Updates from: 02/13/2021 04:06:50
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-adfs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-adfs.md
@@ -9,7 +9,7 @@
Previously updated : 01/27/2021 Last updated : 02/12/2021
@@ -192,7 +192,11 @@ Open a browser and navigate to the URL. Make sure you type the correct URL and t
1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant. 1. In the Azure portal, search for and select **Azure AD B2C**. 1. Under **Policies**, select **Identity Experience Framework**
+1. Select your relying party policy, for example `B2C_1A_signup_signin`.
+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run now** button.
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
## Troubleshooting AD FS service AD FS is configured to use the Windows application log. If you experience challenges setting up AD FS as a SAML identity provider using custom policies in Azure AD B2C, you may want to check the AD FS event log:
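Review bot: The added step "The **Reply URL** should show `https://jwt.ms`" sends the issued token to a page that displays its contents, and neither that step nor the closing sentence says this reply URL is meant only for testing the policy. Suggest adding a clause to that effect, and noting that a production application registration should list only its own redirect URIs.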
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-dynamics-365-fraud-protection https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md
@@ -0,0 +1,183 @@
+
+ Title: Tutorial to configure Azure Active Directory B2C with Microsoft Dynamics 365 Fraud Protection
+
+description: Tutorial to configure Azure Active Directory B2C with Microsoft Dynamics 365 Fraud Protection to identify risky and fraudulent account
+++++++ Last updated : 02/10/2021++++
+# Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C
+
+In this sample tutorial, we provide guidance on how to integrate [Microsoft Dynamics 365 Fraud Protection](https://docs.microsoft.com/dynamics365/fraud-protection/overview) (DFP) with the Azure Active Directory (AD) B2C.
+
+Microsoft DFP provides clients with the capability to assess if the risk of attempts to create new accounts and attempts to login to clientΓÇÖs ecosystem are fraudulent. Microsoft DFP assessment can be used by the customer to block or challenge suspicious attempts to create new fake accounts or to compromise existing accounts. Account protection includes artificial intelligence empowered device fingerprinting, APIs for real-time risk assessment, rule and list experience to optimize risk strategy as per clientΓÇÖs business needs, and a scorecard to monitor fraud protection effectiveness and trends in clientΓÇÖs ecosystem.
+
+In this sample, we'll be integrating the account protection features of Microsoft DFP with an Azure AD B2C user flow. The service will externally fingerprint every sign-in or sign up attempt and watch for any past or present suspicious behavior. Azure AD B2C invokes a decision endpoint from Microsoft DFP, which returns a result based on all past and present behavior from the identified user, and also the custom rules specified within the Microsoft DFP service. Azure AD B2C makes an approval decision based on this result and passes the same back to Microsoft DFP.
+
+## Prerequisites
+
+To get started, you'll need:
+
+- An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+
+- An [Azure AD B2C tenant](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant). Tenant is linked to your Azure subscription.
+
+- Get a Microsoft DFP [subscription](https://dynamics.microsoft.com/pricing/#Sales). You can set up a [trial client version](https://dynamics.microsoft.com/ai/fraud-protection/signin/?RU=https%3A%2F%2Fdfp.microsoft.com%2Fsignin) as well.
+
+## Scenario description
+
+Microsoft DFP integration includes the following components:
+
+- **Azure AD B2C tenant**: Authenticates the user and acts as a client of Microsoft DFP. Hosts a fingerprinting script collecting identification and diagnostic data of every user that executes a target policy. Later blocks or challenges sign-in or sign-up attempts if Microsoft DFP finds them suspicious.
+
+- **Custom app service**: A web application that serves two purposes.
+
+ - Serves HTML pages to be used as Identity Experience Framework's UI. Responsible for embedding the Microsoft Dynamics 365 fingerprinting script.
+
+ - An API controller with RESTful endpoints that connects Microsoft DFP to Azure AD B2C. Handle's data processing, structure, and adheres to the security requirements of both.
+
+- **Microsoft DFP fingerprinting service**: Dynamically embedded script, which logs device telemetry and self-asserted user details to create a uniquely identifiable fingerprint for the user to be used later in the decision-making process.
+
+- **Microsoft DFP API endpoints**: Provides the decision result and accepts a final status reflecting the operation undertaken by the client application. Azure AD B2C doesn't communicate with the endpoints directly because of varying security and API payload requirements, instead uses the app service as an intermediate.
+
+The following architecture diagram shows the implementation.
+
+![Image shows microsoft dynamics365 fraud protection architecture diagram](./media/partner-dynamics365-fraud-protection/microsoft-dynamics-365-fraud-protection-diagram.png)
+
+|Step | Description |
+|:--| :--|
+| 1. | The user arrives at a login page. Users select sign-up to create a new account and enter information into the page. Azure AD B2C collects user attributes.
+| 2. | Azure AD B2C calls the middle layer API and passes on the user attributes.
+| 3. | Middle layer API collects user attributes and transforms it into a format that Microsoft DFP API could consume. Then after sends it to Microsoft DFP API.
+| 4. | After Microsoft DFP API consumes the information and processes it, it returns the result to the middle layer API.
+| 5. | The middle layer API processes the information and sends back relevant information to Azure AD B2C.
+| 6. | Azure AD B2C receives information back from the middle layer API. If it shows a Failure response, an error message is displayed to the user. If it shows a Success response, the user is authenticated and written into the directory.
+
+## Set up the solution
+
+1. [Create a Facebook application](https://docs.microsoft.com/azure/active-directory-b2c/identity-provider-facebook#create-a-facebook-application) configured to allow federation to Azure AD B2C.
+2. [Add the Facebook secret](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started#create-the-facebook-key) you created as an Identity Experience Framework policy key.
+
+## Configure your application under Microsoft DFP
+
+[Set up your Azure AD tenant](https://docs.microsoft.com/dynamics365/fraud-protection/integrate-real-time-api) to use Microsoft DFP.
+
+## Deploy to the web application
+
+### Implement Microsoft DFP service fingerprinting
+
+[Microsoft DFP device fingerprinting](https://docs.microsoft.com/dynamics365/fraud-protection/device-fingerprinting) is a requirement for Microsoft DFP account protection.
+
+>[!NOTE]
+>In addition to Azure AD B2C UI pages, customer may also implement the fingerprinting service inside app code for more comprehensive device profiling. Fingerprinting service in app code is not included in this sample.
+
+### Deploy the Azure AD B2C API code
+
+Deploy the [provided API code](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/API) to an Azure service. The code can be [published from Visual Studio](https://docs.microsoft.com/visualstudio/deployment/quickstart-deploy-to-azure?view=vs-2019).
+
+Set-up CORS, add **Allowed Origin** `https://{your_tenant_name}.b2clogin.com`
+
+>[!NOTE]
+>You'll later need the URL of the deployed service to configure Azure AD with the required settings.
+
+See [App service documentation](https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api) to learn more.
+
+### Add context-dependent configuration settings
+
+Configure the application settings in the [App service in Azure](https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings). This allows settings to be securely configured without checking them into a repository. The Rest API needs the following settings provided:
+
+| Application settings | Source | Notes |
+| :-- | :| :--|
+|FraudProtectionSettings:InstanceId | Microsoft DFP Configuration | |
+|FraudProtectionSettings:DeviceFingerprintingCustomerId | Your Microsoft device fingerprinting customer ID | |
+| FraudProtectionSettings:ApiBaseUrl | Your Base URL from Microsoft DFP Portal | Remove '-int' to call the production API instead
+| TokenProviderConfig: Resource | https://api.dfp.dynamics-int.com | Remove '-int' to call the production API instead |
+| TokenProviderConfig:ClientId |Your Fraud Protection merchant Azure AD client app ID | |
+| TokenProviderConfig:Authority | https://login.microsoftonline.com/<directory_ID> | Your Fraud Protection merchant Azure AD tenant authority |
+| TokenProviderConfig:CertificateThumbprint* | The thumbprint of the certificate to use to authenticate against your merchant Azure AD client app |
+| TokenProviderConfig:ClientSecret* | The secret for your merchant Azure AD client app | Recommended to use a secrets manager |
+
+*Only set 1 of the 2 marked parameters depending on if you authenticate with a certificate or a secret such as a password.
+
+## Azure AD B2C configuration
+
+### Replace the configuration values
+
+In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/Policies), find the following placeholders and replace them with the corresponding values from your instance.
+
+| Placeholder | Replace with | Notes |
+| :-- | :| :--|
+|{your_tenant_name} | Your tenant short name | ΓÇ£yourtenantΓÇ¥ from yourtenant.onmicrosoft.com |
+|{your_tenantId} | Tenant ID of your Azure AD B2C tenant | 01234567-89ab-cdef-0123-456789abcdef |
+| {your_tenant_IdentityExperienceFramework_appid} | App ID of the IdentityExperienceFramework app configured in your Azure AD B2C tenant | 01234567-89ab-cdef-0123-456789abcdef |
+| {your_tenant_ ProxyIdentityExperienceFramework _appid} | App ID of the ProxyIdentityExperienceFramework app configured in your Azure AD B2C tenant | 01234567-89ab-cdef-0123-456789abcdef |
+| {your_tenant_extensions_appid} | App ID of your tenantΓÇÖs storage application | 01234567-89ab-cdef-0123-456789abcdef |
+| {your_tenant_extensions_app_objectid} | Object ID of your tenantΓÇÖs storage application | 01234567-89ab-cdef-0123-456789abcdef |
+| {your_app_insights_instrumentation_key} | Instrumentation key of your app insights instance* | 01234567-89ab-cdef-0123-456789abcdef |
+| {your_ui_base_url} | Endpoint in your app service from where your UI files are served | https://yourapp.azurewebsites.net/B2CUI/GetUIPage |
+| {your_app_service_url} | URL of your app service | https://yourapp.azurewebsites.net |
+| {your-facebook-app-id} | App ID of the facebook app you configured for federation with Azure AD B2C | 000000000000000 |
+| {your-facebook-app-secret} | Name of the policy key you've saved facebook's app secret as | B2C_1A_FacebookAppSecret |
+
+*App insights can be in a different tenant. This step is optional. Remove the corresponding TechnicalProfiles and OrechestrationSteps if not needed.
+
+### Call Microsoft DFP label API
+
+Customers need to [implement label API](https://docs.microsoft.com/dynamics365/fraud-protection/integrate-ap-api). See [Microsoft DFP API](https://apidocs.microsoft.com/services/dynamics365fraudprotection#/AccountProtection/v1.0) to learn more.
+
+`URI: < API Endpoint >/v1.0/label/account/create/<userId>`
+
+The value of the userID needs to be the same as the one in the corresponding Azure AD B2C configuration value (ObjectID).
+
+>[!NOTE]
+>Add consent notification to the attribute collection page. Notify that the users' telemetry and user identity information will be recorded for account protection purposes.
+
+## Configure the Azure AD B2C policy
+
+1. Go to the [Azure AD B2C policy](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Dynamics-Fraud-Protection/Policies) in the Policies folder.
+
+2. Follow this [document](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications#custom-policy-starter-pack) to download [LocalAccounts starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/LocalAccounts)
+
+3. Configure the policy for the Azure AD B2C tenant.
+
+>[!NOTE]
+>Update the policies provided to relate to your specific tenant.
+
+## Test the user flow
+
+1. Open the Azure AD B2C tenant and under Policies select **Identity Experience Framework**.
+
+2. Select your previously created **SignUpSignIn**.
+
+3. Select **Run user flow** and select the settings:
+
+ a. **Application**: select the registered app (sample is JWT)
+
+ b. **Reply URL**: select the **redirect URL**
+
+ c. Select **Run user flow**.
+
+4. Go through sign-up flow and create an account
+
+5. Microsoft DFP service will be called during the flow, after user attribute is created. If the flow is incomplete, check that the user isn't saved in the directory.
+
+>[!NOTE]
+>Update rules directly in Microsoft DFP Portal if using [Microsoft DFP rule engine](https://docs.microsoft.com/dynamics365/fraud-protection/rules).
+
+## Next steps
+
+For additional information, review the following articles:
+
+- [Microsoft DFP samples](https://github.com/Microsoft/Dynamics-365-Fraud-Protection-Samples)
+
+- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview)
+
+- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
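Review bot: In the "Replace the configuration values" table, the placeholder `{your_tenant_ ProxyIdentityExperienceFramework _appid}` contains spaces that the neighbouring `{your_tenant_IdentityExperienceFramework_appid}` does not have; if the policy files use the unspaced form, a reader searching for the documented string will not find it, so write it without spaces. In the application settings table, the `TokenProviderConfig:CertificateThumbprint*` row puts its description in the Source column and has no Notes cell, and `TokenProviderConfig: Resource` has a stray space after the colon that matters if the name is copied as a setting key. The `TokenProviderConfig:ClientSecret*` note "Recommended to use a secrets manager" should say which mechanism the reader is expected to use with the app service. "Set up the solution" has the reader create a Facebook application, while step 2 of "Configure the Azure AD B2C policy" points at the LocalAccounts starter pack; state which starter pack the sample policies extend. "Test the user flow" says "Run user flow" although the policy is selected under **Identity Experience Framework**. Typos: "Handle's data processing", "OrechestrationSteps", "Then after sends it".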
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-gallery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-gallery.md
@@ -70,6 +70,7 @@ Microsoft partners with the following ISVs for security.
| ISV partner | Description and integration walkthroughs | |:-|:--| | ![Screenshot of a Arkose lab logo](./medi) is a fraud prevention solution provider that helps organizations protect against bot attacks, account takeover attacks, and fraudulent account openings. |
+| ![Screenshot of a Microsoft Dynamics 365 logo](./medi) is a solution that helps organizations protect against fraudulent account openings through device fingerprinting. |
| ![Screenshot of a Ping logo](./medi) enables secure hybrid access to on-premises legacy applications across multiple clouds. | | ![Screenshot of a strata logo](./medi) provides secure hybrid access to on-premises applications by enforcing consistent access policies, keeping identities in sync, and making it simple to transition applications from legacy identity systems to standards-based authentication and access control provided by Azure AD B2C. | | ![Screenshot of a zscaler logo](./medi) delivers policy-based, secure access to private applications and assets without the cost, hassle, or security risks of a VPN. |
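Review bot: The added Microsoft Dynamics 365 row describes the integration only as protection "against fraudulent account openings through device fingerprinting", while the tutorial added in this same update says Microsoft DFP also assesses sign-in attempts "to compromise existing accounts". Widen the description to cover account takeover so the gallery entry matches the walkthrough it links to.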
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/fido2-compatibility.md
@@ -0,0 +1,48 @@
+
+ Title: Browser support of FIDO2 passwordless authentication | Azure Active Directory
+description: Browsers and operating system combinations support FIDO2 passwordless authentication for apps using Azure Active Directory
+++++ Last updated : 02/02/2021++++++++
+# Browser support of FIDO2 passwordless authentication
+
+Azure Active Directory allows [FIDO2 security keys](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910). As discussed in the announcement, certain optional features and extensions to the FIDO2 CTAP specification must be implemented to support secure authentication with Microsoft and Azure Active Directory accounts. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory.
+
+## Supported browsers
+
+This table shows support for authenticating Azure Active Directory (Azure AD) and Microsoft Accounts (MSA). Microsoft accounts are created by consumers for services such as Xbox, Skype, or Outlook.com. Supported device types include **USB**, near-field communication (**NFC**), and bluetooth low energy (**BLE**).
+
+| | Chrome | | | Edge | | | Firefox | | |
+|::|::|::|::|::|::|::|::|::|::|
+| | USB | NFC | BLE | USB | NFC | BLE | USB | NFC | BLE |
+| **Windows** | ![Chrome supports USB on Windows for AAD accounts.][y] | ![Chrome supports NFC on Windows for AAD accounts.][y] | ![Chrome supports BLE on Windows for AAD accounts.][y] | ![Edge supports USB on Windows for AAD accounts.][y] | ![Edge supports NFC on Windows for AAD accounts.][y] | ![Edge supports BLE on Windows for AAD accounts.][y] | ![Firefox supports USB on Windows for AAD accounts.][y] | ![Firefox supports NFC on Windows for AAD accounts.][y] | ![Firefox supports BLE on Windows for AAD accounts.][y] |
+| **macOS** | ![Chrome supports USB on macOS for AAD accounts.][y] | ![Chrome does not support NFC on macOS for AAD accounts.][n] | ![Chrome does not support BLE on macOS for AAD accounts.][n] | ![Edge supports USB on macOS for AAD accounts.][y] | ![Edge does not support NFC on macOS for AAD accounts.][n] | ![Edge does not support BLE on macOS for AAD accounts.][n] | ![Firefox does not support USB on macOS for AAD accounts.][n] | ![Firefox does not support NFC on macOS for AAD accounts.][n] | ![Firefox does not support BLE on macOS for AAD accounts.][n] |
+| **Linux** | ![Chrome supports USB on Linux for AAD accounts.][y] | ![Chrome does not support NFC on Linux for AAD accounts.][n] | ![Chrome does not support BLE on Linux for AAD accounts.][n] | ![Edge does not support USB on Linux for AAD accounts.][n] | ![Edge does not support NFC on Linux for AAD accounts.][n] | ![Edge does not support BLE on Linux for AAD accounts.][n] | ![Firefox does not support USB on Linux for AAD accounts.][n] | ![Firefox does not support NFC on Linux for AAD accounts.][n] | ![Firefox does not support BLE on Linux for AAD accounts.][n] |
+
+## Operating system versions tested
+
+The information in the table above was tested for the following operating system versions.
+
+| Operating system | Latest tested version |
+| | |
+| Windows | Windows 10 20H2 1904 |
+| macOS | OS X 11 Big Sur |
+| Linux | Fedora 32 Workstation |
+
+## Next steps
+[Enable passwordless security key sign-in (preview)](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
+
+<!--Image references-->
+[y]: ./media/fido2-compatibility/yes.png
+[n]: ./media/fido2-compatibility/no.png
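Review bot: The "Supported browsers" paragraph says the table covers "Azure Active Directory (Azure AD) and Microsoft Accounts (MSA)", but every cell's alt text refers only to "AAD accounts" and there is no MSA row or column; either add the MSA results or drop MSA from that sentence. The introduction calls the table "The following diagram". Under "Operating system versions tested", "Windows 10 20H2 1904" reads as a truncated build number, and "OS X 11 Big Sur" uses the old product name for macOS 11. "bluetooth low energy" should be capitalized as "Bluetooth Low Energy".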
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/identity-videos https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/identity-videos.md
@@ -26,17 +26,17 @@ Learn the key components and capabilities of the Microsoft identity platform.
___ :::row:::
- :::column:::
+ :::column:::
<a href="https://www.youtube.com/watch?v=tkQJSHFsduY" target="_blank">The basics of modern authentication - Microsoft identity platform</a>(12:28) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=tkQJSHFsduY" target="_blank"> <img src="./media/identity-videos/id-for-devs-07.jpg" alt="Video thumbnail for a video about the basics of modern authentication on the Microsoft identity platform."></a>
+ > [!Video https://www.youtube.com/embed/tkQJSHFsduY]
:::column-end::: :::column::: <a href="https://www.youtube.com/watch?v=7_vxnHiUA1M" target="_blank">Modern authentication: how we got here ΓÇô Microsoft identity platform</a>(15:47) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=7_vxnHiUA1M" target="_blank"> <img src="./media/identity-videos/id-for-devs-08.jpg" alt="Video thumbnail for a video about modern authentication and the Microsoft identity platform." class="mx-imgBorder"></a>
+ > [!Video https://www.youtube.com/embed/7_vxnHiUA1M]
:::column-end::: :::row-end::: :::row:::
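Review bot: The two embeds added in this hunk are written `> [!Video https://www.youtube.com/embed/tkQJSHFsduY]` with a space after `>`, while the embeds in the later hunks of this file use `>[!Video` without one; use one form throughout. The first `-`/`+` pair on `:::column:::` differs only in whitespace and could be dropped from the change. The removed `<img>` tags were the visible references to `./media/identity-videos/id-for-devs-07.jpg` and `id-for-devs-08.jpg`, so check whether those image files should be deleted in the same change.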
@@ -44,7 +44,7 @@ ___
<a href="https://www.youtube.com/watch?v=JpeMeTjQJ04" target="_blank">Overview: Implementing single sign-on in mobile applications - Microsoft Identity Platform</a> (20:30) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=JpeMeTjQJ04" target="_blank"> <img src="./media/identity-videos/mobile-single-sign-on.jpg" alt="Video thumbnail for a video about implementing mobile single sign on using the Microsoft identity platform."></a> (20:30)
+ >[!Video https://www.youtube.com/embed/JpeMeTjQJ04]
:::column-end::: :::column::: :::column-end:::
@@ -71,13 +71,13 @@ ___
1 - <a href="https://www.youtube.com/watch?v=zjezqZPPOfc&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX&index=1" target="_blank">Overview of the Microsoft identity platform for developers</a> (33:55) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=zjezqZPPOfc" target="_blank"> <img src="./media/identity-videos/id-for-devs-01.jpg" alt="Video thumbnail for a video overview of the Microsoft identity platform for developers."></a>
+ >[!Video https://www.youtube.com/embed/zjezqZPPOfc]
:::column-end::: :::column::: 2 - <a href="https://www.youtube.com/watch?v=Mtpx_lpfRLs&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX&index=2" target="_blank">How to authenticate users of your apps with the Microsoft identity platform </a> (29:09) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=Mtpx_lpfRLs" target="_blank"> <img src="./media/identity-videos/id-for-devs-02.jpg" alt="Video thumbnail for a video about how to authenticate users of your apps with the Microsoft identity platform."></a>
+ >[!Video https://www.youtube.com/embed/Mtpx_lpfRLs]
:::column-end::: :::row-end::: :::row:::
@@ -85,13 +85,13 @@ ___
3 - <a href="https://www.youtube.com/watch?v=toAWRNqqDL4&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX&index=3" target="_blank">Microsoft identity platformΓÇÖs permissions and consent framework</a> (45:08) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=toAWRNqqDL4" target="_blank"> <img src="./media/identity-videos/id-for-devs-03.jpg" alt="Video thumbnail for a video about Microsoft identity platformΓÇÖs permissions and consent framework."></a>
+ >[!Video https://www.youtube.com/embed/toAWRNqqDL4]
:::column-end::: :::column::: 4 - <a href="https://www.youtube.com/watch?v=IIQ7QW4bYqA&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX&index=4" target="_blank">How to protect APIs using the Microsoft identity platform</a> (33:17) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=IIQ7QW4bYqA" target="_blank"> <img src="./media/identity-videos/id-for-devs-04.jpg" alt="Video thumbnail for a video about how to protect APIs using the Microsoft identity platform."></a>
+ >[!Video https://www.youtube.com/embed/IIQ7QW4bYqA]
:::column-end::: :::row-end::: :::row:::
@@ -99,7 +99,7 @@ ___
5 - <a href="https://www.youtube.com/watch?v=-BK2iBDrmNo&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX&index=5" target="_blank">Application roles and security groups on the Microsoft identity platform</a> (15:52) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=-BK2iBDrmNo" target="_blank"> <img src="./media/identity-videos/id-for-devs-05.jpg" alt="Video thumbnail for a video about application roles and security groups on the Microsoft identity platform."></a>
+ >[!Video https://www.youtube.com/embed/-BK2iBDrmNo]
:::column-end::: :::column::: :::column-end:::
@@ -134,13 +134,13 @@ ___
1 - <a href="https://www.youtube.com/watch?v=fbSVgC8nGz4&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=1" target="_blank">Basics: The concepts of modern authentication</a> (4:33) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=fbSVgC8nGz4" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-01.jpg" alt="Video thumbnail for a video about the concept of modern authentication."></a>
+ >[!Video https://www.youtube.com/embed/fbSVgC8nGz4]
:::column-end::: :::column::: 2 - <a href="https://www.youtube.com/watch?v=tCNcG1lcCHY&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=2" target="_blank">Modern authentication for web applications</a> (6:02) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=tCNcG1lcCHY" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-02.jpg" alt="Video thumbnail for a video about modern authentication for web applications."></a>
+ >[!Video https://www.youtube.com/embed/tCNcG1lcCHY]
:::column-end::: :::row-end::: :::row:::
@@ -148,13 +148,13 @@ ___
3 - <a href="https://www.youtube.com/watch?v=51B-jSOBF8U&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=3" target="_blank">Web single sign-on</a> (4:13) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=51B-jSOBF8U" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-03.jpg" alt="Video thumbnail for a video about web single sign-on."></a>
+ >[!Video https://www.youtube.com/embed/51B-jSOBF8U]
:::column-end::: :::column::: 4 - <a href="https://www.youtube.com/watch?v=CjarTgjKcX8&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=4" target="_blank">Federated web authentication</a> (6:19) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=CjarTgjKcX8" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-04.jpg" alt="Video thumbnail for a video about federated web authentication."></a>
+ >[!Video https://www.youtube.com/embed/CjarTgjKcX8]
:::column-end::: :::row-end::: :::row:::
@@ -162,13 +162,13 @@ ___
5 - <a href="https://www.youtube.com/watch?v=OGMDnuDrAcQ&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=5" target="_blank">Native client applications - Part 1 </a> (8:12) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=OGMDnuDrAcQ" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-05.jpg" alt="Video thumbnail for part 1 of a video about native client applications."></a>
+ >[!Video https://www.youtube.com/embed/OGMDnuDrAcQ]
:::column-end::: :::column::: 6 - <a href="https://www.youtube.com/watch?v=2RE6IhXfmHY&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=6" target="_blank">Native client applications - Part 2 </a> (5:33) :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=2RE6IhXfmHY" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-06.jpg" alt="Video thumbnail for part 2 of a video about native client applications."></a>
+ >[!Video https://www.youtube.com/embed/2RE6IhXfmHY]
:::column-end::: :::row-end:::
@@ -199,135 +199,125 @@ ___
<a href="https://www.youtube.com/watch?v=bNlcFuIo3r8" target="_blank">Microsoft identity platform overview </a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=bNlcFuIo3r8" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for an overview video about Microsoft identity platform."></a>
+ >[!Video https://www.youtube.com/embed/bNlcFuIo3r8]
:::column-end::: :::column:::
+ <a href="https://www.youtube.com/watch?v=apbbx2n4tnU" target="_blank">Microsoft Graph and the Microsoft Authentication Library (MSAL) </a>
:::column-end::: :::column:::
+ >[!Video https://www.youtube.com/embed/apbbx2n4tnU]
:::column-end::: :::row-end::: :::row:::
- :::column:::
- <a href="https://www.youtube.com/watch?v=apbbx2n4tnU" target="_blank">Microsoft Graph and the Microsoft Authentication Library (MSAL) </a>
- :::column-end:::
- :::column:::
- <a href="https://www.youtube.com/watch?v=apbbx2n4tnU" target="_blank"> <img src="./media/identity-videos/graph-and-msal.jpg" alt="Video thumbnail for a video about Microsoft Graph and the Microsoft Authentication Library (MSAL)."></a>
- :::column-end:::
:::column::: <a href="https://www.youtube.com/watch?v=yLVEBU9Z96Q" target="_blank">What is the MSAL family of libraries?</a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=yLVEBU9Z96Q" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video about the MSAL family of libraries."></a>
+ >[!Video https://www.youtube.com/embed/yLVEBU9Z96Q]
:::column-end::: :::column::: <a href="https://www.youtube.com/watch?v=eiPHOoLmGJs" target="_blank">Scopes explained </a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=eiPHOoLmGJs" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that explains scopes."></a>
- :::column-end:::
- :::column:::
- <a href="https://www.youtube.com/watch?v=Zd_Uubnu0U0" target="_blank">What are brokers </a>
- :::column-end:::
- :::column:::
- <a href="https://www.youtube.com/watch?v=Zd_Uubnu0U0" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video about brokers."> </a>
+ >[!Video https://www.youtube.com/embed/eiPHOoLmGJs]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=znSN_3JAuoU" target="_blank">What redirect URIs do</a>
+ <a href="https://www.youtube.com/watch?v=Zd_Uubnu0U0" target="_blank">What are brokers </a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=znSN_3JAuoU" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that describers what redirect URIs do."></a>
+ >[!Video https://www.youtube.com/embed/Zd_Uubnu0U0]
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=mDhT4Zv1fZU" target="_blank">Tenants explained </a>
+ <a href="https://www.youtube.com/watch?v=znSN_3JAuoU" target="_blank">What redirect URIs do</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=mDhT4Zv1fZU" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that explains tenants."></a>
+ >[!Video https://www.youtube.com/embed/znSN_3JAuoU]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=zDEC7A5ZS2Q" target="_blank">Role of Azure AD </a>
+ <a href="https://www.youtube.com/watch?v=mDhT4Zv1fZU" target="_blank">Tenants explained </a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=zDEC7A5ZS2Q" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that describes the role of Azure AD."></a>
+ >[!Video https://www.youtube.com/embed/mDhT4Zv1fZU]
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=HEpq_YSmuWw" target="_blank">Role of Azure AD app objects</a>
+ <a href="https://www.youtube.com/watch?v=zDEC7A5ZS2Q" target="_blank">Role of Azure AD </a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=HEpq_YSmuWw" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that describes the role of Azure AD app objects."></a>
+ >[!Video https://www.youtube.com/embed/zDEC7A5ZS2Q]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=E2OUluQQKSk" target="_blank">Organizational and personal Microsoft account differences</a>
+ <a href="https://www.youtube.com/watch?v=HEpq_YSmuWw" target="_blank">Role of Azure AD app objects</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=E2OUluQQKSk" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video about organizational and personal Microsoft account differences."></a>
+ >[!Video https://www.youtube.com/embed/HEpq_YSmuWw]
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=ZJirt7eTVw8" target="_blank">SPA and web app differences</a>
+ <a href="https://www.youtube.com/watch?v=E2OUluQQKSk" target="_blank">Organizational and personal Microsoft account differences</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=ZJirt7eTVw8" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video about SPA and web app differences."></a>
+ >[!Video https://www.youtube.com/embed/E2OUluQQKSk]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=6R3W9T01gdE" target="_blank">What are Application Permissions vs Delegated Permissions?</a>
+ <a href="https://www.youtube.com/watch?v=ZJirt7eTVw8" target="_blank">SPA and web app differences</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=6R3W9T01gdE" target="_blank"> <img src="./media/identity-videos/aad-basics-12.jpg" alt="Video thumbnail for a video about the differences between application permissions and delegated permissions."></a>
+ >[!Video https://www.youtube.com/embed/ZJirt7eTVw8]
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=Gm6sALdXtpg" target="_blank">What is Microsoft identity platform OpenID Connect certified?</a>
+ <a href="https://www.youtube.com/watch?v=6R3W9T01gdE" target="_blank">What are Application Permissions vs Delegated Permissions?</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=Gm6sALdXtpg" target="_blank"> <img src="./media/identity-videos/one-dev-question-hs.jpg" alt="Video thumbnail for a video about Microsoft identity platform OpenID Connect certified."></a>
+ >[!Video https://www.youtube.com/embed/6R3W9T01gdE]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=NrydwrckYaw" target="_blank">What are the different Azure Active Directory app types and how do they compare?</a>
+ <a href="https://www.youtube.com/watch?v=Gm6sALdXtpg" target="_blank">What is Microsoft identity platform OpenID Connect certified?</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=NrydwrckYaw" target="_blank"> <img src="./media/identity-videos/aad-basics-13.jpg" alt="Video thumbnail for a video that compares Azure Active Directory app types."></a>
+ >[!Video https://www.youtube.com/embed/Gm6sALdXtpg]
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=cZKgTqF4o88" target="_blank">If you use MSAL, what essential protocol concepts should you know?</a>
+ <a href="https://www.youtube.com/watch?v=NrydwrckYaw" target="_blank">What are the different Azure Active Directory app types and how do they compare?</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=cZKgTqF4o88" target="_blank"> <img src="./media/identity-videos/one-dev-question-hs.jpg" alt="Video thumbnail for a video about protocol concepts you should know if you use MSAL."></a>
+ >[!Video https://www.youtube.com/embed/NrydwrckYaw]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=41vmzPdbfXM" target="_blank">What is the difference between ID tokens, access tokens, refresh tokens, and session tokens?</a>
+ <a href="https://www.youtube.com/watch?v=cZKgTqF4o88" target="_blank">If you use MSAL, what essential protocol concepts should you know?</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=41vmzPdbfXM" target="_blank"> <img src="./media/identity-videos/aad-auth-fund-08.jpg" alt="Video thumbnail for a video that explains the difference between ID tokens, access tokens, refresh tokens, and session tokens."></a>
+ >[!Video https://www.youtube.com/embed/cZKgTqF4o88]
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=jEEwN7XAtUo" target="_blank">What is the relationship between an authorization request and tokens?</a>
+ <a href="https://www.youtube.com/watch?v=41vmzPdbfXM" target="_blank">What is the difference between ID tokens, access tokens, refresh tokens, and session tokens?</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=jEEwN7XAtUo" target="_blank"> <img src="./media/identity-videos/one-dev-question-hs.jpg" alt="Video thumbnail for a video that describes the relationship between an authorization request and tokens."></a>
+ >[!Video https://www.youtube.com/embed/41vmzPdbfXM]
:::column-end::: :::row-end::: :::row::: :::column:::
- <a href="https://www.youtube.com/watch?v=4pwuRYcZbz4" target="_blank">What aspects of using protocols does the MSAL libraries make easier?</a>
+ <a href="https://www.youtube.com/watch?v=jEEwN7XAtUo" target="_blank">What is the relationship between an authorization request and tokens?</a>
:::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=4pwuRYcZbz4" target="_blank"> <img src="./media/identity-videos/id-for-devs-06.jpg" alt="Video thumbnail for video that describes what aspects of using protocols does the MSAL libraries make easier."></a>
+ >[!Video https://www.youtube.com/embed/jEEwN7XAtUo]
:::column-end::: :::column:::
+ <a href="https://www.youtube.com/watch?v=4pwuRYcZbz4" target="_blank">What aspects of using protocols does the MSAL libraries make easier?</a>
:::column-end::: :::column:::
+ >[!Video https://www.youtube.com/embed/4pwuRYcZbz4]
:::column-end::: :::row-end:::
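Review bot: The `<a ... target="_blank">` title links added throughout this hunk have no `rel` attribute; add `rel="noopener noreferrer"` so the page opened in the new tab gets no `window.opener` handle in browsers that do not imply it. Separately, every removed `<img>` carried descriptive `alt` text and the `>[!Video ...]` embeds that replace them have no text alternative, so the title link in the neighbouring column is now the only label for each video and has to stay paired with its embed.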
@@ -341,13 +331,13 @@ ___
<a href="https://www.youtube.com/watch?v=qpdC45tZYDg" target="_blank">Why migrate from ADAL to MSAL</a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=qpdC45tZYDg" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that explains why to migrate from ADAL to MSAL."></a>
+ >[!Video https://www.youtube.com/embed/qpdC45tZYDg]
:::column-end::: :::column::: <a href="https://www.youtube.com/watch?v=xgL_z9yCnrE" target="_blank">Migrating your ADAL codebase to MSAL</a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=xgL_z9yCnrE" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that describes migrating your ADAL codebase to MSAL."></a>
+ >[!Video https://www.youtube.com/embed/xgL_z9yCnrE]
:::column-end::: :::row-end::: :::row:::
@@ -355,12 +345,12 @@ ___
<a href="https://www.youtube.com/watch?v=q-TDszj2O-4" target="_blank">Advantages of MSAL over ADAL</a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=q-TDszj2O-4" target="_blank"> <img src="./media/identity-videos/one-dev-question-jm.jpg" alt="Video thumbnail for a video that describes the advantages of MSAL over ADAL."></a>
+ >[!Video https://www.youtube.com/embed/q-TDszj2O-4]
:::column-end::: :::column::: <a href="https://www.youtube.com/watch?v=aBMUxC4evhU" target="_blank">What are the differences between v1 and v2 authentication?</a> :::column-end::: :::column:::
- <a href="https://www.youtube.com/watch?v=aBMUxC4evhU" target="_blank"> <img src="./media/identity-videos/one-dev-question-hs.jpg" alt="Video thumbnail"></a>
+ >[!Video https://www.youtube.com/embed/aBMUxC4evhU]
:::column-end::: :::row-end:::
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-spa-implicit-to-auth-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-spa-implicit-to-auth-code.md
@@ -90,5 +90,5 @@ To learn more about the authorization code flow, including the differences betwe
If you'd like to dive deeper into JavaScript single-page application development on the Microsoft identity platform, the multi-part [Scenario: Single-page application](scenario-spa-overview.md) series of articles can help you get started. <!-- LINKS - external -->
-[msal-js-useragentapplication]: https://azuread.github.io/microsoft-authentication-library-for-js/ref/msal-core/modules/_useragentapplication_.html
-[msal-js-publicclientapplication]: https://azuread.github.io/microsoft-authentication-library-for-js/ref/msal-browser/classes/_src_app_publicclientapplication_.publicclientapplication.html
+[msal-js-useragentapplication]: https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal.useragentapplication.html
+[msal-js-publicclientapplication]: https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_browser.publicclientapplication.html
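Review bot: Both replacement reference definitions are again deep links into the generated MSAL.js reference (`.../ref/classes/_azure_msal.useragentapplication.html` and `.../ref/classes/_azure_msal_browser.publicclientapplication.html`), the same kind of path this hunk is repairing after it moved. Confirm that both new URLs resolve before merging, and consider a target less tied to generated file names so the next reference rebuild does not break them again.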
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/support-fido2-authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/support-fido2-authentication.md
@@ -0,0 +1,65 @@
+
+ Title: Support passwordless authentication with FIDO2 keys in apps you develop | Azure
+
+description: This deployment guide explains how to support passwordless authentication with FIDO2 security keys in the applications you develop
+++++++ Last updated : 1/29/2021+
+#
+
+# Customer intent: As a developer, I want to know how to support FIDO2 authentication in my apps
++
+# Support passwordless authentication with FIDO2 keys in apps you develop
+
+These configurations and best practices will help you avoid common scenarios that block [FIDO2 passwordless authentication](../../active-directory/authentication/concept-authentication-passwordless.md) from being available to users of your applications.
+
+## General best practices
+
+### Domain hints
+
+Don't use a domain hint to bypass [home-realm discovery](../../active-directory/manage-apps/configure-authentication-for-federated-users-portal.md). This feature is meant to make sign-ins more streamlined, but the federated identity provider may not support passwordless authentication.
+
+### Requiring specific credentials
+
+If you are using SAML, do not specify that a password is required [using the RequestedAuthnContext element](single-sign-on-saml-protocol.md#requestauthncontext).
+
+The RequestedAuthnContext element is optional, so to resolve this you can remove it from your SAML authentication requests. This is a general best practice, as using this element can also prevent other authentication options like multi-factor authentication from working correctly.
+
+### Using the most recently used authentication method
+
+The sign-in method that was most recently used by a user will be presented to them first. This may cause confusion when users believe they must use the first option presented. However, they can choose another option by selecting "Other ways to sign in" as shown below.
++
+## Platform-specific best practices
+
+### Desktop
+
+The recommended options for implementing authentication are, in order:
+
+- .NET desktop applications that are using the Microsoft Authentication Library (MSAL) should use the Windows Authentication Manager (WAM). This integration and its benefits are [documented on GitHub](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/wam).
+- Use [WebView2](https://docs.microsoft.com/microsoft-edge/webview2/) to support FIDO2 in an embedded browser.
+- Use the system browser. The MSAL libraries for desktop platforms use this method by default. You can consult our page on FIDO2 browser compatibility to ensure the browser you use supports FIDO2 authentication.
+
+### Mobile
+
+As of February 2020, FIDO2 is not currently supported for native iOS or Android apps, but it is in development.
+
+To prepare applications for its availability, and as a general best practice, iOS and Android applications should use MSAL with its default configuration of using the system web browser.
+
+If you are not using MSAL, you should still use the system web browser for authentication. Features such as single sign-on and conditional access rely on a shared web surface provided by the system web browser. This means using [Chrome Custom Tabs](https://developer.chrome.com/docs/multidevice/android/customtabs/) (Android) or [Authenticating a User Through a Web Service | Apple Developer Documentation](https://developer.apple.com/documentation/authenticationservices/authenticating_a_user_through_a_web_service) (iOS).
+
+### Web and single-page apps
+
+The availability of FIDO2 passwordless authentication for applications that run in a web browser will depend on the combination of browser and platform. You can consult our [FIDO2 compatibility matrix](../authentication/fido2-compatibility.md) to check if the combination your users will encounter is supported.
+
+## Next steps
+
+[Passwordless authentication options for Azure Active Directory](../../active-directory/authentication/concept-authentication-passwordless.md)
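Review bot: In the Mobile section, "As of February 2020, FIDO2 is not currently supported for native iOS or Android apps" conflicts with the article's own "Last updated : 1/29/2021" metadata; check the year, and drop "currently", which duplicates "As of". In Desktop, the options introduced with "are, in order:" are bulleted, so use a numbered list to carry the ranking, and link "our page on FIDO2 browser compatibility" the way the Web section links `../authentication/fido2-compatibility.md`. Also check that the fragment `#requestauthncontext` matches the target heading, since the element is spelled RequestedAuthnContext in the link text.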
active-directory https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-federated-domains.md
@@ -95,7 +95,7 @@ If you don't use WPAD and want to configure proxy settings on your computer, you
If your organization requires access to the internet via an authenticated outbound proxy, you must make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, you must configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
-To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
+To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://docs.microsoft.com/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.
## Configure hybrid Azure AD join
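Review bot: The changed sentence still says to verify access "under the system account" without saying how to run the script in that context. The paragraph above states that device registration runs in machine context, so a run under the signed-in user does not exercise the machine-context proxy authentication; state how the script should be launched or link to that step. Also add the missing article ("you can use the [Test Device Registration Connectivity](...) script"). The same link replacement is made in the managed-domains and manual hybrid join articles.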
active-directory https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-managed-domains.md
@@ -81,7 +81,7 @@ If you don't use WPAD, you can configure WinHTTP proxy settings on your computer
If your organization requires access to the internet via an authenticated outbound proxy, make sure that your Windows 10 computers can successfully authenticate to the outbound proxy. Because Windows 10 computers run device registration by using machine context, configure outbound proxy authentication by using machine context. Follow up with your outbound proxy provider on the configuration requirements.
-Verify the device can access the above Microsoft resources under the system account by using the [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
+Verify the device can access the above Microsoft resources under the system account by using the [Test Device Registration Connectivity](https://docs.microsoft.com/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.
## Configure hybrid Azure AD join
active-directory https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/hybrid-azuread-join-manual.md
@@ -73,7 +73,7 @@ For Windows 10 devices on version 1703 or earlier, if your organization requires
Beginning with Windows 10 1803, even if a hybrid Azure AD join attempt by a device in a federated domain through AD FS fails, and if Azure AD Connect is configured to sync the computer/device objects to Azure AD, the device will try to complete the hybrid Azure AD join by using the synced computer/device.
-To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://gallery.technet.microsoft.com/Test-Device-Registration-3dc944c0) script.
+To verify if the device is able to access the above Microsoft resources under the system account, you can use [Test Device Registration Connectivity](https://docs.microsoft.com/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/) script.
## Verify configuration steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/b2b-fundamentals.md
@@ -6,7 +6,7 @@
Previously updated : 11/30/2020 Last updated : 02/12/2021
@@ -20,7 +20,7 @@
This article contains recommendations and best practices for business-to-business (B2B) collaboration in Azure Active Directory (Azure AD). > [!IMPORTANT]
- > **Starting March 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged ("viral" or "just-in-time") Azure AD accounts and tenants for B2B collaboration scenarios. At that time, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, you have the option of disabling this feature if you choose not to use it. For details, see [Email one-time passcode authentication](one-time-passcode.md)
+ > **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged ("viral" or "just-in-time") Azure AD accounts and tenants for B2B collaboration scenarios. At that time, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, you have the option of disabling this feature if you choose not to use it. For details, see [Email one-time passcode authentication](one-time-passcode.md)
## B2B recommendations
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/delegate-invitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/delegate-invitations.md
@@ -6,7 +6,7 @@
Previously updated : 11/30/2020 Last updated : 02/12/2021
@@ -43,8 +43,6 @@ By default, all users, including guests, can invite guest users.
4. Under **Guest user access restrictions (Preview)**, choose the level of access you want guest users to have:
- ![Guest user access restrictions settings](./media/delegate-invitations/guest-user-access.png)
- - **Guest users have the same access as members (most inclusive)**: This option gives guests the same access to Azure AD resources and directory data as member users. - **Guest users have limited access to properties and memberships of directory objects**: (Default) This setting blocks guests from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all non-hidden groups.
@@ -67,13 +65,11 @@ By default, all users, including guests, can invite guest users.
6. Under **Email one-time passcode for guests**, choose the appropriate settings (for more information, see [Email one-time passcode authentication](one-time-passcode.md)):
- ![Email one-time passcode settings](./media/delegate-invitations/email-otp-settings.png)
-
- - **Automatically enable email one-time passcode for guests in March 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in March 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.
+ - **Automatically enable email one-time passcode for guests in October 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in October 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.
- **Enable email one-time passcode for guests effective now**. Turns on the email one-time passcode feature for your tenant.
- - **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in March 2021.
+ - **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in October 2021.
> [!NOTE] > Instead of the options above, you'll see the following toggle if you've enabled or disabled this feature or if you've previously opted in to the preview:
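Review bot: The bold option names changed in this hunk ("Automatically enable email one-time passcode for guests in October 2021") are quoted portal labels, so confirm the portal string already shows October 2021 before this ships; otherwise readers will look for an option that is not on screen. With the `email-otp-settings.png` screenshot removed in the same hunk, the text is now the only reference for those labels.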
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/faq.md
@@ -6,7 +6,7 @@
Previously updated : 09/23/2020 Last updated : 02/12/2021
@@ -22,7 +22,7 @@ These frequently asked questions (FAQs) about Azure Active Directory (Azure AD)
> [!IMPORTANT] > - **Starting January 4, 2021**, Google is [deprecating WebView sign-in support](https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html). If youΓÇÖre using Google federation or self-service sign-up with Gmail, you should [test your line-of-business native applications for compatibility](google-federation.md#deprecation-of-webview-sign-in-support).
-> - **Starting March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
+> - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
### Can we customize our sign-in page so it's more intuitive for our B2B collaboration guest users? Absolutely! See our [blog post about this feature](https://blogs.technet.microsoft.com/enterprisemobility/2017/04/07/improving-the-branding-logic-of-azure-ad-login-pages/). For more information about how to customize your organization's sign-in page, see [Add company branding to sign in and Access Panel pages](../fundamentals/customize-branding.md).
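Review bot: The replacement turns "Starting March 31, 2021" into "Starting October 2021", which drops the day. Say whether the cutoff is the start or the end of October, or give the date, because tenants that still rely on redemption through unmanaged accounts need a deadline to plan against. The same sentence is changed the same way in the redemption-experience and troubleshoot articles.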
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/one-time-passcode.md
@@ -7,7 +7,7 @@
Previously updated : 12/18/2020 Last updated : 02/12/2021
@@ -24,7 +24,7 @@ This article describes how to enable email one-time passcode authentication for
![Email one-time passcode overview diagram](media/one-time-passcode/email-otp.png) > [!IMPORTANT]
-> **Starting March 2021**, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. If you don't want to allow this feature to turn on automatically, you can disable it. See [Disable email one-time passcode](#disable-email-one-time-passcode) below.
+> **Starting October 2021**, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. If you don't want to allow this feature to turn on automatically, you can disable it. See [Disable email one-time passcode](#disable-email-one-time-passcode) below.
> [!NOTE] > One-time passcode users must sign in using a link that includes the tenant context (for example, `https://myapps.microsoft.com/?tenantid=<tenant id>` or `https://portal.azure.com/<tenant id>`, or in the case of a verified domain, `https://myapps.microsoft.com/<verified domain>.onmicrosoft.com`). Direct links to applications and resources also work as long as they include the tenant context. Guest users are currently unable to sign in using endpoints that have no tenant context. For example, using `https://myapps.microsoft.com`, `https://portal.azure.com` will result in an error.
@@ -69,7 +69,7 @@ Guest user teri@gmail.com is invited to Fabrikam, which does not have Google fed
## Disable email one-time passcode
-Starting March 2021, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. At that time, Microsoft will no longer support the redemption of invitations by creating unmanaged ("viral" or "just-in-time") Azure AD accounts and tenants for B2B collaboration scenarios. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, you have the option of disabling this feature if you choose not to use it.
+Starting October 2021, the email one-time passcode feature will be turned on for all existing tenants and enabled by default for new tenants. At that time, Microsoft will no longer support the redemption of invitations by creating unmanaged ("viral" or "just-in-time") Azure AD accounts and tenants for B2B collaboration scenarios. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, you have the option of disabling this feature if you choose not to use it.
> [!NOTE] >
@@ -85,10 +85,8 @@ Starting March 2021, the email one-time passcode feature will be turned on for a
4. Under **Email one-time passcode for guests**, select **Disable email one-time passcode for guests**.
- ![Email one-time passcode settings](media/one-time-passcode/otp-admin-settings.png)
- > [!NOTE]
- > If you see the following toggle instead of the options shown above, this means you've previously enabled, disabled, or opted into the preview of the feature. Select **No** to disable the feature.
+ > If you see the following toggle instead of the email one-time passcode options, this means you've previously enabled, disabled, or opted into the preview of the feature. Select **No** to disable the feature.
> >![Enable Email one-time passcode opted in](media/delegate-invitations/enable-email-otp-opted-in.png)
@@ -96,14 +94,14 @@ Starting March 2021, the email one-time passcode feature will be turned on for a
## Note for public preview customers
-If you've previously opted in to the email one-time passcode public preview, the March 2021 date for automatic feature enablement doesn't apply to you, so your related business processes won't be affected. Additionally, in the Azure portal, under the **Email one-time passcode for guests** properties, you won't see the option to **Automatically enable email one-time passcode for guests in March 2021**. Instead, you'll see the following **Yes** or **No** toggle:
+If you've previously opted in to the email one-time passcode public preview, the October 2021 date for automatic feature enablement doesn't apply to you, so your related business processes won't be affected. Additionally, in the Azure portal, under the **Email one-time passcode for guests** properties, you won't see the option to **Automatically enable email one-time passcode for guests in October 2021**. Instead, you'll see the following **Yes** or **No** toggle:
![Enable Email one-time passcode opted in](media/delegate-invitations/enable-email-otp-opted-in.png)
-However, if you'd prefer to opt out of the feature and allow it to be automatically enabled in March 2021, you can revert to the default settings by using the Microsoft Graph API [email authentication method configuration resource type](/graph/api/resources/emailauthenticationmethodconfiguration). After you revert to the default settings, the following options will be available under **Email one-time passcode for guests**:
+However, if you'd prefer to opt out of the feature and allow it to be automatically enabled in October 2021, you can revert to the default settings by using the Microsoft Graph API [email authentication method configuration resource type](/graph/api/resources/emailauthenticationmethodconfiguration). After you revert to the default settings, the following options will be available under **Email one-time passcode for guests**:
-- **Automatically enable email one-time passcode for guests in March 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in March 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.
+- **Automatically enable email one-time passcode for guests in October 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in October 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.
- **Enable email one-time passcode for guests effective now**. Turns on the email one-time passcode feature for your tenant. -- **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in March 2021.
+- **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in October 2021.
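Review bot: The changed sentence "if you'd prefer to opt out of the feature and allow it to be automatically enabled in October 2021" reads as a contradiction; it appears to mean opting out of the public preview, so say that. It also tells the reader to "revert to the default settings by using the Microsoft Graph API" with only a link to the resource type; name the request and the value to set, or link to a how-to that does.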
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/redemption-experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/redemption-experience.md
@@ -7,7 +7,7 @@
Previously updated : 05/11/2020 Last updated : 02/12/2021
@@ -25,7 +25,7 @@ When you add a guest user to your directory, the guest user account has a consen
> [!IMPORTANT] > - **Starting January 4, 2021**, Google is [deprecating WebView sign-in support](https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html). If youΓÇÖre using Google federation or self-service sign-up with Gmail, you should [test your line-of-business native applications for compatibility](google-federation.md#deprecation-of-webview-sign-in-support).
- > - **Starting March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
+ > - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
## Redemption through the invitation email
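Review bot: the replacement line trades an exact date for a month: "Starting March 31, 2021" becomes "Starting October 2021", so a tenant admin planning the cutover no longer knows which day unmanaged-account redemption stops. Give the day if it is known, or write "during October 2021" so it is not read as October 1. The same sentence still asks customers to opt into email one-time passcode while calling it a "public preview feature"; confirm that status is still accurate.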
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/troubleshoot.md
@@ -5,7 +5,7 @@
Previously updated : 12/11/2020 Last updated : 02/12/2021 tags: active-directory
@@ -22,7 +22,7 @@ Here are some remedies for common problems with Azure Active Directory (Azure AD
> [!IMPORTANT] > - **Starting January 4, 2021**, Google is [deprecating WebView sign-in support](https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html). If youΓÇÖre using Google federation or self-service sign-up with Gmail, you should [test your line-of-business native applications for compatibility](google-federation.md#deprecation-of-webview-sign-in-support).
- > - **Starting March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
+ > - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
## IΓÇÖve added an external user but do not see them in my Global Address Book or in the people picker
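Review bot: the unmanaged-account sentence changed here is edited identically in four articles in this batch (redemption-experience, troubleshoot, user-properties, what-is-b2b), which is how a retirement date drifts out of sync between pages. Move the sentence into a shared include so the date is changed in one place.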
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/user-properties.md
@@ -6,7 +6,7 @@
Previously updated : 06/19/2020 Last updated : 02/12/2021
@@ -25,7 +25,7 @@ Depending on the inviting organization's needs, an Azure AD B2B collaboration us
- State 1: Homed in an external instance of Azure AD and represented as a guest user in the inviting organization. In this case, the B2B user signs in by using an Azure AD account that belongs to the invited tenant. If the partner organization doesn't use Azure AD, the guest user in Azure AD is still created. The requirements are that they redeem their invitation and Azure AD verifies their email address. This arrangement is also called a just-in-time (JIT) tenancy or a "viral" tenancy. > [!IMPORTANT]
- > **Starting March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
+ > **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
- State 2: Homed in a Microsoft or other account and represented as a guest user in the host organization. In this case, the guest user signs in with a Microsoft account or a social account (google.com or similar). The invited user's identity is created as a Microsoft account in the inviting organizationΓÇÖs directory during offer redemption.
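Review bot: the State 1 bullet above the changed note still describes the behavior being retired as current: "If the partner organization doesn't use Azure AD, the guest user in Azure AD is still created" and "also called a just-in-time (JIT) tenancy or a "viral" tenancy". Only the date in the note moves here, so after October 2021 the bullet and the note will contradict each other. Add a sentence to State 1 saying what replaces it (the note points to email one-time passcode), or flag the bullet for an update on the retirement date.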
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/what-is-b2b.md
@@ -6,7 +6,7 @@
Previously updated : 08/05/2020 Last updated : 02/12/2021
@@ -22,7 +22,7 @@ Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a
> [!IMPORTANT] > - **Starting January 4, 2021**, Google is [deprecating WebView sign-in support](https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html). If youΓÇÖre using Google federation or self-service sign-up with Gmail, you should [test your line-of-business native applications for compatibility](google-federation.md#deprecation-of-webview-sign-in-support).
-> - **Starting March 31, 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
+> - **Starting October 2021**, Microsoft will no longer support the redemption of invitations by creating unmanaged Azure AD accounts and tenants for B2B collaboration scenarios. In preparation, we encourage customers to opt into [email one-time passcode authentication](one-time-passcode.md). We welcome your feedback on this public preview feature and are excited to create even more ways to collaborate.
## Collaborate with any partner using their identities
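Review bot: the first bullet of this IMPORTANT block, left untouched, still reads "Starting January 4, 2021, Google is deprecating WebView sign-in support" in an article now stamped "Last updated : 02/12/2021". Since the block is being edited anyway, reword that bullet for a date that has already passed, or confirm the date still holds.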
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
@@ -40,17 +40,17 @@ However, if youΓÇÖd like all the latest features and updates, the best way to se
Please follow this link to read more about [auto upgrade](how-to-connect-install-automatic-upgrade.md) >[!IMPORTANT]
-> Starting on November 1st, 2020, we will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time we will begin this process by deprecating all releases of Azure AD Connect with version 1.3.20.0 (which was released on 4/24/2019) and older, and we will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.
+> Starting on April 1st, 2024, we will retire versions of Azure AD Connect that were released before May 1st, 2018 - version 1.1.751.0 and older.
> > You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. >
->If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support we may not be able to provide you with the level of service your organization needs.
+>If you run a retired version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support we may not be able to provide you with the level of service your organization needs.
>
->If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.
+ > >Please refer to [this article](./how-to-upgrade-previous-version.md) to learn more about how to upgrade Azure AD Connect to the latest version. >
->For version history information on deprecated versions, see [Azure AD Connect version release history archive](reference-connect-version-history-archive.md)
+>For version history information on retired versions, see [Azure AD Connect version release history archive](reference-connect-version-history-archive.md)
## 1.5.45.0
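Review bot: the new first line replaces a rolling rule (releases older than 18 months, starting with 1.3.20.0 and older from November 1st, 2020) with a single cutoff (released before May 1st, 2018, version 1.1.751.0 and older, retired April 1st, 2024) and says nothing about the releases in between. State whether versions newer than 1.1.751.0 up to 1.3.20.0 remain deprecated or are supported. The line about Health notifications warning of upcoming deprecations is also removed and replaced by an empty quote line; say how admins on an old version will now be notified, since the block itself warns that such versions "may not have the latest security fixes". The wording also switches from "deprecated" to "retired" without defining the difference.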
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
@@ -208,7 +208,7 @@ Managed identity type | All Generally Available<br>Global Azure Regions | Azure
| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] | | User assigned | Not available | Not available | Not available | Not available |
-Refer to the following list to configure managed identity for Azure Data Factory V2 (in regions where available):
+Refer to the following list to configure managed identity for Azure IoT Hub (in regions where available):
- [Azure portal](../../iot-hub/virtual-network-support.md#turn-on-managed-identity-for-iot-hub)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
@@ -111,7 +111,7 @@ The [Authentication administrator](#authentication-administrator) and [Privilege
> [!IMPORTANT] > This role is not currently capable of managing MFA settings in the legacy MFA management portal.
-### [Azure AD Joined Device Local Administrator](#azure-ad-joined-device-local-administrator-permissions)/Device Administrators
+### [Azure AD Joined Device Local Administrator](#azure-ad-joined-device-local-administrator-permissions)
This role is available for assignment only as an additional local administrator in [Device settings](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/DeviceSettings/menuId/). Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects in Azure Active Directory.
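Review bot: the heading drops the alias "Device Administrators" and nothing in the hunk records the former name. The Dynamics 365 entry further down keeps a NOTE giving the name used in the Microsoft Graph API and Azure AD PowerShell; add the same kind of note here if this role is still exposed under the old name, so admins auditing local-administrator assignments by role name can still find this entry.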
@@ -210,14 +210,14 @@ Users in this role can read and update basic information of users, groups, and s
Users with this role can manage (read, add, verify, update, and delete) domain names. They can also read directory information about users, groups, and applications, as these objects possess domain dependencies. For on-premises environments, users with this role can configure domain names for federation so that associated users are always authenticated on-premises. These users can then sign into Azure AD-based services with their on-premises passwords via single sign-on. Federation settings need to be synced via Azure AD Connect, so users also have permissions to manage Azure AD Connect.
-### [Dynamics 365 administrator / CRM Administrator](#crm-service-administrator-permissions)
+### [Dynamics 365 administrator](#dynamics-365-administrator-permissions)
Users with this role have global permissions within Microsoft Dynamics 365 Online, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at [Use the service admin role to manage your Azure AD organization](/dynamics365/customer-engagement/admin/use-service-admin-role-manage-tenant). > [!NOTE] > In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Dynamics 365 Service Administrator." It is "Dynamics 365 Administrator" in the [Azure portal](https://portal.azure.com).
-### [Exchange Administrator](#exchange-service-administrator-permissions)
+### [Exchange Administrator](#exchange-administrator-permissions)
Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at [About Microsoft 365 admin roles](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d).
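Review bot: both heading links in this hunk change their fragment (`#crm-service-administrator-permissions` to `#dynamics-365-administrator-permissions`, `#exchange-service-administrator-permissions` to `#exchange-administrator-permissions`), and later hunks do the same for Intune, Power BI, SharePoint and Skype for Business. Any article or bookmark that deep-links to the old fragments will land at the top of the page with no error. Search the repo for the old fragments before merging. The Exchange entry could also carry a NOTE like the Dynamics 365 one, stating the name used in the Microsoft Graph API and Azure AD PowerShell if it differs from the heading.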
@@ -296,7 +296,7 @@ Users in this role can access the full set of administrative capabilities in the
### [Insights Business Leader](#insights-business-leader-permissions) Users in this role can access a set of dashboards and insights via the [M365 Insights application](https://go.microsoft.com/fwlink/?linkid=2129521). This includes full access to all dashboards and presented insights and data exploration functionality. Users in this role do not have access to product configuration settings, which is the responsibility of the Insights Admin role.
-### [Intune Administrator](#intune-service-administrator-permissions)
+### [Intune Administrator](#intune-administrator-permissions)
Users with this role have global permissions within Microsoft Intune Online, when the service is present. Additionally, this role contains the ability to manage users and devices in order to associate policy, as well as create and manage groups. More information at [Role-based administration control (RBAC) with Microsoft Intune](/intune/role-based-access-control).
@@ -357,7 +357,7 @@ Do not use. This role has been deprecated and will be removed from Azure AD in t
Users with this role have limited ability to manage passwords. This role does not grant the ability to manage service requests or monitor service health. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. For a list of the roles that a Password Administrator can reset passwords for, see [Password reset permissions](#password-reset-permissions).
-### [Power BI Administrator](#power-bi-service-administrator-permissions)
+### [Power BI Administrator](#power-bi-administrator-permissions)
Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. More information at [Understanding the Power BI admin role](/power-bi/service-admin-role).
@@ -479,7 +479,7 @@ Users with this role can open support requests with Microsoft for Azure and Micr
> [!NOTE] > Previously, this role was called "Service Administrator" in [Azure portal](https://portal.azure.com) and [Microsoft 365 admin center](https://admin.microsoft.com). We have renamed it to "Service Support Administrator" to align with the exsiting name in Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell.
-### [SharePoint Administrator](#sharepoint-service-administrator-permissions)
+### [SharePoint Administrator](#sharepoint-administrator-permissions)
Users with this role have global permissions within Microsoft SharePoint Online, when the service is present, as well as the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. More information at [About admin roles](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d).
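Review bot: the NOTE in the context just above the changed heading has a typo, "exsiting" for "existing". Fix it while this section is open.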
@@ -489,7 +489,7 @@ Users with this role have global permissions within Microsoft SharePoint Online,
> [!NOTE] > This role also grants scoped permissions to the Microsoft Graph API for Microsoft Intune, allowing the management and configuration of policies related to SharePoint and OneDrive resources.
-### [Skype for Business / Lync Administrator](#lync-service-administrator-permissions)
+### [Skype for Business Administrator](#skype-for-business-administrator-permissions)
Users with this role have global permissions within Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and monitor service health, and to access the Teams and Skype for Business Admin Center. The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. More information at [About the Skype for Business admin role](https://support.office.com/article/about-the-skype-for-business-admin-role-aeb35bda-93fc-49b1-ac2c-c74fbeb737b5) and Teams licensing information at [Skype for Business and Microsoft Teams add-on licensing](/skypeforbusiness/skype-for-business-and-microsoft-teams-add-on-licensing/skype-for-business-and-microsoft-teams-add-on-licensing)
@@ -858,23 +858,6 @@ Can manage Conditional Access capabilities.
> | microsoft.directory/policies/conditionalAccess/policiesAppliedTo/read | Read policies.conditionalAccess property in Azure Active Directory. | > | microsoft.directory/policies/conditionalAccess/tenantDefault/update | Update policies.conditionalAccess property in Azure Active Directory. |
-### CRM Service Administrator permissions
-
-Can manage all aspects of the Dynamics 365 product.
-
-> [!NOTE]
-> This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
-
-> [!div class="mx-tableFixed"]
-> | Actions | Description |
-> | | |
-> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
-> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
-> | microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365. |
-> | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
-> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
-> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
- ### Customer LockBox Access Approver permissions Can approve Microsoft support requests to access customer organizational data.
@@ -1043,7 +1026,24 @@ Can manage domain names in cloud and on-premises.
> | microsoft.directory/domains/allProperties/allTasks | Create and delete domains, and read and update all properties in Azure Active Directory. | > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
-### Exchange Service Administrator permissions
+### Dynamics 365 Administrator permissions
+
+Can manage all aspects of the Dynamics 365 product.
+
+> [!NOTE]
+> This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
+> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets for directory-level services. |
+> | microsoft.powerApps.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365. |
+> | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
+> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
+> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
+
+### Exchange Administrator permissions
Can manage all aspects of the Exchange product.
@@ -1169,6 +1169,7 @@ Can manage all aspects of Azure AD and Microsoft services that use Azure AD iden
> | microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read all resources in microsoft.windows.defenderAdvancedThreatProtection. | ### Global Reader permissions+ Can read everything that a Global Administrator can, but not edit anything. > [!NOTE]
@@ -1242,6 +1243,7 @@ Can read everything that a Global Administrator can, but not edit anything.
> | microsoft.office365.webPortal/allEntities/standard/read | Read standard properties on all resources in microsoft.office365.webPortal. | ### Groups Administrator permissions+ Can manage all aspects of groups and group settings like naming and expiration policies. > [!div class="mx-tableFixed"]
@@ -1264,6 +1266,7 @@ Can manage all aspects of groups and group settings like naming and expiration p
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. | ### Guest Inviter permissions+ Can invite guest users independent of the 'members can invite guests' setting. > [!div class="mx-tableFixed"]
@@ -1363,7 +1366,7 @@ Can view and share dashboards and insights via the M365 Insights app.
> | microsoft.insights/reports/read | View reports and dashboard in Insights app. | > | microsoft.insights/programs/update | Deploy and manage programs in Insights app. |
-### Intune Service Administrator permissions
+### Intune Administrator permissions
Can manage all aspects of the Intune product.
@@ -1431,25 +1434,6 @@ Can manage product licenses on users and groups.
> | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. | > | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
-### Lync Service Administrator permissions
-
-Can manage all aspects of the Skype for Business product.
-
-> [!NOTE]
-> This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
-
-> [!div class="mx-tableFixed"]
-> | Actions | Description |
-> | | |
-> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
-> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
-> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
-> | microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
-> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
-> | microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
-> | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
-- ### Message Center Privacy Reader permissions Can read Message Center posts, data privacy messages, groups, domains and subscriptions.
@@ -1465,6 +1449,7 @@ Can read Message Center posts, data privacy messages, groups, domains and subscr
> | microsoft.office365.messageCenter/securityMessages/read | Read securityMessages in microsoft.office365.messageCenter. | ### Message Center Reader permissions+ Can read messages and updates for their organization in Message Center only. > [!NOTE]
@@ -1477,6 +1462,7 @@ Can read messages and updates for their organization in Message Center only.
> | microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. | ### Modern Commerce User permissions+ Can manage commercial purchases for a company, department or team. > [!NOTE]
@@ -1490,8 +1476,8 @@ Can manage commercial purchases for a company, department or team.
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and view own Office 365 support tickets. | > | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. | - ### Network Administrator permissions+ Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. > [!NOTE]
@@ -1504,6 +1490,7 @@ Can manage network locations and review enterprise network design insights for M
> | microsoft.office365.network/locations/allProperties/allTasks | Read and configure network locations properties for each location. | ### Office Apps Administrator permissions+ Can manage Office apps' cloud services, including policy and settings management, and manage the ability to select, unselect and publish "what's new" feature content to end-user's devices. > [!NOTE]
@@ -1626,7 +1613,7 @@ Can reset passwords for non-administrators and Password administrators.
> | microsoft.directory/users/password/update | Update passwords for all users in Azure Active Directory. See online documentation for more detail. | > | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
-### Power BI Service Administrator permissions
+### Power BI Administrator permissions
Can manage all aspects of the Power BI product.
@@ -1643,7 +1630,6 @@ Can manage all aspects of the Power BI product.
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. | > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. | - ### Power Platform Administrator permissions Can create and manage all aspects of Microsoft Dynamics 365, PowerApps and Power Automate.
@@ -1826,7 +1812,6 @@ Creates and manages security events.
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. | > | microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read and configure Windows Defender Advanced Threat Protection. | - ### Security Reader permissions Can read security information and reports in Azure AD and Microsoft 365.
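Review bot: the context row above the removed blank line describes `microsoft.windows.defenderAdvancedThreatProtection/allEntities/read` as "Read and configure Windows Defender Advanced Threat Protection", but the action ends in `/read`, and the table that precedes Global Reader earlier in this file describes the same action as "Read all resources in microsoft.windows.defenderAdvancedThreatProtection". Anyone sizing this role for least privilege will read the row as granting configuration rights. Align the description with the action while this section is being tidied.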
@@ -1866,7 +1851,7 @@ Can read service health information and manage support tickets.
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. | > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
-### SharePoint Service Administrator permissions
+### SharePoint Administrator permissions
Can manage all aspects of the SharePoint service.
@@ -1891,6 +1876,24 @@ Can manage all aspects of the SharePoint service.
> | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports. | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in microsoft.office365.webPortal. |
+### Skype for Business Administrator permissions
+
+Can manage all aspects of the Skype for Business product.
+
+> [!NOTE]
+> This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | | |
+> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. |
+> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets. |
+> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
+> | microsoft.office365.skypeForBusiness/allEntities/allTasks | Manage all aspects of Skype for Business Online. |
+> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
+> | microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
+> | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |
+ ### Teams Administrator permissions Can manage the Microsoft Teams service.
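Review bot: the added Skype for Business table describes `microsoft.azure.supportTickets/allEntities/allTasks` as "Create and manage Azure support tickets.", while the Dynamics 365 Administrator table added in this same commit describes the identical action as "Create and manage Azure support tickets for directory-level services." Both tables are moved verbatim from their old sections, so the mismatch predates this change, but one action should have one description. The usage-reports action also differs from the SharePoint table in the context just above (`usageReports/allEntities/read` here, `usageReports/allEntities/allProperties/read` there); confirm both strings are correct.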
@@ -1984,6 +1987,7 @@ Can perform management related tasks on Teams certified devices.
> | microsoft.teams/devices/basic/read | Manage all aspects of Teams-certified devices including configuration policies. | ### Usage Summary Reports Reader permissions+ Can see only tenant level aggregates in M365 Usage Analytics and Productivity Score. > [!div class="mx-tableFixed"]
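Review bot: the context row ahead of the new blank line pairs the action `microsoft.teams/devices/basic/read` with the description "Manage all aspects of Teams-certified devices including configuration policies." A `basic/read` action described as full management misstates what the role grants in one direction or the other. Check which of the two is wrong and correct it in this pass.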
@@ -1993,6 +1997,7 @@ Can see only tenant level aggregates in M365 Usage Analytics and Productivity Sc
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in microsoft.office365.webPortal.| ### User Administrator permissions+ Can manage all aspects of users and groups, including resetting passwords for limited admins. > [!div class="mx-tableFixed"]
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/absorblms-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/absorblms-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 04/02/2019 Last updated : 02/05/2021 # Tutorial: Azure Active Directory integration with Absorb LMS
-In this tutorial, you learn how to integrate Absorb LMS with Azure Active Directory (Azure AD).
-Integrating Absorb LMS with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Absorb LMS with Azure Active Directory (Azure AD). When you integrate Absorb LMS with Azure AD, you can:
-* You can control in Azure AD who has access to Absorb LMS.
-* You can enable your users to be automatically signed-in to Absorb LMS (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Absorb LMS.
+* Enable your users to be automatically signed-in to Absorb LMS with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Absorb LMS, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Absorb LMS single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Absorb LMS single sign-on enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
@@ -40,79 +36,60 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Absorb LMS supports **IDP** initiated SSO
-## Adding Absorb LMS from the gallery
-
-To configure the integration of Absorb LMS into Azure AD, you need to add Absorb LMS from the gallery to your list of managed SaaS apps.
-
-**To add Absorb LMS from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Absorb LMS**, select **Absorb LMS** from result panel then click **Add** button to add the application.
-
- ![Absorb LMS in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Absorb LMS based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Absorb LMS needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with Absorb LMS, you need to complete the following building blocks:
+## Add Absorb LMS from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Absorb LMS Single Sign-On](#configure-absorb-lms-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Absorb LMS test user](#create-absorb-lms-test-user)** - to have a counterpart of Britta Simon in Absorb LMS that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Absorb LMS into Azure AD, you need to add Absorb LMS from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Absorb LMS** in the search box.
+1. Select **Absorb LMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Absorb LMS
-To configure Azure AD single sign-on with Absorb LMS, perform the following steps:
+Configure and test Azure AD SSO with Absorb LMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Absorb LMS.
-1. In the [Azure portal](https://portal.azure.com/), on the **Absorb LMS** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Absorb LMS, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Absorb LMS SSO](#configure-absorb-lms-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Absorb LMS test user](#create-absorb-lms-test-user)** - to have a counterpart of B.Simon in Absorb LMS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Absorb LMS** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **Basic SAML Configuration** dialog.
- ![Absorb LMS Domain and URLs single sign-on information](common/idp-intiated.png)
- If you are using **Absorb 5 - UI** use the following configuration:
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://company.myabsorb.com/account/saml`
+ a. In the **Identifier** text box, type a URL using the following pattern::
+ `https://<SUBDOMAIN>.myabsorb.com/account/saml`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://company.myabsorb.com/account/saml`
+ b. In the **Reply URL** text box, type a URL using the following pattern::
+ `https://<SUBDOMAIN>.myabsorb.com/account/saml`
If you are using **Absorb 5 - New Learner Experience** use the following configuration: a. In the **Identifier** text box, type a URL using the following pattern:
- `https://company.myabsorb.com/api/rest/v2/authentication/saml`
+ `https://<SUBDOMAIN>.myabsorb.com/api/rest/v2/authentication/saml`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://company.myabsorb.com/api/rest/v2/authentication/saml`
+ b. In the **Reply URL** text box, type a URL using the following pattern: :
+ `https://<SUBDOMAIN>.myabsorb.com/api/rest/v2/authentication/saml`
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Absorb LMS Client support team](https://support.absorblms.com/hc/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
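Review bot: The added note saying the Identifier "is a fixed string value so only one instance can be configured in one tenant" conflicts with the Identifier steps later in this same hunk, which give a per-customer pattern (`https://<SUBDOMAIN>.myabsorb.com/account/saml`) and are followed by the note that these values "are not real". Either drop the new note or state which value is actually fixed. The added Identifier and Reply URL lines also end in `pattern::` (and `pattern: :` in the New Learner Experience block), so restore the single colon. The unchanged step 4 ("click **Edit** button to open **Basic SAML Configuration** dialog") now repeats the new pencil-icon step 3 and should be reworded or removed.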
@@ -129,27 +106,45 @@ To configure Azure AD single sign-on with Absorb LMS, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
- b. Azure AD Identifier
+In this section, you'll create a test user in the Azure portal called B.Simon.
- c. Logout URL
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
-### Configure Absorb LMS Single Sign-On
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Absorb LMS.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Absorb LMS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Absorb LMS SSO
1. In a new web browser window, sign in to your Absorb LMS company site as an administrator. 2. Select the **Account** button at the top right.
- ![The Account button](./media/absorblms-tutorial/1.png)
+ ![The Account button](./media/absorblms-tutorial/account.png)
3. In the Account pane, select **Portal Settings**.
- ![The Portal Settings link](./media/absorblms-tutorial/2.png)
+ ![The Portal Settings link](./media/absorblms-tutorial/portal.png)
4. Select the **Manage SSO Settings** tab.
- ![The Users tab](./media/absorblms-tutorial/managesso.png)
+ ![The Users tab](./media/absorblms-tutorial/sso.png)
5. On the **Manage Single Sign-On Settings** page, do the following:
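Review bot: Removing the `a. Login URL`, `b. Azure AD Identifier`, `c. Logout URL` list directly under the `copy-configuration-urls.png` screenshot leaves the image as the only indication of which values the reader should copy. Keep the list unless the step text above the image already names those three values. In the added test-user steps, "write down the value that's displayed in the **Password** box" would read better as an instruction to record the initial password somewhere protected. The retained alt text "The Users tab" on the renamed `sso.png` also does not match the step it illustrates (**Manage SSO Settings** tab).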
@@ -177,57 +172,6 @@ To configure Azure AD single sign-on with Absorb LMS, perform the following step
![The Only Allow SSO Login toggle](./media/absorblms-tutorial/save.png)
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon\@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Absorb LMS.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Absorb LMS**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **Absorb LMS**.
-
- ![The Absorb LMS link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Absorb LMS test user For Azure AD users to sign in to Absorb LMS, they must be set up in Absorb LMS. In the case of Absorb LMS, provisioning is a manual task.
@@ -238,11 +182,11 @@ For Azure AD users to sign in to Absorb LMS, they must be set up in Absorb LMS.
2. In the **Users** pane, select **Users**.
- ![The Users link](./media/absorblms-tutorial/absorblms_userssub.png)
+ ![The Users link](./media/absorblms-tutorial/users.png)
3. Select **User** tab.
- ![The Add New drop-down list](./media/absorblms-tutorial/absorblms_createuser.png)
+ ![The Add New drop-down list](./media/absorblms-tutorial/add.png)
4. On the **Add User** page, do the following:
@@ -267,16 +211,14 @@ For Azure AD users to sign in to Absorb LMS, they must be set up in Absorb LMS.
> [!NOTE] > By Default, User Provisioning is not enabled in SSO. If the customer wants to enable this feature, they have to set it up as mentioned in [this](https://support.absorblms.com/hc/en-us/articles/360014083294-Incoming-SAML-2-0-SSO-Account-Provisioning) documentation. Also please note that User Provisioing is only available on **Absorb 5 - New Learner Experience** with ACS URL-`https://company.myabsorb.com/api/rest/v2/authentication/saml`
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Absorb LMS tile in the Access Panel, you should be automatically signed in to the Absorb LMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Absorb LMS for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Absorb LMS tile in the My Apps, you should be automatically signed in to the Absorb LMS for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Absorb LMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
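Review bot: In the added "Next steps" paragraph, "session control, which protects exfiltration and infiltration" says the opposite of what is meant; it should read "protects against exfiltration and infiltration". In the added "Test SSO" bullets, "with following options" is missing "the", and "Test this application" should be bold like the other UI labels. The new My Apps link is an absolute `https://docs.microsoft.com/...` URL where the removed line used a relative path (`../user-help/my-apps-portal-end-user-access.md`); consider keeping the relative form for consistency with the other in-repo links. The unchanged provisioning note still uses `https://company.myabsorb.com/...` while the earlier hunk switched the same pattern to `<SUBDOMAIN>`, and it still contains the typo "Provisioing".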
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/akashi-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/akashi-tutorial.md
@@ -0,0 +1,145 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AKASHI | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and AKASHI.
++++++++ Last updated : 02/10/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with AKASHI
+
+In this tutorial, you'll learn how to integrate AKASHI with Azure Active Directory (Azure AD). When you integrate AKASHI with Azure AD, you can:
+
+* Control in Azure AD who has access to AKASHI.
+* Enable your users to be automatically signed-in to AKASHI with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* AKASHI single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* AKASHI supports **SP and IDP** initiated SSO
+
+## Adding AKASHI from the gallery
+
+To configure the integration of AKASHI into Azure AD, you need to add AKASHI from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **AKASHI** in the search box.
+1. Select **AKASHI** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for AKASHI
+
+Configure and test Azure AD SSO with AKASHI using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AKASHI.
+
+To configure and test Azure AD SSO with AKASHI, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure AKASHI SSO](#configure-akashi-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create AKASHI test user](#create-akashi-test-user)** - to have a counterpart of B.Simon in AKASHI that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **AKASHI** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://atnd.ak4.jp/sso/saml/<CUSTOM_ID>`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://atnd.ak4.jp/sso/saml/<CUSTOM_ID>`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://atnd.ak4.jp/sso/saml/<CUSTOM_ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [AKASHI Client support team](mailto:akashi_cc@ak4.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AKASHI.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **AKASHI**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure AKASHI SSO
+
+To configure single sign-on on **AKASHI** side, you need to send the **App Federation Metadata Url** to [AKASHI support team](mailto:akashi_cc@ak4.jp). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create AKASHI test user
+
+In this section, you create a user called Britta Simon in AKASHI. Work with [AKASHI support team](mailto:akashi_cc@ak4.jp) to add the users in the AKASHI platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to AKASHI Sign on URL where you can initiate the login flow.
+
+* Go to AKASHI Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the AKASHI for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the AKASHI tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AKASHI for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure AKASHI you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
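Review bot: The "Create AKASHI test user" section tells the reader to create "a user called Britta Simon", while every other section of this new file names the test user **B.Simon**; use one name throughout so the link between the Azure AD user and the AKASHI user is unambiguous. Smaller points: the heading "## Adding AKASHI from the gallery" differs from the "## Add ... from the gallery" form used by the other tutorials updated in this batch, "#### SP initiated:" and "#### IDP initiated:" jump from H2 straight to H4, "page, In the **SAML Signing Certificate** section" has a stray capital, and the IDP-initiated bullet is missing its final period. The "Next steps" sentence has the same "protects exfiltration and infiltration" wording and needs "against".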
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/arcgis-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/arcgis-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 12/19/2018 Last updated : 02/08/2021 # Tutorial: Azure Active Directory integration with ArcGIS Online
-In this tutorial, you learn how to integrate ArcGIS Online with Azure Active Directory (Azure AD).
-Integrating ArcGIS Online with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate ArcGIS Online with Azure Active Directory (Azure AD). When you integrate ArcGIS Online with Azure AD, you can:
-* You can control in Azure AD who has access to ArcGIS Online.
-* You can enable your users to be automatically signed-in to ArcGIS Online (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to ArcGIS Online.
+* Enable your users to be automatically signed-in to ArcGIS Online with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with ArcGIS Online, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* ArcGIS Online single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ArcGIS Online single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
@@ -38,66 +34,44 @@ To configure Azure AD integration with ArcGIS Online, you need the following ite
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* ArcGIS Online supports **SP** initiated SSO
+* ArcGIS Online supports **SP** initiated SSO.
-## Adding ArcGIS Online from the gallery
+## Add ArcGIS Online from the gallery
To configure the integration of ArcGIS Online into Azure AD, you need to add ArcGIS Online from the gallery to your list of managed SaaS apps.
-**To add ArcGIS Online from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **ArcGIS Online**, select **ArcGIS Online** from result panel then click **Add** button to add the application.
-
- ![ArcGIS Online in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with ArcGIS Online based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in ArcGIS Online needs to be established.
-
-To configure and test Azure AD single sign-on with ArcGIS Online, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure ArcGIS Online Single Sign-On](#configure-arcgis-online-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create ArcGIS Online test user](#create-arcgis-online-test-user)** - to have a counterpart of Britta Simon in ArcGIS Online that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ArcGIS Online** in the search box.
+1. Select **ArcGIS Online** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for ArcGIS Online
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with ArcGIS Online using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ArcGIS Online.
-To configure Azure AD single sign-on with ArcGIS Online, perform the following steps:
+To configure and test Azure AD SSO with ArcGIS Online, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **ArcGIS Online** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure ArcGIS Online SSO](#configure-arcgis-online-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ArcGIS Online test user](#create-arcgis-online-test-user)** - to have a counterpart of B.Simon in ArcGIS Online that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **ArcGIS Online** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![ArcGIS Online Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<companyname>.maps.arcgis.com`
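Review bot: The three added steps use auto-numbered `1.` markers, but the unchanged step that follows is still hard-coded as `4.`, so the list numbering only stays correct while exactly three steps precede it. Convert the remaining steps in this section to `1.` as well. The hunk also removes the `sp-identifier.png` screenshot under step 4 without a replacement; confirm the step is still clear without it.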
@@ -113,29 +87,53 @@ To configure Azure AD single sign-on with ArcGIS Online, perform the following s
6. To automate the configuration within **ArcGIS Online**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
- ![image](./media/arcgis-tutorial/install_extension.png)
+ ![image](./media/arcgis-tutorial/install-extension.png)
7. After adding extension to the browser, click on **setup ArcGIS Online** will direct you to the ArcGIS Online application. From there, provide the admin credentials to sign into ArcGIS Online. The browser extension will automatically configure the application for you and automate steps in section **Configure ArcGIS Online Single Sign-On**.
-### Configure ArcGIS Online Single Sign-On
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ArcGIS Online.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ArcGIS Online**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure ArcGIS Online SSO
1. If you want to setup ArcGIS Online manually, open a new web browser window and log into your ArcGIS company site as an administrator and perform the following steps: 2. Click **EDIT SETTINGS**.
- ![Edit Settings](./media/arcgis-tutorial/ic784742.png "Edit Settings")
+ ![Edit Settings](./media/arcgis-tutorial/settings.png "Edit Settings")
3. Click **Security**.
- ![Security](./media/arcgis-tutorial/ic784743.png "Security")
+ ![Security](./media/arcgis-tutorial/secure.png "Security")
4. Under **Enterprise Logins**, click **SET IDENTITY PROVIDER**.
- ![Enterprise Logins](./media/arcgis-tutorial/ic784744.png "Enterprise Logins")
+ ![Enterprise Logins](./media/arcgis-tutorial/enterprise.png "Enterprise Logins")
5. On the **Set Identity Provider** configuration page, perform the following steps:
- ![Set Identity Provider](./media/arcgis-tutorial/ic784745.png "Set Identity Provider")
+ ![Set Identity Provider](./media/arcgis-tutorial/identity-provider.png "Set Identity Provider")
a. In the **Name** textbox, type your organizationΓÇÖs name.
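Review bot: The unchanged step 7 at the top of this hunk still sends readers to the section **Configure ArcGIS Online Single Sign-On**, but the hunk removes that heading and adds `## Configure ArcGIS Online SSO` in its place, so the reference is stale; update step 7 to the new heading name. The new heading is also level 2 while the two test-user sections added directly above it are level 3, so check that the outline nests the way the article intends.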
@@ -145,57 +143,6 @@ To configure Azure AD single sign-on with ArcGIS Online, perform the following s
d. Click **SET IDENTITY PROVIDER**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ArcGIS Online.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ArcGIS Online**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **ArcGIS Online**.
-
- ![The ArcGIS Online link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create ArcGIS Online test user In order to enable Azure AD users to log into ArcGIS Online, they must be provisioned into ArcGIS Online.
@@ -207,36 +154,36 @@ In the case of ArcGIS Online, provisioning is a manual task.
2. Click **INVITE MEMBERS**.
- ![Invite Members](./media/arcgis-tutorial/ic784747.png "Invite Members")
+ ![Invite Members](./media/arcgis-tutorial/invite.png "Invite Members")
3. Select **Add members automatically without sending an email**, and then click **NEXT**.
- ![Add Members Automatically](./media/arcgis-tutorial/ic784748.png "Add Members Automatically")
+ ![Add Members Automatically](./media/arcgis-tutorial/members.png "Add Members Automatically")
4. On the **Members** dialog page, perform the following steps:
- ![Add and review](./media/arcgis-tutorial/ic784749.png "Add and review")
+ ![Add and review](./media/arcgis-tutorial/review.png "Add and review")
a. Enter the **Email**, **First Name**, and **Last Name** of a valid Azure AD account you want to provision. b. Click **ADD AND REVIEW**. 5. Review the data you have entered, and then click **ADD MEMBERS**.
- ![Add member](./media/arcgis-tutorial/ic784750.png "Add member")
+ ![Add member](./media/arcgis-tutorial/add.png "Add member")
> [!NOTE] > The Azure Active Directory account holder will receive an email and follow a link to confirm their account before it becomes active.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the ArcGIS Online tile in the Access Panel, you should be automatically signed in to the ArcGIS Online for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to ArcGIS Online Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to ArcGIS Online Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the ArcGIS Online tile in the My Apps, this will redirect to ArcGIS Online Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure ArcGIS Online you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
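Review bot: The new **Next steps** paragraph says session control "extends from Conditional Access", yet this hunk deletes the link to the Conditional Access overview (`../conditional-access/overview.md`) together with the rest of **Additional Resources**; keep that link inline so readers can reach the feature the paragraph depends on. In the same paragraph, "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration", and "with following options" in the **Test SSO** intro needs "the".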
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ariba-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ariba-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 08/31/2020 Last updated : 02/01/2021 # Tutorial: Azure Active Directory integration with Ariba
-In this tutorial, you learn how to integrate Ariba with Azure Active Directory (Azure AD).
-Integrating Ariba with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Ariba with Azure Active Directory (Azure AD). When you integrate Ariba with Azure AD, you can:
-* You can control in Azure AD who has access to Ariba.
-* You can enable your users to be automatically signed-in to Ariba (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Ariba.
+* Enable your users to be automatically signed-in to Ariba with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Ariba, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Ariba single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Ariba single sign-on (SSO) enabled subscription.
## Scenario description
@@ -37,40 +33,37 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Ariba supports **SP** initiated SSO
-* Once you configure Ariba you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
-
-## Adding Ariba from the gallery
+## Add Ariba from the gallery
To configure the integration of Ariba into Azure AD, you need to add Ariba from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Ariba** in the search box. 1. Select **Ariba** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for Ariba
-In this section, you configure and test Azure AD single sign-on with Ariba based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Ariba needs to be established.
+Configure and test Azure AD SSO with Ariba using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Ariba.
-To configure and test Azure AD single sign-on with Ariba, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Ariba, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Ariba SSO](#configure-ariba-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Ariba test user](#create-ariba-test-user)** - to have a counterpart of Britta Simon in Ariba that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Ariba SSO](#configure-ariba-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Ariba test user](#create-ariba-test-user)** - to have a counterpart of B.Simon in Ariba that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
### Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Ariba** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Ariba** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -107,16 +100,15 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
### Create an Azure AD test user
+In this section, you'll create a test user in the Azure portal called B.Simon.
-In this section, you'll create a test user named B.Simon in the Azure portal.
-
-1. In the left pane of the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. At the top of the screen, select **New user**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter **B.Simon**.
- 1. In the **User name** field, enter `<username>@<companydomain>.<extension>`. For example: `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then make note of the value that's displayed in the **Password** box.
- 1. Select **Create**.
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
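Review bot: The **User name** step loses its placeholder markup: `<username>@<companydomain>.<extension>` becomes the plain text "the username@companydomain.extension", which reads like a literal address rather than a pattern to fill in; keep the angle-bracket placeholder in code formatting. The password step also changes "make note of" to "write down", which reads as an instruction to put a credential on paper; wording such as "record the value" avoids that.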
@@ -125,15 +117,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Ariba**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Ariba SSO
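Review bot: The rewritten role step drops the condition that tied it to the SAML assertion ("If you're expecting any role value in the SAML assertion") and replaces it with "If you are expecting a role to be assigned to the users", which no longer tells the reader when the selection matters. Keep the reference to the SAML assertion so it is clear the choice controls the role value sent to Ariba, and then state that "Default Access" is shown when the app defines no roles.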
@@ -146,14 +132,14 @@ In this section, you create a user called Britta Simon in Ariba. Work with Arib
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Ariba tile in the Access Panel, you should be automatically signed in to the Ariba for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Ariba Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Ariba Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Ariba tile in the My Apps, this will redirect to Ariba Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Ariba you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
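Review bot: The hunk header context still reads "In this section, you create a user called Britta Simon in Ariba", while the step list added earlier in this commit describes that counterpart user as B.Simon; rename the user in **Create Ariba test user** as well so the Azure AD test user and its Ariba counterpart match. On the added lines, "with following options" needs "the" and "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration".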
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/autotaskworkplace-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/autotaskworkplace-tutorial.md
@@ -9,31 +9,23 @@
Previously updated : 01/20/2019 Last updated : 02/02/2021 # Tutorial: Azure Active Directory integration with Autotask Workplace
-In this tutorial, you learn how to integrate Autotask Workplace with Azure Active Directory (Azure AD).
-Integrating Autotask Workplace with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Autotask Workplace with Azure Active Directory (Azure AD). When you integrate Autotask Workplace with Azure AD, you can:
-* You can control in Azure AD who has access to Autotask Workplace.
-* You can enable your users to be automatically signed-in to Autotask Workplace (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Autotask Workplace.
+* Enable your users to be automatically signed-in to Autotask Workplace with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Autotask Workplace, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Autotask Workplace single sign-on enabled subscription
-* An Autotask Workplace single-sign on enabled subscription
-* You must be an administrator or super administrator in Workplace.
-* You must have an administrator account in the Azure AD.
-* The users that will utilize this feature must have accounts within Workplace and the Azure AD, and their email addresses for both must match.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Autotask Workplace single sign-on (SSO) enabled subscription.
## Scenario description
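Review bot: The **Prerequisites** list drops three requirements that are not boilerplate: administrator or super administrator rights in Workplace, an administrator account in Azure AD, and matching email addresses for each user in Workplace and Azure AD. The last one tells the reader how the two accounts are matched, and the replacement text later in the commit says only that "a link relationship" must be established; keep these three bullets.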
@@ -41,59 +33,39 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Autotask Workplace supports **SP and IDP** initiated SSO
-## Adding Autotask Workplace from the gallery
+## Add Autotask Workplace from the gallery
To configure the integration of Autotask Workplace into Azure AD, you need to add Autotask Workplace from the gallery to your list of managed SaaS apps.
-**To add Autotask Workplace from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Autotask Workplace**, select **Autotask Workplace** from result panel then click **Add** button to add the application.
-
- ![Autotask Workplace in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Autotask Workplace based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Autotask Workplace needs to be established.
-
-To configure and test Azure AD single sign-on with Autotask Workplace, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Autotask Workplace** in the search box.
+1. Select **Autotask Workplace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Autotask Workplace Single Sign-On](#configure-autotask-workplace-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Autotask Workplace test user](#create-autotask-workplace-test-user)** - to have a counterpart of Britta Simon in Autotask Workplace that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Autotask Workplace
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Autotask Workplace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Autotask Workplace.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Autotask Workplace, perform the following steps:
-To configure Azure AD single sign-on with Autotask Workplace, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Autotask Workplace SSO](#configure-autotask-workplace-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Autotask Workplace test user](#create-autotask-workplace-test-user)** - to have a counterpart of B.Simon in Autotask Workplace that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Autotask Workplace** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Autotask Workplace** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
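Review bot: `## Configure Azure AD SSO` is added at heading level 2, the same level as `## Configure and test Azure AD SSO for Autotask Workplace` above it, although the step list nests it under that section and the Ariba article in this same batch uses `### Configure Azure AD SSO`; make it level 3. The sign-on method also changes from **SAML/WS-Fed** to **SAML**, so confirm that matches the label currently shown in the portal.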
@@ -123,13 +95,31 @@ To configure Azure AD single sign-on with Autotask Workplace, perform the follow
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Autotask Workplace.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Autotask Workplace**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Autotask Workplace Single Sign-On
+## Configure Autotask Workplace SSO
1. In a different web browser window, Log in to Workplace Online using the administrator credentials.
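Review bot: The removed lines `a. Login URL`, `b. Azure Ad Identifier` and `c. Logout URL` were the only text saying which values to copy under the **Copy configuration URLs** screenshot, and the new test-user sections are spliced in where that list was. Either keep the list, or, if the Workplace side needs only the **Federation Metadata XML** upload described later in the article, remove the screenshot and its step as well.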
@@ -138,13 +128,13 @@ To configure Azure AD single sign-on with Autotask Workplace, perform the follow
2. Go to **Configuration** > **Single Sign-On** and perform the following steps:
- ![Autotask Single Sign-on configuration](./media/autotaskworkplace-tutorial/tutorial_autotaskssoconfig1.png)
+ ![Autotask Single Sign-on configuration](./media/autotaskworkplace-tutorial/configuration-1.png)
a. Select the **XML Metadata File** option, and then upload the downloaded **Federation Metadata XML** from Azure portal. b. Click **ENABLE SSO**.
- ![Autotask Single Sign-on approve configuration](./media/autotaskworkplace-tutorial/tutorial_autotaskssoconfig2.png)
+ ![Autotask Single Sign-on approve configuration](./media/autotaskworkplace-tutorial/configuration-2.png)
c. Select the **I confirm this information is correct and I trust this IdP** check box.
@@ -153,71 +143,26 @@ To configure Azure AD single sign-on with Autotask Workplace, perform the follow
> [!Note] > If you require assistance with configuring Autotask Workplace, please see [this page](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to get assistance with your Workplace account.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Autotask Workplace.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Autotask Workplace**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Autotask Workplace**.
-
- ![The Autotask Workplace link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
+### Create Autotask Workplace test user
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in Autotask Workplace. Please work with [Autotask Workplace support team](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to add the users in the Autotask Workplace platform.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+## Test SSO
-7. In the **Add Assignment** dialog click the **Assign** button.
+In this section, you test your Azure AD single sign-on configuration with following options.
-### Create Autotask Workplace test user
-
-In this section, you create a user called Britta Simon in Autotask Workplace. Please work with [Autotask Workplace support team](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to add the users in the Autotask Workplace platform.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Autotask Workplace Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Autotask Workplace Sign-on URL directly and initiate the login flow from there.
-When you click the Autotask Workplace tile in the Access Panel, you should be automatically signed in to the Autotask Workplace for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Autotask Workplace for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Autotask Workplace tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Autotask Workplace for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Autotask Workplace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
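Review bot: the added My Apps paragraph puts both modes into one sentence ("if configured in SP mode you would be redirected ... and if configured in IDP mode, you should be automatically signed in") and switches between "would" and "should". Split it into one sentence per mode with the same verb form, and drop the article in "the My Apps" and "the Autotask Workplace". The added intro line "with following options" is also missing "the".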
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bynder-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bynder-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 12/07/2020 Last updated : 02/03/2021
@@ -25,7 +25,7 @@ In this tutorial, you'll learn how to integrate Bynder with Azure Active Directo
To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Bynder single sign-on (SSO) enabled subscription. ## Scenario description
@@ -35,7 +35,7 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* Bynder supports **SP and IDP** initiated SSO * Bynder supports **Just In Time** user provisioning
-## Adding Bynder from the gallery
+## Add Bynder from the gallery
To configure the integration of Bynder into Azure AD, you need to add Bynder from the gallery to your list of managed SaaS apps.
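Review bot: renaming the heading from "Adding Bynder from the gallery" to "Add Bynder from the gallery" changes the generated anchor from `#adding-bynder-from-the-gallery` to `#add-bynder-from-the-gallery`. Check for links elsewhere that point at the old anchor and update them in the same change.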
@@ -51,7 +51,7 @@ To configure the integration of Bynder into Azure AD, you need to add Bynder fro
Configure and test Azure AD SSO with Bynder using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Bynder.
-To configure and test Azure AD SSO with Bynder, complete the following building blocks:
+To configure and test Azure AD SSO with Bynder, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
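Review bot: the paragraph above the changed line names the test user **B.Simon**, but the step list kept as context still says "to test Azure AD single sign-on with Britta Simon". Since this hunk already rewrites the lead-in sentence, update the list entries to B.Simon as well so the tutorial uses one name throughout.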
@@ -60,13 +60,13 @@ To configure and test Azure AD SSO with Bynder, complete the following building
1. **[Create Bynder test user](#create-bynder-test-user)** - to have a counterpart of Britta Simon in Bynder that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal. 1. In the Azure portal, on the **Bynder** application integration page, find the **Manage** section and select **Single sign-on**. 1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -164,4 +164,4 @@ You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Bynder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Bynder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
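Review bot: the only change on this line swaps the site-relative link `/cloud-app-security/proxy-deployment-any-app` for the absolute `https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app`. Nothing in the hunk explains why the hard-coded host is needed. Unless there is a reason, keep the site-relative form, or state the reason in the commit message.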
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/coupa-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/coupa-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/14/2021 Last updated : 02/05/2021 # Tutorial: Azure Active Directory integration with Coupa
@@ -22,10 +22,10 @@ In this tutorial, you'll learn how to integrate Coupa with Azure Active Director
## Prerequisites
-To configure Azure AD integration with Coupa, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
-* Coupa single sign-on enabled subscription.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Coupa single sign-on (SSO) enabled subscription.
## Scenario description
@@ -57,7 +57,7 @@ To configure and test Azure AD SSO with Coupa, perform the following steps:
1. **[Create Coupa test user](#create-coupa-test-user)** - to have a counterpart of B.Simon inCoupa that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
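Review bot: the context line directly above the changed heading reads "a counterpart of B.Simon inCoupa", with the space missing between "in" and "Coupa". The hunk already touches this block, so fix the typo here as well.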
@@ -123,17 +123,17 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Coupa SSO
+## Configure Coupa SSO
1. Sign on to your Coupa company site as an administrator. 2. Go to **Setup \> Security Control**.
- ![Security Controls](./media/coupa-tutorial/ic791900.png "Security Controls")
+ ![Security Controls](./media/coupa-tutorial/setup.png "Security Controls")
3. In the **Log in using Coupa credentials** section, perform the following steps:
- ![Coupa SP metadata](./media/coupa-tutorial/ic791901.png "Coupa SP metadata")
+ ![Coupa SP metadata](./media/coupa-tutorial/login.png "Coupa SP metadata")
a. Select **Log in using SAML**.
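Review bot: the image references change from `ic791900.png` and `ic791901.png` to `setup.png` and `login.png`, but only the Markdown references are visible in this diff. Confirm that the renamed files are added under `./media/coupa-tutorial/` in the same commit, otherwise these screenshots render as broken images. The same check applies to `user.png`, `create.png` and `details.png` in the next hunk.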
@@ -153,15 +153,15 @@ In order to enable Azure AD users to log into Coupa, they must be provisioned in
2. In the menu on the top, click **Setup**, and then click **Users**.
- ![Users](./media/coupa-tutorial/ic791908.png "Users")
+ ![Users](./media/coupa-tutorial/user.png "Users")
3. Click **Create**.
- ![Create Users](./media/coupa-tutorial/ic791909.png "Create Users")
+ ![Create Users](./media/coupa-tutorial/create.png "Create Users")
4. In the **User Create** section, perform the following steps:
- ![User Details](./media/coupa-tutorial/ic791910.png "User Details")
+ ![User Details](./media/coupa-tutorial/details.png "User Details")
a. Type the **Login**, **First name**, **Last Name**, **Single Sign-On ID**, **Email** attributes of a valid Azure Active Directory account you want to provision into the related textboxes.
@@ -174,7 +174,7 @@ In order to enable Azure AD users to log into Coupa, they must be provisioned in
>[!NOTE] >You can use any other Coupa user account creation tools or APIs provided by Coupa to provision Azure AD user accounts.
-### Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/freshworks-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/freshworks-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/20/2021 Last updated : 02/11/2021
@@ -35,7 +35,7 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Freshworks supports **SP** initiated SSO
+* Freshworks supports **SP and IDP** initiated SSO
## Add Freshworks from the gallery
@@ -71,16 +71,21 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.freshworks.com/login`
-
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
`https://<SUBDOMAIN>.freshworks.com/sp/SAML/<MODULE_ID>/metadata`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.freshworks.com/sp/SAML/CUSTOM_URL`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<SUBDOMAIN>.freshworks.com/login`
+ > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Freshworks Client support team](mailto:support@freshworks.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Freshworks Client support team](mailto:support@freshworks.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
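Review bot: the new Reply URL pattern `https://<SUBDOMAIN>.freshworks.com/sp/SAML/CUSTOM_URL` writes `CUSTOM_URL` without angle brackets, unlike `<SUBDOMAIN>` here and `<MODULE_ID>` in the Identifier pattern, so a reader may paste it literally. Write it as `<CUSTOM_URL>` so it reads as a placeholder. The updated note already tells readers to replace the Identifier, Reply URL and Sign on URL, which matches the three fields now shown.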
@@ -154,11 +159,18 @@ In this section, you create a user called B.Simon in Freshworks. Work with [Fre
In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Freshworks Sign-on URL where you can initiate the login flow.
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Freshworks Sign on URL where you can initiate the login flow.
+
+* Go to Freshworks Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Freshworks for which you set up the SSO
-* Go to Freshworks Sign-on URL directly and initiate the login flow from there.
+You can also use Microsoft My Apps to test the application in any mode. When you click the Freshworks tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Freshworks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-* You can use Microsoft My Apps. When you click the Freshworks tile in the My Apps, you should be automatically signed in to the Freshworks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
## Next steps
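Review bot: the added IDP initiated bullet ends without a period ("for which you set up the SSO"), while the SP initiated bullets and the My Apps paragraph are punctuated. Add the period, and consider dropping the trailing colon from the new `#### SP initiated:` and `#### IDP initiated:` headings. The SP bullet also changes "Sign-on URL" to "Sign on URL" while the next bullet keeps "Sign-on URL"; pick one spelling.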
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hoxhunt-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hoxhunt-provisioning-tutorial.md
@@ -0,0 +1,141 @@
+
+ Title: 'Tutorial: Configure Hoxhunt for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Hoxhunt.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: 24fbe0a4-ab2d-4e10-93a6-c87d634ffbcf
+++
+ na
+ms.devlang: na
+ Last updated : 01/28/2021+++
+# Tutorial: Configure Hoxhunt for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Hoxhunt and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Hoxhunt](https://www.hoxhunt.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Hoxhunt
+> * Remove users in Hoxhunt when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Hoxhunt
+> * [Single sign-on](hoxhunt-tutorial.md) to Hoxhunt (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A Hoxhunt tenant.
+* A user account in Hoxhunt with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Hoxhunt](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Step 2. Configure Hoxhunt to support provisioning with Azure AD
+
+To configure Hoxhunt to support provisioning with Azure AD - please write an email to Hoxhunt Support (support@hoxhunt.com).
+They will provide the **Authentication Token** and **SCIM Endpoint URL**.
+
+## Step 3. Add Hoxhunt from the Azure AD application gallery
+
+Add Hoxhunt from the Azure AD application gallery to start managing provisioning to Hoxhunt. If you have previously setup Hoxhunt for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+
+* When assigning users and groups to Hoxhunt, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
++
+## Step 5. Configure automatic user provisioning to Hoxhunt
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Hoxhunt in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Hoxhunt**.
+
+ ![The Hoxhunt link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Hoxhunt Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Hoxhunt. If the connection fails, ensure your Hoxhunt account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Hoxhunt**.
+
+9. Review the user attributes that are synchronized from Azure AD to Hoxhunt in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Hoxhunt for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Hoxhunt API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;|
+ |emails[type eq "work"].value|String|
+ |active|Boolean|
+ |name.givenName|String|
+ |name.familyName|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|
+ |addresses[type eq "work"].country|String|
+
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+11. To enable the Azure AD provisioning service for Hoxhunt, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+12. Define the users and/or groups that you would like to provision to Hoxhunt by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+13. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
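Review bot: the Step 5 intro says the service will "create, update, and disable users and/or groups in TestApp", which looks like a template leftover and should read Hoxhunt. Step 2 also says support provides an **Authentication Token** and **SCIM Endpoint URL**, while step 5 of the procedure asks for the "Hoxhunt Tenant URL and Secret Token". State explicitly which value goes in which field. In the attribute table, only the `userName` row has a third cell; give the remaining rows an empty "Supported for filtering" cell so the table renders with three columns.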
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hsb-thoughtspot-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hsb-thoughtspot-tutorial.md
@@ -0,0 +1,138 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with HSB ThoughtSpot | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and HSB ThoughtSpot.
++++++++ Last updated : 02/11/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with HSB ThoughtSpot
+
+In this tutorial, you'll learn how to integrate HSB ThoughtSpot with Azure Active Directory (Azure AD). When you integrate HSB ThoughtSpot with Azure AD, you can:
+
+* Control in Azure AD who has access to HSB ThoughtSpot.
+* Enable your users to be automatically signed-in to HSB ThoughtSpot with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* HSB ThoughtSpot single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* HSB ThoughtSpot supports **SP** initiated SSO
+* HSB ThoughtSpot supports **Just In Time** user provisioning
+
+## Adding HSB ThoughtSpot from the gallery
+
+To configure the integration of HSB ThoughtSpot into Azure AD, you need to add HSB ThoughtSpot from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **HSB ThoughtSpot** in the search box.
+1. Select **HSB ThoughtSpot** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for HSB ThoughtSpot
+
+Configure and test Azure AD SSO with HSB ThoughtSpot using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in HSB ThoughtSpot.
+
+To configure and test Azure AD SSO with HSB ThoughtSpot, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure HSB ThoughtSpot SSO](#configure-hsb-thoughtspot-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create HSB ThoughtSpot test user](#create-hsb-thoughtspot-test-user)** - to have a counterpart of B.Simon in HSB ThoughtSpot that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **HSB ThoughtSpot** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ In the **Sign-on URL** text box, type one of the following URLs:
+
+ | Sign-on URL |
+ | - |
+ | `https://hsbthoughtspot.mruscloud.com:443` |
+ | `https://hsbthoughtspot.mruscloud.com/#/login` |
+ |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up HSB ThoughtSpot** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to HSB ThoughtSpot.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **HSB ThoughtSpot**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure HSB ThoughtSpot SSO
+
+To configure single sign-on on **HSB ThoughtSpot** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [HSB ThoughtSpot support team](mailto:HSB-BDL-IT-SAPBO-ADMIN@hsb.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create HSB ThoughtSpot test user
+
+In this section, a user called Britta Simon is created in HSB ThoughtSpot. HSB ThoughtSpot supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in HSB ThoughtSpot, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to HSB ThoughtSpot Sign-on URL where you can initiate the login flow.
+
+* Go to HSB ThoughtSpot Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the HSB ThoughtSpot tile in the My Apps, this will redirect to HSB ThoughtSpot Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure HSB ThoughtSpot you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
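Review bot: the "Create HSB ThoughtSpot test user" section says "a user called Britta Simon is created", while every other section of this new file uses B.Simon. Use one name. In the SAML Signing Certificate step, the text says to find **Federation Metadata XML** and "download the certificate", and the image alt text is "The Certificate download link". What is downloaded is the metadata file, so word it that way. The Sign-on URL table also ends with a lone `|` row that should be removed.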
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ibmid-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ibmid-tutorial.md
@@ -0,0 +1,177 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with IBMid | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and IBMid.
++++++++ Last updated : 02/11/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with IBMid
+
+In this tutorial, you'll learn how to integrate IBMid with Azure Active Directory (Azure AD). When you integrate IBMid with Azure AD, you can:
+
+* Control in Azure AD who has access to IBMid.
+* Enable your users to be automatically signed-in to IBMid with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* IBMid single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* IBMid supports **SP and IDP** initiated SSO
+* IBMid supports **Just In Time** user provisioning
+
+## Adding IBMid from the gallery
+
+To configure the integration of IBMid into Azure AD, you need to add IBMid from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **IBMid** in the search box.
+1. Select **IBMid** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for IBMid
+
+Configure and test Azure AD SSO with IBMid using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in IBMid.
+
+To configure and test Azure AD SSO with IBMid, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure IBMid SSO](#configure-ibmid-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create IBMid test user](#create-ibmid-test-user)** - to have a counterpart of B.Simon in IBMid that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **IBMid** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type one of the following URLs:
+
+ | Identifier |
+ | - |
+ | `https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20` |
+ | `https://ibmlogin.ice.ibmcloud.com/saml/sps/saml20sp/saml20` |
+ | `https://prepiam.ice.ibmcloud.com/saml/sps/saml20sp/saml20` |
+ |
+
+ a. In the **Reply URL** text box, type one of the following URLs:
+
+ | Reply URL |
+ | - |
+ | `https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20/login` |
+ | `https://login.ibm.com/saml/sps/saml20sp/saml20/login` |
+ | `https://prepiam.ice.ibmcloud.com/saml/sps/saml20sp/saml20/login` |
+ |
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://myibm.ibm.com/`
++
+1. Click **Save**.
+
+1. IBMid application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, IBMid application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | -- | |
+ | country | user.country |
+ | firstName | user.givenname |
+ | lastName | user.surname |
+ | emailAddress | user.mail |
++
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up IBMid** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to IBMid.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **IBMid**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure IBMid SSO
+
+To configure single sign-on on **IBMid** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [IBMid support team](mailto:ibmidfd@us.ibm.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create IBMid test user
+
+In this section, a user called Britta Simon is created in IBMid. IBMid supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in IBMid, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to IBMid Sign on URL where you can initiate the login flow.
+
+* Go to IBMid Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the IBMid for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the IBMid tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the IBMid for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure IBMid you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
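Review bot: In the Basic SAML Configuration step, the second Identifier row uses the host `ibmlogin.ice.ibmcloud.com` while the second Reply URL row uses `login.ibm.com`; the other two rows keep the same host in both tables. Since the reader is told to pick "one of the following URLs" from each table independently, please confirm that pairing is intended and state which Identifier goes with which Reply URL. Smaller points in the same file: both URL tables end with a stray `|` row and the attribute table separator is `| -- | |`, the Federation Metadata XML step says "download the certificate", and "Create IBMid test user" names the user Britta Simon where the rest of the article uses B.Simon.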
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/icims-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/icims-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 03/20/2020 Last updated : 02/01/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate ICIMS with Azure Active Director
* Enable your users to be automatically signed-in to ICIMS with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -35,24 +33,23 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * ICIMS supports **SP** initiated SSO
-* Once you configure ICIMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding ICIMS from the gallery
+## Add ICIMS from the gallery
To configure the integration of ICIMS into Azure AD, you need to add ICIMS from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **ICIMS** in the search box. 1. Select **ICIMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for ICIMS
+## Configure and test Azure AD SSO for ICIMS
Configure and test Azure AD SSO with ICIMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ICIMS.
-To configure and test Azure AD SSO with ICIMS, complete the following building blocks:
+To configure and test Azure AD SSO with ICIMS, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
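Review bot: Renaming the headings "Adding ICIMS from the gallery" and "Configure and test Azure AD single sign-on for ICIMS" changes their generated anchors, so any existing deep links to those sections would stop resolving; please check for inbound links before merging. The session control bullet removed from Scenario description is only covered if the "Next steps" section added later in this change lands with it.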
@@ -65,9 +62,9 @@ To configure and test Azure AD SSO with ICIMS, complete the following building b
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **ICIMS** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **ICIMS** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -76,10 +73,10 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<tenant name>.icims.com`
- b. In the **Identifier** text box, type a URL:
+ b. In the **Identifier** text box, type the URL:
`icims.com`
- c. In the **Reply URL** text box, type a URL:
+ c. In the **Reply URL** text box, type the URL:
`https://.icims.com/` > [!NOTE]
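Review bot: Changing "type a URL" to "type the URL" for Identifier and Reply URL presents both values as literals, but the Reply URL in the context line reads `https://.icims.com/`, with nothing before `.icims.com`, and the Sign on URL just above is given as a pattern with `<tenant name>`. If the Reply URL is tenant-specific, keep the "using the following pattern" wording and restore the placeholder so readers do not paste an unusable assertion endpoint. `icims.com` is also not a URL, so "type the value" would be more accurate for Identifier.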
@@ -112,15 +109,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **ICIMS**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure ICIMS SSO
@@ -133,18 +124,14 @@ In this section, you create a user called B.Simon in ICIMS. Work with [ICIMS sup
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the ICIMS tile in the Access Panel, you should be automatically signed in to the ICIMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to ICIMS Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to ICIMS Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the ICIMS tile in the My Apps, this will redirect to ICIMS Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try ICIMS with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure ICIMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
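Review bot: The added My Apps and Cloud App Security links use absolute `https://docs.microsoft.com/...` URLs where the removed lines used relative paths (`../user-help/my-apps-portal-end-user-access.md` and `/cloud-app-security/proxy-deployment-any-app`). Suggest keeping the relative or site-relative form for consistency with the rest of the article. In the added prose, "with following options" needs "the", and "protects exfiltration and infiltration" should read "protects against".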
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ivanti-service-manager-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ivanti-service-manager-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 02/25/2019 Last updated : 02/05/2021 # Tutorial: Azure Active Directory integration with Ivanti Service Manager (ISM)
-In this tutorial, you learn how to integrate Ivanti Service Manager (ISM) with Azure Active Directory (Azure AD).
-Integrating Ivanti Service Manager (ISM) with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Ivanti Service Manager (ISM) with Azure Active Directory (Azure AD). When you integrate Ivanti Service Manager (ISM) with Azure AD, you can:
-* You can control in Azure AD who has access to Ivanti Service Manager (ISM).
-* You can enable your users to be automatically signed-in to Ivanti Service Manager (ISM) (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Ivanti Service Manager (ISM).
+* Enable your users to be automatically signed-in to Ivanti Service Manager (ISM) with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Ivanti Service Manager (ISM), you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Ivanti Service Manager (ISM) single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Ivanti Service Manager (ISM) single sign-on (SSO) enabled subscription.
## Scenario description
@@ -38,65 +34,43 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Ivanti Service Manager (ISM) supports **SP and IDP** initiated SSO * Ivanti Service Manager (ISM) supports **Just In Time** user provisioning
-## Adding Ivanti Service Manager (ISM) from the gallery
+## Add Ivanti Service Manager (ISM) from the gallery
To configure the integration of Ivanti Service Manager (ISM) into Azure AD, you need to add Ivanti Service Manager (ISM) from the gallery to your list of managed SaaS apps.
-**To add Ivanti Service Manager (ISM) from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Ivanti Service Manager (ISM)**, select **Ivanti Service Manager (ISM)** from result panel then click **Add** button to add the application.
-
- ![Ivanti Service Manager (ISM) in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Ivanti Service Manager (ISM) based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Ivanti Service Manager (ISM) needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Ivanti Service Manager (ISM)** in the search box.
+1. Select **Ivanti Service Manager (ISM)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with Ivanti Service Manager (ISM), you need to complete the following building blocks:
+## Configure and test Azure AD SSO for Ivanti Service Manager (ISM)
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Ivanti Service Manager (ISM) Single Sign-On](#configure-ivanti-service-manager-ism-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Ivanti Service Manager (ISM) test user](#create-ivanti-service-manager-ism-test-user)** - to have a counterpart of Britta Simon in Ivanti Service Manager (ISM) that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with Ivanti Service Manager (ISM) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Ivanti Service Manager (ISM).
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with Ivanti Service Manager (ISM), perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Ivanti Service Manager (ISM) SSO](#configure-ivanti-service-manager-ism-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Ivanti Service Manager (ISM) test user](#create-ivanti-service-manager-ism-test-user)** - to have a counterpart of B.Simon in Ivanti Service Manager (ISM) that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with Ivanti Service Manager (ISM), perform the following steps:
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **Ivanti Service Manager (ISM)** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Ivanti Service Manager (ISM)** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Reply U R L, and select Save.](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
```http https://<customer>.saasit.com/
@@ -109,8 +83,6 @@ To configure Azure AD single sign-on with Ivanti Service Manager (ISM), perform
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<customer>.saasit.com/`
@@ -125,66 +97,33 @@ To configure Azure AD single sign-on with Ivanti Service Manager (ISM), perform
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Ivanti Service Manager (ISM) Single Sign-On
-
-To configure single sign-on on **Ivanti Service Manager (ISM)** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Ivanti Service Manager (ISM) support team](https://www.ivanti.com/support/contact). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Ivanti Service Manager (ISM).
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Ivanti Service Manager (ISM)**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Ivanti Service Manager (ISM).
-2. In the applications list, select **Ivanti Service Manager (ISM)**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Ivanti Service Manager (ISM)**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The Ivanti Service Manager (ISM) link in the Applications list](common/all-applications.png)
+## Configure Ivanti Service Manager (ISM) SSO
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Ivanti Service Manager (ISM)** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Ivanti Service Manager (ISM) support team](https://www.ivanti.com/support/contact). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Ivanti Service Manager (ISM) test user
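Review bot: The removed sub-list under the copy-configuration-URLs step named the three values (Login URL, Azure Ad Identifier, Logout URL), and the relocated "Configure Ivanti Service Manager (ISM) SSO" section now only says "appropriate copied URLs". Suggest naming in that section which values are sent to the support team alongside **Certificate (Raw)**, so the reader does not have to guess which endpoints establish the trust.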
@@ -193,16 +132,22 @@ In this section, a user called Britta Simon is created in Ivanti Service Manager
> [!Note] > If you need to create a user manually, contact [Ivanti Service Manager (ISM) support team](https://www.ivanti.com/support/contact).
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Ivanti Service Manager (ISM) Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Ivanti Service Manager (ISM) Sign-on URL directly and initiate the login flow from there.
-When you click the Ivanti Service Manager (ISM) tile in the Access Panel, you should be automatically signed in to the Ivanti Service Manager (ISM) for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Ivanti Service Manager (ISM) for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Ivanti Service Manager (ISM) tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Ivanti Service Manager (ISM) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Ivanti Service Manager (ISM) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
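Review bot: "Test SSO" is promoted to a `##` heading, but its subsections are added as `#### SP initiated:` and `#### IDP initiated:`, which skips a heading level; use `###` and drop the trailing colons. The hunk header context still reads "a user called Britta Simon is created" while the rest of the article now uses B.Simon, so that sentence should be updated in the same change. The My Apps and Cloud App Security links are absolute `https://docs.microsoft.com/...` URLs where the removed lines used relative paths.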
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/new-relic-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/new-relic-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 04/16/2020 Last updated : 02/02/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate New Relic by Account with Azure
* Enable your users to be automatically signed-in to New Relic by Account with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -36,24 +34,22 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* New Relic by Account supports **SP** initiated SSO
-* Once you configure the New Relic by Account you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-
-## Adding New Relic by Account from the gallery
+## Add New Relic by Account from the gallery
To configure the integration of New Relic by Account into Azure AD, you need to add New Relic by Account from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **New Relic by Account** in the search box. 1. Select **New Relic by Account** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for New Relic by Account
+## Configure and test Azure AD SSO for New Relic by Account
Configure and test Azure AD SSO with New Relic by Account using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in New Relic by Account.
-To configure and test Azure AD SSO with New Relic by Account, complete the following building blocks:
+To configure and test Azure AD SSO with New Relic by Account, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -66,18 +62,19 @@ To configure and test Azure AD SSO with New Relic by Account, complete the follo
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **New Relic by Account** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **New Relic by Account** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
+
1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Sign on URL** text box, type the URL using the following pattern:
`https://rpm.newrelic.com:443/accounts/{acc_id}/sso/saml/finalize` - Be sure to substitute `acc_id` with your own Account ID of New Relic by Account.
- b. In the **Identifier (Entity ID)** text box, type a URL:
+ b. In the **Identifier (Entity ID)** text box, type the URL:
`rpm.newrelic.com` 1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
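Review bot: In step b the new text says "type the URL", but the value that follows, `rpm.newrelic.com`, has no scheme and is not a URL, so changing "a URL" to "the URL" carries the inaccuracy forward. Suggest "type the value:" here, since a reader told to type a URL may add `https://` and end up with an Entity ID that differs from the one shown. In step a, the sentence "Be sure to substitute `acc_id`" names the placeholder without the braces used in the pattern (`{acc_id}`); say explicitly that the braces are replaced as well.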
@@ -88,12 +85,6 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
- ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
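Review bot: Removing the a/b/c list (Login URL, Azure Ad Identifier, Logout URL) leaves those three values named only inside `copy-configuration-urls.png`, as far as this hunk shows, so a reader using a screen reader or a text-only view no longer learns which values the later steps expect. Suggest naming the values in the step sentence itself, with the casing corrected to "Azure AD Identifier".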
@@ -113,15 +104,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **New Relic by Account**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure New Relic by Account SSO
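Review bot: The rewritten role step drops the statement that the role is a value carried in the SAML assertion, which is why the choice in this dialog matters to the application. Suggest keeping that link, for example "If the application expects a role value in the SAML assertion, select it from the **Select a role** dropdown." The second sentence also needs an article fix: 'you see "Default Access" role selected' should read 'the "Default Access" role is selected'. The same wording is added in the OpenAthens, Oracle Fusion ERP and Parkalot changes in this batch.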
@@ -130,15 +115,15 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. In the menu on the top, click **Account Settings**.
- ![Screenshot shows the Welcome page with Account settings selected.](./media/new-relic-tutorial/ic797036.png "Account Settings")
+ ![Screenshot shows the Welcome page with Account settings selected.](./media/new-relic-tutorial/settings.png "Account Settings")
3. Click the **Security and authentication** tab, and then click the **Single sign on** tab.
- ![Single Sign-On](./media/new-relic-tutorial/ic797037.png "Single Sign-On")
+ ![Single Sign-On](./media/new-relic-tutorial/single-sign-on-tab.png "Single Sign-On")
4. On the SAML dialog page, perform the following steps:
- ![SAML](./media/new-relic-tutorial/ic797038.png "SAML")
+ ![SAML](./media/new-relic-tutorial/save.png "SAML")
a. Click **Choose File** to upload your downloaded Azure Active Directory certificate.
@@ -154,15 +139,15 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. In the menu on the top, click **Account Settings**.
- ![Screenshot shows Account settings selected from the Welcome page.](./media/new-relic-tutorial/ic797040.png "Account Settings")
+ ![Screenshot shows Account settings selected from the Welcome page.](./media/new-relic-tutorial/account.png "Account Settings")
3. In the **Account** pane on the left side, click **Summary**, and then click **Add user**.
- ![Screenshot shows the Summary pane where you can select Add user.](./media/new-relic-tutorial/ic797041.png "Account Settings")
+ ![Screenshot shows the Summary pane where you can select Add user.](./media/new-relic-tutorial/add.png "Account Settings")
4. On the **Active users** dialog, perform the following steps:
- ![Active Users](./media/new-relic-tutorial/ic797042.png "Active Users")
+ ![Active Users](./media/new-relic-tutorial/user.png "Active Users")
a. In the **Email** textbox, type the email address of a valid Azure Active Directory user you want to provision.
@@ -175,18 +160,14 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the New Relic by Account tile in the Access Panel, you should be automatically signed in to the New Relic by Account for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to New Relic by Account Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to New Relic by Account Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the New Relic by Account tile in the My Apps, this will redirect to New Relic by Account Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try New Relic by Account with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure New Relic by Account you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
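Review bot: In the added Next steps sentence, "protects exfiltration and infiltration of" says the reverse of what is meant; it should read "protects against exfiltration and infiltration of". Two smaller points in the same hunk: "with following options" is missing "the", and the new links are absolute `https://docs.microsoft.com/...` URLs where the removed lines used relative ones (`/cloud-app-security/proxy-deployment-any-app`, `../user-help/my-apps-portal-end-user-access.md`). The hunk also deletes the only link to the Conditional Access overview while the new sentence still refers to Conditional Access, so consider linking the term. The same Next steps sentence is added to the other tutorials in this batch.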
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/openathens-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/openathens-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 10/24/2019 Last updated : 02/03/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate OpenAthens with Azure Active Dir
* Enable your users to be automatically signed-in to OpenAthens with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -37,22 +35,22 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* OpenAthens supports **IDP** initiated SSO * OpenAthens supports **Just In Time** user provisioning
-## Adding OpenAthens from the gallery
+## Add OpenAthens from the gallery
To configure the integration of OpenAthens into Azure AD, you need to add OpenAthens from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **OpenAthens** in the search box. 1. Select **OpenAthens** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for OpenAthens
+## Configure and test Azure AD SSO for OpenAthens
Configure and test Azure AD SSO with OpenAthens using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in OpenAthens.
-To configure and test Azure AD SSO with OpenAthens, complete the following building blocks:
+To configure and test Azure AD SSO with OpenAthens, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -65,9 +63,9 @@ To configure and test Azure AD SSO with OpenAthens, complete the following build
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **OpenAthens** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **OpenAthens** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -112,15 +110,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **OpenAthens**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure OpenAthens SSO
@@ -129,19 +121,19 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Select **Connections** from the list under the **Management** tab.
- ![Screenshot that shows the "OpenAthens" company site page with "Connections" selected from the "Management" tab.](./media/openathens-tutorial/tutorial_openathens_application1.png)
+ ![Screenshot that shows the "OpenAthens" company site page with "Connections" selected from the "Management" tab.](./media/openathens-tutorial/connections.png)
1. Select **SAML 1.1/2.0**, and then select the **Configure** button.
- ![Screenshot that shows the "Select local authentication system type." dialog with "S A M L 1.1/2.0" and the "Configure" button selected.](./media/openathens-tutorial/tutorial_openathens_application2.png)
+ ![Screenshot that shows the "Select local authentication system type." dialog with "S A M L 1.1/2.0" and the "Configure" button selected.](./media/openathens-tutorial/saml.png)
1. To add the configuration, select the **Browse** button to upload the metadata .xml file that you downloaded from the Azure portal, and then select **Add**.
- ![Screenshot that shows the "Add S A M L authentication system." dialog with the "Browse" action and "Add button selected.](./media/openathens-tutorial/tutorial_openathens_application3.png)
+ ![Screenshot that shows the "Add S A M L authentication system." dialog with the "Browse" action and "Add button selected.](./media/openathens-tutorial/configure.png)
1. Perform the following steps under the **Details** tab.
- ![Configure single sign-on](./media/openathens-tutorial/tutorial_openathens_application4.png)
+ ![Configure single sign-on](./media/openathens-tutorial/add.png)
a. In **Display name mapping**, select **Use attribute**.
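Review bot: The new image file names look crossed with the dialogs they show: the "Add S A M L authentication system." screenshot now points to `configure.png`, while the "Configure single sign-on" screenshot under the **Details** tab points to `add.png`. Please check each file against its alt text and swap or rename as needed. The alt text on the `configure.png` line also has an unclosed quotation mark after "Add" ("Add button selected), which this change keeps.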
@@ -159,7 +151,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
h. From the **</> Relying Party** tab, copy the **Metadata URL** and open this in the browser to download the **SP metadata XML** file. Upload this SP metadata file on the **Basic SAML Configuration** section in Azure AD.
- ![Screenshot that shows the "Relying party" tab selected and the "Metadata U R L" highlighted.](./media/openathens-tutorial/tutorial_openathens_application5.png)
+ ![Screenshot that shows the "Relying party" tab selected and the "Metadata U R L" highlighted.](./media/openathens-tutorial/metadata.png)
### Create OpenAthens test user
@@ -167,16 +159,12 @@ In this section, a user called Britta Simon is created in OpenAthens. OpenAthens
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the OpenAthens tile in the Access Panel, you should be automatically signed in to the OpenAthens for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the OpenAthens for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the OpenAthens tile in the My Apps, you should be automatically signed in to the OpenAthens for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try OpenAthens with Azure AD](https://aad.portal.azure.com/)
+Once you configure OpenAthens you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
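Review bot: In the first added bullet, "Test this application" is plain text, while the same bullet in the New Relic and Oracle Fusion ERP changes in this batch writes it as **Test this application**; bold it here for consistency with the other UI labels. The wording "signed in to the OpenAthens for which you set up the SSO" and "tile in the My Apps" would read better without the extra articles ("signed in to the OpenAthens instance for which you set up SSO", "tile in My Apps").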
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/oracle-fusion-erp-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oracle-fusion-erp-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 09/10/2019 Last updated : 02/09/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Oracle Fusion ERP with Azure Act
* Enable your users to be automatically signed-in to Oracle Fusion ERP with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,13 +32,13 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Oracle Fusion ERP supports **SP** initiated SSO
+* Oracle Fusion ERP supports **SP** initiated SSO.
-## Adding Oracle Fusion ERP from the gallery
+## Add Oracle Fusion ERP from the gallery
To configure the integration of Oracle Fusion ERP into Azure AD, you need to add Oracle Fusion ERP from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
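Review bot: The added period in "Oracle Fusion ERP supports **SP** initiated SSO." makes this bullet inconsistent with the matching Scenario description bullets in the New Relic and OpenAthens tutorials touched in the same batch, which end without one. Pick one form and apply it across the tutorials.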
@@ -51,7 +49,7 @@ To configure the integration of Oracle Fusion ERP into Azure AD, you need to add
Configure and test Azure AD SSO with Oracle Fusion ERP using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Oracle Fusion ERP.
-To configure and test Azure AD SSO with Oracle Fusion ERP, complete the following building blocks:
+To configure and test Azure AD SSO with Oracle Fusion ERP, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -64,9 +62,9 @@ To configure and test Azure AD SSO with Oracle Fusion ERP, complete the followin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Oracle Fusion ERP** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Oracle Fusion ERP** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -108,15 +106,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Oracle Fusion ERP**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Oracle Fusion ERP SSO
@@ -129,16 +121,14 @@ In this section, you create a user called Britta Simon in Oracle Fusion ERP. Wor
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Oracle Fusion ERP tile in the Access Panel, you should be automatically signed in to the Oracle Fusion ERP for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Oracle Fusion ERP Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Oracle Fusion ERP Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Oracle Fusion ERP tile in the My Apps, this will redirect to Oracle Fusion ERP Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Oracle Fusion ERP with Azure AD](https://aad.portal.azure.com/)
+Once you configure Oracle Fusion ERP you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/parkalot-car-park-management-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/parkalot-car-park-management-tutorial.md
@@ -0,0 +1,180 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Parkalot - Car park management | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Parkalot - Car park management.
++++++++ Last updated : 02/11/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Parkalot - Car park management
+
+In this tutorial, you'll learn how to integrate Parkalot - Car park management with Azure Active Directory (Azure AD). When you integrate Parkalot - Car park management with Azure AD, you can:
+
+* Control in Azure AD who has access to Parkalot - Car park management.
+* Enable your users to be automatically signed-in to Parkalot - Car park management with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Parkalot - Car park management single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Parkalot - Car park management supports **SP** initiated SSO
+
+* Parkalot - Car park management supports **Just In Time** user provisioning
+
+## Adding Parkalot - Car park management from the gallery
+
+To configure the integration of Parkalot - Car park management into Azure AD, you need to add Parkalot - Car park management from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Parkalot - Car park management** in the search box.
+1. Select **Parkalot - Car park management** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Parkalot - Car park management
+
+Configure and test Azure AD SSO with Parkalot - Car park management using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Parkalot - Car park management.
+
+To configure and test Azure AD SSO with Parkalot - Car park management, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Parkalot-Car park management SSO](#configure-parkalot-car-park-management-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Parkalot-Car park management test user](#create-parkalot-car-park-management-test-user)** - to have a counterpart of B.Simon in Parkalot - Car park management that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Parkalot - Car park management** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Identifier (Entity ID)** text box, type a URL using one of the following patterns:
+
+ | Identifier (Entity ID) |
+ | -- |
+ | `https://parkalot.io` |
+ | `https://<CUSTOMERNAME>.parkalot.io` |
+ |
+
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
+
+ | Reply URL |
+ | -- |
+ | `https://<CUSTOMERNAME>.parkalot.io` |
+ | `https://parkalot-saml.firebaseapp.com/__/auth/handler` |
+ | `https://parkalot-saml.web.app/__/auth/handler` |
+ | `https://<CustomerName>.parkalot.io/__/auth/handler` |
+ |
+
+ c. In the **Sign-on URL** text box, type a URL using one of the following patterns:
+
+ | Sign-on URL |
+ | -- |
+ | `https://<CUSTOMERNAME>.parkalot.io/#/login` |
+ | `https://parkalot-saml.firebaseapp.com/#/login` |
+ | `https://parkalot-saml.web.app/#/login` |
+ |
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Parkalot - Car park management Client support team](mailto:contact-us@parkalot.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Parkalot - Car park management** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Parkalot - Car park management.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Parkalot - Car park management**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Parkalot-Car park management SSO
+
+1. In a different web browser window, sign in to your Parkalot - Car park management company site as an administrator.
+
+1. Select **Setup SAML** and click on the **Edit** icon on **Add New** card.
+
+ ![Add New EDIT icon.](./media/parkalot-car-park-management-tutorial/setup-saml.png)
+
+1. Perform the below mentioned steps in the following page.
+
+ ![Configure Parkalot - Car park management SSO.](./media/parkalot-car-park-management-tutorial/configuration.png)
+
+ a. In the **Display Name** textbox, give a valid name to it.
+
+ b. In the **IdP Entity ID** textbox, paste the **Azure AD Identifier** value, which you have copied from the Azure portal.
+
+ c. In the **SSO url** textbox, paste the **Login URL** value, which you have copied from the Azure portal.
+
+ d. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **Certificate** textbox.
+
+ e. Click **SAVE**.
+
+### Create Parkalot-Car park management test user
+
+In this section, a user called Britta Simon is created in Parkalot - Car park management. Parkalot - Car park management supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Parkalot - Car park management, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Parkalot - Car park management Sign-on URL where you can initiate the login flow.
+
+* Go to Parkalot - Car park management Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Parkalot - Car park management tile in the My Apps, this will redirect to Parkalot - Car park management Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Parkalot - Car park management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
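Review bot: The "Create Parkalot-Car park management test user" section says a user called Britta Simon is created, but the test user created and assigned earlier in this file is B.Simon; use B.Simon there so the walkthrough names one user throughout. The two headings write "Parkalot-Car park management" while the body text writes "Parkalot - Car park management", so pick one spelling. In "Next steps" the apostrophe in "organizationΓÇÖs" is garbled and should be a plain apostrophe.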
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/perimeter-81-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/perimeter-81-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 12/09/2020 Last updated : 02/10/2021
@@ -67,13 +67,13 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Perimeter 81** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a value using the following pattern:
`urn:auth0:perimeter81:<SUBDOMAIN>` b. In the **Reply URL** text box, type a URL using the following pattern:
@@ -87,9 +87,14 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Perimeter 81 Client support team](mailto:support@perimeter81.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Perimeter 81** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
- ![The Certificate download link](common/copy-metadataurl.png)
### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
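Review bot: The added step "copy the appropriate URL(s) based on your requirement" does not say which value the reader needs. The manual configuration added later in this change only pastes the **Login URL** into **Sign In URL**, so name the Login URL in this step instead of leaving the choice open.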
@@ -116,7 +121,42 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Perimeter 81 SSO
-To configure single sign-on on **Perimeter 81** side, you need to send the **App Federation Metadata Url** to [Perimeter 81 support team](mailto:support@perimeter81.com). They set this setting to have the SAML SSO connection set properly on both sides.
+1. To automate the configuration within Perimeter 81, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up Perimeter 81** will direct you to the Perimeter 81 application. From there, provide the admin credentials to sign into Perimeter 81. The browser extension will automatically configure the application for you and automate steps 3-7.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup Perimeter 81 manually, in a different web browser window, sign in to your Perimeter 81 company site as an administrator.
+
+4. Go to **Settings** and click on **Identity Providers**.
+
+ ![Perimeter 81 settings](./media/perimeter-81-tutorial/settings.png)
+
+5. Click on **Add Provider** button.
+
+ ![Perimeter 81 add provider](./media/perimeter-81-tutorial/add-provider.png)
+
+6. Select **SAML 2.0 Identity Providers** and click on **Continue** button.
+
+ ![Perimeter 81 add identity provider](./media/perimeter-81-tutorial/add-identity-provider.png)
+
+7. In the **SAML 2.0 Identity Providers** section, perform the following steps:
+
+ ![Perimeter 81 setting up saml](./media/perimeter-81-tutorial/setting-up-saml.png)
+
+ a. In the **Sign In URL** text box, paste the value of **Login URL**, which you have copied from Azure portal.
+
+ b. In the **Domain Aliases** text box, enter your domain alias value.
+
+ c. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **X509 Signing Certificate** textbox.
+
+ > [!NOTE]
+ > Alternatively you can click on **Upload PEM/CERT File** to upload the **Certificate (Base64)** which you downloaded from Azure portal.
+
+ d. Click **Done**.
### Create Perimeter 81 test user
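Review bot: Step 2 is ungrammatical and hard to follow ("click on **Set up Perimeter 81** will direct you to the Perimeter 81 application"); something like "After adding the extension to the browser, select **Set up Perimeter 81** to open the Perimeter 81 application" reads cleanly. Step 7b asks for "your domain alias value" without saying what a domain alias is or where to find it, so add a sentence. Step 7c pastes a static copy of the signing certificate, where the removed text sent the **App Federation Metadata Url**; a line telling administrators to update the certificate in Perimeter 81 when it is renewed in Azure AD would help.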
@@ -134,10 +174,10 @@ In this section, you test your Azure AD single sign-on configuration with follow
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Perimeter 81 for which you set up the SSO
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Perimeter 81 for which you set up the SSO.
You can also use Microsoft My Apps to test the application in any mode. When you click the Perimeter 81 tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Perimeter 81 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ## Next steps
-Once you configure Perimeter 81 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Perimeter 81 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
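Review bot: The last removed/added pair in "Next steps" reads the same in both versions, and both carry the garbled apostrophe in "organizationΓÇÖs". If the difference is only whitespace, drop the line from the change; if the line is being touched anyway, replace the garbled sequence with a plain apostrophe.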
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/pipedrive-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/pipedrive-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 03/06/2020 Last updated : 02/05/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Pipedrive with Azure Active Dire
* Enable your users to be automatically signed-in to Pipedrive with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -35,25 +33,23 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Pipedrive supports **SP and IDP** initiated SSO
-* Once you configure Pipedrive SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-
-## Adding Pipedrive from the gallery
+## Add Pipedrive from the gallery
To configure the integration of Pipedrive into Azure AD, you need to add Pipedrive from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Pipedrive** in the search box. 1. Select **Pipedrive** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Pipedrive
+## Configure and test Azure AD SSO for Pipedrive
Configure and test Azure AD SSO with Pipedrive using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Pipedrive.
-To configure and test Azure AD SSO with Pipedrive, complete the following building blocks:
+To configure and test Azure AD SSO with Pipedrive, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -66,9 +62,9 @@ To configure and test Azure AD SSO with Pipedrive, complete the following buildi
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Pipedrive** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Pipedrive** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -125,15 +121,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Pipedrive**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Pipedrive SSO
@@ -142,15 +132,15 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **User Profile** and select **Settings**.
- ![Screenshot that shows "Settings" selected from the "User Profile" menu.](./media/pipedrive-tutorial/configure1.png)
+ ![Screenshot that shows "Settings" selected from the "User Profile" menu.](./media/pipedrive-tutorial/configure-1.png)
1. Scroll down to security center and select **Single sign-on**.
- ![Screenshot that shows "Single sign-on" selected in the "Security Center".](./media/pipedrive-tutorial/configure2.png)
+ ![Screenshot that shows "Single sign-on" selected in the "Security Center".](./media/pipedrive-tutorial/configure-2.png)
1. On the **SAML configuration for pipedrive** section, perform the following steps:
- ![Screenshot that shows the "S A M L configuration for Pipedrive" section with all text boxes highlighted.](./media/pipedrive-tutorial/configure3.png)
+ ![Screenshot that shows the "S A M L configuration for Pipedrive" section with all text boxes highlighted.](./media/pipedrive-tutorial/configure-3.png)
a. In the **Issuer** textbox, paste the **App Federation Metadata Url** value, which you have copied from the Azure portal.
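Review bot: The three screenshot paths in this hunk change from `configure1.png`, `configure2.png`, `configure3.png` to hyphenated names, but the part of the change shown here does not include the media files themselves. Confirm the images are renamed under `./media/pipedrive-tutorial/` in the same commit, otherwise these screenshots break; the same applies to the `user-1.png` to `user-3.png` renames in the next hunk.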
@@ -166,15 +156,15 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Scroll down to company and select **manage users**.
- ![Screenshot that shows "Manage users" selected from the "Company" menu.](./media/pipedrive-tutorial/user1.png)
+ ![Screenshot that shows "Manage users" selected from the "Company" menu.](./media/pipedrive-tutorial/user-1.png)
1. Click on **Add users**.
- ![Screenshot that shows the "Manage users" page with the "Add users" button selected on the right side.](./media/pipedrive-tutorial/user2.png)
+ ![Screenshot that shows the "Manage users" page with the "Add users" button selected on the right side.](./media/pipedrive-tutorial/user-2.png)
1. On the **Manage users** section, perform the following steps:
- ![Pipedrive Configuration](./media/pipedrive-tutorial/user3.png)
+ ![Pipedrive Configuration](./media/pipedrive-tutorial/user-3.png)
a. In the **Email** textbox, enter the email address of the user like `B.Simon@contoso.com`.
@@ -186,18 +176,21 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-When you click the Pipedrive tile in the Access Panel, you should be automatically signed in to the Pipedrive for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Pipedrive Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to Pipedrive Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Pipedrive for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Pipedrive tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Pipedrive for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try Pipedrive with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Pipedrive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
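Review bot: The new My Apps and Cloud App Security links are absolute `https://docs.microsoft.com/...` URLs, while the lines they replace used repo-relative paths (`../user-help/my-apps-portal-end-user-access.md`, `/cloud-app-security/...`) and the Perimeter 81 article in this same update keeps the relative form; use the relative paths here too. The two SP initiated bullets write "Sign on URL" and "Sign-on URL", so pick one. The `####` headings sit directly under a `##` heading and skip a level. The apostrophe in "organizationΓÇÖs" is garbled.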
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/prisma-cloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/prisma-cloud-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 02/07/2020 Last updated : 02/08/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Prisma Cloud SSO with Azure Acti
* Enable your users to be automatically signed-in to Prisma Cloud SSO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,28 +32,26 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Prisma Cloud SSO supports **IDP** initiated SSO
-
-* Prisma Cloud SSO supports **Just In Time** user provisioning
+* Prisma Cloud SSO supports **IDP** initiated SSO.
-* Once you configure the Prisma Cloud SSO you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Prisma Cloud SSO supports **Just In Time** user provisioning.
-## Adding Prisma Cloud SSO from the gallery
+## Add Prisma Cloud SSO from the gallery
To configure the integration of Prisma Cloud SSO into Azure AD, you need to add Prisma Cloud SSO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Prisma Cloud SSO** in the search box. 1. Select **Prisma Cloud SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Prisma Cloud SSO
+## Configure and test Azure AD SSO for Prisma Cloud SSO
Configure and test Azure AD SSO with Prisma Cloud SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Prisma Cloud SSO.
-To configure and test Azure AD SSO with Prisma Cloud SSO, complete the following building blocks:
+To configure and test Azure AD SSO with Prisma Cloud SSO, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -68,9 +64,9 @@ To configure and test Azure AD SSO with Prisma Cloud SSO, complete the following
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Prisma Cloud SSO** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Prisma Cloud SSO** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -111,15 +107,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Prisma Cloud SSO**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Prisma Cloud SSO
@@ -132,18 +122,12 @@ In this section, a user called B.Simon is created in Prisma Cloud SSO. Prisma Cl
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Prisma Cloud SSO tile in the Access Panel, you should be automatically signed in to the Prisma Cloud SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Prisma Cloud SSO for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Prisma Cloud SSO tile in the My Apps, you should be automatically signed in to the Prisma Cloud SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [Try Prisma Cloud SSO with Azure AD](https://aad.portal.azure.com/)
+Once you configure Prisma Cloud SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
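Review bot: In the first new bullet under "Test SSO", "Test this application" is plain text, whereas the other tutorials in this update bold the button name as **Test this application**; add the bold so the UI element stands out. The My Apps and Cloud App Security links added here are absolute `https://docs.microsoft.com/...` URLs where the removed lines used relative paths, and "organizationΓÇÖs" in "Next steps" has a garbled apostrophe.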
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/rewatch-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rewatch-tutorial.md
@@ -0,0 +1,168 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Rewatch | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Rewatch.
++++++++ Last updated : 02/10/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Rewatch
+
+In this tutorial, you'll learn how to integrate Rewatch with Azure Active. Directory (Azure AD). When you integrate Rewatch with Azure AD, you can:
+
+* Control in Azure AD who has access to Rewatch.
+* Enable your users to be automatically signed-in to Rewatch with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Rewatch single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Rewatch supports **SP and IDP** initiated SSO
+* Rewatch supports **Just In Time** user provisioning
+
+## Adding Rewatch from the gallery
+
+To configure the integration of Rewatch into Azure AD, you need to add Rewatch from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Rewatch** in the search box.
+1. Select **Rewatch** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Rewatch
+
+Configure and test Azure AD SSO with Rewatch using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Rewatch.
+
+To configure and test Azure AD SSO with Rewatch, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Rewatch SSO](#configure-rewatch-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Rewatch test user](#create-rewatch-test-user)** - to have a counterpart of B.Simon in Rewatch that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Rewatch** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://rewatch.tv/login`
+
+1. Rewatch application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Rewatch application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | | |
+ | Group | user.groups |
++
+1. Click **Save**.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Rewatch** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Rewatch.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Rewatch**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Rewatch SSO
+
+1. In a different web browser window, sign in to your Rewatch company site as an administrator.
+
+1. Click on **Admin Console** in the left side menu.
+
+ ![Rewatch admin console in the home page.](./media/rewatch-tutorial/admin-console.png)
+
+1. Go to the **Security** and perform the below steps in the **SAML single sign-on** section.
+
+ ![saml single sign-on section.](./media/rewatch-tutorial/security.png)
+
+ a. In the **IdP SSO target URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
+
+ b. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **IdP certificate** textbox.
+
+ c. Check **Enable SAML login for this channel** and click on **Save**.
+
+### Create Rewatch test user
+
+In this section, a user called Britta Simon is created in Rewatch. Rewatch supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Rewatch, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Rewatch Sign on URL where you can initiate the login flow.
+
+* Go to Rewatch Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Rewatch for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Rewatch tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Rewatch for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Rewatch you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
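Review bot: "Create Rewatch test user" says a user called Britta Simon is created, but every other step shown here names the test account B.Simon (`B.Simon@contoso.com`); use one name so readers know which account to look for in Rewatch after the first sign-in. That section also says just-in-time provisioning is on by default and that there is "no action item", so consider stating what controls who can obtain a Rewatch account that way. Smaller points: step 3 of "Configure Rewatch SSO" reads "Go to the **Security**" with no noun after it, and the IDP-initiated bullet ends without a period.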
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharingcloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sharingcloud-tutorial.md
@@ -0,0 +1,159 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with SharingCloud | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and SharingCloud.
++++++++ Last updated : 02/09/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with SharingCloud
+
+In this tutorial, you'll learn how to integrate SharingCloud with Azure Active Directory (Azure AD). When you integrate SharingCloud with Azure AD, you can:
+
+* Control in Azure AD who has access to SharingCloud.
+* Enable your users to be automatically signed-in to SharingCloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SharingCloud single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* SharingCloud supports **SP and IDP** initiated SSO
+* SharingCloud supports **Just In Time** user provisioning
+
+## Adding SharingCloud from the gallery
+
+To configure the integration of SharingCloud into Azure AD, you need to add SharingCloud from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SharingCloud** in the search box.
+1. Select **SharingCloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for SharingCloud
+
+Configure and test Azure AD SSO with SharingCloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SharingCloud.
+
+To configure and test Azure AD SSO with SharingCloud, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SharingCloud SSO](#configure-sharingcloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SharingCloud test user](#create-sharingcloud-test-user)** - to have a counterpart of B.Simon in SharingCloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **SharingCloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<CustomerName>.sharingcloud.net/adfs/<CustomerName>/saml/federation.xml`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<CustomerName>.sharingcloud.net/social/complete/saml/`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<CustomerName>.sharingcloud.net/accounts/login/`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [SharingCloud Client support team](mailto:support@sharingcloud.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. SharingCloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, SharingCloud application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | | |
+ | urn:sharingcloud:sso:email | user.mail |
+ | urn:sharingcloud:sso:firstname | user.givenname |
+ | urn:sharingcloud:sso:lastname | user.surname |
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SharingCloud.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SharingCloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure SharingCloud SSO
+
+To configure single sign-on on **SharingCloud** side, you need to send the **App Federation Metadata Url** to [SharingCloud support team](mailto:support@sharingcloud.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create SharingCloud test user
+
+In this section, a user called Britta Simon is created in SharingCloud. SharingCloud supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in SharingCloud, a new one is created after authentication.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to SharingCloud Sign on URL where you can initiate the login flow.
+
+* Go to SharingCloud Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SharingCloud for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the SharingCloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SharingCloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure SharingCloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
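Review bot: The claims table maps `urn:sharingcloud:sso:email`, `urn:sharingcloud:sso:firstname` and `urn:sharingcloud:sso:lastname` to `user.mail`, `user.givenname` and `user.surname`, but "Create an Azure AD test user" only fills in **Name** and **User name**, so nothing in the tutorial populates those three source attributes for B.Simon before the test. Add steps that set first name, last name and email on the test user, or state which attributes must already be present, because SharingCloud creates the account after authentication and the tutorial gives no other place to supply them. Two smaller points: the image under the "copy **App Federation Metadata Url**" step has the alt text "The Certificate download link", which describes a different action, and "Create SharingCloud test user" calls the user Britta Simon while the rest of the file uses B.Simon.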
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/splunkenterpriseandsplunkcloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/splunkenterpriseandsplunkcloud-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/13/2021 Last updated : 02/02/2021 # Tutorial: Azure Active Directory integration with Splunk Enterprise and Splunk Cloud
@@ -22,10 +22,10 @@ In this tutorial, you'll learn how to integrate Splunk Enterprise and Splunk Clo
## Prerequisites
-To configure Azure AD integration with Splunk Enterprise and Splunk Cloud, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
-* Splunk Enterprise and Splunk Cloud single sign-on enabled subscription.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Splunk Enterprise and Splunk Cloud single sign-on (SSO) enabled subscription.
## Scenario description
@@ -57,7 +57,7 @@ To configure and test Azure AD SSO with Splunk Enterprise and Splunk Cloud, perf
1. **[Create Splunk Enterprise and Splunk Cloud test user](#create-splunk-enterprise-and-splunk-cloud-test-user)** - to have a counterpart of B.Simon in Splunk Enterprise and Splunk Cloud that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD SSO
+## Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
@@ -108,16 +108,15 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Splunk Enterprise and Splunk Cloud SSO
+## Configure Splunk Enterprise and Splunk Cloud SSO
To configure single sign-on on **Splunk Enterprise and Splunk Cloud** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Splunk Enterprise and Splunk Cloud support team](https://www.splunk.com/en_us/about-splunk/contact-us.html). They set this setting to have the SAML SSO connection set properly on both sides. - ### Create Splunk Enterprise and Splunk Cloud test user In this section, you create a user called Britta Simon in Splunk Enterprise and Splunk Cloud. Work with [Splunk Enterprise and Splunk Cloud support team](https://www.splunk.com/en_us/about-splunk/contact-us.html) to add the users in the Splunk Enterprise and Splunk Cloud platform. Users must be created and activated before you use single sign-on.
-### Test SSO
+## Test SSO
In this section, you test your Azure AD single sign-on configuration with following options.
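Review bot: In the unchanged "Create Splunk Enterprise and Splunk Cloud test user" paragraph, the text still says "you create a user called Britta Simon", while the step list earlier in this file describes the same account as the counterpart of B.Simon. Since this hunk already reworks the headings around that paragraph, rename the user there as well. The heading itself stays at `###` under the promoted `## Configure Splunk Enterprise and Splunk Cloud SSO`, which matches the nesting in the step list, so no change is needed on that line.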
@@ -129,4 +128,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure Splunk Enterprise and Splunk Cloud you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app)
+Once you configure Splunk Enterprise and Splunk Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app)
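Review bot: The replacement sentence fixes the verb agreement but keeps "protects exfiltration and infiltration", which reads as if session control protects the exfiltration itself; "protects against exfiltration and infiltration" says what is meant. The added line also ends at the link with no closing period, and the apostrophe in "organization's" appears as mis-encoded bytes in this line, so check that the source file carries a plain apostrophe.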
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/teamviewer-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/teamviewer-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/10/2020 Last updated : 02/08/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate TeamViewer with Azure Active Dir
* Enable your users to be automatically signed-in to TeamViewer with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -34,40 +32,39 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* TeamViewer supports **SP** initiated SSO
+* TeamViewer supports **SP** initiated SSO.
-## Adding TeamViewer from the gallery
+## Add TeamViewer from the gallery
To configure the integration of TeamViewer into Azure AD, you need to add TeamViewer from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **TeamViewer** in the search box. 1. Select **TeamViewer** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for TeamViewer
+## Configure and test Azure AD SSO for TeamViewer
Configure and test Azure AD SSO with TeamViewer using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TeamViewer.
-To configure and test Azure AD SSO with TeamViewer, complete the following building blocks:
+To configure and test Azure AD SSO with TeamViewer, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure TeamViewer SSO](#configure-teamviewer-sso)** - to configure the single sign-on settings on application side.
- * **[Create TeamViewer test user](#create-teamviewer-test-user)** - to have a counterpart of B.Simon in TeamViewer that is linked to the Azure AD representation of user.
+ 1. **[Create TeamViewer test user](#create-teamviewer-test-user)** - to have a counterpart of B.Simon in TeamViewer that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **TeamViewer** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **TeamViewer** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
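Review bot: Renaming the heading from "Adding TeamViewer from the gallery" to "Add TeamViewer from the gallery" changes the section's anchor, so any link that targets the old heading will stop resolving; check for inbound links before merging. The rename is also not applied uniformly across this batch, since the SharingCloud and Zuddl tutorials added in the same update use "Adding SharingCloud from the gallery" and "Adding Zuddl from the gallery". Pick one form for all of them.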
@@ -98,15 +95,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **TeamViewer**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure TeamViewer SSO
@@ -119,16 +110,14 @@ In this section, you create a user called B.Simon in TeamViewer. Work with [Team
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the TeamViewer tile in the Access Panel, you should be automatically signed in to the TeamViewer for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to TeamViewer Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to TeamViewer Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the TeamViewer tile in the My Apps, this will redirect to TeamViewer Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try TeamViewer with Azure AD](https://aad.portal.azure.com/)
+Once you configure TeamViewer you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
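Review bot: Deleting "Additional resources" removes the only link to the Conditional Access overview (`../conditional-access/overview.md`), yet the new "Next steps" paragraph says session control "extends from Conditional Access" without linking the term. Link it from that sentence so the reference is not left dangling. The new My Apps and Cloud App Security links are absolute `https://docs.microsoft.com/...` URLs, where the removed lines used relative paths such as `../user-help/my-apps-portal-end-user-access.md`; keep the relative form for articles in the same repository. In the intro line, "with following options" is missing "the".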
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/trello-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/trello-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 08/29/2019 Last updated : 02/02/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Trello with Azure Active Directo
* Enable your users to be automatically signed-in to Trello with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -40,22 +38,22 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Trello from the gallery
+## Add Trello from the gallery
To configure the integration of Trello into Azure AD, you need to add Trello from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Trello** in the search box. 1. Select **Trello** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Trello
+## Configure and test Azure AD SSO for Trello
Configure and test Azure AD SSO with Trello using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Trello.
-To configure and test Azure AD SSO with Trello, complete the following building blocks:
+To configure and test Azure AD SSO with Trello, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -66,22 +64,17 @@ To configure and test Azure AD SSO with Trello, complete the following building
## Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
-
-> [!NOTE]
-> You should get the **\<enterprise\>** slug from Trello. If you don't have the slug value, contact the [Trello support team](mailto:support@trello.com) to get the slug for your enterprise.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with Trello, take the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **Trello** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Trello** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
- a. In the **Identifier** text box, type a URL:
+ a. In the **Identifier** text box, type the URL:
`https://trello.com/auth/saml/metadata` b. In the **Reply URL** text box, type a URL using the following pattern:
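Review bot: The deleted NOTE was the only text in this section telling readers to obtain the `<enterprise>` slug from the Trello support team. If the Reply URL pattern that follows step b still contains that placeholder, the tutorial now uses it without saying where the value comes from. Keep the note, placed under the URL patterns, or fold the same guidance into whatever note already follows them.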
@@ -122,15 +115,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Trello**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Trello SSO
@@ -146,16 +133,20 @@ In this section, you create a user called Britta Simon in Trello. Trello support
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Trello Sign on URL where you can initiate the login flow.
-When you click the Trello tile in the Access Panel, you should be automatically signed in to the Trello for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Trello Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Trello for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Trello tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Trello for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Trello with Azure AD](https://aad.portal.azure.com/)
+Once you configure Trello you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
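Review bot: The new subheadings "#### SP initiated:" and "#### IDP initiated:" sit directly under `## Test SSO`, skipping a heading level, and carry a trailing colon that ends up in the rendered heading; use `###` and drop the colon. Within the SP-initiated bullets, the first says "Trello Sign on URL" and the second "Trello Sign-on URL"; use the hyphenated form in both to match the **Sign-on URL** field name.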
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zuddl-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zuddl-tutorial.md
@@ -0,0 +1,141 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Zuddl | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Zuddl.
++++++++ Last updated : 02/09/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Zuddl
+
+In this tutorial, you'll learn how to integrate Zuddl with Azure Active Directory (Azure AD). When you integrate Zuddl with Azure AD, you can:
+
+* Control in Azure AD who has access to Zuddl.
+* Enable your users to be automatically signed-in to Zuddl with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Zuddl single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Zuddl supports **SP** initiated SSO
+
+## Adding Zuddl from the gallery
+
+To configure the integration of Zuddl into Azure AD, you need to add Zuddl from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Zuddl** in the search box.
+1. Select **Zuddl** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for Zuddl
+
+Configure and test Azure AD SSO with Zuddl using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zuddl.
+
+To configure and test Azure AD SSO with Zuddl, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Zuddl SSO](#configure-zuddl-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Zuddl test user](#create-zuddl-test-user)** - to have a counterpart of B.Simon in Zuddl that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Zuddl** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ a. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://app.zuddl.com/<CUSTOM_URL>`
+
+ b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://auth.zuddl.com/<CUSTOM_ID>`
+
+ c. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://auth.workos.com/sso/saml/acs/<CUSTOM_ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [Zuddl Client support team](mailto:support@zuddl.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Zuddl** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Zuddl.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Zuddl**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Zuddl SSO
+
+To configure single sign-on on **Zuddl** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Zuddl support team](mailto:support@zuddl.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Zuddl test user
+
+In this section, you create a user called Britta Simon in Zuddl. Work with [Zuddl support team](mailto:support@zuddl.com) to add the users in the Zuddl platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Zuddl Sign-on URL where you can initiate the login flow.
+
+* Go to Zuddl Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Zuddl tile in the My Apps, this will redirect to Zuddl Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Zuddl you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
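Review bot: The Reply URL pattern in step c of **Basic SAML Configuration** is `https://auth.workos.com/sso/saml/acs/<CUSTOM_ID>`, a different domain from the `app.zuddl.com` Sign on URL and the `auth.zuddl.com` Identifier, and the tutorial never says why. The Reply URL is where Azure AD posts the SAML response, so add a sentence stating that this host is the expected assertion consumer endpoint for Zuddl; an admin can then tell the intended value from a mistyped or substituted one. Separately, **Create Zuddl test user** names the user Britta Simon while every other section uses B.Simon; use one name throughout.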
aks https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/operator-best-practices-network.md
@@ -15,7 +15,7 @@ As you create and manage clusters in Azure Kubernetes Service (AKS), you provide
This best practices article focuses on network connectivity and security for cluster operators. In this article, you learn how to: > [!div class="checklist"]
-> * Compare the kubenet and Azure CNI network modes in AKS
+> * Compare the kubenet and Azure Container Networking Interface (CNI) network modes in AKS
> * Plan for required IP addressing and connectivity > * Distribute traffic using load balancers, ingress controllers, or a web application firewall (WAF) > * Securely connect to cluster nodes
@@ -29,11 +29,13 @@ Virtual networks provide the basic connectivity for AKS nodes and customers to a
* **Kubenet networking** - Azure manages the virtual network resources as the cluster is deployed and uses the [kubenet][kubenet] Kubernetes plugin. * **Azure CNI networking** - Deploys into a virtual network, and uses the [Azure Container Networking Interface (CNI)][cni-networking] Kubernetes plugin. Pods receive individual IPs that can route to other network services or on-premises resources.
-The Container Networking Interface (CNI) is a vendor-neutral protocol that lets the container runtime make requests to a network provider. The Azure CNI assigns IP addresses to pods and nodes, and provides IP address management (IPAM) features as you connect to existing Azure virtual networks. Each node and pod resource receives an IP address in the Azure virtual network, and no additional routing is needed to communicate with other resources or services.
+For production deployments, both kubenet and Azure CNI are valid options.
-![Diagram showing two nodes with bridges connecting each to a single Azure VNet](media/operator-best-practices-network/advanced-networking-diagram.png)
+### CNI Networking
-For production deployments, both kubenet and Azure CNI are valid options.
+The Container Networking Interface (CNI) is a vendor-neutral protocol that lets the container runtime make requests to a network provider. The Azure CNI assigns IP addresses to pods and nodes, and provides IP address management (IPAM) features as you connect to existing Azure virtual networks. Each node and pod resource receives an IP address in the Azure virtual network, and no extra routing is needed to communicate with other resources or services.
+
+![Diagram showing two nodes with bridges connecting each to a single Azure VNet](media/operator-best-practices-network/advanced-networking-diagram.png)
A notable benefit of Azure CNI networking for production is the network model allows for separation of control and management of resources. From a security perspective, you often want different teams to manage and secure those resources. Azure CNI networking lets you connect to existing Azure resources, on-premises resources, or other services directly via IP addresses assigned to each pod.
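Review bot: The new heading `### CNI Networking` capitalises "Networking" and drops "Azure", while the bullets in this same hunk call the mode "Azure CNI networking" in sentence case. Rename it to `### Azure CNI networking` so the heading matches the term readers will search for. The moved sentence "For production deployments, both kubenet and Azure CNI are valid options." now sits above the heading and outside either subsection, which is fine, but check that it still reads as the lead-in to the comparison rather than a stray line after the bullet list.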
@@ -43,22 +45,26 @@ When you use Azure CNI networking, the virtual network resource is in a separate
For more information about AKS service principal delegation, see [Delegate access to other Azure resources][sp-delegation]. Instead of a service principal, you can also use the system assigned managed identity for permissions. For more information, see [Use managed identities](use-managed-identity.md).
-As each node and pod receive its own IP address, plan out the address ranges for the AKS subnets. The subnet must be large enough to provide IP addresses for every node, pods, and network resources that you deploy. Each AKS cluster must be placed in its own subnet. To allow connectivity to on-premises or peered networks in Azure, don't use IP address ranges that overlap with existing network resources. There are default limits to the number of pods that each node runs with both kubenet and Azure CNI networking. To handle scale out events or cluster upgrades, you also need additional IP addresses available for use in the assigned subnet. This additional address space is especially important if you use Windows Server containers, as those node pools require an upgrade to apply the latest security patches. For more information on Windows Server nodes, see [Upgrade a node pool in AKS][nodepool-upgrade].
+As each node and pod receive its own IP address, plan out the address ranges for the AKS subnets. The subnet must be large enough to provide IP addresses for every node, pods, and network resources that you deploy. Each AKS cluster must be placed in its own subnet. To allow connectivity to on-premises or peered networks in Azure, don't use IP address ranges that overlap with existing network resources. There are default limits to the number of pods that each node runs with both kubenet and Azure CNI networking. To handle scale out events or cluster upgrades, you also need extra IP addresses available for use in the assigned subnet. This extra address space is especially important if you use Windows Server containers, as those node pools require an upgrade to apply the latest security patches. For more information on Windows Server nodes, see [Upgrade a node pool in AKS][nodepool-upgrade].
To calculate the IP address required, see [Configure Azure CNI networking in AKS][advanced-networking].
+When you create a cluster with Azure CNI networking, you specify other address ranges for use by the cluster, such as the Docker bridge address, DNS service IP, and service address range. In general, these address ranges shouldn't overlap each other and shouldn't overlap with any networks associated with the cluster, including any virtual networks, subnets, on-premises and peered networks. For the specific details around limits and sizing for these address ranges, see [Configure Azure CNI networking in AKS][advanced-networking].
+ ### Kubenet networking Although kubenet doesn't require you to set up the virtual networks before the cluster is deployed, there are disadvantages:
-* Nodes and pods are placed on different IP subnets. User Defined Routing (UDR) and IP forwarding is used to route traffic between pods and nodes. This additional routing may reduce network performance.
+* Nodes and pods are placed on different IP subnets. User Defined Routing (UDR) and IP forwarding is used to route traffic between pods and nodes. This extra routing may reduce network performance.
* Connections to existing on-premises networks or peering to other Azure virtual networks can be complex.
-Kubenet is suitable for small development or test workloads, as you don't have to create the virtual network and subnets separately from the AKS cluster. Simple websites with low traffic, or to lift and shift workloads into containers, can also benefit from the simplicity of AKS clusters deployed with kubenet networking. For most production deployments, you should plan for and use Azure CNI networking. You can also [configure your own IP address ranges and virtual networks using kubenet][aks-configure-kubenet-networking].
+Kubenet is suitable for small development or test workloads, as you don't have to create the virtual network and subnets separately from the AKS cluster. Simple websites with low traffic, or to lift and shift workloads into containers, can also benefit from the simplicity of AKS clusters deployed with kubenet networking. For most production deployments, you should plan for and use Azure CNI networking.
+
+You can also [configure your own IP address ranges and virtual networks using kubenet][aks-configure-kubenet-networking]. Similar to Azure CNI networking, these address ranges shouldn't overlap each other and shouldn't overlap with any networks associated with the cluster, including any virtual networks, subnets, on-premises and peered networks. For the specific details around limits and sizing for these address ranges, see [Use kubenet networking with your own IP address ranges in AKS][aks-configure-kubenet-networking].
## Distribute ingress traffic
-**Best practice guidance** - To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Ingress controllers provide additional features over a regular Azure load balancer, and can be managed as native Kubernetes resources.
+**Best practice guidance** - To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Ingress controllers provide extra features over a regular Azure load balancer, and can be managed as native Kubernetes resources.
An Azure load balancer can distribute customer traffic to applications in your AKS cluster, but it's limited in what it understands about that traffic. A load balancer resource works at layer 4, and distributes traffic based on protocol or ports. Most web applications that use HTTP or HTTPS should use Kubernetes ingress resources and controllers, which work at layer 7. Ingress can distribute traffic based on the URL of the application and handle TLS/SSL termination. This ability also reduces the number of IP addresses you expose and map. With a load balancer, each application typically needs a public IP address assigned and mapped to the service in the AKS cluster. With an ingress resource, a single IP address can distribute traffic to multiple applications.
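Review bot: In the added kubenet paragraph, "these address ranges" has no clear antecedent. The Azure CNI paragraph added earlier in this hunk names the Docker bridge address, DNS service IP, and service address range, but the kubenet paragraph only says "your own IP address ranges". Name the ranges there too, because overlap with on-premises or peered networks is exactly the misconfiguration the sentence warns about. Both links in that paragraph resolve to the same `[aks-configure-kubenet-networking]` target in consecutive sentences, so one is enough. "In general" in the CNI paragraph leaves it unclear whether overlap is ever acceptable; drop it or state the exception.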
@@ -114,7 +120,7 @@ An ingress controller that distributes traffic to services and applications is t
![A web application firewall (WAF) such as Azure App Gateway can protect and distribute traffic for your AKS cluster](media/operator-best-practices-network/web-application-firewall-app-gateway.png)
-A web application firewall (WAF) provides an additional layer of security by filtering the incoming traffic. The Open Web Application Security Project (OWASP) provides a set of rules to watch for attacks like cross site scripting or cookie poisoning. [Azure Application Gateway][app-gateway] (currently in preview in AKS) is a WAF that can integrate with AKS clusters to provide these security features, before the traffic reaches your AKS cluster and applications. Other third-party solutions also perform these functions, so you can continue to use existing investments or expertise in a given product.
+A web application firewall (WAF) provides an extra layer of security by filtering the incoming traffic. The Open Web Application Security Project (OWASP) provides a set of rules to watch for attacks like cross site scripting or cookie poisoning. [Azure Application Gateway][app-gateway] (currently in preview in AKS) is a WAF that can integrate with AKS clusters to provide these security features, before the traffic reaches your AKS cluster and applications. Other third-party solutions also perform these functions, so you can continue to use existing investments or expertise in a given product.
Load balancer or ingress resources continue to run in your AKS cluster to further refine the traffic distribution. App Gateway can be centrally managed as an ingress controller with a resource definition. To get started, [create an Application Gateway Ingress controller][app-gateway-ingress].
aks https://docs.microsoft.com/en-us/azure/aks/update-credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/update-credentials.md
@@ -44,6 +44,9 @@ az ad sp credential list --id $SP_ID --query "[].endDate" -o tsv
To update the credentials for the existing service principal, get the service principal ID of your cluster using the [az aks show][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable named *SP_ID* for use in additional command. These commands use Bash syntax.
+> [!WARNING]
+> When you reset your cluster credentials on an AKS cluster that uses Azure Virtual Machine Scale Sets, a [node image upgrade][node-image-upgrade] is performed to update your nodes with the new credential information.
+ ```azurecli-interactive SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \ --query servicePrincipalProfile.clientId -o tsv)
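Review bot: The `[!WARNING]` about the node image upgrade is inserted directly above the `az aks show` block, which only reads `servicePrincipalProfile.clientId` and changes nothing on the cluster. Move it next to the step that actually resets or updates the credentials, so the reader meets it at the point where the upgrade is triggered. The warning also names the operation without saying what it means for running workloads; add a short statement of the impact or rely on the `[node-image-upgrade]` link text to say so.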
@@ -134,3 +137,4 @@ In this article, the service principal for the AKS cluster itself and the AAD In
[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac [az-ad-sp-credential-list]: /cli/azure/ad/sp/credential#az-ad-sp-credential-list [az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az-ad-sp-credential-reset
+[node-image-upgrade]: ./node-image-upgrade.md
aks https://docs.microsoft.com/en-us/azure/aks/use-pod-security-policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/use-pod-security-policies.md
@@ -3,13 +3,13 @@ Title: Use pod security policies in Azure Kubernetes Service (AKS)
description: Learn how to control pod admissions by using PodSecurityPolicy in Azure Kubernetes Service (AKS) Previously updated : 07/21/2020 Last updated : 02/12/2021 # Preview - Secure your cluster using pod security policies in Azure Kubernetes Service (AKS) > [!WARNING]
-> **The feature described in this document, pod security policy (preview), is set for deprecation and will no longer be available after May 31st, 2021** in favor of [Azure Policy for AKS](use-pod-security-on-azure-policy.md). The deprecation date has been extended from the previous date of October 15th, 2020.
+> **The feature described in this document, pod security policy (preview), is set for deprecation and will no longer be available after June 30th, 2021** in favor of [Azure Policy for AKS](use-pod-security-on-azure-policy.md). The deprecation date has been extended from the previous date of October 15th, 2020.
> > After pod security policy (preview) is deprecated, you must disable the feature on any existing clusters using the deprecated feature to perform future cluster upgrades and stay within Azure support. >
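Review bot: The warning now gives June 30th, 2021, but the sentence that follows still reads "The deprecation date has been extended from the previous date of October 15th, 2020", which skips the May 31st, 2021 date that this change replaces. Update that sentence to name the most recent previous date, or reword it so it does not imply a single extension. Operators who planned their migration to Azure Policy around May 31st have no cue in the text that the date moved again.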
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/hybrid-runbook-worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/hybrid-runbook-worker.md
@@ -3,7 +3,9 @@ Title: Troubleshoot Azure Automation Hybrid Runbook Worker issues
description: This article tells how to troubleshoot and resolve issues that arise with Azure Automation Hybrid Runbook Workers. Previously updated : 11/25/2019++ Last updated : 02/11/2021
@@ -21,9 +23,7 @@ The Hybrid Runbook Worker depends on an agent to communicate with your Azure Aut
Runbook execution fails, and you receive the following error message:
-```error
-"The job action 'Activate' cannot be run, because the process stopped unexpectedly. The job action was attempted three times."
-```
+`The job action 'Activate' cannot be run, because the process stopped unexpectedly. The job action was attempted three times.`
Your runbook is suspended shortly after it attempts to execute three times. There are conditions that can interrupt the runbook from completing. The related error message might not include any additional information.
@@ -51,13 +51,12 @@ Check the **Microsoft-SMA** event log for a corresponding event with the descrip
The Hybrid Runbook Worker receives event 15011, indicating that a query result isn't valid. The following error appears when the worker attempts to open a connection with the [SignalR server](/aspnet/core/signalr/introduction).
-```error
-[AccountId={c7d22bd3-47b2-4144-bf88-97940102f6ca}]
+`[AccountId={c7d22bd3-47b2-4144-bf88-97940102f6ca}]
[Uri=https://cc-jobruntimedata-prod-su1.azure-automation.net/notifications/hub][Exception=System.TimeoutException: Transport timed out trying to connectΓÇï at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()ΓÇï at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)ΓÇï at JobRuntimeData.NotificationsClient.JobRuntimeDataServiceSignalRClient.<Start>d__45.MoveNext()ΓÇï
-```
+`
#### Cause
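Review bot: The SignalR error is now wrapped in a single pair of backticks that opens on the `[AccountId=...]` line and closes on a line by itself after the stack trace. An inline code span collapses the line breaks of a multi-line trace and is easy to break with a stray backtick, so keep a fenced block for this message and drop only the `error` language tag if that is what is being retired. The sample also carries a full GUID in `AccountId` and a regional endpoint in `Uri`; if these are not already dummy values, replace them with placeholders.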
@@ -91,14 +90,13 @@ Start the worker machine, and then rereregister it with Azure Automation. For in
A runbook running on a Hybrid Runbook Worker fails with the following error message:
-```error
-Connect-AzAccount : No certificate was found in the certificate store with thumbprint 0000000000000000000000000000000000000000
-At line:3 char:1
-+ Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID -Appl ...
-+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- + CategoryInfo : CloseError: (:) [Connect-AzAccount], ArgumentException
- + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzAccountCommand
-```
+`Connect-AzAccount : No certificate was found in the certificate store with thumbprint 0000000000000000000000000000000000000000`
+`At line:3 char:1`
+`+ Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID -Appl ...`
+`+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
+` + CategoryInfo : CloseError: (:) [Connect-AzAccount],ArgumentException`
+` + FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzAccountCommand`
+ #### Cause This error occurs when you attempt to use a [Run As account](../automation-security-overview.md#run-as-accounts) in a runbook that runs on a Hybrid Runbook Worker where the Run As account certificate isn't present. Hybrid Runbook Workers don't have the certificate asset locally by default. The Run As account requires this asset to operate properly.
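Review bot: Wrapping each line of the `Connect-AzAccount` error in its own backticks changed the content of the `CategoryInfo` line: `[Connect-AzAccount], ArgumentException` became `[Connect-AzAccount],ArgumentException`. Restore the space so the text matches what the cmdlet prints and stays searchable for someone pasting the error. Per-line backticks also lose the column alignment of the original block, so a fenced block without a language tag would serve this multi-line message better.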
@@ -113,9 +111,7 @@ If your Hybrid Runbook Worker is an Azure VM, you can use [runbook authenticatio
The worker's initial registration phase fails, and you receive the following error (403):
-```error
-"Forbidden: You don't have permission to access / on this server."
-```
+`Forbidden: You don't have permission to access / on this server.`
#### Cause
@@ -135,6 +131,37 @@ Your Log Analytics workspace and Automation account must be in a linked region.
You might also need to update the date or time zone of your computer. If you select a custom time range, make sure that the range is in UTC, which can differ from your local time zone.
+### <a name="set-azstorageblobcontent-execution-fails"></a>Scenario: Set-AzStorageBlobContent fails on a Hybrid Runbook Worker
+
+#### Issue
+
+Runbook fails when it tries to execute `Set-AzStorageBlobContent`, and you receive the following error message:
+
+`Set-AzStorageBlobContent : Failed to open file xxxxxxxxxxxxxxxx: Illegal characters in path`
+
+#### Cause
+
+ This error is caused by the long file name behavior of calls to `[System.IO.Path]::GetFullPath()` which adds UNC paths.
+
+#### Resolution
+
+As a workaround, you can create a configuration file named `OrchestratorSandbox.exe.config` with the following content:
+
+```azurecli
+<configuration>
+ <runtime>
+ <AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
+ </runtime>
+</configuration>
+```
+
+Place this file in the same folder as the executable file `OrchestratorSandbox.exe`. For example,
+
+`%ProgramFiles%\Microsoft Monitoring Agent\Agent\AzureAutomation\7.3.702.0\HybridAgent`
+
+>[!Note]
+> If you upgrade the agent, this config file will be deleted, and will need to be recreated.
+ ## Linux The Linux Hybrid Runbook Worker depends on the [Log Analytics agent for Linux](../../azure-monitor/platform/log-analytics-agent.md) to communicate with your Automation account to register the worker, receive runbook jobs, and report status. If registration of the worker fails, here are some possible causes for the error.
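Review bot: The `OrchestratorSandbox.exe.config` sample is XML but is fenced as `azurecli`, so it will be highlighted and presented as a CLI command; tag it `xml`. The example folder hard-codes the agent version `7.3.702.0`, and the note says the file is deleted on agent upgrade, so show the version segment as a placeholder and tell the reader to check the current folder name. The Cause section would be clearer if it said which value of `Switch.System.IO.UseLegacyPathHandling` produces the failure, since the fix sets it to `false` without explanation. `>[!Note]` should also use the `> [!NOTE]` form.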
@@ -187,7 +214,7 @@ If the agent isn't running, run the following command to start the service: `sud
If you see the error message `The specified class does not exist..` in **/var/opt/microsoft/omsconfig/omsconfig.log**, the Log Analytics agent for Linux needs to be updated. Run the following command to reinstall the agent.
-```bash
+```Bash
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <WorkspaceID> -s <WorkspaceKey> ```
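Review bot: The fence tag changes from `bash` to `Bash`, while the other tags touched in this file are lowercase (`kusto`, `azurecli`); keep `bash` unless the build requires the capitalised form. While this block is being edited, note that the command fetches `onboard_agent.sh` from the `master` branch and runs it immediately with the workspace key as an argument. Pointing at a tagged release, or telling the reader to inspect the script before running it, would make the step reproducible and reviewable.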
@@ -262,8 +289,7 @@ Your Hybrid Runbook Worker machine is running, but you don't see heartbeat data
The following example query shows the machines in a workspace and their last heartbeat:
-```loganalytics
-// Last heartbeat of each computer
+```kusto
Heartbeat | summarize arg_max(TimeGenerated, *) by Computer ```
@@ -290,9 +316,7 @@ Start-Service -Name HealthService
You receive the following message when you try to add a Hybrid Runbook Worker by using the `Add-HybridRunbookWorker` cmdlet:
-```error
-Machine is already registered
-```
+`Machine is already registered`
#### Cause
@@ -310,15 +334,11 @@ To resolve this issue, remove the following registry key, restart `HealthService
You receive the following message when you try to add a Hybrid Runbook Worker by using the `sudo python /opt/microsoft/omsconfig/.../onboarding.py --register` python script:
-```error
-Unable to register, an existing worker was found. Please deregister any existing worker and try again.
-```
+`Unable to register, an existing worker was found. Please deregister any existing worker and try again.`
Additionally, attempting to deregister a Hybrid Runbook Worker by using the `sudo python /opt/microsoft/omsconfig/.../onboarding.py --deregister` python script:
-```error
-Failed to deregister worker. [response_status=404]
-```
+`Failed to deregister worker. [response_status=404]`
#### Cause
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/runbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/runbooks.md
@@ -2,8 +2,7 @@
Title: Troubleshoot Azure Automation runbook issues description: This article tells how to troubleshoot and resolve issues with Azure Automation runbooks. - Previously updated : 11/03/2020 Last updated : 02/11/2021
@@ -219,37 +218,46 @@ When executing runbooks, the runbook fails to manage Azure resources.
### Cause
-The runbook isn't using the correct context when running.
+The runbook isn't using the correct context when running. This may be because the runbook is accidentally trying to access the incorrect subscription.
-### Resolution
-
-The subscription context might be lost when a runbook invokes multiple runbooks. To ensure that the subscription context is passed to the runbooks, have the client runbook pass the context to the `Start-AzureRmAutomationRunbook` cmdlet in the `AzureRmContext` parameter. Use the `Disable-AzureRmContextAutosave` cmdlet with the `Scope` parameter set to `Process` to ensure that the specified credentials are only used for the current runbook. For more information, see [Subscriptions](../automation-runbook-execution.md#subscriptions).
-
-```azurepowershell-interactive
-# Ensures that any credentials apply only to the execution of this runbook
-Disable-AzContextAutosave ΓÇôScope Process
+You may see errors like this one:
-# Connect to Azure with Run As account
-$ServicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
+```error
+Get-AzVM : The client '<automation-runas-account-guid>' with object id '<automation-runas-account-guid>' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read' over scope '/subscriptions/<subcriptionIdOfSubscriptionWichDoesntContainTheVM>/resourceGroups/REsourceGroupName/providers/Microsoft.Compute/virtualMachines/VMName '.
+ ErrorCode: AuthorizationFailed
+ StatusCode: 403
+ ReasonPhrase: Forbidden Operation
+ ID : <AGuidRepresentingTheOperation> At line:51 char:7 + $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $UNBV... +
+```
-Connect-AzAccount `
- -ServicePrincipal `
- -Tenant $ServicePrincipalConnection.TenantId `
- -ApplicationId $ServicePrincipalConnection.ApplicationId `
- -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
+### Resolution
-$AzContext = Select-AzSubscription -SubscriptionId $ServicePrincipalConnection.SubscriptionID
+The subscription context might be lost when a runbook invokes multiple runbooks. To avoid accidentally trying to access the incorrect subscription you should follow the guidance below.
-$params = @{"VMName"="MyVM";"RepeatCount"=2;"Restart"=$true}
+* To avoid referencing the wrong subscription, disable context saving in your Automation runbooks by using the following code at the start of each runbook.
-Start-AzAutomationRunbook `
- ΓÇôAutomationAccountName 'MyAutomationAccount' `
- ΓÇôName 'Test-ChildRunbook' `
- -ResourceGroupName 'LabRG' `
- -AzContext $AzContext `
- ΓÇôParameters $params ΓÇôwait
-```
+ ```azurepowershell-interactive
+ Disable-AzContextAutosave ΓÇôScope Process
+ ```
+* The Azure PowerShell cmdlets support the `-DefaultProfile` parameter. This was added to all Az and AzureRm cmdlets to support running multiple PowerShell scripts in the same process, allowing you to specify the context and which subscription to use for each cmdlet. With your runbooks, you should save the context object in your runbook when the runbook is created (that is, when an account signs in) and every time it's changed, and reference the context when you specify an Az cmdlet.
+
+ > [!NOTE]
+ > You should pass in a context object even when manipulating the context directly using cmdlets such as [Set-AzContext](/powershell/module/az.accounts/Set-AzContext) or [Select-AzSubscription](/powershell/module/servicemanagement/azure.service/set-azuresubscription).
+
+ ```azurepowershell-interactive
+ $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
+ $context = Add-AzAccount `
+ -ServicePrincipal `
+ -TenantId $servicePrincipalConnection.TenantId `
+ -ApplicationId $servicePrincipalConnection.ApplicationId `
+ -Subscription 'cd4dxxxx-xxxx-xxxx-xxxx-xxxxxxxx9749' `
+ -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
+ $context = Set-AzContext -SubscriptionName $subscription `
+ -DefaultProfile $context
+ Get-AzVm -DefaultProfile $context
+ ```
+
## <a name="auth-failed-mfa"></a>Scenario: Authentication to Azure fails because multifactor authentication is enabled ### Issue
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/release-notes.md
@@ -20,7 +20,28 @@
### New capabilities and features
-Azure Data CLI (`azdata`) version number: 20.3.0. Download at [https://aka.ms/azdata](https://aka.ms/azdata).
+Azure Data CLI (`azdata`) version number: 20.3.0. Download at [https://aka.ms/azdata](https://aka.ms/azdata). You can install `azdata` from [Install Azure Data CLI (`azdata`)](/sql/azdata/install/deploy-install-azdata).
++
+Additional updates include:
+- Localized portal available for 17 new languages
+- Minor changes to Kube-native .yaml files
+- New versions of Grafana and Kibana
+- Issues with Python environments when using azdata in notebooks in Azure Data Studio resolved
+- The pg_audit extension is now available for PostgreSQL Hyperscale
+- A backup ID is no longer required when doing a full restore of a PostgreSQL Hyperscale database
+- The status (health state) is reported for each of the PostgreSQL instances that constitute a sever group
+
+ In earlier releases, the status was aggregated at the server group level and not itemized at the PostgreSQL node level.
+
+- PostgreSQL deployments now honor the volume size parameters indicated in create commands
+- The engine version parameters is now honored when editing a server group
+- The naming convention of the pods for Azure Arc enabled PostgreSQL Hyperscale has changed
+
+ It is now in the form: `ServergroupName{c, w}-n`. For example, a server group with three nodes, one coordinator node and two worker nodes is represented as:
+ - `Postgres01c-0` (coordinator node)
+ - `Postgres01w-0` (worker node)
+ - `Postgres01w-1` (worker node)
## December 2020
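Review bot: Two wording errors in the added bullets: "that constitute a sever group" should read "server group", and "The engine version parameters is now honored" should be "parameter is". The lone `++` line after the `azdata` sentence looks like leftover markup and should be dropped. The pod naming pattern `ServergroupName{c, w}-n` would be clearer if the text said that `c` and `w` mark coordinator and worker nodes and that `n` is the zero-based index, as the three examples imply.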
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/manage-agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-agent.md
@@ -1,7 +1,7 @@
Title: Managing the Azure Arc enabled servers agent description: This article describes the different management tasks that you will typically perform during the lifecycle of the Azure Arc enabled servers Connected Machine agent. Previously updated : 01/21/2021 Last updated : 02/10/2021
@@ -43,60 +43,17 @@ For Arc enabled servers, before you rename the machine, it is necessary to remov
> [!WARNING] > We recommend you avoid renaming the machine's computer name and only perform this procedure if absolutely necessary.
-The steps below summarize the computer rename procedure.
- 1. Audit the VM extensions installed on the machine and note their configuration, using the [Azure CLI](manage-vm-extensions-cli.md#list-extensions-installed) or using [Azure PowerShell](manage-vm-extensions-powershell.md#list-extensions-installed).
-2. Remove the VM extensions using PowerShell, the Azure CLI, or from the Azure portal.
-
- > [!NOTE]
- > If you deployed the Azure Monitor for VMs (insights) agent or the Log Analytics agent using an Azure Policy Guest Configuration policy, the agents are redeployed after the next [evaluation cycle](../../governance/policy/how-to/get-compliance-data.md#evaluation-triggers) and after the renamed machine is registered with Arc enabled servers.
-
-3. Disconnect the machine from Arc enabled servers using PowerShell, the Azure CLI, or from the portal.
-
-4. Rename the computer.
-
-5. Connect the machine with Arc enabled servers using the `Azcmagent` tool to register and create a new resource in Azure.
-
-6. Deploy VM extensions previously installed on the target machine.
-
-Use the following steps to complete this task.
-
-1. Remove VM extensions installed from the [Azure portal](manage-vm-extensions-portal.md#uninstall-extension), using the [Azure CLI](manage-vm-extensions-cli.md#remove-an-installed-extension), or using [Azure PowerShell](manage-vm-extensions-powershell.md#remove-an-installed-extension).
-
-2. Use one of the following methods to disconnect the machine from Azure Arc. Disconnecting the machine from Arc enabled servers does not remove the Connected Machine agent, and you do not need to remove the agent as part of this process. Any VM extensions that are deployed to the machine continue to work during this process.
-
- # [Azure portal](#tab/azure-portal)
-
- 1. From your browser, go to the [Azure portal](https://portal.azure.com).
- 1. In the portal, browse to **Servers - Azure Arc** and select your hybrid machine from the list.
- 1. From the selected registered Arc enabled server, select **Delete** from the top bar to delete the resource in Azure.
-
- # [Azure CLI](#tab/azure-cli)
-
- ```azurecli
- az resource delete \
- --resource-group ExampleResourceGroup \
- --name ExampleArcMachine \
- --resource-type "Microsoft.HybridCompute/machines"
- ```
-
- # [Azure PowerShell](#tab/azure-powershell)
-
- ```powershell
- Remove-AzResource `
- -ResourceGroupName ExampleResourceGroup `
- -ResourceName ExampleArcMachine `
- -ResourceType Microsoft.HybridCompute/machines
- ```
+2. Remove VM extensions installed from the [Azure portal](manage-vm-extensions-portal.md#uninstall-extension), using the [Azure CLI](manage-vm-extensions-cli.md#remove-an-installed-extension), or using [Azure PowerShell](manage-vm-extensions-powershell.md#remove-an-installed-extension).
-3. Rename the computer name of the machine.
+3. Use the **azcmagent** tool with the [Disconnect](manage-agent.md#disconnect) parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. Disconnecting the machine from Arc enabled servers does not remove the Connected Machine agent, and you do not need to remove the agent as part of this process. You can run this manually while logged on interactively, or automate using the same service principal you used to onboard multiple agents, or with a Microsoft identity platform [access token](../../active-directory/develop/access-tokens.md). If you did not use a service principal to register the machine with Azure Arc enabled servers, see the following [article](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) to create a service principal.
-### After renaming operation
+4. Rename the machines computer name.
-After a machine has been renamed, the Connected Machine agent needs to be re-registered with Arc enabled servers. Run the `azcmagent` tool with the [Connect](#connect) parameter complete this step.
+5. Re-register the Connected Machine agent with Arc enabled servers. Run the `azcmagent` tool with the [Connect](manage-agent.md#connect) parameter complete this step.
-Redeploy the VM extensions that were originally deployed to the machine from Arc enabled servers. If you deployed the Azure Monitor for VMs (insights) agent or the Log Analytics agent using an Azure Policy Guest Configuration policy, the agents are redeployed after the next [evaluation cycle](../../governance/policy/how-to/get-compliance-data.md#evaluation-triggers).
+6. Redeploy the VM extensions that were originally deployed to the machine from Arc enabled servers. If you deployed the Azure Monitor for VMs (insights) agent or the Log Analytics agent using an Azure policy, the agents are redeployed after the next [evaluation cycle](../../governance/policy/how-to/get-compliance-data.md#evaluation-triggers).
## Upgrading agent
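Review bot: Step 3 tells readers to automate the disconnect with "the same service principal you used to onboard multiple agents", yet the same step says the disconnect deletes the machine resource from Azure; state which permission that delete needs, because a principal scoped only for onboarding may not be allowed to delete resources. Also in this hunk: "Rename the machines computer name" needs an apostrophe ("machine's"), "parameter complete this step" is missing "to", and the `[Disconnect]` and `[Connect]` links now point at `manage-agent.md#...` from inside manage-agent.md, where the bare `#connect` style used before is enough. The removed note said agents deployed by policy come back after the renamed machine is registered; step 6 keeps only the evaluation-cycle part, so check that dropping the registration condition is intended.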
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-premium-persistence https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/cache-how-to-premium-persistence.md
@@ -62,6 +62,9 @@ Persistence writes Redis data into an Azure Storage account that you own and man
| **Storage Key** | Drop-down and choose either the **Primary key** or **Secondary key** to use. | If the storage key for your persistence account is regenerated, you must reconfigure the desired key from the **Storage Key** drop-down. | The first backup is initiated once the backup frequency interval elapses.
+
+ > [!NOTE]
+ > When RDB files are backed up to storage, they are stored in the form of page blobs.
9. To enable AOF persistence, click **AOF** and configure the settings.
@@ -92,7 +95,7 @@ The following list contains answers to commonly asked questions about Azure Cach
* [Which persistence model should I choose?](#which-persistence-model-should-i-choose) * [What happens if I have scaled to a different size and a backup is restored that was made before the scaling operation?](#what-happens-if-i-have-scaled-to-a-different-size-and-a-backup-is-restored-that-was-made-before-the-scaling-operation) * [Can I use the same storage account for persistence across two different caches?](#can-i-use-the-same-storage-account-for-persistence-across-two-different-caches)-
+* [Will I be charged for the storage being used in Data Persistence](#will-i-be-charged-for-the-storage-being-used-in-data-persistence)
### RDB persistence * [Can I change the RDB backup frequency after I create the cache?](#can-i-change-the-rdb-backup-frequency-after-i-create-the-cache)
@@ -182,6 +185,10 @@ When clustering is enabled, each shard in the cache has its own set of page blob
After a rewrite, two sets of AOF files exist in storage. Rewrites occur in the background and append to the first set of files, while set operations that are sent to the cache during the rewrite append to the second set. A backup is temporarily stored during rewrites in case of failure, but is promptly deleted after a rewrite finishes.
+### Will I be charged for the storage being used in Data Persistence?
+
+Yes, you will be charged for the storage being used as per the pricing model of the storage account being used.
+ ## Next steps Learn more about Azure Cache for Redis features.
@@ -198,4 +205,4 @@ Learn more about Azure Cache for Redis features.
[redis-cache-aof-persistence]: ./media/cache-how-to-premium-persistence/redis-cache-aof-persistence.png
-[redis-cache-settings]: ./media/cache-how-to-premium-persistence/redis-cache-settings.png
+[redis-cache-settings]: ./media/cache-how-to-premium-persistence/redis-cache-settings.png
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-rabbitmq-trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-rabbitmq-trigger.md
@@ -23,7 +23,7 @@ For information on setup and configuration details, see the [overview](functions
# [C#](#tab/csharp)
-The following example shows a [C# function](functions-dotnet-class-library.md) that reads and logs the RabbitMQ message as a [RabbitMQ Event](https://www.rabbitmq.com/releases/rabbitmq-dotnet-client/v3.2.2/rabbitmq-dotnet-client-3.2.2-client-htmldoc/html/type-RabbitMQ.Client.Events.BasicDeliverEventArgs.html):
+The following example shows a [C# function](functions-dotnet-class-library.md) that reads and logs the RabbitMQ message as a [RabbitMQ Event](https://rabbitmq.github.io/rabbitmq-dotnet-client/api/RabbitMQ.Client.Events.BasicDeliverEventArgs.html):
```cs [FunctionName("RabbitMQTriggerCSharp")]
@@ -225,7 +225,7 @@ The following table explains the binding configuration properties that you set i
# [C#](#tab/csharp)
-The default message type is [RabbitMQ Event](https://www.rabbitmq.com/releases/rabbitmq-dotnet-client/v3.2.2/rabbitmq-dotnet-client-3.2.2-client-htmldoc/html/type-RabbitMQ.Client.Events.BasicDeliverEventArgs.html), and the `Body` property of the RabbitMQ Event can be read as the types listed below:
+The default message type is [RabbitMQ Event](https://rabbitmq.github.io/rabbitmq-dotnet-client/api/RabbitMQ.Client.Events.BasicDeliverEventArgs.html), and the `Body` property of the RabbitMQ Event can be read as the types listed below:
* `An object serializable as JSON` - The message is delivered as a valid JSON string. * `string`
@@ -234,7 +234,7 @@ The default message type is [RabbitMQ Event](https://www.rabbitmq.com/releases/r
# [C# Script](#tab/csharp-script)
-The default message type is [RabbitMQ Event](https://www.rabbitmq.com/releases/rabbitmq-dotnet-client/v3.2.2/rabbitmq-dotnet-client-3.2.2-client-htmldoc/html/type-RabbitMQ.Client.Events.BasicDeliverEventArgs.html), and the `Body` property of the RabbitMQ Event can be read as the types listed below:
+The default message type is [RabbitMQ Event](https://rabbitmq.github.io/rabbitmq-dotnet-client/api/RabbitMQ.Client.Events.BasicDeliverEventArgs.html), and the `Body` property of the RabbitMQ Event can be read as the types listed below:
* `An object serializable as JSON` - The message is delivered as a valid JSON string. * `string`
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/apm-tables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/apm-tables.md
@@ -6,7 +6,7 @@ Last updated 05/09/2020
-# Workspace-based resource changes (preview)
+# Workspace-based resource changes
Prior to the introduction of [workspace-based Application Insights resources](create-workspace-resource.md), Application Insights data was stored separate from other log data in Azure Monitor. Both are based on Azure Data Explorer and use the same Kusto Query Language (KQL). This is described in [Logs in Azure Monitor](../platform/data-platform-logs.md).
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/azure-web-apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/azure-web-apps.md
@@ -70,7 +70,8 @@ There are two ways to enable application monitoring for Azure App Services hoste
# [ASP.NET Core](#tab/netcore)
-The following versions of ASP.NET Core are supported: ASP.NET Core 2.1, ASP.NET Core 2.2, ASP.NET Core 3.0, ASP.NET Core 3.1
+> [!IMPORTANT]
+> The following versions of ASP.NET Core are supported: ASP.NET Core 2.1, 3.1, and 5.0. Versions 2.0, 2.2, and 3.0 have been retired and are no longer supported. Please upgrade to a [supported version](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) of .NET Core for auto-instrumentation to work.
Targeting the full framework from ASP.NET Core, self-contained deployment, and Linux based applications are currently **not supported** with agent/extension based monitoring. ([Manual instrumentation](./asp-net-core.md) via code will work in all of the previous scenarios.)
@@ -85,7 +86,7 @@ Targeting the full framework from ASP.NET Core, self-contained deployment, and L
![Instrument your web app](./media/azure-web-apps/create-resource-01.png)
-2. After specifying which resource to use, you can choose how you want Application Insights to collect data per platform for your application. ASP.NET Core offers **Recommended collection** or **Disabled** for ASP.NET Core 2.1, 2.2, 3.0 and 3.1.
+2. After specifying which resource to use, you can choose how you want Application Insights to collect data per platform for your application. ASP.NET Core offers **Recommended collection** or **Disabled** for ASP.NET Core 2.1 and 3.1.
![Choose options per platform](./media/azure-web-apps/choose-options-new-net-core.png)
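Review bot: Step 2 now lists collection options "for ASP.NET Core 2.1 and 3.1", while the IMPORTANT note added earlier in this article's diff says 2.1, 3.1, and 5.0 are supported; either add 5.0 here or say why the portal option does not cover it.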
@@ -415,6 +416,12 @@ If you wish to test out codeless server and client-side monitoring for ASP.NET o
When codeless monitoring is being used, only the connection string is required. However, we still recommend setting the instrumentation key to preserve backwards compatibility with older versions of the SDK when manual instrumentation is being performed.
+### Difference between Standard Metrics from Application Insights vs Azure App Service metrics?
+
+Application Insights collects telemetry for those requests which made it to the application. If the failure occurred in WebApps/IIS, and the request did not reach the user application, then Application Insights will not have any telemetry about it.
+
+The duration for `serverresponsetime` calculated by Application Insights is not necessarily matching the server response time observed by Web Apps. This is because Application Insights only counts the duration when the request actual reaches user application. If the request is stuck/queued in IIS, that waiting time will be included in the Web App metrics, but not in Application Insights metrics.
+ ## Release notes For the latest updates and bug fixes [consult the release notes](./web-app-extension-release-notes.md).
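Review bot: The new heading "Difference between Standard Metrics from Application Insights vs Azure App Service metrics?" ends in a question mark but is not a question; phrase it as one ("What is the difference between ...?") or drop the mark. In the body, "when the request actual reaches user application" should be "actually reaches the user application", and "is not necessarily matching" reads better as "does not necessarily match". Since the text states that Application Insights has no telemetry for requests that fail in WebApps/IIS, it should also say where to look for those failures.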
@@ -426,4 +433,4 @@ For the latest updates and bug fixes [consult the release notes](./web-app-exten
* [Monitor service health metrics](../platform/data-platform.md) to make sure your service is available and responsive. * [Receive alert notifications](../platform/alerts-overview.md) whenever operational events happen or metrics cross a threshold. * Use [Application Insights for JavaScript apps and web pages](javascript.md) to get client telemetry from the browsers that visit a web page.
-* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.
+* [Set up Availability web tests](monitor-web-app-availability.md) to be alerted if your site is down.
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-in-process-agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-in-process-agent.md
@@ -233,6 +233,7 @@ try {
} finally { long endTime = System.currentTimeMillis(); RemoteDependencyTelemetry telemetry = new RemoteDependencyTelemetry();
+ telemetry.setSuccess(success);
telemetry.setTimestamp(new Date(startTime)); telemetry.setDuration(new Duration(endTime - startTime)); telemetryClient.trackDependency(telemetry);
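Review bot: `telemetry.setSuccess(success)` is added inside `finally`, but the declaration and assignment of `success` are outside the visible hunk; confirm it is declared before the `try` with a `false` default and set to `true` only after the dependency call returns, otherwise the sample either does not compile or reports a failed call as successful.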
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-enable-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/vminsights-enable-overview.md
@@ -63,7 +63,7 @@ See the following list of considerations on Linux support of the Dependency agen
## Log Analytics workspace Azure Monitor for VMs requires a Log Analytics workspace. See [Configure Log Analytics workspace for Azure Monitor for VMs](vminsights-configure-workspace.md) for details and requirements of this workspace. ## Agents
-Azure Monitor for VMs requires the following two agents to be installed on each virtual machine or virtual machine scale set to be monitored. To onboard the resource, install these agents and connect them to the workspace. See [Network requirements](../platform/log-analytics-agent.md#network-requirements) for the network requirements for these agents.
+Azure Monitor for VMs requires the following two agents to be installed on each virtual machine or virtual machine scale set to be monitored. To onboard the resource, install these agents and connect them to the workspace.
- [Log Analytics agent](../platform/log-analytics-agent.md). Collects events and performance data from the virtual machine or virtual machine scale set and delivers it to the Log Analytics workspace. Deployment methods for the Log Analytics agent on Azure resources use the VM extension for [Windows](../../virtual-machines/extensions/oms-windows.md) and [Linux](../../virtual-machines/extensions/oms-linux.md). - Dependency agent. Collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the [Map feature in Azure Monitor for VMs](vminsights-maps.md). The Dependency agent relies on the Log Analytics agent to deliver its data to Azure Monitor. Deployment methods for the Dependency agent on Azure resources use the VM extension for [Windows](../../virtual-machines/extensions/agent-dependency-windows.md) and [Linux](../../virtual-machines/extensions/agent-dependency-linux.md).
@@ -81,6 +81,10 @@ The following are multiple methods for deploying these agents.
| [Manual install](./vminsights-enable-hybrid.md) | Install the agents in the guest operating system on computers hosted outside of Azure including in your datacenter or other cloud environments. |
+## Network requirements
+
+- See [Network requirements](../platform/log-analytics-agent.md#network-requirements) for the network requirements for the Log Analytics agent.
+- The dependency agent requires a connection from the virtual machine to the address 169.254.169.254. This is the Azure metadata service endpoint. Ensure that firewall settings allow connections to this endpoint.
## Management packs
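Review bot: The 169.254.169.254 bullet should say what to allow: outbound HTTP (port 80) from the virtual machine itself to that link-local address, which is a host firewall or proxy-bypass setting rather than a perimeter rule. State as well that the requirement applies to Azure virtual machines, since the deployment table just above includes a manual install for computers hosted outside of Azure, where there is no Azure metadata service behind that address. "dependency agent" is capitalized as "Dependency agent" elsewhere in the article.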
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-dedicated-clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/log-query/logs-dedicated-clusters.md
@@ -79,7 +79,7 @@ After you create your *Cluster* resource, you can edit additional properties suc
You can have up to 2 active clusters per subscription per region. If cluster is deleted, it is still reserved for 14 days. You can have up to 4 reserved clusters per subscription per region (active or recently deleted). > [!WARNING]
-> Cluster creation triggers resource allocation and provisioning. This operation can take up to an hour to complete. It is recommended to run it asynchronously.
+> Cluster creation triggers resource allocation and provisioning. This operation can take a few hours to complete. It is recommended to run it asynchronously.
The user account that creates the clusters must have the standard Azure resource creation permission: `Microsoft.Resources/deployments/*` and cluster write permission `Microsoft.OperationalInsights/clusters/write` by having in their role assignments this specific action or `Microsoft.OperationalInsights/*` or `*/write`.
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/request-just-in-time-access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/request-just-in-time-access.md
@@ -8,7 +8,7 @@
# Enable and request just-in-time access for Azure Managed Applications
-Consumers of your managed application may be reluctant to grant you permanent access to the managed resource group. As a publisher of a manager application, you might prefer that consumers know exactly when you need to access the managed resources. To give consumers greater control over granting access to managed resources, Azure Managed Applications provides a feature called just-in-time (JIT) access. This feature is currently in preview.
+Consumers of your managed application may be reluctant to grant you permanent access to the managed resource group. As a publisher of a managed application, you might prefer that consumers know exactly when you need to access the managed resources. To give consumers greater control over granting access to managed resources, Azure Managed Applications provides a feature called just-in-time (JIT) access. This feature is currently in preview.
JIT access enables you to request elevated access to a managed application's resources for troubleshooting or maintenance. You always have read-only access to the resources, but for a specific time period you can have greater access.
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-tutorial-linked-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deployment-tutorial-linked-template.md
@@ -1,7 +1,7 @@
Title: Tutorial - Deploy a linked template description: Learn how to deploy a linked template Previously updated : 02/10/2021 Last updated : 02/12/2021
@@ -9,7 +9,7 @@
# Tutorial: Deploy a linked template
-In the [previous tutorials](./deployment-tutorial-local-template.md), you learned how to deploy a template that is stored in your local computer. To deploy complex solutions, you can break a template into many templates, and deploy these templates through a main template. In this tutorial, you learn how to deploy a main template that contains the reference to a linked template. When the main template gets deployed, it triggers the deployment of the linked template. You also learn how to store and secure the linked template by using SAS token. It takes about **12 minutes** to complete.
+In the [previous tutorials](./deployment-tutorial-local-template.md), you learned how to deploy a template that is stored in your local computer. To deploy complex solutions, you can break a template into many templates, and deploy these templates through a main template. In this tutorial, you learn how to deploy a main template that contains the reference to a linked template. When the main template gets deployed, it triggers the deployment of the linked template. You also learn how to store and secure the templates by using SAS token. It takes about **12 minutes** to complete.
## Prerequisites
@@ -27,15 +27,18 @@ You can separate the storage account resource into a linked template:
:::code language="json" source="~/resourcemanager-templates/get-started-deployment/linked-template/linkedStorageAccount.json":::
-The following template is the main template. The highlighted `Microsoft.Resources/deployments` object shows how to call a linked template. The linked template cannot be stored as a local file or a file that is only available on your local network. You can only provide a URI value that includes either HTTP or HTTPS. Resource Manager must be able to access the template. One option is to place your linked template in a storage account, and use the URI for that item. The URI is passed to template using a parameter. See the highlighted parameter definition.
+The following template is the main template. The highlighted `Microsoft.Resources/deployments` object shows how to call a linked template. The linked template cannot be stored as a local file or a file that is only available on your local network. You can either provide a URI value of the linked template that includes either HTTP or HTTPS, or use the _relativePath_ property to deploy a remote linked template at a location relative to the parent template. One option is to place both the main template and the linked template in a storage account.
-
-Save a copy of the main template to your local computer with the _.json_ extension, for example, _azuredeploy.json_. You don't need to save a copy of the linked template. The linked template will be copied from a GitHub repository to a storage account.
## Store the linked template
-The following PowerShell script creates a storage account, creates a container, and copies the linked template from a GitHub repository to the container. A copy of the linked template is stored in [GitHub](https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/get-started-deployment/linked-template/linkedStorageAccount.json).
+Both of the main template and the linked template are stored in GitHub:
+
+The following PowerShell script creates a storage account, creates a container, and copies the two templates from a GitHub repository to the container. These two templates are:
+
+- The main template: https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/get-started-deployment/linked-template/azuredeploy.json
+- The linked template: https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/get-started-deployment/linked-template/linkedStorageAccount.json
Select **Try-it** to open the Cloud Shell, select **Copy** to copy the PowerShell script, and right-click the shell pane to paste the script:
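Review bot: "You can either provide a URI value of the linked template that includes either HTTP or HTTPS" uses "either" twice and presents plain HTTP as an equal choice for fetching a deployment template; reword it and recommend HTTPS. Under "Store the linked template", the new line "Both of the main template and the linked template are stored in GitHub:" ends in a colon with nothing after it and repeats what the next paragraph says; delete it or merge the two. The section heading still says "the linked template" although two templates are now stored.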
@@ -50,11 +53,15 @@ $resourceGroupName = $projectName + "rg"
$storageAccountName = $projectName + "store" $containerName = "templates" # The name of the Blob container to be created.
-$linkedTemplateURL = "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/get-started-deployment/linked-template/linkedStorageAccount.json" # A completed linked template used in this tutorial.
-$fileName = "linkedStorageAccount.json" # A file name used for downloading and uploading the linked template.
+$mainTemplateURL = "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/get-started-deployment/linked-template/azuredeploy.json"
+$linkedTemplateURL = "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/get-started-deployment/linked-template/linkedStorageAccount.json"
+
+$mainFileName = "azuredeploy.json" # A file name used for downloading and uploading the main template.Add-PSSnapin
+$linkedFileName = "linkedStorageAccount.json" # A file name used for downloading and uploading the linked template.
-# Download the template
-Invoke-WebRequest -Uri $linkedTemplateURL -OutFile "$home/$fileName"
+# Download the templates
+Invoke-WebRequest -Uri $mainTemplateURL -OutFile "$home/$mainFileName"
+Invoke-WebRequest -Uri $linkedTemplateURL -OutFile "$home/$linkedFileName"
# Create a resource group New-AzResourceGroup -Name $resourceGroupName -Location $location
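Review bot: The comment on the `$mainFileName` line ends with a stray `Add-PSSnapin` ("...the main template.Add-PSSnapin"); it looks like an accidental paste or autocomplete and should be removed. The two URL variables also lost the explanatory comment the old `$linkedTemplateURL` line had; a short comment on each would keep the script self-describing.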
@@ -71,11 +78,17 @@ $context = $storageAccount.Context
# Create a container New-AzStorageContainer -Name $containerName -Context $context -Permission Container
-# Upload the template
+# Upload the templates
+Set-AzStorageBlobContent `
+ -Container $containerName `
+ -File "$home/$mainFileName" `
+ -Blob $mainFileName `
+ -Context $context
+ Set-AzStorageBlobContent ` -Container $containerName `
- -File "$home/$fileName" `
- -Blob $fileName `
+ -File "$home/$linkedFileName" `
+ -Blob $linkedFileName `
-Context $context Write-Host "Press [ENTER] to continue ..."
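Review bot: The container that now receives both templates is created with `-Permission Container` (the context line above the uploads), which allows anonymous read of the container and its blobs, so the SAS token the tutorial goes on to generate protects nothing and the later statement that the blobs are "accessible to only the account owner" does not hold. Create the container with `-Permission Off` so that the SAS token is the only way in.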
@@ -83,7 +96,7 @@ Write-Host "Press [ENTER] to continue ..."
## Deploy template
-To deploy a private template in a storage account, generate a SAS token and include it in the URI for the template. Set the expiry time to allow enough time to complete the deployment. The blob containing the template is accessible to only the account owner. However, when you create a SAS token for the blob, the blob is accessible to anyone with that URI. If another user intercepts the URI, that user is able to access the template. A SAS token is a good way of limiting access to your templates, but you should not include sensitive data like passwords directly in the template.
+To deploy templates in a storage account, generate a SAS token and supply it to the _-QueryString_ parameter. Set the expiry time to allow enough time to complete the deployment. The blobs containing the templates are accessible to only the account owner. However, when you create a SAS token for a blob, the blob is accessible to anyone with that SAS token. If another user intercepts the URI and the SAS token, that user is able to access the template. A SAS token is a good way of limiting access to your templates, but you should not include sensitive data like passwords directly in the template.
If you haven't created the resource group, see [Create resource group](./deployment-tutorial-local-template.md#create-resource-group).
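Review bot: The rewritten paragraph speaks of creating "a SAS token for a blob", but the deployment script in this same diff switches to `New-AzStorageContainerSASToken` with `-Permission r`, so the token grants read on every blob in the container until the two-hour expiry, not on one template. Say that here, and change "that user is able to access the template" to "templates" to match.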
@@ -92,69 +105,66 @@ If you haven't created the resource group, see [Create resource group](./deploym
# [PowerShell](#tab/azure-powershell)
-```azurepowershell
+```azurepowershell-interactive
-$projectName = Read-Host -Prompt "Enter a project name:" # This name is used to generate names for Azure resources, such as storage account name.
-$templateFile = Read-Host -Prompt "Enter the main template file and path"
+$projectName = Read-Host -Prompt "Enter the same project name:" # This name is used to generate names for Azure resources, such as storage account name.
$resourceGroupName="${projectName}rg" $storageAccountName="${projectName}store" $containerName = "templates"
-$fileName = "linkedStorageAccount.json" # A file name used for downloading and uploading the linked template.
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName).Value[0] $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key
-# Generate a SAS token
-$linkedTemplateUri = New-AzStorageBlobSASToken `
+$mainTemplateUri = $context.BlobEndPoint + "$containerName/azuredeploy.json"
+$sasToken = New-AzStorageContainerSASToken `
-Context $context ` -Container $containerName `
- -Blob $fileName `
-Permission r `
- -ExpiryTime (Get-Date).AddHours(2.0) `
- -FullUri
+ -ExpiryTime (Get-Date).AddHours(2.0)
+$newSas = $sasToken.substring(1)
+
-# Deploy the template
New-AzResourceGroupDeployment ` -Name DeployLinkedTemplate ` -ResourceGroupName $resourceGroupName `
- -TemplateFile $templateFile `
+ -TemplateUri $mainTemplateUri `
+ -QueryString $newSas `
-projectName $projectName `
- -linkedTemplateUri $linkedTemplateUri `
-verbose+
+Write-Host "Press [ENTER] to continue ..."
``` # [Azure CLI](#tab/azure-cli)
-```azurecli
-
-echo "Enter a project name that is used to generate resource names:"
-read projectName
-echo "Enter the main template file:"
-read templateFile
+```azurecli-interactive
+echo "Enter a project name that is used to generate resource names:" &&
+read projectName &&
-resourceGroupName="${projectName}rg"
-storageAccountName="${projectName}store"
-containerName="templates"
-fileName="linkedStorageAccount.json"
+resourceGroupName="${projectName}rg" &&
+storageAccountName="${projectName}store" &&
+containerName="templates" &&
-key=$(az storage account keys list -g $resourceGroupName -n $storageAccountName --query [0].value -o tsv)
+key=$(az storage account keys list -g $resourceGroupName -n $storageAccountName --query [0].value -o tsv) &&
-linkedTemplateUri=$(az storage blob generate-sas \
+sasToken=$(az storage container generate-sas \
--account-name $storageAccountName \ --account-key $key \
- --container-name $containerName \
- --name $fileName \
+ --name $containerName \
--permissions r \
- --expiry `date -u -d "120 minutes" '+%Y-%m-%dT%H:%MZ'` \
- --full-uri)
+ --expiry `date -u -d "120 minutes" '+%Y-%m-%dT%H:%MZ'`) &&
+sasToken=$(echo $sasToken | sed 's/"//g')&&
+
+blobUri=$(az storage account show -n $storageAccountName -g $resourceGroupName -o tsv --query primaryEndpoints.blob) &&
+templateUri="${blobUri}${containerName}/azuredeploy.json" &&
-linkedTemplateUri=$(echo $linkedTemplateUri | sed 's/"//g')
az deployment group create \ --name DeployLinkedTemplate \ --resource-group $resourceGroupName \
- --template-file $templateFile \
- --parameters projectName=$projectName linkedTemplateUri=$linkedTemplateUri \
+ --template-uri $templateUri \
+ --parameters projectName=$projectName \
+ --query-string $sasToken \
--verbose ```
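Review bot: Replacing `New-AzStorageBlobSASToken -Blob $fileName` with `New-AzStorageContainerSASToken` (and `az storage blob generate-sas` with `az storage container generate-sas`) widens the token from one blob to read access on every blob in the `templates` container, while the paragraph added above the script still describes "a SAS token for a blob". State the container scope in the text and say why it is needed here, so readers know not to keep anything other than templates in that container. Also comment `$newSas = $sasToken.substring(1)` to say which character is dropped before the value goes to `-QueryString`; the CLI tab passes `$sasToken` without an equivalent step and the difference is unexplained.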
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-variables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-variables.md
@@ -1,23 +1,77 @@
Title: Variables in templates
-description: Describes how to define variables in an Azure Resource Manager template (ARM template).
+description: Describes how to define variables in an Azure Resource Manager template (ARM template) and Bicep file.
Previously updated : 01/26/2021 Last updated : 02/12/2021
-# Variables in ARM template
+# Variables in ARM templates
-This article describes how to define and use variables in your Azure Resource Manager template (ARM template). You use variables to simplify your template. Rather than repeating complicated expressions throughout your template, you define a variable that contains the complicated expression. Then, you reference that variable as needed throughout your template.
+This article describes how to define and use variables in your Azure Resource Manager template (ARM template) or Bicep file. You use variables to simplify your template. Rather than repeating complicated expressions throughout your template, you define a variable that contains the complicated expression. Then, you use that variable as needed throughout your template.
Resource Manager resolves variables before starting the deployment operations. Wherever the variable is used in the template, Resource Manager replaces it with the resolved value. + ## Define variable
-When defining a variable, provide a value or template expression that resolves to a [data type](template-syntax.md#data-types). You can use the value from a parameter or another variable when constructing the variable.
+When defining a variable, you don't specify a [data type](template-syntax.md#data-types) for the variable. Instead provide a value or template expression. The variable type is inferred from the resolved value. The following example sets a variable to a string.
+
+# [JSON](#tab/json)
+
+```json
+"variables": {
+ "stringVar": "example value"
+},
+```
+
+# [Bicep](#tab/bicep)
+
+```bicep
+var stringVar = 'example value'
+```
-You can use [template functions](template-functions.md) in the variable declaration, but you can't use the [reference](template-functions-resource.md#reference) function or any of the [list](template-functions-resource.md#list) functions. These functions get the runtime state of a resource, and can't be executed before deployment when variables are resolved.
+
-The following example shows a variable definition. It creates a string value for a storage account name. It uses several template functions to get a parameter value, and concatenates it to a unique string.
+You can use the value from a parameter or another variable when constructing the variable.
+
+# [JSON](#tab/json)
+
+```json
+"parameters": {
+ "inputValue": {
+ "defaultValue": "deployment parameter",
+ "type": "string"
+ }
+},
+"variables": {
+ "stringVar": "myVariable",
+ "concatToVar": "[concat(variables('stringVar'), '-addtovar') ]",
+ "concatToParam": "[concat(parameters('inputValue'), '-addtoparam')]"
+}
+```
+
+# [Bicep](#tab/bicep)
+
+```bicep
+param inputValue string = 'deployment parameter'
+
+var stringVar = 'myVariable'
+var concatToVar = '${stringVar}-addtovar'
+var concatToParam = '${inputValue}-addtoparam'
+```
+++
+You can use [template functions](template-functions.md) to construct the variable value.
+
+In JSON templates, you can't use the [reference](template-functions-resource.md#reference) function or any of the [list](template-functions-resource.md#list) functions in the variable declaration. These functions get the runtime state of a resource, and can't be executed before deployment when variables are resolved.
+
+The reference and list functions are valid when declaring a variable in a Bicep file.
+
+The following example creates a string value for a storage account name. It uses several template functions to get a parameter value, and concatenates it to a unique string.
+
+# [JSON](#tab/json)
```json "variables": {
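Review bot: The added sentence "The reference and list functions are valid when declaring a variable in a Bicep file" directly follows the explanation that these functions "can't be executed before deployment when variables are resolved", and nothing says why Bicep differs. Add a sentence on how a Bicep variable that uses them is handled, otherwise the two paragraphs read as contradictory. Minor: `'-addtovar') ]"` in `concatToVar` has a stray space before the closing bracket that `concatToParam` does not.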
@@ -25,9 +79,21 @@ The following example shows a variable definition. It creates a string value for
}, ```
+# [Bicep](#tab/bicep)
+
+```bicep
+var storageName = '${toLower(storageNamePrefix)}${uniqueString(resourceGroup().id)}'
+```
+++ ## Use variable
-In the template, you reference the value for the parameter by using the [variables](template-functions-deployment.md#variables) function. The following example shows how to use the variable for a resource property.
+The following example shows how to use the variable for a resource property.
+
+# [JSON](#tab/json)
+
+In a JSON template, you reference the value for the variable by using the [variables](template-functions-deployment.md#variables) function.
```json "resources": [
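Review bot: The Bicep line `var storageName = '${toLower(storageNamePrefix)}${uniqueString(resourceGroup().id)}'` uses `storageNamePrefix` without declaring it, whereas the earlier Bicep example declares its `param inputValue string`. The text says the example gets a parameter value, so show the `param storageNamePrefix` declaration in the snippet to keep it self-explanatory.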
@@ -39,18 +105,47 @@ In the template, you reference the value for the parameter by using the [variabl
] ```
+# [Bicep](#tab/bicep)
+
+In a Bicep file, you reference the value for the variable by providing the variable name.
+
+```bicep
+resource demoAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+ name: storageName
+```
+++ ## Example template
-The following template doesn't deploy any resources. It just shows some ways of declaring variables.
+The following template doesn't deploy any resources. It shows some ways of declaring variables of different types.
+
+# [JSON](#tab/json)
:::code language="json" source="~/resourcemanager-templates/azure-resource-manager/variables.json":::
+# [Bicep](#tab/bicep)
+
+Bicep doesn't currently support loops.
++++ ## Configuration variables
-You can define variables that hold related values for configuring an environment. You define the variable as an object with the values. The following example shows an object that holds values for two environments - **test** and **prod**. You pass in one of these values during deployment.
+You can define variables that hold related values for configuring an environment. You define the variable as an object with the values. The following example shows an object that holds values for two environments - **test** and **prod**. Pass in one of these values during deployment.
+
+# [JSON](#tab/json)
:::code language="json" source="~/resourcemanager-templates/azure-resource-manager/variablesconfigurations.json":::
+# [Bicep](#tab/bicep)
++++ ## Next steps * To learn about the available properties for variables, see [Understand the structure and syntax of ARM templates](template-syntax.md).
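Review bot: The Bicep tab under "Configuration variables" is empty, and the Bicep tab under "Example template" contains only "Bicep doesn't currently support loops." with no indication of which part of `variables.json` depends on loops. Either add the Bicep equivalents of the parts that do translate, or state explicitly that no Bicep version is provided yet and why. The `resource demoAccount ... = {` snippet under "Use variable" also opens a brace that is never closed; add the closing `}` or mark it as a fragment.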
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-jobs-powershell-create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-jobs-powershell-create.md
@@ -15,7 +15,7 @@ Last updated 10/21/2020
# Create an Elastic Job agent using PowerShell (preview) [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
-[Elastic jobs (preview)](job-automation-overview.md#elastic-database-jobs-preview) enable the running of one or more Transact-SQL (T-SQL) scripts in parallel across many databases.
+[Elastic jobs (preview)](job-automation-overview.md) enable the running of one or more Transact-SQL (T-SQL) scripts in parallel across many databases.
In this tutorial, you learn the steps required to run a query across multiple databases:
@@ -57,7 +57,7 @@ In addition to the **Az.Sql** module, this tutorial also requires the *SqlServer
## Create required resources
-Creating an Elastic Job agent requires a database (S0 or higher) for use as the [Job database](job-automation-overview.md#job-database).
+Creating an Elastic Job agent requires a database (S0 or higher) for use as the [Job database](job-automation-overview.md#elastic-job-database).
The script below creates a new resource group, server, and database for use as the Job database. The second script creates a second server with two blank databases to execute jobs against.
@@ -265,7 +265,7 @@ The following table lists the possible job execution states:
|:|:| |**Created** | The job execution was just created and is not yet in progress.| |**InProgress** | The job execution is currently in progress.|
-|**WaitingForRetry** | The job execution wasnΓÇÖt able to complete its action and is waiting to retry.|
+|**WaitingForRetry** | The job execution wasn't able to complete its action and is waiting to retry.|
|**Succeeded** | The job execution has completed successfully.| |**SucceededWithSkipped** | The job execution has completed successfully, but some of its children were skipped.| |**Failed** | The job execution has failed and exhausted its retries.|
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-jobs-tsql-create-manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-jobs-tsql-create-manage.md
@@ -6,38 +6,40 @@
ms.devlang:
+dev_langs:
+ - "TSQL"
Previously updated : 02/07/2020 Last updated : 02/01/2021 # Use Transact-SQL (T-SQL) to create and manage Elastic Database Jobs (preview) [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)] This article provides many example scenarios to get started working with Elastic Jobs using T-SQL.
-The examples use the [stored procedures](#job-stored-procedures) and [views](#job-views) available in the [*job database*](job-automation-overview.md#job-database).
+The examples use the [stored procedures](#job-stored-procedures) and [views](#job-views) available in the [*job database*](job-automation-overview.md#elastic-job-database).
Transact-SQL (T-SQL) is used to create, configure, execute, and manage jobs. Creating the Elastic Job agent is not supported in T-SQL, so you must first create an *Elastic Job agent* using the portal, or [PowerShell](elastic-jobs-powershell-create.md#create-the-elastic-job-agent). ## Create a credential for job execution
-The credential is used to connect to your target databases for script execution. The credential needs appropriate permissions, on the databases specified by the target group, to successfully execute the script. When using a [logical SQL server](logical-servers.md) and/or pool target group member, it is highly suggested to create a master credential for use to refresh the credential prior to expansion of the server and/or pool at time of job execution. The database scoped credential is created on the job agent database. The same credential must be used to *Create a Login* and *Create a User from Login to grant the Login Database Permissions* on the target databases.
+The credential is used to connect to your target databases for script execution. The credential needs appropriate permissions, on the databases specified by the target group, to successfully execute the script. When using a [logical SQL server](logical-servers.md) and/or pool target group member, it is highly suggested to create a credential for use to refresh the credential prior to expansion of the server and/or pool at time of job execution. The database scoped credential is created on the job agent database. The same credential must be used to *Create a Login* and *Create a User from Login to grant the Login Database Permissions* on the target databases.
```sqlConnect to the job database specified when creating the job agent
+--Connect to the new job database specified when creating the Elastic Job agent
Create a db master key if one does not already exist, using your own password.
+-- Create a database master key if one does not already exist, using your own password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD='<EnterStrongPasswordHere>'; Create a database scoped credential.
-CREATE DATABASE SCOPED CREDENTIAL myjobcred WITH IDENTITY = 'jobcred',
+-- Create two database scoped credentials.
+-- The credential to connect to the Azure SQL logical server, to execute jobs
+CREATE DATABASE SCOPED CREDENTIAL job_credential WITH IDENTITY = 'job_credential',
SECRET = '<EnterStrongPasswordHere>'; GO- Create a database scoped credential for the master database of server1.
-CREATE DATABASE SCOPED CREDENTIAL mymastercred WITH IDENTITY = 'mastercred',
+-- The credential to connect to the Azure SQL logical server, to refresh the database metadata in server
+CREATE DATABASE SCOPED CREDENTIAL refresh_credential WITH IDENTITY = 'refresh_credential',
SECRET = '<EnterStrongPasswordHere>'; GO ```
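Review bot: `CREATE MASTER KEY` and both new `CREATE DATABASE SCOPED CREDENTIAL` statements all show the identical `<EnterStrongPasswordHere>` placeholder, which invites pasting one password into all three. Use a distinct placeholder for the master key password and for each credential secret. In the prose line, dropping "master" left "create a credential for use to refresh the credential", which is circular; call it the refresh credential and say what it refreshes, as the new SQL comment does ("to refresh the database metadata in server").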
@@ -45,20 +47,20 @@ GO
## Create a target group (servers) The following example shows how to execute a job against all databases in a server.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql -- Connect to the job database specified when creating the job agent -- Add a target group containing server(s)
-EXEC jobs.sp_add_target_group 'ServerGroup1'
+EXEC jobs.sp_add_target_group 'ServerGroup1';
-- Add a server target member EXEC jobs.sp_add_target_group_member
-'ServerGroup1',
+@target_group_name = 'ServerGroup1',
@target_type = 'SqlServer',
-@refresh_credential_name = 'mymastercred', --credential required to refresh the databases in a server
-@server_name = 'server1.database.windows.net'
+@refresh_credential_name = 'refresh_credential', --credential required to refresh the databases in a server
+@server_name = 'server1.database.windows.net';
--View the recently created target group and target group members SELECT * FROM jobs.target_groups WHERE target_group_name='ServerGroup1';
@@ -68,29 +70,29 @@ SELECT * FROM jobs.target_group_members WHERE target_group_name='ServerGroup1';
## Exclude an individual database The following example shows how to execute a job against all databases in an server, except for the database named *MappingDB*.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent -- Add a target group containing server(s)
-EXEC [jobs].sp_add_target_group N'ServerGroup'
+EXEC [jobs].sp_add_target_group N'ServerGroup';
GO -- Add a server target member EXEC [jobs].sp_add_target_group_member @target_group_name = N'ServerGroup', @target_type = N'SqlServer',
-@refresh_credential_name = N'mymastercred', --credential required to refresh the databases in a server
-@server_name = N'London.database.windows.net'
+@refresh_credential_name = N'refresh_credential', --credential required to refresh the databases in a server
+@server_name = N'London.database.windows.net';
GO -- Add a server target member EXEC [jobs].sp_add_target_group_member @target_group_name = N'ServerGroup', @target_type = N'SqlServer',
-@refresh_credential_name = N'mymastercred', --credential required to refresh the databases in a server
-@server_name = 'server2.database.windows.net'
+@refresh_credential_name = N'refresh_credential', --credential required to refresh the databases in a server
+@server_name = 'server2.database.windows.net';
GO --Exclude a database target member from the server target group
@@ -99,7 +101,7 @@ EXEC [jobs].sp_add_target_group_member
@membership_type = N'Exclude', @target_type = N'SqlDatabase', @server_name = N'server1.database.windows.net',
-@database_name = N'MappingDB'
+@database_name = N'MappingDB';
GO --View the recently created target group and target group members
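Review bot: The `Exclude` member in this statement still points at `@server_name = N'server1.database.windows.net'`, but the group built just above only adds `London.database.windows.net` and `server2.database.windows.net`. Since the statement is being touched anyway, make the excluded database's server match one of the servers that was actually added, or add `server1` as a member. In the preceding statement, `@server_name = 'server2.database.windows.net'` is also the only literal left without the `N` prefix.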
@@ -110,21 +112,21 @@ SELECT * FROM [jobs].target_group_members WHERE target_group_name = N'ServerGrou
## Create a target group (pools) The following example shows how to target all the databases in one or more elastic pools.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent -- Add a target group containing pool(s)
-EXEC jobs.sp_add_target_group 'PoolGroup'
+EXEC jobs.sp_add_target_group 'PoolGroup';
-- Add an elastic pool(s) target member EXEC jobs.sp_add_target_group_member
-'PoolGroup',
+@target_group_name = 'PoolGroup',
@target_type = 'SqlElasticPool',
-@refresh_credential_name = 'mymastercred', --credential required to refresh the databases in a server
+@refresh_credential_name = 'refresh_credential', --credential required to refresh the databases in a server
@server_name = 'server1.database.windows.net',
-@elastic_pool_name = 'ElasticPool-1'
+@elastic_pool_name = 'ElasticPool-1';
-- View the recently created target group and target group members SELECT * FROM jobs.target_groups WHERE target_group_name = N'PoolGroup';
@@ -134,20 +136,20 @@ SELECT * FROM jobs.target_group_members WHERE target_group_name = N'PoolGroup';
## Deploy new schema to many databases The following example shows how to deploy new schema to all databases.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent --Add job for create table
-EXEC jobs.sp_add_job @job_name = 'CreateTableTest', @description = 'Create Table Test'
+EXEC jobs.sp_add_job @job_name = 'CreateTableTest', @description = 'Create Table Test';
-- Add job step for create table EXEC jobs.sp_add_jobstep @job_name = 'CreateTableTest', @command = N'IF NOT EXISTS (SELECT * FROM sys.tables WHERE object_id = object_id(''Test'')) CREATE TABLE [dbo].[Test]([TestId] [int] NOT NULL);',
-@credential_name = 'myjobcred',
-@target_group_name = 'PoolGroup'
+@credential_name = 'job_credential',
+@target_group_name = 'PoolGroup';
``` ## Data collection using built-in parameters
@@ -182,7 +184,7 @@ If you want to manually create the table ahead of time, then it needs to have th
3. A nonclustered index named `IX_<TableName>_Internal_Execution_ID` on the internal_execution_id column. 4. All permissions listed above except for `CREATE TABLE` permission on the database.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following commands:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following commands:
```sql --Connect to the job database specified when creating the job agent
@@ -194,32 +196,34 @@ EXEC jobs.sp_add_job @job_name ='ResultsJob', @description='Collection Performan
EXEC jobs.sp_add_jobstep @job_name = 'ResultsJob', @command = N' SELECT DB_NAME() DatabaseName, $(job_execution_id) AS job_execution_id, * FROM sys.dm_db_resource_stats WHERE end_time > DATEADD(mi, -20, GETDATE());',
-@credential_name = 'myjobcred',
+@credential_name = 'job_credential',
@target_group_name = 'PoolGroup', @output_type = 'SqlDatabase',
-@output_credential_name = 'myjobcred',
+@output_credential_name = 'job_credential',
@output_server_name = 'server1.database.windows.net', @output_database_name = '<resultsdb>',
-@output_table_name = '<resutlstable>'
-Create a job to monitor pool performance
+@output_table_name = '<resutlstable>';
+
+--Create a job to monitor pool performance
+ --Connect to the job database specified when creating the job agent Add a target group containing master database
-EXEC jobs.sp_add_target_group 'MasterGroup'
+-- Add a target group containing Elastic Job database
+EXEC jobs.sp_add_target_group 'ElasticJobGroup';
-- Add a server target member EXEC jobs.sp_add_target_group_member
-@target_group_name = 'MasterGroup',
+@target_group_name = 'ElasticJobGroup',
@target_type = 'SqlDatabase', @server_name = 'server1.database.windows.net',
-@database_name = 'master'
+@database_name = 'master';
-- Add a job to collect perf results EXEC jobs.sp_add_job @job_name = 'ResultsPoolsJob', @description = 'Demo: Collection Performance data from all pools', @schedule_interval_type = 'Minutes',
-@schedule_interval_count = 15
+@schedule_interval_count = 15;
-- Add a job step w/ schedule to collect results EXEC jobs.sp_add_jobstep
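Review bot: The group is renamed to `ElasticJobGroup` and its comment now reads "Add a target group containing Elastic Job database", yet the member added is still `@database_name = 'master'` on `server1.database.windows.net`. The name and comment now describe a different database from the one targeted; keep wording that says the target is the server's `master` database, or explain the new name. Separately, `@output_table_name = '<resutlstable>'` carries the "resutls" misspelling onto the + line; correct it while the line is being edited.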
@@ -240,61 +244,61 @@ SELECT elastic_pool_name , end_time, elastic_pool_dtu_limit, avg_cpu_percent, av
avg_storage_percent, elastic_pool_storage_limit_mb FROM sys.elastic_pool_resource_stats WHERE end_time > @poolStartTime and end_time <= @poolEndTime; '),
-@credential_name = 'myjobcred',
-@target_group_name = 'MasterGroup',
+@credential_name = 'job_credential',
+@target_group_name = 'ElasticJobGroup',
@output_type = 'SqlDatabase',
-@output_credential_name = 'myjobcred',
+@output_credential_name = 'job_credential',
@output_server_name = 'server1.database.windows.net', @output_database_name = 'resultsdb',
-@output_table_name = 'resutlstable'
+@output_table_name = 'resutlstable';
``` ## View job definitions The following example shows how to view current job definitions.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent -- View all jobs
-SELECT * FROM jobs.jobs
+SELECT * FROM jobs.jobs;
-- View the steps of the current version of all jobs SELECT js.* FROM jobs.jobsteps js JOIN jobs.jobs j
- ON j.job_id = js.job_id AND j.job_version = js.job_version
+ ON j.job_id = js.job_id AND j.job_version = js.job_version;
-- View the steps of all versions of all jobs
-select * from jobs.jobsteps
+SELECT * FROM jobs.jobsteps;
``` ## Begin unplanned execution of a job The following example shows how to start a job immediately.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent -- Execute the latest version of a job
-EXEC jobs.sp_start_job 'CreateTableTest'
+EXEC jobs.sp_start_job 'CreateTableTest';
-- Execute the latest version of a job and receive the execution id
-declare @je uniqueidentifier
-exec jobs.sp_start_job 'CreateTableTest', @job_execution_id = @je output
-select @je
+declare @je uniqueidentifier;
+exec jobs.sp_start_job 'CreateTableTest', @job_execution_id = @je output;
+select @je;
-select * from jobs.job_executions where job_execution_id = @je
+select * from jobs.job_executions where job_execution_id = @je;
-- Execute a specific version of a job (e.g. version 1)
-exec jobs.sp_start_job 'CreateTableTest', 1
+exec jobs.sp_start_job 'CreateTableTest', 1;
``` ## Schedule execution of a job The following example shows how to schedule a job for future execution.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent
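Review bot: In the "Begin unplanned execution of a job" block the + lines only append semicolons and keep `declare`, `exec` and `select` in lower case, while `select * from jobs.jobsteps` a few lines earlier is upper-cased in the same change. Pick one keyword casing for the whole article. `@output_table_name = 'resutlstable'` on the + line at the top of this hunk also keeps the misspelled table name.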
@@ -303,13 +307,13 @@ EXEC jobs.sp_update_job
@job_name = 'ResultsJob', @enabled=1, @schedule_interval_type = 'Minutes',
-@schedule_interval_count = 15
+@schedule_interval_count = 15;
``` ## Monitor job execution status The following example shows how to view execution status details for all jobs.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent
@@ -317,27 +321,27 @@ Connect to the [*job database*](job-automation-overview.md#job-database) and run
--View top-level execution status for the job named 'ResultsPoolJob' SELECT * FROM jobs.job_executions WHERE job_name = 'ResultsPoolsJob' and step_id IS NULL
-ORDER BY start_time DESC
+ORDER BY start_time DESC;
--View all top-level execution status for all jobs SELECT * FROM jobs.job_executions WHERE step_id IS NULL
-ORDER BY start_time DESC
+ORDER BY start_time DESC;
--View all execution statuses for job named 'ResultsPoolsJob' SELECT * FROM jobs.job_executions WHERE job_name = 'ResultsPoolsJob'
-ORDER BY start_time DESC
+ORDER BY start_time DESC;
-- View all active executions SELECT * FROM jobs.job_executions WHERE is_active = 1
-ORDER BY start_time DESC
+ORDER BY start_time DESC;
``` ## Cancel a job The following example shows how to cancel a job.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent
@@ -345,23 +349,23 @@ Connect to the [*job database*](job-automation-overview.md#job-database) and run
-- View all active executions to determine job execution id SELECT * FROM jobs.job_executions WHERE is_active = 1 AND job_name = 'ResultPoolsJob'
-ORDER BY start_time DESC
+ORDER BY start_time DESC;
GO -- Cancel job execution with the specified job execution id
-EXEC jobs.sp_stop_job '01234567-89ab-cdef-0123-456789abcdef'
+EXEC jobs.sp_stop_job '01234567-89ab-cdef-0123-456789abcdef';
``` ## Delete old job history The following example shows how to delete job history prior to a specific date.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent Delete history of a specific jobΓÇÖs executions older than the specified date
-EXEC jobs.sp_purge_jobhistory @job_name='ResultPoolsJob', @oldest_date='2016-07-01 00:00:00'
+-- Delete history of a specific job's executions older than the specified date
+EXEC jobs.sp_purge_jobhistory @job_name='ResultPoolsJob', @oldest_date='2016-07-01 00:00:00';
--Note: job history is automatically deleted if it is >45 days old ```
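Review bot: `job_name = 'ResultPoolsJob'` in the cancel query and `@job_name='ResultPoolsJob'` on the + line for `sp_purge_jobhistory` do not match the job created earlier as `'ResultsPoolsJob'` (the name the monitoring queries and `sp_delete_job` use), so as written the lookup returns no rows and the purge names a job that was never defined. Correct both to `'ResultsPoolsJob'` while these lines are being edited.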
@@ -369,19 +373,19 @@ EXEC jobs.sp_purge_jobhistory @job_name='ResultPoolsJob', @oldest_date='2016-07-
## Delete a job and all its job history The following example shows how to delete a job and all related job history.
-Connect to the [*job database*](job-automation-overview.md#job-database) and run the following command:
+Connect to the [*job database*](job-automation-overview.md#elastic-job-database) and run the following command:
```sql --Connect to the job database specified when creating the job agent
-EXEC jobs.sp_delete_job @job_name='ResultsPoolsJob'
+EXEC jobs.sp_delete_job @job_name='ResultsPoolsJob';
--Note: job history is automatically deleted if it is >45 days old ``` ## Job stored procedures
-The following stored procedures are in the [jobs database](job-automation-overview.md#job-database).
+The following stored procedures are in the [jobs database](job-automation-overview.md#elastic-job-database).
|Stored procedure |Description | |||
@@ -425,7 +429,7 @@ The name of the job. The name must be unique and cannot contain the percent (%)
The description of the job. description is nvarchar(512), with a default of NULL. If description is omitted, an empty string is used. [ **\@enabled =** ] enabled
-Whether the jobΓÇÖs schedule is enabled. Enabled is bit, with a default of 0 (disabled). If 0, the job is not enabled and does not run according to its schedule; however, it can be run manually. If 1, the job will run according to its schedule, and can also be run manually.
+Whether the job's schedule is enabled. Enabled is bit, with a default of 0 (disabled). If 0, the job is not enabled and does not run according to its schedule; however, it can be run manually. If 1, the job will run according to its schedule, and can also be run manually.
[ **\@schedule_interval_type =**] schedule_interval_type Value indicates when the job is to be executed. schedule_interval_type is nvarchar(50), with a default of Once, and can be one of the following values:
@@ -456,7 +460,7 @@ The job identification number assigned to the job if created successfully. job_i
#### Remarks sp_add_job must be run from the job agent database specified when creating the job agent.
-After sp_add_job has been executed to add a job, sp_add_jobstep can be used to add steps that perform the activities for the job. The jobΓÇÖs initial version number is 0, which will be incremented to 1 when the first step is added.
+After sp_add_job has been executed to add a job, sp_add_jobstep can be used to add steps that perform the activities for the job. The job's initial version number is 0, which will be incremented to 1 when the first step is added.
#### Permissions
@@ -495,7 +499,7 @@ The new name of the job. new_name is nvarchar(128).
The description of the job. description is nvarchar(512). [ **\@enabled =** ] enabled
-Specifies whether the jobΓÇÖs schedule is enabled (1) or not enabled (0). Enabled is bit.
+Specifies whether the job's schedule is enabled (1) or not enabled (0). Enabled is bit.
[ **\@schedule_interval_type=** ] schedule_interval_type Value indicates when the job is to be executed. schedule_interval_type is nvarchar(50) and can be one of the following values:
@@ -522,7 +526,7 @@ Date on which job execution can stop. schedule_end_time is DATETIME2, with the d
#### Remarks
-After sp_add_job has been executed to add a job, sp_add_jobstep can be used to add steps that perform the activities for the job. The jobΓÇÖs initial version number is 0, which will be incremented to 1 when the first step is added.
+After sp_add_job has been executed to add a job, sp_add_jobstep can be used to add steps that perform the activities for the job. The job's initial version number is 0, which will be incremented to 1 when the first step is added.
#### Permissions
@@ -645,7 +649,7 @@ The number of times to retry execution if the initial attempt fails. For example
The maximum amount of time allowed for the step to execute. If this time is exceeded, then the job execution will terminate with a lifecycle of TimedOut. step_timeout_seconds is int, with default value of 43,200 seconds (12 hours). [ **\@output_type =** ] 'output_type'
-If not null, the type of destination that the commandΓÇÖs first result set is written to. output_type is nvarchar(50), with a default of NULL.
+If not null, the type of destination that the command's first result set is written to. output_type is nvarchar(50), with a default of NULL.
If specified, the value must be SqlDatabase.
@@ -668,7 +672,7 @@ If not null, the name of the database that contains the output destination table
If not null, the name of the SQL schema that contains the output destination table. If output_type equals SqlDatabase, the default value is dbo. output_schema_name is nvarchar(128). [ **\@output_table_name =** ] 'output_table_name'
-If not null, the name of the table that the commandΓÇÖs first result set will be written to. If the table doesn't already exist, it will be created based on the schema of the returning result-set. Must be specified if output_type equals SqlDatabase. output_table_name is nvarchar(128), with a default value of NULL.
+If not null, the name of the table that the command's first result set will be written to. If the table doesn't already exist, it will be created based on the schema of the returning result-set. Must be specified if output_type equals SqlDatabase. output_table_name is nvarchar(128), with a default value of NULL.
[ **\@job_version =** ] job_version OUTPUT Output parameter that will be assigned the new job version number. job_version is int.
@@ -682,7 +686,7 @@ The maximum level of parallelism per elastic pool. If set, then the job step wil
#### Remarks
-When sp_add_jobstep succeeds, the jobΓÇÖs current version number is incremented. The next time the job is executed, the new version will be used. If the job is currently executing, that execution will not contain the new step.
+When sp_add_jobstep succeeds, the job's current version number is incremented. The next time the job is executed, the new version will be used. If the job is currently executing, that execution will not contain the new step.
#### Permissions
@@ -776,7 +780,7 @@ The number of times to retry execution if the initial attempt fails. For example
The maximum amount of time allowed for the step to execute. If this time is exceeded, then the job execution will terminate with a lifecycle of TimedOut. step_timeout_seconds is int, with default value of 43,200 seconds (12 hours). [ **\@output_type =** ] 'output_type'
-If not null, the type of destination that the commandΓÇÖs first result set is written to. To reset the value of output_type back to NULL, set this parameter's value to '' (empty string). output_type is nvarchar(50), with a default of NULL.
+If not null, the type of destination that the command's first result set is written to. To reset the value of output_type back to NULL, set this parameter's value to '' (empty string). output_type is nvarchar(50), with a default of NULL.
If specified, the value must be SqlDatabase.
@@ -793,7 +797,7 @@ If not null, the name of the database that contains the output destination table
If not null, the name of the SQL schema that contains the output destination table. If output_type equals SqlDatabase, the default value is dbo. To reset the value of output_schema_name back to NULL, set this parameter's value to '' (empty string). output_schema_name is nvarchar(128). [ **\@output_table_name =** ] 'output_table_name'
-If not null, the name of the table that the commandΓÇÖs first result set will be written to. If the table doesn't already exist, it will be created based on the schema of the returning result-set. Must be specified if output_type equals SqlDatabase. To reset the value of output_server_name back to NULL, set this parameter's value to '' (empty string). output_table_name is nvarchar(128), with a default value of NULL.
+If not null, the name of the table that the command's first result set will be written to. If the table doesn't already exist, it will be created based on the schema of the returning result-set. Must be specified if output_type equals SqlDatabase. To reset the value of output_server_name back to NULL, set this parameter's value to '' (empty string). output_table_name is nvarchar(128), with a default value of NULL.
[ **\@job_version =** ] job_version OUTPUT Output parameter that will be assigned the new job version number. job_version is int.
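Review bot: The rewritten `@output_table_name` description still says "To reset the value of output_server_name back to NULL", which names the wrong parameter. Since this line is being touched for the apostrophe fix anyway, change it to output_table_name so the reset instruction matches the parameter being documented.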
@@ -807,7 +811,7 @@ The maximum level of parallelism per elastic pool. If set, then the job step wil
#### Remarks
-Any in-progress executions of the job will not be affected. When sp_update_jobstep succeeds, the jobΓÇÖs version number is incremented. The next time the job is executed, the new version will be used.
+Any in-progress executions of the job will not be affected. When sp_update_jobstep succeeds, the job's version number is incremented. The next time the job is executed, the new version will be used.
#### Permissions
@@ -850,7 +854,7 @@ Output parameter that will be assigned the new job version number. job_version i
#### Remarks
-Any in-progress executions of the job will not be affected. When sp_update_jobstep succeeds, the jobΓÇÖs version number is incremented. The next time the job is executed, the new version will be used.
+Any in-progress executions of the job will not be affected. When sp_update_jobstep succeeds, the job's version number is incremented. The next time the job is executed, the new version will be used.
The other job steps will be automatically renumbered to fill the gap left by the deleted job step.
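Review bot: The rewritten Remarks sentence keeps "When sp_update_jobstep succeeds", but the next context line describes "the gap left by the deleted job step", so this section documents the delete procedure. The sentence reads as a copy of the sp_update_jobstep Remarks from the previous hunk and should name sp_delete_jobstep instead.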
@@ -1018,25 +1022,25 @@ Adds a database or group of databases to a target group.
The name of the target group to which the member will be added. target_group_name is nvarchar(128), with no default. [ **\@membership_type =** ] 'membership_type'
-Specifies if the target group member will be included or excluded. target_group_name is nvarchar(128), with default of ΓÇÿIncludeΓÇÖ. Valid values for membership_type are ΓÇÿIncludeΓÇÖ or ΓÇÿExcludeΓÇÖ.
+Specifies if the target group member will be included or excluded. target_group_name is nvarchar(128), with default of 'Include'. Valid values for membership_type are 'Include' or 'Exclude'.
[ **\@target_type =** ] 'target_type'
-The type of target database or collection of databases including all databases in a server, all databases in an Elastic pool, all databases in a shard map, or an individual database. target_type is nvarchar(128), with no default. Valid values for target_type are ΓÇÿSqlServerΓÇÖ, ΓÇÿSqlElasticPoolΓÇÖ, ΓÇÿSqlDatabaseΓÇÖ, or ΓÇÿSqlShardMapΓÇÖ.
+The type of target database or collection of databases including all databases in a server, all databases in an Elastic pool, all databases in a shard map, or an individual database. target_type is nvarchar(128), with no default. Valid values for target_type are 'SqlServer', 'SqlElasticPool', 'SqlDatabase', or 'SqlShardMap'.
[ **\@refresh_credential_name =** ] 'refresh_credential_name' The name of the database scoped credential. refresh_credential_name is nvarchar(128), with no default. [ **\@server_name =** ] 'server_name'
-The name of the server that should be added to the specified target group. server_name should be specified when target_type is ΓÇÿSqlServerΓÇÖ. server_name is nvarchar(128), with no default.
+The name of the server that should be added to the specified target group. server_name should be specified when target_type is 'SqlServer'. server_name is nvarchar(128), with no default.
[ **\@database_name =** ] 'database_name'
-The name of the database that should be added to the specified target group. database_name should be specified when target_type is ΓÇÿSqlDatabaseΓÇÖ. database_name is nvarchar(128), with no default.
+The name of the database that should be added to the specified target group. database_name should be specified when target_type is 'SqlDatabase'. database_name is nvarchar(128), with no default.
[ **\@elastic_pool_name =** ] 'elastic_pool_name'
-The name of the Elastic pool that should be added to the specified target group. elastic_pool_name should be specified when target_type is ΓÇÿSqlElasticPoolΓÇÖ. elastic_pool_name is nvarchar(128), with no default.
+The name of the Elastic pool that should be added to the specified target group. elastic_pool_name should be specified when target_type is 'SqlElasticPool'. elastic_pool_name is nvarchar(128), with no default.
[ **\@shard_map_name =** ] 'shard_map_name'
-The name of the shard map pool that should be added to the specified target group. elastic_pool_name should be specified when target_type is ΓÇÿSqlShardMapΓÇÖ. shard_map_name is nvarchar(128), with no default.
+The name of the shard map pool that should be added to the specified target group. elastic_pool_name should be specified when target_type is 'SqlShardMap'. shard_map_name is nvarchar(128), with no default.
[ **\@target_id =** ] target_group_id OUTPUT The target identification number assigned to the target group member if created added to the target group. target_id is an output variable of type uniqueidentifier, with a default of NULL.
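Review bot: Two of the rewritten parameter descriptions name the wrong parameter. The `@membership_type` line says "target_group_name is nvarchar(128), with default of 'Include'", and the `@shard_map_name` line says "elastic_pool_name should be specified when target_type is 'SqlShardMap'" (and calls it a "shard map pool"). Both should refer to the parameter they document, membership_type and shard_map_name respectively. The trailing context line "if created added to the target group" could be cleaned up in the same pass.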
@@ -1061,27 +1065,27 @@ The following example adds all the databases in the London and NewYork servers t
```sql --Connect to the jobs database specified when creating the job agent
-USE ElasticJobs ;
+USE ElasticJobs;
GO -- Add a target group containing server(s)
-EXEC jobs.sp_add_target_group @target_group_name = N'Servers Maintaining Customer Information'
+EXEC jobs.sp_add_target_group @target_group_name = N'Servers Maintaining Customer Information';
GO -- Add a server target member EXEC jobs.sp_add_target_group_member @target_group_name = N'Servers Maintaining Customer Information', @target_type = N'SqlServer',
-@refresh_credential_name=N'mymastercred', --credential required to refresh the databases in server
-@server_name=N'London.database.windows.net' ;
+@refresh_credential_name=N'refresh_credential', --credential required to refresh the databases in server
+@server_name=N'London.database.windows.net';
GO -- Add a server target member EXEC jobs.sp_add_target_group_member @target_group_name = N'Servers Maintaining Customer Information', @target_type = N'SqlServer',
-@refresh_credential_name=N'mymastercred', --credential required to refresh the databases in server
-@server_name=N'NewYork.database.windows.net' ;
+@refresh_credential_name=N'refresh_credential', --credential required to refresh the databases in server
+@server_name=N'NewYork.database.windows.net';
GO --View the recently added members to the target group
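Review bot: The credential rename from `mymastercred` to `refresh_credential` in both `@refresh_credential_name` lines needs a matching change wherever the article creates that database scoped credential and in any other target group samples, otherwise the example references a credential that does not exist. Please confirm the name is consistent across the article; the inline comment could also say that this credential is used only to enumerate the databases on the server, so readers do not reuse the job execution credential here.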
@@ -1135,12 +1139,12 @@ GO
-- Retrieve the target_id for a target_group_members declare @tid uniqueidentifier
-SELECT @tid = target_id FROM [jobs].target_group_members WHERE target_group_name = 'Servers Maintaining Customer Information' and server_name = 'London.database.windows.net'
+SELECT @tid = target_id FROM [jobs].target_group_members WHERE target_group_name = 'Servers Maintaining Customer Information' and server_name = 'London.database.windows.net';
-- Remove a target group member of type server EXEC jobs.sp_delete_target_group_member @target_group_name = N'Servers Maintaining Customer Information',
-@target_id = @tid
+@target_id = @tid;
GO ```
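Review bot: The semicolon cleanup skips `declare @tid uniqueidentifier` on the context line just above the changed SELECT, so the sample is still inconsistent. Separately, if the SELECT matches no row, `@tid` stays NULL and the sample calls jobs.sp_delete_target_group_member with `@target_id = NULL`; consider adding a check that `@tid` is not NULL before the EXEC, or a sentence saying the member must exist.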
@@ -1198,7 +1202,7 @@ GO
## Job views
-The following views are available in the [jobs database](job-automation-overview.md#job-database).
+The following views are available in the [jobs database](job-automation-overview.md#elastic-job-database).
|View |Description | |||
@@ -1224,18 +1228,18 @@ Shows job execution history.
|**job_version** | int | Version of the job (automatically updated each time the job is modified). |**step_id** |int | Unique (for this job) identifier for the step. NULL indicates this is the parent job execution. |**is_active** | bit | Indicates whether information is active or inactive. 1 indicates active jobs, and 0 indicates inactive.
-|**lifecycle** | nvarchar(50) | Value indicating the status of the job:ΓÇÿCreatedΓÇÖ, ΓÇÿIn ProgressΓÇÖ, ΓÇÿFailedΓÇÖ, ΓÇÿSucceededΓÇÖ, ΓÇÿSkippedΓÇÖ, ΓÇÿSucceededWithSkippedΓÇÖ|
+|**lifecycle** | nvarchar(50) | Value indicating the status of the job:'Created', 'In Progress', 'Failed', 'Succeeded', 'Skipped', 'SucceededWithSkipped'|
|**create_time**| datetime2(7) | Date and time the job was created. |**start_time** | datetime2(7) | Date and time the job started execution. NULL if the job has not yet been executed. |**end_time** | datetime2(7) | Date and time the job finished execution. NULL if the job has not yet been executed or has not yet completed execution. |**current_attempts** | int | Number of times the step was retried. Parent job will be 0, child job executions will be 1 or greater based on the execution policy. |**current_attempt_start_time** | datetime2(7) | Date and time the job started execution. NULL indicates this is the parent job execution. |**last_message** | nvarchar(max) | Job or step history message.
-|**target_type** | nvarchar(128) | Type of target database or collection of databases including all databases in a server, all databases in an Elastic pool or a database. Valid values for target_type are ΓÇÿSqlServerΓÇÖ, ΓÇÿSqlElasticPoolΓÇÖ or ΓÇÿSqlDatabaseΓÇÖ. NULL indicates this is the parent job execution.
+|**target_type** | nvarchar(128) | Type of target database or collection of databases including all databases in a server, all databases in an Elastic pool or a database. Valid values for target_type are 'SqlServer', 'SqlElasticPool' or 'SqlDatabase'. NULL indicates this is the parent job execution.
|**target_id** | uniqueidentifier | Unique ID of the target group member. NULL indicates this is the parent job execution. |**target_group_name** | nvarchar(128) | Name of the target group. NULL indicates this is the parent job execution.
-|**target_server_name** | nvarchar(256) | Name of the server contained in the target group. Specified only if target_type is ΓÇÿSqlServerΓÇÖ. NULL indicates this is the parent job execution.
-|**target_database_name** | nvarchar(128) | Name of the database contained in the target group. Specified only when target_type is ΓÇÿSqlDatabaseΓÇÖ. NULL indicates this is the parent job execution.
+|**target_server_name** | nvarchar(256) | Name of the server contained in the target group. Specified only if target_type is 'SqlServer'. NULL indicates this is the parent job execution.
+|**target_database_name** | nvarchar(128) | Name of the database contained in the target group. Specified only when target_type is 'SqlDatabase'. NULL indicates this is the parent job execution.
### jobs view
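Review bot: The rewritten **lifecycle** row lists 'Created', 'In Progress', 'Failed', 'Succeeded', 'Skipped' and 'SucceededWithSkipped', but the step_timeout_seconds description earlier in this article says an execution "will terminate with a lifecycle of TimedOut", so the list looks incomplete. The row also lacks a space after "job:". In the **target_type** row, the valid values omit 'SqlShardMap', which the target_group_members view and sp_add_target_group_member both list; please confirm whether that omission is intentional.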
@@ -1279,8 +1283,8 @@ Shows all steps in the current version of each job.
|**job_version**|int|Version of the job (automatically updated each time the job is modified).| |**step_id**|int|Unique (for this job) identifier for the step.| |**step_name**|nvarchar(128)|Unique (for this job) name for the step.|
-|**command_type**|nvarchar(50)|Type of command to execute in the job step. For v1, value must equal to and defaults to ΓÇÿTSqlΓÇÖ.|
-|**command_source**|nvarchar(50)|Location of the command. For v1, ΓÇÿInlineΓÇÖ is the default and only accepted value.|
+|**command_type**|nvarchar(50)|Type of command to execute in the job step. For v1, value must equal to and defaults to 'TSql'.|
+|**command_source**|nvarchar(50)|Location of the command. For v1, 'Inline' is the default and only accepted value.|
|**command**|nvarchar(max)|The commands to be executed by Elastic jobs through command_type.| |**credential_name**|nvarchar(128)|Name of the database scoped credential used to execution the job.| |**target_group_name**|nvarchar(128)|Name of the target group.|
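Review bot: The rewritten **command_type** row reads "value must equal to and defaults to 'TSql'", which is ungrammatical; something like "the value must be, and defaults to, 'TSql'" would read cleanly. The **credential_name** context row just below has the same kind of slip ("used to execution the job") and could be fixed in this pass.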
@@ -1297,7 +1301,7 @@ Shows all steps in the current version of each job.
|**output_server_name**|nvarchar(256)|Name of the destination server for the results set.| |**output_database_name**|nvarchar(128)|Name of the destination database for the results set.| |**output_schema_name**|nvarchar(max)|Name of the destination schema. Defaults to dbo, if not specified.|
-|**output_table_name**|nvarchar(max)|Name of the table to store the results set from the query results. Table will be created automatically based on the schema of the results set if it doesnΓÇÖt already exist. Schema must match the schema of the results set.|
+|**output_table_name**|nvarchar(max)|Name of the table to store the results set from the query results. Table will be created automatically based on the schema of the results set if it doesn't already exist. Schema must match the schema of the results set.|
|**max_parallelism**|int|The maximum number of databases per elastic pool that the job step will be run on at a time. The default is NULL, meaning no limit. | ### <a name="jobstep_versions-view"></a>jobstep_versions view
@@ -1327,16 +1331,16 @@ Shows all members of all target groups.
|--|--|--| |**target_group_name**|nvarchar(128|The name of the target group, a collection of databases. | |**target_group_id**|uniqueidentifier|Unique ID of the target group.|
-|**membership_type**|int|Specifies if the target group member is included or excluded in the target group. Valid values for target_group_name are ΓÇÿIncludeΓÇÖ or ΓÇÿExcludeΓÇÖ.|
-|**target_type**|nvarchar(128)|Type of target database or collection of databases including all databases in a server, all databases in an Elastic pool or a database. Valid values for target_type are ΓÇÿSqlServerΓÇÖ, ΓÇÿSqlElasticPoolΓÇÖ, ΓÇÿSqlDatabaseΓÇÖ, or ΓÇÿSqlShardMapΓÇÖ.|
+|**membership_type**|int|Specifies if the target group member is included or excluded in the target group. Valid values for target_group_name are 'Include' or 'Exclude'.|
+|**target_type**|nvarchar(128)|Type of target database or collection of databases including all databases in a server, all databases in an Elastic pool or a database. Valid values for target_type are 'SqlServer', 'SqlElasticPool', 'SqlDatabase', or 'SqlShardMap'.|
|**target_id**|uniqueidentifier|Unique ID of the target group member.| |**refresh_credential_name**|nvarchar(128)|Name of the database scoped credential used to connect to the target group member.| |**subscription_id**|uniqueidentifier|Unique ID of the subscription.| |**resource_group_name**|nvarchar(128)|Name of the resource group in which the target group member resides.|
-|**server_name**|nvarchar(128)|Name of the server contained in the target group. Specified only if target_type is ΓÇÿSqlServerΓÇÖ. |
-|**database_name**|nvarchar(128)|Name of the database contained in the target group. Specified only when target_type is ΓÇÿSqlDatabaseΓÇÖ.|
-|**elastic_pool_name**|nvarchar(128)|Name of the Elastic pool contained in the target group. Specified only when target_type is ΓÇÿSqlElasticPoolΓÇÖ.|
-|**shard_map_name**|nvarchar(128)|Name of the shard maps contained in the target group. Specified only when target_type is ΓÇÿSqlShardMapΓÇÖ.|
+|**server_name**|nvarchar(128)|Name of the server contained in the target group. Specified only if target_type is 'SqlServer'. |
+|**database_name**|nvarchar(128)|Name of the database contained in the target group. Specified only when target_type is 'SqlDatabase'.|
+|**elastic_pool_name**|nvarchar(128)|Name of the Elastic pool contained in the target group. Specified only when target_type is 'SqlElasticPool'.|
+|**shard_map_name**|nvarchar(128)|Name of the shard maps contained in the target group. Specified only when target_type is 'SqlShardMap'.|
## Resources
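Review bot: The rewritten **membership_type** row declares the column as int but gives the valid values as the strings 'Include' or 'Exclude', and it attributes those values to target_group_name rather than membership_type. Please reconcile the data type with the listed values and correct the column name. The **target_group_name** context row at the top of the hunk is also missing the closing parenthesis in `nvarchar(128`.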
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-query-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-query-overview.md
@@ -52,7 +52,7 @@ An elastic query allows easy access to an entire collection of databases through
Customer scenarios for elastic query are characterized by the following topologies: * **Vertical partitioning - Cross-database queries** (Topology 1): The data is partitioned vertically between a number of databases in a data tier. Typically, different sets of tables reside on different databases. That means that the schema is different on different databases. For instance, all tables for inventory are on one database while all accounting-related tables are on a second database. Common use cases with this topology require one to query across or to compile reports across tables in several databases.
-* **Horizontal Partitioning - Sharding** (Topology 2): Data is partitioned horizontally to distribute rows across a scaled out data tier. With this approach, the schema is identical on all participating databases. This approach is also called ΓÇ£shardingΓÇ¥. Sharding can be performed and managed using (1) the elastic database tools libraries or (2) self-sharding. An elastic query is used to query or compile reports across many shards. Shards are typically databases within an elastic pool. You can think of elastic query as an efficient way for querying all databases of elastic pool at once, as long as databases share the common schema.
+* **Horizontal Partitioning - Sharding** (Topology 2): Data is partitioned horizontally to distribute rows across a scaled out data tier. With this approach, the schema is identical on all participating databases. This approach is also called "sharding". Sharding can be performed and managed using (1) the elastic database tools libraries or (2) self-sharding. An elastic query is used to query or compile reports across many shards. Shards are typically databases within an elastic pool. You can think of elastic query as an efficient way for querying all databases of elastic pool at once, as long as databases share the common schema.
> [!NOTE] > Elastic query works best for reporting scenarios where most of the processing (filtering, aggregation) can be performed on the external source side. It is not suitable for ETL operations where large amount of data is being transferred from remote database(s). For heavy reporting workloads or data warehousing scenarios with more complex queries, also consider using [Azure Synapse Analytics](https://azure.microsoft.com/services/synapse-analytics).
@@ -87,7 +87,7 @@ The following steps configure elastic database queries for vertical partitioning
* [CREATE/DROP EXTERNAL DATA SOURCE](/sql/t-sql/statements/create-external-data-source-transact-sql) mydatasource of type **RDBMS** * [CREATE/DROP EXTERNAL TABLE](/sql/t-sql/statements/create-external-table-transact-sql) mytable
-After running the DDL statements, you can access the remote table ΓÇ£mytableΓÇ¥ as though it were a local table. Azure SQL Database automatically opens a connection to the remote database, processes your request on the remote database, and returns the results.
+After running the DDL statements, you can access the remote table "mytable" as though it were a local table. Azure SQL Database automatically opens a connection to the remote database, processes your request on the remote database, and returns the results.
## Horizontal partitioning - sharding
@@ -109,13 +109,13 @@ The following steps configure elastic database queries for horizontal partitioni
* [CREATE/DROP EXTERNAL DATA SOURCE](/sql/t-sql/statements/create-external-data-source-transact-sql) mydatasource of type **SHARD_MAP_MANAGER** * [CREATE/DROP EXTERNAL TABLE](/sql/t-sql/statements/create-external-table-transact-sql) mytable
-Once you have performed these steps, you can access the horizontally partitioned table ΓÇ£mytableΓÇ¥ as though it were a local table. Azure SQL Database automatically opens multiple parallel connections to the remote databases where the tables are physically stored, processes the requests on the remote databases, and returns the results.
+Once you have performed these steps, you can access the horizontally partitioned table "mytable" as though it were a local table. Azure SQL Database automatically opens multiple parallel connections to the remote databases where the tables are physically stored, processes the requests on the remote databases, and returns the results.
More information on the steps required for the horizontal partitioning scenario can be found in [elastic query for horizontal partitioning](elastic-query-horizontal-partitioning.md). To begin coding, see [Getting started with elastic query for horizontal partitioning (sharding)](elastic-query-getting-started.md). > [!IMPORTANT]
-> Successful execution of elastic query over a large set of databases relies heavily on the availability of each of databases during the query execution. If one of databases is not available, entire query will fail. If you plan to query hundreds or thousands of databases at once, make sure your client application has retry logic embedded, or consider leveraging [Elastic Database Jobs](./job-automation-overview.md#elastic-database-jobs-preview) (preview) and querying smaller subsets of databases, consolidating results of each query into a single destination.
+> Successful execution of elastic query over a large set of databases relies heavily on the availability of each of databases during the query execution. If one of databases is not available, entire query will fail. If you plan to query hundreds or thousands of databases at once, make sure your client application has retry logic embedded, or consider leveraging [Elastic Database Jobs](./job-automation-overview.md) (preview) and querying smaller subsets of databases, consolidating results of each query into a single destination.
## T-SQL querying
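Review bot: The updated link in the IMPORTANT note drops the `#elastic-database-jobs-preview` anchor but the sentence still labels Elastic Database Jobs as "(preview)"; if the anchor was removed because the target heading changed, check that the label here is still accurate. The same sentence has missing articles ("each of databases", "If one of databases is not available, entire query will fail") that could be fixed while the line is being edited.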
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/job-automation-managed-instances https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/job-automation-managed-instances.md
@@ -0,0 +1,202 @@
+
+ Title: Job automation with SQL Agent jobs in Azure SQL Managed Instance
+description: 'Automation options to run Transact-SQL (T-SQL) scripts in Azure SQL Managed Instance'
++++
+dev_langs:
+ - TSQL
++++ Last updated : 02/01/2021+
+# Automate management tasks using SQL Agent jobs in Azure SQL Managed Instance
+
+Using [SQL Server Agent](/sql/ssms/agent/sql-server-agent) in SQL Server and [SQL Managed Instance](../../azure-sql/managed-instance/sql-managed-instance-paas-overview.md), you can create and schedule jobs that could be periodically executed against one or many databases to run Transact-SQL (T-SQL) queries and perform maintenance tasks. This article introduced SQL Agent for SQL Managed Instance.
+
+> [!Note]
+> SQL Agent is not available in Azure SQL Database or Azure Synapse Analytics. Instead, we recommend [Job automation with Elastic Jobs](job-automation-overview.md).
+
+### SQL Agent job limitations in Azure SQL managed instance
+
+It is worth noting the differences between SQL Agent available in SQL Server and as part of SQL Managed Instance. For more on the supported feature differences between SQL Server and SQL Managed Instance, see [Azure SQL Managed Instance T-SQL differences from SQL Server](../../azure-sql/managed-instance/transact-sql-tsql-differences-sql-server.md#sql-server-agent).
+
+Some of the SQL Agent features that are available in SQL Server are not supported in SQL Managed Instance:
+
+- SQL Agent settings are read only.
+ - The system stored procedure `sp_set_agent_properties` is not supported in SQL Managed Instance.
+- Enabling/disabling SQL Agent is currently not supported in SQL Managed Instance. SQL Agent is always running.
+- Notifications are partially supported:
+ - Pager is not supported.
+ - NetSend is not supported.
+ - Alerts are not supported.
+- Proxies are not supported.
+- Eventlog is not supported.
+- Job schedule trigger based on an idle CPU is not supported.
+
+## When to use SQL Agent jobs
+
+There are several scenarios when you could use SQL Agent jobs:
+
+- Automate management tasks and schedule them to run every weekday, after hours, etc.
+ - Deploy schema changes, credentials management, performance data collection or tenant (customer) telemetry collection.
+ - Update reference data (information common across all databases), load data from Azure Blob storage.
+ - Common maintenance tasks including DBCC CHECKDB to ensure data integrity or index maintenance to improve query performance. Configure jobs to execute across a collection of databases on a recurring basis, such as during off-peak hours.
+ - Collect query results from a set of databases into a central table on an on-going basis. Performance queries can be continually executed and configured to trigger additional tasks to be executed.
+- Collect data for reporting
+ - Aggregate data from a collection of databases into a single destination table.
+ - Execute longer running data processing queries across a large set of databases, for example the collection of customer telemetry. Results are collected into a single destination table for further analysis.
+- Data movements
+ - Create jobs that replicate changes made in your databases to other databases or collect updates made in remote databases and apply changes in the database.
+ - Create jobs that load data from or to your databases using SQL Server Integration Services (SSIS).
+
+## SQL Agent jobs in Azure SQL managed instance
+
+SQL Agent Jobs are executed by the SQL Agent service that continues to be used for task automation in SQL Server and SQL Managed Instance.
+
+SQL Agent Jobs are a specified series of T-SQL scripts against your database. Use jobs to define an administrative task that can be run one or more times and monitored for success or failure.
+
+A job can run on one local server or on multiple remote servers. SQL Agent Jobs are an internal Database Engine component that is executed within the SQL Managed Instance service.
+
+There are several key concepts in SQL Agent Jobs:
+
+- **Job steps** set of one or many steps that should be executed within the job. For every job step you can define retry strategy and the action that should happen if the job step succeeds or fails.
+- **Schedules** define when the job should be executed.
+- **Notifications** enable you to define rules that will be used to notify operators via email once the job completes.
+
+### SQL Agent job steps
+
+SQL Agent Job steps are sequences of actions that SQL Agent should execute. Every step has the following step that should be executed if the step succeeds or fails, number of retries in a case of failure.
+
+SQL Agent enables you to create different types of job steps, such as Transact-SQL job steps that execute a single Transact-SQL batch against the database, or OS command/PowerShell steps that can execute custom OS script, [SSIS job steps](/azure/data-factory/how-to-invoke-ssis-package-managed-instance-agent) that enable you to load data using SSIS runtime, or [replication](../managed-instance/replication-transactional-overview.md) steps that can publish changes from your database to other databases.
+
+> [!Note]
+> For more information on leveraging the Azure SSIS Integration Runtime with SSISDB hosted by Azure SQL Managed Instance, see [Use Azure SQL Managed Instance with SQL Server Integration Services (SSIS) in Azure Data Factory](/../azure/data-factory/how-to-use-sql-managed-instance-with-ir.md).
+
+[Transactional replication](../managed-instance/replication-transactional-overview.md) can replicate the changes from your tables into other databases in Azure SQL Managed Instance, Azure SQL Database, or SQL Server. For information, see [Configure replication in Azure SQL Managed Instance](../../azure-sql/managed-instance/replication-between-two-instances-configure-tutorial.md).
+
+Other types of job steps are not currently supported in SQL Managed Instance, including:
+
+- Merge replication job step is not supported.
+- Queue Reader is not supported.
+- Analysis Services are not supported
+
+### SQL Agent job schedules
+
+A schedule specifies when a job runs. More than one job can run on the same schedule, and more than one schedule can apply to the same job.
+
+A schedule can define the following conditions for the time when a job runs:
+
+- Whenever SQL Server Agent starts. Job is activated after every failover.
+- One time, at a specific date and time, which is useful for delayed execution of some job.
+- On a recurring schedule.
+
+> [!Note]
+> SQL Managed Instance currently does not enable you to start a job when the CPU is idle.
+
+### SQL Agent job notifications
+
+SQL Agent Jobs enable you to get notifications when the job finishes successfully or fails. You can receive notifications via email.
+
+If it isn't already enabled, first you would need to configure [the Database Mail feature](/sql/relational-databases/database-mail/database-mail) on Azure SQL Managed Instance:
+
+```sql
+GO
+EXEC sp_configure 'show advanced options', 1;
+GO
+RECONFIGURE;
+GO
+EXEC sp_configure 'Database Mail XPs', 1;
+GO
+RECONFIGURE
+```
+
+As an example exercise, set up the email account that will be used to send the email notifications. Assign the account to the email profile called `AzureManagedInstance_dbmail_profile`. To send e-mail using SQL Agent jobs in SQL Managed Instance, there should be a profile that must be called `AzureManagedInstance_dbmail_profile`. Otherwise, SQL Managed Instance will be unable to send emails via SQL Agent. See the following sample:
+
+```sql
+-- Create a Database Mail account
+EXECUTE msdb.dbo.sysmail_add_account_sp
+ @account_name = 'SQL Agent Account',
+ @description = 'Mail account for Azure SQL Managed Instance SQL Agent system.',
+ @email_address = '$(loginEmail)',
+ @display_name = 'SQL Agent Account',
+ @mailserver_name = '$(mailserver)' ,
+ @username = '$(loginEmail)' ,
+ @password = '$(password)';
+
+-- Create a Database Mail profile
+EXECUTE msdb.dbo.sysmail_add_profile_sp
+ @profile_name = 'AzureManagedInstance_dbmail_profile',
+ @description = 'E-mail profile used for messages sent by Managed Instance SQL Agent.';
+
+-- Add the account to the profile
+EXECUTE msdb.dbo.sysmail_add_profileaccount_sp
+ @profile_name = 'AzureManagedInstance_dbmail_profile',
+ @account_name = 'SQL Agent Account',
+ @sequence_number = 1;
+```
+
+Test the Database Mail configuration via T-SQL using the [sp_send_db_mail](/sql/relational-databases/system-stored-procedures/sp-send-dbmail-transact-sql) system stored procedure:
+
+```sql
+DECLARE @body VARCHAR(4000) = 'The email is sent from ' + @@SERVERNAME;
+EXEC msdb.dbo.sp_send_dbmail
+ @profile_name = 'AzureManagedInstance_dbmail_profile',
+ @recipients = 'ADD YOUR EMAIL HERE',
+ @body = 'Add some text',
+ @subject = 'Azure SQL Instance - test email';
+```
+
+You can notify the operator that something happened with your SQL Agent jobs. An operator defines contact information for an individual responsible for the maintenance of one or more instances in SQL Managed Instance. Sometimes, operator responsibilities are assigned to one individual.
+
+In systems with multiple instances in SQL Managed Instance or SQL Server, many individuals can share operator responsibilities. An operator does not contain security information, and does not define a security principal. Ideally, an operator is not an individual whose responsibilities may change, but an email distribution group.
+
+You can [create operators](/sql/relational-databases/system-stored-procedures/sp-add-operator-transact-sql) using SQL Server Management Studio (SSMS) or the Transact-SQL script shown in the following example:
+
+```sql
+EXEC msdb.dbo.sp_add_operator
+ @name=N'AzureSQLTeam',
+ @enabled=1,
+ @email_address=N'AzureSQLTeamn@contoso.com';
+```
+
+Confirm the email's success or failure via the [Database Mail Log](/sql/relational-databases/database-mail/database-mail-log-and-audits) in SSMS.
+
+You can then [modify any SQL Agent job](/sql/relational-databases/system-stored-procedures/sp-update-job-transact-sql) and assign operators that will be notified via email if the job completes, fails, or succeeds using SSMS or the following Transact-SQL script:
+
+```sql
+EXEC msdb.dbo.sp_update_job @job_name=N'Load data using SSIS',
+ @notify_level_email=3, -- Options are: 1 on succeed, 2 on failure, 3 on complete
+ @notify_email_operator_name=N'AzureSQLTeam';
+```
+
+### SQL Agent job history
+
+Azure SQL Managed Instance currently doesn't allow you to change any SQL Agent properties because they are stored in the underlying registry values. This means options for adjusting the Agent retention policy for job history records are fixed at the default of 1000 total records and max 100 history records per job.
+
+### SQL Agent fixed database role membership
+
+If users linked to non-sysadmin logins are added to any of the three SQL Agent fixed database roles in the msdb system database, there exists an issue in which explicit EXECUTE permissions need to be granted to the master stored procedures for these logins to work. If this issue is encountered, the error message "The EXECUTE permission was denied on the object <object_name> (Microsoft SQL Server, Error: 229)" will be shown.
+
+Once you add users to a SQL Agent fixed database role (SQLAgentUserRole, SQLAgentReaderRole, or SQLAgentOperatorRole) in msdb, for each of the user's logins added to these roles, execute the below T-SQL script to explicitly grant EXECUTE permissions to the system stored procedures listed. This example assumes that the user name and login name are the same.
+
+```sql
+USE [master]
+GO
+CREATE USER [login_name] FOR LOGIN [login_name];
+GO
+GRANT EXECUTE ON master.dbo.xp_sqlagent_enum_jobs TO [login_name];
+GRANT EXECUTE ON master.dbo.xp_sqlagent_is_starting TO [login_name];
+GRANT EXECUTE ON master.dbo.xp_sqlagent_notify TO [login_name];
+```
+
+## Learn more
+
+- [What is Azure SQL Managed Instance?](../managed-instance/sql-managed-instance-paas-overview.md)
+- [What's new in Azure SQL Database & SQL Managed Instance?](../../azure-sql/database/doc-changes-updates-release-notes.md?tabs=managed-instance)
+- [Azure SQL Managed Instance T-SQL differences from SQL Server](../../azure-sql/managed-instance/transact-sql-tsql-differences-sql-server.md#sql-server-agent)
+- [Features comparison: Azure SQL Database and Azure SQL Managed Instance](../../azure-sql/database/features-comparison.md)
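Review bot: In the Database Mail test snippet, `DECLARE @body VARCHAR(4000) = 'The email is sent from ' + @@SERVERNAME;` is never used, because the call passes the literal `@body = 'Add some text'`; pass the variable (`@body = @body`) or drop the declaration. The sentence introducing that snippet links the procedure as `sp_send_db_mail` while the code calls `sp_send_dbmail`, so the link text should use the real name. The SSIS note links to `/../azure/data-factory/how-to-use-sql-managed-instance-with-ir.md`, which mixes a leading `/../` with a `.md` suffix, unlike the other absolute `/azure/...` and `/sql/...` links in this file, and should be checked for resolution. In the operator example, `AzureSQLTeamn@contoso.com` looks like a typo next to the operator name `AzureSQLTeam`. The "Confirm the email's success or failure" sentence would also read better directly after the test-mail snippet than after the operator creation.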
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/job-automation-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/job-automation-overview.md
@@ -1,212 +1,102 @@
Title: Job automation
-description: 'Use Job Automation to run Transact-SQL (T-SQL) scripts across a set of one or more databases'
+ Title: Job automation overview with Elastic Jobs
+description: 'Use Elastic Jobs for Job Automation to run Transact-SQL (T-SQL) scripts across a set of one or more databases'
---+++ ms.devlang:
+dev_langs:
+ - "TSQL"
--++ Previously updated : 03/10/2020 Last updated : 2/1/2021
-# Automate management tasks using database jobs
+# Automate management tasks using elastic jobs (preview)
-You can create and schedule jobs that could be periodically executed against one or many databases to run Transact-SQL (T-SQL) queries and perform maintenance tasks.
+
+You can create and schedule elastic jobs that could be periodically executed against one or many Azure SQL databases to run Transact-SQL (T-SQL) queries and perform maintenance tasks.
You can define target database or groups of databases where the job will be executed, and also define schedules for running a job. A job handles the task of logging in to the target database. You also define, maintain, and persist Transact-SQL scripts to be executed across a group of databases. Every job logs the status of execution and also automatically retries the operations if any failure occurs.
-## When to use automated jobs
+## When to use elastic jobs
-There are several scenarios when you could use job automation:
+There are several scenarios when you could use elastic job automation:
- Automate management tasks and schedule them to run every weekday, after hours, etc. - Deploy schema changes, credentials management, performance data collection or tenant (customer) telemetry collection. - Update reference data (information common across all databases), load data from Azure Blob storage.
- - Rebuild indexes to improve query performance. Configure jobs to execute across a collection of databases on a recurring basis, such as during off-peak hours.
+- Configure jobs to execute across a collection of databases on a recurring basis, such as during off-peak hours.
- Collect query results from a set of databases into a central table on an on-going basis. Performance queries can be continually executed and configured to trigger additional tasks to be executed. - Collect data for reporting - Aggregate data from a collection of databases into a single destination table. - Execute longer running data processing queries across a large set of databases, for example the collection of customer telemetry. Results are collected into a single destination table for further analysis.-- Data movements
- - Create jobs that replicate changes made in your databases to other databases or collect updates made in remote databases and apply changes in the database.
- - Create jobs that load data from or to your databases using SQL Server Integration Services (SSIS).
-
-## Overview
-
-The following job scheduling technologies are available:
--- **SQL Agent Jobs** are classic and battle-tested SQL Server job scheduling component that is available in Azure SQL Managed Instance. SQL Agent Jobs are not available in Azure SQL Database.-- **Elastic Database Jobs (preview)** are Job Scheduling services that execute custom jobs on one or many databases in Azure SQL Database.-
-It is worth noting a couple of differences between SQL Agent (available on-premises and as part of SQL Managed Instance), and the Database Elastic Job agent (available for single databases in Azure SQL Database and databases in Azure Synapse Analytics).
-
-| |Elastic Jobs |SQL Agent |
-||||
-|**Scope** | Any number of databases in Azure SQL Database and/or data warehouses in the same Azure cloud as the job agent. Targets can be in different servers, subscriptions, and/or regions. <br><br>Target groups can be composed of individual databases or data warehouses, or all databases in a server, pool, or shardmap (dynamically enumerated at job runtime). | Any individual database in the same instance as the SQL agent. |
-|**Supported APIs and Tools** | Portal, PowerShell, T-SQL, Azure Resource Manager | T-SQL, SQL Server Management Studio (SSMS) |
-
-## SQL Agent Jobs
-
-SQL Agent Jobs are a specified series of T-SQL scripts against your database. Use jobs to define an administrative task that can be run one or more times and monitored for success or failure.
-A job can run on one local server or on multiple remote servers. SQL Agent Jobs are an internal Database Engine component that is executed within the Managed Instance service.
-There are several key concepts in SQL Agent Jobs:
--- **Job steps** set of one or many steps that should be executed within the job. For every job step you can define retry strategy and the action that should happen if the job step succeeds or fails.-- **Schedules** define when the job should be executed.-- **Notifications** enable you to define rules that will be used to notify operators via email once the job completes.-
-### Job steps
-
-SQL Agent Job steps are sequences of actions that SQL Agent should execute. Every step has the following step that should be executed if the step succeeds or fails, number of retries in a case of failure.
-
-SQL Agent enables you to create different types of job steps, such as Transact-SQL job steps that execute a single Transact-SQL batch against the database, or OS command/PowerShell steps that can execute custom OS script, SSIS job steps that enable you to load data using SSIS runtime, or [replication](../managed-instance/replication-transactional-overview.md) steps that can publish changes from your database to other databases.
-
-[Transactional replication](../managed-instance/replication-transactional-overview.md) is a Database Engine feature that enables you to publish the changes made on one or multiple tables in one database and publish/distribute them to a set of subscriber databases. Publishing of the changes is implemented using the following SQL Agent job step types:
--- Transaction-log reader.-- Snapshot.-- Distributor.-
-Other types of job steps are not currently supported, including:
--- Merge replication job step is not supported.-- Queue Reader is not supported.-- Analysis Services are not supported-
-### Job schedules
+- Data movements
-A schedule specifies when a job runs. More than one job can run on the same schedule, and more than one schedule can apply to the same job.
-A schedule can define the following conditions for the time when a job runs:
+### Automation on other platforms
-- Whenever Instance is restarted (or when SQL Server Agent starts). Job is activated after every failover.-- One time, at a specific date and time, which is useful for delayed execution of some job.-- On a recurring schedule.
+Consider the following job scheduling technologies on different platforms:
-> [!Note]
-> SQL Managed Instance currently does not enable you to start a job when the instance is "idle".
+- **Elastic Jobs** are Job Scheduling services that execute custom jobs on one or many databases in Azure SQL Database.
+- **SQL Agent Jobs** are executed by the SQL Agent service that continues to be used for task automation in SQL Server and is also included with Azure SQL Managed Instances. SQL Agent Jobs are not available in Azure SQL Database.
-### Job notifications
+Elastic Jobs can target [Azure SQL Databases](sql-database-paas-overview.md), [Azure SQL Database elastic pools](elastic-pool-overview.md), and Azure SQL Databases in [shard maps](elastic-scale-shard-map-management.md).
-SQL Agent Jobs enable you to get notifications when the job finishes successfully or fails. You can receive notifications via email.
+For T-SQL script job automation in SQL Server and Azure SQL Managed Instance, consider [SQL Agent](job-automation-managed-instances.md).
-First, you would need to set up the email account that will be used to send the email notifications and assign the account to the email profile called `AzureManagedInstance_dbmail_profile`, as shown in the following sample:
+For T-SQL script job automation in Azure Synapse Analytics, consider [pipelines with recurring triggers](/azure/synapse-analytics/data-integration/concepts-data-factory-differences.md), which are [based on Azure Data Factory](/azure/synapse-analytics/data-integration/concepts-data-factory-differences).
-```sql
Create a Database Mail account
-EXECUTE msdb.dbo.sysmail_add_account_sp
- @account_name = 'SQL Agent Account',
- @description = 'Mail account for Azure SQL Managed Instance SQL Agent system.',
- @email_address = '$(loginEmail)',
- @display_name = 'SQL Agent Account',
- @mailserver_name = '$(mailserver)' ,
- @username = '$(loginEmail)' ,
- @password = '$(password)'
+It is worth noting differences between SQL Agent (available in SQL Server and as part of SQL Managed Instance), and the Database Elastic Job agent (which can execute T-SQL on Azure SQL Databases or databases in SQL Server and Azure SQL Managed Instance, Azure Synapse Analytics).
Create a Database Mail profile
-EXECUTE msdb.dbo.sysmail_add_profile_sp
- @profile_name = 'AzureManagedInstance_dbmail_profile',
- @description = 'E-mail profile used for messages sent by Managed Instance SQL Agent.' ;
- Add the account to the profile
-EXECUTE msdb.dbo.sysmail_add_profileaccount_sp
- @profile_name = 'AzureManagedInstance_dbmail_profile',
- @account_name = 'SQL Agent Account',
- @sequence_number = 1;
-```
-
-You would also need to enable Database Mail on Managed Instance:
-
-```sql
-GO
-EXEC sp_configure 'show advanced options', 1;
-GO
-RECONFIGURE;
-GO
-EXEC sp_configure 'Database Mail XPs', 1;
-GO
-RECONFIGURE
-```
-
-You can notify the operator that something happened with your SQL Agent jobs. An operator defines contact information for an individual responsible for the maintenance of one or more instances in SQL Managed Instance. Sometimes, operator responsibilities are assigned to one individual.
-In systems with multiple instances in SQL Managed Instance or SQL Server, many individuals can share operator responsibilities. An operator does not contain security information, and does not define a security principal.
-
-You can create operators using SSMS or the Transact-SQL script shown in the following example:
-
-```sql
-EXEC msdb.dbo.sp_add_operator
- @name=N'Mihajlo Pupun',
- @enabled=1,
- @email_address=N'mihajlo.pupin@contoso.com'
-```
-
-You can modify any job and assign operators that will be notified via email if the job completes, fails, or succeeds using SSMS or the following Transact-SQL script:
-
-```sql
-EXEC msdb.dbo.sp_update_job @job_name=N'Load data using SSIS',
- @notify_level_email=3, -- Options are: 1 on succeed, 2 on failure, 3 on complete
- @notify_email_operator_name=N'Mihajlo Pupun'
-```
-
-### SQL Agent Job Limitations
-
-Some of the SQL Agent features that are available in SQL Server are not supported in Managed Instance:
--- SQL Agent settings are read only. Procedure `sp_set_agent_properties` is not supported in Managed Instance.-- Enabling/disabling SQL Agent is currently not supported in Managed Instance. SQL Agent is always running.-- Notifications are partially supported
- - Pager is not supported.
- - NetSend is not supported.
- - Alerts are not supported.
-- Proxies are not supported.-- Eventlog is not supported.-
-For information about SQL Server Agent, see [SQL Server Agent](/sql/ssms/agent/sql-server-agent).
-
-## Elastic Database Jobs (preview)
+| |Elastic Jobs |SQL Agent |
+||||
+|**Scope** | Any number of databases in Azure SQL Database and/or data warehouses in the same Azure cloud as the job agent. Targets can be in different servers, subscriptions, and/or regions. <br><br>Target groups can be composed of individual databases or data warehouses, or all databases in a server, pool, or shard map (dynamically enumerated at job runtime). | Any individual database in the same instance as the SQL agent. The Multi Server Administration feature of SQL Server Agent allows for master/target instances to coordinate job execution, though this feature is not available in SQL managed instance. |
+|**Supported APIs and Tools** | Portal, PowerShell, T-SQL, Azure Resource Manager | T-SQL, SQL Server Management Studio (SSMS) |
+
+## Elastic job targets
-**Elastic Database Jobs** provide the ability to run one or more T-SQL scripts in parallel, across a large number of databases, on a schedule or on-demand.
+**Elastic Jobs** provide the ability to run one or more T-SQL scripts in parallel, across a large number of databases, on a schedule or on-demand.
-**Run jobs against any combination of databases**: one or more individual databases, all databases on a server, all databases in an elastic pool, or shardmap, with the added flexibility to include or exclude any specific database. **Jobs can run across multiple servers, multiple pools, and can even run against databases in different subscriptions.** Servers and pools are dynamically enumerated at runtime, so jobs run against all databases that exist in the target group at the time of execution.
+You can run scheduled jobs against any combination of databases: one or more individual databases, all databases on a server, all databases in an elastic pool, or shard map, with the added flexibility to include or exclude any specific database. Jobs can run across multiple servers, multiple pools, and can even run against databases in different subscriptions. Servers and pools are dynamically enumerated at runtime, so jobs run against all databases that exist in the target group at the time of execution.
The following image shows a job agent executing jobs across the different types of target groups: ![Elastic Job agent conceptual model](./media/job-automation-overview/conceptual-diagram.png)
-### Elastic Job components
+### Elastic job components
|Component | Description (additional details are below the table) | ||| |[**Elastic Job agent**](#elastic-job-agent) | The Azure resource you create to run and manage Jobs. |
-|[**Job database**](#job-database) | A database in Azure SQL Database that the job agent uses to store job related data, job definitions, etc. |
+|[**Job database**](#elastic-job-database) | A database in Azure SQL Database that the job agent uses to store job related data, job definitions, etc. |
|[**Target group**](#target-group) | The set of servers, pools, databases, and shard maps to run a job against. |
-|[**Job**](#job) | A job is a unit of work that is composed of one or more [job steps](#job-step). Job steps specify the T-SQL script to run, as well as other details required to execute the script. |
+|[**Job**](#elastic-jobs-and-job-steps) | A job is a unit of work that is composed of one or more job steps. Job steps specify the T-SQL script to run, as well as other details required to execute the script. |
-#### Elastic Job agent
+#### Elastic job agent
An Elastic Job agent is the Azure resource for creating, running, and managing jobs. The Elastic Job agent is an Azure resource you create in the portal ([PowerShell](elastic-jobs-powershell-create.md) and REST are also supported).
-Creating an **Elastic Job agent** requires an existing database in Azure SQL Database. The agent configures this existing database as the [*Job database*](#job-database).
+Creating an **Elastic Job agent** requires an existing database in Azure SQL Database. The agent configures this existing Azure SQL Database as the [*Job database*](#elastic-job-database).
The Elastic Job agent is free. The job database is billed at the same rate as any database in Azure SQL Database.
-#### Job database
+#### Elastic job database
The *Job database* is used for defining jobs and tracking the status and history of job executions. The *Job database* is also used to store agent metadata, logs, results, job definitions, and also contains many useful stored procedures and other database objects for creating, running, and managing jobs using T-SQL. For the current preview, an existing database in Azure SQL Database (S0 or higher) is required to create an Elastic Job agent.
-The *Job database* doesn't literally need to be new, but should be a clean, empty, S0 or higher service objective. The recommended service objective of the *Job database* is S1 or higher, but the optimal choice depends on the performance needs of your job(s): the number of job steps, the number of job targets, and how frequently jobs are run. For example, an S0 database might be sufficient for a job agent that runs few jobs an hour targeting less than ten databases, but running a job every minute might not be fast enough with an S0 database, and a higher service tier might be better.
+The *Job database* should be a clean, empty, S0 or higher service objective Azure SQL Database. The recommended service objective of the *Job database* is S1 or higher, but the optimal choice depends on the performance needs of your job(s): the number of job steps, the number of job targets, and how frequently jobs are run.
If operations against the job database are slower than expected, [monitor](monitor-tune-overview.md#azure-sql-database-and-azure-sql-managed-instance-resource-monitoring) database performance and the resource utilization in the job database during periods of slowness using Azure portal or the [sys.dm_db_resource_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-db-resource-stats-azure-sql-database) DMV. If utilization of a resource, such as CPU, Data IO, or Log Write approaches 100% and correlates with periods of slowness, consider incrementally scaling the database to higher service objectives (either in the [DTU model](service-tiers-dtu.md) or in the [vCore model](service-tiers-vcore.md)) until job database performance is sufficiently improved.
-##### Job database permissions
+##### Elastic job database permissions
During job agent creation, a schema, tables, and a role called *jobs_reader* are created in the *Job database*. The role is created with the following permission and is designed to give administrators finer access control for job monitoring:
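Review bot: The added sentence comparing the two agents says the Elastic Job agent "can execute T-SQL on Azure SQL Databases or databases in SQL Server and Azure SQL Managed Instance, Azure Synapse Analytics", which conflicts with the lines added just above it: those say Elastic Jobs target Azure SQL Databases, elastic pools and shard maps, and point readers to SQL Agent for SQL Server and SQL Managed Instance and to pipelines for Synapse. State the supported targets once and make these passages agree. In the Synapse sentence both links go to the same `concepts-data-factory-differences` page, the first with a `.md` suffix on an absolute path, so one of them is probably the wrong target. The "When to use" list now ends in a bare `- Data movements` bullet whose sub-items were removed; restore an item under it or drop the bullet.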
@@ -215,16 +105,16 @@ During job agent creation, a schema, tables, and a role called *jobs_reader* are
|**jobs_reader** | SELECT | None | > [!IMPORTANT]
-> Consider the security implications before granting access to the *Job database* as a database administrator. A malicious user with permissions to create or edit jobs could create or edit a job that uses a stored credential to connect to a database under the malicious user's control, which could allow the malicious user to determine the credentialΓÇÖs password.
+> Consider the security implications before granting access to the *Job database* as a database administrator. A malicious user with permissions to create or edit jobs could create or edit a job that uses a stored credential to connect to a database under the malicious user's control, which could allow the malicious user to determine the credential's password.
#### Target group A *target group* defines the set of databases a job step will execute on. A target group can contain any number and combination of the following: -- **Logical SQL server** - if a server is specified, all databases that exist in the server at the time of the job execution are part of the group. The master database credential must be provided so that the group can be enumerated and updated prior to job execution.
+- **Logical SQL server** - if a server is specified, all databases that exist in the server at the time of the job execution are part of the group. The master database credential must be provided so that the group can be enumerated and updated prior to job execution. For more information on logical servers, see [What is a server in Azure SQL Database and Azure Synapse Analytics?](logical-servers.md).
- **Elastic pool** - if an elastic pool is specified, all databases that are in the elastic pool at the time of the job execution are part of the group. As for a server, the master database credential must be provided so that the group can be updated prior to the job execution. - **Single database** - specify one or more individual databases to be part of the group.-- **Shardmap** - databases of a shardmap.
+- **Shard map** - databases of a shard map.
> [!TIP] > At the moment of job execution, *dynamic enumeration* re-evaluates the set of databases in target groups that include servers or pools. Dynamic enumeration ensures that **jobs run across all databases that exist in the server or pool at the time of job execution**. Re-evaluating the list of databases at runtime is specifically useful for scenarios where pool or server membership changes frequently.
@@ -250,14 +140,11 @@ The following examples show how different target group definitions are dynamical
> [!NOTE] > The Job database itself can be the target of a job. In this scenario, the Job database is treated just like any other target database. The job user must be created and granted sufficient permissions in the Job database, and the database scoped credential for the job user must also exist in the Job database, just like it does for any other target database.
->
-#### Job
+#### Elastic jobs and job steps
A *job* is a unit of work that is executed on a schedule or as a one-time job. A job consists of one or more *job steps*.
-##### Job step
- Each job step specifies a T-SQL script to execute, one or more target groups to run the T-SQL script against, and the credentials the job agent needs to connect to the target database. Each job step has customizable timeout and retry policies, and can optionally specify output parameters. #### Job output
@@ -266,7 +153,11 @@ The outcome of a job's steps on each target database are recorded in detail, and
#### Job history
-Job execution history is stored in the *Job database*. A system cleanup job purges execution history that is older than 45 days. To remove history less than 45 days old, call the **sp_purge_history** stored procedure in the *Job database*.
+View Elastic Job execution history in the *Job database* by [querying the table jobs.job_executions](elastic-jobs-tsql-create-manage.md#monitor-job-execution-status). A system cleanup job purges execution history that is older than 45 days. To remove history less than 45 days old, call the **sp_purge_history** stored procedure in the *Job database*.
+
+#### Job status
+
+You can monitor Elastic Job executions in the *Job database* by [querying the table jobs.job_executions](elastic-jobs-tsql-create-manage.md#monitor-job-execution-status).
### Agent performance, capacity, and limitations
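Review bot: The new "Job status" section repeats the opening sentence of the rewritten "Job history" section almost word for word, including the same link to `jobs.job_executions`. Fold the two into one section, or give "Job status" content that the history section does not already carry.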
@@ -274,7 +165,7 @@ Elastic Jobs use minimal compute resources while waiting for long-running jobs t
Depending on the size of the target group of databases and the desired execution time for a job (number of concurrent workers), the agent requires different amounts of compute and performance of the *Job database* (the more targets and the higher number of jobs, the higher the amount of compute required).
-Currently, the preview is limited to 100 concurrent jobs.
+Currently, the limit is 100 concurrent jobs.
#### Prevent jobs from reducing target database performance
@@ -282,7 +173,6 @@ To ensure resources aren't overburdened when running jobs against databases in a
## Next steps -- [What is SQL Server Agent](/sql/ssms/agent/sql-server-agent) - [How to create and manage elastic jobs](elastic-jobs-overview.md) - [Create and manage Elastic Jobs using PowerShell](elastic-jobs-powershell-create.md) - [Create and manage Elastic Jobs using Transact-SQL (T-SQL)](elastic-jobs-tsql-create-manage.md)
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server.md
@@ -9,7 +9,7 @@
Previously updated : 11/10/2020 Last updated : 1/12/2021
@@ -279,6 +279,7 @@ For more information, see [ALTER DATABASE](/sql/t-sql/statements/alter-database-
### SQL Server Agent - Enabling and disabling SQL Server Agent is currently not supported in SQL Managed Instance. SQL Agent is always running.
+- Job schedule trigger based on an idle CPU is not supported.
- SQL Server Agent settings are read only. The procedure `sp_set_agent_properties` isn't supported in SQL Managed Instance. - Jobs - T-SQL job steps are supported.
@@ -300,14 +301,8 @@ For more information, see [ALTER DATABASE](/sql/t-sql/statements/alter-database-
- Alerts aren't yet supported. - Proxies aren't supported. - EventLog isn't supported.-- User must be directly mapped to Azure AD server principal (login) to create, modify, or execute SQL Agent jobs. Users that are not directly mapped, for example, users that belong to an Azure AD group that has the rights to create, modify, or execute SQL Agent jobs, will not effectively be able to perform those actions. This is due to Managed Instance impersonation and [EXECUTE AS limitations](#logins-and-users).-
-The following SQL Agent features currently aren't supported:
--- Proxies-- Scheduling jobs on an idle CPU-- Enabling or disabling an Agent-- Alerts
+- User must be directly mapped to Azure AD server principal (login) to create, modify, or execute SQL Agent jobs. Users that are not directly mapped, for example, users that belong to an Azure AD group that has the rights to create, modify or execute SQL Agent jobs, will not effectively be able to perform those actions. This is due to Managed Instance impersonation and [EXECUTE AS limitations](#logins-and-users).
+- The Multi Server Administration feature for master/target (MSX/TSX) jobs are not supported.
For information about SQL Server Agent, see [SQL Server Agent](/sql/ssms/agent/sql-server-agent).
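Review bot: The added MSX/TSX bullet has a subject-verb mismatch: "The Multi Server Administration feature ... are not supported" should read "is not supported". In the re-added Azure AD bullet, the second "create, modify or execute" lost the serial comma that the first occurrence in the same sentence keeps. Removing the duplicate "currently aren't supported" list looks safe, since Proxies, Alerts, the idle-CPU schedule and enabling or disabling the Agent are each still covered by a bullet above.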
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/migration-guides/database/sql-server-to-sql-database-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/database/sql-server-to-sql-database-overview.md
@@ -160,7 +160,7 @@ Manual setup of SQL Server high availability features like Always On failover cl
Beyond the high availability architecture that is included in SQL Database, there is also the [auto-failover groups](../../database/auto-failover-group-overview.md) feature that allows you to manage the replication and failover of databases in a managed instance to another region. #### SQL Agent jobs
-SQL Agent jobs are not directly supported in Azure SQL Database and will need to be deployed to [Elastic Database Jobs (Preview)](../../database/job-automation-overview.md#elastic-database-jobs-preview).
+SQL Agent jobs are not directly supported in Azure SQL Database and will need to be deployed to [Elastic Database Jobs (Preview)](../../database/job-automation-overview.md).
#### Logins and groups Move SQL logins from the source SQL Server to Azure SQL Database using Database Migration Service (DMS) in offline mode. Use the **Selected logins** blade in the **Migration Wizard** to migrate logins to your target SQL Database.
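Review bot: The link target loses its `#elastic-database-jobs-preview` fragment, but the link text still reads "Elastic Database Jobs (Preview)", so readers now land at the top of `job-automation-overview.md` rather than on the section the text names. If the heading was renamed in the target, point at the new anchor; if the Preview label was dropped there, update the link text to match.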
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-identity.md
@@ -7,7 +7,7 @@ Last updated 02/02/2021
# Azure VMware Solution identity concepts
-Azure VMware Solution private clouds are provisioned with a vCenter server and NSX-T Manager. You use vCenter to manage virtual machine (VM) workloads. You use the NSX-T manager to extend the private cloud.
+Azure VMware Solution private clouds are provisioned with a vCenter server and NSX-T Manager. You use vCenter to manage virtual machine (VM) workloads. You use the NSX-T Manager to extend the private cloud.
Access and identity management use CloudAdmin group privileges for vCenter and restricted administrator rights for NSX-T Manager. It ensures that your private cloud platform upgrades automatically with the newest features and patches. For more information, see [private cloud upgrades concepts article][concepts-upgrades].
@@ -44,7 +44,7 @@ The table shows **CloudAdmin** and **CloudGlobalAdmin** privileges.
## NSX-T Manager access and identity
-Use the "administrator" account to access NSX-T Manager. It has full privileges and lets you create and manage T1 routers, logical switches, and all services. The privileges give you access to the NSX-T T0 router. A change to the T0 router could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 router.
+Use the *administrator* account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) Gateways, segments (logical switches), and all services. The privileges give you access to the NSX-T Tier-0 (T0) Gateway. A change to the T0 Gateway could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 Gateway.
## Next steps
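Review bot: The rewritten NSX-T Manager paragraph still says the *administrator* account "has full privileges", which conflicts with the introduction of the same article ("restricted administrator rights for NSX-T Manager"). Pick one description of the account's privilege level and use it in both places. Because this account can reach the T0 Gateway and a change there can cut off private cloud access, consider moving the "open a support request" instruction into an `[!IMPORTANT]` callout so it is not read as optional.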
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-networking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-networking.md
@@ -34,7 +34,7 @@ The use cases for Azure VMware Solution private clouds include:
In the virtual network to private cloud implementation, you can manage your Azure VMware Solution private cloud, consume workloads in your private cloud, and access Azure services over the ExpressRoute connection. The diagram below shows the basic network interconnectivity established at the time of a private cloud deployment. It shows the logical, ExpressRoute-based networking between a virtual network in Azure and a private cloud. The interconnectivity fulfills three of the primary use cases:
-* Inbound access to vCenter server and NSX-T manager that is accessible from VMs in your Azure subscription and not from your on-premises systems.
+* Inbound access to vCenter server and NSX-T Manager that is accessible from VMs in your Azure subscription and not from your on-premises systems.
* Outbound access from VMs to Azure services. * Inbound access and consumption of workloads running a private cloud.
@@ -64,4 +64,5 @@ Now that you've covered Azure VMware Solution network and interconnectivity conc
[enable Global Reach]: ../expressroute/expressroute-howto-set-global-reach.md <!-- LINKS - internal -->-
+[concepts-upgrades]: ./concepts-upgrades.md
+[concepts-storage]: ./concepts-storage.md
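Review bot: The two reference definitions added under `<!-- LINKS - internal -->` (`[concepts-upgrades]` and `[concepts-storage]`) are not used by any line visible in this file's hunks. Confirm the article body actually references them; `[concepts-upgrades]` is cited in concepts-identity.md, so it may have been added to the wrong file. Unused definitions should be dropped.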
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-private-clouds-clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-private-clouds-clusters.md
@@ -20,7 +20,7 @@ This article describes all of these concepts.
## Private clouds
-Private clouds contain vSAN clusters built with dedicated, bare-metal Azure hosts. Each private cloud can have multiple clusters managed by the same vCenter server and NSX-T manager. You can deploy and manage private clouds in the portal, CLI, or PowerShell.
+Private clouds contain vSAN clusters built with dedicated, bare-metal Azure hosts. Each private cloud can have multiple clusters managed by the same vCenter server and NSX-T Manager. You can deploy and manage private clouds in the portal, CLI, or PowerShell.
As with other resources, private clouds are installed and managed from within an Azure subscription. The number of private clouds within a subscription is scalable. Initially, there's a limit of one private cloud per subscription.
@@ -68,6 +68,7 @@ Now that you've covered Azure VMware Solution private cloud concepts, you may wa
- [How to enable Azure VMware Solution resource](enable-azure-vmware-solution.md). <!-- LINKS - internal -->
+[concepts-networking]: ./concepts-networking.md
<!-- LINKS - external--> [VCSA versions]: https://kb.vmware.com/s/article/2143838
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/configure-nsx-network-components-azure-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-nsx-network-components-azure-portal.md
@@ -0,0 +1,177 @@
+
+ Title: Configure NSX network components in Azure VMware Solution
+description: Learn how to use the Azure VMware Solution console to configure NSX-T network segments.
+ Last updated : 02/16/2021++
+# Configure NSX network components in Azure VMware Solution
+
+An Azure VMware Solution private cloud comes with NSX-T as a software-defined network (SDDC) by default. It comes pre-provisioned with an NSX-T Tier-0 gateway in Active/Active mode and a default NSX-T Tier-1 gateway in Active/Standby mode. These gateways let you connect the segments (logical switches) and provide East-West and North-South connectivity.
+
+After the Azure VMware Solution private cloud is deployed, you can configure the necessary NSX-T objects from the Azure VMware Solution console under **Workload Networking**. The console presents the simplified view of NSX-T operations that a VMware administrator needs daily and targeted at users not familiar with NSX-T.
+
+You'll have four options to configure NSX-T components in the Azure VMware Solution console:
+- **Segments** - Create segments that display in NSX-T Manager and vCenter.
+- **DHCP** - Create a DHCP server or DHCP relay if you plan to use DHCP.
+- **Port mirroring** ΓÇô Create port mirroring to help troubleshoot network issues.
+- **DNS** ΓÇô Create a DNS forwarder to send DNS requests to a designated DNS server for resolution.
+
+>[!NOTE]
+>You'll still have access to the NSX-T Manager console, where you can use the advanced settings mentioned and other NSX-T features.
+
+
+## Prerequisites
+Virtual machines (VMs) created or migrated to the Azure VMware Solution private cloud should be attached to a segment.
+
+## Create an NSX-T segment in the Azure portal
+You can create and configure an NSX-T segment from the Azure VMware Solution console in the Azure portal. These segments are connected to the default Tier-1 gateway, and the workloads on these segments get East-West and North-South connectivity. Once you create the segment, it displays in NSX-T Manager and vCenter.
+
+>[!NOTE]
+>If you plan to use DHCP, you'll need to [configure a DHCP server or DHCP relay](#create-a-dhcp-server-or-dhcp-relay-in-the-azure-portal) before you can create and configure an NSX-T segment.
+
+1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **Segments** > **Add**.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-new-nsxt-segment.png" alt-text="Screenshot showing how to add a new segment.":::
+
+1. Provide the details for the new logical segment.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/create-new-segment-details.png" alt-text="Screenshot showing the details of the new segment.":::
+
+ - **Segment name** - Name of the logical switch that is visible in vCenter.
+ - **Subnet gateway** - Gateway IP address for the logical switch's subnet with a subnet mask. VMs are attached to a logical switch, and all VMs connecting to this switch belong to the same subnet. Also, all VMs attached to this logical segment must carry an IP address from the same segment.
+ - **DHCP** (optional) - DHCP ranges for a logical segment. A [DHCP server or DHCP relay](#create-a-dhcp-server-or-dhcp-relay-in-the-azure-portal) must be configured to consume DHCP on Segments.
+ - **Connected gateway** - *Selected by default and read only.* Tier-1 gateway and type of segment information.
+ - **T1** - Name of the Tier-1 gateway in NSX-T Manager. An Azure VMware Solution private cloud comes with an NSX-T Tier-0 gateway in Active/Active mode and a default NSX-T Tier-1 gateway in Active/Standby mode. Segments created through the Azure VMware Solution console only connect to the default Tier-1 gateway, and the workloads of these segments get East-West and North-South connectivity. You can only create more Tier-1 gateways through NSX-T Manager. Tier-1 gateways created from the NSX-T Manager console are not visible in the Azure VMware Solution console.
+ - **Type** - Overlay segment supported by Azure VMware Solution.
+
+1. Select **OK** to create the segment and attach it to the Tier-1 gateway.
+
+ The segment is now visible in the Azure VMware Solution console, NSX-T Manger, and vCenter.
+
+## Create a DHCP server or DHCP relay in the Azure portal
+You can create a DHCP server or relay directly from the Azure VMware Solution console in the Azure portal. The DHCP server or relay connects to the Tier-1 gateway, which gets created when you deploy Azure VMware Solution. All the segments where you gave DHCP ranges will be part of this DHCP. After you've created a DHCP server or DHCP relay, you must define a subnet or range on segment level to consume it.
+
+1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **DHCP** > **Add**.
+
+2. Select either **DHCP Server** or **DHCP Relay** and then provide a name for the server or relay and three IP addresses.
+
+ >[!NOTE]
+ >For DHCP relay, only one IP address is required for a successful configuration.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-dhcp-server-relay.png" alt-text="Screenshot showing how to add a DHCP server or DHCP relay in Azure VMware Solutions.":::
+
+4. Complete the DHCP configuration by [providing DHCP ranges on the logical segments](#create-an-nsx-t-segment-in-the-azure-portal) and then select **OK**.
+
+## Configure port mirroring in the Azure portal
+You can configure port mirroring to monitor network traffic that involves forwarding a copy of each packet from one network switch port to another. This option places a protocol analyzer on the port that receives the mirrored data. It analyzes traffic from a source, a VM, or a group of VMs, and then sent to a defined destination.
+
+To set up port mirroring in the Azure VMware Solution console, you'll:
+
+* [Step 1. Create source and destination VMs or VM groups](#step-1-create-source-and-destination-vms-or-vm-groups) ΓÇô The source group has a single VM or multiple VMs where the traffic is mirrored.
+
+* [Step 2. Create a port mirroring profile](#step-2-create-a-port-mirroring-profile) ΓÇô You'll define the traffic direction for the source and destination VM groups.
+
+### Step 1. Create source and destination VMs or VM groups
+
+In this step, you'll create a source VM group and a destination VM group.
+
+1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **Port mirroring** > **VM groups** > **Add**.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-port-mirroring-vm-groups.png" alt-text="Screenshot showing how to create a VM group for port mirroring.":::
+
+1. Provide a name for the new VM group, select the desired VMs from the list, and then **Ok**.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-vm-group.png" alt-text="Screenshot showing the list of VMs to add to the VM group.":::
+
+1. Repeat these steps to create the destination VM group.
+
+### Step 2. Create a port mirroring profile
+
+In this step, you'll define a profile for the source and destination VM groups' traffic direction.
+
+>[!NOTE]
+>Make sure you have both the source and destination VM groups created.
+
+1. Select **Port mirroring** > **Add** and then provide:
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-port-mirroring-profile.png" alt-text="Screenshot showing the information required for the port mirroring profile.":::
+
+ - **Port mirroring name** - Descriptive name for the profile.
+ - **Direction** - Select from Ingress, Egress, or Bi-directional.
+ - **Source** - Select the source VM group.
+ - **Destination** - Select the destination VM group.
+ - **Description** - Enter a description for the port mirroring.
+
+1. Select **OK** to complete the profile.
+
+ The profile and VM groups are visible in the Azure VMware Solution console.
+
+## Configure a DNS forwarder in the Azure portal
+You'll configure a DNS forwarder where specific DNS requests get forwarded to a designated DNS server for resolution. A DNS forwarder is associate with a **default DNS zone** and up to three **FQDN zones**.
+
+>[!TIP]
+>You can also use the [NSX-T Manager console to configure a DNS forwarder](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-A0172881-BB25-4992-A499-14F9BE3BE7F2.html).
+
+To set up a DNS forwarder in the Azure VMware Solution console, you'll:
+
+* [Step 1. Configure a default DNS zone and FQDN zone](#step-1-configure-a-default-dns-zone-and-fqdn-zone) ΓÇô When a DNS query is received, a DNS forwarder compares the domain name with the domain names in the FQDN DNS zone.
+
+* [Step 2. Configure DNS service](#step-2-configure-dns-service) - You'll configure the DNS forwarder service.
+
+### Step 1. Configure a default DNS zone and FQDN zone
+You'll configure a default DNS zone and FQDN zone to send DNS queries to the upstream server. When a DNS query is received, the DNS forwarder compares the domain name in the query with the FQDN DNS zones' domain names. If a match is found, the query is forwarded to the DNS servers specified in the FQDN DNS zone. If no match is found, the query is forwarded to the DNS servers specified in the default DNS zone.
+
+>[!NOTE]
+>A default DNS zone must be defined before you configure an FQDN zone.
+
+1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **DNS** > **DNS zones** > **Add**.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-dns-zones.png" alt-text="Screenshot showing how to add DNS zones and a DNS service.":::
+
+1. Select **Default DNS zone** and provide:
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-configure-dns-zones.png" alt-text="Screenshot showing how to add a default DNS zone.":::
+
+ 1. A name for the DNS zone.
+
+ 1. Up to three DNS server IP addresses in the format of **8.8.8.8**.
+
+1. Select **FQDN zone** and provide:
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-configure-fqdn-zone.png" alt-text="Screenshot showing how to add an FQDN zone. ":::
+
+ 1. A name for the DNS zone.
+
+ 1. The FQDN domain.
+
+ 1. Up to three DNS server IP addresses in the format of **8.8.8.8**.
+
+1. Select **OK** to finish adding the default DNS zone and DNS service.
+
+### Step 2. Configure DNS service
+
+1. Select the **DNS service** tab, select **Add**, and then provide:
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-configure-dns-service.png" alt-text="Screenshot showing the information required for the DNS service.":::
+
+ 1. A name for the DNS service.
+
+ 1. Enter the IP address for the DNS service.
+
+ 1. Select the default DNS zone that you created under the DNS zones tab.
+
+ 1. Select the FQDN zones that you added under the DNS zones tab.
+
+ 1. Select the **Log level**.
+
+ >[!TIP]
+ >**Tier-1 Gateway** is selected by default and reflects the gateway created when deploying Azure VMware Solution.
+
+1. Select **OK**.
+
+ The DNS service was added successfully.
+
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-configure-dns-service-success.png" alt-text="Screenshot showing the DNS service added successfully.":::
+
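Review bot: The opening paragraph expands the wrong acronym: "NSX-T as a software-defined network (SDDC)" pairs "network" with SDDC, which stands for software-defined data center; use one term or the other. Other points in this new file: the DHCP procedure is numbered 1, 2, 4; the segment section says DHCP must be configured before a segment is created, while the last DHCP step says to finish by providing ranges on the segments, so the required order is unclear; "NSX-T Manger", "is associate with", and "and then **Ok**" (missing "select", and elsewhere the button is **OK**) need fixing; the port mirroring sentence "It analyzes traffic from a source ... and then sent to a defined destination" does not parse. The list separators mix " - " and an en dash, which is what renders as garbled characters in some bullets. `Last updated : 02/16/2021` is later than the other dates in this batch.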
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/deploy-azure-vmware-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-azure-vmware-solution.md
@@ -63,13 +63,13 @@ In this example, the 10.74.72.0/22 network was input during deployment derives t
## Connect and sign in to vCenter and NSX-T
-Log into the jump box you created in the earlier step. Once you've logged in, open a web browser and navigate to and log into both vCenter and NSX-T admin console.
+Log into the jump box you created in the earlier step. Once you've logged in, open a web browser and navigate to and log into both vCenter and NSX-T Manager.
-You can identify the vCenter, and NSX-T admin console's IP addresses and credentials in the Azure portal. Select your private cloud and then in the **Overview** view, select **Identity > Default**.
+You can identify the vCenter, and NSX-T Manager console's IP addresses and credentials in the Azure portal. Select your private cloud and then in the **Overview** view, select **Identity > Default**.
## Create a network segment on Azure VMware Solution
-You use NSX-T to create new network segments in your Azure VMware Solution environment. You defined the networks you want to create in the [planning section](production-ready-deployment-steps.md). If you haven't defined them, go back to the [planning section](production-ready-deployment-steps.md) before proceeding.
+You use NSX-T Manager to create new network segments in your Azure VMware Solution environment. You defined the networks you want to create in the [planning section](production-ready-deployment-steps.md). If you haven't defined them, go back to the [planning section](production-ready-deployment-steps.md) before proceeding.
>[!IMPORTANT] >Make sure the CIDR network address block you defined doesn't overlap with anything in your Azure or on-premises environments.
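Review bot: In the second changed sentence, "the vCenter, and NSX-T Manager console's IP addresses and credentials" has a stray comma after "vCenter" and introduces "NSX-T Manager console" one line after the same hunk standardizes on "NSX-T Manager". Suggest "the IP addresses and credentials for vCenter and NSX-T Manager". Since this step retrieves admin credentials from **Identity > Default**, it would also help to say which accounts those are.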
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/deploy-vm-content-library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-vm-content-library.md
@@ -13,7 +13,7 @@ In this article, we'll walk through the procedure for creating a content library
## Prerequisites
-An NSX-T logical switch segment and a managed DHCP service are required to complete this tutorial. For more information, see the [How to manage DHCP in Azure VMware Solution](manage-dhcp.md) article.
+An NSX-T segment (logical switch) and a managed DHCP service are required to complete this tutorial. For more information, see the [How to manage DHCP in Azure VMware Solution](manage-dhcp.md) article.
## Create a content library
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/github-enterprise-server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/github-enterprise-server.md
@@ -2,16 +2,16 @@
Title: Set up GitHub Enterprise Server on your Azure VMware Solution private cloud description: Learn how to Set up GitHub Enterprise Server on your Azure VMware Solution private cloud. Previously updated : 02/03/2021 Last updated : 02/11/2021 # Set up GitHub Enterprise Server on your Azure VMware Solution private cloud
-In this article, we walk through the steps to set up GitHub Enterprise Server, the "on-premises" version of [GitHub.com](https://github.com/), on your Azure VMware Solution private cloud. The scenario covered in this walk-through is for a GitHub Enterprise Server instance capable of serving up to 3,000 developers running up to 25 jobs per minute on GitHub Actions. It includes the setup of (at time of writing) *preview* features, such as GitHub Actions. To customize the setup for your particular needs, review the requirements listed in [Installing GitHub Enterprise Server on VMware](https://docs.github.com/en/enterprise/admin/installation/installing-github-enterprise-server-on-vmware#hardware-considerations).
+In this article, we walk through the steps to set up GitHub Enterprise Server, the "on-premises" version of [GitHub.com](https://github.com/), on your Azure VMware Solution private cloud. The scenario we'll cover is a GitHub Enterprise Server instance that can serve up to 3,000 developers running up to 25 jobs per minute on GitHub Actions. It includes the setup of (at time of writing) *preview* features, such as GitHub Actions. To customize the setup for your particular needs, review the requirements listed in [Installing GitHub Enterprise Server on VMware](https://docs.github.com/en/enterprise/admin/installation/installing-github-enterprise-server-on-vmware#hardware-considerations).
## Before you begin
-GitHub Enterprise Server requires a valid license key. You may sign up for a [trial license](https://enterprise.github.com/trial). If you are looking to extend the capabilities of GitHub Enterprise Server via an integration, you may qualify for a free five-seat developer license. Apply for this license through [GitHub's Partner Program](https://partner.github.com/).
+GitHub Enterprise Server requires a valid license key. You may sign up for a [trial license](https://enterprise.github.com/trial). If you're looking to extend the capabilities of GitHub Enterprise Server via an integration, you may qualify for a free five-seat developer license. Apply for this license through [GitHub's Partner Program](https://partner.github.com/).
## Installing GitHub Enterprise Server on VMware
@@ -25,7 +25,7 @@ Provide a recognizable name for your new virtual machine, such as GitHubEnterpri
Once imported, [adjust the hardware configuration](https://docs.github.com/en/enterprise/admin/installation/installing-github-enterprise-server-on-vmware#creating-the-github-enterprise-server-instance) based on your needs. In our example scenario, we'll need the following configuration.
-| Resource | Standard Setup | Standard Setup + "Beta Features" (Actions) |
+| Resource | Standard Setup | Standard Set up + "Beta Features" (Actions) |
| | | | | vCPUs | 4 | 8 | | Memory | 32 GB | 61 GB |
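Review bot: The table header change turns the noun "Setup" into the verb phrase "Set up" in the third column only, so the row now reads "Standard Setup" next to "Standard Set up + ...". The original "Standard Setup" was correct as a noun; revert this cell so both columns match.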
@@ -46,7 +46,7 @@ We recommend to at least take the following steps:
1. Upload a public SSH key to the management console, so that you can [access the administrative shell via SSH](https://docs.github.com/en/enterprise/admin/configuration/accessing-the-administrative-shell-ssh).
-2. [Configure TLS on your instance](https://docs.github.com/en/enterprise/admin/configuration/configuring-tls) so that you can use a certificate that is signed by a trusted certificate authority.
+2. [Configure TLS on your instance](https://docs.github.com/en/enterprise/admin/configuration/configuring-tls) so that you can use a certificate signed by a trusted certificate authority.
:::image type="content" source="media/github-enterprise-server/configuring-your-instance.png" alt-text="Configuring your instance.":::
@@ -54,7 +54,7 @@ Apply your settings. While the instance restarts, you can continue with the nex
:::image type="content" source="media/github-enterprise-server/create-admin-account.png" alt-text="Create your admin account.":::
-Once the instance restarts, create a new admin account on the instance. Be sure to make a note of this user's password as well.
+After the instance restarts, you can create a new admin account on the instance. Be sure to make a note of this user's password as well.
### Other configuration steps
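Review bot: Changing "create a new admin account" to "you can create a new admin account" makes this step read as optional, yet the next sentence still requires the reader to record that user's password and later steps depend on the account. Keep the imperative form. "Make a note of this user's password" would also be better phrased as storing it in a password manager or secret store.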
@@ -173,7 +173,7 @@ To make this runner available to organizations in your enterprise, edit its orga
:::image type="content" source="media/github-enterprise-server/edit-runner-access.png" alt-text="Edit runner access.":::
-Here we will make it available to all organizations, but you can also limit access to a subset of organizations, and even to specific repositories.
+Here we'll make it available to all organizations, but you can limit access to a subset of organizations, and even to specific repositories.
## (Optional) Configuring GitHub Connect
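Review bot: The reworded sentence still leads with exposing the self-hosted runner to all organizations and mentions restriction only as an aside. Since the text already states that access can be limited to a subset of organizations or to specific repositories, consider presenting the restricted scope as the recommended choice and "all organizations" as the walkthrough shortcut.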
@@ -218,11 +218,11 @@ If everything ran successfully, you should see a new issue in your repo, entitle
Congratulations! You just completed your first Actions workflow on GitHub Enterprise Server, running on your Azure VMware Solution private cloud.
-In this article, we set up a new instance of GitHub Enterprise Server, the self-hosted equivalent of GitHub.com, on top of your Azure VMware Solution private cloud. This instance includes support for GitHub Actions and uses Azure Blob Storage for persistence of logs and artifacts. But we are just scratching the surface of what you can do with GitHub Actions. Check out the list of Actions on [GitHub's Marketplace](https://github.com/marketplace), or [create your own](https://docs.github.com/en/actions/creating-actions).
+In this article, we set up a new instance of GitHub Enterprise Server, the self-hosted equivalent of GitHub.com, on top of your Azure VMware Solution private cloud. This instance includes support for GitHub Actions and uses Azure Blob Storage for persistence of logs and artifacts. But we're just scratching the surface of what you can do with GitHub Actions. Check out the list of Actions on [GitHub's Marketplace](https://github.com/marketplace), or [create your own](https://docs.github.com/en/actions/creating-actions).
## Next steps
-Now that you've seen how to set up GitHub Enterprise Server on your Azure VMware Solution private cloud, you may want to learn about:
+Now that you've covered setting up GitHub Enterprise Server on your Azure VMware Solution private cloud, you may want to learn about:
- [Getting started with GitHub Actions](https://docs.github.com/en/actions). - [Joining the beta program](https://resources.github.com/beta-signup/).
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/includes/add-network-segment-steps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/includes/add-network-segment-steps.md
@@ -13,7 +13,7 @@ Last updated 11/09/2020
1. Select **Add Segment** and enter a name for the segment.
-1. Select the Tier1 Gateway (TNTxx-T1) as the **Connected Gateway** and leave the **Type** as Flexible.
+1. Select the Tier-1 Gateway (TNTxx-T1) as the **Connected Gateway** and leave the **Type** as Flexible.
1. Select the pre-configured overlay **Transport Zone** (TNTxx-OVERLAY-TZ) and then select **Set Subnets**.
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/protect-azure-vmware-solution-with-application-gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/protect-azure-vmware-solution-with-application-gateway.md
@@ -30,7 +30,7 @@ The diagram shows the testing scenario used to validate the Application Gateway
:::image type="content" source="media/hub-spoke/azure-vmware-solution-second-level-traffic-segmentation.png" alt-text="Diagram showing the testing scenario used to validate the Application Gateway with Azure VMware Solution web applications." border="false":::
-The Application Gateway instance is deployed on the hub in a dedicated subnet. It has an Azure public IP address. Activating Standard DDoS protection for the virtual network is recommended. The web server is hosted on an Azure VMware Solution private cloud behind NSX T0 and T1 routers. Azure VMware Solution uses [ExpressRoute Global Reach](../expressroute/expressroute-global-reach.md) to enable communication with the hub and on-premises systems.
+The Application Gateway instance is deployed on the hub in a dedicated subnet. It has an Azure public IP address. Activating Standard DDoS protection for the virtual network is recommended. The web server is hosted on an Azure VMware Solution private cloud behind NSX T0 and T1 Gateways. Azure VMware Solution uses [ExpressRoute Global Reach](../expressroute/expressroute-global-reach.md) to enable communication with the hub and on-premises systems.
## Prerequisites
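Review bot: The renamed phrase "behind NSX T0 and T1 Gateways" uses "NSX" where the rest of this batch uses "NSX-T", and uses the T0/T1 abbreviations without the "Tier-0 (T0)" and "Tier-1 (T1)" expansion introduced in concepts-identity.md. Suggest "behind NSX-T Tier-0 (T0) and Tier-1 (T1) Gateways" for consistency.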
backup https://docs.microsoft.com/en-us/azure/backup/azure-file-share-support-matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/azure-file-share-support-matrix.md
@@ -10,6 +10,9 @@
You can use the [Azure Backup service](./backup-overview.md) to back up Azure file shares. This article summarizes support settings when you back up Azure file shares with Azure Backup.
+> [!NOTE]
+> Azure Backup currently doesn't support NFS shares.
+ ## Supported regions ### GA regions for Azure file shares backup
bastion https://docs.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/bastion/bastion-connect-vm-ssh.md
@@ -6,7 +6,7 @@
Previously updated : 02/24/2020 Last updated : 02/12/2021 # Customer intent: As someone with a networking background, I want to connect to an Azure virtual machine running Linux that doesn't have a public IP address by using Azure Bastion.
@@ -47,37 +47,55 @@ In order to connect to the Linux VM via SSH, you must have the following ports o
1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.
- ![Screenshot shows the overview for a virtual machine in Azure portal with Connect selected.](./media/bastion-connect-vm-ssh/connect.png)
-1. After you click Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./tutorial-create-host-portal.md).
+ :::image type="content" source="./media/bastion-connect-vm-ssh/connect.png" alt-text="Screenshot shows the overview for a virtual machine in Azure portal with Connect selected":::
+1. After you select Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./tutorial-create-host-portal.md).
- ![Screenshot shows the Connect to virtual machine dialog box with BASTION selected.](./media/bastion-connect-vm-ssh/bastion.png)
+ :::image type="content" source="./media/bastion-connect-vm-ssh/bastion.png" alt-text="Screenshot shows the Connect to virtual machine dialog box with BASTION selected":::
1. Enter the username and password for SSH to your virtual machine.
-1. Click **Connect** button after entering the key.
+1. Select **Connect** button after entering the key.
## <a name="privatekey"></a>Connect: Manually enter a private key 1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.
- ![Screenshot shows the overview for a virtual machine in Azure portal with Connect selected.](./media/bastion-connect-vm-ssh/connect.png)
-1. After you click Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./tutorial-create-host-portal.md).
+ :::image type="content" source="./media/bastion-connect-vm-ssh/connect.png" alt-text="Screenshot shows the overview for a virtual machine in Azure portal with Connect selected":::
+1. After you select Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./tutorial-create-host-portal.md).
- ![Screenshot shows the Connect to virtual machine dialog box with BASTION selected.](./media/bastion-connect-vm-ssh/bastion.png)
+ :::image type="content" source="./media/bastion-connect-vm-ssh/bastion.png" alt-text="Connect to virtual machine dialog box with BASTION selected.":::
1. Enter the username and select **SSH Private Key**. 1. Enter your private key into the text area **SSH Private Key** (or paste it directly).
-1. Click **Connect** button after entering the key.
+1. Select **Connect** button after entering the key.
## <a name="ssh"></a>Connect: Using a private key file 1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.
- ![Screenshot shows the overview for a virtual machine in Azure portal with Connect selected.](./media/bastion-connect-vm-ssh/connect.png)
-1. After you click Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./tutorial-create-host-portal.md).
+ :::image type="content" source="./media/bastion-connect-vm-ssh/connect.png" alt-text="Connect selected":::
+1. After you select Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./tutorial-create-host-portal.md).
- ![Screenshot shows the Connect to virtual machine dialog box with BASTION selected.](./media/bastion-connect-vm-ssh/bastion.png)
+ :::image type="content" source="./media/bastion-connect-vm-ssh/bastion.png" alt-text="BASTION selected.":::
1. Enter the username and select **SSH Private Key from Local File**.
-1. Click the **Browse** button (the folder icon in the local file).
-1. Browse for the file, then click **Open**.
-1. Click **Connect** to connect to the VM. Once you click Connect, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.
+1. Select the **Browse** button (the folder icon in the local file).
+1. Browse for the file, then select **Open**.
+1. Select **Connect** to connect to the VM. Once you click Connect, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.
+
+## <a name="akv"></a>Connect: Using a private key stored in Azure Key Vault
+
+The portal update for this feature is currently rolling out to regions.
+
+1. Open the [Azure portal](https://portal.azure.com). Navigate to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.
+1. After you select Bastion, a side bar appears that has three tabs ΓÇô RDP, SSH, and Bastion. If Bastion was provisioned for the virtual network, the Bastion tab is active by default. If you didn't provision Bastion for the virtual network, see [Configure Bastion](bastion-create-host-portal.md).
+
+ :::image type="content" source="./media/bastion-connect-vm-ssh/bastion.png" alt-text="Bastion tab":::
+1. Enter the username and select **SSH Private Key from Azure Key Vault**.
+1. Select the **Azure Key Vault** dropdown and select the resource in which you stored your SSH private key. If you didnΓÇÖt set up an Azure Key Vault resource, see [Create a key vault](../key-vault/general/quick-create-portal.md) and store your SSH private key as the value of a new Key Vault secret.
+
+ :::image type="content" source="./media/bastion-connect-vm-ssh/key-vault.png" alt-text="Azure Key Vault":::
+
+Make sure you have **List** and **Get** access to the secrets stored in the Key Vault resource. To assign and modify access policies for your Key Vault resource, see [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-portal.md).
+
+1. Select the **Azure Key Vault Secret** dropdown and select the Key Vault secret containing the value of your SSH private key.
+1. Select **Connect** to connect to the VM. Once you click Connect, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.
## Next steps
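Review bot: In the new "Connect: Using a private key stored in Azure Key Vault" section, the paragraph "Make sure you have **List** and **Get** access..." is unindented and sits between numbered steps, so the list restarts at 1 for the last two steps; indent it under the Key Vault step or move it ahead of the procedure as a prerequisite. The same section links to `bastion-create-host-portal.md` while the three sections above it link to `./tutorial-create-host-portal.md`; use one target throughout. In the username and password procedure, "Select **Connect** button after entering the key" still refers to a key and is missing "the", and the final steps keep "Once you click Connect" although the rest of the change moves to "select".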
bastion https://docs.microsoft.com/en-us/azure/bastion/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/bastion/security-baseline.md
@@ -4,7 +4,7 @@ description: The Azure Bastion security baseline provides procedural guidance an
Previously updated : 11/20/2020 Last updated : 02/12/2021
@@ -67,7 +67,11 @@ Connectivity to Gateway Manager and Azure service tag is protected (locked down)
**Guidance**: Azure Bastion is integrated with Azure Active Directory (Azure AD) which is Azure's default identity and access management service. Users can access the Azure portal using Azure AD authentication to manage Azure Bastion service (create, update, and delete Bastion resources).
-Connecting to virtual machines using Azure Bastion relies on either an SSH key or username/password, and currently does not support the use of Azure AD credentials.
+Connecting to virtual machines using Azure Bastion relies on either an SSH key or username/password, and currently does not support the use of Azure AD credentials.
+
+You can store your SSH keys as Azure Key Vault secrets and use these secrets to connect to your virtual machines using Azure Bastion. You can control user access to these secrets by [assigning Key Vault access policies](../key-vault/general/assign-access-policy-portal.md) either on individual users or Azure AD groups. Your users will need the following permissions to use this method to connect to a virtual machine:
+- **Get** access to the secrets stored in the chosen Azure Key Vault
+- **List** access to the secrets stored in the chosen Azure Key Vault
In addition to an SSH key or username/password, when connecting to virtual machines using Azure Bastion your user will need the following role assignments: - Reader role on the target virtual machine
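Review bot: The added Key Vault paragraph asks for **Get** and **List** on "the secrets stored in the chosen Azure Key Vault", which as worded covers every secret in that vault and not only the SSH keys; the guidance should say so and recommend a vault that holds only the SSH keys intended for Bastion, with the access policy assigned to an Azure AD group where possible. The removed and added "Connecting to virtual machines using Azure Bastion relies on..." lines also read identically, so that pair looks like a whitespace-only change that could be dropped.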
@@ -104,7 +108,8 @@ For more information, see the following references:
### IM-4: Use strong authentication controls for all Azure Active Directory based access
-**Guidance**: Azure Bastion is integrated with Azure Active Directory (Azure AD) for access and management of the service. Configure Azure Multi-Factor Authentication for your Azure AD tenant. Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.
+**Guidance**: Azure Bastion is integrated with Azure Active Directory (Azure AD) for access and management of the service. Configure Azure Active Directory Multi-Factor Authentication for your Azure AD tenant. Azure AD supports strong authentication controls through multi-factor authentication (MFA) and strong passwordless methods.
+
- Multi-factor authentication: Enable Azure AD MFA and follow Azure Security Center identity and access management recommendations for your MFA setup. MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. - Passwordless authentication: Three passwordless authentication options are available: Windows Hello for Business, Microsoft Authenticator app, and on-premises authentication methods such as smart cards.
@@ -373,7 +378,7 @@ Enable and collect network security group (NSG) resource logs and NSG flow logs
- [Understand logging and different log types in Azure](../azure-monitor/platform/platform-logs-overview.md) -- [Enable Azure resource logs for Azure Bastion ](diagnostic-logs.md)
+- [Enable Azure resource logs for Azure Bastion](diagnostic-logs.md)
**Azure Security Center monitoring**: Not applicable
batch https://docs.microsoft.com/en-us/azure/batch/batch-account-create-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-account-create-portal.md
@@ -64,6 +64,9 @@ To view the [resource quotas](batch-quota-limit.md) that apply to the Batch acco
If you choose to create a Batch account in user subscription mode, perform the following additional steps before creating the account.
+> [!IMPORTANT]
+> The user creating the Batch account in user subscription mode needs to have Contributor or Owner role assignment for the subscription in which the Batch account will be created.
+ ### Allow Azure Batch to access the subscription (one-time operation) When creating your first Batch account in user subscription mode, you need to register your subscription with Batch. (If you already did this, skip to the next section.)
batch https://docs.microsoft.com/en-us/azure/batch/batch-rendering-applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-rendering-applications.md
@@ -1,7 +1,7 @@
Title: Rendering applications description: It's possible to use any rendering applications with Azure Batch. However, Azure Marketplace VM images are available with common applications pre-installed. Previously updated : 02/01/2021 Last updated : 02/12/2021
@@ -13,20 +13,15 @@ Where applicable, pay-per-use licensing is available for the pre-installed rende
Some applications only support Windows, but most are supported on both Windows and Linux.
-## Applications on CentOS 7 rendering image
+## Applications on latest CentOS 7 rendering image
-The following list applies to CentOS 7.6, version 1.1.6 rendering images.
+The following list applies to the CentOS rendering image, version 1.1.7.
-* Autodesk Maya I/O 2017 Update 5 (cut 201708032230)
-* Autodesk Maya I/O 2018 Update 2 (cut 201711281015)
-* Autodesk Maya I/O 2019 Update 1
-* Autodesk Arnold for Maya 2017 (Arnold version 5.3.1.1) MtoA-3.2.1.1-2017
-* Autodesk Arnold for Maya 2018 (Arnold version 5.3.1.1) MtoA-3.2.1.1-2018
-* Autodesk Arnold for Maya 2019 (Arnold version 5.3.1.1) MtoA-3.2.1.1-2019
-* Chaos Group V-Ray for Maya 2017 (version 3.60.04)
-* Chaos Group V-Ray for Maya 2018 (version 3.60.04)
-* Blender (2.68)
-* Blender (2.8)
+* Autodesk Maya I/O 2020 Update 4.6
+* Autodesk Arnold for Maya 2020 (Arnold version 6.2.0.0) MtoA-4.2.0-2020
+* Chaos Group V-Ray for Maya 2020 (version 5.00.21)
+* Blender (2.80)
+* AZ 10
## Applications on latest Windows Server rendering image
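Review bot: The new list entry `* AZ 10` does not identify a product the way the other entries do (vendor, product name, version); spell out the full name and version. The intro sentence also drops the OS release that the old text carried ("CentOS 7.6, version 1.1.6" versus "the CentOS rendering image, version 1.1.7") while the heading still says CentOS 7, so state the exact CentOS release the 1.1.7 image is built on.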
@@ -92,6 +87,21 @@ The following list applies to Windows Server 2016, version 1.3.7 rendering image
> [!NOTE] > Chaos Group V-Ray for 3ds Max 2019 (version 4.10.01) introduces breaking changes to V-ray. To use the previous version (version 3.60.02), use Windows Server 2016, version 1.3.2 rendering nodes.
+## Applications on previous CentOS rendering images
+
+The following list applies to CentOS 7.6, version 1.1.6 rendering images.
+
+* Autodesk Maya I/O 2017 Update 5 (cut 201708032230)
+* Autodesk Maya I/O 2018 Update 2 (cut 201711281015)
+* Autodesk Maya I/O 2019 Update 1
+* Autodesk Arnold for Maya 2017 (Arnold version 5.3.1.1) MtoA-3.2.1.1-2017
+* Autodesk Arnold for Maya 2018 (Arnold version 5.3.1.1) MtoA-3.2.1.1-2018
+* Autodesk Arnold for Maya 2019 (Arnold version 5.3.1.1) MtoA-3.2.1.1-2019
+* Chaos Group V-Ray for Maya 2017 (version 3.60.04)
+* Chaos Group V-Ray for Maya 2018 (version 3.60.04)
+* Blender (2.68)
+* Blender (2.8)
+ ## Next steps To use the rendering VM images, they need to be specified in the pool configuration when a pool is created; see the [Batch pool capabilities for rendering](./batch-rendering-functionality.md).
cdn https://docs.microsoft.com/en-us/azure/cdn/cdn-features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-features.md
@@ -53,7 +53,7 @@ The following table compares the features available with each product.
| [Token authentication](cdn-token-auth.md) | | | |**&#x2713;**| | [DDOS protection](https://www.us-cert.gov/ncas/tips/ST04-015) | **&#x2713;** |**&#x2713;** |**&#x2713;** |**&#x2713;** | | [Bring your own certificate](cdn-custom-ssl.md?tabs=option-2-enable-https-with-your-own-certificate#tlsssl-certificates) |**&#x2713;** | | **&#x2713;** | **&#x2713;** |
-| Supported TLS Versions | TLS 1.2, TLS 1.0/1.1 - [Configurable](/rest/api/cdn/customdomains/enablecustomhttps#usermanagedhttpsparameters) | TLS 1.2 | TLS 1.2 | TLS 1.2 |
+| Supported TLS Versions | TLS 1.2, TLS 1.0/1.1 - [Configurable](/rest/api/cdn/cdn/customdomains/enablecustomhttps#usermanagedhttpsparameters) | TLS 1.2 | TLS 1.2 | TLS 1.2 |
|||| | **Analytics and reporting** | **Standard Microsoft** | **Standard Akamai** | **Standard Verizon** | **Premium Verizon** | | [Azure diagnostic logs](cdn-azure-diagnostic-logs.md) | **&#x2713;** | **&#x2713;** |**&#x2713;** |**&#x2713;** |
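Review bot: The updated link path `/rest/api/cdn/cdn/customdomains/enablecustomhttps` repeats the `cdn` segment, which reads like a typo. The same doubling appears in the cdn-pop-list-api and cdn-purge-endpoint changes, so it is probably deliberate; please confirm that all three targets resolve, including the `#usermanagedhttpsparameters` anchor.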
cdn https://docs.microsoft.com/en-us/azure/cdn/cdn-pop-list-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-pop-list-api.md
@@ -24,7 +24,7 @@
You can use the REST API to retrieve the set of IPs for VerizonΓÇÖs point of presence (POP) servers. These POP servers make requests to origin servers that are associated with Azure Content Delivery Network (CDN) endpoints on a Verizon profile (**Azure CDN Standard from Verizon** or **Azure CDN Premium from Verizon**). Note that this set of IPs is different from the IPs that a client would see when making requests to the POPs.
-For the syntax of the REST API operation for retrieving the POP list, see [Edge Nodes - List](/rest/api/cdn/edgenodes/list).
+For the syntax of the REST API operation for retrieving the POP list, see [Edge Nodes - List](/rest/api/cdn/cdn/edgenodes/list).
## Retrieve the current Microsoft POP IP list for Azure CDN
cdn https://docs.microsoft.com/en-us/azure/cdn/cdn-purge-endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cdn/cdn-purge-endpoint.md
@@ -71,5 +71,5 @@ This tutorial walks you through purging assets from all edge nodes of an endpoin
## See also * [Pre-load assets on an Azure CDN endpoint](cdn-preload-endpoint.md)
-* [Azure CDN REST API reference - Purge or Pre-Load an Endpoint](/rest/api/cdn/endpoints)
+* [Azure CDN REST API reference - Purge or Pre-Load an Endpoint](/rest/api/cdn/cdn/endpoints)
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Computer-vision/computer-vision-how-to-install-containers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/computer-vision-how-to-install-containers.md
@@ -36,7 +36,7 @@ The Read 3.2-preview OCR container provides:
* Confidence scores. * Support for documents with both print and handwritten text. * Ability to extract text from only selected page(s) in a document.
-* Choose text line output order from default to a more natural reading order.
+* Choose text line output order from default to a more natural reading order for Latin languages only.
* Text line classification as handwritten style or not for Latin languages only. If you're using Read 2.0 containers today, see the [migration guide](read-container-migration-guide.md) to learn about changes in the new versions.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Computer-vision/concept-recognizing-text https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/concept-recognizing-text.md
@@ -128,13 +128,13 @@ See the following example of a successful JSON response:
} ```
-## Natural reading order output
-With the [Read 3.2 preview API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2-preview-2/operations/5d986960601faab4bf452005), specify the order in which the text lines are output with the `readingOrder` query parameter. Use `natural` for a more human-friendly reading order output as shown in the following example.
+## Natural reading order output (Latin only)
+With the [Read 3.2 preview API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2-preview-2/operations/5d986960601faab4bf452005), specify the order in which the text lines are output with the `readingOrder` query parameter. Use `natural` for a more human-friendly reading order output as shown in the following example. This feature is only supported for Latin languages.
:::image border type="content" source="./Images/ocr-reading-order-example.png" alt-text="OCR Reading order example"::: ## Handwritten classification for text lines (Latin only)
-The [Read 3.2 preview API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2-preview-2/operations/5d986960601faab4bf452005) response includes classifying whether each text line is of handwriting style or not, along with a confidence score. This feature is supported only for Latin languages. The following example shows the handwritten classification for the text in the image.
+The [Read 3.2 preview API](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2-preview-2/operations/5d986960601faab4bf452005) response includes classifying whether each text line is of handwriting style or not, along with a confidence score. This feature is only supported for Latin languages. The following example shows the handwritten classification for the text in the image.
:::image border type="content" source="./Images/ocr-handwriting-classification.png" alt-text="OCR handwriting classification example":::
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Computer-vision/whats-new https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/whats-new.md
@@ -21,7 +21,7 @@ Learn what's new in the service. These items may be release notes, videos, blog
### Read API v3.2 Public Preview with OCR support for 73 languages Computer Vision's Read API v3.2 public preview, available as cloud service and Docker container, includes these updates: * [OCR for 73 languages](./language-support.md#optical-character-recognition-ocr) including Simplified and Traditional Chinese, Japanese, Korean, and Latin languages.
-* Natural reading order for the text line output.
+* Natural reading order for the text line output (Latin languages only)
* Handwriting style classification for text lines along with a confidence score (Latin languages only). * Extract text only for selected pages for a multi-page document. * Available as a [Distroless container](./computer-vision-how-to-install-containers.md?tabs=version-3-2) for on-premise deployment.
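Review bot: The changed bullet "Natural reading order for the text line output (Latin languages only)" has no closing period, while the neighbouring bullets end with one; add it for consistency.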
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/QnAMaker/Concepts/role-based-access-control https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/Concepts/role-based-access-control.md
@@ -19,6 +19,9 @@ This Azure RBAC feature includes:
* Azure Active Directory (AAD) is 100% backward compatible with key-based authentication for owners and contributors. Customers can use either key-based authentication or Azure RBAC-based authentication in their requests. * Quickly add authors and editors to all knowledge bases in the resource because control is at the resource level, not at the knowledge base level.
+> [!NOTE]
+> When you ar Make sure to add a custom subdomain for the resource. [Custom Subdomain](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-custom-subdomains) should be present by default, but if not, please add it
+ ## Access is provided by a defined role [!INCLUDE [Azure RBAC permissions table](../includes/role-based-access-control.md)]
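Review bot: The added note begins with a broken fragment, "When you ar Make sure to add a custom subdomain...", so the condition under which the subdomain is required is lost; complete or remove the "When you ar" clause. The link uses an absolute `https://docs.microsoft.com/azure/...` URL where the include directly below it uses a relative path, and the last sentence has no closing period.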
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/custom-speech-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/custom-speech-overview.md
@@ -8,9 +8,9 @@
Previously updated : 11/11/2020 Last updated : 02/12/2021 -+ # What is Custom Speech?
@@ -21,25 +21,26 @@
Before you can do anything with Custom Speech, you'll need an Azure account and a Speech service subscription. After you have an account, you can prep your data, train and test your models, inspect recognition quality, evaluate accuracy, and ultimately deploy and use the custom speech-to-text model.
-This diagram highlights the pieces that make up the [Custom Speech portal](https://aka.ms/customspeech). Use the links below to learn more about each step.
+This diagram highlights the pieces that make up the [Custom Speech area of the Speech Studio](https://aka.ms/customspeech). Use the links below to learn more about each step.
-![Diagram that highlights the components that make up the Custom Speech portal.](./media/custom-speech/custom-speech-overview.png)
+![Diagram that highlights the components that make up the Custom Speech area of the Speech Studio.](./media/custom-speech/custom-speech-overview.png)
-1. [Subscribe and create a project](#set-up-your-azure-account). Create an Azure account and subscribe to the Speech service. This unified subscription gives you access to speech-to-text, text-to-speech, speech translation, and the [Custom Speech portal](https://speech.microsoft.com/customspeech). Then use your Speech service subscription to create your first Custom Speech project.
+1. [Subscribe and create a project](#set-up-your-azure-account). Create an Azure account and subscribe to the Speech service. This unified subscription gives you access to speech-to-text, text-to-speech, speech translation, and the [Speech Studio](https://speech.microsoft.com/customspeech). Then use your Speech service subscription to create your first Custom Speech project.
1. [Upload test data](./how-to-custom-speech-test-and-train.md). Upload test data (audio files) to evaluate the Microsoft speech-to-text offering for your applications, tools, and products.
-1. [Inspect recognition quality](how-to-custom-speech-inspect-data.md). Use the [Custom Speech portal](https://speech.microsoft.com/customspeech) to play back uploaded audio and inspect the speech recognition quality of your test data. For quantitative measurements, see [Inspect data](how-to-custom-speech-inspect-data.md).
+1. [Inspect recognition quality](how-to-custom-speech-inspect-data.md). Use the [Speech Studio](https://speech.microsoft.com/customspeech) to play back uploaded audio and inspect the speech recognition quality of your test data. For quantitative measurements, see [Inspect data](how-to-custom-speech-inspect-data.md).
-1. [Evaluate and improve accuracy](how-to-custom-speech-evaluate-data.md). Evaluate and improve the accuracy of the speech-to-text model. The [Custom Speech portal](https://speech.microsoft.com/customspeech) will provide a *Word Error Rate*, which you can use to determine if additional training is required. If you're satisfied with the accuracy, you can use the Speech service APIs directly. If you want to improve accuracy by a relative average of 5% to 20%, use the **Training** tab in the portal to upload additional training data, like human-labeled transcripts and related text.
+1. [Evaluate and improve accuracy](how-to-custom-speech-evaluate-data.md). Evaluate and improve the accuracy of the speech-to-text model. The [Speech Studio](https://speech.microsoft.com/customspeech) will provide a *Word Error Rate*, which you can use to determine if additional training is required. If you're satisfied with the accuracy, you can use the Speech service APIs directly. If you want to improve accuracy by a relative average of 5% to 20%, use the **Training** tab in the portal to upload additional training data, like human-labeled transcripts and related text.
1. [Train and deploy a model](how-to-custom-speech-train-model.md). Improve the accuracy of your speech-to-text model by providing written transcripts (10 to 1,000 hours) and related text (<200 MB) along with your audio test data. This data helps to train the speech-to-text model. After training, retest. If you're satisfied with the result, you can deploy your model to a custom endpoint. ## Set up your Azure account
-You need to have an Azure account and Speech service subscription before you can use the [Custom Speech portal](https://speech.microsoft.com/customspeech) to create a custom model. If you don't have an account and subscription, [try the Speech service for free](overview.md#try-the-speech-service-for-free).
+You need to have an Azure account and Speech service subscription before you can use the [Speech Studio](https://speech.microsoft.com/customspeech) to create a custom model. If you don't have an account and subscription, [try the Speech service for free](overview.md#try-the-speech-service-for-free).
-If you plan to train a custom model with audio data, pick one of the following regions that have dedicated hardware available for training. This will reduce the time it takes to train a model.
+> [!NOTE]
+> If you plan to train a custom model with **audio data**, pick one of the following regions that have dedicated hardware available for training. This will reduce the time it takes to train a model.
* Australia East * Canada Central
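Review bot: Wrapping the region guidance in `> [!NOTE]` leaves the region list ("* Australia East", "* Canada Central", ...) outside the note, so "pick one of the following regions" now points out of the callout; either prefix the list items with `>` as well or keep the sentence as a normal paragraph. Step 4 in the same hunk still says "use the **Training** tab in the portal" after the rename to Speech Studio.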
@@ -59,20 +60,20 @@ If you plan to train a custom model with audio data, pick one of the following r
> [!NOTE] > Please be sure to create a standard (S0) subscription. Free (F0) subscriptions aren't supported.
-After you create an Azure account and a Speech service subscription, you'll need to sign in to the [Custom Speech portal](https://speech.microsoft.com/customspeech) and connect your subscription.
+After you create an Azure account and a Speech service subscription, you'll need to sign in to the [Speech Studio](https://speech.microsoft.com/customspeech) and connect your subscription.
-1. Sign in to the [Custom Speech portal](https://aka.ms/custom-speech).
+1. Sign in to the [Speech Studio](https://aka.ms/custom-speech).
1. Select the subscription you need to work in and create a speech project. 1. If you want to modify your subscription, select the cog button in the top menu. ## How to create a project
-Content like data, models, tests, and endpoints are organized into *projects* in the [Custom Speech portal](https://speech.microsoft.com/customspeech). Each project is specific to a domain and country/language. For example, you might create a project for call centers that use English in the United States.
+Content like data, models, tests, and endpoints are organized into *projects* in the [Speech Studio](https://speech.microsoft.com/customspeech). Each project is specific to a domain and country/language. For example, you might create a project for call centers that use English in the United States.
To create your first project, select **Speech-to-text/Custom speech**, and then select **New Project**. Follow the instructions provided by the wizard to create your project. After you create a project, you should see four tabs: **Data**, **Testing**, **Training**, and **Deployment**. Use the links provided in [Next steps](#next-steps) to learn how to use each tab. > [!IMPORTANT]
-> The [Custom Speech portal](https://aka.ms/custom-speech) was recently updated! If you created previous data, models, tests, and published endpoints in the CRIS.ai portal or with APIs, you need to create a new project in the new portal to connect to these old entities.
+> The [Speech Studio](https://aka.ms/custom-speech) formerly known as "Custom Speech portal" was recently updated! If you created previous data, models, tests, and published endpoints in the CRIS.ai portal or with APIs, you need to create a new project in the new portal to connect to these old entities.
## Model lifecycle
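Review bot: In the `[!IMPORTANT]` note, "The [Speech Studio](https://aka.ms/custom-speech) formerly known as "Custom Speech portal" was recently updated!" needs commas around the "formerly known as" clause, and the next sentence still says "in the new portal". This hunk also leaves two different URLs for the same sign-in destination (`https://speech.microsoft.com/customspeech` and `https://aka.ms/custom-speech`); pick one.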
@@ -101,7 +102,7 @@ As new models and new functionality become available and older, less accurate mo
* Decoding: Available for two years after the model is created. So you can use the custom model for two years (batch/realtime/testing) after it's created. After two years, *you should retrain your model* because the base model will usually have been deprecated for adaptation. * Endpoints: Available on the same timeline as decoding.
-When either a base model or custom model expires, it will always fall back to the *newest base model version*. So your implementation will never break, but it might become less accurate for *your specific data* if custom models reach expiration. You can see the expiration for a model in the following places in the Custom Speech portal:
+When either a base model or custom model expires, it will always fall back to the *newest base model version*. So your implementation will never break, but it might become less accurate for *your specific data* if custom models reach expiration. You can see the expiration for a model in the following places in the Custom Speech area of the Speech Studio:
* Model training summary * Model training detail
@@ -110,11 +111,11 @@ When either a base model or custom model expires, it will always fall back to th
You can also check the expiration dates via the [`GetModel`](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetModel) and [`GetBaseModel`](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetBaseModel) custom speech APIs under the `deprecationDates` property in the JSON response.
-Note that you can upgrade the model on a custom speech endpoint without downtime by changing the model used by the endpoint in the deployment section of the custom speech portal, or via the custom speech API.
+Note that you can upgrade the model on a custom speech endpoint without downtime by changing the model used by the endpoint in the deployment section of the Speech Studio, or via the custom speech API.
## Next steps * [Prepare and test your data](./how-to-custom-speech-test-and-train.md) * [Inspect your data](how-to-custom-speech-inspect-data.md) * [Evaluate and improve model accuracy](how-to-custom-speech-evaluate-data.md)
-* [Train and deploy a model](how-to-custom-speech-train-model.md)
+* [Train and deploy a model](how-to-custom-speech-train-model.md)
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/how-to-audio-content-creation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-audio-content-creation.md
@@ -120,7 +120,7 @@ After you've reviewed your audio output and are satisfied with your tuning and a
## How to add/remove Audio Content Creation users?
-If more than one user wants to use Audio Content Creation, you can either share your Azure account and password with the user, or grant user access to the Azure subscription and the speech resource. If you add a user to an Azure subscription, the user can access all the resources under the Azure subscription. But if you only add a user to a speech resource, the user will only have access to the speech resource, and cannot access other resources under this Azure subscription. A user with access to the speech resource can use Audio Content Creation.
+If more than one user wants to use Audio Content Creation, you can grant user access to the Azure subscription and the speech resource. If you add a user to an Azure subscription, the user can access all the resources under the Azure subscription. But if you only add a user to a speech resource, the user will only have access to the speech resource, and cannot access other resources under this Azure subscription. A user with access to the speech resource can use Audio Content Creation.
### Add users to a speech resource
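Review bot: In the replacement paragraph, subscription-level access is still presented first and on equal footing with resource-level access, even though the same paragraph says a subscription member "can access all the resources under the Azure subscription". Dropping the advice to share an account and password is the right call. Consider going one step further and stating that adding the user to the speech resource only is the recommended option, with subscription access reserved for users who need the other resources as well.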
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/how-to-custom-speech-evaluate-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-evaluate-data.md
@@ -8,7 +8,7 @@
Previously updated : 11/11/2020 Last updated : 02/12/2021
@@ -111,11 +111,16 @@ Consider these details:
* When the quality of transcripts vary, you can duplicate exceptionally good sentences (like excellent transcriptions that include key phrases) to increase their weight. * The Speech service will automatically use the transcripts to improve the recognition of domain-specific words and phrases, as if they were added as related text. * Training with audio will bring the most benefits if the audio is also hard to understand for humans. In most cases, you should start training by just using related text.
-* It can take several days for a training operation to complete. To improve the speed of training, make sure to create your Speech service subscription in a [region with dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+* It can take several days for a training operation to complete. To improve the speed of training, make sure to create your Speech service subscription in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
> [!NOTE] > Not all base models support training with audio. If a base model does not support it, the Speech service will only use the text from the transcripts and ignore the audio. See [Language support](language-support.md#speech-to-text) for a list of base models that support training with audio data.
+> [!NOTE]
+> In cases when you change the base model used for training, and you have audio in the training dataset, *always* check whether the new selected base model [supports training with audio data](language-support.md#speech-to-text). If the previously used base model did not support training with audio data, and the training dataset contains audio, training time with the new base model will **drastically** increase, and may easily go from several hours to several days and more. This is especially true if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+>
+> If you face the issue described in the paragraph above, you can quickly decrease the training time by reducing the amount of audio in the dataset or removing it completely and leaving only the text. The latter option is highly recommended if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+ ### Add new words with pronunciation Words that are made-up or highly specialized may have unique pronunciations. These words can be recognized if the word can be broken down into smaller words to pronounce it. For example, to recognize **Xbox**, pronounce as **X box**. This approach will not increase overall accuracy, but can increase recognition of these keywords.
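Review bot: The two-paragraph note added here appears verbatim in the other Custom Speech articles changed on this page (human-labeled transcriptions, test-and-train, train-model), so four copies will have to be kept in sync. Consider moving it to a shared include file and referencing it from each article. Wording in the first sentence: "the new selected base model" should read "the newly selected base model". "Several days and more" is also open-ended, so an upper bound or a link to expected training times would help readers plan.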
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/how-to-custom-speech-human-labeled-transcriptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-human-labeled-transcriptions.md
@@ -9,7 +9,7 @@
Previously updated : 09/06/2019 Last updated : 02/12/2021
@@ -22,6 +22,11 @@ A large sample of transcription data is required to improve recognition, we sugg
> [!NOTE] > Not all base models support customization with audio files. If a base model does not support it, training will just use the text of the transcriptions in the same way as related text is used. See [Language support](language-support.md#speech-to-text) for a list of base models that support training with audio data.
+> [!NOTE]
+> In cases when you change the base model used for training, and you have audio in the training dataset, *always* check whether the new selected base model [supports training with audio data](language-support.md#speech-to-text). If the previously used base model did not support training with audio data, and the training dataset contains audio, training time with the new base model will **drastically** increase, and may easily go from several hours to several days and more. This is especially true if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+>
+> If you face the issue described in the paragraph above, you can quickly decrease the training time by reducing the amount of audio in the dataset or removing it completely and leaving only the text. The latter option is highly recommended if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+ ## US English (en-US) Human-labeled transcriptions for English audio must be provided as plain text, only using ASCII characters. Avoid the use of Latin-1 or Unicode punctuation characters. These characters are often inadvertently added when copying text from a word-processing application or scraping data from web pages. If these characters are present, make sure to update them with the appropriate ASCII substitution.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/how-to-custom-speech-inspect-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-inspect-data.md
@@ -8,7 +8,7 @@
Previously updated : 09/23/2020 Last updated : 02/12/2021
@@ -17,7 +17,7 @@
> [!NOTE] > This page assumes you've read [Prepare test data for Custom Speech](./how-to-custom-speech-test-and-train.md) and have uploaded a dataset for inspection.
-Custom Speech provides tools that allow you to visually inspect the recognition quality of a model by comparing audio data with the corresponding recognition result. From the [Custom Speech portal](https://speech.microsoft.com/customspeech), you can play back uploaded audio and determine if the provided recognition result is correct. This tool helps you inspect quality of Microsoft's baseline speech-to-text model, inspect a trained custom model, or compare transcription by two models.
+Custom Speech provides tools that allow you to visually inspect the recognition quality of a model by comparing audio data with the corresponding recognition result. From the [Speech Studio](https://speech.microsoft.com/customspeech), you can play back uploaded audio and determine if the provided recognition result is correct. This tool helps you inspect quality of Microsoft's baseline speech-to-text model, inspect a trained custom model, or compare transcription by two models.
In this document, you learn how to visually inspect the quality of Microsoft's baseline speech-to-text model, and/or custom models that you've trained . You also learn how to use the online transcription editor to create and refine labeled audio datasets.
@@ -25,7 +25,7 @@ In this document, you learn how to visually inspect the quality of Microsoft's b
Follow these instructions to create a test:
-1. Sign in to the [Custom Speech portal](https://speech.microsoft.com/customspeech).
+1. Sign in to the [Speech Studio](https://speech.microsoft.com/customspeech).
2. Navigate to **Speech-to-text > Custom Speech > [name of project] > Testing**. 3. Click **Add Test**. 4. Select **Inspect quality (Audio-only data)**. Give the test a name, description, and select your audio dataset.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/how-to-custom-speech-test-and-train https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-test-and-train.md
@@ -8,7 +8,7 @@
Previously updated : 03/27/2020 Last updated : 02/12/2021
@@ -52,9 +52,17 @@ Files should be grouped by type into a dataset and uploaded as a .zip file. Each
> [!TIP] > To quickly get started, consider using sample data. See this GitHub repository for <a href="https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/sampledata/customspeech" target="_target">sample Custom Speech data <span class="docon docon-navigate-external x-hidden-focus"></span></a>
+> [!NOTE]
+> Not all base models support training with audio. If a base model does not support it, the Speech service will only use the text from the transcripts and ignore the audio. See [Language support](language-support.md#speech-to-text) for a list of base models that support training with audio data.
+
+> [!NOTE]
+> In cases when you change the base model used for training, and you have audio in the training dataset, *always* check whether the new selected base model [supports training with audio data](language-support.md#speech-to-text). If the previously used base model did not support training with audio data, and the training dataset contains audio, training time with the new base model will **drastically** increase, and may easily go from several hours to several days and more. This is especially true if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+>
+> If you face the issue described in the paragraph above, you can quickly decrease the training time by reducing the amount of audio in the dataset or removing it completely and leaving only the text. The latter option is highly recommended if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+ ## Upload data
-To upload your data, navigate to the <a href="https://speech.microsoft.com/customspeech" target="_blank">Custom Speech portal <span class="docon docon-navigate-external x-hidden-focus"></span></a>. From the portal, click **Upload data** to launch the wizard and create your first dataset. You'll be asked to select a speech data type for your dataset, before allowing you to upload your data.
+To upload your data, navigate to the <a href="https://speech.microsoft.com/customspeech" target="_blank">Speech Studio <span class="docon docon-navigate-external x-hidden-focus"></span></a>. From the portal, click **Upload data** to launch the wizard and create your first dataset. You'll be asked to select a speech data type for your dataset, before allowing you to upload your data.
![Screenshot that highlights the Audio upload option from the Speech Portal.](./media/custom-speech/custom-speech-select-audio.png)
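Review bot: In the added "Upload data" line the link text now reads "Speech Studio", but the next sentence still says "From the portal, click **Upload data**", so the rename is only half applied within one paragraph. Suggest "From Speech Studio, click **Upload data**". The image alt text in the trailing context line ("Audio upload option from the Speech Portal") has the same leftover name.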
@@ -131,7 +139,7 @@ speech03.wav the lazy dog was not amused
The transcriptions are text-normalized so they can be processed by the system. However, there are some important normalizations that must be done before uploading the data to the Speech Studio. For the appropriate language to use when you prepare your transcriptions, see [How to create a human-labeled transcription](how-to-custom-speech-human-labeled-transcriptions.md)
-After you've gathered your audio files and corresponding transcriptions, package them as a single .zip file before uploading to the <a href="https://speech.microsoft.com/customspeech" target="_blank">Custom Speech portal <span class="docon docon-navigate-external x-hidden-focus"></span></a>. Below is an example dataset with three audio files and a human-labeled transcription file:
+After you've gathered your audio files and corresponding transcriptions, package them as a single .zip file before uploading to the <a href="https://speech.microsoft.com/customspeech" target="_blank">Speech Studio <span class="docon docon-navigate-external x-hidden-focus"></span></a>. Below is an example dataset with three audio files and a human-labeled transcription file:
> [!div class="mx-imgBorder"] > ![Select audio from the Speech Portal](./media/custom-speech/custom-speech-audio-transcript-pairs.png)
@@ -149,7 +157,7 @@ Product names or features that are unique, should include related text data for
| Sentences (utterances) | Improve accuracy when recognizing product names, or industry-specific vocabulary within the context of a sentence. | | Pronunciations | Improve pronunciation of uncommon terms, acronyms, or other words with undefined pronunciations. |
-Sentences can be provided as a single text file or multiple text files. To improve accuracy, use text data that is closer to the expected spoken utterances. Pronunciations should be provided as a single text file. Everything can be packaged as a single zip file and uploaded to the <a href="https://speech.microsoft.com/customspeech" target="_blank">Custom Speech portal <span class="docon docon-navigate-external x-hidden-focus"></span></a>.
+Sentences can be provided as a single text file or multiple text files. To improve accuracy, use text data that is closer to the expected spoken utterances. Pronunciations should be provided as a single text file. Everything can be packaged as a single zip file and uploaded to the <a href="https://speech.microsoft.com/customspeech" target="_blank">Speech Studio <span class="docon docon-navigate-external x-hidden-focus"></span></a>.
Training with related text usually completes within a few minutes.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/how-to-custom-speech-train-model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/how-to-custom-speech-train-model.md
@@ -8,7 +8,7 @@
Previously updated : 11/11/2020 Last updated : 02/12/2021
@@ -35,7 +35,19 @@ The first step to train a model is to upload training data. See [Prepare and tes
3. Select **Train model**. 4. Give your training a **Name** and **Description**. 5. In the **Scenario and Baseline model** list, select the scenario that best fits your domain. If you're not sure which scenario to choose, select **General**. The baseline model is the starting point for training. The latest model is usually the best choice.
-6. On the **Select training data** page, choose one or more related text datasets or audio + human-labeled transcription datasets that you want to use for training. When you train a new model, start with related text; training with audio + human-labeled transcription might take much longer (up to [several days](how-to-custom-speech-evaluate-data.md#improve-model-recognition)).
+6. On the **Select training data** page, choose one or more related text datasets or audio + human-labeled transcription datasets that you want to use for training.
+
+> [!NOTE]
+> When you train a new model, start with related text; training with audio + human-labeled transcription might take much longer **(up to [several days](how-to-custom-speech-evaluate-data.md#add-audio-with-human-labeled-transcripts)**).
+
+> [!NOTE]
+> Not all base models support training with audio. If a base model does not support it, the Speech service will only use the text from the transcripts and ignore the audio. See [Language support](language-support.md#speech-to-text) for a list of base models that support training with audio data.
+
+> [!NOTE]
+> In cases when you change the base model used for training, and you have audio in the training dataset, *always* check whether the new selected base model [supports training with audio data](language-support.md#speech-to-text). If the previously used base model did not support training with audio data, and the training dataset contains audio, training time with the new base model will **drastically** increase, and may easily go from several hours to several days and more. This is especially true if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+>
+> If you face the issue described in the paragraph above, you can quickly decrease the training time by reducing the amount of audio in the dataset or removing it completely and leaving only the text. The latter option is highly recommended if your Speech service subscription is **not** in a [region with the dedicated hardware](custom-speech-overview.md#set-up-your-azure-account) for training.
+ 7. After training is complete, you can do accuracy testing on the newly trained model. This step is optional. 8. Select **Create** to build your custom model.
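Review bot: In the first added note the bold span is unbalanced: `**(up to [several days](...)**).` opens before the parenthesis and closes before its closing parenthesis, so the ")" falls outside the emphasis. Bold only the link text, or drop the emphasis. The three `> [!NOTE]` blocks are also added at column 0 between steps 6 and 7, so they are not nested under step 6 and split the ordered list. Indent them to the list item's content level, as the `> [!div class="mx-imgBorder"]` blocks are in other articles on this page.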
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/includes/spx-setup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/includes/spx-setup.md
@@ -118,7 +118,7 @@ To use the `spx` command installed in a container, always enter the full command
For example, on Windows, this command sets your key: ```console
-docker run -it -v c:\spx-data:/data --rm msftspeech/spx config @key --set SUBSCRIPTION-KEY
+docker run -it -v c:\spx-data:/data --rm msftspeech/spx config --set @key SUBSCRIPTION-KEY
``` For more extended interaction with the command line tool, you can start a container with an interactive bash shell by adding an entrypoint parameter.
@@ -172,8 +172,8 @@ Get these credentials by following steps in [Try the Speech service for free](..
Once you have your subscription key and region identifier (ex. `eastus`, `westus`), run the following commands. ```console
-spx config @key --set SUBSCRIPTION-KEY
-spx config @region --set REGION
+spx config --set @key SUBSCRIPTION-KEY
+spx config --set @region REGION
``` Your subscription authentication is now stored for future SPX requests. If you need to remove either of these stored values, run `spx config @region --clear` or `spx config @key --clear`.
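Review bot: The `--set` examples were reordered to `spx config --set @key SUBSCRIPTION-KEY`, but the sentence right after the code block still shows the old argument order for clearing: `spx config @region --clear` and `spx config @key --clear`. Confirm which order the tool accepts for `--clear` and make the two forms consistent, otherwise readers will assume one of them is wrong. Since that sentence says the key is stored for future requests, a short pointer to where it is stored would help anyone who needs to rotate or remove it.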
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/quickstarts/speech-studio-test-model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/quickstarts/speech-studio-test-model.md
@@ -8,7 +8,7 @@
Previously updated : 09/04/2020 Last updated : 02/12/2021
@@ -18,7 +18,7 @@ In this how-to, you use Speech Studio to convert speech from an audio file to te
## Prerequisites
-Before you use Speech Portal, [follow these instructions to create an Azure account and subscribe to the Speech service](../custom-speech-overview.md#set-up-your-azure-account). This unified subscription gives you access to speech-to-text, text-to-speech, speech translation, and the Custom Speech portal.
+Before you use Speech Studio, [follow these instructions to create an Azure account and subscribe to the Speech service](../custom-speech-overview.md#set-up-your-azure-account). This unified subscription gives you access to speech-to-text, text-to-speech, speech translation, and the Speech Studio.
## Download an audio file
@@ -27,7 +27,7 @@ Follow these steps to download an audio file that contains speech and package it
1. Download the **[sample wav file from this link](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-speech-sdk/f9807b1079f3a85f07cbb6d762c6b5449d536027/samples/cpp/windows/console/samples/whatstheweatherlike.wav)** by right-clicking the link and selecting **Save link as**. Click **Save** to download the `whatstheweatherlike.wav` file. 2. Using a file explorer or terminal window with a zip tool, create a zip file named `whatstheweatherlike.zip` that contains the `whatstheweatherlike.wav` file you downloaded. In Windows, you can open Windows Explorer, navigate to the `Downloads` folder, right-click `whatstheweatherliike.wav`, click **Send to**, click **Compressed (zipped) folder**, and press enter to accept the default filename.
-## Create a project in the Custom Speech portal
+## Create a project in the Speech Studio
Follow these steps to create a project that contains your zip of one audio file.
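Review bot: Renaming the heading to "Create a project in the Speech Studio" changes its generated anchor, so any inbound link to the old "Custom Speech portal" anchor will stop resolving. Check for references before merging. While in this section, step 2 in the context lines spells the file name `whatstheweatherliike.wav` with a doubled "i", which does not match the `whatstheweatherlike.wav` file downloaded in step 1.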
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/form-recognizer/deploy-label-tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/deploy-label-tool.md
@@ -2,13 +2,13 @@
Title: How to deploy the Form Recognizer sample labeling tool description: Learn the different ways you can deploy the Form Recognizer sample labeling tool to help with supervised learning.-+ Previously updated : 04/14/2020- Last updated : 02/11/2021+ # Deploy the sample labeling tool
@@ -27,7 +27,7 @@ The fastest way to start labeling data is to run the sample labeling tool locall
## Deploy with Azure Container Instances (ACI)
-Before we get started, it's important to note that there are two ways to deploy the sample labeling tool to an Azure Container Instance (ACI). Both options are used to run the sample labeling tool with ACI:
+Before we get started, it's important to note that there are two ways to deploy the sample labeling tool to an Azure Container Instance (ACI). Both options are used to run the sample labeling tool with ACI:
* [Using the Azure portal](#azure-portal) * [Using the Azure CLI](#azure-cli)
@@ -37,16 +37,16 @@ Before we get started, it's important to note that there are two ways to deploy
Follow these steps to create a new resource using the Azure portal: 1. Sign in to the [Azure portal](https://portal.azure.com/signin/index/).
-2. Select **Create a resource**.
-3. Next, select **Web App**.
+2. Select **Create a resource**.
+3. Next, select **Web App**.
> [!div class="mx-imgBorder"]
- > ![Select web app](./media/quickstarts/formre-create-web-app.png)
-
-4. First, make sure that the **Basics** tab is selected. Now, you're going to need to provide some information:
+ > ![Select web app](./media/quickstarts/create-web-app.png)
+
+4. First, make sure that the **Basics** tab is selected. Now, you're going to need to provide some information:
> [!div class="mx-imgBorder"]
- > ![Select Basics](./media/quickstarts/formre-select-basics.png)
+ > ![Select Basics](./media/quickstarts/select-basics.png)
* Subscription - Select an existing Azure subscription * Resource Group - You can reuse an existing resource group or create a new one for this project. Creating a new resource group is recommended. * Name - Give your web app a name.
@@ -56,44 +56,46 @@ Follow these steps to create a new resource using the Azure portal:
* Linux Plan - Select a pricing tier/plan for your app service. > [!div class="mx-imgBorder"]
- > ![Configure your web app](./media/quickstarts/formre-select-docker-linux.png)
+ > ![Configure your web app](./media/quickstarts/select-docker.png)
-5. Next, select the **Docker** tab.
+5. Next, select the **Docker** tab.
> [!div class="mx-imgBorder"]
- > ![Select Docker](./media/quickstarts/formre-select-docker.png)
+ > ![Select Docker](./media/quickstarts/select-docker.png)
6. Now let's configure your Docker container. All fields are required unless otherwise noted:
- # [v2.0](#tab/v2-0)
- * Options - Select **Single Container**
- * Image Source - Select **Private Registry**
- * Server URL - Set this to `https://mcr.microsoft.com`
- * Username (Optional) - Create a username.
- * Password (Optional) - Create a secure password that you'll remember.
- * Image and tag - Set this to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest`
- * Continuous Deployment - Set this to **On** if you want to receive automatic updates when the development team makes changes to the sample labeling tool.
- * Startup command - Set this to `./run.sh eula=accept`
+ # [v2.0](#tab/v2-0)
+
+* Options - Select **Single Container**
+* Image Source - Select **Private Registry**
+* Server URL - Set this to `https://mcr.microsoft.com`
+* Username (Optional) - Create a username.
+* Password (Optional) - Create a secure password that you'll remember.
+* Image and tag - Set this to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest`
+* Continuous Deployment - Set this to **On** if you want to receive automatic updates when the development team makes changes to the sample labeling tool.
+* Startup command - Set this to `./run.sh eula=accept`
# [v2.1 preview](#tab/v2-1)
- * Options - Select **Single Container**
- * Image Source - Select **Private Registry**
- * Server URL - Set this to `https://mcr.microsoft.com`
- * Username (Optional) - Create a username.
- * Password (Optional) - Create a secure password that you'll remember.
- * Image and tag - Set this to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest-preview`
- * Continuous Deployment - Set this to **On** if you want to receive automatic updates when the development team makes changes to the sample labeling tool.
- * Startup command - Set this to `./run.sh eula=accept`
-
+
+* Options - Select **Single Container**
+* Image Source - Select **Private Registry**
+* Server URL - Set this to `https://mcr.microsoft.com`
+* Username (Optional) - Create a username.
+* Password (Optional) - Create a secure password that you'll remember.
+* Image and tag - Set this to `mcr.microsoft.com/azure-cognitive-services/custom-form/labeltool:latest-preview`
+* Continuous Deployment - Set this to **On** if you want to receive automatic updates when the development team makes changes to the sample labeling tool.
+* Startup command - Set this to `./run.sh eula=accept`
+ > [!div class="mx-imgBorder"]
- > ![Configure Docker](./media/quickstarts/formre-configure-docker.png)
+ > ![Configure Docker](./media/quickstarts/configure-docker.png)
7. That's it. Next, select **Review + Create**, then **Create** to deploy your web app. When complete, you can access your web app at the URL provided in the **Overview** for your resource. > [!NOTE]
-> When creating your web app, you can also configure authorization/authentication. This is not necessary to get started.
+> When creating your web app, you can also configure authorization/authentication. This is not necessary to get started.
> [!IMPORTANT] > You may need to enable TLS for your web app in order to view it at its `https` address. Follow the instructions in [Enable a TLS endpoint](../../container-instances/container-instances-container-group-ssl.md) to set up a sidecar container than enables TLS/SSL for your web app.
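Review bot: After the rename, both `![Configure your web app]` and `![Select Docker]` point to `./media/quickstarts/select-docker.png`, whereas before they referenced two different files (`formre-select-docker-linux.png` and `formre-select-docker.png`). One of the two screenshots will be wrong. Confirm the renamed file for the first image. In step 6 the option bullets were also moved to column 0 while the `# [v2.1 preview](#tab/v2-1)` marker stays indented, so the bullets are no longer nested under step 6 and the two tab markers are indented inconsistently. The trailing context note also has a typo: "a sidecar container than enables TLS/SSL" should be "that enables".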
@@ -109,10 +111,10 @@ There's a few things you need know about this command:
* You'll need to specify where you want to create the resource. Replace `<region name>` with your desired region for the web app. * This command automatically accepts EULA.
-From the Azure CLI, run this command to create a web app resource for the sample labeling tool:
+From the Azure CLI, run this command to create a web app resource for the sample labeling tool:
+# [v2.0](#tab/v2-0)
-# [v2.0](#tab/v2-0)
```azurecli DNS_NAME_LABEL=aci-demo-$RANDOM
@@ -126,8 +128,10 @@ az container create \
--cpu 2 \ --memory 8 \ --command-line "./run.sh eula=accept"
-```
-# [v2.1 preview](#tab/v2-1)
+`
+
+# [v2.1 preview](#tab/v2-1)
+
```azurecli DNS_NAME_LABEL=aci-demo-$RANDOM
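Review bot: The closing fence of the v2.0 `azurecli` block was replaced by a single backtick (the added "`" line after `--command-line "./run.sh eula=accept"`), so the code block is never closed. The `# [v2.1 preview](#tab/v2-1)` marker and everything after it will render as part of the v2.0 command. Restore the three-backtick closing fence. The added blank lines around the tab marker are fine.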
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/form-recognizer/quickstarts/label-tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/quickstarts/label-tool.md
@@ -224,7 +224,7 @@ Follow the steps above to label at least five of your forms.
Optionally, you can set the expected data type for each tag. Open the context menu to the right of a tag and select a type from the menu. This feature allows the detection algorithm to make certain assumptions that will improve the text-detection accuracy. It also ensures that the detected values will be returned in a standardized format in the final JSON output. Value type information is saved in the *fields.json* file in the same path as your label files. > [!div class="mx-imgBorder"]
-> ![Value type selection with sample labeling tool](../media/whats-new/formre-value-type.png)
+> ![Value type selection with sample labeling tool](../media/whats-new/value-type.png)
The following value types and variations are currently supported: * `string`
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/form-recognizer/whats-new https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/whats-new.md
@@ -145,7 +145,7 @@ The Form Recognizer service is updated on an ongoing basis. Use this article to
The following image is an example of how tables are recognized and extracted: > [!div class="mx-imgBorder"]
- > ![Table visualization using the sample labeling tool](./media/whats-new/formre-table-viz.png)
+ > ![Table visualization using the sample labeling tool](./media/whats-new/table-viz.png)
The extracted tables are available in the JSON output under `"pageResults"`.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/personalizer/concept-apprentice-mode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/personalizer/concept-apprentice-mode.md
@@ -58,7 +58,7 @@ Learning when in Apprentice mode differs from Online mode in the following ways.
|--|--|--| |Impact on User Experience|You can use existing user behavior to train Personalizer by letting it observe (not affect) what your **default action** would have been and the reward it obtained. This means your usersΓÇÖ experience and the business results from them wonΓÇÖt be impacted.|Display top action returned from Rank call to affect user behavior.| |Learning speed|Personalizer will learn more slowly when in Apprentice mode than when learning in Online mode. Apprentice mode can only learn by observing the rewards obtained by your **default action**, which limits the speed of learning, as no exploration can be performed.|Learns faster because it can both exploit the current model and explore for new trends.|
-|Learning effectiveness "Ceiling"|Personalizer can approximate, very rarely match, and never exceed the performance of your base business logic (the reward total achieved by the **default action** of each Rank call).|Personalizer should exceed applications baseline, and over time where it stalls you should conduct on offline evaluation and feature evaluation to continue to get improvements to the model. |
+|Learning effectiveness "Ceiling"|Personalizer can approximate, very rarely match, and never exceed the performance of your base business logic (the reward total achieved by the **default action** of each Rank call). This approximation cieling is reduced by exploration. For example, with exploration at 20% it is very unlikely apprentice mode performance will exceed 80%, and 60% is a reasonable target at which to graduate to online mode.|Personalizer should exceed applications baseline, and over time where it stalls you should conduct on offline evaluation and feature evaluation to continue to get improvements to the model. |
|Rank API value for rewardActionId|The users' experience doesnΓÇÖt get impacted, as _rewardActionId_ is always the first action you send in the Rank request. In other words, the Rank API does nothing visible for your application during Apprentice mode. Reward APIs in your application should not change how it uses the Reward API between one mode and another.|Users' experience will be changed by the _rewardActionId_ that Personalizer chooses for your application. | |Evaluations|Personalizer keeps a comparison of the reward totals that your default business logic is getting, and the reward totals Personalizer would be getting if in Online mode at that point. A comparison is available in the Azure portal for that resource|Evaluate PersonalizerΓÇÖs effectiveness by running [Offline evaluations](concepts-offline-evaluation.md), which let you compare the total rewards Personalizer has achieved against the potential rewards of the applicationΓÇÖs baseline.|
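Review bot: the sentence added to the "Learning effectiveness" row talks about "exploration at 20%" in Apprentice mode, but the "Learning speed" row just above says Apprentice mode learns slowly "as no exploration can be performed". One of the two needs rewording so the table does not contradict itself. The same sentence misspells "ceiling" as "cieling", and its figures have no stated baseline: "will exceed 80%" and "60% is a reasonable target" do not say 80% or 60% of what. Suggest naming the measure the reader should compare against before graduating to Online mode. The unchanged Online mode cell still reads "conduct on offline evaluation", which is worth fixing while this row is open.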
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/personalizer/concepts-features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/personalizer/concepts-features.md
@@ -75,7 +75,7 @@ JSON objects can include nested JSON objects and simple property/values. An arra
{ "user": { "profileType":"AnonymousUser",
- "latlong": ["47.6", "-122.1"]
+ "latlong": ["47.6,-122.1"]
} }, {
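Review bot: the new `latlong` value is a one-element array holding the single string "47.6,-122.1", where the old form had two separate string elements. If the intent is that the coordinate pair is treated as one feature rather than two independent ones, the prose around this sample should say so. As written the array wrapper looks accidental, and a plain string property would express the same thing.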
communication-services https://docs.microsoft.com/en-us/azure/communication-services/concepts/telephony-sms/concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/concepts.md
@@ -41,4 +41,4 @@ The following documents may be interesting to you:
- Familiarize yourself with the [SMS client library](../telephony-sms/sdk-features.md) - Get an SMS capable [phone number](../../quickstarts/telephony-sms/get-phone-number.md)-- [Plan your SMS solution](../telephony-sms/plan-solution.md)
+- [Phone number types in Azure Communication Services](../telephony-sms/plan-solution.md)
communication-services https://docs.microsoft.com/en-us/azure/communication-services/concepts/telephony-sms/plan-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/plan-solution.md
@@ -1,7 +1,7 @@
Title: Plan your Azure Communication Services telephony and SMS solution
+ Title: Phone number types in Azure Communication Services
-description: Learn how to effectively plan your use of phone numbers and telephony.
+description: Learn how to effectively use different types of phone numbers for SMS and telephony.
@@ -12,19 +12,14 @@
-# Plan your telephony and SMS solution
+# Phone number types in Azure Communication Services
[!INCLUDE [Public Preview Notice](../../includes/public-preview-include.md)] [!INCLUDE [Regional Availability Notice](../../includes/regional-availability-include.md)] Azure Communication Services allows you to use phone numbers to make voice calls and send SMS messages with the public-switched telephone network (PSTN). In this document, we'll review the phone number types, configuration options, and region availability for planning your telephony and SMS solution using Communication Services. ----
-## Phone number types in Azure Communication Services
-
+## Number types and features
Communication Services offers two types of phone numbers: **local** and **toll-free**. ### Local numbers
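Review bot: the intro paragraph kept as context still ends with "for planning your telephony and SMS solution using Communication Services", which is the framing this retitle moves away from. Suggest updating that sentence in the same change so the H1 "Phone number types in Azure Communication Services" and the paragraph under it describe the same document.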
@@ -47,7 +42,7 @@ The table below summarizes these phone number types:
| Toll-Free | +1 (toll-free area *code*) XXX XX XX | US | Calling (Outbound), SMS (Inbound/Outbound)| Assigning phone numbers to Interactive Voice Response (IVR) systems/Bots, SMS applications |
-## Phone number features in Azure Communication Services
+### Phone number features in Azure Communication Services
[!INCLUDE [Emergency Calling Notice](../../includes/emergency-calling-notice-include.md)]
@@ -87,5 +82,6 @@ Currently, phone number availability is restricted to Azure subscriptions that h
### Conceptual documentation - [Voice and video concepts](../voice-video-calling/about-call-types.md)
+- [Telephony concepts](./telephony-concept.md)
- [Call Flows](../call-flows.md) - [Pricing](../pricing.md)
communication-services https://docs.microsoft.com/en-us/azure/communication-services/concepts/telephony-sms/sdk-features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/sdk-features.md
@@ -44,4 +44,4 @@ The following documents may be interesting to you:
- Familiarize yourself with general [SMS concepts](../telephony-sms/concepts.md) - Get an SMS capable [phone number](../../quickstarts/telephony-sms/get-phone-number.md)-- [Plan your SMS solution](../telephony-sms/plan-solution.md)
+- [Phone number types in Azure Communication Services](../telephony-sms/plan-solution.md)
communication-services https://docs.microsoft.com/en-us/azure/communication-services/concepts/telephony-sms/sip-interface-infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/sip-interface-infrastructure.md
@@ -0,0 +1,199 @@
+
+ Title: SIP Interface infrastructure requirements - Azure Communication Services
+description: Familiarize yourself with the infrastructure requirements for Azure Communication Services SIP Interface configuration
+++++ Last updated : 02/09/2021++++
+# SIP Interface infrastructure requirements
++
+
+This article describes infrastructure, licensing, and session border controller (SBC) connectivity details that you'll want to keep in mind as your plan your SIP Interface deployment.
++
+## Infrastructure requirements
+The infrastructure requirements for the supported SBCs, domains, and other network connectivity requirements to deploy SIP Interface are listed in the following table:
+
+|Infrastructure requirement|You need the following|
+|: |: |
+|Session Border Controller (SBC)|A supported SBC. For more information, see [Supported SBCs](#supported-session-border-controllers-sbcs).|
+|Telephony trunks connected to the SBC|One or more telephony trunks connected to the SBC. On one end, the SBC connects to the Azure Communication Service via SIP Interface. The SBC can also connect to third-party telephony entities, such as PBXs, Analog Telephony Adapters, and so on. Any PSTN connectivity option connected to the SBC will work. (For configuration of the PSTN trunks to the SBC, please refer to the SBC vendors or trunk providers.)|
+|Azure subscription|An Azure subscription that you use to create ACS resource, and the configuration and connection to the SBC.|
+|Communication Services Access Token|To make calls, you need a valid Access Token with `voip` scope. See [Access Tokens](https://docs.microsoft.com/azure/communication-services/concepts/identity-model#access-tokens)|
+|Public IP address for the SBC|A public IP address that can be used to connect to the SBC. Based on the type of SBC, the SBC can use NAT.|
+|Fully Qualified Domain Name (FQDN) for the SBC|A FQDN for the SBC, where the domain portion of the FQDN does not match registered domains in your Microsoft 365 or Office 365 organization. For more information, see [SBC domain names](#sbc-domain-names).|
+|Public DNS entry for the SBC |A public DNS entry mapping the SBC FQDN to the public IP Address. |
+|Public trusted certificate for the SBC |A certificate for the SBC to be used for all communication with SIP Interface. For more information, see [Public trusted certificate for the SBC](#public-trusted-certificate-for-the-sbc).|
+|Firewall IP addresses and ports for SIP signaling and media |The SBC communicates to the following services in the cloud:<br/><br/>SIP Proxy, which handles the signaling<br/>Media Processor, which handles media<br/><br/>These two services have separate IP addresses in Microsoft Cloud, described later in this document.
++
+## SBC domain names
+
+Customers without Office 365 can use any domain name for which they can obtain a public certificate.
+
+The following table shows examples of DNS names registered for the tenant, whether the name can be used as an fully qualified domain name (FQDN) for the SBC, and examples of valid FQDN names:
+
+|DNS name|Can be used for SBC FQDN|Examples of FQDN names|
+|: |: |: |
+contoso.com|Yes|**Valid names:**<br/>sbc1.contoso.com<br/>ssbcs15.contoso.com<br/>europe.contoso.com|
+|contoso.onmicrosoft.com|No|Using *.onmicrosoft.com domains is not supported for SBC names
+
+If you are an Office 365 customer, then the SBC domain name must not match registered in Domains of the Office 365 tenant. Below is the example of Office 365 and Azure Communication Service coexistence:
+
+|Domain registered in Office 365|Examples of SBC FQDN in Teams|Examples of SBC FQDN names in ACS|
+|: |: |: |
+**contoso.com** (second level domain)|**sbc.contoso.com** (name in the second level domain)|**sbc.acs.contoso.com** (name in the third level domain)<br/>**sbc.fabrikam.com** (any name within different domain)|
+|**o365.contoso.com** (third level domain)|**sbc.o365.contoso.com** (name in the third level domain)|**sbc.contoso.com** (name in the second level domain)<br/>**sbc.acs.o365.contoso.com** (name in the fourth level domain)<br/>**sbc.fabrikam.com** (any name within different domain)
+
+SBC pairing works on the Communication Services resource level, meaning you can pair many SBCs to a single Communication Services resource, but you cannot pair a single SBC to more than one Communication Services resource. Unique SBC FQDNs are required for pairing to different resources.
+
+## Public trusted certificate for the SBC
+
+Microsoft recommends that you request the certificate for the SBC by generating a certification signing request (CSR). For specific instructions on generating a CSR for an SBC, refer to the interconnection instructions or documentation provided by your SBC vendors.
+
+ > [!NOTE]
+ > Most Certificate Authorities (CAs) require the private key size to be at least 2048. Keep this in mind when generating the CSR.
+
+The certificate needs to have the SBC FQDN as the common name (CN) or the subject alternative name (SAN) field. The certificate should be issued directly from a certification authority, not from an intermediate provider.
+
+Alternatively, Communication Services SIP Interface supports a wildcard in the CN and/or SAN, and the wildcard needs to conform to standard [RFC HTTP Over TLS](https://tools.ietf.org/html/rfc2818#section-3.1).
+
+An example would be using `\*.contoso.com` which would match the SBC FQDN `sbc.contoso.com`, but wouldn't match with `sbc.test.contoso.com`.
+
+The certificate needs to be generated by one of the following root certificate authorities:
+
+- AffirmTrust
+- AddTrust External CA Root
+- Baltimore CyberTrust Root*
+- Buypass
+- Cybertrust
+- Class 3 Public Primary Certification Authority
+- Comodo Secure Root CA
+- Deutsche Telekom
+- DigiCert Global Root CA
+- DigiCert High Assurance EV Root CA
+- Entrust
+- GlobalSign
+- Go Daddy
+- GeoTrust
+- Verisign, Inc.
+- SSL.com
+- Starfield
+- Symantec Enterprise Mobile Root for Microsoft
+- SwissSign
+- Thawte Timestamping CA
+- Trustwave
+- TeliaSonera
+- T-Systems International GmbH (Deutsche Telekom)
+- QuoVadis
+
+Microsoft is working on adding additional certification authorities based on customer requests.
+
+## SIP Signaling: FQDNs
+
+The connection points for Communication Services SIP Interface are the following three FQDNs:
+
+- **sip.pstnhub.microsoft.com** ΓÇô Global FQDN ΓÇô must be tried first. When the SBC sends a request to resolve this name, the Microsoft Azure DNS servers return an IP address pointing to the primary Azure datacenter assigned to the SBC. The assignment is based on performance metrics of the datacenters and geographical proximity to the SBC. The IP address returned corresponds to the primary FQDN.
+- **sip2.pstnhub.microsoft.com** ΓÇô Secondary FQDN ΓÇô geographically maps to the second priority region.
+- **sip3.pstnhub.microsoft.com** ΓÇô Tertiary FQDN ΓÇô geographically maps to the third priority region.
+
+Placing these three FQDNs in order is required to:
+
+- Provide optimal experience (less loaded and closest to the SBC datacenter assigned by querying the first FQDN).
+- Provide failover when connection from an SBC is established to a datacenter that is experiencing a temporary issue. For more information, see [Failover mechanism](#failover-mechanism-for-sip-signaling) below.
+
+The FQDNs ΓÇô sip.pstnhub.microsoft.com, sip2.pstnhub.microsoft.com and sip3.pstnhub.microsoft.com ΓÇô will be resolved to one of the following IP addresses:
+
+- `52.114.148.0`
+- `52.114.132.46`
+- `52.114.75.24`
+- `52.114.76.76`
+- `52.114.7.24`
+- `52.114.14.70`
+- `52.114.16.74`
+- `52.114.20.29`
+
+Open firewall ports for these IP addresses to allow incoming and outgoing traffic to and from the addresses for signaling. If your firewall supports DNS names, the FQDN `sip-all.pstnhub.microsoft.com` resolves to all these IP addresses.
+
+## SIP Signaling: Ports
+
+Use the following ports for Communication Services SIP Interface:
+
+|Traffic|From|To|Source port|Destination port|
+|: |: |: |: |: |
+|SIP/TLS|SIP Proxy|SBC|1024 ΓÇô 65535|Defined on the SBC (For Office 365 GCC High/DoD only port 5061 must be used)|
+SIP/TLS|SBC|SIP Proxy|Defined on the SBC|5061|
+
+### Failover mechanism for SIP Signaling
+
+The SBC makes a DNS query to resolve sip.pstnhub.microsoft.com. Based on the SBC location and the datacenter performance metrics, the primary datacenter is selected. If the primary datacenter experiences an issue, the SBC will try the sip2.pstnhub.microsoft.com, which resolves to the second assigned datacenter, and, in the rare case that datacenters in two regions are not available, the SBC retries the last FQDN (sip3.pstnhub.microsoft.com), which provides the tertiary datacenter IP.
+
+## Media traffic: IP and Port ranges
+
+The media traffic flows to and from a separate service called Media Processor. At the moment of publishing Media Processor for ACS can use any Azure IP address.
+Download [the full list of addresses](https://www.microsoft.com/download/details.aspx?id=56519).
+
+### Port range
+The port range of the Media Processors is shown in the following table:
+
+|Traffic|From|To|Source port|Destination port|
+|: |: |: |: |: |
+|UDP/SRTP|Media Processor|SBC|3478-3481 and 49152 ΓÇô 53247|Defined on the SBC|
+|UDP/SRTP|SBC|Media Processor|Defined on the SBC|3478-3481 and 49152 ΓÇô 53247|
+
+ > [!NOTE]
+ > Microsoft recommends at least two ports per concurrent call on the SBC.
++
+## Media traffic: Media processors geography
+
+The media traffic flows via components called media processors. Media processors are placed in the same datacenters as SIP proxies. Also, there are additional media processors to optimize media flow. For example, we do not have a SIP proxy component now in Australia (SIP flows via Singapore or Hong Kong) but we do have the media processor locally in Australia. The need for the media processors locally is dictated by the latency which we experience by sending traffic long-distance, for example from Australia to Singapore or Hong Kong. While latency in the example of traffic flowing from Australia to Hong Kong or Singapore is acceptable to preserve good call quality for SIP traffic, for real-time media traffic it is not.
+
+Locations where both SIP proxy and media processor components deployed:
+- US (two in US West and US East datacenters)
+- Europe (Amsterdam and Dublin datacenters)
+- Asia (Singapore and Hong Kong datacenters)
+- Australia (AU East and Southeast datacenters)
+
+Locations where only media processors are deployed (SIP flows via the closest datacenter listed above):
+- Japan (JP East and West datacenters)
++
+## Media traffic: Codecs
+
+### Leg between SBC and Cloud Media Processor or Microsoft Teams client.
+Applies to both media bypass case and non-bypass cases.
+
+The Direct Routing interface on the leg between the Session Border Controller and Cloud Media Processor can use the following codecs:
+
+- SILK, G.711, G.722, G.729
+
+You can force use of the specific codec on the Session Border Controller by excluding undesirable codecs from the offer.
+
+### Leg between ACS SDK app and Cloud Media Processor
+
+On the leg between the Cloud Media Processor and ACS SDK app either SILK or G.722 is used. The codec choice on this leg is based on Microsoft algorithms, which take into consideration multiple parameters.
+
+## Supported Session Border Controllers (SBCs)
+
+Certification is in progress. Meanwhile, customers can use [Teams Certified Session Border Controllers](https://docs.microsoft.com/MicrosoftTeams/direct-routing-border-controllers).
+
+## Next steps
+
+### Conceptual documentation
+
+- [Telephony Concept](./telephony-concept.md)
+- [Phone number types in Azure Communication Services](./plan-solution.md)
+- [Pricing](../pricing.md)
+
+### Quickstarts
+
+- [Call to Phone](../../quickstarts/voice-video-calling/pstn-call.md)
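Review bot: the firewall guidance under "SIP Signaling: FQDNs" is broader than the port table that follows it. "Open firewall ports for these IP addresses to allow incoming and outgoing traffic" names no port or protocol, while the "SIP Signaling: Ports" table limits signaling to SIP/TLS with destination port 5061 toward the SIP Proxy and an SBC-defined port inbound. Suggest scoping the sentence to those ports and saying how readers learn when the eight listed addresses change. The media section has the same gap: "can use any Azure IP address" should be tied explicitly to the UDP ranges in the "Port range" table so the resulting rule is not read as allow-all. In the certificate section, "private key size to be at least 2048" needs its unit and key type, "issued directly from a certification authority, not from an intermediate provider" is ambiguous next to a list headed "root certificate authorities" (say whether chains through a CA's intermediate are accepted), "Baltimore CyberTrust Root*" has an asterisk with no footnote, and `\*.contoso.com` will show the backslash inside a code span. "Media processors geography" contradicts itself: the paragraph says "we do not have a SIP proxy component now in Australia", yet Australia is listed under locations with both SIP proxy and media processor. The codecs section still refers to "The Direct Routing interface", "Microsoft Teams client" and "media bypass", none of which this article defines. Smaller items: "as your plan your" in the opening paragraph, "must not match registered in Domains of" under "SBC domain names", and the contoso.com rows in both domain tables plus the second SIP/TLS row start without a leading pipe.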
communication-services https://docs.microsoft.com/en-us/azure/communication-services/concepts/telephony-sms/telephony-concept https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/telephony-sms/telephony-concept.md
@@ -0,0 +1,78 @@
+
+ Title: PSTN Telephony integration concepts for Azure Communication Services
+description: Learn how to integrate PSTN calling capabilities in your Azure Communication Services application.
+++++ Last updated : 02/09/2021++++
+# Telephony concepts
++
+Azure Communication Services Calling client libraries can be used to add telephony and PSTN to your applications. This page summarizes key telephony concepts and capabilities. See the [calling library](../../quickstarts/voice-video-calling/calling-client-samples.md) to learn more about specific client library languages and capabilities.
+
+## Overview of telephony
+Whenever your users interact with a traditional telephone number, calls are facilitated by PSTN (Public Switched Telephone Network) voice calling. To make and receive PSTN calls, you need to add telephony capabilities to your Azure Communication Services resource. In this case, signaling and media use a combination of IP-based and PSTN-based technologies to connect your users. Communication Services provides two discrete ways to reach the PSTN network: Azure Cloud Calling and SIP interface.
+
+### Azure Cloud Calling
+
+An easy way of adding PSTN connectivity to your app or service, in this case, Microsoft is your telco provider. You can buy numbers directly from Microsoft. Azure Cloud Calling is an all-in-the-cloud telephony solution for Communication services. This is the simplest option that connects ACS to the Public Switched Telephone Network (PSTN) to enable calls to landlines and mobile phones worldwide. With this option, Microsoft acts as your PSTN carrier, as shown in the following diagram:
+
+![Azure Cloud Calling diagram.](../media/telephony-concept/azure-calling-diagram.png)
+
+If you answer ΓÇÿyesΓÇÖ to the following, then Azure Cloud Calling is the right solution for you:
+- Azure cloud calling is available in your region.
+- You do not need to retain your current PSTN carrier.
+- You want to use Microsoft-managed access to the PSTN.
+
+With this option:
+- You get numbers directly from Microsoft and can call phones around the world.
+- You do not require deployment or maintenance of an on-premises deploymentΓÇöbecause Azure Cloud calling operates out of Azure Communication Services.
+- Note: If necessary, you can choose to connect a supported Session Border Controller (SBC) through SIP Interface for interoperability with third-party PBXs, analog devices, and other third-party telephony equipment supported by the SBC.
+
+This option requires an uninterrupted connection to Azure Communication Services.
+
+### SIP Interface
+
+With this option, you can connect legacy on-premises telephony and your carrier of choice to Azure Communication services. It provides PSTN calling capabilities to your ACS applications even if Azure Cloud Calling is not available in your country/region.
+
+![SIP Interface diagram.](../media/telephony-concept/sip-interface-diagram.png)
+
+If you answer ΓÇÿyesΓÇÖ to any of the following questions, then SIP Interface is the right solution for you:
+
+- You want to use ACS with PSTN calling capabilities.
+- You need to retain your current PSTN carrier.
+- You want to mix routing, with some calls going through Azure Cloud Calling, some through your carrier.
+- You need to interoperate with third-party PBXs and/or equipment such as overhead pagers, analog devices, and so on.
+
+With this option:
+
+- You connect your own supported SBC to Azure Communication Services without the need for additional on-premises software.
+- You can use literally any telephony carrier with ACS.
+- You can choose to configure and manage this option, or it can be configured and managed by your carrier or partner (ask if your carrier or partner provides this option).
+- You can configure interoperability between your telephony equipmentΓÇösuch as a third-party PBX and analog devicesΓÇöand ACS.
+
+This option requires the following:
+
+- Uninterrupted connection to Azure.
+- Deploying and maintaining a supported SBC.
+- A contract with a third-party carrier. (Unless deployed as an option to provide a connection to third-party PBX, analog devices, or other telephony equipment for users who are on Communication Services.)
+
+## Next steps
+
+### Conceptual documentation
+
+- [Phone number types in Azure Communication Services](./plan-solution.md)
+- [Plan for SIP Interface](./sip-interface-infrastructure.md)
+- [Pricing](../pricing.md)
+
+### Quickstarts
+
+- [Get a phone Number](../../quickstarts/telephony-sms/get-phone-number.md)
+- [Call to Phone](../../quickstarts/voice-video-calling/pstn-call.md)
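Review bot: "You can use literally any telephony carrier with ACS" in the SIP Interface list overstates what the rest of the section allows. The same list requires "your own supported SBC" and the requirements list asks for "a contract with a third-party carrier", so the carrier has to be one that can connect to a supported SBC; suggest saying that instead. The Azure Cloud Calling paragraph opens with a fragment spliced onto a sentence ("An easy way of adding PSTN connectivity to your app or service, in this case, Microsoft is your telco provider") and then states a second time that Microsoft acts as the carrier; one statement is enough. Both "If you answer yes" lead-ins introduce statements rather than questions, and under SIP Interface the first item, "You want to use ACS with PSTN calling capabilities", is equally true of Azure Cloud Calling, so with "any of the following" it does not help the reader choose. "deployment or maintenance of an on-premises deployment" repeats itself, and "Communication services" is lowercased twice against "Communication Services" elsewhere in the file.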
communication-services https://docs.microsoft.com/en-us/azure/communication-services/tutorials/building-app-start https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/tutorials/building-app-start.md
@@ -101,11 +101,25 @@ Follow the same steps for the [Azure Functions](https://marketplace.visualstudio
## Set up a local webserver
+### Create a new npm package
+
+In your terminal, from the path of your workspace folder, type:
+
+``` console
+npm init -y
+```
+
+This command initializes a new npm package and adds `package.json` into the root folder of your project.
++
+Additional documentation on the npm init command can be found [here](https://docs.npmjs.com/cli/v6/commands/npm-init)
+ ### Install webpack [webpack](https://webpack.js.org/) lets you bundle code into static files that you can deploy to Azure. It also has a development server, which we'll configure to use with the calling sample.
-Type the following in your open terminal to install webpack:
+In your terminal type the following to install webpack:
``` Console npm install webpack@4.42.0 webpack-cli@3.3.11 webpack-dev-server@3.10.3 --save-dev
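Review bot: the relocated "Create a new npm package" section ends with "can be found [here](https://docs.npmjs.com/cli/v6/commands/npm-init)", which has no closing period, uses link text that says nothing about the target, and pins the reader to the v6 CLI docs. Suggest making "npm init" the link text and ending the sentence. The code fence info strings also differ within this hunk: lowercase "console" on the new block and capitalized "Console" on the install block below it. Pick one.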
@@ -170,7 +184,7 @@ Source map options are listed [here](https://webpack.js.org/configuration/devtoo
:::image type="content" source="./media/step-one-pic-11.png" alt-text="Configuring webpack":::
-To run the development server, go to `package.json.js` and add the following code under scripts:
+To run the development server, go to `package.json` and add the following code under scripts:
```JavaScript "build:dev": "webpack-dev-server --config webpack.dev.js"
@@ -201,7 +215,7 @@ Your file now should look like this:
You added the command that can be used from npm. ### Testing the development server
@@ -256,7 +270,7 @@ Use the following terminal command to test your development configuration:
npm run build:dev ```
-The console will show you where the server is running. By default, it's `http://localhost:8080`. The build:dev command is the command we added to our `package-json.js` earlier.
+The console will show you where the server is running. By default, it's `http://localhost:8080`. The build:dev command is the command we added to our `package.json` earlier.
:::image type="content" source="./media/step-one-pic-16.png" alt-text="Starting a development server":::
@@ -284,26 +298,11 @@ This action will add the Azure Communication Services common and calling package
:::image type="content" source="./media/step-one-pic-nine.png" alt-text="Installing Azure Communication Services packages":::
-These packages are provided by the Azure Communication Services team and include the authentication and calling libraries. The "--save" command signals that our application depends on these packages for production use and will be included in the `dependencies` of our `package-json.js` file. When we build the application for production, the packages will be included in our production code.
+These packages are provided by the Azure Communication Services team and include the authentication and calling libraries. The "--save" command signals that our application depends on these packages for production use and will be included in the `dependencies` of our `package.json` file. When we build the application for production, the packages will be included in our production code.
## Publish your website to Azure Static Websites
-### Create a new npm package
-
-In your terminal, from the path of your workspace folder, type:
-
-``` console
-npm init -y
-```
-
-This command initializes a new npm package and adds `package.json` into the root folder of your project.
--
-Additional documentation on the npm init command can be found [here](https://docs.npmjs.com/cli/v6/commands/npm-init)
-
-
### Create a configuration for production deployment Add the following code to the `webpack.prod.js`:
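Review bot: the corrected sentence still calls `--save` a command ("The "--save" command signals that our application depends on these packages"). It is an option passed to the install command, and the sentence reads as if the option itself, rather than the packages, "will be included in the `dependencies`". Suggest "The `--save` option records these packages under `dependencies` in `package.json`" while this line is being touched for the file name fix.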
connectors https://docs.microsoft.com/en-us/azure/connectors/apis-list https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/apis-list.md
@@ -5,7 +5,7 @@
ms.suite: integration Previously updated : 01/07/2021 Last updated : 02/12/2021 # Connectors for Azure Logic Apps
@@ -455,15 +455,21 @@ To call APIs that run custom code or aren't available as connectors, you can ext
> > For more information about creating ISEs, see [Connect to Azure virtual networks from Azure Logic Apps](../logic-apps/connect-virtual-network-vnet-isolated-environment.md).
+## Get ready for deployment
+
+Although you create connections from within a logic app, connections are separate Azure resources with their own resource definitions. To review these connection resource definitions, [download your logic app from Azure into Visual Studio](../logic-apps/manage-logic-apps-with-visual-studio.md), which is the easiest way to create a valid parameterized logic app template that's mostly ready for deployment.
+ <a name="block-connections"></a> ## Block creating connections If your organization doesn't permit connecting to specific resources by using their connectors in Azure Logic Apps, you can [block the capability to create those connections](../logic-apps/block-connections-connectors.md) for specific connectors in logic app workflows by using [Azure Policy](../governance/policy/overview.md). For more information, see [Block connections created by specific connectors in Azure Logic Apps](../logic-apps/block-connections-connectors.md).
-## Get ready for deployment
+## Known issues
-Although you create connections from within a logic app, connections are separate Azure resources with their own resource definitions. To review these connection resource definitions, [download your logic app from Azure into Visual Studio](../logic-apps/manage-logic-apps-with-visual-studio.md), which is the easiest way to create a valid parameterized logic app template that's mostly ready for deployment.
+#### Error: BadGateway. Client request id: '{GUID}'
+
+This error results from updating the tags on a logic app where one or more connections don't support Azure Active Directory (Azure AD) OAuth authentication, such as SFTP ad SQL, breaking those connections. To prevent this behavior, avoid updating those tags.
## Next steps
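Review bot: the new "Known issues" entry has a typo that obscures the list of affected connectors, "such as SFTP ad SQL" should read "SFTP and SQL", and its mitigation is unclear. "avoid updating those tags" does not say which tags are meant, since the sentence describes tags on the logic app and not on the connections, and it gives no recovery step for a connection that is already broken. Suggest stating plainly that updating tags on a logic app breaks any of its connections that don't support Azure AD OAuth, and adding the restore procedure if one exists. The entry heading uses `####` directly under `##`, skipping a level.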
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/index-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/index-policy.md
@@ -5,7 +5,7 @@
Previously updated : 02/02/2021 Last updated : 02/10/2021
@@ -285,7 +285,7 @@ WHERE c.firstName = "John" AND Contains(c.lastName, "Smith", true)
ORDER BY c.firstName, c.lastName ```
-The following considerations are used when creating composite indexes to optimize a query with a filter and `ORDER BY` clause:
+The following considerations apply when creating composite indexes to optimize a query with a filter and `ORDER BY` clause:
* If you do not define a composite index on a query with a filter on one property and a separate `ORDER BY` clause using a different property, the query will still succeed. However, the RU cost of the query can be reduced with a composite index, particularly if the property in the `ORDER BY` clause has a high cardinality. * If the query filters on properties, these should be included first in the `ORDER BY` clause.
@@ -304,6 +304,26 @@ The following considerations are used when creating composite indexes to optimiz
| ```(age ASC, name ASC, timestamp ASC)``` | ```SELECT * FROM c WHERE c.age = 18 and c.name = "John" ORDER BY c.age ASC, c.name ASC,c.timestamp ASC``` | `Yes` | | ```(age ASC, name ASC, timestamp ASC)``` | ```SELECT * FROM c WHERE c.age = 18 and c.name = "John" ORDER BY c.timestamp ASC``` | `No` |
+### Queries with a filter and an aggregate
+
+If a query filters on one or more properties and has an aggregate system function, it may be helpful to create a composite index for the properties in the filter and aggregate system function. This optimization applies to the [SUM](sql-query-aggregate-sum.md) and [AVG](sql-query-aggregate-avg.md) system functions.
+
+The following considerations apply when creating composite indexes to optimize a query with a filter and aggregate system function.
+
+* Composite indexes are optional when running queries with aggregates. However, the RU cost of the query can often be significantly reduced with a composite index.
+* If the query filters on multiple properties, the equality filters must be the first properties in the composite index.
+* You can have a maximum of one range filter per composite index and it must be on the property in the aggregate system function.
+* The property in the aggregate system function should be defined last in the composite index.
+* The `order` (`ASC` or `DESC`) does not matter.
+
+| **Composite Index** | **Sample Query** | **Supported by Composite Index?** |
+| - | | |
+| ```(name ASC, timestamp ASC)``` | ```SELECT AVG(c.timestamp) FROM c WHERE c.name = "John"``` | `Yes` |
+| ```(timestamp ASC, name ASC)``` | ```SELECT AVG(c.timestamp) FROM c WHERE c.name = "John"``` | `No` |
+| ```(name ASC, timestamp ASC)``` | ```SELECT AVG(c.timestamp) FROM c WHERE c.name > "John"``` | `No` |
+| ```(name ASC, age ASC, timestamp ASC)``` | ```SELECT AVG(c.timestamp) FROM c WHERE c.name = "John" AND c.age = 25``` | `Yes` |
+| ```(age ASC, timestamp ASC)``` | ```SELECT AVG(c.timestamp) FROM c WHERE c.name = "John" AND c.age > 25``` | `No` |
+ ## <index-transformation>Modifying the indexing policy A container's indexing policy can be updated at any time [by using the Azure portal or one of the supported SDKs](how-to-manage-indexing-policy.md). An update to the indexing policy triggers a transformation from the old index to the new one, which is performed online and in-place (so no additional storage space is consumed during the operation). The old indexing policy is efficiently transformed to the new policy without affecting the write availability, read availability, or the throughput provisioned on the container. Index transformation is an asynchronous operation, and the time it takes to complete depends on the provisioned throughput, the number of items and their size.
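Review bot: the sample table in "Queries with a filter and an aggregate" never shows the one range-filter case the list says is allowed. The third bullet permits "a maximum of one range filter per composite index" when it is "on the property in the aggregate system function", but both range-filter rows (`c.name > "John"` and `c.age > 25`) are the unsupported kind, so the reader has no positive example to copy. Suggest adding a `Yes` row with a range filter on `c.timestamp`. The intro says the optimization applies to SUM and AVG, yet every row uses AVG; add a SUM row or state that the rows apply to both. The sentence introducing the bullet list ends in a period where the matching sentence in the ORDER BY section ends in a colon.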
cost-management-billing https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/billing-subscription-transfer.md
@@ -86,9 +86,12 @@ Use the following troubleshooting information if you're having trouble transferr
### Original Azure subscription billing owner leaves your organization
-It's possible that the original billing owner who created an Azure account and an Azure subscription leaves your organization. If that situation happens, then their user identity is no longer in the organization's Azure Active Directory. Then the Azure subscription doesn't have a billing owner. This situation prevents anyone from performing billing operations to the account, including viewing, and paying bills. The subscription could go into a past-due state. Eventually the subscription could get disabled because of non-payment. Ultimately, the subscription could get deleted and it would affect every service that runs on the subscription.
+> [!Note]
+> This section specifically applies to a billing account for a Microsoft Customer Agreement. Check if you have access to a [Microsoft Customer Agreement](mca-request-billing-ownership.md#check-for-access).
-When a subscription no longer has a valid billing owner, Azure sends an email to other Billing owners, Service Administrators, Co-Administrators, and Subscription Owners informing them of the situation and provides them with a link to accept billing ownership of the subscription. Any one of the users can select the link to accept billing ownership. For more information about billing roles, see [Billing Roles](understand-mca-roles.md) and [Classic Roles and Azure RBAC Roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).
+It's possible that the original billing account owner who created an Azure account and an Azure subscription leaves your organization. If that situation happens, then their user identity is no longer in the organization's Azure Active Directory. Then the Azure subscription doesn't have a billing owner. This situation prevents anyone from performing billing operations to the account, including viewing, and paying bills. The subscription could go into a past-due state. Eventually the subscription could get disabled because of non-payment. Ultimately, the subscription could get deleted and it would affect every service that runs on the subscription.
+
+When a subscription no longer has a valid billing account owner, Azure sends an email to other Billing account owners, Service Administrators (if any), Co-Administrators (if any), and Subscription Owners informing them of the situation and provides them with a link to accept billing ownership of the subscription. Any one of the users can select the link to accept billing ownership. For more information about billing roles, see [Billing Roles](understand-mca-roles.md) and [Classic Roles and Azure RBAC Roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).
Here's an example of what the email looks like.
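Review bot: the added alert is written `> [!Note]`; use `> [!NOTE]`, as the other alerts in this batch do. The note scopes the section to Microsoft Customer Agreement billing accounts, yet the rewritten paragraph still lists Service Administrators and Co-Administrators "(if any)" as email recipients; state whether those classic roles can exist under that scope or drop them from the sentence. The phrase "including viewing, and paying bills" also carries a stray comma.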
cost-management-billing https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/link-partner-id https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/link-partner-id.md
@@ -157,9 +157,7 @@ Yes, You can link your partner ID for Azure Stack.
**How do I link my partner ID if my company uses [Azure Lighthouse](../../lighthouse/overview.md) to access customer resources?**
-If you onboard customers to Azure delegated resource management by [publishing a managed services offer to Azure Marketplace](../../lighthouse/how-to/publish-managed-services-offers.md), your MPN ID will automatically be associated.
-
-If you [onboard customers by deploying Azure Resource Manager templates](../../lighthouse/how-to/onboard-customer.md), you'll need to associate your MPN ID with at least one user account that has access to each of your onboarded subscriptions. Note that you'll need to do this in your service provider tenant rather than in each customer tenant. For simplicity, we recommend creating a service principal account in your tenant, associating it with your MPN ID, then granting it access to every customer you onboard with an [Azure built-in role that is eligible for partner earned credit](/partner-center/azure-roles-perms-pec). For more information, see [Link your partner ID to track your impact on delegated resources](../../lighthouse/how-to/partner-earned-credit.md).
+In order for Azure Lighthouse activities to be recognized, you'll need to associate your MPN ID with at least one user account that has access to each of your onboarded subscriptions. Note that you'll need to do this in your service provider tenant rather than in each customer tenant. For simplicity, we recommend creating a service principal account in your tenant, associating it with your MPN ID, then granting it access to every customer you onboard with an [Azure built-in role that is eligible for partner earned credit](/partner-center/azure-roles-perms-pec). For more information, see [Link your partner ID to track your impact on delegated resources](../../lighthouse/how-to/partner-earned-credit.md).
**How do I explain Partner Admin Link (PAL) to my Customer?**
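Review bot: the replacement paragraph drops the statement that publishing a managed services offer to Azure Marketplace associates the MPN ID automatically, without saying whether that still holds. Partners who onboard through Marketplace cannot tell from the new text whether they now have to link the ID themselves; add one sentence covering that path. Because the recommendation is to give a single service principal access to every onboarded customer, it would also help to tell readers to pick the least-privileged role from the PEC-eligible list instead of leaving the choice open.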
cost-management-billing https://docs.microsoft.com/en-us/azure/cost-management-billing/reservations/prepay-app-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/prepay-app-service.md
@@ -32,24 +32,12 @@ You can use reservation recommendations to help determine the reservations you s
- You can use the APIs to get purchase recommendations for both shared scope and single subscription scope. For more information, see [Reserved instance purchase recommendation APIs for enterprise customers](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-recommendation). - For Enterprise Agreement (EA) and Microsoft Customer Agreement (MCA) customers, purchase recommendations for shared and single subscription scopes are available with the [Azure Consumption Insights Power BI content pack](/power-bi/service-connect-to-azure-consumption-insights).
-#### Instance size flexibility setting
-
-The instance size flexibility setting determines which services get the reserved instance discounts.
-
-Whether the setting is on or off, reservation discounts automatically apply to any matching Premium v3 reserved instance usage.
- ### Analyze your usage information Analyze your usage information to help determine which reservations you should purchase. Usage data is available in the usage file and APIs. Use them together to determine which reservation to purchase. Check for Premium v3 instances that have high usage on daily basis to determine the quantity of reservations to purchase. Your usage file shows your charges by billing period and daily usage. For information about downloading your usage file, see [View and download your Azure usage and charges](../understand/download-azure-daily-usage.md). Then, by using the usage file information, you can [determine what reservation to purchase](determine-reservation-purchase.md).
-### Purchase restriction considerations
-
-Reservation discounts don't apply for the following Premium v3 instances:
--- **Preview or Promo instances** - Any Premium v3 reserved instance-series or size that is in preview or uses promotional meter.-- **Clouds** - Reservations aren't available for purchase in Germany or China regions. ## Buy a Premium v3 reserved instance
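Review bot: removing "Purchase restriction considerations" also removes the only statements that reservation discounts don't apply to preview or promo instances and that reservations can't be purchased in Germany or China regions. If those limits still apply to Premium v3, keep them in a shortened form; if they no longer apply, say so in the commit description so the removal is clearly deliberate and not a side effect of dropping the instance size flexibility text.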
@@ -74,7 +62,6 @@ If you have an EA agreement, you can use the **Add more option** to quickly add
| Scope | The reservation's scope can cover one subscription or multiple subscriptions (shared scope). If you select: <ul><li>**Single resource group scope** ΓÇö Applies the reservation discount to the matching resources in the selected resource group only. </li><li>**Single subscription scope** ΓÇö Applies the reservation discount to the matching resources in the selected subscription.</li><li>**Shared scope** ΓÇö Applies the reservation discount to matching resources in eligible subscriptions that are in the billing context. For EA customers, the billing context is the enrollment. For individual subscriptions with pay-as-you-go rates, the billing scope is all eligible subscriptions created by the account administrator.</li></ul> | | Region | The Azure region that's covered by the reservation. | | Premium v3 reserved instance size | The size of the Premium v3 reserved instances. |
-| Optimize for | Premium v3 Reserved instance size flexibility is selected by default. Click **Advanced settings** to change the instance size flexibility value to apply the reservation discount to other Premium v3 reserved instances in the same [Premium v3 Reserved Instance size group](../../virtual-machines/reserved-vm-instance-size-flexibility.md). Capacity priority prioritizes data center capacity for your deployments. It offers additional confidence in your ability to launch the Premium v3 reserved instances when you need them. Capacity priority is only available when the reservation scope is single subscription. |
| Term | One year or three years. There's also a 5-year term available only for HBv2 Premium v3 reserved instances. | | Quantity | The number of instances being purchased within the reservation. The quantity is the number of running Premium v3 reserved instances that can get the billing discount. For example, if you are running 10 Standard\_D2 Premium v3 reserved instances in the East US, then you would specify quantity as 10 to maximize the benefit for all running Premium v3 reserved instances. |
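Review bot: with the "Optimize for" row removed, the unchanged rows below it still read like virtual machine reservation text: "Term" mentions a 5-year term for HBv2 and "Quantity" uses `Standard\_D2` as the example size. Confirm that both apply to App Service Premium v3 and, if they do not, rewrite them in this same change.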
@@ -140,4 +127,4 @@ For more information about how reservation discount shows in usage data, see [Ge
- To learn more about Azure Reservations, see the following articles: - [What are Azure Reservations?](save-compute-costs-reservations.md) - [Understand how an Azure App Service Isolated Stamp reservation discount is applied](reservation-discount-app-service.md)
- - [Understand reservation usage for your Enterprise enrollment](understand-reserved-instance-usage-ea.md)
+ - [Understand reservation usage for your Enterprise enrollment](understand-reserved-instance-usage-ea.md)
cost-management-billing https://docs.microsoft.com/en-us/azure/cost-management-billing/reservations/reservation-discount-app-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/reservation-discount-app-service.md
@@ -6,7 +6,7 @@
Previously updated : 02/01/2021 Last updated : 02/12/2021
@@ -36,10 +36,6 @@ The Azure reservation discount is applied to running Premium v3 instances on an
To understand and view the application of your Azure Reservations in billing usage reports, see [Understand reservation usage](understand-reserved-instance-usage-ea.md).
-### Discount can apply to different sizes
-
-When you buy a Reserved Premium v3 Instance and select **Optimized for instance size flexibility**, the discount coverage applies to the Premium v3 instance size you select. It can also apply to other instance sizes that are in the same series instance size flexibility group.
- ## How reservation discounts apply to Isolated Stamps After you buy App Service Isolated Stamp Fee reserved capacity, the reservation discount is automatically applied to the Stamp Fee in a region. The reservation discount applies to the usage emitted by the Isolated Stamp Fee meter. Workers, additional Front Ends, and any other resources associated with the stamp continue to get billed at the regular rate.
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-parse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-parse.md
@@ -0,0 +1,117 @@
+
+ Title: Parse data transformation in mapping data flow
+description: Parse embedded column documents
++++ Last updated : 02/08/2021++
+# Parse transformation in mapping data flow
++
+Use the Parse transformation to parse columns in your data that are in document form. The current supported types of embedded documents that can be parsed are JSON and delimited text.
+
+## Configuration
+
+In the parse transformation configuration panel, you will first pick the type of data contained in the columns that you wish to parse inline. The parse transformation also contains the following configuration settings.
+
+![Parse settings](media/data-flow/data-flow-parse-1.png "Parse")
+
+### Column
+
+Similar to derived columns and aggregates, this is where you will either modify an exiting column by selecting it from the drop-down picker. Or you can type in the name of a new column here. ADF will store the parsed source data in this column.
+
+### Expression
+
+Use the expression builder to set the source for your parsing. This can be as simple as just selecting the source column with the self-contained data that you wish to parse, or you can create complex expressions to parse.
+
+### Output column type
+
+Here is where you will configure the target output schema from the parsing that will be written into a single column.
+
+![Parse example](media/data-flow/data-flow-parse-2.png "Parse example")
+
+In this example, we have defined parsing of the incoming field "jsonString" which is plain text, but formatted as a JSON structure. We're going to store the parsed results as JSON in a new column called "json" with this schema:
+
+```(trade as boolean, customers as string[])```
+
+Refer to the inspect tab and data preview to verify your output is mapped properly.
+
+## Examples
+
+```
+source(output(
+ name as string,
+ location as string,
+ satellites as string[],
+ goods as (trade as boolean, customers as string[], orders as (orderId as string, orderTotal as double, shipped as (orderItems as (itemName as string, itemQty as string)[]))[])
+ ),
+ allowSchemaDrift: true,
+ validateSchema: false,
+ ignoreNoFilesFound: false,
+ documentForm: 'documentPerLine') ~> JsonSource
+source(output(
+ movieId as string,
+ title as string,
+ genres as string
+ ),
+ allowSchemaDrift: true,
+ validateSchema: false,
+ ignoreNoFilesFound: false) ~> CsvSource
+JsonSource derive(jsonString = toString(goods)) ~> StringifyJson
+StringifyJson parse(json = jsonString ? (trade as boolean,
+ customers as string[]),
+ format: 'json',
+ documentForm: 'arrayOfDocuments') ~> ParseJson
+CsvSource derive(csvString = 'Id|name|year\n\'1\'|\'test1\'|\'1999\'') ~> CsvString
+CsvString parse(csv = csvString ? (id as integer,
+ name as string,
+ year as string),
+ format: 'delimited',
+ columnNamesAsHeader: true,
+ columnDelimiter: '|',
+ nullValue: '',
+ documentForm: 'documentPerLine') ~> ParseCsv
+ParseJson select(mapColumn(
+ jsonString,
+ json
+ ),
+ skipDuplicateMapInputs: true,
+ skipDuplicateMapOutputs: true) ~> KeepStringAndParsedJson
+ParseCsv select(mapColumn(
+ csvString,
+ csv
+ ),
+ skipDuplicateMapInputs: true,
+ skipDuplicateMapOutputs: true) ~> KeepStringAndParsedCsv
+```
+
+## Data flow script
+
+### Syntax
+
+### Examples
+
+```
+parse(json = jsonString ? (trade as boolean,
+ customers as string[]),
+ format: 'json',
+ documentForm: 'singleDocument') ~> ParseJson
+
+parse(csv = csvString ? (id as integer,
+ name as string,
+ year as string),
+ format: 'delimited',
+ columnNamesAsHeader: true,
+ columnDelimiter: '|',
+ nullValue: '',
+ documentForm: 'documentPerLine') ~> ParseCsv
+```
+
+## Next steps
+
+* Use the [Flatten transformation](data-flow-flatten.md) to pivot rows to columns.
+* Use the [Derived column transformation](data-flow-derived-column.md) to pivot columns to rows.
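Review bot: `### Syntax` under "Data flow script" is an empty heading; add the syntax block or remove the heading before publishing. In "Next steps", the link descriptions say Flatten is used "to pivot rows to columns" and Derived column "to pivot columns to rows", which describe pivot and unpivot and not the linked transformations. Smaller points: "exiting column" should be "existing column", the "Column" paragraph has an "either" whose "or" is in the next sentence, and the JSON parse uses `documentForm: 'arrayOfDocuments'` in the first example but `'singleDocument'` in the script example with no explanation of the difference.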
data-factory https://docs.microsoft.com/en-us/azure/data-factory/tutorial-data-flow-delta-lake https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/tutorial-data-flow-delta-lake.md
@@ -0,0 +1,124 @@
+
+ Title: Delta lake ETL with data flows
+description: This tutorial provides step-by-step instructions for using data flows to transform and analyze data in delta lake
+++++ Last updated : 02/09/2021++
+# Transform data in delta lake using mapping data flows
++
+If you're new to Azure Data Factory, see [Introduction to Azure Data Factory](introduction.md).
+
+In this tutorial, you'll use the data flow canvas to create data flows that allow you to analyze and transform data in Azure Data Lake Storage (ADLS) Gen2 and store it in Delta Lake.
+
+## Prerequisites
+* **Azure subscription**. If you don't have an Azure subscription, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.
+* **Azure storage account**. You use ADLS storage as a *source* and *sink* data stores. If you don't have a storage account, see [Create an Azure storage account](../storage/common/storage-account-create.md) for steps to create one.
+
+The file that we are transforming in this tutorial is MoviesDB.csv, which can be found [here](https://github.com/kromerm/adfdataflowdocs/blob/master/sampledat). The examples will be referencing a container named 'sample-data'.
+
+## Create a data factory
+
+In this step, you create a data factory and open the Data Factory UX to create a pipeline in the data factory.
+
+1. Open **Microsoft Edge** or **Google Chrome**. Currently, Data Factory UI is supported only in the Microsoft Edge and Google Chrome web browsers.
+1. On the left menu, select **Create a resource** > **Integration** > **Data Factory**
+1. On the **New data factory** page, under **Name**, enter **ADFTutorialDataFactory**
+1. Select the Azure **subscription** in which you want to create the data factory.
+1. For **Resource Group**, take one of the following steps:
+
+ a. Select **Use existing**, and select an existing resource group from the drop-down list.
+
+ b. Select **Create new**, and enter the name of a resource group.
+
+ To learn about resource groups, see [Use resource groups to manage your Azure resources](../azure-resource-manager/management/overview.md).
+1. Under **Version**, select **V2**.
+1. Under **Location**, select a location for the data factory. Only locations that are supported are displayed in the drop-down list. Data stores (for example, Azure Storage and SQL Database) and computes (for example, Azure HDInsight) used by the data factory can be in other regions.
+1. Select **Create**.
+1. After the creation is finished, you see the notice in Notifications center. Select **Go to resource** to navigate to the Data factory page.
+1. Select **Author & Monitor** to launch the Data Factory UI in a separate tab.
+
+## Create a pipeline with a data flow activity
+
+In this step, you'll create a pipeline that contains a data flow activity.
+
+1. On the **Let's get started** page, select **Create pipeline**.
+
+ ![Create pipeline](./media/doc-common-process/get-started-page.png)
+
+1. In the **General** tab for the pipeline, enter **DeltaLake** for **Name** of the pipeline.
+1. In the factory top bar, slide the **Data Flow debug** slider on. Debug mode allows for interactive testing of transformation logic against a live Spark cluster. Data Flow clusters take 5-7 minutes to warm up and users are recommended to turn on debug first if they plan to do Data Flow development. For more information, see [Debug Mode](concepts-data-flow-debug-mode.md).
+
+ ![Data Flow Activity](media/tutorial-data-flow/dataflow1.png)
+1. In the **Activities** pane, expand the **Move and Transform** accordion. Drag and drop the **Data Flow** activity from the pane to the pipeline canvas.
+
+ ![Screenshot that shows the pipeline canvas where you can drop the Data Flow activity.](media/tutorial-data-flow/activity1.png)
+1. In the **Adding Data Flow** pop-up, select **Create new Data Flow** and then name your data flow **DeltaLake**. Click Finish when done.
+
+ ![Screenshot that shows where you name your data flow when you create a new data flow.](media/tutorial-data-flow/activity2.png)
+
+## Build transformation logic in the data flow canvas
+
+You will generate two data flows in this tutorial. The fist data flow is a simple source to sink to generate a new Delta Lake from the movies CSV file from above. Lastly, you'll create this flow design below to update data in Delta Lake.
+
+![Final flow](media/data-flow/data-flow-tutorial-6.png "Final flow")
+
+### Tutorial objectives
+
+1. Take the MoviesCSV dataset source from above, form a new Delta Lake from it
+1. Build the logic to updated ratings for 1988 movies to '1'
+1. Delete all movies from 1950
+1. Insert new movies for 2021 by duplicating the movies from 1960
+
+### Start from a blank data flow canvas
+
+1. Click on the source transformation
+1. Click new next to dataset in the bottom panel
+1 Create a new Linked Service for ADLS Gen2
+1. Choose Delimited Text for the dataset type
+1. Name the dataset “MoviesCSV” 
+1. Point to the MoviesCSV file that you uploaded to storage above
+1. Set it to be comma delimited and include header on first row 
+1. Go to the source projection tab and click "Detect data types"
+1. Once you have your projection set, you can continue 
+1. Add a sink transformation
+1. Delta is an inline dataset type. You will need to point to your ADLS Gen2 storage account.
+
+ ![Inline dataset](media/data-flow/data-flow-tutorial-5.png "Inline dataset")
+
+1. Choose a folder name in your storage container where you would like ADF to create the Delta Lake
+1. Go back to the pipeline designer and click Debug to execute the pipeline in debug mode with just this data flow activity on the canvas. This will generate your new Delta Lake in ADLS Gen2.
+1. From Factory Resources, click new > Data flow 
+1. Use the MoviesCSV again as a source and click "Detect data types" again
+1. Add a filter transformation to your source transformation in the graph
+1. Only allow movie rows that match the three years you are going to work with which will be 1950, 1988, and 1960
+1. Update ratings for each 1988 movie to '1' by now adding a derived column transformation to your filter transformation
+1. In that same derived column, create movies for 2021 by taking an existing year and change the year to 2021. Let’s pick 1960.
+1. This is what your three derived columns will look like
+
+ ![Derived column](media/data-flow/data-flow-tutorial-2.png "Derived column")
+
+1. ```Update, insert, delete, and upsert``` policies are created in the alter Row transform. Add an alter row transformation after your derived column.
+1. Your alter row policies should look like this.
+
+ ![Alter row](media/data-flow/data-flow-tutorial-3.png "Alter row")
+
+1. Now that youΓÇÖve set the proper policy for each alter row type, check that the proper update rules have been set on the sink transformation
+
+ ![Sink](media/data-flow/data-flow-tutorial-4.png "Sink")
+
+1. Here we are using the Delta Lake sink to your ADLS Gen2 data lake and allowing inserts, updates, deletes. 
+1. Note that the Key Columns is a composite key made up of the Movie primary key column and year column. This is because we created fake 2021 movies by duplicating the 1960 rows. This avoids collisions when looking up the existing rows by providing uniqueness.
+
+### Download completed sample
+[Here is a sample solution for the Delta pipeline with a data flow for update/delete rows in the lake:](https://github.com/kromerm/adfdataflowdocs/blob/master/sampledata/DeltaPipeline.zip)
+
+## Next steps
+
+Learn more about the [data flow expression language](data-flow-expression-functions.md).
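Review bot: in "Start from a blank data flow canvas", the third step is written `1 Create a new Linked Service for ADLS Gen2` without the period, so it will not render as a list item and the numbering breaks. The sample file link ends at `.../blob/master/sampledat` while the completed-sample link uses `sampledata/`, so the first URL looks truncated and should be checked. The steps refer to a file "that you uploaded to storage above", but no earlier step covers the upload, and the file is called MoviesDB.csv in the prerequisites and MoviesCSV later. Typos to fix: "fist data flow" and "Build the logic to updated ratings".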
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-manage-device-event-alert-notifications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-manage-device-event-alert-notifications.md
@@ -18,7 +18,7 @@ This article describes how to create action rules in the Azure portal to trigger
An action rule can trigger or suppress alert notifications. The action rule is added to an *action group* - a set of notification preferences that's used to notify users who need to act on alerts triggered in different contexts for a resource or set of resources.
-For more information about action rules, see [Configuring an action rule](/azure/azure-monitor/platform/alerts-action-rules?tabs=portal#configuring-an-action-rule). For more information about action groups, see [Create and manage action groups in the Azure portal](/blob/master/articles/azure-monitor/platform/action-groups).
+For more information about action rules, see [Configuring an action rule](/azure/azure-monitor/platform/alerts-action-rules?tabs=portal#configuring-an-action-rule). For more information about action groups, see [Create and manage action groups in the Azure portal](/azure/azure-monitor/platform/action-groups).
> [!NOTE] > The action rules feature is in preview. Some screens and steps might change as the process is refined.
@@ -118,8 +118,8 @@ The email notification will look similar to this one.
## Next steps
-<!-
+<!-
- See [Configure an action rule](/azure/azure-monitor/platform/alerts-action-rules?tabs=portal#configuring-an-action-rule) for more info about creating action rules that send or suppress alert notifications. -2 bullets referenced above. Making room for local tasks in "Next Steps." --> - See [Monitor your Azure Stack Edge Pro](azure-stack-edge-monitor.md) for info about reviewing device events, hardware status, and metrics charts. - See [Using Azure Monitor](azure-stack-edge-gpu-enable-azure-monitor.md) for info about optimizing Azure Monitor for Azure Stack Edge Pro GPU devices.-- See [Create, view, and manage metric alerts using Azure Monitor Link target](/../azure-monitor/platform/alerts-metric.md) for info about managing individual alerts.
+- See [Create, view, and manage metric alerts using Azure Monitor Link target](/azure/azure-monitor/platform/alerts-metric) for info about managing individual alerts.
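Review bot: the corrected link keeps the label "Create, view, and manage metric alerts using Azure Monitor Link target"; the trailing "Link target" looks like leftover placeholder text and should be dropped from the label. As shown in this hunk, the comment opener is `<!-` with a single dash while the comment is closed with `-->`; check that the source has `<!--` so the commented-out bullets stay hidden.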
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-mini-r-safety https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-mini-r-safety.md
@@ -7,7 +7,7 @@
Previously updated : 02/08/2021 Last updated : 02/12/2021
@@ -157,7 +157,6 @@ Operation in the band 5150ΓÇô5250 MHz is only for indoor use to reduce the poten
![Regulatory information warning - indoor use](./media/azure-stack-edge-mini-r-safety/regulatory-information-indoor-use-only.png) - Users are advised that high-power radars are allocated as primary users (priority users) of the bands 5250ΓÇô5350 MHz and 5650ΓÇô5850 MHz, and these radars could cause interference and/or damage to LE-LAN devices. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
@@ -201,12 +200,13 @@ A table with the Specific Absorption Rate (SAR) averaged over 1 g for each produ
#### EUROPEAN UNION:
-Request a copy of the EU Declaration of Conformity for this equipment.
+Request a copy of the EU Declaration of Conformity for this equipment. Send email to [CSI_Compliance@microsoft.com](mailto:CSI_Compliance@microsoft.com).
The Netgear A6150 WiFi USB Adapter provided with this equipment is in compliance with Directive 2014/53/EU and can also be provided on request.
-> ![Warning Icon 13](./media/azure-stack-edge-mini-r-safety/icon-safety-warning.png)
-> This is a class A product. In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.
+![Warning Icon 13](./media/azure-stack-edge-mini-r-safety/icon-safety-warning.png) **WARNING:**
+
+This is a class A product. In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.
Disposal of waste batteries and electrical and electronic equipment:
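Review bot: after this change the `**WARNING:**` label sits on the icon line and the class A statement follows as a separate paragraph, so the label is detached from the text it qualifies. Keep the icon, the label and the sentence in one paragraph, as the notice and warning lines elsewhere in these safety articles do.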
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-pro-r-configure-vpn-bcdr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-pro-r-configure-vpn-bcdr.md
@@ -13,7 +13,7 @@
# Configure business continuity and disaster recovery for Azure Stack Edge VPN This article describes how to configure business continuity and disaster recovery (BCDR) on a virtual private network (VPN) configured on an Azure Stack Edge device.
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-pro-r-safety https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-pro-r-safety.md
@@ -7,7 +7,7 @@
Previously updated : 02/04/2021 Last updated : 02/12/2021
@@ -130,6 +130,7 @@ The following hazard icons are to be observed when setting up and running your A
* For systems without an uninterrupted power supply (UPS), unplug all AC power cord(s) to completely remove AC power from the equipment. * For systems with UPS, unplug all AC power cord(s) and use the UPS power switch to de-energize the System. UPS contains hazardous AC and DC voltages.
+* If a system includes a UPS, the UPS was provided with a shielded input power cable. You must use the shielded input power cable, do not replace or modify the cord.
![Warning Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-warning.png) ![Electrical Shock Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-electric-shock.png) **WARNING:**
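Review bot: the added bullet joins two instructions with a comma ("You must use the shielded input power cable, do not replace or modify the cord") and switches from "cable" to "cord" for the same part. Split it into two sentences and use one term, for example "Use the shielded input power cable provided with the UPS. Do not replace or modify it."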
@@ -206,9 +207,9 @@ A device that has a UPS installed is designed to operate in the following enviro
> ![Notice Icon - 2](./media/azure-stack-edge-pro-r-safety/icon-safety-notice.png) **NOTICE:** &nbsp;Changes or modifications made to the equipment not expressly approved by Microsoft may void the user's authority to operate the equipment.
-CANADA and USA:
+#### CANADA and USA:
-NOTICE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at their own expense.
+> ![Notice Icon - 2](./media/azure-stack-edge-pro-r-safety/icon-safety-notice.png) **NOTICE:** &nbsp;This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at their own expense.
This device complies with part 15 of the FCC Rules and Industry Canada license-exempt RSS standard(s). Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation of the device.
@@ -216,14 +217,15 @@ This device complies with part 15 of the FCC Rules and Industry Canada license-e
CAN ICES-3(A)/NMB-3(A)
-Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA.
+Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
United States: (800) 426-9400 Canada: (800) 933-4750
-EUROPEAN UNION:
-Request a copy of the EU Declaration of Conformity.
+#### EUROPEAN UNION:
-![Warning Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-warning.png)
+Request a copy of the EU Declaration of Conformity. Send email to [CSI_Compliance@microsoft.com](mailto:CSI_Compliance@microsoft.com).
+
+![Warning Icon](./media/azure-stack-edge-pro-r-safety/icon-safety-warning.png) **WARNING!**
This is a class A product. In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.
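Review bot: The new `#### EUROPEAN UNION:` heading keeps the trailing colon and all-caps styling of the plain-text label it replaces; as a heading it would read better as `#### European Union`. The added **WARNING!** line is also left as a bare image followed by bold text, while the NOTICE earlier in this file was moved into a `>` blockquote together with its icon. Using the same blockquote form here would keep the safety callouts consistent.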
@@ -240,7 +242,6 @@ Telephone number: +353 1 295 3826
Fax number: +353 1 706 4110 - ## Next steps - [Prepare to deploy Azure Stack Edge Pro R Edge](azure-stack-edge-pro-r-deploy-prep.md)
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-pro-r-security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-pro-r-security.md
@@ -12,7 +12,7 @@
# Security and data protection for Azure Stack Edge Pro R and Azure Stack Edge Mini R Security is a major concern when you're adopting a new technology, especially if the technology is used with confidential or proprietary data. Azure Stack Edge Pro R and Azure Stack Edge Mini R help you ensure that only authorized entities can view, modify, or delete your data.
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-manage-graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-graph.md
@@ -117,6 +117,21 @@ You can now call this function in your main method like this:
:::code language="csharp" source="~/digital-twins-docs-samples/sdks/csharp/graph_operations_sample.cs" id="UseFetchAndPrint":::
+## Update relationships
+
+Relationships are updated using the `UpdateRelationship` method.
+
+>[!NOTE]
+>This method is for updating the **properties** of a relationship. If you need to change the source twin or target twin of the relationship, you'll need to [delete the relationship](#delete-relationships) and [re-create one](#create-relationships) using the new twins.
+
+The required parameters for the client call are the ID of the source twin (the twin where the relationship originates), the ID of the relationship to update, and a [JSON Patch](http://jsonpatch.com/) document containing the properties and new values you'd like to update.
++
+Here is an example of a call to this method, passing in a JSON Patch document with the information to update a property.
++ ## Delete relationships The first parameter specifies the source twin (the twin where the relationship originates). The other parameter is the relationship ID. You need both the twin ID and the relationship ID, because relationship IDs are only unique within the scope of a twin.
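Review bot: The JSON Patch link in the parameters paragraph points at `http://jsonpatch.com/` over plain HTTP; use an HTTPS link or cite RFC 6902 directly. It would also help to state which JSON Patch operations `UpdateRelationship` accepts, since the text only says the document contains "the properties and new values you'd like to update".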
event-grid https://docs.microsoft.com/en-us/azure/event-grid/consume-private-endpoints https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/consume-private-endpoints.md
@@ -0,0 +1,47 @@
+
+ Title: Deliver events using private link service
+description: This article describes how to work around the limitation of not able to deliver events using private link service.
+ Last updated : 02/12/2021++
+# Deliver events using private link service
+Currently, it's not possible to deliver events using [private endpoints](../private-link/private-endpoint-overview.md). That is, there is no support if you have strict network isolation requirements where your delivered events traffic must not leave the private IP space.
+
+## Use managed identity
+However, if your requirements call for a secure way to send events using an encrypted channel and a known identity of the sender (in this case, Event Grid) using public IP space, you could deliver events to Event Hubs, Service Bus, or Azure Storage service using an Azure event grid custom topic or a domain with system-managed identity. For details about delivering events using managed identity, see [Event delivery using a managed identity](managed-service-identity.md).
+
+Then, you can use a private link configured in Azure Functions or your webhook deployed on your virtual network to pull events. See the sample: [Connect to private endpoints with Azure Functions](/samples/azure-samples/azure-functions-private-endpoints/connect-to-private-endpoints-with-azure-functions/).
++++
+Under this configuration, the traffic goes over the public IP/internet from Event Grid to Event Hubs, Service Bus, or Azure Storage, but the channel can be encrypted and a managed identity of Event Grid is used. If you configure your Azure Functions or webhook deployed to your virtual network to use an Event Hubs, Service Bus, or Azure Storage via private link, that section of the traffic will evidently stay within Azure.
+
+## Deliver events to Event Hubs using managed identity
+To deliver events to event hubs in your Event Hubs namespace using managed identity, follow these steps:
+
+1. [Enable system-assigned identity for a topic or a domain](managed-service-identity.md#create-a-custom-topic-or-domain-with-an-identity).
+1. [Add the identity to the **Azure Event Hubs Data Sender** role on the Event Hubs namespace](../event-hubs/authenticate-managed-identity.md#to-assign-azure-roles-using-the-azure-portal).
+1. [Enable the **Allow trusted Microsoft services to bypass this firewall** setting on your Event Hubs namespace](../event-hubs/event-hubs-service-endpoints.md#trusted-microsoft-services).
+1. [Configure the event subscription](managed-service-identity.md#create-event-subscriptions-that-use-an-identity) that uses an event hub as an endpoint to use the system-assigned identity.
+
+## Deliver events to Service Bus using managed identity
+To deliver events to Service Bus queues or topics in your Service Bus namespace using managed identity, follow these steps:
+
+1. [Enable system-assigned identity for a topic or a domain](managed-service-identity.md#create-a-custom-topic-or-domain-with-an-identity).
+1. Add the identity to the [Azure Service Bus Data Sender](/service-bus-messaging/service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus) role on the Service Bus namespace
+1. [Enable the **Allow trusted Microsoft services to bypass this firewall** setting on your Service Bus namespace](../service-bus-messaging/service-bus-service-endpoints.md#trusted-microsoft-services).
+1. [Configure the event subscription](managed-service-identity.md#create-event-subscriptions-that-use-an-identity) that uses a Service Bus queue or topic as an endpoint to use the system-assigned identity.
+
+## Deliver events to Storage
+To deliver events to Storage queues using managed identity, follow these steps:
+
+1. [Enable system-assigned identity for a topic or a domain](managed-service-identity.md#create-a-custom-topic-or-domain-with-an-identity).
+1. Add the identity to the [Storage Queue Data Message Sender](../storage/common/storage-auth-aad-rbac-portal.md) role on Azure Storage queue.
+1. [Configure the event subscription](managed-service-identity.md#create-event-subscriptions-that-use-an-identity) that uses a Service Bus queue or topic as an endpoint to use the system-assigned identity.
++
+## Next steps
+For more information about delivering events using a managed identity, see [Event delivery using a managed identity](managed-service-identity.md).
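Review bot: Step 3 under "Deliver events to Storage" still reads "uses a Service Bus queue or topic as an endpoint", copied from the Service Bus section; it should name a Storage queue. The Storage steps also have no counterpart to the "Allow trusted Microsoft services to bypass this firewall" step that the Event Hubs and Service Bus sections include, so say explicitly whether a storage account firewall needs an equivalent exception. In the Service Bus steps, the role link starts with `/service-bus-messaging/...md` while every sibling link uses `../service-bus-messaging/`, so it probably won't resolve, and that step is missing its closing period. Wording: the description's "limitation of not able to deliver" needs "not being able", and "will evidently stay within Azure" is clearer without "evidently".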
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-app-configuration.md
@@ -2,15 +2,13 @@
Title: Azure App Configuration as Event Grid source description: This article describes how to use Azure App Configuration as an Event Grid event source. It provides the schema and links to tutorial and how-to articles. Previously updated : 07/07/2020 Last updated : 02/11/2021 # Azure App Configuration as an Event Grid source This article provides the properties and schema for Azure App Configuration events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md). It also gives you a list of quick starts and tutorials to use Azure App Configuration as an event source.
-## Event Grid event schema
-
-### Available event types
+## Available event types
Azure App Configuration emits the following event types:
@@ -19,8 +17,9 @@ Azure App Configuration emits the following event types:
| Microsoft.AppConfiguration.KeyValueModified | Raised when a key-value is created or replaced. | | Microsoft.AppConfiguration.KeyValueDeleted | Raised when a key-value is deleted. |
-### Example event
+## Example event
+# [Event Grid event schema](#tab/event-grid-event-schema)
The following example shows the schema of a key-value modified event: ```json
@@ -58,29 +57,87 @@ The schema for a key-value deleted event is similar:
"metadataVersion": "1" }] ```
-
-### Event properties
+# [Cloud event schema](#tab/cloud-event-schema)
+
+The following example shows the schema of a key-value modified event:
+
+```json
+[{
+ "id": "84e17ea4-66db-4b54-8050-df8f7763f87b",
+ "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/microsoft.appconfiguration/configurationstores/contoso",
+ "subject": "https://contoso.azconfig.io/kv/Foo?label=FizzBuzz",
+ "data": {
+ "key": "Foo",
+ "label": "FizzBuzz",
+ "etag": "FnUExLaj2moIi4tJX9AXn9sakm0"
+ },
+ "type": "Microsoft.AppConfiguration.KeyValueModified",
+ "time": "2019-05-31T20:05:03Z",
+ "specversion": "1.0"
+}]
+```
+
+The schema for a key-value deleted event is similar:
+
+```json
+[{
+ "id": "84e17ea4-66db-4b54-8050-df8f7763f87b",
+ "source": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg/providers/microsoft.appconfiguration/configurationstores/contoso",
+ "subject": "https://contoso.azconfig.io/kv/Foo?label=FizzBuzz",
+ "data": {
+ "key": "Foo",
+ "label": "FizzBuzz",
+ "etag": "FnUExLaj2moIi4tJX9AXn9sakm0"
+ },
+ "type": "Microsoft.AppConfiguration.KeyValueDeleted",
+ "time": "2019-05-31T20:05:03Z",
+ "specversion": "1.0"
+}]
+```
+++
+## Event properties
+# [Event Grid event schema](#tab/event-grid-event-schema)
An event has the following top-level data: | Property | Type | Description | | -- | - | -- |
-| topic | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. |
-| subject | string | Publisher-defined path to the event subject. |
-| eventType | string | One of the registered event types for this event source. |
-| eventTime | string | The time the event is generated based on the provider's UTC time. |
-| ID | string | Unique identifier for the event. |
-| data | object | App Configuration event data. |
-| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
-| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | App Configuration event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
++
+# [Cloud event schema](#tab/cloud-event-schema)
+
+An event has the following top-level data:
+
+| Property | Type | Description |
+| -- | - | -- |
+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `type` | string | One of the registered event types for this event source. |
+| `time` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | App Configuration event data. |
+| `specversion` | string | CloudEvents schema specification version. |
++ The data object has the following properties: | Property | Type | Description | | -- | - | -- |
-| key | string | The key of the key-value that was modified or deleted. |
-| label | string | The label, if any, of the key-value that was modified or deleted. |
-| etag | string | For `KeyValueModified` the etag of the new key-value. For `KeyValueDeleted` the etag of the key-value that was deleted. |
+| `key` | string | The key of the key-value that was modified or deleted. |
+| `label` | string | The label, if any, of the key-value that was modified or deleted. |
+| `etag` | string | For `KeyValueModified` the etag of the new key-value. For `KeyValueDeleted` the etag of the key-value that was deleted. |
+ ## Tutorials and how-tos
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-app-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-app-service.md
@@ -3,7 +3,7 @@ Title: Azure App Service as Event Grid source
description: This article describes how to use Azure App Service as an Event Grid event source. It provides the schema and links to tutorial and how-to articles. Previously updated : 07/07/2020 Last updated : 02/12/2021
@@ -11,9 +11,7 @@
This article provides the properties and schema for Azure App Service events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md). It also gives you a list of quick starts and tutorials to use Azure App Service as an event source.
-## Event Grid event schema
-
-### Available event types
+## Available event types
Azure App Service emits the following event types
@@ -35,263 +33,466 @@ Azure App Service emits the following event types
| Microsoft.Web/sites.AppUpdated.ChangedAppSettings | Triggered when a siteΓÇÖs app settings have changed | | Microsoft.Web/serverfarms.AppServicePlanUpdated | Triggered when an App Service Plan is updated |
-### The contents of an event response
+## Properties common to all events
+# [Event Grid event schema](#tab/event-grid-event-schema)
When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each event. Each event has the following top-level data: | Property | Type | Description | |--|--||
-| topic | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. |
-| subject | string | Publisher-defined path to the event subject. |
-| eventType | string | One of the registered event types for this event source. |
-| eventTime | string | The time the event is generated based on the provider's UTC time. |
-| id | string | Unique identifier for the event. |
-| data | object | Blob storage event data. |
-| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
-| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
-
-#### BackupOperationStarted, BackupOperationCompleted, BackupOperationFailed
-
-```js
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Blob storage event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+
+# [Cloud event schema](#tab/cloud-event-schema)
+
+When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint.
+This section contains an example of what that data would look like for each event. Each event has the following top-level data:
+
+| Property | Type | Description |
+|--|--||
+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `type` | string | One of the registered event types for this event source. |
+| `time` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Blob storage event data. |
+| `specversion` | string | CloudEvents schema specification version. |
+++
+## Example events
+
+### BackupOperationStarted, BackupOperationCompleted, BackupOperationFailed
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+```json
+{
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "eventType": "Microsoft.Web.BackupOperationStarted",
+ "eventTime": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": {
+ "action": "Started"
+ },
+ "siteName": "<site-name>",
+ "clientRequestId": "None",
+ "correlationRequestId": "None",
+ "requestId": "292f499d-04ee-4066-994d-c2df57b99198",
+ "address": "None",
+ "verb": "None"
+ },
+ "dataVersion": "1",
+ "metaDataVersion": "1"
+}
+```
+# [Cloud event schema](#tab/cloud-event-schema)
+
+```json
{
- id:'7c5d6de5-eb70-4de2-b788-c52a544e68b8',
- subject:'/Microsoft.Web/sites/<site-name>',
- eventType:'Microsoft.Web.BackupOperationStarted',
- eventTime:'2020-01-28T18:26:51.7194887Z',
- data: {
- "appEventTypeDetail": { "action": "Started" },
- "siteName": "<site-name>",
- "clientRequestId": "None",
- "correlationRequestId": "None",
- "requestId": "292f499d-04ee-4066-994d-c2df57b99198",
- "address": "None",
- "verb": "None"
- }
- topic:'/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>',
- dataVersion:'1',
- metaDataVersion:'1'
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "type": "Microsoft.Web.BackupOperationStarted",
+ "time": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": {
+ "action": "Started"
+ },
+ "siteName": "<site-name>",
+ "clientRequestId": "None",
+ "correlationRequestId": "None",
+ "requestId": "292f499d-04ee-4066-994d-c2df57b99198",
+ "address": "None",
+ "verb": "None"
+ },
+ "specversion": "1.0"
} ``` ++ The data object contains the following properties: | Property | Type | Description | |-|--|-|
-| appEventTypeDetail | object | Detail of action on the app |
-| action | string | Type of action of the operation |
-| name | string | name of the web site that had this event |
-| clientRequestId | string | The client request id generated by the app service for the site API operation that triggered this event |
-| correlationRequestId | string | The correlation request id generated by the app service for the site API operation that triggered this event |
-| requestId | string | The request id generated by the app service for the site API operation that triggered this event |
-| address | string | HTTP request URL of this operation |
-| verb | string | HTTP verb of this operation |
-
-#### RestoreOperationStarted, RestoreOperationCompleted, RestoreOperationFailed
-
-```js
+| `appEventTypeDetail` | object | Detail of action on the app |
+| `action` | string | Type of action of the operation |
+| `name` | string | name of the web site that had this event |
+| `clientRequestId` | string | The client request ID generated by the app service for the site API operation that triggered this event |
+| `correlationRequestId` | string | The correlation request ID generated by the app service for the site API operation that triggered this event |
+| `requestId` | string | The request ID generated by the app service for the site API operation that triggered this event |
+| `address` | string | HTTP request URL of this operation |
+| `verb` | string | HTTP verb of this operation |
+
+### RestoreOperationStarted, RestoreOperationCompleted, RestoreOperationFailed
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+```json
{
- id: '7c5d6de5-eb70-4de2-b788-c52a544e68b8',
- subject: '/Microsoft.Web/sites/<site-name>',
- eventType: 'Microsoft.Web.RestoreOperationStarted',
- eventTime: '2020-01-28T18:26:51.7194887Z',
- data: {
- appEventTypeDetail: {
- action: "Started"
- },
- siteName: "<site-name>",
- clientRequestId: "None",
- correlationRequestId: "None",
- requestId: "292f499d-04ee-4066-994d-c2df57b99198",
- address: "None",
- verb: "POST"
- }
- topic: '/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>',
- dataVersion: '1',
- metaDataVersion: '1'
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "eventType": "Microsoft.Web.RestoreOperationStarted",
+ "eventTime": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": {
+ "action": "Started"
+ },
+ "siteName": "<site-name>",
+ "clientRequestId": "None",
+ "correlationRequestId": "None",
+ "requestId": "292f499d-04ee-4066-994d-c2df57b99198",
+ "address": "None",
+ "verb": "POST"
+ },
+ "dataVersion": "1",
+ "metaDataVersion": "1"
} ```
+# [Cloud event schema](#tab/cloud-event-schema)
+
+```json
+{
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "type": "Microsoft.Web.RestoreOperationStarted",
+ "time": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": {
+ "action": "Started"
+ },
+ "siteName": "<site-name>",
+ "clientRequestId": "None",
+ "correlationRequestId": "None",
+ "requestId": "292f499d-04ee-4066-994d-c2df57b99198",
+ "address": "None",
+ "verb": "POST"
+ },
+ "specversion": "1.0"
+}
+```
+++ The data object contains the following properties: | Property | Type | Description | |-|--|-|
-| appEventTypeDetail | object | Detail of action on the app |
-| action | string | Type of action of the operation |
-| name | string | name of the web site that had this event |
-| clientRequestId | string | The client request id generated by the app service for the site API operation that triggered this event |
-| correlationRequestId | string | The correlation request id generated by the app service for the site API operation that triggered this event |
-| requestId | string | The request id generated by the app service for the site API operation that triggered this event |
-| address | string | HTTP request URL of this operation |
-| verb | string | HTTP verb of this operation |
-
-#### SlotSwapStarted, SlotSwapCompleted, SlotSwapFailed
-
-```js
+| `appEventTypeDetail` | object | Detail of action on the app |
+| `action` | string | Type of action of the operation |
+| `name` | string | name of the web site that had this event |
+| `clientRequestId` | string | The client request ID generated by the app service for the site API operation that triggered this event |
+| `correlationRequestId` | string | The correlation request ID generated by the app service for the site API operation that triggered this event |
+| `requestId` | string | The request ID generated by the app service for the site API operation that triggered this event |
+| `address` | string | HTTP request URL of this operation |
+| `verb` | string | HTTP verb of this operation |
+
+### SlotSwapStarted, SlotSwapCompleted, SlotSwapFailed
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+```json
+{
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "eventType": "Microsoft.Web.SlotSwapStarted",
+ "eventTime": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": null,
+ "siteName": "<site-name>",
+ "clientRequestId": "922f4841-20d9-4dd6-8c5b-23f0d85e5592",
+ "correlationRequestId": "9ac46505-2b8a-4e06-834c-05ffbe2e8c3a",
+ "requestId": "765117aa-eaf8-4bd2-a644-1dbf69c7b0fd",
+ "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/slots?Command=SWAP&targetSlot=production",
+ "verb": "POST",
+ "sourceSlot": "staging",
+ "targetSlot": "production"
+ },
+ "dataVersion": "1",
+ "metaDataVersion": "1"
+}
+```
+
+# [Cloud event schema](#tab/cloud-event-schema)
+
+```json
{
- id: '7c5d6de5-eb70-4de2-b788-c52a544e68b8',
- subject: '/Microsoft.Web/sites/<site-name>',
- eventType: 'Microsoft.Web.SlotSwapStarted',
- eventTime: '2020-01-28T18:26:51.7194887Z',
- data: {
- appEventTypeDetail: null,
- siteName: '<site-name>',
- clientRequestId: '922f4841-20d9-4dd6-8c5b-23f0d85e5592',
- correlationRequestId: '9ac46505-2b8a-4e06-834c-05ffbe2e8c3a',
- requestId: '765117aa-eaf8-4bd2-a644-1dbf69c7b0fd',
- address: '/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/slots?Command=SWAP&targetSlot=production',
- verb: 'POST'
- sourceSlot: "staging",
- targetSlot: "production"
- },
- topic: '/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>',
- dataVersion: '1',
- metaDataVersion: '1'
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "type": "Microsoft.Web.SlotSwapStarted",
+ "time": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": null,
+ "siteName": "<site-name>",
+ "clientRequestId": "922f4841-20d9-4dd6-8c5b-23f0d85e5592",
+ "correlationRequestId": "9ac46505-2b8a-4e06-834c-05ffbe2e8c3a",
+ "requestId": "765117aa-eaf8-4bd2-a644-1dbf69c7b0fd",
+ "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/slots?Command=SWAP&targetSlot=production",
+ "verb": "POST",
+ "sourceSlot": "staging",
+ "targetSlot": "production"
+ },
+ "specversion": "1.0"
} ``` ++ The data object contains the following properties: | Property | Type | Description | |-|--|-|
-| appEventTypeDetail | object | Detail of action on the app |
-| action | string | Type of action of the operation |
-| name | string | name of the web site that had this event |
-| clientRequestId | string | The client request id generated by the app service for the site API operation that triggered this event |
-| correlationRequestId | string | The correlation request id generated by the app service for the site API operation that triggered this event |
-| requestId | string | The request id generated by the app service for the site API operation that triggered this event |
-| address | string | HTTP request URL of this operation |
-| verb | string | HTTP verb of this operation |
-| sourceSlot | string | The source slot of the swap |
-
-#### SlotSwapWithPreviewStarted, SlotSwapWithPreviewCancelled
-
-```js
+| `appEventTypeDetail` | object | Detail of action on the app |
+| `action` | string | Type of action of the operation |
+| `name` | string | name of the web site that had this event |
+| `clientRequestId` | string | The client request ID generated by the app service for the site API operation that triggered this event |
+| `correlationRequestId` | string | The correlation request ID generated by the app service for the site API operation that triggered this event |
+| `requestId` | string | The request ID generated by the app service for the site API operation that triggered this event |
+| `address` | string | HTTP request URL of this operation |
+| `verb` | string | HTTP verb of this operation |
+| `sourceSlot` | string | The source slot of the swap |
+
+### SlotSwapWithPreviewStarted, SlotSwapWithPreviewCancelled
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+```json
+{
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "eventType": "Microsoft.Web.SlotSwapWithPreviewStarted",
+ "eventTime": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": null,
+ "siteName": "<site-name>",
+ "clientRequestId": "922f4841-20d9-4dd6-8c5b-23f0d85e5592",
+ "correlationRequestId": "9ac46505-2b8a-4e06-834c-05ffbe2e8c3a",
+ "requestId": "765117aa-eaf8-4bd2-a644-1dbf69c7b0fd",
+ "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/slots?Command=SWAP&targetSlot=production",
+ "verb": "POST",
+ "sourceSlot": "staging",
+ "targetSlot": "production"
+ },
+ "dataVersion": "1",
+ "metaDataVersion": "1"
+}
+```
+
+# [Cloud event schema](#tab/cloud-event-schema)
+
+```json
{
- id: '7c5d6de5-eb70-4de2-b788-c52a544e68b8',
- subject: '/Microsoft.Web/sites/<site-name>',
- eventType: 'Microsoft.Web.SlotSwapWithPreviewStarted',
- eventTime: '2020-01-28T18:26:51.7194887Z',
- data: {
- appEventTypeDetail: null,
- siteName: '<site-name>',
- clientRequestId: '922f4841-20d9-4dd6-8c5b-23f0d85e5592',
- correlationRequestId: '9ac46505-2b8a-4e06-834c-05ffbe2e8c3a',
- requestId: '765117aa-eaf8-4bd2-a644-1dbf69c7b0fd',
- address: '/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/slots?Command=SWAP&targetSlot=production',
- verb: 'POST'
- sourceSlot: "staging",
- targetSlot: "production"
- },
- topic: '/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>',
- dataVersion: '1',
- metaDataVersion: '1'
+ "id": "7c5d6de5-eb70-4de2-b788-c52a544e68b8",
+ "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "type": "Microsoft.Web.SlotSwapWithPreviewStarted",
+ "time": "2020-01-28T18:26:51.7194887Z",
+ "data": {
+ "appEventTypeDetail": null,
+ "siteName": "<site-name>",
+ "clientRequestId": "922f4841-20d9-4dd6-8c5b-23f0d85e5592",
+ "correlationRequestId": "9ac46505-2b8a-4e06-834c-05ffbe2e8c3a",
+ "requestId": "765117aa-eaf8-4bd2-a644-1dbf69c7b0fd",
+ "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/slots?Command=SWAP&targetSlot=production",
+ "verb": "POST",
+ "sourceSlot": "staging",
+ "targetSlot": "production"
+ },
+ "specversion": "1.0"
} ``` ++ The data object contains the following properties: | Property | Type | Description | |-|--|-|
-| appEventTypeDetail | object | Detail of action on the app |
-| action | string | Type of action of the operation |
-| name | string | name of the web site that had this event |
-| clientRequestId | string | The client request id generated by the app service for the site API operation that triggered this event |
-| correlationRequestId | string | The correlation request id generated by the app service for the site API operation that triggered this event |
-| requestId | string | The request id generated by the app service for the site API operation that triggered this event |
-| address | string | HTTP request URL of this operation |
-| verb | string | HTTP verb of this operation |
-
-#### AppUpdated.Restarted, AppUpdated.Stopped, AppUpdated.ChangedAppSettings
-
-```js
+| `appEventTypeDetail` | object | Detail of action on the app |
+| `action` | string | Type of action of the operation |
+| `name` | string | name of the web site that had this event |
+| `clientRequestId` | string | The client request ID generated by the app service for the site API operation that triggered this event |
+| `correlationRequestId` | string | The correlation request ID generated by the app service for the site API operation that triggered this event |
+| `requestId` | string | The request ID generated by the app service for the site API operation that triggered this event |
+| `address` | string | HTTP request URL of this operation |
+| `verb` | string | HTTP verb of this operation |
+
+### AppUpdated.Restarted, AppUpdated.Stopped, AppUpdated.ChangedAppSettings
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+```json
{
- id: 'b74ea56b-2a3f-4de5-a5d7-38e60c81cf23',
- subject: '/Microsoft.Web/sites/<site-name>',
- eventType: 'Microsoft.Web.AppUpdated',
- eventTime: '2020-01-28T18:22:30.2760952Z',
- data: {
- appEventTypeDetail: {
- action: 'Stopped'
- },
- siteName: '<site-name>',
- clientRequestId: '64a5e0aa-7cee-4ff1-9093-b9197b820014',
- correlationRequestId: '25bb36a5-8f6c-4f04-b615-e9a0ee045756',
- requestId: 'f2e8eb3f-b190-42de-b99e-6acefe587374',
- address: '/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/stop',
- verb: 'POST'
- },
- topic: '/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>',
- dataVersion: '1',
- metaDataVersion: '1'
+ "id": "b74ea56b-2a3f-4de5-a5d7-38e60c81cf23",
+ "topic": "/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "eventType": "Microsoft.Web.AppUpdated",
+ "eventTime": "2020-01-28T18:22:30.2760952Z",
+ "data": {
+ "appEventTypeDetail": {
+ "action": "Stopped"
+ },
+ "siteName": "<site-name>",
+ "clientRequestId": "64a5e0aa-7cee-4ff1-9093-b9197b820014",
+ "correlationRequestId": "25bb36a5-8f6c-4f04-b615-e9a0ee045756",
+ "requestId": "f2e8eb3f-b190-42de-b99e-6acefe587374",
+ "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/stop",
+ "verb": "POST"
+ },
+ "dataVersion": "1'",
+ "metaDataVersion": "1"
} ```
+# [Cloud event schema](#tab/cloud-event-schema)
+
+```json
+{
+ "id": "b74ea56b-2a3f-4de5-a5d7-38e60c81cf23",
+ "source": "/subscriptions/<id>/resourceGroups/<group>/providers/Microsoft.Web/sites/<site-name>",
+ "subject": "/Microsoft.Web/sites/<site-name>",
+ "type": "Microsoft.Web.AppUpdated",
+ "time": "2020-01-28T18:22:30.2760952Z",
+ "data": {
+ "appEventTypeDetail": {
+ "action": "Stopped"
+ },
+ "siteName": "<site-name>",
+ "clientRequestId": "64a5e0aa-7cee-4ff1-9093-b9197b820014",
+ "correlationRequestId": "25bb36a5-8f6c-4f04-b615-e9a0ee045756",
+ "requestId": "f2e8eb3f-b190-42de-b99e-6acefe587374",
+ "address": "/websystems/WebSites/web/subscriptions/<id>/webspaces/<webspace>/sites/<site-name>/stop",
+ "verb": "POST"
+ },
+ "specversion": "1.0"
+}
+```
+++ The data object has the following properties: | Property | Type | Description | |-|--|-|
-| appEventTypeDetail | object | Detail of action on the app |
-| action | string | Type of action of the operation |
-| name | string | name of the web site that had this event |
-| clientRequestId | string | The client request id generated by the app service for the site API operation that triggered this event |
-| correlationRequestId | string | The correlation request id generated by the app service for the site API operation that triggered this event |
-| requestId | string | The request id generated by the app service for the site API operation that triggered this event |
-| address | string | HTTP request URL of this operation |
-| verb | string | HTTP verb of this operation |
-
-#### Serverfarms.AppServicePlanUpdated
-
-```js
+| `appEventTypeDetail` | object | Detail of action on the app |
+| `action` | string | Type of action of the operation |
+| `name` | string | name of the web site that had this event |
+| `clientRequestId` | string | The client request ID generated by the app service for the site API operation that triggered this event |
+| `correlationRequestId` | string | The correlation request ID generated by the app service for the site API operation that triggered this event |
+| `requestId` | string | The request ID generated by the app service for the site API operation that triggered this event |
+| `address` | string | HTTP request URL of this operation |
+| `verb` | string | HTTP verb of this operation |
+
+### Serverfarms.AppServicePlanUpdated
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+```json
+{
+ "id": "56501672-9150-40e1-893a-18420c7fdbf7",
+ "topic": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>",
+ "subject": "/Microsoft.Web/serverfarms/<plan-name>",
+ "eventType": "Microsoft.Web.AppServicePlanUpdated",
+ "eventTime": "2020-01-28T18:22:23.5516004Z",
+ "data": {
+ "serverFarmEventTypeDetail": {
+ "stampKind": "Public",
+ "action": "Updated",
+ "status": "Started"
+ },
+ "serverFarmId": "0",
+ "sku": {
+ "name": "P1v2",
+ "tier": "PremiumV2",
+ "size": "P1v2",
+ "family": "Pv2",
+ "capacity": 1
+ },
+ "clientRequestId": "8f880321-a991-45c7-b743-6ff63fe4c004",
+ "correlationRequestId": "1995c3be-ba7f-4ccf-94af-516df637ec8a",
+ "requestId": "b973a8e6-6949-4783-b44c-ac778be831bb",
+ "address": "/websystems/WebSites/serverfarms/subscriptions/<id>/webspaces/<webspace-id>/serverfarms/<plan-name>/async",
+ "verb": "PUT"
+ },
+ "dataVersion": "1",
+ "metaDataVersion": "1"
+}
+```
+
+# [Cloud event schema](#tab/cloud-event-schema)
+
+```json
{
- id: "56501672-9150-40e1-893a-18420c7fdbf7",
- subject: "/Microsoft.Web/serverfarms/<plan-name>",
- eventType: "Microsoft.Web.AppServicePlanUpdated",
- eventTime: "2020-01-28T18:22:23.5516004Z",
- data: {
- serverFarmEventTypeDetail: {
- stampKind: "Public",
- action: "Updated",
- status: "Started"
- },
- serverFarmId: "0",
- sku: {
- name: "P1v2",
- tier: "PremiumV2",
- size: "P1v2",
- family: "Pv2",
- capacity: 1
- },
- clientRequestId: "8f880321-a991-45c7-b743-6ff63fe4c004",
- correlationRequestId: "1995c3be-ba7f-4ccf-94af-516df637ec8a",
- requestId: "b973a8e6-6949-4783-b44c-ac778be831bb",
- address: "/websystems/WebSites/serverfarms/subscriptions/<id>/webspaces/<webspace-id>/serverfarms/<plan-name>/async",
- verb: "PUT"
- },
- topic: "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>",
- dataVersion: "1",
- metaDataVersion: "1"
+ "id": "56501672-9150-40e1-893a-18420c7fdbf7",
+ "source": "/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Web/serverfarms/<serverfarm-name>",
+ "subject": "/Microsoft.Web/serverfarms/<plan-name>",
+ "type": "Microsoft.Web.AppServicePlanUpdated",
+ "time": "2020-01-28T18:22:23.5516004Z",
+ "data": {
+ "serverFarmEventTypeDetail": {
+ "stampKind": "Public",
+ "action": "Updated",
+ "status": "Started"
+ },
+ "serverFarmId": "0",
+ "sku": {
+ "name": "P1v2",
+ "tier": "PremiumV2",
+ "size": "P1v2",
+ "family": "Pv2",
+ "capacity": 1
+ },
+ "clientRequestId": "8f880321-a991-45c7-b743-6ff63fe4c004",
+ "correlationRequestId": "1995c3be-ba7f-4ccf-94af-516df637ec8a",
+ "requestId": "b973a8e6-6949-4783-b44c-ac778be831bb",
+ "address": "/websystems/WebSites/serverfarms/subscriptions/<id>/webspaces/<webspace-id>/serverfarms/<plan-name>/async",
+ "verb": "PUT"
+ },
+ "specversion": "1.0"
} ``` ++ The data object has the following properties: | Property | Type | Description | |-|--|-|
-| appServicePlanEventTypeDetail | object | Detail of action on the app service plan |
-| stampKind | string | Kind of environment where app service plan is |
-| action | string | Type of action on the app service plan |
-| status | string | Status of the operation on the app service plan |
-| sku | object | sku of the app service plan |
-| name | string | name of the app service plan |
-| Tier | string | tier of the app service plan |
-| Size | string | size of the app service plan |
-| Family | string | family of app service plan |
-| Capacity | string | capacity of app service plan |
-| action | string | Type of action of the operation |
-| name | string | name of the web site that had this event |
-| clientRequestId | string | The client request id generated by the app service for the site API operation that triggered this event |
-| correlationRequestId | string | The correlation request id generated by the app service for the site API operation that triggered this event |
-| requestId | string | The request id generated by the app service for the site API operation that triggered this event |
-| address | string | HTTP request URL of this operation |
-| verb | string | HTTP verb of this operation |
+| `appServicePlanEventTypeDetail` | object | Detail of action on the app service plan |
+| `stampKind` | string | Kind of environment where app service plan is |
+| `action` | string | Type of action on the app service plan |
+| `status` | string | Status of the operation on the app service plan |
+| `sku` | object | sku of the app service plan |
+| `name` | string | name of the app service plan |
+| `Tier` | string | tier of the app service plan |
+| `Size` | string | size of the app service plan |
+| `Family` | string | family of app service plan |
+| `Capacity` | string | capacity of app service plan |
+| `action` | string | Type of action of the operation |
+| `name` | string | name of the web site that had this event |
+| `clientRequestId` | string | The client request ID generated by the app service for the site API operation that triggered this event |
+| `correlationRequestId` | string | The correlation request ID generated by the app service for the site API operation that triggered this event |
+| `requestId` | string | The request ID generated by the app service for the site API operation that triggered this event |
+| `address` | string | HTTP request URL of this operation |
+| `verb` | string | HTTP verb of this operation |
+
+## Next steps
+
+* For an introduction to Azure Event Grid, see [What is Event Grid?](overview.md)
+* For more information about creating an Azure Event Grid subscription, see [Event Grid subscription schema](subscription-creation-schema.md)
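Review bot: In the Event Grid schema example under AppUpdated.Restarted, AppUpdated.Stopped, AppUpdated.ChangedAppSettings, the added line `"dataVersion": "1'",` has a stray apostrophe inside the string; it should read `"dataVersion": "1",` as in the Serverfarms.AppServicePlanUpdated example. Since the property tables now set names in code font, they should also match the examples exactly: the site tables list `name` for the web site where the JSON has `siteName`, and the plan table lists `appServicePlanEventTypeDetail`, `Tier`, `Size`, `Family` and `Capacity` (typed string) where the JSON has `serverFarmEventTypeDetail`, `tier`, `size`, `family` and a numeric `capacity`.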
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-azure-cache https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-azure-cache.md
@@ -2,7 +2,7 @@
Title: Azure Cache for Redis as Event Grid source description: Describes the properties that are provided for Azure Cache for Redis events with Azure Event Grid Previously updated : 12/21/2020 Last updated : 02/11/2021
@@ -11,10 +11,7 @@
This article provides the properties and schema for Azure Cache for Redis events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md).
-## Event Grid event schema
-
-### List of events for Azure Cache for Redis REST APIs
-
+## Available event types
These events are triggered when a client exports, imports, or scales by calling Azure Cache for Redis REST APIs. Patching event is triggered by Redis update. |Event name |Description|
@@ -24,12 +21,10 @@ These events are triggered when a client exports, imports, or scales by calling
|**Microsoft.Cache.PatchingCompleted** |Triggered when patching is completed. | |**Microsoft.Cache.ScalingCompleted** |Triggered when scaling is completed. |
-<a name="example-event"></a>
-### The contents of an event response
-
-When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint.
+## Example event
+When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each Azure Cache for Redis event.
-This section contains an example of what that data would look like for each Azure Cache for Redis event.
+# [Event Grid event schema](#tab/event-grid-event-schema)
### Microsoft.Cache.PatchingCompleted event
@@ -99,30 +94,127 @@ This section contains an example of what that data would look like for each Azur
"eventTime":"2020-12-09T21:50:19.9995668+00:00"}] ```
-### Event properties
+# [Cloud event schema](#tab/cloud-event-schema)
++
+### Microsoft.Cache.PatchingCompleted event
+
+```json
+[{
+ "id": "9b87886d-21a5-4af5-8e3e-10c4b8dac73b",
+ "type": "Microsoft.Cache.PatchingCompleted",
+ "source": "/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}",
+ "data": {
+ "name": "PatchingCompleted",
+ "timestamp": "2020-12-09T21:50:19.9995668+00:00",
+ "status": "Succeeded"
+ },
+ "subject": "PatchingCompleted",
+ "time": "2020-12-09T21:50:19.9995668+00:00",
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Cache.ImportRDBCompleted event
+
+```json
+[{
+ "id": "9b87886d-21a5-4af5-8e3e-10c4b8dac73b",
+ "type": "Microsoft.Cache.ImportRDBCompleted",
+ "source": "/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}",
+ "data": {
+ "name": "ImportRDBCompleted",
+ "timestamp": "2020-12-09T21:50:19.9995668+00:00",
+ "status": "Succeeded"
+ },
+ "subject": "ImportRDBCompleted",
+ "eventTime": "2020-12-09T21:50:19.9995668+00:00",
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Cache.ExportRDBCompleted event
+
+```json
+[{
+ "id": "9b87886d-21a5-4af5-8e3e-10c4b8dac73b",
+ "type": "Microsoft.Cache.ExportRDBCompleted",
+ "source": "/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}",
+ "data": {
+ "name": "ExportRDBCompleted",
+ "timestamp": "2020-12-09T21:50:19.9995668+00:00",
+ "status": "Succeeded"
+ },
+ "subject": "ExportRDBCompleted",
+ "time": "2020-12-09T21:50:19.9995668+00:00",
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Cache.ScalingCompleted
+
+```json
+[{
+ "id": "9b87886d-21a5-4af5-8e3e-10c4b8dac73b",
+ "type": "Microsoft.Cache.ScalingCompleted",
+ "source": "/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.Cache/Redis/{cache_name}",
+ "data": {
+ "name": "ScalingCompleted",
+ "timestamp": "2020-12-09T21:50:19.9995668+00:00",
+ "status": "Succeeded"
+ },
+ "subject": "ScalingCompleted",
+ "time": "2020-12-09T21:50:19.9995668+00:00",
+ "specversion": "1.0"
+}]
+```
+++
+## Event properties
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
An event has the following top-level data: | Property | Type | Description | | -- | - | -- |
-| topic | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. |
-| subject | string | Publisher-defined path to the event subject. |
-| eventType | string | One of the registered event types for this event source. |
-| eventTime | string | The time the event is generated based on the provider's UTC time. |
-| id | string | Unique identifier for the event. |
-| data | object | Azure Cache for Redis event data. |
-| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
-| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Azure Cache for Redis event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
-The data object has the following properties:
+
+# [Cloud event schema](#tab/cloud-event-schema)
++
+An event has the following top-level data:
| Property | Type | Description | | -- | - | -- |
-| timestamp | string | The time at which the event occurred. |
-| name | string | The name of the event. |
-| status | string | The status of the event. Failed or succeeded. |
+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `type` | string | One of the registered event types for this event source. |
+| `time` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Azure Cache for Redis event data. |
+| `specversion` | string | CloudEvents schema specification version. |
++
+The data object has the following properties:
+
+| Property | Type | Description |
+| -- | - | -- |
+| `timestamp` | string | The time at which the event occurred. |
+| `name` | string | The name of the event. |
+| `status` | string | The status of the event. Failed or succeeded. |
+ ## Quickstarts If you want to try Azure Cache for Redis events, see any of these quickstart articles:
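Review bot: The cloud event schema example for Microsoft.Cache.ImportRDBCompleted still uses `"eventTime"`, while the other three cloud examples in this hunk and the cloud property table added below it use `time`; rename the key to `"time"` so the example matches the documented schema. Consumers that copy this sample to build a parser or a filter would otherwise look for a field the cloud schema table does not list.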
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-azure-maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-azure-maps.md
@@ -2,16 +2,14 @@
Title: Azure Maps as Event Grid source description: Describes the properties and schema provided for Azure Maps events with Azure Event Grid Previously updated : 07/07/2020 Last updated : 02/11/2021 # Azure Maps as an Event Grid source This article provides the properties and schema for Azure Maps events. For an introduction to event schemas, see [Azure Event Grid event schema](./event-schema.md). It also gives you a list of quick starts and tutorials to use Azure Maps as an event source.
-## Event Grid event schema
-
-### Available event types
+## Available event types
An Azure Maps account emits the following event types:
@@ -21,8 +19,9 @@ An Azure Maps account emits the following event types:
| Microsoft.Maps.GeofenceExited | Raised when coordinates received have moved from within a given geofence to outside | | Microsoft.Maps.GeofenceResult | Raised every time a geofencing query returns a result, regardless of the state |
-### Event examples
+## Example events
+# [Event Grid event schema](#tab/event-grid-event-schema)
The following example shows the schema of a **GeofenceEntered** event ```JSON
@@ -91,70 +90,154 @@ The following example show schema for **GeofenceResult**
} ```
-### Event properties
+# [Cloud event schema](#tab/cloud-event-schema)
+The following example shows the schema of a **GeofenceEntered** event
+
+```JSON
+{  
+   "id":"7f8446e2-1ac7-4234-8425-303726ea3981",
+   "source":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}",
+   "subject":"/spatial/geofence/udid/{udid}/id/{eventId}",
+   "data":{  
+      "geometries":[  
+         {  
+            "deviceId":"device_1",
+            "udId":"1a13b444-4acf-32ab-ce4e-9ca4af20b169",
+            "geometryId":"2",
+            "distance":-999.0,
+            "nearestLat":47.618786,
+            "nearestLon":-122.132151
+         }
+      ],
+      "expiredGeofenceGeometryId":[  
+      ],
+      "invalidPeriodGeofenceGeometryId":[  
+      ]
+   },
+   "type":"Microsoft.Maps.GeofenceEntered",
+   "time":"2018-11-08T00:54:17.6408601Z",
+   "specversion":"1.0"
+}
+```
+
+The following example show schema for **GeofenceResult**
+
+```JSON
+{  
+   "id":"451675de-a67d-4929-876c-5c2bf0b2c000",
+   "source":"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Maps/accounts/{accountName}",
+   "subject":"/spatial/geofence/udid/{udid}/id/{eventId}",
+   "data":{  
+      "geometries":[  
+         {  
+            "deviceId":"device_1",
+            "udId":"1a13b444-4acf-32ab-ce4e-9ca4af20b169",
+            "geometryId":"1",
+            "distance":999.0,
+            "nearestLat":47.609833,
+            "nearestLon":-122.148274
+         },
+         {  
+            "deviceId":"device_1",
+            "udId":"1a13b444-4acf-32ab-ce4e-9ca4af20b169",
+            "geometryId":"2",
+            "distance":999.0,
+            "nearestLat":47.621954,
+            "nearestLon":-122.131841
+         }
+      ],
+      "expiredGeofenceGeometryId":[  
+      ],
+      "invalidPeriodGeofenceGeometryId":[  
+      ]
+   },
+   "type":"Microsoft.Maps.GeofenceResult",
+   "time":"2018-11-08T00:52:08.0954283Z",
+   "specversion":"1.0"
+}
+```
++
+## Event properties
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+An event has the following top-level data:
+| Property | Type | Description |
+| -- | - | -- |
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Geofencing event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+
+# [Cloud event schema](#tab/cloud-event-schema)
An event has the following top-level data: | Property | Type | Description | | -- | - | -- |
-| topic | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. |
-| subject | string | Publisher-defined path to the event subject. |
-| eventType | string | One of the registered event types for this event source. |
-| eventTime | string | The time the event is generated based on the provider's UTC time. |
-| id | string | Unique identifier for the event. |
-| data | object | Geofencing event data. |
-| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
-| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `type` | string | One of the registered event types for this event source. |
+| `time` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Geofencing event data. |
+| `specversion` | string | CloudEvents schema specification version. |
++ The data object has the following properties: | Property | Type | Description | | -- | - | -- |
-| apiCategory | string | API category of the event. |
-| apiName | string | API name of the event. |
-| issues | object | Lists issues encountered during processing. If any issues are returned, then there will be no geometries returned with the response. |
-| responseCode | number | HTTP response code |
-| geometries | object | Lists the fence geometries that contain the coordinate position or overlap the searchBuffer around the position. |
+| `apiCategory` | string | API category of the event. |
+| `apiName` | string | API name of the event. |
+| `issues` | object | Lists issues occurred during processing. If any issues are returned, then there will be no geometries returned with the response. |
+| `responseCode` | number | HTTP response code |
+| `geometries` | object | Lists the fence geometries that contain the coordinate position or overlap the searchBuffer around the position. |
The error object is returned when an error occurs in the Maps API. The error object has the following properties: | Property | Type | Description | | -- | - | -- |
-| error | ErrorDetails |This object is returned when an error occurs in the Maps API |
+| `error` | ErrorDetails |This object is returned when an error occurs in the Maps API |
The ErrorDetails object is returned when an error occurs in the Maps API. The ErrorDetails or object has the following properties: | Property | Type | Description | | -- | - | -- |
-| code | string | The HTTP status code. |
-| message | string | If available, a human readable description of the error. |
-| innererror | InnerError | If available, an object containing service-specific information about the error. |
+| `code` | string | The HTTP status code. |
+| `message` | string | If available, a human readable description of the error. |
+| `innererror` | InnerError | If available, an object containing service-specific information about the error. |
The InnerError is an object containing service-specific information about the error. The InnerError object has the following properties: | Property | Type | Description | | -- | - | -- |
-| code | string | The error message. |
+| `code` | string | The error message. |
The geometries object, lists geometry IDs of the geofences that have expired relative to the user time in the request. The geometries object has geometry items with the following properties: | Property | Type | Description | |:-- |:- |:-- |
-| deviceid | string | ID of device. |
-| distance | string | <p>Distance from the coordinate to the closest border of the geofence. Positive means the coordinate is outside of the geofence. If the coordinate is outside of the geofence, but more than the value of searchBuffer away from the closest geofence border, then the value is 999. Negative means the coordinate is inside of the geofence. If the coordinate is inside the polygon, but more than the value of searchBuffer away from the closest geofencing border, then the value is -999. A value of 999 means that there is great confidence the coordinate is well outside the geofence. A value of -999 means that there is great confidence the coordinate is well within the geofence.<p> |
-| geometryid |string | The unique id identifies the geofence geometry. |
-| nearestlat | number | Latitude of the nearest point of the geometry. |
-| nearestlon | number | Longitude of the nearest point of the geometry. |
-| udId | string | The unique id returned from user upload service when uploading a geofence. Will not be included in geofencing post API. |
+| `deviceid` | string | ID of device. |
+| `distance` | string | <p>Distance from the coordinate to the closest border of the geofence. Positive means the coordinate is outside of the geofence. If the coordinate is outside of the geofence, but more than the value of searchBuffer away from the closest geofence border, then the value is 999. Negative means the coordinate is inside of the geofence. If the coordinate is inside the polygon, but more than the value of searchBuffer away from the closest geofencing border, then the value is -999. A value of 999 means that there is great confidence the coordinate is well outside the geofence. A value of -999 means that there is great confidence the coordinate is well within the geofence.<p> |
+| `geometryid` |string | The unique ID identifies the geofence geometry. |
+| `nearestlat` | number | Latitude of the nearest point of the geometry. |
+| `nearestlon` | number | Longitude of the nearest point of the geometry. |
+| `udId` | string | The unique ID returned from user upload service when uploading a geofence. Won't be included in geofencing post API. |
The data object has the following properties: | Property | Type | Description | | -- | - | -- |
-| expiredGeofenceGeometryId | string[] | Lists of the geometry ID of the geofence that is expired relative to the user time in the request. |
-| geometries | geometries[] |Lists the fence geometries that contain the coordinate position or overlap the searchBuffer around the position. |
-| invalidPeriodGeofenceGeometryId | string[] | Lists of the geometry ID of the geofence that is in invalid period relative to the user time in the request. |
-| isEventPublished | boolean | True if at least one event is published to the Azure Maps event subscriber, false if no event is published to the Azure Maps event subscriber. |
+| `expiredGeofenceGeometryId` | string[] | Lists of the geometry ID of the geofence that is expired relative to the user time in the request. |
+| `geometries` | geometries[] |Lists the fence geometries that contain the coordinate position or overlap the searchBuffer around the position. |
+| `invalidPeriodGeofenceGeometryId` | string[] | Lists of the geometry ID of the geofence that is in invalid period relative to the user time in the request. |
+| `isEventPublished` | boolean | True if at least one event is published to the Azure Maps event subscriber, false if no event is published to the Azure Maps event subscriber. |
## Tutorials and how-tos |Title |Description |
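Review bot: In the geometries item table, the names now set in code font (`deviceid`, `geometryid`, `nearestlat`, `nearestlon`) do not match the casing used in the examples added in this same hunk (`deviceId`, `geometryId`, `nearestLat`, `nearestLon`), and `distance` is typed string while the examples carry numbers (`-999.0`, `999.0`); align the table with the JSON. The `issues` row was also reworded from "encountered" to "occurred", which no longer reads correctly; "Lists issues that occurred during processing" would.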
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-azure-signalr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-azure-signalr.md
@@ -2,16 +2,15 @@
Title: Azure SignalR as Event Grid source description: Describes the properties that are provided for Azure SignalR events with Azure Event Grid Previously updated : 07/07/2020 Last updated : 02/11/2021 # Azure Event Grid event schema for SignalR Service This article provides the properties and schema for SignalR Service events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md). It also gives you a list of quick starts and tutorials to use Azure SignalR as an event source.
-## Event Grid event schema
-### Available event types
+## Available event types
SignalR Service emits the following event types:
@@ -20,8 +19,9 @@ SignalR Service emits the following event types:
| Microsoft.SignalRService.ClientConnectionConnected | Raised when a client connection connected. | | Microsoft.SignalRService.ClientConnectionDisconnected | Raised when a client connection disconnected. |
-### Example event
+## Example event
+# [Event Grid event schema](#tab/event-grid-event-schema)
The following example shows the schema of a client connection connected event: ```json
@@ -63,30 +63,92 @@ The schema for a client connection disconnected event is similar:
}] ```
+# [Cloud event schema](#tab/cloud-event-schema)
+
+The following example shows the schema of a client connection connected event:
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource",
+ "subject": "/hub/chat",
+ "type": "Microsoft.SignalRService.ClientConnectionConnected",
+ "time": "2019-06-10T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "timestamp": "2019-06-10T18:41:00.9584103Z",
+ "hubName": "chat",
+ "connectionId": "crH0uxVSvP61p5wkFY1x1A",
+ "userId": "user-eymwyo23"
+ },
+ "specversion": "1.0"
+}]
+```
+
+The schema for a client connection disconnected event is similar:
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/signalr-rg/providers/Microsoft.SignalRService/SignalR/signalr-resource",
+ "subject": "/hub/chat",
+ "type": "Microsoft.SignalRService.ClientConnectionDisconnected",
+ "time": "2019-06-10T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "timestamp": "2019-06-10T18:41:00.9584103Z",
+ "hubName": "chat",
+ "connectionId": "crH0uxVSvP61p5wkFY1x1A",
+ "userId": "user-eymwyo23",
+ "errorMessage": "Internal server error."
+ },
+ "specversion": "1.0"
+}]
+```
++++ ### Event properties +
+# [Event Grid event schema](#tab/event-grid-event-schema)
An event has the following top-level data: | Property | Type | Description | | -- | - | -- |
-| topic | string | Full resource path to the event source. This field is not writeable. Event Grid provides this value. |
-| subject | string | Publisher-defined path to the event subject. |
-| eventType | string | One of the registered event types for this event source. |
-| eventTime | string | The time the event is generated based on the provider's UTC time. |
-| id | string | Unique identifier for the event. |
-| data | object | SignalR Service event data. |
-| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
-| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | SignalR Service event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+
+# [Cloud event schema](#tab/cloud-event-schema)
+
+An event has the following top-level data:
+
+| Property | Type | Description |
+| -- | - | -- |
+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `type` | string | One of the registered event types for this event source. |
+| `time` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | SignalR Service event data. |
+| `specversion` | string | CloudEvents schema specification version. |
++ The data object has the following properties: | Property | Type | Description | | -- | - | -- |
-| timestamp | string | The time the event is generated based on the provider's UTC time. |
-| hubName | string | The hub which the client connection belongs to. |
-| connectionId | string | The unique identifier for the client connection. |
-| userId | string | The user identifier defined in claim. |
-| errorMessage | string | The error that causes the connection disconnected. |
+| `timestamp` | string | The time the event is generated based on the provider's UTC time. |
+| `hubName` | string | The hub that the client connection belongs to. |
+| `connectionId` | string | The unique identifier for the client connection. |
+| `userId` | string | The user identifier defined in claim. |
+| `errorMessage` | string | The error that causes the connection disconnected. |
## Tutorials and how-tos |Title | Description |
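Review bot: In the data-object table, the `errorMessage` row does not say when the property is present, yet in the examples added by this hunk only the `Microsoft.SignalRService.ClientConnectionDisconnected` event carries `errorMessage` and the connected event does not. If that is the intended behaviour, say so in the description (for example "Appears only for disconnected events") so consumers treat the property as optional. Separately, `### Event properties` stays at H3 while `Example event` was promoted to H2 earlier in this file, so the properties section now nests under the example; `## Event properties` would match the blob storage article in the same change.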
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-blob-storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-blob-storage.md
@@ -2,7 +2,7 @@
Title: Azure Blob Storage as Event Grid source description: Describes the properties that are provided for blob storage events with Azure Event Grid Previously updated : 07/07/2020 Last updated : 02/11/2021 # Azure Blob Storage as an Event Grid source
@@ -13,7 +13,7 @@ This article provides the properties and schema for blob storage events. For an
>[!NOTE] > Only storage accounts of kind **StorageV2 (general purpose v2)**, **BlockBlobStorage**, and **BlobStorage** support event integration. **Storage (general purpose v1)** does *not* support integration with Event Grid.
-## Event Grid event schema
+## Available event types
### List of events for Blob REST APIs
@@ -46,12 +46,10 @@ These events are triggered if you enable a hierarchical namespace on the storage
> [!NOTE] > For **Azure Data Lake Storage Gen2**, if you want to ensure that the **Microsoft.Storage.BlobCreated** event is triggered only when a Block Blob is completely committed, filter the event for the `FlushWithClose` REST API call. This API call triggers the **Microsoft.Storage.BlobCreated** event only after data is fully committed to a Block Blob. To learn how to create a filter, see [Filter events for Event Grid](./how-to-filter-events.md).
-<a name="example-event"></a>
-### The contents of an event response
+## Example event
+When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each blob storage event.
-When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint.
-
-This section contains an example of what that data would look like for each blob storage event.
+# [Event Grid event schema](#tab/event-grid-event-schema)
### Microsoft.Storage.BlobCreated event
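Review bot: The merged sentence added under `## Example event` reads "sends data about that event to subscribing endpoint", which is missing an article or a plural. Suggest "to subscribing endpoints", the wording the Communication Services article uses for the same sentence.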
@@ -282,39 +280,278 @@ If the blob storage account has a hierarchical namespace, the data looks similar
}] ```
-### Event properties
+# [Cloud event schema](#tab/cloud-event-schema)
+
+### Microsoft.Storage.BlobCreated event
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/test-container/blobs/new-file.txt",
+ "type": "Microsoft.Storage.BlobCreated",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "PutBlockList",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "eTag": "\"0x8D4BCC2E4835CD0\"",
+ "contentType": "text/plain",
+ "contentLength": 524288,
+ "blobType": "BlockBlob",
+ "url": "https://my-storage-account.blob.core.windows.net/testcontainer/new-file.txt",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.BlobCreated event (Data Lake Storage Gen2)
+
+If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes:
+
+* The `data.api` key is set to the string `CreateFile` or `FlushWithClose`.
+* The `contentOffset` key is included in the data set.
+
+> [!NOTE]
+> If applications use the `PutBlockList` operation to upload a new blob to the account, the data won't contain these changes.
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/my-file-system/blobs/new-file.txt",
+ "type": "Microsoft.Storage.BlobCreated",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "CreateFile",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "eTag": "\"0x8D4BCC2E4835CD0\"",
+ "contentType": "text/plain",
+ "contentLength": 0,
+ "contentOffset": 0,
+ "blobType": "BlockBlob",
+ "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/new-file.txt",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.BlobDeleted event
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/testcontainer/blobs/file-to-delete.txt",
+ "type": "Microsoft.Storage.BlobDeleted",
+ "time": "2017-11-07T20:09:22.5674003Z",
+ "id": "4c2359fe-001e-00ba-0e04-58586806d298",
+ "data": {
+ "api": "DeleteBlob",
+ "requestId": "4c2359fe-001e-00ba-0e04-585868000000",
+ "contentType": "text/plain",
+ "blobType": "BlockBlob",
+ "url": "https://my-storage-account.blob.core.windows.net/testcontainer/file-to-delete.txt",
+ "sequencer": "0000000000000281000000000002F5CA",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.BlobDeleted event (Data Lake Storage Gen2)
+
+If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes:
++
+* The `data.api` key is set to the string `DeleteFile`.
+* The `url` key contains the path `dfs.core.windows.net`.
+
+> [!NOTE]
+> If applications use the `DeleteBlob` operation to delete a blob from the account, the data won't contain these changes.
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/my-file-system/blobs/file-to-delete.txt",
+ "type": "Microsoft.Storage.BlobDeleted",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "DeleteFile",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "contentType": "text/plain",
+ "blobType": "BlockBlob",
+ "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/file-to-delete.txt",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.BlobRenamed event
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-file.txt",
+ "type": "Microsoft.Storage.BlobRenamed",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "RenameFile",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "destinationUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-renamed-file.txt",
+ "sourceUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-original-file.txt",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.DirectoryCreated event
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/my-file-system/blobs/my-new-directory",
+ "type": "Microsoft.Storage.DirectoryCreated",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "CreateDirectory",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-new-directory",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.DirectoryRenamed event
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-directory",
+ "type": "Microsoft.Storage.DirectoryRenamed",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "RenameDirectory",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "destinationUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-renamed-directory",
+ "sourceUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-original-directory",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Storage.DirectoryDeleted event
+
+```json
+[{
+ "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",
+ "subject": "/blobServices/default/containers/my-file-system/blobs/directory-to-delete",
+ "type": "Microsoft.Storage.DirectoryDeleted",
+ "time": "2017-06-26T18:41:00.9584103Z",
+ "id": "831e1650-001e-001b-66ab-eeb76e069631",
+ "data": {
+ "api": "DeleteDirectory",
+ "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",
+ "requestId": "831e1650-001e-001b-66ab-eeb76e000000",
+ "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/directory-to-delete",
+ "recursive": "true",
+ "sequencer": "00000000000004420000000000028963",
+ "storageDiagnostics": {
+ "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"
+ }
+ },
+ "specversion": "1.0"
+}]
+```
++++
+## Event properties
+
+# [Event Grid event schema](#tab/event-grid-event-schema)
+
+An event has the following top-level data:
+
+| Property | Type | Description |
+| -- | - | -- |
+| `topic` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `eventType` | string | One of the registered event types for this event source. |
+| `eventTime` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Blob storage event data. |
+| `dataVersion` | string | The schema version of the data object. The publisher defines the schema version. |
+| `metadataVersion` | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+
+# [Cloud event schema](#tab/cloud-event-schema)
An event has the following top-level data: | Property | Type | Description | | -- | - | -- |
-| topic | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
-| subject | string | Publisher-defined path to the event subject. |
-| eventType | string | One of the registered event types for this event source. |
-| eventTime | string | The time the event is generated based on the provider's UTC time. |
-| ID | string | Unique identifier for the event. |
-| data | object | Blob storage event data. |
-| dataVersion | string | The schema version of the data object. The publisher defines the schema version. |
-| metadataVersion | string | The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value. |
+| `source` | string | Full resource path to the event source. This field isn't writeable. Event Grid provides this value. |
+| `subject` | string | Publisher-defined path to the event subject. |
+| `type` | string | One of the registered event types for this event source. |
+| `time` | string | The time the event is generated based on the provider's UTC time. |
+| `id` | string | Unique identifier for the event. |
+| `data` | object | Blob storage event data. |
+| `specversion` | string | CloudEvents schema specification version. |
++ The data object has the following properties: | Property | Type | Description | | -- | - | -- |
-| api | string | The operation that triggered the event. |
-| clientRequestId | string | a client-provided request ID for the storage API operation. This ID can be used to correlate to Azure Storage diagnostic logs using the "client-request-id" field in the logs, and can be provided in client requests using the "x-ms-client-request-id" header. See [Log Format](/rest/api/storageservices/storage-analytics-log-format). |
-| requestId | string | Service-generated request ID for the storage API operation. Can be used to correlate to Azure Storage diagnostic logs using the "request-id-header" field in the logs and is returned from initiating API call in the 'x-ms-request-id' header. See [Log Format](/rest/api/storageservices/storage-analytics-log-format). |
-| eTag | string | The value that you can use to run operations conditionally. |
-| contentType | string | The content type specified for the blob. |
-| contentLength | integer | The size of the blob in bytes. |
-| blobType | string | The type of blob. Valid values are either "BlockBlob" or "PageBlob". |
-| contentOffset | number | The offset in bytes of a write operation taken at the point where the event-triggering application completed writing to the file. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace.|
-| destinationUrl |string | The url of the file that will exist after the operation completes. For example, if a file is renamed, the `destinationUrl` property contains the url of the new file name. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace.|
-| sourceUrl |string | The url of the file that exists before the operation is done. For example, if a file is renamed, the `sourceUrl` contains the url of the original file name before the rename operation. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace. |
-| url | string | The path to the blob. <br>If the client uses a Blob REST API, then the url has this structure: `<storage-account-name>.blob.core.windows.net\<container-name>\<file-name>`. <br>If the client uses a Data Lake Storage REST API, then the url has this structure: `<storage-account-name>.dfs.core.windows.net/<file-system-name>/<file-name>`. |
-| recursive | string | `True` to run the operation on all child directories; otherwise `False`. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace. |
-| sequencer | string | An opaque string value representing the logical sequence of events for any particular blob name. Users can use standard string comparison to understand the relative sequence of two events on the same blob name. |
-| storageDiagnostics | object | Diagnostic data occasionally included by the Azure Storage service. When present, should be ignored by event consumers. |
+| `api` | string | The operation that triggered the event. |
+| `clientRequestId` | string | a client-provided request ID for the storage API operation. This ID can be used to correlate to Azure Storage diagnostic logs using the "client-request-id" field in the logs, and can be provided in client requests using the "x-ms-client-request-id" header. See [Log Format](/rest/api/storageservices/storage-analytics-log-format). |
+| `requestId` | string | Service-generated request ID for the storage API operation. Can be used to correlate to Azure Storage diagnostic logs using the "request-id-header" field in the logs and is returned from initiating API call in the 'x-ms-request-id' header. See [Log Format](/rest/api/storageservices/storage-analytics-log-format). |
+| `eTag` | string | The value that you can use to run operations conditionally. |
+| `contentType` | string | The content type specified for the blob. |
+| `contentLength` | integer | The size of the blob in bytes. |
+| `blobType` | string | The type of blob. Valid values are either "BlockBlob" or "PageBlob". |
+| `contentOffset` | number | The offset in bytes of a write operation taken at the point where the event-triggering application completed writing to the file. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace.|
+| `destinationUrl` |string | The url of the file that will exist after the operation completes. For example, if a file is renamed, the `destinationUrl` property contains the url of the new file name. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace.|
+| `sourceUrl` |string | The url of the file that exists before the operation is done. For example, if a file is renamed, the `sourceUrl` contains the url of the original file name before the rename operation. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace. |
+| `url` | string | The path to the blob. <br>If the client uses a Blob REST API, then the url has this structure: `<storage-account-name>.blob.core.windows.net\<container-name>\<file-name>`. <br>If the client uses a Data Lake Storage REST API, then the url has this structure: `<storage-account-name>.dfs.core.windows.net/<file-system-name>/<file-name>`. |
+| `recursive` | string | `True` to run the operation on all child directories; otherwise `False`. <br>Appears only for events triggered on blob storage accounts that have a hierarchical namespace. |
+| `sequencer` | string | An opaque string value representing the logical sequence of events for any particular blob name. Users can use standard string comparison to understand the relative sequence of two events on the same blob name. |
+| `storageDiagnostics` | object | Diagnostic data occasionally included by the Azure Storage service. When present, should be ignored by event consumers. |
## Tutorials and how-tos |Title |Description |
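Review bot: The `recursive` row in the data-object table documents the values as `True` and `False`, but the `Microsoft.Storage.DirectoryDeleted` cloud event example added in this hunk carries `"recursive": "true"` as a lowercase string. Because the property is typed as string, a consumer doing a case-sensitive comparison against `True` would not match the example, so the table should state the literal values that are delivered. In the same table the `url` row gives the Blob REST structure with backslashes (`<storage-account-name>.blob.core.windows.net\<container-name>\<file-name>`) while the Data Lake structure and every example use forward slashes. The first BlobCreated example also has `test-container` in `subject` but `testcontainer` in `url`; one of the two should be changed so they agree.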
event-grid https://docs.microsoft.com/en-us/azure/event-grid/event-schema-communication-services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/event-schema-communication-services.md
@@ -2,7 +2,7 @@
Title: Azure Communication Services as an Event Grid source description: This article describes how to use Azure Communication Services as an Event Grid event source. Previously updated : 07/07/2020 Last updated : 02/11/2021
@@ -15,9 +15,7 @@
This article provides the properties and schema for Azure Communication Services events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md).
-## Event Grid event schema
-
-### Available event types
+## Available event types
Event grid uses [event subscriptions](./concepts.md#event-subscriptions) to route event messages to subscribers.
@@ -27,7 +25,7 @@ Azure Communication Services emits the following event types:
| -- | - | | Microsoft.Communication.SMSReceived | Published when an SMS is received by a phone number associated with the Communication Service. | | Microsoft.Communication.SMSDeliveryReportReceived | Published when a delivery report is received for an SMS sent by the Communication Service. |
-| Microsoft.Communication.ChatMessageReceived* | Published when a message is received for a user in a chat thread that she is member of. |
+| Microsoft.Communication.ChatMessageReceived* | Published when a message is received for a user in a chat thread that the user is member of. |
| Microsoft.Communication.ChatMessageEdited* | Published when a message is edited in a chat thread that the user is member of. | | Microsoft.Communication.ChatMessageDeleted* | Published when a message is deleted in a chat thread that the user is member of. | | Microsoft.Communication.ChatThreadCreatedWithUser | Published when the user is added as member at the time of creation of a chat thread. |
@@ -37,11 +35,11 @@ Azure Communication Services emits the following event types:
| Microsoft.Communication.ChatMemberRemovedFromThreadWithUser | Published when the user is removed from a chat thread. |
-*Please make sure you provide "sender name" in your "send message" API calls for these events to get triggered.
+* Make sure you provide "sender name" in your "send message" API calls for these events to get triggered.
## Event subjects
-The `subject` field of all Communication Services events identifies the user, phone number or entity that is targeted by the event. Common prefixes are used to allow simple [Event Grid Filtering](./event-filtering.md).
+The `subject` field of all Communication Services events identifies the user, phone number, or entity that is targeted by the event. Common prefixes are used to allow simple [Event Grid Filtering](./event-filtering.md).
| Subject Prefix | Communication Service Entity | | - | - |
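Review bot: The added footnote line `* Make sure you provide "sender name" ...` now has a space after the asterisk, which Markdown renders as a bullet list item, so it no longer reads as the footnote for the event types marked with `*` in the table (`ChatMessageReceived*`, `ChatMessageEdited*`, `ChatMessageDeleted*`). Suggest escaping the asterisk (`\* Make sure you provide ...`) or rewording the line so that it names those three events explicitly.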
@@ -63,9 +61,9 @@ The following example shows a filter for all SMS messages and delivery reports s
## Sample event responses
-When an event is triggered, the Event Grid service sends data about that event to subscribing endpoints.
+When an event is triggered, the Event Grid service sends data about that event to subscribing endpoints. This section contains an example of what that data would look like for each event.
-This section contains an example of what that data would look like for each event.
+# [Event Grid event schema](#tab/event-grid-event-schema)
### Microsoft.Communication.SMSDeliveryReportReceived event
@@ -333,6 +331,266 @@ This section contains an example of what that data would look like for each even
}] ```
+# [Cloud event schema](#tab/cloud-event-schema)
+
+### Microsoft.Communication.SMSDeliveryReportReceived event
+
+```json
+[{
+ "id": "Outgoing_202009180022138813a09b-0cbf-4304-9b03-1546683bb910",
+ "source": "/subscriptions/{subscription-id}/resourceGroups/{group-name}/providers/microsoft.communication/communicationservices/{communication-services-resource-name}",
+ "subject": "/phonenumber/15555555555",
+ "data": {
+ "MessageId": "Outgoing_202009180022138813a09b-0cbf-4304-9b03-1546683bb910",
+ "From": "15555555555",
+ "To": "+15555555555",
+ "DeliveryStatus": "Delivered",
+ "DeliveryStatusDetails": "No error.",
+ "ReceivedTimestamp": "2020-09-18T00:22:20.2855749Z",
+ "DeliveryAttempts": [
+ {
+ "Timestamp": "2020-09-18T00:22:14.9315918Z",
+ "SegmentsSucceeded": 1,
+ "SegmentsFailed": 0
+ }
+ ]
+ },
+ "type": "Microsoft.Communication.SMSDeliveryReportReceived",
+ "time": "2020-09-18T00:22:20Z",
+ "specversion": "1.0"
+}]
+```
+### Microsoft.Communication.SMSReceived event
+
+```json
+[{
+ "id": "Incoming_20200918002745d29ebbea-3341-4466-9690-0a03af35228e",
+ "source": "/subscriptions/50ad1522-5c2c-4d9a-a6c8-67c11ecb75b8/resourcegroups/acse2e/providers/microsoft.communication/communicationservices/{communication-services-resource-name}",
+ "subject": "/phonenumber/15555555555",
+ "data": {
+ "MessageId": "Incoming_20200918002745d29ebbea-3341-4466-9690-0a03af35228e",
+ "From": "15555555555",
+ "To": "15555555555",
+ "Message": "Great to connect with ACS events ",
+ "ReceivedTimestamp": "2020-09-18T00:27:45.32Z"
+ },
+ "type": "Microsoft.Communication.SMSReceived",
+ "time": "2020-09-18T00:27:47Z",
+ "specversion": "1.0"
+}]
+```
+
+### Microsoft.Communication.ChatMessageReceived event
+
+```json
+[{
+ "id": "c13afb5f-d975-4296-a8ef-348c8fc496ee",
+ "source": "/subscriptions/{subscription-id}/resourceGroups/{group-name}/providers/Microsoft.Communication/communicationServices/{communication-services-resource-name}",
+ "subject": "thread/{thread-id}/sender/{id-of-message-sender}/recipient/{id-of-message-recipient}",
+ "data": {
+ "messageBody": "Welcome to Azure Communication Services",
+ "messageId": "1600389507167",
+ "senderId": "8:acs:fac4607d-d2d0-40e5-84df-6f32ebd1251a_00000005-3e0d-e5aa-0e04-343a0d00037c",
+ "senderDisplayName": "John",
+ "composeTime": "2020-09-18T00:38:27.167Z",
+ "type": "Text",
+ "version": 1600389507167,
+ "recipientId": "8:acs:fac4607d-d2d0-40e5-84df-6f32ebd1251a_00000005-3e1a-3090-6a0b-343a0d000409",
+ "transactionId": "WGW1YmwRzkupk0UI0QA9ZA.1.1.1.1.1797783722.1.9",
+ "thread