just created:
-
- ```bash
- kubectl exec -it curl -- sh
- ```
-
-1. Authenticate with your Azure key vault:
-
- ```bash
- curl -X POST 'https://login.microsoftonline.com/<AAD_TENANT_ID>/oauth2/v2.0/token' -d 'grant_type=client_credentials&client_id=<AZURE_CLIENT_ID>&client_secret=<AZURE_CLIENT_SECRET>&scope=https://vault.azure.net/.default'
- ```
-
-1. Try getting a secret that's already created in your Azure key vault:
-
- ```bash
- curl -X GET 'https://<KEY_VAULT_NAME>.vault.azure.net/secrets/<SECRET_NAME>?api-version=7.2' -H "Authorization: Bearer <ACCESS_TOKEN_ACQUIRED_ABOVE>"
- ```
-
-<!-- LINKS EXTERNAL -->
-[aad-troubleshooting]: https://azure.github.io/aad-pod-identity/docs/troubleshooting/
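Review bot: this hunk deletes the entire csi-secrets-store-troubleshooting article with no replacement link or redirect entry in the same change; other AKS pages (the Secrets Store CSI Driver setup and configuration articles in particular) link to a troubleshooting page by this name, so add a redirect to wherever the troubleshooting content now lives and check inbound links before merging, otherwise readers following those links land on a 404.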
aks Dapr Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-troubleshooting.md
- Title: Troubleshoot Dapr extension installation errors
-description: Troubleshoot errors you may encounter while installing the Dapr extension for AKS or Arc for Kubernetes
----- Previously updated : 09/15/2022---
-# Troubleshoot Dapr extension installation errors
-
-This article details some common error messages you may encounter while installing the Dapr extension for Azure Kubernetes Service (AKS) or Arc for Kubernetes.
-
-## Installation failure without an error message
-
-If the extension fails to create or update without an error message, you can inspect where the creation of the extension failed by running the `az k8s-extension list` command. For example, if a wrong key is used in the configuration-settings, such as `global.ha=false` instead of `global.ha.enabled=false`:
-
-```azure-cli-interactive
-az k8s-extension list --cluster-type managedClusters --cluster-name myCluster --resource-group myResourceGroup
-```
-
-The below JSON is returned, and the error message is captured in the `message` property.
-
-```json
-"statuses": [
- {
- "code": "InstallationFailed",
- "displayStatus": null,
- "level": null,
- "message": "Error: {failed to install chart from path [] for release [dapr-1]: err [template: dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml:1:17: executing \"dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_poddisruptionbudget.yaml\" at <.Values.global.ha.enabled>: can't evaluate field enabled in type interface {}]} occurred while doing the operation : {Installing the extension} on the config",
- "time": null
- }
-],
-```
-
-Another example:
-
-```azurecli
-az k8s-extension list --cluster-type managedClusters --cluster-name myCluster --resource-group myResourceGroup
-```
-
-```json
-"statuses": [
- {
- "code": "InstallationFailed",
- "displayStatus": null,
- "level": null,
- "message": "The extension operation failed with the following error: unable to add the configuration with configId {extension:microsoft-dapr} due to error: {error while adding the CRD configuration: error {failed to get the immutable configMap from the elevated namespace with err: configmaps 'extension-immutable-values' not found }}. (Code: ExtensionOperationFailed)",
- "time": null
- }
- ]
-```
-
-For these cases, possible remediation actions are to:
--- [Restart your AKS or Arc for Kubernetes cluster](./start-stop-cluster.md).-- Make sure you've [registered the `KubernetesConfiguration` service provider](./dapr.md#register-the-kubernetesconfiguration-service-provider).-- Force delete and [reinstall the Dapr extension](./dapr.md). -
-See below for examples of error messages you may encounter during Dapr extension install or update.
-
-## Error: Dapr version doesn't exist
-
-You're installing the Dapr extension and [targeting a specific version](./dapr.md#targeting-a-specific-dapr-version), but run into an error message saying the Dapr version doesn't exist.
-
-```
-(ExtensionOperationFailed) The extension operation failed with the following error: Failed to resolve the extension version from the given values.
-Code: ExtensionOperationFailed
-Message: The extension operation failed with the following error: Failed to resolve the extension version from the given values.
-```
-
-Try installing again, making sure to use a [supported version of Dapr](./dapr.md#dapr-versions).
-
-## Error: Dapr version exists, but not in the mentioned region
-
-Some versions of Dapr aren't available in all regions. If you receive an error message like the following, try installing in an [available region](./dapr.md#cloudsregions) where your Dapr version is supported.
-
-```
-(ExtensionTypeRegistrationGetFailed) Extension type microsoft.dapr is not registered in region <regionname>.
-Code: ExtensionTypeRegistrationGetFailed
-Message: Extension type microsoft.dapr is not registered in region <regionname>
-```
-
-## Error: `dapr-system` already exists
-
-You're installing the Dapr extension for AKS or Arc for Kubernetes, but receive an error message indicating that Dapr already exists. This error message may look like:
-
-```
-(ExtensionOperationFailed) The extension operation failed with the following error: Error: {failed to install chart from path [] for release [dapr-ext]: err [rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "dapr-operator" in namespace "dapr-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "dapr-ext": current value is "dapr"]} occurred while doing the operation : {Installing the extension} on the config
-```
-
-You need to uninstall Dapr OSS before installing the Dapr extension. For more information, read [Migrate from Dapr OSS](./dapr-migration.md).
-
-## Next steps
-
-If you're still running into issues, explore the [AKS troubleshooting guide](./troubleshooting.md) and the [Dapr OSS troubleshooting guide](https://docs.dapr.io/operations/troubleshooting/common_issues/).
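Review bot: same concern as for the deleted Secrets Store troubleshooting article: dapr-troubleshooting.md is removed outright while the Dapr extension articles it cross-references (dapr.md, dapr-migration.md, troubleshooting.md) are not updated in this change and very likely link back to it; add a redirect to the new location of this content, or keep the page until those links are updated.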
aks Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/faq.md
AKS doesn't apply Network Security Groups (NSGs) to its subnet and doesn't modif
AKS nodes run the "chrony" service which pulls time from the localhost. Containers running on pods get the time from the AKS nodes. Applications launched inside a container use time from the container of the pod.
+## How are AKS addons updated?
+
+Any patch, including security patches, is automatically applied to the AKS cluster. Anything bigger than a patch, like major or minor version changes (which can have breaking changes to your deployed objects), is updated when you update your cluster if a new release is available. You can find when a new release is available by visiting the [AKS release notes](https://github.com/Azure/AKS/releases).
+ <!-- LINKS - internal --> [aks-upgrade]: ./upgrade-cluster.md
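Review bot: the answer under "How are AKS addons updated?" describes what is applied "to the AKS cluster" while the question asks about add-ons, so it is not clear whether the automatic patching and the upgrade-on-cluster-update rule refer to the add-on versions or to the cluster itself; state it explicitly (patch releases of an add-on are rolled out automatically; major or minor add-on versions change only when the cluster is upgraded), and use the spelling "add-ons" that the rest of the AKS docs use in the heading. The last added line also carries a lone space before the "<!-- LINKS - internal -->" block; make it a blank line.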
aks Node Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/node-access.md
Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you might need to access an AKS node. This access could be for maintenance, log collection, or troubleshooting operations. You can securely authenticate against AKS Linux and Windows nodes using SSH, and you can also [connect to Windows Server nodes using remote desktop protocol (RDP)][aks-windows-rdp]. For security reasons, the AKS nodes aren't exposed to the internet. To connect to the AKS nodes, you use `kubectl debug` or the private IP address.
-This article shows you how to create a connection to an AKS node.
+This article shows you how to create a connection to an AKS node and update the SSH key on an existing AKS cluster.
## Before you begin
When done, `exit` the SSH session, stop any port forwarding, and then `exit` the
kubectl delete pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx ```
+## Update SSH key on an existing AKS cluster (preview)
+
+### Prerequisites
+* Before you start, ensure the Azure CLI is installed and configured. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+* The aks-preview extension version 0.5.111 or later. To learn how to install an Azure extension, see [How to install extensions][how-to-install-azure-extensions].
+
+> [!NOTE]
+> Updating of the SSH key is supported on Azure virtual machine scale sets with AKS clusters.
+
+Use the [az aks update][az-aks-update] command to update the SSH key on the cluster. This operation will update the key on all node pools. You can either specify the key or a key file using the `--ssh-key-value` argument.
+
+```azurecli
+az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value <new SSH key value or SSH key file>
+```
+
+Examples:
+In the following example, you can specify the new SSH key value for the `--ssh-key-value` argument.
+
+```azurecli
+az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value 'ssh-rsa AAAAB3Nza-xxx'
+```
+
+In the following example, you specify a SSH key file.
+
+```azurecli
+az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value .ssh/id_rsa.pub
+```
+
+> [!IMPORTANT]
+> During this operation, all virtual machine scale set instances are upgraded and re-imaged to use the new SSH key.
++ ## Next steps If you need more troubleshooting data, you can [view the kubelet logs][view-kubelet-logs] or [view the Kubernetes master node logs][view-master-logs].
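Review bot: the IMPORTANT callout at the end of the new "Update SSH key" section says every scale set instance is upgraded and re-imaged, which means all node pools are rebuilt during the key rotation, but the procedure paragraph above the examples does not mention it; say up front that the operation disrupts running workloads and suggest a maintenance window, because an operator rotating an SSH key will not expect a full reimage. Smaller points in the same hunk: the NOTE reads better as "Updating the SSH key is supported on AKS clusters backed by virtual machine scale sets"; "Examples:" needs a blank line after it so the next sentence renders as its own paragraph; "a SSH key file" should be "an SSH key file"; and the final added line shows a stray "+" before "## Next steps", so make sure the merged file has only a blank line there.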
aks Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/policy-reference.md
Title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
aks Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
aks Use Azure Dedicated Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-dedicated-hosts.md
In this example, we'll use [az vm host group create][az-vm-host-group-create] to
az vm host group create \ --name myHostGroup \ -g myDHResourceGroup \--z 1\platform-fault-domain-count 1
+-z 1 \
+--platform-fault-domain-count 1 \
--automatic-placement true ```
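Review bot: the two corrected lines restore the trailing line-continuation backslashes that the earlier version lacked, which is what made the `az vm host group create` command fail to parse; for consistency with the other long-form options in the same command (`--name`, `--platform-fault-domain-count`, `--automatic-placement`), consider writing `--zone 1` instead of the short `-z 1`.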
api-management Developer Portal Extend Custom Functionality https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-extend-custom-functionality.md
-
+ Title: Add custom functionality to the Azure API Management developer portal description: How to customize the managed API Management developer portal with custom functionality such as custom widgets. Previously updated : 08/29/2022 Last updated : 11/01/2022
It accepts three arguments by default:
This function returns all data passed to your custom widget from the developer portal. It contains other data that might be useful in debugging or in more advanced scenarios. This API is expected to change with potential breaking changes. It returns a JSON object that contains the following keys: * `values` - All the values you've set in the editor, the same object that is returned by `getEditorData` -
+<!-- TEMPORARILY not present
* `environment` - Current runtime environment for the widget
-* `origin` - Location origin of the developer portal
-
+* `origin` - Location origin of the developer portal
+-->
* `instanceId` - ID of this instance of the widget ### Add or remove custom properties
To add a custom property:
1. In the file `src/values.ts`, add to the `Values` type the name of the property and type of the data it will save. 1. In the same file, add a default value for it. 1. Navigate to the `editor.html` or `editor/index` file (exact location depends on the framework you've chosen) and duplicate an existing input or add one yourself.
-1. Make sure the input field reports the changed value to the `onChange` function, which you can get from `[buildOnChange`](#azureapi-management-custom-widgets-toolsbuildonchange).
+1. Make sure the input field reports the changed value to the `onChange` function, which you can get from [`buildOnChange`](#azureapi-management-custom-widgets-toolsbuildonchange).
### (Optional) Use another framework
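Review bot: the HTML comment wrapped around the `environment` and `origin` bullets sits in the middle of the key list, so confirm the list still renders as one list (an HTML block between `* values` and `* instanceId` can split a Markdown list in two), and replace "TEMPORARILY not present" with a reference to the work item that will restore these keys, otherwise the comment is never revisited. The link fix in the "Add or remove custom properties" step is correct: the backtick belongs inside the square brackets, `[`buildOnChange`](...)`.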
api-management Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-reference.md
Title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
app-service App Service Undelete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/app-service-undelete.md
Title: Restore deleted apps description: Learn how to restore a deleted app in Azure App Service. Avoid the headache of an accidentally deleted app.-- Previously updated : 9/23/2019++ Last updated : 11/4/2022
The detailed information includes:
## Restore deleted app >[!NOTE]
-> `Restore-AzDeletedWebApp` isn't supported for function apps.
+>- `Restore-AzDeletedWebApp` isn't supported for function apps.
+>- The Restore-AzDeletedWebApp cmdlet restores a deleted web app. The web app specified by TargetResourceGroupName, TargetName, and TargetSlot will be overwritten with the contents and settings of the deleted web app. If the target parameters are not specified, they will automatically be filled with the deleted web app's resource group, name, and slot. If the target web app does not exist, it will automatically be created in the app service plan specified by TargetAppServicePlanName.
+>- By default `Restore-AzDeletedWebApp` will restore both your app configuration as well any content. If you want to only restore content, you use the **`-RestoreContentOnly`** flag with this commandlet.
-Once the app you want to restore has been identified, you can restore it using `Restore-AzDeletedWebApp`.
+Once the app you want to restore has been identified, you can restore it using `Restore-AzDeletedWebApp`, please see below examples
+>*You can find the full commandlet reference here: **[Restore-AzDeletedWebApp](/powershell/module/az.websites/restore-azdeletedwebapp)*** .
+
+>Restore to the original app name:
```powershell Restore-AzDeletedWebApp -TargetResourceGroupName <my_rg> -Name <my_app> -TargetAppServicePlanName <my_asp> ```+
+>Restore to a different app name:
+```powershell
+Restore-AzDeletedWebApp -ResourceGroupName <original_rg> -Name <original_app> -TargetResourceGroupName <target_rg> -TargetName <target_app> -TargetAppServicePlanName <target_asp>
+```
+
+>Restore a slot to target app:
+```powershell
+Restore-AzDeletedWebApp -TargetResourceGroupName <my_rg> -Name <my_app> -TargetAppServicePlanName <my_asp> -Slot <original_slot>
+```
+ > [!NOTE] > Deployment slots are not restored as part of your app. If you need to restore a staging slot, use the `-Slot <slot-name>` flag.
->
+> By default `Restore-AzDeletedWebApp` will restore both your app configuration as well any content to target app. If you want to only restore content, you use the `-RestoreContentOnly` flag with this commandlet.
+
+>Restore only site content to the target app
+```powershell
+Restore-AzDeletedWebApp -TargetResourceGroupName <my_rg> -Name <my_app> -TargetAppServicePlanName <my_asp> -RestoreContentOnly
+```
+
+>Restore used for scenarios where multiple apps with the same name have been deleted with `-DeletedSiteId`
+```powershell
+Restore-AzDeletedWebApp -ResourceGroupName <original_rg> -Name <original_app> -DeletedId /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Web/locations/location/deletedSites/1234 -TargetAppServicePlanName <my_asp>
+
+```
The inputs for command are: - **Target Resource Group**: Target resource group where the app will be restored-- **Name**: Name for the app, should be globally unique.
+- **TargetName**: Target app for the deleted app to be restored to
- **TargetAppServicePlanName**: App Service plan linked to the app-
-By default `Restore-AzDeletedWebApp` will restore both your app configuration as well any content. If you want to only restore content, you use the `-RestoreContentOnly` flag with this commandlet.
+- **Name**: Name for the app, should be globally unique.
+- **ResourceGroupName**: Original resource group for the deleted app
+- **Slot**: Slot for the deleted app
+- **RestoreContentOnly**: y default `Restore-AzDeletedWebApp` will restore both your app configuration as well any content. If you want to only restore content, you use the `-RestoreContentOnly` flag with this commandlet.
> [!NOTE] > If the app was hosted on and then deleted from an App Service Environment, it can be restored only if the corresponding App Service Environment still exists.
->
-You can find the full commandlet reference here: [Restore-AzDeletedWebApp](/powershell/module/az.websites/restore-azdeletedwebapp).
++
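Review bot: the caption "Restore used for scenarios where multiple apps with the same name have been deleted with `-DeletedSiteId`" names a parameter that neither the example beneath it (which uses `-DeletedId`) nor the "inputs for command" list uses; use `-DeletedId` in the caption and add it to the inputs list, since that is the parameter the example actually passes. Further fixes in the same hunk: the second NOTE bullet should format `Restore-AzDeletedWebApp` and the parameter names in backticks like the surrounding text; "as well any content" should be "as well as any content" and "commandlet" should be "cmdlet" in the NOTE bullet, the repeated note after the slot example, and the `RestoreContentOnly` list item, which also starts with "y default" instead of "By default"; the note after the slot example duplicates the NOTE bullet above (and the removed paragraph it replaced), so keep one; "please see below examples" is a run-on, use "as shown in the following examples."; the example captions and the reference line ("You can find the full commandlet reference here") are written as `>` block quotes, which render as quotes rather than captions, so make them plain paragraphs; and the `-DeletedId` code fence contains an empty line before its closing fence.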
app-service Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/networking.md
In addition to setting up DNS, you also need to enable it in the [App Service En
The apps in your App Service Environment will use the DNS that your virtual network is configured with. If you want some apps to use a different DNS server, you can manually set it on a per app basis, with the app settings `WEBSITE_DNS_SERVER` and `WEBSITE_DNS_ALT_SERVER`. `WEBSITE_DNS_ALT_SERVER` configures the secondary DNS server. The secondary DNS server is only used when there is no response from the primary DNS server.
-## Limitations
-
-While App Service Environment does deploy into your virtual network, you currently cannot use Azure Network Watcher or NSG flow to monitor outbound traffic.
- ## More resources - [Environment variables and app settings reference](../reference-app-settings.md)
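Review bot: deleting the Limitations section ("you currently cannot use Azure Network Watcher or NSG flow to monitor outbound traffic") implies that those tools now show App Service Environment outbound traffic; if that capability has shipped, a sentence saying so is more useful than silent removal, and if it has not, the limitation should stay, because readers come to this page to learn why their flow logs show no ASE traffic.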
app-service Overview Vnet Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-vnet-integration.md
When all traffic routing is enabled, all outbound traffic is sent into your virt
The feature supports two virtual interface per worker. Two virtual interfaces per worker means two regional virtual network integrations per App Service plan. The apps in the same App Service plan can only use one of the virtual network integrations to a specific subnet. If you need an app to connect to additional virtual networks or additional subnets in the same virtual network, you need to create another App Service plan. The virtual interfaces used isn't a resource that customers have direct access to.
-Because of the nature of how this technology operates, the traffic that's used with virtual network integration doesn't show up in Azure Network Watcher or NSG flow logs.
- ### Subnet requirements Virtual network integration depends on a dedicated subnet. When you create a subnet, the Azure subnet loses five IPs from the start. One address is used from the integration subnet for each plan instance. If you scale your app to four instances, then four addresses are used.
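Review bot: same question as for the App Service Environment networking page: the removed sentence stated that virtual network integration traffic does not appear in Azure Network Watcher or NSG flow logs, so either add a positive statement that these logs now capture integration traffic or keep the sentence; a bare removal leaves readers unable to tell which behaviour to expect when they look for this traffic in flow logs.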
app-service Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/policy-reference.md
Title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
compliant with the specific standard.
## Release notes
+### November 2022
+
+- Deprecation of policy **App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
+ - Replaced by a policy with the same display name based on the site property to support *Deny* effect
+- Deprecation of policy **App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
+ - Replaced by a policy with the same display name based on the site property to support *Deny* effect
+- **App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
+ - New policy created
+- **App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
+ - New policy created
+- **App Service apps should enable configuration routing to Azure Virtual Network**
+ - New policy created
+- **App Service app slots should enable configuration routing to Azure Virtual Network**
+ - New policy created
+ ### October 2022 - **Function app slots should have remote debugging turned off**
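Review bot: the November entries deprecate two policies and create two new ones with exactly the same display names ("App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network" and its slots counterpart), so a reader of the release notes cannot tell which definition is which or which one to assign; add the policy definition IDs, or at least the site property the new definitions evaluate, to each entry so existing assignments can be migrated to the new definitions and the deprecated ones removed.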
attestation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/policy-reference.md
Title: Built-in policy definitions for Azure Attestation description: Lists Azure Policy built-in policy definitions for Azure Attestation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
automation Automation Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-disaster-recovery.md
description: This article details on disaster recovery strategy to handle servic
keywords: automation disaster recovery ++ Last updated 10/17/2022
You can use these scripts for migration of Automation account assets from the ac
### Prerequisites
- 1. Ensure that the Automation account in the secondary region is created and available so that assets from primary region can be migrated to it. It is preferred if the destination automation account is one without any custom resources as it prevents potential resource class due to same name and loss of data.
- 1. Ensure that the system assigned identities are enabled in the Automation account in the primary region.
- 1. Ensure that the primary Automation account's Managed Identity has Contributor access with read and write permissions to the Automation account in secondary region. To enable, provide the necessary permissions in secondary Automation account's managed identities. [Learn more](../role-based-access-control/quickstart-assign-role-user-portal.md).
+ 1. Ensure that the Automation account in the secondary region is created and available so that assets from primary region can be migrated to it. It is preferred if the destination automation account is one without any custom resources as it prevents potential resource clash due to same name and loss of data.
+ 1. Ensure that the system assigned managed identities are enabled in the Automation account in the primary region.
+ 1. Ensure that the system assigned managed identities of the primary Automation account has contributor access to the subscription it belongs to.
+ 1. Ensure that the primary Automation account's managed identity has Contributor access with read and write permissions to the Automation account in secondary region. To enable, provide the necessary permissions in secondary Automation account's managed identities. [Learn more](../role-based-access-control/quickstart-assign-role-user-portal.md).
1. Ensure that the script has access to the Automation account assets in primary region. Hence, it should be executed as a runbook in that Automation account for successful migration. 1. If the primary Automation account is deployed using a Run as account, then it must be switched to Managed Identity before migration. [Learn more](migrate-run-as-accounts-managed-identity.md). 1. Modules required are:
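Review bot: The new step 3 grants the primary account's system-assigned managed identity Contributor on its entire subscription, which is far broader than step 4's Contributor on the secondary Automation account alone; either state what in the migration runbook needs subscription-wide rights or scope the assignment down, and fix the number agreement ("identities ... has" should be "identity has" or "identities have"). In step 1, "potential resource clash due to same name and loss of data" is still awkward; "a potential resource clash and data loss caused by identical names" reads more clearly.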
automation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/policy-reference.md
Title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
automation Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-app-configuration Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/policy-reference.md
Title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-app-configuration Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022

azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-arc Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-cache-for-redis Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/policy-reference.md
Title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-cache-for-redis Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-functions Functions Develop Local https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-develop-local.md
When you develop your functions locally, you need to take trigger and binding be
## Local storage emulator
-During local development, you can use the local [Azurite emulator](/storage/common/storage-use-azurite.md) when testing functions with Azure Storage bindings (Queue Storage, Blob Storage, and Table Storage), without having to connect to remote storage services. Azurite integrates with Visual Studio Code and Visual Studio, and you can also run it from the command prompt using npm. For more information, see [Use the Azurite emulator for local Azure Storage development](/storage/common/storage-use-azurite.md).
+During local development, you can use the local [Azurite emulator](/azure/storage/common/storage-use-azurite.md) when testing functions with Azure Storage bindings (Queue Storage, Blob Storage, and Table Storage), without having to connect to remote storage services. Azurite integrates with Visual Studio Code and Visual Studio, and you can also run it from the command prompt using npm. For more information, see [Use the Azurite emulator for local Azure Storage development](/storage/common/storage-use-azurite.md).
The following setting in the `Values` collection of the local.settings.json file tells the local Functions host to use Azurite for the default `AzureWebJobsStorage` connection:
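Review bot: The first Azurite link was corrected to /azure/storage/common/storage-use-azurite.md, but the second link in the same paragraph ("Use the Azurite emulator for local Azure Storage development") still points at /storage/common/storage-use-azurite.md; update both so they resolve to the same page.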
azure-government Azure Services In Fedramp Auditscope https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
Title: Azure and other Microsoft cloud services compliance scope description: This article tracks FedRAMP and DoD compliance scope for Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services across Azure, Azure Government, and Azure Government Secret cloud environments. Previously updated : 11/03/2022 Last updated : 09/29/2022 # Azure, Dynamics 365, Microsoft 365, and Power Platform services compliance scope
For current Azure Government regions and available services, see [Products avail
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services in scope for FedRAMP High, DoD IL2, DoD IL4, DoD IL5, and DoD IL6 authorizations across Azure, Azure Government, and Azure Government Secret cloud environments. For other authorization details in Azure Government Secret and Azure Government Top Secret, contact your Microsoft account representative. ## Azure public services by audit scope
-*Last updated: November 2022*
+*Last updated: September 2022*
### Terminology used
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
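Review bot: The "Last updated" stamp moves backwards from "November 2022" to "September 2022", and the article metadata likewise shows a "Last updated" (09/29/2022) earlier than its "Previously updated" (11/03/2022); confirm this is an intentional rollback of the November scope changes rather than a stale branch being merged, since the same reversal appears again in the "Azure Government services by audit scope" section below.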
| [Azure Monitor](../../azure-monitor/index.yml) (incl. [Application Insights](../../azure-monitor/app/app-insights-overview.md), [Log Analytics](../../azure-monitor/logs/data-platform-logs.md), and [Application Change Analysis](../../azure-monitor/app/change-analysis.md)) | &#x2705; | &#x2705; | | [Azure NetApp Files](../../azure-netapp-files/index.yml) | &#x2705; | &#x2705; | | [Azure Policy](../../governance/policy/index.yml) | &#x2705; | &#x2705; |
-| [Azure Automanage Guest Configuration](../../governance/machine-configuration/overview.md) | &#x2705; | &#x2705; |
+| [Azure Policy's guest configuration](../../governance/machine-configuration/overview.md) | &#x2705; | &#x2705; |
| **Service** | **FedRAMP High** | **DoD IL2** | | [Azure Red Hat OpenShift](../../openshift/index.yml) | &#x2705; | &#x2705; | | [Azure Resource Manager](../../azure-resource-manager/management/index.yml) | &#x2705; | &#x2705; |
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
**&ast;&ast;** FedRAMP High authorization for Azure Databricks is applicable to limited regions in Azure. To configure Azure Databricks for FedRAMP High use, contact your Microsoft or Databricks representative. ## Azure Government services by audit scope
-*Last updated: November 2022*
+*Last updated: September 2022*
### Terminology used
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Application Gateway](../../application-gateway/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | [Automation](../../automation/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | [Azure Active Directory (Free and Basic)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
-| [Azure Active Directory (Premium P1 + P2, specifically Privileged Identity Management and Access Reviews)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| [Azure Active Directory (Premium P1 + P2)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
| [Azure Active Directory Domain Services](../../active-directory-domain-services/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | | [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | [Azure API for FHIR](../../healthcare-apis/azure-api-for-fhir/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
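Review bot: This row drops the DoD IL6 check mark and the qualifier "specifically Privileged Identity Management and Access Reviews" in a single edit; if only the IL6 authorization status changed, keep the qualifier so readers still know which Premium P1 + P2 features the FedRAMP High and IL2 to IL5 entries cover. Note that the adjacent "Azure AD Multi-Factor Authentication" row still lists IL6, so the scope difference should be deliberate.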
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Azure Monitor](../../azure-monitor/index.yml) (incl. [Application Insights](../../azure-monitor/app/app-insights-overview.md) and [Log Analytics](../../azure-monitor/logs/data-platform-logs.md)) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | [Azure NetApp Files](../../azure-netapp-files/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | | [Azure Policy](../../governance/policy/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
-| [Azure Automanage Machine Configuration](../../governance/machine-configuration/overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
+| [Azure Policy's guest configuration](../../governance/machine-configuration/overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
| **Service** | **FedRAMP High** | **DoD IL2** | **DoD IL4** | **DoD IL5** | **DoD IL6** | | [Azure Resource Manager](../../azure-resource-manager/management/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | [Azure Service Manager (RDFE)](/previous-versions/azure/ee460799(v=azure.100)) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
| [Microsoft Stream](/stream/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | | [Migrate](../../migrate/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | | [Network Watcher](../../network-watcher/index.yml) (incl. [Traffic Analytics](../../network-watcher/traffic-analytics.md)) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
-| [Notification Hubs](../../notification-hubs/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| [Notification Hubs](../../notification-hubs/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
| [Peering Service](../../peering-service/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | | [Planned Maintenance for VMs](../../virtual-machines/maintenance-and-updates.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
-| [Power Apps](/powerapps/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| [Power Apps](/powerapps/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
| **Service** | **FedRAMP High** | **DoD IL2** | **DoD IL4** | **DoD IL5** | **DoD IL6** |
-| [Power Automate](/power-automate/) (formerly Microsoft Flow) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| [Power Automate](/power-automate/) (formerly Microsoft Flow) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
| [Power BI](/power-bi/fundamentals/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | [Power BI Embedded](/power-bi/developer/embedded/) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | | | [Power Data Integrator for Dataverse](/power-platform/admin/data-integrator) (formerly Dynamics 365 Integrator App) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
azure-monitor Action Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/action-groups.md
When you use a secure webhook action, you must use Azure AD to secure the connec
> [!NOTE] >
-> Basic authentication is not supported for SecureWebhok. To use basic authentication you must use Webhook.
+> Basic authentication is not supported for SecureWebhook. To use basic authentication you must use Webhook.
> [!NOTE] >
azure-monitor Itsmc Connector Deletion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-connector-deletion.md
The process of deleting unused IT service management (ITSM) connectors has two p
## Delete associated actions
-1. In the Azure portal, select **Monitor**.
-
- ![Screenshot of the Monitor selection.](media/itsmc-connector-deletion/itsmc-monitor-selection.png)
+1. In the Azure portal, select Monitor, then **Alerts** and **Action groups**.
-2. Select **Alerts**.
-
- ![Screenshot of the Alerts selection.](media/itsmc-connector-deletion/itsmc-alert-selection.png)
+ :::image type="content" source="media/itsmc-connector-deletion/monitor-alerts-page.png" lightbox="media/itsmc-connector-deletion/monitor-alerts-page.png" alt-text="Screenshot of the Alerts page in the Azure portal. Monitor in the portal menu, Alerts on the left pane, and Action groups button are highlighted.":::
-3. Select **Manage Actions**.
-
- ![Screenshot of the Manage Actions selection.](media/itsmc-connector-deletion/itsmc-actions-selection.png)
+1. Select the action group associated with the ITSM Connector you want to delete.
-4. Select an action group that's associated with the ITSM connector that you want to delete. This article uses the example of a Cherwell connector.
-
- ![Screenshot of actions that are associated with the Cherwell connector.](media/itsmc-connector-deletion/itsmc-actions-screen.png)
+ :::image type="content" source="media/itsmc-connector-deletion/select-action-group.png" lightbox="media/itsmc-connector-deletion/select-action-group.png" alt-text="Screenshot of the Action groups page in the Azure portal.":::
-5. Review the information, and then select **Delete action group**.
+1. In the action group window, review the information and make sure this is the action group you want to delete. Then, select **Delete**.
- ![Screenshot of action group information and the button for deleting the group.](media/itsmc-connector-deletion/itsmc-action-deletion.png)
+ :::image type="content" source="media/itsmc-connector-deletion/delete-action-group.png" lightbox="media/itsmc-connector-deletion/delete-action-group.png" alt-text="Screenshot of the Action groups page in the Azure portal with an action group selected. The Delete button for deleting an action group is highlighted.":::
## Delete the connector
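Review bot: In the rewritten step 1, "Monitor" is plain text while **Alerts** and **Action groups** are bold; bold all three UI labels consistently. The new final step says "select **Delete**" and its alt-text describes "The Delete button for deleting an action group", so the label matches; dropping the Cherwell-specific example from the old step 4 makes the procedure generic, which is fine.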
-1. On the search bar, search for **servicedesk**. Then select **ServiceDesk** in the list of resources.
+1. In the Azure portal, select **All resources**, then find and select your Service Desk.
- ![Screenshot of search for and selecting ServiceDesk.](media/itsmc-connector-deletion/itsmc-connector-selection.png)
+ :::image type="content" source="media/itsmc-dashboard/select-service-desk.png" lightbox="media/itsmc-dashboard/select-service-desk.png" alt-text="Screenshot of the All resources page in the Azure portal. Only resources whose name includes the ServiceDes filter criteria are listed.":::
-2. Select **ITSM Connections**, and then select the Cherwell connector.
+1. In the Service Desk window, select **ITSM Connections** from the **Workspace Data Sources** section on the left pane.
- ![Screenshot of the Cherwell I T S M connector.](media/itsmc-connector-deletion/itsmc-cherwell-connector.png)
+ :::image type="content" source="media/itsmc-resync-servicenow/select-itsm-connections.png" lightbox="media/itsmc-resync-servicenow/select-itsm-connections.png" alt-text="Screenshot of a Solution resource in the Azure portal. ITSM Connections on the left pane is highlighted.":::
-3. Select **Delete**.
+1. Select the connector you want to delete.
- ![Screenshot of the delete button for the I T S M connector.](media/itsmc-connector-deletion/itsmc-connector-deletion.png)
+1. In the **Edit ITSM** window, select **Delete**.
+
+ :::image type="content" source="media/itsmc-connector-deletion/delete-itsm-connector.png" lightbox="media/itsmc-connector-deletion/delete-itsm-connector.png" alt-text="Screenshot of the Edit ITSM window in the Azure portal with the Delete button highlighted.":::
## Next steps
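Review bot: The alt-text on the All resources screenshot says "Only resources whose name includes the ServiceDes filter criteria are listed"; "ServiceDes" looks like a truncated "ServiceDesk", and the identical alt-text is reused in the itsmc-dashboard and itsmc-resync-servicenow changes below, so fix it in all three. The image path also points into media/itsmc-dashboard/ rather than this article's own media folder; confirm the shared image is intended.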
azure-monitor Itsmc Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-dashboard.md
This article contains information about the IT Service Management Connector (ITS
To view errors in the dashboard:
-1. Select **All resources**, and then find **ServiceDesk(*your workspace name*)**.
+1. In the Azure portal, select **All resources**, then find and select your Service Desk.
- ![Screenshot that shows the resources in Azure services.](media/itsmc-definition/create-new-connection-from-resource.png)
+ :::image type="content" source="media/itsmc-dashboard/select-service-desk.png" lightbox="media/itsmc-dashboard/select-service-desk.png" alt-text="Screenshot of the All resources page in the Azure portal. Only resources whose name includes the ServiceDes filter criteria are listed.":::
-2. Under **Workspace Data Sources** on the left pane, select **ITSM Connections**:
+1. In the Service Desk window, select **View Summary**.
- ![Screenshot that shows selecting ITSM Connections under Workplace Data Sources.](media/itsmc-overview/add-new-itsm-connection.png)
+ :::image type="content" source="media/itsmc-dashboard/view-summary.png" lightbox="media/itsmc-dashboard/view-summary.png" alt-text="Screenshot of a Solution resource in the Azure portal. The View Summary button is highlighted.":::
-3. Under **Summary**, in the **IT Service Management Connector** area, select **View Summary**:
+1. Select the graph that appears in the **IT Service Management Connector** section.
- ![Screenshot that shows the View Summary button.](media/itsmc-resync-servicenow/dashboard-view-summary.png)
+1. The IT Service Management Connector Dashboard opens with information about status and errors.
-4. When a graph appears in the **IT Service Management Connector** area, select it:
-
- ![Screenshot that shows selection of a graph.](media/itsmc-resync-servicenow/dashboard-graph-click.png)
-
-5. The dashboard appears. Use it to review the status and the errors in your connector.
-
- ![Screenshot that shows connector status on the dashboard.](media/itsmc-resync-servicenow/connector-dashboard.png)
+ :::image type="content" source="media/itsmc-resync-servicenow/connector-dashboard.png" lightbox="media/itsmc-resync-servicenow/connector-dashboard.png" alt-text="Screenshot that shows connector status on the dashboard.":::
## Understand dashboard elements
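Review bot: Step 4, "The IT Service Management Connector Dashboard opens with information about status and errors", describes a result rather than an action yet is numbered as a step; fold it into step 3 ("Select the graph ... The dashboard opens ...") so the numbered list stays a list of actions. The removed step that selected **ITSM Connections** under **Workspace Data Sources** has no replacement, so confirm that **View Summary** is reachable directly from the Service Desk window.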
azure-monitor Itsmc Definition https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-definition.md
After you've installed ITSMC, and prepped your ITSM tool, create an ITSM connect
1. Select **Add Connection**.
-1. Specify the connection settings for the ITSM product that you're using:
+1. Specify the ServiceNow connection settings.
- [ServiceNow](./itsmc-connections-servicenow.md)
- - [System Center Service Manager](./itsmc-connections.md)
- > [!NOTE]
- > By default, ITSMC refreshes the connection's configuration data once every 24 hours. To refresh your connection's data instantly to reflect any edits or template updates that you make, select the **Sync** button on your connection's pane.
- >
- > ![Screenshot that shows the Sync button on the connection's pane.](media/itsmc-overview/itsmc-connections-refresh.png)
+1. By default, ITSMC refreshes the connection's configuration data once every 24 hours. To refresh your connection's data instantly to reflect any edits or template updates that you make, select the **Sync** button on your connection's pane.
+
+ ![Screenshot that shows the Sync button on the connection's pane.](media/itsmc-overview/itsmc-connections-refresh.png)
## Create ITSM work items from Azure alerts
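Review bot: Moving the 24-hour refresh text out of the [!NOTE] into a numbered step produces a step whose first sentence contains no action; either keep it as a note under the ServiceNow step or lead with the action ("To refresh the connection's data instantly ... select **Sync**"). Step 2 now reads "Specify the ServiceNow connection settings" but still carries a one-item bullet list holding the ServiceNow link; fold that link into the sentence.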
azure-monitor Itsmc Resync Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-resync-servicenow.md
Azure Monitor can connect to third-party IT Service Management (ITSM) providers.
For security reasons, you may need to refresh the authentication token used for your connection with ServiceNow. Use the following synchronization process to reactivate the connection and refresh the token:
-1. Search for the solution in the top search banner, then select the relevant solutions
+1. In the Azure portal, select **All resources**, then find and select your Service Desk.
- ![Screenshot that shows the top search banner and where to select the relevant solutions.](media/itsmc-resync-servicenow/solution-search-8-bit.png)
+ :::image type="content" source="media/itsmc-dashboard/select-service-desk.png" lightbox="media/itsmc-dashboard/select-service-desk.png" alt-text="Screenshot of the All resources page in the Azure portal. Only resources whose name includes the ServiceDes filter criteria are listed.":::
-1. In solution screen, choose "Select All" in the subscription filter and then filter by "ServiceDesk"
+1. In the Service Desk window, select **ITSM Connections** from the **Workspace Data Sources** section on the left pane.
- ![Screenshot that shows where to choose Select All and where to filter by ServiceDesk.](media/itsmc-resync-servicenow/solutions-list-8-bit.png)
+ :::image type="content" source="media/itsmc-resync-servicenow/select-itsm-connections.png" lightbox="media/itsmc-resync-servicenow/select-itsm-connections.png" alt-text="Screenshot of a Solution resource in the Azure portal. ITSM Connections on the left pane is highlighted.":::
-1. Select the solution of your ITSM connection.
-1. Select ITSM connection in the left banner.
+1. Select each connector in the list to edit the connector as necessary.
- ![Screenshot that shows where to select ITSM Connections.](media/itsmc-resync-servicenow/itsm-connector-8-bit.png)
+1. In the **Edit ITSM** window,
-1. Select each connector from the list.
- 1. Click the Connector name in order to configure it
- 1. Delete any connectors no longer in use
+ 1. If this ITSM connector isnΓÇÖt being used, delete the connector.
+ 1. Make sure that all of the fields are configured correctly. See the instructions [here](./itsmc-overview.md) for the correct settings.
+ 1. Select **Sync**.
+ 1. Select **Save**.
- 1. Update the fields according to [these definitions](./itsmc-connections.md) based on your partner type
-
- 1. Click on sync
-
- ![Screenshot that highlights the Sync button.](media/itsmc-resync-servicenow/resync-8-bit-2.png)
-
- 1. Click on save
-
- ![New connection](media/itsmc-resync-servicenow/save-8-bit.png)
-
-f. Review the notifications to see if the process started.
+ :::image type="content" source="media/itsmc-resync-servicenow/edit-itsm-connector.png" lightbox="media/itsmc-resync-servicenow/edit-itsm-connector.png" alt-text="Screenshot of the Edit ITSM window in the Azure portal.":::
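Review bot: "isnΓÇÖt" in the first sub-step is a mis-encoded apostrophe (UTF-8 bytes displayed as code page 437); replace it with a plain "isn't". "In the **Edit ITSM** window," ends with a comma and then leads into sub-steps, which renders as a dangling fragment; end it with a colon. The removed closing step "Review the notifications to see if the process started" has no replacement, so the reader no longer learns how to confirm the resync ran; consider restoring it after "Select **Save**".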
azure-monitor Container Insights Prometheus https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-prometheus.md
Container insights can also scrape Prometheus metrics from your cluster and send
## Send data to Azure Monitor managed service for Prometheus [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) is a fully managed Prometheus-compatible service that supports industry standard features such as PromQL, Grafana dashboards, and Prometheus alerts. This requires configuring the *metrics addon* for the Azure Monitor agent, which sends data to Prometheus.
+> [!NOTE]
+> The metrics addon used to collect Prometheus metrics for Managed Prometheus currently only supports AKS clusters and cannot be used as an Arc enabled Kubernetes extension. To collect Prometheus metrics from Kubernetes clusters that are running self-managed Prometheus we recommend looking at the [remote write capabilities of Managed Prometheus](../essentials/prometheus-remote-write.md).
+ > [!TIP] > You don't need to enable Container insights to configure your AKS cluster to send data to managed Prometheus. See [Collect Prometheus metrics from AKS cluster (preview)](../essentials/prometheus-metrics-enable.md) for details on how to configure your cluster without enabling Container insights.
Container insights supports viewing metrics stored in your Log Analytics workspa
## Next steps - [See the default configuration for Prometheus metrics](../essentials/prometheus-metrics-scrape-default.md).-- [Customize Prometheus metric scraping for the cluster](../essentials/prometheus-metrics-scrape-configuration.md).
+- [Customize Prometheus metric scraping for the cluster](../essentials/prometheus-metrics-scrape-configuration.md).
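Review bot: In the added note, "Arc enabled Kubernetes" should be "Arc-enabled Kubernetes" to match the product name used elsewhere on this page (see the azure-arc policy entries above), and "we recommend looking at the remote write capabilities" reads better as "use the remote write capabilities". The note and the TIP that follows both say that only AKS clusters are covered, so the two callouts could be merged to avoid restating it.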
azure-monitor Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/policy-reference.md
Title: Built-in policy definitions for Azure Monitor description: Lists Azure Policy built-in policy definitions for Azure Monitor. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-monitor Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-netapp-files Azure Netapp Files Delegate Subnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-delegate-subnet.md
na Previously updated : 10/25/2022 Last updated : 11/03/2022 # Delegate a subnet to Azure NetApp Files
-You must delegate a subnet to Azure NetApp Files. When you create a volume, you need to specify the delegated subnet.
+You must delegate a subnet to Azure NetApp Files. When you create a volume, you need to specify the delegated subnet.
## Considerations
You must delegate a subnet to Azure NetApp Files. When you create a volume, yo
Azure enables you to create multiple delegated subnets in a VNet. However, any attempts to create a new volume will fail if you use more than one delegated subnet. You can have only a single delegated subnet in a VNet. A NetApp account can deploy volumes into multiple VNets, each having its own delegated subnet. * You cannot designate a network security group or service endpoint in the delegated subnet. Doing so causes the subnet delegation to fail.
-* Access to a volume from a globally peered virtual network is not currently supported.
+* Access to a volume from a globally peered virtual network is not currently supported using Basic networks features. Global VNet peering is supported with Standard network features. See [Supported network topologies](azure-netapp-files-network-topologies.md#supported-network-topologies) for more information.
* For Azure NetApp Files support of [User-defined routes](../virtual-network/virtual-networks-udr-overview.md#custom-routes) (UDRs) and Network security groups (NSGs), see [Constraints in Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md#constraints). To establish routing or access control ***to*** the Azure NetApp Files delegated subnet, you can apply UDRs and NSGs to other subnets, even within the same VNet as the subnet delegated to Azure NetApp Files.
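Review bot: "Basic networks features" in the rewritten bullet should be "Basic network features" (singular, matching "Standard network features" in the next sentence). The first changed line in this file ("You must delegate a subnet to Azure NetApp Files...") differs from its predecessor only in trailing whitespace; drop that pair from the commit to keep the history readable.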
azure-portal Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/policy-reference.md
Title: Built-in policy definitions for Azure portal description: Lists Azure Policy built-in policy definitions for Azure portal. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-resource-manager Modules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/modules.md
Title: Bicep modules description: Describes how to define a module in a Bicep file, and how to use module scopes. Previously updated : 07/08/2022 Last updated : 11/04/2022 # Bicep modules
For example, to deploy a file that is up one level in the directory from your ma
The public module registry is hosted in a Microsoft container registry (MCR). The source code and the modules are stored in [GitHub](https://github.com/azure/bicep-registry-modules). The [README file](https://github.com/azure/bicep-registry-modules#readme) in the GitHub repo lists the available modules and their latest versions:
-![Bicep public module registry modules](./media/modules/bicep-public-module-registry-modules.png)
Select the versions to see the available versions. You can also select **Code** to see the module source code, and open the Readme files.
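Review bot: With the screenshot removed, the sentence "Select the versions to see the available versions" no longer has a picture to anchor it and reads as circular; reword it to say where to click (for example, the version link in the README's module list) or restore an image.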
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/custom-providers/policy-reference.md
Title: Built-in policy definitions for Azure Custom Resource Providers description: Lists Azure Policy built-in policy definitions for Azure Custom Resource Providers. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/policy-reference.md
Title: Built-in policy definitions for Azure Managed Applications description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-resource-manager Azure Subscription Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/azure-subscription-service-limits.md
The following limits apply when you use Azure Resource Manager and Azure resourc
[!INCLUDE [azure-resource-groups-limits](../../../includes/azure-resource-groups-limits.md)]
-## Active Directory limits
+## Azure Active Directory limits
[!INCLUDE [AAD-service-limits](../../../includes/active-directory-service-limits-include.md)]
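Review bot: Renaming `## Active Directory limits` to `## Azure Active Directory limits` changes the generated fragment from `#active-directory-limits` to `#azure-active-directory-limits`, and any existing deep link to the old fragment will silently land at the top of the page instead of failing loudly. Grep the repo (and any external references you control) for `#active-directory-limits` and update them in the same change, or keep the old anchor reachable.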
azure-resource-manager Move Resource Group And Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/move-resource-group-and-subscription.md
Title: Move resources to a new subscription or resource group description: Use Azure Resource Manager to move resources to a new resource group or subscription. Previously updated : 08/15/2022 Last updated : 11/04/2022
If validation fails, you see an error message describing why the resources can't
### Move
-To move existing resources to another resource group or subscription, use the [az resource move](/cli/azure/resource#az-resource-move) command. Provide the resource IDs of the resources to move. The following example shows how to move several resources to a new resource group. In the `--ids` parameter, provide a space-separated list of the resource IDs to move.
+To move existing resources to another resource group or subscription, use the [az resource move](/cli/azure/resource#az-resource-move) command. In the `--ids` parameter, provide a space-separated list of the resource IDs to move.
+
+The following example shows how to move several resources to a new resource group. It works when using Azure CLI in a **Bash** terminal.
```azurecli webapp=$(az resource show -g OldRG -n ExampleSite --resource-type "Microsoft.Web/sites" --query id --output tsv)
plan=$(az resource show -g OldRG -n ExamplePlan --resource-type "Microsoft.Web/s
az resource move --destination-group newgroup --ids $webapp $plan ```
+The next example shows how to run the same commands in a **PowerShell** console.
+
+```azurecli
+$webapp=$(az resource show -g OldRG -n ExampleSite --resource-type "Microsoft.Web/sites" --query id --output tsv)
+$plan=$(az resource show -g OldRG -n ExamplePlan --resource-type "Microsoft.Web/serverfarms" --query id --output tsv)
+az resource move --destination-group newgroup --ids $webapp $plan
+```
+ To move to a new subscription, provide the `--destination-subscription-id` parameter. ## Use REST API
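Review bot: Both the Bash block and the new PowerShell block carry on when one of the `az resource show` lookups fails: the variable is left empty, `--ids $webapp $plan` expands to a single ID, and the move request silently drops the other resource, which for a site and its plan is exactly the MissingMoveDependentResources failure this article explains further down. Add an exit-status check after each lookup, for example `set -e` at the top of the Bash block, or `if (-not $webapp) { throw "lookup failed" }` before the move in the PowerShell block. Minor: the PowerShell block is PowerShell syntax but keeps the `azurecli` fence tag copied from the Bash block; `powershell` would match the highlighter.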
The following image shows an error message from the Azure portal when a user tri
**Question: What does the error code "MissingMoveDependentResources" mean?**
-When moving a resource, its dependent resources must either exist in the destination resource group or subscription, or be included in the move request. You get the MissingMoveDependentResources error code when a dependent resource doesn't meet this requirement. The error message has details about the dependent resource that needs to be included in the move request.
+When you move a resource, its dependent resources must either exist in the destination resource group or subscription, or be included in the move request. You get the MissingMoveDependentResources error code when a dependent resource doesn't meet this requirement. The error message has details about the dependent resource that needs to be included in the move request.
For example, moving a virtual machine could require moving seven resource types with three different resource providers. Those resource providers and types are:
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/policy-reference.md
Title: Built-in policy definitions for Azure Resource Manager description: Lists Azure Policy built-in policy definitions for Azure Resource Manager. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-resource-manager Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-signalr Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/policy-reference.md
Title: Built-in policy definitions for Azure SignalR description: Lists Azure Policy built-in policy definitions for Azure SignalR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
azure-signalr Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SignalR description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
azure-video-indexer Edit Transcript Lines Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/edit-transcript-lines-portal.md
Title: Insert or remove transcript lines in Azure Video Indexer website
-description: This article explains how to insert or remove a transcript line in the Azure Video Indexer website.
+ Title: View and update transcriptions in Azure Video Indexer website
+description: This article explains how to insert or remove a transcript line in the Azure Video Indexer website. It also shows how to view word-level information.
Last updated 05/03/2022
-# Insert or remove transcript lines in the Azure Video Indexer website
+# View and update transcriptions
-This article explains how to insert or remove a transcript line in the [Azure Video Indexer website](https://www.videoindexer.ai/).
+This article explains how to insert or remove a transcript line in the Azure Video Indexer website. It also shows how to view word-level information.
-## Add new line to the transcript timeline
+## Insert or remove transcript lines in the Azure Video Indexer website
+
+This section explains how to insert or remove a transcript line in the [Azure Video Indexer website](https://www.videoindexer.ai/).
+
+### Add new line to the transcript timeline
While in the edit mode, hover between two transcription lines. You'll find a gap between **ending time** of the **transcript line** and the beginning of the following transcript line, user should see the following **add new transcription line** option.
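Review bot: As the diff reads, the original `Title: Insert or remove transcript lines in Azure Video Indexer website` line is kept as context and a second `Title: View and update transcriptions in Azure Video Indexer website` line is added, so the front matter would end up with two title keys; the old line should be a `-` line. The new H1 `# View and update transcriptions` also drops the product name that the new title and description both keep, and the sentence under it is repeated verbatim as the first line of the new `## Insert or remove transcript lines...` section; trim one of the two.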
Choose an existing line in the transcript line, click the **three dots** icon, s
> > While using the API, when adding a new line, **Speaker name** can be added using free text. For example, *Speaker 1* can now become *Adam*.
-## Edit existing line
+### Edit existing line
While in the edit mode, select the three dots icon. The editing options were enhanced, they now contain not just the text but also the time stamp with accuracy of milliseconds.
-## Delete line
+### Delete line
Lines can now be deleted through the same three dots icon.
-## Example how and when to use this feature
+### Consolidate two lines as one
To consolidate two lines, which you believe should appear as one.
To consolidate two lines, which you believe should appear as one.
1. Copy the text 1. Delete the line 1. Go to line 1, edit, paste the text and save.
-
+
+## Examine word-level transcription information
+
+This section shows how to examine word-level transcription information based on sentences and phrases that Azure Video Indexer identified. Each phrase is broken into words and each word has the following information associated with it
+
+|Name|Description|Example|
+||||
+|Word|A word from a phrase.|"thanks"|
+|Confidence|How confident the Azure Video Indexer that the word is correct.|0.80127704|
+|Offset|The time offset from the beginning of the video to where the word starts.|PT0.86S|
+|Duration|The duration of the word.|PT0.28S|
+
+### Get and view the transcript
+
+1. Sign in on the [Azure Video Indexer website](https://www.videoindexer.ai).
+1. Select a video.
+1. In the top-right corner, press arrow down and select **Artifacts (ZIP)**.
+1. Download the artifacts.
+1. Unzip the downloaded file > browse to where the unzipped files are located > find and open `transcript.speechservices.json`.
+1. Format and view the json.
+1. Find`RecognizedPhrases` > `NBest` > `Words` and find interesting to you information.
+
+```json
+"RecognizedPhrases": [
+{
+ "RecognitionStatus": "Success",
+ "Channel": 0,
+ "Speaker": 1,
+ "Offset": "PT0.86S",
+ "Duration": "PT11.01S",
+ "OffsetInTicks": 8600000,
+ "DurationInTicks": 110100000,
+ "NBest": [
+ {
+ "Confidence": 0.82356554,
+ "Lexical": "thanks for joining ...",
+ "ITN": "thanks for joining ...",
+ "MaskedITN": "",
+ "Display": "Thanks for joining ...",
+ "Words": [
+ {
+ "Word": "thanks",
+ "Confidence": 0.80127704,
+ "Offset": "PT0.86S",
+ "Duration": "PT0.28S",
+ "OffsetInTicks": 8600000,
+ "DurationInTicks": 2800000
+ },
+ {
+ "Word": "for",
+ "Confidence": 0.93965703,
+ "Offset": "PT1.15S",
+ "Duration": "PT0.13S",
+ "OffsetInTicks": 11500000,
+ "DurationInTicks": 1300000
+ },
+ {
+ "Word": "joining",
+ "Confidence": 0.97060966,
+ "Offset": "PT1.29S",
+ "Duration": "PT0.31S",
+ "OffsetInTicks": 12900000,
+ "DurationInTicks": 3100000
+ },
+ {
+
+```
+ ## Next steps For updating transcript lines and text using API visit [Azure Video Indexer Developer portal](https://aka.ms/avam-dev-portal)
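Review bot: The table delimiter row in the new word-level section is `||||`, which has no dashes and so will not render as a Markdown table; it needs `|--|--|--|`. In the same table, "How confident the Azure Video Indexer that the word is correct" is missing "is", and the lead-in sentence ends without a period ("...has the following information associated with it"). In the procedure, "Find`RecognizedPhrases`" needs a space after "Find", and "find interesting to you information" should read "find the information you're interested in". The JSON snippet stops mid-object with an unclosed `{` after the `joining` entry; either cut it after that entry and close the `Words`, `NBest` and `RecognizedPhrases` arrays, or mark the elision with `...` so readers don't try to parse it as-is.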
azure-video-indexer Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/release-notes.md
Now supporting word level time annotation with confidence score.
An annotation is any type of additional information that is added to an already existing text, be it a transcription of an audio file or an original text file.
+For more information, see [Examine word-level transcription information](edit-transcript-lines-portal.md#examine-word-level-transcription-information).
+ ### Azure Monitor integration enabling indexing logs The new set of logs, described below, enables you to better monitor your indexing pipeline.
azure-vmware Deploy Disaster Recovery Using Jetstream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/deploy-disaster-recovery-using-jetstream.md
For full details, refer to the article: [Disaster Recovery with Azure NetApp Fil
- An NSX-T network segment configured on Azure VMware Solution private cloud with DHCP enabled on the segment for the transient JetStream Virtual appliances employed during recovery or failover. -- A DNS server configured on both the primary and DR sites to resolve the IP addresses of Azure VMware Solution vCenter Server, Azure VMware Solution ESXi hosts, Azure Storage account, and the JetStream Marketplace service for the JetStream virtual appliances.
+- DNS configured on both the primary and DR sites to resolve the IP addresses of Azure VMware Solution vCenter Server, Azure VMware Solution ESXi hosts, Azure Storage account, the JetStream DR Management Server Appliance (MSA) and the JetStream Marketplace service for the JetStream virtual appliances.
- (Optional) Azure NetApp Files volume(s) are created and attached to the Azure VMware Solution private cloud for recovery or failover of protected VMs to Azure NetApp Files backed datastores. - [Attach Azure NetApp Files datastores to Azure VMware Solution hosts (Preview)](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md)
You can follow these steps for both supported scenarios.
| **Field** | **Value** | | | | | **Network** | Name of the NSX-T Data Center network segment where you must deploy the JetStream MSA. |
- | **Datastore** | Name of the datastore where you'll deploy the MSA. |
+ | **Datastore** | Name of the datastore where you will deploy the JetStream MSA. |
| **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster to be protected, for example, **Cluster-1**. You can only provide one cluster name. |
- | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA is deployed, for example, **Cluster-1**. |
+ | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA will be deployed, for example, **Cluster-1**. |
| **VMName** | Name of JetStream MSA VM, for example, **jetstreamServer**. | | **Specify name for execution** | Alphanumeric name of the execution, for example, **Invoke-PreflightJetDRInstall-Exec1**. It's used to verify if the cmdlet ran successfully. | | **Timeout** | The period after which a cmdlet exits if taking too long to finish. |
Azure VMware Solution supports the installation of JetStream using either static
| **Field** | **Value** | | | | | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster to be protected, for example, **Cluster-1**. You can only provide one cluster name during the install. |
- | **Datastore** | Name of the datastore where you'll deploy the JetStream MSA. |
+ | **Datastore** | Name of the datastore where the JetStream MSA will be deployed. |
| **VMName** | Name of JetStream MSA VM, for example, **jetstreamServer**. |
- | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA is deployed, for example, **Cluster-1**. |
+ | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA will be deployed, for example, **Cluster-1**. |
| **Netmask** | Netmask of the MSA to be deployed, for example, **255.255.255.0**. | | **MSIp** | IP address of the JetStream MSA VM. | | **Dns** | DNS IP that the JetStream MSA VM should use. | | **Gateway** | IP address of the network gateway for the JetStream MSA VM. | | **Credential** | Credentials of the root user of the JetStream MSA VM. | | **HostName** | Hostname (FQDN) of the JetStream MSA VM. |
- | **Network** | Name of the NSX-T Data Center network segment where you must deploy the JetStream MSA. |
+ | **Network** | Name of the NSX-T Data Center network segment where the JetStream MSA will be deployed. |
| **Specify name for execution** | Alphanumeric name of the execution, for example, **Install-JetDRWithStaticIP-Exec1**. It's used to verify if the cmdlet ran successfully and should be unique for each run. |
This step also installs JetStream vSphere Installation Bundle (VIB) on the clust
| **Field** | **Value** | | | | | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster to be protected, for example, **Cluster-1**. You can only provide one cluster name during the install. |
- | **Datastore** | Name of the datastore where you'll deploy the JetStream MSA. |
+ | **Datastore** | Name of the datastore where the JetStream MSA will be deployed. |
| **VMName** | Name of JetStream MSA VM, for example, **jetstreamServer**. |
- | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA is deployed, for example, **Cluster-1**. |
+ | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA will be deployed, for example, **Cluster-1**. |
| **Credential** | Credentials of the root user of the JetStream MSA VM. | | **HostName** | Hostname (FQDN) of the JetStream MSA VM. |
- | **Network** | Name of the NSX-T Data Center network segment where you must deploy the JetStream MSA. |
+ | **Network** | Name of the NSX-T Data Center network segment where the JetStream MSA will be deployed. |
| **Specify name for execution** | Alphanumeric name of the execution, for example, **Install-JetDRWithDHCP-Exec1**. It's used to verify if the cmdlet ran successfully and should be unique for each run. |
Once JetStream DR MSA and JetStream VIB are installed on the Azure VMware Soluti
1. [Create a JetStream replication log store volume](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/create-a-replication-log-store-volume/) using one of the datastores available to the Azure VMware Solution cluster. >[!TIP]
- >Fast local storage, such as vSAN datastore, is preferred for the replication log.
+ >Fast local storage, such as vSAN datastore, is preferred for the replication log volume.
-1. [Create a JetStream protected domain](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/create-a-protected-domain/). You'll provide the Azure Blob Storage site, JetStream DRVA instance, and replication log created in previous steps.
+1. [Create a JetStream protected domain](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/create-a-protected-domain/). You'll provide the Azure Blob Storage site, JetStream DRVA instance, and replication log volume created in previous steps.
1. [Select the VMs](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/select-vms-for-protection/) you want to protect and then [start VM protection](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/start-vm-protection/).
This cmdlet disables JetStream DR only on one of the clusters and doesn't comple
| **Field** | **Value** | | | |
- | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster to be protected, for example, **Cluster-1**. You can only provide one cluster name during the install. |
+ | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster currently protected by JetStream DR, for example, **Cluster-1**. You can only provide one cluster name to be disabled. |
| **Credential** | Credentials of the root user of the JetStream MSA VM. | | **MSIp** | IP address of the JetStream MSA VM. | | **Specify name for execution** | Alphanumeric name of the execution, for example, **Disable-JetDRForCluster-Exec1**. It's used to verify if the cmdlet ran successfully and should be unique for each run. |
This cmdlet disables JetStream DR only on one of the clusters and doesn't comple
| **Field** | **Value** | | | |
- | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster to be protected, for example, **Cluster-1**. You can only provide one cluster name during the install. |
+ | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster currently protected by JetStream DR, for example, **Cluster-1**. You can only provide one cluster name during uninstall. |
| **Credential** | Credentials of the root user of the JetStream MSA VM. | | **MSIp** | IP address of the JetStream MSA VM. | | **Specify name for execution** | Alphanumeric name of the execution, for example, **Invoke-PreflightJetDRUninstall-Exec1**. It's used to verify if the cmdlet ran successfully and should be unique for each run.|
This cmdlet disables JetStream DR only on one of the clusters and doesn't comple
| **Field** | **Value** | | | |
- | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster to be protected, for example, **Cluster-1**. You can only provide one cluster name during the install. |
+ | **ProtectedCluster** | Name of the Azure VMware Solution private cloud cluster currently protected by JetStream DR, for example, **Cluster-1**. You can only provide one cluster name during uninstall. |
| **Credential** | Credentials of the root user of the JetStream MSA VM. | | **MSIp** | IP address of the JetStream MSA VM. | | **Specify name for execution** | Alphanumeric name of the execution, for example, **Uninstall-JetDR-Exec1**. It's used to verify if the cmdlet ran successfully and should be unique for each run.|
This cmdlet disables JetStream DR only on one of the clusters and doesn't comple
JetStream DR is a solution that [JetStream Software](https://www.jetstreamsoft.com/) supports. For any product or support issues with JetStream, contact support-avs@jetstreamsoft.com.
-Azure VMware Solution uses the Run command (Preview) to automate both the install and uninstall of JetStream DR. Contact Microsoft support for any issue with the run commands. For issues with JetStream install and uninstall cmdlets, contact JetStream for support.
+Azure VMware Solution uses the Run command to automate both the install and uninstall of JetStream DR. Contact Microsoft support for any issue with the run commands. For issues with JetStream install and uninstall cmdlets, contact JetStream for support.
azure-vmware Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-vmware/introduction.md
Title: Introduction
description: Learn the features and benefits of Azure VMware Solution to deploy and manage VMware-based workloads in Azure. Azure VMware Solution SLA guarantees that Azure VMware management tools (vCenter Server and NSX Manager) will be available at least 99.9% of the time. Previously updated : 06/15/2022 Last updated : 10/28/2022+ # What is Azure VMware Solution?
-Azure VMware Solution provides you with private clouds that contain VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. The minimum initial deployment is three hosts, but additional hosts can be added one at a time, up to a maximum of 16 hosts per cluster. All provisioned private clouds have VMware vCenter Server, VMware vSAN, VMware vSphere, and VMware NSX-T Data Center. As a result, you can migrate workloads from your on-premises environments, deploy new virtual machines (VMs), and consume Azure services from your private clouds. In addition, Azure VMware Solution management tools (vCenter Server and NSX Manager) are available at least 99.9% of the time. For more information, see [Azure VMware Solution SLA](https://azure.microsoft.com/support/legal/sla/azure-vmware/v1_1/).
+Azure VMware Solution provides you with private clouds that contain VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. The minimum initial deployment is three hosts, but more hosts can be added one at a time, up to a maximum of 16 hosts per cluster. All provisioned private clouds have VMware vCenter Server, VMware vSAN, VMware vSphere, and VMware NSX-T Data Center. As a result, you can migrate workloads from your on-premises environments, deploy new virtual machines (VMs), and consume Azure services from your private clouds. For information about the SLA, see the [Azure service-level agreements](https://azure.microsoft.com/support/legal/sla/azure-vmware/v1_1/) page.
Azure VMware Solution is a VMware validated solution with ongoing validation and testing of enhancements and upgrades. Microsoft manages and maintains the private cloud infrastructure and software. It allows you to focus on developing and running workloads in your private clouds to deliver business value. The diagram shows the adjacency between private clouds and VNets in Azure, Azure services, and on-premises environments. Network access from private clouds to Azure services or VNets provides SLA-driven integration of Azure service endpoints. ExpressRoute Global Reach connects your on-premises environment to your Azure VMware Solution private cloud.
-
:::image type="content" source="media/adjacency-overview-drawing-final.png" alt-text="Diagram of Azure VMware Solution private cloud adjacency to Azure and on-premises." border="false":::
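Review bot: The rewritten first paragraph drops the explicit "available at least 99.9% of the time" statement in favour of a link to the SLA page, but the `description:` front matter line above still states the 99.9% figure for vCenter Server and NSX Manager. Either keep the number in both places or remove it from the description as well, so the page doesn't make a commitment in its metadata that the body no longer states.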
The diagram shows the adjacency between private clouds and VNets in Azure, Azure
You can deploy new or scale existing private clouds through the Azure portal or Azure CLI. - ## Networking [!INCLUDE [avs-networking-description](includes/azure-vmware-solution-networking-description.md)]
For more information, see [Networking concepts](concepts-networking.md).
## Access and security
-Azure VMware Solution private clouds use vSphere role-based access control for enhanced security. You can integrate vSphere SSO LDAP capabilities with Azure Active Directory. For more information, see the [Access and Identity concepts](concepts-identity.md).
+Azure VMware Solution private clouds use vSphere role-based access control for enhanced security. You can integrate vSphere SSO LDAP capabilities with Azure Active Directory. For more information, see the [Access and Identity concepts](concepts-identity.md) page.
vSAN data-at-rest encryption, by default, is enabled and is used to provide vSAN datastore security. For more information, see [Storage concepts](concepts-storage.md). ## Data Residency and Customer Data
-Azure VMware Solution does not store customer data.
+Azure VMware Solution doesn't store customer data.
## VMware software versions
Regular upgrades of the Azure VMware Solution private cloud and VMware software
## Monitoring your private cloud
-Once youΓÇÖve deployed Azure VMware Solution into your subscription, [Azure Monitor logs](../azure-monitor/overview.md) are generated automatically.
+Once youΓÇÖve deployed Azure VMware Solution into your subscription, [Azure Monitor logs](../azure-monitor/overview.md) are generated automatically.
In your private cloud, you can:+ - Collect logs on each of your VMs. - [Download and install the MMA agent](../azure-monitor/agents/log-analytics-agent.md#installation-options) on Linux and Windows VMs. - Enable the [Azure diagnostics extension](../azure-monitor/agents/diagnostics-extension-overview.md).
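Review bot: The `+` line under "Monitoring your private cloud" re-saves the mojibake "youΓÇÖve" unchanged (a UTF-8 right single quotation mark read back through code page 437); since the line is being touched anyway, replace it with a plain "you've". The `-` and `+` lines are otherwise identical, so this looks like a trailing-whitespace-only change.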
In your private cloud, you can:
Monitoring patterns inside the Azure VMware Solution are similar to Azure VMs within the IaaS platform. For more information and how-tos, see [Monitoring Azure VMs with Azure Monitor](../azure-monitor/vm/monitor-vm-azure.md). ## Customer communication+ [!INCLUDE [customer-communications](includes/customer-communications.md)]
+## Azure VMware Solution Responsibility Matrix - Microsoft vs Customer
+
+Azure VMware Solution implements a shared responsibility model that defines distinct roles and responsibilities of the two parties involved in the offering: Customer and Microsoft. The shared role responsibilities are illustrated in more detail in following two tables.
+
+The shared responsibility matrix table shows the high-level responsibilities between a customer and Microsoft for different aspects of the deployment/management of the private cloud and the customer application workloads.
++
+The following table provides a detailed list of roles and responsibilities between the customer and Microsoft, which encompasses the most frequent tasks and definitions. For further questions, contact Microsoft.
+
+| **Role** | **Task/details** |
+| -- | - |
+| Microsoft - Azure VMware Solution | Physical infrastructure<ul><li>Azure regions</li><li>Azure availability zones</li><li>Express Route/Global reach</ul></li>Compute/Network/Storage<ul><li>Rack and power Bare Metal hosts</li><li>Rack and power network equipment</ul></li>Software defined Data Center (SDDC) deploy/lifecycle<ul><li>VMware ESXi deploy, patch, and upgrade</li><li>VMware vCenter Servers deploy, patch, and upgrade</li><li>VMware NSX-T Data Centers deploy, patch, and upgrade</li><li>vSAN deploy, patch, and upgrade</ul></li>SDDC Networking - VMware NSX-T Data Center provider config<ul><li>Microsoft Edge node/cluster, VMware NSX-T Data Center host preparation</li><li>Provider Tier-0 and Tenant Tier-1 Gateway</li><li>Connectivity from Tier-0 (using BGP) to Azure Network via Express Route</ul></li>SDDC Compute - VMware vCenter Server provider config<ul><li>Create default cluster</li><li>Configure virtual networking for vMotion, Management, vSAN, and others</ul></li>SDDC backup/restore<ul><li>Backup and restore VMware vCenter Server</li><li>Backup and restore VMware NSX-T Data Center NSX-T Manager</ul></li>SDDC health monitoring and corrective actions, for example: replace failed hosts</br><br>(optional) HCX deploys with fully configured compute profile on cloud side as add-on</br><br>(optional) SRM deploys, upgrade, and scale up/down</br><br>Support - SDDC platforms and HCX |
+| Customer | Request Azure VMware Solution host quote with Microsoft<br>Plan and create a request for SDDCs on Azure portal with:<ul><li>Host count</li><li>Management network range</li><li>Other information</ul></li>Configure SDDC network and security (VMware NSX-T Data Center)<ul><li>Network segments to host applications</li><li>Additional Tier -1 routers</li><li>Firewall</li><li>VMware NSX-T Data Center LB</li><li>IPsec VPN</li><li>NAT</li><li>Public IP addresses</li><li>Distributed firewall/gateway firewall</li><li>Network extension using HCX or VMware NSX-T Data Center</li><li>AD/LDAP config for RBAC</ul></li>Configure SDDC - VMware vCenter Server<ul><li>AD/LDAP config for RBAC</li><li>Deploy and lifecycle management of Virtual Machines (VMs) and application<ul><li>Install operating systems</li><li>Patch operating systems</li><li>Install antivirus software</li><li>Install backup software</li><li>Install configuration management software</li><li>Install application components</li><li>VM networking using VMware NSX-T Data Center segments</ul></li><li>Migrate Virtual Machines (VMs)<ul><li>HCX configuration</li><li>Live vMotion</li><li>Cold migration</li><li>Content library sync</ul></li></ul></li>Configure SDDC - vSAN<ul><li>Define and maintain vSAN VM policies</li><li>Add hosts to maintain adequate 'slack space'</ul></li>Configure HCX<ul><li>Download and deploy HCA connector OVA in on-premises</li><li>Pairing on-premises HCX connector</li><li>Configure the network profile, compute profile, and service mesh</li><li>Configure HCX network extension/MON</li><li>Upgrade/updates</ul></li>Network configuration to connect to on-premises, VNET, or internet</br><br>Add or delete hosts requests to cluster from Portal</br><br>Deploy/lifecycle management of partner (third party) solutions |
+| Partner ecosystem | Support for their product/solution. For reference, the following are some of the supported Azure VMware Solution partner solution/product:<ul><li>BCDR - SRM, JetStream, RiverMeadow, and others</li><li>Backup - Veeam, Commvault, Rubrik, and others</li><li>VDI - Horizon/Citrix</li><li>Security solutions - BitDefender, TrendMicro, Checkpoint</li><li>Other VMware products - vRA, VRops, AVI |
++ ## Next steps The next step is to learn key [private cloud and cluster concepts](concepts-private-clouds-clusters.md).
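Review bot: The new responsibility matrix has a few problems that should be fixed before merge. The text promises "two tables" and says "The shared responsibility matrix table shows the high-level responsibilities", but only the detailed table follows; the high-level matrix (probably an image) is missing from this diff. In the table rows the HTML lists are mis-nested as `<ul><li>...</ul></li>` throughout, and the Partner row never closes its `<ul>`; fix the nesting so the cells render reliably. "Microsoft Edge node/cluster" in the Microsoft row reads as the browser; these are the NSX-T Edge nodes that Microsoft manages, so say so. "AD/LDAP config for RBAC" appears twice in the Customer row (under NSX-T and again under vCenter Server), "HCA connector OVA" should presumably be "HCX connector OVA", and "Express Route" should be "ExpressRoute" to match the rest of the article.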
The next step is to learn key [private cloud and cluster concepts](concepts-priv
<!-- LINKS - internal --> [concepts-private-clouds-clusters]: ./concepts-private-clouds-clusters.md-
azure-web-pubsub Concept Service Internals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-service-internals.md
Previously updated : 07/27/2022 Last updated : 09/30/2022 # Azure Web PubSub service internals
Azure Web PubSub Service provides an easy way to publish/subscribe messages usin
Workflow as shown in the above graph: 1. A *client* connects to the service `/client` endpoint using WebSocket transport. Service forward every WebSocket frame to the configured upstream(server). The WebSocket connection can connect with any custom subprotocol for the server to handle, or it can connect with the service-supported subprotocol `json.webpubsub.azure.v1`, which empowers the clients to do pub/sub directly. Details are described in [client protocol](#client-protocol).
-1. The service invokes the server using **CloudEvents HTTP protocol** on different client events. [**CloudEvents**](https://github.com/cloudevents/spec/blob/v1.0.1/http-protocol-binding.md) is a standardized and protocol-agnostic definition of the structure and metadata description of events hosted by the Cloud Native Computing Foundation (CNCF). Details are described in [server protocol](#server-protocol).
-1. The Web PubSub server can invoke the service using the REST API to send messages to clients or to manage the connected clients. Details are described in [server protocol](#server-protocol)
+2. On different client events, the service invokes the server using **CloudEvents protocol**. [**CloudEvents**](https://github.com/cloudevents/spec/tree/v1.0.1) is a standardized and protocol-agnostic definition of the structure and metadata description of events hosted by the Cloud Native Computing Foundation (CNCF). Detailed implementation of CloudEvents protocol relies on the server role, described in [server protocol](#server-protocol).
+3. The Web PubSub server can invoke the service using the REST API to send messages to clients or to manage the connected clients. Details are described in [server protocol](#server-protocol)
## Client protocol
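Review bot: step 3 of the workflow list still ends without a period, unlike steps 1 and 2, and step 1 (unchanged context) has a subject-verb disagreement in "Service forward every WebSocket frame to the configured upstream(server)"; suggest "The service forwards every WebSocket frame to the configured upstream (server)."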
-A client connection connects to the `/client` endpoint of the service using [WebSocket protocol](https://tools.ietf.org/html/rfc6455). The WebSocket protocol provides full-duplex communication channels over a single TCP connection and was standardized by the IETF as RFC 6455 in 2011. Most languages have native support to start WebSocket connections.
+A client connection connects to the `/client` endpoint of the service using [WebSocket protocol](https://tools.ietf.org/html/rfc6455). The WebSocket protocol provides full-duplex communication channels over a single TCP connection and was standardized by the IETF as RFC 6455 in 2011. Most languages have native support to start WebSocket connections.
Our service supports two kinds of clients: - One is called [the simple WebSocket client](#the-simple-websocket-client) - The other is called [the PubSub WebSocket client](#the-pubsub-websocket-client) ### The simple WebSocket client
-A simple WebSocket client, as the naming indicates, is a simple WebSocket connection. It can also have its custom subprotocol.
+A simple WebSocket client, as the naming indicates, is a simple WebSocket connection. It can also have its custom subprotocol.
For example, in JS, a simple WebSocket client can be created using the following code. ```js
A simple WebSocket client follows a client<->server architecture, as the below s
![Diagram showing the sequence for a client connection.](./media/concept-service-internals/simple-client-sequence.png)
-1. When the client starts a WebSocket handshake, the service tries to invoke the `connect` event handler (the server) for WebSocket handshake. Developers can use this handler to handle the WebSocket handshake, determine the subprotocol to use, authenticate the client, and join the client to groups.
-1. When the client is successfully connected, the service invokes a `connected` event handler. It works as a notification and doesn't block the client from sending messages. Developers can use this handler to do data storage and can respond with messages to the client.
-1. When the client sends messages, the service triggers the `message` event to the event handler (the server) to handle the messages sent. This event is a general event containing the messages sent in a WebSocket frame. Your code needs to dispatch the messages inside this event handler.
-1. When the client disconnects, the service tries to trigger the `disconnected` event to the event handler (the server) once it detects the disconnect.
+1. When the client starts a WebSocket handshake, the service tries to invoke the `connect` event handler for WebSocket handshake. Developers can use this handler to handle the WebSocket handshake, determine the subprotocol to use, authenticate the client, and join the client to groups.
+2. When the client is successfully connected, the service invokes a `connected` event handler. It works as a notification and doesn't block the client from sending messages. Developers can use this handler to do data storage and can respond with messages to the client. The service also pushes a `connected` event to all concerning event listeners, if any.
+3. When the client sends messages, the service triggers a `message` event to the event handler to handle the messages sent. This event is a general event containing the messages sent in a WebSocket frame. Your code needs to dispatch the messages inside this event handler. If the event handler returns non-successful response code for, the service drops the client connection. The service also pushes a `message` event to all concerning event listeners, if any. If the service can't find any registered servers to receive the messages, the service also drops the connection.
+4. When the client disconnects, the service tries to trigger the `disconnected` event to the event handler once it detects the disconnect. The service also pushes a `disconnected` event to all concerning event listeners, if any.
-The events fall into two categories:
-* Synchronous events (blocking)
- Synchronous events block the client workflow. When such an event trigger fails, the service drops the client connection.
- * `connect`
- * `message`
-* Asynchronous events (non-blocking)
- Asynchronous events don't block the client workflow, it acts as some notification to the upstream event handler. When such an event trigger fails, the service logs the error detail.
- * `connected`
- * `disconnected`
-
#### Scenarios These connections can be used in a typical client-server architecture where the client sends messages to the server and the server handles incoming messages using [Event Handlers](#event-handler). It can also be used when customers apply existing [subprotocols](https://www.iana.org/assignments/websocket/websocket.xml) in their application logic.
A PubSub WebSocket client can:
[PubSub WebSocket Subprotocol](./reference-json-webpubsub-subprotocol.md) contains the details of the `json.webpubsub.azure.v1` subprotocol.
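Review bot: step 3 has a dangling word in "If the event handler returns non-successful response code for, the service drops the client connection"; suggest "If the event handler returns a non-successful response code, the service drops the client connection." Also, removing the "The events fall into two categories" block here leaves this section with no statement of which events are blocking; since the block moves to a new "Client events summary" section later in the same change, a one-line cross-reference here would help. "all concerning event listeners" would read better as "all event listeners that match the event".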
-You may have noticed that for a [simple WebSocket client](#the-simple-websocket-client), the *server* is a **must have** role to handle the events from clients. A simple WebSocket connection always triggers a `message` event when it sends messages, and always relies on the server-side to process messages and do other operations. With the help of the `json.webpubsub.azure.v1` subprotocol, an authorized client can join a group and publish messages to a group directly. It can also route messages to different upstream (event handlers) by customizing the *event* the message belongs.
+You may have noticed that for a [simple WebSocket client](#the-simple-websocket-client), the *server* is a **must have** role to receive the `message` events from clients. A simple WebSocket connection always triggers a `message` event when it sends messages, and always relies on the server-side to process messages and do other operations. With the help of the `json.webpubsub.azure.v1` subprotocol, an authorized client can join a group and publish messages to a group directly. It can also route messages to different event handlers / event listeners by customizing the *event* the message belongs.
#### Scenarios: Such clients can be used when clients want to talk to each other. Messages are sent from `client2` to the service and the service delivers the message directly to `client1` if the clients are authorized to do so.
var client1 = new WebSocket("wss://xxx.webpubsub.azure.com/client/hubs/hub1", "j
client1.onmessage = e => { if (e.data) { var message = JSON.parse(e.data);
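Review bot: "customizing the *event* the message belongs" is missing a preposition; suggest "customizing the *event* the message belongs to". "event handlers / event listeners" would be clearer as "event handlers or event listeners".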
- if (message.type === "message"
+ if (message.type === "message"
&& message.group === "Group1"){ // Only print messages from Group1 console.log(message.data);
client2.onopen = e => {
As the above example shows, `client2` sends data directly to `client1` by publishing messages to `Group1` which `client1` is in.
+### Client events summary
+
+Client events fall into two categories:
+* Synchronous events (blocking)
+ Synchronous events block the client workflow.
+ * `connect`: This event is for event handler only. When the client starts a WebSocket handshake, the event is triggered and developers can use `connect` event handler to handle the WebSocket handshake, determine the subprotocol to use, authenticate the client, and join the client to groups.
+ * `message`: This event is triggered when a client sends a message.
+* Asynchronous events (non-blocking)
+ Asynchronous events don't block the client workflow, it acts as some notification to server. When such an event trigger fails, the service logs the error detail.
+ * `connected`: This event is triggered when a client connects to the service successfully.
+ * `disconnected`: This event is triggered when a client disconnected with the service.
+ ### Client message limit The maximum allowed message size for one WebSocket frame is **1MB**.
The server-side can also grant or revoke permissions of the client dynamically t
## Server protocol
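Review bot: the synchronous bullet in the new "Client events summary" drops the failure consequence that the removed block stated ("When such an event trigger fails, the service drops the client connection"), while the asynchronous bullet keeps its own ("the service logs the error detail"); restoring that sentence keeps the two categories parallel and documents the connection-drop behaviour in the summary readers are most likely to land on. Grammar: "it acts as some notification to server" should be "they act as notifications to the server", "This event is for event handler only" should be "This event is delivered to event handlers only", and "when a client disconnected with the service" should be "when a client disconnects from the service".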
-Server protocol provides the functionality for the server to manage the client connections and the groups.
+Server protocol provides the functionality for the server to handle client events and manage the client connections and the groups.
-In general, server protocol contains two roles:
+In general, server protocol contains three roles:
1. [Event handler](#event-handler) 1. [Connection manager](#connection-manager)
+1. [Event listener](#event-listener)
### Event handler
-The event handler handles the incoming client events. Event handlers are registered and configured in the service through the portal or Azure CLI. When a client event is triggered, the service can identify if the event is to be handled or not. Now we use `PUSH` mode to invoke the event handler. The event handler on the server side exposes a publicly accessible endpoint for the service to invoke when the event is triggered. It acts as a **webhook**.
+The event handler handles the incoming client events. Event handlers are registered and configured in the service through the portal or Azure CLI. When a client event is triggered, the service can identify if the event is to be handled or not. Now we use `PUSH` mode to invoke the event handler. The event handler on the server side exposes a publicly accessible endpoint for the service to invoke when the event is triggered. It acts as a **webhook**.
Web PubSub service delivers client events to the upstream webhook using the [CloudEvents HTTP protocol](https://github.com/cloudevents/spec/blob/v1.0.1/http-protocol-binding.md).
-For every event, the service formulates an HTTP POST request to the registered upstream and expects an HTTP response.
+For every event, the service formulates an HTTP POST request to the registered upstream and expects an HTTP response.
The data sent from the service to the server is always in CloudEvents `binary` format.
The data sent from the service to the server is always in CloudEvents `binary` f
#### Upstream and Validation
-Event handlers need to be registered and configured in the service through the portal or Azure CLI before first use. When a client event is triggered, the service can identify if the event must be handled or not. For public preview, we use `PUSH` mode to invoke the event handler. The event handler on the server side exposes publicly accessible endpoint for the service to invoke when the event is triggered. It acts as a **webhook** **upstream**.
+Event handlers need to be registered and configured in the service through the portal or Azure CLI before first use. When a client event is triggered, the service can identify if the event must be handled or not. For public preview, we use `PUSH` mode to invoke the event handler. The event handler on the server side exposes publicly accessible endpoint for the service to invoke when the event is triggered. It acts as a **webhook** **upstream**.
The URL can use `{event}` parameter to define a URL template for the webhook handler. The service calculates the value of the webhook URL dynamically when the client request comes in. For example, when a request `/client/hubs/chat` comes in, with a configured event handler URL pattern `http://host.com/api/{event}` for hub `chat`, when the client connects, it will first POST to this URL: `http://host.com/api/connect`. This behavior can be useful when a PubSub WebSocket client sends custom events, that the event handler helps dispatch different events to different upstream. The `{event}` parameter isn't allowed in the URL domain name.
For now, we don't support [WebHook-Request-Rate](https://github.com/cloudevents/
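Review bot: the "Upstream and Validation" paragraph duplicates the opening paragraph of "### Event handler" almost verbatim, and the two disagree on wording ("For public preview, we use `PUSH` mode" here versus "Now we use `PUSH` mode" above); since this change touches the line anyway, drop the duplicate or reduce it to the sentences about the `{event}` URL template, and fix "exposes publicly accessible endpoint" to "exposes a publicly accessible endpoint".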
- Step1: Enable Identity for the Web PubSub service - Step2: Select from existing Azure AD application that stands for your webhook web app - ### Connection manager The server is by nature an authorized user. With the help of the *event handler role*, the server knows the metadata of the clients, for example, `connectionId` and `userId`, so it can:
It can also grant or revoke publish/join permissions for a PubSub client:
- Grant publish/join permissions to some specific group or to all groups - Revoke publish/join permissions for some specific group or for all groups - Check if the client has permission to join or publish to some specific group or to all groups
-
+ The service provides REST APIs for the server to do connection management. ![Diagram showing the Web PubSub service connection manager workflow.](./media/concept-service-internals/manager-rest.png) The detailed REST API protocol is defined [here][rest].
+### Event listener
+
+> [!NOTE]
+> Event listener feature is in preview.
+
+The event listener listens to the incoming client events. Each event listener contains a filter to specify which kinds of events it concerns, an endpoint about where to send the events to.
+
+Currently we support [**Event Hubs**](https://azure.microsoft.com/products/event-hubs/) as an event listener endpoint.
+
+You need to register event listeners beforehand, so that when a client event is triggered, the service can push the event to the corresponding event listeners. See [this doc](./howto-develop-event-listener.md#configure-an-event-listener) for how to configure an event listener with an event hub endpoint.
+
+You can configure multiple event listeners. The order of the event listeners doesn't matter. If an event matches with multiple event listeners, it will be sent to all the listeners it matches. See the following diagram for an example. Let's say you configure four event listeners at the same time. Then a client event that matches with three of those listeners will be sent to three listeners, leaving the rest one untouched.
++
+You can combine an [event handler](#event-handler) and event listeners for the same event. In this case, both event handler and event listeners will receive the event.
+
+Web PubSub service delivers client events to event listeners using [CloudEvents AMQP extension for Azure Web PubSub](reference-cloud-events-amqp.md).
+ ### Summary You may have noticed that the *event handler role* handles communication from the service to the server while *the manager role* handles communication from the server to the service. After combining the two roles, the data flow between service and server looks similar to the following diagram using HTTP protocol.
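Review bot: the "### Summary" paragraph still says "After combining the two roles" and names only the event handler and manager roles, but this change introduces a third role (event listener) a few paragraphs earlier; update the summary (and the diagram it describes) to account for the listener path. Also "an endpoint about where to send the events to" should read "and an endpoint to send the events to", "leaving the rest one untouched" should read "leaving the remaining one untouched", and the "See the following diagram for an example" sentence is followed by a line carrying no image reference, so the diagram appears to be missing from the diff.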
azure-web-pubsub Howto Develop Event Listener https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/howto-develop-event-listener.md
+
+ Title: Send client events to Event Hubs
+description: Guidance about how to configure Event Hubs as event listener to send client events to Event Hubs.
++++ Last updated : 09/30/2022++
+# Send client events to Event Hubs
+
+> [!NOTE]
+> Event listener feature is in preview.
+
+## Overview
+
+If you want to listen to your [client events](concept-service-internals.md#terms) without exposing a publicly accessible endpoint, you can configure an "event listener" rule with an [event hub](https://azure.microsoft.com/products/event-hubs/) endpoint, and a filter to specify which kinds of events it concerns. You can configure multiple event listeners at the same time. Web PubSub service notifies all concerning event listeners in parallel when a client event comes.
+
+This tutorial shows you how to authorize your Web PubSub service to connect to Event Hubs and how to add an event listener rule to your service settings.
+
+Web PubSub service uses Azure Active Directory (Azure AD) authentication with managed identity to connect to Event Hubs. Therefore, you should enable the managed identity of the service and make sure it has proper permissions to connect to Event Hubs. You can grant the built-in [Azure Event Hubs Data sender](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-sender) role to the managed identity so that it has enough permissions.
+
+To configure an Event Hubs listener, you need to:
+
+1. [Add a managed identity to your Web PubSub service](#add-a-managed-identity-to-your-web-pubsub-service)
+2. [Grant the managed identity an `Azure Event Hubs Data sender` role](#grant-the-managed-identity-an-azure-event-hubs-data-sender-role)
+3. [Add an event listener rule to your service settings](#add-an-event-listener-rule-to-your-service-settings)
+
+## Configure an event listener
+
+### Add a managed identity to your Web PubSub service
+
+Find your Azure Web PubSub service from **Azure portal**. Navigate to **Identity**. To add a system-assigned identity, on the **System assigned** tab, switch **Status** to **On**. Select **Save**. For more information about managed identities, see [Managed identities in Azure Web PubSub](./howto-use-managed-identity.md).
++
+### Grant the managed identity an `Azure Event Hubs Data sender` role
+
+1. Find your Azure Event Hubs resource in **Azure portal**. You could choose to grant the role in the Event Hubs namespace level or entity level. The following steps choose the namespace level.
+
+1. Navigate to **Access Control**. Select **Add role assignment**.
+ :::image type="content" source="media/howto-develop-event-listener/event-hub-access-control.png" alt-text="Screenshot of granting access to Event Hubs namespace":::
+
+1. Select **Azure Event Hubs Data Sender** role in the **Role** tab. Then select **Next**.
+ :::image type="content" source="media/howto-develop-event-listener/event-hub-data-sender-role.png" alt-text="Screenshot of selecting Azure EventHubs Data Sender role":::
+
+1. In the **Members** tab, choose to assign access to **Managed identity**. Select **Select members** to select your Web PubSub service. Then you can **Review + assign** your role assignment.
+ :::image type="content" source="media/howto-develop-event-listener/event-hub-select-identity.png" alt-text="Screenshot of selecting your Web PubSub service identity":::
+
+### Add an event listener rule to your service settings
+
+1. Find your service from **Azure portal**. Navigate to **Settings**. Then select **Add** to configure your event listener. For an existing hub configuration, select **...** on right side will navigate to the same editing page.
+ :::image type="content" source="media/howto-develop-event-listener/web-pubsub-settings.png" alt-text="Screenshot of Web PubSub settings":::
+
+1. Then in the below editing page, you'd need to configure hub name, and select **Add** to add an event listener.
+ :::image type="content" source="media/howto-develop-event-listener/configure-hub-settings.png" alt-text="Screenshot of configuring hub settings":::
+
+1. On the **Configure Event Listener** page, first configure an event hub endpoint. You can select **Select Event Hub from your subscription** to select, or directly input the fully qualified namespace and the event hub name. Then select `user` and `system` events you'd like to listen to. Finally select **Confirm** when everything is done.
+ :::image type="content" source="media/howto-develop-event-listener/configure-event-hub-listener.png" alt-text="Screenshot of configuring Event Hubs Listener":::
++
+## Test your configuration with live demo
+
+1. Open this [Event Hubs Consumer Client](https://awpseventlistenerdemo.blob.core.windows.net/eventhub-consumer/https://docsupdatetracker.net/index.html) web app, input the Event Hubs connection string to connect to an event hub as a consumer. If you get the Event Hubs connection string from an Event Hubs namespace resource instead of an event hub instance, then you need to specify the event hub name. This event hub consumer client is connected with the mode that only reads new events; the events published before aren't seen here. You can change the consumer client connection mode to read all the available events in the production environment.
+
+1. Use this [WebSocket Client](https://awpseventlistenerdemo.blob.core.windows.net/webpubsub-client/websocket-client.html) web app to generate client events. If you've configured to send system event `connected` to that event hub, you should be able to see a printed `connected` event in the Event Hubs consumer client after connecting to Web PubSub service successfully. You can also generate a user event with the app.
+ :::image type="content" source="media/howto-develop-event-listener/eventhub-consumer-connected-event.png" alt-text="Screenshot of a printed connected event in the Event Hubs consumer client app":::
+ :::image type="content" source="media/howto-develop-event-listener/web-pubsub-client-specify-event-name.png" alt-text="The area of the WebSocket client app to generate a user event":::
+
+## Next steps
+
+In this article, you learned how event listeners work and how to configure an event listener with an event hub endpoint. To learn the data format sent to Event Hubs, read the following specification.
+
+> [!div class="nextstepaction"]
+> [Specification: CloudEvents AMQP extension for Azure Web PubSub](./reference-cloud-events-amqp.md)
+<!--TODO: Add demo-->
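Review bot: the Event Hubs consumer demo link in "Test your configuration" contains a second scheme and host inside its path (`.../eventhub-consumer/https://docsupdatetracker.net/index.html`), which cannot be a valid URL; check the intended target. Since that step asks readers to paste an Event Hubs connection string into a web app that only consumes events, the text should tell them to use a shared access policy with only the Listen claim, scoped to that specific event hub rather than the namespace root key, matching the least-privilege approach the article already takes by granting the service only `Azure Event Hubs Data sender`. Smaller points: the role name is written "Data sender" in the heading and steps list but "Data Sender" in step 3; "select **...** on right side will navigate to the same editing page" needs rewording, for example "selecting **...** on the right opens the same editing page"; and the trailing `<!--TODO: Add demo-->` comment is stale now that the demo section exists.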
azure-web-pubsub Reference Cloud Events Amqp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/reference-cloud-events-amqp.md
+
+ Title: Reference - CloudEvents extension for Azure Web PubSub event listener with AMQP protocol
+description: The reference defines CloudEvents extensions for Azure Web PubSub event listener with AMQP protocol.
++++ Last updated : 09/30/2022++
+# CloudEvents extension for Azure Web PubSub event listener with AMQP protocol
+
+The Azure Web PubSub Service describes client events as [CloudEvents](https://github.com/cloudevents/spec/tree/v1.0.2). CloudEvents is a specification for describing event data in common formats to provide interoperability across services, platforms and systems.
+
+The event listeners of the service listen to client events. Event Hubs is currently the only supported event listener endpoint, whose primary protocol is AMQP ([Advanced Message Queueing Protocol](http://docs.oasis-open.org/amqp/core/v1.0/amqp-core-overview-v1.0.html)). The Web PubSub service uses [CloudEvents AMQP protocol binding](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/bindings/amqp-protocol-binding.md) to map CloudEvents to AMQP messages.
+
+The data sent from service to server is always in CloudEvents `binary` format.
+
+## Web PubSub CloudEvents attribute extension
+
+<a name="extension"></a>
+
+This extension defines the attributes used by Web PubSub for each event it produces.
+
+The following table contains attributes mapping to the [standard properties](http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-messaging-v1.0-os.html#type-properties) section of an AMQP message.
+
+| Name | Description | Example |
+| -- | -- | -- |
+| `content-type` | The RFC-2046 MIME type for the message's body | application/json
+| `message-id` | Uniquely defines a message in a Web PubSub service, in the format of "{connection-id}/{an integer generated by service}" | 0bd83792-2a0c-48d3-9fbd-df63aa2ed9db/1
+
+The following table contains all the CloudEvents attributes mapping to the [application properties](http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-messaging-v1.0-os.html#type-application-properties) section of an AMQP message. Each attribute name is prefixed with `cloudEvents:`.
+
+| Name | Description | Example |
+| -- | -- | -- |
+| `specversion` | Cloud events specification version, is always 1.0 | 1.0 |
+| `source` | Indicates the hub and the connection ID where the event comes from, in the format "/hubs/{hub}/client/{connectionId}" | /hubs/chat/client/0bd83792-2a0c-48d3-9fbd-df63aa2ed9db |
+| `id` | An integer generated by the service, unique in the events from the same client connection | 1 |
+| `awpsversion` | Cloud events Azure Web PubSub specification version, is always 1.0 | 1.0 |
+| `hub` | The hub name where the event comes from | chat |
+| `eventname` | The name of the event | connected |
+| `type` | The event type | azure.webpubsub.sys.connect |
+| `connectionid` | The ID of the client connection | 0bd83792-2a0c-48d3-9fbd-df63aa2ed9db |
+| `time` | The time when the service send the event, in the format "yyyy-MM-ddTHH:mm:ssZ" | 2021-01-01T00:00:00Z |
+| `userid`\* | The ID of user | user1 |
+| `subprotocol`\* | The subprotocol name | json.webpubsub.azure.v1 |
+| `connectionstate`\* | Defines the state for the connection. You can reset the value in the response header of event handlers. For more information about connection state, see [Web PubSub CloudEvents attributes](./reference-cloud-events.md#attributes). | anystring |
+
+The "\*" following the attribute name indicates the attribute is present only when the value isn't null or empty.
+
+## Events
+<a name="events"></a>
+
+This section shows the AMQP message body with the attribute values that depend on a specific client event type. Attribute values that don't depend on a client event type are omitted.
+
+- System `connect` event: Not supported by event listeners.
+- [System `connected` event](#connected)
+- [System `disconnected` event](#disconnected)
+- [User events `message` for the simple WebSocket clients](#message)
+- [User custom event `{custom_event}` for PubSub WebSocket clients](#custom_event)
+
+### System `connected` event
+
+<a name="connected"></a>
+
+- `content-type`: `application/json`
+- `cloudEvents:type`: `azure.webpubsub.sys.connected`
+- `cloudEvents:eventname`: `connected`
+
+The message body is always empty JSON.
+
+```json
+{}
+```
+
+### System `disconnected` event
+
+<a name="disconnected"></a>
+
+- `content-type`: `application/json`
+- `cloudEvents:type`: `azure.webpubsub.sys.disconnected`
+- `cloudEvents:eventname`: `disconnected`
+
+The message body contains the reason the client disconnected.
+
+```json
+{"reason":"{Reason}"}
+```
+
+### User events `message` for the simple WebSocket clients
+
+<a name="message"></a>
+
+- `content-type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
+- `cloudEvents:type`: `azure.webpubsub.user.message`
+
+Message body is what the client sends.
+
+### User custom event `{custom_event}` for PubSub WebSocket clients
+<a name="custom_event"></a>
+
+- `content-type`: `application/octet-stream` for binary frame; `application/json` for JSON frame; `text/plain` for text frame; `application/x-protobuf` for Protobuf frame;
+- `cloudEvents:type`: `azure.webpubsub.user.<event_name>`
+
+The following cases show how to send events with different data content types and the received AMQP message bodies.
+
+#### Case 1: send event with text data:
+
+```json
+{
+ "type": "event",
+ "event": "<event_name>",
+ "dataType": "text",
+ "data": "text data"
+}
+```
+
+Received AMQP message body:
+
+```
+text data
+```
+
+#### Case 2: send event with JSON data:
+
+```json
+{
+ "type": "event",
+ "event": "<event_name>",
+ "dataType": "json",
+ "data": {
+ "hello": "world"
+ }
+}
+```
+
+Received AMQP message body:
+
+```
+{
+ "hello": "world"
+}
+```
+
+#### Case 3: send event with binary data:
+
+```json
+{
+ "type": "event",
+ "event": "<event_name>",
+ "dataType": "binary",
+ "data": "aGVsbG8gd29ybGQ=" // base64 encoded binary
+}
+```
+
+Received AMQP message body:
+
+```
+<binary data>
+```
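Review bot: the example value for `type` in the application-properties table is `azure.webpubsub.sys.connect`, but the `eventname` example in the same table is `connected`, the Events section states that the `connect` event is not supported by event listeners, and the `connected` section gives `azure.webpubsub.sys.connected`; the example should be `azure.webpubsub.sys.connected`. Other points: both rows of the standard-properties table lack the closing `|`; "The time when the service send the event" should be "sends"; the Case 3 block is fenced as `json` but contains a `// base64 encoded binary` comment, which is not valid JSON, so move that remark into the prose; and the trailing semicolons at the end of the `content-type` bullets should be dropped.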
azure-web-pubsub Reference Cloud Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/reference-cloud-events.md
Title: Reference - CloudEvents extension for Azure Web PubSub
-description: The reference describes CloudEvents extension defined for Azure Web PubSub service
+ Title: Reference - CloudEvents extension for Azure Web PubSub event handler with HTTP protocol
+description: The reference describes CloudEvents extensions for Azure Web PubSub event handler with HTTP protocol.
-+ Last updated 11/08/2021
-# CloudEvents extension for Azure Web PubSub
+# CloudEvents extension for Azure Web PubSub event handler with HTTP protocol
-Service delivers client events to the upstream webhook using the [CloudEvents HTTP protocol](https://github.com/cloudevents/spec/blob/v1.0.1/http-protocol-binding.md).
+The Web PubSub service delivers client events to the upstream webhook using the [CloudEvents HTTP protocol binding](https://github.com/cloudevents/spec/blob/v1.0.1/http-protocol-binding.md).
-The data sending from service to server is always in CloudEvents `binary` format.
+The data sent from the Web PubSub service to the server is always in CloudEvents `binary` format.
- [Webhook Validation](#protection) - [Web PubSub CloudEvents Attribute Extension](#extension)
ce-eventName: connect
* Status code: * `204`: Success, with no content. * `200`: Success, the content SHOULD be a JSON format, with following properties allowed:
-* Header `ce-connectionState`: If this header exists, the connection state of this connection will be updated to the value of the header. Please note that only *blocking* events can update the connection state. The below sample uses base64 encoded JSON string to store complex state for the connection.
-*
+* Header `ce-connectionState`: If this header exists, the connection state of this connection will be updated to the value of the header. Please note that only *blocking* events can update the connection state. The below sample uses base64 encoded JSON string to store the complex state for the connection.
+*
```HTTP HTTP/1.1 200 OK ce-connectionState: eyJrZXkiOiJhIn0=
ce-connectionState: eyJrZXkiOiJhIn0=
* `userId`: `{auth-ed user ID}`
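Review bot: the added lines keep an empty `*` bullet after the `ce-connectionState` item (the `+*` line), which renders as a blank list item; drop it. "base64 encoded JSON string" should be hyphenated as "base64-encoded JSON string", and the same sentence appears again verbatim under the `message` response section, so consider stating the connection-state rule once and linking to it from the other events.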
- As the service allows anonymous connections, it's the `connect` event's responsibility to tell the service the user ID of the client connection. The Service will read the user ID from the response payload `userId` if it exists. The connection will be dropped if user ID cannot be read from the request claims nor the `connect` event's response payload.
+ As the service allows anonymous connections, it's the `connect` event's responsibility to tell the service the user ID of the client connection. The service will read the user ID from the response payload `userId` if it exists. The connection will be dropped if the user ID cannot be read from the request claims nor the `connect` event's response payload.
<a name="connect_response_header_group"></a>
-
+ * `groups`: `{groups to join}` The property provides a convenient way for user to add this connection to one or multiple groups. In this way, there's no need to have another call to add this connection to some group. * `roles`: `{roles the client has}`
-
- The property provides a way for the upstream to authorize the client. Different roles define different initial permissions the client has, it can be useful when the client is a PubSub WebSocket client. Details about the permissions are described in [Client permissions](./concept-client-protocols.md#permissions).
+
+ The property provides a way for the upstream Webhook to authorize the client. There are different roles to grant initial permissions for PubSub WebSocket clients. Details about the permissions are described in [Client permissions](./concept-client-protocols.md#permissions).
#### Error response format:
HTTP/1.1 200 OK
The service invokes the event handler upstream for every WebSocket message frame. * `ce-type`: `azure.webpubsub.user.message`
-* `Content-Type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
+* `Content-Type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
UserPayload is what the client sends.
UserPayload
* Status code * `204`: Success, with no content. * `200`: Success, the format of the `UserResponsePayload` depends on the `Content-Type` of the response.
-* `Content-Type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
-* Header `Content-Type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
+* `Content-Type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
+* Header `Content-Type`: `application/octet-stream` for binary frame; `text/plain` for text frame;
* Header `ce-connectionState`: If this header exists, the connection state of this connection will be updated to the value of the header. Please note that only *blocking* events can update the connection state. The below sample uses base64 encoded JSON string to store complex state for the connection.
-When the `Content-Type` is `application/octet-stream`, the service sends `UserResponsePayload` to the client using `binary` WebSocket frame. When the `Content-Type` is `text/plain`, the service sends `UserResponsePayload` to the client using `text` WebSocket frame.
+When the `Content-Type` is `application/octet-stream`, the service sends `UserResponsePayload` to the client using `binary` WebSocket frame. When the `Content-Type` is `text/plain`, the service sends `UserResponsePayload` to the client using `text` WebSocket frame.
```HTTP HTTP/1.1 200 OK
text data
"dataType" : "json", "data": { "hello": "world"
- },
+ },
} ```
UserResponsePayload
``` * Status code * `204`: Success, with no content.
- * `200`: Success, data sending to the PubSub WebSocket client depends on the `Content-Type`;
-* Header `ce-connectionState`: If this header exists, the connection state of this connection will be updated to the value of the header. Please note that only *blocking* events can update the connection state. The below sample uses base64 encoded JSON string to store complex state for the connection.
+ * `200`: Success, data sending to the PubSub WebSocket client depends on the `Content-Type`;
+* Header `ce-connectionState`: If this header exists, the connection state of this connection will be updated to the value of the header. Please note that only *blocking* events can update the connection state. The below sample uses base64 encoded JSON string to store the complex state for the connection.
* When Header `Content-Type` is `application/octet-stream`, the service sends `UserResponsePayload` back to the client using `dataType` as `binary` with payload base64 encoded. A sample response: ```json {
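Review bot: the `Content-Type` bullet under the response status codes is re-added twice in the `+` lines (once as "* `Content-Type`: ..." and once as "* Header `Content-Type`: ..." with identical text); keep one of them. In the `200` bullet for the PubSub WebSocket client, "data sending to the PubSub WebSocket client depends on the `Content-Type`" should read "the data sent to the PubSub WebSocket client depends on the `Content-Type`", and "Please note that" can be "Note that" in both `ce-connectionState` bullets. Since those bullets present base64-encoded JSON as the way to carry complex connection state, it would help to add that base64 is an encoding, not a protection, so the upstream should not place secrets in the state without protecting them itself, and to state any size limit that applies to the header value if one exists.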
backup Backup Azure Restore Files From Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-restore-files-from-vm.md
Title: Recover files and folders from Azure VM backup description: In this article, learn how to recover files and folders from an Azure virtual machine recovery point.- Previously updated : 02/22/2022+ Last updated : 11/04/2022 +++ # Recover files from Azure virtual machine backup
The following table shows the compatibility between server and computer operatin
|Server OS | Compatible client OS | | | - |
+| Windows Server 2022 | Windows 11 and Windows 10 |
| Windows Server 2019 | Windows 10 | | Windows Server 2016 | Windows 10 | | Windows Server 2012 R2 | Windows 8.1 |
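Review bot: the new `Windows Server 2022 | Windows 11 and Windows 10` row lists two compatible client operating systems while every other row lists exactly one, and the `Windows Server 2019` and `Windows Server 2016` rows still say `Windows 10` only. If Windows 11 is also a compatible client for recovery points from those server releases, update those rows as well; if it is not, say so explicitly below the table, because readers will otherwise assume the omission is an oversight. The header cell "Compatible client OS" could also become "Compatible client OS(s)" or the column could use one OS per line to keep the layout uniform.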
backup Backup Support Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-support-automation.md
Title: Automation in Azure Backup support matrix description: This article summarizes automation tasks related to Azure Backup support. Previously updated : 12/24/2021 Last updated : 11/04/2022
You can automate most backup related tasks using programmatic methods in Azure
| **Category** | **Operation** | **PowerShell** | **CLI** | **REST API** | **Azure Policy** | **ARM Template** | **Bicep** | **Terraform** | | | | | | | | | | |
-| Backup | Create backup policy and configure backup | Supported | Supported | Supported | Currently not here | Supported | Supported | Supported <br><br> [See the examples](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_instance_postgresql). |
-| Backup | Run on-demand backup | Supported | Supported | Supported | N/A | N/A | N/A | N/A |
-| Restore | Restore database on target storage account | Supported | Supported | Supported | N/A | N/A | N/A | N/A |
+| Backup | Create backup policy and configure backup | Supported <br><br> [See the examples](backup-postgresql-ps.md). | Supported <br><br> [See the examples](backup-postgresql-cli.md). | Supported <br><br> [See the examples](backup-azure-data-protection-use-rest-api-backup-postgresql.md). | Currently not here | Supported | Supported | Supported <br><br> [See the examples](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_instance_postgresql). |
+| Backup | Run on-demand backup | Supported <br><br> [See the examples](backup-postgresql-ps.md). | Supported <br><br> [See the examples](backup-postgresql-cli.md). | Supported <br><br> [See the examples](backup-azure-data-protection-use-rest-api-backup-postgresql.md). | N/A | N/A | N/A | N/A |
+| Restore | Restore database on target storage account | Supported <br><br> [See the examples](restore-postgresql-database-ps.md). | Supported <br><br> [See the examples](restore-postgresql-database-cli.md). | Supported <br><br> [See the examples](restore-postgresql-database-use-rest-api.md) | N/A | N/A | N/A | N/A |
| Manage | Modify backup policy | Supported | Supported | Supported | N/A | N/A | N/A | N/A | | Manage | Stop protection and delete data | Supported | Supported | Supported | N/A | N/A | N/A | N/A | | Manage | Stop protection and retain data | Supported | Supported | Supported | N/A | N/A | N/A | N/A |
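Review bot: the Azure Policy column for "Create backup policy and configure backup" keeps the wording "Currently not here" in the rewritten row; that phrase does not tell the reader whether the operation is unsupported through Azure Policy or merely undocumented, so replace it with "Not supported" or "Not yet available" to match the "N/A" convention used in the other cells. Minor: the REST API link in the restore row ("[See the examples](restore-postgresql-database-use-rest-api.md)") lacks the trailing period that the other "See the examples" cells have.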
backup Backup Support Matrix Iaas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-support-matrix-iaas.md
Title: Support matrix for Azure VM backup description: Provides a summary of support settings and limitations when backing up Azure VMs with the Azure Backup service. Previously updated : 11/01/2022 Last updated : 11/04/2022
The following table summarizes the supported operating systems when backing up A
**Scenario** | **OS support** |
-Back up with Azure VM agent extension | - Windows 10 Client (64 bit only) <br/><br/>- Windows Server 2022 (Datacenter/Datacenter Core/Standard) <br/><br/>- Windows Server 2019 (Datacenter/Datacenter Core/Standard) <br/><br/> - Windows Server 2016 (Datacenter/Datacenter Core/Standard) <br/><br/> - Windows Server 2012 R2 (Datacenter/Standard) <br/><br/> - Windows Server 2012 (Datacenter/Standard) <br/><br/> - Windows Server 2008 R2 (RTM and SP1 Standard) <br/><br/> - Windows Server 2008 (64 bit only)
+Back up with Azure VM agent extension | - Windows 11 Client (64 bit only) <br/><br/> - Windows 10 Client (64 bit only) <br/><br/>- Windows Server 2022 (Datacenter/Datacenter Core/Standard) <br/><br/>- Windows Server 2019 (Datacenter/Datacenter Core/Standard) <br/><br/> - Windows Server 2016 (Datacenter/Datacenter Core/Standard) <br/><br/> - Windows Server 2012 R2 (Datacenter/Standard) <br/><br/> - Windows Server 2012 (Datacenter/Standard) <br/><br/> - Windows Server 2008 R2 (RTM and SP1 Standard) <br/><br/> - Windows Server 2008 (64 bit only)
Back up with MARS agent | [Supported](backup-support-matrix-mars-agent.md#supported-operating-systems) operating systems. Back up with DPM/MABS | Supported operating systems for backup with [MABS](backup-mabs-protection-matrix.md) and [DPM](/system-center/dpm/dpm-protection-matrix).
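Review bot: the added "Windows 11 Client (64 bit only)" entry carries a qualifier that only makes sense for Windows 10, since Windows 11 ships exclusively as 64-bit; keeping "(64 bit only)" on the Windows 11 line suggests a 32-bit edition exists that is excluded. Drop the qualifier for Windows 11 (and hyphenate "64-bit" in the entries that keep it).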
backup Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/policy-reference.md
Title: Built-in policy definitions for Azure Backup description: Lists Azure Policy built-in policy definitions for Azure Backup. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
backup Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
batch Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/policy-reference.md
Title: Built-in policy definitions for Azure Batch description: Lists Azure Policy built-in policy definitions for Azure Batch. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
batch Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-msrc-releases.md
na Previously updated : 10/18/2022 Last updated : 11/4/2022
The following tables show the Microsoft Security Response Center (MSRC) updates
## October 2022 Guest OS
->[!NOTE]
-
->The October Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the October Guest OS. This list is subject to change.
-
-| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
-| | | | | |
-| Rel 22-10 | [5020438] | Latest Cumulative Update(LCU) | 6.50 | Oct 17, 2022 |
-| Rel 22-10 | [5018413] | IE Cumulative Updates | 2.130, 3.117, 4.110 | Oct 11, 2022 |
-| Rel 22-10 | [5020436] | Latest Cumulative Update(LCU) | 7.18 | Oct 17, 2022 |
-| Rel 22-10 | [5020439] | Latest Cumulative Update(LCU) | 5.74 | Aug 9, 2022 |
-| Rel 22-10 | [5013637] | .NET Framework 3.5 Security and Quality Rollup LKG | 2.130 | Oct 11, 2022 |
-| Rel 22-10 | [5013644] | .NET Framework 4.6.2 Security and Quality Rollup LKG | 2.130 | May 10, 2022 |
-| Rel 22-10 | [5013638] | .NET Framework 3.5 Security and Quality Rollup LKG | 4.110 | Jun 14, 2022 |
-| Rel 22-10 | [5013643] | .NET Framework 4.6.2 Security and Quality Rollup LKG | 4.110 | May 10, 2022 |
-| Rel 22-10 | [5013635] | .NET Framework 3.5 Security and Quality Rollup LKG | 3.117 | Oct 11, 2022 |
-| Rel 22-10 | [5013642] | .NET Framework 4.6.2 Security and Quality Rollup LKG | 3.117 | May 10, 2022 |
-| Rel 22-10 | [5013641] | . NET Framework 3.5 and 4.7.2 Cumulative Update LKG | 6.50 | May 10, 2022 |
-| Rel 22-10 | [5013626] | .NET Framework 4.8 Security and Quality Rollup LKG | 6.50 | May 10, 2022 |
-| Rel 22-10 | [5017028] | .NET Framework 4.8 Security and Quality Rollup LKG | 7.18 | Sep 13, 2022 |
-| Rel 22-10 | [5018454] | Monthly Rollup | 2.130 | Oct 11, 2022 |
-| Rel 22-10 | [5020448] | OOB Monthly Rollup | 2.130 | Oct 17, 2022 |
-| Rel 22-10 | [5018457] | Monthly Rollup | 3.117 | Oct 11, 2022 |
-| Rel 22-10 | [5020449] | OOB Monthly Rollup | 3.117 | Oct 17, 2022 |
-| Rel 22-10 | [5018474] | Monthly Rollup | 4.110 | Oct 11, 2022 |
-| Rel 22-10 | [5020447] | OOB Monthly Rollup | 4.110 | Oct 17, 2020 |
-| Rel 22-10 | [5016263] | Servicing Stack update | 3.117 | Jul 12, 2022 |
-| Rel 22-10 | [5018922] | Servicing Stack update | 4.110 | Oct 11, 2022 |
-| Rel 22-10 | [4578013] | OOB Standalone Security update | 4.110 | Aug 19, 2020 |
-| Rel 22-10 | [5017396] | Servicing Stack update | 5.74 | Sep 13, 2022 |
-| Rel 22-10 | [5017397] | Servicing Stack update | 2.130 | Sep 13, 2022 |
-| Rel 22-10 | [4494175] | Microcode | 5.74 | Sep 1, 2020 |
-| Rel 22-10 | [4494174] | Microcode | 6.50 | Sep 1, 2020 |
+
+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
+| | | | | |
+| Rel 22-10 | [5020438] | Latest Cumulative Update(LCU) | [6.50] | Oct 17, 2022 |
+| Rel 22-10 | [5018413] | IE Cumulative Updates | [2.130], [3.117], [4.110] | Oct 11, 2022 |
+| Rel 22-10 | [5020436] | Latest Cumulative Update(LCU) | [7.18] | Oct 17, 2022 |
+| Rel 22-10 | [5020439] | Latest Cumulative Update(LCU) | [5.74] | Aug 9, 2022 |
+| Rel 22-10 | [5013637] | .NET Framework 3.5 Security and Quality Rollup LKG | [2.130] | Oct 11, 2022 |
+| Rel 22-10 | [5013644] | .NET Framework 4.6.2 Security and Quality Rollup LKG | [2.130] | May 10, 2022 |
+| Rel 22-10 | [5013638] | .NET Framework 3.5 Security and Quality Rollup LKG | [4.110] | Jun 14, 2022 |
+| Rel 22-10 | [5013643] | .NET Framework 4.6.2 Security and Quality Rollup LKG | [4.110] | May 10, 2022 |
+| Rel 22-10 | [5013635] | .NET Framework 3.5 Security and Quality Rollup LKG | [3.117] | Oct 11, 2022 |
+| Rel 22-10 | [5013642] | .NET Framework 4.6.2 Security and Quality Rollup LKG | [3.117] | May 10, 2022 |
+| Rel 22-10 | [5013641] | . NET Framework 3.5 and 4.7.2 Cumulative Update LKG | [6.50] | May 10, 2022 |
+| Rel 22-10 | [5013626] | .NET Framework 4.8 Security and Quality Rollup LKG | [6.50] | May 10, 2022 |
+| Rel 22-10 | [5017028] | .NET Framework 4.8 Security and Quality Rollup LKG | [7.18] | Sep 13, 2022 |
+| Rel 22-10 | [5018454] | Monthly Rollup | [2.130] | Oct 11, 2022 |
+| Rel 22-10 | [5020448] | OOB Monthly Rollup | [2.130] | Oct 17, 2022 |
+| Rel 22-10 | [5018457] | Monthly Rollup | [3.117] | Oct 11, 2022 |
+| Rel 22-10 | [5020449] | OOB Monthly Rollup | [3.117] | Oct 17, 2022 |
+| Rel 22-10 | [5018474] | Monthly Rollup | [4.110] | Oct 11, 2022 |
+| Rel 22-10 | [5020447] | OOB Monthly Rollup | [4.110] | Oct 17, 2020 |
+| Rel 22-10 | [5016263] | Servicing Stack update | [3.117] | Jul 12, 2022 |
+| Rel 22-10 | [5018922] | Servicing Stack update | [4.110] | Oct 11, 2022 |
+| Rel 22-10 | [4578013] | OOB Standalone Security update | [4.110] | Aug 19, 2020 |
+| Rel 22-10 | [5017396] | Servicing Stack update | [5.74] | Sep 13, 2022 |
+| Rel 22-10 | [5017397] | Servicing Stack update | [2.130] | Sep 13, 2022 |
+| Rel 22-10 | [4494175] | Microcode | [5.74] | Sep 1, 2020 |
+| Rel 22-10 | [4494174] | Microcode | [6.50] | Sep 1, 2020 |
[5020438]: https://support.microsoft.com/kb/5020438 [5018413]: https://support.microsoft.com/kb/5018413
The following tables show the Microsoft Security Response Center (MSRC) updates
[5017397]: https://support.microsoft.com/kb/5017397 [4494175]: https://support.microsoft.com/kb/4494175 [4494174]: https://support.microsoft.com/kb/4494174
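Review bot: the re-added row for [5020447] (OOB Monthly Rollup, 4.110) still says "Oct 17, 2020" in the Date First Introduced column; the two sibling OOB rollups [5020448] and [5020449] are dated Oct 17, 2022 and the row belongs to Rel 22-10, so this is a carried-over typo that should be fixed while the table is being rewritten. Two more items in the same table: the [5013641] row has a stray space in ". NET Framework 3.5 and 4.7.2", and the [5020439] LCU row is dated "Aug 9, 2022" while the other 50204xx cumulative updates are dated Oct 17, 2022, so please verify that date against the KB article. Removing the "currently being rolled out ... subject to change" note is consistent with the November 4 release entry in this batch, but the section now opens directly with the table, so a one-line statement that the October Guest OS is available for manual updates would preserve the information the note carried.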
+[2.130]: ./cloud-services-guestos-update-matrix.md#family-2-releases
+[3.117]: ./cloud-services-guestos-update-matrix.md#family-3-releases
+[4.110]: ./cloud-services-guestos-update-matrix.md#family-4-releases
+[5.74]: ./cloud-services-guestos-update-matrix.md#family-5-releases
+[6.50]: ./cloud-services-guestos-update-matrix.md#family-6-releases
+[7.18]: ./cloud-services-guestos-update-matrix.md#family-7-releases
## September 2022 Guest OS
cloud-services Cloud Services Guestos Update Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-update-matrix.md
na Previously updated : 9/29/2022 Last updated : 11/4/2022 # Azure Guest OS releases and SDK compatibility matrix
Unsure about how to update your Guest OS? Check [this][cloud updates] out.
## News updates
+###### **November 4, 2022**
+The October Guest OS has released.
+ ###### **September 29, 2022** The September Guest OS has released.
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
-| WA-GUEST-OS-7.16_202209-01 | September 29, 2022 | Post 7.18 |
-| WA-GUEST-OS-7.15_202208-01 | September 2, 2022 | Post 7.17 |
+| WA-GUEST-OS-7.18_202210-02 | November 4, 2022 | Post 7.20 |
+| WA-GUEST-OS-7.16_202209-01 | September 29, 2022 | Post 7.19 |
+|~~WA-GUEST-OS-7.15_202208-01~~| September 2, 2022 | November 4, 2022 |
|~~WA-GUEST-OS-7.14_202207-01~~| August 3, 2022 | September 29, 2022 | |~~WA-GUEST-OS-7.13_202206-01~~| July 11, 2022 | September 2, 2022 | |~~WA-GUEST-OS-7.12_202205-01~~| May 26, 2022 | August 3, 2022 |
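Review bot: the new disable dates "Post 7.20" for 7.18 and "Post 7.19" for 7.16 follow the existing convention of naming a release two versions ahead, but this table shows why that convention misleads when a version number is skipped: 7.15 was listed as "Post 7.17", no 7.17 row ever appeared, and 7.15 is now struck through with a disable date of November 4, 2022, the release date of 7.18. Consider stating the rule in words (for example, "disabled when the second subsequent Guest OS release ships") rather than naming a version that may never exist; the same applies to the matching rows in the five family tables that follow.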
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
-| WA-GUEST-OS-6.48_202209-01 | September 29, 2022 | Post 6.50 |
-| WA-GUEST-OS-6.47_202208-01 | September 2, 2022 | Post 6.49 |
+| WA-GUEST-OS-6.50_202210-02 | November 4, 2022 | Post 6.52 |
+| WA-GUEST-OS-6.48_202209-01 | September 29, 2022 | Post 6.51 |
+|~~WA-GUEST-OS-6.47_202208-01~~| September 2, 2022 | November 4, 2022 |
|~~WA-GUEST-OS-6.46_202207-01~~| August 3, 2022 | September 29, 2022 | |~~WA-GUEST-OS-6.45_202206-01~~| July 11, 2022 | September 2, 2022 | |~~WA-GUEST-OS-6.44_202205-01~~| May 26, 2022 | August 3, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
-| WA-GUEST-OS-5.72_202209-01 | September 29, 2022 | Post 5.74 |
-| WA-GUEST-OS-5.71_202208-01 | September 2, 2022 | Post 5.73 |
+| WA-GUEST-OS-5.74_202210-02 | November 4, 2022 | Post 5.76 |
+| WA-GUEST-OS-5.72_202209-01 | September 29, 2022 | Post 5.75 |
+|~~WA-GUEST-OS-5.71_202208-01~~| September 2, 2022 | November 4, 2022 |
|~~WA-GUEST-OS-5.70_202207-01~~| August 3, 2022 | September 29, 2022 | |~~WA-GUEST-OS-5.69_202206-01~~| July 11, 2022 | September 2, 2022 | |~~WA-GUEST-OS-5.68_202205-01~~| May 26, 2022 | August 3, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
-| WA-GUEST-OS-4.108_202209-01 | September 29, 2022 | Post 4.110 |
-| WA-GUEST-OS-4.107_202208-01 | September 2, 2022 | Post 4.109 |
+| WA-GUEST-OS-4.110_202210-02 | November 4, 2022 | Post 4.112 |
+| WA-GUEST-OS-4.108_202209-01 | September 29, 2022 | Post 4.111 |
+|~~WA-GUEST-OS-4.107_202208-01~~| September 2, 2022 | November 4, 2022 |
|~~WA-GUEST-OS-4.106_202207-02~~| August 3, 2022 | September 29, 2022 | |~~WA-GUEST-OS-4.105_202206-02~~| July 11, 2022 | September 2, 2022 | |~~WA-GUEST-OS-4.103_202205-01~~| May 26, 2022 | August 2, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
-| WA-GUEST-OS-3.115_202209-01 | September 29, 2022 | Post 3.117 |
-| WA-GUEST-OS-3.114_202208-01 | September 2, 2022 | Post 3.116 |
+| WA-GUEST-OS-3.117_202210-02 | November 4, 2022 | Post 3.119 |
+| WA-GUEST-OS-3.115_202209-01 | September 29, 2022 | Post 3.118 |
+|~~WA-GUEST-OS-3.114_202208-01~~| September 2, 2022 | November 4, 2022 |
|~~WA-GUEST-OS-3.113_202207-02~~| August 3, 2022 | September 29, 2022 | |~~WA-GUEST-OS-3.112_202206-02~~| July 11, 2022 | September 2, 2022 | |~~WA-GUEST-OS-3.110_202205-01~~| May 26, 2022 | August 3, 2022 |
The September Guest OS has released.
| Configuration string | Release date | Disable date | | | | |
-| WA-GUEST-OS-2.128_202209-01 | September 29, 2022 | Post 2.130 |
-| WA-GUEST-OS-2.127_202208-01 | September 2, 2022 | Post 2.129 |
+| WA-GUEST-OS-2.130_202210-02 | November 4, 2022 | Post 2.132 |
+| WA-GUEST-OS-2.128_202209-01 | September 29, 2022 | Post 2.131 |
+|~~WA-GUEST-OS-2.127_202208-01~~| September 2, 2022 | November 4, 2022 |
|~~WA-GUEST-OS-2.126_202207-02~~| August 3, 2022 | September 29, 2022 | |~~WA-GUEST-OS-2.125_202206-02~~| July 11, 2022 | September 2, 2022 | |~~WA-GUEST-OS-2.123_202205-01~~| May 26, 2022 | August 3, 2022 |
cognitive-services Beginners Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/beginners-guide.md
+
+ Title: Custom Translator for beginners
+
+description: A user guide for understanding the end-to-end customized machine translation process.
+++++ Last updated : 11/04/2022++
+# Custom Translator for beginners
+
+ [Custom Translator](overview.md) enables you to a build translation system that reflects your business, industry, and domain-specific terminology and style. Training and deploying a custom system is easy and doesn't require any programming skills. The customized translation system seamlessly integrates into your existing applications, workflows, and websites and is available on Azure through the same cloud-based [Microsoft Text Translator API](../reference/v3-0-translate.md?tabs=curl) service that powers billions of translations every day.
+
+The platform enables users to build and publish custom translation systems to and from English. The Custom Translator supports more than 60 languages that map directly to the languages available for NMT. For a complete list, *see* [Translator language support](../language-support.md).
+
+## Is a custom translation model the right choice for me?
+
+A well-trained custom translation model provides more accurate domain-specific translations because it relies on previously translated in-domain documents to learn preferred translations. Translator uses these terms and phrases in context to produce fluent translations in the target language while respecting context-dependent grammar.
+
+Training a full custom translation model requires a substantial amount of data. If you don't have at least 10,000 sentences of previously trained documents, you won't be able to train a full-language translation model. However, you can either train a dictionary-only model or use the high-quality, out-of-the-box translations available with the Text Translator API.
++
+## What does training a custom translation model involve?
+
+Building a custom translation model requires:
+
+* Understanding your use-case.
+
+* Obtaining in-domain translated data (preferably human translated).
+
+* The ability to assess translation quality or target language translations.
+
+## How do I evaluate my use-case?
+
+Having clarity on your use-case and what success looks like is the first step towards sourcing proficient training data. Here are a few considerations:
+
+* What is your desired outcome and how will you measure it?
+
+* What is your business domain?
+
+* Do you have in-domain sentences of similar terminology and style?
+
+* Does your use-case involve multiple domains? If yes, should you build one translation system or multiple systems?
+
+* Do you have requirements impacting regional data residency at-rest and in-transit?
+
+* Are the target users in one or multiple regions?
+
+## How should I source my data?
+
+Finding in-domain quality data is often a challenging task that varies based on user classification. Here are some questions you can ask yourself as you evaluate what data may be available to you:
+
+* Enterprises often have a wealth of translation data that has accumulated over many years of using human translation. Does your company have previous translation data available that you can use?
+
+* Do you have a vast amount of monolingual data? Monolingual data is data in only one language. If so, can you get translations for this data?
+
+* Can you crawl online portals to collect source sentences and synthesize target sentences?
+
+## What should I use for training material?
+
+| Source | What it does | Rules to follow |
+||||
+| Bilingual training documents | Teaches the system your terminology and style. | **Be liberal**. Any in-domain human translation is better than machine translation. Add and remove documents as you go and try to improve the [BLEU score](concepts/bleu-score.md?WT.mc_id=aiml-43548-heboelma). |
+| Tuning documents | Trains the Neural Machine Translation parameters. | **Be strict**. Compose them to be optimally representative of what you are going to translation in the future. |
+| Test documents | Calculate the [BLEU score](concepts/bleu-score.md?WT.mc_id=aiml-43548-heboelma).| **Be strict**. Compose test documents to be optimally representative of what you plan to translate in the future. |
+| Phrase dictionary | Forces the given translation 100% of the time. | **Be restrictive**. A phrase dictionary is case-sensitive and any word or phrase listed is translated in the way you specify. In many cases, it's better to not use a phrase dictionary and let the system learn. |
+| Sentence dictionary | Forces the given translation 100% of the time. | **Be strict**. A sentence dictionary is case-insensitive and good for common in domain short sentences. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If only a portion of the sentence matches, the entry won't match. |
+
+## What is a BLEU score?
+
+BLEU (Bilingual Evaluation Understudy) is an algorithm for evaluating the precision or accuracy of text that has been machine translated from one language to another. Custom Translator uses the BLEU metric as one way of conveying translation accuracy.
+
+A BLEU score is a number between zero and 100. A score of zero indicates a low quality translation where nothing in the translation matched the reference. A score of 100 indicates a perfect translation that is identical to the reference. It's not necessary to attain a score of 100 - a BLEU score between 40 and 60 indicates a high-quality translation.
+
+[Read more](concepts/bleu-score.md?WT.mc_id=aiml-43548-heboelma)
+
+## What happens if I don't submit tuning or testing data?
+
+Tuning and test sentences are optimally representative of what you plan to translate in the future. If you don't submit any tuning or testing data, Custom Translator will automatically exclude sentences from your training documents to use as tuning and test data.
+
+| System-generated | Manual-selection |
+|||
+| Convenient. | Enables fine-tuning for your future needs.|
+| Good, if you know that your training data is representative of what you are planning to translate. | Provides more freedom to compose your training data.|
+| Easy to redo when you grow or shrink the domain. | Allows for more data and better domain coverage.|
+|Changes each training run.| Remains static over repeated training runs|
+
+## How is training material processed by Custom Translator?
+
+To prepare for training, documents undergo a series of processing and filtering steps. These steps are explained below. Knowledge of the filtering process may help with understanding the sentence count displayed as well as the steps you can take to prepare training documents for training with Custom Translator.
+
+* ### Sentence alignment
+
+ If your document isn't in XLIFF, XLSX, TMX, or ALIGN format, Custom Translator aligns the sentences of your source and target documents to each other, sentence-by-sentence. Translator doesn't perform document alignmentΓÇöit follows your naming convention for the documents to find a matching document in the other language. Within the source text, Custom Translator tries to find the corresponding sentence in the target language. It uses document markup like embedded HTML tags to help with the alignment.
+
+ If you see a large discrepancy between the number of sentences in the source and target documents, your source document may not be parallel, or couldn't be aligned. The document pairs with a large difference (>10%) of sentences on each side warrant a second look to make sure they're indeed parallel.
+
+* ### Extracting tuning and testing data
+
+ Tuning and testing data is optional. If you don't provide it, the system will remove an appropriate percentage from your training documents to use for tuning and testing. The removal happens dynamically as part of the training process. Since this step occurs as part of training, your uploaded documents aren't affected. You can see the final used sentence counts for each category of dataΓÇötraining, tuning, testing, and dictionaryΓÇöon the Model details page after training has succeeded.
+
+* ### Length filter
+
+ * Removes sentences with only one word on either side.
+ * Removes sentences with more than 100 words on either side. Chinese, Japanese, Korean are exempt.
+ * Removes sentences with fewer than three characters. Chinese, Japanese, Korean are exempt.
+ * Removes sentences with more than 2000 characters for Chinese, Japanese, Korean.
+ * Removes sentences with less than 1% alphanumeric characters.
+ * Removes dictionary entries containing more than 50 words.
+
+* ### White space
+
+ * Replaces any sequence of white-space characters including tabs and CR/LF sequences with a single space character.
+ * Removes leading or trailing space in the sentence.
+
+* ### Sentence end punctuation
+
+ * Replaces multiple sentence-end punctuation characters with a single instance. Japanese character normalization.
+
+ * Converts full width letters and digits to half-width characters.
+
+* ### Unescaped XML tags
+
+ Transforms unescaped tags into escaped tags:
+
+ | Tag | Becomes |
+ |||
+ | \&lt; | \&amp;lt; |
+ | \&gt; | \&amp;gt; |
+ | \&amp; | \&amp;amp; |
+
+* ### Invalid characters
+
+ Custom Translator removes sentences that contain Unicode character U+FFFD. The character U+FFFD indicates a failed encoding conversion.
+
+## What steps should I take before uploading data?
+
+* Remove sentences with invalid encoding.
+* Remove Unicode control characters.
+* If feasible, align sentences (source-to-target).
+* Remove source and target sentences that don't match the source and target languages.
+* When source and target sentences have mixed languages, ensure that untranslated words are intentional, for example, names of organizations and products.
+* Correct grammatical and typographical errors to prevent teaching these errors to your model.
+* Though our training process handles source and target lines containing multiple sentences, it's better to have one source sentence mapped to one target sentence.
+
+## How do I evaluate the results?
+
+After your model is successfully trained, you can view the model's BLEU score and baseline model BLEU score on the model details page. We use the same set of test data to generate both the model's BLEU score and the baseline BLEU score. This data will help you make an informed decision regarding which model would be better for your use-case.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Try our Quickstart](quickstart.md)
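Review bot: the "Unescaped XML tags" table contradicts its own lead-in. The lead-in says unescaped tags are transformed into escaped tags, but the rows map `&lt;` to `&amp;lt;`, `&gt;` to `&amp;gt;` and `&amp;` to `&amp;amp;`, which is already-escaped entities being escaped a second time. If the intent is that `<` becomes `&lt;`, `>` becomes `&gt;` and `&` becomes `&amp;`, the left column should show the raw characters; if double escaping is what actually happens, the lead-in should say so, since it changes how customers must prepare their files. Smaller fixes in the same file: "enables you to a build translation system" should be "enables you to build a translation system"; "10,000 sentences of previously trained documents" should be "previously translated documents", matching the sentence above it; "what you are going to translation in the future" should be "translate"; the two occurrences of "ΓÇö" in the sentence-alignment and tuning/testing paragraphs are a mis-encoded em dash and will render as garbage; and under "Sentence end punctuation", the fragment "Japanese character normalization." is a heading that has been run into the preceding bullet and should sit above the "Converts full width letters and digits" bullet as its own sub-heading.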
cognitive-services Bleu Score https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/bleu-score.md
+
+ Title: "What is a BLEU score? - Custom Translator"
+
+description: BLEU is a measurement of the differences between machine translation and human-created reference translations of the same source sentence.
+++++ Last updated : 11/04/2022++
+#Customer intent: As a Custom Translator user, I want to understand how BLEU score works so that I understand system test outcome better.
++
+# What is a BLEU score?
+
+[BLEU (Bilingual Evaluation Understudy)](https://en.wikipedia.org/wiki/BLEU) is a measurement of the difference between an automatic translation and human-created reference translations of the same source sentence.
+
+## Scoring process
+
+The BLEU algorithm compares consecutive phrases of the automatic translation
+with the consecutive phrases it finds in the reference translation, and counts
+the number of matches, in a weighted fashion. These matches are position
+independent. A higher match degree indicates a higher degree of similarity with
+the reference translation, and higher score. Intelligibility and grammatical correctness aren't taken into account.
+
+## How BLEU works?
+
+The BLEU score's strength is that it correlates well with human judgment. BLEU averages out
+individual sentence judgment errors over a test corpus, rather than attempting
+to devise the exact human judgment for every sentence.
+
+A more extensive discussion of BLEU scores is [here](https://youtu.be/-UqDljMymMg).
+
+BLEU results depend strongly on the breadth of your domain; consistency of
+test, training and tuning data; and how much data you have
+available for training. If your models have been trained on a narrow domain, and
+your training data is consistent with your test data, you can expect a high
+BLEU score.
+
+>[!NOTE]
+>A comparison between BLEU scores is only justifiable when BLEU results are compared with the same Test set, the same language pair, and the same MT engine. A BLEU score from a different test set is bound to be different.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [BLEU score evaluation](../how-to/test-your-model.md)
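Review bot: the heading "## How BLEU works?" is ungrammatical; use "## How does BLEU work?" (or "## How BLEU works", matching the statement-style headings elsewhere in this article). The link text in "A more extensive discussion of BLEU scores is [here](https://youtu.be/-UqDljMymMg)." should describe the target (for example "a more extensive discussion of BLEU scores is available in this video") rather than "here", since bare "here" links fail the accessibility checks these docs otherwise follow. In the NOTE, "the same Test set" should be lowercase "test set" to match the rest of the article, and because "Scoring process" says matches are "position independent", the companion model-training.md article in this change set should not describe a perfect score as requiring words in "the exact same position"; align the two descriptions.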
cognitive-services Customization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/customization.md
+
+ Title: Translation Customization - Translator
+
+description: Use the Microsoft Translator Hub to build your own machine translation system using your preferred terminology and style.
++++++ Last updated : 11/04/2022+++
+# Customize your text translations
+
+The Custom Translator is a feature of the Translator service, which allows users to customize Microsoft Translator's advanced neural machine translation when translating text using Translator (version 3 only).
+
+The feature can also be used to customize speech translation when used with [Cognitive Services Speech](../../../speech-service/index.yml).
+
+## Custom Translator
+
+With Custom Translator, you can build neural translation systems that understand the terminology used in your own business and industry. The customized translation system will then integrate into existing applications, workflows, and websites.
+
+### How does it work?
+
+Use your previously translated documents (leaflets, webpages, documentation, etc.) to build a translation system that reflects your domain-specific terminology and style, better than a standard translation system. Users can upload TMX, XLIFF, TXT, DOCX, and XLSX documents.
+
+The system also accepts data that is parallel at the document level but isn't yet aligned at the sentence level. If users have access to versions of the same content in multiple languages but in separate documents, Custom Translator will be able to automatically match sentences across documents. The system can also use monolingual data in either or both languages to complement the parallel training data to improve the translations.
+
+The customized system is then available through a regular call to Translator using the category parameter.
+
+Given the appropriate type and amount of training data it isn't uncommon to expect gains between 5 and 10, or even more BLEU points on translation quality by using Custom Translator.
+
+More details about the various levels of customization based on available data can be found in the [Custom Translator User Guide](../overview.md).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Set up a customized language system using Custom Translator](../overview.md)
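Review bot: the description metadata still names the retired predecessor product, "description: Use the Microsoft Translator Hub to build your own machine translation system using your preferred terminology and style.", while the body is about Custom Translator; change it to "Use Custom Translator to build ...". In "The customized system is then available through a regular call to Translator using the category parameter.", say what value is passed (the project's CategoryID, as workspace-and-project.md in this set calls it) and link the V3 translate reference, otherwise a reader has no way to connect the two articles. "Given the appropriate type and amount of training data it isn't uncommon to expect gains between 5 and 10, or even more BLEU points" is awkward; "gains of 5 to 10 BLEU points or more are common" says the same thing and needs a comma after "training data" in either form.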
cognitive-services Data Filtering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/data-filtering.md
+
+ Title: "Data Filtering - Custom Translator"
+
+description: When you submit documents to be used for training a custom system, the documents undergo a series of processing and filtering steps.
++++ Last updated : 11/04/2022+++
+#Customer intent: As a Custom Translator, I want to understand how data is filtered before training a model.
++
+# Data filtering
+
+When you submit documents to be used for training, the documents undergo a series of processing and filtering steps. These steps are explained here. The knowledge of the filtering may help you understand the sentence count displayed in Custom Translator and the steps you may take yourself to prepare the documents for training with Custom Translator.
+
+## Sentence alignment
+
+If your document isn't in XLIFF, TMX, or ALIGN format, Custom Translator aligns the sentences of your source and target documents to each other, sentence by sentence. Custom Translator doesn't perform document alignment ΓÇô it follows your naming of the documents to find the matching document of the other language. Within the document, Custom Translator tries to find the corresponding sentence in the other language. It uses document markup like embedded HTML tags to help with the alignment.
+
+If you see a large discrepancy between the number of sentences in the source and target documents, your documents may not be parallel. The document pairs with a large difference (>10%) of sentences on each side warrant a second look to make sure they're indeed parallel. Custom Translator shows a warning next to the document if the sentence count differs suspiciously.
+
+## Deduplication
+
+Custom Translator removes the sentences that are present in test and tuning documents from training data. The removal happens dynamically inside of the training run, not in the data processing step. Custom Translator reports the sentence count to you in the project overview before such removal.
+
+## Length filter
+
+* Remove sentences with only one word on either side.
+* Remove sentences with more than 100 words on either side.ΓÇ» Chinese, Japanese, Korean are exempt.
+* Remove sentences with fewer than three characters. Chinese, Japanese, Korean are exempt.
+* Remove sentences with more than 2000 characters for Chinese, Japanese, Korean.
+* Remove sentences with less than 1% alpha characters.
+* Remove dictionary entries containing more than 50 words.
+
+## White space
+
+* Replace any sequence of white-space characters including tabs and CR/LF sequences with a single space character.
+* Remove leading or trailing space in the sentence
+
+## Sentence end punctuation
+
+Replace multiple sentence end punctuation characters with a single instance.
+
+## Japanese character normalization
+
+Convert full width letters and digits to half-width characters.
+
+## Unescaped XML tags
+
+Filtering transforms unescaped tags into escaped tags:
+* `&lt;` becomes `&amp;lt;`
+* `&gt;` becomes `&amp;gt;`
+* `&amp;` becomes `&amp;amp;`
+
+## Invalid characters
+
+Custom Translator removes sentences that contain Unicode character U+FFFD. The character U+FFFD indicates a failed encoding conversion.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to train a model](../how-to/train-custom-model.md)
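Review bot: the bullets under "Unescaped XML tags" are double-escaped and read backwards from the heading. Inside a Markdown code span HTML entities are rendered literally, so "`&lt;` becomes `&amp;lt;`" is shown to the reader as "&lt; becomes &amp;lt;", which describes escaping text that is already escaped. If the filter turns raw markup characters into entities, the list should be "`<` becomes `&lt;`", "`>` becomes `&gt;`" and "`&` becomes `&amp;`"; if it really re-escapes already-escaped entities, the heading "Unescaped XML tags" is wrong and the sentence before the list needs to say so. Separately, the article carries encoding debris from a non-UTF-8 round trip: "Custom Translator doesn't perform document alignment ΓÇô it follows your naming" should have an en dash or hyphen, and "more than 100 words on either side.ΓÇ» Chinese, Japanese, Korean are exempt." has a mangled no-break space; replace both with plain ASCII. Also "Remove sentences with less than 1% alpha characters." should be "fewer than", and "Remove leading or trailing space in the sentence" is the only bullet in the White space list without a terminal period.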
cognitive-services Dictionaries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/dictionaries.md
+
+ Title: "What is a dictionary? - Custom Translator"
+
+description: How to create an aligned document that specifies a list of phrases or sentences (and their translations) that you always want Microsoft Translator to translate the same way. Dictionaries are sometimes also called glossaries or term bases.
++++ Last updated : 11/04/2022+++
+#Customer intent: As a Custom Translator, I want to understand how to use a dictionary to build a custom translation model.
++
+# What is a dictionary?
+
+A dictionary is an aligned pair of documents that specifies a list of phrases or sentences and their corresponding translations. Use a dictionary in your training, when you want Translator to translate any instances of the source phrase or sentence, using the translation you've provided in the dictionary. Dictionaries are sometimes called glossaries or term bases. You can think of the dictionary as a brute force "copy and replace" for all the terms you list. Furthermore, Microsoft Custom Translator service builds and makes use of its own general purpose dictionaries to improve the quality of its translation. However, a customer provided dictionary takes precedent and will be searched first to look up words or sentences.
+
+Dictionaries only work for projects in language pairs that have a fully supported Microsoft general neural network model behind them. [View the complete list of languages](../../language-support.md).
+
+## Phrase dictionary
+
+A phrase dictionary is case-sensitive. It's an exact find-and-replace operation. When you include a phrase dictionary in training your model, any word or phrase listed is translated in the way specified. The rest of the sentence is translated as usual. You can use a phrase dictionary to specify phrases that shouldn't be translated by providing the same untranslated phrase in the source and target files.
+
+## Sentence dictionary
+
+A sentence dictionary is case-insensitive. The sentence dictionary allows you to specify an exact target translation for a source sentence. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If the source dictionary entry ends with punctuation, it's ignored during the match. If only a portion of the sentence matches, the entry won't match. When a match is detected, the target entry of the sentence dictionary will be returned.
+
+## Dictionary-only trainings
+
+You can train a model using only dictionary data. To do so, select only the dictionary document (or multiple dictionary documents) that you wish to include and select **Create model**. Since this training is dictionary-only, there's no minimum number of training sentences required. Your model will typically complete training much faster than a standard training. The resulting models will use the Microsoft baseline models for translation with the addition of the dictionaries you've added. You won't get a test report.
+
+>[!Note]
+>Custom Translator doesn't sentence align dictionary files, so it is important that there are an equal number of source and target phrases/sentences in your dictionary documents and that they are precisely aligned.
+
+## Recommendations
+
+- Dictionaries aren't a substitute for training a model using training data. For better results, we recommended letting the system learn from your training data. However, when sentences or compound nouns must be translated verbatim, use a dictionary.
+
+- The phrase dictionary should be used sparingly. When a phrase within a sentence is replaced, the context of that sentence is lost or limited for translating the rest of the sentence. The result is that, while the phrase or word within the sentence will translate according to the provided dictionary, the overall translation quality of the sentence often suffers.
+
+- The phrase dictionary works well for compound nouns like product names ("_Microsoft SQL Server_"), proper names ("_City of Hamburg_"), or product features ("_pivot table_"). It doesn't work as well for verbs or adjectives because those words are typically highly contextual within the source or target language. The best practice is to avoid phrase dictionary entries for anything but compound nouns.
+
+- If you're using a phrase dictionary, capitalization and punctuation are important. Dictionary entries are case- and punctuation-sensitive. Custom Translator will only match words and phrases in the input sentence that use exactly the same capitalization and punctuation marks as specified in the source dictionary file. Also, translations will reflect the capitalization and punctuation provided in the target dictionary file.
+
+ **Example**
+
+ - If you're training an English-to-Spanish system that uses a phrase dictionary and you specify "_SQL server_" in the source file and "_Microsoft SQL Server_" in the target file. When you request the translation of a sentence that contains the phrase "_SQL server_", Custom Translator will match the dictionary entry and the translation will contain "_Microsoft SQL Server_."
+ - When you request translation of a sentence that includes the same phrase but **doesn't** match what is in your source file, such as "_sql server_", "_sql Server_" or "_SQL Server_", it **won't** return a match from your dictionary.
+ - The translation follows the rules of the target language as specified in your phrase dictionary.
+
+- If you're using a sentence dictionary, end-of-sentence punctuation is ignored.
+
+ **Example**
+
+ - If your source dictionary contains "_This sentence ends with punctuation!_", then any translation requests containing "_This sentence ends with punctuation_" will match.
+
+- Your dictionary should contain unique source lines. If a source line (a word, phrase, or sentence) appears more than once in a dictionary file, the system will always use the **last entry** provided and return the target when a match is found.
+
+- Avoid adding phrases that consist of only numbers or are two- or three-letter words, such as acronyms, in the source dictionary file.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn about document formatting guidelines](document-formats-naming-convention.md)
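Review bot: "However, a customer provided dictionary takes precedent and will be searched first" should read "a customer-provided dictionary takes precedence". The first bullet of the phrase-dictionary Example is a sentence fragment: "If you're training an English-to-Spanish system that uses a phrase dictionary and you specify "_SQL server_" in the source file and "_Microsoft SQL Server_" in the target file." has no main clause; join it to the following sentence with a comma ("... in the target file, then when you request the translation ..."). The Recommendations bullet "Dictionary entries are case- and punctuation-sensitive." is inside a bullet scoped to phrase dictionaries but is easily read as a global statement that contradicts "A sentence dictionary is case-insensitive." above; say "Phrase dictionary entries are case- and punctuation-sensitive." Lastly, "If a source line ... appears more than once in a dictionary file, the system will always use the **last entry** provided" is worth repeating in the NOTE about alignment, since an off-by-one line in the source file silently shifts which target is used for every later entry.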
cognitive-services Document Formats Naming Convention https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/document-formats-naming-convention.md
+
+ Title: "Document formats and naming conventions - Custom Translator"
+
+description: This article is a guide to document formats and naming conventions in Custom Translator to avoid naming conflicts.
++++ Last updated : 11/04/2022+++
+#Customer intent: As a Custom Translator user, I want to understand how to format and name my documents.
++
+# Document formats and naming convention guidance
+
+Any file used for custom translation must be at least **four** characters in length.
+
+This table includes all supported file formats that you can use to build your translation system:
+
+| Format | Extensions | Description |
+|-|--|--|
+| XLIFF | .XLF, .XLIFF | A parallel document format, export of Translation Memory systems. The languages used are defined inside the file. |
+| TMX | .TMX | A parallel document format, export of Translation Memory systems. The languages used are defined inside the file. |
+| ZIP | .ZIP | ZIP is an archive file format. |
+| Locstudio | .LCL | A Microsoft format for parallel documents |
+| Microsoft Word | .DOCX | Microsoft Word document |
+| Adobe Acrobat | .PDF | Adobe Acrobat portable document |
+| HTML | .HTML, .HTM | HTML document |
+| Text file | .TXT | UTF-16 or UTF-8 encoded text files. The file name must not contain Japanese characters. |
+| Aligned text file | .ALIGN | The extension `.ALIGN` is a special extension that you can use if you know that the sentences in the document pair are perfectly aligned. If you provide a `.ALIGN` file, Custom Translator won't align the sentences for you. |
+| Excel file | .XLSX | Excel file (2013 or later). First line/ row of the spreadsheet should be language code. |
+
+## Dictionary formats
+
+For dictionaries, Custom Translator supports all file formats that are supported for training sets. If you're using an Excel dictionary, the first line/ row of the spreadsheet should be language codes.
+
+## Zip file formats
+
+Documents can be grouped into a single zip file and uploaded. The Custom Translator supports zip file formats (ZIP, GZ, and TGZ).
+
+Each document in the zip file with the extension TXT, HTML, HTM, PDF, DOCX, ALIGN must follow this naming convention:
+
+{document name}\_{language code}
+where {document name} is the name of your document, {language code} is the ISO LanguageID (two characters), indicating that the document contains sentences in that language. There must be an underscore (_) before the language code.
+
+For example, to upload two parallel documents within a zip for an English to
+Spanish system, the files should be named "data_en" and "data_es".
+
+Translation Memory files (TMX, XLF, XLIFF, LCL, XLSX) aren't required to follow the specific language-naming convention.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn about managing projects](workspace-and-project.md#what-is-a-custom-translator-project)
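Review bot: "Any file used for custom translation must be at least **four** characters in length." is ambiguous between the file name and the file contents; say which (and, if it is the name, whether the extension counts). The Zip section states "The Custom Translator supports zip file formats (ZIP, GZ, and TGZ)." but the formats table lists only ".ZIP"; either add .GZ and .TGZ rows to the table or drop them from this sentence. The naming-convention pattern and its explanation are on consecutive lines with no blank line between them ("{document name}\_{language code}" followed directly by "where {document name} is the name of your document ..."), so they render as one run-on sentence; put the pattern in its own paragraph or a code span. "{language code} is the ISO LanguageID (two characters)" should be checked against the language-support table that dictionaries.md links as authoritative, and the convention should say what to do for codes that are not two characters if any are accepted. Finally, "Excel file (2013 or later). First line/ row of the spreadsheet should be language code." has a stray space after the slash and should be "language codes" (plural), as the Dictionary formats section already says.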
cognitive-services Model Training https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/model-training.md
+
+ Title: "What are training and modeling? - Custom Translator"
+
+description: A model is the system, which provides translation for a specific language pair. The outcome of a successful training is a model. To train a model, three mutually exclusive data sets are required training dataset, tuning dataset, and testing dataset.
+++++ Last updated : 11/04/2022++
+#Customer intent: As a Custom Translator user, I want to concept of a model and training, so that I can efficiently use training, tuning and testing datasets the helps me build a translation model.
++
+# What are training and modeling?
+
+A model is the system, which provides translation for a specific language pair. The outcome of a successful training is a model. To train a model, three mutually exclusive document types are required: training, tuning, and testing. Dictionary document type can also be provided. For more information, _see_ [Sentence alignment](./sentence-alignment.md#suggested-minimum-number-of-sentences).
+
+If only training data is provided when queuing a training, Custom Translator will automatically assemble tuning and testing data. It will use a random subset of sentences from your training documents, and exclude these sentences from the training data itself.
+
+## Training document type for Custom Translator
+
+Documents included in training set are used by the Custom Translator as the basis for building your model. During training execution, sentences that are present in these documents are aligned (or paired). You can take liberties in composing your set of training documents. You can include documents that you believe are of tangential relevance in one model. Again exclude them in another to see the impact in [BLEU (Bilingual Evaluation Understudy) score](bleu-score.md). As long as you keep the tuning set and test set constant, feel free to experiment with the composition of the training set. This approach is an effective way to modify the quality of your translation system.
+
+You can run multiple trainings within a project and compare the [BLEU scores](bleu-score.md) across all training runs. When you're running multiple trainings for comparison, ensure same tuning/ test data is specified each time. Also make sure to also inspect the results manually in the ["Testing"](../how-to/test-your-model.md) tab.
+
+## Tuning document type for Custom Translator
+
+Parallel documents included in this set are used by the Custom Translator to tune the translation system for optimal results.
+
+The tuning data is used during training to adjust all parameters and weights of the translation system to the optimal values. Choose your tuning data carefully: the tuning data should be representative of the content of the documents you intend to translate in the future. The tuning data has a major influence on the quality of the translations produced. Tuning enables the translation system to provide translations that are closest to the samples you provide in the tuning data. You don't need more than 2500 sentences in your tuning data. For optimal translation quality, it's recommended to select the tuning set manually by choosing the most representative selection of sentences.
+
+When creating your tuning set, choose sentences that are a meaningful and representative length of the future sentences that you expect to translate. Choose sentences that have words and phrases that you intend to translate in the approximate distribution that you expect in your future translations. In practice, a sentence length of 7 to 10 words will produce the best results. These sentences contain enough context to show inflection and provide a phrase length that is significant, without being overly complex.
+
+A good description of the type of sentences to use in the tuning set is prose: actual fluent sentences. Not table cells, not poems, not lists of things, not only punctuation, or numbers in a sentence - regular language.
+
+If you manually select your tuning data, it shouldn't have any of the same sentences as your training and testing data. The tuning data has a significant impact on the quality of the translations - choose the sentences carefully.
+
+If you aren't sure what to choose for your tuning data, just select the training data and let Custom Translator select the tuning data for you. When you let the Custom Translator choose the tuning data automatically, it will use a random subset of sentences from your bilingual training documents and exclude these sentences from the training material itself.
+
+## Testing dataset for Custom Translator
+
+Parallel documents included in the testing set are used to compute the BLEU (Bilingual Evaluation Understudy) score. This score indicates the quality of your translation system. This score actually tells you how closely the translations done by the translation system resulting from this training match the reference sentences in the test data set.
+
+The BLEU score is a measurement of the delta between the automatic translation and the reference translation. Its value ranges from 0 to 100. A score of 0 indicates that not a single word of the reference appears in the translation. A score of 100 indicates that the automatic translation exactly matches the reference: the same word is in the exact same position. The score you receive is the BLEU score average for all sentences of the testing data.
+
+The test data should include parallel documents where the target language sentences are the most desirable translations of the corresponding source language sentences in the source-target pair. You may want to use the same criteria you used to compose the tuning data. However, the testing data has no influence over the quality of the translation system. It's used exclusively to generate the BLEU score for you.
+
+You don't need more than 2,500 sentences as the testing data. When you let the system choose the testing set automatically, it will use a random subset of sentences from your bilingual training documents, and exclude these sentences from the training material itself.
+
+You can view the custom translations of the testing set, and compare them to the translations provided in your testing set, by navigating to the test tab within a model.
+
+## Next Steps
+
+> [!div class="nextstepaction"]
+> [Test and evaluate your model](../how-to/test-your-model.md)
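Review bot: the BLEU explanation under "Testing dataset for Custom Translator" contradicts bleu-score.md in the same change set: "A score of 100 indicates that the automatic translation exactly matches the reference: the same word is in the exact same position." whereas bleu-score.md says "These matches are position independent."; drop the position clause and leave "exactly matches the reference". The customer-intent line is missing words: "I want to concept of a model and training, so that I can efficiently use training, tuning and testing datasets the helps me build a translation model." should be "I want to understand the concepts of a model and training, so that I can efficiently use the training, tuning and testing datasets that help me build a translation model." "Also make sure to also inspect the results manually" doubles "also". The tuning-set ceiling is written "2500" in one paragraph and "2,500" in another; use one format, and the closing heading "## Next Steps" should be "## Next steps" to match every other article in this set.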
cognitive-services Parallel Documents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/parallel-documents.md
+
+ Title: "What are parallel documents? - Custom Translator"
+
+description: Parallel documents are pairs of documents where one is the translation of the other. One document in the pair contains sentences in the source language and the other document contains these sentences translated into the target language.
++++ Last updated : 11/04/2022++
+#Customer intent: As a Custom Translator, I want to understand how to use parallel documents to build a custom translation model.
++
+# What are parallel documents?
+
+Parallel documents are pairs of documents where one is the translation of the
+other. One document in the pair contains sentences in the source language and
+the other document contains these sentences translated into the target language.
+It doesn't matter which language is marked as "source" and which language is
+marked as "target" ΓÇô a parallel document can be used to train a translation
+system in either direction.
+
+## Requirements
+
+You'll need a minimum of 10,000 unique aligned parallel sentences to train a system. This limitation is a safety net to ensure your parallel sentences contain enough unique vocabulary to successfully train a translation model. As a best practice, continuously add more parallel content and retrain to improve the quality of your translation system. For more information, *see* [Sentence Alignment](./sentence-alignment.md).
+
+Microsoft requires that documents uploaded to the Custom Translator don't violate a third party's copyright or intellectual properties. For more information, please see the [Terms of Use](https://azure.microsoft.com/support/legal/cognitive-services-terms/). Uploading a document using the portal doesn't alter the ownership of the intellectual property in the document itself.
+
+## Use of parallel documents
+
+Parallel documents are used by the system:
+
+1. To learn how words, phrases and sentences are commonly mapped between the
+ two languages.
+
+2. To learn how to process the appropriate context depending on the surrounding
+ phrases. A word may not always translate to the exact same word in the other
+ language.
+
+As a best practice, make sure that there's a 1:1 sentence correspondence between
+the source and target language versions of the documents.
+
+If your project is domain (category) specific, your documents should be
+consistent in terminology within that category. The quality of the resulting
+translation system depends on the number of sentences in your document set and
+the quality of the sentences. The more examples your documents contain with
+diverse usages for a word specific to your category, the better job the system
+can do during translation.
+
+Documents uploaded are private to each workspace and can be used in as many
+projects or trainings as you like. Sentences extracted from your documents are
+stored separately in your repository as plain Unicode text files and are
+available for you to delete. Don't use the Custom Translator as a document
+repository, you won't be able to download the documents you uploaded in the
+format you uploaded them.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to use a dictionary](dictionaries.md)
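Review bot: encoding debris in the introduction, "marked as "target" ΓÇô a parallel document can be used to train", should be an en dash or plain hyphen. "Don't use the Custom Translator as a document repository, you won't be able to download the documents you uploaded in the format you uploaded them." is a comma splice; split it or use "because". Since this paragraph is the only place the article describes data handling ("Documents uploaded are private to each workspace ... Sentences extracted from your documents are stored separately in your repository as plain Unicode text files and are available for you to delete."), it should state whether deleting an uploaded document also removes the extracted sentence files and any models trained from them; as written a reader cannot tell what "available for you to delete" covers, which is the question anyone reviewing data retention will ask.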
cognitive-services Sentence Alignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/sentence-alignment.md
+
+ Title: "Sentence pairing and alignment - Custom Translator"
+
+description: During the training execution, sentences present in parallel documents are paired or aligned. Custom Translator learns translations one sentence at a time, by reading a sentence and translating it. Then it aligns words and phrases in these two sentences to each other.
++++ Last updated : 11/04/2022+++
+#Customer intent: As a Custom Translator user, I want to know how sentence alignment works, so that I can have better understanding of underlying process of sentence extraction, pairing, filtering, aligning.
++
+# Sentence pairing and alignment in parallel documents
+
+After documents are uploaded, sentences present in parallel documents are
+paired or aligned. Custom Translator reports the number of sentences it was
+able to pair as the Aligned Sentences in each of the data sets.
+
+## Pairing and alignment process
+
+Custom Translator learns translations of sentences one sentence at a time. It reads a sentence from the source text, and then the translation of this sentence from the target text. Then it aligns words and phrases in these two sentences to each other. This process enables it to create a map of the words and phrases in one sentence to the equivalent words and phrases in the translation of the sentence. Alignment tries to ensure that the system trains on sentences that are translations of each other.
+
+## Pre-aligned documents
+
+If you know you have parallel documents, you may override the
+sentence alignment by supplying pre-aligned text files. You can extract all
+sentences from both documents into text file, organized one sentence per line,
+and upload with an `.align` extension. The `.align` extension signals Custom
+Translator that it should skip sentence alignment.
+
+For best results, try to make sure that you have one sentence per line in your
+ files. Don't have newline characters within a sentence, it will cause poor
+alignments.
+
+## Suggested minimum number of sentences
+
+For a training to succeed, the table below shows the minimum number of sentences required in each document type. This limitation is a safety net to ensure your parallel sentences contain enough unique vocabulary to successfully train a translation model. The general guideline is having more in-domain parallel sentences of human translation quality should produce higher-quality models.
+
+| Document type | Suggested minimum sentence count | Maximum sentence count |
+||--|--|
+| Training | 10,000 | No upper limit |
+| Tuning | 500 | 2,500 |
+| Testing | 500 | 2,500 |
+| Dictionary | 0 | 250,000 |
+
+> [!NOTE]
+>
+> - Training will not start and will fail if the 10,000 minimum sentence count for Training is not met.
+> - Tuning and Testing are optional. If you do not provide them, the system will remove an appropriate percentage from Training to use for validation and testing.
+> - You can train a model using only dictionary data. Please refer to [What is Dictionary](dictionaries.md).
+> - If your dictionary contains more than 250,000 sentences, our Document Translation feature is a better choice. Please refer to [Document Translation](../../document-translation/overview.md).
+> - Free (F0) subscription training has a maximum limit of 2,000,000 characters.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to use a dictionary](dictionaries.md)
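Review bot: the table under "Suggested minimum number of sentences" has an invalid delimiter row: "||--|--|" has an empty first cell while the header row has three columns, and GFM requires a hyphen run in every delimiter cell, so the table may not render; use "|--|--|--|" (compare the valid "|-|--|--|" in document-formats-naming-convention.md). The column is titled "Suggested minimum sentence count", but the NOTE says "Training will not start and will fail if the 10,000 minimum sentence count for Training is not met.", so for Training it is a hard requirement, not a suggestion; retitle the column or flag that row as required. The same NOTE says the system removes a percentage of Training "to use for validation and testing", whereas the table and the rest of this set call that set "tuning"; use one term. In "Pre-aligned documents", the line " files. Don't have newline characters within a sentence, it will cause poor" has a stray leading space (which renders as a line break in some Markdown engines) and a comma splice; rewrite as "Don't put newline characters within a sentence; they cause poor alignments."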
cognitive-services Workspace And Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/concepts/workspace-and-project.md
+
+ Title: "What is a workspace and project? - Custom Translator"
+
+description: This article will explain the differences between a workspace and a project as well as project categories and labels for the Custom Translator service.
+++++ Last updated : 11/04/2022+++
+#Customer intent: As a Custom Translator user, I want to concept of a project, so that I can use it efficiently.
+
+# What is a Custom Translator workspace?
+
+A workspace is a work area for composing and building your custom translation system. A workspace can contain multiple projects, models, and documents. All the work you do in Custom Translator is inside a specific workspace.
+
+Workspace is private to you and the people you invite into your workspace. Uninvited people don't have access to the content of your workspace. You can invite as many people as you like into your workspace and modify or remove their access anytime. You can also create a new workspace. By default a workspace won't contain any projects or documents that are within your other workspaces.
+
+## What is a Custom Translator project?
+
+A project is a wrapper for a model, documents, and tests. Each project
+automatically includes all documents that are uploaded into that workspace that
+have the correct language pair. For example, if you have both an English to
+Spanish project and a Spanish to English project, the same documents will be
+included in both projects. Each project has a CategoryID associated with it
+that is used when querying the [V3 API](../../reference/v3-0-translate.md?tabs=curl) for translations. CategoryID is parameter used to get translations from a customized system built with Custom Translator.
+
+## Project categories
+
+The category identifies the domain ΓÇô the area of terminology and style you want to use ΓÇô for your project. Choose the category most relevant to your documents. In some cases, your choice of the category directly influences the behavior of the Custom Translator.
+
+We have two sets of baseline models. They're General and Technology. If the category **Technology** is selected, the Technology baseline models will be used. For any other category selection, the General baseline models are used. The Technology baseline model does well in technology domain, but it shows lower quality, if the sentences used for translation don't fall within the technology domain. We suggest customers select category Technology only if sentences fall strictly within the technology domain.
+
+In the same workspace, you may create projects for the same language pair in
+different categories. Custom Translator prevents creation of a duplicate project
+with the same language pair and category. Applying a label to your project
+allows you to avoid this restriction. Don't use labels unless you're building translation systems for multiple clients, as adding a
+unique label to your project will be reflected in your projects CategoryID.
+
+## Project labels
+
+Custom Translator allows you to assign a project label to your project. The
+project label distinguishes between multiple projects with the same language
+pair and category. As a best practice, avoid using project labels unless
+necessary.
+
+The project label is used as part of the CategoryID. If the project label is
+left unset or is set identically across projects, then projects with the same
+category and *different* language pairs will share the same CategoryID. This approach is
+advantageous because it allows you to switch between languages when using the Translator API without worrying about a CategoryID that is unique to each project.
+
+For example, if I wanted to enable translations in the Technology domain from
+English to French and from French to English, I would create two
+projects: one for English -\> French, and one for French -\> English. I would
+specify the same category (Technology) for both and leave the project label
+blank. The CategoryID for both projects would match, so I could query the API
+for both English and French translations without having to modify my CategoryID.
+
+If you're a language service provider and want to serve
+multiple customers with different models that retain the same category and
+language pair, use a project label to differentiate between customers.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn about model training](model-training.md)
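Review bot: the en dashes in the "Project categories" paragraph are mis-encoded as "ΓÇô" ("the domain ΓÇô the area of terminology and style you want to use ΓÇô for your project"); replace them with plain dashes or commas before this merges. Two grammar slips in the same hunk: "CategoryID is parameter used to get translations" is missing "a", and "reflected in your projects CategoryID" needs the possessive "project's". The hunk also says the CategoryID is what you pass to the V3 API but never says how it is formed or where to copy it from; the how-to-create-project.md page deleted later in this change had that ("A CategoryID is created by concatenating the WorkspaceID, project label, and category code ... To copy, choose the copy icon"), so carry that sentence over here rather than losing it.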
cognitive-services Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/faq.md
Title: "Legacy: Frequently asked questions - Custom Translator"
+ Title: "Frequently asked questions - Custom Translator"
description: This article contains answers to frequently asked questions about the Azure Cognitive Services Custom Translator.
Last updated 08/17/2020
-#Customer intent: As a Custom Translator user, I want to review frequently asked questions.
# Custom Translator frequently asked questions
files.
## I tried uploading my TMX, but it says "document processing failed" Ensure that the TMX conforms to the [TMX 1.4b Specification](https://www.gala-global.org/tmx-14b).+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Try the custom translator quickstart](quickstart.md)
+
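Review bot: the title drops the "Legacy:" prefix and a "Next steps" section pointing at quickstart.md is added, but "Last updated 08/17/2020" is left untouched; bump the date so the page reflects this revision. Also confirm that quickstart.md exists at the new path, since the other legacy pages in this change are deleted outright and the FAQ is the one page that survives and links onward.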
cognitive-services How To Create Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-create-project.md
- Title: "Legacy: How to create a project - Custom Translator"-
-description: This article explains how to create and manage a project in the Azure Cognitive Services Custom Translator.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to create project, so that I can build and manage a project.
--
-# Create a project
-
-A project contains translation models for one language pair. Each includes all documents that are uploaded into that workspace that have the correct language pair.
-
-Creating project is the first step toward building a model.
-
-## Create a project
-
-1. In the [Custom Translator](https://legacy.portal.customtranslator.azure.ai/) legacy portal, select **Create project**.
-
- ![Create project](media/how-to/how-to-create-project.png)
-
-1. Enter the following details about your project in the dialog:
-
- a. Project name (required): Give your project a unique, meaningful name. It's not necessary to mention the languages within the title.
-
- b. Description: A short summary about the project. This description has no
- influence over the behavior of the Custom Translator or your resulting
- custom system, but can help you differentiate between different
- projects.
-
- c. Language pair (required): Select the language that you're translating
- from and to.
-
- d. Category (required): Select the category that's most appropriate for
- your project. The category describes the terminology and style of the
- documents you intend to translate.
-
- e. Category description: Use this field to better describe the particular
- field or industry in which you're working. For example, if your
- category is medicine, you might add a particular document, such a surgery,
- or pediatrics. The description has no influence over the behavior of the
- Custom Translator or your resulting custom system.
-
- f. Project label: The [project label](workspace-and-project.md#project-labels) distinguishes between
- projects with the same language pair and category. As a best practice,
- use a label *only* if you're planning to build multiple projects for
- the same language pair and same category and want to access these
- projects with a different CategoryID. Don't use this field if you're
- building systems for one category only. A project label isn't required
- and not helpful to distinguish between language pairs. You can use the
- same label for multiple projects.
-
- ![Create project dialog](media/how-to/how-to-create-project-dialog.png)
-
-1. Select **Create**
-
-## View project details
-
-The Custom Translator landing page shows the first 10 projects in your workspace. It displays the project name, language pair, category, status, and BLEU score.
-
-After selecting a project, you'll see the following text on the project page:
--- CategoryID: A CategoryID is created by concatenating the WorkspaceID,
- project label, and category code. You use the CategoryID with the Text
- Translator API to get custom translations. To copy, choose the **copy icon**.
--- Train button: Use this button to start a [training a model](how-to-train-model.md).--- Add documents button: Use this button to [upload documents](how-to-upload-document.md).--- Filter documents button: Use this button to filter and search for specific
- document(s).
-
- ![View project details](media/how-to/how-to-view-project.png)
-
-## Next steps
--- Learn [how to search, edit, delete project](how-to-search-edit-delete-projects.md).-- Learn [how to upload document](how-to-upload-document.md) to build translation models.
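Review bot: this deletion removes the only description in the set of how the CategoryID is composed (WorkspaceID, project label, category code) and of what the portal landing page shows (first 10 projects with name, language pair, category, status, and BLEU score); make sure the replacement page covers the composition rule, since the new workspace-and-project.md hunk above refers to CategoryID without defining it. The removed page's "Next steps" links to how-to-search-edit-delete-projects.md and how-to-upload-document.md, which this change also deletes, so a redirect entry for each removed URL is needed to avoid dangling links from outside the repo.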
cognitive-services How To Manage Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-manage-settings.md
- Title: "Legacy: How to manage settings? - Custom Translator"-
-description: How to manage settings, create workspace, share workspace, and manage key in Custom Translator.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to manage settings, so that I can create workspace, share workspace, and manage key in Custom Translator.
--
-# How to manage settings
-
-Within the Custom Translator settings page, you can share your workspace, modify your Translator key, and delete workspace.
-
-To access the settings page:
-
-1. Sign in to the [Custom Translator](https://portal.customtranslator.azure.ai/) portal.
-2. On Custom Translator portal, select the gear icon in the sidebar.
- ![Setting Link](media/how-to/how-to-settings.png)
-
-## Associating Translator Subscription
-
-You need to have a Translator key associated with your workspace to train or deploy models.
-
-If you don't have a subscription, follow the steps below:
-
-1. Subscribe to create a Translator resource. Follow [How to sign up for Translator](../how-to-create-translator-resource.md) to subscribe and acquire a Translator key.
-2. Note the key for your Translator subscription. Either Key1 or Key2 is acceptable.
-
-3. Navigate back to the Custom Translator portal.
-
-## Create a new workspace
-
-1. Select the **Create workspace** button in Custom Translator sidebar.
-
- ![Create new workspace](media/how-to/create-new-workspace.png)
-
-2. In the dialog, enter the name of the new workspace.
-3. Select **Next**.
-4. Choose subscription type.
-5. Select subscription region. The region must match the selected region when Translator resource key was created.
-6. Enter the key for your translator subscription, then select the **Save** button.
-
- ![Create new workspace dialog](media/how-to/create-new-workspace-dialog.png)
-
->[!Note]
->Custom Translator does not support creating workspace for Translator Text API resource (a.k.a. Azure key) that was created inside [Enabled VNET](../../../api-management/api-management-using-with-vnet.md).
-
-### Modify existing key
-
-1. Navigate to the "Settings" page for your workspace.
-2. Select **Change Key**.
-
- ![How to add key](media/how-to/how-to-add-subscription-key.png)
-
-3. In the dialog, enter the key for your Translator subscription, then select the **Save** button.
-
- ![How to add key dialog](media/how-to/how-to-add-subscription-key-dialog.png)
-
-## Manage your workspace
-
-A workspace is a work area for composing and building your custom translation system. A workspace can contain multiple projects, models, and documents.
-
-If different part of your work needs to be shared with different people, then creating multiple workspaces may be useful.
-
-## Share your workspace
-
-In Custom Translator you can share your workspace with others, if different part of your work needs to be shared with different people.
-
-1. Navigate to the workspace "Settings" page.
-2. Select the **Add people** button in the **Sharing settings** section.
-
- ![Share workspace](media/how-to/share-workspace.png)
-
-3. On the dialog, enter a comma-separated list of email addresses you want this workspace shared with. Make sure you share with the email address that person uses to sign in to Custom Translator with. Select the appropriate level of sharing permission and select the **Save** button.
-
- ![Share workspace dialog](media/how-to/share-workspace-dialog.png)
-
-4. If your workspace still has the default name "My workspace", you'll be required to change it before sharing your workspace.
-5. Select **Save**.
-
-## Sharing permissions
-
-1. **Reader:** A reader in the workspace will be able to view all information in the workspace.
-
-2. **Editor:** An editor in the workspace will be able to add documents, train models, and delete documents and projects. They can add a key, but can't modify who the workspace is shared with, delete the workspace, or change the workspace name.
-
-3. **Owner:** An owner has full permissions to the workspace.
-
-## Change sharing permission
-
-When a workspace is shared, the **Sharing settings** section shows all email addresses that this workspace is shared with. You can change existing sharing permission for each email address if you have owner access to the workspace.
-
-1. In the **Sharing settings** section, for each email, a dropdown menu shows the current permission level.
-
-2. Choose the dropdown menu and select the new permission level you want to assign to that email address.
-
- ![Sharing permission settings](media/how-to/sharing-permission-settings.png)
-
-## Pin your workspace
-
-Your first created workspace is by default pinned. Each time you sign in, your pinned workspace is displayed upon site load. If you have created many workspaces and desire to make one of them your default when you sign in, you need to pin it.
-
-1. In the sidebar, select the name of the workspace you want to pin.
-2. Navigate to the "Settings" page for your workspace.
-3. Select the **Pin icon**.
-
- ![Pin workspace](media/how-to/how-to-pin-workspace.png)
-
-## Next steps
--- Learn [how to create your workspace and projects](workspace-and-project.md)
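Review bot: deleting this page drops the definition of the three sharing permission levels (Reader, Editor, Owner), the rule that an Editor "can add a key, but can't modify who the workspace is shared with, delete the workspace, or change the workspace name", the requirement that only an owner can change sharing permissions, and the note that a workspace can't be created for a Translator resource inside an enabled VNet. Those are access-control facts a workspace owner relies on; confirm they're present on the replacement page (or its sharing section) before this merges, and add a redirect for how-to-manage-settings.md since its "Next steps" was the link into workspace-and-project.md.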
cognitive-services How To Search Edit Delete Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-search-edit-delete-projects.md
- Title: "Legacy: How to search, edit, and delete project - Custom Translator"-
-description: Custom Translator provides various ways to manage your projects in efficient manner. You can create multiple projects, search based on your criteria, edit your projects. Deleting a project is also possible in Custom Translator.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to search, edit, delete projects, so that I can manage my projects effeciently.
-
-# Search, edit, and delete projects
-
-Custom Translator provides multiple ways to manage your projects in efficient manner. You can create many projects, search based on your criteria, and edit your projects. Deleting a project is also possible in Custom Translator.
-
-## Search and filter projects
-
-The filter tool allows you to search projects by different filter conditions. It filters like project name, status, source and target language, and category of the project.
-
-1. Select the **filter button**.
-
- ![Search project](media/how-to/how-to-search-project.png)
-
-2. You can filter by any (or all) of the following fields: project name, source language, target language, category, and project availability.
-
-3. Select **apply**.
-
- ![Search project filter options](media/how-to/how-to-search-project-filters.png)
-
-4. Clear the filter to view all your projects by tapping "Clear".
-
-## Edit a project
-
-Custom Translator gives you the ability to edit the name and description of a project. Other project metadata like the category, source language, and target language aren't available for edit. The steps below describe how to edit a project.
-
-1. Select the **pencil icon** that appears when you hover over a project.
-
- ![Edit project](media/how-to/how-to-edit-project.png)
-
-2. In the dialog, you can modify the project name, the description of the project, the category description, and the project label if no model is deployed. You can't modify the category or language pair once the project is created.
-
- ![Edit project dialog](media/how-to/how-to-edit-project-dialog.png)
-
-3. Select the **Save** button.
-
-## Delete a project
-
-You can delete a project when you no longer need it. Make sure the project doesn't have models in an active state such as deployed, training submitted, data processing, or deploying, otherwise, the delete operation will fail. The following steps describe how to delete a project.
-1. Hover on any project record and select on the **trash bin** icon.
-
- ![Delete project](media/how-to/how-to-delete-project.png)
-
-2. Confirm deletion. Deleting a project will delete all models that were created within that project. Deleting project won't affect your documents.
-
- ![Delete confirmation dialog](media/how-to/how-to-delete-project-confirm.png)
-
-## Next steps
--- [Upload documents](how-to-upload-document.md) to start building your custom translation model.
cognitive-services How To Train Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-train-model.md
- Title: "Legacy: Train a model - Custom Translator"-
-description: How to train and build a custom translation model.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to train, so that I can start start building my custom translation model.
--
-# Train a model
-
-Training a model is the first and most important step to building a translation model, otherwise, model can't be built. Training happens based on documents you select for the trainings. When you select documents of "Training" document type, be mindful of the 10,000 parallel sentences minimum requirement. As you select documents, we display the total number of training sentences to guide you. This requirement doesn't apply when you only select documents of dictionary document type to train a model.
-
-To train a model:
-
-1. Select the project where you want to build a model.
-
-2. The Data tab for the project will show all the relevant documents for the project language pair. Manually select the documents you want to use to train your model. You can select training, tuning, and testing documents from this screen. Also you just select the training set and have Custom Translator create the tuning and test sets for you.
-
- - Document name: Name of the document.
-
- - Pairing: Is this document a parallel or monolingual document? Monolingual documents are currently not supported for training.
-
- - Document type: Can be training, tuning, testing, or dictionary.
-
- - Language pair: This show the source and target language for the project.
-
- - Source sentences: Shows the number of sentences extracted from the source file.
-
- - Target sentences: Shows the number of sentences extracted from the target file.
-
- ![Train model](media/how-to/how-to-train-model.png)
-
-3. Select **Create model** button.
-
-4. On the dialog, specify the name for your model. By default, "Train immediately" is selected to start the training pipeline when you select the **Create model** button. You can select **Save as draft** to create the model metadata and put the model in a draft state but model training wouldn't start. At a later time, you've to manually select models in draft state to train.
-
-5. Select the **Create model** button.
-
- ![Train model dialog](media/how-to/how-to-train-model-2.png)
-
-6. Custom Translator will submit the training, and show the status of the
- training in the models tab.
-
- ![Train model page](media/how-to/how-to-train-model-3.png)
-
->[!Note]
->Custom Translator supports 10 concurrent trainings within a workspace at any point in time.
-
-## Modify a model name
-
-You can modify a model name from the Model Details page.
-
-1. From the projects page, select the project name where the model exists.
-2. Select the model tab.
-3. Select the model name to view the model details.
-4. Select the **pencil icon**.
-
- ![Edit model](media/how-to/how-to-edit-model.png)
-
-5. In the dialog, change the model name and give your model a meaningful name.
-
- ![Edit more dialog](media/how-to/how-to-edit-model-dialog.png)
-
-6. Select **Save**.
-
-## Next steps
--- Learn [how to view a model's details](how-to-view-model-details.md).
cognitive-services How To Upload Document https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-upload-document.md
- Title: "Legacy: How to upload a document - Custom Translator"-
-description: The document upload feature uploads parallel documents (two documents where one is the origin and the other is the translation) into the service.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to know how to upload document, so that I can start uploading my documents to train my model .
--
-# Upload a document
-
-In [Custom Translator](https://portal.customtranslator.azure.ai), you can upload parallel documents to train your translation models. [Parallel documents](what-are-parallel-documents.md) are pairs of documents where one is a translation of the other. One document in the pair contains sentences in the source language and the other document contains sentences translated into the target language.
-
-Before uploading your documents, review the [document formats and naming convention guidance](document-formats-naming-convention.md) to make sure your file format is supported in Custom Translator.
-
-## How to upload document?
-
-From [Custom Translator](https://portal.customtranslator.azure.ai) portal, Select the **Documents** tab to go to documents page.
-
-![Document upload link](media/how-to/how-to-upload-1.png)
-1. Select the **Upload files** button on the documents page.
-
- ![Upload document page](media/how-to/how-to-upload-2.png)
-
-2. On the dialog fill in the following information:
-
- a. Document type:
-
- - Training: document(s) for training set.
- - Tuning: document(s) for tuning set.
- - Testing: document(s) for testing set.
- - Phrase Dictionary: document(s) for phrase dictionary.
- - Sentence Dictionary: document(s) for sentence dictionary
-
- b. Language pair
-
- c. Override document if exists: Select this check box if you want to
- overwrite any existing documents with the same name.
-
- d. Fill in the relevant section for either parallel data or combo data.
-
- - Parallel data:
- - Source file: Select source language file from your local computer.
- - Target file: Select target language file from your local computer.
- - Document name: Used only if you're uploading parallel files.
-
- - Combo data:
- - Combo File: Select the combo file from your local computer. Your combo file has both of your source and target language sentences. [Naming convention](document-formats-naming-convention.md) is important for combo files.
-
- e. Select **Upload**.
-
- ![Upload document dialog](media/how-to/how-to-upload-dialog.png)
-
-3. At this point, we're processing your documents and attempting to extract sentences. You can select **View upload Progress** to check the status of your documents as they process.
-
- ![Upload document processing dialog](media/how-to/how-to-upload-processing-dialog.png)
-
-4. This page will display the status, and any errors for each file within your
- upload. You can view past upload status at any time by selecting the
- **Upload history** tab.
-
- ![Upload document history dialog](media/how-to/how-to-upload-document-history.png)
-## View upload history
-
-In upload history page you can view history of all document uploads details like document type, language pair, upload status etc.
-
-1. From the [Custom Translator](https://portal.customtranslator.azure.ai) portal, select the **Upload History** tab to view history.
-
- ![Upload history tab](media/how-to/how-to-upload-history-1.png)
-
-2. This page shows the status of all of your past uploads. It displays
- uploads from most recent to least recent. For each upload, it shows the document name, upload status, upload date, number of files uploaded, type of file uploaded, and language pairs.
-
- ![Upload history page](media/how-to/how-to-document-history-2.png)
-
-3. Select any upload history record. In upload history details page,
- you can view the uploaded files, upload status of the file, file language, and error messages.
-
-## Next steps
--- Use the [document details page](how-to-view-document-details.md) to review list of extracted sentences.-- [How to train a model](how-to-train-model.md).
cognitive-services How To View Document Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-view-document-details.md
- Title: "Legacy: Document details - Custom Translator"-
-description: The document list page shows the first 10 document in your workspace. For each of the documents, it displays the name, pairing, type, language, upload time stamp, and the email address of the user who uploaded the document.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to view document details, so that I can to review list of extracted sentences in a document.
--
-# View document details
-
-The document list page shows the first 10 document in your workspace. For each
-of the documents, it displays the name, pairing, type, language, upload time
-stamp, and the email address of the user who uploaded the document.
-
-Select an individual document to view the document details page. The document details page displays the list of extracted sentences from the document.
--- By default the "Side-by-side" source and target languages display is selected in the dropdown field, but you can toggle to view sentences in the source or target language.-- 20 sentences are displayed per page by default. You can use the pagination control to browse between pages.-
-![document details](media/how-to/how-to-view-document-details.png)
-
-## Delete a document
-
-User must be a workspace owner to delete document to delete a document. Additionally, if a document is in use by a model, it can't be deleted.
-
-1. Go to document page
-2. Hover on any document record and select the **trash bin** icon.
-
- ![Delete document](media/how-to/how-to-delete-document-1.png)
-
-3. Confirm Delete.
-
- ![Delete confirm](media/how-to/how-to-delete-document-confirm.png)
-
-## Next steps
--- Learn [how to train a model](how-to-train-model.md).
cognitive-services How To View Model Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-view-model-details.md
- Title: "Legacy: View the model details - Custom Translator"-
-description: Models tab under any project shows details of each model such as model name, model status, BLEU score, training, tuning, testing sentence count.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to view the model details, so that I can review details of each translation model.
--
-# View the model details
-
-The Models tab under project shows all models in that project. All models trained for that project are listed in this tab.
-
-For each model in the project, these details are displayed.
-
-1. Model Name: Shows the model name of a given model.
-
-2. Status: Shows status of a given model. Your new training will have a status
- of Submitted until it's accepted. The status will change to Data processing
- while the service evaluates the content of your documents. When the
- evaluation of your documents is complete, the status will change to Running.
- You'll be able the see the number of sentences that are part of the
- training, including the tuning and testing sets that are created for you
- automatically. Below is a list of model status that describes state of the models.
-
- - Submitted: Specifies that the backend is processing the documents for that model.
-
- - TrainingQueued: Specifies that the training is being queued to MT system for that model.
-
- - Running: Specifies that the training is running in MT system for that model.
-
- - Succeeded: Specifies that the training succeeded in MT system and a model is available. In this status, a BLEU score is displayed for that model.
-
- - Deployed: Specifies that the successful trained model is submitted to MT system for deployment.
-
- - Undeploying: Specifies that the deployed model is undeploying.
-
- - Undeployed: Specifies that the undeployment process of a model has been completed successfully.
-
- - Training Failed: Specifies that the training failed. If a training failure occurs, retry the training job. If the error persists, contact us. Don't delete the failed model.
-
- - DataProcessingFailed: Specifies that data processing has failed for one or more documents belonging to the model.
-
- - DeploymentFailed: Specifies that the model deployment has failed.
-
- - MigratedDraft: Specifies that the model is in draft state after migration from Hub to Custom Translator.
-
-3. BLEU Score: shows BLEU (Bilingual Evaluation Understudy) score of the model,
- indicating the quality of your translation system. This score tells you how
- closely the translations done by the translation system resulting from this
- training match the reference sentences in the test data set. The BLEU score appears if training is successfully complete. If training isn't complete/ failed, you won't see any BLEU score.
-
-4. Training Sentence count: Shows total number of sentences used as training
- set.
-
-5. Tuning Sentence count: Shows total number of sentences used as tuning set.
-
-6. Training Sentence count: Shows total number of sentences used as testing
- set.
-
-7. Mono Sentence count: Shows total number of sentences used as mono set.
-
-8. Deploy action button: For a successfully trained model, it shows "Deploy"
- button if not deployed. If a model is deployed, the **Undeploy** button is shown.
-
-9. Delete: You can use this button if you want to delete the model. Deleting a
- model won't delete any of the documents used to create that model.
-
- ![View model details](media/how-to/how-to-view-model-details.png)
-
->[!Note]
->To compare consecutive trainings for the same systems, it is important to keep the tuning set and testing set constant.
-
-## View the model training details
-
-When your training is complete, you can review details about the training from the details page. Select a project, locate and select the models tab, and choose a model.
-
-The model page has two tabs: Training details and Test.
-
-1. **Training Details:** This tab shows the list of document(s) used in the training:
-
- - Documents Name: This field shows the name of the document
-
- - Document Type: This field shows if this document is parallel/ mono.
-
- - Sentence count in source language: This field shows number of sentences are there as part of source language.
-
- - Sentence count in target language: This field shows number of sentences are there as part of target language.
-
- - Aligned Sentences: This field shows number of sentences has been aligned by Custom Translator during align process.
-
- - Used Sentences: This field shows number of sentences has been used by Custom Translator during this training.
-
- ![Model training details](media/how-to/how-to-model-training-details.png)
-
-2. **Test:** This tab shows the test details for a successful training.
-
-## Next steps
--- Review [test results](how-to-view-system-test-results.md) and analyze training results.
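Review bot: the deleted list carries a copy-paste error, item 6 reads "Training Sentence count: Shows total number of sentences used as testing set" when it should be "Testing Sentence count"; if this model-details content is being ported to the new pages, carry the correction over rather than the original wording. The same goes for the status list: "Training Failed" is spelled with a space while every other status value is CamelCase (TrainingQueued, DataProcessingFailed, DeploymentFailed), so verify the exact strings the service returns before reproducing them.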
cognitive-services How To View System Test Results https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to-view-system-test-results.md
- Title: "Legacy: View system test results and deployment - Custom Translator"-
-description: When your training is successful, review system tests to analyze your training results. If you're satisfied with the training results, place a deployment request for the trained model.
---- Previously updated : 12/06/2021---
-#Customer intent: As a Custom Translator user, I want to understand how to view system test results, so that I can review test results and analyze my training.
--
-# View system test results
-
-When your training is successful, review system tests to analyze your training results. If you're satisfied with the training results, place a deployment request for the trained model.
-
-## System test results page
-
-Select a project, then select the models tab of that project, locate the model you want to use and finally select the test tab.
-
-The test tab shows you:
-
-1. **System Test Results:** The result of the test process in the trainings. The test process produces the BLEU score.
-
- **Sentence Count:** How many parallel sentences were used in the test set.
-
- **BLEU Score:** BLEU score generated for a model after training completion.
-
- **Status:** Indicates if the test process is complete or in progress.
-
- ![System test results](media/how-to/how-to-system-test-results.png)
-
-2. Select the System test results, and that will take you to test result details page. This page shows the machine translation of sentences that were part of the test dataset.
-
-3. The table on the test result details page has two columns - one for each
- language in the pair. The column for the source language shows the sentence
- to be translated. The column for the target language contains two sentences
- in each row.
-
- **Ref:** This sentence is the reference translation of the source sentence as given in the test dataset.
-
- **MT:** This sentence is the automatic translation of the source sentence done by the model built after the training was conducted.
-
- ![System test results compare](media/how-to/how-to-system-test-results-2.png)
-
-## Download test
-
-Select the **Download Translations** link to download a zip file. The zip contains the
-machine translations of source sentences in the test data set.
-
-![Download test](media/how-to/how-to-system-test-download.png)
-
-This downloaded zip archive contains three files.
-
-1. **custom.mt.txt:** This file contains machine translations of source language sentences in
- the target language done by the model trained with user's data.
-
-1. **ref.txt:** This file contains user provided translations of source language sentences in
- the target language.
-
-1. **source.txt:** This file contains sentences in the source language.
-
- ![Downloaded system test results](media/how-to/how-to-download-system-test.png)
-
-## Deploy a model
-
-To request a deployment:
-
-1. Select a project, go to Models tab.
-
-1. For a successfully trained model, it shows "Deploy" button, if not deployed.
-
- ![Screenshot that highlights the Deploy button for deploying a model.](media/how-to/how-to-deploy-model.png)
-
-1. Select **Deploy**.
-1. Select **Deployed** for the region(s) where you want your model to be deployed, and select **Save**. You can select **Deployed** for multiple regions.
-
- ![Screenshot that shows where you can deploy or undeploy a model.](media/how-to/how-to-deploy-model-regions.png)
-
-1. You can view the status of your model in the "Status" column.
-
->[!Note]
->Custom Translator supports 10 deployed models within a workspace at any point in time.
-
-## Update deployment settings
-
-To update deployment settings:
-
-1. Select a project, and go to the **Models** tab.
-
-1. For a successfully deployed model, it shows an **Update** button.
-
- ![Screenshot that highlights the Update button for updating deployment settings.](media/how-to/how-to-update-undeploy-model.png)
-
-1. Select **Update**.
-
-1. Select **Deployed** or **Undeployed** for the region(s) where you want your model deployed or undeployed, then select **Save**.
-
- ![Deploy model](media/how-to/how-to-undeploy-model.png)
-
->[!Note]
->If you select **Undeployed** for all regions, the model is undeployed from all regions, and put into an undeployed state. It's now unavailable for use.
-
-## Next steps
--- Start using your deployed custom translation model via [Microsoft Translator Text API V3](../reference/v3-0-translate.md?tabs=curl).-- Learn [how to manage settings](how-to-manage-settings.md) to share your workspace, manage key.
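Review bot: removing this page drops two things that do not reappear in the new how-to pages in this change set: the limit stated in `>Custom Translator supports 10 deployed models within a workspace at any point in time.` and the Next steps link to `how-to-manage-settings.md`. Confirm the deployed-model limit is carried into the new publish-model page and add a redirect from the old URL to its replacement so existing bookmarks do not 404.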
cognitive-services Create Manage Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/create-manage-project.md
+
+ Title: Create and manage a project
+
+description: How to create and manage a project in the Azure Cognitive Services Custom Translator.
++++ Last updated : 11/04/2022++++
+# Create and manage a project
+
+A project contains translation models for one language pair. Each project includes all documents that were uploaded into that workspace with the correct language pair.
+
+Creating a project is the first step in building and publishing a model.
+
+## Create a project
+
+1. After you sign in, your default workspace is loaded. To create a project in different workspace, select **My workspaces**, then select a workspace name.
+
+1. Select **Create project**.
+
+1. Enter the following details about your project in the creation dialog:
+
+ - **Project name (required):** Give your project a unique, meaningful name. It's not necessary to mention the languages within the title.
+
+ - **Language pair (required):** Select the source and target languages from the dropdown list
+
+ - **Domain (required):** Select the domain from the dropdown list that's most appropriate for your project. The domain describes the terminology and style of the documents you intend to translate.
+
+ >[!Note]
+ >Select **Show advanced options** to add project label, project description, and domain description
+
+ - **Project label:** The project label distinguishes between projects with the same language pair and domain. As a best practice, here are a few tips:
+
+ - Use a label *only* if you're planning to build multiple projects for the same language pair and same domain and want to access these projects with a different Domain ID.
+
+ - Don't use a label if you're building systems for one domain only.
+
+ - A project label isn't required and not helpful to distinguish between language pairs.
+
+ - You can use the same label for multiple projects.
+
+ - **Project description:** A short summary about the project. This description has no influence over the behavior of the Custom Translator or your resulting custom system, but can help you differentiate between different projects.
+
+ - **Domain description:** Use this field to better describe the particular field or industry in which you're working. or example, if your category is medicine, you might add details about your subfield, such as surgery or pediatrics. The description has no influence over the behavior of the Custom Translator or your resulting custom system.
+
+1. Select **Create project**.
+
+ :::image type="content" source="../media/how-to/create-project-dialog.png" alt-text="Screenshot illustrating the create project fields.":::
+
+## Edit a project
+
+To modify the project name, project description, or domain description:
+
+1. Select the workspace name.
+
+1. Select the project name, for example, *English-to-German*.
+
+1. The **Edit and Delete** buttons should now be visible.
+
+ :::image type="content" source="../media/how-to/edit-project-dialog-1.png" alt-text="Screenshot illustrating the edit project fields":::
+
+1. Select **Edit** and fill in or modify existing text.
+
+ :::image type="content" source="../media/how-to/edit-project-dialog-2.png" alt-text="Screenshot illustrating detailed edit project fields.":::
+
+1. Select **Edit project** to save.
+
+## Delete a project
+
+1. Follow the [**Edit a project**](#edit-a-project) steps 1-3 above.
+
+1. Select **Delete** and read the delete message before you select **Delete project** to confirm.
+
+ :::image type="content" source="../media/how-to/delete-project-1.png" alt-text="Screenshot illustrating delete project fields.":::
+
+ >[!Note]
+ >If your project has a published model or a model that is currently in training, you will only be able to delete your project once your model is no longer published or training.
+ >
+ > :::image type="content" source="../media/how-to/delete-project-2.png" alt-text="Screenshot illustrating the unable to delete message.":::
+
+## Next steps
+
+- Learn [how to manage project documents](create-manage-training-documents.md).
+- Learn [how to train a model](train-custom-model.md).
+- Learn [how to test and evaluate model quality](test-your-model.md).
+- Learn [how to publish model](publish-model.md).
+- Learn [how to translate with custom models](translate-with-custom-model.md).
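Review bot: typo in the Domain description bullet: `or example, if your category is medicine` should read `For example, if your category is medicine`. Also, the Project label tips refer to a `Domain ID`, while the other pages in this change set (model details, translate-with-custom-model) call the request value `Category ID`; use one term so readers can connect the label to the value they pass in the `category` query parameter.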
cognitive-services Create Manage Training Documents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/create-manage-training-documents.md
+
+ Title: Build and upload training documents
+
+description: How to build and upload parallel documents (two documents where one is the origin and the other is the translation) using Custom Translator.
++++ Last updated : 11/04/2022++++
+# Build and manage training documents
+
+[Custom Translator](../overview.md) enables you to build translation models that reflect your business, industry, and domain-specific terminology and style. Training and deploying a custom model is easy and doesn't require any programming skills. Custom Translator allows you to upload parallel files, translation memory files, or zip files.
+
+[Parallel documents](../what-are-parallel-documents.md) are pairs of documents where one (target) is a translation of the other (source). One document in the pair contains sentences in the source language and the other document contains those sentences translated into the target language.
+
+Before uploading your documents, review the [document formats and naming convention guidance](../document-formats-naming-convention.md) to make sure your file format is supported by Custom Translator.
+
+## How to create document sets
+
+Finding in-domain quality data is often a challenging task that varies based on user classification. Here are some questions you can ask yourself as you evaluate what data may be available to you:
+
+- Enterprises often have a wealth of translation data that has accumulated over many years of using human translation. Does your company have previous translation data available that you can use?
+
+- Do you have a vast amount of monolingual data? Monolingual data is data in only one language. If so, can you get translations for this data?
+
+- Can you crawl online portals to collect source sentences and synthesize target sentences?
+
+### Training material for each document types
+
+| Source | What it does | Rules to follow |
+||||
+| Bilingual training documents | Teaches the system your terminology and style. | **Be liberal**. Any in-domain human translation is better than machine translation. Add and remove documents as you go and try to improve the [BLEU score](../concepts/bleu-score.md?WT.mc_id=aiml-43548-heboelma). |
+| Tuning documents | Trains the Neural Machine Translation parameters. | **Be strict**. Compose them to be optimally representative of what you are going to translation in the future. |
+| Test documents | Calculate the [BLEU score](../beginners-guide.md#what-is-a-bleu-score).| **Be strict**. Compose test documents to be optimally representative of what you plan to translate in the future. |
+| Phrase dictionary | Forces the given translation 100% of the time. | **Be restrictive**. A phrase dictionary is case-sensitive and any word or phrase listed is translated in the way you specify. In many cases, it's better to not use a phrase dictionary and let the system learn. |
+| Sentence dictionary | Forces the given translation 100% of the time. | **Be strict**. A sentence dictionary is case-insensitive and good for common in domain short sentences. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If only a portion of the sentence matches, the entry won't match. |
+
+## How to upload documents
+
+Document types are associated with the language pair selected when you create a project.
+
+1. Sign-in to [Custom Translator](https://portal.customtranslator.azure.ai) portal. Your default workspace is loaded and a list of previously created projects are displayed.
+
+1. Select the desired project **Name**. By default, the **Manage documents** blade is selected and a list of previously uploaded documents is displayed.
+
+1. Select **Add document set** and choose the document type:
+
+ - Training set
+ - Testing set
+ - Tuning set
+ - Dictionary set:
+ - Phrase Dictionary
+ - Sentence Dictionary
+
+1. Select **Next**.
+
+ :::image type="content" source="../media/how-to/upload-1.png" alt-text="Screenshot illustrating the document upload link.":::
+
+ >[!Note]
+ >Choosing **Dictionary set** launches **Choose type of dictionary** dialog.
+ >Choose one and select **Next**
+
+1. Select your documents format from the radio buttons.
+
+ :::image type="content" source="../media/how-to/upload-2.png" alt-text="Screenshot illustrating the upload document page.":::
+
+ - For **Parallel documents**, fill in the `Document set name` and select **Browse files** to select source and target documents.
+ - For **Translation memory (TM)** file or **Upload multiple sets with ZIP**, select **Browse files** to select the file
+
+1. Select **Upload**.
+
+At this point, Custom Translator is processing your documents and attempting to extract sentences as indicated in the upload notification. Once done processing, you'll see the upload successful notification.
+
+ :::image type="content" source="../media/quickstart/document-upload-notification.png" alt-text="Screenshot illustrating the upload document processing dialog window.":::
+
+## View upload history
+
+In workspace page you can view history of all document uploads details like document type, language pair, upload status etc.
+
+1. From the [Custom Translator](https://portal.customtranslator.azure.ai) portal workspace page,
+ click Upload History tab to view history.
+
+ :::image type="content" source="../media/how-to/upload-history-tab.png" alt-text="Screenshot showing the upload history tab.":::
+
+2. This page shows the status of all of your past uploads. It displays
+ uploads from most recent to least recent. For each upload, it shows the document name, upload status, the upload date, the number of files uploaded, type of file uploaded, the language pair of the file, and created by. You can use Filter to quickly find documents by name, status, language, and date range.
+
+ :::image type="content" source="../media/how-to/upload-history-page.png" alt-text="Screenshot showing the upload history page.":::
+
+3. Click on any upload history record. In upload history details page,
+ you can view the files uploaded as part of the upload, uploaded status of the file, language of the file and error message (if there is any error in upload).
+
+## Next steps
+
+- Learn [how to train a model](train-custom-model.md).
+- Learn [how to test and evaluate model quality](test-your-model.md).
+- Learn [how to publish model](publish-model.md).
+- Learn [how to translate with custom models](translate-with-custom-model.md).
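Review bot: the Tuning documents row of the table says `what you are going to translation in the future`; it should read `translate`. Also, the heading `### Training material for each document types` should be `document type`, and the first upload step (`Sign-in to ... a list of previously created projects are displayed`) should read `Sign in to ... is displayed`.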
cognitive-services Create Manage Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/create-manage-workspace.md
+
+ Title: Create and manage a workspace
+
+description: How to create and manage workspaces
++++ Last updated : 11/04/2022+++++
+# Create and manage a workspace
+
+ Workspaces are places to manage your documents, projects, and models. When you create a workspace, you can choose to use the workspace independently, or share it with teammates to divide up the work.
+
+## Create workspace
+
+1. After you sign in to Custom Translator, you'll be asked for permission to read your profile from the Microsoft identity platform to request your user access token and refresh token. Both tokens are needed for authentication and to ensure that you aren't signed out during your live session or while training your models. </br>Select **Yes**.
+
+ :::image type="content" source="../media/quickstart/first-time-user.png" alt-text="Screenshot illustrating first-time sign-in.":::
+
+1. Select **My workspaces**
+
+1. Select **Create a new workspace**
+
+1. Type a **Workspace name** and select **Next**
+
+1. Select "Global" for **Select resource region** from the dropdown list.
+
+1. Copy/paste your Translator Services key.
+
+1. Select **Next**.
+
+1. Select **Done**
+
+ > [!NOTE]
+ > Region must match the region that was selected during the resource creation. You can use **KEY 1** or **KEY 2**.
+
+ > [!NOTE]
+ > All uploaded customer content, custom model binaries, custom model configurations, and training logs are kept encrypted-at-rest in the selected region.
+
+ :::image type="content" source="../media/quickstart/resource-key.png" alt-text="Screenshot illustrating the resource key.":::
+
+ :::image type="content" source="../media/quickstart/create-workspace-1.png" alt-text="Screenshot illustrating workspace creation.":::
+
+## Manage workspace settings
+
+Select a workspace and navigate to **Workspace settings**. You can manage the following workspace settings:
+
+* Change the resource key for global regions. If you're using a regional specific resource, you can't change your resource key.
+
+* Change the workspace name.
+
+* [Share the workspace with others](#share-workspace-for-collaboration).
+
+* Delete the workspace.
+
+### Share workspace for collaboration
+
+The person who created the workspace is the owner. Within **Workspace settings**, an owner can designate three different roles for a collaborative workspace:
+
+* **Owner**. An owner has full permissions within the workspace.
+
+* **Editor**. An editor can add documents, train models, and delete documents and projects. They can't modify who the workspace is shared with, delete the workspace, or change the workspace name.
+
+* **Reader**. A reader can view (and download if available) all information in the workspace.
+
+> [!NOTE]
+> The Custom Translator workspace sharing policy has changed. For additional security measures, you can share a workspace only with people who have recently signed in to the Custom Translator portal.
+
+1. Select **Share**.
+
+1. Complete the **email address** field for collaborators.
+
+1. Select **role** from the dropdown list.
+
+1. Select **Share**.
+++
+### Remove somebody from a workspace
+
+1. Select **Share**.
+
+2. Select the **X** icon next to the **Role** and email address that you want to remove.
++
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to manage projects](create-manage-project.md)
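Review bot: step 5 (`Select "Global" for **Select resource region**`) contradicts the note that follows it (`Region must match the region that was selected during the resource creation`), and the settings section then says a regional resource's key cannot be changed; state when Global is the right choice, what to pick for a regional resource, and how a regional workspace recovers after the key it was created with is rotated, since the note presents KEY 1 and KEY 2 as interchangeable, which is exactly what rotation relies on. The role list should also say which roles can view or change the stored resource key: `A reader can view (and download if available) all information in the workspace` can be read as including the key, which grants billable access to the Translator resource, and the Editor description does not say whether editors can publish models.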
cognitive-services Publish Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/publish-model.md
+
+ Title: Publish a custom model
+
+description: This article explains how to publish a custom model using the Azure Cognitive Services Custom Translator.
++++ Last updated : 11/04/2022+++
+# Publish a custom model
+
+Publishing your model makes it available for use with the Translator API. A project might have one or many successfully trained models. You can only publish one model per project; however, you can publish a model to one or multiple regions depending on your needs. For more information, see [Translator pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/#pricing).
+
+## Publish your trained model
+
+You can publish one model per project to one or multiple regions.
+1. Select the **Publish model** blade.
+
+1. Select *en-de with sample data* and select **Publish**.
+
+1. Check the desired region(s).
+
+1. Select **Publish**. The status should transition from _Deploying_ to _Deployed_.
+
+ :::image type="content" source="../media/quickstart/publish-model.png" alt-text="Screenshot illustrating the publish model blade.":::
+
+## Replace a published model
+
+To replace a published model, you can exchange the published model with a different model in the same region(s):
+
+1. Select the replacement model.
+
+1. Select **Publish**.
+
+1. Select **publish** once more in the **Publish model** dialog window.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to translate with custom models](../quickstart.md)
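Review bot: step 2 (`Select *en-de with sample data* and select **Publish**`) names a model that exists only in the quickstart; in a how-to it should tell the reader to select the trained model they want to publish. Also, the status text in step 4 (`_Deploying_` to `_Deployed_`) and the lowercase `select **publish**` in the replace section do not match the page's Publish terminology, and the Next steps link labelled "translate with custom models" points at `../quickstart.md` while the other new pages link to `translate-with-custom-model.md`.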
cognitive-services Test Your Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/test-your-model.md
+
+ Title: View custom model details and test translation
+
+description: How to test your custom model BLEU score and evaluate translations
++++ Last updated : 11/04/2022+++
+# Test your model
+
+Once your model has successfully trained, you can use translations to evaluate the quality of your model. In order to make an informed decision about whether to use our standard model or your custom model, you should evaluate the delta between your custom model [**BLEU score**](#bleu-score) and our standard model **Baseline BLEU**. If your models have been trained on a narrow domain, and your training data is consistent with the test data, you can expect a high BLEU score.
+
+## BLEU score
+
+BLEU (Bilingual Evaluation Understudy) is an algorithm for evaluating the precision or accuracy of text that has been machine translated from one language to another. Custom Translator uses the BLEU metric as one way of conveying translation accuracy.
+
+A BLEU score is a number between zero and 100. A score of zero indicates a low-quality translation where nothing in the translation matched the reference. A score of 100 indicates a perfect translation that is identical to the reference. It's not necessary to attain a score of 100ΓÇöa BLEU score between 40 and 60 indicates a high-quality translation.
+
+[Read more](../concepts/bleu-score.md?WT.mc_id=aiml-43548-heboelma)
+
+## Model details
+
+1. Select the **Model details** blade.
+
+1. Select the model name. Review the training date/time, total training time, number of sentences used for training, tuning, testing, and dictionary. Check whether the system generated the test and tuning sets. You'll use the `Category ID` to make translation requests.
+
+1. Evaluate the model [BLEU](../beginners-guide.md#what-is-a-bleu-score) score. Review the test set: the **BLEU score** is the custom model score and the **Baseline BLEU** is the pre-trained baseline model used for customization. A higher **BLEU score** means there's high translation quality using the custom model.
+
+ :::image type="content" source="../media/quickstart/model-details.png" alt-text="Screenshot illustrating the model detail.":::
+
+## Test quality of your model's translation
+
+1. Select **Test model** blade.
+
+1. Select model **Name**.
+
+1. Human evaluate translation from your **Custom model** and the **Baseline model** (our pre-trained baseline used for customization) against **Reference** (target translation from the test set).
+
+1. If you're satisfied with the training results, place a deployment request for the trained model.
+
+## Next steps
+
+- Learn [how to publish/deploy a custom model](publish-model.md).
+- Learn [how to translate documents with a custom model](translate-with-custom-model.md).
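Review bot: the BLEU paragraph contains mojibake, `a score of 100ΓÇöa BLEU score between 40 and 60`, where an em dash was mis-encoded; replace it with a plain dash or split the sentence. Also, the last step (`place a deployment request for the trained model`) uses the retired deployment wording while Next steps links to publishing; say `publish` here as well.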
cognitive-services Train Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/train-custom-model.md
+
+ Title: Train model
+
+description: How to train a custom model
++++ Last updated : 11/04/2022+++
+# Train a custom model
+
+A model provides translations for a specific language pair. The outcome of a successful training is a model. To train a custom model, three mutually exclusive document types are required: training, tuning, and testing. If only training data is provided when queuing a training, Custom Translator will automatically assemble tuning and testing data. It will use a random subset of sentences from your training documents, and exclude these sentences from the training data itself. A minimum of 10,000 parallel training sentences are required to train a full model.
+
+## Create model
+
+1. Select the **Train model** blade.
+
+1. Type the **Model name**.
+
+1. Keep the default **Full training** selected or select **Dictionary-only training**.
+
+ >[!Note]
+ >Full training displays all uploaded document types. Dictionary-only displays dictionary documents only.
+
+1. Under **Select documents**, select the documents you want to use to train the model, for example, `sample-English-German` and review the training cost associated with the selected number of sentences.
+
+1. Select **Train now**.
+
+1. Select **Train** to confirm.
+
+ >[!Note]
+ >**Notifications** displays model training in progress, e.g., **Submitting data** state. Training model takes few hours, subject to the number of selected sentences.
+
+ :::image type="content" source="../media/quickstart/train-model.png" alt-text="Screenshot illustrating the train model blade.":::
+
+## When to select dictionary-only training
+
+For better results, we recommended letting the system learn from your training data. However, when you don't have enough parallel sentences to meet the 10,000 minimum requirements, or sentences and compound nouns must be rendered as-is, use dictionary-only training. Your model will typically complete training much faster than with full training. The resulting models will use the baseline models for translation along with the dictionaries you've added. You won't see BLEU scores or get a test report.
+
+> [!Note]
+>Custom Translator doesn't sentence-align dictionary files. Therefore, it is important that there are an equal number of source and target phrases/sentences in your dictionary documents and that they are precisely aligned. If not, the document upload will fail.
+
+## Model details
+
+1. After successful model training, select the **Model details** blade.
+
+1. Select the **Model Name** to review training date/time, total training time, number of sentences used for training, tuning, testing, dictionary, and whether the system generated the test and tuning sets. You'll use `Category ID` to make translation requests.
+
+1. Evaluate the model [BLEU score](../beginners-guide.md#what-is-a-bleu-score). Review the test set: the **BLEU score** is the custom model score and the **Baseline BLEU** is the pre-trained baseline model used for customization. A higher **BLEU score** means higher translation quality using the custom model.
+
+ :::image type="content" source="../media/quickstart/model-details.png" alt-text="Screenshot illustrating model details fields.":::
+
+## Duplicate model
+
+1. Select the **Model details** blade.
+
+1. Hover over the model name and check the selection button.
+
+1. Select **Duplicate**.
+
+1. Fill in **New model name**.
+
+1. Keep **Train immediately** checked if no further data will be selected or uploaded, otherwise, check **Save as draft**
+
+1. Select **Save**
+
+ > [!Note]
+ >
+ > If you save the model as `Draft`, **Model details** is updated with the model name in `Draft` status.
+ >
+ > To add more documents, select on the model name and follow `Create model` section above.
+
+ :::image type="content" source="../media/how-to/duplicate-model.png" alt-text="Screenshot illustrating the duplicate model blade.":::
+
+## Next steps
+
+- Learn [how to test and evaluate model quality](test-your-model.md).
+- Learn [how to publish model](publish-model.md).
+- Learn [how to translate with custom models](translate-with-custom-model.md).
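Review bot: the intro says `three mutually exclusive document types are required: training, tuning, and testing` and then says Custom Translator assembles tuning and testing data automatically when only training data is provided; only training data is actually required, so reword the first sentence. Smaller fixes: `we recommended letting the system learn` should be `we recommend`, `Training model takes few hours` should be `takes a few hours`, and `select on the model name` should be `select the model name`.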
cognitive-services Translate With Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/how-to/translate-with-custom-model.md
+
+ Title: Translate text with a custom model
+
+description: How to make translation requests using custom models published with the Azure Cognitive Services Custom Translator.
++++ Last updated : 11/04/2022+++
+# Translate text with a custom model
+
+After you publish your custom model, you can access it with the Translator API by using the `Category ID` parameter.
+
+## How to translate
+
+1. Use the `Category ID` when making a custom translation request via Microsoft Translator [Text API V3](../../reference/v3-0-translate.md?tabs=curl). The `Category ID` is created by concatenating the WorkspaceID, project label, and category code. Use the `CategoryID` with the Text Translator API to get custom translations.
+
+ ```http
+ https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=de&category=a2eb72f9-43a8-46bd-82fa-4693c8b64c3c-TECH
+
+ ```
+
+ More information about the Translator Text API can be found on the [Translator API Reference](../../reference/v3-0-translate.md) page.
+
+1. You may also want to download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslation/releases).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn more about building and publishing custom models](../beginners-guide.md)
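Review bot: the `http` block shows a bare URL rather than a request: a Text API call needs the subscription key (the `Ocp-Apim-Subscription-Key` header) and a JSON body with the text to translate, and neither is shown, so a reader copying it gets an authentication failure. The paragraph also says the value is `WorkspaceID, project label, and category code` concatenated, but the sample `...c8b64c3c-TECH` has no label segment; either show a sample with a label or state that the label is omitted when none is set. Minor: `Category ID` and `CategoryID` appear in the same sentence, and the GUID in the sample should be an obvious placeholder since a real Category ID embeds a real workspace ID.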
cognitive-services Key Terms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/key-terms.md
Previously updated : 12/06/2021 Last updated : 11/01/2022
-#Customer intent: As a Custom Translator user, I want to review and understand the terms in multiple articles.
# Custom Translator key terms
The following table presents a list of key terms that you may find as you work w
| Word Breaking/ Unbreaking | Word breaking is the function of marking the boundaries between words. Many writing systems use a space to denote the boundary between words. Word unbreaking refers to the removal of any visible marker that may have been inserted between words in a preceding step. | | Delimiters | Delimiters are the ways that a sentence is divided up into segments or delimit the margin between sentences. For instance, in English spaces delimit words, colons, and semi-colons delimit clauses and periods delimit sentences. | | Training Files | A training file is used to teach the machine translation system how to map from one language (the source) to a target language (the target). The more data you provide, the better the system will perform. |
-| Tuning Files | These files are often randomly derived from the training set (if you don't select a tuning set). The sentences are autoselected and used to tune the system and ensure that it is functioning properly. If you wish to create a general-purpose translation model and create your own tuning files, make sure they're a random set of sentences across domains |
-| Testing Files| These files are often derived files, randomly selected from the training set (if you do not select any test set). The purpose of these sentences is to evaluate the translation model's accuracy. Since these sentences are ones you want to make sure the system accurately translates, you may wish to create a testing set and upload it to the translator. Doing so will ensure that these sentences are used in the system's evaluation (the generation of a BLEU score). |
+| Tuning Files | These files are often randomly derived from the training set (if you don't select a tuning set). The sentences are autoselected and used to tune the system and ensure that it's functioning properly. If you wish to create a general-purpose translation model and create your own tuning files, make sure they're a random set of sentences across domains |
+| Testing Files| These files are often derived files, randomly selected from the training set (if you don't select any test set). The purpose of these sentences is to evaluate the translation model's accuracy. To make sure the system accurately translates these sentences, you may wish to create a testing set and upload it to the translator. Doing so will ensure that the sentences are used in the system's evaluation (the generation of a BLEU score). |
| Combo file | A type of file in which the source and translated sentences are contained in the same file. Supported file formats (TMX, XLIFF, XLF, ICI, and XLSX). | | Archive file | A file that contains other files. Supported file formats (zip, gz, tgz). |
-| BLEU Score | [BLEU](what-is-bleu-score.md) is the industry standard method for evaluating the "precision" or accuracy of the translation model. Though other methods of evaluation exist, Microsoft Translator relies BLEU method to report accuracy to Project Owners.
+| BLEU Score | [BLEU](concepts/bleu-score.md) is the industry standard method for evaluating the "precision" or accuracy of the translation model. Though other methods of evaluation exist, Microsoft Translator relies BLEU method to report accuracy to Project Owners.
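Review bot: the BLEU Score row still reads `Microsoft Translator relies BLEU method`; since the row is already being edited to fix the link, change it to `relies on the BLEU method` in the same change. The Tuning Files row also still ends without a period (`...across domains |`).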
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/overview.md
Previously updated : 02/25/2022 Last updated : 11/04/2022 # What is Custom Translator?
-Custom Translator is a feature of the Microsoft Translator service, which enables Translator enterprises, app developers, and language service providers to build customized neural machine translation (NMT) systems. The customized translation systems seamlessly integrate into existing applications, workflows, and websites.
+Custom Translator is a feature of the Microsoft Translator service, which enables enterprises, app developers, and language service providers to build customized neural machine translation (NMT) systems. The customized translation systems seamlessly integrate into existing applications, workflows, and websites.
-Translation systems built with [Custom Translator](https://portal.customtranslator.azure.ai) are available through the same cloud-based, secure, high performance, highly scalable Microsoft Translator [Text API V3](../reference/v3-0-translate.md?tabs=curl) that powers billions of translations every day.
+Translation systems built with [Custom Translator](https://portal.customtranslator.azure.ai) are available through Microsoft Translator [Microsoft Translator Text API V3](../reference/v3-0-translate.md?tabs=curl), the same cloud-based, secure, high performance system powering billions of translations every day.
The platform enables users to build and publish custom translation systems to and from English. Custom Translator supports more than three dozen languages that map directly to the languages available for NMT. For a complete list, *see* [Translator language support](../language-support.md). This documentation contains the following article types:
-* [**Quickstarts**](./v2.0/quickstart.md) are getting-started instructions to guide you through making requests to the service.
-* [**How-to guides**](./v2.0/how-to/create-manage-workspace.md) contain instructions for using the feature in more specific or customized ways.
+* [**Quickstarts**](./quickstart.md) are getting-started instructions to guide you through making requests to the service.
+* [**How-to guides**](./how-to/create-manage-workspace.md) contain instructions for using the feature in more specific or customized ways.
## Features
Custom Translator provides different features to build custom translation system
|Feature |Description | ||| |[Apply neural machine translation technology](https://www.microsoft.com/translator/blog/2016/11/15/microsoft-translator-launching-neural-network-based-translations-for-all-its-speech-languages/) | Improve your translation by applying neural machine translation (NMT) provided by Custom translator. |
-|[Build systems that knows your business terminology](./v2.0/beginners-guide.md) | Customize and build translation systems using parallel documents that understand the terminologies used in your own business and industry. |
-|[Use a dictionary to build your models](./v2.0/how-to/train-custom-model.md#when-to-select-dictionary-only-training) | If you don't have training data set, you can train a model with only dictionary data. |
-|[Collaborate with others](./v2.0/how-to/create-manage-workspace.md#manage-workspace-settings) | Collaborate with your team by sharing your work with different people. |
-|[Access your custom translation model](./v2.0/how-to/translate-with-custom-model.md) | Your custom translation model can be accessed anytime by your existing applications/ programs via Microsoft Translator Text API V3. |
+|[Build systems that knows your business terminology](./beginners-guide.md) | Customize and build translation systems using parallel documents that understand the terminologies used in your own business and industry. |
+|[Use a dictionary to build your models](./how-to/train-custom-model.md#when-to-select-dictionary-only-training) | If you don't have training data set, you can train a model with only dictionary data. |
+|[Collaborate with others](./how-to/create-manage-workspace.md#manage-workspace-settings) | Collaborate with your team by sharing your work with different people. |
+|[Access your custom translation model](./how-to/translate-with-custom-model.md) | Your custom translation model can be accessed anytime by your existing applications/ programs via Microsoft Translator Text API V3. |
## Get better translations
You can use previously translated documents to build a translation system. These
Custom Translator also accepts data that's parallel at the document level to make data collection and preparation more effective. If users have access to versions of the same content in multiple languages but in separate documents, Custom Translator will be able to automatically match sentences across documents.
-If the appropriate type and amount of training data is supplied, it's not uncommon to see [BLEU score](what-is-bleu-score.md) gains between 5 and 10 points by using Custom Translator.
+If the appropriate type and amount of training data is supplied, it's not uncommon to see [BLEU score](concepts/bleu-score.md) gains between 5 and 10 points by using Custom Translator.
## Be productive and cost effective
Custom systems can be seamlessly accessed and integrated into any product or bus
* Read about [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/).
-* With [Quickstart](./v2.0/quickstart.md) learn to build a translation model in Custom Translator.
+* With [Quickstart](./quickstart.md) learn to build a translation model in Custom Translator.
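Review bot: the rewritten sentence at `+Translation systems built with [Custom Translator]...` now reads "available through Microsoft Translator [Microsoft Translator Text API V3](...)", repeating the product name; drop the first "Microsoft Translator" so it reads "available through the [Microsoft Translator Text API V3](...)". While the feature-table links are being repointed from `./v2.0/...` to `./...`, two grammar slips in the same rows should go too: "Build systems that knows your business terminology" should be "know", and "If you don't have training data set" should be "a training data set". The overview still says "build and publish custom translation systems to and from English" but the release notes in this same change list only English-paired languages, so that sentence is accurate; just confirm `../language-support.md` marks which languages are Custom Translator capable, since the overview defers to it.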
cognitive-services Quickstart Build Deploy Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/quickstart-build-deploy-custom-model.md
- Title: "Legacy: Quickstart - Build, deploy, and use a custom model"-
-description: A step-by-step guide to building a translation system using the Custom Translator Legacy.
---- Previously updated : 04/26/2022---
-#Customer intent: As a user, I want to understand how to use Custom Translator so that I can build, deploy, and use a custom model for translation.
-
-# Quickstart: Build, deploy, and use a custom model for translation
-
-This article provides step-by-step instructions to build a translation system with Custom Translator.
-
-## Prerequisites
-
-1. To use the [Custom Translator](https://portal.customtranslator.azure.ai)
- Portal, you'll need a [Microsoft account](https://signup.live.com) or [Azure AD account](../../../active-directory/fundamentals/active-directory-whatis.md)
- (organization account hosted on Azure) to sign in.
-
-2. A subscription to the Translator Text API via the Azure portal. You'll need the Translator Text API key to associate with your workspace in Custom Translator. See [how to sign up for the Translator Text API](../how-to-create-translator-resource.md).
-
-3. When you've both of the above, sign in to the
- [Custom Translator](https://portal.customtranslator.azure.ai) portal to create workspaces, projects, upload files and create/deploy models.
-
-You can read an overview of translation and custom translation, learn some tips, and watch a getting started video in the [Azure AI technical blog](https://techcommunity.microsoft.com/t5/azure-ai/customize-a-translation-to-make-sense-in-a-specific-context/ba-p/2811956).
-
-You can also view a full, start to finish walkthrough video of Custom Translator on [YouTube](https://www.youtube.com/watch?v=TykB6WDTkRc&t=3s).
-
->[!Note]
->Custom Translator does not support creating workspace for Translator Text API resource that was created inside [Enabled VNET](../../../api-management/api-management-using-with-vnet.md).
-
-## Create a workspace
-
-If you're first-time user, you'll be asked to agree to the Terms of Service to create a workspace associated with your Microsoft Translator Text API subscription.
-
-![Create workspace](media/quickstart/terms-of-service.png)
-![Create workspace image 1](media/quickstart/create-workspace-1.png)
-![Create workspace image 2](media/quickstart/create-workspace-2.png)
-![Create workspace image 3](media/quickstart/create-workspace-3.png)
-![Create workspace image 4](media/quickstart/create-workspace-4.png)
-![Create workspace image 5](media/quickstart/create-workspace-5.png)
-![Create workspace image 6](media/quickstart/create-workspace-6.png)
-
-On subsequent visits to the Custom Translator portal, navigate to the Settings page. There you can manage your workspace, create more workspaces, associate your Microsoft Translator Text API key with your workspaces, add co-owners, and change a key.
-
-## Create a project
-
-On the Custom Translator portal landing page, select **New Project**. On the dialog you can enter your desired project name, language pair, category, and other relevant field information. Then, save
-your project. For more details, visit [Create Project](how-to-create-project.md).
-
-![Create project](media/how-to/how-to-create-project.png)
-## Upload documents
-
-Next, upload [training](training-and-model.md#training-document-type-for-custom-translator), [tuning](training-and-model.md#tuning-document-type-for-custom-translator) and [testing](training-and-model.md#testing-dataset-for-custom-translator) document sets. You can upload both [parallel](what-are-parallel-documents.md) and combo documents. You can also upload [dictionary](what-is-dictionary.md).
-
-You can upload documents from either the documents tab or from a specific
-project's page.
-
-![Upload documents](media/how-to/how-to-upload-1.png)
-
-When uploading documents, choose the document type (training, tuning, or
-testing), and the language pair. When uploading parallel documents, you'll need
-to additionally specify a document name. For more details, visit [Upload document](how-to-upload-document.md).
-
-## Create a model
-
-When all your required documents are uploaded, the next step is to build your model.
-
-Select the project you've created. You'll see all the documents you've uploaded
-that share a language pair with this project. Select the documents that you want
-included in your model. You can select [training](training-and-model.md#training-document-type-for-custom-translator),
-[tuning](training-and-model.md#tuning-document-type-for-custom-translator), and [testing](training-and-model.md#testing-dataset-for-custom-translator) data. Or select just
-training data and let Custom Translator automatically build tuning and test sets
-for your model.
-
-![Create a model](media/how-to/how-to-train-model-1.png)
-
-When you've finished selecting your desired documents, select the **Create Model** button to
-create your model and start training. You can see the status of your training,
-and details for all the models you've trained, in the Models tab.
-
-For more details, visit [Create a Model](how-to-train-model.md).
-
-## Analyze your model
-
-Once your training has completed successfully, inspect the results. The BLEU
-score is one metric that indicates the quality of your translation. You can also
-manually compare the translations made with your custom model to the
-translations provided in your test set by navigating to the **Test** tab and selecting **System Results**. Manually inspecting a few of these translations will give you a good idea of the quality of translation produced by your system. For more details, visit [System Test Results](how-to-view-system-test-results.md).
-
-## Deploy a trained model
-
-When you're ready to deploy your trained model, select the **Deploy** button. You can have one deployed model per project, and you can view the status of your deployment in the Status column. For more details, visit [Model Deployment](how-to-view-system-test-results.md#deploy-a-model)
-
-![Deploy a trained model](media/how-to/how-to-deploy.png)
-
-## Swap deployed model
-
-To swap a deployed model with another within a project, select the **Swap** button displayed next to the desired model. During the swap process, the deployed model will continue to be available to serve translation requests.
-
-![Swap deployed model](media/how-to/how-to-swap-model.png)
-
-## Use a deployed model
-
-Deployed models can be accessed via the Microsoft Translator [Text API V3 by
-specifying the CategoryID](../reference/v3-0-translate.md?tabs=curl). More information about the Translator Text API can
-be found on the [API
-Reference](../reference/v3-0-reference.md) webpage.
-
-## Next steps
--- Learn how to navigate the [Custom Translator workspace and manage your projects](workspace-and-project.md).
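Review bot: deleting `quickstart-build-deploy-custom-model.md` needs a redirect from the old path to `quickstart.md`; the overview in this same change repoints its Quickstart links to `./quickstart.md`, but external bookmarks and search results still resolve the old URL. Also check that nothing else in the folder still links to `how-to-create-project.md`, `how-to-upload-document.md`, `how-to-train-model.md`, `how-to-view-system-test-results.md` or `workspace-and-project.md`, which this legacy page referenced and which do not match the `how-to/` paths the rest of the change uses.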
cognitive-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/quickstart.md
+
+ Title: "Quickstart: Build, deploy, and use a custom model - Custom Translator"
+
+description: A step-by-step guide to building a translation system using the Custom Translator portal v2.
++++ Last updated : 11/04/2022+++
+# Quickstart: Build, publish, and translate with custom models
+
+Translator is a cloud-based neural machine translation service that is part of the Azure Cognitive Services family of REST API that can be used with any operating system. Translator powers many Microsoft products and services used by thousands of businesses worldwide to perform language translation and other language-related operations. In this quickstart, you'll learn to build custom solutions for your applications across all [supported languages](../language-support.md).
+
+## Prerequisites
+
+ To use the [Custom Translator](https://portal.customtranslator.azure.ai/) portal, you'll need the following resources:
+
+* A [Microsoft account](https://signup.live.com).
+
+* Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services/)
+* Once you have an Azure subscription, [create a Translator resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) in the Azure portal to get your key and endpoint. After it deploys, select **Go to resource**.
+ * You'll need the key and endpoint from the resource to connect your application to the Translator service. You'll paste your key and endpoint into the code below later in the quickstart. You can find these values on the Azure portal **Keys and Endpoint** page:
+
+ :::image type="content" source="../media/keys-and-endpoint-portal.png" alt-text="Screenshot: Azure portal keys and endpoint page.":::
+
+For more information, *see* [how to create a Translator resource](../how-to-create-translator-resource.md).
+
+## Custom Translator portal
+
+>[!Note]
+>Custom Translator does not support creating workspace for a Translator Text API resource created inside an [Enabled VNet](../../../api-management/api-management-using-with-vnet.md?tabs=stv2).
+
+Once you have the above prerequisites, sign in to the [Custom Translator](https://portal.customtranslator.azure.ai/) portal to create workspaces, build projects, upload files, train models, and publish your custom solution.
+
+You can read an overview of translation and custom translation, learn some tips, and watch a getting started video in the [Azure AI technical blog](https://techcommunity.microsoft.com/t5/azure-ai/customize-a-translation-to-make-sense-in-a-specific-context/ba-p/2811956).
+
+## Process summary
+
+1. [**Create a workspace**](#create-a-workspace). A workspace is a work area for composing and building your custom translation system. A workspace can contain multiple projects, models, and documents. All the work you do in Custom Translator is done inside a specific workspace.
+
+1. [**Create a project**](#create-a-project). A project is a wrapper for models, documents, and tests. Each project includes all documents that are uploaded into that workspace with the correct language pair. For example, if you have both an English-to-Spanish project and a Spanish-to-English project, the same documents will be included in both projects.
+
+1. [**Upload parallel documents**](#upload-documents). Parallel documents are pairs of documents where one (target) is the translation of the other (source). One document in the pair contains sentences in the source language and the other document contains sentences translated into the target language. It doesn't matter which language is marked as "source" and which language is marked as "target"ΓÇöa parallel document can be used to train a translation system in either direction.
+
+1. [**Train your model**](#train-your-model). A model is the system that provides translation for a specific language pair. The outcome of a successful training is a model. When you train a model, three mutually exclusive document types are required: training, tuning, and testing. If only training data is provided when queuing a training, Custom Translator will automatically assemble tuning and testing data. It will use a random subset of sentences from your training documents, and exclude these sentences from the training data itself. A 10,000 parallel sentence is the minimum requirement to train a model.
+
+1. [**Test (human evaluate) your model**](#test-your-model). The testing set is used to compute the [BLEU](beginners-guide.md#what-is-a-bleu-score) score. This score indicates the quality of your translation system.
+
+1. [**Publish (deploy) your trained model**](#publish-your-model). Your custom model is made available for runtime translation requests.
+
+1. [**Translate text**](#translate-text). Use the cloud-based, secure, high performance, highly scalable Microsoft Translator [Text API V3](../reference/v3-0-translate.md?tabs=curl) to make translation requests.
+
+## Create a workspace
+
+1. After your sign-in to Custom Translator, you'll be asked for permission to read your profile from the Microsoft identity platform to request your user access token and refresh token. Both tokens are needed for authentication and to ensure that you aren't signed out during your live session or while training your models. </br>Select **Yes**.
+
+ :::image type="content" source="media/quickstart/first-time-user.png" alt-text="Screenshot illustrating how to create a workspace.":::
+
+1. Select **My workspaces**.
+
+1. Select **Create a new workspace**.
+
+1. Type _Contoso MT models_ for **Workspace name** and select **Next**.
+
+1. Select "Global" for **Select resource region** from the dropdown list.
+
+1. Copy/paste your Translator Services key.
+
+1. Select **Next**.
+
+1. Select **Done**.
+
+ >[!Note]
+ > Region must match the region that was selected during the resource creation. You can use **KEY 1** or **KEY 2.**
+
+ :::image type="content" source="media/quickstart/resource-key.png" alt-text="Screenshot illustrating the resource key.":::
+
+ :::image type="content" source="media/quickstart/create-workspace-1.png" alt-text="Screenshot illustrating workspace creation.":::
+
+## Create a project
+
+Once the workspace is created successfully, you'll be taken to the **Projects** page.
+
+You'll create English-to-German project to train a custom model with only a [training](training-and-model.md#training-document-type-for-custom-translator) document type.
+
+1. Select **Create project**.
+
+1. Type *English-to-German* for **Project name**.
+
+1. Select *English (en)* as **Source language** from the dropdown list.
+
+1. Select *German (de)* as **Target language** from the dropdown list.
+
+1. Select *General* for **Domain** from the dropdown list.
+
+1. Select **Create project**.
+
+ :::image type="content" source="media/quickstart/create-project.png" alt-text="Screenshot illustrating how to create a project.":::
+
+## Upload documents
+
+In order to create a custom model, you need to upload all or a combination of [training](training-and-model.md#training-document-type-for-custom-translator), [tuning](training-and-model.md#tuning-document-type-for-custom-translator), [testing](training-and-model.md#testing-dataset-for-custom-translator), and [dictionary](concepts/dictionaries.md) document types.
+
+In this quickstart, you'll upload [training](training-and-model.md#training-document-type-for-custom-translator) documents for customization.
+
+>[!Note]
+> You can use our sample training, phrase and sentence dictionaries dataset, [Customer sample English-to-German datasets](https://github.com/MicrosoftTranslator/CustomTranslatorSampleDatasets), for this quickstart. However, for production, it's better to upload your own training dataset.
+
+1. Select *English-to-German* project name.
+
+1. Select **Manage documents** from the left navigation menu.
+
+1. Select **Add document set**.
+
+1. Check the **Training set** box and select **Next**.
+
+1. Keep **Parallel documents** checked and type *sample-English-German*.
+
+1. Under the **Source (English - EN) file**, select **Browse files** and select *sample-English-German-Training-en.txt*.
+
+1. Under **Target (German - EN) file**, select **Browse files** and select *sample-English-German-Training-de.txt*.
+
+1. Select **Upload**
+
+ >[!Note]
+ >You can upload the sample phrase and sentence dictionaries dataset. This step is left for you to complete.
+
+ :::image type="content" source="media/quickstart/upload-model.png" alt-text="Screenshot illustrating how to upload documents.":::
+
+## Train your model
+
+Now you're ready to train your English-to-German model.
+
+1. Select **Train model** from the left navigation menu.
+
+1. Type *en-de with sample data* for **Model name**.
+
+1. Keep **Full training** checked.
+
+1. Under **Select documents**, check *sample-English-German* and review the training cost associated with the selected number of sentences.
+
+1. Select **Train now**.
+
+1. Select **Train** to confirm.
+
+ >[!Note]
+ >**Notifications** displays model training in progress, e.g., **Submitting data** state. Training model takes few hours, subject to the number of selected sentences.
+
+ :::image type="content" source="media/quickstart/train-model.png" alt-text="Screenshot illustrating how to create a model.":::
+
+1. After successful model training, select **Model details** from the left navigation menu.
+
+1. Select the model name *en-de with sample data*. Review training date/time, total training time, number of sentences used for training, tuning, testing, and dictionary. Check whether the system generated the test and tuning sets. You'll use the `Category ID` to make translation requests.
+
+1. Evaluate the model [BLEU](beginners-guide.md#what-is-a-bleu-score) score. The test set **BLEU score** is the custom model score and **Baseline BLEU** is the pre-trained baseline model used for customization. A higher **BLEU score** means higher translation quality using the custom model.
+
+ >[!Note]
+ >If you train with our shared customer sample datasets, BLEU score will be different than the image.
+
+ :::image type="content" source="media/quickstart/model-details.png" alt-text="Screenshot illustrating model details.":::
+
+## Test your model
+
+Once your training has completed successfully, inspect the test set translated sentences.
+
+1. Select **Test model** from the left navigation menu.
+2. Select "en-de with sample data"
+3. Human evaluate translation from **New model** (custom model), and **Baseline model** (our pre-trained baseline used for customization) against **Reference** (target translation from the test set)
+
+## Publish your model
+
+Publishing your model makes it available for use with the Translator API. A project might have one or many successfully trained models. You can only publish one model per project; however, you can publish a model to one or multiple regions depending on your needs. For more information, see [Translator pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/#pricing).
+
+1. Select **Publish model** from the left navigation menu.
+
+1. Select *en-de with sample data* and select **Publish**.
+
+1. Check the desired region(s).
+
+1. Select **Publish**. The status should transition from _Deploying_ to _Deployed_.
+
+ :::image type="content" source="media/quickstart/publish-model.png" alt-text="Screenshot illustrating how to deploy a trained model.":::
+
+## Translate text
+
+1. Developers should use the `Category ID` when making translation requests with Microsoft Translator [Text API V3](../reference/v3-0-translate.md?tabs=curl). More information about the Translator Text API can be found on the [API Reference](../reference/v3-0-reference.md) webpage.
+
+1. Business users may want to download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslator/releases/tag/V2.9.4).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to manage workspaces](how-to/create-manage-workspace.md)
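Review bot: the workspace steps contradict each other: `1. Select "Global" for **Select resource region**` tells the reader to pick Global, while the note two steps later says `Region must match the region that was selected during the resource creation`; state that the dropdown value must be the Translator resource's own region and present Global only as the value for a resource created as Global. Three smaller points in the same hunk: the prerequisites promise "You'll paste your key and endpoint into the code below later in the quickstart", but the page has no code and only the key is used (in the workspace step), so drop "and endpoint"/"the code below" or point to the Text API V3 reference for the actual request; `Target (German - EN) file` should read `German - DE`; and "A 10,000 parallel sentence is the minimum requirement" should be "10,000 parallel sentences are the minimum requirement". Because the pasted key is the resource's secret, keep the legacy page's pointer that the key can be changed from the workspace Settings, so readers know to update the workspace after regenerating KEY 1 or KEY 2 in the Azure portal. The VNet note links to the API Management VNet article (`../../../api-management/api-management-using-with-vnet.md`), which is not the Translator/Cognitive Services networking doc; link the Cognitive Services virtual network page instead if one exists.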
cognitive-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/release-notes.md
Title: "Legacy: Release notes - Custom Translator"
+ Title: "Release notes - Custom Translator"
description: Custom Translator releases, improvements, bug fixes, and known issues. Previously updated : 05/03/2021 Last updated : 11/04/2022 -+ # Custom Translator release notes This page has the latest release notes for features, improvements, bug fixes, and known issues for the Custom Translator service.
+## 2022-November release
+
+### November 2022 improvements and fixes
+
+#### Custom Translator stable GA v2.0 release
+
+* Custom Translator version v2.0 is generally available and ready for use in your production applications.
+
+* Upload history has been added to the workspace, next to Projects and Documents tabs.
+
+#### Language model updates
+
+* Language pairs are listed in the table below. We encourage you to retrain your models accordingly for higher quality.
+
+|Source Language|Target Language|
+|:-|:-|
+|Chinese Simplified (zh-Hans)|English (en-us)|
+|Chinese Traditional (zh-Hant)|English (en-us)|
+|Czech (cs)|English (en-us)|
+|Dutch (nl)|English (en-us)|
+|English (en-us)|Chinese Simplified (zh-Hans)|
+|English (en-us)|Chinese Traditional (zh-Hant)|
+|English (en-us)|Czech (cs)|
+|English (en-us)|Dutch (nl)|
+|English (en-us)|French (fr)|
+|English (en-us)|German (de)|
+|English (en-us)|Italian (it)|
+|English (en-us)|Polish (pl)|
+|English (en-us)|Romanian (ro)|
+|English (en-us)|Russian (ru)|
+|English (en-us)|Spanish (es)|
+|English (en-us)|Swedish (sv)|
+|German (de)|English (en-us)|
+|Italian (it)|English (en-us)|
+|Russian (ru)|English (en-us)|
+|Spanish (es)|English (en-us)|
+
+#### Security update
+
+* Custom Translator API preview REST API calls now require User Access Token to authenticate.
+
+* Visit our GitHub repo for a [C# code sample](https://github.com/MicrosoftTranslator/CustomTranslator-API-CSharp).
+
+#### Fixes
+
+* Resolved document upload error that caused a blank page in the browser.
+
+* Applied functional modifications.
+ ## 2021-May release
-### Improvements and Bug fixes
+### May 2021 improvements and fixes
+
+* We added new training pipeline to improve the custom model generalization and capacity to retain more customer terminology (words and phrases).
-- We added new training pipeline to improve the custom model generalization and capacity to retain more customer terminology (words and phrases).-- Refreshed Custom Translator baselines to fix word alignment bug. See list of impacted language pair*.
+* Refreshed Custom Translator baselines to fix word alignment bug. See list of impacted language pair*.
### Language pair list
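Review bot: the `#### Security update` bullet "Custom Translator API preview REST API calls now require User Access Token to authenticate" is too vague to act on: say which token (the quickstart in this same change describes the portal requesting a Microsoft identity platform user access token and refresh token at sign-in), which endpoints it applies to, whether resource-key authentication for those calls still works or is now rejected, and from when, so integrators can tell whether existing preview clients break. "Applied functional modifications" under `#### Fixes` says nothing; name the changes or drop the bullet. The language table mixes `en-us` with bare codes (`de`, `fr`, `zh-Hans`); the quickstart and overview use `en`, so use one convention.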
cognitive-services Unsupported Language Deployments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/custom-translator/unsupported-language-deployments.md
- Title: "Legacy: Unsupported language deployments - Custom Translator"-
-description: This article shows you how to deploy unsupported language pairs in Azure Cognitive Services Custom Translator.
------ Previously updated : 04/24/2019----
-# Unsupported language deployments
-
-<!--Custom Translator provides the highest-quality translations possible using the latest techniques in neural machine learning. While Microsoft intends to make neural training available in all languages, there are some limitations that prevent us from being able to offer neural machine translation in all language pairs.-->
-
-With the upcoming retirement of the Microsoft Translator Hub, Microsoft will be undeploying all models currently deployed through the Hub. Many of you have models deployed in the Hub whose language pairs aren't supported in Custom Translator. We don't want users in this situation to have no recourse for translating their content.
-
-We now have a process that allows you to deploy your unsupported models through the Custom Translator. This process enables you to continue to translate content using the latest V3 API. These models will be hosted until you choose to undeploy them or the language pair becomes available in Custom Translator. This article explains the process to deploy models with unsupported language pairs.
-
-## Prerequisites
-
-In order for your models to be candidates for deployment, they must meet the following criteria:
-* The project containing the model must have been migrated from the Hub to the Custom Translator using the Migration Tool.
-* The model must be in the deployed state when the migration happens.
-* The language pair of the model must be an unsupported language pair in Custom Translator. Language pairs in which a language is supported to or from English, but the pair itself doesn't include English, are candidates for unsupported language deployments. For example, a Hub model for a French to German language pair is considered an unsupported language pair even though French to English and English to German are supported language pair.
-
-## Process
-Once you have migrated models from the Hub that are candidates for deployment, you can find them by going to the **Settings** page for your workspace and scrolling to the end of the page where you'll see an **Unsupported Translator Hub Trainings** section. This section only appears if you have projects that meet the prerequisites mentioned above.
-
-![Screenshot that highlights the Unsupported Translator Hub Trainings section.](media/unsupported-language-deployments/unsupported-translator-hub-trainings.jpg)
-
-Within the **Unsupported Translator Hub Trainings** selection page, the **Unrequested trainings** tab contains models that are eligible for deployment. Select the models you wish to deploy and submit a request. Before the April 30 deployment deadline, you can select as many models as you wish for deployment.
-
-![Screenshot that shows the Unrequested trainings tab.](media/unsupported-language-deployments/unsupported-translator-hub-trainings-list.jpg)
-
-Once submitted, the model will no longer be available on the **Unrequested trainings** tab and will instead appear on the **Requested trainings** tab. You can view your requested trainings at any time.
-
-![How to migrate from Hub](media/unsupported-language-deployments/request-unsupported-trainings.jpg)
-
-## What's next?
-
-The models you selected for deployment are saved once the Hub is decommissioned and all models are undeployed. You've until May 24 to submit requests for deployment of unsupported models. We'll deploy these models on June 15 at which point they'll be accessible through the Translator V3 API. In addition, they'll be available through the V2 API until July 1.
-
-For further information on important dates in the deprecation of the Hub check [here](https://www.microsoft.com/translator/business/hub/).
-Once deployed, normal hosting charges will apply. See [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/) for details.
-
-Unlike standard Custom Translator models, Hub models will only be available in a single region, so multi-region hosting charges won't apply. Once deployed, you'll be able to undeploy your Hub model at any time through the migrated Custom Translator project.
-
-## Next steps
--- [Train a model](how-to-train-model.md).-- Start using your deployed custom translation model via [Microsoft Translator Text API V3](../reference/v3-0-translate.md?tabs=curl).
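Review bot: this removal is reasonable given the page's dates (April 30, May 24, June 15 deadlines from the 2019 Hub retirement), but the removed `## Next steps` still links to `how-to-train-model.md` and `../reference/v3-0-translate.md`, and the file itself needs a redirect; make sure the redirect for `unsupported-language-deployments.md` targets a live page (the overview or release notes) rather than the legacy quickstart that this same change also deletes.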
cognitive-services Encrypt Data At Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/encrypt-data-at-rest.md
description: Microsoft lets you manage your Cognitive Services subscriptions with your own keys, called customer-managed keys (CMK). This article covers data encryption at rest for Translator, and how to enable and manage CMK. - Previously updated : 08/28/2020 Last updated : 11/03/2022 #Customer intent: As a user of the Translator service, I want to learn how encryption at rest works. # Translator encryption of data at rest
-Translator automatically encrypts your data, which you upload to build custom translation models, when it is persisted to the cloud, helping to meet your organizational security and compliance goals.
+Translator automatically encrypts your uploaded data when it's persisted to the cloud helping to meet your organizational security and compliance goals.
## About Cognitive Services encryption
Data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki
## About encryption key management
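Review bot: the rewritten opening sentence of the encrypt-data-at-rest article drops the scope qualifier ("data you upload to build custom translation models") and now asserts that all uploaded data is encrypted at rest, a broader claim than the original; keep the qualifier or confirm it holds for every Translator input. The new sentence also needs a comma: "persisted to the cloud, helping to meet your organizational security and compliance goals".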
-By default, your subscription uses Microsoft-managed encryption keys. If you are using a pricing tier that supports Customer-managed keys, you can see the encryption settings for your resource in the **Encryption** section of the [Azure portal](https://portal.azure.com), as shown in the following image.
+By default, your subscription uses Microsoft-managed encryption keys. If you're using a pricing tier that supports Customer-managed keys, you can see the encryption settings for your resource in the **Encryption** section of the [Azure portal](https://portal.azure.com), as shown in the following image.
![View Encryption settings](../media/cognitive-services-encryption/encryptionblade.png)
-For subscriptions that only support Microsoft-managed encryption keys, you will not have an **Encryption** section.
+For subscriptions that only support Microsoft-managed encryption keys, you won't have an **Encryption** section.
## Customer-managed keys with Azure Key Vault
-By default, your subscription uses Microsoft-managed encryption keys. There is also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. If CMK is configured for your subscription, double encryption is provided, which offers a second layer of protection, while allowing you to control the encryption key through your Azure Key Vault.
+By default, your subscription uses Microsoft-managed encryption keys. There's also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offers greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data. If CMK is configured for your subscription, double encryption is provided, which offers a second layer of protection, while allowing you to control the encryption key through your Azure Key Vault.
> [!IMPORTANT] > Customer-managed keys are available for all pricing tiers for the Translator service. To request the ability to use customer-managed keys, fill out and submit the [Translator Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) It will take approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for using CMK with the Translator service, you will need to create a new Translator resource. Once your Translator resource is created, you can use Azure Key Vault to set up your managed identity. Follow these steps to enable customer-managed keys for Translator:
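Review bot: in the CMK paragraph, "greater flexibility to create, rotate, disable, and revoke access controls" is misleading: with customer-managed keys you create, rotate and disable the key and revoke the resource's access to it; access controls are not what gets revoked. Suggest "to create, rotate, and disable keys, and to revoke access to them". The IMPORTANT callout that follows also states that customer-managed keys are available for all pricing tiers, while the preceding section still says "If you're using a pricing tier that supports Customer-managed keys"; one of the two statements should be corrected so the page does not contradict itself.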
-1. Create your new regional Translator or regional Cognitive Services resource. This will not work with a global resource.
+1. Create your new regional Translator or regional Cognitive Services resource. Customer-managed keys won't work with a global resource.
2. Enabled Managed Identity in the Azure portal, and add your customer-managed key information. 3. Create a new workspace in Custom Translator and associate this subscription information.
Follow these steps to enable customer-managed keys for Translator:
You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Cognitive Services resource and the key vault must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
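Review bot: step 2 of the enablement list still reads "Enabled Managed Identity"; it should be the imperative "Enable", matching steps 1 and 3. The lead-in "Follow these steps to enable customer-managed keys for Translator:" also appears twice, once before the numbered list and again after it, so the second copy should go. Since the constraint that the key vault and the Cognitive Services resource must be in the same region and Azure AD tenant is stated only after the list, consider moving it into step 1, where the reader chooses the region for the new resource.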
-A new Cognitive Services resource is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Cognitive Services resource. The managed identity is available as soon as the resource is created.
+A new Cognitive Services resource is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the resource is created. Customer-managed keys are stored in Azure Key Vault. The key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the Cognitive Services resource. The managed identity is available as soon as the resource is created.
To learn how to use customer-managed keys with Azure Key Vault for Cognitive Services encryption, see:
Only RSA keys of size 2048 are supported with Cognitive Services encryption. For
To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see [Azure Key Vault PowerShell](/powershell/module/az.keyvault//) or [Azure Key Vault CLI](/cli/azure/keyvault). Revoking access effectively blocks access to all data in the Cognitive Services resource and your models will be undeployed, as the encryption key is inaccessible by Cognitive Services. All uploaded data will also be deleted from Custom Translator. - ## Next steps
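Review bot: the consequence of revoking key access, that models are undeployed and all uploaded Custom Translator data is deleted, is the most destructive fact on this page and sits at the end of a paragraph about PowerShell and CLI links. Move it into a [!WARNING] or [!IMPORTANT] callout placed ahead of the revocation instructions, so nobody revokes a key expecting a reversible access block.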
-* [Learn more about Azure Key Vault](../../key-vault/general/overview.md)
+> [!div class="nextstepaction"]
+> [Learn more about Azure Key Vault](../../key-vault/general/overview.md)
cognitive-services Prevent Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/prevent-translation.md
The Translator allows you to tag content so that it isn't translated. For exampl
4. Don't pass the string to the Translator for translation.
-5. Custom Translator: Use a [dictionary in Custom Translator](custom-translator/what-is-dictionary.md) to prescribe the translation of a phrase with 100% probability.
+5. Custom Translator: Use a [dictionary in Custom Translator](custom-translator/concepts/dictionaries.md) to prescribe the translation of a phrase with 100% probability.
## Next steps
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/whats-new.md
Translator is a language service that enables users to translate text and docume
Translator service supports language translation for more than 100 languages. If your language community is interested in partnering with Microsoft to add your language to Translator, contact us via the [Translator community partner onboarding form](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR-riVR3Xj0tOnIRdZOALbM9UOU1aMlNaWFJOOE5YODhRR1FWVzY0QzU1OS4u).
+## November 2022
+
+### Custom Translator stable GA v2.0 release
+
+Custom Translator version v2.0 is generally available and ready for use in your production applications!
+ ## June 2022 ### Document Translation stable GA 1.0.0 release
Document Translation .NET and Python client-library SDKs are now generally avail
* The [Custom Translator portal (v2.0)](https://portal.customtranslator.azure.ai/) is now in public preview and includes significant changes that makes it easier to create your custom translation systems.
-* To learn more, see our Custom Translator [documentation](custom-translator/overview.md) and try our [quickstart](custom-translator/v2.0/quickstart.md) for step-by-step instructions.
+* To learn more, see our Custom Translator [documentation](custom-translator/overview.md) and try our [quickstart](custom-translator/quickstart.md) for step-by-step instructions.
## October 2021
cognitive-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/policy-reference.md
Title: Built-in policy definitions for Azure Cognitive Services description: Lists Azure Policy built-in policy definitions for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
cognitive-services Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cognitive Services description: Lists Azure Policy Regulatory Compliance controls available for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
container-apps Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/policy-reference.md
Title: Built-in policy definitions for Azure Container Apps
description: Lists Azure Policy built-in policy definitions for Azure Container Apps. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
container-instances Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/policy-reference.md
Previously updated : 09/12/2022 Last updated : 11/04/2022 # Azure Policy built-in definitions for Azure Container Instances
container-registry Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/policy-reference.md
Title: Built-in policy definitions for Azure Container Registry
description: Lists Azure Policy built-in policy definitions for Azure Container Registry. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 10/11/2022 Last updated : 11/04/2022
container-registry Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/security-controls-policy.md
description: Lists Azure Policy Regulatory Compliance controls available for Azu
Previously updated : 10/12/2022 Last updated : 11/04/2022
cosmos-db How To Dotnet Create Container https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-create-container.md
To create a container, call one of the following methods:
The following example creates a container asynchronously: The [``Database.CreateContainerAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerasync) method will throw an exception if a container with the same name already exists.
The [``Database.CreateContainerAsync``](/dotnet/api/microsoft.azure.cosmos.datab
The following example creates a container asynchronously only if it doesn't already exist on the account: The [``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) method will only create a new container if it doesn't already exist. This method is useful for avoiding errors if you run the same code multiple times.
In all examples so far, the response from the asynchronous request was cast imme
The following example shows the **Database.CreateContainerIfNotExistsAsync** method returning a **ContainerResponse**. Once returned, you can parse response properties and then eventually get the underlying **Container** object: ## Next steps
cosmos-db How To Dotnet Create Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-create-database.md
To create a database, call one of the following methods:
The following example creates a database asynchronously: The [``CosmosClient.CreateDatabaseAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseasync) method will throw an exception if a database with the same name already exists.
The [``CosmosClient.CreateDatabaseAsync``](/dotnet/api/microsoft.azure.cosmos.co
The following example creates a database asynchronously only if it doesn't already exist on the account: The [``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) method will only create a new database if it doesn't already exist. This method is useful for avoiding errors if you run the same code multiple times.
In all examples so far, the response from the asynchronous request was cast imme
The following example shows the **CosmosClient.CreateDatabaseIfNotExistsAsync** method returning a **DatabaseResponse**. Once returned, you can parse response properties and then eventually get the underlying **Database** object: ## Next steps
cosmos-db How To Dotnet Create Item https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-create-item.md
When referencing the item using a URI, use the system-generated *resource identi
> [!NOTE] > The examples in this article assume that you have already defined a C# type to represent your data named **Product**: >
-> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/250-create-item/Product.cs" id="type" :::
+> :::code language="csharp" source="~/cosmos-db-nosql-dotnet-samples/250-create-item/Product.cs" id="type" :::
> > The examples also assume that you have already created a new object of type **Product** named **newItem**: >
-> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/250-create-item/Program.cs" id="create_object" :::
+> :::code language="csharp" source="~/cosmos-db-nosql-dotnet-samples/250-create-item/Program.cs" id="create_object" :::
> To create an item, call one of the following methods:
To create an item, call one of the following methods:
The following example creates a new item asynchronously: The [``Container.CreateItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync) method will throw an exception if there's a conflict with the unique identifier of an existing item. To learn more about potential exceptions, see [``CreateItemAsync<>`` exceptions](/dotnet/api/microsoft.azure.cosmos.container.createitemasync#exceptions).
The [``Container.CreateItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.contain
The following example replaces an existing item asynchronously: The [``Container.ReplaceItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.replaceitemasync) method requires the provided string for the ``id`` parameter to match the unique identifier of the ``item`` parameter.
The [``Container.ReplaceItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.contai
The following example will create a new item or replace an existing item if an item already exists with the same unique identifier: The [``Container.UpsertItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.upsertitemasync) method will use the unique identifier of the ``item`` parameter to determine if there's a conflict with an existing item and to replace the item appropriately.
cosmos-db How To Dotnet Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-get-started.md
export COSMOS_KEY="<cosmos-account-PRIMARY-KEY>"
Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` and ``COSMOS_KEY`` environment variables as parameters. ### Connect with a connection string
export COSMOS_CONNECTION_STRING="<cosmos-account-PRIMARY-CONNECTION-STRING>"
Create a new instance of the **CosmosClient** class with the ``COSMOS_CONNECTION_STRING`` environment variable as the only parameter. ### Connect using the Microsoft Identity Platform
dotnet build
In your code editor, add using directives for ``Azure.Core`` and ``Azure.Identity`` namespaces. #### Create CosmosClient with default credential implementation
If you're testing on a local machine, or your application will run on Azure serv
For this example, we saved the instance in a variable of type [``TokenCredential``](/dotnet/api/azure.core.tokencredential) as that's a more generic type that's reusable across SDKs. Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` environment variable and the **TokenCredential** object as parameters. #### Create CosmosClient with a custom credential implementation
If you plan to deploy the application out of Azure, you can obtain an OAuth toke
For this example, we create a [``ClientSecretCredential``](/dotnet/api/azure.identity.clientsecretcredential) instance by using client and tenant identifiers, along with a client secret. You can obtain the client ID, tenant ID, and client secret when you register an application in Azure Active Directory (AD). For more information about registering Azure AD applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md). Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` environment variable and the **TokenCredential** object as parameters. ## Build your application
cosmos-db How To Dotnet Query Items https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-query-items.md
To learn more about the SQL syntax for Azure Cosmos DB for NoSQL, see [Getting s
> [!NOTE] > The examples in this article assume that you have already defined a C# type to represent your data named **Product**: >
-> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/300-query-items/Product.cs" id="type" :::
+> :::code language="csharp" source="~/cosmos-db-nosql-dotnet-samples/300-query-items/Product.cs" id="type" :::
> To query items in a container, call one of the following methods:
To query items in a container, call one of the following methods:
This example builds a SQL query using a simple string, retrieves a feed iterator, and then uses nested loops to iterate over results. The outer **while** loop will iterate through result pages, while the inner **foreach** loop iterates over results within a page. The [Container.GetItemQueryIterator<>](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) method returns a [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1) that is used to iterate through multi-page results. The ``HasMoreResults`` property indicates if there are more result pages left. The ``ReadNextAsync`` method gets the next page of results as an enumerable that is then used in a loop to iterate over results. Alternatively, use the [QueryDefinition](/dotnet/api/microsoft.azure.cosmos.querydefinition) to build a SQL query with parameterized input: > [!TIP] > Parameterized input values can help prevent many common SQL query injection attacks.
Alternatively, use the [QueryDefinition](/dotnet/api/microsoft.azure.cosmos.quer
In this example, an [``IQueryable``<>](/dotnet/api/system.linq.iqueryable) object is used to construct a [Language Integrated Query (LINQ)](/dotnet/csharp/programming-guide/concepts/linq/). The results are then iterated over using a feed iterator. The [Container.GetItemLinqQueryable<>](/dotnet/api/microsoft.azure.cosmos.container.getitemlinqqueryable) method constructs an ``IQueryable`` to build the LINQ query. Then the ``ToFeedIterator<>`` method is used to convert the LINQ query expression into a [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1).
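The tip above says parameterized input prevents most SQL injection against the Cosmos DB query API, and the quickstart later filters on the partition key the same way. The following Python script is an added example, not code from the article or the .NET SDK it documents, that shows why. It builds a query request body in the shape the Cosmos DB REST query API accepts (`query` text plus a `parameters` array of `@name`/`value` pairs, the same structure the .NET `QueryDefinition.WithParameter` call produces) once by string formatting and once with a bound parameter, feeds both a constructed hostile category value, and measures how many predicates the WHERE clause ends up with. The `count_predicates` and `validate_parameters` helpers are illustrative checks written for this example; the attacker string is constructed for it.

```python
import json
import re

# Constructed attacker-controlled value: a quoted-string breakout that appends
# "OR true", so a string-built filter matches every item in the container.
MALICIOUS_CATEGORY = 'gear-surf-surfboards" OR true OR p.categoryId = "'


def unsafe_query(category: str) -> dict:
    """Vulnerable form: the user value is spliced straight into the SQL text,
    so whatever it contains becomes part of the query grammar."""
    sql = f'SELECT * FROM products p WHERE p.categoryId = "{category}"'
    return {"query": sql, "parameters": []}


def safe_query(category: str) -> dict:
    """Hardened form: the SQL text is a constant and the value travels as a
    named parameter. This is the body shape the Cosmos DB REST query API
    accepts, and it is what QueryDefinition.WithParameter builds in .NET."""
    return {
        "query": "SELECT * FROM products p WHERE p.categoryId = @categoryId",
        "parameters": [{"name": "@categoryId", "value": category}],
    }


def count_predicates(sql: str) -> int:
    """Count boolean terms in the WHERE clause as a rough injection gauge.
    A single-filter query should come back as 1 whatever the input was."""
    where_clause = sql.split(" WHERE ", 1)[1]
    return 1 + len(re.findall(r"\b(?:OR|AND)\b", where_clause))


def validate_parameters(body: dict) -> bool:
    """Pre-send check (illustrative): every declared parameter uses the
    '@name' form the service expects and is actually referenced in the text."""
    for param in body["parameters"]:
        name = param["name"]
        if not name.startswith("@") or name not in body["query"]:
            return False
    return True


if __name__ == "__main__":
    for label, body in (("unsafe", unsafe_query(MALICIOUS_CATEGORY)),
                        ("safe", safe_query(MALICIOUS_CATEGORY))):
        print(f"{label}: {count_predicates(body['query'])} predicate(s)")
        print(json.dumps(body, indent=2))
```

Run stand-alone, the string-built query grows from one predicate to three and returns the whole container, while the parameterized body keeps a single predicate and carries the hostile string untouched as data. The same property is what makes `QueryDefinition` safe in the .NET code the article describes: the service never parses the parameter value as SQL.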
cosmos-db How To Dotnet Read Item https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-dotnet-read-item.md
Every item in Azure Cosmos DB for NoSQL has a unique identifier specified by the
> [!NOTE] > The examples in this article assume that you have already defined a C# type to represent your data named **Product**: >
-> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/275-read-item/Product.cs" id="type" :::
+> :::code language="csharp" source="~/cosmos-db-nosql-dotnet-samples/275-read-item/Product.cs" id="type" :::
> To perform a point read of an item, call one of the following methods:
To perform a point read of an item, call one of the following methods:
The following example point reads a single item asynchronously and returns a deserialized item using the provided generic type: The [``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) method reads an item and returns an object of type [``ItemResponse<>``](/dotnet/api/microsoft.azure.cosmos.itemresponse-1). The **ItemResponse<>** type inherits from the [``Response<>``](/dotnet/api/microsoft.azure.cosmos.response-1) type, which contains an implicit conversion operator to convert the object into the generic type. To learn more about implicit operators, see [user-defined conversion operators](/dotnet/csharp/language-reference/operators/user-defined-conversion-operators). Alternatively, you can return the **ItemResponse<>** generic type and explicitly get the resource. The more general **ItemResponse<>** type also contains useful metadata about the underlying API operation. In this example, metadata about the request unit charge for this operation is gathered using the **RequestCharge** property.
## Read an item as a stream asynchronously
This example reads an item as a data stream directly: The [``Container.ReadItemStreamAsync``](/dotnet/api/microsoft.azure.cosmos.container.readitemstreamasync) method returns the item as a [``Stream``](/dotnet/api/system.io.stream) without deserializing the contents.
If you aren't planning to deserialize the items directly, using the stream APIs
In this example, a list of tuples containing unique identifier and partition key pairs is used to look up and retrieve multiple items: [``Container.ReadManyItemsAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readmanyitemsasync) returns a list of items based on the unique identifiers and partition keys you provide. This operation is typically more performant than a query since you'll effectively perform a point read operation on all items in the list.
cosmos-db Quickstart Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/quickstart-dotnet.md
Get started with the Azure Cosmos DB client library for .NET to create databases
## Prerequisites
-* An Azure account with an active subscription. [Create an account for free](https://aka.ms/trycosmosdb).
-* [.NET 6.0 or later](https://dotnet.microsoft.com/download)
-* [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)
+- An Azure account with an active subscription.
+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+ - Alternatively, you can [try Azure Cosmos DB free](../try-free.md) before you commit.
+- [.NET 6.0 or later](https://dotnet.microsoft.com/download)
+- [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)
### Prerequisite check
-* In a terminal or command window, run ``dotnet --version`` to check that the .NET SDK is version 6.0 or later.
-* Run ``az --version`` (Azure CLI) or ``Get-Module -ListAvailable AzureRM`` (Azure PowerShell) to check that you have the appropriate Azure command-line tools installed.
+- In a terminal or command window, run ``dotnet --version`` to check that the .NET SDK is version 6.0 or later.
+- Run ``az --version`` (Azure CLI) or ``Get-Module -ListAvailable AzureRM`` (Azure PowerShell) to check that you have the appropriate Azure command-line tools installed.
## Setting up
Build succeeded.
You'll use the following .NET classes to interact with these resources:
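Review bot: the prerequisite check for Azure PowerShell still runs `Get-Module -ListAvailable AzureRM`, but AzureRM is the deprecated module; the linked /powershell/azure/ documentation covers the Az module, so the check should be `Get-Module -ListAvailable Az`. The bullet-marker change from `*` to `-` in the same hunk is fine.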
-* [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) - This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service.
-* [``Database``](/dotnet/api/microsoft.azure.cosmos.database) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.
-* [``Container``](/dotnet/api/microsoft.azure.cosmos.container) - This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it.
-* [``QueryDefinition``](/dotnet/api/microsoft.azure.cosmos.querydefinition) - This class represents a SQL query and any query parameters.
-* [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1) - This class represents an iterator that can track the current page of results and get a new page of results.
-* [``FeedResponse<>``](/dotnet/api/microsoft.azure.cosmos.feedresponse-1) - This class represents a single page of responses from the iterator. This type can be iterated over using a ``foreach`` loop.
+- [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) - This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service.
+- [``Database``](/dotnet/api/microsoft.azure.cosmos.database) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.
+- [``Container``](/dotnet/api/microsoft.azure.cosmos.container) - This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it.
+- [``QueryDefinition``](/dotnet/api/microsoft.azure.cosmos.querydefinition) - This class represents a SQL query and any query parameters.
+- [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1) - This class represents an iterator that can track the current page of results and get a new page of results.
+- [``FeedResponse<>``](/dotnet/api/microsoft.azure.cosmos.feedresponse-1) - This class represents a single page of responses from the iterator. This type can be iterated over using a ``foreach`` loop.
## Code examples
-* [Authenticate the client](#authenticate-the-client)
-* [Create a database](#create-a-database)
-* [Create a container](#create-a-container)
-* [Create an item](#create-an-item)
-* [Get an item](#get-an-item)
-* [Query items](#query-items)
+- [Authenticate the client](#authenticate-the-client)
+- [Create a database](#create-a-database)
+- [Create a container](#create-a-container)
+- [Create an item](#create-an-item)
+- [Get an item](#get-an-item)
+- [Query items](#query-items)
The sample code described in this article creates a database named ``adventureworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.
For this sample code, the container will use the category as a logical partition
From the project directory, open the *Program.cs* file. In your editor, add a using directive for ``Microsoft.Azure.Cosmos``. Define a new instance of the ``CosmosClient`` class using the constructor, and [``Environment.GetEnvironmentVariable``](/dotnet/api/system.environment.getenvironmentvariable) to read the two environment variables you created earlier. For more information on different ways to create a ``CosmosClient`` instance, see [Get started with Azure Cosmos DB for NoSQL and .NET](how-to-dotnet-get-started.md#connect-to-azure-cosmos-db-sql-api).
For more information on different ways to create a ``CosmosClient`` instance, se
Use the [``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) method to create a new database if it doesn't already exist. This method will return a reference to the existing or newly created database. For more information on creating a database, see [Create a database in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-create-database.md).
For more information on creating a database, see [Create a database in Azure Cos
The [``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) will create a new container if it doesn't already exist. This method will also return a reference to the container. For more information on creating a container, see [Create a container in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-create-container.md). ### Create an item
-The easiest way to create a new item in a container is to first build a C# [class](/dotnet/csharp/language-reference/keywords/class) or [record](/dotnet/csharp/language-reference/builtin-types/record) type with all of the members you want to serialize into JSON. In this example, the C# record has a unique identifier, a *category* field for the partition key, and extra *name*, *quantity*, and *sale* fields.
+The easiest way to create a new item in a container is to first build a C# [class](/dotnet/csharp/language-reference/keywords/class) or [record](/dotnet/csharp/language-reference/builtin-types/record) type with all of the members you want to serialize into JSON. In this example, the C# record has a unique identifier, a *categoryId* field for the partition key, and extra *categoryName*, *name*, *quantity*, and *sale* fields.
Create an item in the container by calling [``Container.CreateItemAsync``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync). For more information on creating, upserting, or replacing items, see [Create an item in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-create-item.md).
For more information on creating, upserting, or replacing items, see [Create an
In Azure Cosmos DB, you can perform a point read operation by using both the unique identifier (``id``) and partition key fields. In the SDK, call [``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) passing in both values to return a deserialized instance of your C# type. For more information about reading items and parsing the response, see [Read an item in Azure Cosmos DB for NoSQL using .NET](how-to-dotnet-read-item.md). ### Query items
-After you insert an item, you can run a query to get all items that match a specific filter. This example runs the SQL query: ``SELECT * FROM todo t WHERE t.partitionKey = 'gear-surf-surfboards'``. This example uses the **QueryDefinition** type and a parameterized query expression for the partition key filter. Once the query is defined, call [``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) to get a result iterator that will manage the pages of results. Then, use a combination of ``while`` and ``foreach`` loops to retrieve pages of results and then iterate over the individual items.
+After you insert an item, you can run a query to get all items that match a specific filter. This example runs the SQL query: ``SELECT * FROM products p WHERE p.categoryId = "61dba35b-4f02-45c5-b648-c6badc0cbd79"``. This example uses the **QueryDefinition** type and a parameterized query expression for the partition key filter. Once the query is defined, call [``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) to get a result iterator that will manage the pages of results. Then, use a combination of ``while`` and ``foreach`` loops to retrieve pages of results and then iterate over the individual items.
## Run the code
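Review bot: the query paragraph now says the example uses a parameterized expression for the partition-key filter, yet the SQL it shows embeds the literal `"61dba35b-4f02-45c5-b648-c6badc0cbd79"`. Either show the parameterized text (for example `WHERE p.categoryId = @categoryId`) and give the GUID as the bound value, or say the literal is what the parameter resolves to; as written a reader may copy the literal form and lose the injection protection the page recommends elsewhere. The `todo t` to `products p` correction itself is right.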
-This app creates an Azure Cosmos DB for NoSQL database and container. The example then creates an item and then reads the exact same item back. Finally, the example issues a query that should only return that single item. With each step, the example outputs metadata to the console about the steps it has performed.
+This app creates an API for NoSQL database and container. The example then creates an item and then reads the exact same item back. Finally, the example issues a query that should only return that single item. With each step, the example outputs metadata to the console about the steps it has performed.
To run the app, use a terminal to navigate to the application directory and run the application.
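Review bot: the rewritten "Query items" line still says the example uses "a parameterized query expression for the partition key filter", but the SQL it shows embeds the literal: `SELECT * FROM products p WHERE p.categoryId = "61dba35b-4f02-45c5-b648-c6badc0cbd79"`. Show the form the code actually sends, for example `WHERE p.categoryId = @categoryId` with the value bound through `QueryDefinition`, so readers copy the parameterized filter rather than a string-concatenated one. Also, the new "Run the code" line says "creates an API for NoSQL database and container", dropping the product name the `-` line had; "an Azure Cosmos DB for NoSQL database" is clearer.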
cosmos-db Quickstart Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/quickstart-python.md
Title: 'Quickstart: Build a Python app using Azure Cosmos DB for NoSQL account'
-description: Presents a Python code sample you can use to connect to and query the Azure Cosmos DB for NoSQL
-
+ Title: Quickstart - Azure Cosmos DB for NoSQL client library for Python
+description: Learn how to build a .NET app to manage Azure Cosmos DB for NoSQL account resources and data in this quickstart.
++ ms.devlang: python Previously updated : 08/25/2022-- Last updated : 11/03/2022+
-# Quickstart: Build a Python application using an Azure Cosmos DB for NoSQL account
+# Quickstart: Azure Cosmos DB for NoSQL client library for Python
+ [!INCLUDE[NoSQL](../includes/appliesto-nosql.md)]
-> [!div class="op_single_selector"]
->
-> * [.NET](quickstart-dotnet.md)
-> * [Node.js](quickstart-nodejs.md)
-> * [Java](quickstart-java.md)
-> * [Spring Data](quickstart-java-spring-data.md)
-> * [Python](quickstart-python.md)
-> * [Spark v3](quickstart-spark.md)
-> * [Go](quickstart-go.md)
->
+
+Get started with the Azure Cosmos DB client library for Python to create databases, containers, and items within your account. Follow these steps to install the package and try out example code for basic tasks.
-In this quickstart, you create and manage an Azure Cosmos DB for NoSQL account from the Azure portal, and from Visual Studio Code with a Python app cloned from GitHub. Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities.
+> [!NOTE]
+> The [example code snippets](https://github.com/azure-samples/cosmos-db-nosql-python-samples) are available on GitHub as a .NET project.
+
+[API reference documentation](/python/api/azure-cosmos/azure.cosmos) | [Library source code](https://github.com/azure/azure-sdk-for-python/tree/main/sdk/cosmos/azure-cosmos) | [Package (PyPI)](https://pypi.org/project/azure-cosmos) | [Samples](samples-python.md)
## Prerequisites -- An Azure Cosmos DB Account. You options are:
- * Within an Azure active subscription:
- * [Create an Azure free Account](https://azure.microsoft.com/free) or use your existing subscription
- * [Visual Studio Monthly Credits](https://azure.microsoft.com/pricing/member-offers/credit-for-visual-studio-subscribers)
- * [Azure Cosmos DB Free Tier](../optimize-dev-test.md#azure-cosmos-db-free-tier)
- * Without an Azure active subscription:
- * [Try Azure Cosmos DB for free](../try-free.md), a tests environment that lasts for 30 days.
- * [Azure Cosmos DB Emulator](https://aka.ms/cosmosdb-emulator)
-- [Python 3.7+](https://www.python.org/downloads/), with the `python` executable in your `PATH`.-- [Visual Studio Code](https://code.visualstudio.com/).-- The [Python extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-python.python#overview).-- [Git](https://www.git-scm.com/downloads). -- [Azure Cosmos DB for NoSQL SDK for Python](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/cosmos/azure-cosmos)
+- An Azure account with an active subscription. [Create an account for free](https://aka.ms/trycosmosdb).
+- [Python 3.7 or later](https://www.python.org/downloads/)
+ - Ensure the `python` executable is in your `PATH`.
+- [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)
+
+### Prerequisite check
-## Important update on Python 2.x Support
+- In a terminal or command window, run ``python --version`` to check that the .NET SDK is version 3.7 or later.
+- Run ``az --version`` (Azure CLI) or ``Get-Module -ListAvailable AzureRM`` (Azure PowerShell) to check that you have the appropriate Azure command-line tools installed.
-New releases of this SDK won't support Python 2.x starting January 1st, 2022. Please check the [CHANGELOG](./sdk-python.md) for more information.
+## Setting up
-## Create a database account
+This section walks you through creating an Azure Cosmos DB account and setting up a project that uses Azure Cosmos DB for NoSQL client library for .NET to manage resources.
+### Create an Azure Cosmos DB account
-## Add a container
+> [!TIP]
+> Alternatively, you can [try Azure Cosmos DB free](../try-free.md) before you commit. If you create an account using the free trial, you can safely skip this section.
-## Add sample data
+### Create a new Python app
+Create a new Python code file (*app.py*) in an empty folder using your preferred integrated development environment (IDE).
-## Query your data
+### Install the package
+Add the [`azure-cosmos`](https://pypi.org/project/azure-cosmos) PyPI package to the Python app. Use the `pip install` command to install the package.
-## Clone the sample application
+```bash
+pip install azure-cosmos
+```
-Now let's clone a API for NoSQL app from GitHub, set the connection string, and run it. This quickstart uses version 4 of the [Python SDK](https://pypi.org/project/azure-cosmos/#history).
+### Configure environment variables
-1. Open a command prompt, create a new folder named git-samples, then close the command prompt.
- ```cmd
- md git-samples
- ```
+## Object model
- If you are using a bash prompt, you should instead use the following command:
- ```bash
- mkdir "git-samples"
- ```
+You'll use the following Python classes to interact with these resources:
-2. Open a git terminal window, such as git bash, and use the `cd` command to change to the new folder to install the sample app.
+- [``CosmosClient``](/python/api/azure-cosmos/azure.cosmos.cosmos_client.cosmosclient) - This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service.
+- [``DatabaseProxy``](/python/api/azure-cosmos/azure.cosmos.database.databaseproxy) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.
+- [``ContainerProxy``](/python/api/azure-cosmos/azure.cosmos.container.containerproxy) - This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it.
- ```bash
- cd "git-samples"
- ```
+## Code examples
-3. Run the following command to clone the sample repository. This command creates a copy of the sample app on your computer.
+- [Authenticate the client](#authenticate-the-client)
+- [Create a database](#create-a-database)
+- [Create a container](#create-a-container)
+- [Create an item](#create-an-item)
+- [Get an item](#get-an-item)
+- [Query items](#query-items)
- ```bash
- git clone https://github.com/Azure-Samples/azure-cosmos-db-python-getting-started.git
- ```
+The sample code described in this article creates a database named ``adventureworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.
-## Update your connection string
+For this sample code, the container will use the category as a logical partition key.
-Now go back to the Azure portal to get your connection string information and copy it into the app.
+### Authenticate the client
-1. In your Azure Cosmos DB account in the [Azure portal](https://portal.azure.com/), select **Keys** from the left navigation. Use the copy buttons on the right side of the screen to copy the **URI** and **Primary Key** into the *cosmos_get_started.py* file in the next step.
+From the project directory, open the *app.py* file. In your editor, import the `os` and `json` modules. Then, import the `CosmosClient` and `PartitionKey` classes from the `azure.cosmos` module.
- :::image type="content" source="./media/quickstart-python/access-key-and-uri-in-keys-settings-in-the-azure-portal.png" alt-text="Get an access key and URI in the Keys settings in the Azure portal":::
-2. In Visual Studio Code, open the *cosmos_get_started.py* file in *\git-samples\azure-cosmos-db-python-getting-started*.
+Create variables for the `COSMOS_ENDPOINT` and `COSMOS_KEY` environment variables using `os.environ`.
-3. Copy your **URI** value from the portal (using the copy button) and make it the value of the **endpoint** variable in *cosmos_get_started.py*.
- `endpoint = 'https://FILLME.documents.azure.com',`
+Create a new client instance using the [`CosmosClient`](/python/api/azure-cosmos/azure.cosmos.cosmos_client.cosmosclient) class constructor and the two variables you created as parameters.
-4. Then copy your **PRIMARY KEY** value from the portal and make it the value of the **key** in *cosmos_get_started.py*. You've now updated your app with all the info it needs to communicate with Azure Cosmos DB.
- `key = 'FILLME'`
+### Create a database
-5. Save the *cosmos_get_started.py* file.
+Use the [`CosmosClient.create_database_if_not_exists`](/python/api/azure-cosmos/azure.cosmos.cosmos_client.cosmosclient#azure-cosmos-cosmos-client-cosmosclient-create-database-if-not-exists) method to create a new database if it doesn't already exist. This method will return a [`DatabaseProxy`](/python/api/azure-cosmos/azure.cosmos.databaseproxy) reference to the existing or newly created database.
-## Review the code
-This step is optional. Learn about the database resources created in code, or skip ahead to [Update your connection string](#update-your-connection-string).
+### Create a container
-The following snippets are all taken from the [cosmos_get_started.py](https://github.com/Azure-Samples/azure-cosmos-db-python-getting-started/blob/main/cosmos_get_started.py) file.
+The [`PartitionKey`](/python/api/azure-cosmos/azure.cosmos.partitionkey) class defines a partition key path that you can use when creating a container.
-* The CosmosClient is initialized. Make sure to update the "endpoint" and "key" values as described in the [Update your connection string](#update-your-connection-string) section.
- [!code-python[](~/azure-cosmos-db-python-getting-started/cosmos_get_started.py?name=create_cosmos_client)]
+The [`Databaseproxy.create_container_if_not_exists`](/python/api/azure-cosmos/azure.cosmos.databaseproxy#azure-cosmos-databaseproxy-create-container-if-not-exists) method will create a new container if it doesn't already exist. This method will also return a [`ContainerProxy`](/python/api/azure-cosmos/azure.cosmos.containerproxy) reference to the container.
-* A new database is created.
- [!code-python[](~/azure-cosmos-db-python-getting-started/cosmos_get_started.py?name=create_database_if_not_exists)]
+### Create an item
-* A new container is created, with 400 RU/s of [provisioned throughput](../request-units.md). We choose `lastName` as the [partition key](../partitioning-overview.md#choose-partitionkey), which allows us to do efficient queries that filter on this property.
+Create a new item in the container by first creating a new variable (`newItem`) with a sample item defined. In this example, the unique identifier of this item is `70b63682-b93a-4c77-aad2-65501347265f`. The partition key value is derived from the `/categoryId` path, so it would be `61dba35b-4f02-45c5-b648-c6badc0cbd79`.
- [!code-python[](~/azure-cosmos-db-python-getting-started/cosmos_get_started.py?name=create_container_if_not_exists)]
-* Some items are added to the container. Containers are a collection of items (JSON documents) that can have varied schema. The helper methods ```get_[name]_family_item``` return representations of a family that are stored in Azure Cosmos DB as JSON documents.
+> [!TIP]
+> The remaining fields are flexible and you can define as many or as few as you want. You can even combine different item schemas in the same container.
- [!code-python[](~/azure-cosmos-db-python-getting-started/cosmos_get_started.py?name=create_item)]
+Create an item in the container by using the [`ContainerProxy.create_item`](/python/api/azure-cosmos/azure.cosmos.containerproxy#azure-cosmos-containerproxy-create-item) method passing in the variable you already created.
-* Point reads (key value lookups) are performed using the `read_item` method. We print out the [RU charge](../request-units.md) of each operation.
- [!code-python[](~/azure-cosmos-db-python-getting-started/cosmos_get_started.py?name=read_item)]
+### Get an item
-* A query is performed using SQL query syntax. Because we're using partition key values of ```lastName``` in the WHERE clause, Azure Cosmos DB will efficiently route this query to the relevant partitions, improving performance.
+In Azure Cosmos DB, you can perform a point read operation by using both the unique identifier (``id``) and partition key fields. In the SDK, call [`ContainerProxy.read_item](/python/api/azure-cosmos/azure.cosmos.containerproxy#azure-cosmos-containerproxy-read-item) passing in both values to return an item as a dictionary of strings and values (`dict[str, Any]`).
- [!code-python[](~/azure-cosmos-db-python-getting-started/cosmos_get_started.py?name=query_items)]
-
-## Run the app
-1. In Visual Studio Code, select **View** > **Command Palette**.
+In this example, the dictionary result is saved to a variable named `existingItem`.
-2. At the prompt, enter **Python: Select Interpreter** and then select the version of Python to use.
+### Query items
- The Footer in Visual Studio Code is updated to indicate the interpreter selected.
+After you insert an item, you can run a query to get all items that match a specific filter. This example runs the SQL query: ``SELECT * FROM products p WHERE p.categoryId = "61dba35b-4f02-45c5-b648-c6badc0cbd79"``. This example uses query parameterization to construct the query. The query uses a string of the SQL query, and a dictionary of query parameters.
-3. Select **View** > **Integrated Terminal** to open the Visual Studio Code integrated terminal.
-4. In the integrated terminal window, ensure you are in the *azure-cosmos-db-python-getting-started* folder. If not, run the following command to switch to the sample folder.
+This example dictionary included the `@categoryId` query parameter and the corresponding value `61dba35b-4f02-45c5-b648-c6badc0cbd79`.
- ```cmd
- cd "\git-samples\azure-cosmos-db-python-getting-started"`
- ```
+Once the query is defined, call [`ContainerProxy.query_items`](/python/api/azure-cosmos/azure.cosmos.containerproxy#azure-cosmos-containerproxy-query-items) to run the query and return the results as a paged set of items (`ItemPage[Dict[str, Any]]`).
-5. Run the following command to install the azure-cosmos package.
- ```python
- pip install azure-cosmos aiohttp
- ```
+Finally, use a for loop to iterate over the results in each page and perform various actions.
- If you get an error about access being denied when attempting to install azure-cosmos, you'll need to [run VS Code as an administrator](https://stackoverflow.com/questions/37700536/visual-studio-code-terminal-how-to-run-a-command-with-administrator-rights).
-6. Run the following command to run the sample and create and store new documents in Azure Cosmos DB.
+In this example, `json.dumps` is used to print the item to the console in a human-readable way.
- ```python
- python cosmos_get_started.py
- ```
+## Run the code
-7. To confirm the new items were created and saved, in the Azure portal, select **Data Explorer** > **AzureSampleFamilyDatabase** > **Items**. View the items that were created. For example, here is a sample JSON document for the Andersen family:
-
- ```json
- {
- "id": "Andersen-1569479288379",
- "lastName": "Andersen",
- "district": "WA5",
- "parents": [
- {
- "familyName": null,
- "firstName": "Thomas"
- },
- {
- "familyName": null,
- "firstName": "Mary Kay"
- }
- ],
- "children": null,
- "address": {
- "state": "WA",
- "county": "King",
- "city": "Seattle"
- },
- "registered": true,
- "_rid": "8K5qAIYtZXeBhB4AAAAAAA==",
- "_self": "dbs/8K5qAA==/colls/8K5qAIYtZXc=/docs/8K5qAIYtZXeBhB4AAAAAAA==/",
- "_etag": "\"a3004d78-0000-0800-0000-5d8c5a780000\"",
- "_attachments": "attachments/",
- "_ts": 1569479288
- }
- ```
+This app creates an API for NoSQL database and container. The example then creates an item and then reads the exact same item back. Finally, the example issues a query that should only return that single item. At the final step, the example outputs the final item to the console.
-## Review SLAs in the Azure portal
+Use a terminal to navigate to the application directory and run the application.
+```bash
+python app.py
+```
+
+The output of the app should be similar to this example:
+
+```output
+{
+ "id": "70b63682-b93a-4c77-aad2-65501347265f",
+ "categoryId": "61dba35b-4f02-45c5-b648-c6badc0cbd79",
+ "categoryName": "gear-surf-surfboards",
+ "name": "Yamba Surfboard",
+ "quantity": 12,
+ "sale": false,
+ "_rid": "yzN6AIfJxe0BAAAAAAAAAA==",
+ "_self": "dbs/yzN6AA==/colls/yzN6AIfJxe0=/docs/yzN6AIfJxe0BAAAAAAAAAA==/",
+ "_etag": "\"2a00ccd4-0000-0200-0000-63650e420000\"",
+ "_attachments": "attachments/",
+ "_ts": 16457527130
+}
+```
+
+> [!NOTE]
+> The fields assigned by Azure Cosmos DB (ex. ) will vary from this sample output.
## Clean up resources ## Next steps
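Review bot: several `+` lines in this Python quickstart still say ".NET": the `description:` line ("build a .NET app"), the NOTE ("available on GitHub as a .NET project"), the prerequisite check ("run `python --version` to check that the .NET SDK is version 3.7 or later") and the "Setting up" intro ("client library for .NET"); all four should say Python. Further points, in hunk order. The PowerShell check `Get-Module -ListAvailable AzureRM` looks for the deprecated AzureRM module while the link points at Azure PowerShell (the Az module); use `Get-Module -ListAvailable Az`. The new "### Configure environment variables" heading has no body, yet "Authenticate the client" reads `COSMOS_ENDPOINT` and `COSMOS_KEY` from `os.environ`; add the step that tells readers to set those two variables from the account's endpoint and key. Moving the key out of the source file is the right change (the removed steps had readers paste the primary key into *cosmos_get_started.py*), so say explicitly that the key lives in the environment, not in *app.py*. `Databaseproxy.create_container_if_not_exists` should be `DatabaseProxy`, and the link targets `azure.cosmos.databaseproxy` and `azure.cosmos.containerproxy` differ from the `azure.cosmos.database.databaseproxy` and `azure.cosmos.container.containerproxy` paths used under "Object model"; one set is probably broken. In "Get an item", `[`ContainerProxy.read_item](...)` is missing its closing backtick. In "Query items" the SQL shown embeds the literal category id while the text describes `@categoryId` parameterization; show `SELECT * FROM products p WHERE p.categoryId = @categoryId` so the parameterized form is what readers copy, and "This example dictionary included" should read "includes". `ItemPage[Dict[str, Any]]` should be `ItemPaged[Dict[str, Any]]` (`azure.core.paging.ItemPaged`). In the sample output, `"_ts": 16457527130` has one digit too many for a seconds-since-epoch timestamp. The closing NOTE's "(ex. )" is empty; list the system fields visible in the output above it (`_rid`, `_self`, `_etag`, `_attachments`, `_ts`).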
-In this quickstart, you've learned how to create an Azure Cosmos DB account, create a container using the Data Explorer, and run a Python app in Visual Studio Code. You can now import additional data to your Azure Cosmos DB account.
-
-Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.
-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)
-* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)
+In this quickstart, you learned how to create an Azure Cosmos DB for NoSQL account, create a database, and create a container using the Python SDK. You can now dive deeper into guidance on how to import your data into the API for NoSQL.
> [!div class="nextstepaction"]
-> [Import data into Azure Cosmos DB for the API for NoSQL](../import-data.md)
+> [Import data into Azure Cosmos DB for NoSQL](../import-data.md)
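Review bot: the "Next steps" rewrite drops the two capacity-planning bullets (estimating request units from vCores, and from request rates) without a replacement; if that guidance still applies to the API for NoSQL, keep the links under the new summary. The new summary says you learned to "create a database, and create a container", but the quickstart above also creates, reads and queries an item; mention those so the summary matches the steps. The link-text fix in the nextstepaction line is fine.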
cosmos-db Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/policy-reference.md
Title: Built-in policy definitions for Azure Cosmos DB description: Lists Azure Policy built-in policy definitions for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
cosmos-db Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
data-factory Continuous Integration Delivery Improvements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/continuous-integration-delivery-improvements.md
Follow these steps to get started:
```json { "scripts":{
- "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index",
+ "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index"
}, "dependencies":{ "@microsoft/azure-data-factory-utilities":"^1.0.0"
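Review bot: the trailing-comma removal after the `build` entry is correct and needed: JSON does not allow a trailing comma in an object, so npm could not parse the previous `package.json` fragment. No further change needed.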
data-factory Create Self Hosted Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-self-hosted-integration-runtime.md
Based on your source and sinks, you might need to allow additional domains and o
For some cloud databases, such as Azure SQL Database and Azure Data Lake, you might need to allow IP addresses of self-hosted integration runtime machines on their firewall configuration.
+> [!NOTE]
+> It is not right to install both Integration Runtime and Power BI gateway in same machine, because mainly Integration Runtime uses port number 443, which is one of the main ports being used by Power BI gateway as well.
+ ### Get URL of Azure Relay One required domain and port that need to be put in the allowlist of your firewall is for the communication to Azure Relay. The self-hosted integration runtime uses it for interactive authoring such as test connection, browse folder list and table list, get schema, and preview data. If you don't want to allow **.servicebus.windows.net** and would like to have more specific URLs, then you can see all the FQDNs that are required by your self-hosted integration runtime from the service portal. Follow these steps:
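Review bot: the justification in the new NOTE does not hold up: both the self-hosted integration runtime and the Power BI gateway use port 443 for outbound HTTPS, and outbound connections from two processes on the same machine do not compete for a destination port, so "uses port number 443" is not a reason they cannot coexist. If the guidance is that installing both on one machine is unsupported, state that plainly (for example "We don't recommend installing the self-hosted integration runtime and the Power BI gateway on the same machine") and give the real constraint, or drop the "because" clause. "It is not right to install" and "in same machine" also need rewording.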
data-factory Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/policy-reference.md
Previously updated : 09/12/2022 Last updated : 11/04/2022 # Azure Policy built-in definitions for Data Factory (Preview)
data-factory Security And Access Control Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/security-and-access-control-troubleshoot-guide.md
Previously updated : 08/18/2022 Last updated : 11/04/2022
The problem is usually caused by one of the following factors:
If none of the preceding methods works, contact Microsoft for help.
+### Deleted or rejected private end point still shows Aprroved in ADF
+
+#### Symptoms
+
+You created managed private endpoint from ADF and obtained an approved private endpoint. But, after deleting or rejecting the private endpoint later, the managed private endpoint in ADF still persists to exist and shows ΓÇ£ApprovedΓÇ¥.
+
+#### Cause
+
+Currently, ADF stops pulling private end point status after the it is approved. Hence the status shown in ADF is stale.
+
+##### Resolution
+
+You should delete the managed private end point in ADF once existing private endpoints are rejected/deleted from source/sink datasets.
### Invalid or empty authentication key issue after public network access is disabled
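Review bot: the new troubleshooting entry has a typo in its heading ("Aprroved"), mis-encoded quotes around Approved (`ΓÇ£ApprovedΓÇ¥`, which should be plain quotation marks), and a heading-level slip: "##### Resolution" should be "#### Resolution" to match "#### Symptoms" and "#### Cause". Wording: "still persists to exist" should be "still exists", "after the it is approved" should be "after it is approved", and "private end point" should be "private endpoint" throughout. The Resolution should also say that the "Approved" shown in ADF is stale and does not mean traffic still flows through the deleted or rejected endpoint, since an operator reading that status may assume connectivity is intact; the Cause paragraph already establishes that ADF stops polling once the endpoint is approved.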
data-factory Self Hosted Integration Runtime Auto Update https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-auto-update.md
Previously updated : 08/18/2022 Last updated : 10/23/2022 # Self-hosted integration runtime auto-update and expire notification
You can use this [PowerShell command](/powershell/module/az.datafactory/get-azda
> If you have multiple self-hosted integration runtime nodes, there is no downtime during auto-update. The auto-update happens in one node first while others are working on tasks. When the first node finishes the update, it will take over the remain tasks when other nodes are updating. If you only have one self-hosted integration runtime, then it has some downtime during the auto-update. ## Auto-update version vs latest version
-To ensure the stability of self-hosted integration runtime, although we release two versions, we will only push one version every month. So sometimes you will find that the auto-update version is the previous version of the actual latest version. If you want to get the latest version, you can go to [download center](https://www.microsoft.com/download/details.aspx?id=39717). Additionally, auto-update to a version is managed one. You cannot change it. If you want to upgrade to latest version, you have to do it manually.
+To ensure the stability of self-hosted integration runtime, although we release two versions, we will only push one version every month. So sometimes you will find that the auto-update version is the previous version of the actual latest version. If you want to get the latest version, you can go to [download center](https://www.microsoft.com/download/details.aspx?id=39717) and do so manually. Additionally, **auto-update** to a new version is managed internally. You cannot change it.
The self-hosted integration runtime **Auto update** page in ADF portal shows the newer version if current version is old. When your self-hosted integration runtime is online, this version is auto-update version and will automatically update your self-hosted integration runtime in the scheduled time. But if your self-hosted integration runtime is offline, the page only shows the latest version.
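Review bot: the rewritten sentence "**auto-update** to a new version is managed internally. You cannot change it." is still ambiguous about what cannot be changed; say that the version auto-update installs is chosen by the service and cannot be pinned or selected, and that the download center is the only route to the newest release. "although we release two versions, we will only push one version every month" leaves the cadence unclear (two releases per month?); state the cadence. "the previous version of the actual latest version" reads better as "one release behind the latest version".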
data-factory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/whats-new.md
This page is updated monthly, so revisit it regularly. For older months' update
Check out our [What's New video archive](https://www.youtube.com/playlist?list=PLt4mCx89QIGS1rQlNt2-7iuHHAKSomVLv) for all of our monthly update videos.
+## October 2022
+
+### Data flow
+
+- Export up to 1000 rows from data flow preview [Learn more](concepts-data-flow-debug-mode.md?tabs=data-factory#data-preview)
+- SQL CDC in Mapping Data Flows now available (Public Preview) [Learn more](connector-sql-server.md?tabs=data-factory#native-change-data-capture)
+- Unlock advanced analytics with Microsoft 365 Mapping Data Flow Connector [Learn more](https://devblogs.microsoft.com/microsoft365dev/scale-access-to-microsoft-365-data-with-microsoft-graph-data-connect/)
+
+### Data movement
+
+- SAP Change Data Capture (CDC) in now generally available [Learn more](connector-sap-change-data-capture.md#transform-data-with-the-sap-cdc-connector)
+- Azure-SSIS Integration Runtime now generally available in Azure Synapse Analytics [Learn more](https://techcommunity.microsoft.com/t5/sql-server-integration-services/azure-ssis-integration-runtime-now-available-in-azure-synapse/ba-p/3171763)
+
+### Developer productivity
+
+- Now accepting community contributions to Template Gallery [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-azure-data-factory-community-templates/ba-p/3650989)
+- New design in Azure portal ΓÇô easily discover how to launch ADF Studio [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/improved-ui-for-launching-azure-data-factory-studio/ba-p/3659610)
+- Learning Center now available in the Azure Data Factory studio [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-the-learning-center-to-azure-data-factory-studio/ba-p/3660888)
+- One-click to try Azure Data Factory [Learn more](quickstart-get-started.md)
+
+### Orchestration
+
+- Granular billing view available for ADF ΓÇô see detailed billing information by pipeline (Public Preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/granular-billing-for-azure-data-factory/ba-p/3654600)
+- Script activity execution timeout now configurable [Learn more](transform-data-using-script.md)
+
+### Region expansion
+
+Continued region expansion ΓÇô Qatar Central now supported [Learn more](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=data-factory)
+
+### Continuous integration and continuous deployment
+
+Exclude pipeline triggers that did not change in deployment now generally available [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/ci-cd-improvements-related-to-pipeline-triggers-deployment/ba-p/3605064)
+ ## September 2022 ### Video summary
DELETE method in the Web activity now supports sending a body with HTTP request
### User interface - Native UI support of parameterization added for 6 additional linked services ΓÇô SAP ODP, ODBC, Microsoft Access, Informix, Snowflake, and DB2 [Learn more](parameterize-linked-services.md?tabs=data-factory#supported-linked-service-types)-- Pipeline designer enhancements added in Studio Preview experience ΓÇô users can view workflow inside pipeline objects like For Each, If Then, etc.. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/azure-data-factory-updated-pipeline-designer/ba-p/3618755)
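Review bot: three of the new October bullets carry mojibake for an en dash (`ΓÇô` in "New design in Azure portal ΓÇô easily discover", "Granular billing view available for ADF ΓÇô see detailed", and "Continued region expansion ΓÇô Qatar Central"); the same sequence appears in the unchanged "User interface" bullet just above, so the file is probably being saved in a non-UTF-8 encoding. Replace with a plain en dash or a hyphen and check the file encoding. Also "SAP Change Data Capture (CDC) in now generally available" should read "is now generally available".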
+- Pipeline designer enhancements added in Studio Preview experience ΓÇô users can view workflow inside pipeline objects like For Each, If Then, etc. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/azure-data-factory-updated-pipeline-designer/ba-p/3618755)
## August 2022
DELETE method in the Web activity now supports sending a body with HTTP request
Service principal authentication type added for Azure Blob storage [Learn more](connector-azure-blob-storage.md?tabs=data-factory#service-principal-authentication) ### Developer productivity-- Default activity time out changed from 7 days to 12 hours [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/azure-data-factory-changing-default-pipeline-activity-timeout/ba-p/3598729)
+- Default activity time-out changed from 7 days to 12 hours [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/azure-data-factory-changing-default-pipeline-activity-timeout/ba-p/3598729)
- New data factory creation experience - one click to have your factory ready within seconds [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/new-experience-for-creating-data-factory-within-seconds/ba-p/3561249) - Expression builder UI update ΓÇô categorical tabs added for easier use [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/coming-soon-to-adf-more-pipeline-expression-builder-ease-of-use/ba-p/3567196)
data-factory Wrangling Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/wrangling-tutorial.md
The other method is in the activities pane of the pipeline canvas. Open the **Po
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWJd3T] >
-Add a **Source dataset** for your Power Query mash-up. You can either choose an existing dataset or create a new one. After you have saved your mash-up, you can then add the Power Query data wrangling activity to your pipeline and select a sink dataset to tell ADF where to land your data. While you can choose one or more source datasets, only one sink is allowed at this time. Choosing a sink dataset is optional, but at least one source dataset is required.
+Add a **Source dataset** for your Power Query mash-up. You can either choose an existing dataset or create a new one. After you have saved your mash-up, you can then create a pipeline, add the Power Query data wrangling activity to your pipeline and select a sink dataset to tell ADF where to land your data. While you can choose one or more source datasets, only one sink is allowed at this time. Choosing a sink dataset is optional, but at least one source dataset is required.
:::image type="content" source="media/wrangling-data-flow/tutorial4.png" alt-text="Wrangling":::
First, you will choose a dataset source for the mashup editor.
:::image type="content" source="media/wrangling-data-flow/power-query-new-source.png" alt-text="Power Query source.":::
-Once you have completed building your Power Query, you can save it and add the mashup as an activity to your pipeline. That is when you will set the sink dataset properties.
+Once you have completed building your Power Query, you can save it and then create a pipeline. You need to add the mashup as an activity to your pipeline. That is when you will create/select the sink dataset to land your data. You can also set the sink dataset properties by clicking on the second button on the right side of the sinked dataset. Remember to change the "partition option" under "Optimize" to "Single partition" if you only want to get a single output file.
:::image type="content" source="media/wrangling-data-flow/power-query-new-sink.png" alt-text="Power Query sink.":::
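Review bot: "sinked dataset" in the added paragraph should read "sink dataset", and the UI labels in that sentence ("partition option", "Optimize", "Single partition") are wrapped in straight quotes while the rest of the article bolds UI elements (**Source dataset**); use bold for all of them. "clicking on the second button on the right side of the sinked dataset" also describes a position rather than a control; name the button (as it is labelled in the sink screenshot) so the step survives a layout change.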
data-lake-analytics Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Analytics description: Lists Azure Policy built-in policy definitions for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
data-lake-analytics Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
data-lake-store Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Storage Gen1 description: Lists Azure Policy built-in policy definitions for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
data-lake-store Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
databox-online Azure Stack Edge Gpu Certificates Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-certificates-overview.md
The various types of certificates that you can bring for your device are as foll
- Encryption certificates - Support session certificates
-Each of these certificates are described in detail in the following sections.
+Each type of certificate is described in detail in the following sections.
## Signing chain certificates
There are three IoT Edge certificates that you need to install to enable this tr
- The IoT Edge certificates are uploaded in `.pem` format.
-For more information on IoT Edge certificates, see [Azure IoT Edge certificate details](../iot-edge/iot-edge-certs.md#iot-edge-certificates) and [Create IoT Edge production certificates](../iot-edge/how-to-manage-device-certificates.md?preserve-view=true&view=iotedge-2020-11#create-production-certificates).
+For more information on IoT Edge certificates, see [Azure IoT Edge certificate details](../iot-edge/iot-edge-certs.md) and [Create IoT Edge production certificates](../iot-edge/how-to-manage-device-certificates.md).
## Kubernetes certificates
If VPN (Point-to-site) is configured on your device, you can bring your own VPN
#### Caveats - The VPN certificate must be uploaded as a *.pfx* format with a private key.-- The VPN certificate is not dependant on the device name, device serial number, or device configuration. It only requires the external FQDN.
+- The VPN certificate is not dependent on the device name, device serial number, or device configuration. It only requires the external FQDN.
- Make sure that the client OID is set. For more information, see [Generate and export certificates for Point-to-Site using PowerShell](../vpn-gateway/vpn-gateway-certificates-point-to-site.md#generate-and-export-certificates-for-point-to-site-using-powershell).
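Review bot: the link edit drops the `#iot-edge-certificates` and `#create-production-certificates` fragments together with the `?preserve-view=true&view=iotedge-2020-11` query string. Dropping the version query is fine if the target article no longer has versioned views, but confirm that the two headings really are gone before removing the anchors; otherwise readers of the "Signing chain certificates" section land at the top of a long page instead of the certificate-creation steps. In the Caveats list the first two bullets appear on one line ("with a private key.-- The VPN certificate is not dependent ..."); each bullet should start on its own line so the `.pfx` with private key requirement and the FQDN requirement render as separate items.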
databox-online Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/policy-reference.md
Title: Built-in policy definitions for Azure Stack Edge description: Lists Azure Policy built-in policy definitions for Azure Stack Edge. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
databox Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/policy-reference.md
Title: Built-in policy definitions for Azure Data Box description: Lists Azure Policy built-in policy definitions for Azure Data Box. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
databox Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Box description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Box. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
ddos-protection Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/policy-reference.md
na Previously updated : 10/12/2022 Last updated : 11/04/2022
defender-for-cloud Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/policy-reference.md
Title: Built-in policy definitions for Microsoft Defender for Cloud description: Lists Azure Policy built-in policy definitions for Microsoft Defender for Cloud. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022 # Azure Policy built-in definitions for Microsoft Defender for Cloud
deployment-environments Concept Environments Key Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/concept-environments-key-concepts.md
Last updated 10/12/2022
# Key concepts for new Azure Deployment Environments Preview users
-Learn about the key concepts and components of Azure Deployment Environments Preview. This knowledge can help you to more effectively deploy environments for your scenarios.
+Learn about the key concepts and components of Azure Deployment Environments Preview. This knowledge can help you more effectively deploy environments for your scenarios.
> [!IMPORTANT] > Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Dev centers
-A dev center is a collection of projects that require similar settings. Dev centers enable dev infrastructure managers to manage the infrastructure-as-code templates made available to the projects using Catalogs, and configure the different types of environments, various development teams can create, using Environment Types.
+A dev center is a collection of projects that require similar settings. Dev centers enable development infrastructure (dev infra) managers to:
+
+- Use catalogs to manage infrastructure as code (IaC) templates that are available to the projects.
+- Use environment types to configure the types of environments that development teams can create.
## Projects
-A project is the point of access for the development team members. When you associate a project with a dev center, all the settings at the dev center level will be automatically applied to the project. Each project can be associated with only one dev center. Dev infra admins can configure different types of environments made available for the project by specifying the environment types appropriate for the specific development team.
+A project is the point of access for the development team. When you associate a project with a dev center, all the settings for the dev center are automatically applied to the project.
+
+Each project can be associated with only one dev center. Dev infra admins can configure environments for a project by specifying which environment types are appropriate for the development team.
## Environments
-Environment is a collection of Azure resources on which your application is deployed. For example, to deploy a web application, you might create an environment consisting of an [App Service](../app-service/overview.md), [Key Vault](../key-vault/general/basic-concepts.md), [Cosmos DB](../cosmos-db/introduction.md) and a [Storage account](../storage/common/storage-account-overview.md). An environment could consist of both Azure PaaS and IaaS resources such as AKS Cluster, App Service, VMs, databases, etc.
+An environment is a collection of Azure resources on which your application is deployed. For example, to deploy a web application, you might create an environment that consists of [Azure App Service](../app-service/overview.md), [Azure Key Vault](../key-vault/general/basic-concepts.md), [Azure Cosmos DB](../cosmos-db/introduction.md), and a [storage account](../storage/common/storage-account-overview.md). An environment could consist of both Azure platform as a service (PaaS) and infrastructure as a service (IaaS) resources such as an Azure Kubernetes Service (AKS) cluster, virtual machines, and databases.
## Identities
-[Managed Identities](../active-directory/managed-identities-azure-resources/overview.md) are used in Azure Deployment Environments to provide elevation-of-privilege capabilities. Identities will help provide self-serve capabilities to your development teams without them needing any access to the target subscriptions in which the Azure resources are created. The managed identity attached to the dev center needs to be granted appropriate access to connect to the Catalogs and should be granted 'Owner' access to the target deployment subscriptions configured at the project level. Azure Deployment Environments service will use the specific deployment identity to perform the deployment on behalf of the developer.
+in Azure Deployment Environments, you use [managed identities](../active-directory/managed-identities-azure-resources/overview.md) to provide elevation-of-privilege capabilities. Identities can help you provide self-serve capabilities to your development teams without giving them access to the target subscriptions in which the Azure resources are created.
+
+The managed identity that's attached to the dev center needs to be granted appropriate access to connect to the catalogs. You should grant owner access to the target deployment subscriptions that are configured at the project level. The Azure Deployment Environments service will use the specific managed identity to perform the deployment on behalf of the developer.
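Review bot: the rewritten Identities paragraph loses the grantee. The removed sentence said the managed identity attached to the dev center "should be granted 'Owner' access to the target deployment subscriptions"; the new "You should grant owner access to the target deployment subscriptions" no longer says who receives it, and reads as generic advice to the reader. Restore the subject and the built-in role name, for example "Grant that managed identity the Owner role on the target deployment subscriptions configured at the project level." The paragraph also opens with a lowercase "in Azure Deployment Environments".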
## Dev center environment types
-You can use environment types to define the type of environments the development teams can create, for example, dev, test, sandbox, pre-production, or production. Azure Deployment Environments provides the flexibility to name the environment types as per the nomenclature used in your enterprise. When you create an environment type, you'll be able to configure and apply different settings for different environment types based on specific needs of the development teams.
+You can define the types of environments that development teams can create: for example, dev, test, sandbox, pre-production, or production. Azure Deployment Environments provides the flexibility to name the environment types according to the nomenclature that your enterprise uses. You can configure settings for various environment types based on the specific needs of the development teams.
## Project environment types
-Project Environment Types are a subset of the environment types configured per dev center and help you pre-configure the different types of environments specific development teams can create. You'll be able to configure the target subscription in which Azure resources are created per project per environment type. Project environment types will allow you to automatically apply the right set of policies on different environments and help abstract the Azure governance related concepts from your development teams. The service also provides the flexibility to pre-configure the [managed identity](concept-environments-key-concepts.md#identities) that will be used to perform the deployment and the access levels the development teams will get after a specific environment is created.
+Project environment types are a subset of the environment types that you configure for the dev center. They help you preconfigure the types of environments that specific development teams can create. You can configure the target subscription in which Azure resources are created per project and per environment type.
+
+Project environment types allow you to automatically apply the right set of policies on environments and help abstract the Azure governance-related concepts from your development teams. The service also provides the flexibility to preconfigure:
+
+- The [managed identity](concept-environments-key-concepts.md#identities) that will be used to perform the deployment.
+- The access levels that the development teams will get after a specific environment is created.
## Catalogs
-Catalogs help you provide a set of curated infra-as-code templates for your development teams to create Environments. You can attach either a [GitHub repository](https://docs.github.com/repositories/creating-and-managing-repositories/about-repositories) or an [Azure DevOps Services repository](/azure/devops/repos/get-started/what-is-repos) as a Catalog. Deployment Environments will scan through the specified folder of the repository to find [Catalog Items](#catalog-items), and make them available for use by all the Projects associated with the dev center.
+Catalogs help you provide a set of curated IaC templates for your development teams to create environments. You can attach either a [GitHub repository](https://docs.github.com/repositories/creating-and-managing-repositories/about-repositories) or an [Azure DevOps Services repository](/azure/devops/repos/get-started/what-is-repos) as a catalog.
+
+Deployment environments scan the specified folder of the repository to find [catalog items](#catalog-items). The environments then make those catalog items available to all the projects associated with the dev center.
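Review bot: the agent in the added Catalogs paragraph is wrong. "Deployment environments scan the specified folder of the repository ... The environments then make those catalog items available" attributes the scan to the environments, whereas the removed sentence (and the sentence just above, "Catalogs help you provide ...") describes the Azure Deployment Environments service scanning the repository folder attached as a catalog. Suggest "Azure Deployment Environments scans the specified folder of the repository to find [catalog items](#catalog-items) and makes them available to all the projects associated with the dev center."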
-## Catalog Items
+## Catalog items
-A Catalog Item is a combination of an infra-as-code template and a manifest file. The environment definition will be defined in the template and the manifest will be used to provide metadata about the template. The Catalog Items that you provide in the Catalog will be used by your development teams to create environments in Azure.
+A catalog item is a combination of an IaC template and a manifest file. The template defines the environment, and the manifest provides metadata about the template. Your development teams will use the items that you provide in the catalog to create environments in Azure.
> [!NOTE]
-> During public preview, Azure Deployments Environments uses Azure Resource Manager (ARM) templates.
+> During public preview, Azure Deployment Environments uses Azure Resource Manager (ARM) templates.
-## Azure Resource Manager (ARM) templates
+## ARM templates
-[Azure Resource Manager (ARM) templates](../azure-resource-manager/templates/overview.md) help you implement the infrastructure as code for your Azure solutions by defining the infrastructure and configuration for your project, the resources to deploy, and the properties of those resources.
+[ARM templates](../azure-resource-manager/templates/overview.md) help you implement the IaC for your Azure solutions by defining the infrastructure and configuration for your project, the resources to deploy, and the properties of those resources.
-[Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md) describes the structure of an Azure Resource Manager template, the different sections of a template, and the properties that are available in those sections.
+To learn about the structure of an ARM template, the sections of a template, and the properties that are available in those sections, see [Understand the structure and syntax of Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md).
## Next steps
deployment-environments Concept Environments Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/concept-environments-scenarios.md
Last updated 10/12/2022
# Scenarios for using Azure Deployment Environments Preview
-This article discusses a few possible scenarios and benefits of Azure Deployment Environments Preview, and the resources used to implement those scenarios. Depending on the needs of an enterprise, Azure Deployment Environments can be configured to meet different requirements.
-
-Some possible scenarios are:
-- Environments as part of a CI/CD pipeline-- Sandbox environments for investigations-- On-demand test environments-- Training sessions, hands-on labs, and hackathons
+This article discusses a few possible scenarios for Azure Deployment Environments Preview, along with the resources that an organization can use to implement those scenarios. Azure Deployment Environments can be configured to meet the needs of an enterprise.
> [!IMPORTANT] > Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Environments as part of a CI/CD pipeline
-Creating and managing environments across an enterprise can require significant effort. With Azure Deployment Environments, different types of product lifecycle environments such as development, testing, staging, pre-Production, Production, etc. can be easily created, updated, and plugged into a CI/CD pipeline.
+Creating and managing environments across an enterprise can require significant effort. With Azure Deployment Environments, different types of product lifecycle environments (such as development, testing, staging, pre-production, and production) can be easily created, updated, and plugged into a continuous integration and continuous delivery (CI/CD) pipeline.
In this scenario, Azure Deployment Environments provides the following benefits: -- Organizations can attach a [Catalog](./concept-environments-key-concepts.md#catalogs) and provide common 'infra-as-code' templates to create environments ensuring consistency across teams.-- Developers and testers can test the latest version of their application by quickly provisioning environments by using reusable templates.
+- Organizations can attach a [catalog](./concept-environments-key-concepts.md#catalogs) and provide common infrastructure as code (IaC) templates to create environments, to help ensure consistency across teams.
+- Developers and testers can test the latest version of their application by using reusable templates to quickly provision environments.
- Development teams can connect their environments to CI/CD pipelines to enable DevOps scenarios.-- Central Dev IT teams can centrally track costs, security alerts, and manage environments across different projects and dev centers.
+- Central dev IT teams can centrally track costs, track security alerts, and manage environments across projects and dev centers.
## Sandbox environments for investigations
-Developers often investigate different technologies or infrastructure designs. By default, all environments created with Azure Deployment Environments are created in their own resource group and the Project members get contributor access to those resources by default.
+Developers often investigate different technologies or infrastructure designs. By default, all environments created with Azure Deployment Environments are in their own resource group. Project members get contributor access to those resources by default.
In this scenario, Azure Deployment Environments provides the following benefits:
+- Developers can add and change Azure resources as they need for their development or test environments.
+- Central dev IT teams can easily track costs for all the environments that are used for investigations.
## On-demand test environments
-Often developers need to create adhoc test environments that mimic their formal development or testing environments to test a new capability before checking in the code and executing a pipeline. With Azure Deployment Environments, test environments can be easily created, updated, or duplicated.
+Developers often need to create ad hoc environments that mimic their formal development or test environments, to test a new capability before checking in the code and executing a pipeline. With Azure Deployment Environments, developers can easily create, update, or duplicate test environments.
In this scenario, Azure Deployment Environments provides the following benefits:-- Allows teams to access a fully configured environment when itΓÇÖs needed. -- Developers can test the latest version of their application by quickly creating new adhoc environments using reusable templates.
+- Teams can access a fully configured environment when it's needed.
+- Developers can test the latest version of an application by using reusable templates to quickly create new ad hoc environments.
## Trainings, hands-on labs, and hackathons
-A Project in Azure Deployment Environments acts as a great container for transient activities like workshops, hands-on labs, trainings, or hackathons. The service allows you to create a Project where you can provide custom templates to each user.
+A project in Azure Deployment Environments acts as a container for transient activities like workshops, hands-on labs, trainings, or hackathons. You can create a project to provide custom templates to each user.
In this scenario, Azure Deployment Environments provides the following benefits: -- Each trainee can create identical and isolated environments for training. -- Easily delete a Project and all related resources when the training is over.
+- Each user can create identical and isolated environments for training.
+- You can easily delete a project and all related resources when the training is over.
+
+## Deployment options
-## Proof of concept deployment vs. scaled deployment
+After you decide to explore Azure Deployment Environments, there are two general paths forward: proof-of-concept deployment or scaled deployment.
-Once you decide to explore Azure Deployment Environments, there are two general paths forward: Proof of concept vs scaled deployment.
+### Proof-of-concept deployment
-### Proof of concept deployment
+A proof-of-concept deployment is a concentrated effort from a single team to establish organizational value. Although it can be tempting to start with a scaled deployment, that approach tends to fail more often than the proof-of-concept option.
-A **proof of concept** deployment focuses on a concentrated effort from a single team to establish organizational value. While it can be tempting to think of a scaled deployment, the approach tends to fail more often than the proof of concept option. Therefore, we recommend that you start small, learn from the first team, repeat the same approach with two to three additional teams, and then plan for a scaled deployment based on the knowledge gained. For a successful proof of concept, we recommend that you pick one or two teams, and identify their scenarios ([environments as part of a CI/CD pipeline](#environments-as-part-of-a-cicd-pipeline) vs [sandbox environments](#sandbox-environments-for-investigations)), document their current use cases, and then deploy Azure Deployment Environments.
+We recommend that you start small, learn from the first team, repeat the same approach with two to three additional teams, and then plan for a scaled deployment based on the knowledge gained. For a successful proof of concept, we recommend that you pick one or two teams, identify their scenarios ([environments as part of a CI/CD pipeline](#environments-as-part-of-a-cicd-pipeline) versus [sandbox environments](#sandbox-environments-for-investigations)), document their current use cases, and then deploy Azure Deployment Environments.
### Scaled deployment
-A **scaled deployment** consists of weeks of reviewing and planning with an intent of deploying Azure Deployment Environments to the entire enterprise that has hundreds or thousands of developers.
+A scaled deployment consists of weeks of reviewing and planning with an intent of deploying Azure Deployment Environments to the entire enterprise, which has hundreds or thousands of developers.
## Next steps -- To get started with the service, [Quickstart: Create and configure the Azure Deployment Environments dev center](./quickstart-create-and-configure-devcenter.md)-- Learn more about [Azure Deployment Environments key concepts](./concept-environments-key-concepts.md)
+- To get started with the service, see [Quickstart: Create and configure the Azure Deployment Environments dev center](./quickstart-create-and-configure-devcenter.md).
+- Learn more about [Azure Deployment Environments key concepts](./concept-environments-key-concepts.md).
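Review bot: at the top of the article the rewrite removes the "Some possible scenarios are:" list (CI/CD pipeline, sandbox environments, on-demand test environments, training and hackathons) without replacing it; the headings still cover the four scenarios, but the introduction now promises "a few possible scenarios" and names none, so either keep the list or add a one-sentence summary of the four headings to the new opening paragraph.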
deployment-environments How To Configure Deployment Environments User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-configure-deployment-environments-user.md
Title: Configure deployment environments user access
+ Title: Provide access to developers
-description: Learn how to configure access for developers by using the Deployment Environments Users built-in role.
+description: Learn how to configure access for developers by using the Deployment Environments User built-in role.
# Provide access to developers
-Development team members must have access to a specific project before they can create deployment environments. By using the built-in Deployment Environments User role, you can assign permissions to Active Directory Users or Groups at either the project level or the specific project environment type level.
+In Azure Deployment Environments, development team members must get access to a specific project before they can create deployment environments. By using the built-in Deployment Environments User role, you can assign permissions to Active Directory users or groups at either the project level or the environment type level.
-Based on the scope that users are granted access to, a Deployment Environments User can:
+Based on the scope of access that you allow, a developer who has the Deployment Environments User role can:
-* View the project environment types
-* Create an environment
-* Read, write, delete, or perform actions (deploy, reset, etc.) on their own environment
-* Read or perform actions (deploy, reset, etc.) on environments created by other users
+* View the project environment types.
+* Create an environment.
+* Read, write, delete, or perform actions (like deploy or reset) on their own environment.
+* Read or perform actions (like deploy or reset) on environments that other users created.
-When the role is assigned at the project level, the Deployment Environments User will be able to perform the actions listed above on all environment types enabled at the Project level. When the role is assigned to specific environment type(s), the user will be able to perform the actions only on the respective environment type(s).
+When you assign the role at the project level, the user can perform the preceding actions on all environment types enabled at the project level. When you assign the role to specific environment types, the user can perform the actions only on the respective environment types.
-## Assign permissions to developers to a project
+## Assign permissions to developers for a project
-1. Select the project you want to provide your development team members access to.
-2. Select **Access Control(IAM)** from the left menu.
+1. Select the project that you want your development team members to be able to access.
+2. Select **Access control (IAM)** from the left menu.
- :::image type="content" source=".\media\configure-deployment-environments-user\access-control-page.png" alt-text="Screenshot showing link to access control page.":::
+ :::image type="content" source=".\media\configure-deployment-environments-user\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::
3. Select **Add** > **Add role assignment**.
- :::image type="content" source=".\media\configure-deployment-environments-user\add-role-assignment.png" alt-text="Screenshot showing Add role assignment menu option.":::
+ :::image type="content" source=".\media\configure-deployment-environments-user\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::
-4. On the Add role assignment page, on the Role tab, search for *deployment environments user*, select the **Deployment Environments User** built-in role, and then select **Next**.
-5. On the Members tab, select **+ Select Members**.
-6. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.
-7. On the Members tab, select **Review + assign**.
+4. On the **Add role assignment** page, on the **Role** tab, search for **deployment environments user**, select the **Deployment Environments User** built-in role, and then select **Next**.
+5. On the **Members** tab, select **+ Select members**.
+6. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.
+7. On the **Members** tab, select **Review + assign**.
-The user can now view the project and all the Environment Types enabled within it. Deployment Environments users can [create environments from the CLI](./quickstart-create-access-environments.md).
+The users can now view the project and all the environment types that you've enabled within it. Users who have the Deployment Environments User role can also [create environments from the Azure CLI](./quickstart-create-access-environments.md).
-## Assign permissions to developers to a specific environment type
+## Assign permissions to developers for an environment type
-1. Select the project you want to provide your development team members access to.
-2. Select **Environment Types** and select the **...** beside the specific environment type.
+1. Select the project that you want your development team members to be able to access.
+2. Select **Environment types**, and then select the ellipsis (**...**) beside the specific environment type.
- :::image type="content" source=".\media\configure-deployment-environments-user\project-environment-types.png" alt-text="Screenshot showing the environment types associated with a project.":::
+ :::image type="content" source=".\media\configure-deployment-environments-user\project-environment-types.png" alt-text="Screenshot that shows the environment types associated with a project.":::
-3. Select **Access Control**.
+3. Select **Access control (IAM)**.
- :::image type="content" source=".\media\configure-deployment-environments-user\access-control-page.png" alt-text="Screenshot showing link to access control page.":::
+ :::image type="content" source=".\media\configure-deployment-environments-user\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::
4. Select **Add** > **Add role assignment**.
- :::image type="content" source=".\media\configure-deployment-environments-user\add-role-assignment.png" alt-text="Screenshot showing Add role assignment menu option.":::
+ :::image type="content" source=".\media\configure-deployment-environments-user\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::
-5. On the Add role assignment page, on the Role tab, search for *deployment environments user*, select the **Deployment Environments User** built-in role, and then select **Next**.
-6. On the Members tab, select **+ Select Members**.
-7. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.
-8. On the Members tab, select **Review + assign**.
+5. On the **Add role assignment** page, on the **Role** tab, search for **deployment environments user**, select the **Deployment Environments User** built-in role, and then select **Next**.
+6. On the **Members** tab, select **+ Select members**.
+7. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.
+8. On the **Members** tab, select **Review + assign**.
-The user can now view the project and the specific environment type that they have been granted access to. Deployment Environments users can [create environments using the CLI](./quickstart-create-access-environments.md).
+The users can now view the project and the specific environment type that you've granted them access to. Users who have the Deployment Environments User role can also [create environments by using the Azure CLI](./quickstart-create-access-environments.md).
> [!NOTE]
-> Only users assigned the Deployment Environments User role, the DevCenter Project Admin role, or a built-in role with appropriate permissions will be able to create environments.
+> Only users who have the Deployment Environments User role, the DevCenter Project Admin role, or a built-in role with appropriate permissions can create environments.
## Next steps
-* [Create and Configure Projects](./quickstart-create-and-configure-projects.md)
-* [Provide access to Dev Managers](./how-to-configure-project-admin.md)
+* [Create and configure projects](./quickstart-create-and-configure-projects.md)
+* [Provide access to dev managers](./how-to-configure-project-admin.md)
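Review bot: the closing sentence of the project-level procedure ("The users can now view the project and all the environment types that you've enabled within it") should point readers to the narrower grant: assigning Deployment Environments User at project scope covers every environment type in the project, while the next section ("Assign permissions to developers for an environment type") is the least-privilege option when a team only needs one type. Suggest ending that paragraph with "To limit access to a single environment type, see the next section."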
deployment-environments How To Configure Devcenter Environment Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-configure-devcenter-environment-types.md
Title: Configure Dev center environment types
+ Title: Configure dev center environment types
-description: Learn how to configure dev center environment types to define the types of environments that your developers can deploy.
+description: Learn how to configure dev center environment types to define environments that your developers can deploy.
Last updated 10/12/2022
-# Configure environment types for your Dev center
+# Configure environment types for your dev center
-In Azure Deployment Environments Preview, [environment types](./concept-environments-key-concepts.md#dev-center-environment-types) are used to define the types of environments available to development teams to deploy. You have the flexibility to name the environment types as per the nomenclature used in your enterprise, for example, sandbox, dev, test, or production. You can specify deployment settings and the permissions available to developers per environment type per project.
+In Azure Deployment Environments Preview, you use [environment types](./concept-environments-key-concepts.md#dev-center-environment-types) to define the environments that development teams can deploy. You have the flexibility to name the environment types according to the nomenclature that your enterprise uses: for example, sandbox, dev, test, or production. You can specify deployment settings and the permissions that are available to developers per environment type and per project.
In this article, you'll learn how to:
-* Add a new environment type to your dev center
-* Delete an environment type from the dev center
+* Add a new environment type to a dev center.
+* Delete an environment type from a dev center.
> [!IMPORTANT] > Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Add a new dev center environment type
-Environment types allow your development teams to choose from different types of environments when creating self-service environments.
- Add a new environment type to the dev center as follows: 1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Access Azure Deployment Environments.
+1. Open Azure Deployment Environments.
1. Select your dev center from the list. 1. Select **Environment types** from the left pane.
-1. Select **+ Add**
+1. Select **+ Add**.
1. On the **Add environment type** page, add the following details:
- 1. Add a **Name** for the environment type.
- 1. Add a **Description** (optional).
- 1. Add **Tags** by adding **Name/Value** (optional).
+ 1. For **Name**, add a name for the environment type.
+ 1. For **Description**, add a description (optional).
+ 1. For **Tags**, add tags by adding **Name** and **Value** information (optional).
1. Select **Add**. >[!NOTE]
-> A dev center environment type is available to a specific project only after an associated [project environment type](how-to-configure-project-environment-types.md) is added.
+> A dev center environment type is available to a specific project only after you add an associated [project environment type](how-to-configure-project-environment-types.md).
## Delete a dev center environment type > [!NOTE]
-> Environment types can't be deleted if any existing project environment types or deployed environments reference the specific dev center environment type. Delete all the associated deployed environments and project environment types before attempting to delete an environment type.
+> You can't delete a dev center environment type if any existing project environment types or deployed environments reference it. Delete all the associated project environment types and deployed environments before you try to delete a dev center environment type.
-When you delete an environment type, it'll no longer be available when deploying environments or configuring new project environment types.
+When you delete an environment type, it will no longer be available when you're deploying environments or configuring new project environment types.
+
+To delete an environment type from a dev center:
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Access Azure Deployment Environments.
+1. Open Azure Deployment Environments.
1. Select your dev center from the list. 1. Select **Environment types** from the left pane.
-1. Select the environment type(s) you want to delete.
-1. Select **Delete** and confirm.
+1. Select the environment types that you want to delete.
+1. Select **Delete** and then confirm.
## Next steps
-* [Create and configure project environment type](how-to-configure-project-environment-types.md) to enable environment types for specific projects.
+* [Create and configure environment types for specific projects](how-to-configure-project-environment-types.md)
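Review bot: the add procedure loses its lead-in without a replacement. The removed line "Add a new environment type to the dev center as follows:" has no corresponding "+" line, while the delete procedure gains "To delete an environment type from a dev center:". For parallel structure, add "To add an environment type to a dev center:" before the "Sign in to the [Azure portal]" step of the add procedure.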
deployment-environments How To Configure Project Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-configure-project-admin.md
Title: Configure deployment environments project admin access
+ Title: Provide access to dev managers
description: Learn how to configure access for dev managers by using the DevCenter Project Admin built-in role.
Last updated 10/12/2022
-# Provide access to Dev Managers
+# Provide access to dev managers
-You can create multiple projects associated with the dev center to align with each team's specific requirements. By using the built-in DevCenter Project Admin role, you can delegate project administration to a member of a team. Project Admins can configure [project environment types](concept-environments-key-concepts.md#project-environment-types) to enable developers to create different types of [environments](concept-environments-key-concepts.md#environments) and apply different settings to each environment type.
+In Azure Deployment Environments, you can create multiple projects associated with the dev center to align with each team's requirements. By using the built-in DevCenter Project Admin role, you can delegate project administration to a member of a team. DevCenter Project Admin users can configure [project environment types](concept-environments-key-concepts.md#project-environment-types) to enable developers to create various types of [environments](concept-environments-key-concepts.md#environments) and apply settings to each environment type.
-The DevCenter Project Admin role can be assigned at either the project level or the specific project environment type level.
+You can assign the DevCenter Project Admin role to a dev manager at either the project level or the environment type level.
-Based on the scope that users are granted access to, a DevCenter Project Admin can:
+Based on the scope of access that you allow, a DevCenter Project Admin user can:
-* View, add, update, disable or delete the project environment types
-* Create an environment
-* Read, write, delete, or perform actions (deploy, reset, etc.) on their own environment
-* Read, delete, or perform actions (deploy, reset, etc.) on environments created by other users
+* View, add, update, disable, or delete the project environment types.
+* Create an environment.
+* Read, write, delete, or perform actions (like deploy or reset) on their own environment.
+* Read, delete, or perform actions (like deploy or reset) on environments that other users created.
-When the role is assigned at the project level, the DevCenter Project Admin can perform the actions listed above on all environment types at the Project level. When the role is assigned to specific environment type(s), the DevCenter Project Admin can perform the actions only on the respective environment type(s).
+When you assign the role at the project level, the user can perform the preceding actions on all environment types at the project level. When you assign the role to specific environment types, the user can perform the actions only on the respective environment types.
-## Assign permissions to dev managers to a project
+## Assign permissions to dev managers for a project
-1. Select the project you want to provide your development team members access to.
-2. Select **Access Control(IAM)** from the left menu.
+1. Select the project that you want your development team members to be able to access.
+2. Select **Access control (IAM)** from the left menu.
- :::image type="content" source=".\media\configure-project-admin\access-control-page.png" alt-text="Screenshot showing link to access control page.":::
+ :::image type="content" source=".\media\configure-project-admin\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::
3. Select **Add** > **Add role assignment**.
- :::image type="content" source=".\media\configure-project-admin\add-role-assignment.png" alt-text="Screenshot showing Add role assignment menu option.":::
+ :::image type="content" source=".\media\configure-project-admin\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::
-4. On the Add role assignment page, on the Role tab, search for *DevCenter Project Admin*, select the **DevCenter Project Admin** built-in role, and then select **Next**.
+4. On the **Add role assignment** page, on the **Role** tab, search for **devcenter project admin**, select the **DevCenter Project Admin** built-in role, and then select **Next**.
- :::image type="content" source=".\media\configure-project-admin\built-in-role.png" alt-text="Screenshot showing built-in DevCenter project admin role.":::
+ :::image type="content" source=".\media\configure-project-admin\built-in-role.png" alt-text="Screenshot that shows selecting the built-in DevCenter Project Admin role.":::
-5. On the Members tab, select **+ Select Members**.
+5. On the **Members** tab, select **+ Select members**.
- :::image type="content" source=".\media\configure-project-admin\select-role-members.png" alt-text="Screenshot showing link to select role members pane.":::
+ :::image type="content" source=".\media\configure-project-admin\select-role-members.png" alt-text="Screenshot that shows the link for selecting role members.":::
-1. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.
+1. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.
-7. On the Members tab, select **Review + assign**.
+7. On the **Members** tab, select **Review + assign**.
-The user will now be able to view the project and manage all the Environment Types that have been enabled within it. DevCenter Project Admin can also [create environments from the CLI](./quickstart-create-access-environments.md).
+The users can now view the project and manage all the environment types that you've enabled within it. DevCenter Project Admin users can also [create environments from the Azure CLI](./quickstart-create-access-environments.md).
-## Assign permissions to dev managers to a specific environment type
+## Assign permissions to dev managers for an environment type
-1. Select the project you want to provide your development team members access to.
-2. Select **Environment Types** and select the **...** beside the specific environment type.
+1. Select the project that you want your development team members to be able to access.
+2. Select **Environment types**, and then select the ellipsis (**...**) beside the specific environment type.
- :::image type="content" source=".\media\configure-project-admin\project-environment-types.png" alt-text="Screenshot showing the environment types associated with a project.":::
+ :::image type="content" source=".\media\configure-project-admin\project-environment-types.png" alt-text="Screenshot that shows the environment types associated with a project.":::
-3. Select **Access Control**.
+3. Select **Access control (IAM)**.
- :::image type="content" source=".\media\configure-project-admin\access-control-page.png" alt-text="Screenshot showing link to access control page.":::
+ :::image type="content" source=".\media\configure-project-admin\access-control-page.png" alt-text="Screenshot that shows the link to the access control page.":::
4. Select **Add** > **Add role assignment**.
- :::image type="content" source=".\media\configure-project-admin\add-role-assignment.png" alt-text="Screenshot showing Add role assignment menu option.":::
+ :::image type="content" source=".\media\configure-project-admin\add-role-assignment.png" alt-text="Screenshot that shows the menu option for adding a role assignment.":::
-5. On the Add role assignment page, on the Role tab, search for **DevCenter Project Admin**, select the **DevCenter Project Admin** built-in role, and then select **Next**.
+5. On the **Add role assignment** page, on the **Role** tab, search for **devcenter project admin**, select the **DevCenter Project Admin** built-in role, and then select **Next**.
- :::image type="content" source=".\media\configure-project-admin\built-in-role.png" alt-text="Screenshot showing built-in DevCenter project admin role.":::
+ :::image type="content" source=".\media\configure-project-admin\built-in-role.png" alt-text="Screenshot that shows selecting the built-in DevCenter Project Admin role.":::
-6. On the Members tab, select **+ Select Members**.
-7. In **Select members**, select the Active Directory Users or Groups you want to add, and then select **Select**.
-8. On the Members tab, select **Review + assign**.
+6. On the **Members** tab, select **+ Select members**.
+7. In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**.
+8. On the **Members** tab, select **Review + assign**.
-The user will now be able to view the project and manage only the specific environment type that they have been granted access to. DevCenter Project Admin can also [create environments using the CLI](./quickstart-create-access-environments.md).
+The users can now view the project and manage only the specific environment type that you've granted them access to. DevCenter Project Admin users can also [create environments by using the Azure CLI](./quickstart-create-access-environments.md).
> [!NOTE]
-> Only users assigned the Deployment Environments User role, the DevCenter Project Admin role, or a built-in role with appropriate permissions will be able to create environments.
+> Only users who have the Deployment Environments User role, the DevCenter Project Admin role, or a built-in role with appropriate permissions can create environments.
## Next steps
-* [Create and Configure Projects](./quickstart-create-and-configure-projects.md)
+* [Create and configure projects](./quickstart-create-and-configure-projects.md)
* [Provide access to developers](./how-to-configure-deployment-environments-user.md)
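Review bot: step numbering in the project-level procedure is inconsistent. The step "In **Select members**, select the Active Directory users or groups that you want to add, and then choose **Select**." is numbered "1." between steps "5." and "7." in both the old and the new lines; change it to "6.", as the environment-type procedure below already does for the same step. Since the capability list states that a DevCenter Project Admin can "Read, delete, or perform actions (like deploy or reset) on environments that other users created", it is also worth keeping the scope paragraph ("When you assign the role to specific environment types, the user can perform the actions only on the respective environment types.") directly above the procedures, as it is now, so readers see the narrower option before granting at project level.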
deployment-environments How To Configure Project Environment Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-configure-project-environment-types.md
Title: Configure project environment types
-description: Learn how to configure environment types to define deployment settings and permissions available to developers when deploying environments in a project.
+description: Learn how to configure environment types to define deployment settings and permissions available to developers when they're deploying environments in a project.
# Configure project environment types
-Project environment types are a subset of the [environment types configured per dev center](how-to-configure-devcenter-environment-types.md) and help pre-configure the different types of environments a specific development team can create . In Azure Deployment Environments Preview, [environment types](concept-environments-key-concepts.md#project-environment-types) added to the project will be available to developers when they deploy environments, and they determine the subscription and identity used for those deployments.
+Project environment types are a subset of the [environment types configured for a dev center](how-to-configure-devcenter-environment-types.md). They help preconfigure the environments that a specific development team can create.
-Project environment types enable the Dev Infra teams to:
-- Configure the target subscription in which Azure resources will be created per environment type per project.
- You will be able to provide different subscriptions for different Environment Types in a given project and thereby, automatically apply the right set of policies on different environments. This also abstracts Azure governance related concepts from your development teams.
-- Pre-configure the managed identity that will be used to perform the deployment and the access levels development teams get after the specific environment is created.
+In Azure Deployment Environments Preview, [environment types](concept-environments-key-concepts.md#project-environment-types) that you add to the project will be available to developers when they deploy environments. Environment types determine the subscription and identity that are used for those deployments.
+
+Project environment types enable development infrastructure teams to:
+
+- Configure the target subscription in which Azure resources will be created per environment type and per project.
+
+ You can provide subscriptions for environment types in a project to automatically apply the right set of policies on environments. This action also abstracts Azure governance-related concepts from your development teams.
+- Preconfigure the managed identity that developers will use to perform the deployment, along with the access levels that development teams get after the environment is created.
In this article, you'll learn how to:
-* Add a new project environment type
-* Update a project environment type
-* Enable or disable a project environment type
-* Delete a project environment type
+* Add a new project environment type.
+* Update a project environment type.
+* Enable or disable a project environment type.
+* Delete a project environment type.
> [!IMPORTANT] > Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Prerequisites-- A [dev center level environment type](how-to-configure-devcenter-environment-types.md).
+Before you configure a project environment type, you need:
-## Add a new project environment type
+- An [environment type at the dev center level](how-to-configure-devcenter-environment-types.md).
+- [Write access](/azure/devops/organizations/security/add-users-team-project) to the specific project.
->[!NOTE]
-> To configure project environment types, you'll need write [access](/azure/devops/organizations/security/add-users-team-project) to the specific project.
+## Add a new project environment type
-Configuring a new project environment type will enable your development teams to create an environment with a specific environment type. The environment will be created in the mapped subscription using the configured deployment identity, along with permissions granted to the resources created as part of the environment, and all the associated policies automatically applied.
+When you configure a new project environment type, your development teams can use it to create an environment. They'll create the environment in the mapped subscription by using the configured deployment identity, along with permissions granted to resources created as part of the environment. All the associated policies are automatically applied.
Add a new project environment type as follows: 1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Access Azure Deployment Environments.
-1. Select **Projects** from the left pane, and then select the specific Project.
+1. Open Azure Deployment Environments.
+1. Select **Projects** from the left pane, and then select the specific project.
1. Select **Environment types** from the left pane. 1. Select **+ Add**.
- :::image type="content" source="./media/configure-project-environment-types/add-new-project-environment-type.png" alt-text="Screenshot showing adding a project environment type.":::
+ :::image type="content" source="./media/configure-project-environment-types/add-new-project-environment-type.png" alt-text="Screenshot that shows selections for adding a project environment type.":::
1. On the **Add environment type to Project** page, provide the following details: |Name |Value | ||-|
- |**Type**| Select a dev center level environment type to enable for the specific project.|
- |**Deployment Subscription**| Select the target subscription in which the environments will be created.|
- |**Deployment Identity** | Select either a system assigned identity or a user assigned managed identity that'll be used to perform deployments on behalf of the user.|
- |**Permissions on environment resources** > **Environment Creator Role(s)**| Select the role(s) that'll get access to the environment resources.|
- |**Permissions on environment resources** > **Additional access** | Select the user(s) or Azure Active Directory (Azure AD) group(s) that'll be granted specific role(s) on the environment resources.|
- |**Tags** (optional) | Provide a **Name** and **Value**. These tags will be applied on all resources created as part of the environments.|
+ |**Type**| Select a dev center environment type to enable for the project.|
+ |**Deployment subscription**| Select the target subscription in which the environment will be created.|
+ |**Deployment identity** | Select either a system-assigned identity or a user-assigned managed identity that will be used to perform deployments on behalf of the user.|
+ |**Permissions on environment resources** > **Environment Creator Role(s)**| Select the roles that will get access to the environment resources.|
+ |**Permissions on environment resources** > **Additional access** | Select the users or Azure Active Directory groups that will be granted specific roles on the environment resources.|
+ |**Tags** (optional) | Provide a name and value for tags that will be applied on all resources created as part of the environments.|
- :::image type="content" source="./media/configure-project-environment-types/add-project-environment-type-page.png" alt-text="Screenshot showing adding details on the add project environment type page.":::
+ :::image type="content" source="./media/configure-project-environment-types/add-project-environment-type-page.png" alt-text="Screenshot that shows adding details on the page for adding a project environment type.":::
> [!NOTE]
-> At least one identity (system assigned or user assigned) must be enabled for deployment identity and will be used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be [granted 'Owner' access to the deployment subscription](how-to-configure-managed-identity.md) configured per environment type.
+> At least one identity (system assigned or user assigned) must be enabled for deployment identity. It will be used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be [granted Owner access to the deployment subscription](how-to-configure-managed-identity.md) configured per environment type.
## Update a project environment type
-A project environment type can be updated to use a different subscription or deployment identity when deploying environments. Once the project environment type is updated, it will only affect creation of new environments. Existing environments will continue to exist in the previously mapped subscription.
+You can update a project environment type so that it uses a different subscription or deployment identity when developers deploy environments. Updating a project environment type affects only the creation of new environments. Existing environments will continue to exist in the previously mapped subscription.
Update an existing project environment type as follows:
-1. Navigate to the Azure Deployment Environments Project.
-1. Select **Environment types** from the left pane of the specific Project.
-1. Select the environment type you want to update.
+1. In the Azure portal, open Azure Deployment Environments.
+1. Select **Projects** from the left pane, and then select the specific project.
+1. Select **Environment types** from the left pane.
+1. Select the environment type that you want to update.
1. Select the **Edit** icon (![image](./media/configure-project-environment-types/edit-icon.png)) on the specific row. 1. On the **Edit environment type** page, update the previous configuration, and then select **Submit**. ## Enable or disable a project environment type
-A project environment type can be disabled to prevent developers from creating new environments with the specific environment type. Once a project environment type is disabled, it cannot be used to create a new environment. Existing environments are not affected.
+You can disable a project environment type to prevent developers from using it to create environments. Disabling a project environment type doesn't affect existing environments.
-When a disabled environment type is re-enabled, development teams will be able to create new environments with that specific environment type.
+When you enable an environment type (or re-enable one that you disabled), development teams can use it to create environments.
-1. Navigate to the Azure Deployment Environments project.
-1. Select **Environment types** on the left pane of the specific project.
-1. Select the specific environment type to enable or disable.
+1. In the Azure portal, open Azure Deployment Environments.
+1. Select **Projects** from the left pane, and then select the specific project.
+1. Select **Environment types** from the left pane.
+1. Select the environment type to enable or disable.
1. Select **Enable** or **Disable** from the command bar and then confirm. ## Delete a project environment type
-You can delete a specific project environment type only if it is not being used by any deployed environments in the Project. Once you delete a specific project environment type, development teams will no longer be able to use it to create environments.
+You can delete a specific project environment type only if no deployed environments in the project are using it. After you delete a project environment type, development teams can't use it to create environments.
-1. Navigate to the Azure Deployment Environments project.
-1. Select **Environment types** from the left pane of the specific project.
+1. In the Azure portal, open Azure Deployment Environments.
+1. Select **Projects** from the left pane, and then select the specific project.
+1. Select **Environment types** from the left pane.
1. Select a project environment type to delete.
-1. Select **Delete** from the command bar.
-1. Confirm to delete the project environment type.
+1. Select **Delete** from the command bar and then confirm.
## Next steps
-* Get started with [creating environments](quickstart-create-access-environments.md)
+* Get started with [creating environments](quickstart-create-access-environments.md).
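Review bot: the new prerequisite "[Write access](/azure/devops/organizations/security/add-users-team-project) to the specific project" links to Azure DevOps team-project security docs, not to Azure Deployment Environments projects; the link was carried over from the removed note, so verify the target or point to the Deployment Environments access article ("Provide access to dev managers") instead. Separately, the rewritten subscription bullet ("You can provide subscriptions for environment types in a project to automatically apply the right set of policies on environments") drops "different" and with it the point of the original: each environment type can map to a different subscription so that different policies apply per environment. Restore "different subscriptions for different environment types". Finally, the note "the identity attached to the dev center should be [granted Owner access to the deployment subscription]" asks for a highly privileged grant without saying why; a one-clause reason would let readers evaluate it against their own policies rather than treat it as arbitrary.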
deployment-environments Overview What Is Azure Deployment Environments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/overview-what-is-azure-deployment-environments.md
Title: What is Azure Deployment Environments?
-description: 'Azure Deployment Environments enables developer teams to quickly spin up app infrastructure with project-based templates, minimizing set-up time while maximizing security, compliance, and cost efficiency.'
+description: 'Azure Deployment Environments enables developer teams to quickly spin up app infrastructure with project-based templates, minimizing setup time while maximizing security, compliance, and cost efficiency.'
Last updated 10/12/2022
# What is Azure Deployment Environments Preview?
-Azure Deployment Environments empowers development teams to quickly and easily spin-up app infrastructure with project-based templates that establish consistency and best practices while maximizing security, compliance, and cost efficiency. This on-demand access to secure environments accelerates the different stages of the software development lifecycle in a compliant and cost-efficient manner.
+Azure Deployment Environments empowers development teams to quickly and easily spin up app infrastructure with project-based templates that establish consistency and best practices while maximizing security. This on-demand access to secure environments accelerates the stages of the software development lifecycle in a compliant and cost-efficient way.
-A Deployment Environment is a pre-configured collection of Azure resources deployed in predefined subscriptions, where Azure governance is applied based on the type of environment, such as sandbox, testing, staging, or production.
+A deployment environment is a preconfigured collection of Azure resources deployed in predefined subscriptions. Azure governance is applied to those subscriptions based on the type of environment, such as sandbox, testing, staging, or production.
:::image type="content" source="./media/overview-what-is-azure-deployment-environments/azure-deployment-environments-scenarios-sml.png" lightbox="./media/overview-what-is-azure-deployment-environments/azure-deployment-environments-scenarios.png" alt-text="Diagram that shows the Azure Deployment Environments scenario flow.":::
-With Azure Deployment Environments, your Dev Infra Admin can enforce enterprise security policies and provide curated set of environment templates, which are predefined infrastructure-as-code templates.
+With Azure Deployment Environments, your development infrastructure (dev infra) admin can enforce enterprise security policies and provide a curated set of predefined infrastructure as code (IaC) templates.
>[!NOTE]
-> Azure Deployment Environments Preview currently only supports Azure Resource Manager (ARM) templates.
+> Azure Deployment Environments Preview currently supports only Azure Resource Manager (ARM) templates.
-Learn more about the [key concepts for Azure Deployment Environments](./concept-environments-key-concepts.md).
+You can [learn more about the key concepts for Azure Deployment Environments](./concept-environments-key-concepts.md).
> [!IMPORTANT] > Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ## Usage scenarios
-Azure Deployment Environments enables usage [scenarios](./concept-environments-scenarios.md) for both DevOps teams and developers.
+Azure Deployment Environments enables usage [scenarios](./concept-environments-scenarios.md) for both DevOps teams and developers. Common scenarios include:
-Some common use cases:
--- Quickly create on-demand Azure environments by using reusable infrastructure-as-code (IaC) templates.
+- Quickly create on-demand Azure environments by using reusable IaC templates.
- Create [sandbox environments](concept-environments-scenarios.md#sandbox-environments-for-investigations) to test your code.-- Pre-configure various types of environments and seamlessly integrate with your CI/CD pipeline.-- Create pre-configured environments for trainings and demos.
+- Preconfigure various types of environments and seamlessly integrate with your continuous integration and continuous delivery (CI/CD) pipeline.
+- Create preconfigured environments for trainings and demos.
### Developer scenarios
-Developers have self-service experience when working with [environments](./concept-environments-key-concepts.md#environments):
+Developers have the following self-service experience when working with [environments](./concept-environments-key-concepts.md#environments).
>[!NOTE]
-> Developers will have a CLI based experience to create and manage environments for Azure Deployment Environments Preview.
+> Developers have a CLI-based experience to create and manage environments for Azure Deployment Environments Preview.
-- Deploy a pre-configured environment for any stage of your development cycle.
+- Deploy a preconfigured environment for any stage of the development cycle.
- Spin up a sandbox environment to explore Azure.-- Create PaaS and IaaS environments quickly and easily by following a few simple steps.-- Deploy an environment easily and quickly right from where you work.
+- Create platform as a service (PaaS) and infrastructure as a service (IaaS) environments quickly and easily by following a few simple steps.
+- Deploy environments right from where they work.
-### Dev Infra scenarios
+### Dev infra scenarios
-Azure Deployment Environments enable your Dev Infra Admin to ensure that the right set of policies and settings are applied on different types of environments, control the resource configuration that the developers can create, and centrally track environments across different projects by doing the following tasks:
+Azure Deployment Environments helps your dev infra admin apply the right set of policies and settings on various types of environments, control the resource configuration that developers can create, and centrally track environments across projects by doing the following tasks:
-- Provide project-based curated set of reusable 'infra as code' templates.
+- Provide a project-based, curated set of reusable IaC templates.
- Define specific Azure deployment configurations per project and per environment type.-- Provide self-service experience without giving control over subscription.-- Track cost and ensure compliance with enterprise governance policies.
+- Provide a self-service experience without giving control over subscriptions.
+- Track costs and ensure compliance with enterprise governance policies.
-Azure Deployment Environments Preview will support two [built-in roles](../role-based-access-control/built-in-roles.md):
+Azure Deployment Environments Preview supports two [built-in roles](../role-based-access-control/built-in-roles.md):
-- **Dev center Project Admin**, who can create environments and manage the environment types for a project.-- **Deployment Environments User**, who can create environments as per appropriate access.
+- **Dev Center Project Admin**: Creates environments and manages the environment types for a project.
+- **Deployment Environments User**: Creates environments based on appropriate access.
## Benefits
-Azure Deployment Environments provide the following benefits to creating, configuring, and managing environments in the cloud.
+Azure Deployment Environments provides the following benefits to creating, configuring, and managing environments in the cloud:
- **Standardization and collaboration**:
-Capture and share 'infra as code' templates in source control within your team or organization, to easily create on-demand environments. Promote collaboration through inner-sourcing of templates through source control repositories.
+Capture and share IaC templates in source control within your team or organization, to easily create on-demand environments. Promote collaboration through inner-sourcing of templates from source control repositories.
- **Compliance and governance**:
-Dev Infra Teams can curate environment templates to enforce enterprise security policies and map projects to Azure subscriptions, identities, and permissions by environment types.
+Dev infra teams can curate environment templates to enforce enterprise security policies and map projects to Azure subscriptions, identities, and permissions by environment types.
- **Project-based configurations**:
-Create and organize environment templates by the type of applications development teams are working on, rather than an unorganized list of templates or a traditional IaC setup.
+Create and organize environment templates by the types of applications that development teams are working on, rather than using an unorganized list of templates or a traditional IaC setup.
- **Worry-free self-service**:
-Enable your development teams to quickly and easily create app infrastructure (PaaS, serverless, and more) resources by using a set of pre-configured templates. You can also track costs on these resources to stay within your budget.
+Enable your development teams to quickly and easily create app infrastructure (PaaS, serverless, and more) resources by using a set of preconfigured templates. You can also track costs on these resources to stay within your budget.
-- **Integrate with your existing toolchain**:
-Use the APIs to provision environments directly from your preferred continuous integration (CI) tool, integrated development environment (IDE), or automated release pipeline. You can also use the comprehensive command-line tool.
+- **Integration with your existing toolchain**:
+Use APIs to provision environments directly from your preferred CI tool, integrated development environment (IDE), or automated release pipeline. You can also use the comprehensive command-line tool.
## Next steps Start using Azure Deployment Environments: -- Learn about the [key concepts for Azure Deployment Environments](./concept-environments-key-concepts.md).-- [Azure Deployment Environments scenarios](./concept-environments-scenarios.md).-- [Quickstart: Create and configure a dev center](./quickstart-create-and-configure-devcenter.md).-- [Quickstart: Create and configure project](./quickstart-create-and-configure-projects.md).
+- [Key concepts for Azure Deployment Environments](./concept-environments-key-concepts.md)
+- [Azure Deployment Environments scenarios](./concept-environments-scenarios.md)
+- [Quickstart: Create and configure a dev center](./quickstart-create-and-configure-devcenter.md)
+- [Quickstart: Create and configure a project](./quickstart-create-and-configure-projects.md)
- [Quickstart: Create and access environments](./quickstart-create-access-environments.md)
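Review bot: the rewritten opening sentence drops "compliance, and cost efficiency" from "while maximizing security, compliance, and cost efficiency", but the updated description line in the same change still lists all three, so the page metadata and the body now disagree; either keep the three terms in the sentence or shorten the description to match. A smaller style point in the developer scenarios list: "Deploy environments right from where they work." switches to third person while the neighbouring bullets stay imperative ("Deploy a preconfigured environment for any stage of the development cycle.", "Spin up a sandbox environment to explore Azure."); "Deploy environments right from where you work." keeps the list consistent. Also note the role is written "Dev Center Project Admin" here while the linked quickstarts in this same change write "DevCenter Project Admin"; one spelling across the set would help readers searching for the role name.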
deployment-environments Quickstart Create Access Environments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/quickstart-create-access-environments.md
Title: Create and access Environments
-description: This quickstart shows you how to create and access environments in an Azure Deployment Environments Project.
+ Title: Create and access an environment
+
+description: Learn how to create and access an environment in an Azure Deployment Environments Preview project.
Last updated 10/26/2022
-# Quickstart: Create and access Environments
+# Quickstart: Create and access an environment
-This quickstart shows you how to create and access [environments](concept-environments-key-concepts.md#environments) in an existing Azure Deployment Environments Preview Project. Only users with a [Deployment Environments User](how-to-configure-deployment-environments-user.md) role, a [DevCenter Project Admin](how-to-configure-project-admin.md) role, or a [built-in role](../role-based-access-control/built-in-roles.md) with appropriate permissions can create environments.
+This quickstart shows you how to create and access an [environment](concept-environments-key-concepts.md#environments) in an existing Azure Deployment Environments Preview project.
-In this quickstart, you do the following actions:
+Only a user who has the [Deployment Environments User](how-to-configure-deployment-environments-user.md) role, the [DevCenter Project Admin](how-to-configure-project-admin.md) role, or a [built-in role](../role-based-access-control/built-in-roles.md) that has appropriate permissions can create an environment.
-* Create an environment
-* Access environments in a project
+In this quickstart, you learn how to:
+
+> [!div class="checklist"]
+>
+> - Create an environment
+> - Access an environment
> [!IMPORTANT]
-> Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Azure Deployment Environments currently is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
## Prerequisites -- [Create and configure a dev center](quickstart-create-and-configure-devcenter.md)-- [Create and configure a project](quickstart-create-and-configure-projects.md)-- Install the Deployment Environments Azure CLI Extension
- 1. [Download and install the Azure CLI](/cli/azure/install-azure-cli).
- 2. Install the Deployment Environments AZ CLI extension:
+- [Create and configure a dev center](quickstart-create-and-configure-devcenter.md).
+- [Create and configure a project](quickstart-create-and-configure-projects.md).
+- Install the Azure Deployment Environments Azure CLI extension:
- **Automated install**
- Execute the script https://aka.ms/DevCenter/Install-DevCenterCli.ps1 directly in PowerShell to install:
- ```powershell
- iex "& { $(irm https://aka.ms/DevCenter/Install-DevCenterCli.ps1 ) }"
- ```
-
- This will uninstall any existing dev center extension and install the latest version.
+ 1. [Download and install the Azure CLI](/cli/azure/install-azure-cli).
+ 1. Install the Azure Deployment Environments AZ CLI extension:
- **Manual install**
-
- Run the following command in the Azure CLI:
- ```azurecli
- az extension add --source https://fidalgosetup.blob.core.windows.net/cli-extensions/devcenter-0.1.0-py3-none-any.whl
- ```
+ **Automated installation**
+
+ In PowerShell, run the https://aka.ms/DevCenter/Install-DevCenterCli.ps1 script:
+
+ ```powershell
+ iex "& { $(irm https://aka.ms/DevCenter/Install-DevCenterCli.ps1 ) }"
+ ```
+
+ The script uninstalls any existing dev center extension and installs the latest version.
+
+ **Manual installation**
+
+ Run the following command in the Azure CLI:
+
+ ```azurecli
+ az extension add --source https://fidalgosetup.blob.core.windows.net/cli-extensions/devcenter-0.1.0-py3-none-any.whl
+ ```
->[!NOTE]
-> Only users with a [Deployment Environments user](how-to-configure-deployment-environments-user.md) role or a [DevCenter Project Admin](how-to-configure-project-admin.md) role or a built-in role with appropriate permissions will be able to create environments.
+## Create an environment
-## Create an Environment
+Complete the following steps in the Azure CLI to create an environment and configure resources. You can view the outputs as defined in the specific Azure Resource Manager template (ARM template).
-Run the following steps in Azure CLI to create an Environment and configure resources. You'll be able to view the outputs as defined in the specific Azure Resource Manager (ARM) template.
+1. Sign in to the Azure CLI:
-1. Sign in to Azure CLI.
```azurecli az login ```
-1. List all the Deployment Environments projects you have access to.
- ```azurecli
- az graph query -q "Resources | where type =~ 'microsoft.devcenter/projects'" -o table
- ```
+1. List all the Azure Deployment Environments projects you have access to:
-1. Configure the default subscription to the subscription containing the project.
- ```azurecli
- az account set --subscription <name>
- ```
+ ```azurecli
+ az graph query -q "Resources | where type =~ 'microsoft.devcenter/projects'" -o table
+ ```
-1. Configure the default resource group (RG) to the RG containing the project.
- ```azurecli
- az config set defaults.group=<name>
- ```
+1. Configure the default subscription as the subscription that contains the project:
-1. Once you have set the defaults, list the type of environments you can create in a specific project.
- ```azurecli
- az devcenter dev environment-type list --dev-center <name> --project-name <name> -o table
- ```
+ ```azurecli
+ az account set --subscription <name>
+ ```
-1. List the [Catalog Items](concept-environments-key-concepts.md#catalog-items) available to a specific project.
- ```azurecli
- az devcenter dev catalog-item list --dev-center <name> --project-name <name> -o table
- ```
+1. Configure the default resource group as the resource group that contains the project:
-1. Create an environment by using a *catalog-item* ('infra-as-code' template defined in the [manifest.yaml](configure-catalog-item.md#add-a-new-catalog-item) file) from the list of available catalog items.
- ```azurecli
- az devcenter dev environment create --dev-center-name <devcenter-name>
- --project-name <project-name> -n <name> --environment-type <environment-type-name>
- --catalog-item-name <catalog-item-name> catalog-name <catalog-name>
- ```
+ ```azurecli
+ az config set defaults.group=<name>
+ ```
- If the specific *catalog-item* requires any parameters use `--parameters` and provide the parameters as a json-string or json-file, for example:
- ```json
- $params = "{ 'name': 'firstMsi', 'location': 'northeurope' }"
- az devcenter dev environment create --dev-center-name <devcenter-name>
- --project-name <project-name> -n <name> --environment-type <environment-type-name>
- --catalog-item-name <catalog-item-name> --catalog-name <catalog-name>
- --parameters $params
- ```
+1. List the type of environments you can create in a specific project:
+
+ ```azurecli
+ az devcenter dev environment-type list --dev-center <name> --project-name <name> -o table
+ ```
+
+1. List the [catalog items](concept-environments-key-concepts.md#catalog-items) that are available to a specific project:
+
+ ```azurecli
+ az devcenter dev catalog-item list --dev-center <name> --project-name <name> -o table
+ ```
+
+1. Create an environment by using a *catalog-item* (an infrastructure-as-code template defined in the [manifest.yaml](configure-catalog-item.md#add-a-new-catalog-item) file) from the list of available catalog items:
+
+ ```azurecli
+ az devcenter dev environment create --dev-center-name <devcenter-name>
+ --project-name <project-name> -n <name> --environment-type <environment-type-name>
+ --catalog-item-name <catalog-item-name> catalog-name <catalog-name>
+ ```
+
+ If the specific *catalog-item* requires any parameters, use `--parameters` and provide the parameters as a JSON string or a JSON file. For example:
+
+ ```json
+ $params = "{ 'name': 'firstMsi', 'location': 'northeurope' }"
+ az devcenter dev environment create --dev-center-name <devcenter-name>
+ --project-name <project-name> -n <name> --environment-type <environment-type-name>
+ --catalog-item-name <catalog-item-name> --catalog-name <catalog-name>
+ --parameters $params
+ ```
> [!NOTE]
-> You can use `--help` to view more details about any command, accepted arguments, and examples. For example use `az devcenter dev environment create --help` to view more details about Environment creation.
+> You can use `--help` to view more details about any command, accepted arguments and examples. For example, use `az devcenter dev environment create --help` to view more details about creating an environment.
-## Access Environments
+## Access an environment
-1. List existing environments in a specific project.
- ```azurecli
+To access an environment:
+
+1. List existing environments that are available in a specific project:
+
+ ```azurecli
az devcenter dev environment list --dev-center <devcenter-name> --project-name <project-name> ```
-1. You can view the access end points to various resources as defined in the ARM template outputs.
-1. Access the specific resources using the endpoints.
+1. View the access endpoints to various resources as defined in the ARM template outputs.
+1. Access the specific resources by using the endpoints.
## Next steps -- [Learn how to configure a catalog](how-to-configure-catalog.md).-- [Learn how to configure a catalog item](configure-catalog-item.md).
+- Learn how to [add and configure a catalog](how-to-configure-catalog.md).
+- Learn how to [add and configure a catalog item](configure-catalog-item.md).
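Review bot: the environment-creation command under "Create an environment by using a *catalog-item*" still passes `catalog-name <catalog-name>` without the `--` prefix, so as written the CLI would treat it as a stray positional argument rather than an option; the parameters example a few lines later correctly uses `--catalog-name <catalog-name>`, and the first command should match it. That parameters example is also fenced as json although it is a PowerShell variable assignment (`$params = ...`) followed by an `az devcenter dev environment create` command; tagging it azurecli or powershell like the surrounding blocks avoids presenting a shell snippet as JSON, and it would be worth checking that the single-quoted `{ 'name': 'firstMsi', 'location': 'northeurope' }` string is accepted by the command, since single quotes are not strict JSON. The re-added front-matter line " Title: Create and access an environment" begins with a space and sits next to the unchanged "Title: Create and access Environments" line, so please verify the YAML front matter still parses with a single title key. Finally, the automated installation step has readers execute a downloaded script directly via `iex "& { $(irm https://aka.ms/DevCenter/Install-DevCenterCli.ps1 ) }"`; the sentence below the block says what it does (uninstalls the existing dev center extension and installs the latest version), and adding a pointer to where readers can inspect the script before running it would be a reasonable addition for an install step that executes remote code.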
deployment-environments Quickstart Create And Configure Devcenter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/quickstart-create-and-configure-devcenter.md
Title: Configure the Azure Deployment Environments service
-description: This quickstart shows you how to configure the Azure Deployment Environments service. You'll create a dev center, attach an identity, attach a catalog, and create environment types.
+ Title: Create and configure a dev center
+
+description: Learn how to create and configure a dev center in Azure Deployment Environments Preview. In the quickstart, you create a dev center, attach an identity, attach a catalog, and create environment types.
Previously updated : 10/12/2022 Last updated : 10/26/2022
-# Quickstart: Configure the Azure Deployment Environments Preview service
+# Quickstart: Create and configure a dev center
-This quickstart shows you how to configure Azure Deployment Environments Preview by using the Azure portal. The Enterprise Dev Infra team typically sets up a Dev center, configures different entities within the Dev center, creates projects, and provides access to development teams. Development teams create [Environments](concept-environments-key-concepts.md#environments) using the [Catalog items](concept-environments-key-concepts.md#catalog-items), connect to individual resources, and deploy their applications.
+This quickstart shows you how to create and configure a dev center in Azure Deployment Environments Preview.
-In this quickstart, you'll perform the following actions:
+An enterprise development infrastructure team typically sets up a dev center, configures different entities within the dev center, creates projects, and provides access to development teams. Development teams create [environments](concept-environments-key-concepts.md#environments) by using [catalog items](concept-environments-key-concepts.md#catalog-items), connect to individual resources, and deploy applications.
-* Create a Dev center
-* Attach an Identity
-* Attach a Catalog
-* Create Environment types
+In this quickstart, you learn how to:
+
+> [!div class="checklist"]
+>
+> - Create a dev center
+> - Attach an identity to your dev center
+> - Attach a catalog to your dev center
+> - Create environment types
> [!IMPORTANT]
-> Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Azure Deployment Environments currently is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Azure RBAC role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor) or [Owner](../role-based-access-control/built-in-roles.md#owner).
+- Azure role-based access control role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor) or [Owner](../role-based-access-control/built-in-roles.md#owner).
-## Create a Dev center
+## Create a dev center
-The following steps illustrate how to use the Azure portal to create and configure a Dev center in Azure Deployment Environments.
+To create and configure a Dev center in Azure Deployment Environments by using the Azure portal:
1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for **Azure Deployment Environments**, and then select the service in the results.
+1. In **Dev centers**, select **Create**.
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/deployment-environments-add-devcenter.png" alt-text="Screenshot to create and configure an Azure Deployment Environments dev center.":::
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/deployment-environments-add-devcenter.png" alt-text="Screenshot that shows how to create a dev center in Azure Deployment Environments.":::
-1. Select **+ Add** to create a new dev center.
-1. Add the following details on the **Basics** tab of the **Create a dev center** page.
+1. In **Create a dev center**, on the **Basics** tab, select or enter the following information:
|Name |Value | |-|--| |**Subscription**|Select the subscription in which you want to create the dev center.|
- |**Resource group**|Either use an existing resource group or select **Create new**, and enter a name for the resource group.|
+ |**Resource group**|Either use an existing resource group or select **Create new** and enter a name for the resource group.|
|**Name**|Enter a name for the dev center.|
- |**Location**|Select the location/region in which you want the dev center to be created.|
+ |**Location**|Select the location or region where you want to create the dev center.|
+
+1. (Optional) Select the **Tags** tab and enter a **Name**:**Value** pair.
+1. Select **Review + Create**.
+1. On the **Review** tab, wait for deployment validation, and then select **Create**.
+
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/create-devcenter-review.png" alt-text="Screenshot that shows the Review tab of a dev center to validate the deployment details.":::
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/create-devcenter-page-basics.png" alt-text="Screenshot of Basics tab of the Create a dev center page.":::
+1. Confirm that the dev center was successfully created by checking your Azure portal notifications. Then, select **Go to resource**.
-1. [Optional] Select the **Tags** tab and add a **Name**/**Value** pair.
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/azure-notifications.png" alt-text="Screenshot that shows portal notifications to confirm the creation of a dev center.":::
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/create-devcenter-page-tags.png" alt-text="Screenshot of Tags tab of a Dev center to apply the same tag to multiple resources and resource groups.":::
+1. In **Dev centers**, verify that the dev center appears.
-1. Select **Review + Create**
-1. Validate all details on the **Review** tab, and then select **Create**.
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/deployment-environments-devcenter-created.png" alt-text="Screenshot that shows the Dev centers overview, to confirm that the dev center is created.":::
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/create-devcenter-review.png" alt-text="Screenshot of Review tab of a DevCenter to validate all the details.":::
+## Attach an identity to the dev center
-1. Confirm that the dev center is created successfully by checking **Notifications**. Select **Go to resource**.
+After you create a dev center, attach an [identity](concept-environments-key-concepts.md#identities) to the dev center. Learn about the two [types of identities](how-to-configure-managed-identity.md#types-of-managed-identities) you can attach:
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/azure-notifications.png" alt-text="Screenshot of Notifications to confirm the creation of dev center.":::
+- System-assigned managed identity
+- User-assigned managed identity
-1. Confirm that you see the dev center on the **Dev centers** page.
+For more information, see [Configure a managed identity](how-to-configure-managed-identity.md).
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/deployment-envrionments-devcenter-created.png" alt-text="Screenshot of Dev centers page to confirm the dev center is created and displayed on the page":::
+### Attach a system-assigned managed identity
-## Attach an Identity
+To attach a system-assigned managed identity to your dev center:
-After you've created a dev center, the next step is to attach an [identity](concept-environments-key-concepts.md#identities) to the dev center. Learn about the [types of identities](how-to-configure-managed-identity.md#types-of-managed-identities) (system assigned managed identity or a user assigned managed identity) you can attach.
+1. Complete the steps to create a [system-assigned managed identity](how-to-configure-managed-identity.md#configure-a-system-assigned-managed-identity-for-a-dev-center).
-### Using a system-assigned managed identity
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/system-assigned-managed-identity.png" alt-text="Screenshot that shows a system-assigned managed identity.":::
-1. Create a [system-assigned managed identity](how-to-configure-managed-identity.md#configure-a-system-assigned-managed-identity-for-a-dev-center).
+1. After you create a system-assigned managed identity, assign the Owner role to give the [identity access](how-to-configure-managed-identity.md#assign-a-subscription-role-assignment-to-the-managed-identity) on the subscriptions that will be used to configure [project environment types](concept-environments-key-concepts.md#project-environment-types).
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/system-assigned-managed-identity.png" alt-text="Screenshot of system assigned managed identity.":::
+ Make sure that the identity has [access to the key vault secret](how-to-configure-managed-identity.md#assign-the-managed-identity-access-to-the-key-vault-secret) that contains the personal access token to access your repository.
-1. After the system-assigned managed identity is created, select **Azure role assignments** to provide **Owner** access on the subscriptions that will be used to configure [Project Environment Types](concept-environments-key-concepts.md#project-environment-types) and ensure the **Identity** has [access to the **Key Vault** secrets](how-to-configure-managed-identity.md#assign-the-managed-identity-access-to-the-key-vault-secret) containing the personal access token (PAT) token to access your repository.
+### Attach an existing user-assigned managed identity
-### Using the user-assigned existing managed identity
+To attach a user-assigned managed identity to your dev center:
-1. Attach a [user assigned managed identity](how-to-configure-managed-identity.md#configure-a-user-assigned-managed-identity-for-a-dev-center).
+1. Complete the steps to attach a [user-assigned managed identity](how-to-configure-managed-identity.md#configure-a-user-assigned-managed-identity-for-a-dev-center).
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/user-assigned-managed-identity.png" alt-text="Screenshot of user assigned managed identity.":::
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/user-assigned-managed-identity.png" alt-text="Screenshot that shows a user-assigned managed identity.":::
-1. After the identity is attached, ensure that the attached identity has **Owner** access on the subscriptions that will be used to configure [Project Environment Types](how-to-configure-project-environment-types.md) and provide **Reader** access to all subscriptions that a project lives in. Also ensure the identity has [access to the Key Vault secrets](how-to-configure-managed-identity.md#assign-the-managed-identity-access-to-the-key-vault-secret) containing the personal access token (PAT) token to access the repository.
+1. After you attach the identity, assign the Owner role to give the [identity access](how-to-configure-managed-identity.md#assign-a-subscription-role-assignment-to-the-managed-identity) on the subscriptions that will be used to configure [project environment types](how-to-configure-project-environment-types.md). Give the identity Reader access to all subscriptions that a project lives in.
->[!NOTE]
-> The [identity](concept-environments-key-concepts.md#identities) attached to the dev center should be granted 'Owner' access to the deployment subscription configured per environment type.
+ Make sure that the identity has [access to the key vault secret](how-to-configure-managed-identity.md#assign-the-managed-identity-access-to-the-key-vault-secret) that contains the personal access token to access the repository.
-## Attach a Catalog
+> [!NOTE]
+> The [identity](concept-environments-key-concepts.md#identities) that's attached to the dev center should be assigned the Owner role for access to the deployment subscription for each environment type.
-**Prerequisite** - Before attaching a [Catalog](concept-environments-key-concepts.md#catalogs), store the personal access token (PAT) as a [Key Vault secret](../key-vault/secrets/quick-create-portal.md) and copy the **Secret Identifier**. Ensure that the [Identity](concept-environments-key-concepts.md#identities) attached to the dev center has [**Get** access to the **Secret**](../key-vault/general/assign-access-policy.md).
+## Add a catalog to the dev center
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Access Azure Deployment Environments.
-1. Select your dev center from the list.
-1. Select **Catalogs** from the left pane and select **+ Add**.
+> [!NOTE]
+> Before you add a [catalog](concept-environments-key-concepts.md#catalogs), store the personal access token as a [key vault secret](../key-vault/secrets/quick-create-portal.md) in Azure Key Vault and copy the secret identifier. Ensure that the [identity](concept-environments-key-concepts.md#identities) that's attached to the dev center has [GET access to the secret](../key-vault/general/assign-access-policy.md).
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/catalogs-page.png" alt-text="Screenshot of Catalogs page.":::
+To add a catalog to your dev center:
-1. On the **Add New Catalog** page, provide the following details, and then select **Add**.
+1. In the Azure portal, go to Azure Deployment Environments.
+1. In **Dev centers**, select your dev center.
+1. In the left menu under **Environment configuration**, select **Catalogs**, and then select **Add**.
+
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/catalogs-page.png" alt-text="Screenshot that shows the Catalogs pane.":::
+
+1. In the **Add catalog** pane, enter the following information, and then select **Add**.
|Name |Value | ||-|
- |**Name**|Provide a name for your catalog.|
- |**Git clone URI**|Provide the URI to your GitHub or ADO repository.|
- |**Branch**|Provide the repository branch that you would like to connect.|
- |**Folder path**|Provide the repo relative path in which the [catalog item](concept-environments-key-concepts.md#catalog-items) exist.|
- |**Secret identifier**|Provide the secret identifier that which contains your Personal Access Token (PAT) for the repository|
+ |**Name**|Enter a name for your catalog.|
+ |**Git clone URI**|Enter the URI to your GitHub or Azure DevOps repository.|
+ |**Branch**|Enter the repository branch that you want to connect.|
+ |**Folder path**|Enter the repository relative path where the [catalog item](concept-environments-key-concepts.md#catalog-items) exists.|
+ |**Secret identifier**|Enter the secret identifier that contains your personal access token for the repository.|
+
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/add-new-catalog-form.png" alt-text="Screenshot that shows the Add new catalog pane.":::
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/add-new-catalog-form.png" alt-text="Screenshot of add new catalog page.":::
+1. Confirm that the catalog is successfully added by checking your Azure portal notifications.
-1. Confirm that the catalog is successfully added by checking the **Notifications**.
+1. Select the specific repository, and then select **Sync**.
-1. Select the specific repo, and then select **Sync**.
-
- :::image type="content" source="media/configure-catalog-item/sync-catalog-items.png" alt-text="Screenshot showing how to sync the catalog." :::
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/sync-catalog.png" alt-text="Screenshot that shows how to sync the catalog." :::
-## Create Environment types
+## Create an environment type
-Environment types help you define the different types of environments your development teams can deploy. You can apply different settings per environment type.
+Use an environment type to help you define the different types of environments your development teams can deploy. You can apply different settings for each environment type.
-1. Select the **Environment types** from the left pane and select **+ Create**.
-1. On the **Create environment type** page, provide the following details and select **Add**.
+1. In the Azure portal, go to Azure Deployment Environments.
+1. In **Dev centers**, select your dev center.
+1. In the left menu under **Environment configuration**, select **Environment types**, and then select **Create**.
+1. In **Create environment type**, enter the following information, and then select **Add**.
|Name |Value | ||-|
- |**Name**|Add a name for the environment type.|
- |**Tags**|Provide a **Name** and **Value**.|
+ |**Name**|Enter a name for the environment type.|
+ |**Tags**|Enter a tag name and a tag value.|
- :::image type="content" source="media/quickstart-create-and-configure-devcenter/create-environment-type.png" alt-text="Screenshot of Create environment type form.":::
+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/create-environment-type.png" alt-text="Screenshot that shows the Create environment type pane.":::
-1. Confirm that the environment type is added by checking the **Notifications**.
+1. Confirm that the environment type is added by checking your Azure portal notifications.
-Environment types added to the dev center are available within each project it contains, but are not enabled by default. When enabled at the project level, the environment type determines the managed identity and subscription that is used for deploying environments.
+An environment type that you add to your dev center is available in each project in the dev center, but environment types aren't enabled by default. When you enable an environment type at the project level, the environment type determines the managed identity and subscription that are used to deploy environments.
## Next steps
-In this quickstart, you created a dev center and configured it with an identity, a catalog, and environment types. To learn about how to create and configure a project, advance to the next quickstart:
+In this quickstart, you created a dev center and configured it with an identity, a catalog, and an environment type. To learn how to create and configure a project, advance to the next quickstart.
-* [Quickstart: Create and Configure projects](./quickstart-create-and-configure-projects.md)
+> [!div class="nextstepaction"]
+> [Quickstart: Create and configure a project](./quickstart-create-and-configure-projects.md)
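Review bot: the Owner requirement is stated twice in this hunk, once in the step `1. After you attach the identity, assign the Owner role to give the identity access ... on the subscriptions that will be used to configure project environment types` and again in the note that follows (`The identity ... should be assigned the Owner role for access to the deployment subscription for each environment type`); keep one, preferably the note, because it is the only wording that scopes the grant to the deployment subscription of each environment type rather than to every subscription the dev center touches. The catalog prerequisite tells the reader to store a personal access token in Key Vault but never says what scope the token needs; since the catalog only clones and syncs the repository (the `Git clone URI` field and the `Sync` step), state that a read-only token scoped to that repository is enough so readers do not mint a broadly scoped PAT. Minor: the step reads `select **Catalogs**, and then select **Add**` and the next step says `In the **Add catalog** pane`, while the screenshot alt text says `Add new catalog pane`; use one name for the pane.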
deployment-environments Quickstart Create And Configure Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/quickstart-create-and-configure-projects.md
Title: Set up an Azure Deployment Environments Project
-description: This quickstart shows you how to create and configure an Azure Deployment Environments project and associate it with a dev center.
+ Title: Create and configure a project
+
+description: Learn how to create a project in Azure Deployment Environments Preview and associate the project with a dev center.
Previously updated : 10/12/2022 Last updated : 10/26/2022
-# Quickstart: Configure an Azure Deployment Environments Project
+# Quickstart: Create and configure a project
-This quickstart shows you how to create and configure an Azure Deployment Environments Preview Project and associate it to the dev center created in [Quickstart: Configure an Azure Deployment Environments service](./quickstart-create-and-configure-devcenter.md). The enterprise Dev Infra team typically creates projects and provides access to development teams. Development teams then create [environments](concept-environments-key-concepts.md#environments) using the [catalog items](concept-environments-key-concepts.md#catalog-items), connect to individual resources, and deploy their applications.
+This quickstart shows you how to create a project in Azure Deployment Environments Preview. Then, you associate the project with the dev center you created in [Quickstart: Create and configure a dev center](./quickstart-create-and-configure-devcenter.md).
-In this quickstart, you'll learn how to:
+An enterprise development infrastructure team typically creates projects and provides project access to development teams. Development teams then create [environments](concept-environments-key-concepts.md#environments) by using [catalog items](concept-environments-key-concepts.md#catalog-items), connect to individual resources, and deploy applications.
-* Create a project
-* Configure a project
-* Provide access to the development team
+In this quickstart, you learn how to:
+
+> [!div class="checklist"]
+>
+> - Create a project
+> - Configure a project
+> - Provide project access to the development team
> [!IMPORTANT]
-> Azure Deployment Environments is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Azure Deployment Environments currently is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Azure RBAC role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor) or [Owner](../role-based-access-control/built-in-roles.md#owner).
+- Azure role-based access control role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor) or [Owner](../role-based-access-control/built-in-roles.md#owner).
## Create a project
-Create and configure a project in your dev center as follows:
+To create a project in your dev center:
+
+1. In the [Azure portal](https://portal.azure.com/), go to Azure Deployment Environments.
+
+1. In the left menu under **Configure**, select **Projects**.
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Access Azure Deployment Environments.
-1. Select **Projects** from the left pane.
-1. Select **+ Create**.
-1. On the **Basics** tab of the **Create a project** page, provide the following details:
+1. In **Projects**, select **Create**.
+
+1. In **Create a project**, on the **Basics** tab, enter or select the following information:
|Name |Value | |-|--| |**Subscription** |Select the subscription in which you want to create the project. |
- |**Resource group**|Either use an existing resource group or select **Create new**, and enter a name for the resource group. |
- |**Dev center**|Select a Dev center to associate with this project. All the Dev center level settings will then apply to the project. |
- |**Name**|Add a name for the project. |
- |[Optional]**Description**|Add any project related details. |
+ |**Resource group**|Either use an existing resource group or select **Create new** and enter a name for the resource group. |
+ |**Dev center**|Select a dev center to associate with this project. All settings for the dev center will apply to the project. |
+ |**Name**|Enter a name for the project. |
+ |**Description** (Optional) |Enter any project-related details. |
+
+1. Select the **Tags** tab and enter a **Name**:**Value** pair.
- :::image type="content" source="media/quickstart-create-configure-projects/create-project-page-basics.png" alt-text="Screenshot of the Basics tab of the Create a project page.":::
+1. On the **Review + Create** tab, wait for deployment validation, and then select **Create**.
-1. [Optional]On the **Tags** tab, add a **Name**/**Value** pair that you want to assign.
+ :::image type="content" source="media/quickstart-create-configure-projects/create-project-page-review-create.png" alt-text="Screenshot that shows selecting the Review + Create button to validate and create a project.":::
- :::image type="content" source="media/quickstart-create-configure-projects/create-project-page-tags.png" alt-text="Screenshot of the Tags tab of the Create a project page.":::
+1. Confirm that the project was successfully created by checking your Azure portal notifications. Then, select **Go to resource**.
-1. On the **Review + create** tab, validate all the details and select **Create**:
+1. Confirm that you see the project overview pane.
- :::image type="content" source="media/quickstart-create-configure-projects/create-project-page-review-create.png" alt-text="Screenshot of selecting the Create button to validate and create a project.":::
+ :::image type="content" source="media/quickstart-create-configure-projects/created-project.png" alt-text="Screenshot that shows the project overview pane.":::
-1. Confirm that the project is created successfully by checking the **Notifications**. Select **Go to resource**.
+## Configure a project
-1. Confirm that you see the **Project** page.
+To configure a project, add a [project environment type](how-to-configure-project-environment-types.md):
- :::image type="content" source="media/quickstart-create-configure-projects/created-project.png" alt-text="Screenshot of the Project page.":::
+1. In the Azure portal, go to your project.
-## Configure a Project
+1. In the left menu under **Environment configuration**, select **Environment types**, and then select **Add**.
-Add a [project environment type](how-to-configure-project-environment-types.md) as follows:
+ :::image type="content" source="media/quickstart-create-configure-projects/add-environment-types.png" alt-text="Screenshot that shows the Environment types pane.":::
-1. On the Project page, select **Environment types** from the left pane and select **+ Add**.
-
- :::image type="content" source="media/quickstart-create-configure-projects/add-environment-types.png" alt-text="Screenshot of the Environment types page.":::
-
-1. On the **Add environment type to Project** page, provide the following details:
+1. In **Add environment type to \<project-name\>**, enter or select the following information:
|Name |Value | ||-| |**Type**| Select a dev center level environment type to enable for the specific project.|
- |**Deployment Subscription**| Select the target subscription in which the environments will be created.|
- |**Deployment Identity** | Select either a system assigned identity or a user assigned managed identity that'll be used to perform deployments on behalf of the user.|
- |**Permissions on environment resources** > **Environment Creator Role(s)**| Select the role(s) that'll get access to the environment resources.|
- |**Permissions on environment resources** > **Additional access** | Select the user(s) or Azure Active Directory (Azure AD) group(s) that'll be granted specific role(s) on the environment resources.|
- |**Tags** | Provide a **Name** and **Value**. These tags will be applied on all resources created as part of the environments.|
-
- :::image type="content" source="./media/configure-project-environment-types/add-project-environment-type-page.png" alt-text="Screenshot showing adding details on the add project environment type page.":::
+ |**Deployment subscription**| Select the subscription in which the environment will be created.|
+ |**Deployment identity** | Select either a system-assigned identity or a user-assigned managed identity that's used to perform deployments on behalf of the user.|
+ |**Permissions on environment resources** > **Environment creator role(s)**| Select the roles to give access to the environment resources.|
+ |**Permissions on environment resources** > **Additional access** | Select the users or Azure Active Directory groups to assign to specific roles on the environment resources.|
+ |**Tags** | Enter a tag name and a tag value. These tags are applied on all resources that are created as part of the environment.|
+ :::image type="content" source="./media/quickstart-create-configure-projects/add-project-environment-type-page.png" alt-text="Screenshot that shows adding details in the Add project environment type pane.":::
> [!NOTE]
-> At least one identity (system assigned or user assigned) must be enabled for deployment identity and will be used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be [granted 'Owner' access to the deployment subscription](how-to-configure-managed-identity.md) configured per environment type.
+> At least one identity (system-assigned or user-assigned) must be enabled for deployment identity. The identity is used to perform the environment deployment on behalf of the developer. Additionally, the identity attached to the dev center should be [assigned the Owner role](how-to-configure-managed-identity.md) for access to the deployment subscription for each environment type.
+
+## Give project access to the development team
+
+1. In the Azure portal, go to your project.
-## Provide access to the development team
+1. In the left menu, select **Access control (IAM)**.
-1. On the **Project** page, select **Access Control (IAM)** from the left pane.
-1. Select **+ Add** > **Add role assignment**.
+1. Select **Add** > **Add role assignment**.
- :::image type="content" source="media/quickstart-create-configure-projects/project-access-control-page.png" alt-text="Screenshot of the Access control page.":::
+ :::image type="content" source="media/quickstart-create-configure-projects/project-access-control-page.png" alt-text="Screenshot that shows the Access control pane.":::
+
+1. In **Add role assignment**, enter the following information, and then select **Save**:
-1. On the **Add role assignment** page, provide the following details, and select **Save**:
1. On the **Role** tab, select either [DevCenter Project Admin](how-to-configure-project-admin.md) or [Deployment Environments user](how-to-configure-deployment-environments-user.md). 1. On the **Members** tab, select either a **User, group, or service principal** or a **Managed identity** to assign access.
- :::image type="content" source="media/quickstart-create-configure-projects/add-role-assignment.png" alt-text="Screenshot of the Add role assignment page.":::
+ :::image type="content" source="media/quickstart-create-configure-projects/add-role-assignment.png" alt-text="Screenshot that shows the Add role assignment pane.":::
->[!NOTE]
-> Only users with a [Deployment Environments user](how-to-configure-deployment-environments-user.md) role or a [DevCenter Project Admin](how-to-configure-project-admin.md) role or a built-in role with appropriate permissions will be able to create environments.
+> [!NOTE]
+> Only a user who has the [Deployment Environments User](how-to-configure-deployment-environments-user.md) role, the [DevCenter Project Admin](how-to-configure-project-admin.md) role, or a built-in role that has appropriate permissions can create an environment.
## Next steps
-In this quickstart, you created a project and granted access to your development team. To learn about how your development team members can create environments, advance to the next quickstart:
+In this quickstart, you created a project and granted project access to your development team. To learn about how your development team members can create environments, advance to the next quickstart.
-* [Quickstart: Create & access Environments](quickstart-create-access-environments.md)
+> [!div class="nextstepaction"]
+> [Quickstart: Create and access an environment](quickstart-create-access-environments.md)
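Review bot: the rewritten step `1. Select the **Tags** tab and enter a **Name**:**Value** pair.` drops the `[Optional]` marker that the removed line carried, so tags now read as required; restore `(Optional)` the way the table already does for `**Description** (Optional)`. The role name is inconsistent within the hunk: the sub-step says `select either [DevCenter Project Admin] or [Deployment Environments user]` while the note below says `[Deployment Environments User]`; use the built-in role's actual casing in both places. In the Prerequisites section the removed and added bullets have run together on one line (`... [Create an account for free](...).-- Azure RBAC role with permissions ...`), so the old bullet text will survive in the rendered page; put the removed bullet on its own `-` line. Finally, the `Environment creator role(s)` row only says `Select the roles to give access to the environment resources`; say who receives those roles (the developer who creates the environment, on the resources deployed into the deployment subscription) so readers understand this is a standing grant to users and choose the least privileged role that fits.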
dev-box Quickstart Connect To Dev Box With Remote Desktop App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-connect-to-dev-box-with-remote-desktop-app.md
+
+ Title: 'Quickstart: Use a remote desktop client to connect to a dev box'
+
+description: Learn how to download a Remote Desktop client and connect to your dev box.
++++ Last updated : 11/03/2022+++
+# Quickstart: Use a remote desktop client to connect to a dev box
+When you have configured the Microsoft Dev Box Preview service and created dev boxes, you can connect to them using a browser, or by using a remote desktop client.
+
+Remote desktop apps let you use and control a dev box from almost any device. For your desktop or laptop, you can choose to download the Remote Desktop client for Windows Desktop or the Microsoft Remote Desktop for Mac. You can also download a Remote Desktop app for your mobile device: Microsoft Remote Desktop for iOS or Microsoft Remote Desktop for Android.
+
+In this quickstart, you'll perform the following tasks:
+
+* Download the Remote Desktop client (Windows and non-Windows).
+* Use the Remote Desktop client to connect to a dev box.
+
+## Prerequisites
+
+Configure the Microsoft Dev Box Preview service:
+- [Quickstart: Configure the Microsoft Dev Box Preview service](./quickstart-configure-dev-box-service.md)
+- [Quickstart: Configure a Microsoft Dev Box Preview project](./quickstart-configure-dev-box-project.md)
+
+Create a dev box to connect to:
+- [Add a dev box](./quickstart-create-dev-box.md#create-a-dev-box) on the [developer portal](https://aka.ms/devbox-portal)
+
+## Use the Remote Desktop client to connect to your dev box
+
+There are remote desktop clients available for many different operating systems (OSs) and devices. In this quickstart, you can choose to view the steps for Windows, or the steps for a non-Windows OS by selecting the appropriate tab.
+# [Windows](#tab/windows)
+### Download the Remote Desktop client for Windows
+
+To download and set up the Remote Desktop app for Windows, follow these steps:
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. Select **Open in RDP client** for the dev box you want to connect.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the Your dev box card showing the Open in RDP client option.":::
+
+1. Choose **Download Windows Desktop** to download the Remote Desktop client.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/download-windows-desktop.png" alt-text="Screenshot of the download windows desktop option on the connect dialog.":::
+
+1. Once install of the Windows Desktop client completes, return to the dev portal and [connect to your dev box](#connect-to-your-dev-box)
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/install-complete-return-prompt.png" alt-text="Screenshot of the return prompt after download and install of the RDP client is completed.":::
+
+### Connect to your dev box
+
+1. To open the RDP client, sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. Select **Open in RDP client** for the dev box you want to connect.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the Open in RDP client option.":::
+
+1. Choose **Open Windows Desktop** to connect to your dev box in the Remote Desktop client.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/open-windows-desktop.png" alt-text="Screenshot of the Open Windows Desktop option on the Connect dialog.":::
+
+# [Non-Windows](#tab/non-Windows)
+
+### Download the Remote Desktop client
+
+To use a non-Windows Remote Desktop client to connect to your dev box, follow these steps:
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. Select **Configure Remote Desktop** from **Quick actions**.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/configure-remote-desktop-non-windows.png" alt-text="Screenshot of Configure Remote Desktop in Quick actions.":::
+
+1. Choose **Download** to download the Remote Desktop client.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/download-non-windows-rdp-client.png" alt-text="Screenshot of the non-Windows Remote Desktop client download option on the Configure Remote Desktop dialog.":::
+
+1. Copy the subscription feed URL from step(2) of the **Configure Remote Desktop** card. Once Remote Desktop client is installed, you'll connect to your dev box with this subscription feed URL.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/copy-subscription-url-non-windows.png" alt-text="Screenshot of the subscription feed URL copied from the Configure Remote Desktop card.":::
+
+### Connect to your dev box
+
+1. Open the Remote Desktop client, select **Add Workspace** and paste the subscription feed URL.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-subscription-feed.png" alt-text="Screenshot of the non-Windows Remote Desktop client Add Workspace dialog.":::
+
+1. Your dev box will appear in the Remote Desktop client's Workspaces. Double-click to connect.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-connect-dev-box.png" alt-text="Screenshot of the non-Windows Remote Desktop client workspace with dev box.":::
+++
+## Clean up resources
+
+Dev boxes incur costs whenever they are running. When you have finished using your dev box, shutdown or stop it to avoid incurring unnecessary costs.
+
+You can stop a dev box from the developer portal:
+
+1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+1. For the dev box you want to stop, select the Actions menu, and then select **Stop**.
+
+ :::image type="content" source="./media/quickstart-connect-to-dev-box-with-remote-desktop-app/stop-dev-box.png" alt-text="Screenshot of the Stop option.":::
+
+1. The dev box may take a few moments to stop.
+
+## Next steps
+To learn about managing Microsoft Dev Box Preview, see:
+
+- [Provide access to project admins](./how-to-project-admin.md)
+- [Provide access to dev box users](./how-to-dev-box-user.md)
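Review bot: both tabs define a `### Connect to your dev box` heading, and the Windows step `return to the dev portal and [connect to your dev box](#connect-to-your-dev-box)` links by that anchor; with two identical headings the generator will suffix the second anchor, and the link may land on the heading in the other tab. Give the two headings distinct text or tab-specific anchors, and end that step with a period. The tab ids differ in case (`# [Windows](#tab/windows)` vs `# [Non-Windows](#tab/non-Windows)`); use lowercase for both. Smaller points: `shutdown or stop it` should read `shut down or stop it`; `Copy the subscription feed URL from step(2)` needs a space and the referenced step should be named, since the card's numbering is not shown in the text; the Windows `Sign in to the developer portal` and `Select **Open in RDP client**` steps appear verbatim in both the Download and Connect sections and could be stated once. The front matter has collapsed to `++++ Last updated : 11/03/2022+++`, so confirm that the author and ms.date fields survived in the committed file.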
dev-box Quickstart Create Dev Box https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-create-dev-box.md
When no longer needed, you can delete your dev box.
## Next steps
-In this quickstart, you created a dev box through the developer portal. To learn how to connect to a dev box using a remote desktop app, see [Tutorial: Use the Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).
+In this quickstart, you created a dev box through the developer portal. To learn how to connect to a dev box using a remote desktop app, see [Quickstart: Use a remote desktop client to connect to a dev box](./quickstart-connect-to-dev-box-with-remote-desktop-app.md).
dev-box Tutorial Connect To Dev Box With Remote Desktop App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/tutorial-connect-to-dev-box-with-remote-desktop-app.md
- Title: 'Tutorial: Use the Remote Desktop client to connect to a dev box'-
-description: In this tutorial, you learn how to download a Remote Desktop client and connect to a dev box.
---- Previously updated : 10/12/2022---
-# Tutorial: Use the Remote Desktop client to connect to a dev box
-
-In this tutorial, you'll learn how to download a remote desktop app from the [developer portal](https://aka.ms/devbox-portal) and connect to a dev box by using the remote desktop client.
-
-Remote desktop apps let you use and control a dev box from almost any device. For your desktop or laptop, you can choose to download the Remote Desktop client for Windows Desktop or the Microsoft Remote Desktop for Mac. You can also download a Remote Desktop app for your mobile device: Microsoft Remote Desktop for iOS or Microsoft Remote Desktop for Android.
-
-You can view the dev boxes you're connected to in your Remote Desktop client's [Workspaces](/windows-server/remote/remote-desktop-services/clients/windowsdesktop#workspaces).
-
-In this tutorial, you'll learn how to:
-
-> [!div class="checklist"]
-> * Download the Remote Desktop client (Windows and non-Windows).
-> * Use the Remote Desktop client to connect to a dev box.
-
-## Prerequisites
--- [Add a dev box](./quickstart-create-dev-box.md#create-a-dev-box) on the [developer portal](https://aka.ms/devbox-portal).-
-## Download the Remote Desktop client (Windows)
-
-To download and set up the Remote Desktop app for Windows, follow these steps:
-
-1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
-
-1. Select **Open in RDP client** for the dev box you want to connect.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the Your dev box card showing the Open in RDP client option.":::
-
-1. Choose **Download Windows Desktop** to download the Remote Desktop client.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-windows-desktop.png" alt-text="Screenshot of the download windows desktop option on the connect dialog.":::
-
-1. Once install of the Windows Desktop client completes, return to the dev portal and [connect to your dev box](#connect-to-your-dev-box)
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/install-complete-return-prompt.png" alt-text="Screenshot of the return prompt after download and install of the RDP client is completed.":::
-
-## Connect to your dev box
-
-1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
-
-1. Select **Open in RDP client** for the dev box you want to connect.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/windows-open-rdp-client.png" alt-text="Screenshot of the Open in RDP client option.":::
-
-1. Choose **Open Windows Desktop** to connect to your dev box in the Remote Desktop client.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/open-windows-desktop.png" alt-text="Screenshot of the Open Windows Desktop option on the Connect dialog.":::
-
-## Download the Remote Desktop client (non-Windows) and connect to your dev box
-
-To use a non-Windows Remote Desktop client to connect to your dev box, follow these steps:
-
-1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
-
-1. Select **Configure Remote Desktop** from **Quick actions**.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/configure-remote-desktop-non-windows.png" alt-text="Screenshot of Configure Remote Desktop in Quick actions.":::
-
-1. Choose **Download** to download the Remote Desktop client.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-non-windows-rdp-client.png" alt-text="Screenshot of the non-Windows Remote Desktop client download option on the Configure Remote Desktop dialog.":::
-
-1. Copy the subscription feed URL from step(2) of the **Configure Remote Desktop** card. Once Remote Desktop client is installed, you'll connect to your dev box with this subscription feed URL.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/copy-subscription-url-non-windows.png" alt-text="Screenshot of the subscription feed URL copied from the Configure Remote Desktop card.":::
-
-1. Open the Remote Desktop client, select **Add Workspace** and paste the subscription feed URL.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-subscription-feed.png" alt-text="Screenshot of the non-Windows Remote Desktop client Add Workspace dialog.":::
-
-1. Your dev box will appear in the Remote Desktop client's Workspaces. Double-click to connect.
-
- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/non-windows-rdp-connect-dev-box.png" alt-text="Screenshot of the non-Windows Remote Desktop client workspace with dev box.":::
-
-## Next steps
-To learn about managing Microsoft Dev Box Preview, see:
--- [Provide access to project admins](./how-to-project-admin.md)-- [Provide access to dev box users](./how-to-dev-box-user.md)
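Review bot: the removal does not stop at the non-Windows Remote Desktop procedure; it also deletes the "Next steps" heading and the two links to how-to-project-admin.md and how-to-dev-box-user.md in the final line, and the hunk shows nothing replacing them. If only the non-Windows client instructions are meant to go, keep the Next steps section. The removed steps are also the only place this hunk documents copying the subscription feed URL from the Configure Remote Desktop card and adding it as a workspace in the client, so confirm that guidance for non-Windows clients is restored elsewhere in the article rather than dropped.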
dns Dns Private Resolver Get Started Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dns/dns-private-resolver-get-started-portal.md
- Title: Quickstart - Create an Azure private DNS resolver using the Azure portal
+
+ Title: Quickstart - Create an Azure DNS Private Resolver using the Azure portal
description: In this quickstart, you create and test a private DNS resolver in Azure DNS. This article is a step-by-step guide to create and manage your first private DNS resolver using the Azure portal.
#Customer intent: As an experienced network administrator, I want to create an Azure private DNS resolver, so I can resolve host names on my private virtual networks.
-# Quickstart: Create an Azure Private DNS Resolver using the Azure portal
+# Quickstart: Create an Azure DNS Private Resolver using the Azure portal
This quickstart walks you through the steps to create an Azure DNS Private Resolver using the Azure portal. If you prefer, you can complete this quickstart using [Azure PowerShell](private-dns-getstarted-powershell.md).
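Review bot: the rename to "Azure DNS Private Resolver" is applied to the Title line and the H1 but not to the description line ("create and test a private DNS resolver") or the Customer intent comment ("create an Azure private DNS resolver"), both of which sit between them in this hunk; update those two lines as well so the product name is consistent with the wording already used in the first body paragraph.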
You should now be able to send DNS traffic to your DNS resolver and resolve reco
## Next steps > [!div class="nextstepaction"]
-> [What is Azure private DNS Resolver?](dns-private-resolver-overview.md)
+> [What is Azure DNS Private Resolver?](dns-private-resolver-overview.md)
energy-data-services How To Convert Segy To Zgy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/how-to-convert-segy-to-zgy.md
Last updated 08/18/2022
-# How to convert a SEG-Y file to ZGY?
+# How to convert a SEG-Y file to ZGY
-Seismic data stored in industry standard SEG-Y format can be converted to ZGY for use in applications such as Petrel via the Seismic DMS. See here for [ZGY Conversion FAQ's](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion#faq) and more background can be found in the OSDU&trade; community here: [SEG-Y to ZGY conversation](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion/-/tree/azure/m10-master)
+In this article, you will learn how to convert SEG-Y formatted data to the ZGY format. Seismic data stored in industry standard SEG-Y format can be converted to ZGY for use in applications such as Petrel via the Seismic DMS. See here for [ZGY Conversion FAQ's](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion#faq) and more background can be found in the OSDU&trade; community here: [SEG-Y to ZGY conversation](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion/-/tree/azure/m10-master)
[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)] ## Prerequisites
-### Postman
-
-* Download and install [Postman](https://www.postman.com/) desktop app.
-* Import the [oZGY Conversions.postman_collection](https://community.opengroup.org/osdu/platform/pre-shipping/-/blob/main/R3-M9/Azure-M9/Services/DDMS/oZGY%20Conversions.postman_collection.json) into Postman. All curl commands used below are added to this collection. Update your Environment file accordingly
-* Microsoft Energy Data Services Preview instance is created already
-* Clone the **sdutil** repo as shown below:
+1. Download and install [Postman](https://www.postman.com/) desktop app.
+2. Import the [oZGY Conversions.postman_collection](https://github.com/microsoft/meds-samples/blob/main/postman/SegyToZgyConversion%20Workflow%20using%20SeisStore%20R3%20CI-CD%20v1.0.postman_collection.json) into Postman. All curl commands used below are added to this collection. Update your Environment file accordingly
+3. Ensure that your Microsoft Energy Data Services Preview instance is created already
+4. Clone the **sdutil** repo as shown below:
```markdown git clone https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil.git git checkout azure/stable ```
-* The [jq command](https://stedolan.github.io/jq/download/), using your favorite tool on your favorite OS.
+5. The [jq command](https://stedolan.github.io/jq/download/), using your favorite tool on your favorite OS.
-## Step by Step guide
-
-1. The user needs to be part of the `users.datalake.admins` group and user needs to generate a valid refresh token. See [How to generate a refresh token](how-to-generate-refresh-token.md) for further instructions. If you continue to follow other "how-to" documentation, you'll use this refresh token again. Once you've generated the token, store it in a place where you'll be able to access it in the future. If it isn't present, add the group for the member ID. In this case, use the app ID you have been using for everything as the `user-email`.
+## Convert SEG-Y file to ZGY file
- > [!NOTE]
- > `data-partition-id` should be in the format `<instance-name>-<data-partition-name>` in both the header and the url, and will be for any following command that requires `data-partition-id`.
+1. The user needs to be part of the `users.datalake.admins` group and user needs to generate a valid refresh token. See [How to generate a refresh token](how-to-generate-refresh-token.md) for further instructions. If you continue to follow other "how-to" documentation, you'll use this refresh token again. Once you've generated the token, store it in a place where you'll be able to access it in the future. If it isn't present, add the group for the member ID. In this case, use the app ID you have been using for everything as the `user-email`. Additionally, the `data-partition-id` should be in the format `<instance-name>-<data-partition-name>` in both the header and the url, and will be for any following command that requires `data-partition-id`.
```bash curl --location --request POST "<url>/api/entitlements/v2/groups/users.datalake.admins@<data-partition>.<domain>.com/members" \
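Review bot: the added intro sentence still carries the link text "SEG-Y to ZGY conversation", which should read "conversion" (the link target path is segy-to-zgy-conversion), and "ZGY Conversion FAQ's" should be "FAQs". Further down in the same hunk, the git clone/checkout commands in prerequisite 4 are fenced as ```markdown; tag that fence bash so it renders and copies as a shell snippet like the curl blocks that follow. In the new step 1, "If it isn't present, add the group for the member ID" is ambiguous; say plainly that the POST below adds the app ID to users.datalake.admins when it is not already a member, and, since that is an administrative group, state why membership is needed for this guide so readers do not grant it to identities that do not need it.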
Seismic data stored in industry standard SEG-Y format can be converted to ZGY fo
}' ```
-5. Create Subproject. Use your previously created entitlements groups that you would like to add as ACLs (Access Control List) admins and viewers. If you haven't yet created entitlements groups, follow the directions as outlined in [How to manage users?](how-to-manage-users.md). If you would like to see what groups you have, use [Get entitlements groups for a given user](how-to-manage-users.md#get-entitlements-groups-for-a-given-user). Data access isolation achieved with this dedicated ACL (access control list) per object within a given data partition. You may have many subprojects within a data partition, so this command allows you to provide access to a specific subproject without providing access to an entire data partition. Data partition entitlements don't necessarily translate to the subprojects within it, so it's important to be explicit about the ACLs for each subproject, regardless of what data partition it is in.
+5. Create Subproject. Use your previously created entitlements groups that you would like to add as ACLs (Access Control List) admins and viewers. If you haven't yet created entitlements groups, follow the directions as outlined in [How to manage users](how-to-manage-users.md). If you would like to see what groups you have, use [Get entitlements groups for a given user](how-to-manage-users.md#get-entitlements-groups-for-a-given-user). Data access isolation is achieved with this dedicated ACL (access control list) per object within a given data partition. You may have many subprojects within a data partition, so this command allows you to provide access to a specific subproject without providing access to an entire data partition. Data partition entitlements don't necessarily translate to the subprojects within it, so it's important to be explicit about the ACLs for each subproject, regardless of what data partition it is in.
- > [!NOTE]
- > Later in this tutorial, you'll need at least one `owner` and at least one `viewer`. These user groups will look like `data.default.owners` and `data.default.viewers`. Make sure to include one of each in your list of `acls` in the request below.
+ Later in this tutorial, you'll need at least one `owner` and at least one `viewer`. These user groups will look like `data.default.owners` and `data.default.viewers`. Make sure to include one of each in your list of `acls` in the request below.
```bash curl --location --request POST '<url>/seistore-svc/api/v3/subproject/tenant/<data-partition>/subproject/<subproject>' \
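Review bot: the sentence "Data access isolation is achieved with this dedicated ACL (access control list) per object" in the new step 5 repeats the expansion of ACL already given two sentences earlier ("ACLs (Access Control List)"); keep one. Demoting the owner/viewer NOTE to an indented paragraph inside the list item reads fine. Given that the step stresses that partition entitlements do not carry over to subprojects, a short verification after the POST (reading the subproject back, if the API exposes it, and checking that `acls` lists only the intended owner and viewer groups) would turn the isolation statement into something the reader can confirm.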
Seismic data stored in industry standard SEG-Y format can be converted to ZGY fo
}' ```
-6. Patch Subproject with the legal tag you created above:
+6. Patch Subproject with the legal tag you created above. Recall that the format of the legal tag will be prefixed with the Microsoft Energy Data Services instance name and data partition name, so it looks like `<instancename>`-`<datapartitionname>`-`<legaltagname>`.
```bash curl --location --request PATCH '<url>/seistore-svc/api/v3/subproject/tenant/<data-partition>/subproject/<subproject-name>' \
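Review bot: the legal tag format in the new step 6 sentence is written as three code spans joined by hyphens (`<instancename>`-`<datapartitionname>`-`<legaltagname>`), which renders with literal backticks around each token; use one code span, `<instancename>-<datapartitionname>-<legaltagname>`, and apply the same fix where the identical sentence is repeated in the step 10 bullet about `prepare-records.sh`. Since this change states the format in two places, consider keeping it once and referring back to it.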
Seismic data stored in industry standard SEG-Y format can be converted to ZGY fo
}' ```
- > [!NOTE]
- > Recall that the format of the legal tag will be prefixed with the Microsoft Energy Data Services instance name and data partition name, so it looks like `<instancename>`-`<datapartitionname>`-`<legaltagname>`.
-
-7. Open the [sdutil](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable) codebase and edit the `config.yaml` at the root. Update this config to:
+7. Open the [sdutil](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable) codebase and edit the `config.yaml` at the root. Replace the contents of this config file with the following yaml. See [How to generate a refresh token](how-to-generate-refresh-token.md) to generate the required refresh token. Once you've generated the token, store it in a place where you'll be able to access it in the future.
```yaml seistore:
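Review bot: the new step 7 text directs readers to put the refresh token into `config.yaml` at the root of the cloned sdutil repository, which leaves a long-lived credential sitting in a git working tree; the step should say not to commit that file (or to keep the token in a file git ignores), and the advice to "store it in a place where you'll be able to access it in the future" should point at a secrets store rather than the checkout. The same refresh-token sentence is also added to steps 1 and 8 in this change; one authoritative mention with a link is enough.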
Seismic data stored in industry standard SEG-Y format can be converted to ZGY fo
empty: none ```
- > [!NOTE]
- > See [How to generate a refresh token](how-to-generate-refresh-token.md). Once you've generated the token, store it in a place where you'll be able to access it in the future.
-
-8. Run the following commands using **sdutil** to see its working fine. Follow the directions in [Setup and Usage for Azure env](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable#setup-and-usage-for-azure-env). Understand that depending on your OS and Python version, you may have to run `python3` command as opposed to `python`. If you run into errors with these commands, refer to the [SDUTIL tutorial](/azure/energy-data-services/tutorial-seismic-ddms-sdutil).
+8. Run the following commands using **sdutil** to see its working fine. Follow the directions in [Setup and Usage for Azure env](https://community.opengroup.org/osdu/platform/domain-data-mgmt-services/seismic/seismic-dms-suite/seismic-store-sdutil/-/tree/azure/stable#setup-and-usage-for-azure-env). Understand that depending on your OS and Python version, you may have to run `python3` command as opposed to `python`. If you run into errors with these commands, refer to the [SDUTIL tutorial](/tutorials/tutorial-seismic-ddms-sdutil.md). See [How to generate a refresh token](how-to-generate-refresh-token.md). Once you've generated the token, store it in a place where you'll be able to access it in the future.
> [!NOTE] > when running `python sdutil config init`, you don't need to enter anything when prompted with `Insert the azure (azureGlabEnv) application key:`.
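Review bot: the SDUTIL tutorial link in the new step 8 was changed to `/tutorials/tutorial-seismic-ddms-sdutil.md`, which does not follow the sibling-file link style used elsewhere on this page (`how-to-generate-refresh-token.md`, `how-to-manage-users.md`) and looks like a path that will not resolve; verify it in the docs build. Also, "to see its working fine" should read "to confirm it is working", and the two refresh-token sentences appended to the end of the step duplicate the ones added to step 7 in the previous hunk.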
Seismic data stored in industry standard SEG-Y format can be converted to ZGY fo
10. Create the manifest file (otherwise known as the records file)
- ZGY conversion uses a manifest file that you'll upload to your storage account in order to run the conversion. This manifest file is created by using multiple JSON files and running a script. The JSON files for this process are stored [here](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion/-/tree/master/doc/sample-records/volve). For more information on Volve, where the dataset definitions come from, visit [their website](https://www.equinor.com/energy/volve-data-sharing). Complete the following steps in order to create the manifest file:
+ ZGY conversion uses a manifest file that you'll upload to your storage account in order to run the conversion. This manifest file is created by using multiple JSON files and running a script. The JSON files for this process are stored [here](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion/-/tree/master/doc/sample-records/volve). For more information on Volve, such as where the dataset definitions come from, visit [their website](https://www.equinor.com/en/what-we-do/digitalisation-in-our-dna/volve-field-data-village-download.html). Complete the following steps in order to create the manifest file:
* Clone the [repo](https://community.opengroup.org/osdu/platform/data-flow/ingestion/segy-to-zgy-conversion/-/tree/master/) and navigate to the folder doc/sample-records/volve
- * Edit the values in the `prepare-records.sh` bash script:
+ * Edit the values in the `prepare-records.sh` bash script. Recall that the format of the legal tag will be prefixed with the Microsoft Energy Data Services instance name and data partition name, so it looks like `<instancename>`-`<datapartitionname>`-`<legaltagname>`.
* `DATA_PARTITION_ID=<your-partition-id>` * `ACL_OWNER=data.default.owners@<your-partition-id>.<your-tenant>.com` * `ACL_VIEWER=data.default.viewers@<your-partition-id>.<your-tenant>.com` * `LEGAL_TAG=<legal-tag-created-above>`
- > [!NOTE]
- > Recall that the format of the legal tag will be prefixed with the Microsoft Energy Data Services instance name and data partition name, so it looks like `<instancename>`-`<datapartitionname>`-`<legaltagname>`.
+ * Run the `prepare-records.sh` script.
* The output will be a JSON array with all objects and will be saved in the `all_records.json` file. * Save the `filecollection_segy_id` and the `work_product_id` values in that JSON file to use in the conversion step. That way the converter knows where to look for this contents of your `all_records.json`.
-11. Insert the contents of your `all_records.json` file in storage for work-product, seismic trace data, seismic grid, and file collection (that is, copy and paste the contents of that file to the `--data-raw` field in the following command):
+11. Insert the contents of your `all_records.json` file in storage for work-product, seismic trace data, seismic grid, and file collection. In other words, copy and paste the contents of that file to the `--data-raw` field in the following command. If the above steps have produced two sets, you can run this command twice, using each set once.
```bash curl --location --request PUT '<url>/api/storage/v2/records' \
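Review bot: "If the above steps have produced two sets, you can run this command twice, using each set once" in the new step 11 never says what a "set" is; state that it refers to the `filecollection_segy_id`/`work_product_id` pair saved from `all_records.json`, or remove the sentence. In step 10, "where to look for this contents of your `all_records.json`" should read "the contents". The four variable bullets (DATA_PARTITION_ID, ACL_OWNER, ACL_VIEWER, LEGAL_TAG) appear on a single line here; confirm they are separate list items in the source so they render as a list.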
event-grid Cloud Event Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/cloud-event-schema.md
Title: CloudEvents v1.0 schema with Azure Event Grid
description: Describes how to use the CloudEvents v1.0 schema for events in Azure Event Grid. The service supports events in the JSON implementation of Cloud Events. Previously updated : 07/22/2021 Last updated : 11/03/2022 # CloudEvents v1.0 schema with Azure Event Grid
This article describes CloudEvents schema with Event Grid.
## Sample event using CloudEvents schema
-Here is an example of an Azure Blob Storage event in CloudEvents format:
+Here is an example of an Azure Blob Storage event in the CloudEvents format:
```json {
event-grid Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/policy-reference.md
Title: Built-in policy definitions for Azure Event Grid description: Lists Azure Policy built-in policy definitions for Azure Event Grid. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
event-grid Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Event Grid description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Grid. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
event-hubs Event Hubs Kafka Connect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-kafka-connect-tutorial.md
Title: Integrate with Apache Kafka Connect- Azure Event Hubs | Microsoft Docs description: This article provides information on how to use Kafka Connect with Azure Event Hubs for Kafka. Previously updated : 01/06/2021 Last updated : 11/03/2022
-# Integrate Apache Kafka Connect support on Azure Event Hubs
+# Integrate Apache Kafka Connect support on Azure Event Hubs (Preview)
[Apache Kafka Connect](https://kafka.apache.org/documentation/#connect) is a framework to connect and import/export data from/to any external system such as MySQL, HDFS, and file system through a Kafka cluster. This tutorial walks you through using Kafka Connect framework with Event Hubs.
+> [!NOTE]
+> This feature is currently in Preview.
+ > [!WARNING] > Use of the Apache Kafka Connect framework and its connectors is **not eligible for product support through Microsoft Azure**. >
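Review bot: "(Preview)" is added to the H1 and a NOTE stating the feature is in Preview is added directly below it, but the `Title:` metadata line above ("Integrate with Apache Kafka Connect- Azure Event Hubs | Microsoft Docs") is unchanged; update it to match so search results and the browser title carry the preview status. The new NOTE and the existing WARNING (no product support for the Kafka Connect framework and its connectors) could be merged into one callout so the preview and support caveats are read together.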
event-hubs Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/policy-reference.md
Title: Built-in policy definitions for Azure Event Hubs description: Lists Azure Policy built-in policy definitions for Azure Event Hubs. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/12/2022 Last updated : 11/04/2022
event-hubs Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Event Hubs description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Hubs. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/12/2022 Last updated : 11/04/2022
expressroute Expressroute About Virtual Network Gateways https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-about-virtual-network-gateways.md
For all other downgrade scenarios, you'll need to delete and recreate the gatewa
The following table shows the features supported across each gateway type.
-|**Gateway SKU**|**VPN Gateway and ExpressRoute coexistence**|**FastPath**|**Max Number of Circuit Connections**|
+|Gateway SKU|VPN Gateway and ExpressRoute coexistence|FastPath|Max Number of Circuit Connections|
| | | | | |**Standard SKU/ERGw1Az**|Yes|No|4| |**High Perf SKU/ERGw2Az**|Yes|No|8 |**Ultra Performance SKU/ErGw3Az**|Yes|Yes|16
-### <a name="aggthroughput"></a>Estimated performances by gateway SKU
-
-The following table shows the gateway types and the estimated performance scale numbers. These numbers are derived from the following testing conditions and represent the max support limits. Actual performance may vary, depending on how closely traffic replicates the testing conditions.
-
-### Testing conditions
-##### **Standard/ERGw1Az** #####
--- Traffic sent from on-premises: 1,000 Mega-Bits per second-- Number of routes advertises by the Gateway: 500-- Number of routes learned: 4,000
-##### **High Performance/ERGw2Az** #####
--- Traffic sent from on-premises: 2,000 Mega-Bits per second-- Number of routes advertises by the Gateway: 500-- Number of routes learned: 9,500
-##### **Ultra Performance/ErGw3Az** #####
--- Traffic sent from on-premises: 10,000 Mega-Bits per second-- Number of routes advertises by the Gateway: 500-- Number of routes learned: 9,500-
- This table applies to both the Resource Manager and classic deployment models.
-
-|**Gateway SKU**|**Connections per second**|**Mega-Bits per second**|**Packets per second**|**Supported number of VMs in the Virtual Network**|
-| | | | | |
-|**Standard/ERGw1Az**|7,000|1,000|100,000|2,000|
-|**High Performance/ERGw2Az**|14,000|2,000|250,000|4,500|
-|**Ultra Performance/ErGw3Az**|16,000|10,000|1,000,000|11,000|
-
-> [!IMPORTANT]
-> * Application performance depends on multiple factors, such as the end-to-end latency, and the number of traffic flows the application opens. The numbers in the table represent the upper limit that the application can theoretically achieve in an ideal environment. Additionally, Microsoft performs routine host and OS maintenance on the ExpressRoute Virtual Network Gateway, to maintain reliability of the service. During a maintenance period, control plane and data path capacity of the gateway is reduced.
-> * During a maintenance period, you may experience intermittent connectivity issues to private endpoint resources.
- >[!NOTE] > The maximum number of ExpressRoute circuits from the same peering location that can connect to the same virtual network is 4 for all gateways. >
+### <a name="aggthroughput"></a>Estimated performances by gateway SKU
++ ## <a name="gwsub"></a>Gateway subnet Before you create an ExpressRoute gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required ExpressRoute gateway settings. Never deploy anything else into the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know to deploy the virtual network gateway VMs and services into this subnet.
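Review bot: the hunk removes the testing conditions, the per-SKU performance table and the IMPORTANT callout but re-adds the "Estimated performances by gateway SKU" heading (with its `aggthroughput` anchor) with nothing beneath it, so the section now renders empty immediately before "Gateway subnet"; either remove the heading too or keep a sentence pointing to where the figures now live, and check for inbound links to the `aggthroughput` anchor. The removed IMPORTANT callout also carried the operational caveat that control-plane and data-path capacity is reduced during Microsoft host/OS maintenance and that private endpoint connectivity may be intermittent then; if the numbers are being withdrawn, that maintenance caveat still matters for capacity planning and is worth keeping somewhere on the page.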
frontdoor Troubleshoot Compression https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/troubleshoot-compression.md
There are several possible causes, including:
## Troubleshooting steps > [!TIP]
-> As with deploying new endpoints, Azure Front Door configuration changes take some time to propagate through the network. Usually, changes are applied within 90 minutes. If this is the first time you've set up compression for your CDN endpoint, you should consider waiting 1-2 hours to be sure the compression settings have propagated to the POPs.
+> As with deploying new endpoints, Azure Front Door configuration changes take some time to propagate through the network. Usually, changes are applied within 10 minutes. If this is the first time you've set up compression for your CDN endpoint, you should consider waiting 1-2 hours to be sure the compression settings have propagated to the POPs.
> ### Verify the request
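Review bot: the TIP changes the propagation time from 90 minutes to 10 minutes, but the following sentence still advises waiting 1-2 hours after first enabling compression "to be sure the compression settings have propagated to the POPs"; with a 10-minute propagation time that guidance is hard to justify, so either shorten the waiting period or explain why first-time compression setup takes longer than other configuration changes. This article sits under frontdoor/standard-premium yet the sentence says "your CDN endpoint"; use Front Door terminology.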
governance Exemption Structure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/concepts/exemption-structure.md
Title: Details of the policy exemption structure description: Describes the policy exemption definition used by Azure Policy to exempt resources from evaluation of initiatives or definitions. Previously updated : 07/09/2022 Last updated : 11/03/2022
see [Understand scope in Azure Policy](./scope.md). Azure Policy exemptions only
[Resource Manager modes](./definition-structure.md#resource-manager-modes) and don't work with [Resource Provider modes](./definition-structure.md#resource-provider-modes).
+> [!NOTE]
+> By design, Azure Policy exempts all resources under the `Microsoft.Resources` resource provider (RP) from
+policy evaluation with the exception of subscriptions and resource groups, which can be evaluated.
+ You use JavaScript Object Notation (JSON) to create a policy exemption. The policy exemption contains elements for: - [display name](#display-name-and-description)
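Review bot: the second line of the new NOTE ("policy evaluation with the exception of subscriptions and resource groups, which can be evaluated.") lacks the leading `>` that the first line has. CommonMark treats it as a lazy continuation of the quoted paragraph, but the docs convention in this same update (see the WARNING in the Event Hubs Kafka Connect article, where every line carries `>`) is to prefix every line, and renderers or linters that do not apply lazy continuation will end the callout after "(RP) from"; add the `>` prefix.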
governance Get Compliance Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/how-to/get-compliance-data.md
Title: Get policy compliance data description: Azure Policy evaluations and effects determine compliance. Learn how to get the compliance details of your Azure resources. Previously updated : 11/02/2022 Last updated : 11/03/2022
Evaluations of assigned policies and initiatives happen as the result of various
compliant status information for the individual resource becomes available in the portal and SDKs around 15 minutes later. This event doesn't cause an evaluation of other resources. -- A subscription (resource type `Microsoft.Resource/subscriptions`) is created or moved within a
+- A subscription (resource type `Microsoft.Resources/subscriptions`) is created or moved within a
[management group hierarchy](../../management-groups/overview.md) with an assigned policy definition targeting the subscription resource type. Evaluation of the subscription supported effects (audit, auditIfNotExist, deployIfNotExists, modify), logging, and any remediation actions
Evaluations of assigned policies and initiatives happen as the result of various
- On-demand scan
+> [!NOTE]
+> By design, Azure Policy exempts all resources under the `Microsoft.Resources` resource provider (RP) from
+policy evaluation with the exception of subscriptions and resource groups, which can be evaluated.
+ ### On-demand evaluation scan An evaluation scan for a subscription or a resource group can be started with Azure CLI, Azure
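Review bot: the second line of the new NOTE ("policy evaluation with the exception of subscriptions and resource groups, which can be evaluated.") is missing the leading `>` present on the first line; prefix it so the callout is not dependent on lazy continuation and renders the same way in every tool. The preceding hunk's change from `Microsoft.Resource/subscriptions` to `Microsoft.Resources/subscriptions` matches the provider name used in this note, so the two hunks are consistent.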
governance NZ_ISM_Restricted_V3_5 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/NZ_ISM_Restricted_v3_5.md
Title: Regulatory Compliance details for NZ ISM Restricted v3.5 description: Details of the NZ ISM Restricted v3.5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 10/12/2022 Last updated : 11/04/2022
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) | ## Gateway security
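Review bot: the updated descriptions for the two TLS policies (version 2.0.0 to 2.0.1) contain the ungrammatical clause "newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed"; because this page is generated from the policy definitions, the wording should be fixed in AppService_RequireLatestTls_WebApp_Audit.json and AppService_RequireLatestTls_FunctionApp_Audit.json in the azure-policy repository (for example, "to address security flaws, add functionality, or improve performance") and the page regenerated, rather than edited here.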
initiative definition.
|[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) | |[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Guest Configuration extension should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae89ebca-1c92-4898-ac2c-9f63decb045c) |To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) |
-|[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |
-|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |
-|[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) |
-|[Kubernetes clusters should be accessible only over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc) |audit, Audit, deny, Deny, disabled, Disabled |[8.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |
-|[Kubernetes clusters should disable automounting API credentials](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F423dd1ba-798e-40e4-9c4d-b6902674b423) |Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json) |
-|[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[7.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) |
-|[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) |
-|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) |
+|[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |
+|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |
+|[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) |
+|[Kubernetes clusters should be accessible only over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc) |audit, Audit, deny, Deny, disabled, Disabled |[8.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |
+|[Kubernetes clusters should disable automounting API credentials](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F423dd1ba-798e-40e4-9c4d-b6902674b423) |Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json) |
+|[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[7.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) |
+|[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) |
+|[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) |
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | |[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) | |[Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd26f7642-7545-4e18-9b75-8c9bbdee3a9a) |The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol) |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) |
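Review bot: every Kubernetes row in this block moves only the patch version (5.0.0 to 5.0.1, 6.0.0 to 6.0.1, 9.0.0 to 9.0.1, 8.0.0 to 8.0.1, 4.0.0 to 4.0.1, 7.0.0 to 7.0.1) while the description, effects and portal definition ID are unchanged, so nothing on the page tells the reader what changed in the rule; and because every Version cell links to `/blob/master/...`, the link shows whatever is at the branch head rather than the version printed in the cell, so the number cannot be verified from the link either. Consider linking the commit that introduced each version, or adding a one-line entry in the change history. Two smaller points in the same rows: the HTTPS ingress row ends with "For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc)" and no period, where the neighbouring rows use "For more information, see ...", and "Do not allow privileged containers creation" should read "Do not allow privileged container creation".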
initiative definition.
|[App Service apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) | |[App Service apps should have authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95bccee9-a7f8-4bec-9ee9-62c3473701fc) |Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c122334-9d20-4eb8-89ea-ac9a705b74ae) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json) |
+|[App Service apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c122334-9d20-4eb8-89ea-ac9a705b74ae) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json) |
|[App Service apps that use Java should use the latest 'Java version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) | |[App Service apps that use PHP should use the latest 'PHP version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) | |[App Service apps that use Python should use the latest 'Python version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. 
Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) | |[Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) | |[Function apps should have authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc75248c1-ea1d-4a9c-8fc9-29a6aabd5da8) |Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Authentication_functionapp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. 
Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
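Review bot: removing "Currently, this policy only applies to Linux web apps." from the 'HTTP Version' row alongside the 3.0.0 to 4.0.0 bump reads as a scope change (Windows web apps now evaluated), but the Java, PHP and Python rows directly below still say "Currently, this policy only applies to Linux apps." / "This policy only applies to Linux apps.", so a reader cannot tell whether those were left behind deliberately. Suggest stating the new scope explicitly in the description rather than deleting the sentence silently. The HTTPS row in the same block goes 3.0.0 to 4.0.0 with a byte-identical description and effects, so that bump is likewise unexplained on the page; style point there: the effects cell reads `Audit, Disabled, Deny` while the other rows in this set order them `Audit, Deny, Disabled` or `AuditIfNotExists, Disabled`, so the order should be normalised.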
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) |
+|[Function apps should use latest 'HTTP Version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) |
|[Function apps that use Java should use the latest 'Java version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | |[Function apps that use Python should use the latest 'Python version'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps since Python is not supported on Windows apps. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) |
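Review bot: same scope question as for the web-app rows: the Function apps 'HTTP Version' row loses "Currently, this policy only applies to Linux apps." with the 3.0.0 to 4.0.0 bump, yet the Java row that follows keeps "Currently, this policy only applies to Linux apps." and the Python row says "This policy only applies to Linux apps since Python is not supported on Windows apps." The Python wording is self-explaining; the Java wording now reads as a temporary limitation that the HTTP Version policy has outgrown, so it should either be updated or state why Java on Windows Function apps is still out of scope. The Function apps HTTPS row (4.0.0 to 5.0.0) again changes nothing in the visible description or effects, and carries the same `Audit, Disabled, Deny` ordering noted above.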
governance Pciv3_2_1_2018_Audit Pci Dss 3 2 1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/PCIv3_2_1_2018_audit.md pci-dss-3-2-1.md
+
+ Title: Regulatory Compliance details for PCI v3.2.1:2018 PCI DSS 3.2.1
+description: Details of the PCI v3.2.1:2018 PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Last updated : 11/04/2022+++
+# Details of the PCI v3.2.1:2018 PCI DSS 3.2.1 Regulatory Compliance built-in initiative
+
+The following article details how the Azure Policy Regulatory Compliance built-in initiative
+definition maps to **compliance domains** and **controls** in PCI v3.2.1:2018 PCI DSS 3.2.1.
+For more information about this compliance standard, see
+[PCI v3.2.1:2018 PCI DSS 3.2.1](https://www.commerce.uwo.ca/pdf/PCI_DSS_v3-2-1.pdf https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf). To understand
+_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
+[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
+
+The following mappings are to the **PCI v3.2.1:2018 PCI DSS 3.2.1** controls. Use the
+navigation on the right to jump directly to a specific **compliance domain**. Many of the controls
+are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
+initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
+Then, find and select the **PCI v3.2.1:2018** Regulatory Compliance built-in
+initiative definition.
+
+> [!IMPORTANT]
+> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
+> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
+> control; however, there often is not a one-to-one or complete match between a control and one or
+> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
+> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
+> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
+> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
+> overall compliance status. The associations between compliance domains, controls, and Azure Policy
+> definitions for this compliance standard may change over time. To view the change history, see the
+> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/ Regulatory%20Compliance/PCIv3_2_1_2018_audit.json PCIv3_2_1_2018_audit.json).
+
+## Requirement 1
+
+### PCI DSS requirement 1.3.2
+
+**ID**: PCI DSS v3.2.1 1.3.2
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
+|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
+
+### PCI DSS requirement 1.3.4
+
+**ID**: PCI DSS v3.2.1 1.3.4
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
+|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
+
+### PCI DSS requirement 1.3.4
+
+**ID**: PCI DSS v3.2.1 1.3.4
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) |
+|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) |
+
+## Requirement 10
+
+### PCI DSS requirement 10.5.4
+
+**ID**: PCI DSS v3.2.1 10.5.4
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) |
+|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) |
+
+## Requirement 11
+
+### PCI DSS requirement 11.2.1
+
+**ID**: PCI DSS v3.2.1 11.2.1
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+
+## Requirement 3
+
+### PCI DSS requirement 3.2
+
+**ID**: PCI DSS v3.2.1 3.2
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
+|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+|[MFA should be enabled for accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+
+### PCI DSS requirement 3.4
+
+**ID**: PCI DSS v3.2.1 3.4
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
+|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
+|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
+
+## Requirement 4
+
+### PCI DSS requirement 4.1
+
+**ID**: PCI DSS v3.2.1 4.1
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
+|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
+|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
+
+## Requirement 5
+
+### PCI DSS requirement 5.1
+
+**ID**: PCI DSS v3.2.1 5.1
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+
+## Requirement 6
+
+### PCI DSS requirement 6.2
+
+**ID**: PCI DSS v3.2.1 6.2
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+
+### PCI DSS requirement 6.5.3
+
+**ID**: PCI DSS v3.2.1 6.5.3
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
+|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
+|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
+|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](https://aka.ms/diskencryptioncomparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
+
+### PCI DSS requirement 6.6
+
+**ID**: PCI DSS v3.2.1 6.6
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+
+## Requirement 7
+
+### PCI DSS requirement 7.1.1
+
+**ID**: PCI DSS v3.2.1 7.1.1
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
+|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
+
+### PCI DSS requirement 7.1.2
+
+**ID**: PCI DSS v3.2.1 7.1.2
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
+|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
+
+### PCI DSS requirement 7.1.3
+
+**ID**: PCI DSS v3.2.1 7.1.3
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
+|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
+
+### PCI DSS requirement 7.2.1
+
+**ID**: PCI DSS v3.2.1 7.2.1
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
+|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+|[MFA should be enabled for accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+
+## Requirement 8
+
+### PCI DSS requirement 8.1.2
+
+**ID**: PCI DSS v3.2.1 8.1.2
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
+|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+
+### PCI DSS requirement 8.1.3
+
+**ID**: PCI DSS v3.2.1 8.1.3
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
+|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
+
+### PCI DSS requirement 8.1.5
+
+**ID**: PCI DSS v3.2.1 8.1.5
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
+|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+
+### PCI DSS requirement 8.2.3
+
+**ID**: PCI DSS v3.2.1 8.2.3
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that allow re-use of the previous 24 passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) |
+|[Audit Windows machines that do not have a maximum password age of 70 days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) |
+|[Audit Windows machines that do not restrict the minimum password length to 14 characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) |
+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
+
+### PCI DSS requirement 8.2.5
+
+**ID**: PCI DSS v3.2.1 8.2.5
+**Ownership**: customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that allow re-use of the previous 24 passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) |
+|[Audit Windows machines that do not have a maximum password age of 70 days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) |
+|[Audit Windows machines that do not restrict the minimum password length to 14 characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) |
+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
+
+### PCI DSS requirement 8.3.1
+
+**ID**: PCI DSS v3.2.1 8.3.1
+**Ownership**: shared
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
+|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+|[MFA should be enabled for accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+
+## Next steps
+
+Additional articles about Azure Policy:
+
+- [Regulatory Compliance](../concepts/regulatory-compliance.md) overview.
+- See the [initiative definition structure](../concepts/initiative-definition-structure.md).
+- Review other examples at [Azure Policy samples](./index.md).
+- Review [Understanding policy effects](../concepts/effects.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
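Review bot: the three password-policy rows in the first table (the rows for 24 remembered passwords, a 70-day maximum age and a 14-character minimum length) carry a sentence fragment in their descriptions, "Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords", and the "Audit usage of custom RBAC rules" row spells "Contributer". Both texts are copied from the description field of the linked policy definitions (GuestConfiguration_WindowsPasswordEnforce_AINE.json, GuestConfiguration_WindowsMaximumPassword_AINE.json, GuestConfiguration_WindowsPasswordLength_AINE.json and Subscription_AuditCustomRBACRoles_Audit.json), so the fix belongs in those definitions in Azure/azure-policy, not in a hand edit of this generated table, which the next regeneration would overwrite. Keeping the two "Add system-assigned managed identity" rows and the "Deploy the Windows Guest Configuration extension" row next to the three AuditIfNotExists checks, as done here, is the right choice, since the descriptions themselves say the audits only evaluate once those prerequisites are deployed to the assignment scope.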
governance RBI_ITF_Banks_V2016 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/RBI_ITF_Banks_v2016.md
Title: Regulatory Compliance details for Reserve Bank of India IT Framework for Banks v2016 description: Details of the Reserve Bank of India IT Framework for Banks v2016 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 10/12/2022 Last updated : 11/04/2022
initiative definition.
|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) | |[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
-### Authentication Framework For Customers-9.3
+### Authentication Framework For Customers-9.1
**ID**:
initiative definition.
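Review bot: the H3 is renumbered from "Authentication Framework For Customers-9.3" to "-9.1", but the `**ID**:` line directly below shows no value in this diff, so it is not visible whether the ID field was changed to the same control number; confirm that the heading and the ID agree. Renaming an H3 also changes its generated anchor, so any link that targets the old "-93" anchor, on this page or elsewhere in the docs set, needs to be updated in the same change.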
||||| |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
|[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) |Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](https://aka.ms/defender-for-dns) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[Non-internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb91dfba-c30d-4263-9add-9c2384e659a6) |Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) | |[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
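Review bot: the new description on the two "should use the latest TLS version" rows reads "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed", which is not a grammatical sentence (the "either" has no "or", and the three items are not parallel), and "and/or new functionalities" in the next sentence is awkward. Suggested wording: "Newer TLS versions are released periodically to fix security flaws, add functionality and improve performance. Upgrade to the latest TLS version to get the security fixes and new capabilities of that version." The text comes from the description field of AppService_RequireLatestTls_WebApp_Audit.json and AppService_RequireLatestTls_FunctionApp_Audit.json, so it should be corrected there so the generated doc follows.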
initiative definition.
||||| |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
|[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) |Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](https://aka.ms/defender-for-dns) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
|[Non-internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbb91dfba-c30d-4263-9add-9c2384e659a6) |Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternalVirtualMachines_Audit.json) |
|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
initiative definition.
|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
-### Authentication Framework For Customers-9.3
+### Authentication Framework For Customers-9.1
**ID**:
initiative definition.
|[App Service apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) |
|[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
|[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](/azure/security-center/security-center-endpoint-protection). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) |
|[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) |
|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) |
|[Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) |
|[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
|[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
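Review bot: the new description in the `+` row for 'App Service apps should use the latest TLS version' is not grammatically parallel: 'either due to security flaws, include additional functionality, and enhance speed' joins a prepositional phrase to two verb phrases, and the 'either' has no matching 'or'. Suggest 'Newer TLS versions are released periodically to address security flaws, add functionality, and improve speed.' The same sentence is reused in every 'should use the latest TLS version' row changed in this diff, so the wording should be corrected consistently rather than in this row alone.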
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
|[Guest Configuration extension should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae89ebca-1c92-4898-ac2c-9f63decb045c) |To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) |
|[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) |
|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
initiative definition.
|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
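Review bot: the version for 'App Service apps should only be accessible over HTTPS' moves from 3.0.0 to 4.0.0, a major bump, while the Description and Effect(s) columns in the `-` and `+` rows are identical. If the definition's effects or parameters changed, the row should reflect that change; otherwise confirm the version number against the linked JSON before merging.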
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](../../../virtual-machines/linux/create-ssh-keys-detailed.md). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |
|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
initiative definition.
|[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |
|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) |
|[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
governance Australia Ism https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md
Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 10/12/2022 Last updated : 11/04/2022
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
|[Virtual machines should be connected to a specified workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff47b5582-33ec-4c5c-87c0-b010a6b2e917) |Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) |

### Events to be logged - 1537
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
|[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | ## Guidelines for Database Systems - Database servers
initiative definition.
||||| |[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) | |[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) | ## Guidelines for Gateways - Content filtering
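Review bot: the new description in the two '+' rows for "App Service apps should use the latest TLS version" and "Function apps should use the latest TLS version" is not grammatically parallel: "either due to security flaws, include additional functionality, and enhance speed" mixes a prepositional phrase with two verb phrases, and the "either" has no matching "or". Suggest "Periodically, newer versions of TLS are released to fix security flaws, add functionality, or improve performance." The same sentence is introduced in the identical rows changed further down this page, so the fix should be applied to every copy, not just this one.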
governance Azure Security Benchmark https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md
Title: Regulatory Compliance details for Azure Security Benchmark description: Details of the Azure Security Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 10/12/2022 Last updated : 11/04/2022
initiative definition.
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | |[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
-### Deploy DDOS protection
+### Deploy firewall at the edge of enterprise network
-**ID**: Azure Security Benchmark NS-5
+**ID**: Azure Security Benchmark NS-3
**Ownership**: Shared |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
### Ensure Domain Name System (DNS) security
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
|[App Service apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json) |
-|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_WebApp_Audit.json) |
|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
-|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
|[Function apps should require FTPS only](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F399b2637-a50f-4f95-96f8-3a145476eb15) |Enable FTPS enforcement for enhanced security. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json) |
-|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
-|[Kubernetes clusters should be accessible only over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc) |audit, Audit, deny, Deny, disabled, Disabled |[8.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |
+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
+|[Kubernetes clusters should be accessible only over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc) |audit, Audit, deny, Deny, disabled, Disabled |[8.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |
|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | |[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). 
TLS secures communications over a network by using security certificates to encrypt a connection between machines. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[\[Preview\]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b2122c1-8120-4ff5-801b-17625a355590) |The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ArcPolicyExtension_Audit.json) |
-|[\[Preview\]: Kubernetes clusters should gate deployment of vulnerable images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759) |Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. |Audit, Deny, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockVulnerableImages.json) |
+|[\[Preview\]: Kubernetes clusters should gate deployment of vulnerable images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759) |Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. |Audit, Deny, Disabled |[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockVulnerableImages.json) |
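Review bot: since this row is being touched for the 2.0.0-preview to 2.0.1-preview bump, fix the inconsistent capitalization carried over in the description: "Azure defender for container registries" should read "Azure Defender for container registries" to match "Azure Defender CI/CD scanning" earlier in the same sentence.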
|[App Service apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) | |[App Service apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) | |[App Service apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
initiative definition.
|[Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. |Audit, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) | |[Function apps should have remote debugging turned off](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) | |[Function apps should not have CORS configured to allow every resource to access your apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
-|[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) |
-|[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |
-|[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) |
-|[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[6.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |
-|[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, Audit, deny, Deny, disabled, Disabled |[9.0.0](https://github.com/Azur
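Review bot: this hunk removes five Kubernetes cluster rows (CPU and memory resource limits, host process ID or host IPC namespace, allowed AppArmor profiles, allowed capabilities, allowed images) and no replacement '+' rows appear within the visible part of the hunk, whereas every other removal on this page is paired with a re-added row carrying a bumped version. The last removed row is cut off mid-URL, so confirm that the corresponding '+' rows follow; otherwise this control loses its Kubernetes policy mappings.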