Updates from: 12/23/2020 13:30:20
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/conditional-access-exclusion.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: conceptual ms.subservice: compliance
-ms.date: 06/17/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: mwahl ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/deploy-access-reviews.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 08/14/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: markwahl-msft ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-requests https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-access-package-requests.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/18/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: ms.collection: M365-identity-device-management
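Review bot: `ms.reviewer:` is empty in the trailing metadata line of this hunk, so the article has no named technical reviewer even though `ms.date` is being moved to 12/23/2020. Since the front matter is already being edited, fill in the reviewer alias or drop the key.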
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-catalog-create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-catalog-create.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/18/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: hanki ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-delegate.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: conceptual ms.subservice: compliance
-ms.date: 07/22/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: mwahl ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-external-users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-external-users.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/18/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: mwahl ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-logs-and-reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/17/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-process https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-process.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: conceptual ms.subservice: compliance
-ms.date: 03/22/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: mamkumar ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-reports.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/18/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: jocastel ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-troubleshoot.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: troubleshooting ms.subservice: compliance
-ms.date: 06/17/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: markwahl-msft ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/manage-guest-access-with-access-reviews.md
@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: conceptual ms.subservice: compliance
-ms.date: 07/22/2020
+ms.date: 12/23/2020
ms.author: barclayn ms.reviewer: mwahl ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/perform-access-review https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/perform-access-review.md
@@ -11,7 +11,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/17/2020
+ms.date: 12/22/2020
ms.author: barclayn ms.reviewer: mwahl ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/governance/review-your-access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/review-your-access.md
@@ -11,7 +11,7 @@ ms.tgt_pltfrm: na
ms.devlang: na ms.topic: how-to ms.subservice: compliance
-ms.date: 06/17/2020
+ms.date: 12/22/2020
ms.author: barclayn ms.reviewer: mwahl ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/yello-enterprise-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yello-enterprise-tutorial.md new file mode 100644
@@ -0,0 +1,144 @@
+---
+title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Yello Enterprise | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Yello Enterprise.
+services: active-directory
+author: jeevansd
+manager: CelesteDG
+ms.reviewer: CelesteDG
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 12/21/2020
+ms.author: jeedes
+
+---
+
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Yello Enterprise
+
+In this tutorial, you'll learn how to integrate Yello Enterprise with Azure Active Directory (Azure AD). When you integrate Yello Enterprise with Azure AD, you can:
+
+* Control in Azure AD who has access to Yello Enterprise.
+* Enable your users to be automatically signed-in to Yello Enterprise with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Yello Enterprise single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Yello Enterprise supports **IDP** initiated SSO
+
+## Adding Yello Enterprise from the gallery
+
+To configure the integration of Yello Enterprise into Azure AD, you need to add Yello Enterprise from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Yello Enterprise** in the search box.
+1. Select **Yello Enterprise** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Yello Enterprise
+
+Configure and test Azure AD SSO with Yello Enterprise using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Yello Enterprise.
+
+To configure and test Azure AD SSO with Yello Enterprise, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Yello Enterprise SSO](#configure-yello-enterprise-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Yello Enterprise test user](#create-yello-enterprise-test-user)** - to have a counterpart of B.Simon in Yello Enterprise that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Yello Enterprise** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ In the **Identifier** text box, type a URL using the following pattern:
+ `https://www.yello.co/<IDP_NAME>`
+
+ > [!NOTE]
+ > This value is not real. Update the value with the actual Identifier. Contact [Yello Enterprise Client support team](mailto:support@yello.co) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Yello Enterprise application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Yello Enterprise application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | ------------ | --------- |
+ | Employee ID | user.employeeid |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Yello Enterprise** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Yello Enterprise.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Yello Enterprise**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Yello Enterprise SSO
+
+To configure single sign-on on **Yello Enterprise** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Yello Enterprise support team](mailto:support@yello.co). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Yello Enterprise test user
+
+In this section, you create a user called Britta Simon in Yello Enterprise. Work with [Yello Enterprise support team](mailto:support@yello.co) to add the users in the Yello Enterprise platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the Yello Enterprise for which you set up the SSO
+
+* You can use Microsoft My Apps. When you click the Yello Enterprise tile in the My Apps, you should be automatically signed in to the Yello Enterprise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Yello Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
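Review bot: The test identity is named inconsistently: the Azure AD sections create and assign `B.Simon`, but "Create Yello Enterprise test user" tells the reader to create "Britta Simon", which obscures that the two accounts must be the same linked user. Use one name throughout. In the **SAML Signing Certificate** step, "download the certificate" describes the **Federation Metadata XML**; call it the metadata file so readers do not look for a separate certificate download. The attribute table lists only `Employee ID | user.employeeid` as an extra claim Yello Enterprise expects, yet nothing says which claim links the Azure AD user to the Yello Enterprise account; state that explicitly, since it decides which account a sign-in lands in. In "Next steps", "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration", and the apostrophe in "organization's" is mis-encoded.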
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-rabbitmq-output https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-rabbitmq-output.md
@@ -13,7 +13,7 @@ ms.custom:
# RabbitMQ output binding for Azure Functions overview > [!NOTE]
-> The RabbitMQ bindings are only fully supported on **Windows Premium and Dedicated** plans. Consumption and Linux are currently not supported.
+> The RabbitMQ bindings are only fully supported on **Premium and Dedicated** plans. Consumption is not supported.
Use the RabbitMQ output binding to send messages to a RabbitMQ queue.
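Review bot: The rewritten note drops the explicit statement about Linux, so a reader can no longer tell from "only fully supported on **Premium and Dedicated** plans" whether Linux hosting is now supported or simply no longer mentioned. If both operating systems are supported on those plans, say so directly, and replace "only fully supported" with a plain "supported" unless there is a partially supported configuration worth naming.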
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-rabbitmq-trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-rabbitmq-trigger.md
@@ -13,7 +13,7 @@ ms.custom:
# RabbitMQ trigger for Azure Functions overview > [!NOTE]
-> The RabbitMQ bindings are only fully supported on **Windows Premium and Dedicated** plans. Consumption and Linux are currently not supported.
+> The RabbitMQ bindings are only fully supported on **Premium and Dedicated** plans. Consumption is not supported.
Use the RabbitMQ trigger to respond to messages from a RabbitMQ queue.
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-rabbitmq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-rabbitmq.md
@@ -13,7 +13,7 @@ ms.custom:
# RabbitMQ bindings for Azure Functions overview > [!NOTE]
-> The RabbitMQ bindings are only fully supported on **Windows Premium and Dedicated** plans. Consumption and Linux are currently not supported.
+> The RabbitMQ bindings are only fully supported on **Premium and Dedicated** plans. Consumption is not supported.
Azure Functions integrates with [RabbitMQ](https://www.rabbitmq.com/) via [triggers and bindings](./functions-triggers-bindings.md). The Azure Functions RabbitMQ extension allows you to send and receive messages using the RabbitMQ API with Functions.
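Review bot: This is the third copy of the same `[!NOTE]` text in this batch (output binding, trigger and overview articles), and all three had to be edited by hand to stay in sync. Move the support statement into a shared include referenced from each article so the next plan or OS change is made once.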
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md
@@ -128,6 +128,20 @@ These services include:
As you prepare for migrating SQL Server databases to SQL Server on Azure VMs, be sure to consider the versions of SQL Server that are supported. For a list of current supported SQL Server versions on Azure VMs, please see [SQL Server on Azure VMs](../../virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview.md#get-started-with-sql-server-vms).
+## Migration assets
+
+For additional assistance, see the following resources that were developed for real world migration projects.
+
+|Asset |Description |
+|---------|---------|
+|[Data workload assessment model and tool](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/Data%20Workload%20Assessment%20Model%20and%20Tool)| This tool provides suggested "best fit" target platforms, cloud readiness, and application/database remediation level for a given workload. It offers simple, one-click calculation and report generation that helps to accelerate large estate assessments by providing and automated and uniform target platform decision process.|
+|[Perfmon data collection automation using Logman](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/Perfmon%20Data%20Collection%20Automation%20Using%20Logman)|A tool that collects Perform data to understand baseline performance that assists in the migration target recommendation. This tool that uses logman.exe to create the command that will create, start, stop, and delete performance counters set on a remote SQL Server.|
+|[SQL Server Deployment in Azure](https://github.com/microsoft/DataMigrationTeam/blob/master/Whitepapers/SQL%20Server%20Deployment%20in%20Azure%20.pdf)|This guidance whitepaper assists in reviewing various options to move your SQL Server workloads to Azure including feature comparison, high availability and backup / storage considerations. |
+|[On-Premise SQL Server to Azure virtual machine](https://github.com/microsoft/DataMigrationTeam/blob/master/Whitepapers/OnPremise%20SQL%20Server%20to%20Azure%20VM.pdf)|This whitepaper outlines the steps to backup and restore databases from on-premises SQL Server to SQL Server on Azure virtual machine using sample scripts.|
+|[Multiple-SQL-VM-VNet-ILB](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/ARM%20Templates/Multiple-SQL-VM-VNet-ILB)|This whitepaper outlines the steps to setup multiple Azure virtual machines in a SQL Server Always On Availability Group configuration.|
+|[Azure virtual machines supporting Ultra SSD per Region](https://github.com/microsoft/DataMigrationTeam/tree/master/IP%20and%20Scripts/Find%20Azure%20VMs%20supporting%20Ultra%20SSD)|These PowerShell scripts provide a programmatic option to retrieve the list of regions that support Azure virtual machines supporting Ultra SSDs.|
+
+These resources were developed as part of the Data SQL Ninja Program, which is sponsored by the Azure Data Group engineering team. The core charter of the Data SQL Ninja program is to unblock and accelerate complex modernization and compete data platform migration opportunities to Microsoft's Azure Data platform. If you think your organization would be interested in participating in the Data SQL Ninja program, please contact your account team and ask them to submit a nomination.
## Next steps
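Review bot: The new "Migration assets" table has several copy errors that change meaning: "providing and automated" should be "providing an automated", "collects Perform data" should be "collects Perfmon data", "This tool that uses logman.exe" is not a sentence, and "compete data platform migration" in the closing paragraph reads as a leftover internal term. The Multiple-SQL-VM-VNet-ILB row is described as "This whitepaper" but links to an `ARM Templates` folder, so describe it as a template. Every link also targets the `master` branch of microsoft/DataMigrationTeam, so readers who run those scripts get whatever is on that branch at the time; say so, or link to a fixed revision.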
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-arm-restore-vms.md
@@ -17,7 +17,7 @@ Azure Backup provides a number of ways to restore a VM.
--- | --- **Create a new VM** | Quickly creates and gets a basic VM up and running from a restore point.<br/><br/> You can specify a name for the VM, select the resource group and virtual network (VNet) in which it will be placed, and specify a storage account for the restored VM. The new VM must be created in the same region as the source VM.<br><br>If a VM restore fails because an Azure VM SKU wasn't available in the specified region of Azure, or because of any other issues, Azure Backup still restores the disks in the specified resource group. **Restore disk** | Restores a VM disk, which can then be used to create a new VM.<br/><br/> Azure Backup provides a template to help you customize and create a VM. <br/><br> The restore job generates a template that you can download and use to specify custom VM settings, and create a VM.<br/><br/> The disks are copied to the Resource Group you specify.<br/><br/> Alternatively, you can attach the disk to an existing VM, or create a new VM using PowerShell.<br/><br/> This option is useful if you want to customize the VM, add configuration settings that weren't there at the time of backup, or add settings that must be configured using the template or PowerShell.
-**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.<br/><br/> The snapshot is copied to the vault, and retained in accordance with the retention policy. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs, including VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's unsupported for classic VMs.<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is not supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) or [Key Vault](../key-vault/general/overview.md).
+**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.<br/><br/> The snapshot is copied to the vault, and retained in accordance with the retention policy. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs, including VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's unsupported for classic VMs.<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is also supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) or [Key Vault](../key-vault/general/overview.md).
**Cross Region (secondary region)** | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an [Azure paired region](../best-practices-availability-paired-regions.md#what-are-paired-regions).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> This feature is available for the options below:<br> <li> [Create a VM](#create-a-vm) <br> <li> [Restore Disks](#restore-disks) <br><br> We don't currently support the [Replace existing disks](#replace-existing-disks) option.<br><br> Permissions<br> The restore operation on secondary region can be performed by Backup Admins and App admins. > [!NOTE]
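Review bot: The last sentence of the **Replace existing** cell flips from "is not supported" to "is also supported" for VMs with a user-assigned managed identity or Key Vault, but the cell does not say what state those links are in after the disk swap. Add a sentence stating whether the identity assignment and Key Vault references are preserved on the VM or must be re-established, since readers will rely on this for access to secrets after a restore. While editing the cell, "more or less disks" should be "more or fewer disks".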
backup https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-support-matrix-iaas.md
@@ -96,7 +96,7 @@ Recovery points on DPM/MABS disk | 64 for file servers, and 448 for app servers.
--- | --- **Create a new VM** | Quickly creates and gets a basic VM up and running from a restore point.<br/><br/> You can specify a name for the VM, select the resource group and virtual network (VNet) in which it will be placed, and specify a storage account for the restored VM. The new VM must be created in the same region as the source VM. **Restore disk** | Restores a VM disk, which can then be used to create a new VM.<br/><br/> Azure Backup provides a template to help you customize and create a VM. <br/><br> The restore job generates a template that you can download and use to specify custom VM settings, and create a VM.<br/><br/> The disks are copied to the Resource Group you specify.<br/><br/> Alternatively, you can attach the disk to an existing VM, or create a new VM using PowerShell.<br/><br/> This option is useful if you want to customize the VM, add configuration settings that weren't there at the time of backup, or add settings that must be configured using the template or PowerShell.
-**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.<br/><br/> The snapshot is copied to the vault, and retained in accordance with the retention policy. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs and for VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's not supported for unmanaged disks and [generalized VMs](../virtual-machines/windows/capture-image-resource.md).<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is not supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) and [Key Vault](../key-vault/general/overview.md).
+**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.<br/><br/> The snapshot is copied to the vault, and retained in accordance with the retention policy. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs and for VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's not supported for unmanaged disks and [generalized VMs](../virtual-machines/windows/capture-image-resource.md).<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is also supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) and [Key Vault](../key-vault/general/overview.md).
**Cross Region (secondary region)** | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an [Azure paired region](../best-practices-availability-paired-regions.md#what-are-paired-regions).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> This feature is available for the options below:<br> <li> [Create a VM](./backup-azure-arm-restore-vms.md#create-a-vm) <br> <li> [Restore Disks](./backup-azure-arm-restore-vms.md#restore-disks) <br><br> We don't currently support the [Replace existing disks](./backup-azure-arm-restore-vms.md#replace-existing-disks) option.<br><br> Permissions<br> The restore operation on secondary region can be performed by Backup Admins and App admins. ## Support for file-level restore
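Review bot: The same support reversal is made here, but the two articles now describe **Replace existing** differently: this one says linked resources "like user-assigned managed-identity and Key Vault" and excludes unmanaged disks and generalized VMs, while backup-azure-arm-restore-vms.md says "or Key Vault" and excludes only classic VMs. Align the wording and the exclusion list across both files, or have one article link to the other, so the support matrix is stated once.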
backup https://docs.microsoft.com/en-us/azure/backup/tutorial-sap-hana-backup-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/tutorial-sap-hana-backup-cli.md
@@ -122,7 +122,7 @@ To protect and configure backup on a database, one at a time, we use the [az bac
az backup protection enable-for-azurewl --resource-group saphanaResourceGroup \ --policy-name saphanaPolicy \ --protectable-item-name "saphanadatabase;hxe;hxe" \
- --protectable-item-type SAPHANADatabse \
+ --protectable-item-type SAPHANADatabase \
--server-name hxehost \ --workload-type SAPHANA \ --output table
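Review bot: The corrected `--protectable-item-type SAPHANADatabase` line is part of a command readers copy and paste, so check the rest of this tutorial and the other SAP HANA CLI articles for the same `SAPHANADatabse` misspelling in the same pass.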
container-registry https://docs.microsoft.com/en-us/azure/container-registry/zone-redundancy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/zone-redundancy.md
@@ -20,7 +20,6 @@ Zone redundancy is a **preview** feature of the Premium container registry servi
* Zone redundancy can't be disabled in a region. * [ACR Tasks](container-registry-tasks-overview.md) doesn't yet support availability zones. * Currently supported through Azure Resource Manager templates or the Azure portal. Azure CLI support will be enabled in a future release.
-* Currently, when you move a zone-redundant container registry to another resource group, the zone redundancy setting shows as `Disabled`.
## About zone redundancy
@@ -183,4 +182,4 @@ In the command output, note the `zoneRedundancy` property for the registry and t
## Next steps * Learn more about [regions that support availability zones](../availability-zones/az-region.md).
-* Learn more about building for [reliability](/azure/architecture/framework/resiliency/overview) in Azure.
\ No newline at end of file
+* Learn more about building for [reliability](/azure/architecture/framework/resiliency/overview) in Azure.
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-protection-overview.md
@@ -28,8 +28,8 @@ Azure DDoS protection does not store customer data.
## Features - **Native platform integration:** Natively integrated into Azure. Includes configuration through the Azure portal. DDoS Protection Standard understands your resources and resource configuration.-- **Turnkey protection:** Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.-- **Always-on traffic monitoring:** Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.
+- **Turnkey protection:** Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required.
+- **Always-on traffic monitoring:** Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
- **Adaptive tuning:** Intelligent traffic profiling learns your application's traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time. - **Multi-Layered protection:** Provides full stack DDoS protection, when used with a web application firewall, to get protection both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure [Application Gateway WAF SKU](../web-application-firewall/ag/ag-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) as well as third-party web application firewall offerings available in the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?page=1&search=web%20application%20firewall). - **Extensive mitigation scale:** Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
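Review bot: in the rewritten **Always-on traffic monitoring** bullet, the deleted sentence "Mitigation is performed when protection policies are exceeded" was the only statement in this list of what triggers mitigation. The replacement says only that the attack is mitigated "once it is detected". Suggest keeping the trigger condition next to the moved sentence so the bullet still tells the reader when mitigation starts.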
@@ -37,7 +37,7 @@ Azure DDoS protection does not store customer data.
- **Attack metrics:** Summarized metrics from each attack are accessible through Azure Monitor. - **Attack alerting:** Alerts can be configured at the start and stop of an attack, and over the attack's duration, using built-in attack metrics. Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal. - **DDoS Rapid Response**: Engage the DDoS Protection Rapid Response (DRR) team for help with attack investigation and analysis. To learn more, see [DDoS Rapid Response](ddos-rapid-response.md).-- **Cost guarantee:** Data-transfer and application scale-out service credits for documented DDoS attacks.
+- **Cost guarantee:** Receive data-transfer and application scale-out service credit for resource costs incurred as a result of documented DDoS attacks.
## Pricing
@@ -46,4 +46,4 @@ To learn about Azure DDoS Protection Standard pricing, see [Azure DDoS Protectio
## Next steps > [!div class="nextstepaction"]
-> [Create a DDoS Protection Plan](manage-ddos-protection.md)
\ No newline at end of file
+> [Create a DDoS Protection Plan](manage-ddos-protection.md)
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-protection-standard-features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-protection-standard-features.md
@@ -19,23 +19,23 @@ The following sections outline the key features of the Azure DDoS Protection Sta
## Always-on traffic monitoring
-DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the threshold, the mitigation is removed.
+DDoS Protection Standard monitors actual traffic utilization and constantly compares it against the thresholds defined in the DDoS Policy. When the traffic threshold is exceeded, DDoS mitigation is initiated automatically. When traffic returns below the thresholds, the mitigation is stopped.
![Azure DDoS Protection Standard Mitigation](./media/ddos-protection-overview/mitigation.png)
-During mitigation, traffic sent to the protected resource is redirected by the DDoS protection service and several checks are performed, such as the following checks:
+During mitigation, traffic sent to the protected resource is redirected by the DDoS protection service and several checks are performed, such as:
- Ensure packets conform to internet specifications and are not malformed. - Interact with the client to determine if the traffic is potentially a spoofed packet (e.g: SYN Auth or SYN Cookie or by dropping a packet for the source to retransmit it). - Rate-limit packets, if no other enforcement method can be performed.
-DDoS protection blocks attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you are notified using Azure Monitor metrics. By configuring logging on DDoS Protection Standard telemetry, you can write the logs to available options for future analysis. Metric data in Azure Monitor for DDoS Protection Standard is retained for 30 days.
+DDoS protection drops attack traffic and forwards the remaining traffic to its intended destination. Within a few minutes of attack detection, you are notified using Azure Monitor metrics. By configuring logging on DDoS Protection Standard telemetry, you can write the logs to available options for future analysis. Metric data in Azure Monitor for DDoS Protection Standard is retained for 30 days.
## Adaptive real time tuning
-The Azure DDoS Protection Basic service helps protect customers and prevent impacts to other customers. For example, if a service is provisioned for a typical volume of legitimate incoming traffic that's smaller than the *trigger rate* of the infrastructure-wide DDoS Protection policy, a DDoS attack on that customerΓÇÖs resources might go unnoticed. More generally, the complexity of recent attacks (for example, multi-vector DDoS) and the application-specific behaviors of tenants call for per-customer, customized protection policies. The service accomplishes this customization by using two insights:
+The Azure DDoS Protection Basic service helps protect customers and prevent impacts to other customers. For example, if a service is provisioned for a typical volume of legitimate incoming traffic that's smaller than the *trigger rate* of the infrastructure-wide DDoS Protection policy, a DDoS attack on that customerΓÇÖs resources might go unnoticed. More generally, the complexity of recent attacks (for example, multi-vector DDoS) and the application-specific behaviors of tenants call for per-customer, tailored protection policies. The service accomplishes this by using two insights:
-- Automatic learning of per-customer (per-IP) traffic patterns for Layer 3 and 4.
+- Automatic learning of per-customer (per- Public IP) traffic patterns for Layer 3 and 4.
- Minimizing false positives, considering that the scale of Azure allows it to absorb a significant amount of traffic.
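Review bot: the first changed paragraph now says "When the traffic threshold is exceeded" and then "returns below the thresholds", while the sentence before it speaks of "the thresholds defined in the DDoS Policy". Use the plural in both places. In the learning bullet, "per- Public IP" has a stray space after the hyphen; "per public IP" reads cleanly. The replacement of "blocks" with "drops" is fine, but the same paragraph should then say whether a dropped packet is visible in the logs it goes on to describe.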
@@ -43,7 +43,7 @@ The Azure DDoS Protection Basic service helps protect customers and prevent impa
## DDoS Protection telemetry, monitoring, and alerting
-DDoS Protection Standard exposes rich telemetry via [Azure Monitor](../azure-monitor/overview.md) for the duration of a DDoS attack. You can configure alerts for any of the Azure Monitor metrics that DDoS Protection uses. You can integrate logging with Splunk (Azure Event Hubs), Azure Monitor logs, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.
+DDoS Protection Standard exposes rich telemetry via [Azure Monitor](../azure-monitor/overview.md). You can configure alerts for any of the Azure Monitor metrics that DDoS Protection uses. You can integrate logging with Splunk (Azure Event Hubs), Azure Monitor logs, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface.
### DDoS mitigation policies
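Review bot: deleting "for the duration of a DDoS attack" from the first sentence changes the claim from attack-time telemetry to telemetry in general, but nothing in the paragraph says which metrics are emitted when no attack is in progress. If that is the intent, state it explicitly, because the next sentence tells readers to build alerts on these metrics.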
@@ -83,4 +83,4 @@ Learn how your services will respond to an attack by [testing through simulation
## Next steps -- Learn how to [create a DDoS protection plan](manage-ddos-protection.md).\ No newline at end of file
+- Learn how to [create a DDoS protection plan](manage-ddos-protection.md).
hdinsight https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-for-vscode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-for-vscode.md
@@ -206,29 +206,31 @@ Using the PySpark interactive command to submit the queries, follow these steps:
![pyspark installed successfully](./media/hdinsight-for-vscode/pyspark-kernel-installed-successfully.png)
-7. From the menu bar, navigate to **View** > **Command Palette...** or use the **Shift + Ctrl + P** keyboard shortcut, and enter **Python: Select Interpreter to start Jupyter Server**.
+7. Please use the command prompt to run **pip install numpy == 1.19.3**, and then reload the VSCode window again.
+
+8. From the menu bar, navigate to **View** > **Command Palette...** or use the **Shift + Ctrl + P** keyboard shortcut, and enter **Python: Select Interpreter to start Jupyter Server**.
![select interpreter to start jupyter server](./media/hdinsight-for-vscode/select-interpreter-to-start-jupyter-server.png)
-8. Select the python option below.
+9. Select the python option below.
![choose the below option](./media/hdinsight-for-vscode/choose-the-below-option.png)
-9. From the menu bar, navigate to **View** > **Command Palette...** or use the **Shift + Ctrl + P** keyboard shortcut, and enter **Developer: Reload Window**.
+10. From the menu bar, navigate to **View** > **Command Palette...** or use the **Shift + Ctrl + P** keyboard shortcut, and enter **Developer: Reload Window**.
- ![reload window](./media/hdinsight-for-vscode/reload-window.png)
+ ![reload window](./media/hdinsight-for-vscode/reload-window.png)
-10. [Connect](#connect-to-an-azure-account) to your Azure account, or link a cluster if you haven't yet done so.
+11. [Connect](#connect-to-an-azure-account) to your Azure account, or link a cluster if you haven't yet done so.
-11. Select all the code, right-click the script editor, and select **Spark: PySpark Interactive / Synapse: Pyspark Interactive** to submit the query.
+12. Select all the code, right-click the script editor, and select **Spark: PySpark Interactive / Synapse: Pyspark Interactive** to submit the query.
![pyspark interactive context menu](./media/hdinsight-for-vscode/pyspark-interactive-right-click.png)
-12. Select the cluster, if you haven't specified a default cluster. After a few moments, the **Python Interactive** results appear in a new tab. Click on PySpark to switch the kernel to **PySpark / Synapse Pyspark**, and the code will run successfully. If you want to switch to Synapse Pyspark kernel, disabling auto-settings in Azure portal is encouraged. Otherwise it may take a long while to wake up the cluster and set synapse kernel for the first time use. If The tools also let you submit a block of code instead of the whole script file by using the context menu:
+13. Select the cluster, if you haven't specified a default cluster. After a few moments, the **Python Interactive** results appear in a new tab. Click on PySpark to switch the kernel to **PySpark / Synapse Pyspark**, and the code will run successfully. If you want to switch to Synapse Pyspark kernel, disabling auto-settings in Azure portal is encouraged. Otherwise it may take a long while to wake up the cluster and set synapse kernel for the first time use. If The tools also let you submit a block of code instead of the whole script file by using the context menu:
![pyspark interactive python interactive window](./media/hdinsight-for-vscode/pyspark-interactive-python-interactive-window.png)
-13. Enter **%%info**, and then press Shift+Enter to view the job information (optional):
+14. Enter **%%info**, and then press Shift+Enter to view the job information (optional):
![pyspark interactive view job information](./media/hdinsight-for-vscode/pyspark-interactive-view-job-information.png)
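Review bot: the new step 7 prints the command as "pip install numpy == 1.19.3"; with spaces around "==" pip receives three separate arguments and rejects the requirement, so it should read "pip install numpy==1.19.3". The step also gives no reason for pinning that version, which leaves readers unable to tell when the pin can be dropped, and "reload the VSCode window again" duplicates the reload in step 10. In the renumbered step 13, the dangling "If The tools also let you submit" fragment is carried over unchanged and should be fixed while the line is being touched.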
@@ -261,7 +263,8 @@ The tool also supports the **Spark SQL** query:
> [!NOTE]
-> Ms-python >=2020.5.78807 version is not supported on this extention is a [known issue](#known-issues).
+>
+> ["Ms-python >=2020.5.78807 version is not supported on this extention"](#issues-changed) has been resolved. The latest ms-python version can be used for now.
## Submit PySpark batch job
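Review bot: the rewritten NOTE keeps the misspelling "extention" inside the quoted link text and adds an empty ">" line ahead of the sentence. "can be used for now" reads as a temporary state; if the fix is permanent, drop "for now". Confirm that the #issues-changed anchor matches the heading introduced later in this change.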
@@ -482,13 +485,10 @@ Submit a job to an HDInsight cluster using Data Lake Storage Gen2. You're prompt
From the menu bar, go to **View** > **Command Palette**, and then enter **Azure: Sign Out**.
-## Known Issues
-
-### ms-python >=2020.5.78807 version is not supported on this extention
+## Issues Changed
-"Failed to connect to Jupyter notebook." is a known issue for python version >=2020.5.78807. It is recommended that users use the **[2020.4.76186](https://github.com/microsoft/vscode-python/releases/download/2020.4.76186/ms-python-release.vsix)** version of ms-python to avoid this issue.
+For this issue "ms-python >=2020.5.78807 version is not supported on this extention" has been resolved, the **latest ms-python version** can be used for now.
-![known issues](./media/hdinsight-for-vscode/known-issue.png)
## Next steps
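Review bot: renaming "## Known Issues" to "## Issues Changed" removes the #known-issues anchor, so any existing link to it will no longer resolve. The replacement sentence, "For this issue ... has been resolved, the latest ms-python version can be used for now", is not grammatical and does not say from which release the problem is fixed. Suggest something like: The issue "ms-python >=2020.5.78807 version is not supported on this extension" has been resolved; the latest ms-python version can be used. The removed text pointed readers at a pinned 2020.4.76186 build, so it is worth saying explicitly that the pin is no longer needed.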
sentinel https://docs.microsoft.com/en-us/azure/sentinel/fusion https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/sentinel/fusion.md
@@ -82,6 +82,70 @@ This scenario is currently in **public preview**.
- **Sign-in event from user with leaked credentials leading to multiple VM creation activities**
+## Credential harvesting (New threat classification)
+
+### Malicious credential theft tool execution following suspicious sign-in
+
+**MITRE ATT&CK tactics:** Initial Access, Credential Access
+
+**MITRE ATT&CK techniques:** Valid Account (T1078), OS Credential Dumping (T1003)
+
+**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Endpoint
+
+**Description:** Fusion incidents of this type indicate that a known credential theft tool was executed following a suspicious Azure AD sign-in. This provides a high-confidence indication that the user account noted in the alert description has been compromised and may have successfully used a tool like **Mimikatz** to harvest credentials such as keys, plaintext passwords and/or password hashes from the system. The harvested credentials may allow an attacker to access sensitive data, escalate privileges, and/or move laterally across the network. The permutations of suspicious Azure AD sign-in alerts with the malicious credential theft tool alert are:
+
+- **Impossible travel to atypical locations leading to malicious credential theft tool execution**
+
+- **Sign-in event from an unfamiliar location leading to malicious credential theft tool execution**
+
+- **Sign-in event from an infected device leading to malicious credential theft tool execution**
+
+- **Sign-in event from an anonymous IP address leading to malicious credential theft tool execution**
+
+- **Sign-in event from user with leaked credentials leading to malicious credential theft tool execution**
+
+### Suspected credential theft activity following suspicious sign-in
+
+**MITRE ATT&CK tactics:** Initial Access, Credential Access
+
+**MITRE ATT&CK techniques:** Valid Account (T1078), Credentials from Password Stores (T1555), OS Credential Dumping (T1003)
+
+**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Endpoint
+
+**Description:** Fusion incidents of this type indicate that activity associated with patterns of credential theft occurred following a suspicious Azure AD sign-in. This provides a high-confidence indication that the user account noted in the alert description has been compromised and used to steal credentials such as keys, plain-text passwords, password hashes, and so on. The stolen credentials may allow an attacker to access sensitive data, escalate privileges, and/or move laterally across the network. The permutations of suspicious Azure AD sign-in alerts with the credential theft activity alert are:
+
+- **Impossible travel to atypical locations leading to suspected credential theft activity**
+
+- **Sign-in event from an unfamiliar location leading to suspected credential theft activity**
+
+- **Sign-in event from an infected device leading to suspected credential theft activity**
+
+- **Sign-in event from an anonymous IP address leading to suspected credential theft activity**
+
+- **Sign-in event from user with leaked credentials leading to suspected credential theft activity**
+
+## Crypto-mining (New threat classification)
+
+### Crypto-mining activity following suspicious sign-in
+
+**MITRE ATT&CK tactics:** Initial Access, Credential Access
+
+**MITRE ATT&CK techniques:** Valid Account (T1078), Resource Hijacking (T1496)
+
+**Data connector sources:** Azure Active Directory Identity Protection, Azure Defender (Azure Security Center)
+
+**Description:** Fusion incidents of this type indicate crypto-mining activity associated with a suspicious sign-in to an Azure AD account. This provides a high-confidence indication that the user account noted in the alert description has been compromised and was used to hijack resources in your environment to mine crypto-currency. This can starve your resources of computing power and/or result in significantly higher-than-expected cloud usage bills. The permutations of suspicious Azure AD sign-in alerts with the crypto-mining activity alert are:
+
+- **Impossible travel to atypical locations leading to crypto-mining activity**
+
+- **Sign-in event from an unfamiliar location leading to crypto-mining activity**
+
+- **Sign-in event from an infected device leading to crypto-mining activity**
+
+- **Sign-in event from an anonymous IP address leading to crypto-mining activity**
+
+- **Sign-in event from user with leaked credentials leading to crypto-mining activity**
+ ## Data exfiltration ### Office 365 mailbox exfiltration following a suspicious Azure AD sign-in
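Review bot: in the new "Crypto-mining activity following suspicious sign-in" section the tactics line reads "Initial Access, Credential Access", but the techniques listed are Valid Account (T1078) and Resource Hijacking (T1496), and T1496 belongs to the Impact tactic; no Credential Access technique is listed. The line looks copied from the two credential harvesting sections above it and should read "Initial Access, Impact". Across all three sections the technique name is "Valid Accounts" in ATT&CK, not "Valid Account". In the first description, "the user account ... has been compromised and may have successfully used a tool like Mimikatz" makes the account the actor; rephrase so that the attacker is the one running the tool.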
@@ -366,6 +430,26 @@ This scenario is currently in **public preview**.
**Description:** Fusion incidents of this type indicate that Windows Management Interface (WMI) commands were remotely executed on a system, and following that, suspicious inbound activity was detected by the Palo Alto Networks Firewall. This provides an indication that an attacker may have gained access to your network and is attempting to move laterally, escalate privileges, and/or execute malicious payloads. As with all ΓÇ£living off the landΓÇ¥ attacks, this activity could be a legitimate use of WMI. However, the remote WMI command execution followed by suspicious inbound Firewall activity increases the confidence that WMI is being used in a malicious manner and should be investigated further. In Palo Alto logs, Azure Sentinel focuses on [threat logs](https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/threat-logs), and traffic is considered suspicious when threats are allowed (suspicious data, files, floods, packets, scans, spyware, URLs, viruses, vulnerabilities, wildfire-viruses, wildfires). Also reference the Palo Alto Threat Log corresponding to the [Threat/Content Type](https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html) listed in the Fusion incident description for additional alert details.
+### Suspicious PowerShell command line following suspicious sign-in
+
+**MITRE ATT&CK tactics:** Initial Access, Execution
+
+**MITRE ATT&CK techniques:** Valid Account (T1078), Command and Scripting Interpreter (T1059)
+
+**Data connector sources:** Azure Active Directory Identity Protection, Microsoft Defender for Endpoint (formerly MDATP)
+
+**Description:** Fusion incidents of this type indicate that a user executed potentially malicious PowerShell commands following a suspicious sign-in to an Azure AD account. This provides a high-confidence indication that the account noted in the alert description has been compromised and further malicious actions were taken. Attackers often leverage PowerShell to execute malicious payloads in memory without leaving artifacts on the disk, in order to avoid detection by disk-based security mechanisms such as virus scanners. The permutations of suspicious Azure AD sign-in alerts with the suspicious PowerShell command alert are:
+
+- **Impossible travel to atypical locations leading to suspicious PowerShell command line**
+
+- **Sign-in event from an unfamiliar location leading to suspicious PowerShell command line**
+
+- **Sign-in event from an infected device leading to suspicious PowerShell command line**
+
+- **Sign-in event from an anonymous IP address leading to suspicious PowerShell command line**
+
+- **Sign-in event from user with leaked credentials leading to suspicious PowerShell command line**
+ ## Malware C2 or download ### Network request to TOR anonymization service followed by anomalous traffic flagged by Palo Alto Networks firewall.
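Review bot: the data connector line here names "Microsoft Defender for Endpoint (formerly MDATP)", while the sections added earlier in the same commit name it "Microsoft Defender for Endpoint"; pick one form so analysts searching the page by connector name find every scenario. The technique name should be "Valid Accounts (T1078)". The unchanged context paragraph above expands WMI as "Windows Management Interface"; the correct expansion is Windows Management Instrumentation and could be fixed in the same pass.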
synapse-analytics https://docs.microsoft.com/en-us/azure/synapse-analytics/sql/develop-storage-files-storage-access-control https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/synapse-analytics/sql/develop-storage-files-storage-access-control.md
@@ -86,9 +86,68 @@ You can use the following combinations of authorization and Azure Storage types:
\* SAS token and Azure AD Identity can be used to access storage that is not protected with firewall.
-> [!IMPORTANT]
-> When accessing storage that is protected with the firewall, only Managed Identity can be used. You need to [Allow trusted Microsoft services... setting](../../storage/common/storage-network-security.md#trusted-microsoft-services) and explicitly [assign an Azure role](../../storage/common/storage-auth-aad.md#assign-azure-roles-for-access-rights) to the [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) for that resource instance. In this case, the scope of access for the instance corresponds to the Azure role assigned to the managed identity.
->
+
+### Querying firewall protected storage
+
+When accessing storage that is protected with the firewall, you can use **User Identity** or **Managed Identity**.
+
+#### User Identity
+
+To access storage that is protected with the firewall via User Identity, you can use PowerShell module Az.Storage.
+#### Configuration via PowerShell
+
+Follow these steps to configure your storage account firewall and add an exception for Synapse workspace.
+
+1. Open PowerShell or [install PowerShell](https://docs.microsoft.com/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.1&preserve-view=true )
+2. Install the updated Az. Storage Module:
+ ```powershell
+ Install-Module -Name Az.Storage -RequiredVersion 3.0.1-preview -AllowPrerelease
+ ```
+ > [!IMPORTANT]
+ > Make sure that you use version 3.0.1 or newer. You can check your Az.Storage version by running this command:
+ > ```powershell
+ > Get-Module -ListAvailable -Name Az.Storage | select Version
+ > ```
+ >
+
+3. Connect to your Azure Tenant:
+ ```powershell
+ Connect-AzAccount
+ ```
+4. Define variables in PowerShell:
+ - Resource group name - you can find this in Azure portal in overview of Synapse workspace.
+ - Account Name - name of storage account that is protected by firewall rules.
+ - Tenant ID - you can find this in Azure portal in Azure Active Directory in tenant information.
+ - Resource ID - you can find this in Azure portal in overview of Synapse workspace.
+
+ ```powershell
+ $resourceGroupName = "<resource group name>"
+ $accountName = "<storage account name>"
+ $tenantId = "<tenant id>"
+ $resourceId = "<Synapse workspace resource id>"
+ ```
+ > [!IMPORTANT]
+ > Make sure that resource id matches this template.
+ >
+ > It's important to write **resourcegroups** in lower case.
+ > Example of one resource id:
+ > ```
+ > /subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Synapse/workspaces/{name-of-workspace}
+ > ```
+ >
+5. Add Storage Network rule:
+ ```powershell
+ Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $accountName -TenantId $tenantId -ResourceId $resourceId
+ ```
+6. Verify that rule was applied in your storage account:
+ ```powershell
+ $rule = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $accountName
+ $rule.ResourceAccessRules
+ ```
+
+#### Managed Identity
+You need to [Allow trusted Microsoft services... setting](../../storage/common/storage-network-security.md#trusted-microsoft-services) and explicitly [assign an Azure role](../../storage/common/storage-auth-aad.md#assign-azure-roles-for-access-rights) to the [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) for that resource instance.
+In this case, the scope of access for the instance corresponds to the Azure role assigned to the managed identity.
## Credentials
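Review bot: step 2 installs with "-RequiredVersion 3.0.1-preview -AllowPrerelease", which pins one exact prerelease build, while the IMPORTANT note directly below says to use "version 3.0.1 or newer"; the command and the note should agree, for example by using -MinimumVersion if newer builds are acceptable. The User Identity section adds a network rule for the workspace but never states what storage permission the signed-in user still needs, whereas the Managed Identity section spells out the role assignment; add the equivalent sentence so readers do not take the firewall exception for the whole access model. Smaller points: "Az. Storage Module" has a stray space, "#### Configuration via PowerShell" follows the previous line with no blank line and sits at the same level as "#### User Identity" although it is its child, and "You need to [Allow trusted Microsoft services... setting]" is missing a verb such as "enable the".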
web-application-firewall https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/web-application-firewall/afds/waf-front-door-configure-ip-restriction.md
@@ -13,8 +13,7 @@ ms.author: tyao
This article shows you how to configure IP restriction rules in a Web Application Firewall (WAF) for Azure Front Door by using the Azure portal, Azure CLI, Azure PowerShell, or an Azure Resource Manager template.
-An IP addressΓÇôbased access control rule is a custom WAF rule that lets you control access to your web applications. It does this by specifying a list of IP addresses or IP address ranges in Classless Inter-Domain Routing (CIDR) format. There are two type of match variables in IP address match, **RemoteAddr** and **SocketAddr**. RemoteAddr is the original client IP that is usually sent via
-**X-Forwarded-For** request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.
+An IP addressΓÇôbased access control rule is a custom WAF rule that lets you control access to your web applications. It does this by specifying a list of IP addresses or IP address ranges in Classless Inter-Domain Routing (CIDR) format. There are two type of match variables in IP address match, **RemoteAddr** and **SocketAddr**. RemoteAddr is the original client IP that is usually sent via X-Forwarded-For request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.
By default, your web application is accessible from the Internet. If you want to limit access to clients from a list of known IP addresses or IP address ranges, you may create an IP matching rule that contains the list of IP addresses as matching values and sets operator to "Not" (negate is true) and the action to **Block**. After an IP restriction rule is applied, requests that originate from addresses outside this allowed list receive a 403 Forbidden response.
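Review bot: the merged paragraph defines RemoteAddr as the address "usually sent via X-Forwarded-For request header" but does not say which match variable the allow-list rule in the next paragraph should use. Since X-Forwarded-For is a request header the client can set, the article should state the trade-off between RemoteAddr and SocketAddr for a rule whose action is Block. Also, "two type of match variables" should be "two types", and the bold on X-Forwarded-For was dropped while RemoteAddr and SocketAddr keep theirs.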